212 Practical TCP/IP and Ethernet Networking

with whom they are working. It is possible to incorporate live action color video and voice with shared workspace on the PC screen over the Internet. VidCall uses any one of over 25 inexpensive video capture boards (including digital plug and play cameras) to transmit still and motion video. Depending on the speed of the computer, modem, VGA display and LAN/WAN, virtual motion of up to 10 frames per second is achievable. Multi-point video and document conferencing is available over LAN/WAN, accommodating up to 10 participants who can be located across the globe. VidCall also supplies additional freeware for registered VidCall users on the Internet. WhoIsThere enables individuals to set up their own user groups and to be informed as soon as members of their group log in to the video conference.

13.10.2 Video networking

Another company providing video networking and video conferencing software is BitField. BitField claims to be the first company to have provided a complete H320 compatible video codec on a single PC video adapter board. Their video communication products turn PCs into video communication workstations, transferring full motion video between standard PCs via ISDN, LANs, and other communication networks. Since the products utilize existing PC and networking technology, they can be applied in many areas where traditional video equipment is too expensive and inflexible.

13.11 News

13.11.1 News push

The original approach to news via the Internet has been to search the World Wide Web and ‘pull down’ relevant news items. This is not only time consuming but also costly for an individual who has to connect through an ISP. On the other hand, products such as PointCast aggregate news from more than 700 sources, process this in a central broadcast facility and then broadcast it world-wide via the Internet. Only the news categories selected by the user are PUSHED down for collection every morning.
PointCast delivers national, international, business, industry and company news, stock quotes, sports scores, weather reports, entertainment news and more. Currently, it acquires information from sources such as CNN, CNNfn, NY Times, Wall Street Journal, Reuters, Business Wire, PR News Wire, Standard and Poor’s ComStock, Sports Ticker and AccuWeather. The PointCast network will work with a dial-up connection, as long as the dial-up connection assigns a valid IP address. The PointCast network offers support for viewers using CompuServe, Shiva, FTP and Windows 95 Internet dialers. As for the on-line services, it depends on how they implement the Internet access. Currently, PointCast will work with CompuServe, America On-line and MicroSoft Network.

From an enterprise point of view, PointCast allows management to selectively broadcast news to all employees using the existing network infrastructure, keeping in mind that PointCast is completely free thanks to commercial advertisers. To help the system administrator customize the PointCast Network, PointCast offers a suite of free tools, the so-called Intranet Broadcast Solution, which allows the following:

• It ensures that important company news is widely seen and read by broadcasting it directly to employees’ desktops via a private Intranet channel on PointCast
• It allows the management to effectively communicate time sensitive messages through special windows on employees’ desktops
• It empowers ‘knowledge workers’ by supplying all the news they need to be competitive, including news from customers, suppliers, competitors and industry

13.11.2 News pull

Individual publications

The conventional pull services are still widely available, with many private newspapers maintaining their own web site. A particular case in point is the South African based East London Daily Dispatch, which is widely read by South African expatriates living in Australia.
Collated news

IBM Internet Connection Services offers a news service to subscribers, available in 10 different languages and utilizing a news search engine that pulls stories from over 250 news sources from across the globe. Topics include top stories in technology, politics, business, culture news, CAN world news, TechWeb and USA Today. It is also possible to select world news on a regional basis.

13.11.3 News groups: USENET

While web (www) sites have received most of the attention from software developers and the press, the Internet’s news and conferencing service, USENET, represents another major Internet resource. USENET is based on news groups, such as comp.client.server or misc.education.adult, that contain articles similar to e-mail messages. News groups exist for virtually every conceivable professional and personal interest. Some news groups serve as problem solving forums and as the ‘help desks’ of the Internet. Most news groups are public and can be viewed anywhere the Internet reaches. Anyone with a news client and an Internet connection can submit an article. Some news groups subject articles to screening prior to publication; others automatically distribute all submissions. Worldwide, over 300 000 articles are posted each day to over 50 000 news groups. Because of the massive storage requirements, articles begin to disappear within a few days of publication.

Stand-alone news client software is available from several sources. News clients are also built into Netscape Navigator and Microsoft Internet Explorer. As users of these web browsers become more experienced, they are able to ‘graduate’ to the world of USENET news. There are several packages available for dealing with USENET and many of them are available as freeware. We will now deal with some of them.

13.11.4 Search agents

The question may well be asked: why on earth would a company care about USENET postings?
Here are a few reasons:

• Find out who is mentioning your products
• Find out who is using or misusing your trademarks
• Discover people and companies looking for solutions that your organization can provide
• Find out what people are saying about your competitors’ products and services
• Detect imposters forging messages that appear to originate from your organization

A good example of a USENET search agent is NewsMonger by TechSmith Corporation. NewsMonger constructs the search query for you, or allows you to create the query yourself. It searches public USENET groups for each of your active queries using Digital’s Alta Vista engine. It removes duplicate articles and identifies new submissions. It then notifies you via e-mail when articles matching your criteria are discovered. A similar product is OUI (off-line user interface), which has the ability to locate, retrieve, download and post information to and from news groups.

Upload utilities

AutoPost is a program which is capable of UUEncoding files and automatically uploading them to a news server, i.e. it automates the process of posting large volumes of files to news services.

Retrieval programs

There are several downloading programs for USENET, available as either shareware or freeware. Programs worth noting are:

• Agent
• Free Agent
• News XPress
• Pluckit 3
• SBNews; NewsRobot

Functions of these packages include on-line/off-line news reading, e-mail functionality, built-in viewers for graphics files, the ability to launch URLs, firewall protection, spam elimination, and automatic encryption to protect sensitive images. The prospective user will have to peruse the specifications and make a decision as to the most suitable package for a particular application.

13.12 Additional information

Additional details about products mentioned in this chapter can be obtained from the following web sites.
13.12.1 Internet telephony

PGPfone (Pretty Good Privacy Phone): http://web.mit.edu
Net2Phone: http://www.net2phone.com
FreeTel: http://www.freetel.com
Internet Phone Release 5: http://www.vocaltec.com
Internet Phone Call Waiting: http://www.vocaltec.com
Aplio (Voice over IP): http://www.voiceoverip.sitehosting.net
NetPhone IPBX: http://www.netphone.com
WebPhone: http://www.netspeak.com
Net2Phonepro: http:/www.net2phonepro.com

13.12.2 Video conferencing

VidCall: http://www.powernethk.com
PictureTel: http://picturetel.com
BitField: http://www.bitfield.fi

VidCall has a ‘continuously running’ demo system with IP address 205.157.131.91. First download and register the demo program, then ping the demo system to make sure it is running, then follow the steps supplied on the screen.

13.12.3 Paging

SMS (Small Message Services): http://www.mobiledata.co.za

13.12.4 Fax

Net2Fax: http://www.net2phone.com
VocalTec PASSaFAX: http://www.vocaltec.com

13.12.5 Voice communication via web page link

Click2Talk: http://www.net2phone.com
Click2CallMe: http://www.net2phone.com
Mini WebPhone: http://www.netspeak.com

13.12.6 Voice mail

Internet Voice Mail: http://www.vocaltec.com
QualComm: http://eudora.qualcomm.com
BitWare: http://www.cheyenne.com

13.12.7 News services

NewsMonger: http://www.techsmith.com
PointCast: http://www.pointcast.com
Commercial News Services on the Internet (listing): http://www.jou.ufl.edu
WebGate: http://ngw.webgate.net
CNN Interactive: http://www.ibm.net
UseNet News Readers: http://tucows.netactive.co.za
East London Daily Dispatch: http://www.dispatch.co.za

13.12.8 PPP servers

Foray PPP Remote Access Server: http://www.techsmith.com

13.12.9 E-mail

Hotmail: http://www.hotmail.com
Eudora Webmail: http://www.eudoramail.com
Eudora Lite: http://www.eudora.com
Voice e-mail: http://eudora.qualcom.com

14 Security considerations

Objectives

When you have completed study of this chapter you should be able to:

• Explain the security problem
• Define the ways of controlling access to a network

The security problem

Although people tend to refer to the ‘Internet’ as one global entity, there are in fact three clearly defined subsets of this global network. Four, in fact, if one wishes to include the so-called ‘community network’. It just depends on where the conceptual boundaries are drawn.

• In the center is the in-house corporate ‘intranet’, primarily for the benefit of the people within the organization
• The intranet is surrounded by the ‘extranet’, exterior to the organization yet restricted to access by business partners, customers and preferred suppliers
• Third, and this is optional, there can be a ‘community’ layer around the extranet. This space is shared with a particular community of interest, e.g. industry associations
• Finally, these three layers are surrounded by the global Internet as we know it, which is shared by prospective clients/customers and the rest of the world

This expansion of the Internet into organizations, in fact right down to the factory floor, has opened the door to incredible opportunities. Unfortunately it has also opened the door to pirates and hackers. Therefore, as the use of the Internet, intranets, and extranets has grown, so has the need for security. The TCP/IP protocols and network technologies are inherently designed to be open in order to allow interoperability. Therefore, unless proper precautions are taken, data can readily be intercepted and altered – often without either the sending or the receiving party being aware of the security breach. Because dedicated links between the parties in a communication are often not established in advance, it is easy for one party to impersonate another party. There is a misconception that attacks on a network will always take place from the outside. This is as true of networks as it is true of governments.
In recent times the growth in network size and complexity has increased the potential points of attack both from outside and from within. Without going into too much detail, the following list attempts to give an idea of the magnitude of the threat experienced by intranets and extranets:

• Unauthorized access by contractors or visitors to a company’s computer system
• Access by authorized users (employees or suppliers) to unauthorized databases. For example, an engineer might break into the Human Resources database to obtain confidential salary information
• Confidential information might be intercepted as it is being sent to an authorized user. A hacker might attach a network-sniffing device (probe) to the network, or use sniffing software on his computer. While sniffers are normally used for network diagnostics, they can also be used to intercept data coming over the network medium
• Users may share documents between geographically separated offices over the Internet or extranet, or ‘telecommuting’ users accessing the corporate intranet from their home computer via a dial-up connection can expose sensitive data as it is sent over the medium
• Electronic mail can be intercepted in transit, or hackers can break into the mail server

Here follows a list of some additional threats:

• SYN flood attacks
• Fat ping attacks (ping of death)
• IP spoofing
• Malformed packet attacks (TCP and UDP)
• ACK storms
• Forged source address packets
• Packet fragmentation attacks
• Session hijacking
• Log overflow attacks
• SNMP attacks
• Log manipulation
• ICMP broadcast flooding
• Source routed packets
• Land attack
• ARP attacks
• Ghost routing attacks
• Sequence number prediction
• FTP bounce or port call attack
• Buffer overflows
• ICMP protocol tunneling
• VPN key generation attacks
• Authentication race attacks

These are not merely theoretical concerns.
While computer hackers breaking into corporate computer systems over the Internet have received a great deal of press in recent years, in reality insiders such as employees, former employees, contractors working onsite, and other suppliers are far more likely to attack their own company’s computer systems over an intranet. In a 1998 survey of 520 security practitioners in US corporations and other institutions, conducted by the Computer Security Institute (CSI) with the participation of the FBI, 44 per cent reported unauthorized access by employees compared with 24 per cent reporting system penetration from the outside! Such insider security breaches are likely to result in greater losses than attacks from the outside. Of the organizations that were able to quantify their losses, the CSI survey found that the most serious financial losses occurred through unauthorized access by insiders, with 18 companies reporting total losses of $51 million as compared with $86 million for the remaining 223 companies. The following list gives the average losses from various types of attacks as per the CSI/FBI 1998 Survey of Computer Security:

Fortunately technology has kept up with the problem, and the rest of this chapter will deal with possible solutions to the threat. Keep in mind that securing a network is a continuous process, not a one-time prescription drug that can be bought over the counter. Also, remember that the most sensible approach is a defense-in-depth (‘belt-and-braces’) approach as used by the nuclear industry. In other words, one should not rely on a single approach, but rather a combination of measures with varying levels of complexity and cost.

Controlling access to the network

There are several ways of addressing the problem.
These include:

• Authentication
• Routers
• Firewalls
• Intrusion detection systems
• Encryption

Authentication

A company whose LAN (or intranet) is not routed to the Internet mainly has to face internal threats to its network. In order to allow access only to authorized personnel, authentication is often performed by means of passwords. A password, however, is mainly used to ‘keep the good guys out’, since it is usually very easy to figure out someone’s password, or to capture the password with a sniffer (protocol analyzer) as it travels across the network. To provide proper authentication, two or three items from the following list are required.

• Something the user knows. This can be a password or a PIN number, and by itself it is not very secure
• Something the user has. This can be a SecurID tag, or similar. The SecurID system has a server on the network, generating a 6-digit pseudo-random code every 60 seconds. The user has a credit-card size card or a key fob with a 6-digit LCD display. After initialization at the server, the code on the user’s card follows the code on the server. After entering a PIN number, the prospective user enters the 6-digit code. Even if someone manages to obtain the code, it will be useless in less than a minute
• Something the user is. This can be done with an iris or fingerprint scan. The hardware for this purpose is readily available

Routers

A router can be used as a simple firewall that connects the intranet to the ‘outside world’. Despite the fact that its primary purpose is to route packets, it can also be used to protect the intranet. In comparison to firewalls, routers are extremely simple devices and are clearly not as effective as firewalls in properly securing a network perimeter access point. However, despite their lack of sophistication, there is much that can be done with routers to improve security on a network. In many cases these changes involve little administrative overhead.
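The two-factor scheme described under Authentication above, as an added example that is not part of the book: a 6-digit code that changes every 60 seconds, checked by the server together with the user's PIN, and accepted only once per window so that a captured code is worthless. The real SecurID algorithm is proprietary, so the HMAC-based construction of RFC 4226/6238 stands in for it here; the seed, PIN and user name are constructed demo values.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo values (not real token material): the seed that the server
# and the user's token share, the code lifetime and the display width.
SEED = b"demo-seed-0123456789abcdef"
STEP_SECONDS = 60   # a fresh code every 60 seconds
DIGITS = 6          # a 6-digit display


def token_code(seed: bytes, now: float, step: int = STEP_SECONDS,
               digits: int = DIGITS) -> str:
    """Code shown on the token at time `now`.

    Hypothetical stand-in for the proprietary SecurID algorithm: the HMAC-based
    construction of RFC 4226/6238. Server and token compute the same value
    because they share the seed and agree on the 60-second window."""
    counter = int(now) // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class TokenServer:
    """Server side of the check: something the user knows (PIN) plus something
    the user has (the token). A code is accepted once per window, so a code
    captured with a sniffer is worthless after the minute, or after first use."""

    def __init__(self, users: dict):
        self.users = users          # user name -> (pin, token seed)
        self.last_window = {}       # user name -> window of last accepted code

    def authenticate(self, user: str, pin: str, code: str, now: float) -> bool:
        if user not in self.users:
            return False
        expected_pin, seed = self.users[user]
        # Constant-time comparisons; evaluate both factors before deciding.
        pin_ok = hmac.compare_digest(expected_pin, pin)
        code_ok = hmac.compare_digest(token_code(seed, now), code)
        if not (pin_ok and code_ok):
            return False
        window = int(now) // STEP_SECONDS
        if self.last_window.get(user) == window:
            return False            # replay of a code already used in this window
        self.last_window[user] = window
        return True


if __name__ == "__main__":
    server = TokenServer({"alice": ("1234", SEED)})
    now = time.time()
    code = token_code(SEED, now)    # what alice reads off her token
    print("first use:", server.authenticate("alice", "1234", code, now))
    print("replay:   ", server.authenticate("alice", "1234", code, now))
    print("next min: ", server.authenticate("alice", "1234", code, now + 60))
```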
There are two broad objectives in securing a router, namely:

• Protecting the router itself
• Using the router to protect the rest of the network

Protecting the routers

The following approaches can be taken:

• Keep the router software current. This could be a formidable task, especially for managers who maintain a large routed network and are likely to be faced with the prospect of updating code on hundreds of devices. It is, however, essential, since operating routers on current code is a substantial step toward protecting them from attack and properly maintaining security on a network. In addition, new updated software revisions often provide improved performance, offering more leeway to address security concerns without bringing network traffic to a halt
• It is imperative for network managers to keep current on release notes and vendor bulletins. Release notes are a good source of information and enable network managers to determine whether or not a fix is applicable to their organization. In the case of a detected vulnerability in the software for a particular router, CERT advisories and vendor bulletins often provide workarounds to minimize risk until a solution to the problem has been found
• Verify that the network manager’s password is strong and make sure the password is changed periodically and distributed as safely and minimally as possible. More important, verify that all non-supervisory level accounts are password protected, to prevent unauthorized users from reading the router’s configuration information
• Allow TELNET access to the router only from specific IP addresses
• Authenticate any routing protocol possible
• From a security perspective, SNMP is a poor protocol to use. However, it does aid in managing the network.
Defining a limited set of authorized SNMP management stations is always prudent

Protecting the network

• Logging. Logging the actions of the router can assist in completing the overall picture of the condition of the network. The ideal solution is to keep one copy of the log on the router as well as one on a remote logging facility, such as syslog, since an attacker could potentially fill the router’s limited internal log storage to erase details of the attack. With only remote storage, though, the attacker need only disrupt the logging service to prevent events from being recorded
• Access control lists (ACLs). ACLs allow the router to reject or pass packets based on TCP port number, IP source address or IP destination address. Traffic control can be accomplished on the basis of (a) implicit permission, which means only traffic not specifically prohibited will be passed through, or (b) implicit denial, which means that all traffic not specifically allowed will be denied

Firewalls

Routers can be used to block unwanted traffic and therefore act as a first line of defense against unwanted network traffic, thereby performing basic firewall functions. It must, however, be kept in mind that they were developed for a different purpose, namely routing, and that their ability to assist in protecting the network is just an additional advantage. Routers, however sophisticated, generally do not make particularly intricate decisions about the content or source of a data packet. For this reason network managers have to resort to dedicated firewalls. Firewalls are designed to sit on the boundary between an intranet and the rest of the world, monitoring both incoming and outgoing traffic, allowing only specific incoming and outgoing packets to pass and rejecting all other packets. This is not such an impossible task, since all TCP/IP communication is based on a port number contained in the TCP header.
On the basis of the port number, a firewall can be instructed about who can transmit data, to what port they can transmit, and what sort of incoming connections are allowed on the network. One firewall is usually sufficient, but since a firewall only guards against attacks ‘from the other side’ and not from within, several of them might have to be deployed internally within an intranet if information on a particular part or ‘region’ has to be secured against other parts of the organization.

Firewalls are implemented in two ways – hardware-based and software-based. Hardware-based firewalls are dedicated self-contained ‘firewalls in boxes’, and are generally faster albeit more expensive. On the other hand, software firewalls are implemented with firewall software on individual hosts. This solution is generally less costly, but slower. Apart from the way they are implemented (i.e. hardware or software), firewalls can also be divided into two distinct types. The two most common types are packet filtering firewalls (also referred to as network layer firewalls) and application layer firewalls.

Network layer firewalls

Network layer firewalls deal mostly with routing rules. In other words, when a packet of data arrives at the firewall, it checks to see where the packet came from, where it is going, what it is used for, and then decides whether or not it is authorized. It monitors the actual content of data streams and the services exchanging these streams, while also checking for IP or DNS (domain name service) spoofing. The most distinguishing feature of a network layer firewall is its ability to allow IP traffic to pass through it. Network layer firewalls are almost completely transparent and anyone using the intranet will, generally, not even be aware of their presence. Unfortunately, this means that the intranet is probably going to need an assigned IP address block, which can be difficult to obtain.
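Router ACLs (under Protecting the network above) and port-based firewall filtering both come down to the same matching logic, so this one added example, not from the book, serves both passages: it evaluates a small constructed rule set over sample packets under implicit denial and under implicit permission, making visible what the choice of default lets through. All addresses, ports and rules are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"          # CIDR; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


def evaluate(rules: List[Rule], packet: Packet, default: str = "deny") -> str:
    """First matching rule wins, as on a router ACL. `default` is the implicit
    rule applied when nothing matches: "deny" (implicit denial, everything not
    allowed is dropped) or "permit" (implicit permission, everything not
    prohibited passes)."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


# Constructed rule set for a perimeter router: mail in to the mail server,
# web in to the web server, and an explicit ban on inbound TELNET.
RULES = [
    Rule("permit", dst="192.0.2.10/32", proto="tcp", dport=25),
    Rule("permit", dst="192.0.2.20/32", proto="tcp", dport=80),
    Rule("deny", proto="tcp", dport=23),
]

# Constructed sample traffic arriving from the outside (198.51.100.9).
PACKETS = [
    Packet("198.51.100.9", "192.0.2.10", "tcp", 25),    # SMTP to mail server
    Packet("198.51.100.9", "192.0.2.20", "tcp", 80),    # HTTP to web server
    Packet("198.51.100.9", "192.0.2.30", "tcp", 23),    # TELNET to a host
    Packet("198.51.100.9", "192.0.2.30", "udp", 161),   # SNMP, never listed
]


def decisions(default: str) -> List[str]:
    """Verdict for each sample packet under the given implicit policy."""
    return [evaluate(RULES, p, default) for p in PACKETS]


if __name__ == "__main__":
    # The unlisted SNMP probe is the packet whose fate the default decides.
    for policy in ("deny", "permit"):
        print(f"implicit {policy}:", decisions(policy))
```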
These routers employ several advanced techniques, including dynamic IP address allocation, sequence number scrambling, DMZ (de-militarized zoning) and ‘strikeback’. These techniques will now be discussed briefly in order to facilitate a better understanding of how these devices operate.

Dynamic IP address allocation

This is also known as network address translation or NAT. With NAT, the private IP addresses of machines inside the network are hidden from the outside world. They therefore need not be registered, and can be assigned by the system administrator. The firewall, on the other hand, has a built-in set of legitimate IP addresses, which are typically contained within one class C address.

An outward-bound packet sent by a host inside the intranet follows a default route to the inside interface of the firewall. Upon receipt of the outbound packet, the firewall extracts the host’s source addresses (MAC and IP) and replaces them with its own MAC address and a globally unique IP number from the firewall’s pool of available IP addresses. The packet therefore seems to originate from the firewall. Since the difference between the original and translated versions of the packet is known, the checksums are updated with a simple adjustment rather than a complete recalculation, which saves time.

Since it seems, to the outside world, as if the message has originated from the firewall, any returned messages would be routed back to the firewall. The firewall inspects returning packets, and once it is satisfied with their legitimacy, it strips the allocated IP address, returns it to the available pool of IP addresses, and restores the IP and MAC addresses of the original sender before sending it off to the originating host. After a user-configurable timeout period during which there have been no returned packets for a particular address mapping, the firewall removes the entry, freeing the global address for use by another inside host.
This is done so that a particular IP address will not be tied up indefinitely in the case of a packet getting lost along the way.

TCP sequence number randomization

Dynamic IP address allocation, while secure, is not port-specific and relies on a simple configuration table to track removed addresses. As a result, it does not provide absolute security, because a spoofer could, theoretically, initiate a packet from outside the network.
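The dynamic IP address allocation section above, as an added example that is not from the book: a pool-based NAT table with the idle timeout, plus the source-address rewrite of an IPv4 header using the incremental checksum adjustment of RFC 1624 instead of a full recalculation. Addresses are constructed documentation ranges, only the IP header is modelled (the MAC rewrite is left out), and `checksum_ok` does the full recomputation a receiver would do to show that the adjusted value agrees with it.

```python
import ipaddress
import struct


def ip_checksum(header: bytes) -> int:
    """Internet checksum (RFC 1071) over an IPv4 header whose checksum field is zero."""
    total = sum(struct.unpack(">%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def adjust_checksum(old_csum: int, old_words, new_words) -> int:
    """Incremental update (RFC 1624): HC' = ~(~HC + ~m + m'), summing only the
    16-bit words that changed. This is the 'simple adjustment' rather than a
    full recalculation that the text describes."""
    total = (~old_csum) & 0xFFFF
    total += sum((~m) & 0xFFFF for m in old_words) + sum(new_words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(hdr: bytes) -> bool:
    """What a receiver does: recompute over the header with the field zeroed."""
    stored = struct.unpack(">H", hdr[10:12])[0]
    return ip_checksum(hdr[:10] + b"\x00\x00" + hdr[12:]) == stored


def build_ipv4_header(src: str, dst: str, length: int = 40) -> bytes:
    """Minimal 20-byte IPv4 header (no options), TTL 64, protocol TCP."""
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, length, 0x1234, 0x4000, 64, 6, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack(">H", ip_checksum(hdr)) + hdr[12:]


def rewrite_source(hdr: bytes, new_src: str) -> bytes:
    """Replace the source address (bytes 12-15) and patch the checksum in place."""
    old_csum = struct.unpack(">H", hdr[10:12])[0]
    new_bytes = ipaddress.IPv4Address(new_src).packed
    csum = adjust_checksum(old_csum, struct.unpack(">HH", hdr[12:16]),
                           struct.unpack(">HH", new_bytes))
    return hdr[:10] + struct.pack(">H", csum) + new_bytes + hdr[16:]


class NatTable:
    """Pool-based dynamic NAT: one global address per active inside host,
    released once the mapping has seen no traffic for `idle_timeout` seconds."""

    def __init__(self, pool, idle_timeout: float):
        self.free = list(pool)          # global addresses not in use
        self.idle_timeout = idle_timeout
        self.out = {}                   # inside ip -> [global ip, last activity]
        self.back = {}                  # global ip -> inside ip

    def outbound(self, inside_ip: str, now: float):
        """Translate an outgoing packet; None means the pool is exhausted."""
        entry = self.out.get(inside_ip)
        if entry is None:
            if not self.free:
                return None
            entry = self.out[inside_ip] = [self.free.pop(0), now]
            self.back[entry[0]] = inside_ip
        entry[1] = now
        return entry[0]

    def inbound(self, global_ip: str, now: float):
        """Map a returning packet back; None means no mapping, so it is dropped."""
        inside = self.back.get(global_ip)
        if inside is not None:
            self.out[inside][1] = now
        return inside

    def expire(self, now: float):
        """Free mappings idle for the timeout; returns the released addresses."""
        freed = [g for g, last in self.out.values() if now - last >= self.idle_timeout]
        for g in freed:
            inside = self.back.pop(g)
            del self.out[inside]
            self.free.append(g)
        return freed
```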