
Practical TCP/IP and Ethernet Networking- P49 pps


 6XGIZOIGR:)6/6GTJ+ZNKXTKZ4KZ]UXQOTM   that travels with a signal coming back through the configuration table; thus obtaining all addresses. To remove this potential weakness of dynamic IP address allocation, firewalls can track the TCP sequence numbers and port numbers of originating TCP/IP connections. In order for spoofers to penetrate the firewall to reach an end server, they would need not only the IP address, but the port number and TCP sequence numbers as well. To minimize the possibility of unauthorized network penetration, some firewalls also support sequence number randomization, a process that prevents potential IP address spoofing attacks, as described in a Security Advisory (CA-95:01) from the Computer Emergency Response Team (CERT). Essentially, this advisory proposes to randomize TCP sequence numbers in order to prevent spoofers from deciphering these numbers and then hijacking sessions. By using a randomizing algorithm to generate TCP sequence numbers, the firewall then makes this spoofing process extremely difficult, if not impossible. In fact, the only accesses that can occur through this type of firewall are those made from designated servers, which network administrators configure with a dedicated ‘conduit’ through the firewall to a specific server – and that server alone. *3@YJKSOROZGXO`KJ`UTKY Most firewalls have two ports, one connected to the intranet and the other to the outside world. The problem arises: on which side does one place a particular (e.g. WWW, FTP or any other application) server? On either side of the firewall the server is exposed to attacks, either from insiders or from outsiders. In order to address this problem, some firewalls have a third port, protected from both the other ports, leading to a so-called DMZ or de-militarized zone. A server attached to this port is protected from attacks, both from inside and outside. 
9ZXOQKHGIQOTZX[JKXXKYVUTYK Some firewalls have a so-called intruder response function. If an attack is detected or an alarm is triggered, it collects data on the attackers, their source, and the route they are using to attack the system. They can also be programmed to automatically print these results, e-mail them to the designated person, or initiate a real-time response via SNAP or a pager. Some firewalls will even send out a global distress call to all its peers (from the same manufacturer) and inform them of the origin of the attack. Although the actual attacker may be incognito, the router of his ISP is not, and can easily be traced. All the firewalls then start pinging the ISP’s router ‘to death’ to slow it down or disable it. 'VVROIGZOUTRG_KXLOXK]GRRY Application layer firewalls generally are hosts running proxy servers, and perform basically the same function as network layer firewalls, although in a slightly different way. Basically, an application layer firewall acts as an ambassador for a LAN or intranet connected to the Internet. Proxies tend to perform elaborate logging and auditing of all the network traffic intended to pass between the LAN and the outside world, and can cache (store) information such as web pages so that the client accesses it internally rather than directly from the Web. A proxy server or application layer firewall will be the only Internet connected machine on the LAN. The rest of the machines on the LAN have to connect to the Internet via the proxy server, and for them Internet connectivity is just simulated. Because no other machines on the network are connected to the Internet, a valid IP address is not needed for every machine. Application layer firewalls are very effective for small office environments that are connected with a leased line and do not have allocated 9KI[XOZ_IUTYOJKXGZOUTY   IP address blocks. 
They can even perform a dial-up connection on behalf of a LAN, and manage e-mail and any other Internet requests. They do, however, have some drawbacks. Since all hosts on the network have to access the outside world via the proxy, any machine on the network that requires Internet access usually needs to be configured for the proxy. A proxy server hardly ever functions at a level completely transparent to the users. Furthermore, a proxy has to provide all the services that a user on the LAN uses, which means that there is a lot of server-type software running for each request. This results in slower performance than that of a network layer firewall.

Other types of firewalls

Stateful inspection firewalls are becoming very popular. They are software firewalls that run on individual hosts, monitor the state of every active network connection on that host and, based on this information, determine which packets to accept or reject. This is an active process that does not rely on any static rules. Generally speaking, this is one of the easiest firewalls to configure or use.

Intrusion detection systems (IDS)

Intrusion detection is a new technology that enables network and security administrators to detect patterns of misuse within the context of their network traffic. IDS is a growing field and there are several excellent intrusion detection systems available today, not just traffic monitoring devices. These systems are capable of centralized configuration management, alarm reporting, and attack info logging from many remote IDS sensors. IDS systems are intended to be used in conjunction with firewalls and other filtering devices, not as the only defence against attacks.

There are two ways that intrusion detection is implemented in the industry today: host-based systems and network-based systems.
 .UYZHGYKJ/*9 Host-based intrusion detection systems use information from the operating system audit records to watch all operations occurring on the host on which the intrusion detection software has been installed. These operations are then compared with a pre-defined security policy. This analysis of the audit trail, however, imposes potentially significant overhead requirements on the system because of the increased amount of processing power required by the intrusion detection software. Depending on the size of the audit trail and the processing power of the system, the review of audit data could result in the loss of a real-time analysis capability.  4KZ]UXQHGYKJ/*9 Network-based intrusion detection, on the other hand, is performed by dedicated devices (probes) that are attached to the network at several points and passively monitor network activity for indications of attacks. Network monitoring offers several advantages over host-based intrusion detection systems. Because intrusions might occur at many possible points over a network, this technique is an excellent method of detecting attacks which may be missed by host-based intrusion detection mechanisms. The greatest advantage of network monitoring mechanisms is their independence from reliance on audit data (logs). Because these methods do not require input from any  6XGIZOIGR:)6/6GTJ+ZNKXTKZ4KZ]UXQOTM   operating system’s audit trail they can use standard network protocols to monitor heterogeneous sets of operating systems and hosts. Independence from audit trails also frees network-monitoring systems from possessing an inherent weakness caused by the vulnerability of the audit trail to attack. Intruder actions, which interfere with audit functions or which modify audit data can lead to the prevention of intrusion detection or the inability to identify the nature of an attack. 
Network monitors are able to avoid attracting the attention of intruders by passively observing network activity and reporting unusual occurrences. Another significant advantage of detecting intrusions without relying on audit data is the improvement in system performance that results from removing the overhead imposed by the analysis of audit trails. In addition, techniques that move audit data across network connections reduce the bandwidth available to other functions.

Security management

Certification

Certification is the process of proving that the performance of a particular piece of equipment conforms to the laid-down policies and specifications. Whereas this is easy in the case of electrical wiring and wall sockets, where Underwriters’ Laboratory can certify the product, it is a different case with networks, where no official bodies and/or guidelines exist. If one needs a certified network security solution, there are only two options:

• Trusting someone else’s assumptions about one’s network
• Certifying it oneself

It is possible to certify a network by oneself. This exercise will demand some time but will leave the certifier with a deeper knowledge of how the system operates. The following are needed for self-certification:

• A company policy that favors security
• A security policy (see next section)
• Some basic knowledge of TCP/IP networking
• Access to the Web
• Time

To simplify this discussion, we will assume we are certifying a firewall configuration. Let us look at each individually.

A company policy that favors security

One of the biggest weaknesses in security practice is the large number of cases in which a formal vulnerability analysis finds a hole that simply cannot be fixed. Often the causes are a combination of existing network conditions, office politics, budgetary constraints, or lack of management support.
Regardless of who is doing the analysis, management needs to clear up the political or budgetary obstacles that might prevent implementation of security.

Security considerations

Security policy

In this case, ‘policy’ means the access control rules that the network security product is intended to enforce. In the case of the firewall, the policy should list:

• The core services that are being permitted back and forth
• The systems to which those services are permitted
• The necessary controls on the service, either technical or behavioral
• The security impact of the service
• Assumptions that the service places on destination systems

Basic TCP/IP knowledge

Many firewalls expose details of TCP/IP application behavior to the end user. Unfortunately, there have been cases where individuals bought firewalls and took advantage of the firewall’s easy ‘point and click’ interface, believing they were safe because they had a firewall. One needs to understand how each service to be allowed in and out operates, in order to make an informed decision about whether or not to permit it.

Access to the Web

When starting to certify components of a system, one will need to research existing holes in the version of the components to be deployed. The Web, and its search engines, are an invaluable tool for finding vendor-provided information about vulnerabilities, hacker-provided information about vulnerabilities, and wild rumors that are totally inaccurate. Once the certification process has been deployed, researching the components will be a periodic maintenance effort.

Time

Research takes time, and management needs to support this and to invest the time necessary to do the job right. Depending on the size/complexity of the security system in question, one could be looking at anything between a day’s work and several weeks.

Information security policies

The ultimate reason for having security policies is to save money.
This is accomplished by:

• Minimizing cost of security incidents; accelerating development of new application systems
• Justifying additional amounts for information security budgets
• Establishing definitive reference points for audits

In the process of developing a corporate security consciousness, one will, amongst other things, have to:

• Educate and train staff to become more security conscious
• Generate credibility and visibility of the information security effort by visibly driving the process from a top management level
• Assure consistent product selection and implementation
• Coordinate the activities of internal decentralized groups

Corporate security policies are not limited to minimizing the possibility of internal and external intrusions; they also serve to:

• Maintain trade secret protection for information assets
• Arrange contractual obligations needed for legal action
• Establish a basis for disciplinary actions
• Demonstrate quality control processes, for example ISO 9000 compliance

The topics covered in the security policy document should, for example, include:

• Web pages
• Firewalls
• Electronic commerce
• Computer viruses
• Contingency planning
• Internet usage
• Computer emergency response teams
• Local area networks
• Electronic mail
• Telecommuting
• Portable computers
• Privacy issues
• Outsourcing security functions
• Employee surveillance
• Digital signatures
• Encryption
• Logging controls
• Intranets
• Microcomputers
• Password selection
• Data classification
• Telephone systems
• User training

In the process of implementing security policies, one need not re-invent the wheel. Products such as Information Security Policies Made Easy are available as a hardcopy book and CD-ROM. By using a word processing package, one can generate or update a professional policy statement in a couple of days.
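For the self-certification of a firewall configuration described under ‘Certification’ and ‘Security policy’ above, one way to compare a written policy with the rules actually loaded, as an added example that is not from the book. The record layout, field names, services and addresses are constructed for illustration; the five required fields mirror the five items the text says a firewall policy should list.

```python
# The five items the text says a firewall policy should list, as field names (assumed).
REQUIRED = ("service", "systems", "controls", "impact", "assumptions")

# Constructed sample policy (documentation addresses, hypothetical services).
POLICY = [
    {"service": "smtp", "proto": "tcp", "port": 25, "systems": ["192.0.2.25"],
     "controls": "relay for local domains only", "impact": "inbound mail exposure",
     "assumptions": "mail host is patched and hardened"},
    {"service": "http", "proto": "tcp", "port": 80, "systems": ["192.0.2.80"],
     "controls": "", "impact": "public web content",
     "assumptions": "static pages only"},
]

# Constructed sample rule set in a hypothetical export format.
RULES = [
    {"action": "permit", "proto": "tcp", "dst": "192.0.2.25", "port": 25},
    {"action": "permit", "proto": "tcp", "dst": "192.0.2.80", "port": 80},
    {"action": "permit", "proto": "tcp", "dst": "192.0.2.80", "port": 23},
    {"action": "deny", "proto": "tcp", "dst": "192.0.2.25", "port": 110},
]


def audit(policy, rules):
    """Return (kind, detail) findings from comparing the rules with the written policy."""
    findings = []
    # 1. Every policy entry must document all five items.
    for entry in policy:
        missing = [f for f in REQUIRED if not entry.get(f)]
        if missing:
            findings.append(("incomplete-policy",
                             f"{entry.get('service')}: missing {', '.join(missing)}"))
    # 2. Every permitted flow must be backed by policy, and every policy flow must exist.
    allowed = {(e["proto"], host, e["port"]) for e in policy for host in e["systems"]}
    permitted = {(r["proto"], r["dst"], r["port"])
                 for r in rules if r["action"] == "permit"}
    for flow in sorted(permitted - allowed):
        findings.append(("rule-without-policy", "%s %s:%s" % flow))
    for flow in sorted(allowed - permitted):
        findings.append(("policy-not-implemented", "%s %s:%s" % flow))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(POLICY, RULES):
        print(f"{kind:24} {detail}")
```

On the sample data the audit reports the undocumented controls for the web service and the permit rule for port 23 that no policy entry covers.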
 9KI[XOZ_GJ\OYUX_YKX\OIKY There are several security advisory services available to the systems administrator. This section will deal with only three of them, as examples. 3OIXUYULZ All software vendors issue security advisories from time to time, warning users about possible vulnerabilities in their software. A particular case in point is Microsoft’s advisory regarding the Word97 template security, which was issued on 19 January 1999. This weakness was exploited by a devious party who subsequently devised the Melissa virus. See Section 14.6 for a Web address.  . numbers and port numbers of originating TCP/IP connections. In order for spoofers to penetrate the firewall to reach an end server, they would need not only the IP address, but the port number and. Essentially, this advisory proposes to randomize TCP sequence numbers in order to prevent spoofers from deciphering these numbers and then hijacking sessions. By using a randomizing algorithm to generate. Internet. Proxies tend to perform elaborate logging and auditing of all the network traffic intended to pass between the LAN and the outside world, and can cache (store) information such as web

Date posted: 04/07/2014, 08:21
