~/.rhosts
The ~/.rhosts file can be used to allow remote access to a system and is sometimes used by intruders to create easy backdoors into a system. If this file has recently been modified, examine it for evidence of tampering. Initially and periodically verify that the remote host and user names in the files are consistent with local user access requirements. View with extreme caution a “+” entry; this allows users from any host to access the local system. An older vulnerability is systems set up with a single “+” in the /etc/hosts.equiv file. This allows any other system to log in to your system. The “+” should be replaced with specific system names. Note, however, that an intruder cannot gain root access through /etc/rhosts entries.

~/ftp Files
Directories which can be written to by anonymous FTP users are commonly used for storing and exchanging intruder files. Do not allow the user “ftp” to own any directories or files.

System Executables in User Directories
Copies of what may appear to be system executables in user directories may actually be an attempt to conceal malicious software. For example, recent attacks have made use of binaries called “vi” and “sed”, two commonly used Unix utilities. However, these particular binaries were actually renamed intrusion software files, designed to scan systems for weaknesses. System binaries found in unusual locations may be compared to the actual executable using the “cmp” command:

Determining if System Executables Have Been Trojaned
SPI or Tripwire must be set up before an exposure in order to determine if your system executables have been Trojaned. Use your CD-ROM to make sure you have a good copy of all your system executables, then run the above-mentioned products according to the instructions that accompany them to create a basis for later comparison. Periodically, run SPI or Tripwire to detect any modification of the system executables.

/etc/inetd.conf
Print a baseline listing of this file for comparison. Look for new services.

/etc/aliases
Look for unusual aliases and those that redirect E-mail to unlikely places. Look for suspicious commands.

cron
Look for new entries in cron tab, especially root’s. Look at each user’s table.

/etc/rc*
Look for additions to install or reinstall backdoors or sniffer programs. Use SPI or Tripwire to detect changes to files.

NFS Exports
Use the “showmount -a” command to find users that have file systems mounted. Check the /etc/exports (or equivalent) file for modifications. Run SPI or Tripwire to detect changes.

Changes to Critical Binaries
Run SPI or Tripwire initially and then periodically. Use the “ls -lc” command to determine if there have been inappropriate changes to these files. Note that the change time displayed by the “ls -lc” command can be changed and the command itself can be Trojaned.

Section References:
Pichnarczyk, Karen, Weeber, Steve & Feingold, Richard. “Unix Incident Guide: How to Detect an Intrusion CIAC-2305 R.1”. CIAC, Department of Energy. December 1994.

Appendix A: How Most Firewalls are Configured
All firewalls from any vendor that will be providing Internet firewall facilities require a routed connection to the Internet to provide traffic flow between the Internet and in-house network facilities. There is usually more than one router involved in such connections. With some effort, connections are successful but usually difficult to monitor and manage.
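The file checks from the Unix incident guide section above (wildcard “+” trust entries, anything owned by the anonymous-FTP user, utility look-alikes in home directories compared with cmp, and new services against an inetd.conf baseline) as a set of runnable shell helpers. This is an added example, not code from the CIAC guide or from this book; it assumes a POSIX sh with grep, find, cmp and mktemp, and the sample tree it builds (a hosts.equiv, a .rhosts, a renamed “sed”, an inetd.conf and its baseline) is constructed data, not taken from any real system.

```shell
#!/bin/sh
# Added example, not code from the CIAC guide or this book: shell helpers for
# the file checks discussed above (wildcard "+" trust entries, anything owned by
# the anonymous-FTP user, utility look-alikes in home directories compared with
# cmp, and new services against an inetd.conf baseline). Every function takes
# explicit paths, so the checks can be pointed at a constructed sample tree
# instead of a live system.

# Count lines in a hosts.equiv or .rhosts style file that grant wildcard
# access: a bare "+" or a "+" as the host or user field. Comment lines are
# ignored; netgroup forms such as "+@name" are not treated as wildcards here.
count_wildcard_trust_entries() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -v '^[[:space:]]*#' "$1" \
        | grep -c -E '(^|[[:space:]])\+([[:space:]]|$)' || true
}

# Count files and directories under $1 owned by user $2 (name or numeric uid).
# On a live system run it with "ftp"; the guide says that user must own nothing.
# If the user does not exist, find reports an error and the count is 0.
count_files_owned_by() {
    find "$1" -user "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Compare a suspect file against the system executable of the same name with
# cmp. The reference is $2 if given, otherwise whatever "command -v" resolves.
# Prints one of: identical, differs, no-system-copy.
compare_with_system_binary() {
    f=$1
    if [ -n "${2:-}" ]; then
        ref=$2
    else
        ref=$(command -v "$(basename -- "$f")" 2>/dev/null || true)
    fi
    [ -n "$ref" ] && [ -f "$ref" ] || { echo no-system-copy; return 0; }
    if cmp -s "$f" "$ref"; then echo identical; else echo differs; fi
}

# Walk the home directories under $1 for files named like commonly abused
# utilities and report each one. $2 optionally names a directory holding the
# known-good copies (e.g. a mounted CD-ROM); otherwise the PATH copy is used.
scan_homes_for_utility_copies() {
    homeroot=$1; refdir=${2:-}
    for name in vi sed ls ps netstat login; do
        find "$homeroot" -type f -name "$name" 2>/dev/null | while IFS= read -r f; do
            if [ -n "$refdir" ]; then
                echo "$f: $(compare_with_system_binary "$f" "$refdir/$name")"
            else
                echo "$f: $(compare_with_system_binary "$f")"
            fi
        done
    done
}

# Print non-comment lines present in the current inetd.conf ($2) but absent
# from the baseline listing ($1): the candidate new services.
new_inetd_services() {
    grep -v -E '^[[:space:]]*(#|$)' "$2" | grep -v -x -F -f "$1" || true
}

# Build a constructed sample tree (hypothetical data, not a real system) with
# one wildcard entry, one "sed" look-alike and one service added after the
# baseline was taken. Prints the tree's root directory.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/home/alice/bin" "$root/usr/bin"
    printf 'hosta joe\n+\n# comment\nhostb +\n' > "$root/etc/hosts.equiv"
    printf 'trusted.example.com alice\n' > "$root/home/alice/.rhosts"
    printf '#!/bin/sh\necho the real sed\n' > "$root/usr/bin/sed"
    printf '#!/bin/sh\necho renamed scanner\n' > "$root/home/alice/bin/sed"
    printf 'ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n' > "$root/etc/inetd.conf.baseline"
    printf 'telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n' >> "$root/etc/inetd.conf.baseline"
    cp "$root/etc/inetd.conf.baseline" "$root/etc/inetd.conf"
    printf '# added later\nshell stream tcp nowait root /usr/sbin/tcpd in.rshd\n' >> "$root/etc/inetd.conf"
    echo "$root"
}

main() {
    root=$(build_sample_tree)
    echo "wildcard trust entries in hosts.equiv: $(count_wildcard_trust_entries "$root/etc/hosts.equiv")"
    echo "entries under the sample tree owned by uid $(id -u): $(count_files_owned_by "$root" "$(id -u)")"
    echo "utility look-alikes in home directories:"
    scan_homes_for_utility_copies "$root/home" "$root/usr/bin"
    echo "services not in the inetd.conf baseline:"
    new_inetd_services "$root/etc/inetd.conf.baseline" "$root/etc/inetd.conf"
    rm -rf "$root"
}
main
```

Run as-is to see the checks on the sample tree. On a real host the same functions can be pointed at /etc/hosts.equiv and each user’s ~/.rhosts, at the home directories with a mounted CD-ROM as the reference directory for the cmp comparison, and at a copy of inetd.conf saved earlier as the baseline listing, which is how the guide recommends these comparisons be made.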
A typical set-up with an Internet Service Provider where a firewall is configured in the network is set up as follows:

[Diagram: Internet (A) - CSU/DSU (B) - IP Router (C) - Ethernet/802.3 (D) - Firewall System (E) - Ethernet/802.3 (F) - Trusted Network Hub (G)]

In the above diagram, the network and firewall connection parts are as follows:
a) Internet connection provided by an Internet Service Provider (ISP)
b) A CSU/DSU interface to the telephone drop from the local equipment company (LEC)
c) A router system to connect to the ISP’s router connection to the Internet
d) An Ethernet/802.3 or Token Ring/802.5 UTP connection from the router to the firewall
e) A “dual-homed gateway” firewall system with two LAN controllers (in this diagram, two Ethernet/802.3 connections are provided)
f) An Ethernet/802.3 UTP connection from the firewall to the internal network
g) An internal network configuration. In this case, a simple stacked hub architecture (e.g. Cabletron Mini-MAC)

The above is an illustration of a typical, but simple, network configuration between a customer network and the Internet where information provision (e.g. a Web Site) will not be used.

Using a Router as a “Screen”
One of the more popular configurations of a “firewall” is to use an external router as the singular security facility between an untrusted network (e.g. Internet) and the internal, trusted network. This configuration is called a “screening router” set-up. A typical configuration is as follows:

[Diagram: Internet (A) - CSU/DSU (B) - IP Router (C) - Ethernet/802.3 (D) - Trusted Network Hub (E)]

The network configuration for a “screening router” is as follows:
a) Internet connection provided by an Internet Service Provider (ISP)
b) A CSU/DSU interface to the telephone drop from the local equipment company (LEC)
c) A router system to connect to the ISP’s router connection to the Internet. On this router, there are a variety of “filter” rules, which provide some level of security between the trusted internal network and the untrusted Internet connection.
d) An Ethernet/802.3 or Token Ring/802.5 UTP connection from the router to the internal network
e) An internal network configuration. In this case, a simple stacked hub architecture (e.g. Cabletron Mini-MAC)

While the router is a required part of the network connection, there are some definitive problems with using screening routers as the only network security interface to an untrusted network, including:
• Configuration of filters and security facilities in the router may be difficult to accomplish, and knowledge about the intricacies of routing is required to do it correctly.
• There usually is little or no auditing or logging of traffic and security information, as most routers are diskless in nature and have no easy way to get information to secondary (disk) storage. Further, routers are built to route and not necessarily to handle logging of network traffic.
• It can be quite difficult for the network and security managers to get information out of the router on the paths and security rule base that was implemented.
• Adding authentication is difficult, time consuming and expensive even if the router vendor supports such functions.
• Sessions from other parts of the network may be “tunneled” on top of each other and, therefore, non-filterable by the router itself.
• There is usually a user demand to open up features in a router that are not screenable by the router and therefore put the network (trusted side) at risk.
• Any bug in the router’s operating environment may not be detected and can compromise the network’s security (there are numerous CERT and CIAC alerts about router bugs and security issues over the years).
• Routers can be “spoofed” with some types of IP header options that would cause the router to believe that an external packet “looks” like an internal packet to the router tables.
• Over time, multiple connections on the router usually do not get the same security screening rules.
This means that one path through the router may not have the same security facilities as another, and this may allow alternate paths to compromise the security of the router.
• Routers are configured to route. Enabling any filtering facility in a router will degrade the router’s performance. As more filters are added, the router’s performance may degrade to a totally unacceptable performance level for traffic. As a result, many sites opt to remove necessary filtering for security to gain performance and end up compromising trusted network security and integrity.

Using a router on a network connection is a normal, essential function. Relying on the router as the only screen for security facilities is dangerous.

Appendix B: Basic Cost Factors of Firewall Ownership
The following 20 base factors comprise the basic costing issues in the ownership of firewall products:

1. Firewall requirements analysis prior to vendor selection. This phase involves the technology assessment issues a company must go through to determine the threat to the corporate information structures, the risk of loss that would be associated with a connection that is unprotected, the risk of loss that could happen if the connection is breached, the known corporate information resources that must be protected and their relative priorities of protection categories, corporate security policies and procedures as related to any external network connection, corporate audit measurement and adherence requirements, technical details on what facilities are on-line and are threatened, etc.

2. Corporate decisions on exactly what security policies need to be in place in any firewall to satisfy the corporate security requirements as defined in the initial needs analysis. This step is crucial to properly identifying to the firewall vendor WHAT the firewall will be programmed to protect. The vendors will need this list to identify if their product can provide the levels of protection required by the corporate need.

3. Vendor product evaluation to determine a list of finalist vendors. Typically, a corporate committee will be appointed to evaluate vendor offerings vis-a-vis the corporate firewall requirements list. In this stage of costing, the meeting with vendors and selection of, typically, no more than five finalists for the firewall product set is completed.

4. Evaluation of finalist vendors. This costing factor involves the testing and technical evaluation of the firewall vendor finalists to ensure that the selected vendor products can really provide the required corporate security services in the firewall product, that the product meets quality and management standards as defined in the requirement definition phase, that the firewall product(s) function as advertised by discussing the product with existing customers, that the firewall product performs technically as expected and provides required throughput to solve the firewall connectivity requirements, and that the vendors meet corporate requirements of technical support, maintenance and other requirements that may have been defined.

5. Selection of a vendor’s product. This phase involves the selection of a vendor and the political jostling that always takes place just prior to a decision in a corporate culture.

6. Acquisition of hardware/software and basic set-up effort. In this costing phase, the basic hardware, system software, firewall software and layered/additional products are acquired, configured and set up so that security policies may be later added. Items would also include basic system management (backup/restore, system tuning, system and network management tool set-up, system/network management account set-up, etc.), network hardware interconnection and set-up (router installation, service acquisition from the Internet feed provider, cabinet and cable installation, power hook-up, basic hardware configuration and activation, etc.), etc.

7. Training on the creation/definition/management of security policies for the selected firewall. If the company intends to properly manage and maintain the firewall product set, training must be supplied to the technical staff which will be installing and maintaining the firewall facilities. If the staff is not familiar with technical aspects of firewall technologies, then additional training on firewall concepts, network security concepts, advanced network security technologies and security management must be undertaken. Failure to provide adequate training on the firewall product will result in a much higher manpower costing factor for in-house personnel as well as a higher consultation costing factor due to the recurring need to secure outside help to make modifications to the firewall facilities to satisfy corporate needs as time goes on.

8. Definition and installation of security policies for the firewall. Using the requirements definitions, security filters are created that mirror the security requirements for use of the network connection that is provided via the firewall facilities. How long this phase takes depends heavily on the training provided to in-house personnel or the expertise in the system and firewall product set for the consultant(s) hired to implement the security policy filter baseline. There can be a very wide variance in manpower requirement from product to product.

9. Testing of the firewall with the security policies installed. This phase of costing is critical to reduce corporate risk factors and to ensure that the firewall is functioning properly. Typically, the filters are fully tested by in-house or consulting personnel and then a third party is contracted to provide a penetration study to verify integrity of the firewall and proper implementation of security policies implemented as filters in the firewall product set. How much testing is required is a function of corporate risk factors, estimated usage metrics, importance of reliability and many other issues.

10. Release of the firewall connection to the user population. For a period of time, there is a requirement to provide modifications and changes to satisfy a shake-down period of user access. This is usually a higher manpower requirement than the day-to-day management function that eventually settles into corporate use.

11. Day-to-day technical management effort. This costing factor involves the typical day-to-day functions required to keep the firewall functioning properly (checking of logs, events, backup/restore, disk maintenance, etc.) as well as the modifications and additions to the security policy rule base to accommodate new users, changes of service to existing users, moves of users, readdressing issues of systems on the network, added service facilities, etc. There may also be report-writing requirements to the company to show management and maintenance of the firewall as well as disposition of serious events and problems that need to be addressed as the product is used.

12. Periodic major maintenance and upgrades. As time goes on, there will be required down-time network activities that are required to satisfy hardware and software operational needs. The hardware will need to be periodically updated with additional disk space or memory, faster processing may be required via a new processing system, additional network controllers or faster network controllers may be added to the configuration, and so on. Software-wise, the operating system may require upgrades to patch or fix problems, bug fixes and updates to the firewall software will be required, new security threats may be identified by vendors and updates to the security filters are required, etc. Further major maintenance may be required in the form of major system upgrades to support higher-speed Internet connectivity or to support multiple network feeds from Internet, customers, sister companies, etc.

13. Remedial training for technical personnel. As the systems and software are upgraded over time, the firewall software and operating environment will undergo extensive transformations to take into account new security facilities as well as new user facilities. This will require remedial training and updates to technical personnel to allow them to properly take advantage of the new facilities as well as to properly identify potential security risks and isolate them before they become problems for the company. Remedial training may also include attendance at national and international security conferences and outside training events for firewall and security efforts.

14. Investigation of infiltration attempts. As the firewall product set is used and connected to a publicly available network, chances are extremely likely that unauthorized connections will be attempted by hackers and other disreputable individuals on the network. When these infiltration attempts occur, someone within the company will be required to investigate the whys and hows of the penetration attempt, report on the attempt and help management make decisions on what to do to defeat such infiltrations in the future, as well as modify existing policies, filtering rules and other firewall functions to ensure security integrity in the firewall set-up. This effort, depending upon the visibility of the company, can be time consuming and expensive. It is labor intensive, as tools on firewalls are only one component of the investigator’s repertoire of facilities required to accomplish their mission.

15. Corporate audits. Needless to say, corporate EDP audit functionaries will require someone who understands the firewall set-up to work with them to ensure that corporate security requirements are properly implemented in the firewall facilities. For those companies without proper corporate audit expertise, an outside consultancy may be hired to evaluate the firewall set-up and operations from time to time to ensure integrity and reliability. In either case, someone familiar with the technical operations of the firewall set-up must be made available to the audit functionary, and this takes time.

16. Application additions to the network firewall connection. As the network connection via the firewall increases in popularity and criticality to corporate business, the need to add application facilities and access to remote network facilities will increase. This leads to multiple meetings between firewall management team personnel and users/application implementers who wish to add applications over the firewall facilities. This will eventually result in new security policy filters, additional firewall packet loading and other performance and labor-related functions which affect overall cost of ownership. It may also require hardware and software upgrades faster than expected due to packet or application loading increases.

17. Major outage troubleshooting. From time to time, all technological components break, and a firewall is no exception. When such outages occur, someone has to spend time defining the problem(s), finding solutions, implementing solutions and restoring the status quo ante. How much time this will take varies, but it usually is significant and intense, as the firewall becomes a locus of activity during an outage of any kind.

18. Miscellaneous firewall and network security meeting time (technical and political). This factor is a catch-all for time spent explaining the firewall facilities to interested corporate groups or management as well as functioning as a “go-between” for information on facilities available to users. This factor can be extremely time consuming and does not generate any measurable progression as a general rule. It is manpower time required to keep things running smoothly and is, therefore, a cost factor.

19. New firewall and network security technology assessment (ongoing). As the firewall lifetime progresses, the need to evaluate new threats and new technologies that defeat new threats is important. Further, additional vendor features for a particular firewall product may need to be evaluated for inclusion into the existing facilities. For instance, if a new standard for remote authentication via firewalls is added to most products, this facility will need to be evaluated for use with the existing facilities. This takes time and technical effort.

20. Application changes and network re-engineering. All applications and network components change with time on any network. Prudent engineering requires that firewall facilities be re-evaluated for any changes in application set-up or network hardware changes that could affect the integrity of the firewall facility. Again, a time-consuming effort is involved.

As can be seen, properly (and improperly) defined and installed firewalls consume a great deal of time and resources. This makes them fairly expensive resources as well as a strategic corporate resource - not a tactical one. The cost of a firewall is not the firewall itself - it is all the ancillary functions and time involved. The more the extra costs are eliminated, the better the costing solution for the customer.

[...]
[...] uncompressed files.

Computer Emergency Response Team (CERT): A formal organization operated by the Software Engineering Institute at Carnegie Mellon University and dedicated to addressing computer and network security issues. CERT also serves as a clearinghouse for identifying and resolving security “holes” in network-related software or operating systems.

Computer Network: A collection of computers and [...]

[...] Establish and Enforce a Security Policy. Develop and enforce a company-wide computer and physical security policy.
9. Employee Awareness. Ensure all employees and management are briefed regularly on security threats, policies, corrective measures and incident reporting procedures.
10. Make Use of Public Domain Security Tools. A variety of public domain security tools exist on the Internet, many of which can [...]

[...] corporate systems are protected from Internet attacks. Deploy a firewall between these systems and the Internet to guard against network scans and intrusions.
2. Obtain Security Alert Information. Subscribe to security alert mailing lists to identify potential security exposures before they become problems. CERT (Computer Emergency Response Team at Carnegie Mellon University) is a good place to start. The URL [...]

[...] responsible for erasing system data. Protect systems from computer viruses by using anti-virus software to detect and remove computer viruses.
9. Prefix Scanning. Computer hackers will be scanning company telephone numbers looking for modem lines, which they can use to gain access to internal systems. These modem lines bypass network firewalls and usually bypass most security policies. These "backdoors" can easily [...]

[...] connection-oriented, full-duplex, and point-to-point high-speed cell-switched network architecture that was created in the late 1980s/early 1990s to apply circuit switching concepts to data networks. Designed to carry data in 53-octet cells, ATM can be used to transmit data, voice and video—separately or simultaneously—over the same network path. Although not based on any specific physical layer protocol, [...]

[...] but not a flood. Loss of networking resources. Sends OOB (Out-of-Band) data to port 139 and exploits Win 3.11, Win95, Win NT 3.51 and Win NT 4.0 systems. Does not crash the system, but it causes a fatal exception requiring a reboot to regain TCP/IP (Internet) connectivity.

Appendix F: Top 10 Security Precautions
1. Firewall Sensitive Systems. Ensure corporate systems are protected from Internet attacks. Deploy [...]

[...] in a security breach.
22. Logging: The process of storing information about events that occurred on the firewall or network.
23. Log Retention: How long audit logs are retained and maintained.
24. Log Processing: How audit logs are processed, searched for key events, or summarized.
25. Network-Level Firewall: A firewall in which traffic is examined at the network protocol packet level.
26. Perimeter-based Security: [...]

[...] than three minutes to identify and compromise security. Companies can prevent this by ensuring that their systems sit behind a network firewall and any services available through this firewall are carefully monitored for potential security exposures.
2. Network File Systems (NFS) Application Attacks. Hackers attempt to exploit well-known vulnerabilities in the Network File System application, which is used [...]

[...] Recently computer hackers have been using sophisticated techniques and tools at their disposal to identify and expose vulnerabilities on Internet networks. These tools and techniques can be used to capture names and passwords, as well as compromise trusted systems through the firewall. To protect systems from this type of attack, check with computer and firewall vendors to identify possible security [...]

[...] that spreads copies of itself throughout a network. The first use of the term was applied to a program that copied itself benignly around a network, to use otherwise unused resources for distributed computation. A worm becomes a security problem when it spreads against the wishes of the system owners, and disrupts the network by overloading it.

Appendix H: Network Terms Glossary
AAL: An acronym for ATM [...]