Why Have Different Types of Firewalls?

Part of the document firewall policies and vpn configurations 2006 phần 2 potx (Pages 45 - 50)

Before we delve into what types of firewalls there are, we must understand the present threats. While there are many types of threats, we only discuss a few of them in this chapter, paying the most attention to those that can be mitigated by firewalls.

Ensuring a physically secure network environment is the first step in controlling access to your network’s data and system files; however, it is only part of a good security plan. This is truer today than in the past, because there are more ways into a network than there used to be. A medium- or large-sized network can have multiple Internet Service Providers (ISPs), virtual private network (VPN) servers, and various remote access avenues for mobile employees, including Remote Desktop, browser-based file sharing and e-mail access, mobile phones, and Personal Digital Assistants (PDAs).

Physical Security

One of the most important and overlooked aspects of a comprehensive network security plan is physical access control. This matter is usually left up to facilities managers and plant security departments, or outsourced to security guard companies.

Some network administrators concern themselves with sophisticated software and hardware solutions to prevent intruders from accessing internal computers remotely, while at the same time not protecting the servers, routers, cable, and other physical components from direct access. In too many “security-conscious” organizations, computers are locked all day, only to be left open at night for the janitorial staff. It is not uncommon for computer espionage experts to pose as members of cleaning crews to gain physical access to machines that hold sensitive data. This is a favorite ploy for several reasons:

■ Cleaning services are often contracted out and their workers are often transient, so your company’s employees might not know who is a legitimate member of the cleaning company staff.

74 Chapter 3 • Defining a Firewall

■ Cleaning is usually done late at night when all or most company employees are gone, making it easier to surreptitiously steal data.

■ The cleaning crew members are paid little attention by company employees, who take their presence for granted and think nothing of them being in areas where the presence of others would normally be questioned.

Physically breaking into a server room and stealing a hard disk where sensitive data resides is a crude method of breaching security; nonetheless, it happens. In some organizations, it may be the easiest way to gain unauthorized access, especially for an intruder who has help “on the inside.”

It is beyond the scope of this book to go into detail about how to physically secure your network, but it is important for you to make physical access control the outer perimeter of your security plan, which means:

■ Controlling physical access to the servers

■ Controlling physical access to networked workstations

■ Controlling physical access to network devices

■ Controlling physical access to the cable

■ Being aware of security considerations with wireless media

■ Being aware of security considerations related to portable computers

■ Recognizing the security risk of allowing data to be printed

■ Recognizing the security risks involving floppy disks, CDs, tapes, and other removable media

There are also different types of external intruders who will physically break into your facility to gain access to your network. Although not a true “insider,” because he or she is not authorized to be there and does not have a valid account on the network, this person still has many of the same advantages (refer to the “Internal Security Breaches” section). Your security policy should take into account the threats posed by these “hybrid” intruders. Remember, someone with physical access to your servers has complete control over your data. Someone with physical access to your authentication servers owns everything.

Network Security

Virtual intruders can access your network from across the street or from halfway around the world. They can do as much damage as a thief that breaks into your company headquarters to steal or destroy data, and are much harder to catch. The following sections examine specific network security risks and ways to prevent them.

For a number of years, firewalls were used to divide an organization’s internal network from the Internet. There was usually a demilitarized zone (DMZ), which contained less valuable resources that had to be exposed to the Internet (e.g., Web servers, VPN gateways, and so forth), and a private network that contained all of the organization’s resources (e.g., user computers, servers, printers, and so forth).


With the growth of the Internet, many organizations focused their security efforts on defending against outside attackers (i.e., those originating from an external network) who are not authorized to access the systems. Firewalls were the primary focus of these efforts. Money was spent building a strong perimeter defense, resulting in what Bill Cheswick from Bell Labs famously described years ago as “a crunchy shell around a soft, chewy center.” Any attacker who succeeded in getting through (or around) the perimeter defenses would have a relatively easy time compromising internal systems. This situation is analogous to the enemy parachuting into the castle keep instead of breaking through the walls. Perimeter defense is still vitally important, given the increased threat level from outside the network; however, it is simply no longer adequate by itself.
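To make the DMZ model and the “crunchy shell” problem concrete, the following Python snippet is an added example (not code from the book) that evaluates connection attempts against two zone policies with first-match semantics and an implicit final deny. The zone address ranges, the flows and the assumption that the web tier needs only one internal service (a database on TCP 5432) are constructed for the illustration. Like a stateful firewall, it models only connection initiation; replies to an allowed connection are taken as permitted.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed zone layout (documentation / RFC 1918 ranges, not a real network):
# the DMZ holds the exposed web tier, "internal" holds workstations and servers.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the named ranges is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

@dataclass(frozen=True)
class Rule:
    src_zone: str            # zone name or "any"
    dst_zone: str            # zone name or "any"
    proto: str               # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]     # None matches every port
    action: str              # "allow" or "deny"

def evaluate(rules: List[Rule], src_ip: str, dst_ip: str,
             proto: str, dport: Optional[int] = None) -> str:
    """First-match evaluation of a connection attempt, with an implicit final deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if r.src_zone not in ("any", src) or r.dst_zone not in ("any", dst):
            continue
        if r.proto not in ("any", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"

# The "crunchy shell": strict at the Internet edge, but a DMZ host, once
# compromised, may open connections anywhere inside.
PERIMETER_ONLY = [
    Rule("internet", "dmz", "tcp", 443, "allow"),
    Rule("internet", "dmz", "tcp", 80, "allow"),
    Rule("internet", "any", "any", None, "deny"),
    Rule("dmz", "any", "any", None, "allow"),
    Rule("internal", "any", "any", None, "allow"),
]

# Segmented policy: the DMZ is treated as semi-hostile. The web tier reaches
# only the one internal service it needs (an assumed database on TCP 5432),
# and the internal zone's own egress is narrowed as well.
SEGMENTED = [
    Rule("internet", "dmz", "tcp", 443, "allow"),
    Rule("internet", "dmz", "tcp", 80, "allow"),
    Rule("internet", "any", "any", None, "deny"),
    Rule("dmz", "internal", "tcp", 5432, "allow"),
    Rule("dmz", "any", "any", None, "deny"),
    Rule("internal", "dmz", "tcp", 22, "allow"),        # administration of DMZ hosts
    Rule("internal", "internet", "tcp", 443, "allow"),  # outbound web only
    Rule("internal", "any", "any", None, "deny"),
]

# Constructed test flows: (description, src, dst, proto, dport)
FLOWS = [
    ("client browsing the web server", "203.0.113.7", "192.0.2.10", "tcp", 443),
    ("outsider probing an internal file share", "203.0.113.7", "10.0.0.5", "tcp", 445),
    ("compromised web server reaching the file share", "192.0.2.10", "10.0.0.5", "tcp", 445),
    ("web server talking to its database", "192.0.2.10", "10.0.0.5", "tcp", 5432),
]

def compare(flows=FLOWS):
    """Verdict of both policies for each flow: {description: (perimeter_only, segmented)}."""
    return {desc: (evaluate(PERIMETER_ONLY, s, d, p, port),
                   evaluate(SEGMENTED, s, d, p, port))
            for desc, s, d, p, port in flows}

if __name__ == "__main__":
    for desc, (loose, strict) in compare().items():
        print(f"{desc:48s} perimeter-only={loose:5s} segmented={strict}")
```

Running it shows the difference the paragraph describes: both policies stop the outsider at the edge, but only the segmented policy stops a compromised DMZ host from reaching the internal file share while still allowing its legitimate database connection.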

Various information security studies and surveys have found that the majority of attacks come from inside an organization. Given how lucrative the sale of information can be, people inside organizations can be a greater threat than people outside the organization. These internal threats can include authorized users attempting to exceed their permissions, or unauthorized users trying to go where they should not be. An insider is therefore more dangerous than an outsider, because he or she has a level of access to facilities and systems that the outsider does not. Many organizations lack the internal preventive controls and other countermeasures to adequately defend against this threat. Wide-open networks and servers sitting in unsecured areas provide easy access to the internal hacker.

The greatest threat, however, arises when an insider colludes with a structured outside attacker. With few resources exposed to the outside world, it is easier for the bad guys to enlist internal people to do their dirty work. The outsider’s skills combined with the insider’s access could result in substantial damage or loss to the organization.


Attacks

Attacks can be divided into three main categories:

Reconnaissance Attacks Hackers attempt to discover systems and gather information. In most cases, these attacks are used to gather information to set up an access or a Denial of Service (DoS) attack. A typical reconnaissance attack might consist of a hacker pinging Internet Protocol (IP) addresses to discover what is alive on a network. The hacker might then perform a port scan on the system to see which applications are running, and to try to determine the operating system (OS) and version on a target machine.

Access Attacks An access attack is one in which an intruder attempts to gain unauthorized access to a system to retrieve information. Sometimes the attacker has to gain access to a system by cracking passwords or using an exploit. At other times, the attacker already has access to the system, but needs to escalate his or her privileges.

DoS Attacks Hackers use DoS attacks to disable or corrupt access to networks, systems, or services. The intent is to deny authorized or valid users access to these resources. DoS attacks typically involve running a script or a tool, and the attacker does not require access to the target system, only the means to reach it. In a Distributed DoS (DDoS) attack, the source consists of many computers that are usually spread across a large geographic boundary.
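The reconnaissance and DoS categories above both leave a characteristic footprint in firewall logs, which is what a defender watches for. The following Python detector is an added example (not from the book): it reads log lines in a simple constructed format, keeps a sliding window per source and per destination, and flags a host sweep (one source pinging many hosts), a port scan (one source probing many ports on one host), and a packet flood at one destination, labelling the flood as distributed when it comes from many sources. The log format, the thresholds and the sample traffic are all constructed for the illustration, and the fixed thresholds would need tuning for a real network.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (not any real product's export):
# <ISO timestamp> <src ip> <dst ip> <proto> <dst port> <action>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\w+) (\d+) (\w+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, proto, dport, action = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "dport": int(dport), "action": action}

def detect(lines, window_s=60, sweep_hosts=10, scan_ports=10,
           flood_pkts=200, ddos_sources=20):
    """Sliding-window detector. Returns {(kind, *key): peak_count} for host
    sweeps and port scans (reconnaissance) and packet floods (DoS / DDoS)."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    window = timedelta(seconds=window_s)
    by_src = defaultdict(deque)   # recent events from each source
    by_dst = defaultdict(deque)   # recent events towards each destination
    findings = {}

    def note(key, count):
        findings[key] = max(findings.get(key, 0), count)

    for e in events:
        for table, key in ((by_src, e["src"]), (by_dst, e["dst"])):
            dq = table[key]
            dq.append(e)
            while e["ts"] - dq[0]["ts"] > window:   # expire events outside the window
                dq.popleft()

        recent = by_src[e["src"]]
        # Reconnaissance: one source pinging many hosts ...
        hosts = {x["dst"] for x in recent if x["proto"] == "icmp"}
        if len(hosts) >= sweep_hosts:
            note(("host_sweep", e["src"]), len(hosts))
        # ... or probing many ports on one host.
        ports = {x["dport"] for x in recent
                 if x["dst"] == e["dst"] and x["proto"] in ("tcp", "udp")}
        if len(ports) >= scan_ports:
            note(("port_scan", e["src"], e["dst"]), len(ports))

        # Denial of service: a burst of packets at one destination; many
        # distinct sources in the burst make it look distributed.
        target = by_dst[e["dst"]]
        if len(target) >= flood_pkts:
            sources = {x["src"] for x in target}
            kind = "ddos_flood" if len(sources) >= ddos_sources else "dos_flood"
            note((kind, e["dst"]), len(target))
    return findings

def build_sample():
    """Constructed sample: a ping sweep, a port scan, a distributed SYN flood, benign noise."""
    t0 = datetime(2006, 1, 15, 2, 0, 0)
    stamp = lambda **kw: (t0 + timedelta(**kw)).isoformat()
    lines = []
    for i in range(1, 17):                      # sweep of 192.0.2.1 .. .16 from one source
        lines.append(f"{stamp(seconds=i)} 203.0.113.7 192.0.2.{i} icmp 0 drop")
    for i, port in enumerate(range(20, 40)):    # then 20 ports on the host that answered
        lines.append(f"{stamp(seconds=30 + i)} 203.0.113.7 192.0.2.10 tcp {port} drop")
    for n in range(250):                        # 25 sources, 10 SYNs each, within 20 seconds
        lines.append(f"{stamp(minutes=10, milliseconds=80 * n)} "
                     f"198.51.100.{n % 25 + 1} 192.0.2.20 tcp 80 accept")
    lines.append(f"{stamp(minutes=20)} 10.0.0.5 192.0.2.10 tcp 443 accept")
    lines.append("malformed line that the parser skips")
    return lines

if __name__ == "__main__":
    for key, count in sorted(detect(build_sample()).items()):
        print(key, count)
```

On the constructed sample this reports the sweep (16 hosts) and the port scan (20 ports) from the single probing source and a distributed flood of 250 packets at the web server, while the lone benign connection produces nothing. The peak counts are kept rather than the first crossing of a threshold so an analyst sees the size of the activity, not just that it happened.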

Recognizing Network Security Threats

In order to effectively protect your network, you must consider the following question: From whom or what are you protecting it? In this section, we approach the answer to that question from three perspectives:

■ Who are the people that break into networks?

■ Why do they do what they do?

■ What are the types of network attacks and how do they work?

First we look at intruder motivations and classify the various types of people who have the skill and desire to hack into others’ computers and networks.

Understanding Intruder Motivations

There are probably as many different specific motives as there are hackers, but the most common intruder motivations can be broken down into a few broad categories:

Recreation Those who hack into networks “just for fun” or to prove their technical prowess; often young people or “antiestablishment” types.

Remuneration People who invade the network for personal gain, such as those who attempt to transfer funds to their own bank accounts or erase records of their debts, and “hackers for hire” who are paid by others to break into the network. Corporate espionage is also included in this category.

Revenge Dissatisfied customers, disgruntled former employees, angry competitors, or people who have a personal grudge against someone in the organization.

The scope of damage and the extent of the intrusion are often tied to the intruder’s motivation.

Recreational Hackers

Teen hackers who hack primarily for the thrill of accomplishment often do little or no permanent damage, perhaps only leaving “I was here” messages to “stake their claims” and prove to their peers that they were able to penetrate your network’s security.

There are also more malevolent versions of the fun-seeking hacker. These cyber-vandals get their kicks out of destroying as much of your data as possible or causing your systems to crash.

NOTE

The following is one example of a recreational hacker:

October 17, 2005 (Computerworld) — Using a self-propagating worm that exploits a scripting vulnerability common to most dynamic Web sites, a Los Angeles teenager made himself the most popular member of community Web site MySpace.com earlier this month. While the attack caused little damage, the technique could be used to destroy Web site data or steal private information, even from enterprise users behind protected networks.
