
Chapter 7. Tools To Enhance Security

At a Glance

In this chapter, software tools and techniques to enhance computer and network security are investigated. These software packages include virus checkers, firewalls and remote access tools.

Virus software

Rule 20: Every computer that is vulnerable to viruses should run anti-virus software and should check for up-to-date virus signatures daily. A full scan of the machine should be performed periodically as well.

Rule 21: Computers that are not particularly subject to viruses such as Unix-based systems should nevertheless ensure that the mail that they send out does not contain a virus that may harm the recipient.

Rule 22: Keep your operating system and key application software up-to-date and remember that virus checkers only check for infestations in files. Vulnerabilities in operating systems and applications programs can leave you open to attack in other ways.

Virus checking software attempts to keep your computer free of viruses, worms, and Trojans in a number of ways:

• Whenever you access, copy, save, move, open, or close a file, the virus checker makes sure that it is not infected with any known virus (and other similar pests).

• Whenever you insert a foreign disk in your machine, it is checked for certain types of viruses.

• Whenever a mail file is received, it (and attachments) is scanned for malware.

• Whenever a file is downloaded from the web, it is scanned.

• In many cases, when a web page with embedded software is downloaded, it is scanned.

• You can explicitly request that any file, set of files, or entire disks be checked for viruses.

• If a virus, worm or Trojan is detected, the program will either remove it (disinfect) or it will tell you that the problem cannot be fixed and will “hide” the bad file so that it cannot cause any damage.

A virus checker with up-to-date virus signatures (a signature is the specific characteristic of each virus that is recognized by the checker) is an essential part of any computer, whether it is Internet-connected or not. Note that there are few known Unix viruses at the time this is being written but Unix worms and Trojans certainly do exist.

As of the end of August 2003, one of the popular PC/Macintosh virus programs (Norton AntiVirus) checked for almost 65,000 different viruses. That these programs can do this as fast as they do, without perceptibly slowing down your computer, is quite amazing. August 2003 was a particularly interesting month for malware, with the release of several worms (Blaster and SOBIG being the most common ones) that took advantage of a vulnerability in Windows computers. A month earlier, Microsoft had released a patch for this vulnerability, but relatively few people installed this patch, and so these new worms hit new records for the number of machines infected and the speed at which they spread. They may have also set new records for the number of “copy-cats” – the same basic worm, but with various modifications. On the busiest day, Norton added fifty-one new virus signatures (defining characteristics of those viruses) to their list. For the whole month, 520 new signatures were added.

Firewalls

A firewall watches all network activity going into or coming out of your computer. Based on a set of rules, it can allow the traffic to pass or it can block it. A firewall can be either a program running on your computer or a separate piece of equipment between your computer (or a cluster of computers) and its network connection. Sometimes firewalls are included in other equipment such as routers. There are free or pre-installed firewalls available for many operating systems.

Rule 23: All computers should be protected by a firewall of some sort, either software within the computer, or an external firewall protecting that computer or an entire local network of computers.

To fully understand what a firewall does, and how to set up the rules that govern it, you need an introductory understanding of TCP/IP – the protocol (set of rules) governing all messages sent over the Internet. If you are already familiar with the TCP/IP protocol, you should go directly to the next section. If you are not already familiar with TCP/IP, you should first read Addendum 2. TCP/IP. Note that a firewall can be used even if you do not want to learn these technical details. In that case, here is all you need to know about TCP/IP:

• Machines on the Internet all have an “IP address” that has the form 12.222.103.43, that is, four numbers separated by periods. The Internet uses your address to route messages to you, and your computer says where to send out-going messages by providing the address of the destination.

• Within each machine, different programs are identified by the “port” number (sort of like a telephone extension number within a large company – there is just one telephone number, but each person has their own extension number).

• Information sent to or from your computer is enclosed in “envelopes” called packets.

• Ignore the words TCP and UDP in the following discussion.

Why do we need firewalls?

If your computer is not connected to a local network or to the Internet, you do not need a firewall. Once you use the network, you are subject to all sorts of abuse. For example:

• If you use file sharing, print-sharing or any other inter-computer services, your computer is probably listening on certain ports. Although you may be doing this so that the computer in the next room can share your resources, it is possible that a computer anywhere else in the world could as well.

• If you are listening on a port for (for instance) file sharing, it is possible that due to bugs in the program, someone could send you a message that would take some other action – perhaps malicious. Unfortunately, such bugs are quite common.

• Even if you are not listening on any port, computers elsewhere can send you floods of messages. Even though they will all be ignored, they can keep your network connection so busy that you cannot do any real work (only hardware firewalls will help you in this case).

• If, despite your best efforts, you do end up with a virus, worm or Trojan on your computer, it can send anything on your computer to the malware creator. This could include any of your data or logs of what you are typing (including passwords).

How do firewalls work?

A firewall watches every packet that is received by or sent from your computer, and verifies whether it violates any of the rules that you have set for it. If a packet violates the rules, it is blocked (discarded). For both software firewalls and external (hardware) firewalls, the rules might include:

• Do not allow any packets to TCP/UDP ports 135, 137, 139, 445. These ports are used for Windows file sharing and a selection of other Windows services. By discarding these packets, you are ensuring that no one on the Internet can contact your computer for these services.

• Do not allow any packets to TCP/UDP ports 135, 137, 139, 445 unless they come from IP address 192.168.1.150 (where 192.168.1.150 is the address of your second computer that is allowed to share your resources).

• You can give the firewall a list of trusted computers – those that you know are not trying to hurt you. Only trusted computers will be able to initiate communications with you. You can still communicate with other computers, such as web servers on the Internet, but you must initiate the communication.
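The three rules above can be expressed as an ordered, first-match rule list. The following sketch is an added example, not part of the original handbook or of any firewall product; the Packet and Rule classes, the decide function and the 192.168.1.0/24 trusted list are assumptions made for illustration. It shows why the exception for 192.168.1.150 has to be placed before the general block on the file-sharing ports.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SHARING_PORTS = frozenset({135, 137, 139, 445})  # Windows sharing ports named in the text
SECOND_COMPUTER = "192.168.1.150/32"             # the exception address from the text
TRUSTED = ("192.168.1.0/24",)                    # assumed trusted list (constructed)

@dataclass(frozen=True)
class Packet:
    src: str         # source IP address
    dst_port: int    # destination port
    inbound: bool    # arriving from the network?
    initiates: bool  # first packet of a new conversation?

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    ports: frozenset = frozenset()   # empty means any port
    sources: tuple = ()              # empty means any source (CIDR strings)
    new_inbound_only: bool = False   # match only inbound packets that initiate

    def matches(self, p: Packet) -> bool:
        if not p.inbound:
            return False  # every rule in this sketch filters inbound traffic only
        if self.new_inbound_only and not p.initiates:
            return False
        if self.ports and p.dst_port not in self.ports:
            return False
        src = ip_address(p.src)
        return not self.sources or any(src in ip_network(n) for n in self.sources)

RULES = [
    Rule("allow", SHARING_PORTS, (SECOND_COMPUTER,)),       # exception comes first
    Rule("block", SHARING_PORTS),                           # nobody else may use sharing
    Rule("allow", sources=TRUSTED, new_inbound_only=True),  # trusted hosts may initiate
    Rule("block", new_inbound_only=True),                   # strangers may not initiate
]

def decide(packet, rules=RULES, default="allow"):
    """Return the action of the first matching rule; rule order is significant."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default  # outbound traffic and replies to conversations you started

if __name__ == "__main__":
    for p in (Packet("203.0.113.9", 445, True, True),
              Packet("192.168.1.150", 445, True, True),
              Packet("203.0.113.9", 51000, True, False)):
        print(p, "->", decide(p))
```

If the first two rules are swapped, the second computer is blocked as well, because the general block matches before the exception is ever reached.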

Software firewalls consume resources on your computer, but have the added advantage that they not only look at the datagram (with its to/from address and ports), but they can check which program is sending the message. If it sees a program initiating a communication that you had not explicitly allowed, the firewall can ask you for your permission before allowing it to go through. A hardware firewall cannot determine which program is being used, but since it is a separate piece of equipment, it does not slow your computer down at all.

Like all security-related precautions, if you have a firewall, whether hardware or software, you must keep the software and firmware up to date. Attackers are very innovative and it is essential that the tools that you are using to protect your system and data are current.

Private Address Spaces and Network Address Translation (NAT)

As the Internet was originally designed, every computer or device on the Internet had its own address, so there was the ubiquitous ability of every computer to talk to every other computer. Today, there are cases where universal connectivity is no longer appropriate. There are two primary reasons:

• You want to isolate a set of computers so that they cannot directly talk to the rest of the Internet – and the Internet cannot talk directly to them. This is the case with computers within some organizations, both public and private.

• Because of the way that IP addresses are allocated within the Internet, your organization does not have enough IP addresses to assign unique addresses to every machine. This is often the case with developing countries where national Internets were built (or are being built) several years after comparable networks in developed countries.

There are certain IP addresses that are not usable over the Internet. These are called Private Address Spaces and can be used in the above two cases. Since these computers will not directly interact with the rest of the Internet, they do not need unique addresses. Although several organizations may be using this same set of addresses, none of them can see the others and there is no problem. In the first case in the bullet points above, even though you do not want to allow most contacts between the internal machines and the Internet, there will be some interactions that are desirable and necessary. In the second case, there is no prohibition on such access.

There are two mechanisms that allow a computer with a private address to communicate over the Internet.

Proxy servers

A proxy server is a specific type of firewall. The proxy server has an address in the private address space, but also has a second connection and address connected to the Internet. If a user wants to (and is allowed to) communicate with a machine in the Internet, it sends the message to the proxy server, and requests that this message be forwarded to the target machine in the Internet. The proxy server keeps track of this request, and when the answer comes back, it returns the answer to the originating machine.

Proxy servers can also be used if you have a normal IP address. They are used to control what type of traffic goes out onto the Internet, or to simplify a user’s interaction with the network. A web proxy server will keep copies of pages requested, and if a second user requests the same page, it simply provides the copy – limiting the number of requests sent to the Internet and therefore reducing external bandwidth requirements. Keeping recently requested pages is called caching.

Network Address Translation

Network Address Translation (NAT) is normally implemented by having a special box sit between the local network and the Internet. Like the proxy server, it is connected to both the local network where private IP addresses are used, and to the Internet. When a message from the local network bound for the Internet is received by the NAT box, the NAT box sends the message out to the Internet using its IP address, and says it is coming from a port number that is unused. When the reply comes in, it is returned to the originating computer on the local network. A NAT box is similar to a proxy server, but it works for all kinds of traffic, not only a specific kind (such as web traffic) and it does not do any caching.

Both proxy servers and NAT boxes are effectively firewalls and implicitly protect the machines within the local private address spaces from many of the types of attacks that machines with normal IP addresses are subject to.
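The translation table that a NAT box keeps, and the reason it behaves like a firewall, can be seen in a small model. This is an added example, not part of the original handbook; the NatBox class, the 203.0.113.1 public address and the 40000-40003 port pool are constructed for illustration, and it assumes that a reply is accepted only from the remote address and port that was originally contacted.

```python
from ipaddress import ip_address, ip_network

# RFC 1918 private address spaces (standard values, not listed on the page)
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip):
    return any(ip_address(ip) in net for net in PRIVATE_NETS)

class NatBox:
    """Maps each private (address, port) conversation to an unused public port."""

    def __init__(self, public_ip, port_pool=range(40000, 40004)):
        self.public_ip = public_ip
        self.free_ports = list(port_pool)  # public ports not yet in use
        self.out_map = {}  # (priv_ip, priv_port, remote_ip, remote_port) -> public port
        self.in_map = {}   # public port -> the same 4-tuple

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet leaving the local network; return its new header."""
        if not is_private(src_ip):
            raise ValueError("source is not in a private address space")
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_map:
            if not self.free_ports:
                raise RuntimeError("no unused public port left")
            port = self.free_ports.pop(0)
            self.out_map[key] = port
            self.in_map[port] = key
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Return the private (address, port) a reply belongs to, or None to drop."""
        entry = self.in_map.get(dst_port)
        if entry is None or entry[2:] != (src_ip, src_port):
            return None  # nothing inside asked for this packet
        return entry[:2]

if __name__ == "__main__":
    nat = NatBox("203.0.113.1")
    print(nat.outbound("192.168.1.10", 51000, "198.51.100.7", 80))
    print(nat.inbound("198.51.100.7", 80, 40000))   # reply is delivered
    print(nat.inbound("198.51.100.99", 4444, 445))  # unsolicited packet is dropped
```

Because an inbound packet is delivered only when it matches an entry created by earlier outbound traffic, a machine behind the NAT box cannot be contacted first from the Internet.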

Remote access/management/administration tools

Remote access, remote management and remote administration tools allow you to control your computer remotely, either via a dial-up telephone line or via the Internet. When you are connected to your computer in this way, it is equivalent to sitting at the keyboard.

Rule 24: If you use remote access facilities to remotely control any computers, make sure that they have robust security (at the very least, excellent usernames and passwords) to ensure that attackers do not use these same tools.

Remote access tools have many important uses. Among them are:

• They allow you to use your office computer while not at the office. This allows you to use data, applications programs, and network services that are accessible at work.

• They allow you to turn over control of your machine to a specialist to diagnose or fix a problem without the specialist having to come to your location.

• They allow multiple people to use an application program that is only installed on one machine.

• They allow systems support personnel to manage multiple servers easily.

Remote access tools also allow an attacker to do all of the same things. In fact, there is often little functional difference between a remote access tool that is sold for the above types of applications (such as pcAnywhere) and a backdoor Trojan (such as NetBus or Back Orifice).

Malware detectors

It would be nice to assume that if you keep all of your software up-to-date, check incoming files for viruses and worms, use secure usernames and passwords, and protect yourself with a robust firewall, then you will be completely safe. To phrase this as a question, if you practice safe computing, will you be safe?

The answer is “probably”. There is always the chance that some sort of problem will hit you before a solution is generally available. It is also possible that occasionally you may do something that is less than 100% safe.

Malware detectors are programs that check your computer to see if there is anything there that looks suspicious, regardless of how it got there. Their functions overlap with virus checkers in some cases, as they will both detect the presence of some types of malware on your disk. Depending on the specific tool, they will check to verify that key system programs have not been surreptitiously changed.

Malware detectors will also look at browser plug-ins and add-ons and try to detect those that are potentially malicious or will violate your privacy. Some malware detectors also include tools to remove an offending program.

Logs

Logs are an under-utilized and under-appreciated tool in ensuring that your computer is secure. A log is a file on disk into which programs can write messages. Typically a message is written into a log when something interesting happens or if some error occurs.

Rule 25: System functions and applications logs should be judiciously enabled.

Examples of “interesting” things include:

• the computer is powered on;

• someone logged onto the computer;

• someone tried to log onto the computer, but had a wrong password;

• an e-mail was received;

• an e-mail send was attempted, but the connection failed;

• there were many errors on a disk, or on a network connection;

• the firewall detected an illegal communication and blocked it;

• the virus checker automatically downloaded a new set of virus signatures;

• a virus scan of all files on your system was run and a virus was detected.

Depending on the program/system, log files can just grow until they are erased, or there may be a new log file created every so often, with the old log files being kept for later review (typically they will have a date in the filename).

In general, there is a separate log file for each application or system function. Sometimes you read a log with any text editor, and sometimes the application or system provides specialized tools to read and format logs.

Logs are very useful and should generally be enabled. However, you need to take care to ensure that you do not enable logging for functions that happen too often, or your system will spend all of its time writing logs and your disk will become clogged with log files.

If you understand what the detailed log entries are saying, you should review them periodically to see if anything unusual is happening. Otherwise, logs should be kept so that in the case of some sort of unusual happening, they may give some hint as to exactly what happened.

 
 


Copyright © 2003 The International Bank for Reconstruction and Development / The World Bank
