FRONTDESK SPECIAL REPORT
How to beat the hackers
Simon Bisson dons his flameproof overalls to take a look inside firewalls
PC Plus #176, PCPlus.co.uk

Internet security is often seen as something of a black art, with security gurus engaged in a permanent war with crackers and their script kiddie minions. With metaphors taken from medieval military tactics, or from 1960s cold war threat assessments, it's not surprising that the prospect of connecting a computer to the outside world can be confusing. Do you need a bastion host, or a demilitarised zone? Should you be using a personal firewall, or can you manage security with a dedicated piece of network security equipment?

Internet security often uses terms taken straight from the text books of medieval castle designers. It's not a surprising analogy, as the layered defences around the central keep are similar to the layers of firewalls and other security tools used to protect enterprise-level internet connections. An SME won't be able to put together complex firewall architectures – especially as these can cost around £60,000 for a three-layered high availability system based around a set of firewall appliances.

Any system connected directly to the internet should be considered to be vulnerable to attack or intrusion, and so needs to be secured. You could secure your system by running a secured operating system, such as Argus Pitbull, or by using the Bastille scripts to harden Linux. However, these aren't really applicable for most normal uses, as they limit what you can do online. The traditional solution is the firewall.

A firewall is best thought of as a set of network applications, running on a gateway server, that protects the resources of a private IP network from the actions of users on other networks. A company that enables its workers access to the wider internet will install a firewall to prevent outsiders from accessing its private data and to control access from its internal network to the outside world.
Internal workings

The firewall software is, at heart, a very simple tool: it examines each network packet received at the firewall and then uses a set of rules to determine whether the packet can be forwarded to its destination. As this can be quite an intensive process, a firewall is often installed on a dedicated piece of hardware, away from the rest of the network, so that no incoming request can get directly at private network resources.

Firewalls work in many ways. One approach is to match the information in IP packets against a list of accepted IP ports and allowed source addresses. This works for most cases, but a more secure approach is to actively inspect the content of every packet that passes through, making sure that specific application attacks can be blocked.

One key concept in internet security is that of the trust boundary. There are computers you trust, and computers you don't. Any connections between them are assumed to be insecure, and a firewall should be used to manage all data flowing across the resulting trust boundary. A large e-commerce site can contain several different trust boundaries, all requiring a differently configured firewall. Typically, you'll find one set of firewalls between the public internet and any web servers, and another between the web servers and the application servers that run the site's applications. A secure service may also include another layer of firewalls before you access any databases, and a further set protecting any management applications and tools. With a layered firewall system, only trusted systems can connect to specific services at each level – reducing the risk of a complete system compromise. Of course, there are some forms of attack that a firewall is unlikely to protect you from – especially denial of service attacks.

[Figure: The Seattle Firewall is a set of scripts that turns a Linux system into a fully-fledged firewall, complete with alerts and VPN support.]
As these are designed to overwhelm network connections by flooding them with IP packets, there's not really much that a firewall can do, apart from absorbing the brunt of the attack and enabling your internal systems to keep running, letting you use any back-up connectivity you may have.

Until recently, firewalls were the province of ISPs and business internet presences, and they were costly pieces of equipment that required regular configuration and monitoring. With the cost of permanent internet connections well beyond the average pocket – even a 64 Kbps connection cost several thousand pounds a year – firewalls had yet to arrive on the end of a SOHO internet connection. The recent arrival of cable modems, DSL connections and low-cost unlimited dial-up internet connections has changed all that. With always-on net access for £40 a month, there's a need for cheaper firewalls.

The new risks...

DSL and cable modem connections mean a sea change in the way homes and small businesses will need to consider internet security. With a dial-up modem or ISDN connection you knew when you were online, and had the limited security of being hidden in the midst of your ISP's dynamic IP address pool. All you needed was a port-scanning tool, such as NukeNabber, to make sure that no one was trying to access your PC directly. And, of course, you were only at risk when you connected to the internet. Once you're hooked up with DSL, or a cable modem, things are different. Instead of an intermittent internet connection initiated when you need to go online, you're now always online with, at the very least, a long lease on a dynamically assigned IP address, or even with your very own set of static IP addresses and a domain to go with them. As a result, you now have the same problems as a company with a leased line – and nowhere near the security budget they have.
You could stick with personal firewall tools like ZoneAlarm, but unfortunately these violate one of the basic rules of internet security: never run critical business applications on your firewall. Instead you're going to have to put together a full firewall – a bastion host configured to protect your network.

Firewall appliances

One of the best ways of securing an always-on network is to use a firewall appliance. Instead of relying on a standard OS with all its associated risks, appliances are dedicated pieces of security hardware – ranging from simple firewalls for SOHO networks, to powerful firewalls suitable for the largest and busiest e-commerce websites. One of the most popular enterprise firewall appliances comes from an unlikely source, more commonly known for mobile phones – Nokia. By linking a specialised piece of network hardware with the popular Firewall-1 package, Nokia has produced an easy to manage and powerful tool. The latest versions can be clustered, and controlled using remote management tools. Another popular high-end firewall appliance comes from networking specialists Cisco. The PIX is a powerful tool capable of dealing with the high traffic levels generated by a popular website, and is ideal for protecting the borders of a web farm.

Starting at around £5,000, the enterprise firewall isn't suitable for a SOHO security implementation – your best option is to use a small firewall appliance. SOHO firewall appliances are a new class of devices, closely related to the early network address translation (NAT) routers used to share modems and ISDN connections, enabling a single internet access account to be used by an office. With DSL and cable modems becoming a popular SOHO connection method in the US, it wasn't long before these devices started to add firewall functions. Among the most popular devices in the US are Linksys' NAT cable and DSL routers.
These sit between an Ethernet internet connection and the rest of your network, providing a low-cost solution to the problem of connecting several PCs to a cable modem. As well as connecting a network to the internet, the Linksys boxes can be used to make an effective, if rather simple, firewall by configuring them to reject external connections – as well as by shielding the IP addresses of your network through NAT. This is a quick first step to protecting your network, but may not offer the flexibility of a full firewall.

A more effective firewall solution comes from SonicWALL. Unlike the routers from Linksys, SonicWALL's firewall appliances offer true firewall functions. These can provide you with a much more flexible approach, enabling you to manage the services and systems in your network more effectively. A web-based configuration tool is the key to this approach, and gives you the ability to shut down services without having to change the configurations of your PCs. There's a sample SonicWALL configuration interface ready for you to try out on the web at www.sonicwall.com/products/demo/index.html, where you can see how to control and manage the firewall. Alerts and logs can be sent by email, keeping you informed of any attempted intrusions or attacks. SonicWALL gives you an upgrade path, so you can start with a basic SOHO system and upgrade, through a trade-in programme, to appliances designed to protect e-commerce sites.

Any firewall appliance will need to be updated to take account of new attacks and security holes. You'll need to make sure that any appliance you buy enables you to upgrade its firmware – and that the manufacturer will keep you informed of changes and new releases.

[Figure: So are your shields up? A simple web utility at www.grc.com helps you find out just how secure your PC is.]
[Figure: SonicWALL firewall appliances can be configured from a web interface, providing you with logging information as well as management tools.]
Firewalling with Linux

By taking advantage of Open Source software, and nearly obsolete hardware, it's possible to put together solid security architectures for substantially less than £1,000. If you're in the UK, you will need to get a routed DSL or cable modem solution to take advantage of this approach – there's no Linux support for the Alcatel USB DSL modems used by BT. All you need to do to secure your network is to take an old Pentium-class PC, and set it up as a Linux-based firewall. We don't recommend the canonical 486 running Linux, as a firewall can require a lot of processor-intensive packet inspection and routing – so take advantage of distros, such as Mandrake, which give you optimised Pentium kernels (or compile your own!).

Recent versions (2.2 and better) of the Linux kernel include a set of tools for creating a firewall using a default Linux installation. Using this technology, known as ipchains, it is now possible to put together a network address translation based firewall in just a few minutes, simply by following the instructions in one of Linux's many How-To documents. The recently released 2.4 kernel has updated ipchains with a brand new firewall technology, named iptables, but when working with internet security you are always better off working with an older, proven technology rather than the latest thing. We've found the Home Network mini How-To very useful when setting up always-on networks with DSL connections, especially thanks to the sections on putting together an IP masquerading firewall for a small network. You can find a copy of this How-To at www.linuxdoc.org/HOWTO/mini/Home-Network-miniHOWTO.html. With this and a copy of Linux, available on the PC Plus SuperDisc, you'll be able to secure a small network. There's no need to buy a full set of Linux disks, as you're going to be using only a minimal installation.
You can also use the very useful Linux firewall tools site to help you tweak and tune your new bastion host (www.linuxfirewall-tools.com/linux/). You don't even need one of the major distros to set up a firewall, as there's even a way of building a Linux firewall from a single floppy disk, thanks to the Linux Router Project (www.linuxrouter.org). It doesn't need to be any bigger than a floppy, because the LRP is a cut-down Linux distribution designed to turn a single PC into an IP router for a SOHO network. With a set of widely available scripts, you can quickly configure an LRP-based border PC into a firewall that is based on ipchains. One of the most popular sets of scripts is the Seattle Firewall, which can be downloaded from the SourceForge open source exchange at http://seawall.sourceforge.net/. Running these scripts will configure a Linux firewall, and will also add monitoring features that aren't in the standard LRP implementation, including audible warnings, as well as tools for connecting your network to others over a VPN.

[Figure: The Linksys DSL router is an attractive box, which mixes some firewall functions alongside all the tools that you require to connect a small network to the internet.]

Personal firewalls

One of the biggest misnomers around is the idea of the personal firewall. Whilst tools like ZoneAlarm and BlackIce Defender serve an adequate role as a personal security tool, they are not firewalls. Think of them instead as personal security tools. Unlike a true firewall, a personal firewall shares the same hardware as a PC that is running critical applications. This can cause problems, especially if there are memory leaks in either your application or the personal firewall. You're also still vulnerable to deficiencies in the Windows IP stack, so don't consider yourself to be completely secured! So keep this in mind, use a good virus checker and make sure you know exactly what software you're giving access to the internet. It's worth using not only the ShieldsUp service at www.grc.com, but also the LeakTest software, which checks if software running on your PC can connect through a personal firewall without any warnings.

That's not to say that personal firewalls shouldn't be used. If you've got a USB DSL connection, or are connecting a single PC to a cable modem, then they're probably your only real choice – unless you're happy manually locking down IP services in the Windows registry. It's also likely to be your only way of protecting an unlimited-use dial-up connection.

A personal firewall acts as a new layer on top of the basic Windows IP stack, controlling how applications access the internet. Replacing the standard Winsock calls with its own network layer, a personal firewall can manage every network connection to and from your PC. As configuring a network firewall requires an experienced network engineer, personal firewalls instead let you give individual applications access to and from the internet. You'll need to specify which applications are treated as servers – as these will enable external systems access to your PC. You'll also need to be sure that you've configured the various alerts correctly, as personal firewalls are often prone to false alarms. These can be triggered by your ISP checking if you are still online, or by connections that are being maintained by a machine that was the previous tenant of your dynamic IP address. False positives don't mean that you're under attack. It's only if you get warnings of specific attempts to connect to ports used by Trojans, such as BackOrifice or NetBus, that you need to be worried!

Generally pay-for products, such as ZoneAlarm Pro or BlackIce Defender, have a better reputation than free tools, but if you're on a tight budget and are willing to learn about the ports used by Windows internet applications, the free ZoneAlarm from www.zonelabs.com is worth a try. Just remember that despite the name, you're not using a firewall!

A better alternative is a firewall application running on a separate PC. One of the best known is WinRoute, a simple routing package for Windows that will also protect a single PC or a small network. You can also use WinRoute as a proxy, providing secured connections to other PCs on your network – not something you can do with Windows' built-in internet connection sharing feature. This type of tool is ideal for putting a small office online, where a connection is to be shared by three or four PCs, with a tool like VPOP3 handling email. You'll probably find it a better approach than the proxy server bundled in Microsoft's Windows NT Small Business Server package.

[Figure: Microsoft has recently launched its Internet Security and Acceleration Server, a set of tools that add firewall and proxy functions to Windows 2000.]
[Figure: A personal firewall like ZoneAlarm isn't a true firewall, but it's still an important security tool for a standalone PC.]

Wrap-up

It's important that any business-critical service should be kept secure. It doesn't matter if it's a multi-million pound e-business system or your £100 a month ADSL connection – security should have the same emphasis no matter what you're doing, and thanks to low-cost solutions, such as Linux firewalls and firewall appliances, it can be achieved even on the lowest of budgets. However, there's one thing you need to keep in mind: security doesn't only depend on your firewalls, it's also up to you and anyone using your computers. Companies are at far more risk from their own employees than they are from the internet. Any security policy put in place around your computers and internet connection needs to be as much about the people as the firewall itself.
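The rule-based, layered filtering described under Internal workings (packets matched against allowed ports and source addresses, first match wins, one firewall per trust boundary), as an added worked model that is not code from PC Plus, ipchains or any appliance named in the article; the tier networks, service ports and the blocked source range are constructed for the illustration:

```python
"""Model of the rule-based, layered packet filtering the article describes
(internet -> web servers -> application servers -> databases).
Added illustration only: not code from PC Plus, ipchains or any appliance;
networks, ports and the blocked source range are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    src: str = "0.0.0.0/0"       # allowed source address range
    dst: str = "0.0.0.0/0"       # destination address range
    dport: Optional[int] = None  # None matches any port
    proto: Optional[str] = None  # None matches any protocol

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.dport in (None, pkt.dport)
                and self.proto in (None, pkt.proto))

def decide(rules, pkt: Packet) -> str:
    """Walk the rule list in order; the first match wins. A packet that
    matches nothing is dropped: the default-deny stance of a firewall."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"

# Constructed three-tier site: one firewall in front of each tier, each
# trusting only the tier immediately before it, and only on one service.
WEB, APP, DB = "192.0.2.0/24", "10.1.0.0/24", "10.2.0.0/24"
TIERS = {
    WEB: [Rule("drop", src="203.0.113.0/24"),   # a source range kept out entirely
          Rule("accept", dst=WEB, dport=80, proto="tcp"),
          Rule("accept", dst=WEB, dport=443, proto="tcp")],
    APP: [Rule("accept", src=WEB, dst=APP, dport=8080, proto="tcp")],
    DB:  [Rule("accept", src=APP, dst=DB, dport=5432, proto="tcp")],
}

def traverse(pkt: Packet) -> str:
    """Apply the firewall guarding the tier that owns pkt.dst."""
    for net, rules in TIERS.items():
        if ip_address(pkt.dst) in ip_network(net):
            return decide(rules, pkt)
    return "drop"  # no tier owns the destination: nothing is forwarded

if __name__ == "__main__":
    for p in (Packet("198.51.100.7", "192.0.2.10", 443),  # browser to web: accept
              Packet("198.51.100.7", "10.2.0.5", 5432),   # internet to db: drop
              Packet("10.1.0.4", "10.2.0.5", 5432)):      # app to db: accept
        print(f"{p.src} -> {p.dst}:{p.dport}/{p.proto} {traverse(p)}")
```

A packet from the public internet aimed straight at the database tier is dropped not because a rule names it, but because the database firewall trusts only the application subnet and everything else falls through to the default deny.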