Network security for small businesses -an insight center doc


WHITE PAPER

Network Security for the Small Business: An Insight

Mark Guntrip, Marketing Engineer, 3Com Corporation

“Nothing more than the whim of a 13 year old hacker is required to knock any user, site or server right off the Internet.”
Steve Gibson, Gibson Research Corporation

CONTENTS

Benefits of Shared Internet Access
Broadband Internet
    Is Anyone Safe?
Attacks and Security Threats
    Denial of Service (DoS) Attacks
    Intrusion Attacks
Security Technologies
    Different Types of Firewall
    Hardware Vs Software
    Network Address Translation (NAT), Stateful Packet Inspection (SPI) and DoS Detection
    Choosing your technology
Virtual Private Networks (VPNs)
How 3Com can help secure your network
    OfficeConnect Cable/DSL Gateway (3C855)
    Features and Benefits

As small businesses move with the Internet revolution, from dial-up connections to broadband 24 x 7 Internet, security threats to networks increase dramatically. Now PCs and networks are constantly visible on the Internet, giving hackers more time and opportunity than ever to wreak havoc on the businesses of the world. With over 700,000 small businesses in the United States alone having a broadband Internet connection, it is obvious that a large number of businesses have opened themselves up to the Internet.

Recent high profile hacker attacks against large corporations such as Amazon, eBay, NASA and Microsoft have placed Internet and network security at the forefront of media attention, but are small businesses also at risk? How can businesses enjoy the benefits of the Internet while protecting themselves against the threats that come with it?

This white paper discusses the recent explosion in broadband Internet and the increase in security threats that has arisen from it; the different security technologies available for businesses; and the different ways that 3Com can help businesses to secure their networks.

Benefits of Shared Internet Access

Internet access is almost essential for any business hoping to be successful, but the cost of getting many PCs connected through individual accounts can be very high. Sharing one Internet connection between multiple computers can save money and increase productivity. With every PC on your network given Internet access, employees are within easy reach of the information that they need to do their job more effectively, and all at no extra cost. Using a gateway or Network Address Translation (NAT) device, many computers can be connected through one Internet connection.

Broadband Internet

The introduction of affordable broadband technologies such as Digital Subscriber Line (DSL) and cable has transformed the Internet from a useful tool into a business essential, giving 24 x 7 access and higher data rates, allowing faster access to information. The ability to do more in less time should mean that employee productivity increases. Remote users can access the LAN at a speed that allows them to work as if they were in the office rather than through a painfully slow analogue link. Large e-mails can be sent quickly and easily instead of waiting for the PC to send the mail.

With all these benefits, however, come added security threats—PCs and networks can be visible on the Internet 24 hours a day. Network security should be an essential part of the network, preventing the many threats from damaging your network and business.

Is Anyone Safe?

According to IDC, the average new broadband connection experiences three attempted attacks in the first 48 hours of operation. Hackers do not know whether a visible device on the Internet is a large network that is hidden, a home network or just an individual computer—so everyone on the Internet can be a target for attack.

Within the last few years many large enterprises, including the CIA and NASA, have had their web sites attacked. As well as this, companies such as Amazon, eBay, CNN and Yahoo were attacked, causing their systems to overload and shut down with resulting losses of around $1.2 billion. Meanwhile, a Gartner Group survey shows that hackers will attack more than 50% of small and medium businesses using the Internet—so everyone on the Internet, large or small, is a target for attack.

Attacks and Security Threats

There are a number of different types of attack that can be used by a hacker to gain access to your network or to cause damage. The two main types of attack are:

Denial of Service—this is where a hacker will attempt to bring down part of or your entire network by causing devices to crash or rendering them inoperable.

Intrusion—this is where a hacker enters the network and tries to gain information (such as passwords or access to data). This might be done without the owner of the network even knowing that anyone has gained unauthorized access to the network.

Denial of Service (DoS) Attacks

DoS attacks have become increasingly widespread, with high profile targets hit as mentioned earlier. DoS attacks are not aimed at stealing information or data, but instead at crashing or disabling devices and networks so that they are unusable. Common attacks include Ping of Death, SYN Flood and LAND Attack.

Distributed Denial of Service (DDoS) attacks can also wreak havoc on computers, web sites and networks, using a complex system of “Zombie” computers to attack a chosen target. The users of computers that have the Zombie Trojan installed do not even know that their computer is infected and possibly attacking targets all over the world! These Trojans can give full access to the computer, including access to file systems and even real-time keystrokes.

Trojans are destructive programs that masquerade as normal applications. Once on a computer, a Trojan can be used to attack your computer or to take part in an attack on a remote computer—the only way to ensure that your computer is safe is to prevent Trojans from being planted, by installing good network security.

Intrusion Attacks

Intrusion attacks are used to gain unauthorized access to a device or network. Once inside, the hacker can steal data or passwords, or can vandalize the system by destroying valuable data.

The first step in an intrusion attack is to gather information about the network that is to be attacked. This is done by probing the target network to try to find any weaknesses or security holes that can be exploited. A tool such as a Port Scanner can be used to easily scan every port on a range of network addresses, searching for any vulnerable ports. If any port connections are made, these are reported to the hacker and in this way a picture of the network is built up. Once the hacker has gained as much information as possible, they will then try to breach the security of the network using one of the vulnerable ports discovered. A good network security product will block port scanners, denying the hacker the ability to gather information about the network.

Security Technologies

Different Types of Firewall

Firewalls and security are available in a number of different forms: hardware or software, or incorporated into another device such as a router.

Hardware Vs Software

Dedicated software security is usually a complex application that requires a UNIX or Windows NT/2000 Server to run on. These products are well suited to businesses that already have UNIX or NT/2000 Servers and the technical support required to configure and maintain them.

Hardware firewalls, or gateway products that include security, are normally based on ease of use and maintenance, offering a plug-and-play solution. Preconfiguration is built into the product so that the user configuration is as easy as possible. As a result, gateway type devices are suitable for small and medium sized businesses with little or no in-house technical support and networking knowledge.

Routers that have additional security software upgrades can offer a good level of security. This solution is normally more expensive than the other options, as the security upgrade can considerably slow down the performance of the router, which is not optimized to carry out this function.

Network Address Translation (NAT), Stateful Packet Inspection (SPI) and DoS Detection

There is a difference in the level of security offered by NAT and SPI. NAT hides the Local Area Network (LAN) behind it by making it look like there is only one PC sending data out onto the Internet. It does this by changing the private network addresses of PCs on the LAN to a public network address given by the Internet Service Provider. In this way, it looks like all data from the network is actually originating from one device. Therefore hackers that might be monitoring Internet traffic will only see one device.

Stateful Packet Inspection (SPI) monitors every packet entering or leaving the LAN and applies a series of firewall rules to decide whether to allow the packet to enter the network or not. It is called stateful packet inspection because it examines the contents of the packet to determine what the state of the communication is, i.e. it ensures that the stated destination computer has previously requested the current communication. This is a way of ensuring that all communications are initiated by the recipient computer and are taking place only with sources that are known and trusted from previous interactions. In addition to being more rigorous in their inspection of packets, stateful inspection firewalls also close off ports until connection to the specific port is requested. This allows an added layer of protection from the threat of port scanning.

Denial of Service Attack Detection monitors traffic outside the protected network and looks for patterns of data that match known denial of service attack patterns. If a known pattern is detected, the connection is dropped so that the attack fails and the network stays secure, and the details of the attack are logged for future reference.

Choosing your technology

To choose what type of network security technology to use you must answer two questions: how much money are you prepared to invest, and how secure do you want your network to be? A combination of at least two of the technologies will help ensure that you have the best security available. For example, NAT with DoS prevention will provide a good level of security that can stop hackers from entering your network and from breaking your network through attacks. If more security is required then SPI can be used as well—this gives a fully comprehensive security system for your network.

To ensure that the level of security is of the highest standard, it is a good guideline to ensure that the product is certified by an external independent security organization (e.g. ICSA). This organization will ensure that all the claims made about the product are true.

Virtual Private Networks (VPNs)

A VPN is a secure method of accessing a private network using the public Internet. Encryption is used to ensure that any data sent is secure from those who might choose to snoop on the Internet. This can result in significant cost savings when compared to the cost of leased lines or dial-up costs for remote users to connect to a central network. Instead of paying for very expensive leased line links between sites or making long distance calls to connect to a central site, VPNs can allow a remote site or user to connect to their local ISP and then access the central network securely, all at the cost of a local call.

It is vitally important that a firewall be able to pass through VPN traffic. This will allow PCs on the LAN to initiate a secure VPN tunnel to a remote site (e.g. a central office) to allow secure data transfer. Some gateways are able to initiate and terminate VPN tunnels themselves. This allows multiple PCs on the LAN to share the same VPN tunnel and can also speed up the performance of the VPN tunnel if the gateway uses hardware to encrypt the data rather than software.

There are a number of different VPN technologies that are available today. The main protocols are Point-to-Point Tunnel Protocol (PPTP), Secure Internet Protocol (IPSec) and Layer 2 Tunnel Protocol (L2TP). A further, in-depth explanation of these is given in “Virtual Private Networks: Internet based VPNs”, available with this white paper or from www.3com.com.

How 3Com can help secure your network

OfficeConnect Cable/DSL Gateway (3C855)

The 3Com® OfficeConnect® Cable/DSL Gateway is an easy-to-install, professional quality device which offers small business and home office users secure, reliable shared Internet access over cable, DSL and other broadband access services, while at the same time providing a simple way to manage and protect a local network.

The OfficeConnect Cable/DSL Gateway offers NAT security coupled with hacker attack detection and prevention. This will hide the local network from the Internet as well as protecting it from Denial of Service attacks. VPN protocols (PPTP and IPSec) can pass through the gateway to allow the set-up of secure tunnels.

[Figure: Internet, cable or DSL modem, 3Com® OfficeConnect® Cable/DSL Gateway]

Features and Benefits

| Feature | Benefit |
|---|---|
| Sharing Internet connection between multiple PCs | Significant cost savings. |
| Network Address Translation (NAT) | Security through hiding the private network. |
| Denial of Service (DoS) Attack Prevention | Added security to help ensure that hacker attacks are not able to bring down the network. |
| VPN Pass-Thru (IPSec and PPTP) | Allows secure connection to a remote network via the Internet, resulting in cost savings. |
| User Definable Special Application support | Allows the operation of applications that need multiple, dynamic ports to be open (e.g. NetMeeting, MSN Gaming Zone). More flexibility for the network. |
| Virtual Server support | Allows publicly accessible servers to exist on the private LAN. |
| User Access Privileges | Specify different access rights (allow and block services) on a per user basis. |
| Built-in 4-Port 10/100 Switch | Allows connection of up to 4 computers directly to the gateway. Allows file and resource sharing. |
| DHCP Server | Allows centralization of network addressing. |
| Web based Interface | Allows intuitive management of the device and network addressing. |
| Lifetime Warranty | Peace of mind. |

3Com Corporation, Corporate Headquarters, 5400 Bayfront Plaza, Santa Clara, CA 95052-8145

To learn more about 3Com solutions, visit www.3com.com. 3Com Corporation is publicly traded on Nasdaq under the symbol COMS.

The information contained in this document represents the current view of 3Com Corporation on the issues discussed as of the date of publication. Because 3Com must respond to changing market conditions, this paper should not be interpreted to be a commitment on the part of 3Com, and 3Com cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only; 3Com makes no warranties, express or implied, in this document.

Copyright © 2002 3Com Corporation. All rights reserved. 3Com and OfficeConnect are registered trademarks and the 3Com logo is a trademark of 3Com Corporation. Windows NT is a trademark of Microsoft. UNIX is a trademark of UNIX Laboratories. Other company and product names may be trademarks of their respective companies. 503109-001 02/02
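
The NAT and Stateful Packet Inspection behaviour described under Security Technologies, modelled as an added example that is not part of the white paper and is not 3Com's implementation. The Gateway class, its method names, the port-count threshold and every address and port are constructed for illustration.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # constructed: stands in for the ISP-assigned address


@dataclass
class Gateway:
    """Toy NAT gateway with a stateful inbound check (illustrative model)."""
    next_port: int = 40000
    flows: dict = field(default_factory=dict)  # public port -> flow tuple
    drops: list = field(default_factory=list)  # (reason, source IP, port)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host starts a connection: record the flow and return the
        public (ip, port) the Internet sees instead of the private address."""
        flow = (lan_ip, lan_port, remote_ip, remote_port)
        for pub_port, known in self.flows.items():
            if known == flow:
                return PUBLIC_IP, pub_port
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.flows[pub_port] = flow
        return PUBLIC_IP, pub_port

    def inbound(self, remote_ip, remote_port, pub_port):
        """A packet arrives from the Internet: forward it only if a LAN host
        previously opened this flow to this exact remote endpoint."""
        flow = self.flows.get(pub_port)
        if flow is None:
            self.drops.append(("no-state", remote_ip, pub_port))
            return None
        lan_ip, lan_port, peer_ip, peer_port = flow
        if (remote_ip, remote_port) != (peer_ip, peer_port):
            self.drops.append(("wrong-peer", remote_ip, pub_port))
            return None
        return lan_ip, lan_port

    def scanners(self, threshold=5):
        """Sources whose dropped packets touched many distinct ports."""
        probed = {}
        for _reason, src, port in self.drops:
            probed.setdefault(src, set()).add(port)
        return sorted(s for s, p in probed.items() if len(p) >= threshold)


def demo():
    gw = Gateway()
    pub = gw.outbound("192.168.1.20", 51000, "198.51.100.7", 443)
    reply = gw.inbound("198.51.100.7", 443, pub[1])   # requested: forwarded
    stray = gw.inbound("192.0.2.66", 443, pub[1])     # unknown peer: dropped
    for port in (21, 22, 23, 25, 80):                  # unsolicited probes
        gw.inbound("192.0.2.66", 4444, port)
    return pub, reply, stray, gw.scanners()


if __name__ == "__main__":
    print(demo())
```

The drop log is what makes the scan visible: a single source touching many closed ports stands out even though none of its packets reached the LAN.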