There are some problems for which there is currently no easy solution. When the entry points into your network are saturated with an overload of network traffic, there is not much you can do about it. The best tactic available when such an attack occurs is to block the address ranges from which the attack is coming. But when your network is being singled out by several hundred compromised computers, it is difficult to program your routers quickly enough to block all of those addresses. The fact that many large Internet sites have been taken down during the past few years by these kinds of attacks should indicate how serious they can be. What can you do? Gather all the information you can (source addresses, timing, traffic type), and, when the attack is over, try to backtrack to find out where it originated. This may not lead anywhere, because one computer can set off many others to do the dirty work for it. Even if you never get access to the machines that performed a distributed denial-of-service attack, the addresses and times you recorded are what their owners, their ISPs, or investigators need to research the problem further.
So for now, the best defense is to hope that this doesn't happen to you and to use an Internet service provider with a good technical team that can respond quickly to help block the sites generating the attack. And by all means, if you are targeted, get the authorities involved.
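The passage above says blocking is the only tactic available during a flood, and that the hard part is turning hundreds of source addresses into something a router can take quickly. The following added example (my own, not code from the original page) works through that step: it pulls SYN-flood sources out of a few constructed flow-log lines, collapses them into the fewest covering CIDR blocks, optionally widens them to a coarser prefix to shorten the list, and renders Cisco IOS-style ACL entries. The log format, the `flags=S` token and the ACL number 101 are assumptions for the demonstration.

```python
import ipaddress
from collections import Counter
import re

# Constructed flow-log lines (not a real capture): one record per packet that
# reached the edge router during the flood.  Addresses are documentation ranges.
SAMPLE_LOG = """\
10:00:01 src=198.51.100.7 dst=192.0.2.10 proto=tcp flags=S
10:00:01 src=198.51.100.9 dst=192.0.2.10 proto=tcp flags=S
10:00:01 src=198.51.100.130 dst=192.0.2.10 proto=tcp flags=S
10:00:02 src=203.0.113.4 dst=192.0.2.10 proto=tcp flags=S
10:00:02 src=203.0.113.5 dst=192.0.2.10 proto=tcp flags=S
10:00:02 src=203.0.113.6 dst=192.0.2.10 proto=tcp flags=S
10:00:02 src=203.0.113.7 dst=192.0.2.10 proto=tcp flags=S
10:00:03 src=192.0.2.55 dst=192.0.2.10 proto=tcp flags=A
"""

SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def attacking_sources(log_text, min_hits=1):
    """Count bare SYNs per source address; sources below min_hits are ignored.

    Only lines whose flags token is exactly "S" count (a half-open handshake),
    so the legitimate ACK from 192.0.2.55 is not swept into the block list.
    """
    counts = Counter()
    for line in log_text.splitlines():
        if "flags=S" not in line.split():
            continue
        m = SRC_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= min_hits}


def summarize_prefixes(addresses, widen_to=32):
    """Collapse attacking hosts into the fewest CIDR blocks that cover them.

    widen_to < 32 first rounds each host up to that prefix length.  That
    shortens the filter list a router has to install, at the cost of
    collateral damage: innocent neighbours in the same prefix get blocked too.
    """
    nets = [ipaddress.ip_network(a).supernet(new_prefix=widen_to) for a in addresses]
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]


def acl_lines(prefixes, acl_number=101):
    """Render the blocks as Cisco IOS-style extended ACL entries (assumed
    target platform; other vendors differ).  IOS wants a wildcard mask,
    which is the inverse of the netmask, hence hostmask."""
    lines = []
    for p in prefixes:
        net = ipaddress.ip_network(p)
        lines.append(f"access-list {acl_number} deny ip {net.network_address} {net.hostmask} any")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    hosts = attacking_sources(SAMPLE_LOG)
    print("attacking hosts:", sorted(hosts))
    print("exact blocks:   ", summarize_prefixes(hosts))
    coarse = summarize_prefixes(hosts, widen_to=24)
    print("/24 blocks:     ", coarse)
    print("\n".join(acl_lines(coarse)))
```

On the sample data the exact collapse still leaves four entries (only 203.0.113.4-7 merge into a /30), while widening to /24 yields two; that trade-off between list length and collateral blocking is exactly the decision you or your ISP make under pressure during an attack.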
Protecting Host Computers Encryption and Virus-Protection Software
After an intruder gets past a router, it is usually easy to intrude further by gaining access to host computers on the network. It is tempting to put up a router and firewall configuration and assume that your network is safe. However, even if those measures do keep outsiders out, you still must worry about users who are allowed on the network. A disgruntled employee can do more damage (and probably a better job of hiding the evidence) than many network intruders. Host security is a very important topic.
You should start by becoming intimately familiar with the resource-protection and user-authentication schemes used by your computers. For example, many Unix variants provide a shadow password file (/etc/shadow) that is readable only by root. On a system without it, the password hashes sit in the world-readable /etc/passwd: when someone breaks in, it is a simple matter to download that file and spend a few minutes or hours with an automated program that hashes every word in a dictionary with each entry's salt, checks whether the result matches the stored hash, and then simply logs back into your Unix box with a valid password.
The applications you run on servers or workstations can also make the host computer an easy target. For example, if you are using older versions of FTP or Telnet, you are sending usernames and passwords across your network in clear, easy-to-read ASCII text. A network sniffer (which can be something as simple as a Trojan horse program planted somewhere in your network) can watch for these and transmit them back to the intruder. Because secure versions of these and other related utilities are available, you should always use the secure versions, even if it means purchasing additional software to replace the utilities that come with your operating system.
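To make the cleartext problem concrete, here is an added example (mine, not from the original page) of what a sniffer planted on the network extracts from two constructed sessions: an FTP control channel, where the USER and PASS commands travel as whole lines, and a Telnet login, where each keystroke goes out in its own segment and the server echoes the username but not the password, so the client stream has to be reassembled and keyed on the server's prompts. The packet tuples, host names and credentials are all constructed for the demonstration; SSH and SFTP carry the same login inside an encrypted channel, where neither function would find anything.

```python
# Constructed packet payloads (not a real capture).  Each tuple is
# (direction, bytes) in wire order; "c2s" is client-to-server.
FTP_SESSION = [
    ("s2c", b"220 ftp.example.test FTP server ready.\r\n"),
    ("c2s", b"USER alice\r\n"),
    ("s2c", b"331 Password required for alice.\r\n"),
    ("c2s", b"PASS sunshine\r\n"),
    ("s2c", b"230 User alice logged in.\r\n"),
    ("c2s", b"RETR payroll.xls\r\n"),
]

# Telnet sends each keystroke in its own segment; the server echoes the user
# name character by character but suppresses echo while the password is typed.
TELNET_SESSION = [
    ("s2c", b"login: "),
    ("c2s", b"b"), ("s2c", b"b"),
    ("c2s", b"o"), ("s2c", b"o"),
    ("c2s", b"b"), ("s2c", b"b"),
    ("c2s", b"\r\n"), ("s2c", b"\r\n"),
    ("s2c", b"Password: "),
    ("c2s", b"h"), ("c2s", b"u"), ("c2s", b"n"), ("c2s", b"t"),
    ("c2s", b"e"), ("c2s", b"r"), ("c2s", b"2"), ("c2s", b"\r\n"),
    ("s2c", b"\r\nLast login: Mon Mar  1 10:00 on ttyp0\r\n$ "),
]


def client_stream(session):
    """Reassemble everything the client sent, in order, as one byte string."""
    return b"".join(payload for direction, payload in session if direction == "c2s")


def sniff_ftp(session):
    """Pair each USER command with the PASS that follows it (RFC 959 syntax)."""
    creds, user = [], None
    for line in client_stream(session).splitlines():
        verb, _, arg = line.decode("ascii", errors="replace").partition(" ")
        if verb.upper() == "USER":
            user = arg
        elif verb.upper() == "PASS" and user is not None:
            creds.append((user, arg))
            user = None
    return creds


def sniff_telnet(session):
    """Collect the client bytes typed after a "login:" prompt and after a
    "Password:" prompt, up to the end of line.  Server echoes are ignored
    because they never end with a prompt; "Last login:" is not a prompt
    either, since the check is on the line's ending, not a substring."""
    creds, state, buf, user = [], None, b"", None
    for direction, payload in session:
        if direction == "s2c":
            prompt = payload.rstrip().lower()
            if prompt.endswith(b"login:"):
                state, buf = "user", b""
            elif prompt.endswith(b"password:"):
                state, buf = "pass", b""
            continue
        if state is None:
            continue
        buf += payload
        if buf.endswith(b"\n"):
            value = buf.strip().decode("ascii", errors="replace")
            if state == "user":
                user = value
            else:
                creds.append((user, value))
            state, buf = None, b""
    return creds


if __name__ == "__main__":
    print("FTP credentials:   ", sniff_ftp(FTP_SESSION))
    print("Telnet credentials:", sniff_telnet(TELNET_SESSION))
```

A dozen lines per protocol is all a Trojan horse sniffer needs, which is why replacing FTP and Telnet with their encrypted counterparts matters more than any amount of router filtering on the inside of the network.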
If you have an important server that is absolutely critical to your business operations, you might want to consider keeping a "hot spare" around. That is, create another server that is virtually a clone of the important server. If the original server is compromised, place the hot spare into service. This might involve a little time if you have data that needs to be restored to the hot spare before it can be used. However, for servers that contain data that doesn't change often, such as some Web servers, you can have an exact duplicate sitting around just waiting to be used in case the operational Web server becomes compromised.