Tuesday, April 8, 2008

Network Probes

A network probe or sniffer is a very useful tool for troubleshooting network problems. You can find software and hardware network sniffers that collect data packets from the network and allow you to examine them to determine what is causing a problem on your network.

Because the purpose of a network probe is to intercept packets and examine them, you can easily see how this could be very damaging when used for purposes other than troubleshooting.

Remember that the less information known about your network by outsiders, the more difficult it is to infiltrate your network. However, when someone has broken in, it's a simple task to plant a program that does nothing except listen to the network and send information back to the person who planted the program in the first place. Using a network sniffer for this purpose enables an outsider to find out all sorts of useful information about your computers, users, and network configuration. For example, you already know it's a bad idea to use FTP, Telnet, and other utilities that use clear-text to send usernames and passwords. However, you might think it's safe to use these inside your network. Well, that's not so. If someone has planted a program in a server on your network and is "probing" the packets that pass around your network, they'll find it very easy to further infiltrate your network by obtaining more user account information, and thus be able to compromise one computer after another. Use safe utilities inside your network as well as for communications on the Internet. An example of this would be to use the Secure Shell utilities.
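One way to see how much of this risk exists on your own network is to audit captured traffic for protocols that carry credentials in the clear. The following is an added example, not code from the original post: it takes packets as (destination port, payload) pairs, an assumption standing in for whatever your capture tool provides, and records only that a credential was exposed, never the credential itself. The sample packets are constructed.

```python
"""Audit constructed packet records for clear-text authentication traffic.

Added example; it is not code from the original post. Each packet is a
(dst_port, payload_bytes) tuple, an assumption standing in for whatever a
real capture tool would hand you.
"""
from collections import Counter

# Protocols that carry credentials without encryption (well-known ports).
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 110: "POP3", 143: "IMAP"}

# Command prefixes that mark a credential in FTP/POP3 traffic.
CREDENTIAL_PREFIXES = (b"USER ", b"PASS ")


def audit_cleartext(packets):
    """Return a per-protocol count of packets that expose credentials.

    Only the fact that a credential crossed the wire in the clear is
    recorded; the values themselves are deliberately not returned or logged.
    """
    findings = Counter()
    for dst_port, payload in packets:
        proto = CLEARTEXT_PORTS.get(dst_port)
        if proto is None:
            continue
        if proto == "Telnet":
            # Telnet sends every keystroke in the clear, so any payload
            # on port 23 counts as exposure.
            findings[proto] += 1
        elif payload.upper().startswith(CREDENTIAL_PREFIXES):
            findings[proto] += 1
    return dict(findings)


# Constructed sample traffic (not a real capture).
SAMPLE_PACKETS = [
    (21, b"USER alice\r\n"),
    (21, b"PASS hunter2\r\n"),
    (21, b"LIST\r\n"),
    (22, b"SSH-2.0-OpenSSH_8.9\r\n"),   # SSH: encrypted, ignored
    (23, b"login: "),
    (110, b"USER bob\r\n"),
    (443, b"\x16\x03\x01"),              # TLS: ignored
]

if __name__ == "__main__":
    for proto, n in audit_cleartext(SAMPLE_PACKETS).items():
        print(f"{proto}: {n} packet(s) carried credentials in the clear")
```

A non-zero count for any protocol is the signal that the text is warning about: those sessions should move to SSH, SFTP or a TLS-wrapped equivalent, inside the network as well as across the Internet.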


Spoofing and Impersonation

Just as it's a simple matter to create a program that can construct a steady stream of SYN packets and send them rapidly to your server, it's also easy to create network packets that have false information in other fields of the IP header. For example, you might have a firewall set up to reject packets from known sources of trouble, based on the source IP address found in the header. However, there's nothing to stop the hacker, cracker, or attacker from simply putting in another source address so that your firewall lets the packet through.

IP address spoofing is very easy to do. It's also very hard to detect. One thing a firewall can do, however, is guard against packets that contain a spoofed address, making it appear that the packet originated inside your network. Think about it. If the source address of a network packet falls within the address range of your internal network, it shouldn't be coming in through a firewall interface that's connected to the Internet. It should be the other way around! All good firewalls can be configured to drop packets that arrive from the outside world with an address that makes it look like the packet came from your network.
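The rule described above is usually called ingress (and, in the other direction, egress) filtering. The following is an added example, not code from the original post, showing the decision logic a firewall applies on its Internet-facing interface. The internal prefix 192.0.2.0/24 is a documentation range standing in for your own network; the private and loopback ranges are listed because they should never arrive from the Internet either.

```python
"""Ingress/egress anti-spoofing check for a firewall's Internet interface.

Added example, not code from the original post. 192.0.2.0/24 (a
documentation range) stands in for your own internal network.
"""
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Ranges that must never appear as a source on the Internet-facing side.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "127.0.0.0/8",                                      # loopback
    "0.0.0.0/8",                                        # "this" network
)]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def filter_packet(src, direction):
    """Return 'ACCEPT' or 'DROP' for a packet seen on the Internet interface.

    direction: 'in'  = arriving from the Internet
               'out' = leaving toward the Internet
    """
    addr = ipaddress.ip_address(src)
    if direction == "in":
        # An inbound packet claiming one of our own addresses is spoofed:
        # it should have been travelling the other way.
        if _in_any(addr, INTERNAL_NETS) or _in_any(addr, BOGON_NETS):
            return "DROP"
        return "ACCEPT"
    if direction == "out":
        # Outbound packets must carry one of our addresses; anything else
        # is a host on our network spoofing somebody else's address.
        return "ACCEPT" if _in_any(addr, INTERNAL_NETS) else "DROP"
    raise ValueError(f"unknown direction {direction!r}")


if __name__ == "__main__":
    for src, d in [("192.0.2.10", "in"), ("203.0.113.5", "in"),
                   ("10.1.2.3", "in"), ("192.0.2.10", "out"),
                   ("203.0.113.5", "out")]:
        print(f"{d:>3} src={src:<14} -> {filter_packet(src, d)}")
```

The outbound rule is the courtesy half of the same idea: it stops a compromised host on your network from sending spoofed traffic at somebody else.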

If It's Too Good to Be True, It Isn't

One of the more prevalent scams that has proliferated on the Internet in the past two years is the claim that you can make a fortune by helping out a civil servant, or the wife of an ex-legislator of a foreign country, usually Nigeria. When you get these emails, don't even try to respond. The scam involves your helping the sender transfer his secret funds to another bank outside the originating country. For a small fee, you can receive a few million in return. Yet, after you get involved, the person encourages you to open an account at a bank he uses (which is simply a Web site, not a bank) and transfer funds to that bank. In this manner he can (1) keep your cash and (2) in some cases gain access to your real account information from your own bank.

This is just one example. Again, if it appears too good to be true, it isn't (true)! The Internet can be a great place to learn about new ideas, to get involved in e-commerce, and so on. It can also be a great place to get fleeced.

Another similar scam is an email that appears to come from a reputable company. Recently, emails from a site that appeared to be Microsoft were passed around the Internet. When you receive a suspicious email, look closely at the sender's address. Check the properties page of the email to see where it was sent from. You shouldn't get emails, for example, from Microsoft.com or Ebay.com unless you have granted them the right to send you emails. And if you get an email from, say, Microsoft-readnow.com, don't open it! Check those emails carefully.
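The check the text describes, comparing the actual sender domain against the domains you have agreed to receive mail from, can be automated at the mail gateway. The following is an added example, not code from the original post; the trusted-domain list and the sample From headers are constructed. It treats only the exact registered domain (or a subdomain of it) as trusted and flags any other domain that merely contains the brand name, which is the Microsoft-readnow.com pattern above.

```python
"""Classify e-mail senders by the domain that actually sent the message.

Added example, not code from the original post. TRUSTED_DOMAINS and the
sample headers are constructed for illustration.
"""
from email.utils import parseaddr

# Domains you have actually agreed to receive mail from.
TRUSTED_DOMAINS = {"microsoft.com", "ebay.com"}


def sender_domain(from_header):
    """Extract the domain from a From header, ignoring the display name."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def classify_sender(from_header):
    """Return 'trusted', 'lookalike' or 'unknown'.

    trusted   : the registered domain itself or one of its subdomains
    lookalike : any other domain that embeds a trusted brand name
    unknown   : everything else (the display name is never consulted)
    """
    domain = sender_domain(from_header)
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in domain:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for hdr in ("Microsoft <update@microsoft.com>",
                "Microsoft <news@microsoft-readnow.com>",
                "eBay <billing@ebay.com.example>",
                "Microsoft Support <help@evil.example>"):
        print(f"{classify_sender(hdr):<9} {hdr}")
```

Note that the display name ("Microsoft Support") is ignored entirely: it is free text the sender controls, which is exactly why the text says to look at the address rather than the name.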

Preventative Measures

There are many standard techniques typically used to keep a network up and running. One of these preventative measures is regular backups. If your system becomes infected with virus programs or if you find that data has been corrupted, you'll understand the importance of regular, frequent backups. In addition, it's a good idea to keep offline copies of important data files for an extended period. Simply doing a backup each night and overwriting the tape or tapes the next night will provide you with very little protection. Damage to your system might not become evident until weeks or, in some cases, months after the initial intrusion.

There are also commercial and noncommercial products you can use to help safeguard your system. These include intrusion-detection mechanisms, antivirus programs, and programs that can monitor changes on important servers.
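The last category mentioned, programs that monitor changes on important servers, works by hashing a baseline of the files you care about and comparing later snapshots against it. The following is an added example, not code from the original post or any particular product; the directory paths are whatever you pass in, and in practice the baseline would be kept on read-only or offline storage so an intruder cannot rewrite it along with the files.

```python
"""Baseline-and-compare change monitor for important server files.

Added example, not code from the original post. Keep the baseline it
produces on read-only or offline media; a baseline an intruder can edit
proves nothing.
"""
import hashlib
import os


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (as a relative path) to its hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Return added, removed and modified paths between two snapshots."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


if __name__ == "__main__":
    import sys
    # Usage: python monitor.py /etc            (prints a baseline summary)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    snapshot = build_baseline(root)
    print(f"{len(snapshot)} files hashed under {root}")
```

Run build_baseline once on a known-good system, store the result, and re-run compare on a schedule; an unexpected entry under "modified" or "added" in a system directory is the kind of change that may not otherwise surface for weeks.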

So where should you start when defining the defensive mechanisms needed to protect your network? Let's start at the edge of the network—the router.

Protecting Routers

Routers typically can be configured in several ways. You can attach a serial cable and terminal directly to most routers and perform configuration tasks. Another method is Telnet. Most modern routers allow you to Telnet into the router to perform configuration tasks. Turn this functionality on only when it is needed, and then turn it back off. The same goes for unnecessary protocols and services. In a manner similar to deciding what services you want to allow through a firewall (and in what direction), you should turn off all unnecessary services on a router. You'll have to consult your documentation to find out the particular commands you'll need to use.

You might want to check vendor Web sites for other router products that are in use on your network to look for similar advice. Additionally, be sure to stay informed of router firmware updates and operating-system updates and patches. As new threats are discovered, a responsible vendor will release information or code that can be used to help improve the security of the routers that stand guard at the edge of the network.
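Because the exact commands differ by vendor, a practical way to enforce the advice above across many routers is to audit their saved configurations rather than log into each one. The following is an added example, not code from the original post: it assumes Cisco IOS-style configuration syntax (the post names no vendor), and the sample configuration is constructed. It checks only the two points the text raises, Telnet left enabled on the management lines and unnecessary services left running.

```python
"""Audit a router configuration dump for management-plane weak spots.

Added example, not code from the original post. The syntax assumed is
Cisco IOS-style (an assumption; the post names no vendor) and the sample
configuration is constructed.
"""

# Services that should be off unless needed. Each key is the line that, in
# IOS-style syntax, enables the service; the value is a description.
UNNEEDED_SERVICES = {
    "ip http server": "HTTP management interface",
    "service finger": "finger",
    "cdp run": "CDP neighbour advertisements",
}


def audit_router_config(config_text):
    """Return a list of findings (strings) for the given configuration text."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    findings = []
    in_vty = False
    for line in lines:
        # VTY lines are the virtual terminals Telnet/SSH sessions land on.
        if line.startswith("line vty"):
            in_vty = True
            continue
        if line.startswith("line ") or line == "!":
            in_vty = False
        if in_vty and line.startswith("transport input"):
            allowed = line.split()[2:]
            if "telnet" in allowed or "all" in allowed:
                findings.append("Telnet enabled on VTY lines: " + line)
    enabled = set(lines)
    for svc, desc in UNNEEDED_SERVICES.items():
        # A "no ..." form stripped to e.g. "no cdp run" will not match.
        if svc in enabled:
            findings.append(f"Unneeded service on: {desc} ({svc})")
    return findings


# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
!
service finger
ip http server
no cdp run
!
line con 0
 transport input none
line vty 0 4
 transport input telnet ssh
!
"""

if __name__ == "__main__":
    for finding in audit_router_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Extend UNNEEDED_SERVICES with whatever your own router documentation lists as enabled by default and unused on your network; the audit is only as good as that list.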


Internet Blogosphere