Matt Curtin
Reprinted with the permission of Kent Information Services, Inc.
Abstract:
Network security is a complicated subject, historically only tackled by well-trained and experienced experts. However, as more and more people become “wired”, an increasing number of people need to understand the basics of security in a networked world. This document was written with the basic computer user and information systems manager in mind, explaining the concepts needed to read through the hype in the marketplace and understand risks and how to deal with them.
Risk Management: The Game of Security
It’s very important to understand that in security, one simply cannot say “what’s the best firewall?” There are two extremes: absolute security and absolute access. The closest we can get to an absolutely secure machine is one unplugged from the network, power supply, locked in a safe, and thrown at the bottom of the ocean. Unfortunately, it isn’t terribly useful in this state. A machine with absolute access is extremely convenient to use: it’s simply there, and will do whatever you tell it, without questions, authorization, passwords, or any other mechanism. Unfortunately, this isn’t terribly practical, either: the Internet is a bad neighborhood now, and it isn’t long before some bonehead will tell the computer to do something like self-destruct, after which, it isn’t terribly useful to you.
This is no different from our daily lives. We constantly make decisions about what risks we’re willing to accept. When we get in a car and drive to work, there’s a certain risk that we’re taking. It’s possible that something completely out of control will cause us to become part of an accident on the highway. When we get on an airplane, we’re accepting the level of risk involved as the price of convenience. However, most people have a mental picture of what an acceptable risk is, and won’t go beyond that in most circumstances. If I happen to be upstairs at home, and want to leave for work, I’m not going to jump out the window. Yes, it would be more convenient, but the risk of injury outweighs the advantage of convenience.
Every organization needs to decide for itself where between the two extremes of total security and total access they need to be. A policy needs to articulate this, and then define how that will be enforced with practices and such. Everything that is done in the name of security, then, must enforce that policy uniformly.
Types And Sources Of Network Threats
Now, we’ve covered enough background information on networking that we can actually get into the security aspects of all of this. First of all, we’ll get into the types of threats there are against networked computers, and then some things that can be done to protect yourself against various threats.
DoS (Denial-of-Service) attacks are probably the nastiest, and most difficult to address. These are the nastiest, because they’re very easy to launch, difficult (sometimes impossible) to track, and it isn’t easy to refuse the requests of the attacker, without also refusing legitimate requests for service.
The premise of a DoS attack is simple: send more requests to the machine than it can handle. There are toolkits available in the underground community that make this a simple matter of running a program and telling it which host to blast with requests. The attacker’s program simply makes a connection on some service port, perhaps forging the packet’s header information that says where the packet came from, and then dropping the connection. If the host is able to answer 20 requests per second, and the attacker is sending 50 per second, obviously the host will be unable to service all of the attacker’s requests, much less any legitimate requests (hits on the web site running there, for example).
Such attacks were fairly common in late 1996 and early 1997, but are now becoming less popular.