INTERNET Security


1. Introduction

While Internet connectivity offers enormous benefits in terms of increased access to information, Internet connectivity is not necessarily a good thing for sites with low levels of security. The Internet suffers from glaring security problems that, if ignored, could have disastrous results for unprepared sites. Inherent problems with TCP/IP services, the complexity of host configuration, vulnerabilities introduced in the software development process, and a variety of other factors have all contributed to making unprepared sites open to intruder activity and related problems.

The security problems of a big Internet site can be divided into three parts: base security of the Unix system, local network security, and security of Internet connections.

2. Security of the Unix system

The Unix operating system, although now in widespread use in environments concerned about security, was not really designed with security in mind. The reasons for this state are largely historical. Unix was originally designed by programmers for use by other programmers. This does not mean that Unix does not provide any security mechanisms: indeed, several very good ones are available. The only problem is that host security relies entirely on proper configuration of the system by the system administrator.

Unix system security can be divided into three main areas of concern. Two of these areas, account security and network security, are primarily concerned with keeping unauthorized users from gaining access to the system. This section describes the Unix security tools provided to make each of these areas as secure as possible.

2.1 Account security

One of the easiest ways for a cracker to get into a system is by breaking into someone's account. This is usually easy to do, since many systems have accounts whose users have left the organization, accounts with easy-to-guess passwords, and so on. The following describes how to configure password security.

When setting passwords, several rules are to be kept in mind:

The second important feature is expiration dates for passwords. If your system has many users, it is not easy to tell which of them still use the system and which do not. Such dormant accounts are a major security hole: not only can they be broken into if the password is weak, but because nobody is using the account anymore, it is unlikely that a break-in will be noticed.

Guest accounts present yet another security hole. The best way to deal with this problem is never to use guest accounts. Accounts without passwords must also be prohibited.
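The following is an added example, not part of the original text: a small audit of passwd(5)/shadow(5) entries for the three account problems just described (guest accounts, empty passwords, and passwords that never expire). The sample data, the 90-day policy and the guest-name list are constructed assumptions.

```python
"""Audit passwd/shadow entries for the problems named in section 2.1:
guest accounts, accounts without passwords, and passwords that never expire.
The input below is constructed sample data in passwd(5)/shadow(5) format."""

# Constructed sample files (hashes and dates are placeholders).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
guest:x:1002:1002:Guest:/home/guest:/bin/sh
bob:x:1003:1003:Bob:/home/bob:/bin/sh
daemon:x:2:2:daemon:/sbin:/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:$6$salt$hash:19000:0:90:7:::
alice:$6$salt$hash:19000:0:99999:7:::
guest::19000:0:99999:7:::
bob:$6$salt$hash:18000:0::7:::
daemon:*:19000:0:99999:7:::
"""

MAX_PASSWORD_AGE_DAYS = 90                  # assumed site policy
GUEST_NAMES = {"guest", "visitor", "demo"}  # assumed guest-style names

def parse_colon_file(text):
    """Map user name to the list of fields of a colon-separated file."""
    entries = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries

def audit_accounts(passwd_text, shadow_text):
    """Return a sorted list of (user, problem) pairs."""
    findings = []
    shadow = parse_colon_file(shadow_text)
    for user in parse_colon_file(passwd_text):
        entry = shadow.get(user)
        if entry is None:
            findings.append((user, "no shadow entry"))
            continue
        pw_hash, max_age = entry[1], entry[4]   # field 2: hash, field 5: max age
        if user in GUEST_NAMES:
            findings.append((user, "guest account"))
        if pw_hash.startswith(("*", "!")):
            continue  # locked: no login possible, so aging does not matter
        if pw_hash == "":
            findings.append((user, "empty password"))
        if max_age == "" or int(max_age) > MAX_PASSWORD_AGE_DAYS:
            findings.append((user, "no password expiration within policy"))
    return sorted(findings)
```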

2.2 Network security

One of the most convenient features of the Berkeley (and Sun) Unix networking software is the concept of "trusted hosts". The software allows the specification of other hosts (and possibly users) that are to be considered trusted, i.e. remote logins and remote command execution from these hosts will be granted without requiring the user to enter a password.

The trusted hosts concept represents a potential security problem: if you allow users to specify trusted hosts for themselves, you lose control of access to your system. Trusted hosts are usually specified in a .rhosts file in the user's home directory. A compromise between security and the convenience of the 'r' commands can be found by specifying the trusted hosts for your system in one file, /etc/hosts.equiv, which must be under the control of the administrator only, and by forbidding .rhosts files in users' home directories.
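As an added example (not from the original text), here is an audit of the two trust files just discussed. It assumes the hosts.equiv(5) format shared by /etc/hosts.equiv and .rhosts, one "host [user]" entry per line with "+" as a wildcard; the paths and file contents are constructed.

```python
"""Audit the trusted-host files discussed above. /etc/hosts.equiv and the
per-user .rhosts files share one format, 'host [user]' per line with '+' as a
wildcard (assumed, per hosts.equiv(5)); the sample contents are constructed."""

# Constructed sample file contents; the paths are hypothetical.
SAMPLE_FILES = {
    "/etc/hosts.equiv": (
        "# hosts trusted by the whole system\n"
        "backup.example.test\n"
        "+\n"
        "mail.example.test operator\n"
    ),
    "/home/alice/.rhosts": "+ +\n",
    "/home/bob/.rhosts": "desk.example.test bob\n",
}

def audit_trust_file(path, text):
    """Return (path, line_no, problem) tuples for one hosts.equiv/.rhosts file."""
    findings = []
    is_rhosts = path.endswith("/.rhosts")
    if is_rhosts:
        # Policy from the text: users must not keep their own trust lists.
        findings.append((path, 0, "per-user .rhosts file present"))
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        host = parts[0]
        user = parts[1] if len(parts) > 1 else None
        if host == "+":
            findings.append((path, no, "wildcard host: every host is trusted"))
        if user == "+":
            findings.append((path, no, "wildcard user: every remote user is trusted"))
        elif user and not is_rhosts:
            # Per hosts.equiv(5), a named remote user may log in as any non-root local user.
            findings.append((path, no, f"remote user {user!r} may log in as any non-root local account"))
    return findings

def audit_trust_files(files):
    """Audit a {path: contents} mapping, in path order."""
    findings = []
    for path in sorted(files):
        findings.extend(audit_trust_file(path, files[path]))
    return findings
```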

Under newer versions of Unix, the concept of a "secure terminal" has been introduced. Simply put, the super-user (root) may not log in on a nonsecure terminal even with the correct password. The best solution is to leave only one secure terminal, the console, and mark all other terminals as nonsecure.

The Network File System (NFS) is designed to allow several hosts to share files over the network. The /etc/exports file defines which filesystems are exported and the read, write, and execute permissions for exported filesystems. It is also possible to restrict an export to specific hosts or subnets. The secure rule is: never export filesystems with write permission to anyone. Export only those filesystems that really need to be exported.
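An added example, not part of the original text, that checks an /etc/exports file against the two rules above. It assumes the Linux exports(5) syntax ("/path client(option,...) ..."); the sample file is constructed.

```python
"""Check an /etc/exports file against the rule above: export only what must
be exported, and never writable to anyone. Assumes the Linux exports(5)
syntax '/path client(option,...) ...'; the sample file is constructed."""

SAMPLE_EXPORTS = """\
# constructed sample /etc/exports
/srv/pub     *(ro)
/home        10.0.0.0/24(rw,no_root_squash)
/srv/tools   build1.example.test(ro) build2.example.test(ro)
/tmp/scratch
"""

def parse_exports(text):
    """Yield (path, [(client, [options, ...]), ...]) per export line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        clients = []
        for spec in parts[1:]:
            client, _, opts = spec.partition("(")
            options = [o for o in opts.rstrip(")").split(",") if o]
            clients.append((client or "*", options))  # '(ro)' alone means every host
        yield parts[0], clients

def audit_exports(text):
    """Return sorted (path, problem) pairs for exports that break the rules."""
    findings = []
    for path, clients in parse_exports(text):
        if not clients:
            findings.append((path, "exported to every host (no client list)"))
        for client, options in clients:
            if client == "*":
                findings.append((path, "exported to every host ('*')"))
            if "rw" in options:
                findings.append((path, f"writable by {client}"))
            if "no_root_squash" in options:
                findings.append((path, f"remote root keeps root privileges from {client}"))
    return sorted(findings)
```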

Many security problems arise from a nonsecure configuration of the FTP daemon. To make your daemon secure, obtain its latest version and carefully install it according to the manual. Many FTP security problems begin with misconfiguration and wrong permissions.

Sendmail, the Unix mail system, is known to have security problems. The only way to solve them is to update the distribution constantly.

Services such as finger and sysstat can provide a cracker with important information about your system. So, where such services are not absolutely necessary, don't run them.

3. FireWalls

Fortunately, there are readily-available solutions that can be used to improve site security. A firewall system is one technique that has proven highly effective for improving the overall level of site security. A firewall system is a collection of systems, routers, and policy placed at a site's central connection to a network. A firewall forces all network connections to pass through the gateway where they can be examined and evaluated, and provides other services such as advanced authentication measures to replace simple passwords. The firewall may then restrict access to or from selected systems, or block certain TCP/IP services, or provide other security features. A well-configured firewall system can also act as an organization's "public-relations vehicle" and can help to present a favorable image of the organization to other Internet users.

A simple network usage policy that can be implemented by a firewall system is to provide access from internal to external systems, but little or no access from external to internal systems. However, a firewall does not negate the need for stronger system security. There are many tools available for system administrators to enhance system security and provide additional logging capability. Such tools can check for strong passwords, log connection information, detect changes in system files, and provide other features that will help administrators detect signs of intruders and break-ins.

A firewall system can be a router, a personal computer, a host, or a collection of hosts, set up specifically to shield a site or subnet from protocols and services that can be abused from hosts outside the subnet. A firewall system is usually located at a higher-level gateway, such as a site's connection to the Internet; however, firewall systems can also be located at lower-level gateways to provide protection for some smaller collection of hosts or subnets. Firewall components:

  1. network policy,
  2. advanced authentication mechanisms,
  3. packet filtering,
  4. application gateways

1. Network Policy
There are two levels of network policy that directly influence the design, installation and use of a firewall system. The higher-level policy is an issue-specific, network access policy that defines those services that will be allowed or explicitly denied from the restricted network, how these services will be used, and the conditions for exceptions to this policy. The lower-level policy describes how the firewall will actually go about restricting the access and filtering the services that were defined in the higher level policy.

2. Advanced authentication
Advanced authentication measures such as smartcards, authentication tokens, biometrics, and software-based mechanisms are designed to counter the weaknesses of traditional passwords. While the authentication techniques vary, they are similar in that the passwords generated by advanced authentication devices cannot be reused by an attacker who has monitored a connection. Given the inherent problems with passwords on the Internet, an Internet-accessible firewall that does not use or does not contain the hooks to use advanced authentication makes little sense.

Some of the more popular advanced authentication devices in use today are called one-time password systems. A smartcard or authentication token, for example, generates a response that the host system can use in place of a traditional password. Because the token or card works in conjunction with software or hardware on the host, the generated response is unique for every login. The result is a one-time password that, if monitored, cannot be reused by an intruder to gain access to an account.

3. Packet Filtering
IP packet filtering is usually done with a packet filtering router designed to filter packets as they pass between the router's interfaces. A packet filtering router can usually filter IP packets based on some or all of the following fields:
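As an added example (not from the original text), the first-match rule list below implements the section 3 policy, internal hosts may open connections outward but external hosts may not open them inward, as a packet filter. It assumes the router filters on arrival interface, source and destination address, protocol, destination port and the TCP ACK flag; the site network, the blocked r-service ports and the packet trace are constructed.

```python
"""A first-match packet filter implementing the section 3 policy (internal
hosts may open connections outward, external hosts may not open them inward).
Filtering fields assumed: arrival interface, source and destination address,
protocol, destination port and the TCP ACK flag. Addresses are constructed."""
import ipaddress

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed site network
# Services blocked in both directions: the trusted-host r-services of section 2.2.
BLOCKED_TCP_PORTS = {512, 513, 514}  # exec, login, shell

def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL_NET

def filter_packet(iface, src, dst, proto, dport, ack=False):
    """Return 'permit' or 'deny'; iface is 'inside' or 'outside'."""
    src_in, dst_in = is_internal(src), is_internal(dst)
    # Rule 1: anti-spoofing. A packet arriving on the outside interface must
    # not carry an internal source address.
    if iface == "outside" and src_in:
        return "deny"
    # Rule 2: blocked services are dropped whichever way they are going.
    if proto == "tcp" and dport in BLOCKED_TCP_PORTS:
        return "deny"
    # Rule 3: internal hosts may talk to the outside.
    if iface == "inside" and src_in and not dst_in:
        return "permit"
    # Rule 4: replies to those connections return with ACK set. A bare SYN
    # (ACK clear) would be a new inbound connection attempt, so it falls through.
    if iface == "outside" and dst_in and proto == "tcp" and ack:
        return "permit"
    # Rule 5: default deny (inbound SYNs, and UDP, which has no ACK bit).
    return "deny"

# Constructed trace: (iface, src, dst, proto, dport, ack).
SAMPLE_PACKETS = [
    ("inside", "192.0.2.10", "198.51.100.5", "tcp", 80, False),     # outbound HTTP
    ("outside", "198.51.100.5", "192.0.2.10", "tcp", 1025, True),   # its reply
    ("outside", "198.51.100.9", "192.0.2.10", "tcp", 23, False),    # inbound telnet SYN
    ("outside", "192.0.2.20", "192.0.2.10", "tcp", 80, True),       # spoofed internal source
    ("inside", "192.0.2.10", "198.51.100.5", "tcp", 513, False),    # outbound rlogin
    ("outside", "198.51.100.9", "192.0.2.10", "udp", 2049, False),  # inbound NFS over UDP
]

def apply_policy(packets):
    """Return the verdict for each packet in order."""
    return [filter_packet(*pkt) for pkt in packets]
```

Only the first two packets of the trace pass; the spoofed packet is caught by the anti-spoofing rule before any permit rule can match it.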

4. Application Gateways
To counter some of the weaknesses associated with packet filtering routers, firewalls need to use software applications to forward and filter connections for services such as TELNET and FTP. Such an application is referred to as a proxy service, while the host running the proxy service is referred to as an application gateway. Application gateways and packet filtering routers can be combined to provide higher levels of security and flexibility than if either were used alone.


indis@msu.ru