index_16
Auerbach Publications
© 2001 CRC Press LLC
08/01
troduced that can completely circumvent any security measures taken by
corporate that would normally be providing the security envelope. It is
at the point of connecting to the Internet where the dramatic tumbling of
realized security takes place, and the remote system becomes the judge,
jury, and possibly, the executioner of the corporate security.
The remote system may have employed a very robust VPN solution,
one that does not allow the host system to act as a router or allow the
forwarding of information from the Internet into the private network. To
take it one step further, the VPN solution may employ limited firewalling
capabilities or filtering concepts to limit access into the internal network.
Nonetheless, the protection possibly supplied by the VPN client or fire-
wall software can be turned off by users, ultimately opening them up to
attack. In the event that a package can be implemented in which the user
cannot turn the protection suite off, it can be assumed that a vulnerability
will arise that requires a patch to remedy.
This scenario is extremely common and nearly an everyday occur-
rence for firewall and perimeter security administrators simply attempt-
ing to keep up with a limited number of firewalls. Given the lack of
attention normally seen in many organizations toward their firewall
maintenance, one can only imagine the disintegration of security when
vulnerabilities are discovered in the remote systems firewall software.
VULNERABILITY CONCEPTS
To fully understand the extremity of the destruction of perceived corpo-
rate security made available by ample amounts of technology and pro-
cesses, it is necessary to know that the remote system is open and
exposed to the Internet. In some cases, as with broadband, the exposure
is constant and for long periods of time, making it predictable an at-
tackers greatest asset.
The Internet is a sea of threats, if nothing else, simply because of the
vast numbers of people and technologies available to them to anony-
mously wreak havoc on others, especially those unprepared. There are
several different types of attacks that are for different uses and affect dif-
ferent layers in the communication. For example, Denial of Service (DoS)
attacks are simply geared to eliminate the availability of a system or ser-
vice a purely destructive purpose. DoS attacks take advantage of
weaknesses in low-level communication attributes, such as a protocol
vulnerability, or higher-level weaknesses that may reside in the applica-
tion itself. Some other attacks have very specific applications and are de-
signed for particular situations to either gain access or obtain information.
It is becoming more and more common to see these attacks taking ad-
vantage of application errors and quirks. The results are applications spe-
cifically engineered to obtain system information, or even to remotely
control the host system.