4 Chapter 1 Introduction to Network Security

Types of Security Weaknesses

This is probably the most important section in this chapter because it defines what security weaknesses are and how to understand inherent weaknesses in hardware, software, and people. Generally, there are three types of security weaknesses in any network implementation:

Technology Weaknesses

Cisco defines technology weaknesses as a protocol, operating system, or hardware weakness. By default, protocols, operating systems, and hardware are typically not secure. Understanding their weaknesses can help you secure your network before you are attacked.

Technology weakness refers to the inadequacies of electronic systems, whether it is hardware or software. Technology weaknesses create a challenge for IT people because most hardware and software used in a company were already installed when they started their job.

Let’s break down this category into three specific areas.

TCP/IP Weaknesses

TCP/IP has intrinsic security weaknesses because it was designed as an open standard to facilitate network communication. The fact that TCP/IP is an open standard is the main reason for its vast popularity, but the open standard nature of TCP/IP is also a reason why network attacks happen so easily and often—many people are familiar with how TCP/IP works.

For example, the original Unix sendmail daemon allows access to the Unix root, which, in turn, allows access to the entire Unix system! By simply viewing the sendmail information, a hacker can lock, load, and launch attacks on vulnerabilities specific to the operating system version. Special torture!

Yes, TCP/IP has operating system weaknesses that truly need to be addressed, but what’s worse is that TCP/IP has also created network equipment weaknesses such as password protection, lack of required authentication, its routing protocols (which advertise your entire network), and firewall holes.

The two protocols that Cisco likes to pick on in the TCP/IP stack as inherently insecure are Simple Mail Transfer Protocol (SMTP) and Simple Network Management Protocol (SNMP). IP spoofing (masquerade attack), man-in-the-middle, and session replaying are specific examples of TCP/IP weaknesses.

Operating System Weaknesses

While every operating system has weaknesses, Microsoft Windows’ weaknesses get top billing because most people use some version of Windows. To be fair, Unix and Linux have considerably fewer operating system weaknesses than Windows does, but they still have security issues

that must be dealt with if you’re running them on your network. It all comes down to a specific network’s needs.

Network Equipment Weaknesses

All network equipment, such as servers, routers, switches, and so on, has some inherent security weakness. But being armed with a well-defined policy for the configuration and installation of network equipment can help tremendously in reducing the effects of network equipment weaknesses.

It is recommended that the following policies be in place before any piece of network equipment is configured and installed: passwords, authentication, routing protocols, and firewalls.

Configuration Weaknesses

Here’s where human error comes into the fray—it’s the administrator who creates configuration weaknesses. You’d be surprised how often a network administrator either leaves equipment at a default setting or fails to secure the network administrator accounts. Some common “come hither and hack me” scenarios exposing your everyday corporate network include configuration flaws such as unsecured user accounts, system accounts with easily guessed passwords, misconfigured Internet services, unsecured default settings in products, and misconfigured network equipment.

Unsecured User Accounts

Using default administrator accounts with no passwords and “God-like” control over the network is definitely asking for trouble. Just don’t do that! If you’re running Microsoft Windows NT, make sure you rename the administrator account. Doing this ensures that any intruders will at least have a slightly harder time finding and breaking into your operating system.

Put some serious thought into which users are granted which rights and privileges, because if you don’t and you instead give rights away indiscriminately, chaos will ensue. Take the time to establish the rights each user really needs, and don’t give them any more rights than what they really need to do their job!

Did you know that usernames and passwords are generally transmitted insecurely across the network? Ever hear of the Reconnaissance intruder? You know, the guy or gal who likes to think they are in the “Internet Special Forces” and their job is to find your network weakness and exploit it? Funny how these people always think they are performing a public service when they steal your data and that you were just so lucky that it was only them who broke in and not some really bad person. They actually believe that they have helped you because now you will fix “the weakness” before a “bad guy” really breaks in. Right. Anyway, these clear passwords are the kind of cool stuff that these snoopers spy for so they can use the information to gain access to your network later. As an administrator, make sure to define password policies that will help you secure your network.

System Accounts with Easily Guessed Passwords

Another way to invite trouble is to assign system account passwords that are easy to guess. To avoid this blunder, the administrator needs to set up policies on your servers that won’t allow certain kinds of passwords and that make sure each password has an expiration date.

6 Chapter 1 Introduction to Network Security

Explicitly define a corporate policy for all users that makes it crystal clear that they can’t use their name, their significant other’s name, their child’s name, their birth date, or any other excruciatingly obvious passwords—even if they add something to it! It’s also a really great idea to have them mix lowercase and uppercase letters, numbers, and special characters into their passwords. This helps defend your network against brute-force attacks that use dictionary files to guess passwords.

Misconfigured Internet Services

I know it’s hard to believe, but some companies really do still use actual routable IP addresses on their network to address their hosts and servers. With the Network Address Translation (NAT) and Port Address Translation (PAT) services that are available now, there is absolutely no reason to use real IP addresses.

But you can use private IP addresses. These allow corporations—and even single homes—to use an IP address range that’s blocked on the Internet. This provides some security for corporations, whose real IP addresses on the border router allow routing from the Internet.

This isn’t a magical cure though. Ports need to be open on the router connecting the router interface to the Internet in order to allow users access to and from the Internet. This is the very hole in a firewall that attackers can and do exploit.

Don’t get me wrong. By putting up a firewall—the Cisco Secure Private Internet eXchange (PIX) Firewall is one of the best—you can provide good security for your network by using conduits, which are basically secure connections, to open ports from the Internet to your servers. Is this bulletproof security? No, that doesn’t exist, but the PIX box is good—really good!

Another potential source of trouble and exposure is that some network administrators enable Java and JavaScript in their web browsers. Doing this makes it possible for hackers to attack you with hostile Java applets.

Unsecured Default Settings in Products

Tangling things further is the fact that many hardware products ship with either no password at all or they make the password available so that the administrator can easily configure the device. On one hand, this really does make life easier—some devices are meant to be plug-and- play. For example, Cisco switches are plug-and-play because they want you to be able to just replace your hubs and instantly make your network better. And it really works, too! But you definitely need to put a password on that switch or an attacker could easily break in.

Cisco actually gave this some thought and is a step ahead in solving this problem. Cisco routers and switches won’t allow Telnet sessions into them without some type of login configuration on the device. But this cool feature does nothing to guard against other types of break-in attempts, such as what the “Internet Special Forces” are trying to “protect” you from.

This is one reason why it’s such a good idea to establish a configuration security policy on each device before any new equipment is installed on your network.

Misconfigured Network Equipment

Misconfigured network equipment is another exploitable flaw—weak passwords, no security policy, and unsecured user accounts can all be part of misconfigured network equipment policies.

Hardware and the protocols that run on it can also create security holes in your network. If you don’t have a policy that describes the hardware and the protocols that run on each piece of equipment, hackers could be breaking in without your ever being aware that you’ve been attacked until it’s too late.

Here’s a huge problem: If you use SNMP default settings, tons of information about your network can be deciphered simply and quickly. So make sure you either disable SNMP or change the default SNMP community strings. These strings are basically passwords for gathering SNMP data.

Policy Weaknesses

You know by now that your corporate network security policy describes how and where security will be implemented within your network. And you understand that your policy should include information on how those configuration policies will be or have been initiated—right?

Let’s take a moment to really clarify solid security policy by identifying the characteristics that contaminate bad policies.

Absence of a Written Security Policy

If a network administrator—or anyone else around—doesn’t understand what’s expected of them from the start, they’ll just make things up as they go along. This is a very bad idea, and it’s a good way to create the kind of chaos that will leave your network wide open to bad guys. Start your written security policy by first describing users, passwords, and Internet access. Then describe your network’s hardware configuration, including all devices—PCs, servers, routers, and switches—and the security that’s required to protect them.

Organization Politics

You thought I was kidding, huh? No way. Office politics absolutely play a leading role in each and every part of the corporate security policy. Understanding the power plays that occur continuously within the annals of upper management (they are happening—just pay attention for about five minutes to get the dynamics right) is very important indeed. What does each member of the upper management team envision and expect for the corporation’s security? Does one manager have one goal and another manager have a different goal? The answer is always yes. You’ll need to find a common ground if you want to get anything done.

Lack of Business Continuity

Here’s another really hard-to-believe fact: Just about every corporate network is pretty much slapped together with the thought of “doing it right later.” And now you are stuck with the mess. Unless you find yourself in the enviable position of being able to just move into a new building and design the network from the ground up, you’ll be hard-pressed to create a single streamlined corporate security policy that you can implement evenly throughout the organization. And even then, layoffs and constant turnovers in the IT department cause security nightmares—all passwords for the equipment, servers, and so on must be changed. Sometimes corporate restructuring makes this process nasty and overwhelming, so administrators perform tasks and configure settings hastily