Protection against network attacks. Classification of network attacks and basic methods of protection against them
Once you install Ubuntu as your primary OS, you should learn how to protect against Rubber Ducky payloads, law enforcement seizure of your data, and generally reduce the number of targets you can hit. When protecting against network attacks, you need to minimize the disclosure of information about your hardware, prevent packet sniffers from running, tighten firewall rules, and much more.
We continue our mini-series on strengthening the protection of the Ubuntu operating system. In this part, you will learn how to spoof a MAC address to confuse passive hackers, disable unused network services such as CUPS and Avahi, create firewall rules for specific ports to block unauthorized access attempts and take your data, protect against password and cookie sniffing. files in your packages using a VPN.
If you missed the previous article, be sure to check it out, even if you already have Ubuntu installed and just want to strengthen its security. You'll find out what motivated us to write this four-part series.
Step 1: Protect yourself from detection of your hardware
When connecting to new Wi-Fi networks and routers, spoof the MAC address of your Wi-Fi adapter. Of course, this won't stop a motivated hacker from knowing what operating system you're using, but it might confuse him and prevent him from gathering information about your hardware.
For example, a hacker connected to a café's Wi-Fi network might focus his efforts on hacking devices other than Apple. If you appear on the network with , the attacker will completely ignore your device. Or it might try some MacOS-specific attacks on your device that won't work because you're not actually using a MacBook, you're only appearing online as if you're using Apple hardware. Combined with a fake browser User-Agent, this can really confuse a not-so-smart adversary.
To change the MAC address in Ubuntu, open Network Manager and go to the "Edit" menu of your Wi-Fi connection. On the Identity tab, enter the MAC address you want to use in the Cloned Address field.
Step 2: Protect against attacks on listening services
When a background process (or service) is in the “ ” (listening) state, it means that other services and applications on your device and network can interact with it. These “listening” services always expect some data as input, upon receiving which the service must give a specific response. Any service with local address 0.0.0.0, while in the listening state, will most likely be available to all users on that local network and possibly on the Internet too.
A freshly installed Ubuntu will only have a few services running, so there's no need to worry about the dreaded port listening by default. But always keep in mind the applications that you will install in the future. They may open listening ports without telling you.
To keep track of which background processes are listening, we'll use netstat, a tool used to display information about network connections, open ports, and running services. Since we used a minimal installation of Ubuntu, the set of net-tools utilities we need for working with networks (including netstat) will have to be installed manually. This can be done using the command sudo apt-get install net-tools.
Sudo apt-get install net-tools Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: net-tools 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded . Need to get 194 kB of archives. After this operation, 803 kB of additional disk space will be used. Selecting previously unselected package net-tools. (Reading database ... 149085 files and directories currently installed.) Preparing to unpack .../net-tools_1.60+git20161116.90da8a0-1ubuntu1_amd64.deb ... Unpacking net-tools (1.60+git20161116.90da8a0-1ubuntu1) ... Processing triggers for man-db (2.8.3-2) ... Setting up net-tools (1.60+git20161116.90da8a0-1ubuntu1) ...
Use the following netstat command to view services in the "LISTEN" state.
Sudo netstat -ntpul Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 651/systemd-resolve tcp 0 0 127.0 .0.1:631 0.0.0.0:* LISTEN 806/cupsd tcp6 0 0::1:631:::* LISTEN 806/cupsd udp 47616 0 127.0.0.53:53 0.0.0.0:* 651/systemd-resolve udp 0 0 0.0.0.0:631 0.0.0.0:* 812/cups-browsed udp 2304 0 0.0.0.0:5353 0.0.0.0:* 750/avahi-daemon: r udp 0 0 0.0.0.0:38284 0.0.0.0:* 750/ avahi-daemon: r udp6 0 0:::37278:::* 750/avahi-daemon: r udp6 25344 0:::5353:::* 750/avahi-daemon: r
Systemd-resolve is used to resolve domain names and, of course, should not be changed or removed. We will talk about “cupsd” and “avahi-daemon” below in the following sections.
Disable or remove CUPS
In 2011, a DDoS vulnerability was discovered in avahi-daemon. Although this CVE is quite old and has a very low severity level, it nevertheless demonstrates how a hacker on a local network discovers vulnerabilities in network protocols and manipulates running services on a victim's device.
If you do not plan to interact with Apple products or services on other devices, avahi-daemon can be disabled using the following command: sudo systemctl disa avahi-daemon.
Sudo systemctl disable avahi-daemon Synchronizing state of avahi-daemon.service with SysV service script with /lib/systemd/systemd-sysv-install. Executing: /lib/systemd/systemd-sysv-install disable avahi-daemon Removed /etc/systemd/system/dbus-org.freedesktop.Avahi.service. Removed /etc/systemd/system/sockets.target.wants/avahi-daemon.socket.
Avahi can also be completely removed using sudo apt-get purge avahi-daemon.
Sudo apt-get purge avahi-daemon Reading package lists... Done Building dependency tree Reading state information... Done The following packages will be REMOVED: avahi-daemon* (0.7-3.1ubuntu1) avahi-utils* (0.7-3.1 ubuntu1) libnss-mdns* (0.10-8ubuntu1) 0 upgraded, 0 newly installed, 3 to remove and 0 not upgraded. After this operation, 541 kB disk space will be freed. Do you want to continue?
y
Step 3: Protect your ports
To manage port availability, we will use a program that provides a simple interface for configuring firewalls. UFW literally means Uncomplicated FireWall. It acts as a front-end to (packet filter) and is not intended to provide full firewall functionality, but instead is a convenient means of adding or removing firewall rules.
1. Deny all incoming and outgoing connections
To enable UFW, use the sudo ufw enable command.
Sudo ufw enable Firewall is active and enabled on system startup
Disable all incoming connections with this command:
Sudo ufw default deny incoming
Then disable all redirects:
Sudo ufw default deny forward
And deny all outgoing connections:
Sudo ufw default deny outgoing
From now on, you will no longer have access to the Internet using Firefox or any other application.
2. Find your Wi-Fi interface
To allow outgoing connections, you first need to find the name of the Wi-Fi adapter using the ifconfig -a command.
Ifconfig -a enp0s8: flags=4163
For the purposes of this article, we are using Ubuntu in VirtualBox, so our interface name is "enp0s8". The ifconfig command might show your wireless interface as "wlp3s0", "wlp42s0" or something like that.
3. Create firewall exceptions and configure secure DNS resolution
You can allow DNS, HTTP and HTTPS traffic on the wireless interface using these three commands.
Sudo ufw allow out on to 1.1.1.1 proto udp port 53 comment "allow DNS on " sudo ufw allow out on to any proto tcp port 80 comment "allow HTTP on " sudo ufw allow out on to any proto tcp port 443 comment "allow HTTPS on"
The address "1.1.1.1" in the DNS command is the new DNS resolver. Many internet users don't realize that even if they browse a website using an encrypted connection (the little green padlock in the URL bar), ISPs can still see the name of every domain visited using DNS queries. Using CloudFlare's DNS resolver will help prevent Internet Service Providers (ISPs) from trying to snoop on your traffic.
4. Update DNS configuration in Network Manger
After setting the UFW rules in Network Manager, go to the Edit menu of your Wi-Fi connection and change the DNS field to 1.1.1.1. Disconnect and reconnect to your Wi-Fi network for the DNS changes to take effect.
View the newly created rules using the command sudo ufw status numbered.
Sudo ufw status numbered Status: active To Action From -- ------ ---- [ 1] 1.1.1.1 53/udp ALLOW OUT Anywhere on enp0s8 (out) # allow DNS on enp0s8 [ 2] 443/tcp ALLOW OUT Anywhere on enp0s8 (out) # allow HTTPS on enp0s8 [ 3] 80/tcp ALLOW OUT Anywhere on enp0s8 (out) # allow HTTP on enp0s8
Ubuntu will be able to make standard HTTP/HTTPS requests on ports 80 and 443 on the wireless interface you specify. If these rules are too strict for your daily activities, you can allow all outgoing packets using this command:
Sudo ufw default allow outgoing
5. Monitor your firewall
If you are trying to debug incoming or outgoing connections, you can use the tail command with the -f argument to monitor messages and discrepancies in the UFW logs in real time. This command will look like this in full:
Tail -f /var/log/ufw.log kernel: [ 3900.250931] IN= OUT=enp0s8 SRC=192.168.1.44 DST=104.193.19.59 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47090 DF PROTO=TCP SPT=35944 DPT=9999 WINDOW=29200 RES=0x00 SYN URGP=0 kernel: [ 3901.280089] IN= OUT=enp0s8 SRC=192.168.1.44 DST=104.193.19.59 LEN=60 TOS=0x00 PREC=0x00 TTL=64 = 47091 DF PROTO=TCP SPT=35944 DPT=9999 WINDOW=29200 RES=0x00 SYN URGP=0
In the above logs, UFW is blocking outgoing connections (OUT=) from our local IP address (192.168.1.44) to the Null Byte server (104.193.19.59) using TCP with destination port (DPT) 9999. This can be resolved using this command UFW:
Sudo ufw allow out on from 192.168.1.44 to 104.193.19.59 proto tcp port 9999
For more information on UFW, you can read the man pages (man ufw).
Readers interested in very fine-tuning a firewall should definitely.
Step 4: Protect against packet sniffing and cookie interception
Packet manipulation attacks can be prevented by using a virtual private network (VPN). VPN offers a set of technologies that:
- Stop hackers on Wi-Fi networks from manipulating packets and tracking your activity.
- Prohibit Internet providers from monitoring your activity and selling your data to third parties.
- They help bypass blocking by censorship authorities (like RKN), when Internet providers or network firewalls block access to certain websites.
Most paid VPN services start at $5 per month. Some noteworthy VPN providers are: ProtonVPN, Mullvad, VyprVPN and .
The next step is to strengthen application protection and create sandboxes
That's it for establishing protection for your online presence and activities. In the next article, we will talk about applications for creating sandboxes and keeping your system safe in case any malware is running on your device. After that, we'll dive into auditing with antivirus software and monitoring system logs.
Denial of responsibility: This article is written for educational purposes only. The author or publisher did not publish this article for malicious purposes. If readers would like to use the information for personal gain, the author and publisher are not responsible for any harm or damage caused.Chapter 5. Protection against network attacks
The security of information on computer networks and individual computers is achieved by implementing a unified policy of protective measures, as well as a system of legal, organizational and engineering measures.
When developing the required level of information protection on the network, the mutual responsibility of personnel and management, respect for the interests of the individual and the enterprise, and interaction with law enforcement agencies are taken into account. Ensuring the security of information is achieved through legal, organizational, administrative and engineering measures.
Protecting corporate networks is different from protecting home users' computers (although protecting individual workstations is an integral part of protecting networks). And first of all, because this issue is dealt with (or rather, should be) by competent computer security specialists. In addition, the basis of a corporate network security system is to achieve a compromise between the ease of use for end users and the requirements of technical specialists.
A computer system can be viewed from two points of view: it can be seen only as users on workstations, or it can only be considered as the functioning of a network operating system. A computer network can also be considered a collection of information packets passing through wires.
There are several levels of network representation. You can approach the problem of network security in the same way - at different levels. Accordingly, protection methods will be different for each level. The more layers are protected, the more reliably the system as a whole is protected.
The first, most obvious and most difficult in practice, way is to train personnel in behavior that makes a network attack difficult. This is not at all as simple as it seems at first glance. It is necessary to introduce restrictions on the use of the Internet, and users often have no idea what these restrictions are due to (they do not have such qualifications), so they try in every possible way to violate existing prohibitions. Moreover, the prohibitions must be clearly formulated. For example, an ordinary user is unlikely to understand advice not to use client applications with an insufficiently secure protocol, but he will almost certainly understand the instruction not to run ICQ on his computer and will protest quite violently. It is no coincidence that they say that ICQ is the flower on the grave of working time.
The set of information security measures should be based on an information protection strategy. It defines the goals, criteria, principles and procedures necessary to build a reliable security system. A well-developed strategy should reflect not only the degree of protection, the search for gaps, where to install firewalls or proxy servers, etc. It must also clearly define the procedures and how to apply them in order to guarantee reliable protection.
The most important feature of the overall information security strategy is the study of the security system. Two main directions can be distinguished:
– analysis of protective equipment;
– determination of the fact of intrusion.
Based on the information security concept, an information security strategy and an information security system architecture are developed. The next stage of a generalized approach to ensuring security is to determine a policy, the content of which is the most rational means and resources, approaches and goals of the task under consideration.
It is recommended to develop a protection concept in three stages. At the first stage, the target protection setting must be clearly defined, i.e. what real values, production processes, programs, data sets need to be protected. At this stage, it is advisable to differentiate by significance individual objects that require protection.
At the second stage, an analysis of criminal acts that could potentially be committed against the protected object should be carried out. It is important to determine the degree of real danger of the most widespread crimes such as economic espionage, terrorism, sabotage, and burglary. Then you need to analyze the most likely actions of attackers in relation to the main objects that need protection.
The main task of the third stage is to analyze the situation, including specific local conditions, production processes, and existing technical means of protection.
The protection concept must contain a list of organizational, technical and other measures that ensure the highest possible level of safety for a given residual risk and minimal costs for their implementation.
A security policy is a general document that lists access rules, defines how the policy will be implemented, and describes the basic architecture of the security environment. This document itself usually consists of several pages of text. It forms the basis of the physical architecture of the network, and the information it contains determines the choice of security products. In this case, the document may not include a complete list of necessary purchases, but the choice of specific components after its preparation should be obvious.
Security policies go far beyond the simple idea of “keep intruders out.” This is a very complex document that defines access to data, “the nature of surfing the WWW, the use of passwords or encryption, attitudes towards email attachments, the use of Java and ActiveX, and much more. It details these rules for individuals or groups. We must not forget about basic physical protection - if someone can break into the server room and gain access to the main file server or leave the office with backup floppy disks and disks in their pocket, then all other measures become completely meaningless and stupid.
Of course, the policy should not allow outsiders to penetrate the network, but it should also establish control over potentially unscrupulous and non-performing employees of your organization. The motto of any security system administrator is “Don’t Trust Anyone!”
The first step in policy development is to decide which users should have access to which information and services, the likelihood of harm, and what protections are already in place. In addition, the security policy should dictate a hierarchy of access rights, that is, users should be given access only to the information they actually need to do their jobs.
The security policy must necessarily reflect the following:
– access control (prohibiting user access to materials that he is not allowed to use);
– identification and authentication (use of passwords or other mechanisms to verify user status);
– accounting (recording all user actions on the network);
– audit trail (the log allows you to determine when and where a security violation occurred);
– accuracy (protection from any accidental violations);
– reliability (preventing monopolization of system resources by one user);
– data exchange (protection of all communications).
Access is determined by firewall policies: access to system resources and network data can be described at the operating system level and, if necessary, supplemented with third-party security programs. Passwords may be the most valuable part of your security environment, but if used or mishandled, they can become the key to your network. A good password policy is especially useful when managing temporary budgets to ensure that someone does not use a valid password after temporary employees or contractors have completed work.
Some operating systems also offer such an option as qualification, i.e., they enter a minimum level of password difficulty. In these systems, the security administrator can simply set the rule “No easy to guess passwords.” For example, the system will not accept a password that contains only the user's name and age. End users usually, despite all the warnings, choose the simplest paths. If they have to deal with too many passwords, they will use the same password, or set easy-to-remember passwords, or worse, write them down on a piece of paper and keep them in a drawer, or even stick the password sheet on their monitor.
The plethora of security devices, firewalls, gateways, and VPNs (virtual private networks), as well as the growing demand for access to corporate data from employees, partners, and customers, creates a complex security environment that is difficult to manage. Rules for many of the listed devices often have to be specified separately.
As large corporations continue to merge and acquire smaller companies, the security environment (and the network as a whole) has become increasingly haphazard and layered. When this happens, managing the rules becomes incredibly difficult.
Firewalls (both hardware and software) allow you to determine who has the right to access your network from the outside. All firewalls implement some rules; the difference is the level of detail and ease of use provided by the management interface. Ideally, a firewall solves three critical problems:
– set rules from an intuitive graphical interface;
– control access down to the level of individual files and objects;
– group files and objects for collective application of rules to them in order to simplify management.
At the network level, you can manage protection using rules in several ways. One common way is through addressing, where users are assigned to a specific internal subnet to limit their level of access. Packet filtering allows packets to be allowed through or blocked when they cross certain boundaries, depending on the sender or recipient address.
Protection systems operate at the application level; in this case, the systems or applications to which the packets are addressed prompt the user for a password, verify it, and then grant access according to predefined rules.
So, as you already understand, the basis of any protection is a systematic approach. To build a truly effective defense, you need to think it through carefully. For any computer “looking” at the network, three things are critical:
– firewall;
– antivirus;
– critical updates for your operating system.
This is true for both a home computer and one connected to a corporate network. Let's take a closer look at each of these points.
5.1. Firewall
A firewall is a means of protection against intrusion from the outside and from some types of hacking from the inside. A firewall is a combination of hardware and software used to protect a network from outside interference. Using firewalls, you can significantly increase the security of your local network.
In the literature about firewalls, you can often see the term bastion host. The name "bastion" comes from a medieval word describing the walls of a castle. A bastion is a special fortified place within the walls of a castle, designed to repel attacks. A bastion computer is a computer that is specifically installed to protect against attacks on the network.
Network designers use bastion computers as the first line of defense. The bastion computer is a kind of “barrier” for all communications between the network and the Internet. In other words, no computer on the network can access the Internet other than through the bastion computer, and, on the other hand, no user external to the network can access the network without going through the bastion computer.
By using centralized network access through one computer, network security is simplified. Moreover, by providing Internet access to only one computer on the network, the developer makes it much easier for the developer to select the appropriate software to protect the network. Most Unix environments, including Linux, are well suited to using a bastion computer. In a Unix environment, you can install a bastion computer at the cost of a workstation or server machine because the operating system already has the ability to support and configure an IP firewall. This way, you can save the cost of installing a firewall router (i.e., without having to purchase additional network hardware that could cost you thousands of dollars). In addition, with Unix you can freely configure and view network traffic.
Most companies provide their employees with access to the Internet. If employees have access to the Internet, the company should ensure that the connection to the Internet occurs through a firewall. At the beginning of this chapter, we said that a firewall is a combination of hardware and software to protect the connection between two or more networks. A firewall provides central control over network security. It is usually built on the basis of a so-called bastion computer.
In addition to traditional firewall hardware and software, for greater security, you can use a firewall router, which is hardware and software that filters data packets based on administrator-specified criteria. You can create a shielding router based on a PC or a computer running Unix.
The first layer of intrusion protection on interconnected networks is a shield router, which performs packet filtering at the network and data link layers, independent of the application layer. Therefore, a shielding router allows you to control the movement of data on the network without changing the client or server applications.
Although this router is relatively inexpensive and easy to use, it may not provide much security. Its main advantage is that it works exclusively at the network and transport layers of the ISO/OSI model.
However, this is a double-edged sword. To truly protect a network from unwanted outside interference, a firewall must protect each layer of the TCP/IP protocol. The main disadvantage of shield routers is that they filter data based on insufficient data. Restrictions placed on the network and link layers allow access only to IP addresses, port numbers, and TCP flags. Due to the lack of context information, routers may have problems filtering protocols such as UDP.
Administrators who work with screening routers should be aware that most packet filtering devices, including screening routers, do not have auditing or alarming mechanisms. In other words, routers can be attacked and repel large numbers of them without administrators even being aware of it. Therefore, to protect networks, administrators must additionally use other packet filtering technologies in conjunction with the use of firewalls.
Because firewalls provide filtering capabilities at the higher layers of the ISO/OSI model, rather than just at the network and data link layers, full application layer information can be used for selection criteria. At the same time, filtering will occur at both the network and transport levels. Here the firewall checks the IP and TCP headers of packets passing through it. Thus, the firewall discards or allows packets to pass based on predefined filtering rules.
As already mentioned, a firewall controls the mutual access of networks to each other. Typically a firewall is installed between a local network and the Internet. It prevents users around the world from entering a private network and controls access to data stored on it. However, it is important to remember that a firewall is not a piece of hardware or software that will do everything for you (despite what vendors may say). It just provides extensive opportunities for maximum network protection from outside interference, without creating any particular inconvenience for registered network users. To create the best firewall, simply physically disconnect your network from the Internet.
As you already know, all network communications require a physical connection. If the network is not connected to the Internet, its users will never be able to infiltrate or attack the local network. For example, if a company only needs an internal network that provides access to a sales database, and does not need the network to be infiltrated from the outside, it can physically isolate the computer network from the rest of the world.
The need for a firewall arises when a company wants to connect its local network to the rest of the world using the Internet.
To meet the needs of a wide range of users, there are three types of firewalls: network layer, application layer and schema layer. Each of these three types takes a different approach to network security. Consider each type separately. Your decision must take into account the type and degree of protection required for the network, and this is what determines the required firewall design. Remember that most firewalls support one or more levels of encryption. Encryption is a way to protect transmitted information from interception. Many firewalls that provide encryption capabilities protect data leaving the network by automatically encrypting it before it is sent to the Internet. In addition, they automatically decrypt incoming data before sending it to the local network. By using the encryption features provided by firewalls, you can send data over the Internet to remote users without worrying about someone accidentally intercepting and reading it.
A network layer firewall is a shielding router or a special computer that examines packet addresses in order to determine whether the packet should be allowed into the local network or not. As discussed, packets contain source and destination IP addresses, as well as a host of other information that the firewall uses to control access to the packet.
You could, for example, configure a network layer firewall or router to block all messages coming from a particular competitor's site and all messages sent to a competitor's server from your network. Typically, configuring a screening router to block certain packets is done by using a file that contains the IP addresses of the sites (destinations) whose packets should be blocked. When the screening router encounters a packet containing the address defined in this file, it discards the packet and prevents it from entering or leaving the local network. Network developers often call this method “blacklisting.” Most shielding router software allows you to blacklist (block) messages from external sites (in other words, external networks), but not from specific users or computers on your network.
Remember that the packet arriving at the shielding router can contain any amount of information, such as an email message, a Telnet login request (a request from a remote user to access your computer). Depending on how you construct the shield router file, the network layer router will provide different functionality for each type of request. For example, you can program your router so that Internet users can view your Web page, but cannot use FTP to transfer files to or from your server. Or you can program your router to allow Internet users to download files from your server to theirs, but not to allow them to download files from their servers to yours. Typically, a shielding router is programmed so that it considers the following information to decide whether or not to let a packet pass through:
– packet source address;
– packet destination address;
– data session protocol type (for example, TCP, UDP or ICMP);
– source port and destination application port for the required service;
– whether the packet is a connection request. If you have installed and configured your network layer firewall correctly, its operation will be quite fast and almost invisible to users. Of course, for those who are on the blacklist, this will not be the case at all.
An application-level firewall is typically a personal computer that uses mediation server software. Therefore, it is often called a proxy server. The name “intermediary server” comes from the word “proxy” - deputy, intermediary.
Intermediary servers provide communication between local network users and servers of the connected (external) network. In other words, the intermediary server controls the transfer of data between the two networks. In some cases, it can manage all messages of several network users. For example, a network user who accesses the Internet through a proxy server will appear to be the proxy server to other computers on the Internet (in other words, the user is using the proxy server's TCP address).
In a network, an intermediary server can provide access to certain secret information (for example, a secret database) without transmitting (in plain text) the client's password. When you use a network layer firewall, your local network is not connected to the Internet. Moreover, the data flow that moves on one network never intersects with the data flow that moves on another network, because the network cables of these networks are not connected to each other. The Mediation Server transmits a separate copy for each packet coming from one network to another, regardless of whether the packet contains incoming or outgoing data. An application layer firewall effectively masks the origin of the connection request and protects your network from Internet users who might try to gain information about your private network.
Because the Mediation Server understands network protocols, you can program it to track which service you require. For example, a proxy server can be configured to allow clients to ftp download files from your server, but will not allow clients to ftp download files to your server.
Mediation servers provide many access functions such as HTTP, Telnet, FTP. Unlike a router, you need to install different proxy servers for different network services. The most popular intermediary servers for Unix and Linux based networks are TIS Internet Firewall Toolkit and SOCKS. For more information about the TIS Internet Firewall Toolkit Mediation Server, visit the Web site at http://www.tis.com/docs/products/fivtk/index.html.
If you are using a Windows NT-based server, the proxy server is supported by both Microsoft Internet Information Server and Netscape Commerce Server. After you install the Application Layer Mediation Server, users on your network must use client software that supports the Mediation Server.
Network designers have created many TCP/IP protocols, including HTTP, FTP, and others, that support an intermediary server. Most Web browsers can be easily configured by users to support a proxy server using the browser's software preferences. Unfortunately, other Internet protocols are not capable of supporting intermediary servers. In such cases, you must select an Internet application based on whether or not it is compatible with standard intermediary protocols. For example, applications that support the SOCKS proxy protocol are a good choice if your entire network is based on SOCKS.
When you install an application-level firewall, you should also evaluate whether users on your network will be using client software that supports broker services. An application layer firewall provides the ability to easily monitor the types and quantities of data transfers on your site. Because application layer firewalls establish a defined physical separation between the local network and the Internet, they meet the highest security requirements. However, because the program must analyze packets and make decisions about how to control access to them, application-level firewalls inevitably reduce network performance. In other words, they are significantly slower than network-level firewalls.
If you decide to use an application-level firewall, you should use a faster computer as the proxy server.
A communication layer firewall is similar to an application layer firewall in that they are both proxy servers. The difference is that a communication layer firewall does not require special applications to communicate between the Mediation Server and the client. As mentioned, application layer firewalls require special mediation server software for each network service such as FTP or HTTP.
A communication layer firewall creates a connection between a client and a server without requiring applications to know anything about the service being provided. In other words, the client and server communicate through the link-layer firewall without communicating with the firewall itself. Communication layer firewalls protect only the initial stage of the transaction and do not interfere with its further progress.
The advantage of link-layer firewalls is that they support a large number of protocols. As you already know, an application layer firewall requires a separate application layer broker for each type of service that is provided by the firewall. On the other hand, if you use a link-layer firewall for HTTP, FTP, or Telnet, you don't need to change existing applications or add new proxy servers for each service. The link layer firewall allows users to work with existing software.
In addition to this, link-layer firewalls use only one proxy server. As you might expect, using one proxy server is much easier than installing several.
So, let's move from theory to practice. Let's consider enhancing personal protection for your computer using the well-known Agnitum Outpost Firewall 2.1. This is the undoubted leader among the family of personal firewalls, which has repeatedly brilliantly confirmed its reputation. I note that we are not talking about a professional firewall installed on a server, but about personal protection. Although the author has experience using this program on servers, server protection is still a matter for other programs.
Agnitum Outpost Firewall (http://www.agnitum.com/products/outpost/) is one of the youngest representatives of this class of programs. But, despite its youth, it is a serious competitor even for Zone Alarm. The program, which came out of beta testing not so long ago, has settled on the computers of many Internet users and, it seems, the majority are not going to part with this software product.
The wide popularity of the program is quite understandable: a powerful firewall, the ability to connect additional modules, and everything that an ordinary user may need is already there from the moment of installation, and in addition, one of the decisive moments when choosing a program is the Russian interface.
It can be compared to a lock on the door of your house. You probably trust most of your neighbors without fear that they will invade your home, damage or steal anything. Usually only a few of them are not trustworthy. However, if your area is densely populated, the number of untrustworthy people increases.
On the Internet we see a similar situation, only the number of neighbors is in the hundreds of millions. Only a small percentage of this number of people have hooligan tendencies, but that is already a lot. Outpost Firewall not only closes the doors to your computer, but also makes it invisible on the Internet. Under normal conditions, a computer sends its address over the network. It's like your house number plate or your car license plate. This address can be seen by other users. Outpost makes it invisible on the Internet, including to hackers: they simply will not be able to determine that your computer is connected to the network.
Main advantages of Outpost Firewall:
– protects the computer immediately after installation;
– has default settings for new users;
– optimal protection occurs automatically during installation;
– experienced users can configure the firewall as they wish;
– makes the computer invisible on the Internet;
– protects open computer ports from intrusions;
– the user can assign a list of trusted applications;
– the use of plug-ins to improve the functionality of the firewall;
– protects the computer from control from a remote host;
– warns the user about an attempt by a hidden application to send a “response signal” to the hacker;
– supports all the latest versions of Windows, maintaining its functions in case of system updates;
– uses few system resources for its work and will not significantly affect the performance of your system;
– Event Log allows you to see any event occurring within the system;
– successfully passed the well-known “vulnerability tests”;
– multilingual support: Outpost Firewall comes in 14 languages, including Russian.
The appearance of the program does not stand out in any way among Windows applications, everything is strict. The program window is divided into three main parts: the main menu bar at the top; on the left are the main components such as connections, log files and plugins; on the right is the information panel.
Immediately after installing Outpost Firewall, you should look at “Settings”. There you can determine whether the program should be launched along with loading the operating system, whether the settings should be protected with a password, add basic applications that will need to be able to access the Internet, set general rules for “active” applications, understand the program policy and configure/download additional modules.
Outpost Firewall pro comes with 6 additional modules - Advertising, Content, DNS, Active Content, File Protection, Attack Detector:
- Advertising. The module is used to clean HTML pages from intrusive advertising banners, the task of which, according to many users, is to bite off more traffic for themselves. The method of dealing with it is quite simple: either cut off a previously described line from the html code, or cut out the picture to a certain size, which you can set yourself. If the banner still continues to irritate, then there is a special basket for this purpose, into which you can send it by simply transferring it;
– DNS. This module saves DNS names for subsequent use in the Active Content module;
– Active content. This module controls the operation of the following elements: ActiveX; Java applets; programs in Java Script and VB Script languages; cookie; popup windows; links (referers), i.e. the ability to obtain the URL from which you went to a given Web page. It’s up to you to decide what should be prohibited or allowed, but I highly recommend paying attention to the “Pop-up windows” item. But don’t forget that the more restrictions you set on the content of a web page, the less likely you are to see it in the form in which its author intended;
– File protection. The module is designed to organize checking of attached files arriving in your mailbox. You can set the file to be scanned for viruses, or receive an alert from Outpost Firewall.
You can create your own rule for each file type;
– Attack Detector. The module allows you to set the conditions under which a warning is issued when an attack is made on your computer. There are three main levels:
paranoid alarm level – a warning is issued if even a single port scan is detected;
normal alarm level - a warning is issued if several ports or ports with numbers defined in the system are scanned (i.e. in situations that the system recognizes as an attack on the computer); indifferent alarm level – a warning is issued in the event of a clear multiple attack. To download new versions of program components from the developer’s website, it is convenient to use the automatic update system, so that you will always have the latest version of the program.
So, if you need an impenetrable personal firewall with advanced settings, useful plug-ins and a Russian interface, then Outpost Firewall pro is for you.
Outpost Firewall works with all versions of Windows, including Windows XP. True, the development company demands 500 rubles for all the pleasure, but this is not a reason to fall into despair. There is a free version of the program that lacks some additional features, but is still an excellent personal firewall. By the way, in my opinion, 500 rubles. quite a realistic amount to purchase this program, especially for those who actively use the Internet.
Now let's look at setting up this program.
Some of the settings are carried out directly at the product installation stage: Outpost will search for programs that exchange data via the Network and create rules for them that it considers necessary. The user is asked to accept these terms by checking the checkbox. A list of programs that go online is available for viewing by clicking the More details button.
In the case shown in the figure, this list is quite large. For example, it is absolutely not necessary for, for example, Adobe Acrobat to connect to its server without my knowledge to check for updates, which is the reason why the flag opposite this product was removed: if it’s needed, we’ll turn it on. I am glad that even at the installation stage, Outpost bothered to create rules for all browsers of mail and FTP clients available in the system.
The next step asks you to accept the rules for network connections, if any. Curiosity in this regard is satisfied by clicking the familiar “More” button.
The seeming excessive suspicion of Outpost is understandable: if a spyware module (remember about hacking “from the inside”?) or another unwanted application has settled in the system, it is much easier to prohibit the enemy’s network activity at the very initial stage.
Now let’s configure the main parameters of the firewall, for which in the “Options” menu of the main window we select the “General” (F2) command. By default, the “Normal mode” of loading the program is selected, in which Outpost turns on every time the operating system boots and places its icon in the notification area.
To download in the background, you should check the parameter of the same name in the “Download” section, and if for some reason the automatic launch of the firewall is undesirable, just enable the “Do not download” option.
All program settings can be protected with a password. I would not recommend neglecting this opportunity: computer security does not tolerate frivolity.
In the “Password Protection” section, you need to check the “Enable” option and use the “Set” button to enter the required characters.
Then, in the settings window, go to the “Policies” tab, where 5 modes of program operation are indicated. The “Allow” mode will give freedom to all applications that were not explicitly prohibited, i.e., were not in the “Banned applications” list; in the “Block” mode, all applications that are not explicitly allowed will be prohibited; The “Deny” mode will definitely block access to the network for all applications, and the “Disable” mode will completely lull all vigilance of Outpost Firewall.
By default, the training mode is selected: in this case, the user is each time asked to either accept a ready-made rule for an application (for example, for a standard e-mail client), or create such a rule himself, or unconditionally prohibit a particular application from network activity. This mode is perfectly suitable for the vast majority of users.
Now about setting up applications and creating rules. Setting up applications is controlled by the tab of the same name in the settings window (Fig. 3). The User Level section lists all applications that are allowed network activity. But doubts often arise about whether it is necessary, for example, to allow DWWIN.EXE to access the Internet. To find out the “real name of the scout,” you should select the application name, click the “Edit” button and select the “Create rule” command from the drop-down menu.
In the window that opened, I was told that the DWWIN.EXE application is nothing more than Microsoft Application Error Reporting, connecting via TCP to a server known to everyone. I prefer to avoid sending bug reports. Therefore, I prohibited the launch of DWWIN.EXE with the command “Change” › “Prohibit” the launch of this application. For many programs, Outpost comes with optimal rules from the start. For example, if you decide to install and run Outlook Express, the firewall will immediately offer to allow this application to be active based on a ready-made rule specifically for this particular email client.
Now let's try to create rules for applications using two specific examples. When launching the well-known P2P client eMule, the firewall prompts the user to make a choice about what to do with this application. In this case, the “donkey” seeks to connect to the IP address 207.44.142.33 via port 4661 (Fig. 4.).
Let's imagine that this is not eMule, but a certain program that is allowed to access the Internet, but not to every address. Then select the only option “Other” and click the “OK” button, after which the rule creation window will open with a description of what exactly this program was trying to do.
Of course, the mule activity shown is absolutely normal, moreover, it is welcomed by us, so we will select “Allow this data”, after which we will have a rule like EMULE Rule # 1, which describes and allows this particular type of application activity (Fig. 5).
Next time, if the activity is of a different kind (different remote address, protocol or port), you will need to repeat these manipulations.
If the network activity that requests access to the Network is unacceptable (for example, we are not satisfied with the remote address), then in the rule editing dialog we should select “Block”. Next time (in our example, in the case of a different, desired IP address), we can create a rule, on the contrary, allowing such activity. Eventually, when an application has exhausted all of its typical activities, we will have all the rules that describe that application created.
Another example: the vigilant Outpost warned me that the computer was trying to establish a connection using the so-called IGMP protocol with the remote address 224.0.0.22 and asked me to confirm its right to do so. On the one hand, I have no reason not to trust Outpost, on the other hand, there is already something to think about here.
In this case, my operating system sends a so-called “broadcast” packet with the purpose of informing all computers on my local home network that my computer is turned on, and nothing more. If you do not have a network and your connection to the provider is made directly, then this packet and message are intended specifically for the provider. In other words, it is nothing more than Windows activity. If you have a permanent IP address and you do not want people on your network to know that you are “out in the world,” then it is better to prohibit such activity. As for the address 224.0.0.22, this is the standard address used by Windows in this case: the routing program periodically sends requests to the workgroup to request the membership of a particular machine on a given local network.
Let's move on to setting up network parameters. "System" tab. By default, Outpost automatically finds and applies new network connection settings, allowing all NetBIOS connections. Whether or not to trust this or that local address is up to you (section “Network Settings”).
In the “ICMP” › “Parameters” section there are settings for ICMP protocol messages that are transmitted when various situations occur, including erroneous ones. They are generated by programs that analyze the state of the Network, including ping and traceroute. For normal operation on the Internet, you need to be able to receive three types of ICMP messages (“echo reply”, “recipient unreachable” and “datagram timed out”), and send two (“recipient unreachable” and “echo request”) . It is advisable to disable the reception and sending of other messages - then they will be blocked.
Outpost uses these settings by default, so you won't have to reconfigure anything. However, if you are an experienced user and you need to allow the reception or sending of ICMP messages blocked by the firewall, you can easily do this with one click in the corresponding settings window (Fig. 6).
Stealth mode is enabled by default (section “Operation mode”), and the parameters for editing general rules are located in the section of the same name. In my humble opinion, there is no need to change the general rules laid down by the developers.
As mentioned above, Agnitum Outpost Firewall has a modular structure, that is, it has the ability to connect some executable modules. Let's look at the settings of the main plugins.
The Interactive Elements module can block unwanted ActiveX elements, Java applets and pop-ups (all are allowed by default). To call the settings, select the name of this module and select the “Properties” command from the context menu (Fig. 7). There you can also prohibit calling unwanted URLs: “Exceptions” tab › “Add” button.
The Attack Detector plugin is enabled by default and is one of the main and most useful tools of this firewall. In the context menu, select the “Options” command and open the attack detector settings window. Using the engine, we will set one of three alarm levels at which the program will issue a warning.
By default, the level at which the attack is detected when scanning multiple ports is selected. It’s a good idea to check the “Block attacker”, “Block attacker’s subnet” and “Block local port if a DoS attack is detected” options. All information about attempts to connect to your computer will be displayed in the information panel on the right. Let's take a closer look at two practical examples.
If Outpost reports connection requests but shows zero values for attacks and port scans, don't worry - this is normal network activity. Of course, a local network computer with the address shown in the message may be infected with a virus. But this is not an attack.
But life is not always so cloudless: in Fig. 8. (screenshot from the previous version of the program) shows an example of a real RST attack, and Outpost instantly provides information about the attacker’s IP and the real URL.
The Advertising module settings make it possible to block ads both by HTML strings and by banner size (both parameters are enabled by default). The “Trash” tool for advertising is convenient when surfing: just drag an unwanted banner into this basket to rid yourself of specific advertising forever.
On the “General” tab in the settings window, you can add a list of trusted sites whose banners will not be blocked.
The “Content” module allows you to “fine-tune” the ban on certain Internet pages. On the “Blocking by content” tab, it is enough to enter “obscene” words so that the page containing these lines is not displayed by the browser: very useful for child-loving parents...
On the “Web Site Blocking” tab, a home system administrator can enter a group of forbidden URLs that home users do not want to see.
Of course, such a program needs a journal where work logs will be kept. The Outpost Log window is used to view current information provided by the firewall.
To call the “Log” you need to open the “Tools” menu of the main window and select the “View Log” command or use the “Show Log” button in the information panel.
Moreover, all reports on the work done for a given period can be viewed: for example, what attacks were undertaken (and whether there were any); what suspicious packages passed before the watchful eye of Outpost, etc.
From the book Protecting Your Computer author Yaremchuk Sergey AkimovichChapter 5 Attack Reflection Systems Reasons for appearance and principle of operation Protecting your computer using Kaspersky Internet Security Public security system Prevx1 To protect computer systems, many programs have currently been developed that perform a specific task.
From the book Working on a Laptop author Sadovsky AlexeyChapter 20 Virus protection Kaspersky Anti-Virus NOD32 Doctors say: prevention is the best cure. These words apply not only to medicine. Several decades ago, computers also began to become infected. Computer viruses were created by humans. For what? This is not true
From the book Protect your computer 100% from viruses and hackers author Boytsev Oleg Mikhailovich1.3. Some types of network attacks Network attacks have long been the background of modern cyberspace. Theft of confidential data, theft of access passwords, defacement (hacking, which results in the substitution of the main page of the site) of sites and
From the book Wi-Fi. Wireless network by Ross JohnChapter 4 Anti-malware protection? Brief classification of malware? Choosing the best antivirus? Protecting your computer from Trojan horses? Practical exorcism - expelling "evil code" with bare hands The latest versions of malware that are not detected
From the book Fundamentals of Computer Science: Textbook for Universities author Malinina Larisa AlexandrovnaChapter 4. Installing and Configuring Network Interfaces Installing a wireless network adapter is easier than installing an access point, since most network adapters are plug-and-play devices. Regardless of physical
From the book Linux Network Tools by Smith Roderick W.Chapter 11 Information protection 11.1. Fundamentals of the protection of information and information constituting state secrets The concept of “information” today is used very widely and versatilely. It is difficult to find an area of knowledge where it is not used. Huge information
From the book Firebird DATABASE DEVELOPER'S GUIDE by Borri HelenChapter 1 Configuring kernel networking “All roads lead to Rome,” says the proverb. Something similar can be said about Linux networking tools; in this case, the operating system kernel plays the role of Rome. Sooner or later, all network traffic will be processed by the kernel. Various
From the book Creating Games for Mobile Phones by Morrison MichaelChapter 2 Configuring TCP/IP Networking Although the kernel is the main component of a Linux system and, among other tasks, controls the process of communication over the network, setting up a system for networking does not end with configuring the kernel. In this
From the book Attack on the Internet author Medvedovsky Ilya DavydovichCHAPTER 34. Server protection. The server installation includes a user identity database to store a description of all users who have access to the Firebird server. A case sensitive password must be defined for each user and must be
From the book Protecting Corporate Networks from Hackers author author unknownChapter 14 Basics of Online Mobile Games
From the book IT security: is it worth risking the corporation? by Linda McCarthyChapter 6 Reasons for the Success of Remote Attacks “What is invented by one person can be understood by another,” Holmes said. A. Conan Doyle. Dancing men In the two previous chapters it was shown that the general principles of constructing distributed computers make it possible to distinguish a whole
From the author's bookChapter 8 How to protect yourself from remote attacks on the Internet - ...Tell me honestly - is there any way out of this nightmare? “There is always a way out,” replied Hercule Poirot. A. Christie. The Labors of Hercules Before talking about the various aspects of providing information
From the author's bookChapter 9 The Past and Present of Network Operating Systems The eternal and sinister dream of viruses is absolute world domination, and no matter how terrible the methods they currently use, they cannot be denied persistence, ingenuity and the ability to
From the author's bookChapter 3 Attack Classes This chapter discusses the following topics: Overview of Attack Classes Vulnerability Testing Techniques Summary · Notes · Frequently Asked Questions
From the author's bookChapter 12 Spoofing Network Objects: Attacks on Trusted Identity This chapter discusses the following topics: Definition of spoofing Theoretical foundations of spoofing The evolution of trust Establishing identity in computer networks The ability to doubt Deception
From the author's bookChapter 1 Deflecting Attacks Detecting, isolating, and resolving incidents is much like disarming explosive devices—the faster and better you do it, the less damage a security incident will cause to your system. Gene Schultz, Chief
Which are forced to wait for the creation of a physical file on the user's computer, network protection begins to analyze incoming data streams entering the user's computer through the network and blocks threats before they enter the system.
The main areas of network protection provided by Symantec technologies are:
Drive-by downloads, web attacks;
- “Social Engineering” attacks: FakeAV (fake antiviruses) and codecs;
- Attacks through social networks like Facebook;
- Detection of malware, rootkits and systems infected with bots;
- Protection against advanced threats;
- Zero-day threats;
- Protection against unpatched software vulnerabilities;
- Protection from malicious domains and IP addresses.
Network Protection Technologies
The "Network Protection" level includes 3 different technologies.
Network Intrusion Prevention Solution (Network IPS)
Network IPS technology understands and scans over 200 different protocols. It intelligently and accurately penetrates binary and network protocols, looking for signs of malicious traffic along the way. This intelligence allows for more accurate network scanning while still providing robust protection. At its “heart” is an exploit blocking engine that provides open vulnerabilities with virtually impenetrable protection. A unique feature of Symantec IPS is that this component does not require any configuration. All its functions work, as they say, “out of the box”. Every Norton consumer product, and every Symantec Endpoint Protection product version 12.1 and later, has this critical technology enabled by default.
Browser Protection
This security engine is located inside the browser. It is capable of detecting the most complex threats that neither traditional antivirus nor Network IPS are able to detect. Nowadays, many network attacks use obfuscation techniques to avoid detection. Because Browser Protection runs inside the browser, it is able to examine not-yet-hidden (obfuscated) code as it runs. This allows you to detect and block an attack if it was missed at lower levels of program protection.
Un-Authorized Download Protection (UXP)
Located within the network defense layer, the last line of defense helps cover and mitigate the effects of unknown and unpatched vulnerabilities, without the use of signatures. This provides an additional layer of protection against Zero Day attacks.
Focusing on problems
Working together, network security technologies solve the following problems.
Drive-by downloads and web attack kits
Using Network IPS, Browser Protection, and UXP technology, Symantec's network protection technologies block Drive-by downloads and essentially prevent malware from even reaching the user's system. Various preventive methods are practiced that include the use of these same technologies, including Generic Exploit Blocking technology and web attack detection tools. A general web attack detection tool analyzes the characteristics of a common web attack, regardless of the specific vulnerability that the attack targets. This allows you to provide additional protection for new and unknown vulnerabilities. The best thing about this type of protection is that if a malicious file were to “silently” infect a system, it would still be proactively stopped and removed from the system: this is precisely the behavior that traditional antivirus products usually miss. But Symantec continues to block tens of millions of variants of malware that typically cannot be detected by other means.
Social Engineering Attacks
Because Symantec's technology monitors network and browser traffic as it travels, it detects "Social Engineering" attacks such as FakeAV or fake codecs. Technologies are designed to block such attacks before they appear on the user's screen. Most other competing solutions do not include this powerful capability.
Symantec blocks hundreds of millions of these types of attacks with online threat protection technology.
Attacks targeting social media applications
Social media applications have recently become widely popular as they allow you to instantly share various messages, interesting videos and information with thousands of friends and users. The wide distribution and potential of such programs make them the No. 1 target for hackers. Some common hacker tricks include creating fake accounts and sending spam.
Symantec IPS technology can protect against these types of deception methods, often preventing them before the user even clicks on them. Symantec stops fraudulent and spoofed URLs, applications, and other deception techniques with online threat protection technology.
Detection of malware, rootkits and bot-infected systems
Wouldn’t it be nice to know exactly where on the network the infected computer is located? Symantec's IPS solutions provide this capability, also including detection and recovery of threats that may have evaded other layers of protection. Symantec solutions detect malware and bots that attempt to make auto-dialers or download “updates” to increase their activity on the system. This allows IT managers, who have a clear list of systems to review, to have assurance that their enterprise is secure. Polymorphic and complex stealth threats using rootkit techniques like Tidserv, ZeroAccess, Koobface and Zbot can be stopped and removed using this method.
Protection against obfuscated threats
Today's web attacks use complex techniques to increase the complexity of their attacks. Symantec's Browser Protection sits inside the browser and can detect very complex threats that traditional methods often cannot detect.
Zero-day threats and unpatched vulnerabilities
One of the past security additions the company has added is an additional layer of protection against zero-day threats and unpatched vulnerabilities. Using signatureless protection, the program intercepts System API calls and protects against malware downloads. This technology is called Un-Authorized Download Protection (UXP). It is the last line of support within the network threat protection ecosystem. This allows the product to “cover” unknown and unpatched vulnerabilities without using signatures. This technology is enabled by default and has been found in every product released since Norton 2010 debuted.
Protection against unpatched software vulnerabilities
Malicious programs are often installed without the user's knowledge, using vulnerabilities in the software. Symantec network security provides an additional layer of protection called Generic Exploit Blocking (GEB). Regardless of whether the latest updates are installed or not, GEB "mostly" protects underlying vulnerabilities from exploitation. Vulnerabilities in Oracle Sun Java, Adobe Acrobat Reader, Adobe Flash, Internet Explorer, ActiveX controls, or QuickTime are now ubiquitous. Generic Exploit Protection was created by "reverse engineering" by figuring out how the vulnerability could be exploited in the network, while providing a special patch at the network level. A single GEB, or vulnerability signature, can provide protection against thousands of malware variants, new and unknown.
Malicious IPs and domain blocking
Symantec's network protection also includes the ability to block malicious domains and IP addresses while stopping malware and traffic from known malicious sites. Through STAR's rigorous website analysis and updating, Symantec provides real-time protection against ever-changing threats.
Improved Evasion Resistance
Support for additional encodings has been added to improve the effectiveness of attack detection using encryption techniques such as base64 and gzip.
Network audit detection to enforce usage policies and identify data leakage
Network IPS can be used to identify applications and tools that may violate corporate usage policies, or to prevent data leakage across the network. It is possible to detect, warn or prevent traffic like IM, P2P, social media, or other "interesting" types of traffic.
STAR Intelligence Communication Protocol
Network security technology does not work on its own. The engine communicates with other security services using the STAR Intelligence Communication (STAR ICB) protocol. The Network IPS engine connects to the Symantec Sonar engine, and then to the Insight Reputation engine. This allows you to provide more informative and accurate protection.
In the next article we will look at the Behavior Analyzer level.
Based on materials from Symantec
Found a typo? Highlight and press Ctrl + Enter
Exercise. Install and configure a firewall.
The text below is taken from one of the sites, preserving the author's style.
Initially, a firewall (firewall) served to restrict access to local networks from the outside. Integrated solutions are now popular. If we are talking about a “professional” application, then this is a separate device that can not only filter packets, but also detect an attempt at a network attack. For us, ordinary users, it is enough to have a software firewall. Even a “simple” firewall is not limited to monitoring Internet traffic; it warns about any suspicious application activity, asking the user what to allow the application to do and what not to do. This is also a "disadvantage". The first time you will have to answer questions, and answer correctly. I have seen situations where a user mistakenly blocked Internet access to their Internet browser. As a result, a connection with the provider is established, but not a single site opens.
We will return to firewalls very soon, because the time has come to move on to pure network security.
Before covering network attacks, it's a good idea to familiarize yourself with how networks operate. This knowledge can also be useful for troubleshooting problems on your own. I refer those who wish to seriously study the problem to serious materials. An ordinary person does not need to read all sorts of RTFSs. My goal is to help the user make an informed choice of protection level. Here we have to be guided by the necessary sufficiency, and the definition of this “sufficiency” is individual.
If you are an Internet user, your computer is constantly sending and receiving data. Requests for information are sent, the information itself (for example, mail). Service responses are received (server readiness, data on the size of the downloaded file, etc.), and the data itself.
Let's imagine the work of two headquarters of friendly armies during joint exercises. The Russian general asks the Chinese to support the offensive with fire from the sea. How is information exchanged? A letter is compiled, transmitted to the cipher operator, and already encrypted - to the radio operator. The latter taps the letter into the air in Morse code. The Chinese radio operator receives Morse code, the cryptographer deciphers it, is surprised to discover that the message is in Russian and gives it to the translators. Only now can we assume that the letter has reached the addressee. Note that our generals by rank are not supposed to think about Morse code, encryption methods and radio transmitters. Also, the user is not required to know anything about the seven network levels of interaction. The most interesting thing for us is the Internet Protocol. This protocol should be understood by any computer on the Internet, just as all radio operators are able to use Morse code. It is known that cable lines are often used when organizing communications. If there is an obstacle on the way, for example a river, then two transceivers (repeaters, this is more profitable than pulling a cable along the bottom) are installed at the break point along the banks; then satellite channels and again a cable line can be used. Two “radio operators” use Morse code and may not know anything about the methods of signal transmission over cable or radio channels with their compression equipment. The data networks on which the Internet is based are just as complex, but end devices such as your computer understand IP, regardless of the operating system installed.
In accordance with the IP concept, data is converted into separate “packets”, which can (but are not required to) contain, in addition to a piece of data and information about the point of departure and destination, information about a piece of what exactly is contained in the packet, how to connect it with the remaining parts. It is clear that there are no ideal channels for data transmission, which means that some packets will contain errors, packets reach the target in the “wrong” sequence or do not reach it at all. Sometimes this is not critical. Since only a small fraction of the packets are lost, the transmission can be repeated several times (a reasonable approach if the message is small). The networker will see here the datagram protocol (UDP), which is based on the IP protocol and does not guarantee message delivery. TCP/IP protocols provide a means for reliable delivery by establishing a virtual connection. During such a connection, two user programs already communicate. The “receiving” party is notified of the number of packets sent and the method of joining them, and if any packet did not arrive, it asks to resend. Here we can already draw two practical conclusions. First: if the signal is heavily distorted or there is a lot of interference, then a significant part of the packets are transmitted with errors, which leads to many repeated sendings, that is, the actual data transfer rate decreases. This is where the concept of channel width (capacity) arises. The second conclusion: if it sends all the declared packets except one, the receiving side will not close the virtual connection, waiting for the late one. If you create many such connections, it will be difficult for the receiving computer, since a section of memory is reserved for each connection, and memory is not rubber. Network attacks were based on this principle, “hanging” the victim’s computer.
To understand the process of establishing a connection, it is necessary to consider the system for identifying computers on the network. If we are talking about the Internet, then each computer has a unique name called an IP address. it might look something like this: 213.180.204.11 It’s a bit difficult to remember, so they came up with domain names consisting of “normal” characters, for example www.yandex.ru. If you type http://213.180.204.11 in the command line of your Internet browser, it will be equivalent to http://www.yandex.ru. Each domain name corresponds to a specific IP address. How did I find out the IP of the famous search engine? You can use a special program, or you can execute the “ping” command. If you have Windows, click the "Start" button, click on "Run". We are offered to execute some command on the computer, we will command cmd (enter cmd in the “open” field), and a command interpreter window will open. Now we can see the commands entered and the result of their execution. So, we command ping yandex.ru, press “Enter” and get the result. The result will be positive if your computer is connected to the Internet. In this case, you will be shown the transit time of the test packets to the Yandex server, and at the same time the ip address. The role of “translator” is played by a DNS server, a special computer that stores tables of correspondence between domain names and IP addresses, and there can be many such computers. The Internet was originally conceived as a fault-tolerant network (for the US military), and reliability was to be ensured by the absence of a single center. A group of packets sent over the same connection can take different paths (that’s why it’s the World Wide Web); this process is controlled by routers that store different paths to different subnets. Now it is clear why the order in which packets arrive at the recipient may differ from the original one. It is also clear that if a villain replaces an entry in the address table, then instead of the desired site, the client may end up on a duplicate site, where he will enter his passwords and other data. The consolation is that spoofing public DNS tables is a very difficult task. But, you should remember that the browser first looks at the local table, which is stored in a special file on your computer. If the virus manages to make its entry there, then by entering www.yandex.ru, you can easily end up on a completely different site, perhaps similar in appearance. If your firewall reports that some program is trying to change the address table file, you should examine your computer for a dangerous infection.
To establish a connection, it is not enough to know the computer address. The essential attributes of a connection request are the protocol (the language in which it is decided to communicate) and the port number to which we are connecting. We indicate the protocol each time in the address bar of the browser (the same http, although you can type ftp and contact the ftp server, if there is one on the server). The port number is usually not explicitly indicated; in this case, http means port 80, on which the Internet server “hangs” (not in the sense of “a powerful computer,” but in the sense of “a program that serves client applications.” A computer can run many services (the same ftp), each listens to “its own” port. If Internet browsers mainly provide connection via http and viewing web pages, then for connecting to other services there are special programs, both standard and “hacker” ones. If installed. ICQ program, then it opens its port and “listens” to it for those who want to connect and communicate. The more network services are running on the machine, the greater the likelihood that among them there will be a vulnerable one, because every open port is a door to the system, and is the lock secure? - that’s another question. There is a whole class of programs - port scanners, which poll a given range of ports, sorting through the numbers and producing a list of open ones. Looking ahead, I will say that there are “security scanners” that not only scan ports, but also examine them automatically. the target host for all known vulnerabilities.
So, network attacks. Banks will deal with hackers even without my help; the problems of an ordinary user are closer to me. Let's talk about this.
Remotely hacking a computer is no longer so simple. If you are interested in who did this and how five years ago, here is a link to the verdict against would-be hackers, which describes the entire hacking technology (at the beginning and end of the document). In the days of Windows 98, any schoolchild could do such things. These tricks don’t work with Windows XP, and only pros know the methods of hacking Linux, who even make good money at their bank. To penetrate someone else's computer, you now need to have decent qualifications, and not everyone receives the personal attention of an intelligent villain. My computer is unlikely to interest anyone. Another thing is that many people still indulge in port scanning. I don’t know what they are looking for there, but it’s very annoying. I pay for the traffic! I note that the address from which scanning is carried out often belongs to an unsuspecting, respectable user. Most likely, a worm has settled in the latter, looking for its next victim.
If someone is interested in your computer, then these are people close to you. I'm talking about business partners, bosses and jealous spouses. You can find a lot of spyware, such as keyloggers, on the Internet. If such a program is installed on the computer, then everything typed on the keyboard, including email passwords, is recorded in a special file and can be secretly sent by email to the “owner”.
Even if you have nothing to hide, Trojans living on your computer can intensively load the line, increasing traffic and interfering with the passage of useful information. In addition, illiterately written programs often take away system resources from the computer, and even violate the integrity of the operating system. The unfortunate result is reinstallation and the associated loss of time and money.
Now let's look at the most popular ways to get a Trojan on your computer (how to avoid this is in the next chapter).
The first method is to infect your computer with a compact virus, the only function of which is to download from the Internet and install a full-fledged “Trojan horse”
The second method is to go to the “wrong” site. And forcing someone to open a page containing dangerous content is a matter of technology and psychology.
The third method is to let the attacker sit at your computer. There are also cases when a visitor to an organization simply quietly inserted a specially prepared “flash drive” into a USB port, then it’s clear.
Another unpleasant reality of online life is sniffing. Simply put, traffic interception. From the previous chapter (using common sense) it is clear that outgoing packets go “on the air” in a sense. At least within one subnet they are available to everyone, and this is not so little. Another thing is that a “decent” computer only perceives information addressed to it. If the villain installed a sniffer program, he can read the transmitted data. Restoring the entire flow is an impossible task, since the connection with the source is not established and it will not be possible to request resending of lost packets (it would be arrogance to eavesdrop on neighbors behind the wall, and even ask again when they didn’t hear). Sniffing is used to intercept passwords transmitted in clear (unencrypted) form.
Knowing the level of real danger, you can take a reasonable approach to protecting your computer from various attacks. The approach here is simple: the cost of the safe should not exceed the cost of the valuables stored in it. You can do a lot yourself, let's start with this.
1. Install a normal operating system. We have to assume that most users are suitable for OS from Microsoft. In this case, there are no options - Windows XP with SP2 (at least). SP2 is the second update package that closed many security holes. Windows 2000 would have worked, but they stopped supporting it, and more and more vulnerabilities are being found.
2. Set up minimal protection: enable the firewall (if SP2 is installed, it is enabled by default) for all connections. This is done like this: Start>Control Panel>Network Connections, a window with icons for configured connections will open. Right-click on the connection icon, select “properties”, click on the “advanced” tab, then in the “Windows Firewall” area click the “settings” button. If the value is set to “disable”, change it to “enable” and confirm with the OK button.
3. Install anti-virus software. No matter how much they criticize Kaspersky Anti-Virus (it slows down the computer), I don’t see a reasonable alternative. We update anti-virus databases via the Internet to the latest state. Now you can delve into the settings (it looks different in different versions, so I won’t describe it in detail). It makes sense to disable the daily full computer scan. I usually turn off automatic updates since most computers are not connected to the Internet all the time.
4. In the “Control Panel” we find the “administration” section, in it “services” and disable everything unnecessary. First of all, the messaging service. I'll explain why. Perhaps you have encountered a situation where, while working on the Internet, a message periodically pops up in which you are scared of various errors in the system and other viruses, asking you to go to such and such a site where they will help you get rid of your problems. In fact, by visiting such a site, these problems can be incurred. The messaging service is designed primarily to work on a local network; with its help, the network administrator can notify users about anything. Villains use it to lure people to trap sites. You can also safely disable “Telnet”, “Remote Registry” and “Server” if you do not plan to use your computer as a server. The fewer services are running, the faster the computer runs. There is still a lot that can be disabled, but you should proceed with caution. If you are not sure, it is better to invite a specialist.
5. If you have not done this previously, set passwords for all users. The latter means that a good password should be long and consist of numbers, letters in different cases and special characters.
When I set up a client's computer, I usually stop there. For most, this is a completely sufficient level of protection. Those who are seriously concerned about safety should take a number of other precautions.
6. Grant all users only the minimum necessary rights. For example, prohibit everyone except the “Administrator” from installing programs. Even if you are the only user, create a second account with limited rights, and log in as Administrator only when necessary. The fact is that some vulnerabilities allow an attacker to execute commands on a computer on behalf of the current user. And if such person has minimum rights, then it will not be possible to exploit the vulnerability.
7. Sometimes when entering a password, for example to access your mailbox, the system prompts you to save the password. I always refuse, which is what I advise you to do. This is a good habit.
8. Install a full firewall. The built-in Windows firewall simply does not track many program actions.
06/20/05 37KThe Internet completely changes our way of life: work, study, leisure. These changes will occur both in areas we already know (electronic commerce, access to real-time information, increased communication capabilities, etc.) and in those areas about which we do not yet have an idea.
The time may come when a corporation will make all its telephone calls over the Internet, completely free of charge. In private life, special Web sites may appear, with the help of which parents can find out at any time how their children are doing. Our society is just beginning to realize the limitless possibilities of the Internet.
Introduction
Simultaneously with the enormous growth in the popularity of the Internet, an unprecedented danger of disclosure of personal data, critical corporate resources, state secrets, etc. arises.
Every day, hackers threaten these resources by trying to gain access to them using special attacks that are gradually becoming more sophisticated on the one hand and easier to execute on the other. Two main factors contribute to this.
Firstly, this is the widespread penetration of the Internet. There are millions of devices connected to the Internet today, and many millions of devices will be connected to the Internet in the near future, making it increasingly likely that hackers will gain access to vulnerable devices.
In addition, the widespread use of the Internet allows hackers to exchange information on a global scale. A simple search for keywords like “hacker”, “hacking”, “hack”, “crack” or “phreak” will return you thousands of sites, many of which contain malicious code and how to use it.
Secondly, this is the widest distribution of easy-to-use operating systems and development environments. This factor sharply reduces the level of knowledge and skills required by a hacker. Previously, in order to create and distribute easy-to-use applications, a hacker had to have good programming skills.
Now, to gain access to a hacker's tool, you only need to know the IP address of the desired site, and to carry out an attack, just a click of the mouse.
Classification of network attacks
Network attacks are as varied as the systems they target. Some attacks are very complex, while others are within the capabilities of an ordinary operator, who does not even imagine the consequences of his activities. To evaluate the types of attacks, you need to know some of the inherent limitations of the TPC/IP protocol. Net
The Internet was created for communication between government agencies and universities to assist educational process and scientific research. The creators of this network had no idea how widespread it would become. As a result, the specifications of early versions of the Internet Protocol (IP) lacked security requirements. This is why many IP implementations are inherently vulnerable.
After many years, after many complaints (Request for Comments, RFC), security measures for IP finally began to be implemented. However, due to the fact that security measures for the IP protocol were not initially developed, all its implementations began to be supplemented with a variety of network procedures, services and products that reduce the risks inherent in this protocol. Next, we'll briefly look at the types of attacks that are commonly used against IP networks and list ways to combat them.
Packet sniffer
A packet sniffer is an application program that uses a network card operating in promiscuous mode (in this mode, the network adapter sends all packets received over physical channels to the application for processing).
In this case, the sniffer intercepts all network packets that are transmitted through a specific domain. Currently, sniffers operate on networks on a completely legal basis. They are used for fault diagnosis and traffic analysis. However, due to the fact that some network applications transmit data in text format ( Telnet, FTP, SMTP, POP3, etc..), using a sniffer you can find out useful and sometimes confidential information (for example, usernames and passwords).
Login and password interception poses a major threat because users often use the same login and password for multiple applications and systems. Many users generally have a single password to access all resources and applications.
If the application runs in client-server mode, and authentication data is transmitted over the network in readable text format, then this information can most likely be used to access other corporate or external resources. Hackers know and exploit human weaknesses too well (attack methods are often based on social engineering methods).
They are well aware that we use the same password to access many resources, and therefore they often manage to gain access to important information by learning our password. In the worst case scenario, a hacker gains access to a user resource at the system level and uses it to create a new user who can be used at any time to access the Network and its resources.
You can reduce the threat of packet sniffing by using the following tools:
:Authentication. Strong authentication is the most important way to protect against packet sniffing. By “strong” we mean authentication methods that are difficult to bypass. An example of such authentication is One-Time Passwords (OTP).
OTP is a two-factor authentication technology that combines what you have with what you know. A typical example of two-factor authentication is the operation of a regular ATM, which identifies you, firstly, by your plastic card, and secondly, by the PIN code you enter. A PIN code and your personal card are also required for authentication in the OTP system.
A “card” (token) is understood as a hardware or software tool that generates (by random principle) a unique one-time, one-time password. If a hacker finds out this password using a sniffer, then this information will be useless, since at that moment the password will already be used and retired.
Note that this method of combating sniffing is effective only in cases of password interception. Sniffers that intercept other information (such as email messages) remain effective.
Switched infrastructure
. Another way to combat packet sniffing in your network environment is to create a switched infrastructure. If, for example, the entire organization uses dial-up Ethernet, hackers can only access traffic coming into the port they are connected to. A switched infrastructure does not eliminate the threat of sniffing, but it does significantly reduce its severity.Antisniffers. The third way to combat sniffing is to install hardware or software that recognizes the sniffers running on your network. These tools cannot completely eliminate the threat, but, like many other network security tools, they are included in the overall protection system. Antisniffers measure host response times and determine whether hosts are having to process unnecessary traffic. One such product, available from LOpht Heavy Industries, is called AntiSniff.
Cryptography. This most effective way to combat packet sniffing, although it does not prevent interception and does not recognize the work of sniffers, but makes this work useless. If the communication channel is cryptographically secure, then the hacker does not intercept the message, but the ciphertext (that is, an incomprehensible sequence of bits). Cisco network-layer cryptography is based on IPSec, which is a standard method for secure communication between devices using the IP protocol. Other cryptographic network management protocols include SSH (Secure Shell) and SSL (Secure Socket Layer) protocols.
IP spoofing
IP spoofing occurs when a hacker, inside or outside a corporation, impersonates an authorized user. This can be done in two ways: the hacker can use either an IP address that is within the range of authorized IP addresses, or an authorized external address that is allowed access to certain network resources.
IP spoofing attacks are often the starting point for other attacks. A classic example is a DoS attack, which starts from someone else's address, hiding the hacker's true identity.
Typically, IP spoofing is limited to inserting false information or malicious commands into the normal flow of data transmitted between a client and server application or over a communication channel between peer devices.
For two-way communication, the hacker must change all the routing tables to direct traffic to the false IP address. Some hackers, however, don't even try to get a response from the applications - if the main goal is to get an important file from the system, then the applications' responses don't matter.
If a hacker manages to change the routing tables and direct traffic to a false IP address, he will receive all packets and will be able to respond to them as if he were an authorized user.
The threat of spoofing can be mitigated (but not eliminated) by the following measures:
- Access control. The easiest way to prevent IP spoofing is to properly configure access controls. To reduce the effectiveness of IP spoofing, configure access control to reject any traffic coming from an external network with a source address that should be located inside your network.
True, this helps combat IP spoofing, when only internal addresses are authorized; if some external network addresses are also authorized, this method becomes ineffective;
- RFC 2827 filtering. You can stop users on your network from spoofing other people's networks (and become a good online citizen). To do this, you must reject any outgoing traffic whose source address is not one of your organization's IP addresses.
This type of filtering, known as RFC 2827, can also be performed by your Internet Service Provider (ISP). As a result, all traffic that does not have a source address expected on a particular interface is rejected. For example, if an ISP provides a connection to the IP address 15.1.1.0/24, it can configure a filter so that only traffic originating from 15.1.1.0/24 is allowed from that interface to the ISP's router.
Note that until all providers implement this type of filtering, its effectiveness will be much lower than possible. Additionally, the further away you are from the devices being filtered, the more difficult it is to perform accurate filtration. For example, RFC 2827 filtering at the access router level requires passing all traffic from the main network address (10.0.0.0/8), while at the distribution level (in a given architecture) it is possible to restrict traffic more precisely (address - 10.1.5.0/24).
The most effective method to combat IP spoofing is the same as in the case of packet sniffing: you need to make the attack completely ineffective. IP spoofing can only work if authentication is based on IP addresses.
Therefore, the introduction of additional authentication methods makes such attacks useless. The best type of additional authentication is cryptographic. If this is not possible, two-factor authentication using one-time passwords can give good results.
Denial of service
Denial of Service (DoS) is without a doubt the most well-known form of hacking attacks. In addition, these types of attacks are the most difficult to create 100% protection against. Among hackers, DoS attacks are considered child's play, and their use causes contemptuous grins, since organizing DoS requires a minimum of knowledge and skills.
Nevertheless, it is precisely the ease of implementation and the enormous scale of harm caused that DoS attracts the close attention of administrators responsible for network security. If you want to learn more about DoS attacks, you should consider the most famous types, namely:
- TCP SYN Flood;
- Ping of Death;
- Tribe Flood Network (TFN) and Tribe Flood Network 2000 (TFN2K);
- Trinco;
- Stacheldracht;
- Trinity.
An excellent source of security information is the Computer Emergency Response Team (CERT), which has published excellent work on combating DoS attacks.
DoS attacks are different from other types of attacks. They are not aimed at gaining access to your network, nor at obtaining any information from that network, but a DoS attack makes your network unavailable for normal use by exceeding the acceptable limits of the network, operating system, or application.
In the case of some server applications (such as a Web server or FTP server), DoS attacks can involve taking over all connections available to those applications and keeping them occupied, preventing ordinary users from being served. DoS attacks can use common Internet protocols such as TCP and ICMP ( Internet Control Message Protocol).
Most DoS attacks do not target software bugs or security holes, but rather general weaknesses in the system architecture. Some attacks cripple network performance by flooding it with unwanted and unnecessary packets or misleading information about the current state of network resources.
This type of attack is difficult to prevent because it requires coordination with the provider. If you do not stop the traffic intended to overwhelm your network at the provider, then you will no longer be able to do this at the entrance to the network, since all the bandwidth will be occupied. When this type of attack is carried out simultaneously through many devices, we talk about a distributed DoS attack ( distributed DoS, DDoS).
The threat of DoS attacks can be reduced in three ways:
- Anti-spoofing features. Properly configuring anti-spoofing features on your routers and firewalls will help reduce the risk of DoS. At a minimum, these features should include RFC 2827 filtering. If a hacker cannot disguise his true identity, he is unlikely to carry out an attack.
- Anti-DoS functions. Proper configuration of anti-DoS features on routers and firewalls can limit the effectiveness of attacks. These features often limit the number of half-open channels at any given time.
- Traffic rate limiting. An organization may ask its Internet Service Provider (ISP) to limit the amount of traffic. This type of filtering allows you to limit the amount of non-critical traffic that passes through your network. A typical example is limiting the volume of ICMP traffic, which is used only for diagnostic purposes. (D)DoS attacks often use ICMP.
Password attacks
Hackers can carry out password attacks using a number of methods, such as brute force attack, Trojan horse, IP spoofing and packet sniffing. Although login and password can often be obtained through IP spoofing and packet sniffing, hackers often try to guess the password and login through multiple access attempts. This approach is called a simple search (brute force attack).
Often, such an attack uses a special program that tries to gain access to a public resource (for example, a server). If, as a result, the hacker is granted access to resources, then he receives it with the rights of a regular user whose password was selected.
If this user has significant access privileges, the hacker can create a "pass" for future access that will remain valid even if the user changes his password and login.
Another problem arises when users use the same (even very good) password to access many systems: corporate, personal, and Internet systems. Since the strength of a password is equal to the strength of the weakest host, a hacker who learns the password through that host gains access to all other systems where the same password is used.
Password attacks can be avoided by not using plain text passwords. One-time passwords and/or cryptographic authentication can virtually eliminate the threat of such attacks. Unfortunately, not all applications, hosts and devices support the above authentication methods.
When using regular passwords, try to come up with one that would be difficult to guess. The minimum password length must be at least eight characters. The password must include uppercase characters, numbers, and special characters (#, %, $, etc.).
The best passwords are difficult to guess and difficult to remember, forcing users to write them down on paper. To avoid this, users and administrators can use a number of recent technological advances.
For example, there are application programs that encrypt a list of passwords that can be stored in a pocket computer. As a result, the user only needs to remember one complex password, while all others will be reliably protected by the application.
There are several methods for an administrator to combat password guessing. One of them is to use the L0phtCrack tool, which is often used by hackers to guess passwords in the Windows NT environment. This tool will quickly show you whether the user's chosen password is easy to guess. For more information, visit http://www.l0phtcrack.com/.
Man-in-the-Middle attacks
For a Man-in-the-Middle attack, a hacker needs access to packets transmitted over the network. Such access to all packets transmitted from a provider to any other network can, for example, be obtained by an employee of this provider. Packet sniffers, transport protocols, and routing protocols are often used for this type of attack.
Attacks are carried out with the aim of stealing information, intercepting the current session and gaining access to private network resources, to analyze traffic and obtain information about the network and its users, to carry out DoS attacks, distortion of transmitted data and entering unauthorized information into network sessions.
Man-in-the-Middle attacks can only be effectively combated using cryptography. If a hacker intercepts data from an encrypted session, what will appear on his screen is not the intercepted message, but a meaningless set of characters. Note that if a hacker obtains information about a cryptographic session (for example, a session key), this could make a Man-in-the-Middle attack possible even in an encrypted environment.
Application level attacks
Application-level attacks can be carried out in several ways. The most common of them is the use of well-known weaknesses in server software (sendmail, HTTP, FTP). By exploiting these weaknesses, hackers can gain access to a computer as the user running the application (usually not a regular user, but a privileged administrator with system access rights).
Information about application-level attacks is widely published to give administrators the opportunity to correct the problem using corrective modules (patches). Unfortunately, many hackers also have access to this information, which allows them to improve.
The main problem with application-level attacks is that hackers often use ports that are allowed to pass through the firewall. For example, a hacker exploiting a known weakness in a Web server will often use port 80 in a TCP attack. Since the Web server provides Web pages to users, the firewall must provide access to this port. From the firewall's point of view, the attack is treated as standard traffic on port 80.
Application-level attacks cannot be completely eliminated. Hackers are constantly discovering and publishing new vulnerabilities in application programs on the Internet. The most important thing here is good system administration. Here are some measures you can take to reduce your vulnerability to this type of attack:
- read operating system and network log files and/or analyze them using special analytical applications;
- Subscribe to the application vulnerability reporting service: Bugtrad (http://www.securityfocus.com).
Network intelligence
Network intelligence refers to the collection of information about a network using publicly available data and applications. When preparing an attack against a network, a hacker usually tries to get as much information about it as possible. Network reconnaissance is carried out in the form of DNS queries, pings and port scanning.
DNS queries help you understand who owns a particular domain and what addresses are assigned to that domain. Pinging addresses revealed by DNS allows you to see which hosts are actually running in a given environment. After receiving a list of hosts, the hacker uses port scanning tools to compile a complete list of services supported by those hosts. Finally, the hacker analyzes the characteristics of the applications running on the hosts. As a result, he obtains information that can be used for hacking.
It is impossible to completely get rid of network intelligence. If, for example, you disable ICMP echo and echo reply on edge routers, you get rid of ping testing, but you lose the data needed to diagnose network failures.
In addition, you can scan ports without preliminary ping testing - it will just take more time, since you will have to scan non-existent IP addresses. Network- and host-level IDS systems typically do a good job of alerting administrators to ongoing network reconnaissance, allowing them to better prepare for an upcoming attack and alert the Internet Service Provider (ISP) on whose network the system is being overly curious:
- use the latest versions of operating systems and applications and the latest correction modules (patches);
- In addition to system administration, use attack detection systems (IDS) - two complementary ID technologies:
- Network IDS System (NIDS) monitors all packets passing through a specific domain. When the NIDS system sees a packet or series of packets matching the signature of a known or probable attack, it generates an alarm and/or terminates the session;
- IDS system (HIDS) protects the host using software agents. This system only combats attacks against a single host.
In their work, IDS systems use attack signatures, which are profiles of specific attacks or types of attacks. Signatures define the conditions under which traffic is considered hacker. Analogues of IDS in the physical world can be considered a warning system or surveillance camera.
The biggest disadvantage of IDS is their ability to generate alarms. To minimize the number of false alarms and ensure correct functioning of the IDS system in the network, careful configuration of the system is necessary.
Breach of trust
Strictly speaking, this type of action is not in the full sense of the word an attack or assault. It represents the malicious exploitation of trust relationships that exist in a network. A classic example of such abuse is the situation in the peripheral part of the corporate network.
This segment often houses DNS, SMTP, and HTTP servers. Since they all belong to the same segment, hacking any one of them leads to hacking all the others, since these servers trust other systems on their network.
Another example is a system installed on the outside of the firewall that has a trust relationship with a system installed on the inside of the firewall. If an external system is compromised, the hacker can use the trust relationship to penetrate the system protected by the firewall.
The risk of breach of trust can be reduced by more tightly controlling the levels of trust within your network. Systems located outside the firewall should never have absolute trust from systems protected by the firewall.
Trust relationships should be limited to specific protocols and, if possible, authenticated by parameters other than IP addresses.
Port Forwarding
Port forwarding is a form of abuse of trust in which a compromised host is used to pass traffic through a firewall that would otherwise be rejected. Let's imagine a firewall with three interfaces, each of which is connected to a specific host.
An external host can connect to a shared host (DMZ), but not to one installed on the inside of the firewall. A shared host can connect to both an internal and external host. If a hacker takes over a shared host, he can install software on it that redirects traffic from the external host directly to the internal one.
Although this does not violate any of the rules on the screen, the external host gains direct access to the protected host as a result of the redirection. An example of an application that can provide such access is netcat. More information can be found at http://www.avian.org.
The main way to combat port forwarding is to use strong trust models (see previous section). In addition, a host IDS system (HIDS) can prevent a hacker from installing his software on a host.
Unauthorized access
Unauthorized access cannot be identified as a separate type of attack, since most network attacks are carried out precisely to gain unauthorized access. To guess a Telnet login, a hacker must first get a Telnet hint on his system. After connecting to the Telnet port, the message “authorization required to use this resource” appears on the screen (“ Authorization is required to use this resource.»).
If the hacker continues to attempt access after this, they will be considered unauthorized. The source of such attacks can be either inside the network or outside.
Methods to combat unauthorized access are quite simple. The main thing here is to reduce or completely eliminate the hacker's ability to gain access to the system using an unauthorized protocol.
As an example, consider preventing hackers from accessing the Telnet port on a server that provides Web services to external users. Without access to this port, a hacker will not be able to attack it. As for the firewall, its main task is to prevent the simplest attempts of unauthorized access.
Viruses and Trojan horse applications
End user workstations are very vulnerable to viruses and Trojan horses. Viruses are malicious programs that are inserted into other programs to perform a specific unwanted function on the end user's workstation. An example is a virus that is written in the command.com file (the main interpreter of Windows systems) and erases other files, and also infects all other versions of command.com it finds.
A Trojan horse is not a software insert, but a real program that at first glance seems to be a useful application, but in fact plays a harmful role. An example of a typical Trojan horse is a program that looks like a simple game for the user's workstation.
However, while the user is playing the game, the program sends a copy of itself by email to every subscriber in that user's address book. All subscribers receive the game by mail, causing its further distribution.
The fight against viruses and Trojan horses is carried out with the help of effective anti-virus software that works at the user level and, possibly, at the network level. Antivirus products detect most viruses and Trojan horses and stop their spread.
Getting the latest information about viruses will help you fight them more effectively. As new viruses and Trojan horses emerge, businesses must install new versions of antivirus tools and applications.
When writing this article, materials provided by Cisco Systems were used.
Good bad
