November 1, 2004



The basic aim of network security is to ensure that (a) access to information is restricted, for insiders as much as for outsiders, so that it does not fall into the wrong hands, and (b) rogue items like viruses and worms do not enter and wreak havoc with the files on your PCs. While the second has received much attention and action, the importance of the first, information security, has generally been underplayed.

Let us begin with information security.

How do you ensure that critical information, like the rate at which you picked up that big order, the address of the contact who helped you secure it, or the details of the salary you are paying your key people, does not fall into the wrong hands?

The first step is to ensure that network access is regulated. The simplest way to do this is to protect access through network rights, login names and passwords. That is, not all the drives on network servers and on PCs are open to everyone. You first define who needs access to what (and no more than that), and then enforce it through file and folder rights tied to each login.

How can this system be defeated? Compromised passwords are at the top of the list. This includes users who proudly announce their passwords. Next come users who do not set any password at all. Improperly configured rights can also give access to people who are not supposed to have it. Users sharing folders on their PCs running Windows is another area of concern: a share created for a temporary need should be removed once that need is over, and it is worth periodically listing the shares on each PC (the net share command on Windows does this) to catch the ones that were forgotten.

Advanced mechanisms for access control are typically deployed on large networks. They are beyond the scope of this discussion.

Vendors

Anti spam tools: SpamPal, Igate Spam, Norton AntiSpam
Anti virus vendors: see the anti virus shootout in this issue
Firewall vendors: Cisco, ZoneAlarm, Check Point, Norton, WatchGuard, Juniper (NetScreen)
 

Just assigning usernames and passwords is not enough. Users have to be educated about the need to choose and use the right passwords, and about the need to keep them secret.

A good password mixes letters, numbers and special characters (like *&%# and so on), is at least six characters long (longer is better, since every extra character multiplies the work of a guessing attack), and is not easily recognizable by association with the user: a spouse's name, a car number, a date of birth and the like. Do not write passwords down in places where others can easily look for them, such as under the keyboard or on the desk itself. It is good practice to change passwords at regular intervals, and to change one immediately if you suspect it has been seen by someone else.
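The rules above can be enforced at the point where a password is set rather than left to the user's memory. The following is an added example for this article, not code from any product it mentions: it applies the length and character-class rules and rejects a password that contains anything recorded about the user (names, a car number, a date of birth in the common ways people type it). The six-character minimum follows the text; the facts dictionary and its ISO date format are assumptions for illustration.

```python
import re
from datetime import date

# Characters counted as "special"; the set is an assumption, extend it to taste.
SPECIALS = set("*&%#!@$^()-_=+[]{};:,.<>?/\\|~`'\"")


def _date_forms(d):
    """The ways a date tends to get typed into a password: 1970, 15061970, 150670, 19700615, 1506 ..."""
    y, m, dd = str(d.year), f"{d.month:02d}", f"{d.day:02d}"
    return {y, dd + m + y, dd + m + y[2:], m + dd + y, y + m + dd, dd + m}


def associated_tokens(facts):
    """Lower-cased strings the password must not contain, derived from what is
    known about the user. `facts` maps a label to a string or an ISO date string,
    e.g. {"spouse": "Priya", "car": "DL 3C 1234", "dob": "1970-06-15"}."""
    tokens = set()
    for value in facts.values():
        value = str(value)
        if re.fullmatch(r"\d{4}-\d{2}-\d{2}", value):       # ISO date, e.g. "1970-06-15"
            tokens |= _date_forms(date.fromisoformat(value))
            continue
        flat = re.sub(r"[^a-z0-9]", "", value.lower())      # "DL 3C 1234" -> "dl3c1234"
        tokens.add(flat)
        tokens |= {p.lower() for p in re.findall(r"[A-Za-z]+|\d+", value)}   # and "1234"
    return {t for t in tokens if len(t) >= 3}               # shorter fragments would match anything


def check_password(pw, facts=None, min_len=6):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special characters")
    low = pw.lower()
    for tok in sorted(associated_tokens(facts or {})):
        if tok in low:
            problems.append(f"contains something associated with the user: {tok!r}")
    return problems


if __name__ == "__main__":
    facts = {"spouse": "Priya", "car": "DL 3C 1234", "dob": "1970-06-15"}   # constructed sample
    for candidate in ("priya@99", "Ok#150670x", "Summer2004", "tH3-r0oF@2am"):
        print(candidate, "->", check_password(candidate, facts) or "ok")
```

The association check deliberately works on substrings, so "Priya1970!" is caught even though it satisfies every other rule; that is the failure mode the text warns about, and it is the one a plain complexity check misses.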

Is it advisable to keep machines with very sensitive information, like the company accounts, disconnected from the network, or to keep such information away from PCs altogether? No, since that is not a practical solution. Instead, techniques like subnetting can be used to further enhance the security of such machines. Putting them in a separate subnet keeps them out of the network neighbourhood that ordinary users browse, but on its own that is only obscurity: anyone who learns the address can still reach the machines if the router simply forwards traffic between subnets. The protection comes from the filtering rules you put on the router or firewall between the subnets, allowing in only the few machines (say, the accountant's PC and the backup server) that need access and dropping everything else.

How do you subnet? Subnetting is done by giving the machines an IP address and subnet mask in a range of their own, and connecting that range to the rest of the network through a router or firewall that carries the filtering rules. We have discussed this in previous issues of PCQuest. If you are not familiar with the process, it is advisable to get an expert to do it for you, and, whoever does it, to verify afterwards from an ordinary user's PC that the accounts machines really are unreachable.
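The point that a subnet by itself hides nothing is easy to check against a written policy. The block below is an added example, not from the article: it models the router's forwarding decision as a first-match rule list, in the same way an iptables FORWARD chain or a router ACL works, and searches a policy for holes, that is, office hosts that can still reach the accounts subnet. The subnets, the admin PC address and the file-sharing ports are assumptions for illustration.

```python
import ipaddress

OFFICE = ipaddress.ip_network("192.168.1.0/24")      # ordinary user PCs (assumed)
ACCOUNTS = ipaddress.ip_network("192.168.2.0/24")    # the sensitive subnet (assumed)
ADMIN_PC = ipaddress.ip_network("192.168.1.10/32")   # the one office host allowed in (assumed)
ANY = ipaddress.ip_network("0.0.0.0/0")
FILE_PORTS = (139, 445)                              # Windows file sharing


class Rule:
    """One forwarding rule: source net, destination net, optional destination port."""
    def __init__(self, src, dst, action, dport=None):
        self.src, self.dst, self.action, self.dport = src, dst, action, dport

    def matches(self, src_ip, dst_ip, dport):
        return (src_ip in self.src and dst_ip in self.dst
                and (self.dport is None or self.dport == dport))


def decide(rules, src_ip, dst_ip, dport, default="ACCEPT"):
    """First matching rule wins; `default` is what the router does when nothing matches.
    A plain router forwards everything (ACCEPT); a firewall should default to DROP."""
    if isinstance(src_ip, str):
        src_ip = ipaddress.ip_address(src_ip)
    if isinstance(dst_ip, str):
        dst_ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return default


def holes(rules, protected, allowed_sources, ports, candidates, default="ACCEPT", limit=None):
    """Every (src, dst, port) from a candidate host that is not in `allowed_sources`
    into `protected` that the policy still lets through. Empty means isolated.
    `limit` caps the report so a wide-open policy does not produce 100,000 lines."""
    found = []
    for src in candidates.hosts():
        if any(src in net for net in allowed_sources):
            continue
        for dst in protected.hosts():
            for port in ports:
                if decide(rules, src, dst, port, default) == "ACCEPT":
                    found.append((str(src), str(dst), port))
                    if limit is not None and len(found) >= limit:
                        return found
    return found


# Policy 1: subnetting only. No rules; the router forwards whatever it is given.
SUBNET_ONLY = []

# Policy 2: segmentation. Let the admin PC in, drop everyone else bound for ACCOUNTS.
SEGMENTED = [
    Rule(ADMIN_PC, ACCOUNTS, "ACCEPT"),
    Rule(ANY, ACCOUNTS, "DROP"),
]

if __name__ == "__main__":
    for name, policy in (("subnet only", SUBNET_ONLY), ("segmented", SEGMENTED)):
        gaps = holes(policy, ACCOUNTS, [ADMIN_PC], FILE_PORTS, OFFICE, limit=3)
        print(f"{name}: {'isolated' if not gaps else 'reachable, e.g. ' + str(gaps)}")
```

The order of the SEGMENTED rules matters: the specific ACCEPT must come before the broad DROP, exactly as it would in a real rule chain, and swapping them silently locks the admin PC out as well. Translating the two rules into the router's own syntax is the expert's job; checking the result from an ordinary PC is yours.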
That brings us to the issue of outside threats.

The two most visible outside threats are viruses and spam. Spam not only chokes your Internet bandwidth, but also acts as a conduit for viruses, worms and trojans to enter your network.

Solutions for these either run on individual machines or run centrally. If you are running a mid-size network, say of twenty PCs or more, it is recommended that you opt for a centralized anti virus and anti spam solution instead of separate ones on each PC. That way you can see that protection on all machines is up to date, and time and bandwidth are not wasted when each machine separately downloads the same update. Another system that needs anti virus protection is your mail server, since most of what the desktops would otherwise catch arrives through it. If you run one of your own, ensure that an anti virus solution is installed on it. If you have rented the server from an ISP, insist on one that scans mail for viruses.

As newer threats evolve, anti virus and anti spam vendors keep updating their software and the signature files to identify the threats. So, it is essential that you update these on all systems regularly. The best way is to set the software to be automatically updated.

Typically, when you buy the software, you get subscribed to a year’s updates while you may have to pay for any further updates.

Anti virus and anti spam software, which is not up to date, is as good as one not there at all.

Another threat comes from security holes (vulnerabilities) in OSs and applications. All software is prone to this problem, so developers and vendors regularly release updates that close such holes. These updates are called patches or service packs; new functionality may be added at the same time.

OSs like Windows and Linux, and software like firewalls, have features that automatically download the updates and install them. You need to enable these to stay up to date and safe. As with anti virus and anti spam, you need to ensure that all systems are up to date, and the best way to do this is centralized update management rather than relying on each machine separately.

To get the initial security setup done, it may be advisable to call in an expert. While at it, ask the expert to help set up a security policy for you. 

What is a security policy? It is nothing but a list of do’s and don’ts, along with advice on what to do if there is a problem.

Implementation: KFSensor
KFSensor acts both as a honeypot and as an IDS by opening ports on the machine it is installed on and waiting for connections to those ports. It does this in exactly the same way as conventional server software, such as a Web server or an SMTP server, so to a scanner it looks like a real service. In doing so it sets up a target, a honeypot server, that records the actions of an intruder. Because no legitimate user has any reason to connect to it, every connection it sees is suspicious, which is what makes it useful as an alarm.

KFSensor is not a complete security solution in itself; it complements other forms of security such as firewalls and anti virus/anti spam.

KFSensor works on Windows and to install it you must be logged on to the machine with full administrator rights. You can do a typical install. 

In the next step you will be asked to choose the folder where KFSensor should be located. You will need to restart your machine before it can become operational.

There are two main components of the KFSensor system, the server and the monitor. The KFSensor Server provides the core functionality of the KFSensor system. It has no user interface and runs in the background.

The KFSensor Monitor contains the user interface of the KFSensor system. 

Running the KFSensor Server
The KFSensor Server is configured via the KFSensor Monitor. There are two ways in which the KFSensor Server can be run:

As a console application: In this mode the KFSensor Server is started directly by the KFSensor Monitor when the Monitor is launched, and shuts down when you quit the Monitor. This is the only mode available on Win 98 and Win Me.

As a system service: The KFSensor Server can be installed as a system service on Win NT, 2000, 2003 and XP only. A system service is a special type of application that Windows runs in the background, so the honeypot keeps listening after you close the Monitor or log off.

Running it as a system service is preferred. To install the KFSensor Server as a system service, open the File menu in the KFSensor Monitor, select Service, and then select 'Install As System Service'. You need to be logged on with Administrator rights for this to work.

Monitoring
The KFSensor Monitor is used to configure the KFSensor Server and monitor the events generated by the KFSensor Server. 

The interface of the monitor is divided into two parts. The left pane displays the selected kind of view in tree format, which may be the ports, events or visitors.

The right pane of the display shows the details of the specific port, event or visitor selected. 

The view can be changed from the View menu in the KFSensor Monitor display.

Ports view
The Ports View is displayed in the left pane of the main window. It is a tree that shows the name and status of the KFSensor Server and the ports on which it is listening.

The Ports View is linked to the Events View and acts as a filter on it. For example, if you select port 110, only events related to port 110 are displayed in the Events View.

The right pane displays detailed information about the port or visitor selected in the left pane, including the protocol (service) being emulated, the port used, and the starting date and time. This information is laid out in columns, and you can choose which columns are shown through the Add/Remove Columns dialog box in the View menu.

Visitors view
The Visitors View is displayed in the left pane of the main window. It is a tree that shows the name and status of the KFSensor Server and the visitors (remote addresses) that have connected to it. Like the Ports View, the Visitors View is linked to the Events View.

Events view
The events displayed are filtered by the item currently selected in the Ports View or the Visitors View.

Intrusion detection systems and honeypots

As the name suggests, an intrusion detection system is one that detects when an unwanted outsider tries to enter your network and raises an alarm. On its own it detects and reports; blocking the intruder remains the job of the firewall it is used alongside. A honeypot is software that presents a dummy server to the intruder, luring it away from your real servers and recording what it does. Since no legitimate user ever needs to connect to the dummy server, anything that does connect deserves a look.
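To make the server/monitor split and the three linked views concrete, here is a small low-interaction honeypot in Python. It is an added example, not KFSensor's code; the banner strings, the probe helper and the use of OS-chosen ports are assumptions for illustration. Like KFSensor it opens listening sockets exactly as a real service would, answers with a banner so the visitor keeps talking, and records each connection as an event; ports, visitors() and the events_for_* methods mirror the Monitor's Ports, Visitors and Events views, with ports and visitors acting as filters on events.

```python
import socket
import threading
import time
from dataclasses import dataclass

# Banners returned on connect so a probe sees something that looks like a real
# service. Constructed for this example; KFSensor ships its own service emulations.
BANNERS = {
    21: b"220 FTP server ready\r\n",
    25: b"220 ESMTP service ready\r\n",
    110: b"+OK POP3 server ready\r\n",
}
DEFAULT_BANNER = b"220 Service ready\r\n"


@dataclass
class Event:
    when: float      # time.time() when the connection arrived
    visitor: str     # remote IP address
    port: int        # local port the visitor connected to
    data: bytes      # first bytes the visitor sent (empty if it sent nothing)


class Honeypot:
    """Listens on several TCP ports, records every connection as an Event, and
    offers the Monitor's three views: ports, visitors and (filtered) events."""

    def __init__(self, ports, host="127.0.0.1", read_timeout=2.0, banners=BANNERS):
        self.read_timeout = read_timeout
        self.banners = banners
        self.events = []
        self._lock = threading.Lock()
        self._listeners = {}
        for port in ports:                      # port 0 lets the OS pick a free port
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            sock.bind((host, port))
            sock.listen(5)
            self._listeners[sock.getsockname()[1]] = sock

    @property
    def ports(self):
        """Ports view: the ports the server is listening on."""
        return sorted(self._listeners)

    def start(self):
        for port, sock in self._listeners.items():
            threading.Thread(target=self._accept_loop, args=(port, sock), daemon=True).start()

    def stop(self):
        for sock in self._listeners.values():
            sock.close()                        # accept() raises OSError, loops exit

    def _accept_loop(self, port, sock):
        while True:
            try:
                conn, addr = sock.accept()
            except OSError:
                return
            threading.Thread(target=self._handle, args=(conn, addr[0], port), daemon=True).start()

    def _handle(self, conn, visitor, port):
        with conn:
            conn.settimeout(self.read_timeout)
            try:
                conn.sendall(self.banners.get(port, DEFAULT_BANNER))
                data = conn.recv(1024)          # whatever the visitor says first
            except OSError:                     # includes the read timeout
                data = b""
            with self._lock:
                self.events.append(Event(time.time(), visitor, port, data))

    def visitors(self):
        """Visitors view: every remote address that has connected."""
        with self._lock:
            return sorted({e.visitor for e in self.events})

    def events_for_port(self, port):
        with self._lock:
            return [e for e in self.events if e.port == port]

    def events_for_visitor(self, visitor):
        with self._lock:
            return [e for e in self.events if e.visitor == visitor]

    def wait_for_events(self, count, timeout=5.0):
        """Block until at least `count` events are recorded; True on success."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.events) >= count:
                    return True
            time.sleep(0.05)
        return False


def probe(host, port, payload, timeout=2.0):
    """A visitor: connect, read the banner, send a payload, hang up. Returns the banner."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(1024)
        s.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = Honeypot([0, 0])                       # two OS-chosen ports for a local demo
    hp.start()
    for p in hp.ports:
        probe("127.0.0.1", p, b"USER admin\r\n")
    hp.wait_for_events(2)
    for e in hp.events:
        print(time.strftime("%H:%M:%S", time.localtime(e.when)), e.visitor, e.port, e.data)
    hp.stop()
```

In real use you would bind to the real ports (21, 25, 110 and so on) on a machine that offers no genuine services, which needs administrator rights for ports below 1024, and ship the events to a log that the attacker cannot reach.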

Firewall in Linux




Every recent Linux distribution has iptables built into its kernel. It gives fine-grained control over the TCP/IP connections the system accepts, makes or forwards, and can be configured into a very powerful firewall. Configuring iptables by hand is not child's play, however, and requires a good understanding of IP and of Linux. As threats have grown in recent years, every distro now carries an easy-to-use front end for creating and changing iptables rules, so that a machine can be protected against intrusion attempts straight away. Two such tools are redhat-config-securitylevel and Firewall Builder.

redhat-config-securitylevel
When you install the distro (Red Hat, Fedora or PCQLinux), the installer runs this tool and asks you to set the security level. That is the best time to configure the firewall, but if you skipped it you can still do so later. On an installed machine, run it as root from any terminal under X Window:

Configure the Linux firewall

# redhat-config-securitylevel

A dialogue box pops up. At the top is a drop-down menu (see the screen shot above) with the options High, Medium, No Firewall and Custom.

As the name suggests, High does not allow any incoming connection to the machine; only DNS and DHCP replies are let in, so that the machine can still use the network. Medium allows some common services through, such as FTP and Telnet (both of which send passwords in clear text, so only open them if you must). No Firewall disables the firewall completely.

If you select Custom, the controls below the drop-down list are enabled, and from there you define yourself which services are allowed through the firewall and which are blocked. Whatever level you choose, check the result from another machine with a connection attempt or a port scan rather than trusting the dialogue box alone.

Q&A




Where do I put a firewall?
A firewall is a system that sits between your network and your Internet connection and runs software that stops unwanted outsiders from getting into your machine or network. If you connect a single PC or notebook to the Internet, a personal firewall running on it is enough. If you are connecting a network to the Internet, the firewall should sit at the point where the network meets the Internet: for a large network, on a separate dedicated machine; for a smaller network, it could share a machine that already sits at that point, say the mail server. Personal firewalls on every PC are a useful extra layer, but they are no substitute for a firewall at the network perimeter, because they depend on each user keeping them switched on and correctly configured.

You could buy a firewall appliance (a dedicated firewall device), run firewall software on a dedicated PC or server, or share a PC for firewall duties, depending on the load the machine has to take and the budget at your disposal.
