
INTRANETS AND NETWORK ACCESS CONTROL

By Mimi Carpenter

Note: this paper was originally drafted for the purposes of the company I was working for in 1998, and is presented as a writing sample more than anything else, though I've made an attempt to update and genericize it.

I. Stating the Problem: Why are Intranets Vulnerable?

When putting together a network, two of the key questions that an administrator should keep in mind are: How can I make sure that this network is accessible to the needs of its users? And, how can I make sure that this network is as secure as possible under the circumstances?

It's become de rigueur to put up a firewall at the Internet Gateway, for most companies. And well it should; the Internet has long been known as a source of unfriendly attacks. However, according to the Rotherwick Firewall Resource's White Paper on Network Security (http://www.zeuros.co.uk/firewall/query/whtpaper.htm):

A common fear is that a network will be compromised by "outsiders". Data from the FBI suggests that over 85% of all computer crime is perpetrated by individuals who are authorised to use the systems they are working on. They may be disgruntled employees, they may have been bribed, or they may just be larcenous.

Regardless of the motivation, user authentication systems like smart cards or non-reusable passwords are important parts of an overall security policy, but by themselves, do not provide adequate protection or security to the overall network. Employees are legal users. Once they get onto one machine, networks can fall like dominoes. And, according to an Ernst and Young study, one in four North American companies have suffered financial losses ranging from $100,000 to $1 million due to computer security breakdowns.

Ergo, it's just as important to secure the servers on your network from within as from without, in order to protect your data. If you have several intranets, it may be wise to put a firewall behind the router for each, in order to control access in and out of these networks as well.

A. What's an Intranet?

1. Defining Terms

Network

A network is any group of machines linked together to pass data over a medium such as cable, microwave, infrared, or similar. Each machine on the network must be able to "speak" the same protocol, or have the protocol it does speak translated by a gateway to the protocol of other machines with which it wishes to communicate. There are many different kinds of network protocol types, each with its advantages and disadvantages.

Internet

When people think of an Internet, they usually think of The Internet, which is simply the largest and all-encompassing example of an Internet. However, the term refers to a large network formed of many smaller networks. If a site has two or three networks gatewayed together, then they have an internet. Most larger sites are like this, with perhaps an Ethernet, Token Ring, and Novell component of their internet all gatewayed together. Sometimes, the different networks all "speak" the same protocol, but they are segregated for other reasons.

Intranet

James Brancheau of the University of Colorado at Boulder defines an intranet thusly (http://www.colorado.edu/infs/jcb/sinewave/network/firewall-intro/index.html):

An intranet is a subnet of, or an enterprise wide internal network based on the TCP/IP protocols. These are the same protocols used by the Internet and World Wide Web. The use of TCP/IP protocols makes the sharing of data and information within an organization as easy as surfing the Web. The only requirement of a network to be considered an intranet is the use of the TCP/IP protocol.

Logically speaking, an intranet could really be an internet also – there is some overlap in the definitions. However, for our purposes, it's safe to assume that an intranet is going to be one subnet, or one department/section, of a company's larger internet.

2. The New Network Paradigm

The term "intranet" is being heard more and more in the marketplace, particularly as security issues regarding internal networks continue to crop up. Sometimes it's not clear exactly what an "intranet" is, as opposed to any other kind of network. Very often, "intranet" simply means "internal network", as opposed to not just the corporate internet, but the Internet itself. However, for the purposes of this paper, we will be using the term to mean a subset of a site or company's internet, used by the company to present necessary employment-related data to its employees.

B. Servers and OS's

In order to discuss the role of security as regards intranets, it's necessary to understand the various platforms and OS's that one may encounter in the intranet environment. Below we discuss some of the more common types of platforms, and the type of security they offer.

UNIX

UNIX comes in various "flavors", often dependent on the hardware being used. For example, Sun Microsystems and Hewlett-Packard each have their own "flavor" (Solaris and HP-UX respectively), plus there are a number of "flavors" that run on Intel platforms. The two main types of UNIX are BSD, developed at the University of California at Berkeley, and System V (or SysV), originally developed by AT&T. All other types or brands of UNIX are offshoots of one, or both, of these.

UNIX was designed to be an open, accessible, networkable type of system. As such, security was initially at a minimum. Users are required to log in to establish a networking session; however, passwords over the network are typically sent in the clear, and the password file itself, while writable only by the administrator, or "root" user, is readable by anyone, and the passwords, though hashed, can be cracked by any one of several methods. Different flavors and brands of UNIX have tried to offer more protection by hiding the password file, and various third-party applications can be used to provide strong authentication and/or strengthen protocols, but in general, the only type of security that UNIX provides natively is file/program access security.

NT/Win2K/XP

NT originally stood for "New Technology" and is proprietary to Microsoft. It has often been compared to VMS, developed by DEC before UNIX was a widely-used OS and still in use at many sites, partially because many of the same people developed NT. However, as time goes on, NT bears less and less resemblance to VMS.

NT is, in OS terms, very "young", and is not taken seriously by some as a viable OS because of its many security holes. However, because of its ease of use and wide distribution, it is the OS of choice for many installations, and as time goes on more and more networks are based on its protocols. As time goes on, we may expect to see its various holes plugged, in the same manner that UNIX holes have been plugged over the years since its inception as a widely used OS.

Like UNIX, the only type of security provided natively by NT is file access security, plus some additional controls on what certain users can and cannot do. However, again, passwords are easily cracked by a number of methods, at which point the system can easily be compromised.

Other platforms

UNIX and NT are, at this time, the most widely used platforms for networks. However, other platforms exist such as Novell, Macintosh, VMS, MS Windows and so on. The important thing to keep in mind is that, for a particular machine to interact with other machines on the network, it must speak the same protocols as those other machines, or there must be a translating gateway between it and the other machines. In general, none of these systems has any sort of network access security – as in NT and UNIX, security, if any, is limited to file access security.

C. The Open Access Model

Why Networks Tend to Be Open

The reason networks tend to be open-access is that, traditionally, users have wanted it that way. Getting access to the data on a server, whether or not one needs to log onto the server, is what users, and managers, have deemed the most important function of networks.

It's a sad fact that most network administrators don't think about securing the network until after the horse has escaped from the barn (so to speak) – when possibly hundreds, thousands, or even millions of dollars might already have been lost. Securing the network can be as simple as putting sensitive data where users cannot easily get to it, either physically or through the network, but it is something that often does not occur to network administrators, whose main concern is to make sure that needed data is accessible to everyone.

Advantages of an Open Network

The main advantage of an open network is convenience.

D. Types of Attacks

There are probably as many types of attacks as there are attackers. However, below we discuss seven of the most common types.

1. Social Engineering

Social engineering is a term meaning a non-electronic type of attack. One of the simplest forms of social engineering is for the attacker to ask his victim to log in, and watch her hands as she types, gaining knowledge of her password that way. Another common social engineering scheme is to pose as someone in authority or someone from the IS department and ask for data such as passwords or other sensitive information. At many sites, users have become used to the idea that anything on the corporate network belongs to the company, so they will willingly give such data to someone they think they can trust.

2. Password Sniffing

On a network where passwords are transmitted in the clear, it's trivial to set up a network sniffer program to listen to connections and gather passwords. If strong authentication, i.e. one-time passwords or some such device, is not being used, then the attacker has full access to the account. If he happens to sniff the root password, so much the better. Sniffer programs come with most flavors of UNIX and with the NT distribution, so sniffing passwords requires no special tools.

3. Denial of Service

Denial of service attacks occur when the attacker manages to overload the server, causing it to crash or at the very least be unable to handle important user connections. Email "spam", for instance, is often seen as a denial of service attack because it may overload a mail server or mail gateway, causing the domain behind it, which has nothing to do with the spam, to lose its internet connectivity. It's fairly trivial to create connections that will overload most servers.

4. Address "hijacking"

Address hijacking happens when the attacker "poses" as the server that a user is trying to connect to, or poses as a workstation with a valid IP address for connection. The most obvious way to do this is to arrange for the server, or workstation, to be shut down and to configure one's own station with one of those IPs before it can be brought back up, but there are other more sophisticated ways to accomplish hijacking as well.

5. Session "hijacking"

Session hijacking occurs when the attacker discovers a connection in progress and "snatches it". The connection was made in a legitimate fashion, but the attacker gains control of it and is able to manipulate it for his own ends. X Windows sessions are particularly vulnerable to this kind of attack, but it is possible to use other types of protocols as well.

6. Insecure Protocols

Some protocols are simply very easy to exploit, such as the aforementioned X Windows. Other examples of easily exploitable protocols are finger, tftp (trivial ftp), and http, all of which can be easily "hijacked".

7. New and Improved Hacks

Most hackers have nothing to do all day but sit around and think of new ways to exploit networks. The bad news for you is that they post the tools they create and use on their web sites, where your own employees can download them and use them against your internal network. Winnuke, Asmodeus (which is a scanning tool that can create a denial of service attack), BackOrifice and NetBus are just a few of the hacks that your employees have access to, and can use against you.

II. Solving the Problem: Applying a Firewall

If you're like most sites these days, you probably have a firewall between your internal networks and the Internet. The presence of a firewall makes it much harder, if not impossible, for outside attackers to get into your intranet. However, this firewall does nothing to prevent your employees from using various types of attacks to exploit your company's resources; for that, you need one or more internal firewalls to protect your servers.

A. Types of Firewalls

Most firewalls are one of three main types, discussed below. Some firewalls are combinations of all three. Each type has its advantages and disadvantages.

1. Static Filter

According to Frederick Avolio in his white paper on Stateful Inspection vs. Application Gateways, "Packet filtering is a process of allowing or denying the passage of traffic between networks based on the information in the header of each packet of data. Source, destination, port (service) and some other information is available to a packet filtering device for use in establishing rules to allow or deny the flow of network traffic."

One of the greatest advantages to static filtering is that it is quite fast. However, it is also the least secure type of firewall, since what it does is punch permanent "holes" in the firewall and does nothing to manage the traffic otherwise. Also, in complex environments, it can be quite difficult to keep track of all the necessary rules.

2. Dynamic Filter ("Stateful Inspection")

Dynamic filtering addresses one of the disadvantages of static filtering, that being the problem of permanent "holes" in the firewall. According to Avolio, "Dynamic packet filters open and close 'doors' in the firewall based on header information in the data packet as described above. Once a series of packets has passed through the 'door' to its destination, the firewall closes the door."

With dynamic filtering, you get all the advantages of a static filter, i.e. the low overhead and easy maintenance, with a little more security. However, there is no way to have authentication, and as such, security can still be compromised.
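The difference between a static filter's permanent "hole" and a stateful filter's "door" that closes again is easiest to see in a small simulation. This is an added illustration, not code from this paper or from Avolio; the packet layout, the two rule sets, the 10.0.0.0 intranet prefix and the sample traffic are all constructed for the example.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."  # constructed intranet range for this toy

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str = ""  # "SYN", "SYN-ACK", "ACK", "FIN", or "" for a data packet

def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)

def static_filter(pkt: Packet) -> bool:
    # No memory: inside may reach port 80, and anything *from* port 80 may come
    # in. The second rule is the permanent hole: a spoofed source port 80 passes.
    if is_internal(pkt.src) and pkt.dport == 80:
        return True
    return (not is_internal(pkt.src)) and pkt.sport == 80

class StatefulFilter:
    # Opens a door on an inside host's SYN, admits only packets matching that
    # connection, closes the door on its FIN (real filters also use timeouts).
    def __init__(self) -> None:
        self.doors = set()  # (inside ip, inside port, outside ip, outside port)

    def check(self, pkt: Packet) -> bool:
        if is_internal(pkt.src) and pkt.dport == 80:  # outbound direction
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "SYN":
                self.doors.add(key)
            allowed = key in self.doors
            if pkt.flags == "FIN":
                self.doors.discard(key)
            return allowed
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # inbound: flip sides
        return key in self.doors

# Constructed traffic: one legitimate web connection, then an unsolicited probe
# spoofing source port 80, then a late packet for the already-closed connection.
SAMPLE = [
    Packet("10.0.0.5", "203.0.113.7", 40001, 80, "SYN"),
    Packet("203.0.113.7", "10.0.0.5", 80, 40001, "SYN-ACK"),
    Packet("10.0.0.5", "203.0.113.7", 40001, 80, "ACK"),
    Packet("10.0.0.5", "203.0.113.7", 40001, 80, "FIN"),
    Packet("198.51.100.9", "10.0.0.5", 80, 445),
    Packet("203.0.113.7", "10.0.0.5", 80, 40001),
]
```

Run the static filter over SAMPLE and every packet is admitted, including the probe and the stale reply; the stateful filter admits only the four packets of the connection the inside host opened.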

3. Application Gateway

About application gateway (or "proxy") firewalls, Avolio says: "An application gateway is a firewall system in which service is provided by processes that maintain complete TCP connection state and sequencing. Application gateway firewalls often re-address traffic so that outgoing traffic appears to have originated from the firewall, rather than the internal host."

With an application gateway, the firewall handles the connection. The user, rather than making a connection to a server on the other side, makes a connection to the firewall, and the firewall handles the connection. The firewall may be able to filter content and so on, or redirect the connection, through the gateway process. The gateway can be completely transparent to the user; he may never know he's connecting to a firewall rather than the server.

The advantage of using an application gateway is that the gateway is more versatile than a packet filter; features can be added to it such as authentication or content scanning to make the connection more secure. The main disadvantage is overhead; an application gateway does add some latency to the connection. However, depending on the gateway in question, the latency per connection is generally negligible and well worth the added security.

B. Network Access Control

Bill Hancock, in his white paper on defending intranet servers from attacks, says about Network Access Control:

Network Access Control (NAC) is, simply put, the ability to set rules and parameters on a machine-by-machine basis about what network traffic is allowed to enter or leave an operating system. The system could be a server, desktop, laptop, minicomputer, superminicomputer, mainframe, minisupercomputer or supercomputer architecture. The granularity of NAC requirements is a function of how critical the system is to the organization and what data must be restrained from leaving or entering the system. Other issues involve the logging of network events, legal and evidentiary requirements based on the server type (e.g. patient database information and the Electronic Communications Privacy Act of 1986 in the U.S.), intellectual property protection issues, baseline security issues (e.g. certificate database on a trusted certificate server) and many other items of interest in the assurance of security for a server system.

There are two types of NAC, dealing with network layer (static and dynamic packet filtering) and application layer (application gateways). Bill states in his paper that it's best to have both types of access control protecting your intranet servers.

III. Summary

Because an estimated 85% of attacks come from within corporate sites, not from hackers on the Internet, it's important to make sure that your internal servers are secure from attack, and it also may be necessary to secure departments from each other in order to protect sensitive data on each network.