These days, the Internet plays a very central role in most people's lives, increasingly more so in our day-to-day jobs. We use the Internet at work to exchange e-mail with colleagues and clients. We use the web to do research, and purchasing on-line, and we use tools such as Microsoft NetMeeting, or ICQ to collaborate in real-time.

However, the added conveniences that we have come to depend upon also bring headaches and troubles to the concerned network administrator-Crackers and other malicious individuals are continually probing systems and networks for weaknesses they can exploit. From a Denial-of-Service (DoS) attack, to a self-replicating virus, to trojaned executables, the attacks come from all fronts, both outside the company and inside.

This document will provide a guideline for designing a reasonably secure IP network, complete with a private subnet, a protected subnet, and an optional public subnet.

• What kind of network attacks can be launched against a computer to the Internet?

Viruses - self-replicating executable programs that may or may not explicitly cause damage to a host computer. Users can contract viruses by downloading unsafe files downloaded via FTP, e-mail, or HTTP. Recently, a new breed of 'macro-viruses' targeted towards Windows machines has become very popular (and successful).

Trojan horses-Typically, Trojan horses do not self-replicate, but like viruses, they contain potentially threatening code. Some Trojans are very immediate, such as a Trojan that deletes all your files when it is run. However these types of Trojans usually are less damaging than the other, less detectable kind. While the Trojan that formats your hard drive is quite catastrophic and instantly visible, others have less subtle effects. Consider the common trick of replacing the 'logon' program on an NT or Unix server. A cracker could rewrite the "Login:" software to not only log the user into the computer, but to also capture users names and passwords into a file for later retrieval by a malicious cracker (thereby gaining access to all the accounts on that system).

Denial of Service attacks - DoS attacks are easily launched against a target from a remote location. The purpose of DoS attacks are not to gain access to a specified computer, but rather to brutally disable it. Common DoS attacks are SYN floods, Ping floods, and ICMP fragmentation bombs.

• A ping flood is a very raw method of attack versus a computer network-It consists of a series of simple ICMP packets (specifically a 'ping'), which are sent out as fast as possible to the target network. If the attacker's bandwidth pipe is large enough, they can completely saturate the victim network by overloading it with more data than it can handle. Essentially this attack works by forcing the target network to waste all its time processing & transmitting "garbage".
  
• A SYN flood is a more efficient type of flood. Every TCP session begins by sending a SYN packet to a target computer, this SYN packet signals that the remote computer would like to begin a session. The SYN flood attack works by providing the target with a false 'return IP address'. The target computer responds with an ACK to the SYN packet, but the ACK is never completed since the address it is replying to is false. Although a timeout surely exists, if an attacker sends enough false SYN packets, the victim computer's resources are completely tied up waiting on the failing ACK packets, disallowing any further (legitimate or otherwise) inbound packets.
  
• An IP fragmentation bomb is an example of how malformed IP datagrams can crash an operating system. A few years ago, a number of bugs were discovered in the Microsoft Windows operating system's networking stack. Specifically, if the attacker created a number of purposefully misconfigured IP fragments, a bug in the windows OS would cause a buffer overflow crash when trying to reassemble datagrams. Although this specific bug has since been patched, it serves to illustrate how easy it can be for a remote attacker to crash or damage a target computer.

• What can a Network Administrator do to help prevent these sorts of attacks?

The responsibility to defend against these sorts of attacks is two-sided. For one, the user of the computer has to take it upon themselves to only run trusted applications. Easily 50% of all virus or Trojan attacks are propagated by end-users who do not realize the potential consequences of running "happy-kitty.exe".

The other half of the responsibility lies with the administrator of the system. Although up-to-date virus scanners can detect the majority of harmful files that a user could receive, they also need to configure the network to help prevent as many attacks as possible; through the use of packet filtering, private networks, proxy servers, and other methods not described here. Common practice involves three types of sub networks, Public, Protected, and Private.

1. What is a Public network?

A totally public network is rarely a good idea. Although an administrator can configure computers very tightly, there is always the possibility that a new exploit will be found (buffer overflows, etc). Sometimes however, it's just easier to put a non-critical computer on a public network rather than spending the time it takes to get it working behind a firewall.

2. What is a protected network?

A protected network, more commonly known as a Demilitarized Zone (DMZ) is similar to a public network in the fact that computers should be configured to be as secure as possible, however network connections are also filtered at the gateway level. The device that performs this filtering is termed a "firewall". A firewall also commonly acts as the router in smaller networks, only allowing packets inbound for certain ports.

3. What is a private network?

A private network is either completely shut off from the other networks, or its access is severely limited.

One method of giving a private network some limited access to resources outside that network is through the use of a proxy. Some proxies work at the application level (an HTTP proxy) while others work at the network layer (Transparent Proxying AKA NAT). The effect is the same-all communication to the outside network goes through the proxy and no initiating inbound connections are allowed, except under very strict conditions.

Consider a fictitious company, Xyz Corporation which has the following resources for their new network:

• One dedicated DNS server
• Three dedicated web servers
• One dedicated FTP server
• One dedicated NetMeeting server
• One dedicated SMTP/POP server
• 40 user workstations
  
• Xyz Corporation wants their office users to have limited internet access. HTTP, FTP, SMTP, POP, and DCOM protocols only
  
• Xyz Corporation has been allocated the block of IP addresses 150.10.10.0-31, or a 150.10.10.0/27 'CIDR' network (32-2 host addresses)

Let's begin by laying out the subnets and categorizing them as public, private, or protected.

• The users would be best placed in a private subnet in order to maximize security. Since the network will be completely private, and will never be connected directly to the Internet, we can just use a reserved block of IPs, 192.168.0.0/24, enough for 254 computers. Furthermore, we do not even have enough legitimate IP addresses to connect all the users workstations directly to the Internet, so this is a very good solution.
• · The servers will run a variety of services that should be accessible to people both externally (The Internet) and internally. Care will be taken to ensure that only access to those services is allowed. This will help increase the security of the site.
• Xyz Corporation, due to the inherent security risks, has decided to not have any public servers. Although nothing sensitive would be placed on a public server, an attacker could use that computer as a launch pad for attacks against other computers.

At this point, we have a network that looks like this:

Router / Firewall #1

We can begin by filtering TCP ports at router #1.

Router 1 should be configured to block any inbound packets to the 192.168.0 network. Although this network address is reserved for internal networks, a wily attacker could manually configure his routing table and gain access to those computers; therefore they will be discarded at Xyz's router in the case that they happen to get by the routers of the attackers ISP.

Furthermore, to guard against IP spoofing, the router will not accept any packets from the internet that have the source IP address of either the 150.10.10.0/27 network or the 192.168.0.0/24 network. There is no reason the router should receive a packet with one of those source addresses from the Internet. (Unless an attacker masquerades his/her IP packet)

Just in case, router 1 will refuse to send out any packets with the source IP address of the private network. There should be no reason that this would ever occur, but it is a simple process and we might as well cover all the bases.

Router 1 will only allow the connections for the following inbound TCP ports: (to the 150.10.10.0/24 network, specifically)

• 20,21 for FTP
•  25, 110 for SMTP & POP
•  53 for DNS
•  80 for HTTP
•  636 for LDAP (The 'netmeeting' server)

By only allowing these ports, we have a much greater degree of security. Now, an attacker is limited in these services they can attempt to exploit.

Router / Firewall #2

We are going to add some additional security to the private network. Firstly, the only inbound connections that will be allowed are going to be from the IP of the NAT proxy server-no other devices or computers should be communicating AT ALL to the private network. Remember, Internet packets are being filtered at Router 1; all Internet communication will be passing through the proxy server, which is a legal configuration.

Also, the only outbound packets that will be allowed are TCP and UDP packets with a destination address of the NAT proxy server. Only ports 80, 25, 53, 110, and 636 will be allowed.

There may be some problems with the NetMeeting clients. It may be more useful to place the NetMeeting server inside the private network since it is impossible for outside users to communicate with users in the private network anyway. This would be up to the administrator to decide.

Additional concerns (briefly)

Although following these steps will greatly secure your network from the outside world, it would be foolish to not consider attackers from within your own company. Some basic guidelines to follow would be:

Operate in a fully switched Ethernet environment - Switching Ethernet hubs are becoming less and less expensive, a 12 port-switching hub can now be bought for less than $500. Not only do these provide greater security by not broadcasting all data indiscriminately across the medium, but also they provide for a higher aggregate bandwidth.

Use Network Intrusion detection software - Software that can monitor your servers for suspicious network activity (such as port scanning). This software can often alert the administrator to a cracker even before he/she gains access.

Never send your password or username in clear text-if your network is ever compromised, an attacker could easily "sniff" the line and grab all usernames and passwords as they are transmitted across the wire. Use SSH (Secure Shell) instead of telnet, disable clear text authentication if you are using Windows NT, etc. This is not always possible, unfortunately.

Finally, subscribe to a network security mailing list so that you can keep up to date on any new cracks, weaknesses or exploits. There is no way one person can know everything about security; you have to partially rely upon other people as well.

Conclusions

It all boils down to these simple guidelines:

• Keep your virus software up to date.
• Filter anything that isn't needed (and even things that are borderline).
• Stay active; there is always a new hack that you don’t know about.