Introduction to Intrusion Protection and Network Security

Jennifer Vesperman
jenn@linuxchix.org

Megan Golding
meggolding@yahoo.com

2002-02-24

Revision History
Revision 0.1 2002-02-17 Revised by: MEG
Converted from text file. Modified wording.
Revision 0.2 2002-02-23 Revised by: MEG
Incorporated Jenn's suggestions.
Revision 0.3 2002-02-24 Revised by: MEG
Conforming to LDP standards. Added abstract.

In this introduction to protecting your computers from intrusion, the author
discusses concepts of computer security. Selecting good passwords, using
firewalls, and other security concepts are introduced.

-----------------------------------------------------------------------------

Table of Contents
1. Introduction
   1.1. Copyright Information
   1.2. Overview
2. The Locked Front Door
3. Passwords
4. Permissions
5. Firewalls
6. Other security measures
   6.1. Unused programs
   6.2. Bugs & patches
   6.3. Monitoring
   6.4. What do I do if I think I've been broken into?
   6.5. Final words
7. Links and further information

1. Introduction

1.1. Copyright Information

Copyright (c) 2002 by Jennifer Vesperman. This material may be distributed
only subject to the terms and conditions set forth in the Open Publication
License, v0.4 or later (the latest version is presently available at
http://www.opencontent.org/openpub/).

-----------------------------------------------------------------------------

1.2. Overview

If your computer is not connected to any other computers and doesn't have a
modem, the only way anyone can access your computer's information is by
physically coming to the computer and sitting at it. So securing the room
it's in will secure the computer[1]. As soon as your computer is connected to
another computer you add the possibility that someone using the other
computer can access your computer's information.

If your network (your connected computers) consists only of other computers
in the same building you can still secure the network by securing the rooms
the computers are in. An example of this would be two computers sharing the
same files and printer, but not having a modem and not being connected to any
other computers.

However, it's wise to learn about other ways to secure a network of connected
computers, in case you add something later. Networks have a tendency to grow.
If you have a network, an intruder who gains access to one computer has at
least some access to all of them.

-----------------------------------------------------------------------------

2. The Locked Front Door

As soon as your network connects to somewhere outside your building, you need
the virtual equivalent of a locked front door. If you don't have that, all
the information you have on your computers is vulnerable to anyone who wants
to gain access.

Like real doors, virtual doors come in a wide variety of types, security
levels, and expense.

The simplest, but not the safest, way to secure your network is to keep
'moving' - if you're connected to the internet through a modem and have a
'dynamic IP address' (ask your service provider), your address keeps
changing. If your address keeps changing, and you're never on the internet
for very long, it's very hard for someone to deliberately intrude on you.
However, many computer intruders are like teenagers - they will go to great
lengths for what they perceive as 'fun'. I recommend at least some security
beyond this, even if all you ever do is read and write email.

As soon as you have a stable address and a permanent connection, you lose the
'obscurity' advantage that a dynamic IP and sporadic connection provides. You
must install a real 'front door'.

-----------------------------------------------------------------------------

3. Passwords

The most basic lock for your front door is a password. Ensure that every
computer on your network requires a password before anyone from the network
can read your information or write to your hard drive. If a password isn't
required, there is no front door at all. If you're not sure how to ensure
that passwords are necessary, I strongly recommend getting hold of a computer
expert, or at least a very good manual.

Note: Most computer systems will not password-lock someone sitting at the
computer itself. There are ways to do it, but there's usually a way that
someone at the computer itself (not on the network) can get in and
change the passwords. This is to prevent the computer from becoming an
expensive doorstop if the passwords are forgotten. This does, however,
mean that you still need physical security.

Changing forgotten passwords isn't easy, however. It's better not to forget
them in the first place. If your system has a 'master password' that has
access to everything, make sure two people in your company or household know
that password. If there's only one, what happens when that person is on
vacation on that tropical island with no phones?

Passwords are only as secure as they are difficult to guess - if your
password is your name, for instance, or the word 'password', it's like
putting a lock on the front door and never bothering to actually lock it.

There are a lot of suggestions for how to make passwords difficult to guess -
here are a few of them:

  * no less than eight characters long

  * include both upper and lower case letters, numbers and punctuation marks

  * don't use anything which can be guessed by someone who knows you or has
    your information - no names of family members or pets, no licence numbers
    or passport numbers or phone numbers or similar, not a street address
    (current or past!), not any words which are visible from your desk (like
    the brand of monitor)

  * no legitimate words in any language, brand names or logos

  * no swear words

  * not a simple substitution (ABC as 123, to as 2, Ziggy as 2166Y)

  * not the same password as on another computer, or the same one you had
    last year. ANY password can be figured out in time, and if someone
    guesses one of your passwords they might try the same thing for another
    computer

  * not a common misspelling of a word

Suggestions for good passwords include

  * take something you'll recognise - a line from a book or a line of poetry
    - and use the third letter of each word. Include punctuation (but not
    spaces)

  * a really, REALLY bad misspelling of a word

  * two words from different languages stuck together with punctuation marks

  * a short phrase

Think up other suggestions. For passwords, weird and idiosyncratic is good.
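The guidelines above can be turned into an automatic check that an administrator runs before accepting a new password. The following script is an added example, not code from the HOWTO: it enforces the length and character-class rules, undoes the simple substitutions the text warns about (ABC as 123, Ziggy as 2166Y) before comparing against word lists, rejects reuse of earlier passwords, and implements the "third letter of each word" generation trick. The word lists, the personal details and the sample candidates are constructed for the example; a real deployment would use a proper dictionary and the user's own details.

```python
import hashlib
import string

# Constructed word lists standing in for the ones an administrator would
# maintain (a real dictionary, the user's own details): these are
# assumptions for the example, not lists from the original document.
COMMON_WORDS = {"password", "welcome", "monitor", "dragon", "ziggy"}
PERSONAL_INFO = {"jennifer", "megan", "rover", "gondwanah"}

# Undo the simple substitutions the text warns about (ABC as 123, to as 2,
# Ziggy as 2166Y) so that the disguised form is compared as the word itself.
_SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "2": "z", "3": "e",
                                "4": "a", "5": "s", "6": "g", "@": "a",
                                "$": "s"})


def normalise(password):
    """Lower-case, undo digit-for-letter swaps, and drop non-letters."""
    lowered = password.lower().translate(_SUBSTITUTIONS)
    return "".join(ch for ch in lowered if ch.isalpha())


def password_hash(password):
    """Digest used only to compare against previously used passwords.
    A real password store uses a salted, slow hash; plain SHA-256 keeps
    the reuse check short here."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password, previous_hashes=()):
    """Return the list of guideline violations; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("fewer than eight characters")

    has = {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "punctuation": any(c in string.punctuation for c in password),
    }
    if not all(has.values()):
        missing = ", ".join(k for k, v in has.items() if not v)
        problems.append("missing character classes: " + missing)

    plain = normalise(password)
    for word in sorted(COMMON_WORDS | PERSONAL_INFO):
        # Exact match catches short words; substring catches padding such as
        # 'Rover2002!' (only for words long enough not to match everything).
        if plain == word or (len(word) >= 4 and word in plain):
            kind = "personal information" if word in PERSONAL_INFO else "a known word"
            problems.append("contains %s (%r), possibly disguised by substitution"
                            % (kind, word))
            break

    if password_hash(password) in previous_hashes:
        problems.append("same as a previously used password")
    return problems


def third_letters(line):
    """The text's generation trick: the third letter of each word of a line
    you will recognise, keeping punctuation but not spaces. Words with fewer
    than three letters contribute only their punctuation."""
    out = []
    for word in line.split():
        letters = [c for c in word if c.isalpha()]
        if len(letters) >= 3:
            out.append(letters[2])
        out.extend(c for c in word if c in string.punctuation)
    return "".join(out)


if __name__ == "__main__":
    history = {password_hash("Tr3b!zonK-9")}   # constructed: an earlier password
    for candidate in ["password", "P4ssw0rd!", "2166Y!ab", "Tr3b!zonK-9", "Xq7#mLp2"]:
        print("%-14s %s" % (candidate, check_password(candidate, history) or "ok"))
    print(third_letters("The quick, brown fox jumps over the lazy dog!"))
```

Note that the output of third_letters() is only a starting point: "ei,oxmeezg!" is long enough but, by the character-class rule above, still needs a capital and a digit before check_password() accepts it.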

-----------------------------------------------------------------------------

4. Permissions

Passwords usually come with usernames as well. A good username-and-password
system will enable you to set up several roles for your computers. Each role
will need different types of access, will use different programs and
different data.

If an intruder guesses or finds out one person's username and password, they
will have access to any programs or data that that person usually has access
to. For this reason, you might like to limit what each person is allowed to
access.

Most computer systems have something in place which does this. Under most
systems, it is called 'permissions'. Your computer manual or local expert can
help you set it up on your computers.

Give each person what they need to do their jobs, plus a little personal
space of their own. That personal space is often used for 'to-do' lists and
other minor things which make their job easier or more comfortable.

-----------------------------------------------------------------------------

5. Firewalls

If passwords provide a 'door' to cover the 'doorway' into your 'house', then
firewalls provide 'shutters' to cover the 'windows'. Bear with me, we're
extending the metaphor further than we probably should.

Your network has a lot of windows. These aren't just casual windows that let
you see out; the metaphor is closer if you think of them as service windows,
like at a drive-through. Some of them have people (programs) at them to
provide service, some of them are empty.

A firewall provides shutters to close the empty service windows.

A firewall does absolutely nothing to protect the windows you leave open -
that's the job of the programs which provide the services at those windows.
But if you don't have a firewall, there are all those empty windows that an
intruder can use to break in through.

The firewall is ideally a separate computer which is between your network and
the internet. It can be a purpose-built device - there are some available
which are small black boxes which look like network hubs. Or it can be your
brother's old 486, with a highly secure operating system that provides an
inbuilt firewall. Whatever you choose, ensure that your local computer expert
approves of it, and do your best to ensure that he knows how to make sure it
really is secure.

None of your computers should be able to access the internet or be accessed
from the internet without going through the firewall.

Note: The technical term for the windows is 'ports'.

-----------------------------------------------------------------------------

6. Other security measures

6.1. Unused programs

At each 'service window' that your firewall leaves open (technical term:
'open port'), you should have a computer program. This program should be
providing some sort of service to your users.

Any program which isn't being used, but which has a connection outside your
network, should be shut down and the 'service window' (port) closed at the
firewall. Every port which isn't specifically in use should be shut down.
Admittedly, this is a 'paranoia' position - the rationale for shutting them
down being that a closed port is safer than an open one, regardless of how
good the program is.
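Sections 5 and 6.1 together describe one recurring check: list the service windows (ports) a machine actually has open, compare them with the services it is meant to offer, and shut and shutter everything else. The script below is an added example, not part of the HOWTO; it parses a constructed listing in the style of `netstat -tlnp` output (the programs and PIDs are made up), treats anything bound to a non-loopback address as reachable from other hosts, and reports every such listener that is not on the intended-service list. The allowed-service list is an assumption for the example.

```python
import ipaddress
from collections import namedtuple

Listener = namedtuple("Listener", "proto address port program")

# The 'service windows' this network is meant to keep open to the outside.
# Constructed for the example: (protocol, port, program name).
ALLOWED_EXTERNAL = {
    ("tcp", 22, "sshd"),     # remote login
    ("tcp", 80, "apache"),   # web server
}

# Constructed sample in the style of `netstat -tlnp` output; the programs
# and PIDs are made up for the example, not taken from a real host.
SAMPLE_LISTING = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/exim
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1203/apache
tcp        0      0 0.0.0.0:79              0.0.0.0:*               LISTEN      640/inetd
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1540/X
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      733/cupsd
"""


def parse_listing(text):
    """Turn netstat-style lines into Listener records; header lines are skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        address, _, port = fields[3].rpartition(":")
        # Last column is PID/Program, or '-' when netstat could not read it.
        program = fields[-1].partition("/")[2] or "?"
        listeners.append(Listener(fields[0].rstrip("6"), address, int(port), program))
    return listeners


def is_external(address):
    """True when other hosts can reach the socket (wildcard or non-loopback)."""
    if address in ("*", "0.0.0.0", "::"):
        return True
    return not ipaddress.ip_address(address).is_loopback


def audit(listeners, allowed=ALLOWED_EXTERNAL):
    """Listeners reachable from off-host that are not on the intended list:
    each is a window to shut (stop the program) and shutter (close the port
    at the firewall)."""
    return [l for l in listeners
            if is_external(l.address) and (l.proto, l.port, l.program) not in allowed]


def report(listeners, allowed=ALLOWED_EXTERNAL):
    """Human-readable findings, one line per unexpected listener."""
    return ["%s/%d (%s): not an intended service - shut it down and close "
            "the port at the firewall" % (l.proto, l.port, l.program)
            for l in audit(listeners, allowed)]


if __name__ == "__main__":
    for line in report(parse_listing(SAMPLE_LISTING)):
        print(line)
```

The mail and printing services in the sample are bound to 127.0.0.1 only, so they are not reported even though they are not on the allowed list: they are service windows that face inward. A firewall rule set that closes everything except the allowed ports is the second half of the same check, but the audit is what tells you whether a program is still sitting at a window you believed to be shuttered.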

-----------------------------------------------------------------------------

6.2. Bugs & patches

Programs which you are using need to stay operational, and their ports
'open'. However, occasionally programs are vulnerable to clever attackers.

Vulnerabilities are reported to organisations on the Internet which make a
point of informing the companies or groups who write those programs, and
distributing the modifications that these companies or groups produce to
patch the vulnerabilities.

Every so often someone in your company should go to those sites, read their
reports for your programs, and install the patches. Once a month is common,
but you need to determine your own balance between security and convenience.

-----------------------------------------------------------------------------

6.3. Monitoring

How do you know if someone has broken into your system? The only way to know
for sure is to monitor it.

Some common types of monitoring tools are:

  * The tripwire: On a read-only medium (like a write-protected floppy),
    store a program and a small database. The program checks every file in
    the database to find out when it was last changed, and sends the user the
    list of all the files which have changed since it first ran. To prevent
    false reporting, the database should only include files which should
    never be changed.

    If any of the files have been changed, you may have been broken into. (Or
    your system administrator installed a new version of the operating system
    and forgot to warn whoever does the monitoring!)

  * The sniffer: This tool checks all the traffic which goes through the
    network, looking for suspicious activity. It's usually installed on the
    firewall, or on a special box just to one side or the other of the
    firewall - though it would be more useful on the outside.

    It doesn't attempt to block any activity, only to report it when it finds
    it.

  * The honeypot: One for special circumstances - this system has most of the
    useful programs (like directory listers or file removers or editors)
    removed and replaced with special programs that shut the computer down as
    soon as they're run. The shutdown prevents the intruder from further
    intrusion, and also from modifying the honeypot's logs.

    These aren't very useful as working computers - they're simply traps.

  * Log analysis: This is difficult - most intruders will be careful to wipe
    traces of their activity out of the logs. I don't recommend its use by
    laymen, and include it here only because it is an important tool for more
    experienced administrators.

    Most operating systems keep a set of logs of their network activity. This
    usually consists of things like 'opened this port', 'sent mail to this
    person', 'closed the port'. The content of the mail is not kept, but the
    fact of its being sent is. This sort of information is a useful tool for
    intrusion analysis (and for checking whether the system is running
    correctly).

    Log analysis involves whoever does the monitoring going through the logs
    and looking for strange occurrences. Logs look something like this:

    May 13 09:57:03 gondwanah dhclient-2.2.x: DHCPDISCOVER on lo to 255.255.255.255 port 67 interval 2
    May 13 09:57:05 gondwanah dhclient-2.2.x: No DHCPOFFERS received.
    May 13 09:57:05 gondwanah dhclient-2.2.x: No working leases in persistent database - sleeping.
    May 13 09:57:05 gondwanah dhclient-2.2.x: No DHCPOFFERS received.
    May 13 09:57:05 gondwanah dhclient-2.2.x: No working leases in persistent database - sleeping.
    May 13 10:00:21 gondwanah dhclient-2.2.x: DHCPREQUEST on eth0 to 10.0.3.1 port 67
    May 13 10:00:21 gondwanah dhclient-2.2.x: DHCPACK from 10.0.3.1
    May 13 10:00:21 gondwanah dhclient-2.2.x: bound to 10.0.1.1 -- renewal in 3500 seconds.

    You're not expected to understand what this is! It's an attempt by my
    computer to get an IP address (a number address) from the master computer
    on our home network. Log analysis involves reading a lot of stuff like
    this, knowing what's normal and what isn't, and dealing with the
    abnormalities.

    Which is why I don't recommend it for laymen.
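The tripwire described in the first item above is small enough to write in full. The script below is an added example and not code from the HOWTO (nor from the Tripwire product): it records a digest, size and permission bits for each file that should never change, stores that database, and on a later run reports files that changed or disappeared. The demo() function builds three stand-in "system files" in a temporary directory, takes a baseline, then alters one file and removes another before re-running the check; the file names and contents are constructed for the example.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of the file contents, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Record digest, size and permission bits of each file that should never change."""
    baseline = {}
    for path in paths:
        st = os.stat(path)
        baseline[path] = {"sha256": file_digest(path),
                          "size": st.st_size, "mode": st.st_mode}
    return baseline


def save_baseline(baseline, db_path):
    with open(db_path, "w") as handle:
        json.dump(baseline, handle, indent=1)


def load_baseline(db_path):
    with open(db_path) as handle:
        return json.load(handle)


def check_baseline(baseline):
    """Compare the files on disk with the stored records."""
    result = {"changed": [], "missing": []}
    for path, record in baseline.items():
        if not os.path.exists(path):
            result["missing"].append(path)
            continue
        st = os.stat(path)
        if (st.st_mode != record["mode"] or st.st_size != record["size"]
                or file_digest(path) != record["sha256"]):
            result["changed"].append(path)
    return result


def demo():
    """Constructed demonstration: three stand-in 'system files', a baseline,
    then one file altered and one removed the way an intruder (or an
    unannounced upgrade) might, and the check re-run."""
    with tempfile.TemporaryDirectory() as workdir:
        files = []
        for name, content in [("passwd", b"root:x:0:0:root:/root:/bin/sh\n"),
                              ("inetd.conf", b"# constructed: no services enabled\n"),
                              ("ls", b"constructed stand-in for a binary\n")]:
            path = os.path.join(workdir, name)
            with open(path, "wb") as handle:
                handle.write(content)
            files.append(path)
        # In real use the database (and this program) live on read-only media.
        db_path = os.path.join(workdir, "tripwire.db")
        save_baseline(build_baseline(files), db_path)

        with open(files[2], "ab") as handle:
            handle.write(b"extra bytes appended\n")
        os.remove(files[1])

        found = check_baseline(load_baseline(db_path))
        return {kind: [os.path.basename(p) for p in paths] for kind, paths in found.items()}


if __name__ == "__main__":
    print(demo())
```

The text describes checking when each file was last changed; this version compares content digests instead, because a modification time is easy to set back to its old value whereas a file whose bytes differ will always produce a different digest. Keeping the database and the checker on write-protected media, as the text says, is what stops an intruder from simply updating the records to match the altered files.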
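"Knowing what's normal and what isn't" can be written down as a set of patterns, after which a program can do the tedious first pass over the logs and leave only the abnormalities for a person to look at. The script below is an added example, not part of the HOWTO: it parses syslog-style lines into timestamp, host, program and message, checks each message against the patterns known to be normal for that program, and flags anything else. The sample log is the HOWTO's own dhclient lines with two constructed lines appended (a DHCP answer from an unexpected server and a program that is not on the known list); the expected DHCP server address and the home network range are assumptions for the example.

```python
import ipaddress
import re

# Syslog-style line: "Mon DD HH:MM:SS host program[pid]: message"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# What is normal on this home network: constructed assumptions for the example.
EXPECTED_DHCP_SERVER = ipaddress.ip_address("10.0.3.1")
LOCAL_NET = ipaddress.ip_network("10.0.0.0/16")
NORMAL = {
    "dhclient-2.2.x": [
        re.compile(r"^DHCP(DISCOVER|REQUEST) on \S+ to \S+ port 67"),
        re.compile(r"^DHCPACK from (?P<server>\S+)$"),
        re.compile(r"^bound to (?P<addr>\S+) -- renewal in \d+ seconds\.$"),
        re.compile(r"^No DHCPOFFERS received\.$"),
        re.compile(r"^No working leases in persistent database - sleeping\.$"),
    ],
}

# The eight lines from the text, followed by two constructed lines.
SAMPLE_LOG = """\
May 13 09:57:03 gondwanah dhclient-2.2.x: DHCPDISCOVER on lo to 255.255.255.255 port 67 interval 2
May 13 09:57:05 gondwanah dhclient-2.2.x: No DHCPOFFERS received.
May 13 09:57:05 gondwanah dhclient-2.2.x: No working leases in persistent database - sleeping.
May 13 09:57:05 gondwanah dhclient-2.2.x: No DHCPOFFERS received.
May 13 09:57:05 gondwanah dhclient-2.2.x: No working leases in persistent database - sleeping.
May 13 10:00:21 gondwanah dhclient-2.2.x: DHCPREQUEST on eth0 to 10.0.3.1 port 67
May 13 10:00:21 gondwanah dhclient-2.2.x: DHCPACK from 10.0.3.1
May 13 10:00:21 gondwanah dhclient-2.2.x: bound to 10.0.1.1 -- renewal in 3500 seconds.
May 13 10:05:02 gondwanah dhclient-2.2.x: DHCPACK from 192.168.7.9
May 13 10:06:44 gondwanah in.telnetd[1702]: connect from 10.0.2.7
"""


def parse_line(line):
    """Split one log line into its fields, or return None if it is not syslog-shaped."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def analyse(lines):
    """Return (reason, line) pairs for every line that is not known-normal."""
    findings = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            findings.append(("unparseable line", line))
            continue
        patterns = NORMAL.get(record["prog"])
        if patterns is None:
            findings.append(("unknown program", line))
            continue
        for pattern in patterns:
            match = pattern.match(record["msg"])
            if match:
                break
        else:
            findings.append(("unexpected message", line))
            continue
        # The message shape is normal; now check the values it carries.
        groups = match.groupdict()
        if "server" in groups and ipaddress.ip_address(groups["server"]) != EXPECTED_DHCP_SERVER:
            findings.append(("DHCP answer from unexpected server", line))
        elif "addr" in groups and ipaddress.ip_address(groups["addr"]) not in LOCAL_NET:
            findings.append(("lease outside home network", line))
    return findings


if __name__ == "__main__":
    for reason, line in analyse(SAMPLE_LOG.splitlines()):
        print("%-36s %s" % (reason, line))
```

Two kinds of abnormality are caught here: a message shape nobody has seen before (a program not on the list, or a known program saying something new), and a familiar message carrying an unfamiliar value (the right program, but a DHCP answer from a server that is not the house's master computer). The known-normal list grows as the person doing the monitoring confirms that new messages are harmless, which is exactly the experience the text says laymen lack.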
-----------------------------------------------------------------------------
6.4. What do I do if I think I've been broken into?

If it was a physical break-in, call the police.

If it was a network break-in, either call the police or:

  * Shut your computer down.

  * Call your trusted computer-expert friend, or hire specialists in computer
    security.

  * Consider calling the police. Consider preserving the evidence.

  * Let the experts take your computer off the network, reboot it, and take a
    look at the logs. They will hopefully be able to figure out what type of
    attack it was.

  * If you chose to preserve the evidence, make sure your computer experts
    know this before they change anything.

  * Let the experts check your files for damage. They may recommend
    reinstalling the operating system, they may recommend restoring your data
    from your latest backup. Ask them for the pros and cons of each option
    they offer, and each recommendation they make. It's your data, but you
    hired them for their knowledge. So lean towards their advice, but you
    make the decision.

  * Get their advice on further securing your system. Listen to it.

-----------------------------------------------------------------------------

6.5. Final words

Your security system is only as strong as its weakest part. A determined
intruder will keep looking until they find a vulnerability.

Security through obscurity is weak. A hidden thing is more secure than a
highly visible one, but don't trust hiding on its own to protect your data. A
hidden safe is more secure than a sock under the floorboards.

-----------------------------------------------------------------------------

7. Links and further information

  * [http://www.w3.org/Security/Faq/www-security-faq.html] WWW Security FAQ

  * [http://www.cert.org/] CERT, one of the major centres for vulnerability
    reporting and patch coordination

  * [http://netsecurity.about.com/] About.com's Security page

  * [http://security.oreilly.com/] O'Reilly security books

  * [http://www.securityfocus.com] Security Focus, another centre for
    security news

Notes

[1] Note that once someone has physical access to your computer, there are a
    number of ways that they can access your information. Most systems have
    some sort of emergency feature that allows someone with physical access
    to get in and change the superuser password, or access the data. Even if
    your system doesn't have that, or it's disabled, they can always just
    pick up the computer or remove the hard drive and carry it out. More on
    this in the physical security article.