old-www/REF/INTRO/Intrusion-INTRO.txt

Introduction to Intrusion Protection and Network Security

Jennifer Vesperman

jenn@linuxchix.org

Megan Golding

meggolding@yahoo.com

2002-02-24
Revision History                                                             
Revision 0.1           2002-02-17            Revised by: MEG                 
Converted from text file. Modified wording.                                  
Revision 0.2           2002-02-23            Revised by: MEG                 
Incorporated Jenn's suggestions.                                             
Revision 0.3           2002-02-24            Revised by: MEG                 
Conforming to LDP standards. Added abstract.                                 


In this introduction to protecting your computers from intrusion, the author
discusses concepts of computer security. Selecting good passwords, using
firewalls, and other security concepts are introduced.

-----------------------------------------------------------------------------
Table of Contents
1. Introduction
    1.1. Copyright Information
    1.2. Overview
   
   
2. The Locked Front Door
3. Passwords
4. Permissions
5. Firewalls
6. Other security measures
    6.1. Unused programs
    6.2. Bugs & patches
    6.3. Monitoring
    6.4. What do I do if I think I've been broken into?
    6.5. Final words
   
   
7. Links and further information

1. Introduction

1.1. Copyright Information

Copyright (c) 2002 by Jennifer Vesperman. This material may be distributed
only subject to the terms and conditions set forth in the Open Publication
License, v0.4 or later (the latest version is presently available at [http://
www.opencontent.org/openpub/] http://www.opencontent.org/openpub/).
-----------------------------------------------------------------------------

1.2. Overview

If your computer is not connected to any other computers and doesn't have a
modem, the only way anyone can access your computer's information is by
physically coming to the computer and sitting at it. So securing the room
it's in will secure the computer[1]. As soon as your computer is connected to
another computer you add the possibility that someone using the other
computer can access your computer's information.

If your network (your connected computers) consists only of other computers
in the same building you can still secure the network by securing the rooms
the computers are in. An example of this would be two computers sharing the
same files and printer, but not having a modem and not being connected to any
other computers.

However, it's wise to learn about other ways to secure a network of connected
computers, in case you add something later. Networks have a tendency to grow.
If you have a network, an intruder who gains access to one computer has at
least some access to all of them.
-----------------------------------------------------------------------------

2. The Locked Front Door

As soon as your network connects to somewhere outside your building, you need
the virtual equivalent of a locked front door. If you don't have that, all
the information you have on your computers is vulnerable to anyone who wants
to gain access.

Like real doors, virtual doors come in a wide variety of types, security
levels, and expense.

The simplest, but not the safest, way to secure your network is to keep
'moving' - if you're connected to the internet through a modem and have a
'dynamic IP address' (ask your service provider), your address keeps
changing. If your address keeps changing, and you're never on the internet
for very long, it's very hard for someone to deliberately intrude on you.
However, many computer intruders are like teenagers - they will go to great
lengths for what they perceive as 'fun'. I recommend at least some security
beyond this, even if all you ever do is read and write email.

As soon as you have a stable address and a permanent connection, you lose the
'obscurity' advantage that a dynamic IP and sporadic connection provides. You
must install a real 'front door'.
-----------------------------------------------------------------------------

3. Passwords

The most basic lock for your front door is a password. Ensure that every
computer on your network requires a password before anyone from the network
can read your information or write to your hard drive. If a password isn't
required, there is no front door at all. If you're not sure how to ensure
that passwords are necessary, I strongly recommend getting hold of a computer
expert, or at least a very good manual.

Note Most computer systems will not password-lock someone sitting at the     
     computer itself. There are ways to do it, but there's usually a way that
     someone at the computer itself (not on the network) can get in and      
     change the passwords. This is to prevent the computer from becoming an  
     expensive doorstop if the passwords are forgotten. This does, however,  
     mean that you still need physical security.                             

Changing forgotten passwords isn't easy, however. It's better not to forget
them in the first place. If your system has a 'master password' that has
access to everything, make sure two people in your company or household know
that password. If there's only one, what happens when that person is on
vacation on that tropical island with no phones?

Passwords are only as secure as they are difficult to guess - if your
password is your name, for instance, or the word 'password', it's like
putting a lock on the front door and never bothering to actually lock it.

There are a lot of suggestions for how to make passwords difficult to guess -
here're a few of them:

<EFBFBD><EFBFBD>*<2A>no less than eight characters long
   
<EFBFBD><EFBFBD>*<2A>include both upper and lower case letters, numbers and punctuation marks
   
<EFBFBD><EFBFBD>*<2A>don't use anything which can be guessed by someone who knows you or has
    your information - no names of family members or pets, no licence numbers
    or passport numbers or phone numbers or similar, not a street address
    (current or past!), not any words which are visible from your desk (like
    the brand of monitor)
   
<EFBFBD><EFBFBD>*<2A>no legitimate words in any language, brand names or logos
   
<EFBFBD><EFBFBD>*<2A>no swear words
   
<EFBFBD><EFBFBD>*<2A>not a simple substitution (ABC as 123, to as 2, Ziggy as 2166Y)
   
<EFBFBD><EFBFBD>*<2A>not the same password as on as another computer, or the same one you had
    last year. ANY password can be figured out in time, and if someone
    guesses one of your passwords they might try the same thing for another
    computer
   
<EFBFBD><EFBFBD>*<2A>not a common misspelling of a word
   

Suggestions for good passwords include

<EFBFBD><EFBFBD>*<2A>take something you'll recognise - a line from a book or a line of poetry
    - and use the third letter of each word. Include punctuation (but not
    spaces)
   
<EFBFBD><EFBFBD>*<2A>a really, REALLY bad misspelling of a word
   
<EFBFBD><EFBFBD>*<2A>two words from different languages stuck together with punctuation marks
   
<EFBFBD><EFBFBD>*<2A>a short phrase
   

Think up other suggestions. For passwords, weird and idiosyncratic is good.
-----------------------------------------------------------------------------

4. Permissions

Passwords usually come with usernames as well. A good username-and-password
system will enable you to set up several roles for your computers. Each role
will need different types of access, will use different programs and
different data.

If an intruder guesses or finds out one person's username and password, they
will have access to any programs or data that that person usually has access
to. For this reason, you might like to limit what each person is allowed to
access.

Most computer systems have something in place which does this. Under most
systems, it is called 'permissions'. Your computer manual or local expert can
help you set it up on your computers.

Give each person what they need to do their jobs, plus a little personal
space of their own. That personal space is often used to 'to-do' lists and
other minor things which make their job easier or more comfortable.
-----------------------------------------------------------------------------

5. Firewalls

If passwords provide a 'door' to cover the 'doorway' into your 'house', then
firewalls provide 'shutters' to cover the 'windows'. Bear with me, we're
extending the metaphor further than we probably should.

Your network has a lot of windows. These aren't just casual windows that let
you see out, the metaphor is closer if you think of them as service windows,
like at a drive-through of them have people (programs) at them to provide
service, some of them are empty.

A firewall provides shutters to close the empty service windows.

A firewall does absolutely nothing to protect the windows you leave open -
that's the job of the programs which provide the services at those windows.
But if you don't have a firewall, there's all those empty windows that an
intruder can use to break in through.

The firewall is ideally a separate computer which is between your network and
the internet. It can be a purpose-built device - there are some available
which are small black boxes which look like network hubs. Or it can be your
brother's old 486, with a highly secure operating system that provides an
inbuilt firewall. Whatever you choose, ensure that your local computer expert
approves of it, and do your best to ensure that he knows how to make sure it
really is secure.

None of your computers should be able to access the internet or be accessed
from the internet without going through the firewall.

Note The technical term for the windows is 'ports'.                          
-----------------------------------------------------------------------------

6. Other security measures

6.1. Unused programs

At each 'service window' that your firewall leaves open (technical term:
'open port'), you should have a computer program. This program should be
providing some sort of service to your users.

Any program which isn't being used, but which has a connection outside your
network, should be shut down and the 'service window' (port) closed at the
firewall. Every port which isn't specifically in use should be shut down.
Admittedly, this is a 'paranoia' position - the rationale for shutting them
down being that a closed port is safer than an open one, regardless of how
good the program is.
-----------------------------------------------------------------------------

6.2. Bugs & patches

Programs which you are using need to stay operational, and their ports
'open'. However, occasionally programs are vulnerable to clever attackers.

Vulnerabilities are reported to organisations on the Internet which make a
point of informing the companies or groups who write those programs, and
distributing the modifications that these companies or groups produce to
patch the vulnerabilities.

Every so often someone in your company should go to those sites, read their
reports for your programs, and install the patches. Once a month is common,
but you need to determine your own balance between security and convenience.
-----------------------------------------------------------------------------

6.3. Monitoring

How do you know if someone has broken into your system? The only way to know
for sure is to monitor it.

Some common types of monitoring tools are:

<EFBFBD><EFBFBD>*<2A>The tripwire: On a read-only medium (like a write-protected floppy),
    store a program and a small database. The program checks every file in
    the database to find out when it was last changed, and sends the user the
    list of all the files which have changed since it first ran. To prevent
    false reporting, the database should only include files which should
    never be changed.
   
    If any of the files have been changed, you may have been broken into. (Or
    your system administrator installed a new version of the operating system
    and forgot to warn whoever does the monitoring!)
   
<EFBFBD><EFBFBD>*<2A>The sniffer: This tool checks all the traffic which goes through the
    network, looking for suspicious activity. It's usually installed on the
    firewall, or on a special box just to one side or the other of the
    firewall - though it would be more useful on the outside.
   
    It doesn't attempt to block any activity, only to report it when it finds
    it.
   
<EFBFBD><EFBFBD>*<2A>The honeypot: One for special circumstances - this system has most of the
    useful programs (like directory listers or file removers or editors)
    removed and replaced with special programs that shut the computer down as
    soon as they're run. The shutdown prevents the intruder from further
    intrusion, and also from modifying the honeypot's logs.
   
    These aren't very useful as working computers - they're simply traps.
   
<EFBFBD><EFBFBD>*<2A>Log analysis: This is difficult - most intruders will be careful to wipe
    traces of their activity out of the logs. I don't recommend its use by
    laymen, and include it here only because it is an important tool for more
    experienced administrators.
   
    Most operating systems keep a set of logs of their network activity. This
    usually consists of things like 'opened this port', 'sent mail to this
    person', 'closed the port'. The content of the mail is not kept, but the
    fact of its being sent is. This sort of information is a useful tool for
    intrusion analysis (and for checking whether the system is running
    correctly).
   
    Log analysis involves whoever does the monitoring going through the logs
    and looking for strange occurrences. Logs look something like this:
                                                                                                                   
                May 13 09:57:03 gondwanah dhclient-2.2.x: DHCPDISCOVER on lo to 255.255.255.255 port 67 interval 2 
                May 13 09:57:05 gondwanah dhclient-2.2.x: No DHCPOFFERS received.                                  
                May 13 09:57:05 gondwanah dhclient-2.2.x: No working leases in persistent database - sleeping.     
                May 13 09:57:05 gondwanah dhclient-2.2.x: No DHCPOFFERS received.                                  
                May 13 09:57:05 gondwanah dhclient-2.2.x: No working leases in persistent database - sleeping.     
                May 13 10:00:21 gondwanah dhclient-2.2.x: DHCPREQUEST on eth0 to 10.0.3.1 port 67                  
                May 13 10:00:21 gondwanah dhclient-2.2.x: DHCPACK from 10.0.3.1                                    
                May 13 10:00:21 gondwanah dhclient-2.2.x: bound to 10.0.1.1 -- renewal in 3500 seconds.            
                                                                                                                   
                                                                                                                   
   
    You're not expected to understand what this is! It's an attempt by my
    computer to get an IP address (a number address) from the master computer
    on our home network. Log analysis involves reading a lot of stuff like
    this, knowing what's normal and what isn't, and dealing with the
    abnormalities.
   
    Which is why I don't recommend it for laymen.
   

-----------------------------------------------------------------------------
6.4. What do I do if I think I've been broken into?

If it was a physical break-in, call the police.

If it was a network break-in, either call the police or:

<EFBFBD><EFBFBD>*<2A>Shut your computer down.
   
<EFBFBD><EFBFBD>*<2A>Call your trusted computer-expert friend, or hire specialists in computer
    security.
   
<EFBFBD><EFBFBD>*<2A>Consider calling the police. Consider preserving the evidence.
   
<EFBFBD><EFBFBD>*<2A>Let the experts take your computer off the network, reboot it, and take a
    look at the logs. They will hopefully be able to figure out what type of
    attack it was.
   
<EFBFBD><EFBFBD>*<2A>If you chose to preserve the evidence, make sure your computer experts
    know this before they change anything.
   
<EFBFBD><EFBFBD>*<2A>Let the experts check your files for damage. They may recommend
    reinstalling the operating system, they may recommend restoring your data
    from your latest backup. Ask them for the pros and cons of each option
    they offer, and each recommendation they make. It's your data, but you
    hired them for their knowledge. So lean towards their advice, but you
    make the decision.
   
<EFBFBD><EFBFBD>*<2A>Get their advice on further securing your system. Listen to it.
   

-----------------------------------------------------------------------------
6.5. Final words

Your security system is only as strong as its weakest part. A determined
intruder will keep looking until they find a vulnerability.

Security through obscurity is weak. A hidden thing is more secure than a
highly visible one, but don't trust hiding on its own to protect your data. A
hidden safe is more secure than a sock under the floorboards.
-----------------------------------------------------------------------------

7. Links and further information

<EFBFBD><EFBFBD>*<2A>[http://www.w3.org/Security/Faq/www-security-faq.html] WWW Security FAQ
   
<EFBFBD><EFBFBD>*<2A>[http://www.cert.org/] CERT, one of the major centres for vulnerability
    reporting and patch coordination
   
<EFBFBD><EFBFBD>*<2A>[http://netsecurity.about.com/] About.com's Security page
   
<EFBFBD><EFBFBD>*<2A>[http://security.oreilly.com/] O'Reilly security books
   
<EFBFBD><EFBFBD>*<2A>[http://www.securityfocus.com] Security Focus, another centre for
    security news
   

Notes

[1]  Note that once someone has physical access to your computer, there are a
     number of ways that they can access your information. Most systems have 
     some sort of emergency feature that allows someone with physical access 
     to get in and change the superuser password, or access the data. Even if
     your system doesn't have that, or it's disabled, they can always just   
     pick up the computer or remove the hard drive and carry it out. More on 
     this in the physical security article.