BestInternetSecurity.net

Information Security Resources


Archive for April, 2008



Are Two Firewalls Better than One?

Wednesday 30 April 2008 @ 2:06 pm

Screened Subnet Architecture and Firewalls

A firewall’s function is to act as a gatekeeper, keeping Internet “bad guys” out of your internal network. Setting up an effective firewall requires careful planning.

In my view, the Screened Subnet Architecture is a preferred network setup for firewalls to protect your company’s network while at the same time allowing external visitors to access your public service hosts.

What is Screened Subnet Architecture?

Let’s take a look at how a typical Screened Subnet Architecture is set up:

Screened Subnet Architecture

From this diagram, note that there are two firewalls, not one, in the network structure. The exterior firewall is configured to allow external traffic to reach the subnet section (Perimeter Network) where you have placed the public service hosts (Bastion Hosts), such as your e-mail server, web server, and/or DNS server. The interior firewall acts as a second gatekeeper that keeps external visitors from coming directly into your internal corporate network. The subnet section where the service hosts sit is called the “Screened Subnet” or “Perimeter Network,” hence the name “Screened Subnet Architecture” for this type of network layout. The Screened Subnet is also called the “DM Zone” (demilitarized zone) or simply the “DMZ”.

What is the benefit of using Screened Subnet Architecture for a firewall setup?

The advantage of this setup is that if your public service hosts are exploited (which is possible, since they serve many external visitors’ requests and are therefore exposed to a greater risk of being hacked), the interior firewall still stands as a second gatekeeper between the compromised hosts and your internal network. Likewise, if the exterior firewall itself is compromised, the interior firewall can still fend off a direct intrusion into the corporate internal network.

There are variations of this network setup that serve similar functions. One variation uses a single firewall with three network interfaces: one for the external Internet connection, another for the Screened Subnet, and a third for the internal network. The firewall is configured to allow external visitors to visit the Screened Subnet only, without the authority to access the internal network interface.

Screened Subnet Architecture with one firewall

This setup, of course, saves the hassle of maintaining two firewalls, making it easier to concentrate on the security maintenance of a single firewall.

However, the disadvantage is that if this single firewall becomes compromised, chances are the attackers can gain access to the internal network through the firewall’s internal interface. This, of course, poses a great security risk to a corporate environment.
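To make the defence-in-depth argument of this post concrete, here is an added example (my own code, not part of the original post) that models the two layouts as rule sets. Zone names, the rules and the hypothetical “compromised” firewall are all constructed assumptions; the point is that with two firewalls a flow from the Internet to the internal network must be allowed by both devices, so a compromised exterior firewall still leaves the interior policy in force, whereas in the three-interface single-firewall layout both checkpoints are the same device.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Zone names used throughout; "any" in a rule matches every zone.
INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: Optional[int]   # None matches any destination port
    action: str           # "allow" or "deny"


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """First-match rule evaluation with an implicit default deny."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.port in (port, None):
            return r.action
    return "deny"


# Which firewall(s) a packet crosses on the way from one zone to another
# in the screened subnet layout.
PATH = {
    (INTERNET, DMZ): ["exterior"],
    (INTERNET, INTERNAL): ["exterior", "interior"],
    (DMZ, INTERNET): ["exterior"],
    (DMZ, INTERNAL): ["interior"],
    (INTERNAL, DMZ): ["interior"],
    (INTERNAL, INTERNET): ["interior", "exterior"],
}


def permitted(firewalls: Dict[str, List[Rule]], src: str, dst: str, port: int) -> bool:
    """A flow is allowed only if every firewall on its path allows it."""
    return all(evaluate(firewalls[name], src, dst, port) == "allow"
               for name in PATH[(src, dst)])


# Constructed rule sets (an example policy, not from the original post).
EXTERIOR = [
    Rule(INTERNET, DMZ, 25, "allow"),    # mail to the bastion mail server
    Rule(INTERNET, DMZ, 53, "allow"),    # DNS to the bastion DNS server
    Rule(INTERNET, DMZ, 80, "allow"),    # web to the bastion web server
    Rule(DMZ, INTERNET, None, "allow"),
    Rule(INTERNAL, INTERNET, None, "allow"),
]
INTERIOR = [
    Rule(INTERNAL, DMZ, None, "allow"),
    Rule(INTERNAL, INTERNET, None, "allow"),
    Rule(DMZ, INTERNAL, 25, "allow"),    # bastion mail relay may forward mail inward
]
# A firewall whose policy no longer constrains anything: models a compromised
# or bypassed device (a constructed assumption for the comparison below).
ALLOW_ALL = [Rule("any", "any", None, "allow")]


def two_firewall_design(exterior_compromised: bool = False) -> Dict[str, List[Rule]]:
    """Two separate devices: losing the exterior one leaves the interior policy intact."""
    return {"exterior": ALLOW_ALL if exterior_compromised else EXTERIOR,
            "interior": INTERIOR}


def single_firewall_design(compromised: bool = False) -> Dict[str, List[Rule]]:
    """Three-interface firewall: both roles are played by one device, so a
    compromise removes the exterior and the interior checkpoint at once."""
    rules = ALLOW_ALL if compromised else EXTERIOR + INTERIOR
    return {"exterior": rules, "interior": rules}


if __name__ == "__main__":
    port = 3389   # any inbound service port the internal network should never expose
    for label, fw in [("two firewalls", two_firewall_design()),
                      ("two firewalls, exterior compromised", two_firewall_design(True)),
                      ("single firewall", single_firewall_design()),
                      ("single firewall, compromised", single_firewall_design(True))]:
        print(f"{label}: internet->internal:{port} allowed? "
              f"{permitted(fw, INTERNET, INTERNAL, port)}")
```

Running the script prints False, False, False, True for the four scenarios: only the compromised single firewall lets Internet traffic through to the internal network. The model is deliberately simple (no stateful tracking, no NAT), which is enough to show why the interior policy must be written as if the exterior device may already have failed.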

Tags:  Exploit Firewall, Firewall Attack, Firewall Hacking, Hacking Firewall





Buffer Overflow: How does it happen?

Thursday 17 April 2008 @ 6:29 pm

A buffer overflow occurs when a program asks for input and receives data longer than the length it expected, so that the excess is written past the buffer set aside for it and overwrites an adjacent area of the program’s memory, possibly including its code. This overflow causes the program to behave unpredictably, sometimes even resulting in a system crash. Hackers can cause buffer overflows intentionally to sabotage systems.

This overflow of data can be written to a critical program area, such as where execution code was placed. With carefully planned code overwritten in this area, a hacker can seize control of the program and, as a result, the system where the program resides.

The main reason a hacker can do this is due to negligence in the programmer’s coding. We call these types of problems “bugs” in the program. A common bug that leads to the possibility of a hacker causing a buffer overflow is when a coder neglects to include proper validation of data type and length for user input into the program.

Some common programming interfaces, such as SQL commands, allow a user to input carefully crafted responses that embed a request, triggering the program to execute a nested SQL command.

A good example of this is demonstrated in the following situation:

Consider a program that asks a user for input to find the name of a student by his or her surname. A proper input will trigger the program to search the database for a match to the surname entered by the user, and return all records matching that surname. For example, suppose the input variable is named S_NAME. The input will execute the following SQL command:

Select * from Student_Table Where Student_Table.Name = S_NAME

This command instructs the program to locate all records with surname equal to S_NAME.

If a skilled user enters something for S_NAME such as “Select Surname from Student_Table”, then the program may execute the unexpected nested SQL command:

Select * from Student_Table Where Student_Table.Name = Select Surname from Student_Table

This literally instructs the program to locate the records for every surname in Student_Table, which is certainly not what the programmer who wrote the code intended. Depending on the subsequent code of the program, this could list all of the student names in one go, or simply crash the program if it does not know how to handle the command.
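As an added example (my own code, not from the original post), the following script reproduces the post’s lookup against a constructed in-memory SQLite table and contrasts the vulnerable construction with the two defences the post alludes to: validating the input, and passing it to the database as a parameter so it can never be parsed as SQL. The table contents, column names and the validation rule are assumptions; the crafted input is the one the post uses.

```python
import re
import sqlite3

# Constructed sample rows (not from the original post).
STUDENTS = [("Smith", "Alice"), ("Smith", "Bob"), ("Tanaka", "Yui")]


def make_db():
    """Build an in-memory Student_Table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Student_Table (Name TEXT, Given TEXT)")
    conn.executemany("INSERT INTO Student_Table VALUES (?, ?)", STUDENTS)
    return conn


def find_by_surname_vulnerable(conn, s_name):
    """The statement is assembled exactly as the post writes it: the user's
    text is spliced into the SQL string, so the database parses it as SQL."""
    sql = "SELECT * FROM Student_Table WHERE Student_Table.Name = " + s_name
    return conn.execute(sql).fetchall()


# Allow-list for a surname: letters, spaces, hyphens and apostrophes, 1-64 chars.
SURNAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,63}")


def validate_surname(s_name):
    """The post's third factor: check the type and length of the input before use."""
    if not isinstance(s_name, str) or not SURNAME_RE.fullmatch(s_name):
        raise ValueError("surname must be 1-64 letters, spaces, hyphens or apostrophes")
    return s_name


def find_by_surname_safe(conn, s_name):
    """Validation plus a parameterised query: the driver sends s_name as a
    value bound to the '?' placeholder, never as part of the statement text."""
    s_name = validate_surname(s_name)
    sql = "SELECT * FROM Student_Table WHERE Student_Table.Name = ?"
    return conn.execute(sql, (s_name,)).fetchall()


def outcome_of(lookup, conn, s_name):
    """Run a lookup and report what the calling program would observe."""
    try:
        return ("rows", lookup(conn, s_name))
    except sqlite3.OperationalError as exc:
        return ("sql error", str(exc))     # the post's "crash the program" case
    except ValueError as exc:
        return ("rejected", str(exc))      # input never reached the database


CRAFTED = "Select Surname from Student_Table"   # the input from the post

if __name__ == "__main__":
    db = make_db()
    print(outcome_of(find_by_surname_vulnerable, db, "'Smith'"))
    print(outcome_of(find_by_surname_vulnerable, db, CRAFTED))
    print(outcome_of(find_by_surname_safe, db, "Smith"))
    print(outcome_of(find_by_surname_safe, db, CRAFTED))
```

Because the post’s statement splices S_NAME in without quotes, the vulnerable function only works when the caller supplies a quoted literal such as `'Smith'`, which is itself a sign that the program is handing statement text rather than a value to the database. Against the crafted input the vulnerable path produces a SQL syntax error that an unprepared program would crash on, while the safe path rejects the input before any query runs; even if the validation were removed, the parameterised query would simply look for a surname equal to the whole crafted string and return no rows.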

Whether a hacker can do this depends on three factors:

  • The hacker is an experienced SQL command writer
  • The hacker understands the underlying database structure of the program
  • The program does not perform careful input validation to verify that the inputs are what it expects

For the second factor, a hacker can come to understand the database structure in a lot of different ways. As we have noted in previous posts, most hackers are insiders of an organization. As such, they are able to gain access to related knowledge that aids in hacking. Another technique, Google hacking, is also an effective technique for hackers. (Click here to read our post on Google hacking.)

The third factor is a bug in the program. If you have ever written computer programs, you probably understand that it is difficult, if not impossible, to write a bug-free program. Input validation involves so many exceptional cases that a programmer cannot possibly foresee all of them. As long as even one single case is missed (which is usually the case), the input process is put at risk.

Throughout computing history there have been many examples of systems exploited through buffer overflows. Perhaps the most widespread example for Windows is the “Code Red” worm of 2001.

If you are interested in knowing more about buffer overflow security incidents, refer to the information in Wikipedia:
http://en.wikipedia.org/wiki/Buffer_overflow





DNS Root Servers’ Attack: Is it possible?

Tuesday 8 April 2008 @ 9:08 pm

The Domain Name System (DNS) relies on a hierarchical database system. At the top of this system sit thirteen root servers with names following the format letter.root-servers.net, where the letter ranges from A to M.

Many people mistakenly assume that there are only 13 root servers in the world. In fact, each root server letter represents a cluster of servers dispersed all over the world, and each cluster is administered by a different organization.

The cluster of servers working for a particular letter of root servers uses the routing technique of “anycasting,” according to RFC 1546 [1]:

“There are a number of situations in networking where a host, application, or user wishes to locate a host which supports a particular service but, if several servers support the service, does not particularly care which server is used. Anycasting is an internetwork service which meets this need. A host transmits a datagram to an anycast address and the internetwork is responsible for providing best effort delivery of the datagram to at least one, and preferably only one, of the servers that accept datagrams for the anycast address.”

Check out these links for a geographical mapping of the root servers’ locations:
http://www.icann.org/maps/root-servers.htm
http://www.circleid.com/posts/dns_root_servers_google_maps/ (on Google Maps)

Root servers are the last resort for resolving a Top Level Domain (TLD). For example, if your DNS server does not know where to find the DNS records for the “.jp” part of the domain name www.jetro.go.jp, it queries the root servers to locate the DNS server responsible for the TLD “jp,” and then continues resolving the domain “go.jp” through the DNS server the root server referred it to. This domain name resolution process works recursively until it gets an authoritative answer for the requested host www.jetro.go.jp.

In practice, DNS servers rarely query the root servers, because they cache previously resolved names, including those of the TLDs. Depending on its configuration, a DNS server usually keeps those responses in its cache for two days. In the example above, the DNS server therefore stores the information about the server handling the TLD “jp” in its cache, so that each subsequent query related to “jp” goes directly to the server handling that TLD without querying the root servers again.

Perhaps the most common reason for your DNS servers to query the root servers is a typing error that produces a non-existent TLD. For instance, if you mistakenly type “jq” instead of “jp” in the above domain name, your DNS server has never resolved the TLD “jq,” so it has to go to the root servers for the related information. In this case, of course, the root server answers that no such name exists, and you are notified that the domain name could not be found.
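The two preceding paragraphs, as an added example (my own code, not from the original post): a toy caching resolver that walks the root → TLD → authoritative chain for the post’s www.jetro.go.jp case, caches each delegation for the two days the post mentions, and counts how often it actually has to fall back to the root. The delegation data, server names and the answer address (from the 192.0.2.0/24 documentation range) are constructed; negative caching of “does not exist” answers is deliberately not modelled.

```python
# Constructed delegation data modelled on the post's example (not real DNS data).
ROOT_ZONE = {"jp": "a.dns.jp"}                              # root -> TLD name server
TLD_ZONES = {"jp": {"go.jp": "ns.go.jp"}}                   # TLD -> second-level delegations
AUTH_ZONES = {"go.jp": {"www.jetro.go.jp": "192.0.2.10"}}   # authoritative answers

TWO_DAYS = 2 * 24 * 3600   # cache lifetime the post describes as typical


class NameNotFound(Exception):
    """Raised when a server on the chain answers that the name does not exist."""


class CachingResolver:
    def __init__(self, ttl=TWO_DAYS):
        self.ttl = ttl
        self.cache = {}          # zone label -> (name server, expiry time)
        self.root_queries = 0    # how often we had to ask the root servers

    def _lookup_cached(self, key, now):
        entry = self.cache.get(key)
        if entry is not None and entry[1] > now:
            return entry[0]
        self.cache.pop(key, None)     # expired (or absent): forget it
        return None

    def _delegation(self, key, now, ask):
        """Return the name server for `key`, calling `ask()` only on a cache miss."""
        server = self._lookup_cached(key, now)
        if server is None:
            server = ask()
            self.cache[key] = (server, now + self.ttl)
        return server

    def resolve(self, fqdn, now):
        """Resolve fqdn at simulated time `now` (seconds); returns the address."""
        labels = fqdn.lower().strip(".").split(".")
        tld = labels[-1]
        domain = ".".join(labels[-2:])

        def ask_root():
            # Step 1: only reached when the TLD delegation is not cached.
            self.root_queries += 1
            if tld not in ROOT_ZONE:
                raise NameNotFound(f"root servers: TLD {tld!r} does not exist")
            return ROOT_ZONE[tld]

        def ask_tld(tld_server):
            # Step 2: the TLD server refers us to the domain's own server.
            if domain not in TLD_ZONES[tld]:
                raise NameNotFound(f"{tld_server}: {domain!r} is not delegated")
            return TLD_ZONES[tld][domain]

        tld_server = self._delegation(tld, now, ask_root)
        auth_server = self._delegation(domain, now, lambda: ask_tld(tld_server))
        # Step 3: the authoritative server gives the final answer.
        answer = AUTH_ZONES[domain].get(fqdn)
        if answer is None:
            raise NameNotFound(f"{auth_server}: no record for {fqdn!r}")
        return answer


if __name__ == "__main__":
    r = CachingResolver()
    print(r.resolve("www.jetro.go.jp", now=0), "root queries:", r.root_queries)
    print(r.resolve("www.jetro.go.jp", now=3600), "root queries:", r.root_queries)
    print(r.resolve("www.jetro.go.jp", now=TWO_DAYS + 1), "root queries:", r.root_queries)
    try:
        r.resolve("www.jetro.go.jq", now=TWO_DAYS + 2)
    except NameNotFound as exc:
        print("failed:", exc, "root queries:", r.root_queries)
```

The second lookup an hour later is served entirely from cache, the third one after the two-day expiry goes back to the root once, and the mistyped “jq” TLD always costs a root query because nothing about it is cached.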

As the root servers are dispersed all over the world, it is technically quite difficult to attack all of them at the same time. It is therefore unlikely that this robust system will stop serving the Internet community because of a common attack such as a DoS (Denial of Service), even a very well planned one. This is fortunate, since the DNS root server system is a vital part of the Internet, serving thousands or millions of people online every day.

If you are interested in understanding more about how the root DNS servers operate, go to this link for more details:
http://www.isoc.org/briefings/020/

[1] Partridge, C., Mendez, T., Milliken, W. (1993) Request for Comments: 1546, Network Working Group, Available from: http://rfc.net/rfc1546.html [Accessed 4 April 2008]

Tags: DNS Root Servers Attack, anycasting, TTL





Trojan Horse - What is it?

Saturday 5 April 2008 @ 2:19 pm

What does the name Trojan Horse mean in terms of network security, and what threats do Trojan Horses bring to a network computing system?

First let’s look at history to understand the name “Trojan Horse.” The Trojan War, as you may already know, is the ancient war between the Greeks and the city of Troy that took place during the thirteenth century. The Greeks won the war with Troy because of a very clever and deceptive trick. Greek soldiers pretended to withdraw from the battle, leaving behind a huge wooden horse. Troy, believing that they had won the war, dragged the wooden horse into their city and began to celebrate victory. However, by doing so, they walked right into the trap set by the Greeks. Greek soldiers were actually hiding inside the wooden horse. As they waited patiently inside the horse, the people of Troy celebrated heavily. When the soldiers emerged from the horse during the night, the inebriated citizens of Troy were easily defeated.

In today’s world of computer security, we use the term “Trojan Horse” to refer to certain malicious software (or “spyware”) programs designed to let a hacker remotely control a computer. Much like the ancient Greeks, a hacker will attempt, in every conceivable way, to lure users into unknowingly installing the Trojan Horse on their computers.

For example, hackers can start an attack by sending malicious emails inviting the recipient to download and install Trojan Horse programs that actually appear to be useful. Another way hackers lure unsuspecting users is by offering interesting or seemingly practical programs on a site as a free download. Users install these software programs containing malicious code, unknowingly giving the hacker access to their computers.

How Trojan Horses work
A Trojan Horse program works by opening a connection point on your computer (usually a designated TCP port) and waiting for the hacker to connect to this port remotely. Upon a successful connection, the hacker immediately takes control of the victim’s computer, reading and changing data on the machine and remotely monitoring the user’s activities. Some versions of powerful Trojan Horse software can even monitor the user’s screen in real time, log his or her keystrokes, and remotely shut down the machine.

Since some popular Trojan Horse programs open a well-known port on the victim’s computer, an attacker can regularly scan the Internet for open ports that indicate a computer has been “planted” with a Trojan Horse. For example, popular Trojan Horse programs like NetBus use TCP ports 12345 and 12346, and Back Orifice uses 31337. You can always find popular Trojan Horse ports by doing a search on Google using the search phrase “popular ports of Trojan Horse.”

Once found, the hacker can immediately take control of the machine by connecting to these easily recognized ports. This means hackers don’t need to spend time implanting the program to the victim’s machine if someone else has previously introduced the Trojan Horse software to the user’s system.

Trojan Horse programs pose a very great threat to computer security. The user’s unawareness of its existence gives the attacker further power to intrude on other computers within the same network as the victim’s machine. As you can imagine, this can cause problems of catastrophic proportions.

How to Know If Your Computer Has a Trojan Horse
You can find out if your computer is infected by performing a simple audit. Open a command prompt and type the command “netstat -n”. This will show all the open local ports and remote ports.

If you are interested in determining what programs are tied to specific ports, you can use the program fport which is available here:
http://www.foundstone.com/us/resources/proddesc/fport.htm
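The audit step above, as an added example (my own code, not from the original post): a small parser for netstat-style output that flags local ports matching the NetBus and Back Orifice ports the post names. One caveat a practitioner will want: `netstat -n` on its own lists active connections, and on Windows the `-a` switch is needed before sockets in the LISTENING state appear, so the constructed sample below is in the shape of `netstat -an` output. The sample lines, addresses (from documentation ranges) and the port table are assumptions.

```python
import re

# Constructed sample output in the shape printed by `netstat -an` on Windows.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       198.51.100.7:80        ESTABLISHED
  TCP    192.168.1.5:31337      198.51.100.9:4444      ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Ports the post names for NetBus and Back Orifice; extend from your own sources.
KNOWN_TROJAN_PORTS = {12345: "NetBus", 12346: "NetBus", 31337: "Back Orifice"}

# proto, local address, local port, foreign address, optional state (UDP has none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S+)?\s*$")


def parse_netstat(text):
    """Turn netstat lines into dicts; header, title and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, state = m.groups()
        rows.append({"proto": proto, "local_addr": laddr, "local_port": int(lport),
                     "foreign": faddr, "state": state or ""})
    return rows


def suspicious_sockets(rows, known_ports=KNOWN_TROJAN_PORTS):
    """Return (port, name, state) for every socket whose local port is on the
    watch list. A LISTENING socket on such a port is the stronger signal, but an
    established connection on one is reported as well."""
    hits = []
    for row in rows:
        name = known_ports.get(row["local_port"])
        if name:
            hits.append((row["local_port"], name, row["state"] or "n/a"))
    return hits


if __name__ == "__main__":
    for port, name, state in suspicious_sockets(parse_netstat(SAMPLE_NETSTAT)):
        print(f"port {port} ({name}) is {state}: identify the owning process")
```

A port match is a hint rather than proof, since any program can be configured to use these numbers; the follow-up is to map the port to its process (the post points to fport for that) and inspect the executable.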

How to Avoid Trojan Horses
A number of spyware monitoring and removal programs are available. If you are using Windows XP, perhaps the easiest one to obtain is Windows Defender from Microsoft, found here:
http://www.microsoft.com/athome/security/spyware/software/default.mspx

Also, the related spyware removal tool from Microsoft can be found here:
http://www.microsoft.com/downloads/details.aspx?familyid=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

In addition to relying on Trojan Horse detection and removal tools, a better way to control problems with spyware is user education. A careful computer user should not casually download programs from unknown sources off the Internet or open email attachments that appear suspicious or unfamiliar.

Failure to follow simple preventative measures such as these can lead to serious security breaches. Remember in 2005, when the Atlanta-based credit card processing company CardSystems Solutions Inc. was hacked? A Trojan Horse program was implanted in the company’s network and it was estimated that the information of more than 40 million credit card customers was leaked as a result of this security incident [1]. A class-action suit was then filed in the California Superior Court in San Francisco against CardSystems Solutions Inc, Visa, and MasterCard [2].

You certainly don’t want you and your company to be the next victim, do you?

[1] Evers, J. (2005) Details emerge on credit card breach, CNET News.com, Available from: http://www.news.com/Details-emerge-on-credit-card-breach/2100-7349_3-5754661.html [Accessed 31 March 2008]

[2] Evers, J. (2005) Lawsuit seeks disclosure in credit card heist, CNET News.com, Available from: http://www.news.com/Lawsuit-seeks-disclosure-in-credit-card-heist/2100-7350_3-5765383.html [Accessed 31 March 2008]

Tags: CardSystems Solutions Inc. Spyware





RADIUS: The AAA Server

Thursday 3 April 2008 @ 2:42 pm

According to Convery, S. (2007) [1]: “RADIUS was developed by Livingston Enterprises (now part of Alcatel-Lucent) in the early 1990s, became an Internet standard through the IETF in 1997, and today is the most widely accepted AAA protocol.

Another widely adopted AAA protocol, which predates RADIUS as an RFC by four years, is the Terminal Access Controller Access Control System (TACACS). Though never an Internet standard, TACACS evolved into XTACACS and then TACACS+, the latter of which is the only version of TACACS in use today.”

A RADIUS server is one of the most popular remote access technology components. Its main functions are to:

  • consolidate the login request received by the remote network authenticator(s) within an organization,
  • verify the eligibility of the remote user’s right to access inside the corporate network, and
  • authenticate the user per the agreed-upon authentication methods.

The acronym AAA stands for Authentication, Authorization, and Accounting. The authentication process performs verification of a remote user’s identity, the authorization process determines what a remote user is allowed to do on the network, and the accounting process logs the user’s activities in relation to network access.  These actions are activities the RADIUS server performs with other network remote access components within a corporate network environment.

RFC 2865 [2] describes in detail the authentication methods and the packet format of a RADIUS server, and RFC 2866 [3] describes a protocol for carrying accounting information between a Network Access Server and a shared Accounting Server. It should be noted that RFC 2866 does not specify an Internet standard of any kind.
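To show what the RFC 2865 packet format cited above actually looks like on the wire, here is an added example (my own code, not from the original post, and not a production implementation). It builds an Access-Request with the User-Password hidden as section 5.2 of RFC 2865 specifies, lets a toy server check it against a constructed user table, and verifies the Response Authenticator on the reply. The shared secret, user names and passwords are constructed assumptions; the attribute type numbers and the MD5 constructions are those of the RFC.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet layout: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes...
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2          # attribute type numbers from the RFC
HEADER = struct.Struct("!BBH")


def encode_attrs(attrs):
    """Attributes are Type(1) Length(1, counting these two octets) Value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, then XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\0" * ((16 - len(password) % 16) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, run by the server. Trailing NUL padding is
    stripped, so this toy cannot carry a password that itself ends in NULs."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def response_authenticator(code, ident, attrs_bytes, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def build_access_request(ident, username, password, secret, request_auth=None):
    """Client side (the network access server). A fresh random Request
    Authenticator is drawn unless one is supplied for reproducibility."""
    request_auth = request_auth or os.urandom(16)
    body = encode_attrs([(USER_NAME, username),
                         (USER_PASSWORD, hide_password(password, secret, request_auth))])
    packet = HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    return packet, request_auth


def handle_request(packet, secret, users):
    """Server side: unhide the password, check it, answer Accept or Reject."""
    code, ident, length = HEADER.unpack(packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:]))
    name = attrs.get(USER_NAME)
    given = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = name in users and hmac.compare_digest(users[name], given)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(code, ident, b"", request_auth, secret)
    return HEADER.pack(code, ident, 20) + auth


def verify_response(packet, request_auth, secret):
    """Client side: the Response Authenticator binds the reply to our request
    and to the shared secret, so a forged or altered reply fails this check."""
    if len(packet) < 20:
        return False
    code, ident, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    secret, users = b"constructed-shared-secret", {b"alice": b"hunter2"}   # constructed
    req, ra = build_access_request(7, b"alice", b"hunter2", secret)
    resp = handle_request(req, secret, users)
    print("accepted:", resp[0] == ACCESS_ACCEPT, "reply genuine:", verify_response(resp, ra, secret))
```

Two things worth noticing from the code: the password hiding is a keyed stream built from MD5 and the shared secret, so the strength of the whole exchange rests on that secret, and only the reply carries an authenticator, which is why the client must check it before trusting an Accept.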

TACACS+ (Terminal Access Controller Access-Control System Plus) is another popular protocol that provides access control for routers, network access servers and other networked computing devices via one or more centralized servers. The main difference between TACACS+ and RADIUS is that TACACS+ separates the authentication and authorization operations, whereas RADIUS combines them within the RADIUS server. Also, TACACS+ uses TCP to communicate, while RADIUS uses UDP. (Source: Wikipedia.org) [4]

[1] Convery, S. (2007), Network Authentication, Authorization, and Accounting: Part One, The Internet Protocol Journal - Volume 10, No. 1, Available from: http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_10-1/101_aaa-part1.html [Accessed 31 March 2008]

[2] Rigney, C. Ed. (2000) Request for Comments: 2865, Network Working Group, Available from: http://rfc.net/rfc2865.html [Accessed 31 March 2008]

[3] Rigney, C. (2000) Request for Comments: 2866, Network Working Group, Available from: http://rfc.net/rfc2866.html [Accessed 31 March 2008]

[4] Wikipedia, the free encyclopedia (2008) TACACS+, Available from: http://en.wikipedia.org/wiki/TACACS%2B [Accessed 31 March 2008]





PPTP and How It Works

Tuesday 1 April 2008 @ 3:11 pm

Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks that works at the data link layer. Its purpose is to encrypt a remote computer’s network traffic to a host, using the Point-to-Point Protocol’s (PPP’s) authentication methods PAP (Password Authentication Protocol) or CHAP (Challenge-Handshake Authentication Protocol). In recent years, as the common form of remote network connection has changed from dial-up to broadband access, it has been replaced by L2TP (Layer 2 Tunneling Protocol) or IPsec (Internet Protocol Security).

PPTP can be regarded as an extension of PPP, which provides router-to-router and host-to-network connections over asynchronous and synchronous connections. Since PPTP works on a data link layer (the second layer of a seven-layer model of network communications), it allows multi-protocol communications of the upper layers to be held using a secure communication channel over the Internet.

How does PPTP work?

According to Microsoft Corporation (2006) [1], the benefits of PPTP are:

“Through PPTP, it is possible for remote users to access their corporate networks & applications by dialing into the ISP’s point of presence (POP), instead of dialing directly into the company network. PPTP connects directly to the target server by creating a virtual network for each remote client, one that the server administrator can monitor and manage like any other Remote Access port.”

The popularity of PPTP rests in the fact that it is the bundled dialup networking feature Microsoft put forth in most of its Windows Client products. (Microsoft was one of the members of the development group of PPTP).

RFC 1334 defines both CHAP and PAP.

PAP according to RFC 1334 [2]:

The Password Authentication Protocol (PAP) provides a simple method for the peer to establish its identity using a 2-way handshake.  This is done only upon initial link establishment.

After the Link Establishment phase is complete, an Id/Password pair is repeatedly sent by the peer to the authenticator until authentication is acknowledged or the connection is terminated.

PAP is not a strong authentication method.  Passwords are sent over the circuit “in the clear”, and there is no protection from playback or repeated trial and error attacks.  The peer is in control of the frequency and timing of the attempts.

Any implementations which include a stronger authentication method (such as CHAP, described below) MUST offer to negotiate that method prior to PAP.

CHAP according to RFC 1334 [2]:

The Challenge-Handshake Authentication Protocol (CHAP) is used to periodically verify the identity of the peer using a 3-way handshake. This is done upon initial link establishment, and MAY be repeated anytime after the link has been established.

After the Link Establishment phase is complete, the authenticator sends a “challenge” message to the peer.  The peer responds with a value calculated using a “one-way hash” function.  The authenticator checks the response against its own calculation of the expected hash value.  If the values match, the authentication is acknowledged; otherwise the connection SHOULD be terminated.

This authentication method depends upon a “secret” known only to the authenticator and that peer.

(Comment: Usually the secret refers to the peer’s password.)

The secret is not sent over the link.

(Comment: An eavesdropper on the link therefore never sees the secret itself.)

This method is most likely used where the same secret is easily accessed from both ends of the link.

(Comment: On the authenticator’s side, a RADIUS server is usually used to store the password database centrally; the RADIUS server verifies the “secret” on behalf of the remote access terminal that carries out the authentication process with the peer. The Challenge packet from the authenticator contains a one-octet “Identifier” field and a variable-length stream of “Challenge” values. These two values MUST be changed every time a Challenge packet is sent.)

The Response Value is the one-way hash calculated over a stream of octets consisting of the Identifier, followed by (concatenated with) the “secret”, followed by (concatenated with) the Challenge Value.  The length of the Response Value depends upon the hash algorithm used (16 octets for MD5).

If the peer’s Response value matches what has been calculated by the authenticator using the same algorithm, then the authentication is successful.
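The CHAP computation described in the quoted text, as an added example (my own code, not from the original post or the RFC): the peer computes MD5 over Identifier || secret || Challenge, and the authenticator recomputes it over the challenge it issued and consumes that challenge, so a captured response is useless against the next challenge. The secret store is a constructed in-memory dictionary standing in for the RADIUS server the post mentions; peer names, secrets and the fixed challenge values used for reproducibility are assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# RFC 1334 CHAP with MD5: Response = MD5(Identifier || secret || Challenge), 16 octets.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """What the peer computes and sends back; the secret itself never leaves the peer."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Issues one-time challenges and checks responses against a secret store
    (constructed dict of peer name -> secret; a RADIUS server in the post's setting)."""

    def __init__(self, secrets: Dict[str, bytes]):
        self.secrets = secrets
        self.next_id = 0
        self.outstanding: Dict[int, bytes] = {}   # identifier -> challenge awaiting a response

    def challenge(self, challenge_value: Optional[bytes] = None) -> Tuple[int, bytes]:
        """Build a Challenge: a fresh Identifier and a fresh Challenge value.
        Both change every time, as the RFC requires; a value may be supplied for tests."""
        self.next_id = (self.next_id + 1) % 256
        value = challenge_value if challenge_value is not None else os.urandom(16)
        self.outstanding[self.next_id] = value
        return self.next_id, value

    def check(self, identifier: int, name: str, response: bytes) -> bool:
        """Recompute the hash over the challenge we issued under this Identifier.
        The challenge is consumed, so a replayed response cannot succeed twice."""
        value = self.outstanding.pop(identifier, None)
        secret = self.secrets.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)


def run_exchange(auth: Authenticator, name: str, peer_secret: bytes,
                 challenge_value: Optional[bytes] = None) -> Tuple[int, bytes, bool]:
    """One 3-way handshake: Challenge -> Response -> Success/Failure decision."""
    ident, value = auth.challenge(challenge_value)
    response = chap_response(ident, peer_secret, value)
    return ident, response, auth.check(ident, name, response)


if __name__ == "__main__":
    store = {"peer1": b"constructed-peer-secret"}    # constructed secret database
    auth = Authenticator(store)
    ident, resp, ok = run_exchange(auth, "peer1", store["peer1"])
    print(f"identifier {ident}: response {resp.hex()} accepted={ok}")
    print("same response again:", auth.check(ident, "peer1", resp))   # challenge already consumed
    _, _, ok_wrong = run_exchange(auth, "peer1", b"wrong-secret")
    print("wrong secret accepted:", ok_wrong)
```

The code also makes the RFC’s caveat visible: what crosses the link is only a hash of the secret, so the protection rests on the challenge being fresh each time and on the secret being hard to guess; a weak secret combined with a captured challenge/response pair is what a defender should worry about.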

References:

[1] Microsoft Corporation (2006), How to Set Up a Windows NT PPTP Client, Available from: http://support.microsoft.com/kb/154062 [Accessed 28 March 2008]

[2] Lloyd, B., Simpson, W. (1992), Request for Comments: 1334, Network Working Group, Available from: http://rfc.net/rfc1334.html [Accessed 28 March 2008]
