Chapter 22
Hardening Your Network
In This Chapter
Understanding what firewalls do
Examining the different types of firewalls
Using the built-in Windows firewall
Looking at virus protection
Patching your computers
If your network is connected to the Internet, a whole host of security issues bubble to the surface. You probably connected your network to the Internet so that your network’s users could get out to the Internet. Unfortunately, however, your Internet connection is a two-way street. Not only does it enable your network’s users to step outside the bounds of your network to access the Internet, but it also enables others to step in and access your network.
And step in they will. The world is filled with hackers who are looking for networks like yours to break into. They may do it just for the fun of it, or they may do it to steal your customer’s credit card numbers or to coerce your mail server into sending thousands of spam messages on their behalf. Whatever their motive, rest assured that your network will be broken into if you leave it unprotected.
This chapter presents an overview of three basic techniques for securing your network’s Internet connection: controlling access via a firewall, detecting viruses with antivirus software, and fixing security flaws with software patches.
Firewalls
A firewall is a security-conscious router that sits between the Internet and your network with a single-minded task: preventing them from getting to us. The firewall acts as a security guard between the Internet and your local area network (LAN). All network traffic into and out of the LAN must pass through the firewall, which prevents unauthorized access to the network.
Some type of firewall is a must-have if your network has a connection to the Internet, whether that connection is broadband (cable modem or DSL), T1, or some other high-speed connection. Without it, sooner or later a hacker will discover your unprotected network and tell his friends about it. Within a few hours your network will be toast.
You can set up a firewall using two basic ways. The easiest way is to purchase a firewall appliance, which is basically a self-contained router with built-in firewall features. Most firewall appliances include a web-based interface that enables you to connect to the firewall from any computer on your network using a browser. You can then customize the firewall settings to suit your needs.
Alternatively, you can set up a server computer to function as a firewall computer. The server can run just about any network operating system, but most dedicated firewall systems run Linux.
Whether you use a firewall appliance or a firewall computer, the firewall must be located between your network and the Internet, as shown in Figure 22-1. Here, one end of the firewall is connected to a network hub, which is, in turn, connected to the other computers on the network. The other end of the firewall is connected to the Internet. As a result, all traffic from the LAN to the Internet and vice versa must travel through the firewall.
Figure 22-1: A firewall router creates a secure link between a network and the Internet.
The term perimeter is sometimes used to describe the location of a firewall on your network. In short, a firewall is like a perimeter fence that completely surrounds your property and forces all visitors to enter through the front gate.
In large networks — especially campus-wide or even metropolitan networks — it’s sometimes hard to figure out exactly where the perimeter is located. If your network has two or more wide area network (WAN) connections, make sure that every one of those connections connects to a firewall and not directly to the network. You can do this by providing a separate firewall for each WAN connection or by using a firewall with more than one WAN port.
The Many Types of Firewalls
Firewalls employ four basic techniques to keep unwelcome visitors out of your network. The following sections describe these basic firewall techniques.
Packet filtering
A packet-filtering firewall examines each packet that crosses the firewall and tests the packet according to a set of rules that you set up. If the packet passes the test, it’s allowed to pass. If the packet doesn’t pass, it’s rejected.
Packet filters are the least expensive type of firewall. As a result, packet-filtering firewalls are very common. However, packet filtering has a number of flaws that knowledgeable hackers can exploit. As a result, packet filtering by itself doesn’t make for a fully effective firewall.
Packet filters work by inspecting the source and destination IP and port addresses contained in each TCP/IP packet. TCP/IP ports are numbers that are assigned to specific services that help to identify for which service each packet is intended. For example, the port number for the HTTP protocol is 80. As a result, any incoming packets headed for an HTTP server will specify port 80 as the destination port.
Port numbers are often specified with a colon following an IP address. For example, the HTTP service on a server whose IP address is 192.168.10.133 would be 192.168.10.133:80.
Literally thousands of established ports are in use. Table 22-1 lists a few of the most popular ports.
Table 22-1 Some Well-Known TCP/IP Ports
|
Port |
Description |
|
20 |
File Transfer Protocol (FTP) |
|
21 |
File Transfer Protocol (FTP) |
|
22 |
Secure Shell Protocol (SSH) |
|
23 |
Telnet |
|
25 |
Simple Mail Transfer Protocol (SMTP) |
|
53 |
Domain Name Server (DNS) |
|
80 |
World Wide Web (HTTP) |
|
110 |
Post Office Protocol (POP3) |
|
119 |
Network News Transfer Protocol (NNTP) |
|
137 |
NetBIOS Name Service |
|
138 |
NetBIOS Datagram Service |
|
139 |
NetBIOS Session Service |
|
143 |
Internet Message Access Protocol (IMAP) |
|
161 |
Simple Network Management Protocol (SNMP) |
|
194 |
Internet Relay Chat (IRC) |
|
389 |
Lightweight Directory Access Protocol (LDAP) |
|
396 |
NetWare over IP |
|
443 |
HTTP over TLS/SSL (HTTPS) |
The rules that you set up for the packet filter either permit or deny packets that specify certain IP addresses or ports. For example, you may permit packets that are intended for your mail server or your web server and deny all other packets. Or, you may set up a rule that specifically denies packets that are heading for the ports used by NetBIOS. This rule keeps Internet hackers from trying to access NetBIOS server resources, such as files or printers.
One of the biggest weaknesses of packet filtering is that it pretty much trusts that the packets themselves are telling the truth when they say who they’re from and who they’re going to. Hackers exploit this weakness by using a hacking technique called IP spoofing, in which they insert fake IP addresses in packets that they send to your network.
Another weakness of packet filtering is that it examines each packet in isolation, without considering what packets have gone through the firewall before and what packets may follow. In other words, packet filtering is stateless. Rest assured that hackers have figured out how to exploit the stateless nature of packet filtering to get through firewalls.
In spite of these weaknesses, packet filter firewalls have several advantages that explain why they’re commonly used:
Packet filters are very efficient. They hold up each inbound and outbound packet for only a few milliseconds while they look inside the packet to determine the destination and source ports and addresses. After these addresses and ports have been determined, the packet filter quickly applies its rules and either sends the packet along or rejects it. In contrast, other firewall techniques have a more noticeable performance overhead.
Packet filters are almost completely transparent to users. The only time a user will be aware that a packet filter firewall is being used is when the firewall rejects packets. Other firewall techniques require that clients and/or servers be specially configured to work with the firewall.
Packet filters are inexpensive. Most routers include built-in packet filtering.
Stateful packet inspection (SPI)
Stateful packet inspection (SPI), is a step up in intelligence from simple packet filtering. A firewall with SPI looks at packets in groups rather than individually. It keeps track of which packets have passed through the firewall and can detect patterns that indicate unauthorized access. In some cases, the firewall may hold on to packets as they arrive until the firewall has gathered enough information to make a decision about whether the packets should be authorized or rejected.
Stateful packet inspection was once found only on expensive, enterprise-level routers. Now, however, SPI firewalls are affordable enough for small- or medium-sized networks to use.
Circuit-level gateway
A circuit-level gateway manages connections between clients and servers based on TCP/IP addresses and port numbers. After the connection is established, the gateway doesn’t interfere with packets flowing between the systems.
For example, you could use a Telnet circuit-level gateway to allow Telnet connections (port 23) to a particular server and prohibit other types of connections to that server. After the connection is established, the circuit-level gateway allows packets to flow freely over the connection. As a result, the circuit-level gateway can’t prevent a Telnet user from running specific programs or using specific commands.
Application gateway
An application gateway is a firewall system that’s more intelligent than a packet-filtering, stateful packet inspection, or circuit-level gateway firewall. Packet filters treat all TCP/IP packets the same. In contrast, application gateways know the details about the applications that generate the packets that pass through the firewall. For example, a Web application gateway is aware of the details of HTTP packets. As a result, it can examine more than just the source and destination addresses and ports to determine whether the packets should be allowed to pass through the firewall.
In addition, application gateways work as proxy servers. Simply put, a proxy server is a server that sits between a client computer and a real server. The proxy server intercepts packets that are intended for the real server and processes them. The proxy server can examine the packet and decide to pass it on to the real server, or it can reject the packet. Or the proxy server may be able to respond to the packet itself, without involving the real server at all.
For example, web proxies often store copies of commonly used web pages in a local cache. When a user requests a web page from a remote web server, the proxy server intercepts the request and checks to see whether it already has a copy of the page in its cache. If so, the web proxy returns the page directly to the user. If not, the proxy passes the request on to the real server.
Application gateways are aware of the details of how various types of TCP/IP servers handle sequences of TCP/IP packets, so they can make more intelligent decisions about whether an incoming packet is legitimate or is part of an attack. As a result, application gateways are more secure than simple packet-filtering firewalls, which can deal with only one packet at a time.
The improved security of application gateways, however, comes at a price. Application gateways are more expensive than packet filters, both in terms of their purchase price and in the cost of configuring and maintaining them. In addition, application gateways slow down the network performance because they do more detailed checking of packets before allowing them to pass.
The Built-In Windows Firewall
All versions of Windows since Windows XP come with a built-in packet-filtering firewall. If you don’t have a separate firewall router, you can use this built-in firewall to provide a basic level of protection. See Chapter 8 for the steps to follow to configure the Windows Firewall.
Do not enable the Windows Firewall if you’re using a separate firewall router to protect your network. Because the other computers on the network are connected directly to the router and not to your computer, the firewall won’t protect the rest of the network. Additionally, as an unwanted side effect, the rest of the network will lose the ability to access your computer.
Virus Protection
Viruses are one of the most misunderstood computer phenomena around these days. What is a virus? How does it work? How does it spread from computer to computer? I’m glad you asked.
What is a virus?
Make no mistake — viruses are real. Now that most people are connected to the Internet, viruses have really taken off. Every computer user is susceptible to attacks by computer viruses, and using a network increases your vulnerability because it exposes all network users to the risk of being infected by a virus that lands on any one network user’s computer.
Viruses don’t just spontaneously appear out of nowhere. Viruses are computer programs that are created by malicious programmers who’ve lost a few screws and should be locked up.
What makes a virus a virus is its capability to make copies of itself that can be spread to other computers. These copies, in turn, make still more copies that spread to still more computers, and so on, ad nauseam.
Then, the virus waits patiently until something triggers it — perhaps when you type a particular command or press a certain key, when a certain date arrives, or when the virus creator sends the virus a message. What the virus does when it strikes also depends on what the virus creator wants the virus to do. Some viruses harmlessly display a “gotcha” message. Some send e-mail to everyone it finds in your address book. Some wipe out all the data on your hard drive. Ouch.
A few years back, viruses moved from one computer to another by latching themselves onto floppy disks. Whenever you borrowed a floppy disk from a buddy, you ran the risk of infecting your own computer with a virus that may have stowed away on the disk.
Nowadays, virus programmers have discovered that e-mail is a much more efficient method to spread their viruses. Typically, a virus masquerades as a useful or interesting e-mail attachment, such as instructions on how to make $1,000,000 in your spare time, pictures of naked celebrities, or a Valentine’s Day greeting from your long-lost sweetheart. When a curious but unsuspecting user double-clicks the attachment, the virus springs to life, copying itself onto the user’s computer and, in some cases, sending copies of itself to all the names in the user’s address book.
After the virus has worked its way onto a networked computer, the virus can then figure out how to spread itself to other computers on the network.
Here are some more tidbits about protecting your network from virus attacks:
The term virus is often used to refer not only to true virus programs (which can replicate themselves) but also to any other type of program that’s designed to harm your computer. These programs include so-called Trojan horse programs that usually look like games but are, in reality, hard drive formatters.
A worm is similar to a virus, but it doesn’t actually infect other files. Instead, it just copies itself onto other computers on a network. After a worm has copied itself onto your computer, there’s no telling what it may do there. For example, a worm may scan your hard drive for interesting information, such as passwords or credit card numbers, and then e-mail them to the worm’s author.
Computer virus experts have identified several thousand “strains” of viruses. Many of them have colorful names, such as the I Love You virus, the Stoned virus, and the Michelangelo virus.
Antivirus programs can recognize known viruses and remove them from your system, and they can spot the telltale signs of unknown viruses. Unfortunately, the idiots who write viruses aren’t idiots (in the intellectual sense), so they’re constantly developing new techniques to evade detection by antivirus programs. New viruses are frequently discovered, and antivirus programs are periodically updated to detect and remove them.
Antivirus programs
The best way to protect your network from virus infection is to use an antivirus program. These programs have a catalog of several thousand known viruses that they can detect and remove. In addition, they can spot the types of changes that viruses typically make to your computer’s files, thus decreasing the likelihood that some previously unknown virus will go undetected.
Although Windows doesn’t come with built-in antivirus software, you can download an excellent free antivirus solution from Microsoft called Microsoft Security Essentials. Popular alternatives to Microsoft’s free product include Norton AntiVirus, Webroot SecureAnywhere Antivirus, and Kapersky Antivirus.
The people who make antivirus programs have their fingers on the pulse of the virus world and often release updates to their software to combat the latest viruses. Because virus writers are constantly developing new viruses, your antivirus software is next to worthless unless you keep it up-to-date by downloading the latest updates.
The following are several approaches to deploying antivirus protection on your network:
You can install antivirus software on each network user’s computer. This technique would be the most effective if you could count on all your users to keep their antivirus software up-to-date. Because that’s an unlikely proposition, you may want to adopt a more reliable approach to virus protection.
Managed antivirus services place antivirus client software on each client computer in your network. Then, an antivirus server automatically updates the clients on a regular basis to make sure that they’re kept up to date.
Server-based antivirus software protects your network servers from viruses. For example, you can install antivirus software on your mail server to scan all incoming mail for viruses and remove them before your network users ever see them.
Some firewall appliances include antivirus enforcement checks that don’t allow your users to access the Internet unless their antivirus software is up to date. This type of firewall provides the best antivirus protection available.
Safe computing
Besides using an antivirus program, you can take a few additional precautions to ensure virus-free computing. If you haven’t talked to your kids about these safe-computing practices, you had better do so soon.
Regularly back up your data. If a virus hits you and your antivirus software can’t repair the damage, you may need the backup to recover your data. Make sure that you restore from a backup that was created before you were infected by the virus!
If you buy software from a store and discover that the seal has been broken on the disk package, take the software back. Don’t try to install it on your computer. You don’t hear about tainted software as often as you hear about tainted beef, but if you buy software that’s been opened, it may well be laced with a virus infection.
Use your antivirus software to scan your disk for virus infection after your computer has been to a repair shop or worked on by a consultant. These guys don’t intend harm, but they occasionally spread viruses accidentally, simply because they work on so many strange computers.
Don’t open e-mail attachments from people you don’t know or attachments you weren’t expecting.
Use your antivirus software to scan any CD-ROM or flash drive that doesn’t belong to you before you access any of its files.
Patching Things Up
One of the annoyances that every network manager faces is applying software patches to keep the operating system and other software up to date. A software patch is a minor update that fixes the small glitches that crop up from time to time, such as minor security or performance issues. These glitches aren’t significant enough to merit a new version of the software, but they’re important enough to require fixing. Most of the patches correct security flaws that computer hackers have uncovered in their relentless attempts to prove that they are smarter than the security programmers at Microsoft.
Periodically, all the recently released patches are combined into a service pack. Although the most diligent network administrators apply all patches when they’re released, many administrators just wait for the service packs:
For all versions of Windows, you can use the Windows Update website to apply patches to keep your operating system and other Microsoft software up to date. Windows Update scans your computer’s software and creates a list of software patches and other components that you can download and install. To use Windows Update, open the Control Panel, click System and Security, and then click Windows Update.
You can configure Windows Update to automatically notify you of updates so you don’t have to remember to check for new patches.
You can subscribe to a service that automatically sends you e-mail to let you know of new patches and updates.
Keeping a large network patched can be one of the major challenges of network administration. If you have more than a few dozen computers on your network, consider investing in server-based software that's designed to simplify the process. For example, Lumension (www.lumension.com) is a server-based program that collects software patches from a variety of manufacturers and lets you create distributions that are automatically pushed out to client computers. With software like Lumension, you don't have to rely on end users to download and install patches, and you don't have to visit each computer individually to install patches.