Network devices are vulnerable to many types of attacks, ranging from DoS attacks to unauthorized administrative access. Network devices are also typical entry points from which attackers escalate to a more comprehensive attack. Even a passive attack such as scanning and sniffing can provide valuable information to an attacker. Based on default port numbers, banners, and other protocol responses, an attacker can create a map of the network that aids in performing other attacks. This type of malicious activity is also known as reconnaissance, which basically means checking out the target before performing the real attack.
Knowing what goes on in your network is an important aspect of network security. There are several different methods available to monitor the network: intrusion detection systems can be implemented to monitor network traffic for suspicious activity, network monitors such as sniffers on a computer with a NIC in ‘promiscuous’ mode can capture raw network traffic, and an administrator can use the same scanning tools that are popular amongst hackers (and vice versa).
The Simple Network Management Protocol (SNMP) is an application layer protocol that is used to monitor, and gather information about, network systems and devices. An SNMP agent is installed on managed devices and sends statistics, events, and other information to a central network management station. On the management station, the information is stored in a database that can be used to produce graphs, reports, baselines and other useful overviews of the network. Because the information SNMP provides can be valuable to an attacker as well, SNMP traffic to and from the Internet should be blocked at border routers or firewalls. SNMP uses UDP ports 161 and 162. Besides passive monitoring, SNMP can also be used to configure network devices by using SNMP write commands. Not all devices enable this feature by default, but if it is enabled and you do not need it, make sure it is turned off.
SNMP uses community strings as a password to provide access. The default community string for read operations is ‘public’, and for read-write operations it is ‘private’. These ‘passwords’ are well known and should be changed to something confidential. Even then, an attacker can use publicly available hacker tools to gain access to SNMP information. SNMP version 3 supports MD5 and SHA-1 authentication, as well as message encryption, and should be used if available.
Unless a network device completely fails, it is usually managed remotely through a terminal session or a web page. To reduce the risk of a malicious individual gaining administrative access and threatening the availability of the device and its services, or using it for other attacks, the device should require strong authentication methods. If username/password is the only available option, make sure it is a very strong password. If remote administration is not needed, e.g. because the device is managed through a directly connected console, it should be turned off entirely.
Hardening network devices is similar to hardening operating systems and applications. It often starts with a security assessment or penetration test. Based on the results, the devices will usually require some reconfiguration, such as disabling unnecessary services and protocols, and enabling security features. Also, just as with regular software, most network devices allow firmware updates to address newly discovered vulnerabilities and add new security features to the devices.
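The SNMP and remote-administration points above (default community strings, unneeded write access, cleartext management protocols, unrestricted remote access) are the kind of thing a configuration review checks for. The following added example, which is not part of the original text and not a vendor tool, audits a constructed device configuration written in a Cisco IOS-like syntax; the sample configurations, the checks and the `audit_config` function are assumptions made for this illustration and are a starting point rather than a complete hardening baseline.

```python
"""Audit a device configuration for a few of the hardening points discussed above.

Constructed example: both configurations below are invented and written in a
Cisco IOS-like syntax; the checks are illustrative, not a complete baseline.
"""
import re

# Constructed: a freshly installed access router that nobody has hardened yet.
SAMPLE_CONFIG = """\
hostname edge-router
snmp-server community public RO
snmp-server community private RW
ip http server
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed: the same device after hardening (SNMPv3 only, SSH only, vty ACL).
HARDENED_CONFIG = """\
hostname edge-router
snmp-server group MONITOR v3 priv
no ip http server
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
"""

DEFAULT_COMMUNITIES = {"public", "private"}   # well-known SNMP v1/v2c defaults


def audit_config(config: str) -> list[str]:
    """Return a list of findings (empty list means nothing flagged)."""
    findings: list[str] = []
    lines = config.splitlines()

    for line in lines:
        m = re.match(r"snmp-server community (\S+) (RO|RW)", line)
        if m:
            name, mode = m.groups()
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"default SNMP community '{name}' ({mode})")
            elif mode == "RW":
                findings.append(f"SNMP write access enabled for community '{name}'")
        if line.strip() == "ip http server":
            findings.append("unencrypted HTTP management interface enabled")

    # Remote administration lines ("line vty ...") and their indented sub-commands.
    in_vty = False
    vty_acl = False
    for line in lines:
        if line.startswith("line vty"):
            in_vty = True
            continue
        if in_vty and not line.startswith(" "):
            in_vty = False          # left the vty section
        if in_vty:
            if re.match(r"\s*transport input .*\btelnet\b", line):
                findings.append("telnet permitted for remote administration (cleartext)")
            if re.match(r"\s*access-class ", line):
                vty_acl = True
    if not vty_acl:
        findings.append("no access-class restricting which hosts may reach the vty lines")
    return findings


def audit_demo() -> tuple[list[str], list[str]]:
    """Findings for the unhardened and the hardened sample configuration."""
    return audit_config(SAMPLE_CONFIG), audit_config(HARDENED_CONFIG)


if __name__ == "__main__":
    before, after = audit_demo()
    print("before hardening:", *before, sep="\n  ")
    print("after hardening:", after)
```

The unhardened sample yields five findings (both default community strings, the HTTP server, telnet on the vty lines and the missing access-class); the hardened one yields none. On a real device the same review would also cover unused services, firmware level and logging, which the text mentions but this example does not check.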
A firewall is a hardware device or software application on a computer that protects private networks from unauthorized external intruders. A firewall filters both inbound and outbound traffic by checking whether it meets certain criteria. The most common firewall operates at the Network layer and is known as a packet filter. The criteria for blocking or forwarding packets are typically source and destination addresses, and the TCP/UDP port numbers. For example, you can configure a packet filter, also known as an access control list, on a router that connects to the Internet to allow port 25 for inbound and outbound SMTP traffic but deny port 110 to block POP3 traffic. Because packet filtering firewalls inspect only the header of packets, they have little impact on network performance. Most operating systems and routers include packet filter options, so packet filters are inexpensive to implement.
The network diagram above shows a simple firewall setup. All outbound and inbound traffic must be authorized by the firewall before it can pass. The firewall can be a dedicated hardware device with two network interfaces, or a computer with two NICs running firewall software. The latter is also known as a multi-homed firewall.
The higher in the OSI model a firewall operates, the more advanced criteria it can use. Application layer firewalls are able to inspect traffic all the way up to layer 7 of the OSI model. This means they inspect not only the header of a packet but also the data payload, allowing you to set criteria for applications without allowing or denying them entirely. For example, the firewall could allow FTP GET commands so that users can download through FTP, but deny FTP PUT commands so that users cannot upload through FTP. Because application layer firewalls need to read the entire contents of packets, they have a negative impact on network performance. Application layer firewalls are also known as proxies because they act as an intermediary between internal clients and external servers.
Another type of firewall is the circuit-level firewall that operates on the Transport layer of the OSI model. This firewall checks if the TCP and UDP messages used to establish a connection meet certain criteria. Once a connection is established (i.e. the TCP handshake completed successfully), traffic can pass the firewall without further checking.
A newer and more advanced type of firewall, the stateful firewall, combines features of the previous types. Stateful firewalls can use more advanced criteria than simple packet filter firewalls, and they are aware of the state of connections. This means a stateful firewall keeps track of connections and knows when they start and when they end. For example, if an internal client initiates an HTTP connection to a web server on the Internet, and the firewall blocks inbound HTTP traffic, it will still allow the HTTP reply to the client because the firewall ‘knows’ it is part of an established session. In addition to being the most secure, it is also the most expensive type of firewall. Well-known examples of stateful firewalls are Check Point FireWall-1 and Cisco PIX.
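To make the difference between a packet filter and a stateful firewall concrete, here is an added example (not from the original text and not the behaviour of any particular product) that simulates both in Python. The rule syntax, the `Packet` fields, the addresses and the `StatefulFirewall` connection table are assumptions made for this illustration. The rule set reproduces the SMTP/POP3 example from the packet filter section, and the session check reproduces the HTTP example above: the stateless filter drops the web server's reply because no rule allows inbound traffic to a client port, while the stateful firewall allows it because it saw the client open the session.

```python
"""Stateless packet filter vs. stateful firewall, simulated in Python.

Constructed example: rule syntax, packet fields and addresses are assumptions
made for this illustration, not the behaviour of any particular product.
"""
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."      # constructed: anything starting with this is "inside"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False          # True for the first packet of a TCP connection

    def outbound(self) -> bool:
        return self.src.startswith(INTERNAL_NET)


# A packet filter rule: (direction, protocol, destination port, action).
# "*" matches any value. The first matching rule wins; the default is deny.
RULES = [
    ("in",  "tcp", 25,  "allow"),   # inbound SMTP to our mail server
    ("out", "tcp", 25,  "allow"),   # outbound SMTP
    ("out", "tcp", 80,  "allow"),   # clients may browse the web
    ("*",   "tcp", 110, "deny"),    # block POP3 in both directions
]


def packet_filter(pkt: Packet) -> str:
    """Stateless filter: looks only at the header fields of this one packet."""
    direction = "out" if pkt.outbound() else "in"
    for rule_dir, proto, port, action in RULES:
        if rule_dir in ("*", direction) and proto == pkt.proto and port in ("*", pkt.dport):
            return action
    return "deny"


class StatefulFirewall:
    """Packet filter plus a connection table of sessions it has seen start."""

    def __init__(self) -> None:
        # Key: (client, client port, server, server port) of an allowed outbound session.
        self.sessions: set[tuple[str, int, str, int]] = set()

    def check(self, pkt: Packet) -> str:
        # A reply belonging to a session we already allowed passes regardless of rules.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "allow"
        verdict = packet_filter(pkt)
        if verdict == "allow" and pkt.syn:
            # Remember the session so its return traffic can be matched later.
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict


def http_session_verdicts() -> tuple[str, str, str, str]:
    """(stateless request, stateless reply, stateful request, stateful reply)."""
    request = Packet("10.0.0.5", 50123, "203.0.113.10", 80, syn=True)
    reply = Packet("203.0.113.10", 80, "10.0.0.5", 50123)
    fw = StatefulFirewall()
    return (packet_filter(request), packet_filter(reply), fw.check(request), fw.check(reply))


if __name__ == "__main__":
    print(http_session_verdicts())   # ('allow', 'deny', 'allow', 'allow')
```

Note that the stateful firewall still denies an inbound packet to the same client port when no session exists, which is exactly the behaviour the text describes: the state table, not a permissive rule, is what lets the reply through.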
The next network diagram shows a firewall configuration with a demilitarized zone (DMZ). The hosts in the DMZ are typically web servers, e-mail servers, and the like, and are accessible to both internal and external users. This allows users on the Internet to access the servers without accessing the organization’s internal network. Although the servers in the DMZ can be accessed only through the firewall, the filtering is less strict than for the internal network and they are exposed to the Internet, so they should be locked down and hardened.
Another common firewall configuration that creates a DMZ is the screened firewall shown in the following network diagram. This setup involves two firewalls: the screening host is often a simple packet filter and the screened host a more advanced firewall. This is a more complicated and more expensive setup, but it can have a great positive impact on performance and security. The packet filter blocks the majority of invalid traffic and provides access to the servers in the DMZ, alleviating the workload of the screened firewall.
Routers are used to interconnect multiple (sub)networks and route information between these networks by choosing an optimal path (route) to the destination. They operate on the Network layer (Layer 3) of the OSI model and, in contrast to hubs, bridges, and switches, routers are protocol-aware. Examples of these network protocols are IP, IPX, and AppleTalk. Common uses of routers are connecting two different types of networks (for example Ethernet and Frame Relay) or interconnecting LANs into a WAN. Routers make forwarding decisions based on a table with network addresses and their corresponding ports; this table is known as the routing table.
Routers use routing protocols, such as RIP, OSPF, and BGP, to exchange routing table information with other routers in the internetwork. If the routing protocol supports it, authentication should be required before routers accept route updates. If updates are accepted without authentication, a malicious attacker can send forged updates to reroute legitimate traffic, or create a denial of service situation by removing or changing valid routes.
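The following added example (not part of the original text, and not the wire format of RIP, OSPF or BGP) shows in Python why the text insists on authenticated route updates. Two simulated routers receive the same updates: one accepts anything it hears, the other verifies a keyed hash (HMAC-SHA256 here) computed with a key shared by the legitimate routers. The update format, the shared key and the `Router` class are assumptions made for this illustration.

```python
"""Accepting routing updates only when they carry a valid keyed hash.

Constructed example: the update format, key and HMAC scheme are assumptions
for this illustration, not the authentication mechanism of a real routing protocol.
"""
import hashlib
import hmac
import json
from typing import Optional

SHARED_KEY = b"constructed-demo-key"   # would be configured on every legitimate router


def _canonical(routes: dict[str, str]) -> bytes:
    """Stable byte encoding of a route set so sender and receiver hash the same thing."""
    return json.dumps(routes, sort_keys=True).encode()


def sign_update(routes: dict[str, str], key: bytes) -> dict:
    """Build an update (prefix -> next hop) carrying a MAC over its contents."""
    mac = hmac.new(key, _canonical(routes), hashlib.sha256).hexdigest()
    return {"routes": routes, "mac": mac}


class Router:
    def __init__(self, key: Optional[bytes]) -> None:
        self.key = key                    # None: updates are accepted unauthenticated
        self.table: dict[str, str] = {}   # destination prefix -> next hop

    def accept_update(self, update: dict) -> bool:
        """Merge the update into the routing table; return whether it was accepted."""
        if self.key is not None:
            expected = hmac.new(self.key, _canonical(update["routes"]), hashlib.sha256).hexdigest()
            # Constant-time comparison so the check itself does not leak the MAC.
            if not hmac.compare_digest(expected, update.get("mac", "")):
                return False
        self.table.update(update["routes"])
        return True


def routing_demo() -> tuple[str, bool, str]:
    """(next hop on the open router, forged update accepted by strict router?, next hop on strict router)."""
    neighbour = sign_update({"10.1.0.0/16": "10.0.0.2"}, SHARED_KEY)
    # A device on the segment that does not know the key announces the same prefix
    # with itself as the next hop.
    forged = sign_update({"10.1.0.0/16": "10.0.0.66"}, b"wrong-key")

    open_router = Router(key=None)
    open_router.accept_update(neighbour)
    open_router.accept_update(forged)          # accepted: the valid route is overwritten

    strict_router = Router(key=SHARED_KEY)
    strict_router.accept_update(neighbour)
    forged_accepted = strict_router.accept_update(forged)   # rejected: MAC does not verify

    return open_router.table["10.1.0.0/16"], forged_accepted, strict_router.table["10.1.0.0/16"]


if __name__ == "__main__":
    print(routing_demo())   # ('10.0.0.66', False, '10.0.0.2')
```

The open router ends up forwarding traffic for 10.1.0.0/16 to the forged next hop; the strict router keeps the legitimate route. In a real deployment the rejected update is also worth logging, since it is a clear signal that something on the segment is speaking the routing protocol without the key.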
As mentioned in the firewalls section above, routers usually offer a built-in packet filter that can be used to allow and deny addresses, address ranges, and ports. These access lists can also be used to limit administrative access, through Telnet for example, to a specific host or subnet. Even without these access control lists, routers provide some level of security because they segment networks and do not forward broadcasts. This offers the hosts on the network behind the router some privacy up to layer 3 in the OSI model, which means an attacker cannot easily capture packets on the other side of a router.
NAT (Network Address Translation)
Network Address Translation (NAT) is used to translate private IP addresses to public ones and vice versa, and is typically configured on access routers and firewalls that connect home and office networks to the Internet. These networks use IP addresses from the private address ranges and therefore cannot have a routed connection to the Internet. NAT translates network addresses, thus it operates at the Network layer (Layer 3) of the OSI model.
A common type of NAT is dynamic NAT, in which case the router maintains a list of internal addresses and a list of external addresses that are dynamically mapped to each other. When a client on an internal network communicates with a web server on the Internet, the NAT router changes the source IP address in the header of the IP packet. The source address is changed from the internal client’s IP address to the public IP address of the router’s external interface. To the web server, the packets appear to be coming from the NAT router, so that is where it sends the replies with the requested data. The NAT router in turn forwards the replies to the client that initially made the request.
With static NAT, the router is configured with an address table. This table contains static entries that map public addresses to local addresses. Static NAT entries are typically used when a web or mail server resides on the internal LAN. The clients and servers on each side of the router are not aware of the translating process and do not require any additional software. A NAT router is typically also a DHCP server and DNS proxy for its internal clients. Besides being used on routers connected to the Internet, NAT is also used in corporate WANs when multiple LANs use the same IP subnet. NAT offers some security as well, because only a single public IP address needs to be visible to external hosts while the internal network addressing scheme can remain hidden.
Instead of using a list of internal and external addresses, a single external address can be used by changing the source port, which is essentially part of the complete address known as a socket (the combination of an IP address and a port number). This is also known as Port Address Translation (PAT).
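The three NAT behaviours described above (dynamic translation of outbound traffic, static entries for an internal server, and PAT sharing one public address by rewriting source ports) can be seen together in the following added example, which is not part of the original text and not a real router's implementation. The addresses, the ephemeral port range and the `NatRouter` class are assumptions made for this illustration; it also shows the security side effect the text mentions, namely that an unsolicited inbound packet has no translation and is simply dropped.

```python
"""Static NAT and PAT on a simulated access router.

Constructed example: the addresses, port range and data structures are
assumptions for this illustration, not a real router's implementation.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    def __init__(self, public_ip: str, static: Optional[dict[str, str]] = None) -> None:
        self.public_ip = public_ip
        # Static NAT: fixed public -> internal mapping, e.g. for an internal web server.
        self.static_in = dict(static or {})                          # public -> internal
        self.static_out = {v: k for k, v in self.static_in.items()}  # internal -> public
        # PAT: (internal ip, internal port) <-> translated port on the public address.
        self.pat_out: dict[tuple[str, int], int] = {}
        self.pat_in: dict[int, tuple[str, int]] = {}
        self.next_port = 40000                                       # constructed ephemeral range

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the LAN for the Internet."""
        if pkt.src in self.static_out:
            return replace(pkt, src=self.static_out[pkt.src])
        key = (pkt.src, pkt.sport)
        if key not in self.pat_out:
            # First packet of this internal socket: allocate a fresh public port.
            port = self.next_port
            self.next_port += 1
            self.pat_out[key] = port
            self.pat_in[port] = key
        return replace(pkt, src=self.public_ip, sport=self.pat_out[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of a packet arriving from the Internet.

        Returns None (drop) when no internal host asked for it and no static entry exists.
        """
        if pkt.dst in self.static_in:
            return replace(pkt, dst=self.static_in[pkt.dst])
        if pkt.dst == self.public_ip and pkt.dport in self.pat_in:
            ip, port = self.pat_in[pkt.dport]
            return replace(pkt, dst=ip, dport=port)
        return None


def nat_demo() -> tuple:
    router = NatRouter("198.51.100.1", static={"198.51.100.2": "192.168.1.10"})
    # Two internal clients use the same source port towards the same web server;
    # PAT keeps them apart by giving each a different port on the public address.
    out_a = router.outbound(Packet("192.168.1.20", 5000, "203.0.113.10", 80))
    out_b = router.outbound(Packet("192.168.1.21", 5000, "203.0.113.10", 80))
    # The server replies to what it saw as the source: the router's public socket.
    reply_a = router.inbound(Packet("203.0.113.10", 80, out_a.src, out_a.sport))
    # Nothing inside asked for this, so the router has nowhere to deliver it.
    unsolicited = router.inbound(Packet("203.0.113.99", 4444, "198.51.100.1", 23))
    # Static entry: the published address of the internal web server.
    to_server = router.inbound(Packet("203.0.113.50", 6000, "198.51.100.2", 80))
    return out_a, out_b, reply_a, unsolicited, to_server


if __name__ == "__main__":
    for p in nat_demo():
        print(p)
```

Both outbound packets leave with source 198.51.100.1 but different source ports, the reply to the first is delivered back to 192.168.1.20:5000, the unsolicited telnet attempt is dropped, and traffic to the published address 198.51.100.2 reaches the internal web server.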
Switches break up networks into smaller segments to improve network performance. A switch is basically a combination of a bridge and a hub. It maintains a table with MAC addresses per port to make switching decisions, operates at the Data Link layer (layer 2) of the OSI model, and is protocol transparent. Although switches by themselves do not control broadcast domains, each port/connection on the switch is a separate collision domain. In a non-switched Ethernet network, every attached network interface ‘hears’ every frame that is transmitted in the local network (LAN) – this is why Ethernet is called a broadcast network. Each device in the network must check all frames to see if the destination address in a frame matches its own address, in which case the device should process the frame. In a switched Ethernet network, a switch learns the MAC addresses of the devices attached to its ports. This allows the switch to forward frames only out of the port to which the destination device is attached. This increases overall network performance because the network devices do not hear traffic that is not addressed to them, allowing more efficient use of bandwidth for legitimate traffic.
Besides better performance, switches provide a level of privacy in a similar way routers do, but for each port separately instead of an entire (sub)network. If a malicious individual is able to attach a computer with a NIC in capturing mode to a switched segment, he will not be able to sniff anything on segments or devices on other ports even though they are in the same LAN. This also provides a challenge for system administrators and intrusion detection systems using a legitimate sniffer.
If an attacker gains physical access to a switch, or another network device, he may not be able to remove it without being noticed, but he may be able to plug in a rogue network device. Therefore, unused ports should be disabled in the configuration of the device, and enabled ports should use 802.1x port-based authentication.
VLANs (Virtual Local Area Network)
Switches can control broadcast domains in addition to collision domains when Virtual Local Area Networks (VLANs) are configured. Most modern switches support VLANs, which are logical groups of network devices whose members can be located in different physical segments. A VLAN can be based on port IDs, MAC addresses, protocols or even applications. For example, ports 1 to 12 on a switch could be assigned to VLAN 1, and ports 13 to 24 to VLAN 2, resulting in two different broadcast domains. An example of a large network with VLANs is an office building with a switch on each of the three floors and a main switch connecting them all together. An administrator would be able to maintain a list of MAC addresses, assign stations from different floors to a single VLAN, and for example create a VLAN (hence a separate broadcast domain) for each department in the company.
The primary advantages of VLANs are scalability, because members of a VLAN can be miles apart and still act as a single physical LAN, and manageability, because members can be relocated easily to a different VLAN without having to change the physical connection. A third benefit of VLANs is security, because each VLAN acts as a separate LAN and uses a different IP (sub)network. This means that members of one VLAN cannot communicate with members of another VLAN unless a router is used to route traffic between the VLANs. If a router is used, it can be configured with access control lists to filter traffic transmitted between the VLANs.
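The switch behaviour described in the last few paragraphs (MAC learning per port, unicast frames delivered only to the port of the destination, a sniffer on another port seeing nothing, and VLANs splitting one switch into separate broadcast domains) is simulated in the following added example, which is not part of the original text and not any vendor's switching logic. The port-to-VLAN layout is the one from the text (ports 1 to 12 in VLAN 1, 13 to 24 in VLAN 2); the MAC addresses, the `Frame` type and the `Switch` class are assumptions made for this illustration.

```python
"""A learning switch with port-based VLANs, simulated in Python.

Constructed example: MAC addresses, port numbers and VLAN assignments are
invented for this illustration; the logic is a textbook model, not a product.
"""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str   # source MAC address
    dst: str   # destination MAC address


class Switch:
    def __init__(self, port_vlan: dict[int, int]) -> None:
        self.port_vlan = port_vlan                        # access port -> VLAN id
        self.mac_table: dict[tuple[int, str], int] = {}   # (vlan, mac) -> port

    def receive(self, in_port: int, frame: Frame) -> list[int]:
        """Process a frame arriving on in_port; return the ports it is sent out of."""
        vlan = self.port_vlan[in_port]
        # Learn: the source MAC is reachable through the ingress port, in this VLAN.
        self.mac_table[(vlan, frame.src)] = in_port
        out = self.mac_table.get((vlan, frame.dst))
        if frame.dst != BROADCAST and out is not None:
            # Known unicast: only the destination's port, never back out the ingress port.
            return [] if out == in_port else [out]
        # Broadcast or unknown unicast: flood, but only to ports in the same VLAN.
        return sorted(p for p, v in self.port_vlan.items() if v == vlan and p != in_port)


def switch_demo() -> dict[str, list[int]]:
    # Ports 1-12 in VLAN 1, ports 13-24 in VLAN 2, as in the text's example.
    sw = Switch({p: 1 for p in range(1, 13)} | {p: 2 for p in range(13, 25)})
    host_a, host_b, host_c = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02", "cc:cc:cc:00:00:03"
    return {
        # A (port 1) broadcasts, e.g. an ARP request: flooded to the rest of VLAN 1 only.
        "a_broadcast": sw.receive(1, Frame(host_a, BROADCAST)),
        # B (port 2) answers A: A was learned on port 1, so only port 1 receives it;
        # a sniffer on port 3 never sees this frame.
        "b_to_a": sw.receive(2, Frame(host_b, host_a)),
        # A now addresses B directly: B was learned on port 2.
        "a_to_b": sw.receive(1, Frame(host_a, host_b)),
        # C (port 13, VLAN 2) addresses A: unknown within VLAN 2, so it is flooded in
        # VLAN 2 only and never reaches VLAN 1 without a router in between.
        "c_to_a": sw.receive(13, Frame(host_c, host_a)),
    }


if __name__ == "__main__":
    for name, ports in switch_demo().items():
        print(f"{name}: {ports}")
```

The first broadcast reaches every other port in VLAN 1 but none in VLAN 2; once the switch has learned both hosts, their unicast frames go to exactly one port each; and a host in VLAN 2 cannot reach a MAC address in VLAN 1 at all. This is also why a monitoring sensor on a switched network needs a mirror/SPAN port or a tap rather than a plain promiscuous NIC.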
In a similar way to routers, switches can share their MAC address table and VLAN information with other switches so the path to a destination can be found quickly. This presents a vulnerability similar to that of routing updates: a malicious individual can forge VLAN information updates to remove members from VLANs or delete entire configurations and cause havoc on the network. Therefore, switches using VLAN update protocols should always be configured to require authentication.
Telecom / PBX (Private Branch Exchange)
A PBX is a switch that allows companies to interconnect different telephone devices and services such as voice, pagers, SMS, voicemail, and data. It is basically an extension of the telephone company’s network that allows an organization to manage its own telecommunication services without requiring constant involvement of the telco. The PBX is usually connected to the telephone company with a dedicated T1 connection or higher. PBXs are vulnerable to several types of attacks and abuse. Examples are eavesdropping on phone calls, unauthorized access to voicemail, tampering with SMS messages, and unauthorized remote administrative access. The latter is particularly interesting for so-called phreakers, who hack into telecommunication systems to place free long-distance calls, for example. Not only can compromised PBXs result in denial of service for legitimate users, they can also result in serious financial damage. Unfortunately, PBXs are still too often not sufficiently included in an organization’s security program.
Although the PBX makes the organization less dependent on the telco, the telco is often still needed to solve problems and incidents in case something is wrong with the PBX. This usually involves a remote administration session from the telco to the PBX. A local administrator should turn these remote administration services on only when requested by the telco. When remote administration is enabled, it should require strong authentication using encryption and preferably a separation of duties system. For example, when someone from the telco requires a remote administration session, a local administrator’s presence should be mandatory. Make sure that the default password is changed and, if possible, the user name of the administrative account as well. PBXs usually support some sort of auditing and accounting; the log files should be compared with telephone bills and checked for any suspicious activity.
Although mobile devices used to stay mostly out of the range of hackers and crackers, it was only a matter of time before the first mobile phones and PDAs were hacked. Traveling by train while checking your agenda on your PDA, for example, can make you a vulnerable target. A malicious individual a couple of seats away could potentially access your PDA through a wireless (Bluetooth, WiFi, or infrared) connection, steal or alter data, and use your smartphone/PDA to place long-distance calls. Therefore, all wireless communication should be encrypted, and when connecting to a corporate network, a VPN should be established. Incoming connections should require strong authentication, and connections should be made only to trustworthy resources.
PDAs and smartphones are often used to access email accounts, and since email is a common medium for receiving viruses, anti-virus products should be installed. Receiving spam on a mobile device can be even more annoying than receiving spam in a full-blown email client, so spam filters should be installed as well, including spam filters for SMS messages. There are products available that provide these services and can be installed on the mobile devices, but preferably they should be installed on the server hosting the mailbox as well.
Mobile devices are especially prone to theft, which can lead to disclosure of sensitive information including authentication credentials that may allow the thief to access the corporate network. Most mobile devices can be protected by a PIN or password and support content encryption. The processing power on many mobile devices is inadequate for using encryption with large keys, but setting a strong password can make it harder for the thief to access the content.
Another security issue that is often overlooked when it comes to mobile devices, including laptops, is backups. Even today’s smallest devices can store gigabytes of data internally or on removable media. Backing up this data should be included in the corporate backup plan.