In today’s world it is very rare to find a business or an organisation that is not reliant on a computer network of some sort, whether it is a hospital, a school, large bookstore, small shop or even a home business. This sets a challenge for IT professionals around the world, especially with the increased number of network attacks that are happening every day. The challenge is how to keep these networks secure?
What is network security?
Network security to IT professionals doesn’t mean that a network is 100% secure because that is impossible unless you completely disconnect your network from the outside world and even that doesn’t protect the network from internal attacks or the physical theft of the computer and the data inside it. The only way to have 100% security is to power off all computers and for businesses these days that isn’t an effective decision.
Network security doesn’t only take under consideration the protection of the network from remote attacks, it also takes under consideration everything surrounding the network infrastructure that could lead to an unauthorised access to your network. That is everything from the building, rooms, wiring and employees all the way up to the software that is installed on the computer. The aim is to make it harder for attackers to penetrate the network and if they do the administrator is alerted and the attack is logged so the network owners can take appropriate action.
A nice definition of computer security that also applies to network security is given by Simon Garfinkel, Gene Spafford and Allan Schwartz (2003, p 5)
“Computer Security. A computer is secure if you can depend on it and its software to behave as you expect.
If you expect the data entered into your machine today to be there in few weeks and to remain unread by anyone who is not supposed to read it. Then the machine is secure. This concept is often called trust:
you trust the system to preserve and protect your data. By this definition, natural disasters and buggy software are as much threats to security as unauthorised users are. This definition is obviously true from a practical standpoint.”
This means that when IT professionals talk about network security, they are describing the methods used to ensure that the following key areas are kept:
- Confidentiality – Sensitive data are kept from unauthorised eyes.
- Integrity – Data is kept authentic and protected from corruption.
- Availability – The systems are available at all times with the correct privileges set for each user, system or software.
- Auditing – Important actions (failed logins, file deletion, file creation/ modification and software installation/un-installation) are logged.
These are controlled by the following mechanisms:
- Authentication – Verifying user, system and software ID.
- Access control – Defining whether a resource should be available or not.
- Authorisation – allowing suitable usage according to the ID.
How is the security of a network tested?
After careful steps have been taken in designing, installing, configuring your network and keeping it updated and patched, it is very important to keep testing the network to make sure there is no vulnerabilities that could compromise your network and to ensure that your organisation’s security policy is complied with.
To do this we need to think like an attacker and perform the same steps an attacker takes to attack our network. This would reveal to us everything an attacker can see about our network that would aid him/her in their attack, also this would give us an indication of how well/bad our network stands against such attacks and the countermeasures that we need to take to prevent or make it very hard for the attackers to succeed. To do this we need to have an understanding of the types of attacks our networks could face.
There are four main classes of network attacks:
- Reconnaissance attacks – gathering information about a network.
- Access attacks – gaining access by exploiting vulnerabilities.
- DOS – Causes a system to crash or overload so to deny services to other users.
- Worms, Viruses and Trojan Horses
This is also confirmed by William Stallings (2000, page 7) illustration of the main four classes of attacks.
He mentioned that information flows from source to destination and so he described the attacks that could be applied to a network can be in four main categories:
In case the categories wasn’t clear from the above figure, they’re:
- Interruption (DoS) – The data or system was made unavailable or offline so it can not be accessed. Thus this is an attack on availability.
- Interception (Sniffed) – The data is intercepted or sniffed by the attacker and therefore it no longer is private. Thus this attacks privacy.
- Modification – The data is modified, which attacks the integrity of data.
- Fabricated – attack on authenticity.
With a clear picture of the ways our networks could be attacked, we can now start testing our network for any flaws.
Before an attacker (the bad person) and a penetration tester (the good person) can gain access to a network he/she needs to perform 3 steps:
- Foot Printing
These steps can be completed by many tools available free for Unix and Windows.
Area of focus
In this series of posts I’ll try to focus on describing how these tools (Unix only) can be used to help in the development of secure systems. It is split into four parts:
- Foot Printing
These are the steps mentioned above, that have to be completed by an attacker or tester before they can move on to the fourth step:
The reason this report illustrates these tools from a penetration test point of view is that it simulates the steps attackers take to compromise a network. Also it is the area that is mostly neglected if not overlooked by many IT professionals and so it is very important for them to keep improving their skills in these areas so that their tasks of protecting their networks is more effective.