You've Been Targeted!
Too often you are tempted to put in a quick fix and consider a problem solved. However, in the complex matter of network security, you'll find there are no quick fixes. Because a network is composed of many components, hackers, crackers, and detractors have a large number of devices they can target, such as these:
Routers These devices stand at the perimeter of your network and sometimes perform firewall functions. The main thing a router can do is to block certain IP addresses or ports. This is the basic function performed by a firewall. Routers, though, are easy targets for many reasons. First, a router is your network's connection to the Internet, so it's directly exposed to the whole world. Second, routing protocols can be abused when hackers damage the routing table on your router. What good is a router if it doesn't know where to relay network traffic to and from? You learn this in more detail later in this chapter when you read about ICMP redirects. Although there isn't a lot you can do to protect a router from an attack over the Internet, you can take some steps to make it more difficult for potential intruders. You'll learn about that subject later, in the section titled "Protecting Routers." And another thing to consider is denial-of-service attacks. Because your router(s) stand at the periphery of your network, a constant stream of network traffic can be used to overwhelm a router and prevent you from receiving incoming data, much less sending data out onto the network. Host computers Servers on your network are supposed to provide data, print, email, or other important services to your users. After a host computer has been infiltrated, however, these services can be corrupted or made unavailable. If a hacker gets past the router or firewall, the host computers on your network are usually the next target. This is one good reason to use a private address space on the internal LAN and save your registered IP addresses for use by the routers and firewall devices that actually need a valid address on the Internet. This technique is known as Network Address Translation (NAT). If the intruder does not know the addresses of computers on your network, the intruder will have more difficulty connecting to them and causing trouble. As a general rule, it's best to always hide information about the configuration of all computers on your internal LAN. If you must create a Web presence on the Internet, consider using a demilitarized zone (DMZ) to segment part of your network that interfaces with the Internet from the inside network. 
| For more information on firewalls in general and using DMZs, see Chapter 45, "Firewalls." |
Applications and services There is a great debate on the Internet about open source code. One side of the debate is this: If the actual code for particular applications is known, it's easier for patches or modifications to be made when some hacker detects a loophole in the application or service. The opposite argument goes like this: The bad guys also have a copy of the code and can spend all the time they need looking for vulnerable parts of the code that can be used to their advantage. When you are considering installing mission-critical software on a server, which should you use? I can't really offer an opinion on this because both sides have good arguments. If you use a proprietary program purchased from a vendor, can you depend on the technical support staff of the vendor to help you if the application becomes a target? Microsoft and other vendors regularly post security warnings and patches. Do you install them? You must pick your vendors carefullyfor example, what is the response time when you place a service call for a minor issue? Can you count on vendor support in an emergency, or would you rather have the open source code so that your own staff (and others around the world who use the same code) can immediately begin trying to plug the loophole? Firewalls Yes, because most commercial firewall products are well documented, they can be compromised by someone who studies what they protect, and how the firewall does it. Not all firewalls use the same techniques. No single firewall will ever protect you from every threat from the Internet. A skilled staff of professionals, however, can help you mitigate the threats that do get past your firewall. Your network If you're the sort of person who enjoys causing problems for other people, attacking the entire network is probably going to give you more pleasure than going after only a few host computers or applications. Think of how expensive it is to a large company such as eBay, CNN, or Microsoft when their networks are taken offline due to an attack. If a hacker can disable your entire network, the damage done can become quite expensive.
Usually, an attack is not as clearly defined as indicated here. Instead, many attacks are sophisticated combinations of several of the previously described varieties.
|
Main Menu
|
