Jing An Telescope Factory (JATF): A network security case study

The Journal of Information Systems Education, Fall 2003, by Doug White and Alan Rea

ABSTRACT

This case, an examination of a real-world break-in to a Web server, provides a forensic examination of what happened to the Jing An Telescope Factory (JATF) and a suggested model for preventing such attacks. The case focuses on the "hack" break-in that is commonplace with Web servers and illustrates the well-known mistakes made in JATF's security arrangements. The paper also discusses selected hacking techniques, an overview of network vulnerabilities, and the tools and techniques that security professionals use. The authors propose a set of techniques and models that businesses should follow to guard against similar attacks. Students are encouraged to assess and implement solutions using the tools and techniques presented in the case.

Keywords: Network security, network assessment, hacking techniques, system hardening, case studies

1. CASE SUMMARY

This case, an examination of a real-world break-in to a Web server, provides a forensic examination of what happened to the Jing An Telescope Factory (JATF). Following a discussion of what happened to JATF's network, students are presented with common hacks and network vulnerabilities, as well as the tools and techniques that security professionals use to prevent and analyze attacks.

In the classroom and networking lab, students are encouraged to explore how JATF's network was compromised. They must apply the tools and techniques discussed in the case to create a new network diagram that incorporates network security design and protocols to prevent additional attacks and protect data. This case specifically focuses on the "hack" break-in that is commonplace with Web servers and illustrates the common mistakes made in the security arrangements by JATF.

2. ABOUT JATF

The Jing An Telescope Factory (JATF) is a medium-sized business located in Ninjing, China. The factory employs about 250 people. Out of these 250, about 25 are directly responsible for Information Technology (IT) Operations in the areas of networking, Web development, database management, and other typical IT operations. The network security breach discussed in this case occurred during the summer of 2002.

In this case, we'll first discuss the existing network architecture before the security incident. Then, we'll discuss reasons why the incident might have occurred. We'll finish with sample consultant recommendations. It will be up to you or your team to write a recommendation as well as design new network architectures for increased security and data protection that JATF can implement.

3. JATF NETWORK ARCHITECTURE

JATF maintains a large network interlinking intra-building departments and inter-building operations systems. A wide variety of servers and workstations exist on the network and most employees have workstations on their desktops. The particular server of interest was running Windows NT 4.0 (Chinese), and was using the Internet Information Server (IIS) to serve Web pages to a private network. JATF's network was behind a firewall preventing all access from the Internet to the internal networks of the company. This included the Main Web Server (MWS) that was hacked. The MWS was connected to the primary intranet of the company via a Cisco switch. Employees of the company had access to the Web server pages via the intranet, but not the Internet.

3.1 JATF Network Services

When the break-in occurred, JATF's MWS was running a variety of services, including IIS as the primary Web (HTTP) daemon and an FTP daemon. Other services were also in use, but they played no role in the break-in and so are not discussed here.

The primary security issue was with the FTPD service. FTPD is an application-layer daemon that implements the File Transfer Protocol, which allows the exchange of files between two machines. FTPD is an old service but is still widely used. Along with TELNETD, it is considered one of the more dangerous services in use because it is easily misconfigured, can be run for anonymous users, and sends its packets unencrypted. At JATF, FTPD was run as an anonymous-login service: users could log in to specific directory structures to upload and download files without identifying themselves with a username or password. While this is not a safe practice, many companies with only internal users opt for this configuration.
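The exposure described above, an anonymous FTP site that accepts uploads, is something a log review can surface. The following Python script is an added example and not part of the paper: it walks FTP server log lines and reports sessions that authenticated as anonymous and then stored files. The log lines are constructed; their field order ("date time c-ip cs-method cs-uri-stem sc-status") is assumed and should be checked against the server's own #Fields header.

```python
# Added example (not from the paper): find anonymous FTP sessions that uploaded
# files, the risk the case describes. Log layout is assumed W3C-style
# "date time c-ip cs-method cs-uri-stem sc-status"; the bracketed number in the
# method field is the session id, "created" marks a completed upload (STOR)
# and "sent" a completed download (RETR).
from collections import defaultdict

# Constructed sample log, not real JATF data.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-07-15 09:12:01 10.1.5.23 [1]USER anonymous 331
2002-07-15 09:12:01 10.1.5.23 [1]PASS guest@ 230
2002-07-15 09:12:09 10.1.5.23 [1]sent /pub/readme.txt 226
2002-07-15 09:13:40 10.1.7.88 [2]USER anonymous 331
2002-07-15 09:13:40 10.1.7.88 [2]PASS x@x 230
2002-07-15 09:13:55 10.1.7.88 [2]created /pub/incoming/patch.exe 226
2002-07-15 09:14:02 10.1.7.88 [2]created /pub/incoming/notes.txt 226
2002-07-15 09:20:11 10.1.5.40 [3]USER zhang 331
2002-07-15 09:20:12 10.1.5.40 [3]PASS - 230
2002-07-15 09:20:30 10.1.5.40 [3]created /pub/incoming/report.doc 226
"""

def anonymous_uploads(log_text):
    """Return {client_ip: [uploaded paths]} for sessions that logged in as
    anonymous and then stored files. Sessions are keyed by (ip, session id)
    because session ids are small integers that get reused."""
    is_anon = {}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ", 5)
        if len(parts) < 6:
            continue
        _date, _time, ip, method, target, _status = parts
        # method looks like "[2]created": split off the session id
        sid, _, verb = method.partition("]")
        key = (ip, sid.lstrip("["))
        if verb == "USER":
            is_anon[key] = target.lower() in ("anonymous", "ftp")
        elif verb == "created" and is_anon.get(key):
            hits[ip].append(target)
    return dict(hits)

if __name__ == "__main__":
    for ip, paths in anonymous_uploads(SAMPLE_LOG).items():
        print(f"anonymous upload(s) from {ip}: {', '.join(paths)}")
```

Authenticated uploads (the "zhang" session) are deliberately not flagged; only writes by unauthenticated users are reported.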

3.2 JATF Firewall and Logging

However, JATF's intranet wasn't an open system. To protect its intranet from external traffic, JATF used a standard firewalling approach: a Cisco IOS-based access control list (ACL) restricted all access to the internal networks from the Internet. Thus, a rule such as:

deny ip any any

was used on the inbound interface into the network. This rule denies all inbound traffic into the network. The firewall also denied, by rule, any ICMP (Internet Control Message Protocol), SNMP (Simple Network Management Protocol), or other packets. The only rule allowing access from the outside was a TCP (Transmission Control Protocol) established rule:
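As an added example (not from the paper), the Python model below shows how an inbound ACL of this kind behaves: first-match evaluation, the implicit deny at the end of every IOS ACL, and the "established" keyword matching only TCP segments with ACK or RST set, so replies to inside-initiated sessions pass while new inbound connections, ICMP and SNMP are dropped. The rule text used here is an assumed, typical form; the paper does not reproduce JATF's exact rule.

```python
# Added example (not from the paper): a minimal model of a Cisco IOS style
# inbound ACL like JATF's. Rule text is an assumption about its typical form.
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    flags: frozenset = frozenset()   # TCP flags set, e.g. {"SYN"} or {"ACK"}

@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol
    established: bool = False        # IOS "established" keyword

# Assumed ACL. The permit must precede the deny: IOS ACLs are first-match,
# so "deny ip any any" placed first would shadow every later rule.
INBOUND_ACL = [
    Rule("permit", "tcp", established=True),
    Rule("deny", "ip"),
]

def matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.established:
        # "established" matches only TCP segments with ACK or RST set, i.e.
        # the reply half of a connection the inside opened. It inspects flags
        # only and keeps no session table, which is why stateful inspection
        # later replaced it.
        return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})
    return True

def evaluate(acl, pkt):
    """Return the action of the first matching rule, or the implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"

if __name__ == "__main__":
    # Constructed sample traffic arriving from the Internet side.
    samples = {
        "new inbound connection (TCP SYN)": Packet("tcp", frozenset({"SYN"})),
        "reply to inside-initiated session (TCP ACK)": Packet("tcp", frozenset({"ACK"})),
        "ping (ICMP)": Packet("icmp"),
        "SNMP poll (UDP)": Packet("udp"),
    }
    for name, pkt in samples.items():
        print(f"{name:45s} -> {evaluate(INBOUND_ACL, pkt)}")
```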
