Staying one step ahead on network security is a challenge

Enterprise Networks & Servers, May 2005 by Prakasha, Swayam

Network and information security refers to the confidence that unauthorized users cannot access the information and services available on a network. Security implies safety. It assumes data integrity, freedom from unauthorized access to resources and freedom from disruption of services. As far as security is concerned, we need to protect both physical and abstract resources, such as information. Protecting the latter is more difficult.

Information security is concerned with three main areas: confidentiality (information should be available only to those who rightfully have access to it), integrity (information should be modified only by those who are authorized to do so) and availability (information should be accessible to those who need it when they need it).

Authentication attack

On the Internet, where data passes across intermediate routers and networks, source authentication can be easily attacked at one of the intermediate routers. For example, an impostor can gain control of a router R that lies between a valid client and a server. He can then alter the routes in R to direct return traffic to him, and generate a request using the authorized client's address as the source address. The server will, in this case, accept the request and send the reply to the authorized client. When it reaches R, the reply will be forwarded along the incorrect route to the impostor.

The above example illustrates the need for the server and client to not communicate with impostors. One way of ensuring this is to use a source-address authentication mechanism (also known as IP address authentication). This is a simple security mechanism to verify identification. Here, a server is configured with a list of valid IP source addresses. When a request arrives, the server makes sure that it is from a valid client by matching the client's IP address against the configured list. Only if the client is authorized does the server grant it the service requested. As the router example shows, however, a source address on its own can be forged, so this check should not be the only one relied upon.

Another method is the public-key encryption mechanism. In this case, we use a pair of keys: a public key and a private key. The sender encrypts the message with the receiver's public key, and the receiver decrypts it with his private key (which only he knows). Thus the sender can be sure that only the intended receiver will be able to read the message. Public-key encryption can be used for authentication, confidentiality and integrity of messages.

Password cracking

Another common security attack is password cracking. To crack a password, you need to know the encrypted password file and the encryption algorithm used. There are two methods to crack passwords: the dictionary method and the brute-force method. Each involves encrypting a candidate password and comparing the result with the stored value to see if there is a match.

Some ways to avoid password cracking include changing passwords after a specified period (say 90 days), using complex passwords and enforcing a minimum length for passwords.

URL rewriting

In URL rewriting, the attacker's first trick is to rewrite URLs so that they point to the attacker's server rather than to the real server. In this case, the attacker can fool the server and modify the responses coming from the real server before passing them back to the victim. Assuming the attacker's server is on the machine www.attacker.org, the attacker rewrites a URL by adding http://www.attacker.org to the front of the URL. For example, http://home.netscape.com becomes http://www.attacker.org/http://home.netscape.com.

The browser's location line displays the URL of the page currently being shown. A JavaScript program can hide the real location line and replace it with a fake location line that looks right and is in the expected place. The fake location line can show the URL the victim expects to see.
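A check for the nested-URL form described above, added here as an example and not the author's code: it parses each link and flags those whose path itself begins with an absolute URL, reporting the relaying host and the real destination. The sample links are constructed and include the article's own example; such a check can be run over links in page content or over proxy logs, but it cannot see a faked location line in the victim's browser.

```python
from urllib.parse import urlsplit

# Constructed sample links, including the article's own example of a rewritten URL.
SAMPLE_LINKS = [
    "http://home.netscape.com/",
    "http://www.attacker.org/http://home.netscape.com",
    "https://www.attacker.org/HTTPS://bank.example/login?acct=1",
    "http://www.example.com/docs/http-guide.html",
]


def embedded_url(url):
    """Return the absolute URL carried inside url's path, or None.

    The rewriting trick prepends the attacker's host, so the victim's real
    destination survives as the path: http://www.attacker.org/http://real.host
    """
    parts = urlsplit(url)
    inner = parts.path.lstrip("/")
    if not inner.lower().startswith(("http://", "https://")):
        return None
    # urlsplit assigned any query string to the outer URL; give it back to the
    # inner one so the recovered destination is complete.
    if parts.query:
        inner += "?" + parts.query
    return inner


def flag_rewritten_links(links):
    """Return (link, relaying_host, real_host) for every link that is really
    a request to one host for a page that lives on another host."""
    flagged = []
    for link in links:
        inner = embedded_url(link)
        if inner is None:
            continue
        relay = urlsplit(link).netloc.lower()
        real = urlsplit(inner).netloc.lower()
        if real and real != relay:
            flagged.append((link, relay, real))
    return flagged


if __name__ == "__main__":
    for link, relay, real in flag_rewritten_links(SAMPLE_LINKS):
        print(f"{link}\n  relayed through {relay}, really for {real}")
```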

DoS and DNS hijack

DNS (Domain Name Server) translates readable host names (such as www.myfirm.com) to machine-readable IP addresses (such as 200.192.56.32). The common attacks associated with DNS are Denial of Service (legitimate users are denied service) and DNS hijack (redirection of services).

In a typical scenario, the user sends a message asking the server to authenticate it. The server returns the authentication approval to the user. The user acknowledges this approval and is allowed onto the server. In a DoS attack, the attacker sends several authentication requests to the server. All these requests have false return addresses, so the server cannot find the user when it tries to send the authentication approval. The server waits, sometimes more than a minute, before closing the connection. When it does close the connection, the attacker sends a new batch of forged requests and the process begins again, tying up the service indefinitely.

DoS (Denial of Service) attacks are probably the nastiest and the most difficult to address. The premise of a DoS attack is simple: send more requests to the machine than it can handle. Toolkits in the underground community make this simply a matter of running a program and telling it which host to blast with requests. The attacker's program simply makes a connection on some service port, perhaps forging the packet's header information that says where the packet came from, and then dropping the connection. If the host is able to answer 20 requests per second, and the attacker is sending 50 per second, obviously the host will be unable to service all of the attacker's requests.
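The exhaustion described in the two paragraphs above, as an added illustrative model that is not from the article: a table of pending authentications with a fixed capacity and a timeout, forged requests that are never acknowledged, and a legitimate client arriving once per second. The capacity, timeout and request rates are constructed values; the stateless variant, in which the server stores nothing until the acknowledgement arrives (in the style of SYN cookies), is an assumed mitigation the article does not discuss.

```python
from collections import deque


def simulate_half_open(capacity, timeout, forged_per_sec, seconds,
                       legit_per_sec=1, store_state_before_ack=True):
    """Model the server's table of half-open (unacknowledged) authentications.

    Every second the attacker sends forged_per_sec requests with false return
    addresses, so their approvals are never acknowledged and each entry sits in
    the table until timeout seconds pass. Legitimate clients acknowledge at
    once and only need a free slot. With store_state_before_ack=False the
    server keeps no state until the acknowledgement arrives (SYN-cookie style),
    so forged requests occupy nothing. Returns (legit_served, legit_rejected).
    """
    pending = deque()  # expiry second of each half-open entry, oldest first
    served = rejected = 0
    for now in range(seconds):
        while pending and pending[0] <= now:    # server finally gives up on these
            pending.popleft()
        if store_state_before_ack:
            for _ in range(forged_per_sec):     # forged batch grabs the free slots
                if len(pending) < capacity:
                    pending.append(now + timeout)
        for _ in range(legit_per_sec):
            if len(pending) < capacity:
                served += 1
            else:
                rejected += 1
    return served, rejected


def starves(capacity, timeout, forged_per_sec):
    """Steady-state condition: the attacker only has to keep capacity entries
    alive, i.e. send at least capacity / timeout forged requests per second."""
    return forged_per_sec * timeout >= capacity


if __name__ == "__main__":
    # Constructed parameters: 100 slots, a 60-second wait, 50 forged requests/s.
    print(simulate_half_open(100, 60, 50, 30))   # (1, 29): table fills in two seconds
    print(simulate_half_open(100, 1, 50, 30))    # (30, 0): a short timeout keeps up
    print(simulate_half_open(100, 60, 50, 30, store_state_before_ack=False))  # (30, 0)
```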
