Current State of Network Security 2005

Print
Details
Hits: 4143

Abstract

Since computer networks and the Internet have been around, they have been vulnerable to malicious attacks. The trend of network security has been to prevent known network attacks while monitoring the network for new attacks. Recently, network administrators have also been trying to react to and prevent these attacks dynamically, meaning, as the attack occur. The action taken to block the intruder is taken immediately. Over the years, network administrators have been closing up ports and securing resources to improve security via firewalls and access control lists. This has caused attackers to increase their sophistication of attacks and level of knowledge about the existing network and system. Ever since, this has been an on-going struggle between attacker and network administrator. When the attacker finds a vulnerability in the network and exploits it, the network administrator needs to identify the intrusion and launch an application to take the appropriate action and block against future attacks. This leaves the attacker to find a new more sophisticated attack. And the cycle continues.

1. Introduction

As it stands now, the main tool network security personnel use to identify attackers is an IDS or "Intrusion Detection System". And the main problem the network security personnel face is parsing and analyzing the torrent of log entries made by the IDS in order to make meaningful sense of it all. It's favorable to have the data analyzed and parsed in a timely manner so action can be taken to block the intruder in time if necessary. The way network administrators are dealing with the problem is through a few commercial software solutions [2] and by fine tuning IDS rule sets to eliminate false positives to return a more successful valid alert ratio.

2. Popular Methods of Intrusion

As of late, popular methods of intrusion or attack are viruses and DDoS or Distributed Denial of Service attacks. Viruses are successful often through the proliferation of email messages and popular insecure email clients like Microsoft Outlook, along with malicious web pages and insecure web browsers such as Microsoft Internet Explorer. The virus typically would appear as a valid email attachment, such as a zip file, and upon opening the file, the virus application installs itself. Or if a malicious URL is accessed on an insecure browser, the application can just be willingly installed by the web browser. Once the virus is installed, any number of resources can be exploited. One common application is to log and transmit the infected user’s keystrokes in hopes of gaining sensitive information such as passwords and financial data. Another application is to run a TCP proxy on the machine to allow remote users access to the infected user’s resources. This could be using the infected user as a mail proxy for spam, or a web proxy used in concert with a DDoS attack, or any number of TCP/UDP services. DDoS attacks can occur to any number of hosts on the network. All the attacker does is over load the exposed and vulnerable network service with legitimate requests from multiple clients. If the number of clients and the number of requests from each client exceed the load capacity of the server, the server can get too loaded down to serve regular requests, resulting in latency or packet loss. As of March 2005, these attacks occur every few months on a wide scale, and prove successful in causing latency and occasional downtime. This is mostly due to the popularity of Microsoft and the fact that their applications frequently have security flaws.
 
 
3. Other Methods of Intrusion
 
For Unix users, flaws in Microsoft applications aren’t a problem, but they still face the same issues. On a seemingly much less frequent basis, security flaws are found in popular open source applications, and open source operating system kernels. These exploits are typically patched within hours of discovery and usually the exploit doesn’t do any more damage than a DoS. Rarely is information or system control compromised. It is worthy to note that certain Unix operating systems are historically known to have chronic problems with kernel security, the biggest one, and most popular one is the Linux kernel. It is probable that because of it popularity, it is more often a target for malicious attackers looking for exploits, but the regular occurrence of serious kernel bugs are unmistakable[3] Another method of intrusion on Unix operating systems is a Trojan virus, also called a “root kit”. The root kit is an application usually written around a known security flaw in a kernel or an application running as root that exploits the flaw giving the attacker partial or full control over the system as super user.

4. Methods of Defense and Prevention

When it comes to protecting networks, the security administrator has a few mechanisms. One method is to use a firewall. This essentially blocks traffic based on rule sets consisting of host addresses and/or port numbers. The more firewalls you set up between hosts on a network, the more you can isolate traffic and protect surrounding networks from an attack if an attack were to try to spread though out your network. Another mechanism is to use access control lists for your hosts and their applications. An access control list or acl is just a list of hosts that you want to allow access to. In this way, you can assure only known host addresses are being allowed to use the system and services. A 3rd line of defense isn’t really a defense but more of an alert system, its called IDS, or “Intrusion Detection System”. IDS is used to monitor and report known attack signatures contained in network data packets. Using firewalls, acls and an IDS are good for blocking the problems that are known, but what about preventing the unknown? As far as prevention goes, there really isn’t any good solid solution yet. Open source and commercial vendors are attempting to bring forth something called an IPS or Intrusion Prevention System. The main difference between an IDS and IPS is an IPS will not only log the attack but also take appropriate action to prevent the current attack to prevent any more damage. While this sounds like a good idea, its not quite being implemented successfully at the time. The problem is still identifying an attack from just random network “noise” (false positives). Attackers are always trying to disguise their intent so by the nature of the problem, it is hard to determine what is really an attack and what isn’t. Another problem for large non-homogenous networks is coordinating the response between hosts on the multiple large networks. On a large network, there might be many different hosts and many different firewalls all running different operating systems (such is the Internet) and they all need to take action against blocking a certain malicious host or vulnerable port or application. The difficulty of negotiating the proper response sometimes gets bogged down in semantics and non-homogeneous security APIs all existing on one network. It is favorable to have all hosts and firewalls to use the same APIs or protocols. This is possible on networks for a business but not likely to happen on the Internet as a whole. Even on a network with all the same host systems and security APIs, problems can arise when preventing an on-going attack.

5. Conclusion

Network security is still an emerging and fast evolving profession. Commercial vendors still fall short of their promises and the only real way to secure a network is to have as many sets of human eyes on security log files as often as possible to ensure the most reliable security. Most of the process can be automated but a human is still needed to look at the packet or intrusion attempt to determine if its malicious or not.

6. References

[1]The Role of IntrusionDetection Systems http://www.computer.org/software/so2000/pdf/s5042.pdf - page 2