Get APLawrence.com by RSSThe network is always at risk
2005/07/29Sometimes it feels like you might as well be shoveling water against an incoming tide. The attempts to breach your security never stop, and it seems like new flaws in software are discovered daily.
Anytime a port is open, you have risk. The process listening obviously allows some remote person or persons to do something under some circumstances. The risk comes from four basic areas:
Unauthorized use: someone convinces the machine that they are someone other than who they actually are and lets them do whatever it is the protocol does or provides whatever it provides. That might have nothing to do with any flaws at the machine; it could be from bad passwords, "man in the middle" schemes, etc.
Perversion due to error in the protocol programming. A buffer overflow or other error allows unintended access, a programming error causes machine lockups, etc. This could allow shell access, could give up information from unrelated files (/etc/passwd, for example), or just tie up resources: a Denial of Service or DOS attack.
Perversion to to error in the tcp/ip programming itself. Denial of Service from flaws in the way the tcp/ip software itself handles any protocol. In the past, this type of thing has sometimes been as simple as a few unexpected bits in the right headers.
Tying up the machine or protocol with bogus activity. This is Denial of Service through quasi-legitimate means or sometimes even completely legitimate traffic. A web site mentioned on Slashdot might get a surge of activity too large for it to handle. The same effect can be created by deliberately focused attacks.
Some of this risk is impossible to avoid. You can't control what comes from the outside. If your machine is flooded with illegitimate activity, it may be impossible to filter that out and allow legitimate requests through. If passwords are compromised through social engineering, there's not much you can do (unless there are more barriers: your system might require the use of a password but only allow access from certain ip's). If someone has access to some other part of your network, they may be able to escalate their privilege onto other machines without much effort.
It's frustrating, isn't it? The solutions are no different now than they have ever been: don't run what you don't need (shut off all unneeded protocols), use firewalls and/or proxies to block access to protocols where appropriate (telnet may be allowed on the local lan but not from the internet), keep up with patches, and (often neglected) have a plan for what you'll do if you are breached. That plan obviously needs to include deep backup of data, but might also include provisions for switching to an alternate resource, or even plans and methods for continuing business without access to the affected resource. You may never experience a security incident, but you do need to be prepared, just in case.
Have you tried Searching this site?
Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates
This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more. We appreciate comments and article submissions.
Many of the products and books I review are things I purchased for my own use. Some were given to me specifically for the purpose of reviewing them. I resell or can earn commissions from the sale of some of these items. Links within these pages may be affiliate links that pay me for referring you to them. That's mostly insignificant amounts of money; whenever it is not I have made my relationship plain. I also may own stock in companies mentioned here. If you have any question, please do feel free to contact me.
Specific links that take you to pages that allow you to purchase the item I reviewed are very likely to pay me a commission. Many of the books I review were given to me by the publishers specifically for the purpose of writing a review. These gifts and referral fees do not affect my opinions; I often give bad reviews anyway.
We use Google third-party advertising companies to serve ads when you visit our website. These companies may use information (not including your name, address, email address, or telephone number) about your visits to this and other websites in order to provide advertisements about goods and services of interest to you. If you would like more information about this practice and to know your choices about not having this information used by these companies, click here.
I sell and support
Kerio Mail server
Click here to add your comments
Fri Jul 29 09:43:41 2005: Subject: drag
When it comes to network security I am a big fan of OpenBSD. It is probably the most secure operating system your going to find anywere that is actually usefull (aside from special purpose or theoretical/academic type things.)
Even with systems that many people hold in high regard, such as cisco routers, suffered from hidden flaws. (see http://attrition.org/security/rant/cisco01.html ) With OpenBSD you get severly audited code and such. The down side is only the core system is worked over, add-ons thru ports don't offer the same level of assurance.
Another reason I'd like it is that it provides a extra level of difficulty attackers to have a diversity. For instance, if all your machines are made up of one or two operating systems/enviroments then it's likely that any serious flaw that pops up in your configuration or in the system software will provide unfettered access to all points in your network for a lucky/skilled cracker. It's even common for many different Linux distros to suffer from the same/similar flaw. If your using a different OS for security monitoring of your systems and network then it reduces the likelihood of the attacker going undiscovered.
Also a couple thing that I noticed about backups.. The first thing is that keeping track of older revisions of backups would be very usefull. If your system gets successfully rooted then it could be some time before you notice the intrusion... So if you only keep one or two revisions of backups aviable then you could end up with a backup version of your data that is as suspect as the stuff on the rooted server.
At least thats what it seems like to me.
The second thing about backups is that it seems to becoming popular to attack the backup mechanisms that businesses use. There seems to be a number of severe vunerabilities discovered lately in popular commercial backup programs... (see: ttp://www.sans.org/top20/q2-2005update/detail.php ) Also since people tend to pay special attention to backing up the most important information first then. As a attacker, it's like that backups will likely provide the easy access to the most profitable information, which would also just happen to end up being in pre-packaged, easy to transport formats.
Don't miss responses! Subscribe to Comments by RSS or by Email
Click here to add your comments
If you want a picture to show with your comment, go get a Gravatar