Denial of Security Holes Can Lead to Denial of Service

By Linda Paulson | Dec 19, 2001 | Print this Page
http://www.enterprisenetworkingplanet.com/netsecur/article.php/943221/Denial-of-Security-Holes-Can-Lead-to-Denial-of-Service.htm

Vigilance of security-related issues -- not just breaches -- remains a key issue for network administrators. Issues essential to enterprise security are multifold. To truly be prepared, IT professionals should be aware of basic issues, such as Denial of Service (DoS) attacks and user authentication, as well as potential vulnerabilities.

Perhaps the biggest problem is denial. Denial, as in failure to admit security problems. Estimated security-related losses are routinely under-reported. Although it is too early yet to estimate such losses for 2001, once analysts have sifted through the data, those figures will undoubtedly be low. "We see it every day, where companies don't want to admit that their networks have gotten infected with a virus or compromised by a backdoor Trojan," says Joe Hartmann, director of North American Anti-Virus Research for TrendMicro.

This is a profound problem with implications directly affecting the bottom line. There remains enterprises with poor firewall installations, if any. Network administrators fail to provide minimal or adequate virus protection. These extremely basic elements are now requirements.

One need only think about the words Denial of Service to know how adversely not having network resources available can be to an enterprise.

DoS attacks are most often initiated by something as simple as an employee unwittingly downloading an e-mail message to which a malicious executable file is attached.

"One of the biggest problems I have seen over the last 12 month is that many employees have outside e-mail accounts, which are often not scanned by anti-virus software," says Hartmann. Some anti-virus software does not scan attachments downloaded from web-based or POP3 e-mail accounts.

Additional problems arise from using instant messaging, now vectors for virus infection. "System administrators now have to make the difficult decision if they want to permit these type of chat programs -- which can be indeed quite useful," he says, "or if they want to block them, due to all the potential security problems."

Authentication and authorization has become increasingly important to protect specific resources. Traditionally, this has been as simple as issuing and monitoring passwords, but authentication has reached increasingly elaborate proportions with technologies such as smart cards and biometrics.

An added concern is Virtual Private Networks. What happens when a formerly secure network is connected with an unknown -- say a supplier or customer network? What vulnerabilities do they have? What is their administrator doing to make sure their network is secure?

Timothy J. Shimeall of the Software Engineering Institute Networked Systems Survivability Program and senior member of the technical staff at CERT, says "The security issues with VPNs are not with protocols or applications. They are with the VPN itself." Assumptions are that these are relatively secure networks. However, they aren't perfectly safe. The issue is trust. "Is that trust warranted? Is it in most cases?" This is a difficult issue according to Shimeall.

Tangible Solutions
Several organizations routinely publish timely and useful security information online. Administrators would be well-advised to check with sites including CERT.

For example, the Federal Computer Incident Response Center (FedCIRC) released a comprehensive paper in late 2001 aimed to help administrators enact defensive maneuvers against Distributed Denial of Service (DDoS) attacks -- either before and during attacks. For instance, defending against a SYN flood, a type of DoS attack, entails reconfiguring the router or firewall to intercept packets before they reach the client.

Tools designed to monitor networks for DoS attacks, such as StealthWatch by Lancope Inc. and Arbor Networks' Peakflow DoS, have an added benefit. These tools can examine bandwidth usage and discover other network traffic anomalies, which can result in added savings.

Hartmann and others say it is vital, but often difficult, for system administrators to ensure software running on clients run is the very latest software. This includes all patches to protect against vulnerabilities. "During the CodeRed or Nimda outbreak, we quickly learned that there are literally thousands of unpatched systems or default installations," he says. "Our suggestion to administrators is to identify the vulnerable systems and then start to close one security hole after another."

Shimeall says software vulnerabilities have grown by 850 percent, "which is staggering." He says this taxes administrators who typically have to deal with some five security patches per day, on average. These security problems are preventable. "If you don't need it, don't have it," he says. "There is an upkeep expense associated with everything you have not just with those things you use. It's not a small expense."

As for automating tasks such as authentication, there are some third party services -- such as Passport or iChain -- designed to help. There are also admin tools such as Authentication Suite 4.0 from BioNetrix Systems designed to comprehensively provide means to secure networks.

Halting potential problems on VPNs is an issue of access, says Shimeall. "Do what you can to limit the services even on VPNs. If a service not required over the VPN, turn it off." He says a key mistake most administrators make is to assume the VPN is secure. "Don't assume that. That's the attitude you want to fight."

Compromises often happen when there is no validation of the networks to which you are now connected. "You need to validate what the security is on the other ends of the VPN. Usually firewalls don't monitor traffic over the VPN." He says there are added issues if the partners on the VPN have public gateways -- a huge vector for transmission of viruses and conduit welcoming intrusions and disruptions.

He suggests administrators secure their network by asking questions as if you were contracting with an ISP. This can help shore up weak points and formulate responses to possible network compromises or intrusions.

Administrators must have a comprehensive security strategy. It's important not only to have perimeter defenses, but each desktop client should be protected to, for example, keep viruses from spreading unchecked.

Hartmann says system administrators "should be prepared for a worse case scenario. Simply ask yourself...what do you do when your system gets infected or when your system is being hacked? Who do you call? ... There are many questions, which should be covered in a proper plan."

Once that perimeter is breached, then what? Increasingly, administrators are advised to enact a proactive overall security plan. These can, says Hartmann, be expensive and difficult to manage, especially without sufficient staff to monitor the entire network. But being proactive can be as simple as installing content filtering software at gateways or Exchange servers.

User behavior -- not downloading potentially infected files or breaching protocols, opening attachments, changing preferences in e-mail software, etc. -- is a huge factor in network security, regardless of the size of the enterprise. Hartmann says it is wisest for administrators "to move the decision making away from the desktop and to your first layer of defense -- the gateway, which is managed by one of the administrators."

Users should be involved in developing security protocols. "Don't ignore them. Involve them," advises Shimeall. Security plans, he says, "should be done with your users, not done to your users."

--
Realted Article: DoS Attacks Go For the Throat