Packet Filtering with Windows NT
Enabling Packet Filtering
Configuring Packet Filtering
A Final Word on NT Ports
Securing DCOM
Selecting the DCOM Transport
Limiting the Ports Used by DCOM
DCOM and NAT
Ports Used by Windows Services
Additional Registry Key Changes
Logon Banner
Hiding the Last Logon Name
Securing the Registry on Windows NT Workstation
Cleaning the Page File
The Future of Windows NT
Summary
CHAPTER 15—UNIX
UNIX History
UNIX File System
Understanding UID and GID
File Permissions
Account Administration
The Password File
The Group File
Limit Root Logon to the Local Console
Optimizing the UNIX Kernel
Running Make
Changing the Network Driver Settings
IP Service Administration
IP Services
inetd
Working with Other Services
Summary
CHAPTER 16—The Anatomy of an Attack
Collecting Information
The whois Command
The nslookup Command
Search Engines
The traceroute Command
Host and Service Scanning
Passive Monitoring
Checking for Vulnerabilities
Launching the Attack
Hidden Accounts
Man in the Middle
Buffer Overflows
SYN Attack
Teardrop Attacks
Smurf
Brute Force Attacks
Physical Access Attacks
Summary
CHAPTER 17—Staying Ahead of Attacks
Information from the Vendor
3COM
Cisco
Linux
Microsoft
Novell
Sun Microsystems
Third-Party Channels
Vulnerability Databases
Web Sites
Mailing Lists
Auditing Your Environment
Kane Security Analyst
Putting the Results to Use
Summary
Appendix A
Appendix B
Index
Copyright © Sybex, Inc.
Acknowledgments
I would like to thank all the Sybex people who took part in pulling this book together. This includes Guy Hart-Davis a.k.a. “The Text Butcher” for getting me started on the right track. Yet again I owe
you a bottle of home-brewed mead. I also want to say thank you to Maureen Adams for kicking in on the initial development and CD-ROM work. Thanks go out as well to Dann McDorman, the keeper of
the holy schedule, for being very understanding of an author suffering from sleep deprivation. I also wish to thank my technical editor, Jim Polizzi, whose up-front and challenging style helped to keep
me on my toes. I want to give a very heartfelt thank you to Nancy Conner, who has to be the world’s greatest editor. Your editing style, attention to detail, and organization made it much easier to deal
with writing this book than it could have been otherwise. Thank you for knowing how to go easy on my ego while still producing text that can be read by the rest of the world. Finally, many thanks to
Bill Gibson, electronic publishing specialist, and Charlie Mathews and Jeremy Crawford, production coordinators, for working so hard to put this book onto the written page.
I also wish to thank a few people over at Alpine Computers in Holliston, Mass., for giving input, making suggestions, and just being a cool crew. This includes Cheryl “I Was the Evil Queen but Now
I’m Just the Witch Who Lives in the Basement” Gordon for her years of experience and mentoring. Thanks to Chuckles Ahern, Dana Gelinas, Gene Garceau, Phil Sointu, Ron Hallam, Gerry Fowley,
the guys in the ARMOC, Bob Sowers, Steve Howard, Alice Peal, and all the members of the firewall and security group for keeping me challenged technically or technically challenged, whichever the
case may be.
On a more personal note, I would like to thank Sean Tangney, Deb Tuttle, Al “That Was Me behind You with the BFG” Goodniss, Maria Goodniss, Chris Tuttle, Toby Miller, Lynn Catterson, and all
the Babylonian honeys for being such an excellent group of friends. Thanks to Morgan Stern, who is one of the smartest computer geeks I know and is more than happy to share his knowledge with
anyone who asks. Thanks also to Fred Tuttle for being a cool old-time Vermonter and for showing that people can still run for political office and keep a sense of humor.
I also wish to thank my parents Albert and Carolee, as well as my sister Kym. The happiness I have today comes from the love, guidance, and nurturing I have received from you over many years. I
could not have wished for a better group of people to call my family.
Finally, I would like to thank my wonderful wife and soul mate Andrea for being the best thing ever to walk into my life. My life would not be complete without you in it, and this book would not have
been possible without your support. Thank you for making me the luckiest man alive.
Introduction
Security has become a major concern for every network administrator. Nearly every day we are
The network security field has not always been this crazy. Most of us can remember a time when securing a network environment was a far easier task. As long as every user had a password and the
correct levels of file permissions had been set, we could go to sleep at night confident that our network environment was relatively secure. This confidence may or may not have been justified, but
at least we felt secure.
Then along came the Internet and everything changed. The Internet has accelerated at an amazing rate the pace at which information is disseminated. In the early 1990s, most of us would not hear about a
security vulnerability unless it made it into a major magazine or newspaper. Even then, the news release typically applied to an old version of software that most of us no longer used, anyway. These
days, hundreds of thousands of people can be made privy to the details of a specific vulnerability in less than an hour.
This is not to say that all this discussion of product vulnerabilities is a bad thing. Actually, quite the opposite is true. Individuals with malicious intent have always had places to exchange ideas. Pirate
bulletin boards have been around since the 1980s. Typically, it was the rest of us who were left out in the cold with no means of dispersing this information to the people who needed it most: the network
administrators attempting to maintain a secure environment. The Internet has become an excellent means to get vulnerability information into the hands of the people responsible for securing their
environments.
Increased awareness also brings increased responsibility. This is not only true for the software company that is expected to fix the vulnerability; it is also true for the network administrator or
security specialist who is expected to deploy the fix. Any end user with a subscription to a mailing list can find out about vulnerabilities as quickly as the networking staff. This greatly increases the
urgency of deploying security-related fixes as soon as they are developed. As if we didn’t have enough on our plates already
So along with all of our other responsibilities, we need to maintain a good security posture. The first problem is where to begin. Should you purchase a book on firewalls or on securing your network
servers? Maybe you need to learn more about network communications in order to be able to understand how these vulnerabilities can even exist. Should you be worried about running backups or
redundant servers?
This book can help to answer these questions and more. Security is a package deal—you cannot focus on one single aspect of your network and expect your environment to remain secure. This book
provides the system and network administrators with the information they will need to run a network with multiple layers of security protection.
What This Book Covers
Chapter 1 starts you off with a look at why someone might attack an organization’s network resources. You will learn about the different kinds of attacks and what an attacker stands to gain by
launching them. At the end of the chapter you’ll find a worksheet to help you gauge the level of potential threat to your network.
Chapter 2 introduces risk analysis and security policies. The purpose of a risk analysis is to quantify the level of security your network environment requires. A security policy defines your
organization’s approach to maintaining a secure environment. These two documents create the foundation you will use when selecting and implementing security precautions.
In Chapter 3, you’ll get an overview of how systems communicate across a network. The chapter looks at how the information is packaged and describes the use of protocols. You’ll read about
vulnerabilities in routing protocols and which protocols help to create the most secure environment. Finally, the chapter covers services such as FTP, HTTP, and SMTP, with tips on how to use them
securely.
Chapter 4 gets into topology security. In this chapter, you’ll learn about the security strengths and weaknesses of different types of wiring, as well as different types of logical topologies, such as
Ethernet and Frame Relay. Finally, you’ll look at different types of networking hardware, such as switches, routers, and layer 3 switching, to see how these devices can be used to maintain a more
secure environment.
Chapter 5 discusses perimeter security devices such as packet filters and firewalls. You will create an access control policy based on the security policy created in Chapter 2 and examine the strengths
and weaknesses of different firewalling methods. Also included are some helpful tables for developing your access control policy, such as a description of all of the TCP flags as well as
descriptions of ICMP type codes.
In Chapter 6, we’ll discuss creating access control lists on a Cisco router. The chapter begins with securing the Cisco router itself and then goes on to describe both standard and extended access lists.
You’ll see what can and cannot be blocked using packet filters and take a look at a number of access list samples. The end of the chapter looks at Cisco’s new reflexive filtering, which allows the router
to act as a dynamic packet filter.
You’ll see how to deploy a firewall in your environment in Chapter 7. Specifically, you’ll walk through the setup and configuration of Check Point’s FireWall-1: securing the underlying operating
system, installing the software, and implementing an access control policy.
Chapter 8 discusses intrusion detection systems (IDS). You’ll look at the traffic patterns an IDS can monitor, as well as some of the technology’s limitations. As a specific IDS example, you will take a
look at Internet Security Systems’ RealSecure. This includes operating system preparation, software installation, and how to configure RealSecure to check for specific types of vulnerabilities.
Chapter 9 looks at authentication and encryption. You will learn why strong authentication is
Read Chapter 10 to learn about virtual private networking (VPN), including when the deployment of a VPN makes sense and what options are available for deployment. As a specific example, you will
see how to use two FireWall-1 firewalls to create a VPN. You will also see before and after traces, so you will know exactly what a VPN does to your data stream.
Chapter 11 discusses viruses, Trojan horses, and worms. This chapter illustrates the differences between these applications and shows exactly what they can and cannot do to your systems. You will
see different methods of protection and some design examples for deploying prevention software.
Chapter 12 is all about disaster prevention and recovery, peeling away the different layers of your network to see where disasters can occur. The discussion starts with network cabling and works its
way inside your network servers. You’ll even look at creating redundant links for your WAN. The chapter ends by discussing the setup and use of Qualix Group’s clustering product OctopusHA+.
Novell’s NetWare operating system is featured in Chapter 13. In this chapter, you’ll learn about ways to secure a NetWare environment through user account settings, file permissions, and NDS design.
We’ll discuss the auditing features that are available with the operating system. Finally, you’ll look at what vulnerabilities exist in NetWare and how you can work around them.
Chapter 14 discusses Windows NT Server. You’ll look at designing a domain structure that will enhance your security posture, as well as how to use policies. We’ll discuss working with user
accounts, logging, and file permissions, as well as some of the password insecurities with Windows NT. Finally, you’ll read about the IP services available with NT and some of the security caveats in
deploying them.
Chapter 15 is all about UNIX. Specifically, you’ll see how to lock down a system running the Linux operating system. You’ll look at user accounts, file permissions, and IP services. This chapter
includes a detailed description of how to rebuild the operating system kernel to enhance security even further.
Ever wonder how an evil villain might go about attacking your network resources? Read Chapter 16, which discusses how attackers collect information, how they may go about probing for
vulnerabilities, and what types of exploits are available. You’ll also look at some of the canned software tools that are available to an attacker.
Chapter 17 shows you how you can stay informed about security vulnerabilities. This chapter describes the information available from both product vendors and a number of third-party resources.
Vulnerability databases, Web sites, and mailing lists are discussed. Finally, the chapter ends with a look at auditing your environment using Kane Security Analyst, a tool that helps you to verify that all
of your systems are in compliance with your security policy.
The book is specifically geared toward the individual who does not have ten years of experience in the security field—but is still expected to run a tight ship. If you are a security guru who is looking to
fill in that last five percent of your knowledge base, this may not be the book for you.
If, however, you are looking for a practical guide that will help you to identify your areas of greatest weakness, you have come to the right place. This book was written with the typical network or
system administrator in mind, those administrators who have a pretty good handle on networking and the servers they are expected to manage, but who need to find out what they can do to avoid being
victimized by a security breach.
Network security would be a far easier task if we could all afford to bring in a $350-per-hour security wizard to audit and fix our computer environment. For most of us, however, this is well beyond our
budget constraints. A strong security posture does not have to be expensive—but it does take time and attention to detail. The more holes you can patch within your networking environment, the harder
it will be for someone to ruin your day by launching a network-based attack.
If you have any questions or comments regarding any of the material in this book, feel free to e-mail me at cbrenton@sover.net.
CHAPTER 1 Why Secure Your Network?