Network security fundamentals
This is the first in (hopefully) a series of security articles. These
will mainly be aimed at web developers, but I hope they will be helpful
to anyone wanting to learn more about the subject.
As developers we are in a constant struggle – we are required to
make our applications as easy as possible for the user, but we must also
make them as hard as possible for hackers to crack. An important note
at this stage – traditionally hackers were good programmers, while
malicious programmers/hackers were known as crackers. Unfortunately, thanks
to Hollywood, crackers are now known as hackers. For the moment I shall
continue to call them crackers – feedback on this issue would be
A basic corporate network from a security standpoint:
Corporate networks should be behind a firewall. Any home PC that has a
permanent (broadband/ADSL) connection should also have at least
a software firewall such as ZoneAlarm (www.zonelabs.com). Firewalls basically
work as follows.
There are 3 areas to a firewall – Untrusted, Trusted and
DMZ (demilitarised zone).
The untrusted port takes in the connection to the outside world (eg ADSL
The DMZ is an area of your network containing servers which the
world can see; the most common example is your web server. Mail
relay servers also sit in this area.
The trusted area is the inside LAN of your network.
All your users sit in the trusted area. It is wise to use two totally
different IP address ranges and subnets on the DMZ and trusted areas
of the network (you have no choice on the Untrusted IP – this is
allocated by your ISP). This means that even if a cracker should manage
to compromise a machine in your DMZ, he will not have any information on
how you have set up the trusted area of your network. It is also wise
to have one administrator username and password for your trusted network,
and totally separate ones for each of your servers in the DMZ. Again,
should a cracker compromise an administrator username and password for
one web server, your other web servers in the DMZ will remain safe. However,
this should NEVER happen.
Prevention is better than cure – this cannot be over-emphasized
with network security.
Picture this – you have an e-commerce site, people are happily purchasing
goods through you, using their credit cards. Some malicious individual
finds that he can’t get in and steal any information on people using
your site, or their credit card details. He does however manage to place
his own index.htm page on your site containing a skull and crossbones,
and the words “You’ve been hacked!”. At this stage you
may as well close down shop. It doesn’t matter how much you try
to explain that no information was stolen – the bad press will destroy
you. And promising to improve security in the future will not help either;
the general public will have lost all confidence in your brand.
Initial Steps to protect your network:
Never have an account called administrator, guest, test or user. Remove
or disable the guest account immediately. Rename the administrator account
– but not to admin! Having too many usernames and passwords to remember
can cause slip-ups in itself, but fortunately the entire trusted side
only needs one administrator account. As I said above, it would be wise
to have separately named administrator accounts for each machine in the
DMZ area. These servers are the most likely to be attacked as they must
have at least one port open to the world (80 and 443 for a web server),
and when a window is open, someone determined enough will manage to find
a way in.
Find a reliable port scanner and scan for open ports from outside of
your network (eg. from home in the evenings). There are 65353 ports, with
the first 1024 known as common ports (they have something assigned to
them – if programming network software, always use a port above
1024). If one of these ports is open, there is a window in. Unfortunately,
to be useful, servers must have at least one port open. The main ones
we are concerned with in a DMZ are 80 (http), 443 (https – secure)
and 25 (smtp – for mail relay servers). All other ports should be closed
down. Unfortunately Windows tends to open many ports, in order to save
processing time should a program you run wish to use one of them. Nice
from a user point of view, really bad from a security point of view. Portscan
your network frequently from home, a friend's office, etc. If you find
open ports, close them down.
It is also necessary to scan both TCP and UDP ports. As many firms only
check that their TCP ports are closed, crackers will hide on the UDP ports
in order to break into your machines.
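To make the "scan from outside, then close what you don't need" step concrete, here is an added example in Python (it is not code from the article): a small TCP connect check, plus a comparison of whatever answers against the ports the article allows on a DMZ server (80, 443 and 25). The host and port range are arguments you supply; run it from outside your own network against your own address. UDP is left out on purpose, because a UDP probe that gets no reply cannot tell "open" from "filtered", so that half of the audit needs a dedicated UDP scanner and silence should be read as "unknown", not "closed".

```python
"""Check which TCP ports on a host accept connections and compare the result
with the ports that should be reachable on a DMZ server (80, 443, 25).

Added example, not code from the article. Run it from OUTSIDE your own
network against your own public address; host and port range are supplied
on the command line. UDP is deliberately not probed here (see the note
above): a silent UDP port is 'open or filtered', not 'closed'.
"""
import socket
import sys

# Ports the article expects to be open on a DMZ server: http, https, smtp.
DMZ_ALLOWED = {80, 443, 25}


def tcp_port_open(host, port, timeout=1.0):
    """True if a TCP connection to host:port completes the handshake."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return True
        except OSError:  # refused, timed out, unreachable: all count as closed
            return False


def scan_tcp(host, ports, timeout=1.0):
    """Return the sorted list of ports in `ports` that accepted a connection."""
    return sorted(p for p in ports if tcp_port_open(host, p, timeout))


def audit(open_ports, allowed=DMZ_ALLOWED):
    """Split observed open ports into expected, unexpected and missing.

    'unexpected' is the list to act on: each entry is a window the article
    warns about. 'missing' only means an allowed service is not listening.
    """
    open_ports = set(open_ports)
    return {
        "expected": sorted(open_ports & allowed),
        "unexpected": sorted(open_ports - allowed),
        "missing": sorted(allowed - open_ports),
    }


if __name__ == "__main__":
    # Usage: python port_audit.py <host> [first-last]   (range defaults to 1-1024)
    target = sys.argv[1]
    first, last = 1, 1024
    if len(sys.argv) > 2:
        first, last = (int(x) for x in sys.argv[2].split("-"))
    found = scan_tcp(target, range(first, last + 1), timeout=0.5)
    report = audit(found)
    print("open:", found)
    print("unexpected (close these):", report["unexpected"])
```

Repeat the run after every change to a server and keep the previous "open" list next to the new one; a port that appears between two runs is exactly the kind of thing the article says to look for.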
Another important thing is never to call your homepage index, default
or home. Set your web server to look for something else (eg. companynamehome.asp);
this way if a hacker does manage to copy his own version of index to your
web server, it won’t be displayed as your server will be looking
for something else.
Check your server logs daily. This is useful for a couple of reasons.
Firstly, you can see how many people use your site each day. You can use
reporting software (eg. Crystal Reports) to show this information in a
more friendly format than the text file your firewall provides. Also,
you will notice if someone is repeatedly looking for suspicious things
on your server – I regularly see requests for cmd.exe on our logs.
If someone can get to cmd.exe they have control over your machine. It
will not take long to learn to spot suspicious activity. Fortunately there
are things you can do about this – if you see an IP address constantly
requesting things that aren’t part of your web site, perform a whois
lookup on it. The easiest way to do this is to go to www.samspade.org
and enter the IP address in the IP Whois field. This will give you information
on which country the person is in, and who their ISP is. If this activity
continues, contact the ISP. They are then required to contact the person
and explain that cracking through their portal is not acceptable.
Checking your logs regularly in this way is your best defence against
crackers. If you can stop them before they get any useful information
about your network, they have no way in.
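The log review described above can be scripted so the suspicious requests stand out before you read the file by hand. The following is an added example in Python (not code from the article): it parses IIS-style W3C extended log lines, using the #Fields: header to name the columns, counts per client address the requests that either mention a watch-listed file such as cmd.exe or return 404, and lists the addresses that have earned a whois lookup. The log lines are constructed for the example and use documentation-only IP ranges; the threshold of three requests and the watch-list contents are assumptions to adjust to your own site.

```python
"""Find the 'repeatedly asking for things that are not on your site' pattern
in a web server log.

Added example, not code from the article. Input is IIS-style W3C extended
format, where a '#Fields:' header names the columns. SAMPLE_LOG below is
constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
"""
from collections import defaultdict

# Files the article singles out: a request for cmd.exe is never part of a
# normal web site. Extend this with whatever you see recurring in your logs.
WATCH_LIST = ("cmd.exe",)

SAMPLE_LOG = """\
#Software: constructed sample, not a real server log
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-09-18 10:03:11 198.51.100.7 GET /companynamehome.asp 200
2001-09-18 10:03:15 203.0.113.45 GET /scripts/cmd.exe 404
2001-09-18 10:03:16 203.0.113.45 GET /winnt/system32/cmd.exe 404
2001-09-18 10:03:16 203.0.113.45 GET /cgi-bin/cmd.exe 404
2001-09-18 10:04:02 198.51.100.7 GET /products.asp 200
2001-09-18 10:05:40 198.51.100.9 GET /oldpage.asp 404
2001-09-18 10:06:01 203.0.113.45 GET /index.htm 404
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in '#Fields:'."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no request
        if fields is None:
            raise ValueError("log has no #Fields: header before its first data line")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misattribute columns
        yield dict(zip(fields, values))


def is_suspicious(entry):
    """A request is suspicious if it names a watch-listed file or returned 404."""
    uri = entry.get("cs-uri-stem", "").lower()
    return any(token in uri for token in WATCH_LIST) or entry.get("sc-status") == "404"


def count_suspicious(text):
    """Map client IP -> number of suspicious requests it made."""
    counts = defaultdict(int)
    for entry in parse_w3c(text):
        if is_suspicious(entry):
            counts[entry["c-ip"]] += 1
    return dict(counts)


def ips_to_investigate(text, threshold=3):
    """Addresses with at least `threshold` suspicious requests: do a whois on these."""
    return sorted(ip for ip, n in count_suspicious(text).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in sorted(count_suspicious(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} {n} suspicious request(s)")
    print("investigate:", ips_to_investigate(SAMPLE_LOG))
```

A single 404 (198.51.100.9 above) is usually a stale bookmark, which is why the threshold exists; a run of requests for cmd.exe in different directories from one address is the pattern worth reporting to the ISP.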
Early vigilance will save you a lot of headaches and your firm a lot
The methods above are just a sample of the ways you can avoid huge losses.
Fortunately people are becoming more aware of the benefits of proper network
security. The methods of programming you use can also have a huge impact
on whether crackers can abuse your site or not. My next article will focus
on these methods.
In closing I would like to say that my eyes were only opened to the importance
of tight network security 6 months ago. What I found most amazing is that
most crackers are not highly sophisticated individuals with great understanding
of computer systems. The majority are “script kiddies” –
13 year olds who have downloaded free network security tools such as port
scanners and merely learnt to run them, without any understanding of how
they work. When the scanner alerts them to a vulnerability they go in
and graffiti the site – they have little or no interest in stealing
your data. Unfortunately, their graffiti is often enough to bring a good
firm down. When I realised this, I decided that from that point onwards
I wanted to have total control of my site, rather than leaving it at the
mercy of such individuals. It seems to me that the best way to accomplish
this is for developers to share information the same way crackers do.