In a previous article, I talked about what makes a hacker tick. Obviously, knowing how the hacker’s mind works is only half of the battle. You must also know your network inside and out, identify its vulnerable points, and take the necessary steps to protect it. This article will look at some tips and tools administrators can use to prevent those vulnerabilities.
Diagram your network
You should begin by diagramming the topology of your network. You can do this with a sophisticated tool such as Visio, or you can use a less complex tool such as Word. Simpler yet, you can draw it by hand. Once you’ve diagrammed your network, identify all the machines that are connected to the Internet, including routers, switches, servers, and workstations. Then, evaluate the security precautions in place on those machines. You want to pay close attention to machines that have a public IP address on the Internet, since they’re the ones that will be scanned by hackers.
Always-on means always-vulnerable
Currently, the greatest security vulnerability is always-on Internet access using static IP addresses. With always-on access and a static IP you are like a big bull’s-eye sitting on the Internet waiting to get hit. The question is, once hackers get into your network, can they do any damage, or will they be frustrated and move on to the next target?
If you have an always-on Internet connection, hopefully you already have a basic security policy and firewall in place on your network. If you have a Web server, mail server, and/or other servers constantly connected to the Internet, your security responsibilities are even greater. Because the Internet is built upon the TCP/IP protocol, many hacker attacks will seek to exploit the TCP ports of these servers with public IP addresses. A number of common ports are scanned and attacked:
- FTP (21)
- Telnet (23)
- SMTP (25)
- DNS (53)
- HTTP (80)
- POP3 (110)
- NNTP (119)
- IMAP (143)
- SNMP (161)
You need to identify whether your servers are listening on any of these ports, because the services behind them are the ones hackers most commonly probe and attack.
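The check the paragraph above asks for, as an added example that is not part of the original article: it parses the output of the Linux `ss -ltn` listing (a constructed sample is embedded so it runs offline), reports which of the ports in the list above are listening, and distinguishes sockets bound to all interfaces (reachable from the Internet) from loopback-only ones. The `live_audit` helper, which shells out to `ss`, is an assumption about the host it runs on.

```python
"""Inventory of listening TCP ports, checked against the article's list."""
import re
import subprocess

# Services the article lists as commonly scanned and attacked (port -> name)
WATCHED_PORTS = {
    21: "FTP", 23: "Telnet", 25: "SMTP", 53: "DNS", 80: "HTTP",
    110: "POP3", 119: "NNTP", 143: "IMAP", 161: "SNMP",
}

# Constructed sample of `ss -ltn` output (not captured from a real host)
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:25         0.0.0.0:*
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     0.0.0.0:23           0.0.0.0:*
LISTEN  0       128     [::]:143             [::]:*
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
"""

# State, Recv-Q, Send-Q, then "address:port" of the local socket
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_listeners(ss_output):
    """Return a list of (address, port) for every LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2))))
    return listeners


def is_exposed(address):
    """True when the socket is bound to something other than loopback."""
    return address not in ("127.0.0.1", "[::1]", "localhost")


def audit(ss_output):
    """Map each watched port found listening to (scope, service name).

    scope is "exposed" (bound to a non-loopback address) or "local-only".
    If the same port is bound both ways, the exposed binding is reported.
    """
    findings = {}
    for address, port in parse_listeners(ss_output):
        if port not in WATCHED_PORTS:
            continue
        scope = "exposed" if is_exposed(address) else "local-only"
        if findings.get(port, (None,))[0] != "exposed":
            findings[port] = (scope, WATCHED_PORTS[port])
    return findings


def live_audit():
    """Run the same audit on this host (assumes the `ss` tool is installed)."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True,
                         check=True).stdout
    return audit(out)


if __name__ == "__main__":
    for port, (scope, name) in sorted(audit(SAMPLE_SS_OUTPUT).items()):
        print(f"{name:7s} {port:5d}  {scope}")
```

On the sample, SMTP shows up as local-only while Telnet, HTTP and IMAP are exposed; the exposed entries are the ones to compare against what the firewall is supposed to allow. A service bound only to loopback is not reachable from the Internet even though the port is in the list.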
Ways to protect the network
There are a number of ways to compensate for these vulnerabilities. First, you can implement firewall filtering. One of the best protections against port attacks is a firewall that does dynamic packet filtering, also called a stateful inspection firewall. These firewalls open and close ports on an as-needed basis, rather than permanently leaving a port open where it can be identified by one of the hackers’ port scans and then exploited.
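To make the difference concrete, here is a toy model of the two filter types, added as an example and not taken from the article or from any real firewall product. A stateless filter has no memory, so to let replies to the server’s own outbound connections back in it must permanently allow a whole range of high ports, and a scan of one of those ports gets through. The stateful filter records each flow as it starts and admits an inbound packet only if it belongs to a known flow or opens a new connection to a served port. All addresses are constructed documentation addresses.

```python
"""Toy model: static allow rules versus stateful inspection."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False      # True for the first packet of a new TCP connection
    inbound: bool = True   # True when the packet comes from the Internet to us


SERVER = "203.0.113.10"            # constructed address of our Web server
EPHEMERAL = range(32768, 61000)    # client-side source ports the OS hands out


class StatelessFilter:
    """Permanent allow rules only; no memory of connections."""

    def __init__(self, allowed_inbound_ports):
        self.allowed = set(allowed_inbound_ports)

    def accept(self, p):
        if not p.inbound:
            return True
        return p.dport in self.allowed


class StatefulFilter:
    """New inbound connections only to served ports; any other inbound packet
    must belong to a flow the filter has already seen."""

    def __init__(self, served_ports):
        self.served = set(served_ports)
        self.flows = set()    # (remote_ip, remote_port, local_port)

    def accept(self, p):
        if not p.inbound:
            # Outbound packet: remember the flow so its replies can come back
            self.flows.add((p.dst, p.dport, p.sport))
            return True
        key = (p.src, p.sport, p.dport)
        if key in self.flows:
            return True
        if p.syn and p.dport in self.served:
            self.flows.add(key)
            return True
        return False


def run_scenario(fw):
    """Push the same five packets through a filter and record each verdict."""
    results = {}
    # 1. A client opens a connection to our Web server
    results["http_syn"] = fw.accept(Packet("198.51.100.7", 51515, SERVER, 80, syn=True))
    # 2. Our server makes an outbound DNS lookup over TCP from an ephemeral port
    fw.accept(Packet(SERVER, 40000, "198.51.100.5", 53, syn=True, inbound=False))
    # 3. The DNS server's reply to that lookup
    results["dns_reply"] = fw.accept(Packet("198.51.100.5", 53, SERVER, 40000))
    # 4. An unrelated host probes the same ephemeral port
    results["probe_40000"] = fw.accept(Packet("192.0.2.66", 4444, SERVER, 40000, syn=True))
    # 5. An unsolicited Telnet connection attempt
    results["telnet_syn"] = fw.accept(Packet("192.0.2.66", 4445, SERVER, 23, syn=True))
    return results


if __name__ == "__main__":
    # The stateless filter must leave the whole ephemeral range open for replies
    print("stateless:", run_scenario(StatelessFilter({80} | set(EPHEMERAL))))
    print("stateful: ", run_scenario(StatefulFilter({80})))
```

Both filters block the Telnet attempt and pass the Web connection and the DNS reply; the difference is packet 4, which the stateless filter accepts because port 40000 sits inside the permanently open range, while the stateful filter drops it because no flow to that port exists.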
You can also analyze your system log files in order to track hacker activity; Lance Spitzner has written an excellent paper on this subject. A third option is to install an intrusion detection program that will do much of the log file examination for you. Several intrusion detection programs are available.
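One piece of the log analysis described above, added here as an example that is not from the article or from Spitzner’s paper: a port scan shows up in firewall logs as one source touching many different destination ports in a short time, whereas a legitimate client hits one or two. The code parses constructed lines in the style of a Linux netfilter kernel log (the hostname, addresses and timestamps are made up), computes for each source the largest number of distinct destination ports seen inside a sliding window, and flags sources over a threshold; the window and threshold values are assumptions to tune for your own traffic.

```python
"""Flag sources that touch many distinct ports within a time window."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of a netfilter log (not real traffic)
SAMPLE_LOG = """\
Jun 14 02:11:01 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.66 DST=203.0.113.10 PROTO=TCP SPT=4444 DPT=21
Jun 14 02:11:01 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.66 DST=203.0.113.10 PROTO=TCP SPT=4445 DPT=23
Jun 14 02:11:02 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.66 DST=203.0.113.10 PROTO=TCP SPT=4446 DPT=25
Jun 14 02:11:02 gw kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=51515 DPT=80
Jun 14 02:11:03 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.66 DST=203.0.113.10 PROTO=TCP SPT=4447 DPT=53
Jun 14 02:11:03 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.66 DST=203.0.113.10 PROTO=TCP SPT=4448 DPT=110
Jun 14 02:11:04 gw kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=51516 DPT=80
Jun 14 02:11:04 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.66 DST=203.0.113.10 PROTO=TCP SPT=4449 DPT=143
Jun 14 02:11:05 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=51517 DPT=443
Jun 14 02:11:05 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.66 DST=203.0.113.10 PROTO=TCP SPT=4450 DPT=161
"""

# syslog timestamp, host, "kernel:", verdict, then the SRC= and DPT= fields
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (\w+) .*?SRC=(\S+) .*?DPT=(\d+)"
)


def parse(log_text):
    """Return (timestamp, verdict, source_ip, dest_port) for each matching line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog lines carry no year; only the differences between times matter
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return events


def port_spread(events, window_seconds=60):
    """For each source, the most distinct destination ports seen in any window."""
    by_src = defaultdict(list)
    for ts, _verdict, src, dport in events:
        by_src[src].append((ts, dport))
    peak = {}
    for src, hits in by_src.items():
        hits.sort()
        best = 0
        for i, (t_end, _) in enumerate(hits):
            # Ports hit in the window ending at this event
            ports = {p for t, p in hits[:i + 1]
                     if (t_end - t).total_seconds() <= window_seconds}
            best = max(best, len(ports))
        peak[src] = best
    return peak


def flag_scanners(events, window_seconds=60, min_ports=5):
    """Sources whose port spread reaches the threshold, sorted by address."""
    spread = port_spread(events, window_seconds)
    return sorted(src for src, n in spread.items() if n >= min_ports)


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for src, n in sorted(port_spread(ev).items()):
        print(f"{src:15s} {n} distinct ports")
    print("flagged:", flag_scanners(ev))
```

On the sample, the source that walks through seven of the ports in the list above is flagged, while the client that only touched 80 and 443 is not. Counting distinct ports rather than total hits is what keeps a busy but legitimate Web client from tripping the rule.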
Seeing what the hacker sees
In addition to protecting against the well-known vulnerabilities, you need to see what the hacker sees when he looks at your network. The best way I’ve found to do this is to use nmap, a program that gives you a look at your network from a hacker-like perspective. A company called eEye has released a new version of this program for Windows NT. The company also offers an industrial-strength network security scanner called Retina, which helps discover and fix known and unknown vulnerabilities. This is an expensive, yet valuable, product.
A Linux version of nmap is also available.
Hackers also often exploit security flaws in the software itself, using these behind-the-scenes defects to gain access to your system. Thus, you should take stock of all the software running on your Internet-exposed systems. Go to the Web sites of the vendors that make each of the software packages and bookmark the page that has updates and patches for that software. You’ll want to check these sites regularly and always keep your software up-to-date with the latest patches. Some companies even have services that will e-mail you whenever there’s a new update or patch.
Security expert Web sites
In addition to staying on top of your vendors’ security updates and patches, you should also stay current on the security risks and problems that are identified by security experts in the industry. Often, vulnerabilities may become known long before a vendor issues a patch. Therefore, your systems could be vulnerable for a period during which the hackers may know about it, but you don’t. Two Web sites that will keep you informed are L0pht.com and 403-security.org.