Types of attack and protocols

an article added by: Maria T. at 11202007



Phishing, a relatively new information-gathering technique, is spreading and becoming more sophisticated. Phishing e-mails either ask the victim to fill out a form or direct them to a Web page designed to look like a legitimate banking site. The victim is asked for personal information such as credit card numbers, social security number, or other data that can then be used for identity theft. There has been at least one insidious phishing scheme that uses a Secure Sockets Layer (SSL) certificate so that the data you give to the hacker is safely encrypted on the network.

Vengeful Hackers

Hackers motivated by the desire for revenge are also dangerous. Vengeance seeking is usually based on strong emotions, which means that these hackers could go all-out in their efforts to sabotage your network. Examples of hackers or security saboteurs acting out of revenge include:

- Former employees who are bitter about being fired or laid off, or who quit their jobs under unpleasant circumstances.

- Current employees who feel mistreated by the company, especially those who are planning to leave soon.

- Current employees who aim to sabotage the work of other employees due to internal political battles, rivalry over promotions, and the like.

- Outsiders who have grudges against the company, such as dissatisfied customers or employees of competing companies who want to harm or embarrass the company.

- Outsiders who have personal grudges against someone who works for the company, such as employees’ former girlfriends or boyfriends, spouses going through a divorce, and other relationship-related problems.

Luckily, the intruders in this category are generally less technically talented than those in the other two groups, and their emotional involvement could cause them to be careless and take outrageous chances, which makes them easier to catch.

Back to Basics: Transmission Control Protocol/Internet Protocol

Transmission Control Protocol/Internet Protocol (TCP/IP) is the network protocol that pushes data around the Internet. (Other protocols you may have heard of are Windows NetBEUI, Mac AppleTalk, and Novell IPX/SPX; however, none of these concern us.) You don’t need to understand the intricacies of TCP/IP; however, a basic understanding will make your firewall deployment much easier. TCP/IP is based on the idea that data is sent in packets, similar to putting a letter in an envelope. Each packet contains a header that contains routing information concerning where the packet came from and where it is going (similar to the address and return address on an envelope), and the data itself (the letter contained in the envelope). The IP header is made up of the following fields:

- Version: Indicates the version of IP currently used.

- IP Header Length (IHL): Indicates the datagram header length in 32-bit words.

- Type of Service: Specifies how an upper-layer protocol wants a current datagram to be handled, and assigns various levels of importance to datagrams.

- Total Length: Specifies the length, in bytes, of the entire IP packet, including the data and header.

- Identification: Contains an integer that identifies the current datagram. This field is used to help piece together datagram fragments.

- Flags: Consists of a 3-bit field of which the two low-order (least significant) bits control fragmentation. The low-order bit specifies whether the packet can be fragmented. The middle-order bit specifies whether the packet is the last fragment in a series of fragmented packets. The third or high-order bit is not used.

- Fragment Offset: Indicates the position of the fragment’s data relative to the beginning of the data in the original datagram, which allows the destination IP process to properly reconstruct the original datagram.

- Time-to-live: Maintains a counter that gradually decrements down to zero, at which point the datagram is discarded. This keeps packets from looping endlessly.

- Protocol: Indicates which upper-layer protocol receives incoming packets after IP processing is complete.

- Header Checksum: Helps ensure IP header integrity.

- Source Address: Specifies the sending node.

- Destination Address: Specifies the receiving node.

- Options: Allows IP to support various options, such as security.

- Data: Upper-layer information.

TCP/IP Header

The “envelope” or header of a packet contains a great deal of information, only some of which is of interest to firewall administrators, who are primarily interested in source and destination addresses and port numbers. Only application proxies deal with the data section.

There is also a group of IP addresses known as self-assigned addresses, which range from 169.254.0.0 to 169.254.255.255. These addresses are used by the OS when no other address is available, making it possible to connect to a computer on a network that doesn’t automatically assign addresses through Dynamic Host Configuration Protocol (DHCP) and where there are no valid static IP addresses that can be typed into the network configuration. All routers, switches, firewalls, and other appliances are designed to stop these addresses.

One address is reserved as the loopback address. Address 127.0.0.1 refers to the machine itself, and is generally used to confirm that the TCP/IP protocol is correctly installed and functioning on the machine.

Networks 224.0.0.0 to 254.255.255.255 are reserved for special testing and applications. While Internet-routable, the standard organization or individual does not generally use them. The Class D network provides multicast capabilities. A multicast is when a group of IP addresses is defined in such a way as to permit individual packets to have a destination address of all the machines in the group, rather than a single machine.

Class E is for research by particular organizations and has limited broadcast capabilities. A broadcast is when a single device sends out a packet that has no particular recipient. Instead, it goes to every machine on the subnet. On standard (non-Class E) networks, this is defined by address 255.255.255.255. The Class E network is different and is not accessible to devices on the other classes of networks. While there are legitimate uses for broadcasts (e.g., obtaining a DHCP address), we want to keep them to a minimum. To this end, all routers and firewalls block broadcasts by default. Too many broadcasts will slow network performance to a crawl.

Every device on the Internet must have a unique IP address. If a device has a valid IP address (i.e., not a private, non-routable address or self-assigned address) and is not behind a firewall, it is available for connection to any other device on the Internet. A computer in Berlin can print to a printer in London. A mail server in Chicago can deliver e-mail directly to a machine in Singapore. This ubiquitous communication and ability to transfer data directly from one machine to another is what makes the Internet so powerful. It is also what makes it so dangerous. It is impossible to stress strongly enough that no machine on the public Internet is hidden. No machine is safe from detection.

Firewalls are the only method of safely hiding a device on a private network while still providing access to the Internet as a whole. Firewalls are able to hide a device by doing address translation. Address translation is when firewalls convert a valid Internet address to a private address on a private subnet. Almost all firewalls do this type of address translation, which has several advantages:

- An Additional Layer of Security: Without the firewall in place to do the translations, Internet addresses can’t communicate with the private network and vice versa.

- Expansion of Available IP Addresses: Not every device in your organization needs to be accessible from the Internet. User workstations require access to the Internet, but do not need to have incoming traffic originating on the Internet. They only require responses to inquiries sent out. Most firewalls handle this by converting every internal address to a single, Internet-routable address. This address is usually the address of the firewall itself, but does not necessarily have to be.

- Ability to Completely Hide a Device from the Internet: Is it necessary to have your printers available to the Internet? Does that Web server that is only available to employees at their desks need to have an Internet address? The answer to both questions is probably “no.” With a firewall capable of address translation, both of these examples can be assigned a private address with no translation to the outside. The device is hidden from anyone on the public Internet and is completely inaccessible.

IP Half-scan Attack

Half scans, also called half-open scans or Finish Packet (FIN) scans, attempt to avoid detection by sending only initial or final packets rather than establishing a connection. Every IP connection starts with a Synchronous (SYN) packet from the connecting computer. The responding computer replies with a SYN/Acknowledgement (ACK) packet, which acknowledges the original packet and establishes the communication parameters. SYN/ACK continues until the end of the communication, when a FIN packet is sent and the connection is broken. A half scan starts the SYN/ACK process with a targeted computer but does not complete it. Software that conducts half scans, such as Jakal, is called a stealth scanner. Many port-scanning detectors are unable to detect half scans.
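A defender-side check for the behaviour described above, run over a constructed firewall log (this is an added example, not code or data from the article): it separates completed three-way handshakes from SYNs that were never followed by the client’s ACK, and from bare FINs that belong to no connection, then reports sources that probed several distinct ports that way.

```python
from collections import defaultdict

# Constructed firewall log (not from the article): time, src, dst, dst port, TCP flags.
# S = SYN, SA = SYN/ACK, A = ACK, F = FIN. 192.168.10.20 is the protected server.
SAMPLE_LOG = """\
10:00:01 198.51.100.7 192.168.10.20 22 S
10:00:01 192.168.10.20 198.51.100.7 22 SA
10:00:01 198.51.100.7 192.168.10.20 22 A
10:00:02 203.0.113.9 192.168.10.20 21 S
10:00:02 203.0.113.9 192.168.10.20 22 S
10:00:02 203.0.113.9 192.168.10.20 23 S
10:00:02 203.0.113.9 192.168.10.20 25 S
10:00:02 203.0.113.9 192.168.10.20 80 S
10:00:02 203.0.113.9 192.168.10.20 443 S
10:00:03 192.0.2.44 192.168.10.20 135 F
10:00:03 192.0.2.44 192.168.10.20 139 F
10:00:03 192.0.2.44 192.168.10.20 445 F
10:00:03 192.0.2.44 192.168.10.20 3389 F
10:00:03 192.0.2.44 192.168.10.20 8080 F
"""

def detect_scans(log: str, threshold: int = 5) -> dict:
    """Flag sources with at least `threshold` distinct ports probed by a SYN that was
    never completed (half-open) or by a FIN with no preceding connection (FIN scan).
    Returns {source: (kind, number_of_ports)}."""
    state = {}                                   # (client, server, port) -> "syn" | "open"
    fin_only = defaultdict(set)                  # client -> ports hit by a bare FIN
    for line in log.splitlines():
        _ts, src, dst, port, flags = line.split()
        key = (src, dst, int(port))
        if "S" in flags and "A" not in flags:    # client's opening SYN (SYN/ACK is the server's reply)
            state.setdefault(key, "syn")
        elif flags == "A" and state.get(key) == "syn":
            state[key] = "open"                  # third step of the handshake: a real connection
        elif "F" in flags and key not in state:
            fin_only[src].add(int(port))         # FIN for a connection that was never set up
    half_open = defaultdict(set)
    for (client, _server, port), st in state.items():
        if st == "syn":
            half_open[client].add(port)
    findings = {}
    for client, ports in half_open.items():
        if len(ports) >= threshold:
            findings[client] = ("half-open", len(ports))
    for client, ports in fin_only.items():
        if len(ports) >= threshold:
            findings[client] = ("fin-scan", len(ports))
    return findings

if __name__ == "__main__":
    for src, (kind, count) in detect_scans(SAMPLE_LOG).items():
        print(f"{src}: {kind} against {count} ports")
```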

IP Spoofing

IP spoofing involves changing the packet headers of a message to indicate that it came from an IP address other than the true source. The spoofed address is normally a trusted port that allows a hacker to get a message through a firewall or router that would otherwise be filtered out. Modern firewalls protect against IP spoofing. Hackers use spoofing whenever it is beneficial for one machine to impersonate another. It is often used in combination with another type of attack (e.g., a spoofed address is used in the SYN flood attack to create a “half-open” connection; the client never responds to the SYN/ACK message, because the spoofed address is that of a computer that is down or doesn’t exist). Spoofing is also used to hide the true IP address of the attacker in ping of death, teardrop, and other attacks. IP spoofing can be prevented using source address verification on your firewall.
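The source address verification mentioned above, combined with the address families described under “TCP/IP Header” (self-assigned, loopback, multicast, Class E and broadcast), as an added example that is not part of the article. The inside network 192.168.10.0/24 and the interface names are assumptions for the example; the address ranges themselves are the standard ones.

```python
import ipaddress

# Assumed topology for the example: one private LAN behind the firewall.
INSIDE_NET = ipaddress.ip_network("192.168.10.0/24")
# Address families that should never appear as a source on a forwarded packet.
SELF_ASSIGNED = ipaddress.ip_network("169.254.0.0/16")   # 169.254.0.0 - 169.254.255.255
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")           # contains 127.0.0.1
MULTICAST = ipaddress.ip_network("224.0.0.0/4")          # Class D
RESERVED_E = ipaddress.ip_network("240.0.0.0/4")         # Class E
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(addr: str) -> str:
    """Name the family an IPv4 address belongs to (broadcast checked first: it is also inside 240/4)."""
    ip = ipaddress.ip_address(addr)
    if ip == LIMITED_BROADCAST:
        return "broadcast"
    if ip in LOOPBACK:
        return "loopback"
    if ip in SELF_ASSIGNED:
        return "self-assigned"
    if ip in MULTICAST:
        return "multicast"
    if ip in RESERVED_E:
        return "class-e"
    if any(ip in net for net in PRIVATE):
        return "private"
    return "public"

def ingress_verdict(iface: str, src: str, dst: str) -> tuple:
    """Source address verification for a packet arriving on `iface`
    ('outside' faces the Internet, 'inside' faces the LAN). Returns (verdict, reason)."""
    src_class = classify(src)
    if src_class in ("broadcast", "loopback", "self-assigned", "multicast", "class-e"):
        return "drop", f"source address is {src_class}"
    if classify(dst) == "broadcast":
        return "drop", "broadcast is not forwarded across the firewall"
    src_ip = ipaddress.ip_address(src)
    if iface == "outside" and (src_ip in INSIDE_NET or src_class == "private"):
        return "drop", "spoofed: packet from the Internet claims an internal or private source"
    if iface == "inside" and src_ip not in INSIDE_NET:
        return "drop", "spoofed: packet from the LAN does not carry a LAN source"
    return "accept", "source address is plausible for this interface"

if __name__ == "__main__":
    for pkt in (("outside", "192.168.10.5", "203.0.113.4"),   # LAN address arriving from outside
                ("outside", "198.51.100.9", "192.168.10.20"),
                ("inside", "10.9.9.9", "198.51.100.9")):
        print(pkt, "->", ingress_verdict(*pkt))
```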

Denial of Service Attacks

In February 2000, massive DoS attacks brought down several of the biggest Web sites, including Yahoo.com and Buy.com. DoS attacks are a popular choice for Internet hackers who want to disrupt a network’s operations. The objective of DoS attackers is to bring down the network, thereby denying service to its legitimate users. DoS attacks are easy to initiate, because software is readily available from hacker Web sites and warez newsgroups that allows anyone to launch a DoS attack with little or no technical expertise.

NOTE

Warez is a term used by hackers and crackers to describe bootlegged software that has been “cracked” to remove copy protections and made available by software pirates on the Internet, or in its broader definition, to describe any illegally distributed software.

The purpose of a DoS attack is to render a network inaccessible by generating a type or amount of network traffic that will crash the servers, overwhelm the routers, or otherwise prevent the network’s devices from functioning properly. DoS can be accomplished by tying up the server’s resources (e.g., by overwhelming the central processing unit (CPU) and memory resources). In other cases, a particular user or machine can be the target of DoS attacks that hang up the client machine and require it to be rebooted.

NOTE

DoS attacks are sometimes referred to in the security community as nuke attacks.

Distributed DoS (DDoS) attacks use intermediary computers (called agents) on which programs (called zombies) have previously been surreptitiously installed, usually by a virus or Trojan (see below). The hacker activates these zombie programs remotely, causing the intermediary computers (which can number in the hundreds or even thousands) to simultaneously launch the actual attack. Because the attack comes from the computers running the zombie programs, which could potentially be on networks anywhere in the world, the hacker is able to conceal the true origin of the attack. It is important to note that DDoS attacks pose a two-layer threat. Not only could your network be the target of a DoS attack that crashes your servers and prevents incoming and outgoing traffic, but your computers could be used as the “innocent middlemen” to launch a DoS attack against another network or site.

The Domain Name Server (DNS) DoS attack exploits the difference in size between a DNS query and a DNS response, in which all of the network’s bandwidth is tied up by bogus DNS queries. The attacker uses the DNS servers as “amplifiers” to multiply the DNS traffic. The attacker begins by sending small DNS queries to each DNS server, which contain the spoofed IP address of the intended victim (see “IP Spoofing” in this article). The responses returned to the small queries are much larger in size, so if there are a large number of responses returned at the same time, the link will become congested and DoS will take place. One solution to this problem is for administrators to configure DNS servers to answer with a “refused” response (which is much smaller than a name resolution response) when they receive DNS queries from suspicious or unexpected sources.

Source-routing Attack

TCP/IP supports source routing, which is a means to permit the sender of network data to route the packets through a specific point on the network. There are two types of source routing:

- Strict Source Routing: The sender of the data can specify the exact route (rarely used).

- Loose Source Record Route (LSRR): The sender can specify certain routers (hops) through which the packet must pass.

The source route is an option in the IP header that allows the sender to override routing decisions normally made by the routers between the source and destination machines. Network administrators use source routing to map the network or to troubleshoot routing and communications problems. It can also be used to force traffic through a route that will provide the best performance. Unfortunately, hackers can also exploit source routing. If the system allows source routing, an intruder can use it to reach private internal addresses on the Local Area Network (LAN) (normally not reachable from the Internet), by routing the traffic through another machine that is reachable from both the Internet and the internal machine. Source routing should be, and on most routers is, disabled to prevent this type of attack. If it is not disabled on your router, disable it now.
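The header fields listed under “Back to Basics” and the source-route option described in this section, decoded from a constructed IPv4 header. This is an added example, not code from the article: the addresses, identification value and payload length are made up, while the option type codes (131 for loose source route, 137 for strict source route) are those assigned in RFC 791. A firewall that sees `source_routed` set can drop the packet regardless of its addresses.

```python
import socket
import struct

LSRR, SSRR = 131, 137   # IP option type codes for loose and strict source route (RFC 791)

def checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used for the IP header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                                  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_header(src, dst, payload_len, options=b"", ttl=64, proto=6, ident=0x1C46, df=True):
    """Build a constructed IPv4 header with a correct checksum (test data, not a real capture)."""
    options += b"\x00" * (-len(options) % 4)            # pad options to whole 32-bit words
    ihl = 5 + len(options) // 4                         # header length in 32-bit words
    flags_frag = 0x4000 if df else 0                    # DF flag set, fragment offset 0
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + payload_len,
                      ident, flags_frag, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst)) + options
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def parse_header(raw: bytes) -> dict:
    """Decode the fields the article lists and note anything a firewall should act on."""
    vihl, tos, total, ident, ff, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = vihl & 0x0F
    hdr = raw[:ihl * 4]
    info = {
        "version": vihl >> 4, "ihl_words": ihl, "tos": tos, "total_length": total,
        "identification": ident,
        "flags": {"reserved": bool(ff & 0x8000), "df": bool(ff & 0x4000), "mf": bool(ff & 0x2000)},
        "fragment_offset": ff & 0x1FFF, "ttl": ttl, "protocol": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "checksum_ok": checksum(hdr) == 0,              # a header summed with its own checksum gives 0
        "source_routed": False,
    }
    # Walk the options area: each option is type, length, data; types 0 and 1 are single bytes.
    i = 20
    while i < len(hdr):
        otype = hdr[i]
        if otype == 0:                                  # end of options list
            break
        if otype == 1:                                  # no-operation padding
            i += 1
            continue
        olen = hdr[i + 1]
        if otype in (LSRR, SSRR):
            info["source_routed"] = True
        i += max(olen, 2)                               # guard against a zero length looping forever
    return info
```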
