Recently, a new law was passed in the United Kingdom that gives police the
power to detain suspects for 48 hours without a warrant. The Terrorism Act
of 2000 recognizes the growing threat of cyber terrorists for the first
time, and was designed to prevent dissident political groups from using the
U.K. as a base of online terrorism.
Personally, I wasn't too surprised by this law, especially in light of
the latest wave of terrorists defacing Web sites worldwide. There is even a
new term used to describe those people this law is supposed to affect --
"Hacktivists" are politically motivated hackers bent on destroying
or defacing Web sites for political reasons.
Computer attacks are on the rise and these types of attacks are growing
to menacing levels. Do you remember when viruses were the only threat we had
to deal with? Now organizations from Microsoft to NSA are being hacked...
Their systems are either being defaced or driven to crash through the use of
SYN flood and ping-of-death attacks. (Please see the sidebar entitled SYN
Flood Versus Ping-of-Death for more information.)
Top Layer Networks
I recently spoke with executives from Top
Layer Networks, a company that specializes in helping companies provide
network security as well as providing secure QoS on the networks of service
providers and corporate customers. During the course of our discussion, we
explored the various levels of vulnerability a company has to be aware of
such as VPNs, IP telephony, and DCOM -- all of which punch holes in
protective firewalls.
Negligence And Liability
Perhaps a scarier notion than having a hacker break into your network and
crash some of your servers or delete some files is the potential for
lawsuits driven by what courts may consider corporate negligence. Stolen
credit card information, medical records, and other sensitive information
from your network can be used to damage your customers in many ways,
including online impersonation. A Top Layer representative summed it up
aptly, "Just take all the ways that people can be evil and multiply
these by the speed of the computer and network bandwidth!" They think
we are at the infancy of legality issues underlying these cases; and this
area will most likely drive a new branch of the legal profession.
Perhaps the worst thing that you can do is put your head in the sand for
security while a hacking war is waged overhead. Anyone can be a target,
including the above-mentioned NSA and Microsoft, as well as many other large
corporations. Unfortunately for legitimate businesses, hackers continuously
conduct random Web searches looking for systems with weaknesses that they
can exploit. Remember a VPN is still only "virtual" -- you just
can't have a false sense of security about security!
Why is it getting harder to protect ourselves? Two words -- network
convergence -- point to the heart of the problems we'll all face securing
our networks in the future. Openness is great...at least until you realize
that your most sensitive data can be tapped into in myriad ways as it
travels along any number of network routes.
Beyond just open networks, consider that the more complex the software
and network infrastructure is, the more inadvertent holes that open up.
Companies that frequently change software revs are at a great risk. Even
though many companies such as Microsoft, SUN, and Linux maintain great Web
sites explaining all the latest security holes and packages, it is hard for
many companies to continually check these and other sites, and then quickly
patch the systems in time to ward off security issues. Does your network
have the latest patch for Outlook? Bind? VBScript? JavaScript? You'd better
hope so.
Protecting Yourself From You
Just when you thought it was safe to fire up your new firewall, logoff,
and leave your network, an entirely new wave of attacks, which originate
within the heart of your network, are becoming more common. The simple fact
is that you have just as many vulnerabilities leaving your network as you do
when entering. Let's say someone on your network wants to get even with
someone else beyond your network? It has become increasingly easy for that
person to start a DoS attack against your competitor or against a personal
enemy. Can your workers send out intentional viruses to effect internal and
external computers and networks? Are you making sure this can't be done on
your network? How good is your anti-virus software?
Security Is A Journey, Not A Destination
Top Layer stresses that computer security is a process similar to security
in the real world where one takes precautions like buying insurance, being
careful when and where to go out at night, using travelers checks, etc. --
one needs to have the appropriate protections for appropriate resources. The
need for monitoring your internal and external security levels never ends;
hackers are always working to hack systems.
Does A Firewall Fully Protect You?
According to Top Layer, firewalls are a piece of the puzzle that has
inherent weaknesses. One weakness is created in dealing with gigabit level
data streams where every packet cannot be physically checked by most
firewalls. Another occurs in the use of VPNs and IP telephony, which opens
up a range of ports, thereby reducing your security level. Top Layer
suggests a hardware and software solution so that the hardware may provide
the brute force processing power and the software may provide flexibility as
well as functionality.
The best VPN and firewall is only as good as the implementation and other
areas of your network. Perhaps one of the most interesting points that I
gleaned from my conversation with Top Layer is this: "Security is
something you do, not something you buy."
Top Layer's Products
Top Layer's AppSwitch (a hardware device with software for functionality)
can sit on either side of your firewall. The product inspects data coming
through open ports. When placed in front of the firewall, the device can
help to prevent distributed denial of service attacks. The AppSwitch is a
Layer 7 device that sits at the application control layer in the OSI model,
enabling it to analyze information, which can be embedded in http.
Top Layer wanted to prove the security of their systems in action as long
as I wouldn't disclose their customers' names based on the sensitive nature
of network security. The following are two examples.
Where's The Bandwidth?
One success story took place at a financial services firm where traders
needed access to live Bloomberg broadcasts. Although the company kept
increasing bandwidth, the traders couldn't get the bandwidth they needed. It
turns out that unauthorized users were streaming media to their computers,
so the company decided to bring in Top Layer to help prevent these
unauthorized users from using RealAudio.
Top Layer blocked RealAudio at layer 4 and thought the problem was
solved. As it turns out the problem resurfaced soon thereafter. They found
that RealAudio scans ports and can morph itself if you disable port 80.
RealAudio then embeds recognizable headers as HTTP packets, and unless you
can read layer 7, you won't be able to stop these packets from flooding your
network.
You Call This Higher Learning?
Another example took place at a college that wasn't too concerned with
intruders but rather was afraid of what their students could do to the rest
of the world. This is a concern because the college might be held liable in
the case that a student performs illegal network activity. As it turns out,
two days after installing the system, the college discovered a distributed
DoS attack originating from their network and were able to stop it!
Conclusion
The more we know about network security, the better off we are. Security
must be defined not as a product, but as a process that must be continually
evaluated. Companies that frequently update their software as well as those
running IP telephony or using VPNs should be especially careful to make sure
that their security system is bullet proof. And always remember -- our
networks are two-way streets, and to guard them effectively, we must be
careful to guard against both the hacker within, as well as without.
[ Return
To The April 2001 Table Of Contents ]
|