
Publisher's Outlook
April 2001

Rich Tehrani

 

The Hacker Within

BY RICH TEHRANI


Recently, a new law was passed in the United Kingdom that gives police the power to detain suspects for 48 hours without a warrant. The Terrorism Act of 2000 recognizes the growing threat of cyber terrorists for the first time, and was designed to prevent dissident political groups from using the U.K. as a base of online terrorism.

Personally, I wasn't too surprised by this law, especially in light of the latest wave of terrorists defacing Web sites worldwide. There is even a new term used to describe those people this law is supposed to affect -- "Hacktivists" are politically motivated hackers bent on destroying or defacing Web sites for political reasons.

Computer attacks are on the rise and these types of attacks are growing to menacing levels. Do you remember when viruses were the only threat we had to deal with? Now organizations from Microsoft to NSA are being hacked... Their systems are either being defaced or driven to crash through the use of SYN flood and ping-of-death attacks. (Please see the sidebar entitled SYN Flood Versus Ping-of-Death for more information.)

Top Layer Networks
I recently spoke with executives from Top Layer Networks, a company that specializes in helping companies provide network security as well as providing secure QoS on the networks of service providers and corporate customers. During the course of our discussion, we explored the various levels of vulnerability a company has to be aware of such as VPNs, IP telephony, and DCOM -- all of which punch holes in protective firewalls.

Negligence And Liability
Perhaps a scarier notion than having a hacker break into your network and crash some of your servers or delete some files is the potential for lawsuits driven by what courts may consider corporate negligence. Stolen credit card information, medical records, and other sensitive information from your network can be used to damage your customers in many ways, including online impersonation. A Top Layer representative summed it up aptly, "Just take all the ways that people can be evil and multiply these by the speed of the computer and network bandwidth!" They think we are at the infancy of legality issues underlying these cases, and this area will most likely drive a new branch of the legal profession.

Perhaps the worst thing that you can do is put your head in the sand for security while a hacking war is waged overhead. Anyone can be a target, including the above-mentioned NSA and Microsoft, as well as many other large corporations. Unfortunately for legitimate businesses, hackers continuously conduct random Web searches looking for systems with weaknesses that they can exploit. Remember a VPN is still only "virtual" -- you just can't have a false sense of security about security!

Why is it getting harder to protect ourselves? Two words -- network convergence -- point to the heart of the problems we'll all face securing our networks in the future. Openness is great...at least until you realize that your most sensitive data can be tapped into in myriad ways as it travels along any number of network routes.

Beyond just open networks, consider that the more complex the software and network infrastructure is, the more inadvertent holes open up. Companies that frequently change software revs are at great risk. Even though many companies such as Microsoft, SUN, and Linux maintain great Web sites explaining all the latest security holes and packages, it is hard for many companies to continually check these and other sites, and then quickly patch the systems in time to ward off security issues. Does your network have the latest patch for Outlook? Bind? VBScript? JavaScript? You'd better hope so.

Protecting Yourself From You
Just when you thought it was safe to fire up your new firewall, log off, and leave your network, an entirely new wave of attacks, originating within the heart of your network, is becoming more common. The simple fact is that you have just as many vulnerabilities leaving your network as you do when entering. Let's say someone on your network wants to get even with someone else beyond your network. It has become increasingly easy for that person to start a DoS attack against your competitor or against a personal enemy. Can your workers send out intentional viruses to affect internal and external computers and networks? Are you making sure this can't be done on your network? How good is your anti-virus software?

Security Is A Journey, Not A Destination
Top Layer stresses that computer security is a process similar to security in the real world where one takes precautions like buying insurance, being careful when and where to go out at night, using travelers checks, etc. -- one needs to have the appropriate protections for appropriate resources. The need for monitoring your internal and external security levels never ends; hackers are always working to hack systems.

Does A Firewall Fully Protect You?
According to Top Layer, firewalls are a piece of the puzzle that has inherent weaknesses. One weakness is created in dealing with gigabit level data streams where every packet cannot be physically checked by most firewalls. Another occurs in the use of VPNs and IP telephony, which opens up a range of ports, thereby reducing your security level. Top Layer suggests a hardware and software solution so that the hardware may provide the brute force processing power and the software may provide flexibility as well as functionality.

The best VPN and firewall is only as good as the implementation and other areas of your network. Perhaps one of the most interesting points that I gleaned from my conversation with Top Layer is this: "Security is something you do, not something you buy."

Top Layer's Products
Top Layer's AppSwitch (a hardware device with software for functionality) can sit on either side of your firewall. The product inspects data coming through open ports. When placed in front of the firewall, the device can help to prevent distributed denial of service attacks. The AppSwitch is a Layer 7 device that sits at the application control layer in the OSI model, enabling it to analyze information that can be embedded in HTTP.

Top Layer wanted to prove the security of their systems in action as long as I wouldn't disclose their customers' names based on the sensitive nature of network security. The following are two examples.

Where's The Bandwidth?
One success story took place at a financial services firm where traders needed access to live Bloomberg broadcasts. Although the company kept increasing bandwidth, the traders couldn't get the bandwidth they needed. It turns out that unauthorized users were streaming media to their computers, so the company decided to bring in Top Layer to help prevent these unauthorized users from using RealAudio.

Top Layer blocked RealAudio at layer 4 and thought the problem was solved. As it turns out the problem resurfaced soon thereafter. They found that RealAudio scans ports and can morph itself if you disable port 80. RealAudio then embeds recognizable headers as HTTP packets, and unless you can read layer 7, you won't be able to stop these packets from flooding your network.

You Call This Higher Learning?
Another example took place at a college that wasn't too concerned with intruders but rather was afraid of what their students could do to the rest of the world. This is a concern because the college might be held liable in the case that a student performs illegal network activity. As it turns out, two days after installing the system, the college discovered a distributed DoS attack originating from their network and were able to stop it!

Conclusion
The more we know about network security, the better off we are. Security must be defined not as a product, but as a process that must be continually evaluated. Companies that frequently update their software as well as those running IP telephony or using VPNs should be especially careful to make sure that their security system is bulletproof. And always remember -- our networks are two-way streets, and to guard them effectively, we must be careful to guard against both the hacker within, as well as without.

[ Return To The April 2001 Table Of Contents ]


SYN Flood Versus Ping-of-Death

Two of the more popular denial of service (DoS) attacks are SYN flood and ping-of-death. In each case a server is overloaded to a point where it crashes due to a memory leak, memory shortage, or some other catastrophic event.

SYN Flood
When data is sent over TCP/IP, the transmission follows a simple "handshake protocol" -- a client sends a SYN (synchronized data packet) with a sequence number to the server, the server then returns a SYN/ACK (to acknowledge receipt of the packet) and a sequence number of its own. The connection between the client and server is now established and they can communicate with each other.
A SYN flood attacker sends numerous connection requests to a server from a false address. As a result, the server is unable to respond, and places the request in a queue awaiting a SYN/ACK (acknowledgement frame from the false address). After several minutes the server's TCP sockets time out. If enough false requests are made, the server's pending connection queue will fill up and it will be unable to respond to even valid requests.
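The queue exhaustion described in this sidebar, as an added example that is not part of the original article: a small Python model of a server's pending-connection queue, replayed over a constructed event list. The queue size, the 75-second timeout, the documentation-range addresses and the `simulate` function are assumptions for illustration; an "ACK" event stands for the client's final reply that completes the handshake.

```python
# Model of a server's pending-connection (half-open) queue.
# All events and addresses below are constructed sample data, not captured traffic.

def sample_events():
    """(time_seconds, kind, source) tuples in time order."""
    ev = [(0.0, "SYN", "192.0.2.10"), (0.1, "ACK", "192.0.2.10")]    # normal client
    # Six requests from addresses that never answer the server's SYN/ACK.
    ev += [(1.0 + i * 0.1, "SYN", f"198.51.100.{i}") for i in range(1, 7)]
    ev += [(2.0, "SYN", "192.0.2.11"), (2.1, "ACK", "192.0.2.11")]   # arrives during flood
    ev += [(80.0, "SYN", "192.0.2.12"), (80.1, "ACK", "192.0.2.12")] # arrives after timeout
    return ev

def simulate(events, backlog=4, timeout=75.0):
    """Replay events against a fixed-size queue; backlog/timeout are assumed values."""
    pending = {}  # source -> time its SYN was queued
    stats = {"established": 0, "timed_out": 0, "refused": [], "peak_half_open": 0}
    for now, kind, src in events:
        # Drop half-open entries that have waited longer than the timeout.
        for stale in [s for s, t0 in pending.items() if now - t0 >= timeout]:
            del pending[stale]
            stats["timed_out"] += 1
        if kind == "SYN":
            if src in pending:
                continue                      # retransmitted SYN, already queued
            if len(pending) >= backlog:
                stats["refused"].append(src)  # queue full: even valid clients lose
            else:
                pending[src] = now
                stats["peak_half_open"] = max(stats["peak_half_open"], len(pending))
        elif kind == "ACK" and src in pending:
            del pending[src]                  # handshake completed
            stats["established"] += 1
    stats["half_open"] = len(pending)
    return stats

if __name__ == "__main__":
    for size in (4, 16):
        print(f"backlog={size}:", simulate(sample_events(), backlog=size))
```

A queue pinned at its limit while completed handshakes stall is the signal to watch for; rerunning with a larger `backlog` or shorter `timeout` shows how each setting changes which clients are refused.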

Ping-of-Death
Ping-of-Death is a DoS attack that works by sending very large ping packets to the victim computer. As a result of receiving a hostile ping, victim systems will crash or hang because there is not enough memory to cope with the incoming flood of data.

PING (Packet Internet Groper) is a utility/diagnostic tool that is used to test if an IP address is reachable. An ICMP Echo packet is sent to an Internet host and the utility awaits a reply. This is a common program used to determine whether your computer or a remote system is connected to the network.

You may want to check out www.insecure.org and www.securityfocus.com for more details on these and other attacks as well as a list of previously defaced Web sites. 



International Feeding Frenzy! -- Feeding IP Telephony To The Pack

International Feeding Frenzy! It's the best term to describe what I witnessed at the recent INTERNET TELEPHONY CONFERENCE & Expo Miami (February 7-9, 2001). If there was one trend that exemplified the enormous interest in IP telephony products and services it was without a doubt the growing opportunity to deploy long-distance services internationally. According to many of the exhibitors I spoke with, the best business of their careers is being had selling to entrepreneurs that are establishing themselves as phone companies all over the world.

One show participant in particular -- Science Dynamics, an IP telephony gateway manufacturer -- did so well at the show that I just had to stop in and see what they had that piqued the interest of so many attendees. I had a chance to speak with the company's director of engineering as well as a sales team that is extremely excited at the prospect of international IP telephony and their ability to sell products into this growing market.

The strength of Science Dynamics' positioning is in the turnkey systems they provide: They will install, configure, and track the bandwidth availability between countries for your gateways. Science Dynamics is a relatively small company in the gateway business; and besides offering turnkey systems, they must find other ways to differentiate themselves. Interoperability differentiates a company in a very important manner. In fact this company was one of the most successful participants in the ConvergeNET interoperability demonstration at the show. In case you aren't familiar with ConvergeNET, it is the world's first, longest running, and largest showcase of IP telephony interoperability. ConvergeNET "lives" on the show network at Internet Telephony Conference & Expo twice a year in Miami and San Diego. (Please see the article A Stand For The Interoperability Demand on page 34 for more info.) Gateway customers are looking for interoperability in the systems they purchase, and Science Dynamics is constantly making sure their equipment interoperates correctly with the variety of other players in the market.

For the most part, IP telephony gateway vendors besides Lucent, Nortel, and Cisco are typically start-ups that have been in business for five years at the most. There is no need to imagine why I was more than pleasantly surprised to hear that Science Dynamics has been in the telecom business for over twenty years. In fact, they tell me they are one of the oldest Internet start-ups -- they started off by making announcer systems in the telephony market, as well as pay per view and IVR systems.

Science Dynamics feels that their background in telecom has allowed them to build a system that is extremely flexible and scalable. They use text files to manage their gateways -- this is designed to make their products easy to configure and customize. Their gateways provide for limited gatekeeper functionality and control redundant systems. These interesting features are coupled with a call rating and least cost routing engine that determines the cost of a call before placing it. The FCC requires all interstate calls going from state to state to provide the caller with the rate of the call before it is placed. This requirement is for public phones as well as inmate telephone calls originating from prisons. There is also at least one state where this requirement exists for IntraLATA calls.

Currently their gateways are H.323-based, with SIP support coming soon. Some of their pet peeves about H.323 are vendors producing products that assume that H.323 is point-to-point (meaning a call is answered as soon as it is connected). These vendors forget to take into account the gateways between the callers.

The INTERNET TELEPHONY Conference and EXPO felt like my first true exposure to the international communications market and I can tell you that the interest level is much greater than you can imagine. Now is the best time for you to strike it rich in the international Internet telephony market. 



Al Gore To Speak At Communications Solutions Expo
May 23-25 at the Washington Convention Center

Since his days in the House and Senate, the honorable Al Gore has been an early leader on cutting-edge technological issues. As a member of Congress, he popularized the term "information superhighway," and he later introduced legislation to invest in the research networks that led to today's Internet. We are very excited to have the most technology savvy Vice President of all time delivering a keynote at the upcoming Communications Solutions Expo.

Attendees can be sure to hear a unique perspective on many technologies from one of the most well known figures of our time. Please check www.csexpo.com for details. 
