How Vulnerable Are Internet Services?
Internet services must be implemented with care because of the vulnerabilities and threats that come with them. This chapter lists some of the most commonly implemented services and discusses the risks associated with each of them.
Protecting and Configuring Vulnerable Services
In this section, let's take a look at the industry-standard protocols and services, their characteristics, and how they interact with the Internet and the firewall, so that we can be aware of the security threats and countermeasures. A configuration checklist is also given, with loopholes to watch for and security issues.
Electronic Mail Security Threats
Electronic mail (E-mail) is a wonderful tool to have on the Internet, but it brings threats to your privacy and security. This section discusses some of these threats, such as e-mail bombing and spamming, as well as the risks of downloading certain attachments.
One of the main weaknesses of e-mail is that messages cannot always be traced. Reuters, a while ago, published an article about President Clinton receiving a death threat over the Internet via e-mail. According to the article, the e-mail message originated at a Taiwan university and contained the message
The United States asked Taiwan officials to investigate the incident, but the director of the university computer center concluded that there was no way to find a record of the person logging in and out on the Internet and sending the message to President Clinton. Thus, you should be aware of e-mail threats and of what you can do to protect yourself against these pitfalls.
You can be threatened by anyone using anonymous e-mail, and you won't be able to track him or her down. Take this other example, of Jonathan Littman, one of the few journalists covering the computer underground. When Kevin Mitnick was arrested, Littman had become the uber-hacker's insider, to the extent of even writing a book entitled "The Fugitive Game." The problem is that in the book he was sympathetic to Mitnick, and he ended up receiving retaliation from some hackers, who sent him several threats through anonymous e-mail messages.
E-mail threats also include people scanning your messages in search of valuable information, such as credit card numbers, social security numbers or system authentication information. When an e-mail message travels through the Internet it can be exposed to small programs that automatically scan the mail fed into a computer, looking for specific information, just as you do in your mail program when you want to locate a particular message stored in one of your folders.
A good preventive measure against this kind of attack is message encryption. As discussed in Chapter 3, "Cryptography, Is It Enough," encryption makes such attacks much more difficult. Also, there are many encryption tools out there, such as Pretty Good Privacy (PGP) and digital signatures, to aid you in this process. You should encrypt and sign all your e-mail messages.
Simple Mail Transfer Protocol (SMTP)
Have you heard about e-mail bombing? This is a form of stalking, an anonymous type of harassment in which you can't reply back to the sender. E-mail bombing is illegal but hard to track, because of the anonymous ways e-mail can be sent. It usually consists of sending a large number of messages, from hundreds to thousands of e-mail messages, to a single e-mail address, usually generating a denial of service on the mail server.
But don't confuse e-mail bombing with spamming. E-mail bombing is characterized by abusers repeatedly sending numerous copies of the same e-mail message to a particular address, whereas e-mail spamming is a variant of bombing: it refers to sending the same e-mail to hundreds or thousands of users (or to lists that expand to that many users). E-mail spamming can be made worse if recipients reply to the e-mail, causing all the original addressees to receive the reply. Spamming also may occur innocently, as a result of someone sending a message to a mailing list without realizing that the list explodes to thousands of users, or as a result of an incorrectly set-up responder message. If the identity of the account sending the message is altered, then e-mail bombing or spamming is being combined with "spoofing," which makes it almost impossible to track the author and the origin of the message. Later in this chapter there is a section on spoofing; make sure to read it.
As mentioned above, the large number of e-mails coming in to a server as a result of e-mail bombing and spamming can generate a denial of service on the server (where the server refuses to honor a request or a task, to the extreme of freezing up), through loss of network connectivity, system crashes, or even failure of a service (where the ability to execute that service fails on the server), because of:
Preventing against E-mail Attacks
It is very important that you are able to detect e-mail bombing or spamming as soon as possible. One of the signs your system will present when under attack is sluggishness. If e-mail is slow or is not being sent or received, it could be that your mail server is either trying to process a large number of messages or has already suffered a denial of service, as mentioned above.
If you are experiencing such a condition on your server, I recommend that you:
There is no way to block e-mail bombing and spamming entirely. However, there are a few things you can do to protect yourself and decrease the likelihood of a bombing or spamming attack. One, you should keep your e-mail software up to date at all times. Two, make sure you apply the updates, patches, and bug fixes that are released by your e-mail software developer. The third thing is a little more technical. You could develop a tool that checks for, and alerts you to, incoming messages that originate from the same user or the same site in a short span of time. You could then block these connections at the router level.
For example, once you identify where these messages are coming from, the site's domain (email@example.com, for example), you can go to your firewall and block, or deny, any messages coming from that site. You can even redirect them to a wastebasket directory where they will be periodically deleted. You will probably not be able to identify the author of these messages, but you can at least stop receiving them by blocking them before they hit your mailbox.
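The alerting tool suggested above, as an added example that is not code from the book or from any mail or firewall product: it replays an accept log and flags a sender address, or a whole site, that delivers more messages than a threshold inside a sliding time window. The log format, the sample traffic and the thresholds are constructed for the demonstration; the parser would be adapted to your mailer's real log format.

```python
"""Burst detector for incoming mail, the kind of alerting tool suggested above.
Added example, not code from the book or from any mail or firewall product.
The log format, the sample traffic and the thresholds are constructed for
the demonstration; adapt the parser to your mailer's real log format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample traffic, one line per accepted message:
    '<ISO timestamp> <envelope sender> <recipient>'."""
    base = datetime(1997, 8, 27, 10, 0, 0)
    lines = []
    # Normal traffic: a few messages spread over an hour.
    for i in range(3):
        when = base + timedelta(minutes=20 * i)
        lines.append(f"{when.isoformat()} alice@example.net bob@ourcorp.example")
    # Mail bombing: one sender, one recipient, eight copies inside a minute.
    for i in range(8):
        when = base + timedelta(seconds=5 + 7 * i)
        lines.append(f"{when.isoformat()} bomber@spammer.example bob@ourcorp.example")
    # Spamming: twelve different senders from one site inside two minutes.
    for i in range(12):
        when = base + timedelta(minutes=30, seconds=9 * i)
        lines.append(f"{when.isoformat()} user{i}@bulk.example carol@ourcorp.example")
    return sorted(lines)  # ISO timestamps of equal width sort chronologically as text


def detect_bursts(log_lines, window=timedelta(minutes=5),
                  sender_limit=5, site_limit=10):
    """Return {'senders': set, 'sites': set} of keys that exceeded their limit
    within any sliding window of the given length.  Lines must be in
    chronological order; blank lines are ignored.

    A sender burst (many copies from one address) is the bombing pattern;
    a site burst with no single sender standing out is the spamming pattern.
    Either one is a candidate for a block at the router or firewall."""
    sender_hits = defaultdict(deque)
    site_hits = defaultdict(deque)
    flagged = {"senders": set(), "sites": set()}
    for raw in log_lines:
        line = raw.strip()
        if not line:
            continue
        stamp, sender, _recipient = line.split()
        when = datetime.fromisoformat(stamp)
        sender = sender.lower()
        site = sender.rsplit("@", 1)[-1]
        for key, hits, limit, bucket in (
            (sender, sender_hits, sender_limit, "senders"),
            (site, site_hits, site_limit, "sites"),
        ):
            recent = hits[key]
            recent.append(when)
            while recent and when - recent[0] > window:
                recent.popleft()  # drop events that fell out of the window
            if len(recent) > limit:
                flagged[bucket].add(key)
    return flagged


def report(flagged):
    """Human-readable alert lines for the operator."""
    out = [f"ALERT sender burst: {s}" for s in sorted(flagged["senders"])]
    out += [f"ALERT site burst: {s}" for s in sorted(flagged["sites"])]
    return out or ["no bursts detected"]


if __name__ == "__main__":
    for alert in report(detect_bursts(build_sample_log())):
        print(alert)
```

With the default thresholds the constructed log yields one sender alert (the bomber) and one site alert (the bulk sender's domain); the bomber's own domain only trips the site threshold when that limit is lowered.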
One alternative to keep in mind is that, if you have only one or two e-mail servers, you should set up your firewall to allow only SMTP connections coming from the Internet to your e-mail servers. From there you will have to block the SMTP port so that connections cannot arrive directly at the users' computers.
The way you do this will vary from one firewall software to another. If you are using a router as a firewall, you will have to insert a line in its configuration file denying connections to the SMTP port. By blocking access to your SMTP port you will prevent the injection of spam messages through it.
You can block the SMTP port by turning off your mailer's SMTP daemon mode and running it out of inetd instead. If you combine this with running smap from the TIS Firewall Toolkit, the configuration will look like this:
At the /etc/inetd.conf:
At the /etc/hosts.allow:
At the /usr/local/etc/netperm-table:
You can use the above example as a boilerplate, as the paths will vary according to your environment, as will the site(s) you're blocking. This should suffice to keep e-mail spamming and bombing coming from spammer.com, or from anyone in the IP range 128.xxx.000.0, from reaching your SMTP server. Now, watch your server! This technique could overload your server, as it will generate a process for every incoming mail message. If your server already works at more than 30% of its capacity, you may want to try a different technique discussed here.
Be Careful With E-Mail Attachments
Have you ever thought about the potential danger of e-mail attachments? The majority of mail packages, such as MS Exchange and cc:Mail, have a setting in which you can specify whether you want attachments to go as separate files or to be encapsulated. The risk with these attachments is that they can carry various threats, from viruses and malicious macros to small Trojan horse applets.
According to Integralis, the developers of MIMESweeper e-mail security (http://www.mimesweeper.integralis.com/), viruses can be inserted into e-mail attachments, as well as into the header or even the body. Some of the most threatening and successful current viruses and logic bomb codes are document-based, and as you probably know, most e-mail attachments are also documents. Therefore, e-mail attachments have become one of the easiest ways to get a virus into your computer or company.
In order to protect yourself against such a threat you must be very careful when opening attachments, as they are the carriers of the threat. Make sure you know the origin of an attachment and that you can trust it to be clean and free of bugs! If you can't, then you must use an e-mail virus detector, such as MIMESweeper, to scan the messages you receive.
Special attention should be given to encoded and ZIPped file attachments, as many times they are skipped or not supported by anti-virus packages. These attachments could contain viruses and macro bombs.
There are viruses that can gain access to your computer via the attachments you download or open from your mail and that could apparently damage your computer. Even though the media portray viruses as able to damage your computer hardware, I haven't yet seen a single one capable of doing so. Nevertheless, there are viruses that can make your hard drive behave as if it were faulty.
For instance, if you were to activate a virus known as Rainbow, downloaded along with an attachment, it would alter the partition table located in the Master Boot Record of your hard drive in such a way that, if you attempted to boot from a clean, uninfected system disk with MS-DOS 5.x or 6.x, the machine would simply hang.
The most notorious virus attached to e-mail messages in 1997 is the so-called AOL4FREE.COM, which actually is a Trojan horse. This Trojan is a simple .BAT file created to issue a DOS command (DELTREE) to delete the complete directory tree on the hard drive. Although you cannot activate this Trojan by simply reading your e-mail, you must be very careful when dealing with attachments.
Another famous e-mail-attached virus, which appeared on the Net around February 1997, was ShareFun.A. Although a macro virus, this one has a new feature: once activated, there is a 25% chance that it will launch MS Mail, attach itself to a newly self-created e-mail message, grab 3 random mail addresses from your Personal Address Book (PAB) file, set the Subject line to read "You have GOT to read this!" and send it on its way.
In order to protect yourself against e-mail attachments, make sure you know the origin of each one and that you can trust it to be clean and free of bugs! If you can't, then you must use an e-mail virus detector to scan the messages you receive, such as MIMESweeper, from Integralis.
E-mail anti-virus packages can scan e-mail messages as they come in from the host mail system. By using recursive disassembly, these applications can completely open your message and any attachments so that anti-virus tools can check for viruses embedded within the data.
As for macro viruses, make sure to download the latest version of the Word/Excel macro anti-virus, SCANPROT.DOT, from Microsoft, or even from third parties such as Datafellows, at URL://www.datafellows.com. Note that simply installing SCANPROT.DOT will not protect you from being infected by a macro virus attached to your e-mails. If you open a Word or Excel document simply by clicking with your mouse on the attachment, SCANPROT will not be started. You must download the file, launch Word or Excel and open the file from within the application.
If the security of your SMTP connections and of the corporate messages traveling through them is really important, I recommend that you consider using Riordan's Internet Privacy Enhanced Mail (RIPEM), which is a still-to-be-completed but practical implementation of Privacy Enhanced Mail (PEM).
PEM is a standard for the transfer of encrypted electronic mail, generated over a long period of time by a working group of specialists. Note that RIPEM is not really a complete implementation of PEM: PEM specifies certificates for authenticating keys, and RIPEM does not handle those yet. The addition of key authentication is planned for the near future, as is the Macintosh version, which differs from the PC version because of the distinct operating system. RIPEM provides your SMTP mail with the security facilities provided by PEM, which are:
You can use RIPEM with popular mailers such as Berkeley, mush, Elm, and MH. Code is also included in elisp to allow easy use of RIPEM inside GNU Emacs. Post your interfaces or improvements for RIPEM to the USENET newsgroup alt.security.ripem.
Zimmermann's Pretty Good Privacy (PGP) is another product you can use to encrypt your SMTP messages. However, unlike RIPEM, PGP tries to approach the issue of trustworthiness, but as I understand it, it does so without respect to any enunciated criteria or policy. Thus the question remains: can you trust someone with whom you are interacting through e-mail, for instance by signing a contract or something similar (using digital signatures), just because he's authenticated over PGP or RIPEM?
Post Office Protocol (POP)
As an Internet standard, POP (Post Office Protocol) defines the means of accessing and downloading electronic mail from a server. POP clients use the SMTP protocol to send messages; POP is used only to retrieve them. POP version 2 (POP2) and version 3 (POP3) are standards widely in use, especially POP3, which added some new functionality to the interface. POP is also a TCP/IP-based protocol, meaning you need a network connection between client and host.
POP2 and POP3 clients are available from a wide variety of sources on the Internet for MS-DOS, Windows, OS/2, UNIX, Macintosh, and several other platforms. As you probably already know, POP clients look and feel just like PC-based e-mail packages and require no access to the host (server) other than a mailbox and a mailbox password.
With POP, mail is delivered to a shared server, from which it is then retrieved by a user who connects to the server and downloads all of the pending mail to the "client" machine. Thereafter, all mail processing is local to the client machine.
But you must keep in mind that when you are dealing with POP configuration you ultimately are dealing with private information coming and going through it. You are dealing with issues such as confidentiality, integrity and liability! Thus, I recommend that you not allow your users to transfer mail over the Internet through POP, because it can reveal passwords and the messages are totally unprotected. If they must transfer it, then implement packet filtering. You might be able to implement a proxy too, but it will require some minor coding.
Recently, CERT Advisory CA-97.09 (August 27, 1997) reported on a vulnerability in POP and the Internet Message Access Protocol (IMAP). According to CERT, some versions of the University of Washington's implementation of IMAP and POP have a security hole that allows remote users to obtain unauthorized root access without even having an account on the system.
The CERT/CC team recommends installing a patch if one is available or upgrading to IMAP4rev1. Until you can do so, CERT recommends that you disable the IMAP and POP services at your site.
If you are not able to temporarily disable the POP and IMAP services, then try to limit access to the vulnerable services to machines on your local network. This can be done by installing tcp_wrappers for logging and access control, since POP is launched out of inetd.conf. This doesn't mean that your POP is safe now; you still have to apply the fix, hopefully already available by the time this book is published, or upgrade to IMAP4rev1. Additionally, you should consider filtering connections at the firewall to minimize the impact of unwanted connections.
The BorderWare firewall is an example of a product that runs all standard Internet servers, including a full-function electronic mail server with POP and SMTP support. But BorderWare is not the only one; check Chapter 14, "Types of Firewall," for the complete list.
Multimedia Internet Mail Extensions (MIME)
MIME is an acronym for Multipurpose Internet Mail Extensions, the standard for attaching non-text files to standard Internet mail messages. Unfortunately, MIME is not secure. Thus, RSA developed S/MIME, a specification for secure MIME that offers authentication (using digital signatures) and privacy (using encryption).
S/MIME, PGP, and PEM are similar, as they all specify methods for securing your electronic mail. However, PGP can be thought of as both a specification and an application, as it relies on users to exchange keys and establish trust in each other. S/MIME, on the other hand, utilizes hierarchies in which the roles of the user and the certifier are formalized, which makes S/MIME more secure and more scalable than PGP implementations.
If we were to compare PEM with S/MIME, we'd need to take into consideration that PEM is an early standard for securing e-mail that specified a message format and a hierarchy structure. The PEM message format is based on 7-bit text messages, whereas S/MIME is designed to work with MIME binary attachments as well as text. The guidelines for hierarchies are also more flexible in S/MIME. This should allow for both easy set-up for small workgroups that don't need to be part of an all-encompassing hierarchy, and an easy path to move workgroups to the hierarchy that best suits their needs.
Now, one way to have more control over your SMTP mail is to tunnel it to a specific server where it can be screened. You can easily do this by setting up an HTML e-mail form and using the "Mailto" function. You would code the line in HTML as
The firstname.lastname@example.org eventually will be replaced by an Internet address. Every time a user clicks on the e-mail anchor, a special form pops up. The user then writes his message and sends it to you.
However, there are many other options, in many different scripting languages. It all depends on how much you want to invest in it, in time and effort, and on the resources you have available.
To create an e-mail comment form, you will need to create a form that sends mail to you from any browser that supports forms. For a UNIX server, there is a very flexible CGI script, cgimail, which can be downloaded from MIT's Web site. I have not seen any other tool for this purpose with such a level of flexibility. It is also very easy to install and use.
Since cgimail requires an ASCII form, the form can later be e-mailed, which allows users with disabilities to access it. If you want to download it, check the mit-dcns-cgi at the URL: http://web.mit.edu/wwwdev/www/dist/mit-dcns-cgi.html.
If you would rather work with ANSI C, there is a very simple e-mail form package called Simple CGI Email Handler, which I strongly recommend. It is based on the post_query.c code provided with the NCSA httpd 1.1 package, released to the public domain.
You should be aware of AIX, which definitely is vulnerable to it. SunOS 4.1.3 does not allow these escape sequences unless mail is being run from an actual terminal. With version 2.1, you don't need to be concerned about it, as the tilde escapes were replaced with spaces.
If you are interested in this script, you can download it from the URL: http://www.boutell.com/email/.
If you like Perl, there is another e-mail form package called the "Web Mailto Gateway," developed by Doug Stevenson (email@example.com). The following source code can be found at URL: http://www.mps.ohio-state.edu/mailto/mailto_info.html.
If your server can run CGI scripts and is configured with sendmail, this is the right mail gateway script to have in your HTML; being able to run CGI scripts on your server is a requirement, though.
The use of firewalls can enhance your protection. A firewall can restrict the access of outside mail to only a few machines and reinforce security on those machines. Usually these machines would act as a gateway to the company, and the firewall as a guard, a security agent controlling what's coming in or going out.
Nevertheless, messages will need to come into the company, and a firewall will not be able to screen those messages for hostile applets or scripts. At most, there are a few techniques to filter threatening characters in the mail address, if you can come up with a table so that the firewall can recognize them.
Thus, always keep in mind that, since SMTP lacks authentication, forging e-mail is not difficult. If your site allows connections to the SMTP port, anyone can connect to that port and issue commands that will send e-mails that appear to be from you or even from a fictitious user.
File Transferring Issues
File transfer is one of the most used Internet services. With the Web, this service became much easier to use, and therefore more difficult to control and secure. Thus, for security reasons, companies connected to the Internet often block FTP, TELNET, and GOPHER access. Firewalls and proxy servers can protect your site by controlling access to authenticated FTP sites.
File Transfer Protocol (FTP)
Security is one of the major obstacles to FTP services. Many companies bar FTP fearing being attacked by a hacker, or even having an intruder eavesdropping on the site.
Using private FTP over the Internet has some security implications. As with rcp, the user name and password are transmitted in the clear, so anyone on the route between your client and server can sniff your user name and password. They can then use them to gain unauthorized access to the server. The data you transfer is also unencrypted and can be sniffed as well.
These two problems can be overcome by using an SSL (Secure Socket Layer) version of the FTP server and client programs. When using SSL, all network traffic is encrypted, and the client and server can use strong authentication. There is one drawback, however: the SSL protocol requires a third, independent party, a CA (Certification Authority). This CA must be trusted by both parties and is used in establishing the true identity of the client and server. In the case of a Web browser, this CA is one of the "true" authorities, such as VeriSign (for more information on VeriSign, check their URL at http://www.verisign.com). However, for a dedicated FTP connection between a client and a server this CA can be any party that is trusted by both.
To resolve this problem, there are firewall and proxy products available that incorporate a secured anonymous FTP server, which provides read-only access to a protected and limited file hierarchy. These products provide an interface mechanism that enables a writable incoming directory to allow the sending of files to a firewall. The data areas are then accessed only from the internal network. For more information on firewalls, refer to Chapter 14, "Types of Firewalls," which lists all the main firewall products available on the market.
Try to develop a configuration checklist based on the environment you have; don't go around copying recommendations from books or from the Web! Instead, use them as a template to be customized to the needs and system characteristics of your company. The following are configuration suggestions to be considered (Remember! Add to the list depending on your needs!):
There should be no difference between the interaction with a local server and that with other Windows NT and most UNIX clients. This can also be used to determine whether the directories, permissions, and so on of the FTP Server service are configured properly.
Note that files and libraries, including those used by the FTP daemon and those in ~ftp/bin and ~ftp/etc, should have the same protections as these directories: they should not be owned by ftp or be in the same group, and they should be write-protected.
It is important to understand that there is a risk in allowing anonymous FTP connections to write to your server. Therefore, you must evaluate the risks involved before opening the door. Besides the risks already discussed earlier (temporary storage for contraband files, etc.), an attacker could upload an endless stream of files to the point of causing denial-of-service problems on your server.
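A check for the ownership and write-protection rule on the anonymous FTP area stated above, as an added example (not from the book or from any FTP package): it walks the tree under ~ftp and reports anything owned by the ftp account or its group, or writable by group or other, while letting a designated incoming drop directory stay writable. The ftp uid and gid are parameters because they differ between systems; the sample tree is constructed in a temporary directory, and the demo uses the current user's uid in place of ftp's so that ownership findings can be shown without root.

```python
"""Audit an anonymous FTP area against the rule above: nothing under ~ftp,
including ~ftp/bin, ~ftp/etc and the files the daemon uses, should be owned
by the ftp account or its group, and nothing should be writable by group or
other.  Added example, not from the book or any FTP package.  The ftp uid
and gid are parameters because they differ between systems, and the sample
tree is constructed in a temporary directory."""
import os
import stat
import tempfile

# Assumption for the demo only: treat the current user as the 'ftp' account
# so that ownership findings appear without needing root.  In real use pass
# the uid/gid of the ftp account (e.g. from pwd.getpwnam('ftp')).
DEMO_FTP_UID = os.getuid()


def audit_ftp_tree(root, ftp_uid, ftp_gid, writable_ok=()):
    """Walk root and return a sorted list of (path, problem) findings.

    writable_ok lists directories (relative to root or absolute), such as an
    'incoming' drop box, that may be writable; they are still reported if
    owned by ftp.  Unreadable subdirectories are still checked because they
    are taken from the parent's listing rather than entered."""
    allowed = {os.path.abspath(os.path.join(root, p)) for p in writable_ok}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [os.path.join(dirpath, n) for n in dirnames + filenames]
        if dirpath == root:
            entries.insert(0, root)  # the top of the area is checked once
        for path in entries:
            st = os.stat(path)
            if st.st_uid == ftp_uid:
                findings.append((path, "owned by the ftp user"))
            if st.st_gid == ftp_gid:
                findings.append((path, "owned by the ftp group"))
            group_or_other_write = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
            if group_or_other_write and os.path.abspath(path) not in allowed:
                findings.append((path, "writable by group or other"))
    return sorted(findings)


def audit_relative(root, ftp_uid, ftp_gid, writable_ok=()):
    """Same findings as audit_ftp_tree, with paths relative to root."""
    return [(os.path.relpath(p, root), why)
            for p, why in audit_ftp_tree(root, ftp_uid, ftp_gid, writable_ok)]


def build_sample_area():
    """Constructed ~ftp-style tree in a temp dir; returns its path.
    pub/readme.txt is deliberately group-writable, and 'incoming' is a
    writable drop directory (mode 733, so anonymous users cannot list it)."""
    root = tempfile.mkdtemp(prefix="ftp-audit-")
    for sub in ("bin", "etc", "pub", "incoming"):
        path = os.path.join(root, sub)
        os.mkdir(path)
        os.chmod(path, 0o755)
    for rel, mode in {"bin/ls": 0o555, "etc/passwd": 0o444,
                      "pub/readme.txt": 0o664}.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "incoming"), 0o733)
    return root


if __name__ == "__main__":
    area = build_sample_area()
    print("permission findings (uid/gid -1 never match a real account):")
    for rel, problem in audit_relative(area, -1, -1, writable_ok=("incoming",)):
        print(f"  {rel}: {problem}")
    print("ownership findings when the current user stands in for 'ftp':")
    for rel, problem in audit_relative(area, DEMO_FTP_UID, -1, writable_ok=("incoming",)):
        print(f"  {rel}: {problem}")
```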
Trivial File Transfer Protocol (TFTP)
But FTP is not the only protocol used to transfer files. The Trivial File Transfer Protocol (TFTP), defined in RFCs 783 and 951, is commonly used by dedicated devices to transfer configuration files.
If you are running TFTP on a UNIX system, turn it off! TFTP presents significant security risks. The AIX version 3.x, for example, allows remote users to upload /etc/passwd.
Also, there are scanners, such as NSS (Network Security Scanner) and CONNECT, that will specifically search for open TFTP holes. If you must run TFTP, make sure to:
File Service Protocol (FSP)
File Service Protocol (FSP) is very similar to FTP in the way it works and in its features. However, FSP has protection against network overload (it never forks) and logs the username of the connection coming in to the server. There is a scanner, called FSPScan, developed by Wen-King Su, that scans for FSP servers. You can download it from the URL http://www.giga.or.at/pub/hacker/unix.
UNIX-to-UNIX Copy Protocol (UUCP)
UNIX-to-UNIX Copy Protocol (UUCP) is a software program that facilitates file transfer from one UNIX system to another via dial-up phone lines. The UUCP protocol also describes the international network used to transfer USENET News and electronic mail.
If using UUCP, make sure to disallow name service, as you don't want to be giving out potentially compromising information. In general, you don't want people to know what the internal structure of your network really is. Also, for any open port above 1023, as long as your system isn't listening on a port, that port is not vulnerable.
Nonetheless, try to use a proxy server rather than allowing the packets through directly. This allows some logging, and possibly some action to be taken on the firewall.
The Network News Transfer Protocol (NNTP)
NNTP is a protocol used for moving around Usenet News, a bulletin-board-like system on the Internet with a variety of articles on many subjects. The articles are grouped into newsgroups, selected by their content.
When setting up news to be accessed through your Web server, you will use NNTP to link news to your site. You will have to decide where your news server will be located in order to preserve security. Assuming that you have or will be installing a firewall at your site, you have the option to place NNTP on the firewall machine, the bastion host. Or you can have NNTP outside your protected network, if your Web server is placed outside of it.
However, securing news links is not difficult to do. The major issue you will face is controlling the private newsgroups your internal users may create. Chances are your users will be exchanging sensitive information among each other, and if external users have access to these groups, then you may have a breach of confidentiality to deal with. NNTP can help you control access to these private groups.
The proxying capabilities of NNTP can help you filter Usenet news postings by receiving and storing them before forwarding them to a server you have designated.
NNTP is a TCP-based, store-and-forward protocol. For the most part, NNTP is a very secure protocol, carrying a very secure service. The reason is that all the incoming connections to your site should be legitimate connections from a news feed location.
Regardless of where you place your firewall, make sure to have the news fed straight from your news provider to your news server. You can do this very easily by using packet filtering or, in case you have a firewall, through a proxy server.
Although NNTP is a fairly secure protocol and easy to install, the following are a few recommendations you should keep in mind when configuring news at your Web site:
If you ever decide to install Usenet-Web, make sure not to run the usenet-web-index-rebuild.pl program at the same time as the usenet-web-archiver.pl.
Also, make sure to disable any cron jobs that could be running the usenet-web-archiver.pl before you run usenet-web-index-rebuild.pl.
Although it might look obvious to place the news server on your firewall machine, as discussed above, avoid doing so. If you must, then you may want to consider a dual-firewall system, which will increase cost and maintenance.
If you are using a firewall at your site, one of the easiest ways to configure your news gateway is through packet filtering. The following is a small list of recommendations:
The Web and the HTTP Protocol
The Hypertext Transfer Protocol (HTTP) is an application-level protocol developed for distributed, collaborative, hypermedia information systems. The HTTP protocol is very generic and stateless, allowing systems to be built independently of the data being transmitted. It is also an object-oriented protocol with capabilities that can be used for a variety of tasks, which include but are not limited to name servers, distributed object management systems and the extension of its request methods, or commands.
One of the great features of HTTP is the typing and negotiation of data representation. This protocol has been in use since 1990, with the W3 global information initiative.
The most current version of HTTP is version 1.0, which is supported by all Web servers on the market. But there is also another version of the protocol, HTTP-NG (Next Generation), which promises to use the available bandwidth more efficiently and to enhance the HTTP protocol.
Further, HTTP is a protocol that can be generically used for communication between user agents and proxies or gateways to other Internet protocols, such as SMTP, NNTP, FTP, Gopher and WAIS.
Nevertheless, all this flexibility offered by HTTP comes at a price: it makes Web servers, and clients, very difficult to secure. The openness and statelessness of the Web account for its quick success, but make it very difficult to control and protect.
On the Internet, HTTP communication generally takes place over TCP/IP connections. It uses port 80 by default, but other ports can be used. This does not prevent HTTP from being implemented on top of any other protocol; in fact, HTTP can use any reliable transport.
When a browser receives a data type it does not understand, it relies on additional applications to translate it to a form it can understand. These applications are usually called viewers, and they should be one of your first concerns when preserving security. You must be careful when installing one because, again, the underlying HTTP protocol running on your server will not stop the viewer from executing dangerous commands.
You should be especially careful with proxy and gateway applications. You must be cautious when forwarding requests that are received in a format different from the one HTTP understands. These applications must take into consideration the HTTP version in use, as the protocol version indicates the protocol capability of the sender. A proxy or gateway should never send a message with a version indicator greater than its native version. If a request with a higher version is received, the proxy or gateway must either downgrade the request version, respond with an error, or switch to tunnel behavior.
The majority of HTTP clients, such as Purveyor and Netscape Navigator, support a variety of proxying schemes, such as SOCKS and transparent proxying.
Purveyor, for instance, provides proxy support for not only HTTP, but also FTP and GOPHER protocols, creating a secure LAN environment by restricting Internet activities of LAN users. The proxy server offers improved performance by allowing internal proxy caching. Purveyor also provides proxy-to-proxy support for corporations with multiple proxy servers.
If you are running your Web server on Windows NT, Windows 95 or NetWare, you can use Purveyor Webserverís proxy features to enhance security. In addition, you can increase the performance of your server as Purveyor can locally cache Web pages obtained from the Internet.
You should consider installing a firewall at your site, regardless if you are placing your server outside or inside your protected network. The openness of HTTP is too great for you to risk. Besides, you still have all the viewers and applets to worry about.
When selecting a firewall, make sure to choose one that includes HTTP proxy server. It will be useful for protecting your browsers. Some firewalls, such as the TIS Firewall Toolkit, provide HTTP proxying totally transparent to the user.
HTTP Security Holes
The HTTP protocol has further security holes, enough to justify a firewall. One of them is that it allows remote users to open communication with a server machine and execute commands on it remotely. This security hole compromises the Web server and the client in many ways, including but not limited to:
Most of these security holes are well known. Some applications, like Netscape's SSL and NCSA's S-HTTP, try to address the issue, but only partially.
Web servers are very vulnerable to clients' behavior over the Internet. Therefore, clients should prompt the user before allowing HTTP access to reserved ports other than the one reserved for HTTP. Otherwise, such access could cause the user to inadvertently trigger a transaction in a different, and dangerous, protocol.
You must also be careful with the GET and HEAD methods! A seemingly trivial link, an anchor you click to subscribe or reply to a service, can trigger an applet to run without the user's knowledge, which opens the door to abuse by malicious users.
Another security hole of HTTP has to do with server logs. Usually, a Web server logs a large amount of personal data about information requested by different users. Evidently, this information should remain confidential. HTTP allows the information to be retrieved without any access permission scheme.
Many other HTTP limitations and security holes would surface if we were to break down the ramifications of the security issues presented above. Here is a short HTTP configuration checklist to help you out:
Security of Conferencing
Of course, there must be a practical reason for you to use the Web for conferencing. Not only is there a large variety of hardware and software, but the fact that the Web provides a common user interface for Internet utilities like FTP, Telnet, Gopher, and WAIS allows users to reach all the resources available on the Internet without having to leave the Web.
Despite the advances of Web technology in the past three or four years, there is still a series of issues to be addressed before considering conferencing, at least on a large scale. The following is a summary list of the main challenges affecting Web conferencing deployment:
The bottom line is that you must take into consideration the clientele accessing your site, the Web conferencing technology to be deployed and the bandwidth you have available for this service. Conferencing involves skimming over a lot of material to find the most interesting nuggets, so you need to be able to move around quickly.
Watch These Services
Besides all of the above, you should keep an eye on the following services, as they can also affect the security of your site if you don't configure them appropriately.
Gopher is not used as much as before, but it is still fast and efficient. Believe it or not, Gopher is fairly secure, but there are some issues I would like to alert you about. One of the most popular Gopher servers is the one from the University of Minnesota (found at boombox.micro.umn.edu), which many of the Gophers out there run.
You should know that there is a bug in both Gopher and Gopher+ in all versions that were available before August 1993, as reported in CERT Advisory CA-93:11. This bug allows an attacker to obtain password files, either remotely or locally, by potentially gaining unrestricted access to the account running the public access client and reading any file accessible to that account. This includes /etc/passwd and other sensitive files.
If you want to review this bug, you can check the Defense Data Network Bulletin 9315, which can be viewed at the URL HTTP://www.arc.com/database/security_bulletins/DDN/sec-9315.txt.
You should be alert to Gopher servers proxying FTP sessions. Even if access is restricted to an FTP directory on your server, the Gopher server can be used to perform a bounce attack. Thus, be careful when protecting an FTP server behind a firewall. If the Gopher server is not protected, a hacker can use it to get past the firewall.
Another vulnerability, reported by the NASA Automated Systems Incident Response Capability (NASIRC), is a failure in the internal access controls of the gopher servers gopher1.1 (Gopher) and gopher2.012 (Gopher+), which can allow files in directories above the gopher data directory, such as the password file, to be read if gopherd does not run chroot. This vulnerability only affects servers that are started with the option "-c". Without this option, gopherd runs chroot and access to files above the gopher-data directory is disabled.
Finger is a program that tells you whether someone is logged on to a particular local or remote computer. Through finger you might be able to learn the full name, terminal location, last time logged in, and other information about a user logged onto a particular host, depending on the data that is maintained about users on that computer. Finger originated as part of BSD UNIX.
To finger another Internet user, you need to have the finger program on your computer, or you can go to a finger gateway on the Web and enter the name of the user. The user's computer must be set up to handle finger requests. A ".plan" file can be created for any user that can be fingered.
An intruder can use finger to find information about a site, and use finger gateways to protect his identity.
Whois is a program run by InterNIC that will tell you the owner of any second-level domain name. For example, you can look up the owner of your own access provider by entering its domain name, such as "process.com", and whois will tell you the owner of that second-level domain name. The InterNIC Web whois is at http://rs.internic.net/cgi-bin/whois.
whois can also be used to find out whether a domain name is available or has already been taken. If you enter a domain name you are considering and the search result is "No match," the domain name is likely to be available and you can apply to register it through your service provider.
The security risk with whois is that a hacker can look up information about his or her target before striking. As a matter of fact, this information can be used to explore security weaknesses in your system.
For instance, there is a program on a Gopher server that produces results similar to whois, but this one tells you the names of all domain name holders associated with a specific second-level domain name. This program is at gopher://rs.internic.net/7waissrc%3A/rs/whois.src. At IBM, for example, you can look up information about its employees by checking their whois service at http://whois.ibm.com. The same goes for Stanford University, where you can look up information about their students.
Talk is a UNIX service that allows two users to communicate over the Internet via text-based terminals. It is much like the net send command and IRC, except that the connection is directed by the person's e-mail address. Thus, if you were to talk to me via the Internet, you would issue a command:
By issuing this command, the local talk program would contact the remote talk daemon. If I'm available, assuming that I have talk connections enabled, my screen would split and the conversation would take place. If you're familiar with the chat command of Windows for Workgroups, bundled with the network tools, you know what I'm talking about.
The risk with this service is that information can be gathered from an unwary user who engages in conversation with someone unknown out on the Internet.
Internet Relay Chat (IRC), just like talk, allows communication over the Internet. However, IRC allows multiple users to converse at the same time.
The main risk is that file transfers can be done over IRC without any trace left behind; it's like a cash transaction without receipts! Even though such file transfers can also be done through FTP and the like, IRC makes them possible without any server software running.
As you already know, Domain Name System (DNS) is the way that Internet domain names are located and translated into Internet Protocol (IP) addresses. Because maintaining a central list of domain name/IP address correspondences would be impractical, the lists of domain names and IP addresses are distributed throughout the Internet in a hierarchy of authority. There is probably a DNS server within close geographic proximity to your access provider that maps the domain names in your Internet requests or forwards them to other servers in the Internet.
As far as risks with DNS go, you should be aware of spoofing. When a DNS machine is compromised, that machine has been a victim of spoofing. Not that it happens very often, but there have been reports, both at DDN and CIAC, about DNS spoofing.
CIAC's advisory, entitled "Domain Name Server Vulnerability," alerts about the possibility of an intruder spoofing BIND into providing incorrect name data at the DNS server, allowing unauthorized access or re-routing of connections. Can you imagine if all private connections of the Secret Service were re-routed to a hacker's home server? Fortunately (or should I say hopefully), the Secret Service is already using Skipjack or some other kind of strong encryption on their IP connections!
But fear not! DNS spoofing is not an easy task. It's not enough for an intruder to gain access to the DNS server. The intruder will have to re-route the addresses in that database, which would easily give him away. It's like breaking the window of a jewelry store; it's just a matter of minutes before the police arrive. But again, with a good plan, how much time would a hacker need to get what he wants?
Network Management Station (NMS)
As described by Aday Pabrai and Vijay Gurbani in their book "Internet and TCP/IP Network Security," published by McGraw-Hill, a "Network Management Station (NMS) is a system responsible for supporting a network management protocol and applications necessary for it to process and access information from entities (managed nodes) on the network."
The only security feature provided by NMS is access control. NMS additionally provides authentication and privacy.
Simple Network Management Protocol (SNMP)
Simple Network Management Protocol is the protocol governing network management and the monitoring of network devices and their functions. It is not necessarily limited to TCP/IP networks. The details of SNMP are in these Internet Engineering Task Force (IETF) Requests for Comments (RFCs):
There are two versions of SNMP, SNMPv1 and SNMPv2. SNMPv1 is the older of the two, of course, and offers very rudimentary security features. The only security feature offered by SNMPv1 is access control. In an SNMPv1 environment there are a number of agents that are monitored or controlled by a manager. Thus a manager contains a set of agents.
At this stage two concepts can be introduced. First, an MIB should be viewed as a database with tables and relationships between the tables. Second, the concept of a community. An SNMP community is a relationship between an SNMP agent and a set of SNMP managers that defines authentication, access control, and proxy characteristics. The community is established locally at an agent and is given a name, and it is addressed by that name. Thus a community is a relationship between an agent and a manager for certain privileges on the agent's MIB.
The SNMPv2 Working Group recently completed work on a set of documents which make up version 2 of the Internet Standard Management Framework. Unfortunately, this work ended without reaching consensus on several important areas -- the administrative and security framework and remote configuration being two of the most important.
The IETF has chartered a Working Group to define SNMPv3, which, if successful, will replace SNMPv2. The SNMPv3 effort has been underway since April 1997.
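To make the community concept concrete, here is an added example (not code from this book or from any SNMP product) of the access check an SNMPv1 agent performs: it reads the version, community name and PDU type from the BER-encoded message and applies the rights granted to that community. The community table, its names and the hand-built message bytes are all constructed for the example; the decoder handles only the message envelope.

```python
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA3: "SetRequest"}

# Constructed community table: the community name is the only credential an
# SNMPv1 agent ever sees, and it crosses the network in clear text.
COMMUNITIES = {"monitor-ro": "read-only", "netops-rw": "read-write"}


def tlv(tag, value):
    """Encode one BER type-length-value triple (short-form lengths suffice here)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def read_tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, value_bytes, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_v1_message(community, pdu_tag=0xA0):
    """Build an SNMPv1 message carrying one varbind for OID 1.3.6.1.2.1 (mib-2)."""
    varbind = tlv(0x30, tlv(0x06, bytes([0x2B, 0x06, 0x01, 0x02, 0x01])) + tlv(0x05, b""))
    pdu = (tlv(0x02, b"\x01")          # request-id
           + tlv(0x02, b"\x00")        # error-status
           + tlv(0x02, b"\x00")        # error-index
           + tlv(0x30, varbind))       # variable-bindings
    return tlv(0x30, tlv(0x02, b"\x00")                  # version 0 = SNMPv1
                     + tlv(0x04, community.encode())     # community name
                     + tlv(pdu_tag, pdu))


def parse_v1_message(msg):
    """Return (version, community, pdu_name) from the message envelope."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must be a SEQUENCE")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    pdu_tag, _, _ = read_tlv(body, pos)
    name = PDU_NAMES.get(pdu_tag, "Unknown")
    return int.from_bytes(ver, "big"), community.decode("ascii", "replace"), name


def authorize(msg, communities=COMMUNITIES):
    """Apply the community's rights to the request; return the agent's decision."""
    version, community, pdu = parse_v1_message(msg)
    if version != 0:
        return "reject: not an SNMPv1 message"
    if community not in communities:
        return "reject: unknown community"      # worth logging: probing for names
    if pdu == "SetRequest" and communities[community] != "read-write":
        return "reject: read-only community"
    return "allow: " + pdu
```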
Van Jacobson is the author of traceroute, a tool to trace the route IP packets take from the current system to some destination system. Using the IP "time_to_live" field, it attempts to elicit an ICMP TIME_EXCEEDED response from each gateway the packet goes through on its way.
The danger here is that this utility can be used to identify the location of a machine. Worse, you don't even need to run Unix to have access to traceroute. There are several gateways on the Net, such as the one at the URL http://www.beach.net/traceroute.html. Figure 8.01 is a traceroute to my server at Process Software Corp.
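The mechanism described above, as an added simulation that is neither the book's code nor Van Jacobson's traceroute: probes are sent with TTL 1, 2, 3, and so on, each gateway that counts the TTL down to zero answers with TIME_EXCEEDED, and the destination ends the trace. The path, the addresses and the assumption that the destination answers the UDP probe with PORT_UNREACHABLE are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Gateway:
    address: str
    answers: bool = True   # a gateway that does not send ICMP errors shows up as "*"


def forward(ttl, path, destination):
    """Walk one probe along the path, decrementing TTL at every gateway.

    Returns (responder, reply): the gateway that decrements TTL to zero drops the
    packet and answers TIME_EXCEEDED (or nothing, if it is silent); a probe that
    survives the whole path reaches the destination, which answers PORT_UNREACHABLE.
    """
    for gateway in path:
        ttl -= 1
        if ttl == 0:
            if gateway.answers:
                return (gateway.address, "TIME_EXCEEDED")
            return ("*", "TIMEOUT")
    return (destination, "PORT_UNREACHABLE")


def traceroute(path, destination, max_ttl=30):
    """Send probes with increasing TTL until the destination itself answers."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        responder, reply = forward(ttl, path, destination)
        hops.append((ttl, responder, reply))
        if reply == "PORT_UNREACHABLE":
            break
    return hops


# Constructed path: three gateways, the middle one configured to stay silent.
PATH = [Gateway("192.0.2.1"), Gateway("198.51.100.1", answers=False), Gateway("203.0.113.1")]
DESTINATION = "203.0.113.80"

if __name__ == "__main__":
    for ttl, responder, reply in traceroute(PATH, DESTINATION):
        print(f"{ttl:2d}  {responder:<16} {reply}")
```

The silent hop is the defender's side of this picture: a gateway that suppresses ICMP errors still forwards traffic but reveals nothing about itself to the trace.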
Network File System (NFS)
Network File System (NFS) was popularized by Sun to provide a shared file system for UNIX machines. NFS, like its relative NIS, is based on a trust model in which network machines exchange information based on account information. NFS allows only certain machines to access shared file systems, but determining which machines are allowed to access the file systems is accomplished by a simple lookup of the address of the accessing machine, which can be done by anyone with access to the system running NFS.
A system can be impersonated by another system to obtain its rights to a file system. This was one of the strategies used by Kevin Mitnick to break into systems, and how NFS systems are commonly attacked.
If you are to use NFS, employ NFS version 3, which can handle encryption and much stronger authentication of connecting machines. Distributed file systems are historically vulnerable, but as a UNIX standard and as widely deployed as it is in educational and research arenas, NFS tends to gain more than its fair share of examination and dissection.
NFS is one of the most important and most vulnerable network services in Sun's system, as it provides full access to files and directories. The major security hole is that NFS's access control mechanisms are very hard to maintain and are hardly adequate. Another hole is that it doesn't have user authentication, even when using the so-called secure NFS implementation.
Every user can write his own NFS client, specify any identity, and read or write files. An NFS client that provides this basic functionality can easily be written in about 300 lines of C code. Secure NFS tries to fix this security hole, but it doesn't totally succeed. The problem is that the underlying cryptosystem doesn't work and can be broken very easily.
File handles also used to represent a major vulnerability (it has since been fixed!). They could be constructed without the help of the mount daemon, which allowed a client to go directly to the NFS daemon and bypass the access control mechanisms enforced by the mount daemon.
Nowadays, hackers are very aware of the typical security models used by MIS and deployed all over the Internet. Hackers can write simple applets to act as NFS clients and bypass all the access control systems normally used, gaining total access to internal networks or users' files. But this is not merely a security hole of NFS; it extends to almost every network service available.
Confidentiality and Integrity
The Internet itself will not protect your confidential or sensitive information. If you don't take care of it, nobody will! The fact that neither users nor Internet providers are regulated makes security even more difficult, because the Internet is open to everyone. It is like trying to protect your home without any locks on the doors.
Authentication mechanisms are very important to safeguard the integrity, confidentiality and security of your users, especially if you are involved with electronic commerce, where authentication becomes a requirement. Therefore, clients must authenticate themselves to Web servers, and Web servers must also authenticate themselves to clients, so that both authenticate to each other. When applying authentication methods, it is important to take the spoofing risks into consideration. Cryptographic methods, as discussed in chapter 3, "Cryptography: Is It Enough?," will help you implement a security policy that is not so easy for hackers to spoof.
Confidentiality is also very important for users dealing with sensitive data. Again, the credit card example comes to mind: your account number would be the last thing you want publicized! In the corporate world, this requirement will be amplified as financial data, marketing and sales forecasts are exchanged over the Web. The data traversing the Web needs to be protected.
As for integrity, just keep in mind that certain transactions require not only confidentiality, but also that their contents will not be modified. The banking industry, for example, relies on confidentiality, but the integrity of the data is as important as the privacy of the information being exchanged.
There are tools to help you preserve the confidentiality and integrity of your connections. Firewalls and encryption are definitely necessary, but you can also increase security by using a tool such as swIPe, developed by John Ioannidis. This tool is actually a network-layer security protocol for the IP protocol suite. swIPe provides confidentiality, integrity, and authentication of network traffic and can be used to provide both end-to-end and intermediate-hop security. swIPe is concerned only with security mechanisms; policy and key management are handled outside the protocol.
swIPe is a network-level encryptor of datagrams, not a simple application-level process. Be advised that the secure use of swIPe also requires other problems to be solved, such as key management, which are far beyond what many firewalls are designed to do. You could be a little creative and try to splice user-level encryption into the firewall, but this would not be swIPe. It would also increase the firewall's complexity somewhat, decreasing confidence in the security of the modules themselves.
If you want to use swIPe with a firewall, I know for a fact that the Gauntlet Internet Firewall runs on BSD/OS and uses swIPe.