Prevention of viruses on a network is of utmost importance, as they can cause massive damage and open up a network to a whole variety of attacks. Anti-virus programs and hardware have been developed to combat viruses. They work by searching for evidence of a virus program (by checking for appearances or behaviour that are characteristic of computer viruses), finding the infected files and then removing the virus. It is not enough just to purchase anti-virus software, because it must be configured to protect all parts of the system, and the best anti-virus software covers the day-to-day activities carried out by the user. Viruses are forever changing and new forms and strains are being discovered on a daily basis, thus anti-virus software should be updated frequently. In some cases daily updates might need to be made to the anti-virus software, which is true of many large corporate networks. There are three main types of virus, which are the bomb, the worm and the Trojan horse; they are all classified by their properties. There are two kinds of bomb viruses, which are the logic bomb and the time bomb. A time bomb is a program that carries out its purpose when the computer reaches a set time / target date, and a logic bomb works in a very similar way but is triggered by a certain event such as the user opening an mp3 file. A worm is a destructive program that copies itself over a network, or even wider still over the Internet, reproducing as it goes. Lastly, a Trojan horse is a malicious program that passes itself off as an application used for another purpose.
Viruses can enter a network in many ways, and the majority of the time it is due to lack of knowledge by the internal user on a network. A very common way viruses enter a network is by users clicking on e-mail attachments, which in recent years have been blamed for some of the fastest virus outbreaks across the Internet. Users click on attachments such as Word documents and the virus is executed. Now any document they produce in Word and send to other users via e-mail, FTP, Telnet etc. will also include the virus. However, viruses can enter in just about any way data can enter a network / computer, such as through FTP, CDs / DVDs, floppy disks, P2P programs and networks etc. Also, a virus could be planted by an internal user to cause malicious damage or weaken a network so that a hacker could attack the network from the outside.
External attacks on the network have to be dealt with in a very different way from internal attacks, as nothing can actively be done until an attack is launched against the network. This means that detection and protection needs to start at the front door of the network (the firewall) and protect against any form of malicious act from external sources, such as DoS attacks. Such attacks can target various parts of the network such as e-mail servers (SMTP), FTP servers, web servers (HTTP) and so forth. However, in some cases the aim of the hacker will not be to destroy data or bring a network down but to obtain confidential information, for instance financial accounts.
A firewall is a system or group of systems that controls access between a private network and a public network. The actual means by which this is done varies widely, but the principle behind a firewall is to either block traffic (data packets) or allow traffic to enter a private network from an external source such as the Internet. The main purpose of a firewall is to protect the private network from other untrusted networks. On one side you have a public network, over which you have no control of what is being done, how or where. On the other side you have the private network, such as a corporate network, that must be protected against any damaging action. There are a number of different types of firewalls, such as packet filters, application proxies (application gateways), dual-homed and tri-homed firewalls. All of these work in different ways and have unique features and methods of filtering data packets. In general firewalls operate at either the network level or the application level of the ISO OSI model, but have the ability to watch data at all levels.
A simple firewall set up on a LAN is shown in figure 2. Placement of the firewall is very important, but in general it is normally placed just before the private network so that data packets can be turned away at the door and nothing actually enters the network. In figure 2 the firewall is installed on a separate network known as the demilitarised zone (DMZ), which has only two connections: one to the router and one to the firewall. This enables the firewall to process any incoming data packets before they are transferred to the private network. There is no one way to set up a firewall that best suits the needs of every network; the topology of the network has to be analysed to determine whether its various components, such as hubs, switches, routers and cabling, are suitable for a specific firewall set-up. Firewalls can help secure the network in a number of ways, but it is important to remember that there are well over 50 vendors actively marketing firewalls, so the range of features can differ considerably. For example, alerts can be set up to inform the network administration of suspicious activity such as a banned IP address trying to access the network. For each alert you could specify a name and a definition of the alert. This information could then be sent out via e-mail, for example, so that the information produced by the firewall is acted upon. One of the main jobs of a firewall is to filter packets; in this respect a firewall can be configured in a similar fashion to a router, but firewalls can be configured far more intelligently. Packet filtering, as the name suggests, is allowing data packets into the network or rejecting them. The firewall could be configured so that the HTTP server could only take 150 simultaneous connections at any given time and the rest would have to wait. This would ensure that network capacity is not exceeded, which could otherwise cause heavily loaded servers to crash.
As a result, monitoring activity could help balance the loads on heavily used services: if it is found that the network is overloaded, steps can be taken to upgrade hardware. A proxy server is a component of a firewall (sometimes referred to as an application gateway) that mediates traffic between a protected network and the Internet. The proxy is basically made for anonymous or "safe" Internet browsing. It works by holding the most commonly accessed and recently viewed websites in order to provide quicker downloads for users, as pages are stored on the network. This also increases server security, as fewer requests will have to be made by the site and activity on the network will decrease. Proxy servers differ from firewalls because they can control how internal users access the outside world; they can also block all outside connections and only allow internal users to access the Internet. Proxy services run at the application level of the network, as figure 3 illustrates. Proxy servers run on protocols such as HTTP, FTP, Telnet etc. and thus must be updated when a new protocol comes into existence. One key aspect of firewalls is that the software used to run them must always be updated, as new holes in security are found by hackers and thus must be sealed. If a firewall is to be effective, monitoring and maintenance must be carried out on a regular basis.
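As an added example (not code from the original essay), the firewall passage above as a toy Python packet filter: first-match allow/deny rules, the 150-simultaneous-connection cap on the HTTP server from the text, and an alert record for a banned address. The rule names, addresses and port numbers are assumptions made up for the illustration.

```python
# Added example (not from the original): toy stateful packet filter with first-match
# rules, a 150-connection HTTP cap and alerts for banned sources. Addresses are made up.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR the rule applies to (default: any)
    dport: Optional[int] = None  # destination port, None = any

@dataclass
class Packet:
    src: str
    dport: int
    syn: bool = True             # True = opens a new connection
    fin: bool = False            # True = closes an existing one

@dataclass
class Firewall:
    rules: list
    limits: dict                                 # dport -> max open connections
    active: dict = field(default_factory=dict)   # dport -> currently open
    alerts: list = field(default_factory=list)   # text that would be e-mailed

    def _matches(self, rule, pkt):
        return ((rule.dport is None or rule.dport == pkt.dport)
                and ip_address(pkt.src) in ip_network(rule.src))

    def decide(self, pkt):
        """Return 'allow', 'deny' or 'wait' for one packet, updating state."""
        for rule in self.rules:              # first matching rule wins
            if self._matches(rule, pkt):
                if rule.action == "deny":
                    self.alerts.append(f"{rule.name}: {pkt.src} -> port {pkt.dport}")
                    return "deny"
                break
        else:
            return "deny"                    # nothing matched: default deny
        open_now = self.active.get(pkt.dport, 0)
        if pkt.fin:                          # a connection closed, free its slot
            self.active[pkt.dport] = max(0, open_now - 1)
            return "allow"
        cap = self.limits.get(pkt.dport)
        if pkt.syn and cap is not None:
            if open_now >= cap:
                return "wait"                # server is full, client must wait
            self.active[pkt.dport] = open_now + 1
        return "allow"

def demo():
    fw = Firewall(rules=[Rule("banned-host", "deny", src="198.51.100.7/32"),
                         Rule("web", "allow", dport=80),
                         Rule("mail", "allow", dport=25)],
                  limits={80: 150})
    first150 = [fw.decide(Packet("203.0.113.5", 80)) for _ in range(150)]
    overflow = fw.decide(Packet("203.0.113.6", 80))          # 151st must wait
    banned = fw.decide(Packet("198.51.100.7", 80))           # logged as alert
    ssh = fw.decide(Packet("203.0.113.5", 22))               # no rule: denied
    fw.decide(Packet("203.0.113.5", 80, syn=False, fin=True))  # a client leaves
    freed = fw.decide(Packet("203.0.113.6", 80))
    return first150, overflow, banned, ssh, freed, fw.alerts
```

The `alerts` list is where a real firewall would hand the named alert to e-mail, as the passage suggests.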
A denial of service (DoS) attack is an incident in which a user or organisation is deprived of the services or a resource they would normally expect to have. The network / server is flooded with a continuous stream of bogus requests, such as an HTTP server constantly being asked for web pages. A denial of service can sometimes happen accidentally, such as when too many users try to view a popular website. Such an attack is a type of security breach of a computer system that does not normally result in the theft of information or other security loss; however, data can be lost. Attacks of this nature can cost the company a great deal of time and money, as the service could be brought down for several hours.
In terms of prevention there are only a few measures which can be taken to protect a network from a DoS. One is checking to see if unauthorised / unknown changes have been made to the file system, registry, user account database, etc. This will ensure that if some area of the system has been changed, firstly you know someone is interfering and secondly you can take the necessary steps to prevent access to the network in the future. Another is regularly monitoring logs on servers within the network and looking for suspicious activity, such as recorded IP addresses which do not look familiar. The best way to protect a network from a DoS is to have a firewall configured properly, as this can be thought of as the first line of defence of any network. In all fairness, trying to prevent a DoS can be difficult because the attack is coming from an external source and it is hard to predict when the network will be attacked.
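The two checks just described, as an added example rather than code from the original: a SHA-256 baseline of the file system compared against its current state to reveal unauthorised changes, and a scan of web-server log lines for client addresses outside the networks the administration recognises. The files, the log lines and the "known" network are constructed for the illustration.

```python
# Added example, not from the original: (1) compare file hashes against a
# stored baseline to spot unauthorised changes, (2) scan web-server logs for
# source addresses outside the familiar networks.  All data is constructed.
import hashlib
import os
import re
import tempfile
from ipaddress import ip_address, ip_network

def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_baseline(baseline, current):
    """Return (modified, added, removed) paths between two hash_tree() results."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed

# Common-log-format prefix: client address, ident, user, bracketed timestamp.
LOG_RE = re.compile(r'^(\S+) - \S+ \[[^\]]+\] "(\S+) (\S+)')

def unfamiliar_sources(log_lines, known_nets):
    """Return {ip: request count} for clients outside every known network."""
    nets = [ip_network(n) for n in known_nets]
    counts = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # malformed line: skip, do not crash
        ip = ip_address(m.group(1))
        if not any(ip in net for net in nets):
            counts[str(ip)] = counts.get(str(ip), 0) + 1
    return counts

def _write(root, name, text):
    with open(os.path.join(root, name), "w") as fh:
        fh.write(text)

def demo():
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.html", "<h1>welcome</h1>")
        _write(root, "httpd.conf", "MaxClients 150\n")
        baseline = hash_tree(root)           # taken when the host was known-good
        _write(root, "httpd.conf", "MaxClients 150000\n")   # tampered setting
        _write(root, "dropped.tmp", "unexpected file\n")     # planted file
        changes = diff_baseline(baseline, hash_tree(root))
    logs = [  # constructed Apache-style access log lines
        '10.0.0.12 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612',
        '198.51.100.23 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 612',
        'garbage line that should be ignored',
        '198.51.100.23 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 612',
        '10.0.0.40 - - [10/Oct/2023:13:55:39 +0000] "POST /login HTTP/1.1" 302 0',
    ]
    return changes, unfamiliar_sources(logs, ["10.0.0.0/8"])
```

In practice the baseline would be stored off the host (or on read-only media) so that an intruder cannot rewrite it along with the files.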
There are many forms of DoS attack, as the term itself is very vague: anything which prevents access to a service or resource can be described as a DoS. However, a common form of DoS is the distributed denial-of-service (DDoS) attack. Such an attack can involve hundreds or thousands of machines all over the Internet, which will be used to launch the attack (figure 4). Weakly secured computers are broken into and then software is installed which makes the hacker able to remotely control the burgled server / machine. Many machines will be attacked, mainly ones on fast Internet connections such as T1 lines. Then, with a single command, the intruder instructs the controlled machines to launch one of many flood attacks against a specified target. This technique works by sending thousands of data packets from hundreds of machines, which basically overwhelm the server, machine or network and cause it to crash, as it is unable to handle such a large volume of data / requests. What is often overlooked by system administrators in the case of DDoS attacks is that the network must be protected both ways, as you can be attacked by a DoS or the network can be used in a DDoS. Figure 4 is just an example, as many more computers would be used in an actual attack.
Password protection is the most frequently employed method of preventing unauthorised access to a network. It can be used to protect a network from the inside and prevent access from the outside world as well. Normally a user would enter a login / username and password to access the network, which may include FTP servers, databases, SMTP servers etc. The purpose of a password is to protect access to the network and only allow legitimate users access. It is, however, important to remember that using passwords to protect a network is not a foolproof method and does have its shortcomings. For example, it would be easy for a person to glance over someone's shoulder and watch him or her entering the password. Also, passwords are often written down, printed out or recorded in some form as users have difficulty remembering them; letting users set their own passwords can solve this problem, but this method makes the password prone to being guessed by people who know them, such as work colleagues. There are, however, practices that make illicit access to the network far less likely. Firstly, password combinations must include both numbers and letters, which if possible should be in a totally random order. Limitations are placed on the number of characters available to be used in a password (ASCII), as you are limited by the set number of characters on a keyboard, and many keys cannot be used in a password, such as the Esc key. Ideally, the longer the password the less liable it will be to discovery, but it must not defy an average user's ability to remember it, as they may be tempted to record the password elsewhere. Another technique which is commonly used is to limit the number of times a password can be entered and the time in which it must be entered. Figure 5 demonstrates how a network can be entered externally and what measures can be put in place to prevent illicit access.
The most likely point of entry would be a remote device out of sight of the building the actual terminal is based in, as no physical presence would be needed, which decreases the chances of an illegitimate user getting caught trying to penetrate a network. An actual example of an attack could be that the illegitimate user might try to discover the password by attempting many combinations. He / she may set up an intelligent modem and microcomputer to repeatedly try passwords over a set period of time, e.g. a dictionary attack. For example, it might be possible to make 10 tries at the password in 10 seconds. If all 10 tries are wrong the terminal may disconnect and not allow access for another 20 seconds. The equipment mentioned above could be set so that 10 passwords are tried in 10 seconds and it then waits 20 seconds until another attempt is made. This would mean that in a minute 20 attempts could be made to enter a password. In an hour 1200 (20 * 60) attempts could be made, thus in a 24 hour period 28800 (1200 * 24) attempts could be executed. Depending on the password, it may be possible for the password to be obtained in a short space of time. Therefore measures would have to be established to monitor network activity, so that if a case such as the one described above did occur the network administration could be alerted and action could be taken to stop the security of the network being breached.
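The lockout policy and the arithmetic from the passage above as an added example (not code from the original): `attempts_per_day()` reproduces the 10-tries / 20-second-wait figure of 28800 guesses a day, `LoginThrottle` enforces that policy on the server side and counts lockouts so the administration can be alerted, and `simulate()` drives it with a steady stream of wrong guesses. The class and function names are assumptions; the only figures taken from the text are the 10 tries, 10 s window and 20 s disconnect.

```python
# Added example, not from the original: the lockout policy described above
# (10 tries per 10 s, then a 20 s disconnect) as code, plus the arithmetic
# for how many guesses that leaves an attacker per day.  Values are made up
# except for those the text gives.
from dataclasses import dataclass

def attempts_per_day(tries, window_s, lockout_s):
    """Guesses possible in 24 h: `tries` per window, then a lockout."""
    return tries * (86400 // (window_s + lockout_s))

def days_to_exhaust(alphabet_size, length, tries, window_s, lockout_s):
    """Worst-case days to try every password of `length` over the alphabet."""
    return alphabet_size ** length / attempts_per_day(tries, window_s, lockout_s)

@dataclass
class LoginThrottle:
    """Accept at most `tries` failures per `window_s`, then lock the terminal
    for `lockout_s` after the window ends.  Time is passed in by the caller."""
    tries: int = 10
    window_s: float = 10.0
    lockout_s: float = 20.0
    window_start: float = 0.0
    failures: int = 0
    locked_until: float = 0.0
    lockouts: int = 0            # a climbing count is what alerts the administration

    def attempt(self, now, password_ok):
        """Return 'ok', 'fail' or 'locked' for one attempt at time `now`."""
        if now < self.locked_until:
            return "locked"
        if now - self.window_start >= self.window_s:
            self.window_start, self.failures = now, 0   # new window
        if password_ok:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.tries:
            # lock from the end of the window so a burst of 10 instant
            # guesses still costs the attacker the full 30 s cycle
            self.locked_until = max(now, self.window_start + self.window_s) + self.lockout_s
            self.lockouts += 1
            self.failures = 0
        return "fail"

def simulate(seconds, interval=1.0):
    """Drive the throttle with one wrong guess every `interval` s and
    return (guesses processed, guesses refused, lockouts)."""
    th = LoginThrottle()
    processed = refused = 0
    t = 0.0
    while t < seconds:
        if th.attempt(t, password_ok=False) == "locked":
            refused += 1
        else:
            processed += 1
        t += interval
    return processed, refused, th.lockouts
```

`simulate(60)` processes exactly 20 guesses in a minute, matching the text, and `days_to_exhaust()` shows why the text's advice on password length matters: each extra character multiplies the attacker's worst-case time by the alphabet size.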
If all else fails and network security is breached, backup can be thought of as the last line of defence. Backup can be defined as “ ing to a second (a or ) as a precaution in case the first medium fails. If a computer virus or an invading hacker destroys data, the easiest way to restore the destroyed data may be to reformat the hard drive and then copy files from a recent backup. Backups also offer protection from more common threats such as accidental deletion of a file by an authorised user or failure of a hard disk drive. The method of backup used can vary depending on how much data is being backed up, what the data type is and how important the data is. It is advised that data is backed up regularly, but this is often not done because backing up data can take hours depending on the size of the data and the speed of the device being used. Such devices include tape drives, zip drives, CD / DVD writers, floppy disks, etc. There are three recommended ways to back up data. Firstly, a full backup of all files at set times determined by the network administration, and immediately after completing a major project (e.g., writing a book). Secondly, an incremental backup of only those files that were changed since the previous incremental backup, and lastly an archival backup, where a full backup of all files to newly formatted media is carried out. This method is carried out least frequently of the three but it is nonetheless important. Once backups have been made it is advisable for them to be stored in a separate location to prevent them being destroyed in events such as fires.
Educating users would also greatly decrease the chances of a network becoming subject to an attack. What may seem obvious and logical to a network administrator may not to the average user of a network. Therefore education is key to securing a network, as users can be taught the correct approach to dealing with various data files and formats. In recent years many viruses have spread via e-mail, but this problem could be avoided if users were educated not to open an e-mail attachment from an unknown source and to always virus-check an attachment before opening it. Also, users must be educated in the significance of password security. Many write their passwords down, which makes the password prone to being discovered. Ideally the network administration wants to retain total control over a network and know exactly what is installed and how every system is configured. Network users may be tempted to install software which may change the way a system works, thus weakening the network. To prevent such events the network administration should try to actively educate the users of the network to act responsibly, and this in turn would minimise security breaches.
Host hardening would be a complementary measure. Most computers are set up with very little protection. A network could be protected, but weaknesses will still remain if the individual computers are not configured correctly. Host hardening involves making any part of an individual system safer from attack. For host hardening to be effective the host's function must be identified, which is where the user explains to the network administration what tasks, programs and actions are carried out on his / her computer; the necessary steps can then be taken to configure the machine against attack. For example, if a computer is used to store important documents a password system may be set up to combat intrusion. However, the same level of protection may not be needed on a different computer because it may be used for a totally different purpose. There are four main aspects which must be considered before host hardening can be carried out. Firstly, the primary function of the machine must be determined, e.g. is it a mail server, workstation, print server and so on. Secondly, who will access the machine, e.g. external users, administration, customers etc.? Thirdly, how the machine will be accessed must be determined: will it be accessed by an internal network user or an external user? Lastly, what peripherals are attached to the machine, such as monitors, keyboards, scanners, printers etc.? The majority of this information may come from the users, as they will be most familiar with the functions of a particular computer. Once the network administration knows the use of the computer, relevant steps can be taken to ensure that it is made secure.
Monitoring and maintenance are crucial in enabling a network to run smoothly and effectively. Monitoring is needed to ensure that the network is working correctly and that servers, for example, are not being overloaded by too much traffic, or to test for hardware problems which could expose security holes in the network. The network in practice should be monitored periodically to test for known operating system vulnerabilities. This must be done on a day-to-day basis, and over time the network administration will have a detailed picture of how the network reacts under different conditions. Maintenance is even more important, as you can monitor a network in great detail but if hardware / software is not updated you will still be subject to attack. Monitoring may reveal that the network's FTP server is constantly crashing. Such an event should be investigated, and it might be found that the firewall software is outdated or has security flaws and thus must be updated. Most hardware and software manufacturers make patches available to the public.
In conclusion, it is clear to see that there are many issues associated with network security, and in order to fully protect a network nothing can be left to chance.
If the topology of a network is studied it will reveal how the network is made up of many separate components which work together to form the network. Every aspect of the network should be looked at as part of a whole system. Whether this is actually achieved depends on a business's network security policy. Every organisation which has a network must ensure that its network security policy is adequate to deal with the majority of risks posed by a network. When determining a network security policy an organisation must ask itself four key questions. Firstly, all resources that need to be protected must be identified. Secondly, identify the people from whom the network's resources need to be protected. Thirdly, how likely are these threats to occur, which can help determine what prevention methods should be put in place. Lastly, what measures would best protect the network while taking into account cost and time management. It is of utmost importance for an organisation to have a well defined network policy, which can help ensure that the safety of the network is not compromised.
In summary, networks are forever subject to internal and external change, and with those changes come new dangers to security. The best tool available to protect a network is extensive knowledge of one's own network and of the external environment in which the network operates.
Figure 1: Different types of network topology
The above diagram helps to show that there are many ways to set up a network therefore many ways in which networks can be protected. There is no one set way to protect any network.
Figure 2: A firewall connected to a DMZ LAN
Figure 3: Proxy / Firewall
Figure 4: Distributed Denial of Service Attack.
Note: the term computer is used loosely, as it could be a server / network etc. The arrows represent the flow of data (such as data packets).
Figure 5: flowchart of how a network can be entered externally and the measures that prevent illicit access.