Security tends to be recognised as a key issue when connecting a network to the Internet. Less clear are the practical steps which can be taken to protect a network against unauthorised intrusion.
Security is broad umbrella and covers many issues ranging from physical access control to encryption technologies. This paper focuses on the most apparent concern:
what steps can be taken to reduce the risk of unauthorised access to a network from the Internet
At first glance this concern appears well expressed; it evokes an image of someone, somehow, logging on to a network over the Internet. However, this is not typical of an attack and unauthorised access should be treated more broadly as: someone being able to read or write data in files held on a computer on a network
Note that a person does not need to be 'connected' to a network to have gained unauthorised access. Any unauthorised distribution of data by software on your network is a breach of security.
Click on next for common approaches to breaching network security.
Security Risks
Security risks are created by software. Software can allow (wittingly or unwittingly) someone to make a connection to a computer. Software can send files and data from one computer to another. Three main points of attack on software are:
1. | Exploiting weaknesses in software which is intended to accept incoming connections (web servers, email servers etc) where the weakness allows the software to be 'crashed' and program code issued by the hacker to be run on the host computer
|
2. | Connecting to software which is intended to accept incoming connections and impersonating a user with data access rights
|
3. | Installing software which sends data from computers on the local network out of the network
|
Note: |
for exploits 1 and 2 to operate, software must be installed on a computer that can be addressed from the Internet, either by having a direct connection to the Internet, or by being accessible through a tunnel from a router, or being accessible from another computer on the network which has been compromised by a hacker.
for exploit 3 to operate, the hacker must either have gained physical access to a computer on the network or a user has been persuaded to install software on the network, probably, without being aware of its function
|
Click on next for common to reducing the risk of unauthorised access.
Reducing the Risk of Unauthorised Access
The fundamental principal of improving network security is to carefully control the software which has direct access to the Internet.
1. | Preferably only one computer should have direct access to the Internet. This may be through a modem, ISDN card, ADSL device or router. If a router is used then a second network card should be installed on this computer and the router attached to the second network card. Software on other computers on your network will now be required to talk through this computer to access the Internet. This is your firewall.
|
2. | If possible the firewall computer should be dedicated to its purpose (ie:its only job should be to act a gateway for other computers to access the Internet) The only software installed on this computer should be the gateway software such as Terrapin MultiNet
|
3. | The gateway computer should be prepared for use. Ideally its operating system should be removed and reinstalled from scratch. All unnecessary operating system components should be removed. Specifically the only networking component installed should be TCP/IP. TCP/IP MUST NOT be bound to any network services such as 'Client for Microsoft Networking'. All unnecessary application software should be removed.
|
Click on next to continue
4. | On the gateway computer validate what software is using TCP/IP (on Windows NT, 2000 or XP type netstat -na, on other operating systems use port blocker or personal firewall to find this information. With only the core services installed. MultiNet should be the only user of TCP/IP and the following ports will be in used:
|
5. | If possible, set the gateway software to require authentication from client applications before routing requests. Preferably, authentication should not be based on the client machine's network authentication. This will ensure that all applications attempting to access the Internet will need to be explicitly authorised to do so by a user. Terrapin MultiNet requires authentication by default.
|
6. | Physically secure access to the gateway computer. Your time spent cleaning the gateway computer will soon be eroded if people are able to install software on the machine. Remove unnecessary users from the machine, change the administrator's account.
|
Click on next to continue
What is a Personal Firewall ?
A personal firewall is software which alerts the user of a particular computer if a program on that computer is attempting to access the Internet or listen for incoming connections.
A personal firewall is potentially a useful addition to your armoury if you are not able to dedicate a computer to be your gateway. The personal firewall will alert the user of the gateway computer of any software installed on it which may represent a security risk
Index of Technical Papers
privacy policy
