SECURITY ON THE NET - II
Determining Security Breaches
It can be difficult to determine whether security has been breached. If you are using wrappers and firewalls, their logs let you find out whether an unauthorized entry to the network has occurred.
1. Beyond that, one of the best indications of an intruder is a large quantity of local hard disk space disappearing without any explanation.
2. Another good indicator is increasingly slower communication speed.
Note: If you find illegal software on your machine, do not run any of its executables, because they could be infected with viruses.
You can follow an easy set of rules to ensure that your security is not breached.
• Protect your system
• Monitor for intrusion
• Trap any intruders
• Report to correct authorities
• Destroy the pirated data
The first and most important thing is protecting your system, but protection alone does not mean the network is secure.
You need to monitor your system at periodic intervals to improve your security, because monitoring is the only way to know whether the system's security has been breached. Monitor the following aspects at regular intervals.
• Disk space usage
• Communication lines
• Login files
• Attempts to change user privileges
• Network statistics logs
The network statistics logs report socket and port connections to your machine, recording who used which socket and when. This information helps to identify pirates trying to break into ports and can go a long way toward tracking them.
Finding out the Damage
When you have identified that a pirate or cracker is accessing your system, take immediate action to identify and isolate the damage. If the pirate has free access to your system, or you suspect the pirate is roaming in areas that contain sensitive information, terminate the user's connection immediately. The simplest way to terminate the user's session is to kill the user's shell or FTP process. More severe mechanisms include resetting the communication system or the entire computer (for example, hanging up the modem or turning off the computer).
1. In case of severe cracking or pirating, disconnect your system from the network and refuse user logins until the damage has been isolated. This ensures that neither other users nor the pirate can disrupt the recovery of your system and data.
2. If you have a WWW page on a provider's site (a web site hosted through a third party) and think it has been accessed illegally, report it to the provider immediately. The provider will help isolate the problem and track down the pirate.
Finding the suspect is not easy, but there are several approaches.
1. If the user has penetrated through a known login, you can assume that either the password was easy to break or the specified user has let the login information out.
2. If the password appears secure, it is time to examine the user's logs. Look for unusual activity, such as a login account being used both during normal hours and late at night: the owner of the account might use it during normal hours while the pirate accesses it late at night. Likewise, the same user being logged in more than once at the same time is an indication of a security breach.
3. If the users come in through FTP, look at the FTP log for any sign of a security breach. Log files such as the FTP log and the WWW log enable you to determine who has accessed your system. Some versions also track all the commands entered by the user.
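The monitoring points above (disk space disappearing, accounts used both by day and late at night, the same account logged in twice at once) can be checked mechanically. The following is an added example, not code from the article, that runs those three checks over a constructed login-accounting log and a constructed series of disk-usage readings; the log format, host names, and the 23:00 to 05:00 "late night" window are assumptions made for the illustration.

```python
"""Added example (not from the article): detecting the login anomalies described
above in a constructed login-accounting log, plus a disk-usage growth check."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log: user, remote host, login time, logout time.
SAMPLE_LOG = """\
alice  ws01.corp.example   1996-03-04 09:02  1996-03-04 17:40
alice  ws01.corp.example   1996-03-05 08:55  1996-03-05 18:05
alice  dial7.isp.example   1996-03-05 02:13  1996-03-05 03:47
bob    ws14.corp.example   1996-03-05 10:00  1996-03-05 12:00
bob    ppp3.far.example    1996-03-05 11:20  1996-03-05 11:50
carol  ws09.corp.example   1996-03-05 13:10  1996-03-05 14:00
"""

# Assumed "late night" window: 23:00 through 05:00.
NIGHT_START = time(23, 0)
NIGHT_END = time(5, 0)


def parse_log(text):
    """Turn the whitespace-separated sample format into session dicts."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, host, d1, t1, d2, t2 = line.split()
        sessions.append({
            "user": user,
            "host": host,
            "login": datetime.strptime(f"{d1} {t1}", "%Y-%m-%d %H:%M"),
            "logout": datetime.strptime(f"{d2} {t2}", "%Y-%m-%d %H:%M"),
        })
    return sessions


def is_late_night(dt):
    t = dt.time()
    return t >= NIGHT_START or t < NIGHT_END


def late_night_logins(sessions):
    """Accounts used during normal hours that also show logins late at night.
    Returns (user, host, login time) for each suspicious night session."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s["user"]].append(s)
    flagged = []
    for user, user_sessions in by_user.items():
        day = [s for s in user_sessions if not is_late_night(s["login"])]
        night = [s for s in user_sessions if is_late_night(s["login"])]
        if day and night:
            flagged.extend((user, s["host"], s["login"]) for s in night)
    return flagged


def overlapping_logins(sessions):
    """The same account logged in from two different hosts at the same time."""
    hits = []
    for i, a in enumerate(sessions):
        for b in sessions[i + 1:]:
            if a["user"] != b["user"] or a["host"] == b["host"]:
                continue
            if a["login"] < b["logout"] and b["login"] < a["logout"]:
                hits.append((a["user"], a["host"], b["host"]))
    return hits


def disk_growth_alerts(samples, threshold_mb):
    """samples: list of (label, used_mb) readings in time order.
    Flags any interval in which usage grew by more than threshold_mb."""
    alerts = []
    for (prev_label, prev_used), (label, used) in zip(samples, samples[1:]):
        if used - prev_used > threshold_mb:
            alerts.append((prev_label, label, used - prev_used))
    return alerts


if __name__ == "__main__":
    sessions = parse_log(SAMPLE_LOG)
    for item in late_night_logins(sessions):
        print("late-night login:", item)
    for item in overlapping_logins(sessions):
        print("concurrent logins:", item)
    # Constructed daily readings of used disk space in MB.
    readings = [("mon", 1200), ("tue", 1250), ("wed", 4900)]
    for item in disk_growth_alerts(readings, threshold_mb=1000):
        print("unexplained disk growth:", item)
```

On the sample data the checks flag alice's 02:13 session from a dial-up host (her other sessions are all during the day from her workstation), bob's two overlapping sessions from different hosts, and the jump of several gigabytes between Tuesday's and Wednesday's disk readings. Real accounting logs (wtmp, FTP and WWW logs) need their own parser, but the three comparisons are the same.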
Note: The WUSTL (Washington University in St. Louis) archives provide a good amount of public domain software that is specially built to log transactions (ftp://ftp.wustl.edu).
Many organizations stand by to help you with your security needs. These organizations exist all the way from the federal government level down to the private sector.
The most respected organization on the Internet for issues of networking security is CERT (Computer Emergency Response Team). CERT was created in 1988 by DARPA to address computer security incidents. CERT is currently run out of Carnegie Mellon University in Pittsburgh, Penn.
CERT runs a server that can be found at info.cert.org via FTP.
The FTP site contains copious quantities of advisories on various computer systems and their security holes. Advice and instructions for plugging the holes are also included. We highly suggest that you visit this site, because you can be sure the pirates have. The site also includes question-and-answer files that contain advice on determining whether your system is secure, as well as programs that analyze your security and help you identify holes.
Many organizations that deal with security issues post to and read the various security newsgroups on Net News. The following groups carry information on security.
alt.security
comp.risks
comp.security.announce
comp.security.misc
comp.virus
The FBI, not surprisingly, maintains a Computer Crime Squad.
You can report any serious intrusion to them. First report your intrusion to CERT and then, if advised by them, also file a report with the FBI. When we called the FBI to report the intrusion on our system, we were told that an agent would call us right back, but nobody ever did. CERT, on the other hand, was very informative and helpful.
Other groups that examine the Internet and security issues include the following:
The Better Business Bureau (BBB)
http://www.cbbb.org/cbbb/
The Internet Society
http://info.isoc.org/home.html
The Electronic Commerce Association
http://www.globalx.net/eca/
Creating a Secure System
It is a well-known saying that prevention is the best medicine, and this applies equally well to computer security. The first step is to secure your data files such that only the right people can see them. This is especially crucial for the following types of data and files.
• User passwords
• Billing files
• System and user logs
• Credit card information
• Trusted remote system information
• Compilers
• Administration tools
User passwords and usage logs should be kept secure to keep pirates from reading those files to figure out how to gain further access to your system. Keeping your password file shadowed or hidden keeps pirates from remotely acquiring the file and then running password-cracking programs on it at their leisure.
Finally, be sure to protect administration tools as well as compilers. General users of your system should not have access to these tools because, if they fall into the wrong hands, they can be used to create programs that aid the pirate in breaching security.
Note: If you are running your own WWW server, look in your server's configuration file for the DirReadme Off setting. If DirReadme Off is not in your configuration file, add it. This setting turns off the directory listing capability and increases your WWW security.
Working with Firewalls, Wrappers, and Proxies
Firewalls, wrappers, and proxies offer a good line of defense for WWW server owners and system administrators.
Firewalls can be either software or hardware that protects your ports and keeps pirates from penetrating your security. The concept of a firewall is to allow only certain trusted domain names to access your system. Other domains are simply not allowed in and get a "connection refused" message. By restricting the millions of domain names such that only one or two get in, you instantly restrict access to your system from the outside.
Firewalls can be configured to run on certain ports and not on others. This allows you to have security on all your systems except the areas where you don't want it. For example, you might want users to access your Web site from anywhere, but not be able to ftp or telnet in. In this case, you would not have a firewall running on the Web port, but would have one running on your FTP and Telnet ports. Users from anywhere could access your Web information without a problem, but attempts to ftp and telnet would be refused unless they came from a trusted user.
Maintaining firewalls and the security of your other computer systems is as crucial as the initial setup and installation. At the same time, stay current with updates to security software and with trends in security technology.
Wrappers are the second line of defense, available from CERT as well as other Internet archives. Wrappers run as a layer of software around your other software. In other words, a user doing FTP to your system first reaches the wrapper, which then engages FTP. The user does not know that the wrapper exists and cannot detect any difference in the system.
Wrappers are interesting because they are flexible. Wrappers can act as firewalls and can refuse users based on their user names as well as their domain names. Secondly, wrappers log all accesses and thus serve as a good indication of whether your security is working correctly.
Wrappers also enable you to create blind alleys that help trap pirates. These can be tied into alarms that alert you to penetration of certain directories, which you can set up to look like juicy archives of all sorts of valuable information. While the pirate is busy downloading what is basically garbage (made to look like valuable data), you have ample time to trace the user.
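The per-port firewall policy described earlier (Web open to everyone, FTP and Telnet only for trusted domains) and the wrapper behaviour described here (refusal by user name or domain, a log of every access, alarms on decoy directories) can be shown in one small access-control layer. The following is an added example written for this page; it is not the article's code and not CERT's tcp_wrappers. The rule syntax, host names, user names and decoy paths are constructed for the illustration.

```python
"""Added example (not the article's code, nor CERT's tcp_wrappers): a wrapper-style
access-control layer with per-service rules, access logging and decoy alarms."""
from fnmatch import fnmatchcase

# Constructed rules, checked top to bottom; the first match wins and anything
# unmatched is denied. Fields: service, action, client-host pattern, user pattern.
RULES = [
    ("ftp",    "deny",  "*.badnet.example", "*"),       # refuse by domain
    ("ftp",    "allow", "*.corp.example",   "*"),       # trusted domain only
    ("telnet", "deny",  "*",                "guest"),   # refuse by user name
    ("telnet", "allow", "*.corp.example",   "*"),
    ("http",   "allow", "*",                "*"),       # the Web port is open to all
]

# Constructed "blind alley" directories: any access inside them raises an alarm.
DECOY_DIRS = ("/pub/payroll-backup", "/pub/ccards")


class Wrapper:
    def __init__(self, rules=RULES, decoys=DECOY_DIRS):
        self.rules = rules
        self.decoys = decoys
        self.log = []     # every access decision, allowed or refused
        self.alarms = []  # allowed accesses that reached a decoy directory

    def decide(self, service, client, user):
        """First matching rule decides; no match means refuse."""
        for svc, action, host_pat, user_pat in self.rules:
            if (svc == service and fnmatchcase(client, host_pat)
                    and fnmatchcase(user, user_pat)):
                return action == "allow"
        return False

    def touches_decoy(self, path):
        return any(path == d or path.startswith(d + "/") for d in self.decoys)

    def handle(self, service, client, user, path=None):
        """Called in front of the real service; returns True if it may proceed."""
        allowed = self.decide(service, client, user)
        entry = {"service": service, "client": client, "user": user,
                 "path": path, "allowed": allowed}
        self.log.append(entry)
        if allowed and path and self.touches_decoy(path):
            self.alarms.append(entry)
        return allowed

    def denied_clients(self):
        """Hosts with refused attempts, the starting point for tracing."""
        return sorted({e["client"] for e in self.log if not e["allowed"]})


if __name__ == "__main__":
    w = Wrapper()
    w.handle("ftp", "ws01.corp.example", "alice")
    w.handle("ftp", "evil.badnet.example", "alice")
    w.handle("telnet", "ws01.corp.example", "guest")
    w.handle("http", "anywhere.example", "anon")
    w.handle("ftp", "ws02.corp.example", "bob", path="/pub/ccards/list.txt")
    for entry in w.log:
        print("ALLOW" if entry["allowed"] else "REFUSE", entry)
    for entry in w.alarms:
        print("ALARM: decoy directory touched by", entry["user"], "from", entry["client"])
    print("refused hosts:", w.denied_clients())
```

Because the wrapper sits in front of the service, the caller sees only an accept or a "connection refused", as the text describes; the log and the alarm list are what the administrator reads afterwards. A real deployment would write the log to a file the general users cannot read, in line with the earlier advice on protecting system logs.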
Proxy servers also allow you to hide data in a most convenient manner. Proxy mode is most useful for users behind a firewall.
The users set their browser's proxy address to point at your Web server. The Web server then handles the actual direction of data to the outside world. This narrows the path users take when they leave the system, enabling you to route data through holes in your own firewalls. The other major advantage is that the server software can filter the request. By filtering the information, you can restrict the content and track usage, as well as modify the information on the fly.
Proxy servers can also be pointed at other proxy servers, which allows them to effectively hide data. The actual data can sit on machines far away from the server itself. The server accepts the contact from either a local or a remote user. However, instead of simply fulfilling the request, the server in turn sends the request to another server. The second server sends the requested information back to the primary server, which then sends it back to the user. The user never knows where the information actually comes from.
One other advantage of proxy servers is that each major service, such as FTP, Telnet, Gopher, NetNews and so on, can be routed to a different server. This enables you to distribute your various WWW servers' loads across different physical servers.
Not only do you benefit from data hiding, but you also benefit from reduced server load.
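The proxy arrangement described above (a user-facing proxy that filters requests, tracks usage, rewrites responses, and forwards to a second proxy in front of the machine that actually holds the data) is shown below in miniature. This is an added example, not code from the article; the origin content, the allowed host list, the rewriting rule and the user names are constructed for the illustration, and the chain is simulated in-process rather than over real sockets.

```python
"""Added example (not from the article): a chained, filtering proxy in miniature.
Origin content, host allowlist, rewrite rule and user names are constructed."""
from collections import Counter
from urllib.parse import urlsplit


class Origin:
    """Stand-in for the far-away machine that really holds the data."""
    def __init__(self, pages):
        self.pages = pages  # url -> body

    def fetch(self, url, user):
        body = self.pages.get(url)
        return (200, body) if body is not None else (404, "not found")


class Proxy:
    def __init__(self, name, upstream, allowed_hosts=None, rewrite=None):
        self.name = name
        self.upstream = upstream            # another Proxy or the Origin
        self.allowed_hosts = allowed_hosts  # None means no host filtering
        self.rewrite = rewrite              # optional on-the-fly body transform
        self.usage = []                     # (user, url, status) per request

    def fetch(self, url, user):
        host = urlsplit(url).hostname
        if self.allowed_hosts is not None and host not in self.allowed_hosts:
            status, body = 403, "blocked by proxy policy"   # filtered here, never forwarded
        else:
            status, body = self.upstream.fetch(url, user)   # forwarded up the chain
            if status == 200 and self.rewrite:
                body = self.rewrite(body)
        self.usage.append((user, url, status))
        return status, body


def usage_by_user(proxy):
    """Usage tracking: number of requests each user made through this proxy."""
    return dict(Counter(user for user, _, _ in proxy.usage))


def build_chain():
    """Origin behind an inner proxy behind the user-facing outer proxy."""
    origin = Origin({
        "http://docs.example/index.html":
            "<p>Welcome. Mirrored from internal-srv.corp.example.</p>",
    })
    inner = Proxy("inner", upstream=origin)
    outer = Proxy(
        "outer",
        upstream=inner,
        allowed_hosts={"docs.example"},
        # Modify the information on the fly: hide the internal host name.
        rewrite=lambda body: body.replace("internal-srv.corp.example", "www.example"),
    )
    return outer, inner, origin


if __name__ == "__main__":
    outer, inner, origin = build_chain()
    print(outer.fetch("http://docs.example/index.html", "alice"))
    print(outer.fetch("http://warez.example/stuff", "bob"))
    print(outer.fetch("http://docs.example/missing.html", "alice"))
    print("outer usage:", usage_by_user(outer))
    print("inner usage:", usage_by_user(inner))
```

The user only ever talks to the outer proxy: a request for a host outside the policy is refused there and never reaches the inner proxy, an allowed request is passed along the chain and the answer comes back through the same path, and the internal host name in the page body is rewritten before the user sees it.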
I find this article very helpful. So many great techniques and promising ideas have been suggested in this article to secure information online. I will use all these techniques. Thanks.