by Matthew Tanase
|Always On, Always Vulnerable: Securing Broadband Connections
by Matthew Tanase
last updated March 26, 2002
You finally got it. No more late nights at the office wasted on downloading sprees. No more screeching modems or constant busy signals. Streaming media, lightning quick file transfers and online gaming, all within your reach. Yes - you finally have broadband Internet access!
While it may not be necessarily change user's lives, broadband access - primarily cable and DSL connectivity - is nonetheless a great enhancement for any household or small business. The speed and always-on convenience are certain to change the way users work and play on-line. But the leap to broadband comes with a major snag - security. This article will look at the threats that accompany broadband access and the requirements necessary to protect this growing component of the Internet.
It's A Whole New Game
The major advantage of broadband is the speed with which users can access and download material from the Net. Another significant change, one that is often overlooked by beginners, is the constant connection that broadband enables. The notion of continuous access requires a new mind-set. Before broadband, most users were Internet nomads. They would dial in for a few minutes, check their mail and log off, only to log on again later for a half-hour of surfing. But with broadband access, most users leave their computers on all day, which means they are constantly connected to the Internet.
In theory, a device that is connected by a dial-up modem is no more secure than one connected using broadband or an office LAN. A dialup user's machine is assigned an IP address similar to every other device on the Internet. However, reality is, as usual, a bit different than theory. Although dial-up machines can be compromised, as many have, the intermittent nature of their connectivity makes them a difficult target. The random elements of modem access, varying connection times and changing IP addresses, add a layer of security - albeit a thin one. Most crackers, unless they are after a specific target, are not looking for vulnerable dial-up machines. They want to have access to something they can use without being noticed, something that is always available. Sound familiar? A few years ago the only such devices were Web and mail servers on large networks. Times change. Now broadband users provide crackers with these constantly connected systems. In many ways, the transition to broadband brings the same concerns IT departments and security consultants address, and struggle with, everyday. Most Internet users are ill-prepared to handle such issues. And who can blame them? They lack the time, resources and experience to do so. Thankfully, a basic understanding of potential threats and security principals are great foundations for remedying this nightmare of a problem.
Threats To Broadband Security
People often assume they possess nothing of interest to crackers. Some believe that, with millions of potential targets on the Net, they can safely slip under the security radar. Such assumptions are false. Crackers are not necessarily after secret files or valuable corporate data, many just want a machine - fast. Most victimized machines are merely launch pads for other attacks, such as a denial of service or an automated worm. They serve as one link in a chain of several breached machines. Like most criminals, crackers go after easy targets. Victims are culled, often randomly, from the results of massive network scans, such as the one illustrated below.
[/home/matt]$ /usr/local/bin/nmap -sP -v -v 192.168.1.1-10 Starting nmap V. 2.53 by firstname.lastname@example.org (www.insecure.org/nmap/ ) Machine 192.168.1.1 MIGHT actually be listening on probe port 80 Host (192.168.1.1) appears to be up. Host (192.168.1.2) appears to be down. Host (192.168.1.3) appears to be up. Host (192.168.1.4) appears to be down. Host (192.168.1.5) appears to be up. Host (192.168.1.6) appears to be down. Host (192.168.1.7) appears to be down. Host (192.168.1.8) appears to be down. Host (192.168.1.9) appears to be down. Host (192.168.1.10) appears to be up. Nmap run completed -- 10 IP addresses (4 hosts up) scanned in 1 second
The text above shows the output of a scan of ten hosts on a private network performed by the popular scanning tool Nmap. The option "-sP" is used to determine which hosts are on-line via ping sweeps. The response "appears to be up" means the scanned machine replied to the ICMP echo request, implying that it is on-line. Those that did not reply are labelled "appears to be down", and are likely off-line (or they do not reply to such requests - a good security practice).
Of note is the fact that the scan illustrated here was completed in less than a second. Using scanning tools such as Nmap, it is quite possible to scan thousands of hosts in a few minutes. Security professionals regularly use assessment tools designed to automate the process of scanning hosts and exploring potential vulnerabilities. Using these tools, a cracker could probe and review thousands of hosts, ultimately producing a large list of potential targets in mere hours.
Once a vulnerable machine is located and compromised, it may be used in different ways. Some may be used for storage space, others as chat or FTP servers. One cracked device often leads to others on the same network, since sniffers and other analysis tools can be installed to capture local data. This may enable the cracker to view and alter vital personal information that is stored on the machine.
Aside from the value of any data that may be lost or compromised, such an intrusion will be costly in terms of time and effort required to resolve the problem. This includes the time spent discovering the incident, researching the ramifications and implementing a fix, time spent restoring, reinstalling and patching the vulnerability, and time spent on the phone with ISPs, technical support and, in some extreme cases, legal authorities. So, with this much at stake, it would be helpful for users to know how to prevent such scenarios from ruining their broadband experience.
The Defense - Securing a Broadband Connection
Earlier in this article it was stated that broadband users face many of the same concerns as that of larger organizations. Naturally then, the defense methodology employed by such professionals is ideal when scaled down for broadband use. No matter the size of the home or office configuration, even if it consists of one machine, the user will have a dedicated line and a group of machines to protect, just like system administrators all over the world. Instead of a T3, multiple servers and several workstations, the home user has a cable/DSL connection, a desktop and maybe a laptop. See the similarities?
The heart of always-on protection is the firewall (for a good introductory resource on personal firewalls, see the SecurityFocus article, Firewalls for Beginners). These devices are the gate-keepers for any network. They filter traffic based on a rule-set designed to reject everything but legitimate traffic.
If the system to be protected consists of more than one computer, a dedicated firewall is strongly recommended. This stand-alone device runs the firewall (and nothing else) designed to protect a network. Since low cost is a priority, commercial network firewalls may not be practical; however, there are a few other options.
The SOHO (small office/home office) networking boom over the past few years has created a fantastic market for quality, yet scaled down networking gear. Four port router and switch combinations can be found for under a hundred dollars. Hardware vendors, such as Linksys and Dlink cater to the broadband market and have bundled basic filtering software into many of their devices. Although they don't include the ability to fine-tune rule-sets, they are easy to set up and maintain. Additionally, they often ship with default configurations that protect against unsolicited activity from the Internet. This combination of networking hardware with built-in firewall features is hard to beat.
For the more advanced, or paranoid, we turn to the open source solutions such as Linux and the BSD variants. A relatively old machine (18-36 months) can get new life as a firewall running one of these excellent operating systems. Both have the ability to act as a firewall and router, with a feature set matching that of several commercial products. It's also easy to grow with these devices; they have no problems handling a few dozen machines, as well as more advanced options such as a DMZ. Several graphic and Web interfaces are available to simplify the administration process. Coupled with a quality switch, these set-ups are ideal in terms of price, performance and expandability for a small office.
If the system in question consists only of a single PC connected via broadband, a dedicated firewall might be overkill. Windows users can choose from several quality products to protect their desktops. ZoneAlarm and BlackICE Defender are well-known commercial solutions. Another option is Tiny Personal Firewall a good program that is free for personal use. All three of these products act as single user versions of their larger counterparts, but are easier to configure and maintain since they handle duties for only one machine.
It's hard to go wrong implementing any of the aforementioned setups. The choice depends on your current situation and future expansion plans. It is important that you choose one, and deploy it correctly. These devices are a small network's strongest defense.
Hardening the Host Computer
Having protected the perimeter of a broadband connection, we need strengthen the computer or computers that are connected by broadband. By this, we do not mean protecting the network, but protecting the individual machines that make up the network. This discussion could consist of several articles in and of itself, but the message can be generalized as follows. Each device on a network must be "locked down" before going on-line. By this I mean removing unnecessary features, services and components. Windows users need to disable print and file sharing, remove nonessential network protocols, install a virus scanner and keep up to date on service packs. Unix users should follow a similar plan by shutting down most ports and services, and religiously upgrading patches.
It's helpful to look at your own network through the eyes of a cracker. Run assessment tools such as Nessus and Nmap on each machine, research the results and learn how they could lead to potential vulnerabilities. There is no better way to protect a network than to try and break it.
Securing individual hosts adds another important layer to our defense strategy. If a firewall fails to perform as expected in some way (and, believe me, it happens), the machines themselves must be able to resist an attack.
The final line of defence in any network or system is operational security. An industry term, it's a bit of a catch-all that implies the rules of "use" for a network and its components. In short, operational security means secure on-line user behavior. (For a more comprensive look at this topic, refer to the SecurityFocus series, Secure On-line Behavior). For the purposes of this discussion, we will simply define operational security as including the following considerations:
All of these inquiries focus on methods and procedure, crucial elements of security. The answers, always based on minimizing risk and exposure, should be reflected in how a network is maintained and usage guidelines.
The arrival of broadband access has the potential to change how we work, entertain, communicate and learn. For now, however, it comes with the burden of security. There is no single product, organization or corporation that can fully protect users on-line. A popular quote in the security industry claims that "security is a process". This is especially true for the growing number of broadband users. Even after deploying a firewall, reviewing machines and operating securely, users need to be aware of security in their daily on-line activities.
Matthew Tanase is President of Qaddisin a network security company based in St. Louis. He has studied computer security for 10 years and holds a dual degree in Electrical Engineering and Computer Science. Currently, he provides network and security consulting services for universities, start-ups, small businesses and large corporations.
A Brief History of the Worm
Sniffers: What They Are and How to Protect Yourself
Firewalls for Beginners
Linux Firewall - The Traffic Shaper
This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.