You set up firewalls, e-mail filtering, Intrusion Detection Systems (IDS), personal firewalls and censor software (both at the network and the personal level), and they still get in. What I’m referring to are those pesky VBSes and similar worms inhabiting the Windows platform right now, and maybe a few real-life crackers here and there. For the network administrator, this can be a real problem. Even when he has secured his network with the latest tools and patches, there is still a big chance of his kingdom getting infected, especially if it’s made up of MS Windows machines and their trusting users.
The main problem lies in the users’ activities. Normally, the administrator is expected to shut off inbound connections so that malicious users cannot connect to the internal network. However, we are increasingly seeing that this is only one side of the coin. Most users will be accessing hostile networks, like IRC, even if they have no business doing so.
In this article I will be outlining some of the protocols that most security-related tools do not cover, or do not even consider protecting users from. The HTTP protocol provides a backdoor for hackers and malicious crackers to get into your network; much the same goes for e-mail. While this is getting a lot of press right now, there’s a lot more to network security than just HTTP and e-mail.
Newsgroups basically have the same problems as e-mail. The difference is that instead of infecting just the target user, a malicious newsgroup post targets more than just one. So if you’re using Outlook Express to read Newsgroups, and have your mind at rest ’cause you’re filtering your e-mails from known exploits and attachments, you could be in trouble.
Newsgroups, although similar to e-mail, cannot be filtered in exactly the same way. One solution is to deploy a newsgroup relay that copies posts from a public newsgroup to an internal host, filtering them on the way. This can produce a number of problems, such as slow updates, clogged servers and large disk space requirements. You could instead perform a secure installation of the newsgroup client on each and every machine in your network, but this is certainly not the most practical way to improve security, especially in a large network.
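A sketch of the filtering step such a relay could run on each post before copying it to the internal host. This is an added example, not code from the original article; the extension blocklist, the function names and the sample post are assumptions constructed for illustration.

```python
import email
import re
from email import policy

# Assumed blocklist of extensions Windows executes or script-runs; tune per site.
BLOCKED_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".vbe",
               ".js", ".jse", ".wsf", ".wsh", ".lnk", ".hta", ".shs"}
# uuencoded attachments, common on Usenet, start with "begin <mode> <name>".
UU_BEGIN = re.compile(r"^begin [0-7]{3,4} (.+)$", re.MULTILINE)

# Constructed sample post (not real traffic): uuencoded double-extension file.
SAMPLE_POST = (
    "From: poster@example.invalid\n"
    "Newsgroups: alt.test\n"
    "Subject: holiday pics\n"
    "\n"
    "Have a look!\n"
    "begin 644 holiday_photo.jpg.exe \n"
    "end\n"
)


def final_extension(filename):
    """Return the extension Windows acts on: the last one, after trimming
    the trailing dots and spaces that Windows ignores."""
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def attachment_names(raw_article):
    """Collect filenames from MIME parts and from uuencode 'begin' lines."""
    msg = email.message_from_string(raw_article, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.get_filename():
            names.append(part.get_filename().strip())
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            names.extend(n.strip() for n in UU_BEGIN.findall(body.decode("latin-1")))
    return names


def should_quarantine(raw_article):
    """Return the attachment names that make the relay hold the post back."""
    return [n for n in attachment_names(raw_article)
            if final_extension(n) in BLOCKED_EXT]
```

A relay would hold back any post for which `should_quarantine` returns a non-empty list and pass the rest through; name-based filtering is only a first layer and does not inspect the attachment contents.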
Then there are the so-called instant messengers and similar networks like IRC, ICQ and AOL-CHAT. Unlike newsgroups and e-mail, these offer almost instant message replies. These networks also support sending and receiving files, and many users are very, maybe overly, willing to receive any file as long as it’s named myself_nude.jpg.exe or anything similar.
This also means that users are more easily fooled into giving out personal information, some of which can give attackers a real advantage when trying to get into your network. Apart from this, accessing IRC and similar networks exposes your firewall’s IP address, or the user’s NAT.
It is very common for users on IRC to get scanned for vulnerabilities. So if any user is accessing IRC, and has for example, PCAnywhere, telnetd or whatever running on the IP address shown on IRC, you’ll be sure to get some bruteforcing one day or another.
ICQ is also known to be a very insecure “protocol”. In fact, ICQ makes no claim about the security of their product. Much the same goes for most other chat networks, since they are generally not designed with security in mind, but rather for overall “efficiency” and a multitude of features to satisfy a large number of users. Of course, giving users on a supposedly secure network access to these services creates a backdoor in the network and easily compromises its overall security.
These kinds of problems exist in any network that trusts its own users. Where security is critical and data simply cannot be shared unless legal access is given, it’s necessary to allow users to access only trusted or filtered protocols, and maybe sites. This applies to most corporate networks, where compromising just one machine means a compromise of the whole network. The solution would be to add the required rules to the firewall and restrict access. Besides that, it’s very reasonable to educate the users and set up security policies. The traditional virus scanner always helps as well.
Visit http://www.eyeonsecurity.org, covering overall computer security, with articles, papers, tools, original advisories and exploits.