Network Security and System Logging

What is Computer Security?

Most people think of security as a big guy, probably born on an island in the Pacific, who throws you out of the pub if you don't match the dress code. They also think of guys at the airport with conspicuously unremarkable suits and black hearing aids who regularly nod at each other and thus keep us safe from terrorists. Computer security has very little in common with these guys.

For a shopkeeper, security might be a roller shutter to pull down when they lock up at night, a couple of steel pillars to halt a ram raid and maybe a camera that scans constantly and keeps the last 12 hours on video tape. This stuff is more like the sort of security we are talking about here.

Let's face it, enough can go wrong with your computer system without having to also worry about people deliberately trying to stuff it up... but we all know that if an opportunity exists, someone will exploit it. Morality, honesty and decency are a lot less common in the modern world than they would be in an ideal world so you have to ask some fundamental questions about methods and motivation:

• What advantage/profit can an attacker gain?
• What sort of attacks are feasible?
• What risks does the attacker face?
• Who is in a position to achieve this?

The Fundamental Security Trade-Off

On the one hand good security wants plenty of locks, doors, fences and barriers... on the other hand human convenience wants easy access to everything at any time. It should be obvious that these are opposing requirements. Thus, better security tends to imply less convenience and better convenience implies worse security.

An excellent example is wireless networks. Wireless is convenient because you can move around without a cable, you don't have to drag cables through walls and ceiling spaces, you don't have to worry about numbered wall sockets or any of that other difficult stuff. On the bad side, wireless networks are less secure than cables.

Why Would Someone Bother Cracking Your Computers?

The common media image of a gifted but misguided kid turning into a computer hacker and going wild on international networks may have seeds of truth but it does not describe the real problem. If a gifted kid breaks into your system they are almost certainly doing you a favour because they usually can't wait to tell you (and the whole world) about what they have done and how they did it, they probably also won't cause too much damage while they are there and you can be sure it is better than having a professional criminal break into your system.

Your real problem begins when a professional breaks in and he/she will hide from detection for the longest possible time. This person will be patient, methodical and keep eyes open for opportunities to make advantages for themselves:

• Your link may be valuable to provide an anonymous front for further break-in attempts. If illegal activity is detected, the trace will come back to you and the real culprit can delete their footprints and slip away leaving you to explain what happened.
• Your link may be valuable as a source of "spam" email. Someone who has invaded your system may use the servers and bandwidth that you have paid for as a launching pad for annoying email advertising. Other people will trace this back to you. This is very common. These people get paid for the advertising. It is unscrupulous, illegal and profitable.
• Your servers may provide valuable storage space for material that is difficult to store and distribute legally. Various content is actively suppressed by our common cultural values and our legal system: content such as some types of pornography, materials from covert organisations, black market trading, stolen credit card numbers, stolen passwords, copyright protected software, etc. Since people are understandably nervous about using their own servers to distribute such material, they will look for ways to borrow other people's servers.
• Your business data may be valuable. The obvious target is any credit card transactions that your business handles but all sorts of data can be valuable. Name and address lists can be sold to advertisers or they can be used to assist in identity theft. Information about contracts or preparation for tenders can be sold to your competitors.
• Employee data may be valuable. Many employees keep private emails and personal data on work machines (you should discourage this but you cannot prevent it). Many businesses keep personal details regarding their employees.
• You might be the target of fraud. For example, if someone can adjust your computer records they might set themselves up as one of your customers, order goods and services, then delete themselves out of existence.
• Knowledge of your business might be useful in planning some other crime. For example, by studying your server an intelligent observer can discover when the office is unattended, when valuable laptop machines are left "docked" at the office, how much cash is in the tills at any given moment, what stock is in the warehouse and when stock shipments arrive and depart.
• In a capitalist free-market economy, criminals trade skills and services just like any other commodity is traded so information which may seem trivial can be distributed to where it will be used. For example, a rapist may be an active buyer of information regarding female employees who regularly work late, take taxi home and who are not involved in martial arts as a hobby. In other words, the final crime may be perpetrated by someone quite different to the person who attacked your system.

In summary: anyone who says, No one would bother breaking into my system, and if they did I wouldn't care because there is nothing much they could do, is wrong and is just making excuses.

What Opportunities Does an Attacker Have?

The simple answer is, a great many. The fundamental problem is that computer systems are complex. Humans and computers interacting are even more complex. It is impossible to be sure that there are no loopholes that an attacker can exploit, there is no such thing as a perfectly secure system.

However, it's not all doom and gloom. Perfect security is not possible for the attacker either -- they must risk their own safety by exposing themselves to detection (and capture) in order to gain access to your system. More than this, each successful break-in that gets eventually found out will be studied so that the mechanism can be understood. Once the bug is found, software can be patched and the attackers will have to try harder next time. We need a method to retrace the steps of an attacker in order to follow them back to their hideout and report the evidence to the police.

In general, the easiest attack is to go for weak points and if you watch any public network connection you can see regular traffic as random people come past and try the locks to see what might be easy to take advantage of. This activity is also called probing and while not illegal, it does tend to be frowned upon. Watching the probes gives you a list of internet addresses that you should keep an eye on, or possibly blacklist.

Other than the direct attack, another method is spreading viruses into the public arena. The virus code will replicate itself and spread by various methods from system to system. Often they will spread through email, sometimes the virus embarks on a direct attack of nearby systems. Viruses can also attach themselves to files (for example Microsoft Word documents) and make use of badly designed macro languages to activate themselves on other systems when the document is passed around.

The intention of virus code is more than just self-replication. Each virus will have a payload which might open a back door into the target system. Because the virus can spread by indirect means, it cannot reliably be stopped by a firewall. Once inside the firewall, it can probe and invade other machines inside the local network. Virus activity within your network has the effect of punching a hole in the firewall and weakening your network defenses.

Software Updates

Just about all Linux distributions have a method of getting updates. In fact, there are a bunch of different methods. The simplest is just to get a new pack of CDROMs once every 6 months or so and run the upgrade option. It's easy, and it keeps you up to date. The down side of this is that features of software may change with the newer version and you find that some continual learning is required to keep on top of it.

For larger businesses, a support agreement with a major linux vendor will provide a steady supply of bug-fix releases that don't change the major version of the system but just fix the security holes. These support agreements can be expensive, but then again, bugs can be expensive too. Software update tools such as RedHat's up2date take a lot of the pain out of keeping a system free of known security bugs.

Robust System Logging

Computer systems maintain a log of their activity (called, not surprisingly, the system log or just syslog for short). In fact a number of different logs are maintained (mail, web, etc). Most of these are maintained on the system itself. While this is handy for debugging and maintenance, it is not so good for security because someone who breaks in can also tinker with the logs and disrupt later forensic examination.

A stronger defense is to continually copy the logs off onto some dedicated machine that has no other job than collecting information and making sure detailed footprints are available should anything go wrong.

Network Logging

As well as keeping track of system activity, it is a good idea to keep track of network activity as well. There are various tools to do this but the general idea is to watch which machines connect to which other machines, how much and when. This data can be searched for anomalous activity in order to detect potential mischief or it can be used as a forensic record to backtrace events prior to a known break-in.

For example, if a virus leaves a back door server in your machine, someone who wants to access that back door will need to come across the network and leave some trace (similar to tracing a phone call). Watching the trace won't stop them coming in but it will let you figure out which machine is infected and might provide additional clues as to how they broke in.

Another example is some virus code will probe machines around it, some probe aggressively and are easy to detect, others probe gently and may be difficult to find. Either way, watching closely for unusual network activity is a good idea.

• snort is an intrusion detection and network monitoring system that allows user configurable rules to be added in a modular fashion. The results can trigger alerts and/or get dumped into an SQL database.
• tcpdump is a network protocol analyser that expands packet contents out into human-readable text and allows the user to define a filter for extracting particular types of packet from heavy traffic.
• ethereal is another network protocol analyser, similar to tcpdump but with more detailed output.
• kismet is a wireless sniffer that shows base stations, clients and whether encryption is enabled or not. It is a handy way to keep an eye on what sort of wireless activity is occuring in your area.
• Sam Space is a website that does various lookups on IP addresses and URLs to give you some idea of where traffic might be coming from (it isn't perfect).

Firewall Logging

The linux firewall can keep track of the real world usage of each firewall rule. When this is logged it shows what the rules are doing and shows which services are active at what times. In addition, the firewall can log the packets that are rejected. All of these logs give feedback to the system administration who can use it to tune up your defenses.

Security Related Reading

• Institute for Security and Open Methodologies