Presented at Networld + Interop London, October 1996.
What makes you think you have a choice, anyway?
The importance of making one's company accessible to the internet community is already well understood. Very few companies of any stature attempt to operate without, at the very least, a promotional presence on the web, and the ability to exchange smtp mail with the outside world.
However, what distinguishes the effectiveness of a company's relationship with the internet is the degree of integration between its internal information systems and the company's interface to external networks. The internet community become bored with purely promotional material very quickly, and require interaction with a company via the internet to be at least as effective as they might achieve by telephone, or by letter, or by visiting the offices of the company.
One example of a company trying to achieve this level of integration is Blackwells Bookshops, where the bookseller's stock control database is accessed via the website, so that the prospective purchaser can see how many copies of a book the shop has in stock. The company also uses the site to promote its Personal Accounts. With at least 300 internet bookshops, and competition from mail order and catalogue booksellers; being able to demonstrate that a book can be promptly delivered from stock, and promoting customer bonding through account facilities are cornerstones in its approach.
Another example, that has become a classic within its own industry is the Federal Express parcel tracking system. Here, people can follow the progress of their shipment by directly interrogating FedEx's tracking system through a web based interface.
Other well established business models which depend on a successful technical and cultural integration with the internet include Walnut Creek's CDROM publishing business, Jobserve's contract computer consultancy listings, and O'Reilly's book and software publishing business where prospective authors, developers and customers can all successfully interact with the company via the internet.
Eighteen months ago, companies such as these attracted considerable esteem through their activities on the internet. It was then unusual for a company to have the internet as a key part of the way in which it managed its customer relationship throughout the sales cycle, from promotion and awareness forming to pre-sales, sales support, transaction processing, and after sales support.
However, this is now becoming the norm rather than the exception. FedEx's competitors also have internet interfaces to their parcel tracking systems and many booksellers other than Blackwells are properly equipped to fulfill requirements from the internet community.
People now expect, as a matter of course, to be able to deal effectively with their suppliers via the internet, and whereas eighteen months ago, a company that was able to properly support a relationship with its customers via the internet might have been thought innovative, today a company that cannot promptly support its relationships via the internet is clearly losing the respect of its customers. Whereas people once thought well of FedEx because they offered internet based parcel tracking, people now think poorly of Parcelforce because they don't.
Hence, the question is not so much Is it safe to connect our Network to the Internet?, but We have to connect our Network to the Internet, how can we defend it?
We have to connect our Network to the Internet, how can we defend it?
Intuitively, one would expect that the defence of the company network from outsiders is at the forefront of corporate management's mind. Information is the primary asset for companies operating in most industries, and management is brought up to be fearful of data loss, corruption, and unauthorised disclosure.
Further, security incidents on the internet regularly receive a high profile in the media. Replacement of material at the Dept of Justice and CIA web sites has recently caught the public eye, and this is not exceptional. Internet security has been a rich source of journalistic material ever since the Internet Worm. Management should by now, be familiar with the idea of people attacking networks from the outside with some significant degree of networking knowlege and expertise, and with access to an array of suitable tools.
Consequently, most people you speak to say that security is important to their company, that they are aware of Internet security issues, and, indeed, security is often given as the justification for some surprising and arcane network configurations.
However, in practice there does seem to be a polarisation between stated intent and achievement. When companies networks are examined from the internet, often the range of hosts and protocols offered to the internet speak for themselves about the corporate commitment to security, and the well intentioned statements about the level of attention given to security are shown to be complacent platitudes. Analysis of around one hundred sites requesting trials of the Netcraft Network Examination service has given us a good deal of empirical knowledge about the state of corporate internet gateways and the people who manage them.
Does anyone do any testing?
Very few people test the configuration of their internet gateways at all, never mind doing it on a regular basis. Of the companies, primarily based in the UK, who requested a free trial of our own Network Examination Service, only three had done a visibility test of their own network from outside their own router previously, and none were doing it on a frequent and regular basis.
This points to a gap in the education of corporate MIS management. Probably none of the companies concerned would release an untested program into a production environment, because they are familiar with the indigeonous risk and likely consequences. But, nearly all of them have connected networks to the internet without testing to see which hosts in their own network address space are visible from the internet, which services (protocols) these machines offer to the internet at large, or whether these services have well known vulnerabilities.
Those companies who have tested their network configurations have typically done it as a one-off exercise, often immediately after connecting to the internet. This misses the point that security is temporal; a site which has no known vulnerabilities one day, may be trivially vulnerable the next, perhaps because someone has made a configuration change to a router or a piece of software, or because a feature becomes known in a piece of software not previously known to be insecure.
Who cares?More than half the people running corporate internet gateways are complacent about security to the point of comic theatre. Classic quotes I've heard in conversations with prospects for our own Network Examination Service during the course of this year include;
- We wouldn't have connected to the internet if we weren't secure.
- National Newspaper
- There's no point in testing our security from the internet at the moment because we haven't defined our security policy yet.
- We haven't finished configuring our firewall yet, so it's bound to be insecure.
- If I wanted to check what protocols were visible to the internet I'd look at our router configurarion.
- Computer Manufacturer
- We had a firm of consultants check our internet gateway when we installed it.
- When I saw the report I phoned our ISP, and they say they don't configure routers to offer those protocols, so there must be something the matter with your software.
- The router's not our problem. Our ISP manages our router for us, so it would be their problem if there was something wrong with it.
The counterpoint to this lack of care and responsibility are the antedotes that well known internet security consultants throw into their presenatations; one remark of Brent Chapman's particularly springs to mind;
It's not unusual for big name companies to be attacked within a couple of hours of connecting to the internet, and it's not unheard of for those attacks to be successful.
What are the most common mistakes?
Insufficient protocol filtering
The most obvious network configuration error is insufficient protocol filtering. Lack of protocol filtering invites probes on any of the machines on the network, and this means there are simply too many points of entry to defend them all. Gaining control of any machine on the local area network gives an attacker a bridgehead into the orgainisation; even if the machine is not in itself a particularly valuable one, it can be used as a platform to attack others, and makes access to broadcast packets available.
The most commonly encountered host configuration error to date has been the enabling of the udp services echo, chargen, and time, especially on routers. Even otherwise well protected networks often have this vulnerability, probably because it has been the default configuration on Cisco routers until recently and Cisco is a very popular choice of router; all the major UK ISPs use them. The impact is that someone who takes a dislike to a site can use up its bandwidth by sending a packet the chargen port on their router with the source port and source address set to the echo port on someone else's router. This will likely cause both routers to loop sending packets to each other, and use up a substantial portion of the sites available bandwidth.
Relatively few sites devote time to actively tracking security information and patches from vendors. Consequently, it's common to see smtp banners from versions of sendmail long since known to be insecure. Sendmail, though, is not by any means the totality of the problem. For example, the October 1996 Netcraft Web Server Survey found 9316 sites running NCSA/1.3 which has been known to be insecure since February 1995. And in the Network Examination trials we have only found one site running Microsoft-Internet-Information-Server/1.0 that was not vulnerable to trivial attacks that have been well known since March 1996.
So, how should we defend our network?
The first thing is to realise that there's nothing easy about it. Security, like reputation, has to be continually earned, and can be lost in an instant.
Compile a list of exactly what services need to be offered to the internet at large from your network. Implement filtersets on your router to ensure that exactly these services are available and no more. If you don't already have one, a simple router such as the Cisco 2501 can be bought for around £1200 and is the best value individual purchase you can make in defending your network.
Test it. These tests should be run from outside your own router, so that the tests by defintion see your network from the same perspective as other internet users, and should be performed on the entire network address space. Only the omniscient can tell what their network looks like from the outside without actually being there.
Test it again. Regular automated testing is necessary to accomdate change. Wheras a one-off consultants report is a very fine thing, it is out of date the next time someone makes a router configuration change or a vulnerability is found in a commonly used service. Frequent testing mitigates this risk.
Religeously track the status of all the software you use to provide services to the internet, for security information. If you use an external supplier to do your testing, they will help with this.