ISP Network Challenges: Network Security, Spam & Virus Controls
By Carter Manucy, FMPA

Outline
- Securing Your Networks
- Windows vs. Unix Security
- Protecting Your Customers
- Controlling Spam

Securing Your Networks
What is a secure computer? Any computer that is buried in concrete, with the power shut off and the network cable cut. Anything less is a compromise.

What protects computers and networks?
- Passwords
- Firewalls
- Virus protection

Passwords
Security guidelines for passwords:
- All passwords must be at least 20 characters
- All passwords must not be in the dictionary
- Must contain tissue samples from at least 3 vital organs
- They must be different from all other passwords on the internet
- They must be changed prior to every use
- Binary representation of passwords must not contain any of the following sequences, as they are known about by hackers: 00, 01, 10, 11
- May not contain ASCII characters
- Color passwords must use a 32-bit palette

Passwords
- Demand that your edge devices (anything that answers requests on the internet) have secure passwords on ALL accounts, not just the administrator accounts!
- Passwords do need to be 8 or more characters that include numbers, letters and special characters.
- Control root/administrator accounts. DO NOT use these accounts for casual use! Only use them when you are required to.

Firewalls
- Firewalls selectively isolate two or more networks
- Firewalls permit and deny traffic based on rules
- Organizations need written policies about what these firewall rules are
- Firewalls are not just to protect your internet presence from your networks
- Firewalls need to be on all DMZ servers
- Enable local firewalls on all DMZ servers, such as IPTABLES on Linux, or TCP/IP filtering in Windows
- Unfortunately, you have to allow some traffic in or out – otherwise you wouldn't need an internet connection!
- By allowing traffic, you open yourself up to attack. No firewall can protect you 100% of the time!
Firewalls
Widgets Inc uses a firewall in "UltraParanoid" mode:
- Only HTTP (port 80) traffic allowed
- No JavaScript, Java or ActiveX allowed
- Only allow .gif and .jpg files along with web pages (HTML)
- Only allow access to 50 approved sites

Joe Blow Hacker wants in! But Widgets Inc is safe… right?
- Joe Blow uses some crafty social engineering on Widgets, Inc
- Joe Blow turns his attention to the new "Top 50"
- Joe Blow uploads his new program
- Joe Blow renames his program
- Joe Blow resumes his attack
- Joe Blow's new friend runs his program
- Joe's new program is now giving Joe an invisible shell on the secretary's computer
- Joe uses his hacked server as a stepping point… Game over!

Virus Scanning
- Having an up-to-date virus scanner is especially important around inexperienced users
- Make as sure as possible that users update their anti-virus software automatically
- Offer links to free anti-virus sites such as AVG or WinClam

Know Your Network
- Create network baselines
- Use MRTG (Multi Router Traffic Grapher) to help you identify problems before they escalate
- MRTG can identify spam attacks
- MRTG can identify hacked servers
- MRTG can identify problem users

MRTG – Normal Traffic (graph)
MRTG shows patterns – these patterns can show problems

MRTG – Abnormal Traffic (graph)
Abnormal traffic patterns can show network abuse

MRTG – Other Uses
- MRTG can monitor any device that sends out SNMP data – including IIS servers, routers, even printers
- By monitoring items such as HTTP errors, a high number could indicate attempts to hack at the server
- Excessive 404s on an HTTP server could help track down missing links on a webserver

Know Your Resources
- National White Collar Crime Center: www.cybercrime.org
- High Tech Criminal Investigation Association: www.htcia.org
- Computer Security Institute: www.gocsi.com
- Carnegie Mellon CERT: www.cert.org
- SANS Institute: www.sans.org
- National Security Institute: www.nsi.org
- DOD Office of Cyber Security: www.ciac.org/ciac/
- SANS Reading Room: www.sans.org/rr/
- Security Focus: www.securityfocus.com
- National Security Agency: www.nsa.gov
- Protocol Analysis Institute: www.packetlevel.com
- Sentinix all-inclusive network monitoring install: www.sentinix.org
- CAIDA (Cooperative Association for Internet Data Analysis): www.caida.org
- Security Dashboard display: www.securitywizardry.com/radar.htm

Hacker Toolbox
- Ethereal: ethereal.com
- Snort: snort.org
- nMap: www.insecure.org/nmap
- LC4 (L0phtCrack): atstake.com/research
- LANGuard: gfi.com/languard
- EtherPeek: wildpackets.com
- NetStumbler: netstumbler.com
- Sam Spade: spamspade.org
- Ping Plotter: pingplotter.com
- HexWorkshop: bpsoft.com
- Sniffer: sniffer.com
- Cain & Abel: www.oxid.it/cain.html
- Observer: networkinstruments.com
- Chkrootkit: chkrootkit.org
- Netcat: netcat.sourceforge.net

Example – NMAP Scan (hostname and address masked in the original)

    Host ###.com (xxx.xx.xx.xx) appears to be up ... good.
    Initiating SYN half-open stealth scan against ###.com (xxx.xx.xx.xx)
    Adding TCP port 88 (state open).
    Adding TCP port 17 (state open).
    Adding TCP port 389 (state open).
    Adding TCP port 9 (state open).
    Adding TCP port 19 (state open).
    Adding TCP port 1068 (state open).
    Adding TCP port 636 (state open).
    Adding TCP port 593 (state open).
    Adding TCP port 1067 (state open).
    Adding TCP port 53 (state open).
    Adding TCP port 13 (state open).
    Adding TCP port 464 (state open).
    Adding TCP port 445 (state open).
    Adding TCP port 135 (state open).
    Adding TCP port 5000 (state open).
    Adding TCP port 7 (state open).
    Adding TCP port 1026 (state open).
    Adding TCP port 3389 (state open).
    The SYN scan took 0 seconds to scan 1523 ports.
    For OSScan assuming that port 7 is open and port 1 is closed and neither are firewalled
    Interesting ports on ###.com (xxx.xx.xx.xx):
    (The 1505 ports scanned but not shown below are in state: closed)
    Port      State  Service
    7/tcp     open   echo
    9/tcp     open   discard
    13/tcp    open   daytime
    17/tcp    open   qotd
    19/tcp    open   chargen
    53/tcp    open   domain
    88/tcp    open   kerberos-sec
    135/tcp   open   loc-srv
    389/tcp   open   ldap
    445/tcp   open   microsoft-ds
    464/tcp   open   kpasswd5
    593/tcp   open   http-rpc-epmap
    636/tcp   open   ldapssl
    1026/tcp  open   nterm
    1067/tcp  open   instl_boots
    1068/tcp  open   instl_bootc
    3389/tcp  open   msrdp
    5000/tcp  open   fics
    TCP Sequence Prediction: Class=random positive increments
                             Difficulty=14410 (Worthy challenge)
    Sequence numbers: 3AD7953F 3AD8570E 3AD97977 3ADA2100 3ADB1400 3ADB9658
    Remote operating system guess: Windows 2000 RC1 through final release

Logging – Your Only Hope
- Logs are often the only way you have of determining if and when there is a problem with your machines
- Always simultaneously send log files off of the machine to a remote syslog box!
- Log files WILL be doctored and/or wiped by a hacker
- Use NTsyslog for Windows machines

Logfile Actions/Countermeasures
- Attacker action: logfiles erased. Defensive countermeasure: highly visible – at least some part might be unerased using raw access to the file system, unerase tools (where available) or simple forensic tools.
- Attacker action: logfiles wiped. Defensive countermeasure: highly visible – traces might still be found in the swap file.
- Attacker action: logfiles edited and saved. Defensive countermeasure: not very visible unless long periods of time are missing. Parts might be recoverable using raw access to the file system, unerase or forensic tools.
- Attacker action: logfiles edited and the appropriate parts zeroed on disk. Defensive countermeasure: not very visible unless long periods of time are missing. Likely cannot be unerased.

Windows vs. *nix Security
- No computer is 100% safe on the Internet
- Windows has more problems than *nix (UNIX/Linux) based systems due to its design
- If you use Windows servers, you need to be more careful where you deploy them, and protect them as much as possible

Windows vs. *nix Security
- Unix started its life as a multi-user OS
- Unix grew up on the internet
- In 1998, the Morris worm taught Unix mail servers a valuable lesson – email is insecure
- In 1999, the Melissa virus duplicated the scenario, but this time for Windows
- Windows started life as a standalone, single-user system
- "The security kernel of the Windows NT server software was written before the Internet, and the Windows Server 2003 software was written before buffer overflows became a frequent target of recent attacks" (David Aucsmith, Microsoft, February 2004).

Windows vs. *nix Security
- Unix (and all Unix-like OS's such as Linux, BSD, and MacOS X) were designed as a piecemeal system
- Windows is a bunch of large integrated components
- Windows components feature lots of redundancy – some are not optional
- Piecemeal makes patching easier – integration makes patching a nightmare

Windows vs. *nix Security
- The multiuser part of *nix is what makes it both the most and least secure when compared to Windows
- Programs have no access to the system by default
- *nix does not differentiate between remote and local users
- This feature can be controlled and disabled, as most do by default
- No root or administrator access by default

Windows vs. *nix Security
- Windows has the worst of both worlds
- Many Windows programs need full control over the system to run
- Some Windows programs require administrator privileges to run
- Windows XP and 2003 are the least secure kernel ever designed

Windows vs. *nix Security
- Counting bug reports between *nix and Windows is a ridiculous practice
- "Root exploits" are standard operating procedure in Windows! As such, they are not tracked for Windows
- Another problem with counting bug reports for OS's is that many Linux holes are counted multiple times for different vendors
- Linux distributions ship with the equivalent of dozens of Microsoft products in one Linux product – to be fair these products must be added to Windows as well.

Windows vs. *nix Security
- Integration is where Microsoft continues to have issues
- Patches for *nix programs or services can be applied without a reboot
- Worst-case scenario for *nix is that the program stops working
- Windows patches can affect completely unrelated components
- Reboots are often required with Windows patches
- *nix systems are patched quickly and with little effort
- Windows requires extensive configuration management for patches
- Even that isn't enough sometimes – as the SQL Slammer taught us
- Most recent patches removed the protection for the SQL Slammer worm!

Windows vs. *nix Security
- Windows recognizes that integration is the problem now
- There is no way out without breaking compatibility
- Win16 was abandoned in the transition to Win32 with Windows NT
- Microsoft can't do that with a Win32 to .NET transition – Win32 is still the foundation of Longhorn
- Microsoft has given up on trying to address the problem due to customer base
- They will lose this customer base if they break compatibility
- If customers tolerated compatibility changes, *nix becomes just as appealing as Windows
- Windows Win32 applications don't port well

Windows vs. *nix Security
- Probably 98% of Windows viruses come through e-mail
- The root issue with e-mail worms on Windows goes back to the heart of how Windows works
- If Microsoft "fixed" Windows, the majority of Windows software would break overnight
- Microsoft does recognize the problems: The Ten Immutable Laws of Computing, http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx

Ten Immutable Laws of Computing
- Law #1: Nobody believes anything bad can happen to them, until it does
- Law #2: Security only works if the secure way also happens to be the easy way
- Law #3: If you don't keep up with security fixes, your network won't be yours for long
- Law #4: It doesn't do much good to install security fixes on a computer that was never secured to begin with
- Law #5: Eternal vigilance is the price of security
- Law #6: There really is someone out there trying to guess your passwords
- Law #7: The most secure network is a well-administered one
- Law #8: The difficulty of defending a network is directly proportional to its complexity
- Law #9: Security isn't about risk avoidance; it's about risk management
- Law #10: Technology is not a panacea

Protecting Your Customers
Why should you protect your customers?
- Bandwidth = money
- Wasted bandwidth from viruses is a problem
- Hacking is a problem
- Your customers could unknowingly be used for DDoS, spam or other kinds of 'jump points'

Have your customers:
- Turn off file/print sharing
- Install and USE a firewall
- Install, USE and UPDATE anti-virus software
- Delete e-mails from people you don't know without reading them!
- Never accept unsolicited downloads
- Use anti-spyware software regularly

Protecting Your Customers
- Many places offer up free firewalls for protection
- Windows XP Service Pack 2 has a decent built-in firewall now
- Stand-alone firewalls are the best bet – products such as IPCop (ipcop.org) and SmoothWall (smoothwall.org) can turn old useless computers into stateful packet inspecting firewalls.
Protecting Your Customers
- Protecting your customers also means controlling content
- There is a fine line between content control and censorship
- Generally speaking, there are some specific ports and addresses that can be turned off at your edge devices that have no business on the internet

Cisco ACL tip #1: a sample inbound ACL – block spoofed IPs appearing to be from non-routable IPs:

    access-list 101 deny ip 10.0.0.0 0.255.255.255 any log-input
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any log-input
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any log-input

Cisco ACL tip #2: a sample inbound ACL – block Microsoft NetBIOS and file sharing traffic:

    access-list 101 deny tcp any any range 135 139
    access-list 101 deny udp any any range 135 netbios-ss
    access-list 101 deny tcp any any eq 445 log-input
    access-list 101 deny udp any any eq 445 log-input

Cisco ACL tip #3: a sample inbound ACL – block known Trojan Horse ports:

    access-list 101 deny tcp any any eq 4444 log-input
    access-list 101 deny tcp any any eq 27374 log-input
    access-list 101 deny udp any any eq 1432 log-input
    access-list 101 deny udp any any eq 1433 log-input
    access-list 101 deny udp any any eq 1434 log-input
    access-list 101 deny tcp any any eq 12345 log-input
    access-list 101 deny tcp any any eq 31337 log-input

Wireless routers are a problem.
Wireless Networks (chart: WEP vs. non-WEP stats)

Protecting Yourself
- Have someone who is well-versed in security in charge of it. A little knowledge is a dangerous thing!
- Be mindful that not everyone in the world runs Windows, so you have to be aware of other OS's as well
- Subscribe to an advisory system such as SANS
- Always keep your networks separate!
- Read your firewall and IDS logs! If you're not reading your logs, the only time you'll use them is after it's too late
- Try migrating away from Internet Explorer whenever possible

Spam and E-mail
- Estimates show that between 75-85% of all e-mail is spam
- After the recent hurricanes in Florida, the spam percentage dropped by 10% – I guess they cleaned out more than just the tourists…

Ways To Stop Spam
- DNSBL sites
- SPF (Sender Policy Framework)
- Bayesian filtering
- User education
- Whitelists
- Greylists
- Linux-based proxies
- Commercial appliances

DNSBL Sites
- DNSBL = DNS Black Lists
- There are currently hundreds of DNSBL sites – some private, some public
- FMPA uses six DNSBLs to deny mail from even connecting:
    bl.spamcop.net
    dnsbl.njabl.org
    relays.ordb.org
    sbl-xbl.spamhaus.org
    list.dsbl.org
    korea.services.net
- FMPA also checks against those sites and two additional ones a second time – this second scan looks at every header in the e-mail for blacklisted sites. If it finds a match, it just tags the e-mail – it doesn't actually refuse to accept it.
- An example of a session might go something like this:

DNSBL Session
For this session, I'll take an actual e-mail I just got.
1. A mail server connects to FMPA. In this case, the IP address is 203.211.205.181 – but the server 'claims' it is AOL.COM – which is a lie.
2. Our qmail server looks at the connecting IP against the first list of DNSBLs. None of them come up positive, so it allows the connection.
3. The spammer dumps off the message.
4. qmail then looks at all of the other headers in the e-mail to see what other servers have handled the message.
5. There are other servers that handled this message – before it got to 203.211.205.181 it went through 80.0.16.8 – a server in Amsterdam!
6. Both IPs are listed in different DNSBLs – one is Spamcop, the other is NJABL's dynamic IP list.
7. Since NJABL was found first, qmail injects a header into the e-mail marking it as spam.
8. My Notes e-mail client picks up on the injected header, and automatically moves the message into my 'junk mail' folder.
Apparently my application was approved for a $400,000 loan at 2.1%...

SPF (Sender Policy Framework)
- Allows for verification that your server is authorized to send e-mail
- Publishing your authorized servers is a simple DNS TXT entry

SPF In Action
- SPF records are TXT records in DNS
- At FMPA, we accept mail from two servers, which are listed in our MX records
- FMPA's SPF record is a TXT entry:

    fmpa.com   mail exchanger = 10 mail.fmpa.com.
    fmpa.com   mail exchanger = 20 tally.fmpa.com.
    fmpa.com   text = "v=spf1 mx ip4:66.192.231.225"

- The above servers are the only servers that are authorized to send mail from fmpa.com

SPF In Action
- Joe Blow Spammer is sending mail from susie@fmpa.com
- Joe's mail server connects to AOL's mail server
- Joe's MTA tells AOL's mail server who he is and who he's sending to
- AOL's mail server checks fmpa.com's SPF record, finds out that Joe's server isn't authorized to send mail from fmpa.com!
- AOL drops the session before the body of the message is delivered
- AOL saves its customer from the spam
- AOL saves its bandwidth

Bayesian Filtering
- Bayesian filtering "reads" the e-mail for content, and normally scores the message accordingly
- Too high of a score = spam
- Needs more processing time than other methods
- Needs to be updated regularly to keep up with trends

User Education
- Don't opt out of spam
- Don't give your e-mail address to questionable sites – especially for "free" software and adult-content sites!
- Don't put e-mail addresses on websites
- Don't use the TO: or CC: field in an e-mail to send copies – use the BCC: field

Whitelists
- Whitelists are a simple way to guarantee delivery of messages
- Whitelists are normally maintained on a per-user basis
- Individual whitelists don't do other users any good

Greylists
- Greylists temporarily delay e-mail
- Works against spammers, but not normally against legitimate e-mail
- After the second successful attempt, delays are no longer incurred
- Eventually this too will become a passé way of blocking spam

Linux-based Proxies
- Linux-based, secure MTAs such as qmail receive and scan e-mail
- Can employ SPF, Bayesian filtering, virus scanning, DNSBL, blacklists, greylists or whitelists
- Can work with ANY other MTA – Exchange, Notes, mDaemon – whatever you already have
- Aside from the hardware costs (not demanding) – it's FREE!

Commercial Appliances
- Commercial anti-spam appliances and software – very effective tools
- Not always appropriate in an ISP environment due to cost
- ISPs cannot afford false positives for spam filtering

Summary
- The internet is a hostile place, and must be treated as such – it is a global network, and in some places hacking is not only legal, but encouraged
- Stay on top of security by keeping in mind that you will never know it all
- Use tools available to you to help make the job easier
- Use secure MTAs and scan e-mail to put spam where it belongs – off your network!
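Tying the nmap scan and the three Cisco ACL tips together: the added Python below (not from the deck or from FMPA) parses an nmap text report, models ACL 101 as a first-match deny list with the wildcard masks converted to prefix lengths, and reports which of the scanned host's open ports an internet source could still reach once the ACL is on the edge router. The report excerpt, hostname and addresses are constructed stand-ins for the masked ones above.

```python
import ipaddress
import re

# Constructed excerpt of the nmap report shown in the deck (hostname/IP were masked there).
NMAP_REPORT = """\
Interesting ports on example.com (192.0.2.10):
(The 1505 ports scanned but not shown below are in state: closed)
Port State Service
7/tcp open echo
135/tcp open loc-srv
389/tcp open ldap
445/tcp open microsoft-ds
3389/tcp open msrdp
5000/tcp open fics
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")

def parse_nmap(report):
    """Return [(port, proto, state, service)] for every port line of an nmap text report."""
    ports = []
    for line in report.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return ports

# Inbound ACL 101 from the three tips, as (proto, source network, destination port range) deny
# entries. Cisco wildcard masks are inverted netmasks: 0.255.255.255 is /8, 0.15.255.255 is /12.
ACL_101 = [
    ("ip", "10.0.0.0/8", None), ("ip", "127.0.0.0/8", None),
    ("ip", "172.16.0.0/12", None), ("ip", "192.168.0.0/16", None),
    ("tcp", "0.0.0.0/0", (135, 139)), ("udp", "0.0.0.0/0", (135, 139)),  # netbios-ss = 139
    ("tcp", "0.0.0.0/0", (445, 445)), ("udp", "0.0.0.0/0", (445, 445)),
    ("tcp", "0.0.0.0/0", (4444, 4444)), ("tcp", "0.0.0.0/0", (27374, 27374)),
    ("udp", "0.0.0.0/0", (1432, 1434)),  # the deck's three separate 'eq' lines, collapsed
    ("tcp", "0.0.0.0/0", (12345, 12345)), ("tcp", "0.0.0.0/0", (31337, 31337)),
]

def acl_denies(src_ip, proto, dst_port):
    """First-match evaluation of ACL_101: the matching deny entry, or None if permitted."""
    src = ipaddress.ip_address(src_ip)
    for entry_proto, net, prange in ACL_101:
        if src not in ipaddress.ip_network(net):
            continue
        if entry_proto != "ip" and entry_proto != proto:
            continue
        if prange is not None and not (prange[0] <= dst_port <= prange[1]):
            continue
        return (entry_proto, net, prange)
    return None

def exposed_after_acl(report, src_ip="198.51.100.7"):
    """Open ports from the scan that a (constructed) internet source can still reach past ACL 101."""
    return [(p, proto, svc) for p, proto, state, svc in parse_nmap(report)
            if state == "open" and acl_denies(src_ip, proto, p) is None]
```

With the sample report, only 135/tcp and 445/tcp are stopped by the ACL; the echo, LDAP, RDP and port 5000 services stay reachable and need their own host firewall rules.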
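The two-stage DNSBL check from the "DNSBL Session" above, as an added Python example (not qmail's code): stage 1 looks up the connecting IP in the six lists and refuses the connection on a hit; stage 2 pulls every relay IP out of the Received: headers and only tags the message. DNS is replaced by a constructed lookup table, the two extra stage-2 zones are placeholders (the deck does not name them), and the headers are a constructed reconstruction of the session, with 80.0.16.8 listed in NJABL as described.

```python
import re

# The six zones the deck says FMPA queries at connection time (stage 1) ...
CONNECT_LISTS = ["bl.spamcop.net", "dnsbl.njabl.org", "relays.ordb.org",
                 "sbl-xbl.spamhaus.org", "list.dsbl.org", "korea.services.net"]
# ... and the same six plus two more at header-scan time (stage 2). Placeholder names: the
# deck does not identify the two additional lists.
HEADER_LISTS = CONNECT_LISTS + ["dnsbl-extra-1.invalid", "dnsbl-extra-2.invalid"]

def dnsbl_name(ip, zone):
    """A DNSBL query is an A lookup of the IP's octets reversed, under the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

# Constructed stand-in for DNS: names that would return an A record, i.e. listed addresses.
FAKE_DNS = {
    dnsbl_name("80.0.16.8", "dnsbl.njabl.org"): "127.0.0.3",   # the Amsterdam relay
    dnsbl_name("198.51.100.9", "bl.spamcop.net"): "127.0.0.2",  # constructed listed peer
}

def listed_in(ip, zones, resolve=FAKE_DNS.get):
    """First zone that lists ip, or None. In production `resolve` is a real A-record lookup."""
    for zone in zones:
        if resolve(dnsbl_name(ip, zone)) is not None:
            return zone
    return None

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def relay_ips(headers):
    """First IPv4 address of each Received: header, newest hop first; folded lines are unfolded."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)
    ips = []
    for line in unfolded.splitlines():
        if line.startswith("Received:"):
            m = IPV4.search(line)
            if m:
                ips.append(m.group(1))
    return ips

def classify(connecting_ip, headers):
    """Stage 1: refuse if the peer is listed. Stage 2: tag if any relay in the headers is listed."""
    zone = listed_in(connecting_ip, CONNECT_LISTS)
    if zone:
        return ("refused", connecting_ip, zone)
    for ip in relay_ips(headers):
        zone = listed_in(ip, HEADER_LISTS)
        if zone:
            return ("tagged", ip, zone)
    return ("accepted", None, None)

# Constructed headers for the session above: a peer claiming to be aol.com, one hop behind it.
HEADERS = """\
Received: from unknown (HELO aol.com) (203.211.205.181)
  by mail.fmpa.com with SMTP; 10 Oct 2004 13:01:22 -0000
Received: from [80.0.16.8] (helo=relay.example.invalid)
  by aol.com with esmtp; 10 Oct 2004 12:59:01 -0000
Subject: Your application was approved
"""
```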
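What AOL's server does with FMPA's record in "SPF In Action", as an added Python example (not any MTA's code): a receiver-side check of the `mx`, `ip4` and `all` mechanisms against a constructed DNS table built from the MX and TXT records shown above. The A records of mail.fmpa.com and tally.fmpa.com are assumed values, as is Joe Blow's address. It also shows the caveat the deck's record leaves open: with no `-all` term, an unauthorized sender evaluates to "neutral" rather than "fail".

```python
import ipaddress

# Constructed DNS data. MX and TXT are as shown in the deck; the A records are assumed.
FAKE_DNS = {
    ("fmpa.com", "MX"): ["mail.fmpa.com", "tally.fmpa.com"],
    ("fmpa.com", "TXT"): ["v=spf1 mx ip4:66.192.231.225"],
    ("mail.fmpa.com", "A"): ["192.0.2.10"],    # assumed
    ("tally.fmpa.com", "A"): ["192.0.2.20"],   # assumed
}
# Same zone with an explicit '-all', so senders matching no mechanism are rejected.
STRICT_DNS = dict(FAKE_DNS)
STRICT_DNS[("fmpa.com", "TXT")] = ["v=spf1 mx ip4:66.192.231.225 -all"]

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype, dns):
    return dns.get((name, rtype), [])

def check_host(ip, domain, dns=FAKE_DNS):
    """Evaluate the sending IP against domain's SPF record (RFC 7208 subset: mx, ip4, all).
    Mechanisms are tested left to right; the first match decides, via its qualifier."""
    records = [t for t in lookup(domain, "TXT", dns) if t.startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    src = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier, mech = "+", term
        if term[0] in RESULTS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        if name == "ip4":
            matched = src in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            # Every A record of every MX host of the domain is an authorized sender.
            mx_hosts = lookup(arg or domain, "MX", dns)
            matched = any(str(src) in lookup(h, "A", dns) for h in mx_hosts)
        elif name == "all":
            matched = True
        else:
            raise ValueError("mechanism not handled by this example: " + name)
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # nothing matched and no 'all' term: the RFC 7208 default result
```

A receiver can only "drop the session" on a `fail`, so the `-all` variant is what makes the AOL scenario work as described.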