Improving Network Security: Normal Addresses and Behavior
By Edward J. Hawkins, II
To understand network security from a technical vantage point, it is first necessary to know the answers to the questions of “What is my network address?” and “What is normal for my network?” By answering these questions, the network owner or administrator can more easily identify unauthorized users or the unauthorized use of network resources.
Identifying Network Addresses, Devices and IP Addresses
Network addresses follow one of two specifications: Internet Protocol version 4 (IPv4), which uses a 32-bit address, or Internet Protocol version 6 (IPv6), which uses a 128-bit address.
In either case, a string of 32 or 128 ones and zeros identifies a network device. This is the device's discretionary address, because it is assigned and managed by the network owner or administrator.
The network interface card (NIC) address, by contrast, is assigned by the manufacturer. It is a 48-bit address written in hexadecimal that serves as a globally unique identifier: the first 24 bits identify the manufacturer of the NIC and the last 24 bits identify the individual NIC.
Both addresses matter for security, as they help administrators manage which devices are authorized to use the network. From a management standpoint, however, the IP address is the more important of the two and deserves more of the network administrator's attention.
An IP address is written in either dotted-decimal or hexadecimal notation. In dotted-decimal notation, an IPv4 address looks like 192.168.1.1.
In hexadecimal notation, an IPv6 address looks like one of these two examples:
- 2001:0db8:85a3:0000:0000:8a2e:0370:7334 (full IPv6 format)
- 2001:0db8:85a3::8a2e:0370:7334 (the run of all-zero groups is omitted)
The omission follows fixed rules: a double colon may stand in for only one run of all-zero groups, so the shortened form stays unambiguous. IPv4, by contrast, uses a class system that indicates how large the network can be, from which country the IP address originated, or how the address may be used (for example multicast, where one transmission is delivered to a group of computers simultaneously).
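As an added example (not from the article), the following Python uses the standard library's ipaddress module to show the two IPv6 spellings above and to split a 48-bit NIC address into its manufacturer and device parts; the MAC values used are constructed. Note that Python's compressed form also drops the leading zeros inside each group, so the second example above comes out as 2001:db8:85a3::8a2e:370:7334.

```python
import ipaddress

def ipv6_forms(text):
    # The ipaddress module applies the zero-omission rules: one run of all-zero
    # groups becomes '::' and leading zeros inside a group are dropped.
    addr = ipaddress.IPv6Address(text)
    return {"exploded": addr.exploded, "compressed": addr.compressed, "bits": addr.max_prefixlen}

def address_family(text):
    # Accepts either notation and reports the address width the article quotes.
    addr = ipaddress.ip_address(text)
    return "IPv%d (%d-bit)" % (addr.version, addr.max_prefixlen)

def same_host(a, b):
    # Two IPv6 spellings name one address when their 128-bit values agree,
    # so compare parsed values rather than strings.
    return ipaddress.ip_address(a) == ipaddress.ip_address(b)

def mac_parts(mac):
    # Split a 48-bit NIC address into its 24-bit manufacturer prefix (OUI) and
    # 24-bit device part. The 'locally administered' bit of the first octet
    # reveals an address set by software rather than burned in by the vendor,
    # which is worth knowing when an address allow-list is the control.
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a 48-bit hex MAC address: %s" % mac)
    first_octet = int(digits[:2], 16)
    return {"oui": digits[:6], "device": digits[6:],
            "locally_administered": bool(first_octet & 0x02),
            "multicast": bool(first_octet & 0x01)}
```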
The Security Aspects of Networking
Security was left out of the original 1980s network standard and had to be added later. It then took more than 20 years for IPv6 to be standardized, and its initial implementation of IPsec (a suite of IP security protocols) was flawed.
There are two main types of security tools that security administrators use to protect networks from malicious attacks: firewalls and intrusion detection and prevention systems (IDPS).
The firewall in your car and the one on your network serve the same purpose: each is designed to let through only what is authorized.
Commonly, a firewall is configured by writing rules that match a given set of criteria. For example, suppose you want to allow network connections from a given set of addresses and block everything else.
In that case, you would create an inbound rule matching those connections, and everything that does not match falls to the default of being blocked. Common uses for firewalls today include filtering web traffic (ports 80 and 443), gaming services (e.g. Xbox, PlayStation, Nintendo), e-mail (ports 25 and 110) and Domain Name System (DNS) traffic (port 53).
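An added example of the allow-list rule just described, not taken from the article: a first-match evaluator over a constructed inbound rule set for the services listed above, where the final catch-all provides the "block everything else" behaviour. The networks and rule names are invented.

```python
import ipaddress

# Constructed inbound rule set, evaluated top to bottom (first match wins). Each rule
# lists the source networks, destination ports and protocols it applies to; the final
# catch-all is the "block everything else" rule. Networks and names are invented.
RULES = [
    {"name": "web from branch", "src": ["203.0.113.0/24"], "ports": {80, 443}, "proto": {"tcp"}, "action": "allow"},
    {"name": "mail from lan", "src": ["192.168.1.0/24"], "ports": {25, 110}, "proto": {"tcp"}, "action": "allow"},
    {"name": "dns from lan", "src": ["192.168.1.0/24"], "ports": {53}, "proto": {"tcp", "udp"}, "action": "allow"},
    {"name": "default deny", "src": ["0.0.0.0/0", "::/0"], "ports": None, "proto": None, "action": "deny"},
]
for _rule in RULES:   # parse the CIDR strings once, up front
    _rule["src"] = [ipaddress.ip_network(n) for n in _rule["src"]]

def _matches(rule, src, port, proto):
    # An IPv4 address is never "in" an IPv6 network (and vice versa), which is
    # why the catch-all needs both 0.0.0.0/0 and ::/0 to cover every address family.
    if not any(src in net for net in rule["src"]):
        return False
    if rule["ports"] is not None and port not in rule["ports"]:
        return False
    return rule["proto"] is None or proto in rule["proto"]

def evaluate(src_ip, dst_port, proto):
    # Returns (action, rule name) for one inbound connection attempt.
    src = ipaddress.ip_address(src_ip)
    for rule in RULES:
        if _matches(rule, src, dst_port, proto.lower()):
            return rule["action"], rule["name"]
    return "deny", "implicit"   # only reached if someone removes the catch-all
```

Rule order matters: a broad allow placed above the catch-all would be reached first and shadow the deny for everything it covers.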
Unfortunately, most small office/home office (SOHO) routers on the market today (that is, the consumer network devices readily available in stores) cannot support this level of management without advanced knowledge or additional cost.
Intrusion Detection and Prevention Systems
When it comes to detecting intruders or unauthorized use of a network, there are two kinds of system: the Intrusion Detection System (IDS) and the Intrusion Prevention System (IPS). The IPS was developed to overcome the shortcomings of the IDS.
In these systems, devices or sensors are placed in line with a firewall and are designed to identify malicious network traffic that gets past the firewall.
Snort, a well-documented and free IDS, provides a robust detection environment for identifying malicious activity beyond the firewall. Snort also has an online community that publishes rules for detecting potential malware infections, such as the sample below:
# alert tcp $HOME_NET 666 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR SatansBackdoor.2.0.Beta"; flow:to_client,established; content:"Remote|3A| ",depth 11,nocase; content:"You are connected to me.|0D 0A|Remote|3A| Ready for commands",distance 0,nocase; metadata:ruleset community; reference:url,www.megasecurity.org/trojans/s/satanzbackdoor/SBD2.0b.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5260; classtype:trojan-activity; sid:118; rev:12; )
In other words, the rule says: for an established transmission control protocol (TCP) session in which a host on the home network ($HOME_NET) talks from port 666 to any port on an external host ($EXTERNAL_NET), raise the alert "MALWARE-BACKDOOR SatansBackdoor.2.0.Beta" when the traffic carries the banner an infected computer sends: "You are connected to me." The rest of the rule tells Snort how to match that content (direction of the flow, how deep to search, case-insensitivity), how the rule is classified and tracked (classtype, sid, rev) and where to read more about the backdoor (the reference entries). The leading # marks the rule as commented out in the ruleset file, so it must be enabled before it will fire.
Also keep in mind that, depending on which rules file is downloaded, there are close to 3,500 rules developed by the Snort community. Anyone deploying Snort or another advanced IDS can also write their own rules for the network traffic they want to detect or prevent.
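To make the structure of such a rule concrete, here is an added Python example (not Snort's own code and not from the article) that parses the community rule quoted above into its header fields and options, decodes the |hex| escapes in the content strings, and applies the content checks with their depth, distance and nocase modifiers to a constructed payload. The rule text is a constructed copy of the one above with the two reference entries left out for brevity.

```python
import re

# Constructed copy of the rule quoted above (straight quotes; the leading '#' disables it in the ruleset).
RULE = ('# alert tcp $HOME_NET 666 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR SatansBackdoor.2.0.Beta"; '
        'flow:to_client,established; content:"Remote|3A| ",depth 11,nocase; content:"You are connected '
        'to me.|0D 0A|Remote|3A| Ready for commands",distance 0,nocase; metadata:ruleset community; '
        'classtype:trojan-activity; sid:118; rev:12; )')

HEADER = re.compile(r'^(?P<disabled>#\s*)?(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
                    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

def decode_content(text):
    # A content string mixes ASCII with |XX YY| hex runs; odd-numbered segments sit between pipes.
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out.extend(bytes.fromhex(part) if i % 2 else part.encode("ascii"))
    return bytes(out)

def parse_rule(rule):
    m = HEADER.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule")
    info = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    info["enabled"] = m.group("disabled") is None
    info["options"], info["contents"] = {}, []
    for opt in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', m.group("opts")):   # ';' outside quotes
        key, _, value = opt.strip().partition(":")
        if key == "content":   # keep the decoded bytes together with their modifiers
            start, end = value.index('"'), value.rindex('"')
            mods = [x.strip() for x in value[end + 1:].split(",") if x.strip()]
            info["contents"].append((decode_content(value[start + 1:end]), mods))
        elif key:
            info["options"][key] = value.strip().strip('"')
    return info

def payload_matches(info, payload):
    # Apply the content checks in order: depth is absolute from the buffer start,
    # distance is relative to the end of the previous match, nocase folds case.
    cursor = 0
    for pattern, mods in info["contents"]:
        opts = dict(mod.partition(" ")[::2] for mod in mods)   # e.g. {'depth': '11', 'nocase': ''}
        hay, needle = (payload.lower(), pattern.lower()) if "nocase" in opts else (payload, pattern)
        start = cursor + int(opts.get("distance", 0))
        end = int(opts["depth"]) if "depth" in opts else len(hay)
        pos = hay.find(needle, start, end)
        if pos < 0:
            return False
        cursor = pos + len(needle)
    return True
```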
An IPS, unlike an IDS, which only reports and logs malicious activity, acts on what it sees. It can take a set of actions against a known attack signature, such as blocking the traffic, rerouting it to a honeypot, or placing it in a demilitarized zone (DMZ).
Most network security appliances that include an IDPS are expensive; however, a dedicated device for smaller networks can be built using Linux. The key point in building such a device is that all network traffic must be forced through it for inspection before being routed onto the internal network.
Honeypots and Honeynets
Honeypots and honeynets are devices or networks that appear to contain data an attacker would find valuable. In reality they hold nothing of value and exist only so that an attacker's activities can be monitored.
Honeypots and honeynets are usually located in a DMZ, away from legitimate network traffic. In some cases, a single piece of software presents what appears to be an entire network.
Before implementing a honeypot or honeynet, consult legal counsel; there is some controversy regarding their use.
Recommendations for Better Network Security
It is critical to understand what your network does every day and night; only by understanding what it is doing can you protect it. Review your network logs regularly, or find a tool that collects them and provides a dashboard of what your network is doing.
One such tool is AlienVault OSSIM, but it requires a dedicated system for its installation. In other words, if you try to install it on your everyday computer, be prepared for it to erase that computer's operating system. If you have few spare systems, install it in a virtual machine instead for a more successful implementation.