ISP Network Challenges: Network Security, Spam & Virus Controls By Carter Manucy, FMPA.

Date post: 17-Dec-2015

Transcript
Page 1: ISP Network Challenges: Network Security, Spam & Virus Controls By Carter Manucy, FMPA.

ISP Network Challenges: Network Security, Spam & Virus Controls
By Carter Manucy, FMPA

Page 2:

Outline

Securing Your Networks
Windows vs. Unix Security
Protecting Your Customers
Controlling Spam

Page 3:

Securing Your Networks

What is a secure computer?

Any computer that is buried in concrete, with the power shut off and the network cable cut.

Anything less is a compromise.

Page 4:

Securing Your Networks

What protects computers and networks?

Passwords
Firewalls
Virus protection

Page 5:

Passwords

Security guidelines for passwords:

All passwords must be at least 20 characters
All passwords must not be in the dictionary
Must contain tissue samples from at least 3 vital organs
They must be different from all other passwords on the internet
They must be changed prior to every use
Binary representation of passwords must not contain any of the following sequences, as they are known about by hackers: 00, 01, 10, 11
May not contain ASCII characters
Color passwords must use a 32-bit palette

Page 6:

Passwords

Demand that your edge devices (anything that answers requests on the internet) have secure passwords on ALL accounts, not just the administrator accounts!

Passwords do need to be 8 or more characters that include numbers, letters and special characters.

Page 7:

Passwords

Control root/administrator accounts. DO NOT use these accounts for casual use! Only use them when you are required to.

Page 8:

Firewalls

Firewalls selectively isolate two or more networks
Firewalls permit and deny traffic based on rules
Organizations need written policies about what these firewall rules are
Firewalls are not just to protect your internet presence from your networks
Firewalls need to be on all DMZ servers

Page 9:

Firewalls

Enable local firewalls on all DMZ servers, such as IPTABLES on Linux, or TCP/IP filtering in Windows

Unfortunately, you have to allow some traffic in or out – otherwise you wouldn’t need an internet connection!

By allowing traffic, you open yourself up to attack. No firewall can protect you 100% of the time!

Page 10:

Firewalls

Widgets Inc uses a firewall in “Ultra-Paranoid” mode

Only HTTP (port 80) traffic allowed
No JavaScript, Java or ActiveX allowed
Only allow .gif and .jpg files along with web pages (HTML)
Only allow access to 50 approved sites

Page 11:

Firewalls

Joe Blow Hacker wants in! But Widgets Inc is safe… right?

Joe Blow uses some crafty social engineering on Widgets, Inc
Joe Blow turns his attention to the new “Top 50”
Joe Blow uploads his new program
Joe Blow renames his program
Joe Blow resumes his attack

Page 12:

Firewalls

Joe Blow’s new friend runs his program

Joe’s new program is now giving Joe an invisible shell on the secretary’s computer

Joe uses his hacked server as a stepping point…

Game over!

Page 13:

Virus Scanning

Having an up-to-date virus scanner is especially important around inexperienced users

Make as sure as possible that users update their anti-virus software automatically

Offer links to free anti-virus sites such as AVG or WinClam

Page 14:

Know Your Network

Create network baselines
Use MRTG (Multi Router Traffic Grapher) to help you identify problems before they escalate
MRTG can identify Spam attacks
MRTG can identify hacked servers
MRTG can identify problem users

Page 15:

MRTG – Normal Traffic

MRTG shows patterns – these patterns can show problems

Page 16:

MRTG – Abnormal Traffic

Abnormal traffic patterns can show network abuse

Page 17:

MRTG – Other Uses

MRTG can monitor any device that sends out SNMP data – including IIS servers, routers, even printers

By monitoring items such as HTTP errors, a high number could indicate attempts to hack at the server

Excessive 404’s on an HTTP server could help track down missing links on a webserver

Page 18:

Know Your Resources

National White Collar Crime Center: www.cybercrime.org
High Tech Criminal Investigation Association: www.htcia.org
Computer Security Institute: www.gocsi.com
Carnegie Mellon CERT: www.cert.org
SANS Institute: www.sans.org
National Security Institute: www.nsi.org

Page 19:

Know Your Resources

DOD Office of Cyber Security: www.ciac.org/ciac/
SANS Reading room: www.sans.org/rr/
Security focus: www.securityfocus.com
National Security Agency: www.nsa.gov
Protocol Analysis Institute: www.packet-level.com
Sentinix all inclusive network monitoring install: www.sentinix.org
CAIDA (Cooperative Association for Internet Data Analysis): www.caida.org

Page 20:

Know Your Resources

Security Dashboard display: www.securitywizardry.com/radar.htm

Page 21:

Hacker Toolbox

Ethereal: ethereal.com
Snort: snort.org
Nmap: www.insecure.org/nmap
LC4 (L0phtCrack): atstake.com/research
LANGuard: gfi.com/languard
EtherPeek: wildpackets.com

Page 22:

Hacker Toolbox

NetStumbler: netstumbler.com

Page 23:

Hacker Toolbox

Sam Spade: samspade.org

Page 24:

Hacker Toolbox

Ping Plotter: pingplotter.com

Page 25:

Hacker Toolbox

HexWorkshop: bpsoft.com
Sniffer: sniffer.com
Cain & Abel: www.oxid.it/cain.html
Observer: networkinstruments.com
Chkrootkit: chkrootkit.org
Netcat: netcat.sourceforge.net

Page 26:

Example – NMAP Scan

Host ###.com (xxx.xx.xx.xx) appears to be up ... good.
Initiating SYN half-open stealth scan against ###.com (xxx.xx.xx.xx)
Adding TCP port 88 (state open).
Adding TCP port 17 (state open).
Adding TCP port 389 (state open).
Adding TCP port 9 (state open).
Adding TCP port 19 (state open).
Adding TCP port 1068 (state open).
Adding TCP port 636 (state open).
Adding TCP port 593 (state open).
Adding TCP port 1067 (state open).
Adding TCP port 53 (state open).
Adding TCP port 13 (state open).
Adding TCP port 464 (state open).
Adding TCP port 445 (state open).
Adding TCP port 135 (state open).
Adding TCP port 5000 (state open).
Adding TCP port 7 (state open).
Adding TCP port 1026 (state open).
Adding TCP port 3389 (state open).
The SYN scan took 0 seconds to scan 1523 ports.
For OSScan assuming that port 7 is open and port 1 is closed and neither are firewalled

Page 27:

Example – NMAP Scan

Interesting ports on ###.com (xxx.xx.xx.xx):
(The 1505 ports scanned but not shown below are in state: closed)
Port      State  Service
7/tcp     open   echo
9/tcp     open   discard
13/tcp    open   daytime
17/tcp    open   qotd
19/tcp    open   chargen
53/tcp    open   domain
88/tcp    open   kerberos-sec
135/tcp   open   loc-srv
389/tcp   open   ldap
445/tcp   open   microsoft-ds
464/tcp   open   kpasswd5
593/tcp   open   http-rpc-epmap
636/tcp   open   ldapssl
1026/tcp  open   nterm
1067/tcp  open   instl_boots
1068/tcp  open   instl_bootc
3389/tcp  open   msrdp
5000/tcp  open   fics
TCP Sequence Prediction: Class=random positive increments
Difficulty=14410 (Worthy challenge)
Sequence numbers: 3AD7953F 3AD8570E 3AD97977 3ADA2100 3ADB1400 3ADB9658
Remote operating system guess: Windows 2000 RC1 through final release

Page 28:

Logging – Your Only Hope

Logs are often the only way you have of determining if and when there is a problem with your machines

Always simultaneously send log files off of the machine to a remote syslog box!

Log files WILL be doctored and/or wiped by a hacker

Use NTsyslog for Windows machines

Page 29:

Logfile Actions/Countermeasures

Attacker Action: Logfiles erased
Defensive Countermeasure: Highly visible – at least some part might be unerased using raw access to the file system, unerase tools (where available) or simple forensic tools

Attacker Action: Logfiles wiped
Defensive Countermeasure: Highly visible – traces might still be found in swap file

Attacker Action: Logfiles edited and saved
Defensive Countermeasure: Not very visible unless long periods of time are missing. Parts might be recoverable using raw access to file system, unerase or forensic tools

Attacker Action: Logfiles edited and appropriate parts zeroed on disk
Defensive Countermeasure: Not very visible unless long periods of time are missing. Likely cannot be unerased

Page 30:

Windows vs. *nix Security

No computer is 100% safe on the Internet

Windows has more problems than *nix (UNIX/Linux) based systems due to its design

If you use Windows servers, you need to be more careful where you deploy them, and protect them as much as possible

Page 31:

Windows vs. *nix Security

Unix started its life as a multi-user OS

Unix grew up on the internet

In 1998, the Morris worm taught Unix mail servers a valuable lesson – e-mail is insecure

In 1999, the Melissa virus duplicated the scenario, but this time for Windows

Page 32:

Windows vs. *nix Security

Windows started life as a standalone, single-user system

“The security kernel of the Windows NT server software was written before the Internet, and the Windows Server 2003 software was written before buffer overflows became a frequent target of recent attacks" (David Aucsmith, Microsoft, February 2004).

Page 33:

Windows vs. *nix Security

Unix (and all Unix-like OS’s such as Linux, BSD, and MacOS X) were designed as a piecemeal system

Windows is a bunch of large integrated components

Windows components feature lots of redundancy – some are not optional

Piecemeal makes patching easier – integration makes patching a nightmare

Page 34:

Windows vs. *nix Security

The multiuser part of *nix is what makes it both the most and least secure when compared to Windows

Programs have no access to the system by default

*nix does not differentiate between remote and local users

This feature can be controlled and disabled, as most do by default

No root or administrator access by default

Page 35:

Windows vs. *nix Security

Windows has the worst of both worlds

Many Windows programs need full control over the system to run

Some Windows programs require administrator privileges to run

Windows XP and 2003 are the least secure kernel ever designed

Page 36:

Windows vs *nix Security

Counting bug reports between *nix and Windows is a ridiculous practice

“Root Exploits” are standard operating procedure in Windows!

As such, they are not tracked for Windows

Page 37:

Windows vs. *nix Security

Another problem with counting bug reports for OS’s is that many Linux holes are counted multiple times for different vendors

Linux distributions ship with the equivalent of dozens of Microsoft products in one Linux product – to be fair these products must be added to Windows as well.

Page 38:

Windows vs. *nix Security

Integration is where Microsoft continues to have issues

Patches for *nix programs or services can be applied without a reboot

Worst-case scenario for *nix is that the program stops working

Windows patches can affect completely unrelated components

Reboots are often required with Windows patches

Page 39:

Windows vs. *nix Security

*nix systems are patched quickly and with little effort

Windows requires extensive configuration management for patches

Even that isn’t enough sometimes – as the SQL Slammer taught us

Most recent patches removed the protection for the SQL Slammer worm!

Page 40:

Windows vs. *nix Security

Windows recognizes that integration is the problem now

There is no way out without breaking compatibility

Win16 was abandoned in the transition to Win32 with Windows NT

Microsoft can’t do that with a Win32 to .NET transition – Win32 is still the foundation of Longhorn

Page 41:

Windows vs. *nix Security

Microsoft has given up on trying to address the problem due to customer base

They will lose this customer base if they break compatibility

If customers tolerated compatibility changes, *nix becomes just as appealing as Windows

Windows Win32 applications don’t port well

Page 42:

Windows vs. *nix Security

Probably 98% of Windows viruses come through e-mail

The root issue with e-mail worms on Windows goes back to the heart of how Windows works

If Microsoft “fixed” Windows, the majority of Windows software would break overnight

Page 43:

Windows vs. *nix Security

Microsoft does recognize the problems

The Ten Immutable Laws of Computing: http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx

Page 44:

Ten Immutable Laws of Computing

Law #1: Nobody believes anything bad can happen to them, until it does

Law #2: Security only works if the secure way also happens to be the easy way

Law #3: If you don't keep up with security fixes, your network won't be yours for long

Page 45:

Ten Immutable Laws of Computing

Law #4: It doesn't do much good to install security fixes on a computer that was never secured to begin with

Law #5: Eternal vigilance is the price of security

Law #6: There really is someone out there trying to guess your passwords

Page 46:

Ten Immutable Laws of Computing

Law #7: The most secure network is a well-administered one

Law #8: The difficulty of defending a network is directly proportional to its complexity

Law #9: Security isn't about risk avoidance; it's about risk management

Law #10: Technology is not a panacea

Page 47:

Protecting Your Customers

Why should you protect your customers?

Bandwidth = money
Wasted bandwidth from viruses is a problem
Hacking is a problem
Your customers could unknowingly be used for DDoS, spam or other kinds of ‘jump points’

Page 48:

Protecting your customers

Have your customers:

Turn off file/print sharing
Install and USE a firewall
Install, USE and UPDATE anti-virus software
Delete e-mails from people you don’t know without reading them!
Never accept unsolicited downloads
Use anti-spyware software regularly

Page 49:

Protecting Your Customers

Many places offer up free firewalls for protection

Windows XP Service Pack 2 has a decent built-in firewall now

Stand-alone firewalls are the best bet – products such as IPCop (ipcop.org) and SmoothWall (smoothwall.org) can turn old useless computers into stateful packet inspecting firewalls.

Page 50:

Protecting Your Customers

Protecting your customers also means controlling content

There is a fine line between content control and censorship

Generally speaking, there are some specific ports and addresses that can be turned off at your edge devices that have no business on the internet

Page 51:

Protecting Your Customers

Cisco ACL tip #1: A sample Inbound ACL - block spoofed IP’s appearing to be from non-routable IP’s:

access-list 101 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log-input

Page 52:

Protecting Your Customers

Cisco ACL tip #2: A sample Inbound ACL - block Microsoft NetBIOS and file sharing traffic:

access-list 101 deny tcp any any range 135 139
access-list 101 deny udp any any range 135 netbios-ss
access-list 101 deny tcp any any eq 445 log-input
access-list 101 deny udp any any eq 445 log-input

Page 53:

Protecting Your Customers

Cisco ACL tip #3: A sample Inbound ACL – block known Trojan Horse ports:

access-list 101 deny tcp any any eq 4444 log-input
access-list 101 deny tcp any any eq 27374 log-input
access-list 101 deny udp any any eq 1432 log-input
access-list 101 deny udp any any eq 1433 log-input
access-list 101 deny udp any any eq 1434 log-input
access-list 101 deny tcp any any eq 12345 log-input
access-list 101 deny tcp any any eq 31337 log-input
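The three ACL tips above all add entries to the same list 101, and IOS evaluates such a list top to bottom, first match wins, with an implicit "deny ip any any" at the end. The following Python model of that evaluation, written for this page rather than taken from the presentation, parses exactly the lines shown (wildcard masks, "eq", "range", the netbios-ss port name) and then checks sample packets against them; because the slides list only deny entries, an assumed "permit ip any any" is appended so that legitimate traffic is not silently dropped by the implicit deny.

```python
import ipaddress
from typing import NamedTuple, Optional

# The ACL lines from the three slides, plus an assumed trailing permit: an
# extended ACL that contains only deny entries blocks everything, because every
# IOS ACL ends with an implicit "deny ip any any".
ACL_101 = """
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 101 deny tcp any any range 135 139
access-list 101 deny udp any any range 135 netbios-ss
access-list 101 deny tcp any any eq 445 log-input
access-list 101 deny udp any any eq 445 log-input
access-list 101 deny tcp any any eq 4444 log-input
access-list 101 deny tcp any any eq 27374 log-input
access-list 101 deny udp any any eq 1432 log-input
access-list 101 deny udp any any eq 1433 log-input
access-list 101 deny udp any any eq 1434 log-input
access-list 101 deny tcp any any eq 12345 log-input
access-list 101 deny tcp any any eq 31337 log-input
access-list 101 permit ip any any
"""

# IOS accepts well-known names in port positions; netbios-ss is the one the slide uses.
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}


class Entry(NamedTuple):
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; else "tcp"/"udp"
    src: Optional[tuple]         # (network, wildcard) as ints, or None for "any"
    dst: Optional[tuple]
    ports: Optional[tuple]       # (low, high) destination port range, or None
    log: bool                    # "log-input" present


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _addr(tokens):
    """Consume 'any' or 'A.B.C.D W.W.W.W' (address + IOS wildcard mask)."""
    if tokens[0] == "any":
        return None, tokens[1:]
    net = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (net, wild), tokens[2:]


def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        action, proto = t[2], t[3]
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        ports = None
        if rest and rest[0] == "eq":
            ports, rest = (_port(rest[1]), _port(rest[1])), rest[2:]
        elif rest and rest[0] == "range":
            ports, rest = (_port(rest[1]), _port(rest[2])), rest[3:]
        entries.append(Entry(action, proto, src, dst, ports, "log-input" in rest))
    return entries


def _match_addr(rule, ip):
    if rule is None:
        return True
    net, wild = rule
    # A 1 bit in the wildcard means "don't care": compare only the 0 bits.
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)


def evaluate(entries, proto, src_ip, dst_ip, dst_port=None):
    """Return (action, index of the matching entry) with first-match semantics."""
    for i, e in enumerate(entries):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_match_addr(e.src, src_ip) and _match_addr(e.dst, dst_ip)):
            continue
        if e.ports is not None and not (
            dst_port is not None and e.ports[0] <= dst_port <= e.ports[1]
        ):
            continue
        return e.action, i
    return "deny", None   # fell off the end: implicit deny ip any any
```

Dropping the final permit from ACL_101 makes evaluate() return ("deny", None) for every packet, which is the behaviour an operator gets when the slides' lines are pasted in on their own.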

Page 54:

Protecting Your Customers

Wireless routers are a problem

Page 55:

Wireless Networks

WEP vs. Non-WEP stats

Page 56:

Protecting Yourself

Have someone who is well-versed in security in charge of it. A little knowledge is a dangerous thing!

Be mindful that not everyone in the world runs Windows, so you have to be aware of other OS’s as well

Subscribe to an advisory system such as SANS

Always keep your networks separate!

Page 57:

Protecting yourself

Read your firewall and IDS logs! If you’re not reading your logs, the only time you’ll use them is after it’s too late

Try migrating away from Internet Explorer whenever possible

Page 58:

Spam and E-mail

Estimates show that between 75-85% of all e-mail is Spam

After the recent hurricanes in Florida, the spam percentage dropped by 10% - I guess they cleaned out more than just the tourists…

Page 59:

Ways To Stop Spam

DNSBL sites
SPF (Sender Policy Framework)
Bayesian filtering
User education
Whitelists
Greylists
Linux-based proxies
Commercial appliances

Page 60:

DNSBL sites

DNSBL = DNS Black Lists

There are currently hundreds of DNSBL sites – some private, some public

FMPA uses six DNSBL’s to deny mail from even connecting:

bl.spamcop.net
dnsbl.njabl.org
relays.ordb.org
sbl-xbl.spamhaus.org
list.dsbl.org
korea.services.net

Page 61:

DNSBL Sites

FMPA also checks against those sites and two additional ones a second time – this second scan looks at every header in the e-mail to look for black listed sites. If it finds a match, it just tags the e-mail – it doesn’t actually refuse to accept them

An example of a session might go something like this:

Page 62:

DNSBL Session

For this session, I’ll take an actual e-mail I just got

1. A mail server connects to FMPA. In this case, the IP address is 203.211.205.181 – but the server ‘claims’ it is AOL.COM – which is a lie

2. Our qmail server looks at the connecting IP against the first list of DNSBL’s. None of them come up positive so it allows the connection.

3. The spammer dumps off the message.

4. qmail then looks at all of the other headers in the e-mail to see what other servers have handled the message

Page 63:

DNSBL Session

5. There are other servers that handled this message – before it got to 203.211.205.181 it went thru 80.0.16.8 – a server in Amsterdam!

6. Both IP’s are listed in different DNSBL’s – one is Spamcop, the other is NJAB’s Dynamic IP list. Since NJAB was found first, qmail injects a header into the e-mail marking it as spam

7. My Notes e-mail client picks up on the injected header, and automatically moves the message into my ‘junk mail’ folder

8. Apparently my application was approved for a $400,000 loan at 2.1%...
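The two-stage check in the session above (refuse at connect time on the six lists, then walk every Received: header and only tag on a hit) is modelled in the added Python below; it is not FMPA's qmail configuration. A DNSBL lookup is a plain DNS query for the client's octets reversed under the list zone, so a small stand-in dictionary plays the role of DNS here, the two "additional" zones the slide does not name are represented by one constructed placeholder zone, and the sample message, the listing data and the X-RBL-Warning header name are all constructed for the example.

```python
import ipaddress
import re
from email import message_from_string

# The six lists from the slide, consulted while the client is still connecting:
# a hit here refuses the connection before any message is accepted.
CONNECT_LISTS = [
    "bl.spamcop.net", "dnsbl.njabl.org", "relays.ordb.org",
    "sbl-xbl.spamhaus.org", "list.dsbl.org", "korea.services.net",
]
# The second pass uses the same lists plus two more; the slide does not name
# them, so a constructed placeholder zone stands in for the dynamic-IP list.
HEADER_LISTS = CONNECT_LISTS + ["dynamic.dnsbl.example"]

# Constructed stand-in for DNS: names that would return an A record. A real
# DNSBL answers 127.0.0.x for a listed address and NXDOMAIN for everything else.
FAKE_DNS = {
    "8.16.0.80.bl.spamcop.net",               # 80.0.16.8, the Amsterdam hop
    "181.205.211.203.dynamic.dnsbl.example",  # 203.211.205.181, the connecting host
}


def dnsbl_name(ip, zone):
    """Query name for a DNSBL: the octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def lookup(ip, zones, resolve=lambda name: name in FAKE_DNS):
    """Return the first zone (in list order) that lists ip, or None."""
    for zone in zones:
        if resolve(dnsbl_name(ip, zone)):
            return zone
    return None


def connection_decision(client_ip):
    """Step 2 on the slide: refuse at connect time if any connect list hits."""
    return "reject" if lookup(client_ip, CONNECT_LISTS) else "accept"


# Bracketed IPv4 literals as written by MTAs in Received: headers.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(raw_message):
    """IPs from every Received: header, newest hop first (the order qmail sees)."""
    msg = message_from_string(raw_message)
    ips = []
    for hdr in msg.get_all("Received", []):
        ips.extend(RECEIVED_IP.findall(hdr))
    return ips


def tag_message(raw_message):
    """Steps 4-6: check every relay, inject a header on the first hit, never reject."""
    for ip in relay_ips(raw_message):
        zone = lookup(ip, HEADER_LISTS)
        if zone:
            header = f"X-RBL-Warning: {ip} is listed in {zone}\n"
            return header + raw_message, zone
    return raw_message, None


# Constructed message modelled on the session in the slides (not the real one).
SAMPLE = (
    "Received: from aol.com (unknown [203.211.205.181]) by mail.fmpa.com;"
    " Fri, 1 Oct 2004 10:00:00 -0400\n"
    "Received: from relay (relay [80.0.16.8]) by 203.211.205.181;"
    " Fri, 1 Oct 2004 09:58:00 -0400\n"
    "From: loans@example.com\nTo: user@fmpa.com\nSubject: Approved\n\n"
    "Your application was approved.\n"
)
```

A mail client that files on the injected header (step 7) needs nothing more than a rule on X-RBL-Warning, which is why tagging rather than refusing is safe for a second, broader pass.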

Page 64:

SPF (Sender Policy Framework)

Allows for verification that your server is authorized to send e-mail

Publishing your authorized servers is a simple DNS TXT entry

Page 65:

SPF In Action

SPF records are TXT records in DNS

At FMPA, we accept mail from two servers, which are listed in our MX records:

fmpa.com mail exchanger = 10 mail.fmpa.com.
fmpa.com mail exchanger = 20 tally.fmpa.com.

FMPA’s SPF record is a TXT entry:

fmpa.com text = "v=spf1 mx ip4:66.192.231.225"

The above servers are the only servers that are authorized to send mail from fmpa.com

Page 66:

SPF In Action

Joe Blow Spammer is sending mail from [email protected]

Joe’s mail server connects to AOL’s mail server

Joe’s MTA tells AOL’s mail server who he is and who he’s sending to

AOL’s mail server checks fmpa.com’s SPF record, finds out that Joe’s server isn’t authorized to send mail from fmpa.com!

Page 67:

SPF In Action

AOL drops the session before the body of the message is delivered

AOL saves its customer from the Spam

AOL saves its bandwidth
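The added Python below walks through the receiving side of the exchange: a minimal check_host() for the mx, ip4, a and all mechanisms evaluated at MAIL FROM, before any message body is accepted. It is not AOL's or FMPA's code, and the DNS data is constructed: the MX names are the ones on the slide, but their A records are placeholders because the slides do not give them. One caveat it makes visible is that the record as shown, "v=spf1 mx ip4:66.192.231.225", has no terminal "-all", so an RFC 4408 receiver returns Neutral for an unlisted sender and does not reject; the same record with "-all" appended yields Fail, which is the outcome the slides describe.

```python
import ipaddress

# Constructed DNS data modelled on the slide (A records are placeholders).
DNS = {
    "MX": {"fmpa.com": ["mail.fmpa.com", "tally.fmpa.com"]},
    "A": {"mail.fmpa.com": ["192.0.2.10"], "tally.fmpa.com": ["192.0.2.20"]},
    "TXT": {"fmpa.com": ["v=spf1 mx ip4:66.192.231.225"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _in_cidr(ip, network):
    """True if ip falls inside network ('a.b.c.d' or 'a.b.c.d/len')."""
    return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(network, strict=False)


def _host_has_ip(hostname, ip, dns):
    return any(_in_cidr(ip, a + "/32") for a in dns["A"].get(hostname, []))


def check_host(ip, domain, dns=DNS):
    """Minimal SPF check_host: ip4, a, mx and all, evaluated left to right."""
    records = [t for t in dns["TXT"].get(domain, []) if t.split(" ", 1)[0] == "v=spf1"]
    if len(records) != 1:
        return "none"            # no record (or several): nothing to enforce
    for term in records[0].split()[1:]:
        qualifier = "+"          # mechanisms default to pass when they match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = _in_cidr(ip, arg)
        elif name == "a":
            matched = _host_has_ip(arg or domain, ip, dns)
        elif name == "mx":
            # Every MX host of the domain is an authorized sender.
            matched = any(_host_has_ip(mx, ip, dns) for mx in dns["MX"].get(arg or domain, []))
        else:
            return "permerror"   # include/redirect/exists etc. are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"             # nothing matched and no "all" term: RFC 4408 default


def smtp_mail_from_decision(ip, mail_from, dns=DNS):
    """What the receiving MTA does at MAIL FROM: reject only on an SPF Fail."""
    domain = mail_from.rsplit("@", 1)[-1]
    result = check_host(ip, domain, dns)
    code = "550" if result == "fail" else "250"   # 550 ends the session before DATA
    return code, result
```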

Page 68:

Bayesian Filtering

Bayesian Filtering “reads” the e-mail for content, and normally scores the message accordingly

Too high of a score = spam

Needs more processing time than other methods

Needs to be updated regularly to keep up with trends

Page 69:

User Education

Don’t opt-out of spam

Don’t give your e-mail address to questionable sites – especially for “free” software and adult-content sites!

Don’t put e-mail address on websites

Don’t use the TO: or CC: field in an e-mail to send copies – use the BCC:

Page 70:

Whitelists

Whitelists are a simple way to guarantee delivery of messages

Whitelists are normally maintained on a per-user basis

Individual whitelists don’t do other users any good

Page 71:

Greylists

Greylists temporarily delay e-mail

Works against spammers, but not normally against legitimate e-mail

After the second successful attempt, delays are no longer incurred

Eventually this too will become a passé way of blocking spam
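The greylist behaviour described above, as an added Python example that is not part of the presentation: the first delivery attempt for a new (client network, sender, recipient) triplet is answered with a temporary 451 error; a compliant MTA queues and retries, and once the retry arrives after the minimum delay the triplet is recorded and every later delivery passes without delay, while a bulk mailer that never retries never gets through. The delay, retry window and pass lifetime are assumed values, and the clock is injected so the sequence can be exercised without waiting.

```python
from dataclasses import dataclass, field


@dataclass
class Greylist:
    """Triplet greylisting state for one receiving MTA. Times are seconds."""
    min_delay: int = 300              # assumed: retry must come 5 minutes later
    retry_window: int = 4 * 3600      # assumed: unconfirmed triplets forgotten after 4 h
    pass_ttl: int = 36 * 24 * 3600    # assumed: confirmed triplets remembered for 36 days
    pending: dict = field(default_factory=dict)    # triplet -> time first seen
    confirmed: dict = field(default_factory=dict)  # triplet -> time last delivered

    @staticmethod
    def triplet(client_ip, sender, recipient):
        # Large senders often retry from a neighbouring host, so key on the /24
        # rather than the exact address; addresses are compared case-insensitively.
        net = ".".join(client_ip.split(".")[:3]) + ".0/24"
        return (net, sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now):
        """Answer for one RCPT TO attempt at time `now`: '451 try later' or '250 ok'."""
        key = self.triplet(client_ip, sender, recipient)
        last = self.confirmed.get(key)
        if last is not None:
            if now - last <= self.pass_ttl:
                self.confirmed[key] = now       # known good: pass and refresh
                return "250 ok"
            del self.confirmed[key]             # too old: start over
        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now             # first contact (or an expired one)
            return "451 try later"
        if now - first < self.min_delay:
            return "451 try later"              # retried too soon, keep deferring
        del self.pending[key]
        self.confirmed[key] = now               # second successful attempt
        return "250 ok"
```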

Page 72:

Linux-based Proxies

Linux-based, secure MTA’s such as qmail receive and scan e-mail

Can employ SPF, Bayesian filtering, Virus-Scanning, DNSBL, blacklists, greylists or whitelists

Can work with ANY other MTA – Exchange, Notes, mDaemon – whatever you already have

Aside from the hardware costs (not demanding) – it’s FREE!

Page 73:

Commercial Appliances

Commercial Anti-Spam Appliances and software – very effective tools

Not always appropriate in an ISP environment due to cost

ISP’s cannot afford false-positives for spam filtering

Page 74:

Summary

The internet is a hostile place, and must be treated as such – it is a global network, and in some places hacking is not only legal, but encouraged

Stay on top of security by keeping in mind that you will never know it all

Use tools available to you to help make the job easier

Use secure MTA’s and scan e-mail to put Spam where it belongs – off your network!

