By breaking down a network into its basic segments, we can determine the risks and define what is necessary to prevent unauthorized access.
A misconfigured network is a primary entry point for unauthorized users. Leaving a trust-based, open local network vulnerable to the highly-insecure Internet is much like leaving a door ajar in a crime-ridden neighborhood — nothing may happen for an arbitrary amount of time, but eventually someone will exploit the opportunity.
System administrators often fail to realize the importance of networking hardware in their security schemas. Simple hardware such as hubs and routers rely on the broadcast or non-switched principle; that is, whenever a node transmits data across the network to a recipient node, the hub or router sends a broadcast of the data packets until the recipient node receives and processes the data. This method is the most vulnerable to address resolution protocol (arp) or media access control (MAC) address spoofing by both outside intruders and unauthorized users on local nodes. For advice on choosing the right networking hardware and topology, refer to Chapter 8.
Another potential networking pitfall is the use of centralized computing. A common cost-cutting measure for many businesses is to consolidate all services to a single powerful machine. This can be convenient because it is easier to manage and costs considerably less than multiple-server configurations. However, a centralized server introduces a single point of failure on the network. So if the central server is compromised, it may render the network completely useless or worse, prone to data manipulation or theft. In these situations a central server becomes an an open door, allowing access to the entire network. Refer to Chapter 8 for more information about network segmentation and how they help you avoid an incident.
The least likely, but still common, mistake among administrators and home users is the assumption that their network is inherently secure and, thus, they forgo the implementation of a firewall or network packet filtering service. The installation of a dedicated firewall, whether standalone or as part of a server that will act as a gateway, is crucial to segmenting internal and external network traffic. Leaving the internal network exposed to the Internet, especially if the connection to the Internet is constant, is an open invitation to any Internet user that happens to find the network's external IP address. A cracker can potentially act as a node on your internal network or take over machines on the network to act as a proxy. Firewalls can help prevent this by using packet filtering, port forwarding, or Network Address Translation (NAT). They can also act as a proxy between the internal network and the Internet, further buffering the private network from the Internet. Refusing to implement a firewall or, perhaps more importantly, setting up a firewall incorrectly, leaves a network completely vulnerable. Refer to Chapter 7 for more information on configuring a firewall for your network.
Password-protected applications and services are sound means of protecting a network. However, these passwords should never be passed over public networks unencrypted. This is because crackers use readably available tools to sniff network traffic for data such as passwords to gain access to private networks and services. Unfortunately, many applications and services (such as telnet and FTP) transmit passwords in plain text (also known as clear text) which makes them vulnerable to these network sniffing applications.
Encryption is a general method of scrambling data, such as passwords, in order to protect it in the event of interception. Depending on the encryption method used, it could conceivably take a cracker several thousand years to decrypt the data using conventional methods. Most encryption methods are done between the client application and the server, making the process transparent to all users. However, encryption is something that most people do not understand. Administrators feel that it is a nuisance to integrate into their network services, even though, in most cases, encrypting network traffic can be a relatively simple procedure. The advantages of using encryption vastly outweigh its liabilities.
The popularity of mobile technology has prompted engineers to develop new ways of connecting to and communicating with others. Cellular and radio-frequency (RF) technology has ushered a new age of wireless communication that boasts competitive speeds and functionality compared to wired or cabled communication solutions.
The recent IEEE 802.11b wireless protocol (wi-fi) has become an industry standard for users that need a more mobile networking solution. The 802.11b standard uses 2.4 GHz Direct Sequence Spread Spectrum (DSSS) frequency for communication. It also uses 40-bit Wired Equivalent Privacy (WEP) encryption of all data traffic. It seems to be the ideal solution for users who move frequently or do not have access to traditional RJ-45 or RJ-11 cabling lines.
There have been recent reports, however, that dispute the relative security of 802.11b and other WLAN technologies. One major drawback of wireless networking is that most wireless network interface cards (NICs) must be operated in promiscuous mode — that is, data packets must continually be broadcast in order for the wireless NIC to transmit and receive the packets that are intended for it. Moreover, the WEP encryption built into 802.11b NICs and Access Points is, by many estimates, a weak form of encryption that can be cracked using standard desktop or laptop PCs. Many WLAN administrators do not even enable the WEP encryption, making the ability to intercept data even easier. For general information on wireless security, refer to Chapter 8.