Review security issues
Overview
You should already know about confirming client requirements and network equipment. This resource will help you to review security issues within an information technology environment.
In this topic you will learn how to:
- assess security features of Internet gateways with reference to architecture and the security plan
- review security measures with the Internet service provider with reference to firewalls and other measures
- brief users on the security plan with reference to Internet use and hazard possibilities.
This topic contains:
- reading notes
- activities
- references
- topic quiz.
As you work through the reading notes you will be directed to activities that will help you practise what you are learning. The topic also includes references to aid further learning and a topic quiz to check your understanding.
Reading notes
Internet gateway architecture and plans
The basic architectural decision to be made when planning an Internet gateway is whether to host services within the client’s network control. Choosing to host services leads to the additional complexity of having a demilitarised zone (DMZ) in the Internet gateway.
The addition of a DMZ to an Internet gateway is a complication that extends the basic gateway, so we will consider the added requirements for a DMZ later and just the basic services first.
Home and small business
Image: A home and small business network arrangement with the Internet gateway is positioned on the network boundary of the LAN and communicates with the ISP to achieve Internet connectivity. There is no provision for the hosting of Internet-accessible servers within the organisation’s network.
Figure 1: Typical Internet gateway without a DMZ
The Internet gateway in Figure 1 needs to provide client systems in the internal network with access to the Internet. The internal resources of the LAN, including the normal sharing of file systems and printers expected of a LAN, should be directly accessible without the need to involve the Internet gateway.
The Internet resources include access to
- websites (HTTP, HTTPS)
- FTP servers (FTP)
- email (SMTP and POP3)
- domain name servers (DNS).
The default configuration of most residential gateways and other Internet gateway products may leave all services open. To create a suitably secure environment, gateways should have basic configuration carried out before they are connected to the Internet link.
Preliminary configuration should include
- changing the default password (and possibly the administrator’s username)
- disabling access to the administration utility from the Internet (WAN) side of the device
- enabling NAT
- enabling the firewall initially to block all incoming ports for the Internet (WAN) side
- disabling DHCP server features
- enabling DHCP client capability on the Internet WAN side
- setting the internal IP address of the device to match the internal LAN
- setting the authorisation credentials (username and password) for the ISP’s link.
To summarise this in a checklist:
Table 1: Initial setting checklist
| Setting | Completed |
| --- | --- |
| Default administrator password (and username) | |
| Disable external (WAN) administration access | |
| Enable NAT | |
| Enable firewall and block all external (WAN) access | |
| Disable DHCP server | |
| Enable DHCP client on WAN | |
| Set internal IP address | |
| Set credentials for logging in to Internet link | |
The precise way this is done on any particular device is not standardised, so you will need to refer to manufacturers’ documentation, including user guides and installation manuals. These user guides may not contain all the options, and it may not be possible for you to completely document all the actions you need to take until working with the actual device. Remember that the terminology will vary between manufacturers.
In order to meet these requirements, certain ports must be opened in the firewall or router part of the Internet gateway to allow communication with appropriate Internet servers. The ports to open depend on the scope of the Internet services required by the client.
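The checklist in Table 1 and the rule that open ports should follow the services the client needs can be checked mechanically once a device's settings have been recorded. The following is an added example, not part of the original topic: the configuration key names, the sample password list and both sample configurations are constructed for illustration, since real devices name these settings differently.

```python
import ipaddress

# Well-known ports for the Internet resources listed above (FTP: control channel only).
SERVICE_PORTS = {"http": 80, "https": 443, "ftp": 21, "smtp": 25, "pop3": 110, "dns": 53}
# Constructed sample of factory passwords; use the vendor's documented default in practice.
FACTORY_PASSWORDS = {"", "admin", "password", "1234"}

def audit_gateway(cfg, lan_cidr, services):
    """Return the Table 1 items (plus outbound port mismatches) that cfg fails."""
    failures = []
    if cfg["admin_password"].lower() in FACTORY_PASSWORDS:
        failures.append("default administrator password")
    if cfg["wan_admin_enabled"]:
        failures.append("WAN administration access enabled")
    if not cfg["nat_enabled"]:
        failures.append("NAT disabled")
    if not cfg["firewall_enabled"] or cfg["wan_inbound_open_ports"]:
        failures.append("WAN inbound ports not all blocked")
    if cfg["dhcp_server_enabled"]:
        failures.append("DHCP server enabled")
    if not cfg["wan_dhcp_client"]:
        failures.append("DHCP client on WAN disabled")
    if ipaddress.ip_address(cfg["lan_ip"]) not in ipaddress.ip_network(lan_cidr):
        failures.append("internal IP address outside LAN subnet")
    if not (cfg["isp_username"] and cfg["isp_password"]):
        failures.append("ISP link credentials not set")
    # Outbound ports should match exactly the services the client requires.
    needed = {SERVICE_PORTS[s] for s in services}
    opened = set(cfg["outbound_open_ports"])
    if opened - needed:
        failures.append(f"unneeded outbound ports open: {sorted(opened - needed)}")
    if needed - opened:
        failures.append(f"required outbound ports closed: {sorted(needed - opened)}")
    return failures

# Constructed sample configurations (hypothetical key names).
HARDENED = {
    "admin_password": "correct-horse-7!", "wan_admin_enabled": False,
    "nat_enabled": True, "firewall_enabled": True, "wan_inbound_open_ports": [],
    "dhcp_server_enabled": False, "wan_dhcp_client": True, "lan_ip": "192.168.1.1",
    "isp_username": "client01", "isp_password": "example-only",
    "outbound_open_ports": [53, 80, 110, 443, 25],
}
# Near-factory state: default password, WAN admin on, firewall off, wrong subnet.
FACTORY = dict(HARDENED, admin_password="admin", wan_admin_enabled=True,
               firewall_enabled=False, dhcp_server_enabled=True,
               lan_ip="10.0.0.1", outbound_open_ports=[53, 80, 443, 23])
REQUIRED = ["http", "https", "smtp", "pop3", "dns"]

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("factory", FACTORY)):
        print(name, audit_gateway(cfg, "192.168.1.0/24", REQUIRED))
```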
Enterprise
Larger organisations may decide that they have the internal support to host some services for their clients or mobile staff members. These services will be hosted on their own servers at their location and be managed by the internal support staff of the organisation.
Image: A larger organisation’s network arrangement with the Internet gateway positioned on the network boundary of the LAN which communicates with the ISP to achieve Internet connectivity. A DMZ has been created to allow the hosting of Internet-accessible servers within the organisation’s physical control.
Figure 2: Typical network layout of an Internet gateway for a larger organisation including a DMZ
The inclusion of a DMZ in an Internet gateway requires additional security attention, as now some of the organisation’s systems are presented to the Internet and therefore become targets for viruses, worms and hackers worldwide. The host systems here need to be as well-protected as any servers at an ISP. The ISP will generally just allow Internet traffic directly to your client’s Internet gateway, so security of these systems is your responsibility.
The Internet gateway then needs to decide which traffic to direct to which of the DMZ servers, and which traffic is a response to internal LAN users and systems and so should be passed in to the internal Internet gateway.
Security of the DMZ servers needs to be tight. Security updates need to be assessed as soon as they are released. This is not only true for the underlying operating systems but also for any exposed server applications on each host. The performance and functionality must be monitored to ensure that a compromised server can be identified quickly or a threat mitigated as soon as possible.
A DMZ will usually contain a choice of servers for serving web pages (HTTP), domain name (DNS), email (SMTP and POP3) and file transfer protocol (FTP). The servers for these services may be on one or many physically distinct computer systems depending on the expected workloads of the services. For example, a business that is selling software that is available for download may require separate web and FTP servers to spread the load over a number of distinct physical machines.
The systems in the DMZ are usually crucial for the business or organisation since there is no room for frivolous servers in security architectures. Non-critical systems that need to be Internet accessible are often better outsourced to relieve the burden from local system administrators.
DMZ systems need to be accessible from the Internet in general as well as from the business’s LAN equipment. The DMZ produces segregation between the public and private infrastructures of the organisation. The segregation allows the mitigation of risks involved in allowing non-trusted, potentially hostile systems to access your client’s computer systems.
Confidential information about customers and the internal business workings of the organisation is kept on internal servers, not in the DMZ. Access to these servers is limited to internal LAN clients.
IP address
Another consideration is that clients from the Internet need to know where to go in order to contact your servers. That is, they need to know the IP address of your service. This is usually accomplished through the use of the DNS system, which translates between IP addresses and domain names on the Internet. The organisation’s ISP must assign a static IP address to your client’s link in order to allow it to be registered with a DNS server.
An alternative is to work with a dynamic DNS provider such as no-ip.com. These services take the management of the server away from you, yet still allow complete control over the service. However, using a dynamic IP account to provide servers to the Internet may contravene the acceptable-use policy of the ISP. In this case, your client may have their Internet access disconnected until a suitable plan is put into place.
This scheme also places the DNS for all the internal network devices outside the ISP and so will increase the time to resolve domain name references for all of these devices. Any internal servers may also need to have their domain name information stored on the remote DNS server, leading to longer resolution times within the network. What will happen if the Internet connection fails? A local DNS server for internal lookups is still necessary.
Activity 1
To practise assessing Internet security features of your home or organisation, complete Activity 1 – Assess Internet security for home or organisation, located in the Activities section of the Topic menu.
Review security measures with the ISP
Most ISPs have no commitment to security for your client’s LAN. Many will provide virus scanning for email accounts hosted on their servers. The two most common problems when setting up an Internet gateway will be the blocking of port 25 and the use of dynamic IP addresses.
Blocking port 25
Port 25 is blocked to help reduce SPAM and unwanted transmission of email worms and viruses. Port 25 is used in sending an email from an email client, such as Outlook, to an SMTP mail server. It is also used between SMTP email servers in order to exchange emails around the world.
ISPs will block the outbound passage of connections to port 25 to all except their own email servers, thus preventing your client from hosting a mail server. If clients are not hosting their own email server or if the ISP hosts it, then there is no problem with the configuration.
Blocking was introduced to prevent some email worms from creating their own SMTP server on a compromised computer and using it to email copies of themselves or to attack other systems. The blocking of port 25 prevents such a bogus server from operating and causing further damage.
Some ISPs also restrict the rate at which you can send emails in order to stop other mass-mailing viruses from using the legitimate email server inappropriately.
These restrictions from ISPs can cause problems if your clients have an externally hosted email provider other than the ISP. All outgoing emails must use the ISP’s mail server, but incoming mail needs to come from the established email provider. Fortunately, most email clients can be configured to have different incoming and outgoing email servers as shown in Figure 3.
Image: MS Outlook Accounts Properties screen showing different incoming and outgoing servers, eg incoming mail (POP3) server is mail.myPOP3mail.com and outgoing mail (SMTP) is mail.myISPmail.com.
Figure 3: Outlook Accounts Properties showing different incoming and outgoing servers
Note that in order for this to work, the ‘outgoing mail server’ section needs to be ticked and the settings for it set, meaning that two sets of credentials are needed to configure the server: one for the outgoing and one for the incoming mail servers.
In a larger organisation, the limitation on the rate of sending emails may not be satisfactory. In this case, the client may have to pay an additional fee to increase the number of outgoing email accounts available for use.
Typically, a statically assigned IP address supplied for a business Internet connection does not have either of these limitations.
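A scripted check for the port 25 blocking described above, which separates a timeout from a refusal and from a working SMTP greeting. This is an added example, not part of the original topic: `probe_smtp` and `start_fake_server` are names chosen here, and the local listener is a constructed stand-in for a mail server so the block runs offline.

```python
import socket
import threading

def probe_smtp(host, port=25, timeout=10.0):
    """Classify an outbound TCP connection to a mail server.

    Returns (status, banner) where status is:
      "open"       connected and received an SMTP 220 greeting
      "timeout"    no answer in time, as when the ISP drops port 25 traffic
      "refused"    host reachable but nothing listening on the port
      "unexpected" connected, but the greeting was not SMTP 220
      "error"      name resolution or other network failure
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            banner = conn.recv(512).decode("ascii", "replace").strip()
    except socket.timeout:
        return "timeout", ""
    except ConnectionRefusedError:
        return "refused", ""
    except OSError as exc:
        return "error", str(exc)
    return ("open" if banner.startswith("220") else "unexpected"), banner

def start_fake_server(banner):
    """Constructed local listener standing in for a mail server; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        if banner:
            conn.sendall(banner)
        threading.Event().wait(1.0)   # keep the connection open briefly
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    # Offline demonstration against constructed local listeners.
    print(probe_smtp("127.0.0.1", start_fake_server(b"220 mail.example.test ESMTP\r\n"), 1.0))
    print(probe_smtp("127.0.0.1", start_fake_server(b""), 0.3))
```

Run from the client's network against a mail server outside the ISP, a "timeout" result is the one consistent with the ISP blocking port 25, while "open" shows the port is not blocked.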
Using dynamic IP addresses
Most ISPs provide an Internet connection using a dynamic IP address system (DHCP) for all broadband and dial-up links. This makes it easier to configure from the client’s point of view and removes the need to manually configure options such as the DNS servers. However, if a client is intending to host their own Internet-accessible servers, then this service will cause problems in that a domain name is statically assigned to an IP address, so that, for example,
- always associates with - 200.174.0.187
If the link to the ISP changes, then the server for will no longer be accessible. The only proper solution to this is to have the ISP assign your client a static IP address that will always remain the same. Most ISPs will charge more for this service and some don’t offer it at all. If the latter is the case, then a change of ISP will be required.
You can contact an ISP to obtain security and routing information, and many ISPs have the information available as either product FAQ (frequently asked questions) or information pages.
Dynamic DNS services are available that allow this problem to be circumvented. The use of these services and hosting over a dynamic IP address link may contravene the acceptable terms of use for the ISP, and the ISP may take action against your client over the use of such a scheme.
Activity 2
To practise accessing ISP security information, complete Activity 2 – Access ISP security information, in the Activities section of the Topic menu.
Brief users on the security plan and risks of Internet use
How can you ensure that users within your client’s network are aware of the security arrangements of their Internet access? Many businesses are finding that their employees are circumventing security in many ways. With the portability of mass storage devices increasing to the point where a pocket-sized 200 gigabyte hard drive can be plugged into a workstation to bring in and take away data from the organisation, the chance of introducing viruses, worms and other destructive programs increases.
Users need to be informed of what they should and should not do while accessing the Internet. These measures should form a subset of a complete technology acceptable-use policy, including guidelines for all data handling that contacts the network or one of its systems.
The distribution of a policy and the confirmation that it has been read and understood is a difficult task. Merely signing an agreement does not ensure it was read or understood. Clicking on a button on the screen is even less likely to be effective in getting the message across.
Ways to accomplish the distribution of a policy include
- induction packages for employees
- seminars
- emails
- log-on notices
- messages of the day
- default home page in Internet Explorer.
Depending on your client’s policy documentation and reporting requirements, you may need to collect and audit information about the policy contents. You may do this by use of web forms and email read receipts. Some clients may require signatures from the users.
The content of these information parcels needs to include details of
- security measures that have been implemented
- advice on safe usage of the Internet
- why, where, who and how to report incidents and problems
- bad habits
- good habits
- information sources
- penalties.
You need to obtain some sort of active feedback in order to gather evidence of the understanding of these issues by the users. This may be obtained by
- questionnaire
- mini-quiz
- practical testing with simulated security risks, under the control of the security staff
- monitoring and analysing user patterns.
Activity 3
To practise notifying users of Internet security measures, complete Activity 3 – Notifying users of Internet security measures, in the Activities section of the Topic menu.
Activities
Activity 1 – Assess Internet security for home or organisation
Examine the security features of an Internet connection you have access to by researching and answering the following questions:
- What do you use to share Internet access at your home or business?
- Is there a network administrator or ‘computer person’ that you can ask some information from at work?
- What services are provided from your side of the Internet link?
- Are there open ports for special programs?
You might also find the following sites helpful in making your decision:
– Home Network Security)
for DMZ servers)
forwarding examples)
PIX firewall)
of ports, NAT and port forwarding)
help and definitions)
FAQ)
Feedback
Were you able to determine the aspects of your Internet security provision at home or work? There are many answers to the creation of Internet security. Perhaps you have one or parts of several of the following solutions:
- MS Windows system on a dial-up connection with a software firewall
- Internet connection sharing (ICS) through a dial-up connection with firewalls on every system
- broadband connection with a router with NAT enabled
- broadband modem connected to one system with a software firewall and ICS running
- broadband connection with NAT router and firewall device routed through a server providing DNS and anti-virus checking of the network traffic.
Activity 2 – Access ISP security information
Check for information about the security arrangements provided by your ISP. Look for FAQs, information pages, connection details and similar pages in order to find out what security measures are in place at the ISP premises that could potentially affect you or your client.
- What does your ISP do for you?
- Do they provide virus scanning of emails?
- Are any ports blocked at their premises such as port 25 or others? Do they explain why they have done this?
- Do they provide static IP addresses?
Feedback
Were you able to find the information? Some ISPs don’t advertise the fact that they block anything. You can determine if your ISP blocks port 25 by running the Telnet program and trying to connect to another ISP’s email server using port 25. For example in Windows you would do the following:
- click on Start - Run, then type cmd into the command area and click OK (or command on Windows 95, 98 or ME)
- in the command window type telnet mail.dodo.com.au 25 and press Enter.
An unsuccessful connection will time out and show something like the following: