Network Security by Half-Wittedness

How to base your network security on misinformation, overreaction, nervousness and lawyers

Security cautiousness is a good thing, in the vast and wild cyberspace. A lot of networks don't even have somebody who cares. But there are some sites which are security cautious, and there are different kinds of these: Those who care, and those who fear.

Fear and Loathing in Cyberspace

There are a lot of companies out there who fear they could be attacked by some misfit and in turn create policies, buy firewalls and try to detect any behaviour which could be interpreted as attack. Particularly a lot of those companies are in the consulting or even network security business. And some of them quite internationally renowned. As soon some possible sign of an attack is detected, hell breaks loose: sysadmins of the originating site of the possible attack are emailed, upstream providers informed, the CERT gets an email, even the police might be called or a lawyer to write threatening letters. In the end it probably turns out to be some user who tried to test it's newest movie-streaming software. Or the sysadmin of the ISP did a portscan "to see what that machine does". Maybe it even was intended maliciously, but it came from somewhere in China. What had happened was in any case something with no importance and no actual impact which is now turned into a great spectacle.

A very nice case is the one of the Israeli "security" company COMSEC versus IOS++, the Internet Operating Systems Counter. With great incompetence COMSEC interpreted some weird packets which reached their webservers as attack, didn't even bother to contact IOS++ but informed the press instead which promptly took up a story about widespread attacks against the isreali part of the internet.

Another typical case is people who want their DNS Zone transfers blocked. Why would one want that when you just can do a zone transfer of in.addr-arpa and get the whole thing anyway? This is typical for wrong understood network security. It's called security by obscurity, one tries to hide something, and it never works. There are certainly things outsiders ought not know, but certainly not which hosts you've got on your external network. If you've got no internal (private) and external (for the public) network, you'll be probably in trouble anyway...

Of course, this is not the only case, I had at least three cases of overreaction last year (one involving a user trying to stream some movies and two portscans), and one demand of restriction of zone-transfers from a big international consulting company which really should know better.

What we have here is security cautiousness backed by a half-witted knowledge about network security. People who know nothing about network security don't fear a security breach, neither do people which really know what network security is all about. It's those who know a bit, but not enough, who fear and cry.

Why should a sysadmin start crying about some possible attack which failed anyway, because the sysadmin keeps his systems updated and knows that some 13 year-old script-kiddie will fail against his walls anyway?

How-NotTo

Essentially, there are two forms of misbehavior when it comes to security (not counting the case of being NOT security cautious):

In the first case, we've got the idea of being secure just because the enemy does not know you are not. Or where you are located. The effect is badly designed programs which appear secure just because nobody should be able to proof they're not; IP-adresses which do not resolve but which can be found by broadband-scanning anyway; crypto-software which can cracked in seconds, and so on. A strong lock is one where you can see how it works but are still unable to break it. The international crypto-community has condemned obscurity long ago, see the Snake Oil FAQ for details.

The second case is a bit more difficult to grasp. Is a portscan or weird packets an attack or not? You can simply ignore it if you're confident enough of your security, or you can investigate, meaning taking a look at the originating host, portscan it yourself, query whois-databases and finally sending the sysadmin of the originating host a note. There are a lot of sysadmins out there who portscan without any intention of attacking you. And a sysadmin of a system into which was broken in will be very glad if you tell him some portscan originated at his site. The wrong answer is of course to panick and make a big fuss about it. If you detect a portscan, chances are low the portscanning person will ever break in, because you already updated your system -- otherwise you'd be a complete moron. On the other hand, if you've been already broken in, you can investigate and collect evidence that there actually was a break-in -- then it's time to make a fuss. So it either has nothing to say, or it's a failed attempt, in which case you'd better update your system, or the breakin already occurred.

There are also several projects like the Internet Security Auditing Project, or the above mentionned IOS++ which might appear as "attackers", but surely don't have the intention to break into your systems. So you better get informed before you start crying out loud.

So if you detect something which could be a failed attack, what you should do is to simply inform the sysadmin of the originating host (the sysadmin of the provider, if it originated from a dialup-machine, or the sysadmin of the company. You should be smart enough to know who you should contact, otherwise you'd better stay away from network security altogether). In the case of an actual break-in, the most stupid thing you can do is also panicking. If you don't feel experienced enough to handle the incident, you probably get help at your internet provider or from a specialized company. In the other case, you'll have to investigate what the attacker did, and most important, where it came from. Then you mail the sysadmins of the originating hosts -- chances are it was a dialup-machine (so mail or call up the ISP) or another compromised system, so be polite and don't threaten him with legal action or somesuch. Normally they'll be very glad to hear one of their machines was compromised (actually they're not glad to hear that, but glad that you tell them ;))

Prevention

So what do security cautious people do who actually know what they're doing? Simple. Updating. First, all security-relevant mailinglist need to be read, and as soon as some vulnerability is found, the systems need to be fixed. Either there is already a fix, then it needs to be applied, or the services need to be replaced or turned off until a fix comes. Sometimes even the whole system needs to be either shut down or replaced, unless you want to risk it; particularly the case with Windows NT since Microsoft normally needs weeks to fix something. Another possibility is of course to firewall such systems/services off.

And if someone seems portscan or to probe the network for vulnerabilities or somesuch? Don't panic. The Walls are strong enough to whitstand a script-kidde attack. Probably send an email to the attacker or its sysadmin. It will either be harmless or a real attacker who will go away and seek something easier to penetrate; probably after he gets a new ISP. ;)

Peter Keel, August 16, 1999