Archive for January, 2008


Network Sizes

January 30, 2008

Local Area Network (LAN): A LAN is a single network, confined to one building or area of a building. There may be links to other locations at the same site, but these will be localized.

Campus Area Network (CAN): CAN is a fairly new term, used to describe a group of interconnected LANs within a small geographical area, such as a school campus, university, hospital or military base.

Metropolitan Area Network (MAN): The term MAN is usually applied to networks that have a sociopolitical boundary, such as a network of district authority offices in a town or city. Sites on a MAN are usually interconnected using fiber optic cable or some other high-speed digital circuit (rather than standard phone lines, for example), and the MAN itself may well carry voice as well as data traffic.

Wide Area Network (WAN): A WAN is two or more interconnected LANs spread over a large geographic area, even on different continents. The Internet is the largest WAN in existence.

Global Area Network (GAN): A GAN is a single network with connection points spread around the world. GANs are used mostly by large corporate organizations and consist of a series of networked, orbiting satellites.

Solar System Area Network (SSAN): An SSAN is a series of interconnected GANs connecting all the habitable planets and planetoids in a single solar system. Well, I’m sure we’ll see one someday!


Logic Bombs

January 21, 2008

A Logic Bomb is a type of malicious program that, although it can be running on a system for a long time, won’t activate until a specific trigger, such as a specific date or the number of times a program is started, is set off. Logic bombs can be highly destructive, depending on the payload. The damage done by a logic bomb can range from changing bytes of data on your disk to rendering your entire hard drive unreadable.


RAID

January 21, 2008

The many different techniques for using multiple drives for data protection and increasing speeds were organized by a couple of sharp guys at the University of California at Berkeley in 1987. This organization was presented under the name RAID (Redundant Array of Independent Disks). RAID is designed to improve the fault tolerance and performance of computer storage systems.

Initially, RAID was conceived to simply enable all the individual drives in the array to work together as a single, larger drive with the combined storage space of all the individual drives added up.

An organization called the RAID Advisory Board (RAB) was formed in July 1992 to standardize, classify and educate on the subject of RAID. The RAB has developed specifications for RAID, a conformance program for the various RAID levels, and a classification program for RAID hardware.

Currently, seven standard RAID levels are defined by the RAID Advisory Board, called RAID 0-6. RAID typically is implemented by a RAID controller board, although software-only implementations are possible (but not recommended). The levels are as follows:

RAID Level 0 – Striping. File data is written simultaneously to multiple drives in the array, which act as a single, larger drive. Requires a minimum of two drives to implement.

RAID Level 1 – Mirroring. Data written to one drive is duplicated on another, providing excellent fault tolerance (if one drive fails, the other is used and no data is lost), but no real increase in performance as compared to a single drive. Requires a minimum of two drives to implement (same capacity as one drive).

RAID Level 2 – Bit-Level ECC. Data is split one bit at a time across multiple drives, and error correction codes (ECCs) are written to other drives. Provides high data rates with good fault tolerance, but a large number of drives is required.

RAID Level 3 – Striped with Parity. Combines RAID Level 0 striping with an additional drive used for parity information. This RAID level is really an adaptation of RAID Level 0 that sacrifices some capacity for the same number of drives. It also achieves a high level of data integrity or fault tolerance because data usually can be rebuilt if one drive fails. Requires a minimum of three drives to implement (two or more for data, one for parity).

RAID Level 4 – Blocked Data with Parity. Similar to RAID 3, except data is written in larger blocks to the independent drives, offering faster read performance with larger files. Requires a minimum of three drives to implement (two or more for data, one for parity).

RAID Level 5 – Blocked Data with Distributed Parity. Similar to RAID 4, but offers improved performance by distributing the parity stripes over a series of hard drives. Requires a minimum of three drives to implement (two or more for data, one for parity).

RAID Level 6 – Blocked Data with Double Distributed Parity. Similar to RAID 5, except parity information is written twice using two different parity schemes to provide even better fault tolerance in case of multiple drive failures. Requires a minimum of four drives to implement (two or more for data, two for parity).

Additional RAID levels exist that are not supported by the RAID Advisory Board but which are instead custom implementations by specific companies. Note that a higher number doesn’t necessarily mean increased performance or fault tolerance; the numbered order of RAID level was entirely arbitrary.
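The parity rebuild behind RAID Levels 3 through 5 can be shown in a few lines. This is an added sketch, not code from the original post: it models drives as Python lists, uses XOR parity with a rotating parity position (the RAID 5 layout), and the 4-byte block size and sample data are assumptions chosen for readability.

```python
from functools import reduce

BLOCK = 4  # bytes per block; kept tiny so the layout is easy to inspect (assumed value)

def xor_blocks(blocks):
    """XOR equal-length byte blocks together; this is the parity operation."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def write_raid5(data, n_drives):
    """Stripe data over n_drives, moving the parity block to a new drive each stripe."""
    if n_drives < 3:
        raise ValueError("RAID 5 needs at least three drives")
    per_stripe = BLOCK * (n_drives - 1)
    data = data.ljust(-(-len(data) // per_stripe) * per_stripe, b"\0")  # pad last stripe
    drives = [[] for _ in range(n_drives)]
    for s in range(len(data) // per_stripe):
        chunk = data[s * per_stripe:(s + 1) * per_stripe]
        blocks = [chunk[i:i + BLOCK] for i in range(0, per_stripe, BLOCK)]
        parity_drive = (n_drives - 1 - s) % n_drives
        blocks.insert(parity_drive, xor_blocks(blocks))
        for d in range(n_drives):
            drives[d].append(blocks[d])
    return drives

def rebuild(drives, failed):
    """Recompute every block of one failed drive by XORing the surviving drives."""
    survivors = [d for i, d in enumerate(drives) if i != failed]
    return [xor_blocks(stripe) for stripe in zip(*survivors)]

def read_raid5(drives, length):
    """Reassemble the original data, skipping the parity block in each stripe."""
    n = len(drives)
    out = bytearray()
    for s in range(len(drives[0])):
        parity_drive = (n - 1 - s) % n
        for d in range(n):
            if d != parity_drive:
                out += drives[d][s]
    return bytes(out[:length])

def demo():
    payload = b"payroll-2008-01.csv contents"  # constructed sample data
    drives = write_raid5(payload, 4)
    lost = drives[2]
    drives[2] = None                 # simulate a single drive failure
    drives[2] = rebuild(drives, 2)   # replacement drive filled from the survivors
    return drives[2] == lost and read_raid5(drives, len(payload)) == payload

if __name__ == "__main__":
    print("rebuild succeeded:", demo())
```

The rebuild works for any one drive because the XOR of all blocks in a stripe is zero; with two drives missing from a stripe there is not enough information left, which is the gap RAID Level 6's second parity scheme fills.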


Proxy Servers

January 9, 2008

A proxy server, also known as an application gateway, provides protection for your network at the application layer. Although packet filters make decisions based on the header information in a packet, they do not understand the application protocols, such as FTP or HTTP. Because of this, it’s relatively easy for a hacker to exploit known problems with application protocols, and problems can ensue if the packet filter allows the packet to enter the network.

A proxy server provides this application-layer protection by managing connections to and from the outside world. A proxy server acts as a “man in the middle” by accepting requests for an application from your users and making that request for them. A proxy server never allows a packet to pass through the firewall; instead, a proxy server follows these steps:

1. Receives an outgoing request from one of your users. It creates a new packet and substitutes the proxy server’s own address as the source address, replacing the user’s actual source address.
2. The proxy server sends this new packet out onto the Internet on behalf of the user.
3. When a response is received from the Internet server, the proxy server examines the packet to determine whether the data contained in the packet is appropriate for the particular application. If so, it creates a new packet, inserts the data, and places the Internet server’s address in the source address field. The packet then is sent back to the original user.
4. The user receives the packet and assumes that it’s actually communicating directly with the Internet server – after all, it has the correct addressing information in the header.
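The four steps above can be traced in a small simulation. This is an added example, not code from the original post: `Packet` and `HttpGateway` are hypothetical names, the port numbers used to match replies to sessions are an assumption beyond the address substitution the steps describe, and all addresses are constructed.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

# The only application protocol this gateway relays: an HTTP/1.x status line.
HTTP_STATUS = re.compile(rb"HTTP/1\.[01] [1-5]\d\d [^\r\n]*\r\n")

class HttpGateway:
    def __init__(self, address):
        self.address = address
        self.sessions = {}      # proxy port -> (client, client port, server, server port)
        self.next_port = 40000  # arbitrary starting port for the sketch
        self.log = []           # the logging role the post mentions

    def outbound(self, pkt):
        """Steps 1-2: send a new packet whose source address is the proxy's own."""
        port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[port] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        self.log.append(("forward", pkt.src, pkt.dst))
        return Packet(self.address, port, pkt.dst, pkt.dport, pkt.payload)

    def inbound(self, pkt):
        """Steps 3-4: relay a reply only if it fits a session and the protocol."""
        session = self.sessions.get(pkt.dport) if pkt.dst == self.address else None
        if session is None or (pkt.src, pkt.sport) != session[2:]:
            self.log.append(("drop-no-session", pkt.src, pkt.dst))
            return None
        if not HTTP_STATUS.match(pkt.payload):
            self.log.append(("drop-not-http", pkt.src, pkt.dst))
            return None
        client, cport, server, sport = session
        self.log.append(("relay", server, client))
        # New packet: the server's address goes in the source field for the user.
        return Packet(server, sport, client, cport, pkt.payload)

def demo():
    gw = HttpGateway("203.0.113.1")  # constructed addresses throughout
    request = Packet("10.0.0.23", 51515, "198.51.100.80", 80, b"GET / HTTP/1.1\r\n\r\n")
    sent = gw.outbound(request)
    good = Packet("198.51.100.80", 80, sent.src, sent.sport, b"HTTP/1.1 200 OK\r\n\r\n")
    junk = Packet("198.51.100.80", 80, sent.src, sent.sport, b"\x00\x01not-http")
    stray = Packet("192.0.2.66", 80, sent.src, sent.sport, b"HTTP/1.1 200 OK\r\n\r\n")
    return sent, gw.inbound(good), gw.inbound(junk), gw.inbound(stray), gw.log

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The Internet server only ever sees the gateway's address, and the two dropped replies (wrong protocol, wrong peer) show the difference from a packet filter that would pass anything addressed to an open port.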

Proxy servers also can be used to provide authentication, logging, content filtering, and other security measures. There are two kinds of proxy servers: classical proxy servers and transparent proxy servers.

A Classical Proxy Server can be used with any application. The user needs to take a few extra steps to use the proxy server because the application itself was not written to understand the proxy process. A classical proxy server works in the following manner:

1. A client executes a command, such as the Telnet command, to connect to the proxy server.
2. The proxy server receives this request and sends a packet back to the user, prompting for authentication information, such as a username and password.
3. The user interacts with this man-in-the-middle by entering the required information.
4. If the proxy server has been configured to allow this user to make use of the service, it prompts the user to enter the target system for the service.
5. The proxy server proceeds to create a packet containing the Telnet request, and sends it out onto the Internet. The Internet server sends back a packet requesting a password (if required) for the service.
6. The proxy server prompts the user to enter the password and passes it back to the Internet server. If the authentication succeeds, the proxy server begins operating as described earlier, by intercepting packets to and from the Internet server, substituting its own address for the user’s address when sending packets to the Internet server, and substituting the Internet server’s address for packets returned to the client.

A Transparent Proxy Server works a little differently. In this case, the application is modified so that it understands that a proxy server is being used. For this to work, you must tell the application the address of the proxy server for each service you want to use.


Setting Up A New Address List (Exchange Server 2003)

January 6, 2008

Ok, decided to toss in here a little bit of Exchange Server 2003. Specifically, how to set up a new address list:

1. Open System Manager and select the Recipients node in the console tree (left pane).
2. Expand the Recipients object by clicking the plus sign; then right-click the All Address Lists node, point to New, and select Address List.
3. Type a name that describes the list you’re creating (for example, Company Email Addresses).
4. Click Filter Rules to select list membership criteria. On the General tab, click the check boxes for the users, groups, public folders or contacts that should be displayed in the list. Clear the check boxes for unwanted items.
5. Click the Advanced tab, click Field, and then click one of the following attributes that you want to use for your address book filter: User, Contact, Group, or Public Folder.
6. Under the Condition label, select a condition that fits the type of information to search on. Next, click Add to complete the process.
7. After you finish adding conditions, click Find Now. Double-check that the list contains the correct users, then click OK.

The newly-created address list is displayed in Exchange System Manager. To confirm the address lists are configured properly and are available for users the next time they start Outlook, simply:

1. Log onto a workstation as a user and start Outlook.
2. Click New, click Mail Message and click To.
3. Click the down arrow in the Show Names From box and confirm the new address book is displayed under All Address Lists.

Administrators will often want to edit information in the address lists. The properties of the default address lists cannot be edited, but the properties of lists created by admins can be. To modify a list’s properties, simply:

1. Open Exchange System Manager and select the Recipients node in the console tree (left pane). Expand the Recipients node by clicking the plus sign and then clicking the plus sign next to the All Address Lists node.
2. Right-click and select Properties of the address list to modify. Click Modify to create a new filter for the address list.
3. On the General tab, select the appropriate users, groups or contacts to be displayed in the recipients list. Use the Advanced tab to set address list limiting criteria.
4. After all filters are set for the list, click OK and then click Finish. This will make the list available the next time users start Outlook.


Server Types

January 6, 2008

I apologize for not having sufficient time to post something new, but here we go:

Web Servers
These servers accept HTTP requests from client Web browsers and send back the requested information to the client. Web servers are the most common type of server on the Internet and, as a result, they’re the most often attacked. Most of these attacks take advantage of vulnerabilities in the Web server. These exploits include malformed requests, buffer overflows, worms, and DoS attacks.

Malformed Request – This is a request that contains some type or sequence of information that causes a Web server to malfunction. This is caused by bugs in the Web server software that cause certain input coming from a Web browser to have an adverse effect on the system.

Buffer Overflow – This type of attack is caused by sending a parameter that is outside the boundary of the system’s program. Its data buffer can overflow with information, causing it to crash or even provide administrative access to the entire system.

Worms – These are malicious code transmitted through normal HTTP communications. The Website can be infected by the worm from an infected client. The worm tries to replicate itself to other servers and clients by scanning the Internet for servers using the HTTP service port 80. Clients become infected with the worm by simply connecting to the infected Web server.

DoS – Denial of Service attacks are used to prevent other users from accessing a Website. This is accomplished by flooding the Web server with ‘bogus’ requests, so it’s unable to process legitimate ones. These attacks can come from one system or a coordinated attack of infected systems (called a Botnet) over the Internet.

E-Mail Servers
An e-mail server can be a server that stores messages and enables users to send and retrieve mail. An e-mail server can also act as a Message Transfer Agent (MTA), whose sole purpose is to relay mail from one site to another. Security for these servers is of great concern, due to e-mail being the most common target for attack by viruses and worms. Protocols used by e-mail servers include Post Office Protocol 3 (POP3) and Internet Message Access Protocol (IMAP). Both of these protocols use authentication (such as requiring a username and password before allowing a user to access an inbox). For sending e-mail, the standard protocol is Simple Mail Transfer Protocol (SMTP). An SMTP server forwards e-mail from a client to its proper destination.

FTP Servers
An FTP server is used to transfer files from one system to another over the Internet. A server hosting files will be running an FTP server service, which awaits file transfer requests from clients using FTP client software. Many FTP servers found on the Internet are public, and allow anonymous users to log in and download or upload files. This can be dangerous, as some files are embedded with virus or worm code which is transferred to client systems and then executed once the file is opened. Another problem with FTP servers is they’re usually installed by default with some type of anonymous account, which enables users to access the server without having to authenticate themselves.

DNS Servers
Domain Name Service (DNS) servers provide a way to translate Internet domain names into IP addresses. This allows network applications and services to refer to Internet Domains by the Fully Qualified Domain Name (FQDN) rather than by their IP address, which can be tough to remember, and often changes. Most client machines use DNS each time they connect to a network host.

NNTP Servers
Network News Transfer Protocol (NNTP) servers are used to retrieve and send Usenet newsgroups and news articles. To protect your system, NNTP servers should be set up so users who need to read or send news using the server must authenticate with a login and password. NNTP servers suffer from the same vulnerabilities that plague other Internet servers, such as Web or FTP servers.

File and Print Servers
These servers form the base for the majority of your users’ daily operations. File servers are used to store the user’s data, including personal work files, and departmental or company-wide information. Print servers are used to administer print services and print queues, where users’ print jobs are organized and sent to the appropriate printer. Security concerns with file and print servers center around authentication and access permissions. Most file servers have their directories set up as a hierarchy, typically split between user and departmental or group directories. Most printers are set up so anyone can direct print jobs to them, but for departments with access to confidential or sensitive information (such as Human Resources), the printer should have its access permissions set so that only HR can print from it.

DHCP Servers
Dynamic Host Control Protocol (DHCP) servers are used to allocate IP addresses and other network information, such as DNS and Windows Internet Naming System (WINS) information, automatically to clients as they access the network. DHCP servers take the place of having to configure each client individually on the network with specific information. This greatly reduces the administrative overhead that comes with static manual addressing, where, if something changes on the network, such as the address of a DNS server, you have to change the information manually for each client. The main vulnerability with DHCP servers is that no authentication mechanism exists to allow or disallow clients. Any client system that accesses the network and is configured for DHCP will be allocated network information so it is able to communicate with the network. This means any unauthorized machine configured for DHCP can access the network, giving it the ability to perform a Denial of Service attack.

Directory Services
Directory Services are a repository of information regarding the users and resources of a network. Directory Services software applications and protocols are often left open and unprotected because the information they contain sometimes isn’t considered important, compared to file servers or database server information. Depending on the level of information Directory Services provide, they can be an excellent resource for the unauthorized user to gain knowledge of the network and the resources and user accounts contained within. A simple Lightweight Directory Access Protocol (LDAP) database that contains usernames, e-mail addresses, phone numbers and locations of users can be a valuable resource for the unauthorized user. Other types of directory services, such as Novell Directory Services or Microsoft Active Directory, can contain more critical network and user information such as network addresses, user account logins and passwords, and access information for servers.

Database Servers
A database server typically contains transactional types of data used as a back-end repository of information for front-end applications and Web services. The most popular forms of database software are Oracle, Microsoft SQL, and MySQL. The front-end applications that access the database usually send their command as a set of procedures for the database to run on the data and to return the required result. A hacker can easily insert their own code into these procedures to run some query on the database that can reveal or damage confidential data. This is similar to buffer overflow and invalid data type attacks that are done from a Web browser, by passing certain parameters of input that transcend the boundaries of the software’s threshold.
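The difference between a front end that lets input become part of the command and one that does not is easiest to see side by side. This is an added example, not code from the original post: it uses Python's built-in `sqlite3` module as a stand-in back end, and the table, rows, function names and input strings are all constructed for illustration.

```python
import sqlite3

HOSTILE = "bob' OR '1'='1"  # constructed input: closes the quote and adds a clause

def make_db():
    """In-memory back-end database holding constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", 1200), ("bob", 75), ("carol", 310), ("o'brien", 40)])
    return db

def lookup_concatenated(db, owner):
    """Weak form: user input is pasted into the statement text itself."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, owner):
    """Hardened form: the statement is fixed and the input travels as a bound value."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return db.execute(sql, (owner,)).fetchall()

def run(lookup, db, owner):
    """Return the rows, or the name of the database error the lookup raised."""
    try:
        return lookup(db, owner)
    except sqlite3.Error as exc:
        return type(exc).__name__

if __name__ == "__main__":
    db = make_db()
    for value in ("bob", HOSTILE, "o'brien"):
        print(repr(value))
        print("  concatenated :", run(lookup_concatenated, db, value))
        print("  parameterized:", run(lookup_parameterized, db, value))
```

With the concatenated form the hostile value returns every row and a legitimate name containing an apostrophe raises a syntax error; with the parameterized form both are treated as plain data.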