Computer Security Software
Virus Scanners-
A virus scanner is essentially software that tries to prevent a virus from infecting your system. In general, virus scanners work in two ways: signature matching, described here, and heuristic analysis, described in the next section. For signature matching, the scanner carries a list of virus definitions: records that describe each known virus by its size, properties, behavior and, most importantly, a hash of the file or a characteristic sequence of bytes from its code. One of the services that vendors of virus scanners provide is a periodic update of this list. It is typically distributed as a small file, often called a .dat file (short for data). When you update your virus definitions, what actually occurs is that your current file is replaced by the more recent one from the vendor's website. The antivirus program can then scan your PC, network, and incoming email for known virus files: any file on your PC or attached to an email is compared to the virus definition file to see whether there are any matches. With emails, the scanner can also look at subject lines and message content, because known worms often use specific phrases in the subject line and body of the messages they are attached to. Yet viruses and worms can use a multitude of subject lines, some of which are very common, such as "re: hello" or "re: thanks", so matching on subject lines alone would result in many false positives.
Therefore, the virus scanner also looks at the attachment itself to see whether its size and creation date match a known virus or, far more reliably, whether it contains known viral code. File size, creation date, and location are at best weak indicators, since a benign file can share all three with a virus and a trivially modified virus changes them; the telltale sign of a known virus is its content matching a definition.
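The following Python script is an added illustration of the signature matching just described; it is not code from the original text or from any vendor's product. It scans a file's bytes against a small definition list by whole-file hash and by byte pattern, then shows why the weaker signals (subject line, size and date) are only hints. The definition list, the worm name and pattern, the subject lines and the sample files are all made up for this example; only the EICAR string is real, being the industry-standard harmless test file that every scanner detects.

```python
import hashlib
import re

# Real, harmless test string that all scanners recognise; safe to embed here.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed stand-in for the vendor's .dat file: each definition identifies a
# virus either by a SHA-256 of the whole file or by a byte pattern from its code.
DEFINITIONS = [
    {"name": "EICAR-Test-File",
     "sha256": hashlib.sha256(EICAR).hexdigest(), "pattern": None},
    {"name": "Example.Worm.Hello",          # hypothetical mass-mailing worm
     "sha256": None,
     "pattern": re.compile(rb"MAILTO_ALL_CONTACTS\x00.{0,16}?drop_payload", re.S)},
]

# Subject lines the hypothetical worm is known to use. Ordinary replies use them
# too, which is why a subject line can only ever be a weak signal.
KNOWN_WORM_SUBJECTS = {"re: hello", "re: thanks"}


def scan_bytes(data: bytes) -> list[str]:
    """Content scan: return the names of every definition the data matches."""
    digest = hashlib.sha256(data).hexdigest()
    hits = []
    for d in DEFINITIONS:
        if d["sha256"] == digest:
            hits.append(d["name"])            # exact copy of a known sample
        elif d["pattern"] is not None and d["pattern"].search(data):
            hits.append(d["name"])            # known viral code inside the file
    return hits


def scan_message(subject: str, attachment: bytes) -> str:
    """Combine the weak signal (subject line) with the strong one (content)."""
    hits = scan_bytes(attachment)
    if hits:
        return "infected: " + ", ".join(hits)
    if subject.strip().lower() in KNOWN_WORM_SUBJECTS:
        return "suspicious subject only"      # not enough on its own to quarantine
    return "clean"


# Constructed sample files; none is a real program.
WORM = (b"MZ" + b"\x00" * 10
        + b"MAILTO_ALL_CONTACTS\x00\x90\x90\x90drop_payload" + b"\x00" * 21)
WORM_VARIANT = WORM.replace(b"\x90\x90\x90", b"\x90")   # byte-level tweak to the sample
BENIGN = b"Quarterly figures attached.".ljust(len(WORM), b" ")

# Size plus creation date of the known sample, recorded as a (bad) signature.
KNOWN_SAMPLE_META = {"size": len(WORM), "created": "2021-03-01"}


def scan_by_metadata(size: int, created: str) -> bool:
    """The weak approach: match on size and date alone."""
    return size == KNOWN_SAMPLE_META["size"] and created == KNOWN_SAMPLE_META["created"]


if __name__ == "__main__":
    print(scan_bytes(EICAR))                              # ['EICAR-Test-File']
    print(scan_bytes(EICAR + b"\n"))                      # []  one extra byte defeats a hash
    print(scan_bytes(WORM_VARIANT))                       # ['Example.Worm.Hello']  pattern still matches
    print(scan_by_metadata(len(BENIGN), "2021-03-01"))    # True: a false positive
    print(scan_message("re: hello", BENIGN))              # suspicious subject only
```

Two points are worth noticing when running it: a whole-file hash misses the EICAR file as soon as a single byte is appended, while the byte pattern still catches the modified worm; and the benign file, which happens to share the worm's size and date, is flagged by metadata alone but passes the content scan.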
Virus-Scanning Techniques-
In general, there are five ways a virus scanner might scan for virus infections. Some of these were
mentioned in the previous section, but they are outlined and defined below:
■ Email and attachment scanning: Since email has long been one of the primary propagation
methods for viruses and worms, email and attachment scanning is one of the most important
functions of any virus scanner. Some virus scanners examine your email on the email server
before it is downloaded to your machine. Others scan your emails and attachments on your
computer before passing them to your email program. In either case, the email and its
attachments should be scanned before you have any chance to open them and release the virus
on your system.
■ Download scanning: Anytime you download anything from the Internet, either via a Web link
or through some FTP program, there is a chance you might download an infected file.
Download scanning works much like email and attachment scanning, but does so on files you
select for downloading.
■ File scanning: This is the type of scanning in which files on your system are checked to see
whether they match any known virus. This sort of scanning is generally done on an on-demand
basis instead of an ongoing basis. It is a good idea to schedule your virus scanner to do a
complete scan of the system periodically. I personally recommend a weekly scan, preferably at
a time when no one is likely to be using the computer.
■ Heuristic scanning: This is perhaps the most advanced form of virus scanning. This sort of
scanning uses rules to determine whether a file or program is behaving like a virus and is one of
the best ways to find a virus that is not a known virus. A new virus will not be on any virus
definition list, so you must examine its behavior to determine whether it is a virus. However,
this process is not foolproof. Some actual virus infections will be missed, and some nonvirus
files might be suspected of being a virus.
■ Sandbox: Another approach is the sandbox approach. This basically means that you have a
separate area, isolated from the operating system, in which a download or attachment is run.
Then if it is infected, it won’t infect the operating system.
One way to accomplish this is for the operating system or the scanner to run the suspect file in
an isolated environment with restricted access to the file system, registry, and network, and
to monitor its behavior there. This is not 100% effective, since some malware recognizes that it
is being run in a sandbox and stays dormant, but it is far safer than simply opening files on your
system and hoping there is no infection.
A related concept is called a “sheep dip” machine. This is useful in corporate networks. You set
up a system that is identical in configuration to your standard workstations. However, this sheep
dip machine is not networked. Suspect files are opened first on this system. Then the system is
monitored for a period of time for signs of infection. Once the file has cleared this check, it can
then be opened on normal workstations.
A simple way to do this in a home or small office is to set up a virtual machine on your
computer and to open suspected attachments or downloads in the virtual machine first. If they
are okay, then open them on your main system.
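The following Python script is an added illustration of heuristic scanning as described above, not code from the original text or from any scanner. It scores a file on a handful of behavioral indicators (autostart registry key, process injection, mail-sending strings) plus a byte-entropy test for packed executables, and flags the file once the score crosses a threshold. The indicators, weights, thresholds and sample files are all constructed for the example; real engines use hundreds of indicators plus emulation. The samples are chosen to show all three outcomes the text warns about: a new worm that no definition file would list is caught, a harmless debugging tool that installs itself at logon is wrongly flagged (a false positive), and a packed sample scores too low to be flagged (a false negative).

```python
import math
import random
import re

# Constructed heuristic rules: (byte pattern, weight, what it suggests).
INDICATORS = [
    (rb"CurrentVersion\\Run", 3, "writes an autostart registry key"),
    (rb"CreateRemoteThread", 3, "injects code into another process"),
    (rb"WriteProcessMemory", 2, "modifies another process's memory"),
    (rb"MAPI|SMTP|mailto:", 2, "contains mail-sending logic"),
]
FLAG_THRESHOLD = 6       # score at or above this: treat as malicious
SUSPECT_THRESHOLD = 3    # score at or above this: suspicious, review further


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 means packed or encrypted, common in malware."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def heuristic_score(data: bytes):
    """Sum the weights of every indicator present; return (score, reasons)."""
    score, reasons = 0, []
    for pattern, weight, reason in INDICATORS:
        if re.search(pattern, data):
            score += weight
            reasons.append(reason)
    # Executable (MZ header) whose body is nearly random: probably packed.
    if data.startswith(b"MZ") and shannon_entropy(data[64:]) > 7.2:
        score += 3
        reasons.append("packed or encrypted executable body")
    return score, reasons


def classify(data: bytes):
    """Return (verdict, score, reasons) for one file's contents."""
    score, reasons = heuristic_score(data)
    if score >= FLAG_THRESHOLD:
        verdict = "malicious"
    elif score >= SUSPECT_THRESHOLD:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, score, reasons


# Constructed samples; none is a real program.
NEW_WORM = (b"MZ" + b"\x00" * 62 + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run"
            b"\x00CreateRemoteThread\x00mailto:")            # unknown to any .dat file
DEBUGGER = (b"MZ" + b"\x00" * 62 + b"CreateRemoteThread\x00WriteProcessMemory"
            b"\x00CurrentVersion\\Run")                      # legitimate tool, starts at logon
PACKED = b"MZ" + b"\x00" * 62 + random.Random(7).randbytes(4096)   # packed body, no strings
TEXT_FILE = b"Dear all, thanks for the report. See you Monday."

if __name__ == "__main__":
    for name, sample in [("new worm", NEW_WORM), ("debugger", DEBUGGER),
                         ("packed", PACKED), ("text", TEXT_FILE)]:
        print(name, classify(sample))
```

The debugger and the worm receive the same score, which is exactly the trade-off the text describes: the rules that make heuristics catch unknown viruses are the rules that misfire on legitimate software that behaves similarly, and a sample that hides its strings through packing drops below the threshold.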
Firewalls-
A firewall is, in essence, a barrier between your network and the outside world. At a minimum, it will filter incoming packets based on certain parameters such as packet size, source IP address, protocol, and destination port. Linux and Windows (beginning with Windows XP and in all subsequent Windows versions) ship with a simple firewall. For Windows, the built-in firewall was expanded beginning with Windows Vista to filter both inbound and outbound traffic.
In an organizational setting, you will want a dedicated firewall between your network and the outside
world. This might be a router that also has built-in firewall capabilities. (Cisco Systems is one company that is well known for high-quality routers and firewalls.) Or, it might be a server that is dedicated solely to running firewall software. Selecting a firewall, however, is an important decision. If you lack the expertise to make that decision, then you should arrange for a consultant to assist you in this respect.
Benefits and Limitations of Firewalls
A firewall, no matter what type you get (types are described in the next section), is basically a tool to
block certain traffic. A set of rules determines what traffic to allow in and what traffic to block. Obviously, a firewall is a critical piece of your security strategy. I cannot even conceive of any reason to run any system without one. However, it is not a panacea for security. It cannot block every attack. For example, a firewall will not stop you from downloading a Trojan horse over a connection it permits, and it cannot stop attacks that originate inside the network. But a firewall can blunt many denial of service attacks (for instance by limiting the number of half-open connections it accepts from a single source) and can prevent a hacker from scanning the internal details of your network.
Firewall Types and Components
Up to this point, most discussion of firewalls has focused on packet-filtering firewalls. However, there
are several other types of firewalls or components to firewalls that are listed below.
■ Screening firewall
■ Application gateway
■ Circuit-level gateway
The following sections will discuss each of these and assess the advantages and disadvantages of each.
Screening Firewall
Screening firewalls, the most basic type of firewall, are simply another name for packet-filtering firewalls. This type of firewall works on the network and transport layer headers of the OSI model (see Chapter 2, "Networks and the Internet"). It simply examines incoming packets and either allows or denies them entrance based on a set of rules that were put into its configuration. They can filter packets based on packet size, protocol type used, destination IP address, source IP address, destination port, source port, and so forth. For
example, a packet filter might deny all traffic to ports 1024 and up, or it might block all incoming TFTP traffic (UDP port 69). You can use incoming and outgoing filters to dictate what information passes into or out of your local network.
Many routers offer this type of firewall option. These firewalls are usually very easy to configure and
quite inexpensive. As mentioned, some operating systems include built-in packet-filtering capabilities.
There are a few disadvantages to the screening/packet-filtering firewall solution. One disadvantage is
that they look only at each packet's headers, not at its payload, and do not relate it to previous packets; therefore, they cannot distinguish a legitimate stream from a ping flood or SYN flood and are quite susceptible to both. They also do not offer any user authentication. Additionally, in many cases, a packet-filtering firewall will be used as a bastion host. A bastion host is a single point of contact between the Internet and a private network. It usually runs only a limited number of services (those that are absolutely essential to the private network) and no others.
Application Gateway
An application gateway (also known as application proxy or application-level proxy) is a program that runs on a firewall. When a client program, such as a Web browser, establishes a connection to a destination service, such as a web server, it connects to an application gateway, or proxy. The client then negotiates with the proxy server in order to gain access to the destination service. In effect, the proxy establishes the connection with the destination behind the firewall and acts on behalf of the client, hiding and protecting individual computers on the network behind the firewall. This process actually creates two connections. There is one connection between the client and the proxy server and another connection between the proxy server and the destination.
Once a connection is established, the application gateway makes all decisions about which packets to
forward. Since all communication is conducted through the proxy server, computers behind the
firewall are protected.
With an application gateway, each supported application protocol requires its own proxy module that understands that protocol and accepts the client's data. This sort of firewall allows for individual user authentication, which makes it quite effective at blocking unwanted traffic. However, a disadvantage is that these firewalls use a lot of system resources and, because the proxy itself terminates every connection, they are themselves susceptible to SYN floods and ping floods.
Circuit-Level Gateway
A circuit-level gateway is similar to an application gateway but works one level lower: it relays a TCP connection but does no additional processing or filtering of the application protocol (Wack, 1995), and it is generally implemented on high-end equipment. In this system, your identity is checked and access is granted before the connection through the gateway is established. This means that you as an individual, either by username or IP address, must be verified before any further communication can take place. Once this verification takes place and the connection between the source and destination is established, the firewall simply passes bytes between the systems. A virtual "circuit" exists between the internal client and the proxy server. Internet requests go through this circuit to the proxy server, and
the proxy server delivers those requests to the Internet after changing the IP address. External users only see the IP address of the proxy server. Responses are then received by the proxy server and sent back through the circuit to the client. While traffic is allowed through, external systems never see the internal systems.
While it hides internal hosts well, this approach may not be appropriate for some public situations, such as e-commerce sites. Because it does not look inside the application protocol, this type of firewall cannot offer features such as URL filtering, and such gateways frequently offer only limited auditing capabilities.
How Firewalls Examine Packets
In addition to how the firewall operates, you can further differentiate firewalls based on how they
examine incoming packets. There are two main approaches to this task, and each is briefly examined
below.
Stateful Packet Inspection
The stateful packet inspection (SPI) firewall will examine each packet, denying or permitting access
based not only on the examination of the current packet, but also on data derived from previous packets in the same conversation. This means that the firewall is aware of the context in which a specific packet was sent: whether it belongs to a connection an internal host opened, whether that connection's handshake ever completed, and how many new connections a given source has requested recently. This makes these firewalls far less susceptible to ping floods and SYN floods, as well as less susceptible to spoofing, because a packet that claims to be part of a conversation the firewall never saw is simply dropped. For example, if the firewall detects that the current packet is an ICMP packet and a stream of several thousand such packets has been continuously coming from the same source IP, it can treat the stream as a denial of service attack and block it.
Many SPI firewalls can also look at the actual contents of the packet (deep packet inspection), which allows for some very advanced filtering capabilities. Most high-end firewalls use the stateful packet inspection method; when possible, this is the recommended type of firewall.
Stateless Packet Inspection
Stateless packet inspection examines each packet in isolation: the filter looks at the packet's headers but not at its contents, which is a significant weakness, and it does not examine the packet within the context of an ongoing TCP conversation. It does not know what the preceding or subsequent packets are doing, and it cannot tell an unsolicited inbound packet from a reply to an internal host, thus making it vulnerable to ping floods, SYN floods, and other denial of service attacks.
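The following Python model is an added illustration, not code from the original text or from any firewall product, and it serves both the screening-firewall discussion above and the stateful versus stateless comparison in this section. It applies the same ordered, first-match rule set two ways: a stateless filter that judges every packet on its headers alone, and a stateful filter that remembers which connections internal hosts opened and how many inbound handshakes each external source has left unanswered. The policy, addresses, ports and the SYN limit of five are all constructed for the example. The demo shows the two results a practitioner cares about: the stateless filter must admit any inbound segment with ACK set so that replies can get back in, which lets an "ACK scan" through to an internal host, and it passes every packet of a SYN flood, while the stateful filter drops the stray ACK and caps the flood.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    direction: str            # "in" or "out", relative to the protected network
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = field(default_factory=frozenset)   # TCP flags, e.g. {"SYN"}

def matches(pkt, crit):
    """True if every criterion holds; a 'flags' criterion means 'this flag is set'."""
    for key, want in crit.items():
        have = getattr(pkt, key)
        if (key == "flags" and want not in have) or (key != "flags" and have != want):
            return False
    return True

def first_match(pkt, rules):
    return next((action for action, crit in rules if matches(pkt, crit)), "deny")

# Constructed policy: one published web server (192.0.2.10:80), internal hosts
# may connect out, everything else is denied. The first matching rule wins.
STATELESS_RULES = [
    ("allow", {"direction": "out"}),
    ("allow", {"direction": "in", "proto": "tcp", "dst": "192.0.2.10", "dport": 80}),
    # A stateless filter has no memory of outbound connections, so the only way
    # to let replies back in is to admit any inbound segment with ACK set.
    ("allow", {"direction": "in", "proto": "tcp", "flags": "ACK"}),
    ("deny", {}),
]
# The stateful policy needs no ACK rule: replies are admitted because the
# firewall remembers the outbound connection they belong to.
STATEFUL_RULES = STATELESS_RULES[:2] + STATELESS_RULES[3:]

def stateless_filter(pkt):
    return first_match(pkt, STATELESS_RULES)

class StatefulFilter:
    def __init__(self, syn_limit=5):
        self.conns = {}                   # conversation key -> "half_open" or "open"
        self.pending = defaultdict(int)   # external source -> unanswered inbound SYNs
        self.syn_limit = syn_limit

    @staticmethod
    def _key(pkt):
        """Same key for both directions of one conversation."""
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def handle(self, pkt):
        key = self._key(pkt)
        syn_only = "SYN" in pkt.flags and "ACK" not in pkt.flags
        if key in self.conns:
            # Final ACK of an inbound handshake: the connection is no longer half open.
            if (self.conns[key] == "half_open" and pkt.direction == "in"
                    and "ACK" in pkt.flags and "SYN" not in pkt.flags):
                self.conns[key] = "open"
                self.pending[pkt.src] -= 1
            return "allow"                # belongs to a tracked conversation
        if pkt.proto == "tcp" and not syn_only:
            return "deny"                 # stray ACK/FIN/RST with no connection: drop it
        if first_match(pkt, STATEFUL_RULES) == "deny":
            return "deny"
        if pkt.direction == "in" and pkt.proto == "tcp":
            if self.pending[pkt.src] >= self.syn_limit:
                return "deny"             # too many unanswered SYNs from one source
            self.pending[pkt.src] += 1
            self.conns[key] = "half_open"
        else:
            self.conns[key] = "open"
        return "allow"

def demo():
    internal, web, attacker = "10.0.0.5", "192.0.2.10", "203.0.113.7"
    sf = StatefulFilter()
    # 1. ACK scan: unsolicited inbound segment with only ACK set, aimed at SSH.
    ack_scan = Packet("in", "tcp", attacker, internal, 40000, 22, frozenset({"ACK"}))
    out = {"stateless_ack_scan": stateless_filter(ack_scan),
           "stateful_ack_scan": sf.handle(ack_scan)}
    # 2. Legitimate outbound HTTPS connection and the server's SYN/ACK reply.
    sf.handle(Packet("out", "tcp", internal, "198.51.100.3", 50000, 443, frozenset({"SYN"})))
    out["stateful_reply"] = sf.handle(
        Packet("in", "tcp", "198.51.100.3", internal, 443, 50000, frozenset({"SYN", "ACK"})))
    # 3. SYN flood: 20 SYNs from one source to the web server, none ever completed.
    flood = [Packet("in", "tcp", attacker, web, 1024 + i, 80, frozenset({"SYN"})) for i in range(20)]
    out["stateless_flood_allowed"] = sum(stateless_filter(p) == "allow" for p in flood)
    out["stateful_flood_allowed"] = sum(sf.handle(p) == "allow" for p in flood)
    return out
```

Calling demo() returns "allow" for the ACK scan under the stateless rules and "deny" under the stateful ones, "allow" for the genuine reply, and 20 versus 5 flood packets admitted. The connection table is the whole difference: it lets the stateful policy drop the permissive ACK rule without breaking outbound connections.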
Firewall Configurations
In addition to the various types of firewalls, there are also various configuration options. The type of
firewall tells you how it will evaluate traffic and hence decide what to allow and not to allow. The
configuration gives you an idea of how that firewall is set up in relation to the network it is protecting.
Some of the major configurations/implementations for firewalls include the following:
■ Network host-based
■ Dual-homed host
■ Router-based firewall
■ Screened host
Each of these is discussed in the following sections:
Network Host-Based
A network host-based firewall is a software solution installed on an existing machine with an existing operating system. The most significant concern in using this type of firewall is that no matter how good the firewall solution is, it is contingent upon the underlying operating system. In such a situation, it is absolutely critical that the machine hosting the firewall have a hardened operating system.
Dual-Homed Host
A dual-homed host is a firewall running on a server with at least two network interfaces, typically one on the Internet side and one on the internal network. The server sits between the two networks its interfaces are attached to. To make this work, the operating system's automatic IP forwarding is disabled, so an IP packet from the Internet is never routed straight through to the internal network; instead, the firewall or proxy software on the host decides which packets to pass and how to pass them. Systems inside and outside the firewall can communicate with the dual-homed host but cannot communicate directly with each other.
Router-Based Firewall
As was previously mentioned, you can implement firewall protection on a router. In larger networks
with multiple layers of protection, this is commonly the first layer of protection. Although one can
implement various types of firewalls on a router, the most common type used is packet filtering. If you use a broadband connection in your home or small office, you can get a packet-filtering firewall router to replace the basic router provided to you by the broadband company. In recent years, router-based firewalls have become increasingly common and are in fact the most common firewall used today.
Screened Host
A screened host is really a combination of firewalls. In this configuration, you use a combination of a
bastion host and a screening router. The screening router adds security by allowing you to deny or
permit certain traffic from the bastion host. It is the first stop for traffic, which can continue only if the screening router lets it through.
Firewall Logs-
Firewalls are also excellent tools when attempting to ascertain what has happened after an incident
occurs. Almost all firewalls, regardless of type or implementation, will log activity. These logs can
provide valuable information that can assist in determining the source of an attack, methods used to
attack, and other data that might help either locate the perpetrator of an attack or at least prevent a
future attack using the same techniques. Any security-conscious network administrator should make it a routine habit to check the firewall logs.
Antispyware-
This is an important element of computer security software that was at one
time largely ignored. Even today, not enough people take spyware seriously or guard against it. Most
antispyware works by checking your system for known spyware files: each application is simply compared against a list of known spyware. This means that you must maintain some sort of subscription service so that you can obtain routine updates to your spyware definition list. Most antivirus solutions now also check for spyware.
In today’s Internet climate, running antispyware is as essential as running antivirus software. Failing to do so can lead to serious consequences. Personal data, and perhaps sensitive business data, could easily be leaking out of your organization without your knowledge. And, as was pointed out earlier in this book, it is entirely possible for spyware to be the vehicle for purposeful industrial espionage.
Intrusion-Detection Software-
Intrusion-detection software, usually called an intrusion-detection system (IDS), has become much more widely used in the last few years. Essentially,
an IDS will inspect all inbound and outbound port activity on your machine, firewall, or network and
look for patterns that might indicate an attempted break-in. For example, if the IDS finds that connection attempts (such as TCP SYN packets) were sent to each port in sequence, this probably indicates that your system is being
scanned by network-scanning software, such as Cerberus. Since this is often a prelude to an attempt to breach your system security, it can be very important to know that someone is performing preparatory steps to infiltrate your system.
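The following Python script is an added example serving both the firewall-log section above and the port-scan pattern just described; it is not code from the original text or from any IDS product. It parses a short, constructed excerpt of netfilter-style drop logs (the key=value format the Linux kernel writes, with documentation-range addresses and an invented DROP: prefix), summarizes dropped packets per source, and flags any source that sends SYNs to at least eight distinct ports within sixty seconds, which is the signature of a sequential port scan. The thresholds are assumptions chosen for the example; a non-firewall syslog line is included to show that unrelated entries are skipped.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log excerpt in netfilter LOG format: syslog header, then key=value fields.
LOG_LINES = """\
Mar  3 14:02:01 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40123 DPT=21 SYN URGP=0
Mar  3 14:02:01 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40124 DPT=22 SYN URGP=0
Mar  3 14:02:01 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40125 DPT=23 SYN URGP=0
Mar  3 14:02:02 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40126 DPT=25 SYN URGP=0
Mar  3 14:02:02 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40127 DPT=80 SYN URGP=0
Mar  3 14:02:02 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40128 DPT=110 SYN URGP=0
Mar  3 14:02:03 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40129 DPT=135 SYN URGP=0
Mar  3 14:02:03 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40130 DPT=139 SYN URGP=0
Mar  3 14:02:03 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40131 DPT=443 SYN URGP=0
Mar  3 14:02:04 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40132 DPT=445 SYN URGP=0
Mar  3 14:02:05 gw kernel: DROP: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=98 TTL=64 PROTO=UDP SPT=5353 DPT=5353 LEN=78
Mar  3 14:03:12 gw kernel: DROP: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=98 TTL=64 PROTO=UDP SPT=5353 DPT=5353 LEN=78
Mar  3 14:07:30 gw kernel: DROP: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=98 TTL=64 PROTO=UDP SPT=5353 DPT=5353 LEN=78
Mar  3 14:10:44 gw kernel: DROP: IN=eth0 OUT= SRC=198.51.100.33 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51822 DPT=22 SYN URGP=0
Mar  3 14:11:00 gw sshd[2231]: Accepted publickey for ops from 10.0.0.5 port 50112
"""

TS_RE = re.compile(r"^(\w{3})\s+(\d+)\s+(\d\d:\d\d:\d\d)\s+\S+\s+kernel:")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
SYN_RE = re.compile(r"\sSYN(?:\s|$)")


def parse_line(line):
    """Turn one dropped-packet log line into an event dict; None for anything else."""
    m = TS_RE.match(line)
    if not m or "SRC=" not in line:
        return None                       # not a firewall entry (e.g. the sshd line)
    mon, day, hms = m.groups()
    fields = dict(KV_RE.findall(line))    # later duplicates (UDP's second LEN) win; unused here
    return {
        "time": datetime.strptime(f"{mon} {day} {hms}", "%b %d %H:%M:%S"),  # syslog omits the year
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields.get("PROTO", "?"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
        "syn": bool(SYN_RE.search(line)),
    }


def summarize(events):
    """Per source: how many packets were dropped and which destination ports they hit."""
    summary = defaultdict(lambda: {"packets": 0, "ports": set()})
    for e in events:
        summary[e["src"]]["packets"] += 1
        if e["dport"] is not None:
            summary[e["src"]]["ports"].add(e["dport"])
    return {src: {"packets": s["packets"], "ports": sorted(s["ports"])} for src, s in summary.items()}


def detect_scans(events, min_ports=8, window_seconds=60):
    """Flag a source whose SYNs reach at least min_ports distinct ports within the window."""
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "TCP" and e["syn"] and e["dport"] is not None:
            by_src[e["src"]].append(e)
    scans = []
    for src, evs in by_src.items():
        window, best = deque(), []
        for e in sorted(evs, key=lambda x: x["time"]):
            window.append(e)
            while (e["time"] - window[0]["time"]).total_seconds() > window_seconds:
                window.popleft()          # slide the window forward
            ports = sorted({w["dport"] for w in window})
            if len(ports) > len(best):
                best = ports              # widest spread of ports seen in any one window
        if len(best) >= min_ports:
            scans.append((src, best))
    return scans


def analyze(text):
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return summarize(events), detect_scans(events)


if __name__ == "__main__":
    summary, scans = analyze(LOG_LINES)
    for src, s in summary.items():
        print(src, s)
    print("port scans:", scans)
```

Run against the excerpt, the summary attributes ten drops across ten ports to 203.0.113.7 and only repetitive mDNS noise to 198.51.100.20; detect_scans reports the first as a scan and ignores the second and the single SSH attempt. The per-source window is what separates a scan from ordinary background noise, and the same code can be pointed at a real log file by replacing LOG_LINES with the file's contents.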
IDS Categorization
There are a number of ways in which IDS systems can be categorized. The most common IDS categorizations
are as follows:
■ Misuse detection versus anomaly detection
■ Passive systems versus reactive systems
■ Network-based systems versus host-based systems
Other Preemptive Techniques-
Besides IDS, antivirus, firewalls, and honey pots, there are a variety of preemptive techniques an
administrator can use to attempt to reduce the chances of a successful attack being executed against his or her network.
Intrusion Deflection
This method is becoming increasingly popular among the more security-conscious administrators. The essence of it is quite simple. An attempt is made to attract the intruder to a subsystem set up for the purpose of observing him. This is done by tricking the intruder into believing that he has succeeded in accessing system resources when, in fact, he has been directed to a specially designed environment.
Being able to observe the intruder while he practices his art will yield valuable clues and can lead to his arrest.
This is often done by using what is commonly referred to as a honey pot. Essentially, you set up a fake system, possibly a server that appears to be an entire subnet. You make that system look very attractive by perhaps making it appear to have sensitive data, such as personnel files, or valuable data, such as account numbers or research. The actual data stored in this system is fake. The real purpose of the system is to carefully monitor the activities of any person who accesses the system. Since no legitimate user ever accesses this system, it is a given that anyone accessing it is an intruder.
Infiltration
This method refers to efforts on the part of the administrator or security specialist to acquire information from various illicit sources. Many administrators rely solely on various security bulletins from vendors. With infiltration, the administrator proactively seeks out intelligence on potential
threats/groups. In other words, it is not a software or hardware implementation, but rather a process of infiltrating hacker/cracker online groups in order to keep tabs on what sort of vulnerabilities are
currently being exploited by these groups and what target systems are considered attractive targets.
This approach is not widely used for two reasons. The first is that it is quite time-consuming. The
second is that it requires spying skills, which many administrators may not possess.
Intrusion Deterrence
This method involves simply trying to make the system seem like a less-palatable target. In short, an
attempt is made to make the potential reward from a successful intrusion appear not worth the effort. This approach includes tactics such as reducing the apparent value of the system through camouflage, which essentially means working to hide its most valuable aspects. The other tactic in this methodology involves raising the perceived risk that a potential intruder will be caught. This can be done in a variety of ways, including conspicuously displaying warnings and notices of active monitoring. The perceived security of a system can be drastically improved even when its actual security has not been.