Labs

February 21, 2000

Security: Are You Vulnerable?

Firewalls and similar security measures are essential for protecting your Internet presence, but a new study by Cisco Secure Consulting Services affirms that practical system administration and common sense are the best defense

By Jason Levitt and Gregory Smith

Related links:
  • Sidebar: Security Frameworks Are Key To Reducing Vulnerability
  • From our sister publications:
    • Network Computing: Firewall & Load-Balancer: Perfect Union? (2/7/00)
    • Network Computing: Hammering Out a Secure Framework (1/24/00)
    • TechWeb: Axent Digs Deeper For Network Security (12/3/99)

    Are we vulnerable? This is the central question IT managers should be asking themselves about their exposed network infrastructure. The recent denial-of-service attacks against CNN.com, Yahoo, and other large Web sites clearly show that vulnerabilities exist, but finding out where the actual vulnerabilities lie can be challenging. A new study by Cisco Secure Consulting Services offers some insight into where many common vulnerabilities exist in IT network systems. The study, which analyzed 33 midsize and large customer sites over a period of six months, found vulnerabilities in all the customer sites, but almost all the vulnerabilities could be traced to outdated software or lax system administration maintenance, not to inherent flaws in the systems. While the need for careful system administration and continual system security analysis has been well-understood, Cisco's study indicates that most businesses, especially those that are conducting E-commerce activities over the Internet, aren't being careful enough.

    Cisco Secure Consulting Services analyzed 33 Internet-connected customer sites, belonging to a spectrum of businesses involved in telecommunications, transportation, finance, and other industries. Among these networks, the security group identified 9,874 network interfaces (a network interface is defined as anything with an IP address that's accessible from the Internet) over a period of six months. Each of these network interfaces served an average of 3.34 services, such as the Web, E-mail, and Telnet.

    Overall, the results were startling. Nearly 22% of the network interfaces had some vulnerability, and a third of the Internet-exposed services had some vulnerability. This finding isn't as surprising as the fact that nearly all the vulnerabilities discovered by the study could be avoided through more-careful system analysis and administration techniques.

    [Pie chart]

    Examining which services were vulnerable to Internet-based attacks reveals much about the state of system administration. The service most commonly associated with an exposed Internet risk is the remote procedure call service, which lets one computer execute a program on another. Grouped by service, nearly a quarter of the vulnerabilities result from administrators failing to block traffic on the RPC port. Functionally, there is little reason to allow Internet systems access to RPC. When a distributed application requires RPC access, the nature of the application suggests using a virtual private network or a similar, more-secure mechanism; such access should be carefully audited, as should access to particular RPC services, such as the RPC Portmapper. Clearly, that's not happening routinely.

    After RPC, Web services are the most common source of vulnerabilities. However, companies almost certainly need to allow HTTP traffic to and from the Internet, so universally blocking access on the relevant ports, as should be done with RPC, is no solution. Most of these risks, however, are largely due to the use of outdated Web servers (old versions of NCSA, Netscape, and Apache servers are typical) and third-party applications that had inherent vulnerabilities or weren't carefully installed. Taken together, RPC and Web services account for nearly half of the Internet-exposed vulnerabilities, and Cisco's security group concludes that "most of these vulnerabilities can be resolved with a little research and some diligence on the part of the administrative staff."

    E-mail (Simple Mail Transfer Protocol), network management (Simple Network Management Protocol), and file-transfer (File Transfer Protocol) services make up the bulk of the remaining vulnerabilities discovered. Predictably, SMTP vulnerabilities were usually unpatched Sendmail installations or poorly configured Sendmail daemons. SNMP access, typically required for remote network management, should never be allowed from the Internet. If remote administration is absolutely necessary, Cisco recommends filtering access at the firewall or using a virtual private network or extranet configuration. Anonymous FTP service shouldn't be allowed unless absolutely necessary--and even then, careful configuration is required. Cisco recommends disabling the FTP service on all Internet-accessible network devices.

    Of course, different vulnerabilities expose your site to different forms of attack. As the recent Web-site assaults show, a denial-of-service attack swamping a site with bogus requests is relatively easy to mount. Unlike other forms of attack, inundating your servers won't normally do permanent damage to your servers or let attackers access confidential data. But for many businesses, such as E-Trade Group Inc., an online trading firm, and eBay Inc., an online auction house, losing Internet service means they're out of business, at least temporarily.

    While it's difficult to completely forestall any denial-of-service attack, carefully configuring your Internet devices can minimize the likelihood of tying up your servers. The study found that the most-common exposure to this form of attack stemmed from running outdated, unnecessary services--almost 5% of the vulnerabilities. One thing to remember when securing your network is to disable any service that isn't necessary for your Internet operation. Those services that you do need, such as the domain name system and Web hosts, should be carefully reviewed--you must make sure they're up-to-date and properly configured. Most server-software vendors and the CERT Coordination Center (www.cert.org) maintain lists of known configuration risks.

    The second and third most common denial-of-service vulnerabilities also involve unnecessary services and known risks that can be patched with upgrades. Services using the Bootstrap Protocol, an outdated protocol used to distribute IP addresses to clients, are seldom needed in any business other than Internet service providers, but they make up the second most common vulnerability in this area. Likewise, a well-known problem with a buffer overflow in some versions of FTP servers, an error that's easily patched, was the third most common exposure.

    There are other forms of attack associated with other weaknesses in your network. Reconnaissance attacks attempt to gather information about your network that can then be used to compromise it. More than 13% of Internet interfaces have some vulnerability to this form of attack. Most are the result of Internet-based RPC services. For example, the RPC Portmapper will return information about all RPC network services configured to run on your host systems. Rarely would an Internet client have a legitimate need for this information, so blocking requests on the relevant port and disabling RPC on systems where it's not needed are simple antidotes.
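As an added example (not code from the article or from Cisco's study), the following Python script reviews a constructed inventory of Internet-facing services against the exposure guidance above (RPC Portmapper, SNMP, BOOTP and FTP should not be reachable from the Internet; Web and mail daemons must be current) and reports the two headline metrics the study uses: the share of interfaces with at least one finding and the share of services with a finding. The minimum-version table and the sample inventory are placeholder assumptions, not values from the page.

```python
# Services the article says should not be reachable from the Internet.
BLOCK_FROM_INTERNET = {
    111: "RPC Portmapper exposed (reconnaissance, RPC access)",
    161: "SNMP exposed (filter at the firewall or use a VPN)",
    67: "BOOTP exposed (rarely needed outside an ISP)",
    21: "FTP exposed (disable unless absolutely necessary)",
}
# Placeholder minimum versions (assumption); use your vendors' advisories.
MINIMUM_VERSIONS = {"apache": (1, 3, 11), "sendmail": (8, 9, 3)}

def parse_version(text):
    """'1.3.9' -> (1, 3, 9); non-numeric pieces count as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def check_record(port, service, version):
    """Return a finding for one exposed service, or None if it passes."""
    if port in BLOCK_FROM_INTERNET:
        return BLOCK_FROM_INTERNET[port]
    minimum = MINIMUM_VERSIONS.get(service.lower())
    if minimum and parse_version(version) < minimum:
        return f"outdated {service} {version}"
    return None

def review(inventory):
    """Report findings the way the study does: share of interfaces with
    a finding, share of services with a finding, and a count by service."""
    interfaces, flagged, services, by_service = set(), set(), 0, {}
    for iface, port, service, version in inventory:
        interfaces.add(iface)
        services += 1
        if check_record(port, service, version):
            flagged.add(iface)
            by_service[service] = by_service.get(service, 0) + 1
    iface_rate = len(flagged) / len(interfaces) if interfaces else 0.0
    svc_rate = sum(by_service.values()) / services if services else 0.0
    return iface_rate, svc_rate, by_service

# Constructed sample inventory: (interface, port, service, version).
SAMPLE = [
    ("192.0.2.10", 80, "apache", "1.3.12"),
    ("192.0.2.10", 111, "portmapper", "2"),
    ("192.0.2.11", 25, "sendmail", "8.8.8"),
    ("192.0.2.11", 80, "apache", "1.3.12"),
    ("192.0.2.12", 161, "snmp", "v1"),
    ("192.0.2.13", 443, "apache", "1.3.12"),
]
```

Calling `review(SAMPLE)` reports three of four interfaces and half of the six services with a finding, which mirrors how the study's 22% and one-third figures were derived.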

    continued...page 2
