People who design computer networks for professional television applications face a dilemma. Users almost universally demand Internet connectivity. But engineers know that there are risks associated with providing that connectivity. A fairly typical reaction from engineers to a request by users for Internet connectivity in these high-risk environments has been, “Over my dead body!” To which users and management have replied, “That can be arranged.” It is fair to say that a bit of tension exists on this topic.
These days, users expect ubiquitous Internet connectivity. Like it or not, access to e-mail and Web sites, and the ability to share files and other information over the Internet, have become deeply ingrained in almost all business organizations, including professional television production. Many studies have found that there are real economic gains to companies and countries that have easy, low-cost Internet connectivity. And you can expect user pressure to increase. At some point, you will likely be required to provide at least some level of access to the Internet on critical networks. So it would be prudent to take a realistic look at the risks associated with this connectivity.
There are a number of threats you may encounter when you connect to the Internet. Common threats include port probes, viruses and worms, denial-of-service (DoS) attacks, ping-of-death (PoD) attacks, and User Datagram Protocol (UDP) flood attacks. Port probes check a computer connected to the Internet for vulnerabilities. The attacking computer systematically checks for ports that are open and available on your computer. Internet-aware applications usually “listen” for communications on a specific port. For example, telnet uses port 23. When a remote computer initiates communication with your computer on port 23, your computer responds with the commands necessary to establish a telnet session. Once the attacker knows what ports are open on your computer, he can then use this information to launch specific attacks on those open ports.
Figure 1. When hundreds or even thousands of computers all try to contact the same Web server at the same time, the Web server becomes unavailable. This is called a denial-of-service attack.
Many readers are personally familiar with viruses and worms. Viruses usually pass from computer to computer through infected files or removable media. These days, worms are much more common. Worms are most often transmitted through e-mail. The user opens an attachment containing an executable code that runs and infects the computer. The worm then reads the e-mail address book on the infected computer and e-mails itself to everyone on the list. In some cases, the worm remains dormant on the computer until a specific time, or until it receives a specific command from a remote computer. One worm, when activated, sends an HTTP request to a targeted Web address. As Figure 1 shows, there may be hundreds or thousands of infected computers on the Internet that are all directed to go to a specific Web server at the same time. When this happens, the Web server cannot service all the requests, and the system is effectively “knocked off the air.” This kind of attack is called a denial-of-service attack.
Almost all computers on the Internet contain a utility called Ping. Ping is a simple but useful utility that sends a message to another computer on the Internet saying, in effect, “Do you hear me? If so, could you please respond.” Ping then displays how long it took from the time it made a request until it received a reply. By manipulating Ping, an attacker can create Ping messages that can cause the target machine to quit working. This is called the Ping of Death. Of course, an attacker could use machines infected with a worm to create multiple, simultaneous attacks from different locations.
Attackers can use the User Datagram Protocol (UDP) as well. Because of the way UDP is designed, it is possible for an attacker with a high-speed Internet connection to send a large, continuous stream of data to the target machine. UDP has no congestion control, so it does not back off to share bandwidth with other traffic. If the stream or multiple streams are large enough, UDP can crowd out other traffic, effectively bringing Internet communications with the target computer system to a halt. This kind of attack is known as a UDP flood attack.
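The port probes and UDP floods described above leave a recognizable pattern in a firewall's drop log: one source touching many different ports in a short time, or one source sending far more UDP packets per second than any legitimate client. The following is an added example, not code from the original column; it runs over a constructed log sample in a hypothetical one-line-per-packet format and flags both patterns.

```python
from collections import defaultdict

# Constructed firewall drop-log sample (not from a real device); one line per packet:
# <epoch seconds> DROP <proto> <src ip>:<src port> -> <dst ip>:<dst port>
PROBE_LINES = [
    f"{1000 + i // 2} DROP tcp 198.51.100.7:{40000 + i} -> 22.214.171.124:{port}"
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443])
]
FLOOD_LINES = [
    f"1005 DROP udp 203.0.113.9:{5000 + i} -> 22.214.171.124:53" for i in range(300)
]
NORMAL_LINES = ["1006 DROP tcp 192.0.2.44:51000 -> 22.214.171.124:445"]
SAMPLE_LOG = PROBE_LINES + FLOOD_LINES + NORMAL_LINES

def parse(line):
    """Turn one drop-log line into a dict; returns None for lines in another format."""
    parts = line.split()
    if len(parts) != 6 or parts[1] != "DROP" or parts[4] != "->":
        return None
    src_ip, _src_port = parts[3].rsplit(":", 1)
    dst_ip, dst_port = parts[5].rsplit(":", 1)
    return {"t": int(parts[0]), "proto": parts[2], "src": src_ip,
            "dst": dst_ip, "dport": int(dst_port)}

def port_probes(lines, min_ports=5, window=60):
    """Sources that touched at least min_ports distinct ports within window seconds."""
    seen = defaultdict(list)   # src -> [(t, dport), ...]
    for ev in filter(None, map(parse, lines)):
        seen[ev["src"]].append((ev["t"], ev["dport"]))
    hits = {}
    for src, events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits[src] = len(ports)   # number of distinct ports probed
                break
    return hits

def udp_floods(lines, pps_threshold=100):
    """Sources sending more than pps_threshold UDP packets in any single second."""
    counts = defaultdict(int)  # (src, second) -> packets
    for ev in filter(None, map(parse, lines)):
        if ev["proto"] == "udp":
            counts[(ev["src"], ev["t"])] += 1
    return {src: n for (src, _), n in counts.items() if n > pps_threshold}
```

The flood source hits only one port, so it is not reported as a probe, and the single blocked packet from the third address trips neither check; tune the thresholds to your own traffic before relying on them.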
Firewalls are our friends
To defend against the attacks listed above, and to control the types of traffic allowed from the Internet onto a local network, network engineers created utilities called firewalls.
A firewall can do several things to protect your local network while permitting access to the Internet. A firewall can:
- Conceal a local computer's IP address from an observer on the Internet
- Hide the actual IP address of Web and other dedicated servers from Internet users
- Block port probes
- Allow an administrator to admit only the traffic types she decides are acceptable across the firewall and on to the local network
- Provide logging so that security threats from the Internet can be analyzed
A firewall can conceal the private IP address of your workstation from prying eyes on the Internet. This is called network address translation (NAT). In the example shown in Figure 2, the public Internet address of the corporate firewall is 22.214.171.124. Workstations on the private network all use the 10.0.0.0 private address space. Someone trying to probe the ports of a workstation from the Internet would not see the workstations at all. The only device visible from the Internet is the firewall.
Figure 2. Firewalls use NAT and PAT to conceal the existence of computers on local networks.
Firewalls can hide the actual address of dedicated servers such as Web servers from an observer on the Internet. Web clients normally connect to servers using port 80. In the example in Figure 2, the firewall permits inbound traffic from the Internet to 126.96.36.199 port 80 to traverse the firewall, and directs it to the Web server located inside a demilitarized zone (DMZ) at 192.168.0.1. The firewall can be configured so that only HTTP traffic is permitted into and out of the DMZ. The firewall also can be configured with rules for the DMZ that differ from those for the rest of the company network. For example, the firewall may allow FTP across the DMZ to an FTP server, but it might not allow any workstations to use FTP.
Administrators can configure firewalls to defeat port probes as well. A port probe queries a particular port and waits for a response. If it detects a response, it logs the port as being open. It is possible to configure the firewall so that it sends back a response indicating that the port is closed. But a better way to defeat port probes is to configure the firewall so that it discards queries without communicating any information back to the port-probing program. This is frequently referred to as “stealth” mode. (You can go to www.grc.com and run a port-scanning program that will report the status of all ports on your computer.)
Another protection a firewall can offer is to allow only certain protocols to traverse to the local network. This allows the administrator to block all telnet traffic, for example, because data sent over telnet (including passwords) are unencrypted.
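The four firewall behaviors just described (PAT for workstations, a port 80 forward into the DMZ, stealth dropping of unsolicited probes, and a per-protocol block such as telnet) can be shown together in a small simulation. This is an added example, not code from the original column or from any firewall product; it uses the addresses from Figure 2 and assumes a simple tuple-based packet model.

```python
from dataclasses import dataclass
import itertools

PUBLIC_IP = "22.214.171.124"  # firewall's public address, as in Figure 2
DMZ_WEB = "192.168.0.1"       # Web server in the DMZ, as in Figure 2
TELNET, HTTP = 23, 80

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

class Firewall:
    """Toy stateful filter: PAT for outbound flows, port 80 forwarded to the DMZ
    Web server, every other unsolicited packet from the Internet dropped silently."""

    def __init__(self):
        self.table = {}  # public port -> (private ip, private port, peer ip, peer port)
        self.ports = itertools.count(40000)

    def outbound(self, pkt):
        """Workstation -> Internet. Returns the translated packet, or None if blocked."""
        if pkt.dport == TELNET:
            return None  # telnet carries passwords in cleartext: not allowed out
        for pport, flow in self.table.items():
            if flow == (pkt.src, pkt.sport, pkt.dst, pkt.dport):
                break    # existing flow: reuse its public port
        else:
            pport = next(self.ports)
            self.table[pport] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(PUBLIC_IP, pport, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt):
        """Internet -> firewall. Returns the packet to deliver inside, or None.
        None is a stealth drop: no RST, no ICMP, nothing for a prober to log."""
        if pkt.dst != PUBLIC_IP:
            return None  # 10.x / 192.168.x addresses are never reachable directly
        if pkt.proto == "tcp" and pkt.dport == HTTP:
            return Packet(pkt.src, pkt.sport, DMZ_WEB, HTTP)  # DMZ forwarding rule
        flow = self.table.get(pkt.dport)
        if flow and (pkt.src, pkt.sport) == flow[2:]:
            return Packet(pkt.src, pkt.sport, flow[0], flow[1], pkt.proto)  # reply
        return None  # unsolicited, or from the wrong peer: stealth drop
```

A reply is only let through when it comes from the same Internet host and port the workstation contacted, which is why a prober who guesses a translated port number still gets nothing back.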
While a firewall can do a lot to protect computers on your network, there are certainly things it cannot do. A firewall cannot protect your network or servers from a denial-of-service attack. Also, a firewall cannot stop the spread of viruses or worms because they typically are spread by e-mail applications that are allowed to traverse the firewall. The best way to block these attacks is to install a central mail scanning server with appropriate software. Finally, a firewall cannot provide a totally bulletproof solution to all security attacks. People can be very creative — both in creating firewalls and in working to defeat them. But firewalls can provide a reasonable level of security while granting users the Internet access they demand.
The decision to allow Internet connectivity on local critical networks is difficult. Engineers frequently find themselves in the middle, trying to protect the interests of the company while also meeting the users' needs.
Brad Gilmer is president of Gilmer & Associates, executive director of the AAF Association, and executive director of the Video Services Forum.
Several of you wrote to let me know of an error in the RJ-45 wiring diagram for Ethernet cables that appeared in my August column. Thanks to you for catching this error. Here is the correct way to wire the connector:
Wiring Ethernet cables
Pair #1 - white/blue, blue
Pair #2 - white/orange, orange
Pair #3 - white/green, green
Pair #4 - white/brown, brown
Pin 1 - white/orange
Pin 2 - orange
Pin 3 - white/green
Pin 4 - blue
Pin 5 - white/blue
Pin 6 - green
Pin 7 - white/brown
Pin 8 - brown