As technologists, we are generally thorough when we design or build a project. But when thinking about security issues in the professional IT environment, it is important to remember that not all threats are technical in nature. Physical security can be just as important as technological security. When dealing with physical security, there are two general classifications of threats: malicious and non-malicious. Malicious threats involve the active attempt by someone to break into your network. Non-malicious threats occur when a good person makes a mistake. Fortunately, both threats can be addressed with effective physical security.
In most broadcast facilities, once someone is inside the technical area, they can wander the building at large. I have been in a few facilities where access to on-air areas was restricted, but this has been the exception rather than the rule. It goes without saying that allowing everyone physical access to on-air or technical core areas is a physical threat. When designing a new facility, it's a good idea to consider employing some sort of physical security system to keep people out of these critical areas, unless their job requires access.
One common mistake people make is taking their laptops home, letting their kids play games on the Internet with them, picking up malicious code, and then bringing the laptops back to the office. If that person plugs the laptop into the core network, there is a good chance that the malicious code will spread.
There are a number of ways to stop this from happening. One way is to restrict the employee's ability to run certain applications or install new software on company laptops. Another way to handle this threat is to purchase a router that uses Layer 2 port authentication. The router is configured so that it will only pass packets from authorized Media Access Control (MAC) addresses. Each network interface card (NIC) has a unique MAC address. By restricting access on the network to authorized MAC addresses, you can prevent someone from plugging an unauthorized computer into your core network. As with all security measures, there is an additional administrative load required, and you will have to determine if the additional work is worth the added security.
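The MAC-address allowlist described above has one operational wrinkle worth seeing in code: switches, DHCP servers and purchase records write the same address in different notations (colon, hyphen, Cisco dotted), and an inventory that never matches because of notation silently lets everything through or locks everything out. The following is an added example, not code from the article; the inventory, switch-port names and addresses are constructed. It normalises each notation to one form and reports any station on the core switch that is not on the list. Treat a hit as a prompt to find the unknown machine: a MAC address is easy to change, so an allowlist is an inventory check rather than proof of who is plugged in.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed inventory of authorised NICs (hypothetical values, not from the
# article): MAC address -> the device it belongs to.
AUTHORISED_NICS: Dict[str, str] = {
    "00:1a:2b:3c:4d:5e": "master control workstation 1",
    "00:1a:2b:3c:4d:5f": "playout server A",
    "00:1a:2b:3c:4d:60": "router control panel",
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalise_mac(raw: str) -> str:
    """Canonicalise the three common MAC notations to lower-case colon form.

    Accepts 00:1A:2B:3C:4D:5E, 00-1a-2b-3c-4d-5e and 001a.2b3c.4d5e. Raises
    ValueError for anything that is not twelve hex digits once the separators
    are removed, so a typo in the inventory fails loudly instead of never
    matching.
    """
    digits = re.sub(r"[:\-.]", "", raw.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit_observed(observed: Iterable[Tuple[str, str]],
                   authorised: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (mac, port) for every observed station that is not in the inventory.

    `observed` is a list of (mac, switch_port) pairs, as you would pull from a
    switch's MAC address table or a DHCP lease list.
    """
    allowed = {normalise_mac(mac) for mac in authorised}
    unauthorised: List[Tuple[str, str]] = []
    for mac, port in observed:
        canonical = normalise_mac(mac)
        if canonical not in allowed:
            unauthorised.append((canonical, port))
    return unauthorised


# Constructed sample of what a core switch's address table might show.
OBSERVED = [
    ("00-1A-2B-3C-4D-5E", "Gi1/0/1"),   # workstation, hyphen notation
    ("001a.2b3c.4d5f", "Gi1/0/2"),      # playout server, dotted notation
    ("08:00:27:aa:bb:cc", "Gi1/0/7"),   # unknown laptop plugged into the core
]

if __name__ == "__main__":
    for mac, port in audit_observed(OBSERVED, AUTHORISED_NICS):
        print(f"UNAUTHORISED station {mac} on port {port}")
```

Run it against a fresh dump of the switch table each day and the list of unknown stations is the administrative load the article mentions: small if the inventory is kept current, painful if it is not.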
Another area of both physical and technical security is passwords. Security experts generally agree that a system that consists of “something you have and something you know” allows technologists to create relatively secure systems. An example of this is a network logon system where the user is issued a small device that creates a new password every few minutes. The user has this device, and the user knows his or her logon information. One of the strong points of this system is that the device creates the system passwords, thus avoiding several pitfalls of password-protected systems.
Needless to say, users should protect their logon and password information. Here is an interesting experiment: Walk around your office and ask your fellow employees how many of them have written their passwords down and either taped them to the bottom of their keyboard or to the side of their top desk drawer. As amazing as it seems, this physical security threat is common. While you are talking to your colleagues, ask them whether their user name and password are the same, or whether their password is their first name. Weak passwords are also a threat to security.
Weak passwords are typically obvious. They are short (less than six characters) or contain no punctuation. A malicious person might use common sense to guess a password, or he or she could use a brute-force dictionary attack. A dictionary attack employs a relatively simple program that tries words from a dictionary, one after another, as user names and passwords in an attempt to break into the system. Strong passwords, which are longer and contain random punctuation, are much less vulnerable to dictionary attacks.
Another password-related issue is simple login names. Certain names such as Administrator, Admin and Root should be disabled for remote login, if possible. Also, short first names should be avoided. Attackers will likely probe login names like Bill, Sue and Fred.
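The weak-password habits described above (too short, no punctuation, the same as the user name, the user's first name, a plain dictionary word) and the risky login names can all be checked before an account is created. The following is an added example, not code from the article; the word list is a constructed handful of entries standing in for a real dictionary, and the four-letter threshold for a "short first name" is an assumption. It returns the list of indicators that fire so the rejection message can tell the user why.

```python
import re
from typing import List

# Constructed word list for the demonstration; a real deployment would load a
# full dictionary (and a breached-password list) instead of these few words.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer",
                "studio", "broadcast"}

# Login names the article says should not be reachable remotely.
PRIVILEGED_LOGINS = {"administrator", "admin", "root"}

PUNCTUATION = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")


def password_problems(password: str, username: str, first_name: str) -> List[str]:
    """Return the weak-password indicators that apply to `password`.

    An empty list means none of the checks fired. `username` and `first_name`
    let the function catch the "my password is my name" habit.
    """
    problems: List[str] = []
    lowered = password.lower()
    # Letters only: "Password1!" and "password" are the same guess to a
    # dictionary program that bolts digits and punctuation onto each word.
    letters_only = re.sub(r"[^a-z]", "", lowered)

    if len(password) < 6:
        problems.append("shorter than six characters")
    if not any(ch in PUNCTUATION for ch in password):
        problems.append("contains no punctuation")
    if lowered == username.lower():
        problems.append("same as the user name")
    if letters_only == first_name.lower():
        problems.append("is the user's first name")
    if letters_only in COMMON_WORDS:
        problems.append("is a dictionary word")
    return problems


def login_name_problems(login: str) -> List[str]:
    """Flag login names an attacker is likely to try first."""
    problems: List[str] = []
    if login.lower() in PRIVILEGED_LOGINS:
        problems.append("well-known administrative account: disable remote login")
    # Assumed threshold: a bare name of four letters or fewer counts as a
    # "short first name" in the article's sense.
    if login.isalpha() and len(login) <= 4:
        problems.append("short first name: easy to guess")
    return problems


if __name__ == "__main__":
    for pw in ("fred", "Password1!", "tK7#pw9!Lm"):
        print(pw, "->", password_problems(pw, "fred", "Fred") or "ok")
    for name in ("Administrator", "Bill", "wgilmer"):
        print(name, "->", login_name_problems(name) or "ok")
```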
In several previous articles, I have written about threats to the core technical network and strategies for minimizing those threats. For many people, the chief concern is that an attacker will be able to reach the core technical network via the Internet. It may help to look at general Internet-borne threats.
There are a number of threats that may cause problems when you connect to the Internet. Common threats include port probes, viruses and worms, Denial of Service (DoS) attacks, Ping of Death (PoD) attacks, and User Datagram Protocol (UDP) flood attacks.
Port probes check a computer connected to the Internet for vulnerabilities. The attacking computer systematically checks for ports that are open and available on your computer. The attacker will use this information to launch attacks on open ports. An attacker can also use port probes to determine which operating system is running on the computer. This information allows the attacker to craft an attack against well-known weaknesses of the particular version of the operating system on the target machine.
Many readers are personally familiar with viruses and worms. Viruses usually pass from computer to computer through infected files or removable media. Worms are most often transmitted via e-mail. The user opens an attachment that contains executable code (the worm), which runs and infects the computer. The worm then reads the e-mail address book on the infected computer and e-mails itself to everyone on the list.
Figure 1. When hundreds or even thousands of computers all try to contact the same Web server at the same time, the Web server will become unavailable. This is called a Denial of Service attack.
Worms can be used to spawn DoS attacks. In some cases, the worm remains dormant on the computer until a specific time, or until a specific command is received from a remote computer. When the worm is activated, it sends repeated requests to the target system's IP address. As Figure 1 shows, there may be hundreds or thousands of infected computers on the Internet, which are all directed to go to a specific server at the same time. When this happens, the server cannot service all the requests, and the system is effectively knocked off the air.
Almost all computers on the Internet contain a utility called Ping. Ping is a simple but useful utility that checks the round-trip time between your system and another computer. By manipulating Ping, an attacker can create Ping messages that can cause the target machine to quit working. This attack is called the Ping of Death.
UDP can be used to attack target systems in flood attacks. Because of the way UDP is designed, it is possible for an attacker with a high-speed Internet connection to send a large, continuous stream of data to the target machine. UDP has no flow or congestion control, so a UDP stream does not slow down to share bandwidth fairly with other traffic. If the stream or streams are large enough, they can crowd out other traffic, effectively bringing other Internet communications with the target computer system to a halt. If the attacker can generate enough simultaneous UDP streams, all directed at a particular machine, he or she could overload the routing systems that feed the machine.
Firewalls: What they will and will not do
In all cases, knowledge is important in combating these attacks. Properly configured firewalls and routers can protect core networks from these attacks. In previous articles, I have described firewalls in detail. For this article, let's look at a high-level description of their functionality.
There are several things a firewall can do to protect your local network while permitting Internet access. A firewall can:
- conceal local computer IP addresses from an observer on the Internet
- hide the actual IP address of Web and other dedicated servers from Internet users
- block port probes
- allow an administrator to admit only the traffic types that are acceptable across the firewall and on to the local network
- provide logging so that security threats from the Internet can be analyzed.
While a firewall can do a lot to protect computers on your network, there are certain things it cannot do. A firewall cannot:
- protect your network or servers from a DoS attack
- stop the spread of viruses or worms, since these are typically spread by e-mail applications that are allowed to traverse the firewall
- provide a totally bulletproof solution to all security attacks.
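The last item on the "can do" list, logging, is what turns the port probes and UDP floods described earlier into something an administrator can actually see. The following is an added example, not code from the article or from any firewall product: it parses a constructed, simplified log format (one line per packet with timestamp, protocol, addresses, destination port and verdict) and reports a source that touches many distinct ports on one host within a minute (a probe) or sends a burst of UDP datagrams at one host within a single second (a flood). The thresholds, the log format and the sample lines, which use the RFC 5737 documentation address ranges, are all constructed; real firewalls write different fields, so the regular expression is the part you would adapt.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed log format for the demonstration (not any vendor's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>TCP|UDP|ICMP) src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r"(?: dport=(?P<dport>\d+))? action=(?P<action>ACCEPT|DROP)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return a parsed event, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.fromisoformat(d["ts"]),
        "proto": d["proto"], "src": d["src"], "dst": d["dst"],
        "dport": int(d["dport"]) if d["dport"] else None,
        "action": d["action"],
    }


def find_port_probes(events: Iterable[dict], min_ports: int = 10,
                     window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, str, int]]:
    """Sources that touched >= min_ports distinct ports on one host within `window`."""
    touched: Dict[Tuple[str, str], List[Tuple[datetime, int]]] = defaultdict(list)
    for e in events:
        if e["dport"] is not None:
            touched[(e["src"], e["dst"])].append((e["ts"], e["dport"]))
    probes = []
    for (src, dst), items in sorted(touched.items()):
        items.sort()
        best, start = 0, 0
        for end in range(len(items)):          # sliding window over time
            while items[end][0] - items[start][0] > window:
                start += 1
            best = max(best, len({port for _, port in items[start:end + 1]}))
        if best >= min_ports:
            probes.append((src, dst, best))
    return probes


def find_udp_floods(events: Iterable[dict], min_pps: int = 100) -> List[Tuple[str, str, int]]:
    """Sources sending >= min_pps UDP datagrams to one host within any single second."""
    per_second: Dict[Tuple[str, str, datetime], int] = defaultdict(int)
    for e in events:
        if e["proto"] == "UDP":
            per_second[(e["src"], e["dst"], e["ts"].replace(microsecond=0))] += 1
    worst: Dict[Tuple[str, str], int] = {}
    for (src, dst, _sec), n in per_second.items():
        if n >= min_pps:
            worst[(src, dst)] = max(worst.get((src, dst), 0), n)
    return [(src, dst, n) for (src, dst), n in sorted(worst.items())]


def analyse(lines: Iterable[str]) -> Dict[str, list]:
    events = [e for e in map(parse_line, lines) if e is not None]
    return {"port_probes": find_port_probes(events), "udp_floods": find_udp_floods(events)}


# Constructed sample log: normal Web traffic, a port probe and a UDP flood.
SAMPLE_LOG = (
    [f"2004-03-01T09:59:{s:02d} proto=TCP src=198.51.100.7 dst=192.0.2.10 dport=80 action=ACCEPT"
     for s in range(0, 50, 10)]
    + [f"2004-03-01T10:00:{s:02d} proto=TCP src=203.0.113.5 dst=192.0.2.10 dport={p} action=DROP"
       for s, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])]
    + [f"2004-03-01T10:05:00.{i:06d} proto=UDP src=203.0.113.9 dst=192.0.2.10 dport=53 action=DROP"
       for i in range(150)]
)

if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for src, dst, count in hits:
            print(f"{kind}: {src} -> {dst} ({count})")
```

The UDP detector only tells you a flood is arriving; as the "cannot do" list says, the firewall dropping those datagrams does not stop them from filling the link in front of it, so the useful response to that alert is a call to the upstream provider.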
Firewalls provide a reasonable level of security while granting users the necessary Internet access.
Brad Gilmer is president of Gilmer & Associates, executive director of the Video Services Forum and executive director of the AAF Association.
Send questions and comments to: firstname.lastname@example.org