
52-10-80 Software Solutions for LAN Security
Paul Cullen

Payoff

As local area networks distribute processing capabilities to end users throughout an organization, they also shift the management of internal controls from centralized data processing departments to end users. Many of these users, however, are not proficient in assessing security risks and implementing the appropriate security controls. In addition, LAN management systems typically have not been furnished with sufficient controls as part of their basic system architectures. Therefore, it is especially important to understand the strengths and weaknesses of existing LAN systems and add-on security software packages.

Introduction

A LAN can be simply defined as the wiring and software that allow two or more computers to share disk drives, printers, and other peripherals. How LANs distribute processing power, however, or what kind of computers they link varies.

Unlike minicomputer or mainframe networks, which process data on a shared central processing unit, LANs process data on the user's microcomputer workstation. In the future, this distinction will blur; processing will be distributed between microcomputers and LAN servers, which control network functions, printing, and file sharing. There are two types of servers: dedicated and nondedicated. A dedicated server performs only network functions and does not operate as a workstation. A nondedicated server performs network functions, allowing other LAN microcomputers to access its disk drives and printers; it can also function as a workstation. Such network managers as NetWare Lite employ nondedicated servers in peer-to-peer networks.

LANs can also link diskless microcomputers, which do not have disk drives and access data stored only on dedicated servers. Access is controlled entirely through the network operating system, and users do not need additional workstation security. Although diskless workstations rely more on server availability than do standard workstations, they are more easily secured because it is much simpler to secure a server than a workstation.

LANs Versus Standalone Microcomputers

LANs have advantages and disadvantages over standalone microcomputers. Advantages include the following:

· Shared use of disk drives. By sharing server disk drives, LAN users can easily transfer files among networked microcomputers, regardless of the type of disk drives the microcomputers employ.

· Centralized storage. By centralizing their disk storage and management, LAN users can avoid creating diskettes with different versions of the same file; however, users must employ common naming procedures to keep from overwriting each other's files and programs.

· Backups. LAN users can easily back up critical files to the server. When a hard drive fails, they can recover files by reloading the network software and copying the files to the replacement disk drive. Tape backup units can be used to efficiently back up servers.

· Shared printers. LAN users can share printers connected to a server.

· Electronic mail. Most LANs support electronic mail; their users can easily send messages from one workstation to another and can electronically file messages for future reference.

· Data security. Typically, LANs provide password protection to control access to the network and protect data stored on it.

· Mainframe access. LAN microcomputers can access a mainframe if the network is connected to the mainframe through a bridge or gateway.

· Shared processing. Some LAN software packages allow servers to perform such processing functions as data base retrieval. Future LANs may perform shared processing among workstations, servers, mainframes, and minicomputers.

LAN disadvantages include the following:

· Potential misuse of network analyzers. These inexpensive software mechanisms turn network workstations into monitoring stations that can read data passing through their LAN. They can be misused to access such sensitive data as user IDs and passwords. Encryption or expensive controls are, therefore, necessary to secure such data.

· Program incompatibility. Some programs are written for standalone microcomputers and do not run on LANs. Such programs often do not allow multiple workstations to access files in a shared environment. Users employing these programs encounter memory conflicts between LAN and application software on their workstations.

· Need for a LAN administrator. LANs require a LAN administrator to set up and train new users, oversee security, back up data, and manage problems. These activities require an investment of both time and resources.

· Cost. A LAN needs an interface card for every station, wiring, and software. It also requires a server to handle such network traffic as printer and file sharing and the routing of messages. Servers are usually more powerful and expensive than end-user workstations.

Common Features of DOS-Based LANs

Such early networks as IBM Corp.'s PC LAN and 3COM Corp.'s 3+Share are based on Microsoft Corp.'s MS-Net network software. These systems run under the MS-DOS operating system and use the DOS File Allocation Table file-handling structure. The IBM PC LAN program uses workstations as nondedicated servers on which users identify subdirectories that other users can access. The 3+Share network generally requires a dedicated server to control network functions and the sharing of files and printers. Access to these networks is controlled through user IDs and passwords. Access to subdirectories and printers is controlled through use of additional, shared passwords.

These DOS-based LANs share certain weaknesses. They allow users to repeatedly guess passwords and do not suspend users for repeatedly trying false ones. They do not provide violation reports of invalid password attempts for log-on access or access to LAN resources, and because their password files are not encrypted, users can obtain passwords by learning where and how they are stored. For example, passwords can be stored in DOS .BAT files so that they will automatically grant access when the user boots up the microcomputer. Passwords can also be read in .BAT files. Networked systems cannot provide access control reporting. Because users are allowed to share passwords, it is impossible to determine who uses each password. The MS-Net network operating system does not provide problem management logs, resource utilization history reports, or the mirroring of disk drives or servers. LAN administrators have unlimited access to these networks, and there is no reporting of LAN administrator activity. Finally, because DOS-based servers can be booted without LAN software, their data is never secure.

Although these early LAN systems do not offer well-developed security management, they are still being used. The best recommendations for securing them are to avoid storing sensitive data in shared environments and to rely on physical security by storing data on diskettes or hard drives that do not allow access to the data through the network.

Novell's NetWare

By far the most popular LAN management system, Novell's NetWare runs on most hardware and wiring media. Novell's NetWare 4.0 is the latest version of the NetWare operating system. It offers consolidated security administration among multiple servers using the new global naming scheme Network Directory Services (NDS). The command for network administration is NWADMIN, which combines SYSCON, PCONSOLE, PRINTCON, and RCONSOLE. NetWare 4.0 also furnishes the authority to review events on the network but not to change them. This improves on the NetWare 3.11 security features that are discussed next. Novell supports releases for 286, 386, 486, and Pentium machines, and has a peer-to-peer network called Personal NetWare. Novell's server operating system is designed for shared processing in a LAN environment. Because its improved file structure allows for efficient file access, it outperforms the earlier DOS-based LANs. NetWare also has backup and disk and server mirroring, features to maintain processing when a hard drive or server fails.

Novell security is based on user IDs (called accounts) and passwords. The system administrator (also referred to as the supervisor) first assigns IDs to group profiles and then assigns access capabilities to users and group profiles. The command for the menu options to set up and report on user access is called SYSCON. SYSCON menu options are displayed in Exhibit 1.

Menu of SYSCON Options

    Available Topics
    -----------------
    Accounting
    Change Current Server
    File Server Information
    Group Information
    Supervisor Options
    User Information

Several of the security options that the supervisor can set are shown in Exhibit 2. These include:

· Mandatory passwords at the system level.

· ID expiration.

· Prevention of concurrent log-ons under the same ID.

· Enforcement of periodic password changes.

Sample Recommended Access Capabilities on Novell LANs

    Default Account Balance/Restrictions
    --------------------------------------
    Account Has Expiration Date:      No
    Date Account Expires:
    Limit Concurrent Connections:     No
    Maximum Connections:
    Create Home Directory for User:   Yes
    Require Password:                 Yes
    Minimum Password Length:          5
    Force Periodic Password Changes:  Yes
    Days Between Forced Changes:      60
    Limit Grace Log-ons Allowed:      Yes
    Grace Log-ons Allowed:            1
    Require Unique Passwords:         Yes
    Account Balance:                  0
    Allow Unlimited Credit:           No
    Default Balance Limit:            0

Other security options include:

· Intruder detection and lockout, which limits password attempts (as shown in Exhibit 3).

· Definition of the directories that an ID or group profile can access and the type of access allowed (Exhibit 4 and Exhibit 5). Read, write, create, erase, and access control allow users to change access to the subdirectories, the file scan directory, and modify directory.

· Specification of log-on times by time of day and day of week (Exhibit 6).

· Specification of workstation log-on addresses for each user.

Sample Intruder Detection and Lockout Screen Showing the Options That Prevent Password Guessing on Novell LANs

    Intruder Detection/Lockout
    ----------------------------
    Detect Intruders: Yes

    Intruder Detection Threshold
    Incorrect Log-on Attempts: 3
    Bad Log-on Count Retention Time: 40 Days 0 Hours 0 Minutes

    Lock Account After Detection: Yes
    Length of Account Lockout: 0 Days 0 Hours 0 Minutes
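The following is an added example, not part of the original article and not Novell code: a small Python model of the counters behind the intruder detection and lockout settings above, replayed over constructed log-on events. Resetting the count on a successful log-on, and treating a zero-length lockout as one that expires immediately, are assumptions of this model rather than documented NetWare behaviour.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class LockoutPolicy:
    """Field defaults mirror the values on the sample screen above."""
    detect: bool = True                          # Detect Intruders
    threshold: int = 3                           # Incorrect Log-on Attempts
    retention: timedelta = timedelta(days=40)    # Bad Log-on Count Retention Time
    lock: bool = True                            # Lock Account After Detection
    lockout: timedelta = timedelta(0)            # Length of Account Lockout


@dataclass
class Account:
    bad: List[datetime] = field(default_factory=list)   # times of bad attempts
    locked_until: Optional[datetime] = None


class IntruderDetector:
    def __init__(self, policy):
        self.policy = policy
        self.accounts = {}
        self.alerts = []          # (time, user) for each detection

    def attempt(self, user, when, password_ok):
        """Process one log-on attempt and return its outcome."""
        p = self.policy
        acct = self.accounts.setdefault(user, Account())
        # A locked account refuses even the correct password.
        if acct.locked_until is not None and when < acct.locked_until:
            return "LOCKED"
        if password_ok:
            acct.bad.clear()      # assumption: success resets the count
            return "OK"
        if not p.detect:
            return "DENIED"       # unlimited guessing, nothing recorded
        # Forget bad attempts older than the retention time, then count this one.
        acct.bad = [t for t in acct.bad if when - t <= p.retention]
        acct.bad.append(when)
        if len(acct.bad) < p.threshold:
            return "DENIED"
        self.alerts.append((when, user))
        acct.bad.clear()
        if p.lock:
            acct.locked_until = when + p.lockout
        return "DETECTED"


def replay(policy, events):
    """Run (time, user, password_ok) events through a fresh detector."""
    detector = IntruderDetector(policy)
    outcomes = [detector.attempt(user, when, ok) for when, user, ok in events]
    return outcomes, detector.alerts


# Constructed events: four wrong passwords a minute apart, then the right one.
T0 = datetime(1992, 7, 6, 16, 0, 0)
GUESSING = [(T0 + timedelta(minutes=i), "USER01", False) for i in range(4)]
GUESSING.append((T0 + timedelta(minutes=4), "USER01", True))

AS_SHOWN = LockoutPolicy()                                   # lockout of 0 minutes
WITH_LOCKOUT = LockoutPolicy(lockout=timedelta(minutes=15))  # hypothetical value
NO_DETECTION = LockoutPolicy(detect=False)                   # DOS-based LAN behaviour

if __name__ == "__main__":
    for name, policy in [("as shown", AS_SHOWN), ("15-minute lockout", WITH_LOCKOUT),
                         ("no detection", NO_DETECTION)]:
        outcomes, alerts = replay(policy, GUESSING)
        print(f"{name:18} {outcomes} alerts={len(alerts)}")
```

In this model the zero-length lockout records the detection but lets guessing resume on the next attempt, so a reviewer checking these settings should confirm that the lockout length is non-zero.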

Sample User Screen Showing Novell Access Capabilities by Subdirectory

    USER Names    Trustee Directory Assignments
    ----------    --------------------------------
    USER01        SYS:MAIL/A000002    [ RWCENF ]
    USER02        VOL1:USERS/USER01   [ RWCENFA]
    USER03
    USER04
    USER05
    USER06
    USER07
    USER08
    USER09
    SUPERVISOR

Sample Screen Showing How Directory Access Can Be Assigned to Groups in a Novell LAN

    Group Names    Trustee Directory Assignments
    -----------    -----------------------------
    EVERYONE       SYS:MAIL     [ C ]
    EXCEL          SYS:PUBLIC   [ R F ]
    WINWORD

Sample Screen Showing Times that a User Can Log onto a Novell LAN

    Default Time Restrictions
    ------------------------------
    (hour columns, AM through PM)
    Sunday
    Monday       ***********************
    Tuesday      ***********************
    Wednesday    ***********************
    Thursday     ***********************
    Friday       ***********************
    Saturday

Novell network systems provide minimal, system-generated problem logs that list system errors, directory rights, and log-on violations (Exhibit 7).

Sample File Server Error Log Showing Operating System Errors and Invalid Log-ons on a Novell LAN

File Server Error Log
-------------------------

7/6/92 3:56:05 pm Severity = 0.1.1.60 Bindery open requested by the SERVER

7/6/92 4:17:19 pm Severity = 0.1.1.62 Bindery close requested by the SERVER

7/6/92 4:17:20 pm Severity = 4.1.1.72 Server TTS shut down because backout volume SYS was dismounted

7/6/92 4:38:39 pm Severity = 0.1.1.60 Bindery open requested by the SERVER

NetWare versions 2.2 and 3.11 have their security weaknesses, however. Novell supervisors have complete access to the system; their activity is not logged by the operating system. Novell security controls access only to the server; access to workstations must be controlled through additional security packages. NetWare does not automatically log off terminals that have been inactive for a long period of time. Violation reporting is also weak. For example, although unsuccessful log-on attempts are logged, invalid attempts to access data are not.

Nevertheless, Novell LANs reliably secure applications software and data stored on servers. The addition of third-party security packages can allow users to run critical or sensitive business applications securely.

Microsoft's OS/2 LAN Manager and IBM's LAN Server

Security measures for Microsoft's LAN Manager and IBM's LAN Server are controlled by a user whose ID is designated as having administrator authority. There is no user ID with audit authority, so an auditor should work with a LAN administrator to review access controls.

On IBM's LAN Server, security is controlled for users and groups through user profile management. LAN services and LAN requestor are used to assign access capabilities according to user or group ID.

LAN Manager security is administered using the NET ADMIN command. On the screen that this command calls up (Exhibit 8), the administrator can view resources on the network and access permissions (View), send messages (Messages), set server options (Config), review server statistics, audit trail and error log (Status), and manage accounts (Accounts). With accounts selection, users and groups can be set up or their current status can be reviewed (the two screens are shown in Exhibit 9 and Exhibit 10).

LAN Manager Screen for Starting Security Administration

Selecting a User Group on LAN Manager

Viewing a User Group on LAN Manager

Two types of IDs are significant. The first is Admin; it allows complete network access. The other is guest, which is a default access. If the guest account is not password protected, a user can access the server with any password or no password at all. Guest capabilities should be restricted. When the operating system is installed, the default account is Admin and the password is “password.” Administrators can also set up “privileged” programs (e.g., Netrun programs), which run under administrative authority.

The user account option allows the administrator to enter a user description and password. With the group option, group members can be added or removed and assigned access capabilities. Four operator privileges can also be set (these are shown in the lower portion of the screen in Exhibit 11):

· Server. The operator is able to start and stop LAN services, share resources, and review the error log.

· Accounts. The operator can create, remove, modify, and add users and groups, but cannot add or modify administrators.

· Print. The operator can create and modify print queues.

· COM. The operator can modify and share communication device queues.

Setting Operator Privileges

On OS/2 LANs there are two methods for restricting access to files and subdirectories. The first is share-level security (screen shown in Exhibit 12), which is similar to what early DOS-based LANs provided.

Share Level Security on LAN Manager

This level of security requires an additional password to access the resources. The available permissions are read, write, create, execute, delete, set physical file attributes, or allow access to administrators only. In addition, it is possible to limit the number of users that can access a resource (e.g., a subdirectory) at one time. This feature could be used to comply with license agreements. Share-level security should be used only for low-risk situations because the additional password to access subdirectories is shared and there is no way for management to positively know who has access to what resources.

The second method for restricting access to resources is based on the user or group IDs. The levels of access (e.g., read, write, create) available are the same as with share-level security. However, this is an improved method of security because management can restrict access based on the job functions of a user or group of users. In the example shown, the groups ADMINS and USERS have read, write, create, delete, and modify file attributes to the server directory C:\RECORD2. When reviewing access permissions, the auditor must keep in mind that users with the administrator privilege have access to all resources regardless of these access permissions.

With user-level security, it is also possible to audit access resources. As seen in the example shown in Exhibit 13, the events that can be audited include successful and denied file opens, successful and denied writes to the file, successful and denied file deletions, and changes to the access lists for the resource. These parameters can be set by resource (e.g., by directory or file).

Auditing Access Resources

In addition, system-level events can be audited, including successful or denied log-ons, successful or denied access, changes to users or group lists, changes to access lists, and resource access.

Exhibit 14 is an example of the audit trail screen showing audited events. An ID with administrator authority can remove all audited events.

An Audit Trail Screen

OS/2 LANs also have the following services (Exhibit 15):

· Alerter, which sends messages about network events (e.g., violations or the hard disk reaching capacity) to specified users.

· Messages, which allows the user to send and log messages.

· Netlogon, which verifies the username and password supplied by each person who logged on to the network or gained access to the server.

· Netpopup, which displays a message box.

· Netrun, which enables OS/2 workstations to run programs on the server.

· Remote boot, which enables a server to boot OS/2 or DOS workstations.

· Replicator, which duplicates a master set of directories and files.


· Server, which allows the sharing of printers and files.

· Timesource, which enables an administrator to designate a server as a central time server that will be used for synchronizing computer clocks in the network.

· Uninterruptible power supply (UPS), which is used to keep a computer running in the event of a power failure.

Other LAN Manager Services

OS/2 LANs allow the administrator to set a minimum password length, require password uniqueness (prevent reusing passwords), set a minimum and maximum password age, force a log-off after a user's session expires, lock accounts after so many bad passwords, and set the server's role in the domain. A domain is a group of servers that are grouped together to administer security. There are four roles within a domain:

· Primary domain controller. It has a master copy of user accounts and validates log-ons.

· Backup domain controller. It has a backup copy of the accounts data base and can also validate log-ons.

· Member server. It has a copy of the accounts data base but does not validate log-ons.

· Standalone server. It is not a part of the domain and has a separate user accounts database.

In addition, on an OS/2 LAN, log-on times can be restricted. Exhibit 16 shows log-on access seven days a week, 24 hours a day. Exhibit 17 shows a log-on restriction only, allowing access from 6 am to 7 pm Monday through Friday.

A User with No Access Time Restrictions

Access Restricted to 13 Hours per Day, Monday through Friday

OS/2 LAN Manager networks do exhibit several security weaknesses. LAN administrators have complete access to the server, and there is no logging of LAN administrator activity. Although these systems provide logging capabilities, an entire log file must be manually searched to find specific entries. Finally, OS/2 LAN Manager does not provide security at the workstation level. However, with third-party security packages to control these weaknesses, OS/2 LAN Manager can provide adequate security to run critical or sensitive business applications.

Windows New Technology (NT)

This operating system is a recent introduction by Microsoft. It has a user interface similar to the DOS version of Windows, but the operating system is completely rewritten and has improved security. NT's workstation version provides some server functions, and there is Windows Advanced Server, which provides dedicated server functions. NT introduces a new file structure called NTFS, which has improved security and performance features. A drive can be formatted using either the DOS-based File Allocation Table structure or NTFS. If the file allocation table structure is used, the user can bypass Windows NT security by booting up the microcomputer with a DOS diskette.

Windows NT's domain-level security features are similar to OS/2's. Domain-level security allows a collection of computers to share a common security data base. When users sign on to the domain, they are granted access to files or directories, based on their user or group ID. Auditing is available by resource and at the system level. A sample audit policy screen is shown in Exhibit 18. There are three types of logs: the system log records events logged by the Windows NT system, the application log records events logged by applications, and the security log records security events (a sample security log is shown in Exhibit 19).

Windows NT User Management Screen

Sample Security Log on Windows NT

The administrative features are called up from the Windows NT main menu with the administrative tools icon. This brings up icons for user manager (shown in Exhibit 20), disk administrator, performance monitor, backup, and event viewer functions. New users are added to the system and security is administered from the event viewer.

Windows NT Main Administrative Menu

Windows NT also makes it possible to dial in to the network from a remote workstation through the use of remote access services. The remote workstation acts as though it is attached to the LAN. Multiple levels of security are available for remote access: integration with Windows NT security, encrypted authentication, and callback for identifying users.

Microcomputer Security Packages

Because none of the network systems reviewed in this article secure individual workstations, many companies use add-on security products with their LANs. Common packages include Pyramid Development Co.'s PC-DACS and Fischer International System Corp.'s Watchdog.

These packages require users to enter log-on IDs and passwords to successfully boot their microcomputers. Users who boot from diskettes cannot access data because the data on the hard drives is encrypted. To prevent unauthorized data modification or disclosure, most packages encrypt using the Data Encryption Standard.

Add-on security packages allow security administrators to set system parameters and optionally allow users to change these parameters. Log-on security features provide for workstation time-out, the setting of password expiration dates, and suspension of user IDs to prevent guessing; users can also be allowed to change their own passwords.

Microcomputer security packages usually control access to microcomputer directories and files through use of log-on IDs; however, these systems also control access to subdirectories by requiring an additional password. As with the LAN systems previously discussed, these microcomputer security packages can restrict access by function (i.e., read, write, create or delete, and execute). These packages can allow users to execute programs but not copy them.

Reporting capabilities include microcomputer use statistics, invalid log-on attempts, invalid resource-access attempts, and security administrator activity. A sample Watchdog report and reporting options are shown in Exhibit 21 and Exhibit 22.

Sample Watchdog Administration Report Showing User Access by Area

Sample Watchdog Administration Screen Showing Reporting Options

Advanced LAN Security Topics

Other threats to networks require the use of specialized security software packages. In this section, the requirements for antivirus software and dial-access protection are reviewed. In addition, some security problems associated with diagnostic and gateway communications products are discussed.

Virus Detection and Prevention

A virus can be extremely damaging to a LAN because it can destroy many more hard drives than the one into which it was introduced. The most effective way to prevent virus infection is to purchase software only from reputable vendors. However, this strategy is not foolproof and is almost impossible to implement in large organizations. Therefore, it is becoming a common and recommended practice to run antivirus packages on LAN processors as well as on standalone microcomputers.

Antivirus software protects against viruses in several ways. Such software can prevent inappropriate access to sensitive system files and can test files for unauthorized changes by checking file size and bit patterns against a controlled copy. Most virus packages scan for signs of known viruses and alert users if any are present. Some packages can also remove viruses after an infection. The best way to recover from a virus, however, is to maintain several generations of backups so that users are able to restore files from an uninfected source.
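The change test described above, as an added example that is not from the original article or from any antivirus product: a Python sketch that fingerprints a controlled copy by file size and SHA-256 digest (a modern stand-in for the "bit patterns" check) and classifies how a live directory differs from it. The file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return (size in bytes, SHA-256 hex digest) for one file."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return size, digest.hexdigest()


def snapshot(root):
    """Map every file under root (by relative path) to its fingerprint."""
    result = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = fingerprint(full)
    return result


def compare(baseline, current):
    """Classify how the live tree differs from the controlled copy."""
    report = {"missing": [], "added": [], "size_changed": [], "content_changed": []}
    for rel, (size, digest) in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel][0] != size:
            report["size_changed"].append(rel)
        elif current[rel][1] != digest:
            # Same length, different bytes: a size check alone would miss this.
            report["content_changed"].append(rel)
    report["added"] = [rel for rel in current if rel not in baseline]
    return {kind: sorted(paths) for kind, paths in report.items()}


def write(root, name, data):
    """Create or overwrite one file under root."""
    with open(os.path.join(root, name), "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed controlled copy and a tampered live copy, then compare."""
    # Constructed sample files; names and contents are illustrative only.
    files = {"LOGIN.EXE": b"A" * 128, "SYSCON.EXE": b"B" * 64, "MAP.EXE": b"C" * 32}
    with tempfile.TemporaryDirectory() as controlled, \
            tempfile.TemporaryDirectory() as live:
        for name, data in files.items():
            write(controlled, name, data)
            write(live, name, data)
        baseline = snapshot(controlled)
        write(live, "LOGIN.EXE", b"A" * 127 + b"Z")    # same size, different bytes
        write(live, "SYSCON.EXE", b"B" * 64 + b"XX")   # grew by two bytes
        os.remove(os.path.join(live, "MAP.EXE"))       # deleted
        write(live, "NEW.COM", b"D" * 16)              # not in the baseline
        return compare(baseline, snapshot(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:16} {paths}")
```

The baseline is only as trustworthy as the controlled copy, so it belongs on media the monitored machines cannot write to.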

Dial Access

Remote microcomputers can easily access networked microcomputers through use of a modem and communications software (e.g., Microcom, Inc.'s Carbon Copy). The software allows the LAN-based microcomputer to accept incoming phone calls that log on with an authorized user ID and optional password. Users can dial in from any location and execute commands on the networked computer as if it were their own.

Communications software, however, can be compromised by hackers. Password protection is optional on these packages and they are not able to ensure that remote access originates from an authorized location. Dial-back capabilities can alleviate this vulnerability. After a user dials up and logs on to a LAN system with dial-back capabilities, the initiating and receiving microcomputers hang up; the LAN-based microcomputer then calls the remote microcomputer at a predetermined phone number associated with the ID the remote user gave when logging in. Dial-back protection should be used to secure all critical or sensitive business systems that can be accessed remotely.

Network Diagnostics Equipment and Gateways

Many types of equipment monitor LAN traffic to tune operations and diagnose problems. However, they can also view and capture sensitive data being transmitted across the network. Therefore, although they are necessary tools for LAN administration, their use should be properly controlled by authorized individuals.

Gateways connect networks running on different architectures. They commonly connect LANs to mainframes so that microcomputers can act as intelligent terminals and provide users with mainframe processing capabilities. However, some gateway products can also capture data flowing from microcomputers to mainframes, including sensitive information. Gateways should be physically secure and restricted to authorized users.

Conclusion

Tools are now available to properly control LAN applications. When choosing among them, the communications systems manager must assess the risk inherent in the applications being controlled, establish security standards and procedures, and apply the appropriate level of control. This process is well worth the effort, because breaches of LAN security can be very damaging.
