Evaluating the Security of Computer Networks
Security in Systems Architecture and Applications SE579

2
Table of Contents

Evaluating the Security of Computer Networks

I. Vulnerabilities
A. Design Flaws
B. Poor Security Management
C. Incorrect Implementation
II. Firewalls
A. Packet Filtering
B. Circuit Level Gateway Proxy Server
C. Application Gateway
III. Antivirus
A. Scans
IV. Intrusion Detection Systems

V. Disadvantages
VI. Conclusion 3

One of the major computing challenges in today’s economy is the lack of adequate security over the information computer networks, and internet applications in which business, government, and economy depend on. Businesses have become more dependent on information. The gathering, organizing, managing, finding, and analyzing of information are crucial to businesses. Computer viruses created by hackers cost businesses $55 billion in 2003. In 2011, a single instance of hacking on the Play Station cost Sony more than $170 million, while Google lost $500,000 due to hacking in 2005.(Coyne) 2003 Single instances of hacking may cost as much as $600,000 to $7m a day for online businesses in 2011, depending upon the revenue of the operation. In addition the monetary cost arisen from computer hacking, instances of hacking costs organizations considerable amounts of employee time, resulting in the loss of yet more money. While large businesses possess the financial framework to absorb such costs, the loss of revenue and employee time may prove markedly detrimental to small organizations.(Power)2011 An organization can be faced with vulnerabilities. Among the most frequently mentioned sources of security vulnerability problems in networks are designs flaws, poor security management, incorrect implementation, internet technology vulnerability, the nature of the intruder activity, and social engineering

4 Whenever a computer is connected to the internet it is potentially subjected to attacks from malicious programs such as viruses, Trojan, and spyware. Firewalls, Antivirus, and Intrusion prevention and detection software are all types of internet security programs that can limit the chances of a breach of network security. In this research paper I will discuss the advantages and disadvantages of firewalls, Anti-virus software, and intrusion detection system although all are important for network security. Is one better than the other? A firewall is the first line of defense for your network. A firewall can be a hardware device or a software application and generally is placed at the perimeter of the network to act as the gate keeper. There are four mechanism used by firewalls to restrict traffic. One device or application may use more than one of these in conjunction with each other to provide more in depth protection. The four mechanisms are packet filtering, circuit level gateway proxy server and application gateway. The application gateway is considered to be a more advanced and secure firewall mechanism than the other three, but it uses more resources and can be slower. Packet filtering is generally faster and easier to implement, but is susceptible to attack from users faking their source port to trick your firewall into thinking that the traffic should be allowed through. Fire walls provide better content filtering capabilities as they have the ability to examine the entire network packet rather than just the network addresses and ports means. They have more extensive logging capabilities too, such as application specific commands, which provide valuable information for dealing with security incidents and policy implementation. Since all incoming and outgoing traffic is inspected at the application level, it must pass through all seven layers of the OSI model prior to being inspected, whereas packet filtering methods look at the traffic at the network layer. Because the firewall must consume CPU cycles reading and interpreting each packet, the inspection process require s more processing power, which has the potential to become a bottleneck for the network. 5

This means application firewalls are more susceptible to and therefore are less suited bandwidth or real time applications. The firewall can also be vulnerable to the security loopholes of the underlying operating system. Another disadvantage of application firewall is that each protocol, such as HTTP, SMTP, etc., requires its own proxy application, and support for new network applications and protocols tends to be limited. Although most firewall vendors provide generic proxy agents to support undefined network protocols or applications, they tend to allow traffic to tunnel through the firewall, negating many of the reasons for operating an application firewall. Application firewall typical requires clients on the network to install specialized software or make configuration changes to be able to connect to the application proxy. This can have quite an impact on larger networks. Antivirus and Antispyware software products analyze files to protect against viruses, worms, Trojan horses and other malware, as well as to block spyware such as key loggers. Signature based scanning is the most common type of malware detection, and is particularly effective against known threats. One drawback is that there is always a lag between the time when threats are identified and the deployment of the signature for updating antivirus applications. This makes it difficult for signature based systems to keep up with the fast changing malware threats. About ten years ago, it was said that an antivirus solution didn't need to protect systems against every new virus and Trojan. After all, the majority of new malicious programs which were appearing at this time would never penetrate the user's computer. They were written by adolescent cyber vandals, who either wanted to show off their coding skills, or to satisfy their curiosity. Users only really needed protection against the few attacks which managed to actually penetrate victim machines. However, the situation has now changed. More than 75% of malicious programs are created by the criminal computer underground, with the aim of infecting a defined number of computers on the Internet. The number of 6

new viruses and Trojans is now increasing every day by hundreds. (Krutz)2007 The third problem faced by the antivirus industry is deleting malicious code detected on the victim machine. Very often viruses and Trojans are written in a way which enables them to hide their presence in the system and or to penetrate the system so deeply that deleting them is a complex task. Unfortunately, some antivirus programs are unable to delete malicious code and restore the data which has been modified by the virus without causing further problems. An additional issue is that all software uses system resources, and antivirus programs are no exception. In order to protect the computer, the antivirus program has to perform certain actions such as opening files, reading information in them, and opening archives to scan them. The more thoroughly a file is checked, the more resources are required by the antivirus solution. In this way, an antivirus solution is similar to a security door - the thicker the door is, the more protection it will offer; however, the heavier the door is, the more difficult open and closing it will be. When talking about antivirus solutions, the problem is balancing program speed against the level of protection provided. Intrusion prevention and detection systems are similar to firewalls in that they examine network traffic and allow or block traffic based on set rules. IPS examines the data portion of network traffic to look for common elements in normal appearing network traffic. This allows the system to detect and stop attacks that might get passed firewalls and other defenses. These include worms, viruses, trojans, denial of service attacks, peer-to peer bandwidth floods, spyware, phishing, cross site scripting, structured query language injections, Voice over internet Protocol attacks and whatever other threats are emerging against operating systems.

7

Firewalls can prevent various levels of network attacks. They can permit or deny specific features of an application or particular users. One downside to Firewalls is that they cannot block holes found in most web applications that allow hackers to attack web sites directly through URL manipulation. The most obvious disadvantage of a firewall is that it may likely block certain services that users want, such as TELNET, FTP, X Windows, NFS, etc. However, these disadvantages are not unique to firewalls. Network access could be restricted at the host level depending on a site's security policy. A well planned security policy that balances security requirements with user needs can help greatly to alleviate problems with reduced access to services. Some sites may have a topology that does not lend itself to a firewall, or may use services such as NFS in such a manner that using a firewall would require a major restructuring of network use. For example, a site might depend on using NFS and NIS across major gateways. In such a situation, the relative costs of adding a firewall would need to be compared against the cost of the vulnerabilities associated with not using a firewall, i.e., a risk analysis, and then a decision made on the outcome of the analysis. Other solutions such as Kerberos may be more appropriate, however these solutions carry their own disadvantages as well contains more information on Kerberos and other potential solutions. Secondly, firewalls do not protect against back doors into the site. For example, if unrestricted modem access is still permitted into a site protected by a firewall, attackers could effectively jump around the firewall. Modem speeds are now fast enough to make running SLIP (Serial Line IP) and PPP (Point-to-Point Protocol) practical; a SLIP or PPP connection inside a protected subnet is in essence another network connection and a potential backdoor. Firewalls generally do not provide protection from insider threats. While a firewall may be designed to prevent outsiders from obtaining sensitive data, the firewall does not prevent 8

an insider from copying the data onto a tape and taking it out of the facility. Thus, it is faulty to assume that the existence of a firewall provides protection from insider attacks or attacks in general that do not need to use the firewall. It is perhaps unwise to invest significant resources in a firewall if other avenues for stealing data or attacking systems are neglected. Anti-virus software includes a number of programs designed to scan your computer's hard drive for intrusions, viruses and different types of malware. It also helps to prevent these programs from being downloaded onto your computer. The software then may carry out functions to delete or quarantine the infectious files. Computer viruses can be a dangerous threat to computers, but not all anti-virus software is fool-proof. Although the benefits of anti-virus software outweigh the consequences of malware, sometimes anti-virus programs block access to legitimate programs. One of the drawbacks of anti-virus software is its heavy dependence on computer resources. Most computers, when running a virus scan, can do little to nothing else. While one of these scans is running, accessing folders, the Internet, or applications can slow to a crawl. Sometimes, the computer may lock or freeze up.
Intrusion Detection Prevention systems use several response techniques, which involve stopping the attack itself, changing the security environment, or changing the attack’s content. One of the most common problems with an IPS is the detection of false positives or false negatives, this occurs when the system blocks a activity on the network because it is out of the normal and so it assumes it is malicious, causing denial of service to a valid user, trying to do a valid procedure; or in the case of a false negative,

9 do little to nothing else. While one of these scans is running, accessing folders, the Internet, or applications can slow to a crawl. Sometimes, the computer may lock or freeze up. There will almost always be false positives; however it should be one of the main goals of the network administration. Another problem with IDS is that is difficult and expensive to collect a large number of scripts that have been attacked. It takes time to find relevant scripts to a particular test environment because they are widely available on the internet. Firewalls are used to limit incoming transmissions to those that are least likely to contain bad data. Antivirus programs look at the effect that the incoming data on systems. An Intrusion Detection system is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. Organizations use IDPS for identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPS have become a necessary addition to the security infrastructure of nearly every organization

With a plethora of vulnerabilities out there, security administrators need to constantly mitigate risk associated with the ever changing environments and applications being introduced. Firewalls, Anti-virus, and Intrusion Detection Systems are all invaluable tool, but there is no secret weapon for stopping network attacks. “They can be a great addition to a solid, layered defense among other things, but one should not replace the other” (Bradley) 2005. As each system possesses strengths and weaknesses, selecting just one for complete protection results in too much risk to the network. Combining different technologies will reduce risk and exposure to threats down to acceptable levels.

10

References

Bradley, T Things To Look For in The Last Line of Defense 2005
Gish, J http://smallbusiness.chron.com 2009
Krutz, R Vines,R The CISSP and CAP Prep Guide 2007
Lesson, P “The Economic of Computer Hacking” 2003
Scarfone, K “Guide to Intrusion Detection and Prevention System (Feb 2007)