10.1 Introduction - 10.2 The risks (viruses, hacking, ...) - 10.3 Basic Internet connection - 10.4 Various points of a professional connection - 10.5 Firewall - 10.6 Remote access - 10.7 Backup via Internet
This chapter covers communications between computers and the security measures that go with them. Most of it concerns the connection to the Internet (firewall, VPN), but it also covers the remote takeover of a computer or a network from a computer connected by a telephone line or via the Internet (remote disk sharing, for example), telecommuting, and so on. All these connections can be handled in hardware or in software; the two possibilities always exist side by side. We will look at the hardware possibilities in detail. This prepares us for the next course: network structure.
A short reminder of the security risks (viruses, hacking, ...).
As everyone knows, a virus is a program whose purpose varies (that is one way of putting it). Here, roughly, are the types of viruses according to the way they work. For the list of the viruses currently on the "market", visit any antivirus vendor's site.
The most common solution is an up-to-date antivirus program. Current antivirus software detects practically all the viruses present on the Internet (apart from some new ones). Viruses attached to e-mail are also detected. Disinfection ranges from removing the attached virus to the outright deletion of the file if it cannot be repaired.
At the hardware level, some routers and VPN devices include an antivirus directly. Other devices are used only for that (PANDA makes a model of this type). SYMANTEC GATEWAY Security also includes (among other things) an antivirus. The advantage is that the automatic daily updates take place on a single node: the router at the entry/exit point between the Internet connection and the internal network. When a virus is detected in an e-mail (whatever its type), the mail is returned directly to the sender without ever setting foot on the internal network, let alone on the recipient's PC. The drawback is the other entry points: diskettes, pirated CDs, Internet connections via other paths (a notebook's modem, for example). This solution is therefore only partly effective.
The risks of intrusion are a fashionable subject. Various hacking methods will be examined.
The first method consists in injecting a program into your computer (via an e-mail, for example). This server-side program will respond to any request from a client (the program of whoever is attempting the intrusion) on a TCP or UDP port. The ports are specific to each Trojan (also called a backdoor). I leave you to the specialized sites for the list of these worms and their specific ports; that goes beyond the scope of this hardware course. Since these programs are easy to find on the Internet, any kid is able to use them; in practice, on the other hand, it requires that a program be installed on your computer or on a PC of the network. In short, if the client is not installed on the system, there is no risk. The second method consists in using security flaws in Microsoft products, whether in the Windows operating system, Internet Explorer or Outlook (all versions). Definitely harder, this approach is reserved for professionals. It is what allowed a firewall-testing site to open my CD-ROM drive remotely. With a software firewall on the workstation and the network protected by a hardware firewall, I nevertheless felt fairly safe. The solution consists in keeping up with Microsoft's security service packs (as long as the new versions do not open other holes). The third method, by far the most underhanded, consists in modifying information in the TCP/IP frames of a legitimate message so that the attacked PC (or router) believes that the information really comes from the requested site, as in the diagrams below. To counter these attacks, it is imperative that every frame be analyzed before it is read by the browser.
The goals are multiple: theft of information and, in many cases, using this PC as a relay for other attacks. The target then sees the attack as coming from the "hacked" PC.
These are both programs that use Internet Explorer to carry out various tasks for commercial purposes. These types of programs are not regarded as viruses. They are therefore neither detected nor removed by an antivirus! Free software can be downloaded from the Internet to remove them.
Security problems are regularly found in Microsoft's operating systems, browsers and mail programs. They are used for intrusions as well as for the spread of viruses. The only solution is to update your programs from Microsoft's site.
Probably the worst. Introduced with Windows XP and Internet Explorer 6.0, each of your movements on the Internet is analyzed. This is not really the province of a hardware course.
Another worrying security problem on the Internet. A recent arrival in the world of connections, this type of attack is rather fatal. It consists in sending a maximum of requests to a web server or a router in a minimum of time. The device, no longer able to keep up, literally crashes.
The method consists in sending multitudes of ICMP echo-request packets while modifying the source address of each packet. The commands sent are many small packets of 64 KB or less. The target can no longer answer connection requests because all the bandwidth is used up.
This is the method of the spoiled kid who cannot manage to get into a site, so he crashes it. On the other hand, it is also a much more professional method in certain cases. Indeed, to deliver a maximum of commands at the same time, the best approach remains to use a maximum of PCs at the same time for the attack. Nothing better than installing a Trojan on the PCs of ordinary amateurs and asking all those PCs to send the same commands at the same time.
Attacks of the Teardrop, Newtear, Boink... type are almost identical to the denial of service above, except that they target only computers (servers included) connected directly or even via a router. This type of attack targets 32-bit Windows systems (Win 95, 98, Me, XP (Pro), NT and 2000) but also Linux operating systems earlier than 2.0.32 (as Linux is outside my competence, to be checked). Apparently, Mac and Unix systems can also be damaged by these attacks. Apart from Windows 3.11 and DOS (but how does one get on the Internet in DOS?), all are thus targeted. The attack is no longer made on a server but on the connected workstations. This type of attack consists in sending TCP/IP packets that overlap (called OOB = Out Of Band). The target computer tries to rebuild the information and, finally failing to do so, crashes. Under Windows, you end up with a beautiful blue screen and have no choice but to restart the machine.
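The check a firewall or intrusion detector applies against the overlapping-fragment attacks just named, as an added example for this course (not code from any product): fragments of one datagram are validated for overlap and gaps before any reassembly is attempted. The fragment records are constructed by hand.

```python
"""Detection of the overlapping-fragment attacks named above (Teardrop,
Newtear, Boink): validate a datagram's fragments before any reassembly is
attempted, which is the check a firewall or IDS applies. Added example for
this course, not code from any product; the fragment records are constructed
by hand."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    ident: int     # IP identification: shared by all fragments of one datagram
    offset: int    # where this piece starts in the reassembled datagram (bytes)
    length: int    # payload length of this piece (bytes)
    more: bool     # the "more fragments" flag; False on the last piece


def check_datagram(frags):
    """Return (verdict, detail). A healthy set tiles 0..end with no overlap."""
    if not frags:
        return "empty", "no fragments"
    pieces = sorted(frags, key=lambda f: f.offset)
    end = 0  # byte just past the last piece placed so far
    for f in pieces:
        if f.length <= 0:
            return "malformed", f"fragment at offset {f.offset} has no payload"
        if f.offset < end:
            # This is the Teardrop shape: the new piece starts inside the previous
            # one. A reassembler that trusts the offsets computes a copy length of
            # (f.offset + f.length) - end, which can be negative: that arithmetic
            # going wrong is the blue screen described above.
            return "overlap", (f"fragment at offset {f.offset} overlaps the piece "
                               f"ending at {end} by {end - f.offset} bytes")
        if f.offset > end:
            return "gap", f"{f.offset - end} bytes missing before offset {f.offset}"
        end = f.offset + f.length
    if pieces[-1].more:
        return "incomplete", "last piece still announces more fragments"
    return "ok", f"{end} bytes reassembled from {len(pieces)} fragments"


def inspect_traffic(frags):
    """Group fragments by identification and give a verdict per datagram."""
    by_ident = {}
    for f in frags:
        by_ident.setdefault(f.ident, []).append(f)
    return {ident: check_datagram(group) for ident, group in by_ident.items()}


def forwardable(frags):
    """What a firewall would let through: only datagrams whose verdict is 'ok'."""
    verdicts = inspect_traffic(frags)
    return [f for f in frags if verdicts[f.ident][0] == "ok"]


# Constructed sample traffic: a normal 3-fragment datagram (id 1, arriving
# out of order) and a Teardrop-shaped pair (id 2) whose second piece ends
# before the first one does.
SAMPLE = [
    Fragment(1, 2960, 300, False),
    Fragment(1, 0, 1480, True),
    Fragment(2, 0, 36, True),
    Fragment(1, 1480, 1480, True),
    Fragment(2, 24, 4, False),
]

if __name__ == "__main__":
    for ident, (verdict, detail) in inspect_traffic(SAMPLE).items():
        print(f"datagram {ident}: {verdict} ({detail})")
```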
Anonymity on the Internet: not so certain. Determining the IP address assigned to you by your provider remains child's play. A router protects your local TCP/IP addresses on the network by showing only the external address. In the case of connection sharing via the programs supplied with Microsoft operating systems, the internal addresses of the network are in fact directly detectable. Any intrusion or attack of any kind first requires the "hacker" to know the TCP/IP address of the target as seen from the Internet. The sport for him is then to find the internal addresses of the PCs or other stations of the network. As long as the WAN (Internet) address is invisible, he can do nothing. Inevitably, it is easier to detect when the local network is connected with a fixed TCP/IP address.
Likewise, your operating system and your Internet browser are automatically sent by your browser to the site, and the same goes for your screen resolution (dimensions and number of colors).
Proxy servers are caches that speed up connections. The mechanism is simple: when a page has just been read, the proxy keeps it in memory. If a request for the same page comes soon afterwards, the proxy does not download it from the Internet but serves it directly from its memory. Moreover, it is harder to track you, since you are not always in direct contact with the sites. These proxies can be external boxes, included in a dedicated computer of the local network (under Linux, for example), or provided directly by the provider.
Cookies are small text files loaded onto your computer. These cookies record your preferences. This makes it possible, for example, to land directly on the French version of Google.be. Not very dangerous, but these cookies often include information such as passwords (even if they are often encrypted) or the date of your last visit to a site. Some cookies make it possible to track you across various sites.
NAT (Network Address Translation) acts as a translation between the outside of the local network (the Internet) and the stations. The router builds a correspondence table of IP addresses. In this way, the outside cannot determine the internal address of a station. When data is received by the router, it forwards the information to the true recipient thanks to its table.
Internet connection sharing makes it possible to connect several computers on a TCP/IP network simultaneously with a single modem. Professional sharing is done via a router, but simpler setups directly use a modem connected to a PC. The modem can be an ordinary analog, ISDN or ADSL modem. Likewise, the modem can be internal, external serial, external USB or, for some ADSL modems, connected via a network card. In the first three cases, sharing can be done directly by the operating system (Windows 98 Second Edition, Windows Millennium, Windows 2000 or Windows XP). In the case of a connection via a network card, sharing can be done via a router or by software of the Wingate type. This software also ensures the security of the connections. In this last case, the PC doing the sharing gets 2 network cards.
One last remark: in the case of simple sharing via the Windows operating system, each computer can request the connection, but the connection can only be cut on the PC connected to the Internet. This poses no problem with ADSL, but beware of the telephone charges with PSTN (RTC) or ISDN. It is nevertheless possible to have the Internet connection cut after a certain period of time. In Internet Explorer, choose the Internet Options command. Select the connection (My connection, below) and click the Settings button. In the next window, select the "Advanced" button. Check the "Disconnect if idle for" box and type the number of minutes wanted.

Various software or hardware will nevertheless be placed between the network and the Internet, either to ensure security or to ensure the speed of the connection. These devices (or programs) provide various connection functions.
Before talking about the devices and solutions to implement for professional Internet connections, let us analyze the various possible problems. In the long run this will allow us to design our connection more easily.
In the case of a connection to the Internet, the first task is sharing. This allows several users to connect to the Internet at the same time (browsing, mail, news...). This necessarily involves a network installation. In that case, a computer or a device (generally a simple PC to which the modem is connected) must serve as the connection point.

According to the diagram above, each station has its own TCP/IP address (X.X.X.X@station1 and X.X.X.X@station2). Likewise, the access provider automatically assigns a TCP/IP address to the connection. Consider a request to display a site, identified by its own TCP/IP address, for example 238.128.128.128, which we will call X.X.X.X@site. At the time of the display request, station 1 sends the connection device its own address (for the reply) and the address of the site it wants to display (X.X.X.X@site). The access provider and all the components of the Internet will arrange for the site's information to be returned to the Internet TCP/IP address assigned by the access provider (X.X.X.X@ISP), which passes it to the connection device. This device then translates from its own Internet address to the private address of station 1.
The operation, though complex internally, is not too hard to implement with current software. This method is used by the Internet connection sharing built into Windows 98 SE, Millennium, 2000 or XP. This solution is not very secure: each address of the connected PCs is visible from the Internet. This practice is used for small home Internet connection sharing on a PSTN modem or on ADSL with a USB modem.
This Internet sharing solution uses a relay PC between the network and the Internet. The PC uses 2 network cards. One NIC is connected to the internal network; the second network card is connected to an Ethernet RJ45 modem. The software can be Wingate, some professional solutions (Symantec, for example) or a Linux-based solution. This scheme is used by Windows 2003 and 2008 Server. The relay PC must remain connected for the Internet connection to work.
The software provides various functions: NAT (Network Address Translation), proxy (masking) and even a firewall. The firewall, if it is built in directly (Linux), has functionality identical to a hardware firewall. You can also install on this relay PC a software firewall of the ZoneAlarm Pro type (the free version does not work on a network).

This software sharing solution belongs to the other second-year courses, in particular Linux. I will therefore not go into the details.

Internet use is completely transparent for the network. The router remains permanently connected. This hides the internal network (PC and peripheral addresses) from the outside, but does not prevent the risk of intrusion. Indeed, apart from the hidden addresses (NAT), the stations are directly connected to the Internet. A Trojan on a station will communicate through the network completely transparently. It is even likely that the hacker will not realize that he is on a network until he takes over the PC and gains access to all the file and peripheral shares.
This gives a semblance of security, hardly more.

This diagram represents almost the ideal security solution (the "almost" worries me). The router and the firewall can be housed in the same box. The modem can be integrated into the router or connected between the router and the Internet. This solution will be examined in an exercise of chapter 17: Sharing an Internet connection via a router-firewall with an ADSL RJ45 Ethernet modem.
Security does not rest on the assembly but on the way the firewall is configured. This holds for all firewall security solutions.
This is a particular use of the firewall. It is used when hosting on a server specific to the company, or as a decoy for various attacks. In the latter case one speaks of a bastion PC. Its use as a proxy server or transport server is also common.

The firewall in contact with the Internet will let through information on TCP port 80 (possibly 443) coming from outside the site, as well as information going from the internal site towards the Internet. In the case of a web server, the first firewall blocks outside attacks. Ports 20 and 21, for example, could be closed. On the other hand, information coming from outside will pass first through the external firewall, then through the DMZ server (in the case of a bastion PC), then through the second firewall.
It is not the maximum level of security, but the hacker is faced with 2, or even 3, barriers to open.
The firewall protects the computer installation from hacking. A firewall monitors communications from computers towards the Internet and vice versa. To do so, it analyzes, blocks or authorizes communications via UDP and TCP ports. This holds for Internet connections, but also between various parts of an internal network. A large share of "intrusions" are orchestrated from inside the company. Think, for example, of the employee who has just received his notice... There are 2 types of firewall: the software firewall and the hardware firewall.
Configuring a software firewall is not part of this hardware course; I will not dwell on it.
In Internet applications, to facilitate communications between identical applications, ports are used in both TCP and UDP. Each port is specific to a type of application. Browsing uses port 80 and news port 119, for example. Configuration consists in opening the doors (ports) needed by the normal applications, whether by originating or destination IP address (on exit) (the addresses of the sites). From then on, it seems clear to me that all the others must be closed. By definition, intrusion always comes through the weakest entry point of the network's protection. This is similar to the security of a building: there is no point putting armored doors everywhere if the back window stays permanently open.
And no, the two do not do exactly the same job. In a sense, they are complementary. As a reminder, installing 2 software firewalls is dangerous and can make each program ineffective.
A software firewall checks and reports on which ports the programs on your PC reach the Internet (in TCP/IP and UDP). Likewise, it reports the ports on which applications come back (or try to come back) to your PC. In this sense, barring misconfiguration, they are effective. On the other hand, they do not analyze the running programs at all (modifications of the frames...), and even less do they analyze the security flaws of the operating system (Microsoft's various security flaws in the operating systems, Internet Explorer, Outlook and even Office 2003). By checking the programs that attempt Internet connections, these programs block spyware and adware. Unfortunately, this solution generally also blocks the Internet connection. The software solution to remove them remains Lavasoft, for example. A software firewall is installed on each PC (hence a heavy administration workload), on the server or on a dedicated PC. Moreover, this software rarely distinguishes external (Internet) addresses from internal addresses. This software is perfect for detecting Trojans. While they detect them, they do not remove them; that role belongs to the antivirus, even if antivirus programs do not consider adware and spyware harmful (they are commercial programs).
A hardware firewall is placed between the Internet and the network. In this sense, intrusions (or attempts) inside the network are never analyzed. Even though a hardware firewall is not tied to Microsoft, it does not protect against the security flaws of the programs and operating system either. By analyzing the data frames, they also refuse intrusions by address spoofing. On the other hand, even if all unused ports are closed, programs that use the standard ports can work without problems. Worms (Trojans) that use port 80 will in no case be blocked; they are regarded as a completely standard application. Spyware and adware using port 80 are therefore in no case taken into account by a hardware firewall.
The 2 protections below are generally built into hardware firewalls:
Stateful Packet Inspection: allows the firewall to compare an incoming data packet with the packets previously regarded as "healthy".
Content Filtering: allows, in particular, control of Web access through filters (based on lists of Internet addresses, keywords or connection time slots).
Optimal security would therefore be a hardware firewall between the network and the Internet and a software firewall on each station. Nevertheless, the internal firewall, on large networks, poses problems at the user level. At the slightest warning (even a useless one, of the DHCP type on UDP port 68), the administrator will be called (or not...) by the user.
Currently various firms manufacture network cards that include a hardware firewall.
Each application is characterized by the TCP and/or UDP port it uses. It is specific to the type of application. This facilitates communications, since an application of the browsing type will use port 80 by default, whether it is Microsoft Explorer, Netscape or another. Port numbers (in TCP as in UDP) range from 0 to 65535 (2^16). IP determines the address of the site or PC in communication. The TCP/IP port combination thus determines the site and the application.
The hardware firewall analyzes the frames, while the software firewall analyzes the applications. This hardware analysis is carried out by internal software. The first part filters TCP/IP combinations to decide whether or not to forward the information to the client PC on the network. The second part checks whether the information was actually requested by a client station by analyzing the PC - Internet site connections.
The third function is called Stateful Inspection. This term is patented by Checkpoint (one of the leaders in Internet security), which makes software firewalls but whose technology is built into various hardware firewalls, in particular those made by NOKIA. "Stateful Inspection" is also called Firewall-1 or dynamic filtering technology. The firewall determines whether the client is actually connected (active) to the Internet when the message is received. To do so, the firewall keeps the active sessions in connection tables. Otherwise, the message is simply blocked.
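The following is an added model for this course (not code from any router or firewall product) that ties together the station-to-site NAT exchange of the connection-sharing diagram, the closed-by-default port policy and the stateful inspection just described, plus a frame-level anti-spoofing check on the WAN side. The WAN address, the station addresses and the port numbers are constructed; only 238.128.128.128 comes from the page.

```python
"""Toy model of the connection-sharing device and firewall described in this
chapter: a NAT table for the station-to-site exchange, a closed-by-default
outbound port policy, an anti-spoofing check on the WAN side and stateful
inspection of return traffic. Added example for this course, not code from
any router; every address and port below is constructed."""
from dataclasses import dataclass

WAN_ADDR = "203.0.113.7"        # X.X.X.X@ISP, the address the provider assigned
LAN_PREFIX = "192.168.1."       # private range of station1, station2, ...
SITE_ADDR = "238.128.128.128"   # X.X.X.X@site, the example address of the page

# Only the "normal applications" named in the chapter are open outbound:
# web (TCP 80/443) and news (TCP 119). Everything else stays closed.
ALLOWED_OUTBOUND = {("tcp", 80), ("tcp", 443), ("tcp", 119)}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NatFirewall:
    def __init__(self, wan_addr=WAN_ADDR):
        self.wan_addr = wan_addr
        self.next_wan_port = 40000
        # Connection table: (proto, wan_port) -> (station, station_port, site, site_port)
        self.sessions = {}
        self.log = []

    def outbound(self, pkt):
        """Station -> Internet: policy check, then rewrite the source to the WAN address."""
        if not pkt.src.startswith(LAN_PREFIX):
            self.log.append(f"drop outbound {pkt}: source is not a station")
            return None
        if (pkt.proto, pkt.dport) not in ALLOWED_OUTBOUND:
            self.log.append(f"drop outbound {pkt}: port {pkt.dport} is closed")
            return None
        wan_port = self.next_wan_port
        self.next_wan_port += 1
        self.sessions[(pkt.proto, wan_port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        self.log.append(f"nat {pkt.src}:{pkt.sport} -> {self.wan_addr}:{wan_port}")
        return Packet(pkt.proto, self.wan_addr, wan_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Internet -> station: anti-spoofing first, then the stateful table lookup."""
        if pkt.src.startswith(LAN_PREFIX):
            # A frame claiming a station address cannot legitimately arrive from the WAN.
            self.log.append(f"drop inbound {pkt}: spoofed station address from the WAN")
            return None
        if pkt.dst != self.wan_addr:
            self.log.append(f"drop inbound {pkt}: not addressed to us")
            return None
        session = self.sessions.get((pkt.proto, pkt.dport))
        if session is None or (session[2], session[3]) != (pkt.src, pkt.sport):
            self.log.append(f"drop inbound {pkt}: no active session requested it")
            return None
        station, station_port, _, _ = session
        self.log.append(f"nat {self.wan_addr}:{pkt.dport} -> {station}:{station_port}")
        return Packet(pkt.proto, pkt.src, pkt.sport, station, station_port)


def demo():
    """Replay the station1 -> site -> station1 exchange plus two blocked attempts."""
    fw = NatFirewall()
    request = fw.outbound(Packet("tcp", "192.168.1.10", 1025, SITE_ADDR, 80))
    reply = fw.inbound(Packet("tcp", SITE_ADDR, 80, WAN_ADDR, request.sport))
    # A connection nobody asked for (the Trojan-client case) finds no session.
    unsolicited = fw.inbound(Packet("tcp", "198.51.100.99", 4444, WAN_ADDR, 12345))
    # A frame forged with a station's own address is refused on the WAN side.
    spoofed = fw.inbound(Packet("tcp", "192.168.1.10", 80, WAN_ADDR, request.sport))
    return request, reply, unsolicited, spoofed, fw.log


if __name__ == "__main__":
    for line in demo()[4]:
        print(line)
```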
The firewall can also include various options such as a proxy. A proxy is a hard disk space on which the commonly requested pages are stored. Each provider uses a proxy for connections. On a request, the proxy checks whether the page is in its memory. If so, the page is returned to the requester without being downloaded from the site. This saves time on downloads. This solution is also used in some firewalls or routers. If the user is not in direct contact with the site, his IP address cannot be analyzed. Whatever certain sites say, this is not really a security measure, since hackers' target addresses are often found by scanning addresses on the Internet. On the other hand, in the case of firewalls that do not answer PING commands, this allows the attacker to determine that the address is actually in use if the proxy is not running. Note that using ICQ or MSN Messenger also makes it possible to determine your TCP/IP address even more easily: the list appears on the site.
Site filtering is built into the majority of hardware firewalls. This makes it possible to block outgoing access to site addresses or even to addresses containing a given word. You can, for example, block sites whose name includes sex, meet or KAZAA.
This application makes it possible to connect to an internal network via a telephone link or via the Internet.
In the preceding chapter, we saw that Trojan horses of the Netbus type make it possible to take remote control (among other things) of a PC via the Internet. This solution seems easy but also allows others to take control. This solution is therefore to be proscribed completely.
The most commonly used solution calls on software of the PC Anywhere type, which makes it possible to take control of a PC via analog or ISDN modems, or even ADSL (Internet). This solution is often used for small infrastructures of the self-employed type, or for troubleshooting remote users on internal networks. Many attack attempts over the Internet come through this software. PC Anywhere's configuration makes it possible to change the port number for remote access. It is not the perfect solution. Indeed, a remote takeover requires the port number and the client program. By changing the port number, the administrator assumes that the hacker will not be able to take control. On the other side, by scanning addresses on all ports, the hackers find the software that answers (even badly) on a port. All that remains is to try all the possible programs on that port. The takeover is also protected by a password (strongly advised).
Another solution, used only by certain programs, allows sharing resources via dial-up networking (remote network access).

This function requires the installation of an additional Windows component, the dial-up networking server, and allows the use of files on shared disks via a modem (always PSTN or ISDN). The connection allowing entry is also protected by a password, and this remote access server is started from the dial-up networking section.
Certain office programs (in particular Microsoft Works) also include file transfer functions. Windows XP also provides a remote control function, hoping that here too there are no security flaws.
The solutions above do not directly make it possible "to connect to a network server" but to take control of a PC which is itself connected to the network. They are software solutions.
VPN (Virtual Private Network) equipment is connected physically to the Internet, or between the network and the router, depending on the model. The latest versions of Microsoft's server operating systems provide equivalent functionality.
A VPN creates between a computer and the internal network a protected, encrypted connection to ensure the transfer of information, commonly called a tunnel. When the station requests a connection to the internal network via the Internet, the 2 devices exchange a software key which will be used to encrypt the information. The VPN then creates a kind of secured tunnel across the Internet which prevents any form of hacking. This solution is the only usable one for a connection via ADSL. The connection requires 3 things:
The first two constraints seem easy. We will come back to the device. The third requires either an Internet site, and thus a dedicated server connected to the Internet, even if the connection must be made to another server, or a specific subscription making it possible to have a fixed Internet TCP/IP address. With an ordinary ADSL subscription, the address changes with each connection and at most after a few tens of hours, depending on the provider. Amateurs can nevertheless use some workarounds, for example finding the connection's TCP/IP address at a given moment on specific sites and communicating it by telephone or mail. This is hardly feasible for a 24-hour connection.
Several models of VPN can be distinguished. Most hardware models allow only one tunnel between 2 fixed network installations. They therefore do not allow working from home (though advertising implies it). More expensive models also allow telecommuting. The encryption mode can be MPLS or IPsec (IP Security). Encryption is done only between the two VPN devices. Certain tunnel methods, in particular Over IP (unlike the IP tunnel), make it possible to carry other protocols such as IPX in the tunnel.
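An added teaching example for this course (not a VPN product's code) of what the tunnel described above does with each packet, in the spirit of IPsec: the two devices work from a shared negotiated key, every packet carries a tunnel identifier (SPI) and a sequence number, the inner packet (IP, IPX, ...) is encrypted and protected by an integrity tag, and the receiver keeps an anti-replay window. The stream cipher is a toy built from HMAC-SHA256 that stands in for AES, and all keys, SPIs and packets are constructed.

```python
"""Tunnel encapsulation in the spirit of the IPsec mode mentioned above: the
two VPN devices share a negotiated key, every packet carries a tunnel
identifier (SPI) and a sequence number, the inner packet is encrypted and
protected by an integrity tag, and the receiver keeps an anti-replay window.
Added teaching example for this course, not a VPN product's code: the stream
cipher is a toy built from HMAC-SHA256 that stands in for AES, and all keys,
SPIs and packets are constructed."""
import hashlib
import hmac
import struct

WINDOW = 64                     # anti-replay window, in sequence numbers
TAG_LEN = 16                    # truncated integrity check value, in bytes
HEADER = struct.Struct("!II")   # SPI, sequence number


def derive_keys(shared_secret: bytes):
    """Split the negotiated secret into separate encryption and integrity keys."""
    enc = hmac.new(shared_secret, b"tunnel-encryption", hashlib.sha256).digest()
    mac = hmac.new(shared_secret, b"tunnel-integrity", hashlib.sha256).digest()
    return enc, mac


def keystream(enc_key: bytes, spi: int, seq: int, length: int) -> bytes:
    """Toy counter-mode keystream: unique per (SPI, sequence number), never reused."""
    out = b""
    counter = 0
    while len(out) < length:
        block = struct.pack("!IIQ", spi, seq, counter)
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class TunnelEndpoint:
    """One VPN device. out_spi labels what it sends, in_spi what it expects."""

    def __init__(self, shared_secret: bytes, out_spi: int, in_spi: int):
        self.enc_key, self.mac_key = derive_keys(shared_secret)
        self.out_spi, self.in_spi = out_spi, in_spi
        self.send_seq = 0
        self.highest_seq = 0   # highest sequence number accepted so far
        self.window = 0        # bitmap of recently accepted numbers below it

    def encapsulate(self, inner_packet: bytes) -> bytes:
        """Wrap a LAN packet (IP, IPX, ...) for transit across the Internet."""
        self.send_seq += 1
        header = HEADER.pack(self.out_spi, self.send_seq)
        stream = keystream(self.enc_key, self.out_spi, self.send_seq, len(inner_packet))
        body = xor_bytes(inner_packet, stream)
        tag = hmac.new(self.mac_key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        return header + body + tag

    def _accept_seq(self, seq: int) -> bool:
        """Sliding window in the style of RFC 4303; False means a replay."""
        if seq == 0:
            return False
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            self.window = (self.window << shift) & ((1 << WINDOW) - 1) if shift < WINDOW else 0
            self.window |= 1
            self.highest_seq = seq
            return True
        back = self.highest_seq - seq
        if back >= WINDOW or self.window & (1 << back):
            return False
        self.window |= 1 << back
        return True

    def decapsulate(self, packet: bytes):
        """Return (inner_packet, "ok"), or (None, reason) when the packet is dropped."""
        if len(packet) < HEADER.size + TAG_LEN:
            return None, "truncated"
        header, body, tag = packet[:HEADER.size], packet[HEADER.size:-TAG_LEN], packet[-TAG_LEN:]
        spi, seq = HEADER.unpack(header)
        if spi != self.in_spi:
            return None, "unknown SPI"
        expected = hmac.new(self.mac_key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # integrity is checked before anything else
            return None, "bad integrity tag"
        if not self._accept_seq(seq):                # window moves only for genuine packets
            return None, "replayed sequence number"
        return xor_bytes(body, keystream(self.enc_key, spi, seq, len(body))), "ok"


if __name__ == "__main__":
    site_a = TunnelEndpoint(b"negotiated-secret", out_spi=0x1001, in_spi=0x2002)
    site_b = TunnelEndpoint(b"negotiated-secret", out_spi=0x2002, in_spi=0x1001)
    wire = site_a.encapsulate(b"IPX frame from station1 to the remote server")
    print(site_b.decapsulate(wire))   # the inner frame, "ok"
    print(site_b.decapsulate(wire))   # None, "replayed sequence number"
```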
When using a VPN, you cannot secure your network by preventing resource sharing over TCP/IP. Indeed, on small networks, you can install the IPX or NetBEUI protocols alongside TCP/IP and configure the TCP/IP protocol on the network card so that it does not allow resource sharing. The VPN makes it possible to use all the network's resources (files, applications and peripherals such as printers) remotely as if you were directly connected to the network.
Depending on the device (software solutions exist, in particular in Windows 2000 Server), the VPN will carry out several tasks, as below for the Symantec Gateway Security series.

A gateway to the Internet (Internet router function), a firewall function to block intrusions, an integrated antivirus and a VPN function to create Internet tunnels; generally, operation conforms to the IPsec specifications for the encryption of the client stations.
The VPN provides a local address to a PC connected to the Internet, which is then automatically integrated into the network. Be careful: configuring this type of device at the VPN level is generally more demanding, since it makes it possible, for example, to accept incoming data on an address but refuse outgoing traffic.

Once all the levels are sorted out, you can directly connect two internal networks via the Internet. This is currently the only viable solution (apart from fully dedicated leased lines) for this kind of application. It is also, at least in Belgium in the areas served by ADSL, the best solution for telecommuting (working from home).
This backup method could have been placed in the network storage and backup section, but it uses remote connection techniques. The principle is to create an Internet tunnel between your internal server and a remote network made up of servers, NAS or tape backups, to save your data. The main advantage: you no longer have to worry about your tapes; in theory they are safe outside your company (another advantage). The control program automatically backs up the important data, compressing and encrypting it beforehand.
Various variants of this technique are proposed. The first consists in systematically transferring the contents of the hard disk to the Internet backup. A small reminder: the fastest ADSL connections run at 8 Mb/s (divide by 10 to get a figure in bytes). To back up a hard disk of 20 GB of data, one thus needs 20,000,000/800 = 25,000 seconds, that is, nearly 7 hours. The return is even slower, with a maximum of 512 kb/s for ADSL, that is, 16 times slower. Not very effective.
The second solution consists in saving the initial data to various media (CD, DVD, tapes) and backing up via the Internet tunnel only the important files or those that have been modified. This second method amounts to an incremental or differential backup, with their respective drawbacks. In the event of a problem, the base backup is brought back by vehicle and the files backed up later are recovered. These systems can save the data each day in different files or in the same file (overwriting the oldest files). The backup is compressed and encrypted with at least 128 bits, and therefore protected. It is practically impossible to recover the data without the various keys. On the SECURITY level, this solution thus seems good.
The drawbacks are nevertheless significant. The first concerns data security (even if encrypted), since the data is on a site that does not belong to you. The second problem is the data transfer rate for sending (even compressed) and even more for receiving. As the tunneling requires hardware or application software, check the effective cost of this rather unorthodox backup solution. This principle works only with network servers running TCP/IP. In short, not necessarily a smart solution for backing up a complete server, but a way of adding one more backup task for small capacities.
This solution could also be installed between two network servers of the same company at different sites, using a VPN connection. This reduces the cost of the service provider but requires fixed-IP Internet connections and is thus possible only for large companies.
© YBET 2006