Life in the Fast Lane: Security for Cable Modem, DSL, and Other Remote User Internet Connections

Threats To Remote User Network Connections
An exciting array of modern broadband technologies, including cable modem, Digital Subscriber Line (DSL), VSAT satellite, and wireless is bringing faster, affordable Internet access opportunities to small, remote offices and home users. Furthermore, the traditional and economical analog modem connection continues in widespread use for individual Internet connections. Unfortunately, all of these remote connection services make the frequently connected remote user an extremely inviting target for hoards of direct and Trojan Horse-based hacker attacks.

In recent years, reports from the FBI’s National Infrastructure Protection Center have revealed that major distributed denial-of-service (DDoS) breaches were successful by attackers garnering a multitude of poorly protected user systems to serve as unwilling accomplices (frequently referred to as Zombies) and became “launching pads” for attacks on unsuspecting victim Web sites. The most common way that a victim system becomes a Zombie is when a backdoor Trojan Horse agent is planted on the user’s system. General-purpose Trojans include SubSeven, NetBus, and Back Orifice, while Trin00 is a popular, more DDoS-specific Trojan. In addition, widespread downloaded freeware and shareware such as PKZIP and Real Player may contain adbots that periodically send information about the user’s system back to the software developer/supplier across the Internet.

Vulnerabilities
Among the most common vulnerabilities that open the door for these attacks is the indiscriminant sharing of the user’s entire hard drive to the entire network community, technically referred to as Server Message Block (SMB) or just plain Windows network file shares. Unless extra attention is paid to adjusting access permissions, Windows NT 4.0 Workstation and Windows 2000 Professional will by default raise the vulnerability level by offering selected shares with Full Control privileges–meaning that all modes of access are allowed to everyone. Linux users can get into similar trouble by being overly permissive in sharing resources through SAMBA and Network File System (NFS) applications.

Other Achilles Heels include the recently identified unpatched plug-and-play services on many versions of Microsoft Windows platforms and a wide of array of TCP/IP application servers (Web or FTP servers, telnet, Trivial File Transfer Protocol, Simple Network Management Protocol) that may create vulnerabilities through faulty configuration and/or software bugs. If a remote user is connected to two different Internet sessions simultaneously, those applications open the door for a would-be intruder to slip from the Internet right into the user’s enterprise network. Additionally, cable modem users are even more vulnerable to packet sniffing attacks than other users of remote user Internet connections.

Security Safeguards
Organizations should develop and communicate clear policies promoted through aggressive security awareness programs that will alert remote users to the pitfalls of Internet access. Key safeguards include:

  • Minimizing the use of network file shares
  • Encouraging the use of personal software firewalls (ZoneLabs ZoneAlarm, Norton Internet Security, GTA Gnat Box Light)
  • Application content filtering (including adbots and mobile code agents)
  • Blocking random security scans and encrypted connections using virtual private networks (VPNs) or secure shell (SSH)
If an inexpensive consumer grade Internet router/gateway/firewall device (D-Link, Linksys, Netgear, SMC) is used for sharing Internet connections, the user/small office should carefully review the provided firewall features, including current firmware upgrades, to ensure that sufficient content screening is available. If not, either the addition of software firewalls in each workstation or the use of more robust (and more expensive) personal firewall appliances such as Cisco PIX 5xx Series, Sonic Systems SonicWall, and Watchguard SOHO should be considered. Only personal firewalls certified by a recognized independent testing laboratory like TrueSecure Labs and equipped with centralized firewall administration services should be seriously considered for corporate or government remote user applications.

Security Vulnerability Testing
All remote user systems should be periodically tested for vulnerabilities and for the effectiveness of applied safeguards. This objective can be achieved through a combination of user self audits using free public testing services (http://www.grc.com , ) and centralized enterprise remote vulnerability testing tools (e.g. ISS Internet Scanner, NAI/PGP CyberCop Scanner, and NGSS Typhon). Any serious vulnerabilities detected during these procedures should be promptly reviewed and corrected as necessary.

While modern Internet connection services are a boon to telecommuting and other off-premises applications, it is critical that they are safely deployed and maintained through prudent protection and security testing practices.

Reprinted with permission from MIS Training Institute’s TransMISsion Online. For a complete list of information security seminars and conferences available from MIS, go to: www.misti.com.

Don't miss