Always On, Always Vulnerable

by Douglas Schweitzer

This article was excerpted from Chapter 4 of Douglas Schweitzer's book "Internet Security Made Easy".

Let's face it; the Internet is here to stay. As the media on the Web become richer in content (i.e., audio, video), the need for speed increases. The faster your connection to the Internet, the faster these media-rich Web pages will download and pop up on your screen. As discussed in Chapter 2, technology has responded to consumer demands by bringing affordable broadband connections to all computer users. Although this chapter focuses mainly on broadband connections, many of the principles outlined can be applied to computers that use standard dial-up modems for Web access and online transactions.

Digital subscriber line (DSL) and cable Internet access are two of the most widespread broadband means of connecting to the Internet. In addition to offering speed, they eliminate the wait for dial-up or disconnect dialogs because the Internet connection is always on. While convenient, this type of connection leaves your computer vulnerable to attack, because your Internet Protocol (IP) address (as discussed in Chapter 1) is static (fixed) and always remains the same. A static IP address makes your computer susceptible to port-scanning programs used by hackers to probe IP addresses when they're looking for an entrance into your PC.

Why is there such a risk? The answer lies in the low-cost hardware Internet service providers (ISPs) are installing in many computers. Cheaper DSL and cable modems act as a bridge, essentially a simple pass-through device. When your ISP assigns a bridge an IP address, that address simply passes through the bridge and becomes linked directly with your PC, making your computer visible to anyone on the Internet.

Two-Way Street

Many people forget that the Internet is like a two-way street. You connect to the Internet, and it connects to you. In essence, anyone with an Internet connection can potentially access resources on your PC when you are connected to the Net. This applies to all types of connections to the Internet, including standard dial-up access. Most consumer operating systems were not designed with Internet security in mind, leaving them open to attacks. To make matters worse, many new software technologies, such as Java or ActiveX applets, can interact directly with the operating system. This creates a potentially serious security risk. As recently as a few years ago, many hackers avoided home Internet users since they were few in number. As more and more individuals connect to the Internet, hackers are targeting both home and business users in increasing numbers. A computer connected to the Internet is a potential resource for hackers. Without your acknowledgment or permission, your computer can be used as:

  • A relay for unsolicited commercial e-mail (spam)
  • An arena for the exchange of pornographic material
  • An unwilling participant in a distributed denial-of-service (DDoS) attack

After hackers enter a system, they target the programs that they find attractive. They ply their "trade" and do their damage, sometimes for long periods of time without the legitimate user's knowledge. Whether for fun or profit, a computer can be used by others in criminal and felonious activities. Often legitimate users do not become aware that there is a problem until they are charged with a criminal offense.

Note that, unlike denial-of-service (DoS) attacks, which are carried out by a single computer against another single computer or Web site, DDoS attacks are the result of many computers attacking a single victim or Web site. Hackers can exploit the power of hundreds of computers (unsuspecting victims) commandeered to inundate a particular computer or Web site with so many data requests that it either crashes or has to be taken offline.

Minimize the Risk

One of the easiest ways to minimize your security risk is to turn off your PC when you are not using it (this is not such a big issue if you use a standard analog modem to connect to the Net). Many people are under the impression that they should leave their PC on all the time to prolong its useful life. The premise is that the "shock" of turning the computer on and off will cause premature failure of sensitive electrical components. This is simply not true. Frequently powering a system on and off does not cause deterioration or damage to components.

Disable File and Print Sharing

If you are not using your PC in a networked environment, there is no need to have file sharing and printer sharing installed and no need to have Microsoft networking installed. Your stand-alone computer will boot up and run faster and you will have a marked increase in Internet security without them. "Client for Microsoft Networks" is used primarily to connect your Windows computer to other Windows-based computers. It serves no purpose in connecting a computer to the Internet.

Disabling file sharing and print sharing can also help defend your computer against an Internet Trojan horse program called Back Orifice. A user computer infected by this "back door" program will allow outside hackers to have full access to its systems. Hackers regularly scan the Internet looking for computers that have been compromised by a Trojan horse.

You can disable file and print sharing and/or remove the "Client for Microsoft Networks" by:
1. Opening up the control panel and double clicking on the "Network" icon
2. Selecting the "File and Print Sharing . . ." button
3. Disabling (unchecking) the two resulting options

Many new computers use the "Microsoft Family Logon" as the default client software. You may notice that your system has the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol "bound" to the Microsoft Family Logon. By unbinding your TCP/IP adapters from either the Microsoft Family Logon or "Client for Microsoft Networks," you increase your Internet security by not allowing your files to be accessed via the Internet using the NetBIOS file sharing system. (NetBIOS is a protocol used primarily in small computer networks and was never designed for use with the Internet.)

To "unbind" your TCP/IP adapters in Windows 95/98/ME, follow these three simple steps:
1. Open the "Network" icon in the control panel. (This can be found in your "Start" menu under settings or by opening the "My Computer" icon on your desktop.)
2. Under the "Configuration" tab, double click on the TCP/IP adapter you wish to "unbind" (Note: your PC may have several from which to choose).
3. Click on the "Bindings" tab and be sure the "Microsoft Family Logon" or the "Client for Microsoft Networks" box is disabled or unchecked. Restart your computer so that the changes you made can be put into operation.

Note: This tip is only for stand-alone Internet-enabled computers! Disabling file and print sharing should not be done in a home or business local area network (LAN) environment. If you disable file and print sharing, computers on your network will not be able to communicate or share network resources. If your computer is used in a networked environment and you need to share files, you must purchase and install a third-party firewall product to adequately secure your PC.

A Quick Word About NETSTAT

The NETSTAT command is used to display the status of all TCP and User Datagram Protocol (UDP) ports on a computer. Hackers can use this command to "discover" open TCP and UDP ports on your computer. One of the easiest ways to defend your networked computers against this command is to block TCP port 139 and UDP ports 137 and 138 at the router used to connect your network to the Internet.
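As an added example that is not part of the book excerpt, the following script scans output in the layout of Windows `netstat -an` and flags the NetBIOS ports named above (TCP 139, UDP 137 and 138) when they are bound to an address other than loopback, which is the condition under which file and print sharing is reachable from outside the PC. The sample output and the LAN address 192.168.1.10 are constructed for the demonstration.

```python
"""Flag NetBIOS listeners in Windows-style ``netstat -an`` output.

Added example (not from the article): reports TCP 139 / UDP 137-138, the
ports the article says to block, when bound to a non-loopback address.
"""
import re

NETBIOS_PORTS = {("TCP", 139), ("UDP", 137), ("UDP", 138)}

# Constructed sample in `netstat -an` layout; 192.168.1.10 is the PC's LAN address.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1032      64.233.160.1:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    127.0.0.1:138          *:*
"""

# Groups: protocol, local IP, local port, foreign address, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, state) for each socket line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # the header line and blank lines do not match
            proto, ip, port, _foreign, state = m.groups()
            yield proto, ip, int(port), state or ""


def exposed_netbios(text):
    """Return (proto, ip, port) for NetBIOS sockets not confined to loopback."""
    findings = []
    for proto, ip, port, state in parse_netstat(text):
        if (proto, port) not in NETBIOS_PORTS:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue  # an outbound connection, not a listener
        if not ip.startswith("127."):  # 0.0.0.0 or a LAN address answers any peer
            findings.append((proto, ip, port))
    return findings


if __name__ == "__main__":
    for proto, ip, port in exposed_netbios(SAMPLE_NETSTAT):
        print(f"{proto} {port} bound to {ip}: disable file and print sharing "
              "or block it at the router")
```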

Install a Firewall

For those who use Internet-enabled computers in a networked environment, a firewall is essential for security. A firewall is, in effect, software or hardware that protects your computer from external threats by limiting or controlling access. Most stand-alone computers use only a software-based firewall, while networked computers might use a combination of both hardware- and software-based firewalls.

Hardware-based firewalls are a bit more time-consuming to set up but offer excellent protection, particularly in a LAN environment. If you have a network of two or more computers and wish to have all your PCs share a single Internet connection, I strongly recommend that you use a hardware-based firewall. The simplest forms of hardware firewalls are small, inexpensive routers that are available specifically for this purpose. These routers provide excellent protection by keeping your trusted network (your LAN) isolated from the untrusted network (the Internet). This "separation" is achieved using something called network address translation (NAT). (NAT is addressed later in this section.) By using NAT, you make the router the only externally recognized device on your network and keep your computers "hidden" from the Internet. Many of these routers cost less than $200 and come with easy-to-use instructions and excellent vendor support.

Keep in mind that most low-capacity routers support up to 253 users. If your company has more than 253 users, you should consider using a higher-capacity router designed for this purpose.

Integrated Services Digital Network/Plain Old Telephone System

Despite the fact that more and more users are jumping on the broadband bandwagon, many still use the plain old telephone system (POTS) to log on to the Web. For those who wish to install a hardware-based firewall, several products are available specifically designed for analog and digital dial-up connections.

With the advent of unlimited Internet access for a flat fee, many users log on once and remain connected for extended periods. Consequently, their network computers are at greater risk, and a hardware firewall is necessary as a first line of defense against hackers. For those wishing to purchase a router/hardware firewall for their dial-up or Integrated Services Digital Network (ISDN) connection, several companies make products designed for this purpose.

Internet Security Appliances

Hardware-based Internet security appliances are becoming popular because of their ability to provide both a hardware firewall and virus protection in a stand-alone hardware product. More expensive than most router/firewalls, these products usually require users to purchase a license. The user license allows only a certain number of users to access the product (usually in blocks of ten, twenty-five, or fifty users). Companies should choose a size that meets their current and future needs.

Dynamic Host Configuration Protocol and NAT

As explained in Chapter 1, before a client can obtain access to the Internet, an IP address must be obtained. Dynamic Host Configuration Protocol (DHCP) provides for the automatic issuing of IP addresses. NAT is a method of connecting several computers to the Internet using only one IP address and is often used along with DHCP. Most routers act as DHCP servers and automatically assign a special "fake" internal IP address to each computer on a TCP/IP-based LAN. When one of the network computers makes a request destined for the Internet, it is automatically sent to the router. The router then forwards this request directly to the ISP, using the static IP address that was assigned by the ISP. NAT is the process used to convert requests from a "fake" internal IP address to the "real" static IP address issued by the ISP. In other words, the router acts as a kind of old-fashioned switchboard operator by keeping track of all Internet requests from each of the networked computers and routing them to the ISP. To the ISP, it appears as if all requests are coming from only one computer!
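The following toy router models the paragraph above; it is an added example and not code from the book or from any router vendor. It hands out private ("fake") addresses the way a DHCP server does, rewrites outbound traffic so every LAN host appears as the single ISP-assigned address, maps replies back to the right host from its translation table, and drops Internet traffic that no LAN host requested, which is what keeps the computers "hidden". The public address 203.0.113.7 and the other addresses are constructed from documentation ranges.

```python
"""Toy router: DHCP leases plus NAT, as described in the article.

Added example (not from the book): private addresses go out, one public
address comes back, and unsolicited inbound traffic has nowhere to go.
"""

PUBLIC_IP = "203.0.113.7"      # constructed ISP-assigned address (TEST-NET-3)
LAN_PREFIX = "192.168.1."      # private range handed out by DHCP


class Router:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.leases = {}            # MAC -> private IP
        self.next_host = 10         # first DHCP address is .10
        self.next_port = 40000      # pool of external ports for NAT
        self.outbound = {}          # (lan_ip, lan_port, dst) -> ext_port
        self.inbound = {}           # (ext_port, dst) -> (lan_ip, lan_port)

    def lease(self, mac):
        """DHCP: give a LAN host its private address (same one on renewal)."""
        if mac not in self.leases:
            self.leases[mac] = LAN_PREFIX + str(self.next_host)
            self.next_host += 1
        return self.leases[mac]

    def egress(self, lan_ip, lan_port, dst):
        """NAT out: rewrite the source to (public_ip, ext_port) and remember it."""
        key = (lan_ip, lan_port, dst)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[(self.next_port, dst)] = (lan_ip, lan_port)
            self.next_port += 1
        return self.public_ip, self.outbound[key], dst

    def ingress(self, src, ext_port):
        """NAT in: map a reply back to the LAN host; None means drop it."""
        return self.inbound.get((ext_port, src))


if __name__ == "__main__":
    r = Router(PUBLIC_IP)
    a, b = r.lease("00:11:22:33:44:01"), r.lease("00:11:22:33:44:02")
    web = ("198.51.100.20", 80)
    print(r.egress(a, 1032, web))   # ('203.0.113.7', 40000, web)
    print(r.egress(b, 1032, web))   # ('203.0.113.7', 40001, web): same public IP
    print(r.ingress(web, 40001))    # ('192.168.1.11', 1032): reply reaches host b
    print(r.ingress(("198.51.100.99", 1234), 139))  # None: unsolicited, dropped
```

To the Web server both connections look like they come from 203.0.113.7; only the router's table knows which LAN host each one belongs to.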

Personal Software Firewalls

Personal firewall software isolates your PC from the Internet. Unlike its industrial-strength brethren (used by large company networks), you won't have to shell out a few thousand dollars to achieve a sufficient level of protection from this software. Several vendors produce excellent software well suited to the task. Some of these software products act only as firewalls, while others have additional features you may find useful for Internet security and privacy.

Excerpted from INTERNET SECURITY MADE EASY © 2002 Douglas Schweitzer. Published by AMACOM Books, a division of American Management Association International, New York, NY. Used with permission. All rights reserved. http://www.amacombooks.org

© 2006 PC Flank Ltd. All rights reserved.