Security issues with IP
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Security issues with IP
Without security, both public and private networks are susceptible to unauthorized monitoring and access. Internal attacks might be a result of minimal or nonexistent intranet security. Risks from outside the private network originate from connections to the Internet and extranets. Password-based user access controls alone do not protect data transmitted across a network.
Common types of network attacks
Without security measures and controls in place, your data might be subjected to an attack. Some attacks are passive in that information is only monitored. Other attacks are active and information is altered with intent to corrupt or destroy the data or the network itself. Your networks and data are vulnerable to any of the following types of attacks if you do not have a security plan in place.
In general, the majority of network communications occur in a plaintext (unencrypted) format, which allows an attacker who has gained access to data paths in a network to monitor and interpret (read) the traffic. When an attacker is eavesdropping on communications, it is referred to as sniffing or snooping. The ability of an eavesdropper to monitor the network is generally the biggest security problem that administrators face in an enterprise. Without strong encryption services that are based on cryptography, data can be read by others as it traverses the network.
After an attacker has read data, the next logical step is often to modify it. An attacker can modify the data in the packet without the knowledge of the sender or receiver. Even if you do not require confidentiality for all communications, you do not want any of your messages to be modified in transit. For example, if you are exchanging purchase requisitions, you do not want the items, amounts, or billing information to be changed.
Identity spoofing (IP address spoofing)
Most networks and operating systems use the IP address to identify a computer as being valid on a network. In some cases, it is possible for an IP address to be falsely used. This is known as identity spoofing. An attacker might use special programs to construct IP packets that appear to originate from valid addresses inside an organization intranet.
After gaining access to the network with a valid IP address, the attacker can modify, reroute, or delete data. The attacker can also conduct other types of attacks, as described in the following sections.
A commonality among most operating systems and network security plans is password-based access control. Access to both a computer and network resources are determined by a user name and password.
Historically, many versions of operating system components have not always protected identity information as it was passed through the network for validation. This might allow an eavesdropper to determine a valid user name and password and use it to gain access to the network by posing as a valid user.
When an attacker finds and accesses a valid user account, the attacker has the same rights as the actual user. For example, if the user has administrative rights, the attacker can create additional accounts for access at a later time.
After gaining access to a network with a valid account, an attacker can do any of the following:
Obtain lists of valid user and computer names and network information.
Modify server and network configurations, including access controls and routing tables.
Modify, reroute, or delete data.
Unlike a password-based attack, the denial-of-service attack prevents normal use of a computer or network by valid users.
After gaining access to a network, an attacker can do any of the following:
Distract information systems staff so that they do not immediately detect the intrusion. This gives an attacker the opportunity to make additional attacks.
Send invalid data to applications or network services, causing applications or services to close or operate abnormally.
Send a flood of traffic until a computer or an entire network is shut down.
Block traffic, which results in a loss of access to network resources by authorized users.
As the name indicates, a man-in-the-middle attack occurs when someone between two users who are communicating is actively monitoring, capturing, and controlling the communication without the knowledge of the users. For example, an attacker can negotiate encryption keys with both users. Each user then sends encrypted data to the attacker, who can decrypt the data. When computers are communicating at low levels of the network layer, the computers might not be able to determine with which computers they are exchanging data.
A key is a secret code or number required to encrypt, decrypt, or validate secured information. Although determining a key is a difficult and resource-intensive process for an attacker, it is possible. After an attacker determines a key, that key is referred to as a compromised key.
An attacker uses the compromised key to gain access to a secured communication without the sender or receiver being aware of the attack. With the compromised key, the attacker can decrypt or modify data. The attacker can also attempt to use the compromised key to compute additional keys, which might allow access to other secured communications.
A sniffer is an application or device that can read, monitor, and capture network data exchanges and packets. If the packets are not encrypted, a sniffer provides a full view of the data that is inside of the packet. Even encapsulated (tunneled) packets can be opened and read if they are not encrypted.
Using a sniffer, an attacker can do the following:
Analyze a network and access information, eventually causing the network to stop responding or become corrupted.
Read private communications.
An application-layer attack targets application servers by causing a fault in a server's operating system or applications. This results in the attacker gaining the ability to bypass normal access controls. The attacker takes advantage of this situation, gaining control of an application, system, or network, and can do any of the following:
Read, add, delete, or modify data or an operating system.
Introduce a virus that uses computers and software applications to copy viruses throughout the network.
Introduce a sniffer program to analyze the network and gain information that can eventually be used to cause the network to stop responding or become corrupted.
Abnormally close data applications or operating systems.
Disable other security controls to enable future attacks.