18

Chapter 2. Attackers and Risks

2.2. Threats To Network Security

By breaking down a network into its basic segments, we can determine the risks and define what is

necessary to prevent unauthorized access.

2.2.1. Insecure Architectures

A misconfigured network is a primary entry point for unauthorized users. Leaving a trust based, open

local network vulnerable to the highly insecure Internet is much like leaving a door ajar in a crime 

ridden neighborhood   nothing may happen for an arbitrary amount of time, but eventually someone

will exploit the opportunity.

2.2.1.1. Broadcast Networks

System administrators often fail to realize the importance of networking hardware in their security

schemas. Simple hardware such as hubs and routers rely on the broadcast or non switched principle;

that is, whenever a node transmits data across the network to a recipient node, the hub or router sends

a broadcast of the data packets until the recipient node receives and processes the data. This method

is the most vulnerable to address resolution protocol (arp) or media access control (MAC) address

spoofing by both outside intruders and unauthorized users on local nodes. For advice on choosing the

right networking hardware and topology, refer to Chapter 8.

2.2.1.2. Centralized Servers

Another potential networking pitfall is the use of centralized computing. A common cost cutting

measure for many businesses is to consolidate all services to a single powerful machine. This can be

convenient because it is easier to manage and costs considerably less than multiple server configu 

rations. However, a centralized server introduces a single point of failure on the network. So if the

central server is compromised, it may render the network completely useless or worse, prone to data

manipulation or theft. In these situations a central server becomes an an open door, allowing access

to the entire network. Refer to Chapter 8 for more information about network segmentation and how

they help you avoid an incident.

2.2.1.3. No Firewall

The least likely, but still common, mistake among administrators and home users is the assumption

that their network is inherently secure and, thus, they forgo the implementation of a firewall or network

packet filtering service. The installation of a dedicated firewall, whether standalone or as part of a

server that will act as a gateway, is crucial to segmenting internal and external network traffic. Leaving

the internal network exposed to the Internet, especially if the connection to the Internet is constant,

is an open invitation to any Internet user that happens to find the network's external IP address. A

cracker can potentially act as a node on your internal network or take over machines on the network to

act as a proxy. Firewalls can help prevent this by using packet filtering, port forwarding, or Network

Address Translation (NAT). They can also act as a proxy between the internal network and the Internet,

further buffering the private network from the Internet. Refusing to implement a firewall or, perhaps

more importantly, setting up a firewall incorrectly, leaves a network completely vulnerable. Refer to

Chapter 7 for more information on configuring a firewall for your network.

2.2.2. Network Encryption

Password protected applications and services are sound means of protecting a network. However,

these passwords should never be passed over public networks unencrypted. This is because crackers

use readably available tools to sniff network traffic for data such as passwords to gain access to