
8 Preparing for a Hack

ATTACKING NETWORK

The source of the attack and the networking technology employed have the potential to shape the results in ways that can lead to improper conclusions. Attacks sourced from the Internet are the most likely places to start and are susceptible to configurations that can influence the outcome of certain attack threads.

Most notable is network address translation (NAT), which is used to convert Internet routable IP addresses to a private IP space. In some configurations, all the privately addressed systems on the attacking network are masked through a single external IP address. NAT can impede the ability for some tools to function as expected or make them not work at all. Moreover, if the target site is using NAT, as many do, there are more opportunities to receive inaccurate responses from remote systems.

Firewalls are a common element on networks and if an attack is being launched from a network with a firewall providing connectivity to the Internet for the tester, the results may be artificial. Many firewalls will respond on behalf of a remote system; this is especially true for ICMP messages, fragments, and session management, such as cookies used in Web browsers. In addition, firewalls are usually where NAT is employed, adding to the complexity.

Just about any device, other than a router to provide the basic connection to the Internet, will affect the protocols and tools being employed in some manner. Therefore, the attacking network is typically connected to the Internet without a firewall or NAT employed to ensure the access is clean and unencumbered. In addition to controlling the type of access to the Internet, the type of service provided by the ISP is next in line to be evaluated. Some service providers only provide NATed IP space to their customers; therefore a NAT system is modifying the traffic long before the tester’s traffic reaches the Internet.

Bandwidth can become a concern as well for the tester. The last problem a tester wants to be faced with is poor response or intermittent connections caused by the Internet connection or an intermediate device. Depending on the technology being used, the Internet connection may be prone to drops or wide-ranging levels of available bandwidth. For example, some cable providers allow 344 Kb download, but only 56 Kb upload. During the attack, it may be necessary to upload a large file very quickly to avoid detection; an asymmetrical connection may become problematic.

Finally, the configuration of the attacking network must be reviewed for collateral exposures. There are many examples where the connectivity being used to access the Internet is provided by a medium, protocol, or architecture that lends itself to exposing others to the hacking activities. Using cable Internet providers as an example, the network is shared for each segment, so everyone in a neighborhood can see what other computers are doing and can, in turn, be affected by the attack.

If the tester is stationed at an office, the Internet connection may be provided by the building management, which may have a dedicated network for the entire building to provide Internet access through a single connection. When performing the test from a shared network, there is the potential to consume a great deal of the bandwidth or worse, inadvertently bring down the system in an attempt to attack the target.

The simplest way to avoid any of these problems and more is to seek out a clean, dedicated Internet connection that is directly accessible only to the attacking system(s).

Attacking Network Architecture

We’ve discussed some of the attributes concerning the network and systems used to perform a test. In an effort to pull all these characteristics together, consider the following example. As demonstrated in Figure 8.1, an attacking network architecture can be fairly simple, yet security cannot be underestimated.

The goal is to create an environment that is assumed completely insecure and a target for attacks. However, the network and controls must be flexible enough to permit nontraditional activities so the tester can perform complex system interaction with the target without concern for intermediate devices.

Simplicity, flexibility, and security may seem like an oxymoron, but it is a must to accommodate the needs of the tester and to ensure ample security for the target’s information assets.

As you can see in the graphic, there is an open connection (i.e., no firewalls or filtering devices) between the tester’s main systems and the Internet. Although there are arguments for having some security controls when interfacing with the Internet, if the systems are cycled (e.g., rebuilt) for each test and the information collected is managed appropriately, the risk to the tester and target are minimal. It is also assumed that the Internet connection will only be active during tests. A tester can accomplish this by simply unplugging the connection or applying sophisticated configurations on the router. No matter the practice used to control Internet access, given the network is designed for testing only, other means for day-to-day Internet access should be provided by a separate network altogether.

As discussed above, different operating systems should be employed to accommodate tools in addition to using systems that reflect the target’s environment.

[Figure 8.1: Example Attacking Network. Components shown: Internet; Attacking System(s) (Linux); Attacking System(s) (Windows); IDS (Type 1) [MANHUNT]; IDS (Type 2) [SNORT]; IDS (Type 1 or 2); Syslog (Linux); SQL Server (CD-Burner); Research System; File Server; Data Repository.]

Although it is not necessary to use, for example, a Windows platform against a Windows system at the target, the option can be helpful to the tester. All the systems that are going to be used for testing purposes should exist—even if only temporarily—on the exposed segment. Initiating an attack from another network should be avoided. Following are some basic reasons for testing from a specific point:

• By sourcing the attack from a set of known IP addresses, the target can easily identify traffic from the tester.

• By sourcing the attack from a point deeper in the network, the potential exists for exposing internal systems to undesirable traffic.

• If the test is performed from different locations that do not have supporting systems, the likelihood of exposing the target’s data increases.

• In the event a different ISP is used that is unaware of the tester’s activities, traffic may be blocked or reported to authorities.

The inclusion of intrusion-detection systems on the testing network segment is for two reasons: assisting in collecting data about the test, and identifying any unauthorized traffic. The IDS can be configured to simply log activity sourced from and destined for the tester’s systems and alert on any other suspicious traffic. Two different IDS systems are represented in the graphic only to convey that there are different types of IDS with varying degrees of detection and capability. Given the technical capacity of the testers and the value of the information that can be collected, having two systems can be very helpful in avoiding any gaps in detection and information collection.
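An added illustration, not from the book, of the log-versus-alert policy described above: a small flow classifier of the kind the IDS on the testing segment would apply, recording tester traffic and raising an alert on anything else (including tester traffic that leaves the agreed scope). The address ranges and flow records are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed ranges (assumptions, not values from the book): the exposed testing
# segment and the target address space agreed for the engagement.
TESTER_SEGMENT = ipaddress.ip_network("203.0.113.0/28")
TARGET_SCOPE = (ipaddress.ip_network("198.51.100.0/24"),)

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

def classify(flow: Flow) -> tuple:
    """Segment IDS policy: LOG traffic to or from tester systems, ALERT on the rest."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    src_tester, dst_tester = src in TESTER_SEGMENT, dst in TESTER_SEGMENT
    in_scope = lambda a: any(a in net for net in TARGET_SCOPE)
    if src_tester and dst_tester:
        return "LOG", "intra-segment"
    if src_tester:
        if in_scope(dst):
            return "LOG", "tester to target"
        return "ALERT", "tester traffic to out-of-scope host"   # engagement boundary crossed
    if dst_tester:
        if in_scope(src):
            return "LOG", "target to tester"
        return "ALERT", "unsolicited traffic to testing segment"  # open segment being probed
    return "ALERT", "traffic not involving tester systems"

def review(flows) -> dict:
    """Count verdicts and build syslog-style alert lines for the collector in the DMZ."""
    out = {"LOG": 0, "ALERT": 0, "alerts": []}
    for f in flows:
        verdict, reason = classify(f)
        out[verdict] += 1
        if verdict == "ALERT":
            out["alerts"].append(f"segment-ids {f.proto} {f.src}->{f.dst}:{f.dport} {reason}")
    return out

# Constructed sample flow records, as a segment IDS might summarise them.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "198.51.100.20", 443),    # tester probing the target
    Flow("198.51.100.20", "203.0.113.5", 52211),  # target answering
    Flow("203.0.113.5", "192.0.2.77", 22),        # tester strayed outside scope
    Flow("192.0.2.9", "203.0.113.6", 3389),       # outsider probing the open segment
    Flow("192.0.2.9", "192.0.2.10", 80, "udp"),   # neither end is a tester system
]
```

Running `review(SAMPLE_FLOWS)` logs the two tester-target flows and raises three alerts; the alert lines are what would be forwarded to the syslog host in the DMZ.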

In addition to the IDS and testing systems, a separate system is provided for Internet research. Not only is it helpful to have a different system to prowl the Internet, but also the testing systems may be performing automated tasks that may not allow the tester to perform other activities or simply add efficiency to the engagement. The most prominent reason for the dedicated system is to avoid polluting the testing systems. When searching the Internet for tools or information, the potential for unwanted information being shared or inadvertently being absorbed (i.e., cookies, code, plug-ins, spam, etc.) by the system is a nuisance that can be easily contained and rectified.

Moving a step deeper into the network, a firewall (or some protective device) can be implemented to create a semi-secure environment, or DMZ, for basic support systems. The DMZ is a staging area for data collection. For example, data collected by some tools can be enhanced by the use of a comprehensive database. Exporting information to a system that has additional security controls adds a layer of security for sensitive information. Moreover, systems in the DMZ may contain source code for tools to allow the tester to quickly modify programs to accommodate specific requirements, compile them, test, and put into use without concern for having the necessary libraries on the testing systems. Another helpful attribute is having the ability to collect log information from the IDS, attacking systems, router, or anything that may help collect information about the activities. Not only is this helpful to demonstrate to the target company the activities performed, but it provides a minimum level of forensics in the event tactics are disputed. Again, an IDS on the DMZ can be helpful in identifying unwanted activities on the dedicated segment.

There are a number of reasons for employing a DMZ, but fundamentally the role of the segment is to provide support for the testers in a manner that does not require the testing systems to perform tasks that are not explicitly required for the engagement.

Finally, another set of firewalls is implemented to tightly control data flow between the DMZ and outer networks. In fact, the innermost network should not be permitted to interact with anything beyond the DMZ and the firewall should only permit traffic sourced from the internal network and not from any other external devices. The DMZ is there to support the testing segment and therefore if the tester needs something from the internal network, it should be staged in the DMZ. Given that the DMZ is providing data collection services for the testing network, it may be necessary for internal systems to pull the data to begin analysis or start creating the necessary documentation. The internal network is simply for performing tasks associated with the consultative characteristics of the engagement, but not with the testing elements.

Albeit a simplified example of an attacking network, the fundamentals of segmenting systems with specific roles apply. Networks designed for performing ethical hacks can range from one system connected to a cable modem to hundreds of devices with complicated custom applications to support the process. The most important aspect is to allow the testing systems unfettered access to the Internet and to perform only what is needed to identify and exploit vulnerabilities. There needs to be a secure area to support those systems, and a highly controlled segment for nontesting activities. As long as these attributes are represented in some fashion, the security of sensitive information can be realized while allowing the tester the freedom to perform his or her task.