The same Web-based software that organizations install to better control their networks may actually be endangering them. |
The main problem is that these programs, which have become popular in recent years for allowing remote management capabilities from any client with a Web browser, can give hackers much more information about an enterprise network than IT staffs realize. That information can be used to damage networks, spy on a company or steal confidential data.
Because some of these programs are automatically installed when a larger program, such as a directory, is set up, administrators may not even realize the programs have been installed.
The danger is that many such programs are designed with default usernames and passwords that anyone can exploit.
"Any software that is installed by default is likely to be exposed because administrators don`t always know about it," says Jeff Gassaway, a network manager at a Southwestern university.
"Our sites have more information than I would have preferred available to the outside," he adds.
Weak password administration and too many open TCP/IP ports are related problems that can leave Web-based management systems open for abuse.
"I will advise all administrators of the potential risk and get our open ports closed down," says Michel L`Heureux, IT manager for a large technical school in Canada.
In fact, all these issues were cited among the top `Net security vulnerabilities by a new, jointly produced study from the network security organization SANS Institute and the FBI.
Organizations can use widely available tools for identifying unsecured passwords and open ports, but hackers have access to the same tools and assorted underground ones.
Provided with the name of a network-management utility and the TCP/IP port number, a hacker can launch a buffer overflow or other sort of attack.
In fact, this reporter, when provided with such information, could easily find several sites with holes in their networks (and alerted these organizations so they could lock them down).
All the exposed organizations we visited turned out to be universities, which isn`t that surprising given that so many tend to be a little looser with their network security systems and firewalls in an effort to provide students and faculty with the access they need to do their work.
The examples of exposed sites also all involved Novell`s NetWare 5.1, although such security issues are not limited to Novell software.
In these cases, when NetWare was installed, a program called Novell Directory Services (NDS) iMonitor was also automatically installed. NDS iMonitor, designed for managing Novell`s directory technology, was likely installed unbeknownst to network administrators and at a minimum security level called "public ID," which does not require a username or password.
Public ID lets NDS show the directory tree name, partition information, IP addresses and other data that can be used to scan a network for vulnerabilities or to log on to the network.
A net manager, if aware that NDS iMonitor has been installed, can easily lock it down by changing the level of password protection.
Vulnerabilities also exist in SNMP agents, which have default usernames and passwords that can be accessed by any client to view information.
There is disagreement across the industry about just how open networks should be.
Compaq doesn`t let any information be displayed by the management agents that come with its products. Its agents generate an authentication screen that reminds users that trying to guess the username and password is a violation of law that will be prosecuted.
Compaq is so wary of customers exposing network information gathered by its Web-based management software that it issued this advisory last month: "The implementation of sound security practices, which includes disabling external access to Compaq management ports, should help protect customers from external malicious attacks. Compaq also recommends that strong password standards are used and that passwords are changed regularly."
Not everyone is worried
Other organizations feel it is not necessarily harmful for outsiders to view information as long as they cannot change it.
Novell says iMonitor uses the anonymous Lightweight Directory Access Protocol (LDAP) Berkeley Internet Name Domain (BIND) operation to let unknown users obtain information about the directory so if they have proper credentials they can log on.
However, NDS returns more information than LDAP BIND requests.
While organizations must pay more attention to their authentication and network management practices, they should also take more advantage of firewalls and VPNs to secure their networks, says Marcus Williamson, president of network consultancy Connectotel.
"IT professionals should lock down their networks and only leave as few ports open as possible," he says.
"The only services you want to be seen by the outside world from a firewall are [Simple Mail Transfer Protocol] e-mail services, TCP Port 80 for the Web server and potentially an FTP server, which uses Ports 20 and 21.," he adds. "Apart from that, there is no valid reason for allowing other types of traffic through."
But Paul Hoffman, director of the Internet Mail Consortium and a Network World columnist, says that expecting a firewall to protect against exposure is ludicrous. He points to the consequences of the recent Nimda worm.
"A lot of the people affected by Nimda were behind firewalls," he says.
"No network should need a firewall - firewalls are for the reality that networks are complex and that network administrators are either lazy or not powerful enough to enforce simple security. IT managers need to be sure to use the authentication methods provided for them," Hoffman adds.
©2001 Network World, Inc. All rights reserved.