Forwarded From: Simon Taplin <stickerat_private>

How Nokia Guards Against Crackers
(02/24/99, 10:34 a.m. ET)
By Lee Kimber,

Faced with 24,000 attempted network attacks in the past six months, Finnish telecommunications leader Nokia has developed a smart strategy to protect itself: Follow the network security rule book to the letter.

Marketing manager Bob Brace said the policy started at the ICMP level -- by disallowing pings.

"The hackers first try to do things like ping every IP address on a class C subnet," he said. "So they will try for x.x.x.1 to x.x.x.254. We do not allow pings."

He said Nokia protected its networks with an integrated firewall/router -- the IP1440 -- providing logs showing the attacks came from different types of crackers -- amateurs that tried to scan ports sequentially and professionals that carried out long-term port scanning from different IP addresses.

The logs proved the crackers' attempts to find a service on 1234 -- the default port used by the remote-control Trojan Back Orifice, Brace said.

The firewall also offered NAT which could be configured to drop ICMP packets regardless of the packet filtering set up on the firewall.

That won the approval of Integralis security expert Tony Rowan: "If you've got NAT," he said, "you're almost there."

He said the ICMP suite contained commands most people had forgotten -- unless they were crackers.

"Router redirect lets you make a router hand requests to someone else. This is an ICMP request, and you can get packet shapers that let you set these up," he said.

When setting up a CheckPoint firewall for an Integralis customer, he recommended they turn on the "stealth rule" -- any packet from anywhere to the firewall is dropped, rather than rejected, which would give them feedback. Log it with a long log, he said.

Nokia runs an internal U.K. Web server and a public Web server in Helsinki, and Brace said he saw port 80 scans of the U.K. intranet all the time.

"Our intranet server here in the U.K. cannot be seen from the outside; the IP440 keeps these hackers at arm's length. They can see we are here, but they don't know what is on the other side of the firewall."

The last weapon is encryption. Given Nokia's firewall logs have proved some of its attempted cracks are by extremely knowledgeable people, the company said remote-access services are the biggest vulnerability in its network.

Remote users dialed in using encrypted VPNs over the Internet, it said. Nokia then authenticated them again if they tried to access key resources.

So Brace had strong advice for governments that wanted to impose key escrow.

"Key escrow weakens authentication and threatens the whole issue of e-commerce," he said.

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
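
The three patterns the article says showed up in the firewall logs (a ping sweep of a class C subnet, a sequential port scan, and long-term probing from different IP addresses) can be told apart in dropped-packet records as shown here. This is an added example, not part of the article and not Nokia's or CheckPoint's tooling; the record layout, thresholds, function names and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample of dropped-packet records (RFC 5737 documentation addresses).
# Assumed record layout: (epoch_seconds, source_ip, dest_ip, protocol, dest_port)
def sample_log():
    log = [(1000 + i, "198.51.100.7", f"192.0.2.{i}", "icmp", None) for i in range(1, 255)]
    log += [(5000 + p, "198.51.100.9", "192.0.2.10", "tcp", p) for p in range(20, 60)]
    # One probe per day for port 1234 (the port named in the article), each from a new source
    log += [(86400 * d, f"203.0.113.{d}", "192.0.2.10", "tcp", 1234) for d in range(1, 9)]
    log.append((7000, "198.51.100.20", "192.0.2.10", "tcp", 80))  # lone probe, below thresholds
    return log

def classify(log, sweep_hosts=50, seq_ports=20, slow_sources=5, slow_span=3 * 86400):
    """Return {pattern: set of offenders} for three dropped-traffic patterns."""
    icmp_targets = defaultdict(set)   # source -> hosts pinged
    tcp_ports = defaultdict(list)     # (source, dest) -> ports in arrival order
    port_sources = defaultdict(dict)  # (dest, port) -> {source: first time seen}
    for ts, src, dst, proto, port in sorted(log, key=lambda r: r[0]):
        if proto == "icmp":
            icmp_targets[src].add(dst)
        else:
            tcp_ports[(src, dst)].append(port)
            port_sources[(dst, port)].setdefault(src, ts)
    found = {"ping_sweep": set(), "sequential_scan": set(), "slow_distributed": set()}
    for src, hosts in icmp_targets.items():
        # Ping sweep: one source touching many distinct hosts inside a single /24
        per_net = defaultdict(int)
        for h in hosts:
            per_net[ip_network(f"{h}/24", strict=False)] += 1
        if max(per_net.values()) >= sweep_hosts:
            found["ping_sweep"].add(src)
    for (src, _dst), ports in tcp_ports.items():
        # Sequential scan: longest run of ports that each increase by exactly one
        run = best = 1
        for a, b in zip(ports, ports[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= seq_ports:
            found["sequential_scan"].add(src)
    for (dst, port), seen in port_sources.items():
        # Slow distributed probing: one port hit by many sources over a long period
        if len(seen) >= slow_sources and max(seen.values()) - min(seen.values()) >= slow_span:
            found["slow_distributed"].add((dst, port))
    return found
```

The slow pattern is keyed on the destination and port rather than the source, since each source appears only once and would pass any per-source threshold.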