[ISN] How Nokia Guards Against Crackers

From: mea culpa (jerichoat_private)
Date: Sun Feb 28 1999 - 14:46:44 PST

Forwarded From: Simon Taplin <stickerat_private>

How Nokia Guards Against Crackers
(02/24/99, 10:34 a.m. ET)
By Lee Kimber,

Faced with 24,000 attempted network attacks in the past six months,
Finnish telecommunications leader Nokia has developed a smart strategy to
protect itself: Follow the network security rule book to the letter.

Marketing manager Bob Brace said the policy started at the ICMP level --
by disallowing pings. 

"The hackers first try do things like ping every IP address on a class C
subnet," he said. "So they will try for x.x.x.1 to x.x.x.254. We do not
allow pings." 

He said Nokia protected its networks with an integrated firewall/router --
the IP1440 -- providing logs showing the attacks came from different types
of crackers -- amateurs that tried to scan ports sequentially and
professionals that carried out long-term port scanning from different IP
addresses. The logs proved the crackers' attempts to find a service on
1234 -- the default port used by the remote-control Trojan Back Orifice,
Brace said. 

The firewall also offered NAT which could be configured to drop ICMP
packets regardless of the packet filtering set up on the firewall. 

That won the approval of Integralis security expert Tony Rowan: "If you've
got NAT," he said, "you're almost there." He said the ICMP suite contained
commands most people had forgotten -- unless they were crackers. 

"Router redirect lets you make a router hand requests to someone else. 
This is an ICMP request, and you can get packet shapers that let you set
these up," he said. 

When setting up a CheckPoint firewall for an Integralis customer, he
recommended they turn on the "stealth rule" -- any packet from anywhere to
the firewall is dropped, rather than rejected, which would give them
feedback. Log it with a long log, he said. 

Nokia runs an internal U.K. Web server and a public Web server in
Helsinki, and Brace said he saw port 80 scans of the U.K. intranet all the

"Our intranet server here in the U.K. cannot be seen from the outside; the
IP440 keeps these hackers at arm's length. They can see we are here, but
they don't know what is on the other side of the firewall." 

The last weapon is encryption. Given Nokia's firewall logs have proved
some of its attempted cracks are by extremely knowledgeable people, the
company said remote-access services are the biggest vulnerability in its

Remote users dialed in using encrypted VPNs over the Internet, it said. 
Nokia then authenticated them again if they tried to access key resources. 

So Brace had strong advice for governments that wanted to impose key

"Key escrow weakens authentication and threatens the whole issue of e-
commerce," he said. 

Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:20:04 PDT