FIREWALLS FOR HOME SYSTEMS

by Rik Farrow <rik@spirit.com>

PPP means you don't need a cable or DSL modem to be in danger

The advent of DSL (Digital Subscriber Line) and cable modems has brought with it an avalanche of dire warnings. The doomsayers have proclaimed that people who are connected fulltime to the Internet are at great risk of having their home systems hacked. The truth, as usual, lies somewhere in between.

DSL and cable modem users do face a greater risk of Internet attacks than do dial-up users. But the main difference between the dial-up users and those connected fulltime is one of magnitude. When you use PPP, your system becomes part of the Internet and is subject to scans and attacks. And if you connect your desktop system at work, you may be exposing your internal network (one protected by a firewall) to attacks from the Internet.

DSL and cable modem users are already facing attacks based not on the fulltime nature of the connection, but on the fact that the address ranges used by suppliers of these fulltime connections are known. If history is any guide, attacks seeking out systems connected fulltime to the Internet will increase.

Any system connected to the Internet needs protection. For desktop systems, software or hardware firewalls make sense, whether you use a modem or a fulltime link.

PPP

Point-to-point protocol (PPP, RFC 1661) defines a method for encapsulating and transporting other network protocols. PPP supports not only IP, but other protocols such as NetWare and AppleTalk. For most of us, this is not an issue as we are either not using these protocols, or are connecting to an ISP that will not route these protocols.

The primary use of PPP has been to set up connections over serial lines connected by modems. PPP handles authentication, negotiates compression, monitors link reliability, and also handles tearing down a connection. Each PPP header includes a description of the protocol encapsulated. When you use PPP to connect to the Internet, what you are primarily using is IP over PPP. At your end of the connection, a default route is added that directs your IP packets via the PPP link to the Internet. At the ISP's end, a route already exists that directs packets to your end of the PPP connection.

The Internet Protocol is two-way. Once you have connected to the Internet, it is as if you have connected your system directly to the network within your ISP--a network that is up fulltime. The difference is that your connection only exists while you are successfully dialed into your ISP. Also, the IP address assigned to your PPP link changes each time you dial in.

But a changing IP address does not protect you from scans and attacks. An attacker that is scanning the range of addresses assigned to a terminal server (that is providing the PPP dial-ins) will see your system after it has been connected, and can attack it at that time. And if the attack is successful, the attacker can then install software on your system.

The software installed might be as mundane as a virus. Or perhaps, it might be a trojan, similar to Back Orifice, that provides remote access to your system as well as setting up a password sniffer. The combination of a backdoor providing remote access and a sniffer is a dangerous one, as the backdoor provides future remote access, and the sniffer may reveal the passwords of other systems. That is, if the system you are using is attached to another network, for example, your office network. (Figure 1)

An attacker who has managed to install a backdoor into your system via PPP will only be able to use it while you are using your dial-up link. And the IP address will (likely) be different every time. But routine scanning for the backdoor's port address will reveal your system, and the backdoor will provide access. The intruder will then have the same access to your network that you have working locally. In other words, you will have created a backdoor into your network that bypasses any firewall that may be guarding the front door, your organization's official Internet connection.

Modems have always been a security problem, with modems that permit dial-in an attractive target for attackers. War dialers scan for modems by trying every phone number within an exchange. If the modem can only be used for dial-out connections, the war dialer won't discover it. But PPP changes the equation, as it provides bi-directional transport for TCP/IP, making any connected system visible to scanners and attackers.

Fulltime

While using PPP makes your system visible, and potentially vulnerable, only when you have connected to the Internet, new fulltime connections exacerbate the problem. Instead of having to find a backdoor on a system that only appears part of the time, a fulltime-connected system will always be there. The IP address will also (for the most part) stay the same, making a backdoored system easy to find again. These things make DSL and cable modem connected systems more interesting to an attacker.

One attack, reported at the beginning of April, was targeting network addresses known to include cable modems or DSL users. The attack checks for enabled file sharing (the default with Windows 98), attempts to map the directory exposed, and then installs the so-called 911 trojan. The 911 trojan is a nasty one, either deleting all files (or just the ones in the Windows installation) on the 19th of the month, or using a modem to dial 911 (which should fail now that these systems are using cable modems or DSL).

Some cable modem users have already begun to notice just how wide open their connection to the Internet has become. For example, when they check out the network neighborhood, they can see other people's desktops (anyone with the same broadcast address as they are using). Mac users will notice icons for other people's printers appearing on their desktops. Hopefully, these things are disturbing enough to consider doing something about it.

Some cable modem suppliers include at least rudimentary filtering in their modems. For example, simply by blocking access to TCP port 139, you cut off access to Microsoft (SMB) file and printer sharing. Hopefully, fulltime connection suppliers will educate their customers on exactly what filtering of services they are doing, if any at all.

You can be a lot more proactive about defending your system. You can install one of the personal firewall products that exist, or you can install a firewall appliance. Personal firewalls fit into your IP stack, and can detect and block attempts to connect to your system from the Internet. Of course, if you plan on using ICQ, you will want some of those connections to succeed. Certain other Internet services, like NetMeeting and even FTP, may require incoming connections. Most products deal with these issues by permitting you to poke holes in your firewall.

BlackIce has become one of the favorite personal firewall products. It acts both as a filter, controlling which packets are permitted to pass, and as an individual intrusion detection system. You upload signatures along with the tool, and BlackIce will attempt to identify scans, denial of service, and other attacks launched against your system. Products like this can be real eye openers, especially for dial-up PPP users who never suspected how often their systems are being scanned. Products like BlackIce are designed for individual users, as there is no central management console or means to consolidate logs.
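The behaviour described in the last three paragraphs (drop SMB on TCP 139, reject unsolicited inbound connections while letting replies to your own connections back in, poke a hole for a service you choose, and flag a source that sweeps many ports) as an added Python model. This is illustrative code written for this article, not code from BlackIce, ZoneAlarm or any other product; every address, port and packet below is a constructed sample, and the hole on port 4000 is an assumed chat-client port.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str            # sender address
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool
    inbound: bool = True   # True = arriving from the Internet

@dataclass
class Firewall:
    holes: set = field(default_factory=set)              # ports opened on purpose
    blocked: set = field(default_factory=lambda: {139})  # SMB: always dropped
    state: set = field(default_factory=set)              # (remote, rport, lport)
    probes: dict = field(default_factory=dict)           # src -> ports it hit

    def filter(self, p: Packet) -> str:
        if not p.inbound:
            if p.syn and not p.ack:        # we opened it: remember, so replies pass
                self.state.add((p.dst, p.dport, p.sport))
            return "ACCEPT"
        if p.dport in self.blocked:
            self._note(p)
            return "DROP"
        if (p.src, p.sport, p.dport) in self.state:
            return "ACCEPT"                # reply to a connection we initiated
        if p.syn and not p.ack and p.dport in self.holes:
            return "ACCEPT"                # deliberately exposed service
        self._note(p)                      # unsolicited: record and drop
        return "DROP"

    def _note(self, p: Packet) -> None:
        self.probes.setdefault(p.src, set()).add(p.dport)

    def scanners(self, threshold: int = 5) -> list:
        # crude scan detection: one source hitting many closed ports
        return [s for s, ports in self.probes.items() if len(ports) >= threshold]

def demo():
    fw = Firewall(holes={4000})            # assumed hole for a chat client
    me, web, probe = "10.0.0.5", "192.0.2.10", "198.51.100.7"
    out = [fw.filter(Packet(me, 1025, web, 80, True, False, inbound=False)),
           fw.filter(Packet(web, 80, me, 1025, True, True)),
           fw.filter(Packet(probe, 2000, me, 139, True, False)),
           fw.filter(Packet(probe, 2001, me, 4000, True, False))]
    for port in (21, 23, 25, 110, 139, 31337):   # constructed port sweep
        fw.filter(Packet("203.0.113.9", 40000, me, port, True, False))
    return out, fw.scanners()
```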

Personal firewalls do not function as anti-viral software, and you must also use up-to-date virus detection software to keep your desktop secure. All anti-virus products now include signatures for trojan horses, like Back Orifice or the version of the DDoS tool TFN that has been ported to Windows 98. There are over a hundred different trojan horse programs for Windows systems, all of which feature remote control.

If you use Linux or BSD, you can set up your own firewall with software that comes with the OS. Unlike the PC firewall products (see Resources), you will need to know more about what you are doing to set up an IP firewall. There are new tools out, such as Mason and FWctl, that make it easier to point-and-click your way through the configuration of ipchains, the firewall module that provides packet filtering and some stateful inspection for versions of Linux that have been distributed since mid-1999. Linux systems, as well as other versions of UNIX, have not suffered from the virus problems that plague Windows systems, so don't even think about looking for anti-viral software for UNIX.

Firewall appliances have the advantage of being a separate device, not part of your operating system. Besides specializing in protecting your system, they also allow you to connect multiple systems while exposing only a single, registered IP address, through the use of NAT (Network Address Translation).

SOHO, from WatchGuard Technologies, is a new product that provides stateful packet filtering as well as centralized management. One Ethernet port connects to your DSL, cable or ISDN modem, and four ports permit connection of internal systems or other hubs. Up to 50 systems can be supported by a single SOHO, which costs $495 including a year of support. SOHO does not require the installation of any software on the protected systems. A Web browser is used for administration, and software updates are done automatically. For an upgrade fee, the SOHO can also function as a VPN encryption device, supporting IPSec.

Defend Yourself

Any system connected to the Internet is vulnerable. Having a fulltime connection to the Internet does not make you more vulnerable--but simply a more accessible and attractive target. The fixed IP address and 24x7 availability make your desktop system a great relay for attacks on your internal network or other sites, or a launching pad for DDoS attacks.

The Internet, and TCP/IP, grew out of research projects that had no concerns about security. But just because TCP/IP was initially designed without security in mind does not mean that you can get away with ignoring your own system's vulnerabilities. Protect yourself. You will not only be doing yourself a favor, but will be performing a service to the community as well.

Resources:

RFC 1661 defines the standards for PPP: http://www.faqs.org/rfcs/rfc1661.html.

Information about the 911 virus being deliberately spread to networks with cable modem and DSL hookups:
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=BAT_CHODE911

ZoneAlarm is a free firewall, very easy to use, for Win95/98. http://www.zonelabs.com

Black Ice Defender is both firewall and modest intrusion detection software for the PC. $39.95 for two year license, www.blackice.com

WatchGuard Technologies firewall appliance for protecting small networks or home offices: http://www.watchguard.com/products/fireboxsoho.asp

Tools for building and configuring firewalls for Linux (and some BSD) UNIX systems: http://xmission.linuxberg.com/conhtml/adm_firewall.html