Why do network security problems persist? While wireless network security issues continue to make current headlines, attention has been drawn away from the fact that wired networks are often affected by many of the same weaknesses. As a result, our vulnerability to network eavesdropping continues, despite growing investment in security measures. Eavesdropping attacks are insidious, because it's difficult to know they are occurring. Once connected to a network, users may unwittingly feed sensitive information - passwords, account numbers, surfing habits, content of email messages - to an attacker, writes Tom King, applications and security manager at 3i.
Eavesdropping attacks are easy to set up, and protecting against the threat calls for a multi-faceted approach. Perhaps the persistence of the problem is explained by the implementation of partial solutions, which leave gaps in what should be done about it:
Lack of awareness of any security issue can be dangerous and IT managers need to promote awareness and demonstrate good practice. The next time you connect to a public wireless network think about the applications you are using. Do they use strong encryption? If not, who might be listening? What could they do with the information they listen in on? If you are aware of the problem, spread the message!
Encryption is a great defence against eavesdropping. By only using applications and systems which use strong encryption, you can make an attacker's life far more difficult. But it isn't a panacea, for a couple of reasons:
First, we continue to see a dual-pronged attack against encrypted data. While PCs follow Moore's law and their speed increases exponentially, security tools get smarter. Faster PCs reduce the time an attacker needs to crack a password, and modern password-cracking technologies - such as rainbow tables - can reveal passwords in seconds.
Second, unfortunately many applications do not offer encryption, or they may be configured not to use encryption by default, perhaps for performance reasons. The latter is the issue which was found to affect Gmail last year.
In the world of networks, the default position is often that "anything can access anything", which is weak from a security perspective. Why, for instance, does the salesman's laptop need network access to the HR system? Most likely it doesn't, but corporate networks tend to be configured in a manner that allows this and allows abuse. Formal network segmentation can provide a countermeasure against a number of threats, including eavesdropping.
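An added example, not from the original article: one way to check observed traffic against a default-deny segmentation policy, using the sales-laptop and HR-system case above. The segment names, address ranges, ports and flow records are all constructed assumptions.

```python
import ipaddress

# Constructed segment map: names and ranges are assumptions for illustration.
SEGMENTS = {
    "sales":   ipaddress.ip_network("10.10.0.0/24"),
    "hr":      ipaddress.ip_network("10.20.0.0/16"),
    "hr-apps": ipaddress.ip_network("10.20.1.0/24"),  # nested inside the HR range
    "mail":    ipaddress.ip_network("10.30.0.0/28"),
}

# Default deny: only these (source segment, destination segment, port) are permitted.
ALLOWED = {
    ("sales", "mail", 993),
    ("hr", "mail", 993),
    ("hr", "hr-apps", 443),
}

def segment_of(addr):
    """Return the most specific segment containing addr, or None if unmapped."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, name) for name, net in SEGMENTS.items() if ip in net]
    return max(matches)[1] if matches else None

def audit_flows(flows):
    """Return (flow, reason) for every flow the segmentation policy does not allow."""
    findings = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s is None or d is None:
            findings.append(((src, dst, port), "endpoint outside any defined segment"))
        elif s == d:
            continue  # traffic inside one segment is out of scope for this check
        elif (s, d, port) not in ALLOWED:
            findings.append(((src, dst, port), f"{s} -> {d}:{port} not in allow-list"))
    return findings

# Constructed flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.10.0.15", "10.30.0.5", 993),   # sales laptop to mail: allowed
    ("10.10.0.15", "10.20.1.8", 443),   # sales laptop to HR system: flagged
    ("10.20.0.7", "10.20.1.8", 443),    # HR desktop to HR system: allowed
    ("192.168.5.9", "10.20.1.8", 443),  # unmapped device: flagged
    ("10.20.0.7", "10.30.0.5", 25),     # permitted pair, unlisted port: flagged
]

if __name__ == "__main__":
    for flow, reason in audit_flows(SAMPLE_FLOWS):
        print(flow, reason)
```

Run against real flow logs, the same check shows where an "anything can access anything" network differs from the intended policy before enforcement rules are written.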
Network access control (NAC)
One way to make eavesdropping more difficult is to prevent unauthorised users getting onto your network in the first place, "keeping the bad guys out". All that is needed to eavesdrop on many networks is physical access to the building (and even that is not needed if the network is wireless). NAC attempts to fix this problem by ensuring that every connecting device is trusted before full network connectivity is delivered. NAC can give the network attacker a tough time.
Part of the "keep the bad guys out" philosophy is good physical security. Are there network points in your lobby? Network points in meeting rooms which visitors use? Do these network points offer direct connectivity to the corporate network? These kinds of weaknesses offer the unscrupulous a simple way of connecting to your corporate network, and stealing data through eavesdropping, or worse.
This was first published in March 2008