Dial-up Access is the Achilles' Heel

Our second scenario describes a common situation that appears safe but which in reality exposes a pathway into a company's internal network. In this case, the same fictitious company, MicroEmporium, invests heavily in firewall and remote-access security, but it overlooks users dialing out to the Internet from their desktop PCs.

Most network administrators understand the problems associated with letting users set up their own remote-access links. Using Windows NT RAS or pcAnywhere, for example, employees can inadvertently open security holes by allowing any dial-up user access to the company network. But as the diagram "How Dial-Up Access Can Expose Your LAN" illustrates, a user can open security holes simply by establishing an outbound Internet connection, even if his modem isn't configured for dial-in access.

In this scenario, a MicroEmporium employee uses a dial-up Internet account to chat with friends. Although corporate mail is accessible through the LAN, he still frequently dials in to his existing account to access Internet applications that are blocked by the corporate firewall. The problem here is that while a user is dialed into the Internet and simultaneously connected to the corporate LAN, his machine is a potential gateway between the two networks.

For an attacker to exploit this possibility, he must enable proxy functionality on that user's machine (by installing a program that will let him remotely control that machine), wait for the user to connect to the Internet, and then use that machine as an intermediary to access the corporate LAN.

The first step is the most difficult and is more likely to succeed if the attacker doesn't target a specific user. Here, the hacker sends a Trojan horse, disguised as an amusing e-mail attachment, to the company-wide e-mail list. Anyone who opens that attachment unwittingly installs a notorious program called Back Orifice on his machine.
Back Orifice lets an intruder control a PC by sending it commands over the network. The attacker could also use other less common methods to distribute the executable. These methods include obtaining physical access to a user's PC or circulating a virus or worm with the goal of installing code on as many machines as possible. The code could then notify its home base each time a machine is compromised, letting the attacker choose its targets at a later time.

After the program is installed, the attacker simply waits for the company's users to dial up their Internet providers. If any user's machine has been subverted by the Trojan horse, it will automatically send an e-mail to the attacker, informing him of the computer's current IP address. Once an infected user dials into the Internet, the attacker has an open channel into the company's LAN and can browse or modify files on the network via Back Orifice, just as if he were seated at the victim's PC.

Note that a single modem user installing the Trojan horse compromises the entire network; instead of targeting one user, the attacker targets many and simply focuses on the first one that falls prey to attack.

Published as Enterprise Computing in the 5/25/99 issue of PC Magazine.
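The exposure described above depends on a PC being attached to the corporate LAN and to a dial-up Internet link at the same time. The following added example, which is not part of the original article, flags such hosts from an interface inventory; the corporate address range, host names, adapter names and inventory rows are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: corporate LAN address space (constructed for this example).
CORPORATE_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed inventory rows: (host, adapter, adapter type, IP address, link up)
SAMPLE_INVENTORY = [
    ("ws-014", "Ethernet0", "ethernet", "10.20.4.14", True),
    ("ws-014", "Dial-Up Adapter", "ppp", "198.51.100.77", True),
    ("ws-022", "Ethernet0", "ethernet", "10.20.4.22", True),
    ("ws-022", "Dial-Up Adapter", "ppp", "0.0.0.0", False),      # modem idle
    ("ws-031", "Ethernet0", "ethernet", "10.20.7.31", True),
    ("lap-07", "Dial-Up Adapter", "ppp", "203.0.113.5", True),   # laptop off the LAN
    ("ws-040", "Ethernet0", "ethernet", "10.20.9.40", True),
    ("ws-040", "Remote Link", "ppp", "10.20.200.3", True),       # PPP inside corporate space
]


def is_corporate(ip):
    """True if the address falls inside any corporate network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def find_bridging_hosts(inventory):
    """Map each dual-connected host to its LAN addresses and external dial-up links."""
    lan, dialup = defaultdict(list), defaultdict(list)
    for host, adapter, kind, ip, up in inventory:
        if not up:
            continue  # an idle modem is not a path between the two networks
        if is_corporate(ip):
            lan[host].append(ip)
        elif kind == "ppp":
            dialup[host].append((adapter, ip))
    # Report only hosts that sit on both networks at the same time.
    return {
        host: {"lan": lan[host], "dialup": dialup[host]}
        for host in sorted(set(lan) & set(dialup))
    }


if __name__ == "__main__":
    for host, links in find_bridging_hosts(SAMPLE_INVENTORY).items():
        print(host, "LAN", links["lan"], "dial-up", links["dialup"])
```
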
Copyright (c) 1999 Ziff-Davis Inc.