About | Buy Stuff | News | Products | Rants | Search | Security | Social
Home » Resources » Rants

Immovable Objects

Week of September 14, 2003

Dr Gerry is not a professional network administrator, but he could be. Dr Gerry gets paid for something entirely different - and nets a lot more than an admin ever would. Still, he's a survivor. He will do what it takes to protect his networks.

Things were relatively calm until a few years ago when Microsoft came to town. Regarding the proud and stable Unix server park, Microsoft began chumming up to the most intellectually disenfranchised and trying to get them to pull strings to pull the Unix boxes in favour of Windows 2000. They succeeded - and the cataclysm was total. (See 'Win2K Does It Again'.)

Dr Gerry was patient with Microsoft for as long as could be expected. When Windows 2000 first came out, he gave Microsoft the benefit of the doubt - but then quickly took it back.

In an about face expedited at breakneck speed, he replaced all the Windows installations in his computer laboratory with Mandrake, and set up his own Linux servers. When faculty and student body returned to campus, he told them: 'No more MS Office, and that's that.' They didn't like it, but there was nothing they could do, and as time went on, at least the student body thanked him.

But as we all know, money is the root of all evil. After watching worm after worm hail the Internet and the remaining Windows installations on campus, Dr Gerry got wind of more foul play. Here, by request, is his letter to the university. It is a fitting document over just how much high-level ingrained stupidity we on the Internet have to deal with if we are to survive. It is also a textbook example of how greed exploits stupidity and the richer get even richer.


TO WHOM IT SHOULD CONCERN:

My departmental LAN consists of two separate segments. Each of these segments is created with a Linux box with two NICs installed. This allows the internal LANs to be firewalled from the Internet. The LAN segments use 'reserved' or 'non-routable' IP addresses.

The first of our LAN segments is reserved for our faculty who use the MS Windows 2000 platform on their workstations. The non-routable address range that I assigned for this segment using Network Address Translation (NAT) is:

10.0.1.0/24

It exists behind the single Internet-visible IP address of:

xxx.xxx.xxx.xxx

The departmental web server provides our Internet presence via port 80 on that same IP address - again:

xxx.xxx.xxx.xxx

The site runs on a secured and patched Apache web server on a secured and patched Linux OS box and offers no other services. The site itself contains only static pages using certified HTML standards and, in the interest of reliablility, has had its name registered with Enom Inc, which provides the needed DNS info to the planet earth and beyond.

The SECOND of our LAN segments is reserved for our student/faculty/research/computer lab which uses the Mandrake Linux 9.1 platform on the workstations. The non-routable address range that I assigned for this segment using Network Address Translation (NAT) is:

10.0.0.0/24

It exists behind the single Internet-visible IP address of:

xxx.xxx.xxx.xxx

There are no Internet services offered over this IP address. It is only used as a gateway for Internet access to the workstations. Additionally, it is using the Squid proxy server (secured) to reduce network traffic if the lab is filled with people using the Internet.

The faculty LAN segment does not use any Unix services for Windows. The student LAN segment does not use any Samba services for Unix.

The combination of the two separate NATed LAN segments and the deliberate inability of the two segments to use file/print sharing was my good faith effort to absolutely minimize the spread of worms and other malware which might have a negative impact on network bandwidth and security. I don't get paid to do this.

Our department was assigned a third routable IP address in the netblock owned by the university:

xxx.xxx.xxx.xxx

I have a 'sticky honeypot' (Tom Liston's LaBrea software http://hackbusters.net) running on that IP address - again:

xxx.xxx.xxx.xxx

LaBrea is used by the FBI and the Defense Department to fight back against malicious Internet worms which scan netblocks at extremely high rates.

In our case it will make it appear that every single IP address in the:

xxx.xxx.xxx.0/24

range is in use. LaBrea 'moves out of the way' when legitimate network devices exist on that segment - however, if none actually do exist, a malicious scanner will find that:

a) the IP address responds to pings;

b) ARP requests will result in apparent MAC addresses (for devices that, again, don't actually exist); and

c) any attempts to exploit services on the unused IP addresses will result in the scanner becoming 'tarpitted' or 'stuck' until they give up the attack.

All of the MS Windows 2000 machines are equipped with Service Pack 4 and have all of the latest security patches applied as soon as they are available. They have never missed a patch nor have they ever been compromised. They also run Norton Corporate Edition Anti-Virus Software, and - most importantly - require our three static IPs to be open to traffic if for no other reason than to retrieve the patches and AV updates.

(Hint: If you cripple our LAN segments and Internet visibility (through the few services we offer) you are not helping the current campus IT situation - rather, you are increasing the likelyhood of compromise!)

I just read about the $6,000,000 cost of the new 'EXCHANGE SERVER' - what were you thinking? This is hard-earned taxpayer money being mismanaged beyond belief! The same goals could have been accomplished with open source applications (Ximian et al) for free! Without all this worm/virus stuff!

This was done because you apparently never understood that it is stupid to set up a campus wide DHCP server which leases real-routable (and therefore visible to the entire Internet) IP addresses - thus allowing easy access to malicious attackers via deliberate albeit isolated intrusion attempts or, more recently, automated Internet worm attacks which can spread with tremendous speed and, through the use of bizarrely crafted ICMP scanning algorithims, create such a large volume of traffic that affected netblocks become unusable.

This is Network Admin 101 stuff! Any undergraduate computer science major would know this by their sophomore year! However since you do not know this stuff, may I offer a primer I make available for my students?

Finally, since all of my classes require access to the departmental web server (and since I know exactly how it is performing from its logs) if denial of those services over the Internet continues any further into this semester, I will inform all students how to file official complaints about this situation with the Board of Regents and other officials.

Most of my students like me and know how hard I've worked on providing them with technology, and they know how much their technology fees are every semester, and I can provide them with logs that indicate exactly what is and what is not being competently managed IT-wise on our campus.

It's not a threat - it's reality.

Thank you for your kind attention to these matters.

About | Buy | News | Products | Rants | Search | Security
Copyright © Radsoft. All rights reserved.