Annex NET offers a complete solution for a variety of network sizes, from LAN installations up to large multimedia WAN networks. We cooperate with the following vendors:
In his 1985 book, “The Man Who Mistook His Wife For A Hat”, the neurologist Oliver Sacks described a patient who went effectively blind without noticing it. In this strange but true story, the patient – Doctor P. – was convinced there was nothing wrong with him, yet on leaving the doctor’s waiting room, grabbed his wife’s head, which he mistook for a hat stand holding his hat. Doctor P. was suffering from visual agnosia, the inability to make sense of visual stimuli, unfortunately for him caused by a tumour in the part of his brain that processed sight. He could see, but he couldn’t recognize common things. Given a glove, he was at a loss to identify it – he could see it in fragments; he counted five small sacs connected to a bigger sac and surmised it was some kind of specialist bag.
It’s hard for us to imagine what it must be like to be blind in this way. “Normal blindness”, sure: just put a blindfold on. But to actually not know you’re blind? That sounds almost impossible. Or is it?
There is a form of blindness that many organizations suffer from – network blindness. And just like visual agnosia, many organizations don’t know they have it.
What is network blindness? It’s the inability to make sense of network information. Imagine the ‘eyes’ being replaced by network sensors, and the ‘brain’ by the IT department, and you get the picture. You might have some of the basics, statistics from your routers and switches, logs from your firewall. You might have some information from your IDS (if you have one). But it’s all rather fragmentary; and not knowing the full picture, it’s easy to jump to the wrong conclusions, or worse still, not know there’s an issue in the first place.
Who can suffer from network blindness? There are many organizations that haven’t invested in awareness technologies such as intrusion prevention systems or vulnerability awareness systems. They often don’t even know there are intrusion events happening on their network. They don’t know who is doing what to whom and with what and whether it’s an ‘inside job’ or not.
What are the consequences of such blindness? What can happen to an organization that can’t assemble a comprehensive picture of what’s happening to them at the network level? Here’s a ‘Top Ten’ list of consequences.
Poor network performance: “The system’s so slow!”
It is really frustrating for a project manager to hear users lambast the new system for being slow, especially when huge amounts of money have been spent on hardware and software. In many cases performance issues are seated in the network, not in the servers. Without good network awareness, the ability to diagnose such problems is limited – it is often the case that large sums of money are spent upgrading infrastructure without really addressing the core bottlenecks, resulting in no real gain from a user’s perspective.
External attack: or ‘you’ve been hacked!’
If you don’t know what’s happening at the network level, you won’t know who is attempting to come in through your network access points. You may be relying on your firewall to keep out the offenders. But many smaller companies place too much faith in firewalls. They may restrict what services may be accessed over which ports, but most organizations have certain ports that have to be open, such as port 80 (web), port 443 (secure web) and port 25 (mail delivery). This is where intruders focus their efforts. For the majority of attacks other than denial of service attacks, it’s as if the firewall wasn’t there at all.
Typically the attacker will scan your network looking for vulnerable hosts. Once he finds one, he will run exploit code against it and will have access to it via a ‘root shell’, often in seconds. Once he has this, he is king and you are ‘owned’, for the attacker now has complete control of this machine. He will then use this machine as a jumping-off point to discover and launch attacks at other machines within this part of the network, often invisible to the outside.
Or perhaps the attacker doesn’t need to gain access to the machine at all. If it’s a web application server, he may be able to get all the information he needs by running a SQL injection attack against it, enabling him to gain access to a much larger section of the underlying application database (read: your customer information) than he should be allowed to.
Don’t look a gift horse in the mouth: A favourite means of gaining access to people’s networks is the network Trojan. This form of attack works just like in the fable – your users are enticed into downloading an application that says it does one thing but really installs remote control software on their machine, which is under command of the attacker. Once this happens, to all intents and purposes, the machine is now owned and can be called upon at any time to do the attacker’s bidding. Often, the machine is used for spamming and performing distributed denial of service attacks against others. Such owned machines are referred to as ‘zombies’ and the collection of machines under the control of the attacker is referred to as a ‘botnet’.
Trojans typically check in periodically to an internet chat room, where they read instructions typed in the room and execute them. The signature of a botnet can be fairly clear (inbound Trojan code, outbound chat-room access) but what’s different about them from direct attack is that the initial infection of the machine happens on the user’s home network and is brought into the corporate network next time they are in the office.
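The outbound half of that signature can be checked from flow records. The following is an added example, not from the original article: it flags internal hosts whose connections to a chat port recur at a near-constant interval. The IRC port numbers, the 10.0.0.0/8 internal range and the sample flows are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Assumptions for this example: IRC ports stand in for "chat room" traffic,
# and 10.0.0.0/8 is the internal address space.
CHAT_PORTS = {6667, 6697}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def find_checkins(flows, min_events=5, max_jitter=0.1):
    """Flag internal hosts that connect out to a chat port at regular intervals.

    flows: iterable of (epoch_seconds, src_ip, dst_ip, dst_port).
    max_jitter: highest allowed ratio of gap std deviation to mean gap.
    """
    series = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in CHAT_PORTS and is_internal(src) and not is_internal(dst):
            series[(src, dst, port)].append(ts)
    findings = []
    for (src, dst, port), times in sorted(series.items()):
        if len(times) < min_events:
            continue  # too few connections to judge regularity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append({"src": src, "dst": dst, "port": port,
                             "period_s": round(avg), "events": len(times)})
    return findings


# Constructed flow records (documentation address ranges), not real traffic.
BOT_TIMES = [1000, 1302, 1599, 1901, 2198, 2500]   # about every 300 s
HUMAN_TIMES = [1000, 1040, 2900, 3000, 7000]        # irregular chat use
SAMPLE_FLOWS = (
    [(t, "10.0.5.23", "198.51.100.9", 6667) for t in BOT_TIMES]
    + [(t, "10.0.5.40", "198.51.100.20", 6667) for t in HUMAN_TIMES]
    + [(t, "10.0.5.23", "203.0.113.80", 443) for t in BOT_TIMES]  # regular, but web
)

if __name__ == "__main__":
    for finding in find_checkins(SAMPLE_FLOWS):
        print(finding)
```

The irregular chat user and the regular web traffic are both left alone; only the host that combines a chat port with a steady interval is reported.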
Internal Fraud. Like it or not, there could well be staff within your organization up to no good. If your company is of any significant size, then the number and type of bad people will begin to approximate the national crime statistics (do you have a murderer in your midst?). Your staff are likely to have a great deal more access to internal systems and this may include access to payment processing systems. Staff gone bad may commit fraud by siphoning company funds, by using customer credit cards, or by selling internal information to external buyers. An example of this kind of fraud is that often committed by helpdesk staff, who obtain customer records and sell them on to your competitors. Or it may be much more catastrophic – think of the rogue traders Nick Leeson and Jerome Kerviel, the former causing the demise of the English bank Barings and the latter mortally wounding the French bank Société Générale.
Disgruntled Employees/Ex-employees. Staff who bear a grudge or people who have recently been fired or laid off can inflict huge damage on an organization. Probably the best-known example of this happened in Queensland, Australia in 2001. A recently laid-off employee hacked into a sewage treatment plant over the company’s wireless LAN (he was in the car park using a laptop). Using known passwords, he hacked the system that controlled the plant, releasing over 250,000 gallons of raw sewage into nearby rivers and parks. This individual thought that by creating a series of problems he would be hired back to solve them – imagine the damage someone could do if they had the means to erase your customer database, or even worse, corrupt the data in such a way that you didn’t notice until it was too late?
Abuse of network policy. Staff may often knowingly or unknowingly transgress your network policy. Your policy is there for a reason – usually to protect the company from unacceptable risk. If your organization is large, there’s a statistical likelihood you will have some staff with – shall we say, unconventional tastes? So it’s important to be aware that this may mean they are storing anything from pornography to bomb making manuals on their machines – if they are stupid enough to download this stuff at work (and some people ARE that stupid) then there’s a good chance that they have attracted the interest of the authorities – and that won’t look good for your company in the press. Or it may not be as extreme as this – instead, you might have a social networking epidemic on your hands. For example, research sponsored by Morse shows how office workers' use of Twitter and other social networking services costs UK businesses £1.38bn a year in lost productivity. Or staff may be simply displaying unsuitable images on their terminals, causing distress to others, which may lead to legal actions against you.
License dodgers and peer-peer jockeys
IT departments typically supply staff with machines and software suitable for doing their job. Unfortunately, the opinion as to what software is suitable often differs between the IT department and staff, with the staff taking it into their own hands to install their own (often pirated) copies of software. This software may vary from newer copies of Microsoft Office to Torrent downloaders for peer-peer sharing. Many people think nothing of sharing their collection of films, music and so on (very easy to do with iTunes for example) and although much of the downloadable content from Apple, etc. is protected by DRM, there are many ripper utilities that enable people to create copies of their own DVDs.
Configuration Jamboree/VM sprawl
Closely related to License Dodgers is the issue of VM sprawl. It’s easy (and free) to download many virtual machine environments and very easy to propagate entire operating systems and applications (they’re just files used by the VM). The VMs themselves may be legal and even the operating systems – but that doesn’t stop them being a security threat. The real threat behind VMs is that they often operate outside the management domain of the IT department and therefore may not be patched or audited. People can leave them powered down for months at a time, then power them up for a specific task. The problem then shows itself – the virtual machines have missed out on months of patches and are often very vulnerable to threats in the network. Another risk stems from the fact that most VMs have a snapshot facility that can save the state of a virtual machine so that it can be restored at a later date. Whilst useful in a development environment, restoring such snapshots also undoes any security patches that have been applied since the snapshot was taken, again leaving a wide-open vulnerability. One of the biggest issues with VMs is the false sense of security they can instil in their owners. Staff may believe they are secure, by having a fully patched or non-vulnerable host (for example a Macintosh), which is running an older, un-patched vulnerable VM (e.g. Windows XP). In reality, they are merrily propagating worms around their workplace through the VM, without even suspecting it!
Data Leakage
Well-meaning, honest staff may still cause unacceptable risk to your company by inadvertently leaking out confidential information. This often occurs via email, especially when people forward mails without thoroughly reading the forwarded content. Even if the mail is non-confidential, there can still be leakage, for example the cc list of an email can provide an external recruiter a bunch of names to head-hunt. Other forms of inadvertent leakage may occur through simple mis-configuration – for example, an Internet banking server may be accidentally configured to respond to HTTP instead of just HTTPS. Nothing has failed – but customer confidential information will now be passed in the clear instead of being encrypted, a huge security hole.
Your Liability
Which brings us to the bottom line. Your company is liable and exposed in some way in all of the above scenarios. In not protecting your customer payment data, you fall foul of PCI regulations. In not protecting personal data (employee and customer) you fall foul of the Data Protection Act. In allowing peer-peer activity and other illegal software installations, you are opening yourself up to heavy fines and/or time in jail. When you really look at it, not having network visibility has so many downsides that it’s just not worth going without it.
So what should you do?
Simply put, end your blindness and learn to see. Implement a network awareness system that is comprehensive and gives you an integrated picture of what’s happening on your network. For this, look at an IPS that is highly tuneable, that gives you insight into why it is seeing events. Look for an IPS that has a low false positive rate and the best detection capabilities (if it can’t detect, there’s not much point in having it). Check out impartial reviews for good IPS systems, such as NSS Labs and ICSA. Next, ensure you have a good grasp of the systems in your network. Look at discovery systems. Passive systems (ones that don’t scan) have the advantage over scanners for speed of discovery and network stability. Next, look at network behavioural anomaly systems (NBA). These will find unusual activity on your network and can identify threats that your IPS does not have rules for yet. Next, look at configuration management and enforcement systems to identify and lock down your systems against alteration. Lastly, look for a system that is highly integrated, rather than lots of separate components from different suppliers. In doing so, you will reap the benefits of common management, a common operator interface and an integrated, comprehensive awareness system which will make a big difference in reducing your risk and lowering the cost of ownership for your business.
Dominic Storey
Technical Director
Sourcefire UK Ltd.
As a complete IT Management solution, WhatsUp Gold is simple to install and easy to use, allowing network administrators to discover and manage their network, servers, applications, virtual resources, network traffic, configuration, layer 2 port-to-port connectivity and events in a matter of minutes, all from a SINGLE console.
The new features and benefits make WhatsUp Gold v14.4 and WhatConnected 3.0 streamlined, faster and more secure than ever before:

The innovaphone News 10/2010 incorporated some useful tips on how to improve security on the innovaphone PBX e.g. against so-called “Brute Force Attacks”. V9 comes with more features which further increase the innovaphone PBX security preventing such attacks.
Incorrect password – block for 20 seconds
Should someone attempt to register to the PBX with an incorrect password, all subsequent registrations to the respective object are declined for 20 seconds. This makes it considerably more difficult for hacker programmes to test passwords, also preventing the detested brute force attacks.
Registrations only authorised with Admin password
If the “Zero Configuration Deployment” functions are used for a rollout, it is now possible to determine that the Admin password can be used for log-ins. This prevents external people from registering temporarily without a user name and password, thus preventing “unknown registrations”, as they need the admin log-in. Furthermore, it is possible to configure the system so that devices can only register to an object using the admin password.
Deny registrations to an object
Sometimes there are objects in a PBX which are needed for various reasons but which are not suitable for devices to register to. This can for example be a mobile telephone user who does not have a fixed line telephone. You can now entirely disable the possibility of registering to such objects.
Definition of permitted IP address ranges
It was possible, even prior to V9, to define IP address ranges for devices which were allowed to log-in to the PBX without a password. It is now possible to define such IP address ranges for log-ins with a password. Even if a hacker wants to register to a system with a correct password, he still won’t be able to as his IP address is not within the defined IP address range.
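A minimal model of three of the checks described above (the 20-second block, disabled registration for an object, and permitted IP ranges for password log-ins), given as an added example and not innovaphone code. Class, method and result names are hypothetical; the order of the checks and the rule that declined attempts do not extend the block are assumptions.

```python
import hmac
import ipaddress

LOCKOUT_SECONDS = 20  # block period given in the text


class RegistrationGate:
    """Model of the V9 registration checks; all names here are hypothetical."""

    def __init__(self):
        self.objects = {}        # object name -> settings
        self.blocked_until = {}  # object name -> time the block ends

    def add_object(self, name, password, allowed_nets=(), registrable=True):
        self.objects[name] = {
            "password": password.encode(),
            "nets": [ipaddress.ip_network(n) for n in allowed_nets],
            "registrable": registrable,
        }

    def register(self, name, password, src_ip, now):
        obj = self.objects.get(name)
        if obj is None:
            return "unknown-object"
        if not obj["registrable"]:
            return "registration-disabled"
        # Assumption: the address check runs first, so a host outside the
        # permitted ranges can neither guess nor trigger the block.
        addr = ipaddress.ip_address(src_ip)
        if obj["nets"] and not any(addr in net for net in obj["nets"]):
            return "ip-not-permitted"
        # While the block is active every attempt is declined, even one
        # carrying the correct password.
        if now < self.blocked_until.get(name, 0):
            return "blocked"
        if not hmac.compare_digest(password.encode(), obj["password"]):
            self.blocked_until[name] = now + LOCKOUT_SECONDS
            return "bad-password"
        return "registered"


def evaluated_guesses(gate, name, src_ip, seconds):
    """Count how many wrong guesses are actually checked at one try per second."""
    results = [gate.register(name, "guess-%d" % t, src_ip, now=t) for t in range(seconds)]
    return results.count("bad-password")


def demo():
    gate = RegistrationGate()
    # Constructed sample objects and addresses, for illustration only.
    gate.add_object("alice", "s3cret-Reg", allowed_nets=["10.1.0.0/16"])
    gate.add_object("mobile-only", "unused", registrable=False)
    return {
        "outside_ip": gate.register("alice", "s3cret-Reg", "203.0.113.7", now=0),
        "no_register": gate.register("mobile-only", "unused", "10.1.2.3", now=0),
        "guesses_in_60s": evaluated_guesses(gate, "alice", "10.1.9.9", 60),
        "owner_during_block": gate.register("alice", "s3cret-Reg", "10.1.2.3", now=59),
        "owner_after_block": gate.register("alice", "s3cret-Reg", "10.1.2.3", now=60),
    }
```

Calling `demo()` shows the trade-off of a per-object block: sixty guesses in a minute result in only three password checks, but the legitimate device is declined as well until the block expires.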
Permitting multiple networks with configuration rights
In the past, it was possible to define a network which had access to the PBX. If one network was not sufficient, one had the possibility of allowing all networks to access the PBX at will and without any limitations. Theoretically, this carried the risk that hackers could enter and administrate a PBX without permission. It is now possible to name several networks which are allowed to access the PBX configuration interface. Therefore, for example, administrators from various networks can make changes to the PBX and it is guaranteed that no unauthorised person can administrate the PBX from an external network.
Minimum information transmission by the innovaphone PBX
Due to the fact that minimum information is transmitted, the innovaphone is now better protected against so-called SIP Scan Tools which can be used to scan networks and spy out product information on a telephone system, such as software version, hardware details etc. You can almost say, the innovaphone PBX is less gossipy and hardly gives hackers any information which they could, in turn, use for attacks.
IP6010
The innovaphone VoIP gateway IP6010 is the worthy and powerful replacement for the current IP6000. We have enhanced the IP6000’s proven features: The IP6010 is the VoIP gateway with the highest port density: it has 4 primary multiplex interfaces (PRI), two of which are suitable for connecting to the trunk lines and another two for looping in. They can be activated separately and according to need. Furthermore, the IP6010 has another ISDN interface (BRI) and 2 separate Ethernet interfaces.

The main difference to the IP6000 is the increased storage capacity and increased processor power: A 512 MB DDR2 RAM memory ensures sufficient capacity and a Dual Core processor, two times 800 MHz, guarantees performance. Additional capacity pays off especially when installations continuously grow and also provides the possibility to operate other applications over the VoIP gateway. Power over Ethernet is the IP6010’s only power supply.
The IP6010 has been designed in the same way as all other innovaphone VoIP gateways and has no rotating parts such as hard disks or fans. The gateway’s slim design dimensions enable up to two devices to fit onto one 19 inch height unit with the help of an installation frame – that is up to 120 channels in one height unit. A compact flash card can be used for announcements, voicemail and music on hold.
IP0010
Amongst the innovaphone boxes, the VoIP gateway IP0010 is the “pure PBX platform”, as we have done without multiple interfaces. The IP0010 has neither primary multiplex interfaces (PRI), nor does it have basic rate interfaces (BRI). Two Ethernet interfaces make the connection over SIP or H.323 – the IP0010 is therefore perfectly suited to connect to a carrier or as a powerful platform for the PBX in larger installations. Otherwise, the features of the IP0010 are equivalent to the IP6010.
“New Oldies”:
The IP6010 and IP0010 will be available at the same time as the innovaphone Version 9 and can be operated from this version onwards! They replace the VoIP gateways IP6000 and IP2000, which will soon go into a well deserved retirement! Remainders of stock can be ordered while stocks last.