Intrusion Detection FAQ: What is the risk to Windows 9x from Dedicated Internet Connections?

One of the most dangerous and least recognized vulnerabilities for home PC users and enterprise LANs/WANs is unauthorized access via a dedicated Internet connection. Although this problem can exist across a multitude of operating systems and Internet connection types, this document will focus on Windows 9x with a digital subscriber line (DSL) or cable modem based Internet service.

An Awakening
The availability of affordable high speed Internet service to the public has resulted in an exodus from traditional modem connectivity - an environment where dynamic IP addressing provided an often unacknowledged layer of security to unprotected systems. While realizing superior performance, these users are also becoming increasingly aware of the security implications associated with static addressing and full time connections. It is becoming disturbingly common to hear of incidents where home 'Net connected systems have been accessed by neighbors or persons unknown.

The Openness of Windows 9x
Features within Windows 9x were designed to provide ease of use and sharing of information (security was certainly not the priority). One of these features is file and printer sharing - a feature requiring utilization of NetBIOS. Improperly administered shares may present a moderate risk in the user's local area network; however, this risk can escalate quickly when connected to the Internet. DSL and cable modem service can enable other users on a common subnet or segment to access these shared resources as easily as clicking on Network Neighborhood. All too often shares are not password protected. Malicious activity including installation of BackOrifice, Netbus or other such programs can ensue and ultimately breach the security of other connected systems - e.g. secured remote access sessions with enterprise networks.

DSL and Cable Modem Network Characteristics
DSL and cable modem networks can vary in design and configuration. A fundamental difference between the two is that DSL networks are switched and users do not share transport media. It is possible for users to see other systems in their subnet; however, the traffic is limited to resource broadcasts.

Cable modem networks, on the other hand, can be viewed as a LAN. Many users may share a common segment and thus may not only see other users' resource broadcasts, but the actual data streams as well. This may not always be the case, however, if the ISP has implemented enhanced filtering techniques such as DOCSIS (Data Over Cable Service Interface Specification). The important thing that one must understand is that the access network does not protect a system from attack. The user must take measures to secure their computer.

Protecting The System
Protecting a full time Internet connected Windows 9x system does not have to be a daunting task. Key considerations that should be addressed are:
  • Determine whether file and print sharing is really needed. Most home based systems don't require it. It is recommended that NetBIOS be unbound from TCP/IP (effectively disabling Windows (SMB) file and print sharing).
  • Install a software or appliance based firewall. Functionality and performance will vary between products. Some firewalls provide NAT (network address translation), a service that fits well with multiple users sharing one Internet connection - however, be aware that NAT on its own does not provide firewall services. A growing number of personal firewall products are readily available. Concept, method and features vary, so an evaluation of needs should be conducted before selecting a product.
  • Confirm that the "protected" system is in fact protected. Intrusion testing tools can be run against the connection. While not as comprehensive as tools like Network Associates' "CyberCop", web based services such as Gibson Research's "Shields UP!" at URL http://grc.com/default.htm can be used for this purpose.
It is also recommended that the user understand his/her Internet connection. The ISP can be contacted and asked to provide details of the connection, for example: Is traffic filtering provided on UDP/TCP ports 137, 138 and 139 to prevent accidental exposure of Windows file and print sharing? Is DOCSIS implemented on the cable system? A network sniffer can be used to analyze the traffic types seen at the connection point.
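The sniffer check described above, as an added example that is not part of the original FAQ: given a constructed capture taken at the connection point, it sorts NetBIOS traffic to ports 137, 138 and 139 by origin and reports whether anything from outside the local segment reached the host, which is the practical test of whether the ISP filters those ports. The host address 24.1.2.10 and segment 24.1.2.0/24 are assumed values.

```python
import ipaddress

# NetBIOS-over-TCP/IP ports named in the text; unfiltered, they expose Windows file and print sharing.
NETBIOS_PORTS = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn"}

# Constructed sample capture (not real traffic): (protocol, source, destination, destination port).
# Assumes this host is 24.1.2.10 on the cable segment 24.1.2.0/24.
SAMPLE_CAPTURE = [
    ("UDP", "24.1.2.50", "24.1.2.255", 137),    # neighbour's name-service broadcast
    ("UDP", "24.1.2.50", "24.1.2.255", 138),    # neighbour's browser datagram broadcast
    ("TCP", "24.1.2.77", "24.1.2.10", 139),     # neighbour opening an SMB session to this host
    ("TCP", "198.51.100.9", "24.1.2.10", 139),  # SMB session attempt from outside the segment
    ("TCP", "24.1.2.10", "203.0.113.5", 80),    # this host browsing the web (not NetBIOS)
]

def classify_netbios(records, my_ip, my_subnet):
    """Sort NetBIOS packets seen at the connection point by where they came from.

    Returns a dict with three lists of (proto, src, port_name):
      'local_broadcast' - resource broadcasts from the same segment (normal on cable)
      'local_session'   - a neighbour talking directly to this host's shares
      'remote'          - NetBIOS reaching this host from outside the segment,
                          which means the ISP is not filtering ports 137-139
    Unicast traffic between other hosts on the segment is ignored here.
    """
    host = ipaddress.ip_address(my_ip)
    net = ipaddress.ip_network(my_subnet, strict=False)
    result = {"local_broadcast": [], "local_session": [], "remote": []}
    for proto, src, dst, dport in records:
        if dport not in NETBIOS_PORTS:
            continue
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip == host:
            continue  # this host's own outbound traffic is not an exposure
        entry = (proto, src, NETBIOS_PORTS[dport])
        if src_ip not in net:
            result["remote"].append(entry)
        elif dst_ip == net.broadcast_address:
            result["local_broadcast"].append(entry)
        elif dst_ip == host:
            result["local_session"].append(entry)
    return result

def isp_filters_netbios(records, my_ip, my_subnet):
    """True only if no NetBIOS traffic from outside the segment reached this host."""
    return not classify_netbios(records, my_ip, my_subnet)["remote"]

if __name__ == "__main__":
    summary = classify_netbios(SAMPLE_CAPTURE, "24.1.2.10", "24.1.2.0/24")
    for category, entries in summary.items():
        print(category, entries)
    print("ISP filters NetBIOS:", isp_filters_netbios(SAMPLE_CAPTURE, "24.1.2.10", "24.1.2.0/24"))
```

Any entry under 'remote' is the condition the text warns about: the connection is carrying NetBIOS from beyond the local segment, so the user must rely on unbinding NetBIOS from TCP/IP or on a firewall rather than on the ISP.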

-----

Don Burlack