I wrote this article for Usenix's ;login magazine. It originally appeared in Volume 22, Number 1, dated February 1997.
Pagers are a blessing and a curse. After a long day at a client site, I was headed home when my alphanumeric pager went off. It was the Network Operations Center for the client I had just left. They had been notified by one of their engineering staff that an intruder had compromised one of their World Wide Web servers. I headed back and called my wife on the cell phone.
When I got to the Operations Center, I learned that a university system administrator had been monitoring an intruder when he noticed that the target of the attack was my client's machine. Since the university admin had a friend there, he called to let him know what was happening. Naturally, the engineer notified Network Operations. That's where I came in.
Steve, the duty system administrator, briefed me on what he had observed. When I felt that I understood the situation, and the level of risk, I called the Information Security Officer. He gave me the latitude to monitor the attack or to pull the plug, as I saw fit. Steve and I spent half an hour or so watching the intruder. It seemed to me that the intruder was following a cookbook of vulnerabilities, trying the recipe on each host on his list in succession. He was patient, and it paid off. Once we were satisfied that we understood what the intruder was up to, we disconnected the target host from the network.
While Steve surveyed the other Internet-connected hosts, I once again called the Information Security Officer and the Network Operations Center to keep them abreast of the situation. I then called the university sysadmin who originally reported the incident and compared notes. I found that the intruder had been seeking out computers of a certain type and opportunistically exploiting vulnerabilities that were well-known (the subject of CERT advisories) and for which there were patches and work-arounds. He had been successful at universities from Maryland to California, at ISPs, and at commercial sites. We were just one more notch on his keyboard.
If the weaknesses and their remedies were well-known, how then was my client vulnerable? They read the CERT advisories, they have security expertise, and they have well-administered computers. What happened?
The answer lies in the kind of Brownian motion that affects so many large, high-tech companies. This computer started life as a Web server on an internal network, administered by a marketing person, and serving as the development platform for the Web site of a small division of the main company. When the Web site content was finished, the computer was disconnected from the internal network and hooked to the DMZ. No review. No systematic hardening. No formal, ongoing administration. It moved "on its own" from the protected net to the DMZ. The DMZ network at this site is large, touching several buildings, and has two separate Internet connections. No formal process was in place to control what was connected, and no regular, periodic audit of connected devices was conducted.
It seems that merely knowing the right way to configure a host is not enough. In a large and diverse network environment where management is distributed among several organizations, periodic surveys of the network are necessary.
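One way to run the periodic survey the conclusion calls for, as an added example that is not part of the original article: reconcile a constructed list of hosts observed on the DMZ against a constructed change-controlled inventory (responsible administrator and date of last hardening review), and flag hosts that are connected but unregistered, registered without an owner, or overdue for review. The addresses, host names and the 90-day review threshold are assumptions.

```python
"""Reconcile what is actually connected to a DMZ against the formal inventory.

Hypothetical example, not from the original article. AUTHORIZED stands in for a
change-controlled register of DMZ hosts; OBSERVED stands in for the result of a
periodic survey of the segment (e.g. parsed from an ARP table or a scan).
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Registered:
    ip: str
    owner: str         # responsible administrator ("" if none recorded)
    last_review: date  # date the host was last hardened and reviewed


# Constructed inventory (assumed values).
AUTHORIZED = {
    "192.0.2.10": Registered("192.0.2.10", "netops", date(1996, 11, 4)),
    "192.0.2.11": Registered("192.0.2.11", "netops", date(1996, 5, 2)),
    "192.0.2.12": Registered("192.0.2.12", "", date(1996, 12, 1)),  # no owner
}

# Constructed survey output: address -> host name seen on the DMZ segment.
OBSERVED = {
    "192.0.2.10": "www",
    "192.0.2.11": "ftp",
    "192.0.2.12": "mail",
    "192.0.2.40": "mktg-dev",  # never registered: the drift the article describes
}


def audit(observed, authorized, today, max_review_age_days=90):
    """Return (severity, ip, message) findings, highest severity first."""
    findings = []
    for ip, name in observed.items():
        reg = authorized.get(ip)
        if reg is None:
            findings.append(("HIGH", ip, f"{name}: on the DMZ but not in inventory"))
            continue
        if not reg.owner:
            findings.append(("MEDIUM", ip, f"{name}: no responsible administrator recorded"))
        age = (today - reg.last_review).days
        if age > max_review_age_days:
            findings.append(("MEDIUM", ip, f"{name}: last hardening review {age} days ago"))
    for ip in sorted(authorized.keys() - observed.keys()):
        findings.append(("LOW", ip, "in inventory but not seen on the network"))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


def run_example():
    """Audit the constructed data as of an assumed survey date."""
    return audit(OBSERVED, AUTHORIZED, date(1997, 2, 1))


if __name__ == "__main__":
    for sev, ip, msg in run_example():
        print(f"{sev:6} {ip:15} {msg}")
```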
What surprises are waiting for you in your DMZ?