Security+ - Identifying Common and Nonessential Services

From Techotopia
Revision as of 14:23, 18 February 2008 by Neil (Talk | contribs) (Understanding Ports and Services)


A computer system that is not connected to a network or to the internet (or both) is a rare thing indeed in this day and age. While this provides a considerable amount of power and flexibility to the user in terms of access to remote services, data and information, it carries with it great risks. It is not too much of an exaggeration to state that any computer connected to a network is in danger of being attacked in some way. For proof of this fact look no further than the secure computer environments used by government defense organizations. To these people, a secure computer is located in a physically secure area where users pass through stringent security checks and are searched to ensure they are not carrying any portable storage devices or media which would allow software to be installed on a secure system. The computers themselves, whilst possibly networked to each other, have absolutely no contact with the outside world.

Obviously, such levels of security are beyond the needs and means of the average user or company and, quite frankly, disconnecting all the computers in an enterprise from the outside world would negate the whole purpose of an IT infrastructure. The best approach, therefore, is to make sure that all computer systems are as secure as possible. This requires a multi-layered defense strategy, the most basic layer of which is ensuring that only necessary ports and services are available on the systems on a network. In this chapter we will look at this strategy in detail.

Understanding Ports and Services

The predominant network communications protocol in use these days is TCP/IP. It is the protocol used by the internet and as such has swept away most of the formerly popular protocols used for local area networks (LANs).

TCP/IP defines a total of 65,535 ports, of which 1023 are considered to be well-known ports. It is important to understand that these are not physical ports into which network cables are connected, but rather virtual ports on each network connection which can be used by applications and services to communicate over a TCP/IP network connection. In reality the number of ports used by popular network clients and services is an even smaller subset of the well-known group of ports.

There are a number of different TCP/IP services which can be provided by an operating system. Such services include HTTP for running a web server, FTP for allowing file transfers, SSH and Telnet for providing remote login access, and SMTP for the transport of email messages. Each service in turn is assigned to a standard TCP/IP port. For example, HTTP is assigned to port 80, while SSH communication takes place on port 21.

Securing Ports and Services

A large part of securing servers involves defining roles and, based on those roles, defining which services and ports should be accessible. For example, a server that is to act solely as a web server should only run the HTTP service (in addition to perhaps SSH for remote administration access). All other services should be disabled and, ideally, removed from the operating system.

Securing a system involves both removing any unnecessary services from the operating system and ensuring that the ports associated with the non-essential services are blocked using a firewall.

Many operating systems are installed with a number of services installed and activated by default. Before deploying a new operating system it is essential that the installation be carefully planned. This involves deciding which services are not required and identifying which services have been installed and enabled by default. Deployment of a new operating system installation should never be rushed. The fewer services and open ports available on a system, the smaller the attack surface presented to attackers. A good way to verify the security level of a system prior to deployment is through the use of port scanning.
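The following script is an added example, not part of the Techotopia page, that ties the two ideas above together: the port-to-service mapping from the "Understanding Ports and Services" section and the role-based decision about which listeners are essential from this section. It takes a listing of listening TCP sockets in the layout of `ss -ltn`, looks each port up in a small table of IANA service names, and reports every listener that is not on the allowlist for the host's role. The role allowlists, the service-name table and the sample listing are all constructed for this illustration; the port numbers in the table are the IANA assignments.

```python
"""Added example, not from the Techotopia page: classify a host's listening
TCP ports as essential or non-essential for the host's role.

Assumptions (constructed for this illustration, not the page's): the role
allowlists, the service-name table (IANA assignments for a handful of
well-known ports) and the sample listing in the format of `ss -ltn`.
"""
import re

# Constructed per-role allowlists: the only TCP ports a host of that role
# should expose. Anything else that is listening is non-essential.
ROLE_ALLOWLIST = {
    "web": {80, 443, 22},        # HTTP/HTTPS, plus SSH for remote administration
    "mail": {25, 587, 22},
    "bastion": {22},
}

# IANA service names for a handful of well-known ports; anything not listed
# is reported as "unknown" rather than guessed.
SERVICE_NAMES = {
    21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http",
    110: "pop3", 143: "imap", 443: "https", 587: "submission", 3306: "mysql",
}

# Constructed sample in `ss -ltn` layout for a host meant to be a web server.
SAMPLE_LISTING = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     0.0.0.0:23           0.0.0.0:*
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     [::]:443             [::]:*
"""

# Matches a LISTEN row and captures the local address and port; the greedy
# address group backtracks to the last ':' so bracketed IPv6 addresses work.
_LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_listeners(listing):
    """Return (address, port) pairs for LISTEN rows; the header and any other rows are skipped."""
    found = []
    for line in listing.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found


def is_loopback(addr):
    """True when the socket is bound only to the loopback interface."""
    return addr.startswith("127.") or addr in ("::1", "[::1]")


def classify(listing, role):
    """Split listeners into essential and non-essential for the given role.

    Each entry records whether the socket is reachable from the network
    ('exposed'). A loopback-only service is still a running service that the
    hardening guidance says to remove, so it is reported too, just not as exposed.
    """
    allowed = ROLE_ALLOWLIST[role]
    essential, nonessential = [], []
    for addr, port in parse_listeners(listing):
        entry = {
            "addr": addr,
            "port": port,
            "service": SERVICE_NAMES.get(port, "unknown"),
            "exposed": not is_loopback(addr),
        }
        (essential if port in allowed else nonessential).append(entry)
    return essential, nonessential


def report(listing, role):
    """Human-readable findings: one line per non-essential listener."""
    _, nonessential = classify(listing, role)
    lines = []
    for e in nonessential:
        where = "network-exposed" if e["exposed"] else "loopback-only"
        lines.append(
            f"non-essential for role '{role}': {e['service']}/{e['port']} "
            f"on {e['addr']} ({where})"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LISTING, "web"):
        print(line)
```

Run against the constructed web-server sample, the report flags Telnet on port 23 as network-exposed and MySQL on port 3306 as loopback-only; both are candidates for removal under the guidance above, and the exposed one is also a candidate for a firewall block until it is gone. Feeding the same listing in as a "bastion" host produces more findings, since only SSH is on that role's allowlist.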


Port Scanning