91AggieLawyer said:
Eric: since you know networking well, walk me through how a hacker could access a firm's network through their ISP DHCP address. Assume the firm would have either a custom or off the shelf router/firewall and all computers and a file server are behind that. Assume no attached email files opened by staff.
Is the DHCP address routable or is it a private address that is itself behind a NAT? One way to tell which is which is to log into the router/firewall and see what address it has. Then go to a website that shows the IP address and see if it matches the one on the router/firewall.
Another way to check is to look at the address. If it is in one of the 10/24 (10.0.0.0 to 10.255.255.255), 192.168/16 (192.168.0.0 to 192.168.255.255), or 172.16/12 (172.16.0.0 to 172.31.255.255) blocks, then you have a non-routable address and are behind a NAT, but you would not normally expect one of these to be used because they could conflict with private networks of the provider's customers. There is a lesser known block, 100.64/10 (100.64.0.0 to 100.127.255.255), reserved for ISPs that they should be using. So if you see one in that range, then you are behind a NAT.
You can see the same on your cell phone. It appears that IBM uses the 10/24 block for cell phones. My cell phone is a Trakfone that uses Verizon and it has always had a routable address when I checked it.
The NAT helps because the NAT device wouldn't normally pass the incoming traffic to your router/firewall. It would allow outbound connections, not inbound. Even then, depending on their security, anyone else behind the NAT would be able to attack your router/firewall. It helps, but don't depend on it.
We are a small ISP in the Texas Panhandle. Most of our customers are behind a NAT in the 100.64/10 block, but anyone who needs a routable address has one. A customer with a routable address on their wireless router for their office was hit with a worm a couple of months ago. Once on the local network, it spread through other customers' routers and radio gear. I was very fortunate that I happened to notice the odd traffic from the worm about two hours after it started and was able to get most of the worm cleaned out before the next morning.
If the firmware on all of that had been up to the current revision levels, there wouldn't have been a problem. I routinely upgraded the firmware on those that had routable addresses that I had access to, but I didn't have access to theirs. Our own equipment with that firmware and that version of firmware was protected from any and all accesses from outside the network, but those that were vulnerable still got hit.
Some firewalls will be more susceptible than others, but the main thing to remember is that they can still be broken into. Anyway, rule 1 should be to always keep the firmware up to date for everything you have. Nearly every time someone is attacked, it is with methods that are well known and for which patches exist. There are zero day exploits, but they don't normally stay zero day exploits for long.
Another way that your network could be breached, even with a fully patched firewall with no vulnerabilities at all, is with a VPN. If someone works from home and logs in through a VPN, then any viruses or other malware on their computer could spread into your network.
There was a recent article about one noted large company in the East that suffered from such a vulnerability. The company probably spends well over a million dollars annually on security. In spite of following the best practices suggested by the NSA, their system got hacked through an employee's use of the VPN. The attack completely went around all of their regular defenses. Fortunately for them, they caught it really quickly and were able to isolate the issue.
Another problem is with wireless access on your office network. Anyone who knows, or can guess, the password has full access to your office network. My approach to this is to set up a separate wireless network that is outside of our office firewall. People can connect to it without getting into our internal network at all. So if someone walks in and asks if they can use the internet, it's all right with me since they can't get into our internal network at all. It's not even password protected.
One thing we're doing here is putting a firewall or a wireless router in each office. The only things not behind these individual firewalls/routers are the main office firewall and the printer. Where we have a router, it has the capability of reducing the output power levels to a very small fraction of the usual power. At that level, you can connect to the router from inside the office, but not from very far away. The wireless is for me to use when trying to fix a problem -- I'm the only one who should ever connect to it.
For example, one night I parked in front of the window of our accounting clerk's office and tried to connect to the wireless router. Even from that short distance, I was unable to connect with either my smart phone or my laptop.
Also, the firewalls in each office are of a different manufacturer than the main office firewall. The idea is that if they were able to break into the main firewall, they would then have to use an entirely different attack to get to any individual office firewall. So if anyone gets malware on their computer, it is going to be very difficult for it to get out to other computers. Knowing how everything is set up and all the passwords, it would take me a while to be able to set up a connection from a computer in one office in the building to any other computer in the building.
So we have three layers of firewalls. The first is an external firewall that controls access to the customers and to our office firewall. In general, there are three levels of incoming access: all, usa, or local. Where the access level is set to "local", the only permitted incoming connections are from within our local network. Where the access level is set to "usa", the only permitted incoming connections are from netblocks used in the US. Only for the very few with the access level set to "all" can someone from outside the country connect to any of our computers or devices. This is mainly for things like DNS, web pages, and email delivery, which are not internal to the office.
The second level is a Cisco RV325 router. And then the internal routers inside each office which are usually Ubiquiti.
Note that if the second level was a Ubiquiti router and someone could get into it, then they would be more likely to be able to go from it to the internal routers in each office. Using a different manufacturer at each level is intentional for security issues.
Out of all that, the most important thing, I think, is to make sure that the firmware is always up to date.
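The two "am I behind a NAT?" checks from the reply above (look at the block the router's WAN address falls in, and compare it with the address an outside website sees) can be automated. The following is an added example, not Eric's code or anything from the thread. It uses the block boundaries as the RFCs assign them (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 for RFC 1918 and 100.64.0.0/10 for the RFC 6598 carrier-grade NAT range), and it also flags link-local and loopback addresses, which the post does not mention. The sample addresses are constructed from the 203.0.113.0/24 documentation range rather than taken from any real network.

```python
import ipaddress

# Blocks that are never reachable from the public Internet. A WAN address in
# any of these means the router is itself behind someone else's NAT.
# Boundaries follow RFC 1918, RFC 6598, RFC 3927 and RFC 1122 (assumption:
# the router reports its WAN address as a plain IPv4 dotted quad).
NON_ROUTABLE_BLOCKS = {
    "RFC 1918 private (10/8)": ipaddress.ip_network("10.0.0.0/8"),
    "RFC 1918 private (172.16/12)": ipaddress.ip_network("172.16.0.0/12"),
    "RFC 1918 private (192.168/16)": ipaddress.ip_network("192.168.0.0/16"),
    "RFC 6598 carrier-grade NAT (100.64/10)": ipaddress.ip_network("100.64.0.0/10"),
    "RFC 3927 link-local (169.254/16)": ipaddress.ip_network("169.254.0.0/16"),
    "loopback (127/8)": ipaddress.ip_network("127.0.0.0/8"),
}


def classify_wan_address(addr: str) -> str:
    """Return the name of the non-routable block containing addr, or 'routable'."""
    ip = ipaddress.ip_address(addr)
    for label, block in NON_ROUTABLE_BLOCKS.items():
        if ip in block:
            return label
    return "routable"


def nat_verdict(router_wan: str, observed_public: str) -> str:
    """Combine both checks.

    router_wan      -- the WAN address shown on the router/firewall's status page
    observed_public -- the address an external 'what is my IP' site reports

    A non-routable WAN address settles it on its own. A routable WAN address
    that differs from what the outside world sees also means there is a NAT
    (or proxy) in the path that the router does not know about.
    """
    kind = classify_wan_address(router_wan)
    if kind != "routable":
        return f"behind NAT: WAN address {router_wan} is in the {kind} block"
    if ipaddress.ip_address(router_wan) != ipaddress.ip_address(observed_public):
        return (f"behind NAT: WAN address {router_wan} is routable but the outside "
                f"world sees {observed_public}")
    return (f"directly reachable: WAN address {router_wan} is routable and matches "
            f"the externally observed address")


if __name__ == "__main__":
    # Constructed sample inputs: a CGNAT customer, a customer with a
    # routable address, and a routable address hidden behind an extra NAT.
    for wan, seen in [("100.77.1.9", "203.0.113.7"),
                      ("203.0.113.7", "203.0.113.7"),
                      ("203.0.113.7", "203.0.113.8")]:
        print(nat_verdict(wan, seen))
```

Note that a "directly reachable" verdict is the case the reply warns about: nothing upstream is dropping unsolicited inbound traffic, so the router/firewall's own firmware is the only thing standing between the Internet and the office network.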