-----------------------------------------------------------
SearchWin2000.com's Security Tip
-----------------------------------------------------------

TODAY'S SECURITY TIP: The lowdown on Windows XP raw sockets

==========================================================
SPONSORED BY: ConfigureSoft
==========================================================

Tips Summary

"The lowdown on Windows XP raw sockets"
By Benjamin Vigil

There has been a lot written recently in the computer press about Windows XP and the perceived security issues with a feature called "raw sockets." The issue is whether Windows XP machines can be used as anonymous zombies to run distributed denial-of-service (DDoS) attacks. Anonymous is the operative word here. But if the zombies are anonymous, the sides in this debate are anything but. On one side is Steven Gibson of the Gibson Research Corporation, and on the other is Microsoft. You can read each of their perspectives at the following links:

Gibson: http://grc.com/dos/winxp.htm
Microsoft: http://www.microsoft.com/technet/security/raw_sockets.asp

Allow me to summarize.
Any computer can be used in a DDoS attack, but raw sockets allow IP spoofing: sending a packet across the Internet with a source address other than the sender's true IP address. If a malicious hacker can get control of a computer linked to the Internet, he can launch untraceable attacks on any Web site he chooses. This certainly isn't a new phenomenon; Unix machines support raw sockets, and in fact they are the prime targets of hackers trying to launch DDoS attacks. The big difference, in Gibson's mind, is that Unix is not a widely used consumer OS. Windows XP could be distributed to millions of homes and small businesses, mostly novice users, providing hackers with many more potential zombies.

Microsoft would love to sell millions of Windows XP copies and is probably counting on it, but says there is no significant danger of Windows XP machines being turned into zombies. Its contention is that to use a computer in a DDoS attack the hacker first has to get into the system, which Microsoft says is secure: a default security configuration is set up whenever Windows XP is configured to connect to the Internet.

So why are raw sockets even in Windows XP? According to Microsoft, Windows XP is adhering to a standard and to the requests of users. Raw sockets also allow for a feature that lets home users permit others to take over their computers over a network to fix technical problems. Sounds like a nice selling point for the home user to me.

So what does this have to do with enterprise security or, more specifically, Web security? Well, that depends. It could have everything to do with it if your company's Web site is the target of a DDoS attack. Until recently there hasn't been much that a Web site's managers could do to prevent a DDoS attack, but two new products could be the key to identifying attacks and minimizing damage. One is the Vantage System from Asta Networks, http://www.astanetworks.com/.
According to the company's site, "Vantage System intelligently uses the existing capabilities of backbone routers to detect, locate and help network engineers effectively counter DDoS attacks and related network reliability problems." One-year-old company Mazu Networks, http://www.mazunetworks.com/, will also be releasing a product to combat DDoS attacks, but details are currently unavailable. If the release of Windows XP is going to result in increased DDoS attacks, looking into these and other products might be worth it.

An interesting byproduct of all this raw-socket discussion is the fact that Windows 2000 also supports raw sockets, including IP spoofing, through the IP_HDRINCL socket option, which lets an application supply its own IP header. Some experts believe that this will make Windows 2000 as likely a target as Unix machines for DDoS attackers. Network administrators, whether aware of this fact or not, probably already prevent this possibility by running a safe, secure network.

This is sure to be an ongoing debate, and I am sure I left out some of each side's issues, so if you want the full story read the documents from Gibson and Microsoft and draw your own conclusions. This is definitely an issue to be prepared for. Also look for news on the subject on the searchSecurity.com site and in the newsletter.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Benjamin Vigil is a technical editor for searchSecurity.com's parent company TechTarget at http://www.techtarget.com/.

========================================================
Did you like this tip? If so (or if not), why not let us know? Send an email to us at mailto:[EMAIL PROTECTED] and sound off.
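The forged source address that IP_HDRINCL makes possible is exactly what source-address (egress) filtering at a network edge, the control the tip alludes to with "a safe, secure network", is meant to stop. The following is an added example, not code from this newsletter or from Microsoft or Gibson: a small Python egress filter that parses the IPv4 header of an outbound packet and drops it when the source address is not one of the site's own prefixes. The prefixes and sample packets are constructed values from the documentation address ranges.

```python
import ipaddress
import struct

# Prefixes this site legitimately originates traffic from (constructed, documentation ranges).
SITE_PREFIXES = [ipaddress.ip_network("198.51.100.0/24"),
                 ipaddress.ip_network("203.0.113.0/24")]


def parse_ipv4_header(packet: bytes):
    """Return (src, dst, protocol) from a raw IPv4 packet, or raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("truncated header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("bad version or IHL")
    src = ipaddress.ip_address(packet[12:16])  # the source field a raw-socket sender can forge
    dst = ipaddress.ip_address(packet[16:20])
    return src, dst, packet[9]


def egress_verdict(packet: bytes) -> str:
    """BCP 38 style check for a packet leaving the site: forward only if the source is ours."""
    try:
        src, _dst, _proto = parse_ipv4_header(packet)
    except ValueError as err:
        return f"drop (malformed: {err})"
    if src.is_loopback or src.is_multicast or src.is_unspecified:
        return "drop (bogon source)"
    if not any(src in net for net in SITE_PREFIXES):
        return "drop (spoofed source)"
    return "forward"


def build_ipv4(src: str, dst: str, proto: int = 6, payload: bytes = b"") -> bytes:
    """Build a minimal 20-byte IPv4 header (checksum left zero) for constructed test traffic."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload


# Constructed outbound packets: one genuine, one with a forged source, one bogon, one truncated.
SAMPLES = {
    "legit": build_ipv4("198.51.100.7", "192.0.2.10"),
    "spoofed": build_ipv4("192.0.2.99", "192.0.2.10"),
    "loopback": build_ipv4("127.0.0.1", "192.0.2.10"),
    "truncated": b"\x45\x00\x00",
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10s} -> {egress_verdict(pkt)}")
```

A filter like this only works at the boundary where the site's own prefixes are known; it cannot tell a forged packet from a genuine one once the packet is out on the backbone, which is why the tip's router-based products aim at detection rather than prevention.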
========================================================
Featured Book
========================================================
Inside Internet Security: What Hackers Don't Want You to Know
Author: Jeff Crume
Publisher: Addison Wesley
Published: Aug 2000

This book is a practical guide for anyone designing or administering a corporate or e-business network that runs across a number of platforms via the Internet. It will arm systems administrators with a thorough understanding of the problems of network security and their solutions, and thus help realize the tremendous potential of e-business.
http://www.digitalguru.com/dgstore/product.asp?isbn=0201675161&ac_id=67
