<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>
<channel>
	<title>Techspedia™ &#187; network security</title>
	<atom:link href="http://techspedia.com/tag/network-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://techspedia.com</link>
	<description>A Compilation Of The Best Sources Of Computer Knowledge At Your Fingertips!</description>
	<lastBuildDate>Mon, 05 Sep 2011 17:17:00 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>What Is a Polymorphic Virus?</title>
		<link>http://techspedia.com/2010/05/19/what-is-a-polymorphic-virus/</link>
		<comments>http://techspedia.com/2010/05/19/what-is-a-polymorphic-virus/#comments</comments>
		<pubDate>Wed, 19 May 2010 10:24:04 +0000</pubDate>
		<dc:creator>Techspedia</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[computer secur]]></category>
		<category><![CDATA[Computer Virus]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[polymorphic virus]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security threat]]></category>
		<category><![CDATA[virus]]></category>
		<guid isPermaLink="false">http://techspedia.com/?p=1611</guid>
		<description><![CDATA[A polymorphic virus is a computer virus which is capable of mutating itself when it replicates, making it more difficult to identify with ordinary antivirus software. To effectively find such viruses, antivirus software needs to have more complex algorithms available to help it identify distinctive patterns which can betray the presence of a virus even [...]]]></description>
			<content:encoded><![CDATA[<p>A polymorphic virus is a computer virus which is capable of mutating itself when it replicates, making it more difficult to identify with ordinary antivirus software. To effectively find such viruses, antivirus software needs to have more complex algorithms available to help it identify distinctive patterns which can betray the presence of a virus even when the code behind the virus is not known to the software. Such software tends to be more expensive, reflecting the additional effort required during development and updates to make the software functional.</p>
<p>The first known polymorphic virus was developed in 1990, in the early days of the Internet, illustrating the fact that virus creators have always been ahead of the curve when it comes to developing malicious code. Polymorphic viruses operate with the assistance of an encryption engine which changes with each virus replication; this keeps the encrypted virus functional, while still hiding the polymorphic virus from the computer it infects and allowing the virus to slip through security systems which are designed to prevent malicious code from entering or exiting a network.</p>
<p>Essentially, the designers of polymorphic viruses have integrated a trait associated with viruses which infect humans into the design of their software, designed to infect computers. Human viruses are infamous for being able to mutate rapidly to avoid detection and prevent the buildup of immunities, and when a computer virus has a similar trait, the results can be unpleasant for computer users. It can be difficult to mount an adequate defense against a polymorphic virus, even with excellent antivirus software which has been designed to attempt to detect such viruses.</p>
<p>Polymorphic viruses can operate in different ways. Some mutate with each infection, making the virus extremely difficult to track. Others change with each generation. The speed of mutation is also highly variable. Some viruses mutate more slowly, which can make it easier to catch them, while others change very quickly. All of these variations, as a whole, make polymorphic viruses very diverse, which adds to the challenge of pinning them down.</p>
<p>Infection with a polymorphic computer virus can be a serious problem. While all computer viruses are designed to remain undetected for as long as possible, so that they can exact the maximum damage and increase their chances of infecting other computers, a polymorphic virus can linger undetected even on a system with antivirus software in place. People may also be lulled into thinking that their system is clean because they have such software and they update it regularly.</p>
<p>source: <a href="http://www.wisegeek.com/what-is-a-polymorphic-virus.htm" target="_blank">http://www.wisegeek.com/what-is-a-polymorphic-virus.htm</a></p>
]]></content:encoded>
			<wfw:commentRss>http://techspedia.com/2010/05/19/what-is-a-polymorphic-virus/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Network Access Control</title>
		<link>http://techspedia.com/2010/05/18/network-access-control/</link>
		<comments>http://techspedia.com/2010/05/18/network-access-control/#comments</comments>
		<pubDate>Tue, 18 May 2010 10:10:19 +0000</pubDate>
		<dc:creator>Techspedia</dc:creator>
				<category><![CDATA[Introductions]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[computer network]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[network access control]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[networking]]></category>
		<guid isPermaLink="false">http://techspedia.com/?p=1604</guid>
		<description><![CDATA[Network access control or NAC is one of the strategies that is employed to enhance the security protocols associated with a private or proprietary network. This is accomplished by setting restrictions on the ability to access various programs and functions that are available on the network. The creation of the authorizations required to allow access [...]]]></description>
			<content:encoded><![CDATA[<p>Network access control or NAC is one of the strategies that is employed to enhance the security protocols associated with a private or proprietary network. This is accomplished by setting restrictions on the ability to access various programs and functions that are available on the network. The creation of the authorizations required to allow access to any given database, software, or function on the network remains in the control of a network administrator or other persons who are granted that level of management by the administrator.</p>
<p>There are several common ways that network access control is achieved. The most common approach is to set up a process for authenticating each valid user for the network. This may be accomplished by employing a simplistic user name and password combination, or involve additional clearances that are necessary, such as a test question or proper identification of an image that is associated with the login credentials.</p>
<p>Typically, the administrator sets the structure for the credentials, although users may or may not be granted the privilege of changing passwords from time to time. This level of network admission control (which is also identified as NAC) is usually the foundational tool in making sure a network is secure. However, it rarely is the only security measure utilized.</p>
<p>Along with setting login credentials and procedures, network access control also usually involves setting rights and privileges associated with each user. For example, salespersons are likely to have access rights to a general sales database, but be limited in the type of information that may be accessed and viewed from the accounting software program that also resides on the network access server or NAS. Privileges are usually determined based on the parameters of the job or position held by each user. However, administrators can grant users additional rights and privileges if the need arises.</p>
<p>Other tools help to provide general enhancement to these basic network access control protocols. The addition of a firewall can help to minimize attacks from outside the network. In like manner, the presence of spyware detection programs and antivirus protection software can also be a great help if users make regular use of Internet access.</p>
<p>While a network administrator can purchase and load individual tools to assist in network access control, several vendors now offer software packages that include a wide range of different network access control features and options. Several of the packages allow the administrator to pick and choose from available options, making it possible to customize the type and level of network security that is required.</p>
<p>source: <a href="http://www.wisegeek.com/what-is-network-access-control.htm" target="_blank">http://www.wisegeek.com/what-is-network-access-control.htm</a></p>
]]></content:encoded>
			<wfw:commentRss>http://techspedia.com/2010/05/18/network-access-control/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Botnet</title>
		<link>http://techspedia.com/2010/05/14/botnet/</link>
		<comments>http://techspedia.com/2010/05/14/botnet/#comments</comments>
		<pubDate>Fri, 14 May 2010 09:14:39 +0000</pubDate>
		<dc:creator>Techspedia</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[robot network]]></category>
		<category><![CDATA[rootkit]]></category>
		<guid isPermaLink="false">http://techspedia.com/?p=1473</guid>
		<description><![CDATA[A botnet (“robot network”) refers to multiple computers infected with remote-controlled software that allows a single hacker to run automated programs on the botnet behind the users’ backs. The remote-controlled software or rootkit is clandestinely installed in each computer, hiding its presence and tracks, making detection difficult. Meanwhile, the hacker can use the botnet for [...]]]></description>
			<content:encoded><![CDATA[<p>A botnet (“robot network”) refers to multiple computers infected with remote-controlled software that allows a single hacker to run automated programs on the botnet behind the users’ backs. The remote-controlled software or rootkit is clandestinely installed in each computer, hiding its presence and tracks, making detection difficult. Meanwhile, the hacker can use the botnet for many purposes, including distributing spam, spreading Trojan horses, perpetuating phishing scams, or gathering information for identity theft or fraud.</p>
<p>When a compromised computer falls prey to a rootkit, the computer is referred to as a “zombie computer.” A hacker can install rootkits on many computers, essentially building a network of compromised “zombie computers” to run secretive bots or services for the hacker. In the underground niche of botnet operators, there is much competition to have the largest or most powerful botnet. Not only are individual computers at risk, but so too are the networks of major private companies, government and even the military.</p>
<p>Botnets are a major source of crime on the Internet. Some operators “rent” their botnets by the hour to spammers. Internet Service Providers (ISPs) disallow spamming, but when thousands or hundreds of thousands of machines send five or ten pieces of spam, the spammer escapes notice. Furthermore, spam sent through a botnet tracks back to the compromised computers, not to the spammer.</p>
<p>Botnets are also used to perpetuate phishing scams by sending emails that appear to come from legitimate companies like financial institutions, eBay or PayPal. The email typically asks for sensitive personal information, which victims often provide. This information goes directly to the operator of the botnet for personal gain.</p>
<p>An operator can also use a botnet to launch a Distributed Denial of Service (DDoS) attack against a website. The computers in the botnet are sent a command prompting them to contact a specific webpage simultaneously. This can cause the website server to crash from an overload of traffic requests. Getting the server and the website back online can take time and disrupt business. DDoS attacks are often carried out against large, well-known companies and have been widely reported as costing millions of dollars.</p>
<p>Click-fraud is yet another scam perpetrated by some botnet operators. Advertisers commonly pay a small fee for every click on an advertised link that appears on a webpage. A botnet operator with an advertising contract on a personal domain can send a command to the computers in the compromised network to automatically click an advertising link whenever a browser is opened. Considering a botnet can be very large, click-fraud poses a considerable problem for advertisers.</p>
<p>In October 2005, Dutch police uncovered a major botnet consisting of 1.5 million compromised computers. The zombie network was allegedly run by three individuals in their twenties. Botnets are becoming more widespread with the United States believed to be the country most affected, housing some 26% of all botnets by some estimates. As many as 25% of all US computers might be part of a botnet, though it is difficult to know if such statistics are accurate.</p>
<p>What is certain is that botnets are widespread and growing, even attracting teenagers known as “script kiddies” who compete in building botnets. As a result, savvy computer users and administrators are taking steps to guard against rootkits that hand over access to hackers and script kiddies. Anti-rootkit software can be used to scan for existing rootkits, and other precautions can also be taken to minimize the risks of becoming part of a botnet.</p>
<p>source: <a href="http://www.wisegeek.com/what-is-a-botnet.htm" target="_blank">http://www.wisegeek.com/what-is-a-botnet.htm</a></p>
]]></content:encoded>
			<wfw:commentRss>http://techspedia.com/2010/05/14/botnet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Understanding Firewalls</title>
		<link>http://techspedia.com/2010/04/30/understanding-firewalls/</link>
		<comments>http://techspedia.com/2010/04/30/understanding-firewalls/#comments</comments>
		<pubDate>Fri, 30 Apr 2010 16:52:02 +0000</pubDate>
		<dc:creator>Techspedia</dc:creator>
				<category><![CDATA[Introductions]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[hardware firewall]]></category>
		<category><![CDATA[network firewall]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[software firewall]]></category>
		<guid isPermaLink="false">http://techspedia.com/?p=1158</guid>
		<description><![CDATA[Understanding Firewalls When anyone or anything can access your computer at any time, your computer is more susceptible to being attacked. You can restrict outside access to your computer and the information on it with a firewall. What do firewalls do? Firewalls provide protection against outside attackers by shielding your computer or network from malicious [...]]]></description>
			<content:encoded><![CDATA[<p>Understanding Firewalls</p>
<p>When anyone or anything can access your computer at any time, your computer is more susceptible to being attacked. You can restrict outside access to your computer and the information on it with a firewall.</p>
<p>What do firewalls do?</p>
<p>Firewalls provide protection against outside attackers by shielding your computer or network from malicious or unnecessary Internet traffic. Firewalls can be configured to block data from certain locations while allowing the relevant and necessary data through (see Understanding Denial-of-Service Attacks and Understanding Hidden Threats: Rootkits and Botnets for more information). They are especially important for users who rely on &#8220;always on&#8221; connections such as cable or DSL modems.</p>
<p>What type of firewall is best?</p>
<p>Firewalls are offered in two forms: hardware (external) and software (internal). While both have their advantages and disadvantages, the decision to use a firewall is far more important than deciding which type you use.</p>
<p>* Hardware &#8211; Typically called network firewalls, these external devices are positioned between your computer or network and your cable or DSL modem. Many vendors and some Internet service providers (ISPs) offer devices called &#8220;routers&#8221; that also include firewall features. Hardware-based firewalls are particularly useful for protecting multiple computers but also offer a high degree of protection for a single computer. If you only have one computer behind the firewall, or if you are certain that all of the other computers on the network are up to date on patches and are free from viruses, worms, or other malicious code, you may not need the extra protection of a software firewall. Hardware-based firewalls have the advantage of being separate devices running their own operating systems, so they provide an additional line of defense against attacks. Their major drawback is cost, but many products are available for less than $100 (and there are even some for less than $50).</p>
<p>* Software &#8211; Some operating systems include a built-in firewall; if yours does, consider enabling it to add another layer of protection even if you have an external firewall. If you don&#8217;t have a built-in firewall, you can obtain a software firewall for relatively little or no cost from your local computer store, software vendors, or ISP. Because of the risks associated with downloading software from the Internet onto an unprotected computer, it is best to install the firewall from a CD or DVD. If you do download software from the Internet, make sure it is a reputable, secure website (see Understanding Web Site Certificates for more information). Although relying on a software firewall alone does provide some protection, realize that having the firewall on the same computer as the information you&#8217;re trying to protect may hinder the firewall&#8217;s ability to catch malicious traffic before it enters your system.</p>
<p>How do you know what configuration settings to apply?</p>
<p>Most commercially available firewall products, both hardware- and software-based, come configured in a manner that is acceptably secure for most users. Since each firewall is different, you&#8217;ll need to read and understand the documentation that comes with it to determine whether or not the default settings on your firewall are sufficient for your needs. Additional assistance may be available from your firewall vendor or your ISP (either from tech support or a website). Also, alerts about current viruses or worms (such as US-CERT&#8217;s Cyber Security Alerts) sometimes include information about restrictions you can implement through your firewall.</p>
<p>Unfortunately, while properly configured firewalls may be effective at blocking some attacks, don&#8217;t be lulled into a false sense of security. Although they do offer a certain amount of protection, firewalls do not guarantee that your computer will not be attacked. In particular, a firewall offers little to no protection against viruses that work by having you run the infected program on your computer, as many email-borne viruses do. However, using a firewall in conjunction with other protective measures (such as anti-virus software and &#8220;safe&#8221; computing practices) will strengthen your resistance to attacks.</p>
<p>source: <a href="http://www.us-cert.gov/cas/tips/ST04-004.html" target="_blank">http://www.us-cert.gov/cas/tips/ST04-004.html</a></p>
]]></content:encoded>
			<wfw:commentRss>http://techspedia.com/2010/04/30/understanding-firewalls/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How Network Address Translation Works</title>
		<link>http://techspedia.com/2010/03/16/how-network-address-translation-works/</link>
		<comments>http://techspedia.com/2010/03/16/how-network-address-translation-works/#comments</comments>
		<pubDate>Tue, 16 Mar 2010 23:33:49 +0000</pubDate>
		<dc:creator>Techspedia</dc:creator>
				<category><![CDATA[Advanced Topics]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[IP address]]></category>
		<category><![CDATA[network address translation]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[router]]></category>
		<guid isPermaLink="false">http://techspedia.com/?p=375</guid>
		<description><![CDATA[If you are reading this article, you are most likely connected to the Internet and viewing it at the HowStuffWorks Web site. There&#8217;s a very good chance that you are using Network Address Translation (NAT) right now. The Internet has grown larger than anyone ever imagined it could be. Although the exact size is unknown, [...]]]></description>
			<content:encoded><![CDATA[<p>If you are reading this article, you are most likely connected to the Internet and viewing it at the HowStuffWorks Web site. There&#8217;s a very good chance that you are using Network Address Translation (NAT) right now.</p>
<p>The Internet has grown larger than anyone ever imagined it could be. Although the exact size is unknown, the current estimate is that there are about 100 million hosts and more than 350 million users actively on the Internet. That is more than the entire population of the United States! In fact, the rate of growth has been such that the Internet is effectively doubling in size each year.</p>
<p>So what does the size of the Internet have to do with NAT? Everything! For a computer to communicate with other computers and Web servers on the Internet, it must have an IP address. An IP address (IP stands for Internet Protocol) is a unique 32-bit number that identifies the location of your computer on a network. Basically, it works like your street address &#8212; as a way to find out exactly where you are and deliver information to you.</p>
<p>When IP addressing first came out, everyone thought that there were plenty of addresses to cover any need. Theoretically, you could have 4,294,967,296 unique addresses (2<sup>32</sup>). The actual number of available addresses is smaller (somewhere between 3.2 and 3.3 billion) because of the way that the addresses are separated into classes, and because some addresses are set aside for multicasting, testing or other special uses.</p>
<p>With the explosion of the Internet and the increase in home networks and business networks, the number of available IP addresses is simply not enough. The obvious solution is to redesign the address format to allow for more possible addresses. This is being developed (called IPv6), but will take several years to implement because it requires modification of the entire infrastructure of the Internet.</p>
<p>This is where NAT (RFC 1631) comes to the rescue. Network Address Translation allows a single device, such as a router, to act as an agent between the Internet (or &#8220;public network&#8221;) and a local (or &#8220;private&#8221;) network. This means that only a single, unique IP address is required to represent an entire group of computers.</p>
<p>What Does NAT Do?</p>
<p>NAT is like the receptionist in a large office. Let&#8217;s say you have left instructions with the receptionist not to forward any calls to you unless you request it. Later on, you call a potential client and leave a message for that client to call you back. You tell the receptionist that you are expecting a call from this client and to put her through.</p>
<p>The client calls the main number to your office, which is the only number the client knows. When the client tells the receptionist that she is looking for you, the receptionist checks a lookup table that matches your name with your extension. The receptionist knows that you requested this call, and therefore forwards the caller to your extension.</p>
<p>Developed by Cisco, Network Address Translation is used by a device (firewall, router or computer) that sits between an internal network and the rest of the world. NAT has many forms and can work in several ways:</p>
<p>* Static NAT &#8211; Mapping an unregistered IP address to a registered IP address on a one-to-one basis. Particularly useful when a device needs to be accessible from outside the network.</p>
<p>In static NAT, the computer with the IP address of 192.168.32.10 will always translate to 213.18.123.110.</p>
<p>* Dynamic NAT &#8211; Maps an unregistered IP address to a registered IP address from a group of registered IP addresses.</p>
<p>In dynamic NAT, the computer with the IP address 192.168.32.10 will translate to the first available address in the range from 213.18.123.100 to 213.18.123.150.</p>
<p>* Overloading &#8211; A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. This is known also as PAT (Port Address Translation), single address NAT or port-level multiplexed NAT.</p>
<p>In overloading, each computer on the private network is translated to the same IP address (213.18.123.100), but with a different port number assignment.</p>
<p>* Overlapping &#8211; When the IP addresses used on your internal network are registered IP addresses in use on another network, the router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses. It is important to note that the NAT router must translate the &#8220;internal&#8221; addresses to registered unique addresses as well as translate the &#8220;external&#8221; registered addresses to addresses that are unique to the private network. This can be done either through static NAT or by using DNS and implementing dynamic NAT.</p>
<p>The internal IP range (237.16.32.xx) is also a registered range used by another network. Therefore, the router is translating the addresses to avoid a potential conflict with another network. It will also translate the registered global IP addresses back to the unregistered local IP addresses when information is sent to the internal network.</p>
<p>The internal network is usually a LAN (Local Area Network), commonly referred to as the stub domain. A stub domain is a LAN that uses IP addresses internally. Most of the network traffic in a stub domain is local, so it doesn&#8217;t travel outside the internal network. A stub domain can include both registered and unregistered IP addresses. Of course, any computers that use unregistered IP addresses must use Network Address Translation to communicate with the rest of the world.</p>
<p>NAT Configuration</p>
<p>NAT can be configured in various ways. In the example below, the NAT router is configured to translate unregistered (inside, local) IP addresses that reside on the private (inside) network to registered IP addresses. This happens whenever a device on the inside with an unregistered address needs to communicate with the public (outside) network.</p>
<p>* An ISP assigns a range of IP addresses to your company. The addresses in the assigned block are registered, unique IP addresses and are called inside global addresses. Unregistered, private IP addresses are split into two groups. One is a small group (outside local addresses) that will be used by the NAT routers. The other, much larger group, known as inside local addresses, will be used on the stub domain. The outside local addresses are used to translate the unique IP addresses, known as outside global addresses, of devices on the public network.</p>
<p>* Most computers on the stub domain communicate with each other using the inside local addresses.<br />
* Some computers on the stub domain communicate a lot outside the network. These computers have inside global addresses, which means that they do not require translation.<br />
* When a computer on the stub domain that has an inside local address wants to communicate outside the network, the packet goes to one of the NAT routers.<br />
* The NAT router checks the routing table to see if it has an entry for the destination address. If it does, the NAT router then translates the packet and creates an entry for it in the address translation table. If the destination address is not in the routing table, the packet is dropped.<br />
* Using an inside global address, the router sends the packet on to its destination.<br />
* A computer on the public network sends a packet to the private network. The source address on the packet is an outside global address. The destination address is an inside global address.<br />
* The NAT router looks at the address translation table and determines that the destination address is in there, mapped to a computer on the stub domain.<br />
* The NAT router translates the inside global address of the packet to the inside local address, and sends it to the destination computer.</p>
<p>NAT overloading utilizes a feature of the TCP/IP protocol stack, multiplexing, that allows a computer to maintain several concurrent connections with a remote computer (or computers) using different TCP or UDP ports. An IP packet has a header that contains the following information:</p>
<p>* Source Address &#8211; The IP address of the originating computer, such as 201.3.83.132<br />
* Source Port &#8211; The TCP or UDP port number assigned by the originating computer for this packet, such as Port 1080<br />
* Destination Address &#8211; The IP address of the receiving computer, such as 145.51.18.223<br />
* Destination Port &#8211; The TCP or UDP port number that the originating computer is asking the receiving computer to open, such as Port 3021</p>
<p>The addresses specify the two machines at each end, while the port numbers ensure that the connection between the two computers has a unique identifier. The combination of these four numbers defines a single TCP/IP connection. Each port number uses 16 bits, which means that there are a possible 65,536 (2<sup>16</sup>) values. Realistically, since different manufacturers map the ports in slightly different ways, you can expect to have about 4,000 ports available.</p>
<p>Dynamic NAT and Overloading</p>
<p>Here&#8217;s how dynamic NAT works:</p>
<p>* An internal network (stub domain) has been set up with IP addresses that were not specifically allocated to that company by IANA (Internet Assigned Numbers Authority), the global authority that hands out IP addresses. These addresses should be considered non-routable since they are not unique.</p>
<p>* The company sets up a NAT-enabled router. The router has a range of unique IP addresses given to the company by IANA.</p>
<p>* A computer on the stub domain attempts to connect to a computer outside the network, such as a Web server.</p>
<p>* The router receives the packet from the computer on the stub domain.</p>
<p>* The router saves the computer&#8217;s non-routable IP address to an address translation table. The router replaces the sending computer&#8217;s non-routable IP address with the first available IP address out of the range of unique IP addresses. The translation table now has a mapping of the computer&#8217;s non-routable IP address matched with the one of the unique IP addresses.</p>
<p>* When a packet comes back from the destination computer, the router checks the destination address on the packet. It then looks in the address translation table to see which computer on the stub domain the packet belongs to. It changes the destination address to the one saved in the address translation table and sends it to that computer. If it doesn&#8217;t find a match in the table, it drops the packet.</p>
<p>* The computer receives the packet from the router. The process repeats as long as the computer is communicating with the external system.</p>
<p>Here&#8217;s how overloading works:</p>
<p>* An internal network (stub domain) has been set up with non-routable IP addresses that were not specifically allocated to that company by IANA.</p>
<p>* The company sets up a NAT-enabled router. The router has a unique IP address given to the company by IANA.</p>
<p>* A computer on the stub domain attempts to connect to a computer outside the network, such as a Web server.</p>
<p>* The router receives the packet from the computer on the stub domain.</p>
<p>* The router saves the computer&#8217;s non-routable IP address and port number to an address translation table. The router replaces the sending computer&#8217;s non-routable IP address with the router&#8217;s IP address. The router replaces the sending computer&#8217;s source port with the port number that matches where the router saved the sending computer&#8217;s address information in the address translation table. The translation table now has a mapping of the computer&#8217;s non-routable IP address and port number along with the router&#8217;s IP address.</p>
<p>* When a packet comes back from the destination computer, the router checks the destination port on the packet. It then looks in the address translation table to see which computer on the stub domain the packet belongs to. It changes the destination address and destination port to the ones saved in the address translation table and sends it to that computer.</p>
<p>* The computer receives the packet from the router. The process repeats as long as the computer is communicating with the external system.</p>
<p>* Since the NAT router now has the computer&#8217;s source address and source port saved to the address translation table, it will continue to use that same port number for the duration of the connection. A timer is reset each time the router accesses an entry in the table. If the entry is not accessed again before the timer expires, the entry is removed from the table.</p>
<p>Stub Domains</p>
<p>The NAT router stores the IP address and port number of each computer in the address translation table. It then replaces the IP address with its own registered IP address and the port number corresponding to the location, in the table, of the entry for that packet&#8217;s source computer. So any external network sees the NAT router&#8217;s IP address and the port number assigned by the router as the source-computer information on each packet.</p>
<p>You can still have some computers on the stub domain that use dedicated IP addresses. You can create an access list of IP addresses that tells the router which computers on the network require NAT. All other IP addresses will pass through untranslated.</p>
<p>The number of simultaneous translations that a router will support is determined mainly by the amount of DRAM (Dynamic Random Access Memory) it has. But since a typical entry in the address-translation table only takes about 160 bytes, a router with 4 MB of DRAM could theoretically process 26,214 simultaneous translations, which is more than enough for most applications.</p>
<p>IANA has set aside specific ranges of IP addresses for use as non-routable, internal network addresses. These addresses are considered unregistered (for more information check out RFC 1918: Address Allocation for Private Internets, which defines these address ranges). No company or agency can claim ownership of unregistered addresses or use them on public computers. Routers are designed to discard (instead of forward) unregistered addresses. What this means is that a packet from a computer with an unregistered address could reach a registered destination computer, but the reply would be discarded by the first router it came to.</p>
<p>There is a range for each of the three classes of IP addresses used for networking:</p>
<p>* Range 1: Class A &#8211; 10.0.0.0 through 10.255.255.255<br />
* Range 2: Class B &#8211; 172.16.0.0 through 172.31.255.255<br />
* Range 3: Class C &#8211; 192.168.0.0 through 192.168.255.255</p>
<p>Although each range is in a different class, you are not required to use any particular range for your internal network. It is a good practice, though, because it greatly diminishes the chance of an IP address conflict.</p>
<p>Security and Administration</p>
<p>Implementing dynamic NAT automatically creates a firewall between your internal network and outside networks, or between your internal network and the Internet. NAT only allows connections that originate inside the stub domain. Essentially, this means that a computer on an external network cannot connect to your computer unless your computer has initiated the contact. You can browse the Internet and connect to a site, and even download a file; but somebody else cannot latch onto your IP address and use it to connect to a port on your computer.</p>
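<p>Added example, not part of the original article: a small Python model of the overloading (PAT) steps listed above and of the inbound behaviour this section describes, using the page's 213.18.123.100 router address and its sample header values. The class names, the port allocation scheme (sequential from 1024) and the 60-second idle timer are assumptions for the example.</p>

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The four header fields the text says identify one TCP/IP connection."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """Overloading (PAT) router with a port-keyed address translation table (assumed design)."""

    def __init__(self, public_ip: str, first_port: int = 1024, idle_timeout: int = 60):
        self.public_ip = public_ip          # the single registered address
        self.next_port = first_port         # assumption: router ports handed out sequentially
        self.idle_timeout = idle_timeout    # seconds an idle entry survives (assumed value)
        # router port -> (inside local ip, inside port, last time used)
        self.table: Dict[int, Tuple[str, int, int]] = {}

    def _expire(self, now: int) -> None:
        """Remove entries whose timer ran out: not accessed within idle_timeout."""
        stale = [p for p, (_, _, last) in self.table.items() if now - last > self.idle_timeout]
        for p in stale:
            del self.table[p]

    def outbound(self, pkt: Packet, now: int) -> Packet:
        """Inside -> outside: save (ip, port), rewrite source to the router's ip and port."""
        self._expire(now)
        rport = next((p for p, (ip, port, _) in self.table.items()
                      if (ip, port) == (pkt.src_ip, pkt.src_port)), None)
        if rport is None:                   # new connection: allocate a router port
            rport, self.next_port = self.next_port, self.next_port + 1
        self.table[rport] = (pkt.src_ip, pkt.src_port, now)   # access resets the timer
        return Packet(self.public_ip, rport, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet, now: int) -> Optional[Packet]:
        """Outside -> inside: look up the destination port; no entry means the packet is dropped."""
        self._expire(now)
        entry = self.table.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or entry is None:
            return None                     # unsolicited or expired: no inside host initiated it
        ip, port, _ = entry
        self.table[pkt.dst_port] = (ip, port, now)
        return Packet(pkt.src_ip, pkt.src_port, ip, port)
```

Two inside hosts using the same source port get distinct router ports, a reply is matched by destination port only, and a packet nobody inside asked for returns None (dropped).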
<p>In specific circumstances, Static NAT, also called inbound mapping, allows external devices to initiate connections to computers on the stub domain. For instance, if you wish to go from an inside global address to a specific inside local address that is assigned to your Web server, Static NAT would enable the connection.</p>
<p>Static NAT (inbound mapping) allows a computer on the stub domain to maintain a specific address when communicating with devices outside the network.</p>
<p>Some NAT routers provide for extensive filtering and traffic logging. Filtering allows your company to control what type of sites employees visit on the Web, preventing them from viewing questionable material. You can use traffic logging to create a log file of what sites are visited and generate various reports from it.</p>
<p>NAT is sometimes confused with proxy servers, but there are definite differences between them. NAT is transparent to the source and to destination computers. Neither one realizes that it is dealing with a third device. But a proxy server is not transparent. The source computer knows that it is making a request to the proxy server and must be configured to do so. The destination computer thinks that the proxy server IS the source computer, and deals with it directly. Also, proxy servers usually work at layer 4 (transport) of the OSI Reference Model or higher, while NAT is a layer 3 (network) protocol. Working at a higher layer makes proxy servers slower than NAT devices in most cases.</p>
<p>NAT operates at the Network layer (layer 3) of the OSI Reference Model &#8212; this is the layer that routers work at.</p>
<p>A real benefit of NAT is apparent in network administration. For example, you can move your Web server or FTP server to another host computer without having to worry about broken links. Simply change the inbound mapping at the router to reflect the new host. You can also make changes to your internal network easily, because the only external IP address either belongs to the router or comes from a pool of global addresses.</p>
<p>NAT and DHCP (Dynamic Host Configuration Protocol) are a natural fit. You can choose a range of unregistered IP addresses for your stub domain and have the DHCP server dole them out as necessary. It also makes it much easier to scale up your network as your needs grow. You don&#8217;t have to request more IP addresses from IANA. Instead, you can just increase the range of available IP addresses configured in DHCP to immediately have room for additional computers on your network.</p>
<p>Multi-homing</p>
<p>As businesses rely more and more on the Internet, having multiple points of connection to the Internet is fast becoming an integral part of their network strategy. Multiple connections, known as multi-homing, reduce the chance of a potentially catastrophic shutdown if one of the connections should fail.</p>
<p>In addition to maintaining a reliable connection, multi-homing allows a company to perform load-balancing by lowering the number of computers connecting to the Internet through any single connection. Distributing the load through multiple connections optimizes the performance and can significantly decrease wait times.</p>
<p>Multi-homed networks are often connected to several different ISPs (Internet Service Providers). Each ISP assigns an IP address (or range of IP addresses) to the company. Routers use BGP (Border Gateway Protocol), a part of the TCP/IP protocol suite, to route between networks using different protocols. In a multi-homed network, the router utilizes IBGP (Internal Border Gateway Protocol) on the stub domain side, and EBGP (External Border Gateway Protocol) to communicate with other routers.</p>
<p>Multi-homing really makes a difference if one of the connections to an ISP fails. As soon as the router assigned to connect to that ISP determines that the connection is down, it will reroute all data through one of the other routers.</p>
<p>NAT can be used to facilitate scalable routing for multi-homed, multi-provider connectivity.</p>
<p>source: <a href="http://www.howstuffworks.com/nat.htm" target="_blank">http://www.howstuffworks.com/nat.htm</a></p>
]]></content:encoded>
			<wfw:commentRss>http://techspedia.com/2010/03/16/how-network-address-translation-works/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

