The need for security
Security of sensitive information has always been a priority for
people. Encryption techniques are known to have been used even in
the times of Julius Caesar. But with the advent and growth of the
Internet, interest in security has seen an exponential increase. Companies
throughout the world are investing billions of dollars in securing
confidential and sensitive information from malicious hackers. Because
of this increased interest in security, network administrators are
spending more time protecting their networks than on
actual network setup and administration. New tools like the Security Administrator
Tool for Analyzing Networks (SATAN) help them by pointing out their
systems' vulnerabilities.
The first step in securing your network should be knowing the vulnerabilities
of your system. You should also be aware of the methods a hacker may
use to gain unauthorized access to your system and data; you should
be able to read the mind of the attacker. Creating this awareness
is basically the intent of this article.
Modes of Attack
Confidential information can be in two states on your network: either
it resides on a physical storage medium, or it is in transit
on a physical network link. Our primary concern here will be information
in the second state, i.e., in transit. Information in this state may
be vulnerable to the following modes of attack.
1. Network Packet Sniffers
2. ARP Attacks
3. Denial of Service Attacks
4. IP Spoofing
5. Password Attacks
Network Packet Sniffers
Sniffing is the use of a network interface to receive data that
is not intended for the computer in which that network interface resides.
A computer normally checks the destination address of an incoming
packet and accepts the packet only if it is intended for that particular
computer. A packet sniffer is a software application that puts the network
adapter card into promiscuous mode, a mode in which the network
adapter card passes every packet it sees up to the application
layer for processing, whether the packet was addressed to it or not.
The way to safeguard data from packet sniffers is to encrypt it first,
so that even if the data is intercepted in transit the thief cannot
understand its contents.
A number of packet sniffers are available over the Internet. You can download
one to see how they work.
Since you frequently send your login name and password over the network
to log on to some remote system, somebody using a sniffer may come
to share this confidential information, and the problem can become
quite serious.
ARP Attacks
The Address Resolution Protocol (ARP) is a protocol used to map a
32-bit IP address to the address scheme used by the data link layer,
i.e., the hardware address. Each network interface card has a unique hardware
address, typically assigned by the manufacturer. ARP works by sending
an address request and collecting the response to create its mapping
of addresses. Hardware addresses are only needed for the hosts
on the local network. When a computer requires the hardware address
of some machine, it broadcasts that machine's IP address on the network in what is
called an ARP request. All computers examine the request, and the one whose
IP address was broadcast responds by sending its hardware address
to the requesting machine.
The hardware address is then stored in the ARP cache for future reference, so that
the machine does not have to request the hardware address of the same
machine each time it wants to communicate with it. The problem with
ARP is that it allows any host to provide its own address information,
correct or not. One system may provide information on behalf of another
system and it will be accepted. Additionally, address information
received by ARP is processed whether it was requested or not.
There are two basic types of ARP attacks possible: denial of service and IP spoofing.
Denial of service and IP spoofing
The simplest form of attack is the denial of service attack. There are
two basic forms of this attack, local and remote. In a local attack
an attacker with root privilege can insert bogus information into the
ARP cache, making it impossible for packets to reach their
intended destination. The attacker can feed a remote system with
incorrect information as well. This is also known as cache poisoning.
An attacker may use the publish feature of ARP to broadcast incorrect
information about other systems.
The second type of ARP attack, IP spoofing, is more serious. By
masquerading as another system the attacker can exploit a trust relationship
to gain entry into the target system. Suppose that system A trusts
system B; another system, say C, can exploit this trust relationship
by masquerading as system B to gain access to A. To do this the attacker
must first disable B and prevent it from sending ARP replies to A.
Then the attacker sends an ARP reply to A containing the IP address
of B but C's own hardware address, and so gains the trust of A.
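The weakness described above, that an ARP reply is processed whether or not anyone asked for it, is also what makes the attack observable. The following is an added example (not from the original article): a small parser for the 28-byte Ethernet/IPv4 ARP body plus a passive monitor that records outstanding requests and alerts on a reply nobody requested or on a reply that changes an already learned IP-to-hardware mapping. The addresses and the three sample packets are constructed for the demonstration.

```python
import struct
from ipaddress import IPv4Address
ARP_FMT = "!HHBBH6s4s6s4s"  # Ethernet/IPv4 ARP body: 28 bytes
REQUEST, REPLY = 1, 2

def build_arp(oper, sha, spa, tha, tpa):  # constructs an ARP body for the sample traffic
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha),
                       IPv4Address(spa).packed, mac(tha), IPv4Address(tpa).packed)

def parse_arp(raw):  # decodes the fixed header and rejects anything not Ethernet/IPv4
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, raw[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"oper": oper, "sha": mac(sha), "spa": str(IPv4Address(spa)),
            "tha": mac(tha), "tpa": str(IPv4Address(tpa))}

class ArpMonitor:
    """Passive monitor: flags replies nobody asked for and changes to learned mappings."""
    def __init__(self):
        self.pending = set()  # (asker_ip, asked_about_ip) taken from requests on the wire
        self.table = {}       # ip -> hardware address as learned from replies
        self.alerts = []

    def observe(self, raw):
        p = parse_arp(raw)
        if p["oper"] == REQUEST:
            self.pending.add((p["spa"], p["tpa"]))
        elif p["oper"] == REPLY:
            key = (p["tpa"], p["spa"])  # the request this reply claims to answer
            if key in self.pending:
                self.pending.discard(key)
            else:
                self.alerts.append(f"unsolicited reply: {p['spa']} is-at {p['sha']}")
            old = self.table.get(p["spa"])
            if old is not None and old != p["sha"]:
                self.alerts.append(f"mapping change: {p['spa']} {old} -> {p['sha']}")
            self.table[p["spa"]] = p["sha"]

# Constructed sample traffic: A asks for B, B answers, then a third host answers for B.
A_IP, A_MAC, B_IP, B_MAC = "192.0.2.1", "02:00:00:00:00:0a", "192.0.2.2", "02:00:00:00:00:0b"
C_MAC = "02:00:00:00:00:0c"
def run_sample():
    mon = ArpMonitor()
    for pkt in (build_arp(REQUEST, A_MAC, A_IP, "00:00:00:00:00:00", B_IP),
                build_arp(REPLY, B_MAC, B_IP, A_MAC, A_IP),
                build_arp(REPLY, C_MAC, B_IP, A_MAC, A_IP)):
        mon.observe(pkt)
    return mon
```

The legitimate reply clears the pending request and is accepted silently; the third packet raises both alerts, because no request is outstanding and it contradicts the mapping learned moments earlier.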
Password Attacks
Although packet sniffers and IP spoofing techniques can be used to
gain password information, password attacks usually refer to repeated
attempts to identify a user account and password. These repeated attempts
are frequently referred to as brute force attacks.
Often a brute force attack is performed using an application layer
program, e.g., a Trojan horse program. A Trojan horse program displays
a screen, banner or prompt that the user believes is the valid login
sequence. The program captures the information that the user types
in and emails it to the attacker. Next the program either passes
that information on to the normal login procedure or sends an error message
to the user, who, believing that he or she has incorrectly entered the
password, retypes the information and gains access.
SYN Flood Attacks
SYN flood attacks are perhaps the most dreaded of all attacks
for commercial organizations. This form of attack may make the system
respond very slowly to incoming network connections or not respond
at all. Web sites may appear to be down because they cannot establish
connections with incoming browser requests.
The name SYN refers to synchronization, the first step of the three-way
handshake that two systems must complete before a TCP connection exists.
The handshake is done in the following sequence.
a) The client sends a TCP segment to the server with the SYN flag in the header
set and an initial sequence number (ISN).
b) The server returns a segment with the SYN flag and the ACK (acknowledgment)
flag set, the original ISN+1, and its own initial sequence number.
c) The client sends a segment with the ACK flag set and the server's
ISN+1.
The connection is now established and data can be exchanged. The
sequence numbers are used to provide reliability to the procedure:
if a packet is missing it can be detected and retransmitted.
The SYN flood attack takes advantage of a weakness in TCP. When the server
receives the first SYN segment, it sends a SYN/ACK segment to the
client address listed in the SYN segment. If the client is unreachable,
the server will resend that segment until a time limit is reached.
TCP will also ignore the ICMP errors returned by the IP layer. If
the attacking host sends many synchronization requests addressed from
unreachable hosts, the server will spend a lot of time and resources
trying to establish connections with them. Incoming connections
still in the handshake phase are held in the backlog queue for a specified
port. Once that queue is full, no incoming SYN segment will be processed.
The system will not respond to new connections, and even if it does, its
response will be very sluggish.
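To make the handshake steps and the backlog weakness concrete, here is an added model (not part of the original article) of a listening TCP endpoint: the server answers step a with step b, accepts step c only when it acknowledges the server's ISN+1, and keeps each half-open connection in a bounded backlog until the handshake completes or the retransmission timer gives up. The backlog size, retry count and the "unreachable" clients are constructed values; the point is to show why a legitimate SYN is dropped while the queue is full and accepted again once the stale entries have timed out.

```python
import random
from dataclasses import dataclass, field
MOD = 2**32  # TCP sequence numbers wrap at 32 bits

@dataclass
class Server:  # listening TCP endpoint with a bounded backlog of half-open connections
    backlog_size: int
    retries: int = 3                                # SYN/ACK resends before an entry is reaped
    half_open: dict = field(default_factory=dict)   # client -> (server_isn, retries_left)
    established: int = 0
    dropped_syns: int = 0

    def on_syn(self, client, client_isn):           # step a arrives
        if len(self.half_open) >= self.backlog_size:
            self.dropped_syns += 1                  # queue full: the SYN is not processed
            return None
        server_isn = random.getrandbits(32)
        self.half_open[client] = (server_isn, self.retries)
        return ("SYN/ACK", (client_isn + 1) % MOD, server_isn)   # step b

    def on_ack(self, client, ack):                  # step c
        state = self.half_open.get(client)
        if state is None or ack != (state[0] + 1) % MOD:
            return False                            # no pending handshake, or wrong ACK
        del self.half_open[client]
        self.established += 1
        return True

    def tick(self):  # retransmission timer fires: resend SYN/ACK, reap exhausted entries
        self.half_open = {c: (isn, left - 1) for c, (isn, left) in self.half_open.items() if left > 0}

def handshake(server, client, client_isn):
    """A reachable client runs all three steps; True if the connection is established."""
    reply = server.on_syn(client, client_isn)
    if reply is None:
        return False                                # SYN dropped, nothing to acknowledge
    _, ack_for_client, server_isn = reply
    assert ack_for_client == (client_isn + 1) % MOD  # server acknowledged our ISN+1
    return server.on_ack(client, (server_isn + 1) % MOD)

def simulate(backlog=8, bogus=20):
    """Constructed scenario: SYNs whose source addresses never answer, then a real client."""
    s = Server(backlog_size=backlog)
    for i in range(bogus):
        s.on_syn(f"unreachable-{i}", 1000 + i)      # half-open entries pile up; no ACK follows
    during_flood = handshake(s, "real-client", 4242)   # backlog full: this SYN is dropped
    while s.half_open:
        s.tick()                                    # timers expire and stale entries are reaped
    after_timeout = handshake(s, "real-client", 4242)
    return {"dropped": s.dropped_syns, "during_flood": during_flood, "after_timeout": after_timeout}
```

With the defaults, 12 of the 20 bogus SYNs and the real client's SYN are dropped while the queue is full, and the real client succeeds only after the retry timer has cleared the backlog.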
Although
we discussed here the more common of the methods used in breaking
through the defenses of a network, the list is long and as soon as
network administrators are able to plug a leak in their network, hackers
attack from some other gate by exploiting weaknesses in a system's
design and protocols. I am also working on a complementary article
on some common strategies used by network security managers in securing
their networks and both of them combined should hopefully be a good
primer on different aspects of network security.