We all know how firewalls work: they stop packets from crossing a barrier we have placed in their path. But they don't limit how far a packet can travel once it has been allowed through.
The big question many U.S. database administrators need to ask themselves is: is my server carrying high-value data to unfriendly countries? Firewalls are in place, yet data is still leaking.
Is there anything else I can do to stop it?
When in Doubt, Blame the Desire for Systems to Just Work!
We all want to have a phenomenal experience when setting up new computers. The system should boot and connect effortlessly. It doesn’t matter whether the system runs Windows, Mac, Unix, Linux or any other operating system. If the OS is a pain, we switch to one that works better.
In the 1990’s, Microsoft had an out-of-the-box connectivity problem: The Internet had outgrown Windows. The Internet had grown to the point that there were more than 32 routers between some locations, but Windows had a default of 32 hops.
The way it worked was that each router along the path decremented the packet's hop value by one, and the router that brought it to zero discarded it. Think of driving across toll roads: each router, like a toll taker, charges the packet one hop to cross, and when the packet runs out of "money" the journey ends. Starting at 32 hops, the packet reached zero at the 32nd router and came to a screeching halt.
Users reported this inability to reach distant devices as a bug; the Internet seemed broken for certain sites. Since nothing told the user how many hops a given URL was away, the problem simply manifested itself as a page that failed to load.
The set of affected web sites varied based on the user’s location and network topology. Microsoft responded by raising the default hop limit to 128 routers, meaning its packets were free to roam the full Internet. At the time, this was great for web servers and browsers wanting to publish/consume information on the World Wide Web.
This particular problem was unique to Microsoft. By the same measure, other operating systems were already more exposed, because they shipped with higher default hop counts. Most Linux systems, for example, default to 64 hops, and some systems use 255, the largest value the 8-bit field in the Internet Protocol (IP) header can hold!
Was this the right approach? Yes and no.
It makes a user's experience better. If you need to order from Alibaba or look at travel destinations around the world, it's a big improvement. For back-end infrastructure, however, a host whose packets can reach the whole Internet can also complete connections with the whole Internet, and that makes it more vulnerable.
Databases, middleware and other back-end servers rarely, if ever, need to communicate directly with users beyond the data center. Their job is to provide services to hardened application and web servers, which are the systems that talk to end-user devices. Unfortunately, the operating systems under most of those databases keep a default hop value that allows full worldwide communication.
The hacker credo states, "If I can ping it, I can hack it." HOPZERO's HOPsphere Radius Security sets a lower hop limit on the server, so that its packets expire before they can leave a tight perimeter. A distant attacker's connection request may still arrive, but the server's reply dies in transit, the handshake never completes, and the attacker never sees a database login prompt. That removes the opportunity for lost or stolen usernames and passwords, or for password-cracking attempts, to turn into a data breach.
HOPsphere Radius Security is a powerful additional layer of security, an approach that database administrators should add to their toolbox. Best of all, this strategy actually makes firewalls, and other network security tools, stronger.
Say you've already purchased expensive security devices that inspect traffic for malware, viruses and potential Trojans. If those devices spend their analysis capacity on nuisance attacks from faraway Internet locations, limiting the HOPsphere reduces the load on them and makes them more efficient. Since the server's reply to a distant host expires before it arrives, the TCP handshake never completes, and there is no connection over which a nefarious payload could be delivered.
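As an added example (written for this edit, not HOPZERO's product code), the following Python script shows the mechanism at the level of a single listening socket. It sets the IPv4 Time To Live on a TCP listener with the standard IP_TTL socket option, accepts one constructed client over loopback (zero routers away, so the handshake succeeds), and reports the TTL that the kernel will stamp on every packet the server sends back, including the SYN-ACK. The port number and the "hello" message are arbitrary choices for the demonstration.

```python
import socket
import threading


def serve_with_hop_radius(ttl: int) -> dict:
    """Bind a TCP listener whose outbound packets carry a deliberately low TTL.

    Every packet the kernel sends on behalf of this socket, including the
    SYN-ACK that completes a client's handshake, leaves with `ttl`. A router
    that receives the packet with TTL 1 discards it, so the reply can cross at
    most ttl - 1 routers. A client beyond that radius sees its connection
    attempt time out even though its own SYN reached the server.

    To stay self-contained, the function also runs one client over loopback
    and reports what the server side observed.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # IP_TTL is the IPv4 option; IPV6_UNICAST_HOPS is the IPv6 equivalent.
    listener.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
    listener.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    def client() -> None:
        # Constructed client: loopback is zero routers away, so it connects.
        with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
            c.sendall(b"hello")

    worker = threading.Thread(target=client)
    worker.start()
    conn, _ = listener.accept()
    # Linux copies the listener's TTL into accepted sockets; set it explicitly
    # anyway so the radius does not depend on that behaviour.
    conn.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
    data = conn.recv(16)
    result = {
        "listener_ttl": listener.getsockopt(socket.IPPROTO_IP, socket.IP_TTL),
        "accepted_ttl": conn.getsockopt(socket.IPPROTO_IP, socket.IP_TTL),
        "received": data,
    }
    conn.close()
    worker.join()
    listener.close()
    return result


if __name__ == "__main__":
    print(serve_with_hop_radius(ttl=4))
```

A per-socket option like this only protects the service that sets it. To apply one limit to every socket on a Linux host, set the net.ipv4.ip_default_ttl sysctl instead; either way, choose the value from measured hop counts to the legitimate clients, not from a guess.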
The Origin of the Hop Value Field
The hop value field lives in the IP packet header, where IPv4 calls it Time To Live (TTL) and IPv6 calls it Hop Limit. It was put there to keep packets from living forever because of routing loops: if packets loop indefinitely, enough of them eventually fill the router buffers in the loop and all traffic through those routers stops. Instead, the sending station sets an initial hop value, each router in the path decrements it by one as the packet passes, and the router that brings it to 0 discards the packet (and sends an ICMP Time Exceeded message back to the sender, which is the signal traceroute relies on). A packet sent with a hop value of N can therefore cross at most N-1 routers.
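To make the decrement rule concrete, here is an added simulation (example code written for this edit, not taken from the page or from any product) over a constructed six-node topology: a database host, a client three routers away, and two routers that deliberately form a routing loop. It shows that a packet sent with TTL 3 reaches the client while TTL 2 is dropped at the second router, and that a packet caught in the loop is discarded after a bounded number of router visits rather than circulating forever. The node names and routes are invented for the illustration.

```python
from typing import Dict

# Constructed topology: each node maps a destination name to its next hop.
# "db" is the database host, "client" sits behind R1 and R2, and R3/R4 form
# a deliberate routing loop for the destination "loop".
TOPOLOGY: Dict[str, Dict[str, str]] = {
    "db":     {"client": "R1", "loop": "R1"},
    "R1":     {"client": "R2", "loop": "R3"},
    "R2":     {"client": "client"},
    "R3":     {"loop": "R4"},
    "R4":     {"loop": "R3"},
    "client": {},
}


def forward(topology: Dict[str, Dict[str, str]], src: str, dst: str, ttl: int) -> dict:
    """Walk one packet from src toward dst, applying the hop rule at each router.

    The originating host sets the TTL and does not decrement it. A router that
    receives the packet with TTL <= 1 discards it (and would send ICMP Time
    Exceeded back to src); otherwise it decrements by one and forwards.
    """
    path = [src]
    node = src
    while node != dst:
        if node != src:  # only routers decrement; the sending host does not
            if ttl <= 1:
                return {"delivered": False, "dropped_at": node,
                        "path": path, "reason": "ttl expired"}
            ttl -= 1
        nxt = topology[node].get(dst)
        if nxt is None:
            return {"delivered": False, "dropped_at": node,
                    "path": path, "reason": "no route"}
        node = nxt
        path.append(node)
    return {"delivered": True, "path": path, "ttl_on_arrival": ttl}


def max_router_hops(ttl: int) -> int:
    """Largest number of routers a packet sent with this TTL can cross."""
    return max(ttl - 1, 0)


def min_ttl_for_radius(routers: int) -> int:
    """Smallest TTL that still reaches a host `routers` routers away."""
    return routers + 1


if __name__ == "__main__":
    print(forward(TOPOLOGY, "db", "client", ttl=3))  # delivered via R1, R2
    print(forward(TOPOLOGY, "db", "client", ttl=2))  # dropped at R2
    print(forward(TOPOLOGY, "db", "loop", ttl=64))   # loop, discarded after 64 router visits
```

The loop case is the one the field was designed for: without the TTL check the while loop in forward would never terminate, which is exactly what a real router pair would do with the packet.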
As last year's massive data breach demonstrated, lost or stolen DBA credentials can be all it takes. But to enter a username and password at a login prompt, one must first reach a login prompt. HOPsphere Radius Security denies that opportunity by putting the database server beyond the hacker's reach, so far fewer nefarious devices can ever communicate with your high-value system.
The downside to such a strategy? Every system that needs to talk to the server must be within the HOPsphere Radius, so the hop count to each legitimate client has to be measured (with traceroute from the server, and in both directions, since return paths can differ) before deployment and monitored afterwards. A few caveats apply. The hop limit governs only packets the server sends; an attacker's packets still arrive, and it is the server's replies that expire in transit, so the protection lies in preventing a completed TCP handshake, not in blocking inbound traffic, and single-packet protocols such as UDP are not covered. A load balancer or proxy that terminates the client's TCP session and opens its own connection to the server starts the hop count afresh, so it must itself sit inside the radius; tunnels and VPNs likewise collapse many physical hops into one IP hop. And an attacker who has already compromised a host inside the radius, say a web server, is not kept out: the measure shrinks the set of machines that can reach the login prompt, it does not vouch for the ones that remain.
If you want to keep tabs on Mr. Putin's favorite soccer team, do it from your personal machine, because your server will no longer be able to check. Not knowing how the St. Petersburg football club is doing while logged into your database server is a small price to pay.