wipe the virus from your hard disk. Since viruses pose such a danger to intranets, it is also best to protect against viruses by putting a virus scanner on a server inside a firewall, where that scanner can check every file coming into the intranet for known viruses. This does not eliminate the need for client software to cover such cases as a virus that may travel in a diskette from an external source.
<P>Such a scanner typically doesn't check every single packet coming in, since many types of packets won't be able to have viruses in them. Instead, the scanner checks only those packets sent with certain Internet protocols, such as for e-mail, FTP, and the Web, that may indicate that a binary file is being transferred into the intranet. It looks at only those files, using packet filtering technology similar to that used by filtering routers. It then scans those files for viruses, letting in those files that are virus-free, and stopping any infected files from entering the intranet.
<H2><A NAME="HowIntranetVirusScanningSoftwareWorks"><FONT SIZE=5 COLOR=#FF0000>How Intranet Virus Scanning Software Works</FONT></A></H2>
<P>Viruses are a major security risk for intranets. They can damage data, occupy and consume resources, and disrupt operations. Program files were the major source of trouble in the past, but new "macro" viruses can hide in data files and launch, for example, when a macro in a word processing program is run. Server-based and client-based virus-scanning software both have roles that help protect the intranet.
<OL>
<LI>A virus hides inside a legitimate program. Until you run the infected program, the virus remains dormant. When you run the infected program, the virus springs into action. Sometimes, the first thing it will do is infect other programs on your hard disk by copying itself into them.
<LI>Some viruses place messages called <I>v-markers</I> or <I>virus markers</I> inside programs that they infect, and they help manage the viruses' activities.
Each virus has a specific virus marker associated with it. If a virus encounters one of these markers in another program, it knows that the program is already infected, and so doesn't replicate itself there. When a virus cannot find any more unmarked files on a computer, that can signal to the virus that there are no more files to be infected. At this point, the virus may begin to damage the computer and its data. Viruses can corrupt program or data files so that they work oddly, not at all, or cause damage when they run. They can destroy all the files on your computer, change the system files that your computer needs when it is turned on, and cause other types of damage.
<LI>Intranet virus scanning software runs on a server in an intranet firewall. The software doesn't check every packet that comes into the intranet for viruses, since that would not be feasible. Instead, it checks only those packets sent with the kinds of Internet services and protocols that indicate that a file may be in the process of being transferred from the Internet to the intranet, commonly e-mail (which is sent via SMTP, Simple Mail Transfer Protocol), the File Transfer Protocol (FTP), and the World Wide Web (HTTP, Hypertext Transfer Protocol). The software uses packet filtering technology to determine which packets are being sent with these protocols.
<LI>When the software finds packets that are sent with SMTP, FTP, or HTTP, it knows it must examine them further, to see if they have viruses in them.
Virus scanning software works in many ways. One method of detection is to check files for tell-tale virus markers that indicate the presence of a virus.
<LI>Packets not using SMTP, FTP, or HTTP (such as NNTP) are passed through, and the software does not perform any action on them.
<LI>If the file is found to be virus-free, it is allowed to pass. If it is found to have a virus, it won't be allowed to pass into the intranet.
<LI>Antivirus software should also be run on individual computers inside the intranet because it's possible that a virus can be brought into the intranet by diskettes, for example. In addition to protection against viruses, it can detect viruses, and eradicate any virus that it finds.
</OL>
<H2><A NAME="HowaquotHostilequotJavaAppletCanAttackanIntranet"><FONT SIZE=5 COLOR=#FF0000>How a "Hostile" Java Applet Can Attack an Intranet</FONT></A></H2>
<P>The Java programming language can create interactive, multimedia applications (called applets) that can greatly extend the power of the World Wide Web on intranets and the Internet. However, some people believe that it can theoretically be used to attack an intranet. Here is an example of such an attack, which computer scientists at Princeton University discovered was possible due to holes in the Java protection scheme. Since then, this particular hole was covered up, but only if people use specific versions of Netscape which contain the fix. Many computer scientists say that other security holes still exist in Java.
<OL>
<LI>The cracker begins by targeting a specific pair of computers on an intranet, stooge.victim.com, and target.victim.com. One of the computers will be used by the cracker as a jumping off point to attack the other. The cracker knows their IP addresses, 123.123.122.1 for stooge.victim.com, and 123.123.122.2 for target.victim.com.
<LI>The cracker's computer's name is www.hackit.com, and its IP address is 114.12.12.12.
There is also a "bogus" machine name, a computer that does not exist, but looks to the rest of the Internet as if it does. The bogus machine is called bogus.hackit.com. The cracker creates a DNS mapping from this bogus machine to a pair of IP addresses: the cracker's, 114.12.12.12; and the machine targeted for attack, 123.123.122.2. When a DNS server looks up the bogus machine name to see its IP address, it will see these two IP addresses. Note that the cracker hasn't yet used Java; what has been done so far has commonly been done by crackers on the Internet since well before Java was released.
<LI>The intranet that the cracker has targeted is protected by a firewall. Normally, he or she would not be able to break through the firewall to attack the computer with the IP address 123.123.122.2. With a hole the cracker discovered in Java, however, now it can be done.
<LI>The cracker creates a "hostile" Java applet and posts it on a page on the World Wide Web. The applet looks as if it's a news ticker, but it in fact is designed to attack the intranet. The cracker sends out an e-mail note to the target intranet, disguised as a press release, inviting people to visit a free news site on the Internet. Stooge.victim.com browses the Internet to the site and comes across the Java applet on www.hackit.com. The applet will download.
<LI>The applet appears to be a news ticker, so stooge.victim.com reads the news ticker. In fact, the applet has begun to attack the computer and the intranet.
<LI>The applet tries to make a connection to the "bogus" computer created by the cracker, bogus.hackit.com. In order to make the connection, Java uses the DNS mapping created by the cracker. It finds the mapping of 123.123.122.2 and 114.12.12.12 for the name bogus.hackit.com. As a security measure, Java only lets applets contact the server on which they were launched, and no other server. In this case, that server is 114.12.12.12, so Java allows the connection since it sees it in the entry.
However, since the first number in the entry is 123.123.122.2, it actually makes the connection to that computer, not to 114.12.12.12.
<LI>The Java applet is now connected to the target computer, target.victim.com (123.123.122.2), and can make full use of the intranet's resources, as if it were a trusted computer inside the intranet. That's because <FONT COLOR=#000000>the connection was made from inside the intranet, directly from another intranet computer; the attack was made from within the firewall. Using the applet, the cracker can now make a direct connection to 123.123.122.2, as if inside the intranet. A cracker can then probe the intranet's security weaknesses by using a security-probing program like the particularly powerful one called SATAN, and then attack not just the target computer, but the entire intranet.</FONT>
</OL>
</BODY></HTML>
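The gateway decision steps listed under "How Intranet Virus Scanning Software Works", as an added Python example that is not code from the original chapter or from any scanner product. The signature name and bytes, the sample file and the function names are constructed for illustration, and protocol classification is assumed to have been done already by the packet filter.

```python
# Added example: gateway verdict for one file transfer (constructed data).
# Marker database: name -> byte pattern. Harmless placeholder, not a real virus.
SIGNATURES = {"Constructed.Marker.A": b"##CONSTRUCTED-VMARKER-A##"}

# Protocols the chapter says are examined; everything else is passed through.
SCANNED_PROTOCOLS = {"SMTP", "FTP", "HTTP"}


def find_marker(data):
    """Return the name of the first known marker found in data, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def per_packet_hits(packets):
    """Scan each packet payload on its own (shown only for comparison)."""
    return [find_marker(p) for p in packets]


def gateway_verdict(protocol, packets):
    """Decide what happens to one transfer carried in ordered payloads."""
    if protocol not in SCANNED_PROTOCOLS:
        return ("pass-unscanned", None)   # e.g. NNTP: no action taken
    whole_file = b"".join(packets)        # scan the file, not single packets
    hit = find_marker(whole_file)
    if hit:
        return ("block", hit)             # infected file never enters
    return ("pass-clean", None)


def split(data, size):
    """Cut a byte string into payloads of at most size bytes."""
    return [data[i:i + size] for i in range(0, len(data), size)]


# Constructed sample: a "file" carrying the marker, sent in 16-byte payloads,
# so the 25-byte marker always straddles a packet boundary.
SAMPLE_FILE = b"program-header-bytes" + SIGNATURES["Constructed.Marker.A"] + b"tail"
SAMPLE_PACKETS = split(SAMPLE_FILE, 16)

if __name__ == "__main__":
    print(per_packet_hits(SAMPLE_PACKETS))
    print(gateway_verdict("HTTP", SAMPLE_PACKETS))
    print(gateway_verdict("NNTP", SAMPLE_PACKETS))
```

The per-packet scan finds nothing while the reassembled scan blocks the file, which is why the gateway has to examine files rather than individual packets. The NNTP result shows the coverage gap that client-side antivirus is meant to close.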
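The flawed origin check from the hostile applet walkthrough beside a hardened form, as an added Python model that is not Java runtime or Netscape code. The DNS table is constructed from the names and addresses in the walkthrough; `resolve`, `flawed_connect` and `pinned_connect` are hypothetical names, and the pinned-address design is an assumption about how such a check can be fixed, not a description of the actual patch.

```python
# Added model of the applet connection check; not real JVM or browser code.
# Constructed DNS data using the names and addresses from the walkthrough.
DNS = {
    "www.hackit.com": ["114.12.12.12"],
    "target.victim.com": ["123.123.122.2"],
    # Attacker-published record: target address first, attacker's second.
    "bogus.hackit.com": ["123.123.122.2", "114.12.12.12"],
}


def resolve(name):
    """Hypothetical resolver stand-in: every address published for a name."""
    return list(DNS.get(name, []))


def flawed_connect(origin_host, dest_name):
    """Flawed check: compare by name lookup, then connect to the first address.

    The connection is approved if the destination shares any address with
    the origin, but the socket goes to dest_ips[0], which nobody checked.
    """
    origin_ips = set(resolve(origin_host))
    dest_ips = resolve(dest_name)
    if not origin_ips.intersection(dest_ips):
        return None  # refused
    return dest_ips[0]


def pinned_connect(origin_ip, dest_name):
    """Hardened check (assumed design): pin the address the applet came from.

    The destination must resolve to the pinned address, and the connection
    is made to that pinned address, never to another entry in the answer.
    """
    if origin_ip not in resolve(dest_name):
        return None  # refused
    return origin_ip


def demo():
    return {
        "flawed": flawed_connect("www.hackit.com", "bogus.hackit.com"),
        "pinned": pinned_connect("114.12.12.12", "bogus.hackit.com"),
        "pinned_direct": pinned_connect("114.12.12.12", "target.victim.com"),
    }


if __name__ == "__main__":
    print(demo())
```

The flawed check returns the intranet address for bogus.hackit.com, while the pinned check can only ever return the address the applet was loaded from, whatever the DNS answer contains.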