Security 022

various ways we can secure, or harden, the network against these threats

what constitutes host threats versus purely network threats and the associated hardening techniques that apply

techniques we discuss are common to all the layers,

look at the network as only one layer in a complex multilayered architecture,

network defense methods we can use to harden the network architecture

network devices we haven’t talked about much,

network hardening techniques and methods used to secure and defend the infrastructure

devices such as proxies, web security gateways, virtual private network (VPN) concentrators, and, of course, intrusion detection systems

You’ll also expand your knowledge of secure network administration methods and techniques, media access control (MAC) filtering, port-based authentication, and some layer security techniques.

additional network security devices, such as web proxies and gateways, as well as VPN devices

protocol sniffers and network intrusion devices

These devices are just as critical as the ubiquitous firewall to ensuring a layered defense for the network.

device or application

intercepts user or host requests and then

makes those requests to other hosts

advantages

hides the identity of the requester

proxy receives the data back

forwards it on to the internal network user and host that originated the request

can be dedicated network appliances

add-on applications to combination or all-in-one security devices

can also be software applications that reside on a user’s host.

can also be used to filter content coming from untrusted networks

can filter the requests and disallow requests that aren’t allowed per the network security policy

filter responses back from the external network and block certain content

potentially harmful executable files, scripts, or even prohibited content

proxies also serve as content filtering devices

A more advanced proxy device is called a web security gateway, discussed next.

Web security gateways are more advanced proxy devices

not only simple proxying functions, but also advanced content-filtering and application-layer security

filtering potentially malicious sites

perform deep-packet inspection on web traffic, looking beyond mere protocol filtering

prevent more dangerous attacks such as cross-site scripting and other associated web-application attacks

filter out malware, such as viruses, Trojans, and so on.

VPNs and how they work

establishes a virtual connection through an untrusted network,

encrypted and authenticated

protocols to accomplish this, including IPsec, Layer 2 Tunneling Protocol (L2TP), and even Secure Sockets Layer (SSL)

client-based,

client attempts to connect to a private network through the Internet, or

site-based,

two sites are separated by a public untrusted network,

VPN concentrator sits on the perimeter

receives the client and site VPN connection requests

policies and rule sets configured

so that it can negotiate a common set of acceptable encryption and authentication protocols between the private network and the requesting device

may further direct client requests to a network access control device or another secure network

A NIDS/NIPS looks at attacks coming into the network at large instead of into a particular host

malformed network traffic or

excessive amounts of traffic

malicious content embedded in traffic, or other forms of malware

massive distributed denial-of-service (DDoS) conditions, such as those caused by botnet attacks.

One point of interest is the difference between a NIDS and a NIPS

A NIDS is a passive device

alerts an administrator to these issues, also logging the events in the process

A NIPS, in contrast, is an active device

tries to prevent or stop attacks by taking a series of preconfigured actions,

dynamically block traffic

shunting traffic to other interfaces, initiating other security actions, tracing the attack back to its origin,

considered a prevention control,

A behavior- or anomaly-based system detects attacks after comparing traffic with a baseline of patterns considered normal for the network

given the opportunity to “learn” how the normal flow of traffic behaves over the network

good baseline of normal network traffic,

detect any unusual or anomalous traffic patterns that don’t fit into the normal network traffic patterns and issue alerts on them as potential attacks.

A signature-based system,

uses preconfigured signature files,

antimalware applications work, which are stored in the NIPS/NIDS database

define certain attack patterns based upon known traffic characteristics

have its signatures database updated frequently, since new attack patterns are recorded by the security community often

subscription-based service from the NIDS/NIPS vendor,

rule-based system

preconfigured rules in a rule set, much like a firewall, to detect possible attacks

detect an excessive number of Internet Control Message Protocol (ICMP) packets

rule would be activated,

alert would be sent or the attack would be stopped (in the case of a NIPS)

heuristic system

combines the best of both anomaly-based and signature-based systems

It starts out with a database of attack signatures and adapts them to network traffic patterns

It learns how different attacks manifest themselves on the particular network in which it is installed and adjusts its detection algorithms to fit the combination of network traffic behavior and signatures

modern NIDS/NIPS are hybrid systems and may use both techniques

Host-based IDS/IPS systems, in contrast, are almost always signature-based products.

usually implemented as software, although it can be a dedicated hardware device

intercept network traffic and dissect it

view traffic by source and destination address, port number, and, probably most important of all, by content

Eg, sniffers

can provide indications of performance issues that may affect the network

For example, a security professional would be interested in seeing any application that sends plaintext passwords across the network, and a sniffer would be able to tell if this were the case

A sniffer can also provide indications of an attack by looking at it at the protocol level to determine whether there are any abnormal packet construction issues with traffic.

malicious sniffers can be defeated through the use of strong encryption

Although a sniffer can intercept encrypted traffic, it won’t be able to read it,

All in all, it’s better to prevent an attacker from being able to capture traffic whenever possible

use switched networks,

Wireshark, a popular network sniffer

application on the e-mail gateway, or even as a separate network appliance

integrated tightly with an organization’s e-mail system

filter out unwanted e-mail, namely spam or junk mail

provide filtering for a number of other e-mail characteristics, including prohibited attachments or content,

provide a type of data loss prevention (DLP) layer security for e-mail

hone-in on certain sensitive data patterns and block e-mails

find spam filters on combination devices that provide firewall, proxying, and other security functions

We’ll discuss some of these unified devices next.

combination or all-in-one security devices,

progression of security devices has gone from separate single-purpose devices to integrated, multifunctional ones

called Unified Threat Management (UTM),

firewalls, intrusion detection systems, web security gateways, content filters, and so on, are included together in the same box.

good reasons for doing this: standardization of security products, interoperability with the different functions you need, and so on are big selling advantages

you’ve created the rule for your firewall, security gateway, and content filter all at the same time,

keeps your security folks from having to learn the inner workings of several different devices

ease of keeping its configuration and patches up to date, since you have to worry about only one product

functions may include URL filtering, deep content inspection, and malware filtering, if they are not already included in the device.

disadvantages

the only threat-management device you have installed, it’s a single point of failure

compromised or is unavailable, you have no security device

consider the principle of defense diversity

A UTM doesn’t exactly follow this principle, but your organization should weigh the advantages and disadvantages of following this practice when making the decision to implement a UTM.

layered security and defense in depth

multiple layers of access into a network, both authorized and unauthorized,

there must be multiple layers of defense to secure those entry points

using the hardware address of the host’s network card, the MAC address, to impose filters or limits on the device

use the host’s IP address as well, but this could be subject to change in an environment that uses dynamic IP addressing (such as DHCP services)

Limiting and filtering hosts based upon their MAC address has some advantages

tied to the host’s network card, the address isn’t likely to change often, unless the card goes bad and has to be replaced

Second, since the MAC address is fairly consistent, as opposed to IP addressing, the MAC address is a logical choice to filter on

MACs can be used in filtering schemes to include only the hosts whose MAC addresses appear in a preconfigured list

malicious users and hackers find that spoofing MAC addresses is a simple matter,

MAC spoofing defeats any hardware address filtering

Because of this, MAC address filtering should not be the only means of security used on a network.

it can prevent unauthorized hosts from connecting to the network

restricts connections by host and can also support device authentication

using a variety of security protocols, such as Extensible Authentication Protocol (EAP) and its variants

can provide for mutual authentication as well, requiring devices to authenticate to each other before passing sensitive network traffic between them

the practice of disabling both physical and logical interfaces and ports into a device

eliminate potential attack vectors

For physical interfaces, this includes switch ports, USB ports, and wireless and wired network interfaces

If they are not used to connect to the device, they should be disabled to prevent unauthorized and possibly undetected connections

For logical interfaces, this means reducing the number of entry points into a host through remote shells or administrative interfaces

Entry points should be kept to a minimum, only to those needed to administer or connect to a device effectively, and then restricted only to those personnel with a valid need.

Likewise, it’s also a good idea to disable unused logical application service ports

Disabling or blocking port 3389 on a Windows host, for example, is a good idea if you don’t routinely use a remote desktop connection to the device

The same goes for other common network ports, such as SMTP (port 25), HTTP (port 80), and FTP (ports 20 and 21)

It’s also a good idea to disable unused protocols on network devices, such as Telnet and Trivial File Transfer Protocol (TFTP) on routers and switches, for example, since they are nonsecure protocols

On some devices, these may be open by default.

In any event, in addition to preventing rogue clients from connecting, we also need to ensure that we monitor the network infrastructure to detect them, just in case they find a way to connect in spite of our preventive measures

NAC, which can prevent unauthorized machines but can also report to administrators any machines that attempt to connect but are not permitted to do so

log connection attempts through network devices, such as switches, for example

Switches, especially those managing VLANs, can prevent hosts from connecting through 802.1X port authentication, as well as restricting VLAN membership

If configured to do so, switches can also log connection attempts from unauthorized hosts.

Reviewing DHCP logs can be another useful way to detect rogue machines

If you have a device inventory established for authorized devices, perhaps by MAC address, you could compare that list to the DHCP server’s logs and ensure that only authorized hosts received addressing information from the server

You could also look at the computers authorized in Active Directory to determine if that database lists a potential rogue machine you are attempting to track down.

In addition to rogue clients, rogue servers are also an issue that occasionally pops up on a network

A rogue DHCP server, for example, could disrupt network operations by handing out false or duplicative IP addressing information to network clients, causing them not to be able to communicate with other network resources or to communicate only with an attacker’s boxes instead

Other rogue servers might include fake web or file servers, DNS servers, or other servers that appear to run critical network services

A comprehensive device inventory, device authentication, and constant service and traffic monitoring can also help detect rogue devices

Even sniffers can be useful in detecting unauthorized hosts.

you should actively monitor the status of the network, including hosts, devices, and the traffic that flows between them

you should also monitor traffic that enters into and exits from your network

you should monitor traffic to ensure that your devices are doing their job by controlling the traffic flow and content throughout the network

Using some of the devices we’ve discussed, such as sniffers and intrusion detection/devices to monitor the network continuously, for example, helps to maintain the security posture of your network and in itself is a best security administration practice.