Basic Steps To Secure Network Infrastructure
Securing your network infrastructure is a process, not a task. It is something that, once started, does not end. You must remain constantly vigilant to the threats against your network and continuously undertake actions to prevent any compromises. Because of the scale of the undertaking, hardening your network infrastructure is not an endeavor you should undertake lightly.
Depending on the size and complexity of your environment, you might spend weeks or even months planning before you make any changes. At the same time, if you are looking at how to harden your network, you probably recognize that you have security issues that need to be addressed, even if you aren’t sure exactly what those issues are or how to fix them. This can put you in a bind in that you may have issues that really need to be addressed immediately, before the full-scale hardening process begins.
So what are some things you should do immediately, right now, without any hesitation?
In this guide, we will look at six things you should do right now, before you do anything else.
There are many tasks you can perform as part of the systematic hardening process. These are all generally big-ticket items—for example, hardening your routers and switches or implementing DMZs and perimeter network devices. These tasks take time, sometimes months from the initial planning and design phase to the implementation. Although all these tasks are necessary, you should undertake six tasks, in particular, before you do anything else on your network.
Review your network design - If you don’t know what your network design looks like, how your devices are interconnected, how the data flows in your enterprise, you will never be able to successfully protect your network. The first step to hardening your network is to understand it.
Implement a firewall - If you don’t have a firewall, stop reading this guide right now and go buy or build one and implement it on your network. I’m deadly serious here. Implementing a firewall has the most impact of any task you can perform for hardening your network infrastructure because it allows you to define a perimeter. A next-generation firewall (NGFW) adds visibility, application identification and more advanced threat-defense features on top of basic port and protocol filtering.
Implement access control lists (ACLs) - You should be restricting and controlling all traffic entering and exiting your network from the outside world. At the same time, you should be restricting traffic between internal network segments. If there isn’t a business justification for the traffic, block it. You should be filtering traffic with ACLs not only on your external firewalls and routers, but on your internal firewalls and routers as well.
Turn off unnecessary features and services - Although traditionally the realm of servers and applications, unnecessary services equally plague your network infrastructure devices. If you don’t have a reason to be running a particular service on your network equipment, don’t do it.
Implement virus protection - Today’s worms and viruses, though directed at applications and computers, have the uncanny side effect of often causing Distributed Denial of Service (DDoS) attacks against routers and switches because of how they attempt to replicate. The easiest way to protect against these kinds of attacks is to ensure that every system from Windows to Unix, desktop to server, runs virus protection. Don’t forget to implement virus protection on your gateway devices, such as SMTP gateways, to prevent email–based viruses and worms as well.
Endpoint protection products aimed at advanced persistent threats (APTs), such as Palo Alto Networks Traps, Carbon Black and FireEye Endpoint Security, complement signature-based antivirus: they watch for exploitation behaviour and can identify a threat before the host is infected or exploited.
Secure your wireless connections - Wireless connectivity presents a unique problem to securing your network. If you aren’t sure why you are running wireless, turn it off. Revisit the issue once you know why you are implementing a wireless network. If you have to run wireless, ensure that you implement encryption and authentication to prevent unauthorized users from connecting and/or intercepting and reading your wireless communications.
Review Your Network Design
“In order to know where you are going, you have to know where you came from.” This is true for hardening your network infrastructure. In order to effectively protect your resources, you must know how your network is designed. You must know how your routers are interconnected, where your network ingress points are, where your various resources are located, and so on. Only once you know this information can you effectively protect those resources. In addition, if your network does become compromised, knowing how everything is connected will help you in determining how to recover from it or how to isolate the problem to specific network segments. At the same time, I’m not proposing that the first thing you should do is redesign your network. Remember, we are looking at things you can do right now to make an immediate impact on the security of your network.
Because every network is different, it is impossible for me to provide you a comprehensive review of a network design. I can, however, provide you with 21 questions you should be asking as you review your network design. These questions will help you better understand where and how your network can be hardened.
Where are your Internet connections? Today’s networks commonly have multiple Internet connections. Review your network design and identify all your Internet connections. These can range from your enterprise Internet connection to a backup/redundant connection for your company, all the way down to a DSL or cable modem connection used as a temporary backup exclusively for your sales force. Be prepared to locate “surprises,” such as unauthorized connections to your network in executive suites. Identify these ingress points because those are where you will implement your firewalls.
Where are your external connections? External connections range from traditional frame relay and ATM connections to dedicated serial T1/T3 lines to the Internet connections addressed previously. They are typically used to connect remote offices or external business partners. These are all potential ingress points on your network. Consequently, you need to implement firewalls at those connections as well as potentially employ encryption for the data traversing them.
What networks/subnets are you using? Identify the IP addressing scheme and the location of all your subnets. Are you using dynamic addressing products and protocols such as VitalQIP and DHCP? DHCP networks, although they provide significant ease of resource addressing, create a security issue. Anyone can connect to your DHCP network and immediately begin attempting to gain access to your network resources by exploiting weak security that might exist elsewhere on your network.
What routing protocols are you employing? The routing protocols you use will identify the methods you can implement to protect those protocols. The steps you take to harden Routing Information Protocol (RIP), for example, are not necessarily the same as the steps to harden Open Shortest Path First (OSPF). Are you redistributing routes between protocols? Knowing what protocols you are running, where they are running, and how they are configured will dictate how to harden the protocols.
Are you running Spanning Tree Protocol? Spanning Tree Protocol, like your routing protocols, contains a tremendous amount of information about your network that any hacker would give his two front teeth to get. Identify where you are running Spanning Tree Protocol so that you can decide whether you need to be running it in that location.
Where is your Intrusion Detection/Prevention System (IDS/IPS) located? You need to know what you are monitoring for and where you are monitoring. Are you only monitoring with network-based intrusion detection systems (NIDSs) or are you also using host-based intrusion detection systems (HIDSs)? Where are you performing these functions, and more important, where are you not?
Where are you performing content filtering? Knowing where and how you are performing content filtering is critical in preventing web-based exploits from entering your network. This is commonly done at your Internet connections, but it might make sense for you to do this in other locations, such as between extranet partners.
Are you implementing NAT, and where are you implementing NAT? Network Address Translation (NAT) is commonly implemented at your Internet connections; however, with growth and acquisitions, companies are using NAT on their internal network segments more and more. NAT can present problems with IPsec encryption as well as increased network complexity. Knowing where you are implementing NAT can illustrate areas of your network that you need to keep an eye on, in particular, to make sure NAT is working securely and properly.
What VLANs are in use? Virtual Local Area Networks (VLANs) can be a saving grace to large networks, making it much easier to logically separate resources. At the same time, VLANs can dramatically increase the complexity of a network, consequently allowing security problems to be hidden by the complexities of the VLAN. A common example of this is having VLANs for networks of different security levels (that is, inside and outside or inside and DMZ) running on the same switch fabric. This is a bad thing because switches have historically shown a propensity to allow traffic to traverse between VLANs when it shouldn’t (VLAN hopping through trunk auto-negotiation or double tagging, for example). Knowing where you have VLANs will help you harden those VLANs.
Where are your server resources located? If your server resources are located on a dedicated subnet away from your users, it’s much easier to implement ACLs or similar filters to protect those resources. Knowing where your critical server resources are located will allow you to strategize a method to protect those resources.
Do you provide VPN/remote access connectivity? VPN/remote access connectivity is one of the biggest threats to your network’s security posture. This is due in large part to the fact that you rarely have control of the equipment that is connecting via your VPN connections. Employees’ home networks are rarely protected as they should be, and when those systems connect via VPN to your corporate network, the corporate network becomes susceptible to compromise. Knowing where your VPN/remote access connectivity occurs allows you to focus on where to protect against remote exploits.
Which vendors’ equipment are you using? Different vendors are susceptible to different exploits. Likewise, different vendors implement different methods to secure their equipment. Knowing which vendors’ equipment you have on your network will allow you to develop a reasonable policy for hardening that equipment.
What network devices are you using? Routers require different security measures than switches do. Switches require different security measures than hubs do. By identifying the devices employed on your network, you can develop a security policy that addresses the specific issues of each device type on your network.
What are your device naming conventions? Although a relatively mundane item, device naming conventions can be a real problem in large environments where you need to figure out what a device is or where it might be located by name alone. Using names of fish and trees, as one company I worked at did, serves only to make identifying where a problem or security issue is occurring much more difficult than it needs to be. At the same time, using names that lead people to critical or sensitive servers or resources can also be an issue. You need to strike a balance between function and anonymity.
What circuit types do you employ? Point-to-point connections and frame relay connections require different methods of hardening. Identifying the various circuit types you are using will allow you to define a policy that doesn’t overlook a circuit type.
What network protocols and standards are in use? Are you using Hot Standby Router Protocol (HSRP)? What about Data-Link Switching (DLSw)? Do you still need to run Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX)? By examining the network protocols and standards in use on your network, you can identify security issues unique to each protocol or standard.
Do you have dedicated management segments? Using dedicated management segments is one of the best methods to protect your devices from remote management exploits. Where are these segments, and most important, who has access to them? Knowing this information will help ensure that people do not inadvertently gain management access to your equipment.
Where are your critical segments? Backbone connections, critical Line of Business (LOB) segments, human resources (HR) segments, and so on, need to be identified so that you can ensure not only that the data on those segments is protected, but that those segments are reliable and redundant. Connections between subnets and segments—particularly critical subnets and segments—represent locations where filtering and access lists should be implemented to protect those subnets and segments.
What kind of AAA mechanism are you using on your network? Are you using common passwords (for example, enable secret passwords) or are you performing user-based authentication? Do you have RADIUS or TACACS+ for authentication, authorization, and accounting?
What kind of enterprise monitoring/management products are you using? Many management protocols such as SNMP and Syslog transmit their data in an unencrypted and therefore insecure fashion. Identifying what management products you are using, where they are located, and what devices they communicate with will allow you to determine the most effective method for securing the traffic.
Where are your wireless connections? Wireless represents a significant security issue on a corporate network. Know where you have wireless access points set up so that you can identify and secure that access.
Implement a Firewall
If you can do nothing else to harden your network, you need to implement a firewall. The reason for this is simple: a firewall is the single device that can do more to keep unauthorized traffic from entering a network than any other device. Now you might have heard that firewalls aren’t effective anymore because so many things use port 80 to pass traffic; however, those situations are a small, small portion of all the threats that exist from which a firewall can protect you. In addition, when implementing an application-filtering firewall, you can gain the ability to filter application content, identifying legitimate web requests from illegitimate web requests. Finally, remember that a firewall, although the best single choice you can make, is most effective as a component of security, being complemented by an intrusion detection/prevention system (IDS/IPS) and content filters.
Although many folks think of a firewall as something used to protect their network from Internet-based threats, do not overlook the value of using firewalls at other locations on your network. For example, you can use a firewall on your WAN perimeter to filter traffic to and from frame relay or point-to-point circuit connections across a public internetwork. Likewise, you can implement a firewall to filter traffic between internal LAN segments, protecting critical business resources such as HR servers and application servers from unauthorized traffic. There are a few types of firewalls to consider:
Application proxies
Stateful packet-inspecting/filtering gateways
Hybrid firewalls
1. Application Proxies
Application proxies are identified by their ability to read and process an entire packet to the application level and make filtering decisions based on the actual application data, not just the packet header. Application proxies receive all incoming packets and completely decode them to the Application layer. The actual application data can then be scrutinized to determine whether it is legitimate data. If this data is legitimate, the firewall will rebuild the packet and forward it accordingly. Because of this capability, application proxy firewalls can apply a significant amount of intelligence before making a filtering decision.
One drawback is that this type of filtering introduces latency to network communications and requires significant amounts of processing power. Another drawback is that unless the firewall has the proxy capability for a given protocol or service, it might not be able to facilitate communications with the given protocol or service. Secure Computing Sidewinder G2, Microsoft’s Internet Security & Acceleration (ISA) Server 2000, CyberGuard firewall/VPN appliances, and Symantec Enterprise Firewall are examples of application proxy firewalls.
2. Stateful Packet-Inspecting/Filtering Gateways
Packet-inspecting/filtering gateways are generally not able to process the packet to the application level to make a filtering decision. Instead, packet-inspecting/filtering gateways tend to process the data to the Network/Transport layer and make filtering decisions based on the protocol and port numbers contained in the packet header only. Packet-inspecting/filtering gateways also typically implement a stateful packet inspection model, which allows the firewall to maintain a record of the state of all conversations occurring through the firewall, automatically permitting responses for legitimate outbound requests. iptables, ipchains, SonicWALL, Clavister, and many of your SOHO firewalls such as Linksys and D-Link are examples of packet-inspecting/filtering gateways.
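To make the stateful inspection model concrete, here is a toy stateful filter written for this guide (it is an added illustration, not code from any of the products named above). The Packet fields, the idle timeout and the sample flows are assumptions constructed for the example; the point it demonstrates is why a state table beats the classic stateless "established" trick of trusting the TCP ACK bit.

```python
# Added example: a toy stateful filter showing how a stateful gateway
# permits inbound packets only when they answer a conversation that was
# opened from the inside. Not code from any firewall product; the Packet
# fields, the 60-second idle timeout and the sample flows are assumptions
# constructed for this illustration.
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str     # "out" (inside -> outside) or "in" (outside -> inside)
    syn: bool = False  # TCP SYN flag
    ack: bool = False  # TCP ACK flag


# A conversation is identified by its 5-tuple as seen leaving the network.
FlowKey = Tuple[str, str, int, str, int]


class StatefulFilter:
    """Permit outbound traffic; permit inbound traffic only if it reverses
    a flow already in the state table; drop everything else."""

    def __init__(self, idle_timeout: float = 300.0) -> None:
        self.idle_timeout = idle_timeout
        self.table: Dict[FlowKey, float] = {}  # flow -> time last seen

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> FlowKey:
        # The reply to (src,sport -> dst,dport) arrives as (dst,dport -> src,sport).
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now: float) -> None:
        # Idle entries are removed so a finished conversation cannot be
        # reused indefinitely as a hole in the perimeter.
        for key in [k for k, t in self.table.items() if now - t > self.idle_timeout]:
            del self.table[key]

    def decide(self, p: Packet, now: float) -> str:
        self._expire(now)
        if p.direction == "out":
            self.table[self._key(p)] = now      # open or refresh the flow
            return "permit"
        rev = self._reverse(p)
        if rev in self.table:
            self.table[rev] = now               # a reply keeps the flow alive
            return "permit"
        return "drop"


def stateless_established(p: Packet) -> str:
    """What a stateless 'established' ACL does: trust the ACK bit. Any
    crafted inbound TCP packet with ACK set gets through, whether or not
    an inside host ever asked for it."""
    if p.direction == "out":
        return "permit"
    return "permit" if (p.proto == "tcp" and p.ack) else "drop"


def demo() -> Dict[str, str]:
    """Run constructed sample flows through both filters."""
    fw = StatefulFilter(idle_timeout=60.0)
    request = Packet("tcp", "192.168.1.10", 51000, "203.0.113.5", 443, "out", syn=True)
    reply = Packet("tcp", "203.0.113.5", 443, "192.168.1.10", 51000, "in", syn=True, ack=True)
    unsolicited = Packet("tcp", "198.51.100.7", 40000, "192.168.1.10", 445, "in", ack=True)
    return {
        "request": fw.decide(request, now=0.0),
        "reply": fw.decide(reply, now=1.0),
        "unsolicited_stateful": fw.decide(unsolicited, now=2.0),
        "unsolicited_stateless_ack": stateless_established(unsolicited),
        "reply_after_idle_timeout": fw.decide(reply, now=500.0),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```

Run it and the unsolicited packet to port 445 is dropped by the stateful filter but permitted by the ACK-bit check; that is precisely the gap a stateful gateway closes. The reply is also refused once the idle timeout has passed, because the conversation is no longer in the table.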
3. Hybrid Firewalls
Nowadays most firewalls fall into the hybrid category. Although they typically perform stateful packet filtering/inspecting for making most filtering decisions, they may have some application proxy functionality built in for specific high-risk protocols and services such as HTTP and FTP. Examples of hybrid firewalls are Check Point Firewall-1 NG, Cisco Secure PIX, and Netscreen Deep Inspection Firewall.
Which Firewall Should You Implement?
There is no right answer as to which firewall to use for your environment. This is one of the rare cases when I really can’t give you a definitive answer. You will need to make a decision based on your requirements and your environment. For example, if you require extremely high throughput, a packet-filtering firewall would be a good choice to implement. If you are using standard protocols and require the most rigorous application inspection, an application proxy would be a good choice to implement. In some environments, you might even need both—a packet-filtering firewall to perform initial packet inspection on all traffic, and an application proxy behind that to perform the more detailed application filtering. Regardless of which type of firewall you decide is best for your environment, however, if you do not currently have a firewall, make sure you get one. Any of the firewalls mentioned are better than having none at all.
Implement Access Control Lists
Properly implemented access control lists (ACLs) on your routers provide packet-filtering capabilities without the stateful functionality of a full-featured firewall. Consequently, I think of ACLs on routers as being part of a firewall system, where the router is performing initial packet-filtering functionality in front of a firewall that is providing the full-bore stateful filtering or application proxy functionality.
Here are some types of access you should filter with your ACLs immediately:
Block private (RFC 1918) and other reserved source addresses at your perimeter, including the following:
0.0.0.0/8 (“this” network, RFC 1122)
10.0.0.0/8 (RFC 1918)
127.0.0.0/8 (loopback)
169.254.0.0/16 (link-local, RFC 3927)
172.16.0.0/12 (RFC 1918)
192.168.0.0/16 (RFC 1918)
Block bogon addresses - The term bogon refers to packets addressed to/from a bogus network. Bogons represent the addresses that have not been allocated by the Internet Assigned Numbers Authority (IANA) and Regional Internet Registries (RIRs) to Internet service providers (ISPs) or organizations for use. A current list of bogon networks can be found at http://www.iana.org/assignments/ipv4-address-space. Any entry with the term “reserved” or “unallocated” should be blocked as a bogon. You will need to periodically update the bogons you are blocking because those addresses get assigned to legitimate ISPs and organizations for use.
Implement spoof protection
Implement TCP SYN attack protection
Implement LAND attack protection
Implement Smurf attack protection
Block multicast traffic if it is not needed.
Implement ACLs to control access to the virtual terminal (VTY) lines (Telnet and SSH). Prefer SSH: Telnet sends the login credentials in clear text.
Implement ACLs to control who can manage the router via SNMP, and use read-only communities, or SNMPv3, wherever possible.
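The following block, added for this guide and not taken from it, expresses a perimeter ingress/egress policy once in Python and uses it both to decide on sample packets and to emit the equivalent Cisco IOS extended-ACL lines. The organisation’s own prefix (203.0.113.0/24, RFC 5737 documentation space) and its two internal subnets are assumptions; the reserved list is the one above plus multicast and class E. It covers the reserved/bogon, spoof, LAND and smurf (directed broadcast) items; SYN-flood protection needs connection state and cannot be written as an ACL entry.

```python
# Added example (not from the original guide): a perimeter filter policy
# used to decide on packets and to generate Cisco IOS ACL text. The
# address blocks marked "assumed" are this example's own.
import ipaddress
from typing import List

IPNet = ipaddress.IPv4Network

# Private (RFC 1918) and other reserved source ranges that must never
# arrive from the Internet. The complete bogon list changes as IANA/RIRs
# allocate space, so it must be refreshed from their data, not frozen here.
NEVER_FROM_OUTSIDE: List[IPNet] = [IPNet(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

OUR_PREFIXES: List[IPNet] = [IPNet("203.0.113.0/24")]                            # assumed
OUR_SUBNETS: List[IPNet] = [IPNet("203.0.113.0/26"), IPNet("203.0.113.64/26")]   # assumed


def _in_any(addr: ipaddress.IPv4Address, nets: List[IPNet]) -> bool:
    return any(addr in n for n in nets)


def check_ingress(src: str, dst: str) -> str:
    """Decision for a packet arriving from the outside: 'permit' or the
    reason it is dropped. Order matters: cheapest, most certain checks first."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if s == d:
        return "drop: LAND (source equals destination)"
    if _in_any(s, NEVER_FROM_OUTSIDE):
        return "drop: private/reserved source"
    if _in_any(s, OUR_PREFIXES):
        # Our own addresses cannot legitimately come from outside.
        return "drop: spoofed (our own address as source from outside)"
    if any(d == n.broadcast_address for n in OUR_SUBNETS):
        # Packets to a subnet broadcast address would turn the LAN into
        # a smurf amplifier.
        return "drop: directed broadcast (smurf amplifier)"
    return "permit"


def check_egress(src: str) -> str:
    """Decision for a packet leaving: only our own addresses may appear as
    source, so compromised inside hosts cannot spoof third parties."""
    s = ipaddress.IPv4Address(src)
    if not _in_any(s, OUR_PREFIXES):
        return "drop: egress spoof (source not ours)"
    return "permit"


def _wildcard(n: IPNet) -> str:
    """Cisco wildcard masks are the bitwise inverse of the netmask."""
    return str(n.hostmask)


def ios_ingress_acl(name: str = "INGRESS-FILTER") -> str:
    """Emit the ingress policy as a named IOS extended ACL. LAND cannot be
    expressed in an ACL (source == destination); rely on the platform's
    own protection for that."""
    lines = [f"ip access-list extended {name}"]
    for n in NEVER_FROM_OUTSIDE + OUR_PREFIXES:
        lines.append(f" deny ip {n.network_address} {_wildcard(n)} any log")
    for n in OUR_SUBNETS:
        lines.append(f" deny ip any host {n.broadcast_address} log")
    lines.append(" permit ip any any")   # narrow to the services you actually expose
    return "\n".join(lines)


def ios_egress_acl(name: str = "EGRESS-FILTER") -> str:
    lines = [f"ip access-list extended {name}"]
    for n in OUR_PREFIXES:
        lines.append(f" permit ip {n.network_address} {_wildcard(n)} any")
    lines.append(" deny ip any any log")
    return "\n".join(lines)


if __name__ == "__main__":
    print(ios_ingress_acl())
    print(ios_egress_acl())
    print(check_ingress("10.1.2.3", "203.0.113.10"))
```

Apply the ingress ACL inbound on the Internet-facing interface and the egress ACL outbound (or inbound on the inside interface). The final `permit ip any any` is deliberately loose so the example stays about source filtering; in production it should be replaced by explicit permits for the exposed services followed by `deny ip any any log`.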
Turn Off Unnecessary Features and Services
One point of security that has been hammered on within the desktop/server world is the need to turn off unnecessary services. Unfortunately, people commonly overlook the fact that it is not just the desktops and servers that are potentially running unnecessary services—your network devices are also likely doing this. Here is a list of services you should look for on your network equipment and turn off if you are not actively using them:
Cisco Discovery Protocol (CDP)
TCP and UDP small servers
Finger server
HTTP server
Bootp server
Network Time Protocol (NTP) service
Simple Network Management Protocol (SNMP) services
Configuration auto-loading
IP source routing
Proxy ARP
IP directed broadcast
IP unreachable, redirects, and mask replies
Router name and DNS name resolution services
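Checking every device by hand for each of those services is error-prone, so here is a small audit script, added for this guide (it is not part of the original text), that reads a saved Cisco IOS running-config and reports which of the services above have not been explicitly disabled. The IOS commands it looks for are the standard ones; the sample config is constructed for the example. Because defaults differ between IOS versions, the script reports what is not explicitly turned off rather than what is actually running, which is the conservative reading for a hardening checklist.

```python
# Added example (not from the original guide): audit an IOS running-config
# for the unnecessary services listed above. Global services are checked
# for the presence of their "no ..." line; interface-level ones are checked
# per interface. SAMPLE_CONFIG is constructed for this illustration.
from typing import Dict, List

GLOBAL_CHECKS: Dict[str, str] = {
    "CDP": "no cdp run",
    "TCP small servers": "no service tcp-small-servers",
    "UDP small servers": "no service udp-small-servers",
    "Finger": "no ip finger",
    "HTTP server": "no ip http server",
    "BOOTP server": "no ip bootp server",
    "Configuration auto-loading": "no service config",
    "IP source routing": "no ip source-route",
    "DNS name resolution": "no ip domain-lookup",
}

INTERFACE_CHECKS: Dict[str, str] = {
    "Proxy ARP": "no ip proxy-arp",
    "Directed broadcast": "no ip directed-broadcast",
    "ICMP unreachables": "no ip unreachables",
    "ICMP redirects": "no ip redirects",
    "ICMP mask reply": "no ip mask-reply",
    "NTP": "ntp disable",
}


def _interfaces(config: str) -> Dict[str, List[str]]:
    """Split the config into interface stanzas: name -> its (stripped) lines.
    IOS indents stanza contents by one space and ends them with '!'."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None          # '!' or any other top-level line ends the stanza
    return stanzas


def audit(config: str) -> List[str]:
    """Return one finding per service that is not explicitly disabled."""
    findings: List[str] = []
    global_lines = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    for name, want in GLOBAL_CHECKS.items():
        if want not in global_lines:
            findings.append(f"{name}: '{want}' not found")
    # SNMP is reported whenever a community string is configured; a default
    # community is the finding that matters most.
    for line in global_lines:
        if line.startswith("snmp-server community"):
            community = line.split()[2]
            tag = "DEFAULT COMMUNITY" if community.lower() in ("public", "private") else "in use"
            findings.append(f"SNMP: community '{community}' ({tag})")
    for ifname, lines in _interfaces(config).items():
        if "shutdown" in lines:
            continue                # an administratively down interface is not exposed
        for name, want in INTERFACE_CHECKS.items():
            if want not in lines:
                findings.append(f"{name}: '{want}' missing on {ifname}")
    return findings


# Constructed sample: a partially hardened edge router.
SAMPLE_CONFIG = """\
hostname edge-rtr
no service tcp-small-servers
no ip finger
no ip http server
no ip source-route
snmp-server community public RO
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface GigabitEthernet0/1
 shutdown
!
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it `show running-config` output captured from each device and diff the findings over time; a service that reappears after a change window is exactly the kind of drift this check is meant to catch.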
Implement Virus Protection
Virus protection and implementing virus protection typically fall within the realm of the server/desktop administrator. Indeed, in large environments, if you are responsible for the network infrastructure, you may never be involved in any virus-protection discussions. Unfortunately, today’s worms and viruses are having a larger impact on the network infrastructure, which means you need to become concerned with the status of virus protection on your network. In addition, you can install virus-protection gateway devices and virus-protection applications in conjunction with your existing firewalls and gateways to prevent viruses from entering your network. You should be involved in advocating these systems being implemented.
The methods that many of the worms use to self-replicate (for example, by scanning an entire subnet and attempting to connect to every IP address on that subnet) have the uncanny ability to result in a denial of service (DoS) on many routers. The reason for this is pretty straightforward. When a router receives a packet destined for a subnet that it is directly connected to, the router will generate an ARP request for the destination MAC address. In the case of these worms, often the destination is not online, but the router has no way of knowing this and issues the ARP request anyway. The router then must wait for a response, or wait for the ARP request to time out before it can drop the packet in question. As the router gets hit with thousands of these requests, it fills its buffers and input/output queues with these packets waiting for the timeout periods to occur. Often this consumes the entire free RAM on a router. The end result is that the router starts dropping legitimate traffic because it cannot queue the traffic, and/or the router will no longer accept VTY sessions because it does not have enough free RAM to house those sessions. Both of these circumstances result in a DoS against the router. In fact, when you think about it, the way that these worms work is a great example of just how effective a distributed denial of service (DDoS) attack can be.
If you are not running virus protection on all your systems—Windows, Unix, Linux, and Macintosh based—you need to be.
Don’t forget your gateway virus protection when talking about implementing virus protection on all your systems. This allows you to catch and stop a significant amount of viruses attempting to enter your network at your network ingress points. TrendMicro, Network Associates, and Symantec all have gateway virus protection you can implement. Don’t overlook the value of implementing virus protection on your gateways and firewalls.
The only way to effectively prevent your network from being susceptible to virus- and worm-based DDoS attacks is to keep the systems that propagate the worms from being infected in the first place and to attempt to prevent the viruses from entering your network to begin with.
Secure Your Wireless Connections
What you can do right now is to locate and remove all wireless access points that you do not need or did not plan properly. This may sound like a little bit of overkill, but it isn’t. If you have not developed a wireless security plan and implemented your wireless network by restricting IP addresses and implementing encryption and authentication, you need to unplug everything and start all over again building a secure wireless network. If you must run wireless, you can do the following four tasks to harden your wireless network against attack:
Require a written wireless security policy that allows only IT-supported wireless products, installed only by IT. If an employee goes out and buys the latest, cheapest personal wireless access point or router, that should be grounds for dismissal.
Only allow authorized MAC addresses to connect to your wireless network. Treat this as a speed bump rather than a control: MAC addresses are transmitted in the clear and are trivially spoofed.
Require encryption: WiFi Protected Access (WPA) or, preferably, 802.11i (WPA2). Wired Equivalent Privacy (WEP) has been thoroughly broken and its keys can be recovered from captured traffic in minutes; it is only marginally better than clear text, so use it solely where a device supports nothing better, and plan to replace that device.
Require authentication via shared secret key, 802.1x, RADIUS authentication, or certificates as supported by your devices.
Summary
Securing your network infrastructure is going to be a long process that involves examining all your network infrastructure equipment and evaluating what vulnerabilities exist as well as identifying how to harden your equipment against those vulnerabilities. However, you can undertake six tasks to start making an immediate impact on the security of your network.
First, you must review your network design so that you know what you are dealing with. This will serve as a roadmap of what needs to be done. Next, you need to implement a firewall. A firewall is the best thing you can introduce into your environment to address security. After that, you should implement ACLs on your equipment. Restrict not only the traffic that can pass through the system, but also who has access to the system. At the same time, review all your network equipment and ensure that any unnecessary services and features have been turned off or disabled. Protocols like Spanning Tree Protocol are very good at what they do, but if you do not need that functionality, turn those features off. Although likely not in the realm of the network infrastructure engineer, virus protection can make your life much easier. Insist that virus protection be installed and configured on all systems in your enterprise. Also, make sure there is a regular schedule for updating the virus signatures and scanning engine to protect against new viruses. Last but not least, secure your wireless connections. Wireless today is really just an open door to your network, inviting unauthorized access to anyone who happens to be in range of your wireless access point. If you don’t need wireless access, don’t use it. If you do, make sure you have properly secured your wireless access points. If you aren’t sure whether your wireless access points are secured, turn them off and start again.
Security is a complex process; however, these six tasks are all relatively easy to perform and will make an immediate and noticeable impact on your overall security posture.
Are you running Spanning Tree Protocol? Spanning Tree Protocol, like your routing protocols, contains a tremendous amount of information about your network that any hacker would give his two front teeth to get. Identify where you are running Spanning Tree Protocol so that you can decide whether you need to be running it in that location.
Where is your Intrusion Detection/Prevention System (IDS/IPS) located? You need to know what you are monitoring for and where you are monitoring. Are you only monitoring with network-based intrusion detection systems (NIDSs) or are you also using host-based intrusion detection systems (HIDSs)? Where are you performing these functions, and more important, where are you not?
Where are you performing content filtering? Knowing where and how you are performing content filtering is critical in preventing web-based exploits from entering your network. This is commonly done at your Internet connections, but it might make sense for you to do this in other locations, such as between extranet partners.
Are you implementing NAT, and where are you implementing NAT? Network Address Translation (NAT) is commonly implemented at your Internet connections; however, with growth and acquisitions, companies are using NAT on their internal network segments more and more. NAT can present problems with IPsec encryption as well as increased network complexity. Knowing where you are implementing NAT can illustrate areas of your network that you need to keep an eye on, in particular, to make sure NAT is working securely and properly.
What VLANs are in use? Virtual Local Area Networks (VLANs) can be a saving grace to large networks, making it much easier to logically separate resources. At the same time, VLANs can dramatically increase the complexity of a network, consequently allowing security problems to be hidden by the complexities of the VLAN. A common example of this is having VLANs for networks of different security levels (that is, inside and outside or inside and DMZ) running on the same switch fabric. This is a bad thing because switches have historically shown a propensity to allow traffic to traverse between VLANs when it shouldn’t. Knowing where you have VLANs will help you harden those VLANs.
Where are your server resources located? If your server resources are located on a dedicated subnet away from your users, it’s much easier to implement ACLs or similar filters to protect those resources. Knowing where your critical server resources are located will allow you to strategize a method to protect those resources.
Do you provide VPN/remote access connectivity? VPN/remote access connectivity is one of the biggest threats to your network’s security posture. This is due in large part to the fact that you rarely have control of the equipment that is connecting via your VPN connections. Employees’ home networks are rarely protected as they should be, and when those systems connect via VPN to your corporate network, your network becomes susceptible to compromise. Knowing where your VPN/remote access connectivity occurs allows you to focus on where to protect against remote exploits.
What vendor’s equipment are you using? Different vendors are susceptible to different exploits. Likewise, different vendors implement different methods to secure their equipment. Knowing what vendor’s equipment you have on your network will allow you to develop a reasonable policy for hardening that equipment.
What network devices are you using? Routers require different security measures than switches do. Switches require different security measures than hubs do. By identifying the devices employed on your network, you can develop a security policy that addresses the specific issues of each device type on your network.
What are your device naming conventions? Although a relatively mundane item, device naming conventions can be a real problem in large environments where you need to figure out what a device is or where it might be located by name alone. Using names of fish and trees, as one company I worked at did, serves only to make identifying where a problem or security issue is occurring much more difficult than it needs to be. At the same time, using names that lead people to critical or sensitive servers or resources can also be an issue. You need to strike a balance between function and anonymity.
What circuit types do you employ? Point-to-point connections and frame relay connections require different methods of hardening. Identifying the various circuit types you are using will allow you to define a policy that doesn’t overlook a circuit type.
What network protocols and standards are in use? Are you using Hot Standby Router Protocol (HSRP)? What about Data-Link Switching (DLSw)? Do you still need to run Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX)? By examining the network protocols and standards in use on your network, you can identify security issues unique to each protocol or standard.
Do you have dedicated management segments? Using dedicated management segments is one of the best methods to protect your devices from remote management exploits. Where are these segments, and most important, who has access to them? Knowing this information will help ensure that people do not inadvertently gain management access to your equipment.
Where are your critical segments? Backbone connections, critical Line of Business (LOB) segments, human resources (HR) segments, and so on, need to be identified so that you can ensure not only that the data on those segments is protected, but that those segments are reliable and redundant. Connections between subnets and segments—particularly critical subnets and segments—represent locations where filtering and access lists should be implemented to protect those subnets and segments.
What kind of AAA mechanism are you using on your network? Are you using common passwords (for example, enable secret passwords) or are you performing user-based authentication? Do you have RADIUS or TACACS+ for authentication, authorization, and accounting?
What kind of enterprise monitoring/management products are you using? Many management protocols such as SNMP and Syslog transmit their data in an unencrypted and therefore insecure fashion. Identifying what management products you are using, where they are located, and what devices they communicate with will allow you to determine the most effective method for securing the traffic.
Where are your wireless connections? Wireless represents a significant security issue on a corporate network. Know where you have wireless access points set up so that you can identify and secure that access.
Implement a Firewall
If you can do nothing else to harden your network, you need to implement a firewall. The reason for this is simple: a firewall is the single device that can do more to keep unauthorized traffic from entering a network than any other device. Now you might have heard that firewalls aren’t effective anymore because so many things use port 80 to pass traffic; however, those situations are a small, small portion of all the threats that exist from which a firewall can protect you. In addition, when implementing an application-filtering firewall, you can gain the ability to filter application content, identifying legitimate web requests from illegitimate web requests. Finally, remember that a firewall, although the best single choice you can make, is most effective as a component of security, being complemented by an intrusion detection/prevention system (IDS/IPS) and content filters.
Although many folks think of a firewall as something used to protect their network from Internet-based threats, do not overlook the value of using firewalls at other locations on your network. For example, you can use a firewall on your WAN perimeter to filter traffic to and from frame relay or point-to-point circuit connections across a public internetwork. Likewise, you can implement a firewall to filter traffic between internal LAN segments, protecting critical business resources such as HR servers and application servers from unauthorized traffic. There are a few types of firewalls to consider:
Application proxies
Stateful packet-inspecting/filtering gateways
Hybrid firewalls
1. Application Proxies
Application proxies are identified by their ability to read and process an entire packet to the application level and make filtering decisions based on the actual application data, not just the packet header. Application proxies receive all incoming packets and completely decode them to the Application layer. The actual application data can then be scrutinized to determine whether it is legitimate data. If this data is legitimate, the firewall will rebuild the packet and forward it accordingly. Because of this capability, application proxy firewalls can apply a significant amount of intelligence before making a filtering decision.
One drawback is that this type of filtering introduces latency to network communications and requires significant amounts of processing power. Another drawback is that unless the firewall has the proxy capability for a given protocol or service, it might not be able to facilitate communications with the given protocol or service. Secure Computing Sidewinder G2, Microsoft’s Internet Security & Acceleration (ISA) Server 2000, CyberGuard firewall/VPN appliances, and Symantec Enterprise Firewall are examples of application proxy firewalls.
2. Stateful Packet-Inspecting/Filtering Gateways
Packet-inspecting/filtering gateways are generally not able to process the packet to the application level to make a filtering decision. Instead, packet-inspecting/filtering gateways tend to process the data to the Network/Transport layer and make filtering decisions based on the protocol and port numbers contained in the packet header only. Packet-inspecting/filtering gateways also typically implement a stateful packet inspection model, which allows the firewall to maintain a record of the state of all conversations occurring through the firewall, automatically permitting responses for legitimate outbound requests. IPtables, IPchains, SonicWALL, Clavister, and many of your SOHO firewalls such as Linksys and D-Link are examples of packet-inspecting/filtering gateways.
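As an added illustration (not code from this page or from any of the products named above), the following Python model shows the state-table behaviour the paragraph describes: an outbound request that matches the rule base creates a connection entry, and an inbound packet is permitted only when it matches an existing entry in reverse or hits an explicitly published service. The addresses, ports and the published SMTP relay are constructed sample values, and NAT is left out so the flow keys stay readable.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed model of a stateful packet-inspecting gateway. It is not a real
# firewall implementation; it exists to show why the state table matters.


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    direction: str = "out"   # "out" = inside -> outside, "in" = outside -> inside


FlowKey = Tuple[str, str, int, str, int]   # proto, src, sport, dst, dport


class StatefulGateway:
    def __init__(self, allowed_outbound_ports: Set[int],
                 inbound_services: Set[Tuple[str, int]]) -> None:
        self.allowed_outbound_ports = allowed_outbound_ports
        self.inbound_services = inbound_services   # (host, port) pairs we publish
        self.state: Set[FlowKey] = set()           # conversations seen so far

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> FlowKey:
        # The key the matching request would have had when it went out.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        """Return 'permit' or 'deny' and record state for permitted requests."""
        if p.direction == "out":
            if p.dport in self.allowed_outbound_ports:
                self.state.add(self._key(p))
                return "permit"
            return "deny"
        # Inbound: replies to our own requests are allowed automatically ...
        if self._reverse_key(p) in self.state:
            return "permit"
        # ... as are connections to services we deliberately expose.
        if (p.dst, p.dport) in self.inbound_services:
            self.state.add(self._key(p))
            return "permit"
        return "deny"   # everything else, including unsolicited inbound traffic


def run_demo() -> List[str]:
    """Constructed traffic (documentation address ranges) through the gateway."""
    gw = StatefulGateway(allowed_outbound_ports={80, 443},
                         inbound_services={("192.0.2.10", 25)})   # published mail relay
    traffic = [
        Packet("10.1.1.5", 51000, "198.51.100.7", 443, direction="out"),  # inside -> HTTPS
        Packet("198.51.100.7", 443, "10.1.1.5", 51000, direction="in"),   # its reply
        Packet("198.51.100.7", 443, "10.1.1.5", 51001, direction="in"),   # unsolicited reply
        Packet("198.51.100.9", 40000, "192.0.2.10", 25, direction="in"),  # to published SMTP
        Packet("198.51.100.9", 40000, "10.1.1.5", 23, direction="in"),    # inbound telnet probe
        Packet("10.1.1.5", 51002, "198.51.100.7", 23, direction="out"),   # outbound telnet
    ]
    return [gw.filter(p) for p in traffic]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The third packet is the case a stateless ACL gets wrong: it looks like a reply from port 443, but no inside host asked for it, so the state table rejects it.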
3. Hybrid Firewalls
Nowadays most firewalls on the market fall into the hybrid category. Although they typically perform stateful packet filtering/inspecting for making most filtering decisions, they may have some application proxy functionality built in for specific high-risk protocols and services such as HTTP and FTP. Examples of hybrid firewalls are Check Point Firewall-1 NG, Cisco Secure PIX, and Netscreen Deep Inspection Firewall.
Which Firewall Should You Implement?
There is no right answer as to which firewall to use for your environment. This is one of the rare cases when I really can’t give you a definitive answer. You will need to make a decision based on your requirements and your environment. For example, if you require extremely high throughput, a packet-filtering firewall would be a good choice to implement. If you are using standard protocols and require the most rigorous application inspection, an application proxy would be a good choice to implement. In some environments, you might even need both—a packet-filtering firewall to perform initial packet inspection on all traffic, and an application proxy behind that to perform the more detailed application filtering. Regardless of which type of firewall you decide is best for your environment, however, if you do not currently have a firewall, make sure you get one. Any of the firewalls mentioned are better than having none at all.
Implement Access Control Lists
Properly implemented access control lists (ACLs) on your routers provide packet-filtering capabilities without the stateful functionality of a full-featured firewall. Consequently, I think of ACLs on routers as being part of a firewall system, where the router is performing initial packet-filtering functionality in front of a firewall that is providing the full-bore stateful filtering or application proxy functionality.
Here are some types of access you should filter with your ACLs immediately:
Block RFC1918 addresses at your perimeter, including the following:
0.0.0.0/8
10.0.0.0/8
169.254.0.0/16
172.16.0.0/20
192.168.0.0/16
Block bogon addresses - The term bogon refers to packets addressed to/from a bogus network. Bogons represent the addresses that have not been allocated by the Internet Assigned Numbers Authority (IANA) and Regional Internet Registries (RIRs) to Internet service providers (ISPs) or organizations for use. A current list of bogon networks can be found at http://www.iana.org/assignments/ipv4-address-space. Any entry with the term “reserved” or “unallocated” should be blocked as a bogon. You will need to periodically update the bogons you are blocking because those addresses get assigned to legitimate ISPs and organizations for use.
Implement spoof protection
Implement TCP SYN attack protection
Implement LAND attack protection
Implement Smurf attack protection
Block multicast traffic if it is not needed.
Implement ACLs to control Virtual Type Terminal (VTY) access (Telnet and SSH).
Implement ACLs to control who can manage the router via SNMP.
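To make the ingress-filtering items in the list above concrete, here is an added Python example (not from this page or any vendor) that applies them to packets arriving on a perimeter router’s outside interface: private and reserved sources, bogon sources, spoofed sources that claim to come from our own public block, LAND packets (source equals destination), directed broadcasts (the Smurf amplifier) and unneeded multicast are all denied. The public prefix 203.0.113.0/24 and the sample packets are constructed; the source ranges are the ones listed on this page, except that 172.16.0.0/12 is used because RFC 1918 reserves a /12, and the bogon list holds one IANA “reserved” example rather than the full list you would refresh from the IANA page.

```python
import ipaddress
from typing import List, Tuple

IPv4Net = ipaddress.IPv4Network

# Sources that should never appear on packets arriving from the Internet.
NEVER_ROUTABLE_SOURCES: List[IPv4Net] = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private (the RFC allocates a /12)
    "192.168.0.0/16",   # RFC 1918 private
)]

# Bogons: unallocated/reserved space. Constructed one-entry list; in practice
# this is rebuilt periodically from the IANA IPv4 address space registry.
BOGONS: List[IPv4Net] = [ipaddress.ip_network("240.0.0.0/4")]   # IANA "reserved"

OUR_PREFIX: IPv4Net = ipaddress.ip_network("203.0.113.0/24")     # constructed public block
MULTICAST: IPv4Net = ipaddress.ip_network("224.0.0.0/4")


def ingress_decision(src: str, dst: str, proto: str = "tcp",
                     allow_multicast: bool = False) -> Tuple[str, str]:
    """Filter one packet seen on the outside interface; return (action, reason)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    if s == d:                                   # LAND: source equals destination
        return "deny", "land"
    if s in OUR_PREFIX:                          # spoof protection: our addresses
        return "deny", "spoofed-internal-source"  # cannot legitimately arrive from outside
    for net in NEVER_ROUTABLE_SOURCES:
        if s in net:
            return "deny", f"private-or-reserved-source {net}"
    for net in BOGONS:
        if s in net:
            return "deny", f"bogon-source {net}"
    if d in (OUR_PREFIX.broadcast_address, OUR_PREFIX.network_address):
        return "deny", "directed-broadcast"       # Smurf amplification protection
    if d in MULTICAST and not allow_multicast:
        return "deny", "multicast-not-needed"
    if d not in OUR_PREFIX:                      # not ours: nothing to forward to
        return "deny", "not-our-destination"
    return "permit", f"{proto} to {d}"


def run_demo() -> List[Tuple[str, str]]:
    """Constructed packets (src, dst, proto) run through the ingress filter."""
    samples = [
        ("198.51.100.7", "203.0.113.10", "tcp"),    # ordinary Internet client
        ("10.1.2.3", "203.0.113.10", "tcp"),        # RFC 1918 source
        ("172.31.9.9", "203.0.113.10", "tcp"),      # inside 172.16.0.0/12
        ("203.0.113.77", "203.0.113.10", "tcp"),    # spoofed to look internal
        ("203.0.113.10", "203.0.113.10", "tcp"),    # LAND
        ("198.51.100.7", "203.0.113.255", "icmp"),  # Smurf: echo to our broadcast
        ("241.1.1.1", "203.0.113.10", "udp"),       # bogon source
        ("198.51.100.7", "224.0.0.9", "udp"),       # multicast we do not need
    ]
    return [ingress_decision(*pkt) for pkt in samples]


if __name__ == "__main__":
    for (action, reason) in run_demo():
        print(f"{action:6} {reason}")
```

The checks run in the order a router ACL would be written: the cheapest, most certain denies first, and the final permit only for traffic addressed to our own block. TCP SYN protection is deliberately absent here because it needs connection state, which is the firewall’s job rather than the router ACL’s.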
Turn Off Unnecessary Features and Services
One point of security that has been hammered on within the desktop/server world is the need to turn off unnecessary services. Unfortunately, people commonly overlook the fact that it is not just the desktops and servers that are potentially running unnecessary services—your network devices are also likely doing this. Here is a list of services you should look for on your network equipment and turn off if you are not actively using them:
Cisco Discovery Protocol (CDP)
TCP and UDP small servers
Finger server
HTTP server
Bootp server
Network Time Protocol (NTP) service
Simple Network Management Protocol (SNMP) services
Configuration auto-loading
IP source routing
Proxy ARP
IP directed broadcast
IP unreachable, redirects, and mask replies
Router name and DNS name resolution services
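Checking that list by hand across many devices is error-prone, and a subtlety catches people out: on IOS-style platforms a default-on feature such as CDP never appears in the running configuration, so its absence means it is still enabled and only an explicit “no” line proves it is off. The following added Python audit (not from this page or any vendor tool) encodes that distinction: default-on services must have an explicit `no` form, and default-off services are flagged if they appear at all. The sample configuration is constructed with several services deliberately left on, and the default-on/default-off tables are assumptions that vary by platform and release, so adjust them for your equipment.

```python
from typing import Dict, List, Tuple

# Constructed IOS-style running configuration (not from any real device).
# Several of the services named on this page are intentionally left enabled.
SAMPLE_CONFIG = """\
hostname rtr-edge-01
service tcp-small-servers
no service udp-small-servers
no ip finger
ip http server
no ip bootp server
no ip domain-lookup
snmp-server community public RO
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 no ip directed-broadcast
 no ip unreachables
 ip mask-reply
!
"""

# Assumed default-on features: the config only shows them when disabled,
# so the audit demands the explicit 'no' form.
GLOBAL_DEFAULT_ON = ["cdp run", "ip source-route", "ip domain-lookup", "ip bootp server",
                     "service tcp-small-servers", "service udp-small-servers", "ip finger"]
# Assumed default-off features: any occurrence means someone turned them on.
GLOBAL_FLAG_IF_PRESENT = ["ip http server", "service config", "boot network",
                          "snmp-server", "ntp server", "ntp master"]
INTERFACE_DEFAULT_ON = ["ip proxy-arp", "ip redirects", "ip unreachables"]
INTERFACE_FLAG_IF_PRESENT = ["ip directed-broadcast", "ip mask-reply"]


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global lines and per-interface lines (indented)."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, interfaces


def audit_config(text: str) -> List[str]:
    """Return one finding per service that is still (or newly) enabled."""
    glob, ifaces = parse_config(text)
    findings: List[str] = []
    for cmd in GLOBAL_DEFAULT_ON:
        if f"no {cmd}" not in glob:
            findings.append(f"global: '{cmd}' still enabled (no explicit 'no {cmd}')")
    for prefix in GLOBAL_FLAG_IF_PRESENT:
        if any(line == prefix or line.startswith(prefix + " ") for line in glob):
            findings.append(f"global: '{prefix}' configured; disable unless required")
    for name, lines in ifaces.items():
        for cmd in INTERFACE_DEFAULT_ON:
            if f"no {cmd}" not in lines:
                findings.append(f"{name}: '{cmd}' still enabled (no explicit 'no {cmd}')")
        for cmd in INTERFACE_FLAG_IF_PRESENT:
            if cmd in lines:
                findings.append(f"{name}: '{cmd}' configured; disable unless required")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the audit reports CDP, IP source routing and the TCP small servers as still enabled (nothing in the config says otherwise), HTTP and SNMP as configured, and proxy ARP, redirects and mask replies on the interface. Feed it the output of `show running-config` from each device to get a first pass at the list above.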
Implement Virus Protection
Virus protection and implementing virus protection typically fall within the realm of the server/desktop administrator. Indeed, in large environments, if you are responsible for the network infrastructure, you may never be involved in any virus-protection discussions. Unfortunately, today’s worms and viruses are having a larger impact on the network infrastructure, which means you need to become concerned with the status of virus protection on your network. In addition, you can install virus-protection gateway devices and virus-protection applications in conjunction with your existing firewalls and gateways to prevent viruses from entering your network. You should be involved in advocating these systems being implemented.
The methods that many of the worms use to self-replicate (for example, by scanning an entire subnet and attempting to connect to every IP address on that subnet) have the uncanny ability to result in a denial of service (DoS) on many routers. The reason for this is pretty straightforward. When a router receives a packet destined for a subnet that it is directly connected to, the router will generate an ARP request for the destination MAC address. In the case of these worms, often the destination is not online, but the router has no way of knowing this and issues the ARP request anyway. The router then must wait for a response, or wait for the ARP request to time out before it can drop the packet in question. As the router gets hit with thousands of these requests, it fills its buffers and input/output queues with these packets waiting for the timeout periods to occur. Often this consumes the entire free RAM on a router. The end result is that the router starts dropping legitimate traffic because it cannot queue the traffic, and/or the router will no longer accept VTY sessions because it does not have enough free RAM to house those sessions. Both of these circumstances result in a DoS against the router. In fact, when you think about it, the way that these worms work is a great example of just how effective a distributed denial of service (DDoS) attack can be.
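The queue dynamics in that paragraph are easier to see in numbers. The following added Python model (not from this page and not a description of any real router’s internals) holds each packet for an unreachable host in a bounded buffer until an assumed ARP timeout expires, then measures how much legitimate traffic still gets through. It also models the generic mitigation of capping how many buffer slots unresolved destinations may occupy; the rates, buffer size, timeout and that cap are all constructed assumptions.

```python
from collections import deque
from typing import Dict, Optional

ARP_TIMEOUT = 3       # assumed: ticks a packet waits for an ARP reply that never comes
QUEUE_CAPACITY = 100  # assumed: free buffer slots on the router


def simulate(ticks: int, scan_rate: int, legit_rate: int,
             capacity: int = QUEUE_CAPACITY, timeout: int = ARP_TIMEOUT,
             pending_limit: Optional[int] = None) -> Dict[str, int]:
    """Simplified model of the ARP-queue exhaustion described above.

    Each tick, `scan_rate` worm packets arrive for hosts that are offline and
    `legit_rate` packets arrive for hosts that answer ARP immediately.  Worm
    packets hold a buffer slot until their timeout; a legitimate packet only
    needs one free slot at the moment it is forwarded.  `pending_limit` caps
    how many slots unresolved destinations may hold (the mitigation).
    """
    limit = capacity if pending_limit is None else min(pending_limit, capacity)
    pending = deque()   # expiry tick of every packet still waiting on ARP
    stats = {"legit_forwarded": 0, "legit_dropped": 0,
             "scan_dropped": 0, "peak_pending": 0}

    for t in range(ticks):
        while pending and pending[0] <= t:      # timeouts free their slots
            pending.popleft()
        for _ in range(scan_rate):              # worm scans arrive first (worst case)
            if len(pending) < limit:
                pending.append(t + timeout)
            else:
                stats["scan_dropped"] += 1
        stats["peak_pending"] = max(stats["peak_pending"], len(pending))
        for _ in range(legit_rate):             # then legitimate traffic
            if len(pending) < capacity:
                stats["legit_forwarded"] += 1
            else:
                stats["legit_dropped"] += 1
    return stats


if __name__ == "__main__":
    print("no mitigation:", simulate(ticks=20, scan_rate=60, legit_rate=10))
    print("pending cap  :", simulate(ticks=20, scan_rate=60, legit_rate=10, pending_limit=50))
```

With 60 scan packets per tick and a 3-tick timeout, the steady-state demand for buffers (180) exceeds the 100 available, so after the first tick every legitimate packet is dropped: the DoS the paragraph describes. Capping unresolved entries at half the buffer leaves room for legitimate traffic throughout, which is the reasoning behind limiting what ARP-pending packets can consume; it does not remove the load, only the collateral damage, so the infected hosts still have to be found and cleaned.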
If you are not running virus protection on all your systems—Windows, Unix, Linux, and Macintosh based—you need to be.
Don’t forget your gateway virus protection when talking about implementing virus protection on all your systems. This allows you to catch and stop a significant amount of viruses attempting to enter your network at your network ingress points. TrendMicro, Network Associates, and Symantec all have gateway virus protection you can implement. Don’t overlook the value of implementing virus protection on your gateways and firewalls.
The only way to effectively prevent your network from being susceptible to virus- and worm-based DDoS attacks is to keep the systems that propagate the worms from being infected in the first place and to attempt to prevent the viruses from entering your network to begin with.
Secure Your Wireless Connections
What you can do right now is to locate and remove all wireless access points that you do not need or did not plan properly. This may sound like a little bit of overkill, but it isn’t. If you have not developed a wireless security plan and implemented your wireless network by restricting IP addresses and implementing encryption and authentication, you need to unplug everything and start all over again building a secure wireless network. If you must run wireless, you can do the following four tasks to harden your wireless network against attack:
Require a written wireless security policy that allows only IT-supported wireless products that are implemented only by IT. If an employee goes out and buys the latest, cheapest personal wireless access point or router, that should be grounds for dismissal.
Only allow authorized MAC addresses to connect to your wireless network.
Require Wired Equivalent Privacy (WEP), WiFi Protected Access (WPA), or 802.11i for encryption. Be aware that WEP has been compromised, but is better than clear text.
Require authentication via shared secret key, 802.1x, RADIUS authentication, or certificates as supported by your devices.
Summary
Securing your network infrastructure is going to be a long process that involves examining all your network infrastructure equipment and evaluating what vulnerabilities exist as well as identifying how to harden your equipment against those vulnerabilities. However, you can undertake six tasks to start making an immediate impact on the security of your network.
First, you must review your network design so that you know what you are dealing with. This will serve as a roadmap of what needs to be done. Next, you need to implement a firewall. A firewall is the best thing you can introduce into your environment to address security. After that, you should implement ACLs on your equipment. Restrict not only the traffic that can pass through the system, but also who has access to the system. At the same time, review all your network equipment and ensure that any unnecessary services and features have been turned off or disabled. Protocols like Spanning Tree Protocol are very good at what they do, but if you do not need that functionality, turn those features off. Although likely not in the realm of the network infrastructure engineer, virus protection can make your life much easier. Insist that virus protection be installed and configured on all systems in your enterprise. Also, make sure there is a regular schedule for updating the virus signatures and scanning engine to protect against new viruses. Last but not least, secure your wireless connections. Wireless today is really just an open door to your network, inviting unauthorized access to anyone who happens to be in range of your wireless access point. If you don’t need wireless access, don’t use it. If you do, make sure you have properly secured your wireless access points. If you aren’t sure whether your wireless access points are secured, turn them off and start again.
Security is a complex process; however, these six tasks are all relatively easy to perform and will make an immediate and noticeable impact on your overall security posture.