MODULE 22

Network Hardening


Module 21 discussed various threats against networks and networked hosts. In this module, we’ll look at the various ways we can secure, or harden, the network against these threats. Networks aren’t single entities that can be treated individually. Sometimes it can be difficult to draw the line between what constitutes host threats versus purely network threats and the associated hardening techniques that apply. Add in the different threats and security techniques that operating systems and applications use, and the nuances of one infrastructure layer seem to overlap with those of another. Most of the threats and hardening techniques we discuss are common to all the layers, whether they are software, hardware, host, or network. So, some of the things we discuss in this module may also touch on topics we have previously or will later discuss in other modules. Although the focus of this module is specific to networks, try to look at the network as only one layer in a complex multilayered architecture, along with hosts, applications, operating systems, and services, and remember they’re all connected in various ways.

Securing and Defending Networks

Let’s start by taking a look at the network defense methods we can use to harden the network architecture. We’ll continue our discussion on network security by discussing a few network devices we haven’t talked about much, and we’ll also extend our discussion from other modules on the network hardening techniques and methods used to secure and defend the infrastructure. This part of the module covers devices such as proxies, web security gateways, virtual private network (VPN) concentrators, and, of course, intrusion detection systems. You’ll also expand your knowledge of secure network administration methods and techniques, media access control (MAC) filtering, port-based authentication, and some layer security techniques.

Network Defense Methods

We discussed network devices at length in previous modules, including some of the more common devices found on the network that serve both a network infrastructure as well as a security purpose. We discussed routers and switches, and their contribution to security through their ability to segment network hosts physically and logically. We also discussed firewalls at length and covered the different types of management techniques associated with rule sets that can be found on firewalls. In this section, we’ll discuss some additional network security devices, such as web proxies and gateways, as well as VPN devices. We’ll also talk about protocol sniffers and network intrusion devices. These devices are just as critical as the ubiquitous firewall to ensuring a layered defense for the network.

Proxies

A proxy is a device or application that intercepts user or host requests and then makes those requests to other hosts or networks on behalf of the user. This provides several advantages. First, it hides the identity of the requester. Since the proxy is the device making the request, the receiving host, such as a web server on the Internet, for example, does not get to see any information about the requesting user or host. The only thing the web server would see is that the request came from the proxy itself. The proxy receives the data back from the request and then forwards it on to the internal network user and host that originated the request. Proxies can be dedicated network appliances or add-on applications to combination or all-in-one security devices. Proxies can also be software applications that reside on a user’s host.

A proxy can also be used to filter content coming from untrusted networks. In addition to making requests on behalf of the user, a proxy can filter the requests and disallow requests that aren’t allowed per the network security policy. It can also filter responses back from the external network and block certain content if configured to do so by its rule set. This might include potentially harmful executable files, scripts, or even prohibited content. So, in addition to protecting the identity of the requesting host, proxies also serve as content filtering devices. A more advanced proxy device is called a web security gateway, discussed next.

Web Security Gateway

Web security gateways are more advanced proxy devices that provide not only simple proxying functions, but also advanced content-filtering and application-layer security. This includes filtering potentially malicious sites as well as content that comes from them. A web security gateway can also perform deep-packet inspection on web traffic, looking beyond mere protocol filtering. This can help prevent more dangerous attacks such as cross-site scripting and other associated web-application attacks. These gateways can also help filter out malware, such as viruses, Trojans, and so on.

VPN Concentrators

We’ve already discussed the details of VPNs and how they work. Remember that a VPN establishes a virtual connection through an untrusted network, such as the Internet. This connection is typically both encrypted and authenticated. A VPN can use different protocols to accomplish this, including IPsec, Layer 2 Tunneling Protocol (L2TP), and even Secure Sockets Layer (SSL). VPNs can be client-based, in which an individual client attempts to connect to a private network through the Internet, or site-based, in which two sites are separated by a public untrusted network, again, such as the Internet, and must securely establish connections between them.

In both of these types of VPN connections, a VPN concentrator sits on the perimeter of the private network and receives the client and site VPN connection requests. It usually has various policies and rule sets configured so that it can negotiate a common set of acceptable encryption and authentication protocols between the private network and the requesting device. It may have different policies configured for client VPN connections and site-to-site VPN connections. Once it allows a connection into the private network, it may further direct client requests to a network access control device or another secure network. Figure 22-1 illustrates how VPNs and their concentrators work.


Figure 22-1 VPN concentrators receiving connections from clients and sites

Network Intrusion Detection and Prevention Systems

A critical category of network devices that we haven’t addressed yet are network intrusion detection and network intrusion prevention systems (NIDS/NIPS). We briefly discussed host-based intrusion detection a few modules back, when we were focused on host hardening, but network-based intrusion handling looks at it from a different perspective. A NIDS/NIPS looks at attacks coming into the network at large instead of into a particular host. Attacks could be in the form of malformed network traffic or excessive amounts of traffic that would easily exceed a host’s threshold to handle effectively. An attack could also manifest as malicious content embedded in traffic, or other forms of malware. Network intrusion handling also might look at massive distributed denial-of-service (DDoS) conditions, such as those caused by botnet attacks.

One point of interest is the difference between a NIDS and a NIPS. A NIDS is a passive device and focuses on detection alone, making it a detection control. It detects network traffic issues and alerts an administrator to these issues, also logging the events in the process. A NIPS, in contrast, is an active device and focuses not only on detecting network attacks, but on preventing them. In addition to performing the same functions as a NIDS, a NIPS also tries to prevent or stop attacks by taking a series of preconfigured actions, based upon the characteristics of the attack. A NIPS may dynamically block traffic from a certain source address or domain, for example, or block a certain port or protocol if it detects issues with them. A NIPS can take other actions as well, such as shunting traffic to other interfaces, initiating other security actions, tracing the attack back to its origin, and performing some analysis on the attack, but these are all dependent upon the feature set of the particular NIPS. A NIPS is considered a prevention control, and we will go more in depth on how controls are classified, with examples, from a detection and prevention perspective in Module 32.

A behavior- or anomaly-based system detects attacks after comparing traffic with a baseline of patterns considered normal for the network. In order for this to work, the intrusion detection system has to be installed and then given the opportunity to “learn” how the normal flow of traffic behaves over the network. This can take time, but once it establishes a good baseline of normal network traffic, the system will detect any unusual or anomalous traffic patterns that don’t fit into the normal network traffic patterns and issue alerts on them as potential attacks.

A signature-based system, on the other hand, uses preconfigured signature files, similarly to how antimalware applications work, which are stored in the NIPS/NIDS database. These signatures define certain attack patterns based upon known traffic characteristics. Like an antimalware solution, a signature-based NIDS must also have its signatures database updated frequently, since new attack patterns are recorded by the security community often. These updates will usually come through a subscription-based service from the NIDS/NIPS vendor, although some community or open-source signatures may be available as well.

Another type of intrusion detection system is a rule-based system. It uses preconfigured rules in a rule set, much like a firewall, to detect possible attacks. For example, if the system were to detect an excessive (beyond a set number or threshold) number of Internet Control Message Protocol (ICMP) packets directed at a particular destination IP address on the network, a rule would be activated, and an alert would be sent or the attack would be stopped (in the case of a NIPS). Obviously, an administrator could configure unique rules for the organization based upon its network environment and historical attack experiences, but these types of systems are also usually included as part of either a signature- or behavior-based system.
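The ICMP threshold rule described above, implemented as an added example that is not code from the book: it keeps a sliding window of ICMP packet timestamps per destination address and raises one alert once the count in the window passes the configured threshold. The packet records and addresses are constructed sample data, and the record layout is an assumption for the example.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Set, Tuple

# A packet record: (timestamp in seconds, protocol, source IP, destination IP).
# This layout is an assumption for the example, not a real capture format.
Packet = Tuple[float, str, str, str]


class IcmpFloodRule:
    """Alert when more than `threshold` ICMP packets reach one destination
    within any `window` seconds. State is kept per destination address."""

    def __init__(self, threshold: int, window: float) -> None:
        self.threshold = threshold
        self.window = window
        self._times: Dict[str, Deque[float]] = defaultdict(deque)
        self._alerted: Set[str] = set()  # alert once per destination, not per packet

    def process(self, pkt: Packet) -> Optional[str]:
        ts, proto, _src, dst = pkt
        if proto != "ICMP":
            return None          # the rule only counts ICMP traffic
        q = self._times[dst]
        q.append(ts)
        # Drop timestamps that have aged out of the sliding window.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.threshold and dst not in self._alerted:
            self._alerted.add(dst)
            # A NIDS would log and alert here; a NIPS could also act on the rule.
            return f"ALERT icmp-flood dst={dst} count={len(q)} window={self.window}s"
        return None


def run_rule(packets: List[Packet], threshold: int = 5, window: float = 1.0) -> List[str]:
    """Feed packets to the rule in time order and collect the alerts it raises."""
    rule = IcmpFloodRule(threshold, window)
    alerts = []
    for pkt in sorted(packets, key=lambda p: p[0]):
        alert = rule.process(pkt)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample traffic: 192.0.2.10 receives ordinary pings (6 over 2.5 s),
# 192.0.2.20 receives a burst (8 in 0.35 s) plus one unrelated TCP packet.
SAMPLE_PACKETS: List[Packet] = (
    [(t * 0.5, "ICMP", "198.51.100.5", "192.0.2.10") for t in range(6)]
    + [(10.0 + i * 0.05, "ICMP", "203.0.113.7", "192.0.2.20") for i in range(8)]
    + [(10.1, "TCP", "203.0.113.7", "192.0.2.20")]
)

if __name__ == "__main__":
    for line in run_rule(SAMPLE_PACKETS):
        print(line)
```

Raising the threshold (or widening the window) is how an administrator tunes such a rule to the organization's own traffic, as the text notes.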

Finally, a heuristic system combines the best of both anomaly-based and signature-based systems. It starts out with a database of attack signatures and adapts them to network traffic patterns. It learns how different attacks manifest themselves on the particular network in which it is installed and adjusts its detection algorithms to fit the combination of network traffic behavior and signatures. Although there are advantages and disadvantages to both signature-based and behavior-based systems, more often than not, modern NIDS/NIPS are hybrid systems and may use both techniques. Host-based IDS/IPS systems, in contrast, are almost always signature-based products.

Protocol Analyzers

A protocol analyzer is usually implemented as software, although it can be a dedicated hardware device. Its purpose is to intercept network traffic and dissect it according to various criteria based particularly on protocol. It can also view traffic by source and destination address, port number, and, probably most important of all, by content. Most professionals know protocol analyzers by their everyday name, sniffers. A network sniffer is used by network and security professionals alike on a daily basis. For a network professional, a sniffer can provide indications of performance issues that may affect the network. A security professional would use a network sniffer to examine traffic entering into and exiting from the network, to make sure that it meets security requirements, and to ensure that there is nothing malicious within the traffic. For example, a security professional would be interested in seeing any application that sends plaintext passwords across the network, and a sniffer would be able to tell if this were the case. A sniffer can also provide indications of an attack by looking at it at the protocol level to determine whether there are any abnormal packet construction issues with traffic.

Hackers can also use sniffers; typically, though, they use them to intercept unencrypted data and gain credentials, look for weaknesses, and so on. Such malicious sniffers can be defeated through the use of strong encryption. Traffic using encrypted protocols, such as SSL and SSH, can’t be easily read by ordinary sniffers. Although a sniffer can intercept encrypted traffic, it won’t be able to read it, and the traffic will look like a bunch of network garbage. However, an attacker may be able to gain other knowledge from the traffic, such as IP address space and other information that may help him formulate an attack. Additionally, an attacker could use attacks against encrypted traffic, providing he can capture it. All in all, it’s better to prevent an attacker from being able to capture traffic whenever possible. To do this, you can use switched networks, since it is difficult to sniff traffic from hosts connected to a switch, and provide physical security for switch ports and other connections into the network. Figure 22-2 shows an example of Wireshark, a popular network protocol analyzer.


Figure 22-2 Wireshark, a popular network sniffer

Spam Filter

A spam filter is usually implemented as an application on the e-mail gateway, or even as a separate network appliance. This device is usually integrated tightly with an organization’s e-mail system. It also may be integrated into any of an organization’s directory services structures. Its purpose is to filter out unwanted e-mail, namely spam or junk mail. However, it can also provide filtering for a number of other e-mail characteristics, including prohibited attachments or content, blocked or disallowed senders or receivers, and, in more advanced devices, it can provide a type of data loss prevention (DLP) layer security for e-mail. When used in this advanced context, the filter can hone in on certain sensitive data patterns and block e-mails containing this data from exiting the infrastructure headed to another domain outside the organization.

In addition to network-centric spam filters, individual host-based applications can also have separate, but complementary, spam and junk mail filters. You can also find spam filters on combination devices that provide firewall, proxying, and other security functions. We’ll discuss some of these unified devices next.

Unified Threat Management

We’ve hinted a bit at the existence of combination or all-in-one security devices, and it’s time to explain those. As security theory and practice have developed, and technologies have become more robust and integrated, the natural progression of security devices has gone from separate single-purpose devices to integrated, multifunctional ones. This concept is called Unified Threat Management (UTM), and it means that all-in-one types of devices are now implemented into the infrastructure—devices such as firewalls, intrusion detection systems, web security gateways, content filters, and so on, are included together in the same box.

There are a few really good reasons for doing this: standardization of security products, interoperability with the different functions you need, and so on are big selling advantages. For example, creating a filtering rule on a UTM device means that you’ve created the rule for your firewall, security gateway, and content filter all at the same time, instead of having to create three different rules and apply them to three different boxes. With a standardized, integrated user interface and command set, it also keeps your security folks from having to learn the inner workings of several different devices. Yet another advantage is the ease of keeping its configuration and patches up to date, since you have to worry about only one product. UTM devices can have a wide range of functions; sometimes you can purchase a basic security product that has some functions right out of the box, with the option of adding security features and functions later at additional cost. These functions may include URL filtering, deep content inspection, and malware filtering, if they are not already included in the device.

There are a couple of disadvantages to using a UTM device, however. First, if it’s the only threat-management device you have installed, it’s a single point of failure. If for some reason it gets compromised or is unavailable, you have no security device. Even if you have multiple redundant devices set up (which you probably should), you also need to consider the principle of defense diversity. Remember back in Module 19 we discussed this concept; essentially it is the practice of using different vendors and models for security devices to avoid having the same security vulnerabilities present on all of them at the same time. A UTM doesn’t exactly follow this principle, but your organization should weigh the advantages and disadvantages of following this practice when making the decision to implement a UTM.

Network Hardening Techniques

We’ve discussed the concepts of layered security and defense in depth throughout the book, so it should not come as a surprise that we’re revisiting them again in our discussions on hardening the network. Because there are multiple layers of access into a network, both authorized and unauthorized, there must be multiple layers of defense to secure those entry points. We’ve discussed various defensive methods and techniques in the preceding modules, and we’re adding to those layers with some additional ones in this module.

MAC Limiting and Filtering

One way of managing connected hosts on the network is by using the hardware address of the host’s network card, the MAC address, to impose filters or limits on the device. You can certainly use the host’s IP address as well, but this could be subject to change in an environment that uses dynamic IP addressing (such as DHCP services). In addition, some controls prefer the use of a MAC address to control devices, based upon where those controls reside in the OSI model. For instance, limiting connections on a switch only to certain devices would usually require the limitation imposed on the device’s MAC address, since those devices work at Layer 2, where hardware addresses are normally seen.

Limiting and filtering hosts based upon their MAC address has some advantages. First, since it’s tied to the host’s network card, the address isn’t likely to change often, unless the card goes bad and has to be replaced. Second, since the MAC address is fairly consistent, as opposed to IP addressing, the MAC address is a logical choice to filter on. MACs can be used in filtering schemes to include only the hosts whose MAC addresses appear in a preconfigured list (in other words, only those particular hosts are allowed), or to exclude those same addresses from connecting or accessing a resource.

One word of caution on MAC address filtering: malicious users and hackers find that spoofing MAC addresses is a simple matter, either through using built-in operating system utilities or by manipulating network traffic they send with a special program. MAC spoofing defeats any hardware address filtering or limiting schemes in use, since an attacker can simply change how her MAC address appears in her network traffic. Because of this, MAC address filtering should not be the only means of security used on a network.

802.1X

In Module 20, we covered the IEEE 802.1X port authentication security method, and although we won’t belabor the details here as well, it’s worth mentioning as a network hardening technique, since it can prevent unauthorized hosts from connecting to the network. Remember that 802.1X restricts connections by host and can also support device authentication in a network using a variety of security protocols, such as Extensible Authentication Protocol (EAP) and its variants. 802.1X can provide for mutual authentication as well, requiring devices to authenticate to each other before passing sensitive network traffic between them. In highly sensitive network environments, this can be a powerful feature used to reduce the threat of unauthorized hosts connecting, or of data being inadvertently sent to an incorrect host not authorized to receive that data.

Disabling Unused Interfaces and Application Service Ports

We discussed several host-hardening measures that also apply to network devices (which really are also hosts). One of these host hardening measures in particular is the practice of disabling both physical and logical interfaces and ports into a device. This practice helps eliminate potential attack vectors into a system and reduces the overall security vulnerabilities associated with a device. For physical interfaces, this includes switch ports, USB ports, and wireless and wired network interfaces. If they are not used to connect to the device, they should be disabled to prevent unauthorized and possibly undetected connections. For logical interfaces, this means reducing the number of entry points into a host through remote shells or administrative interfaces. Entry points should be kept to a minimum, only to those needed to administer or connect to a device effectively, and then restricted only to those personnel with a valid need.

Likewise, it’s also a good idea to disable unused logical application service ports. Disabling or blocking port 3389 on a Windows host, for example, is a good idea if you don’t routinely use a remote desktop connection to the device. The same goes for other common network ports, such as SMTP (port 25), HTTP (port 80), and FTP (ports 20 and 21). It’s also a good idea to disable unused protocols on network devices, such as Telnet and Trivial File Transfer Protocol (TFTP) on routers and switches, for example, since they are nonsecure protocols. On some devices, these may be open by default.
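A check that follows from this section, added here as an example and not code from the book: audit a host's listening sockets against an allowlist and report what should be disabled. The input is constructed text in the layout of Linux `ss -tulnH` output (an assumption; a Windows host or a switch would need a different collector), and the service names are the ones this section calls out, with SSH (TCP port 22) as the only service kept.

```python
from typing import Dict, List, NamedTuple, Set, Tuple

# Ports and protocols this section names as candidates for disabling, plus SSH.
WELL_KNOWN: Dict[Tuple[str, int], str] = {
    ("tcp", 20): "FTP data",
    ("tcp", 21): "FTP control",
    ("tcp", 22): "SSH",
    ("tcp", 23): "Telnet",
    ("tcp", 25): "SMTP",
    ("tcp", 80): "HTTP",
    ("udp", 69): "TFTP",
    ("tcp", 3389): "RDP",
}

# Only SSH is needed for remote management in this scenario.
ALLOWED: Set[Tuple[str, int]] = {("tcp", 22)}

# Constructed sample shaped like `ss -tulnH` output:
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
udp   UNCONN 0      0          0.0.0.0:69        0.0.0.0:*
udp   UNCONN 0      0        127.0.0.1:323       0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:23        0.0.0.0:*
tcp   LISTEN 0      128           [::]:22           [::]:*
tcp   LISTEN 0      511        0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      128      127.0.0.1:3389      0.0.0.0:*
"""


class Finding(NamedTuple):
    proto: str
    port: int
    bind: str
    service: str


def parse_ss(text: str) -> List[Tuple[str, int, str]]:
    """Return (proto, port, bind address) per socket line. The port is the text
    after the last ':' of the local address, which also handles [::]:22."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # skip blank or malformed lines
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        if port.isdigit():
            sockets.append((proto, int(port), addr))
    return sockets


def audit(text: str, allowed: Set[Tuple[str, int]] = ALLOWED) -> List[Finding]:
    """Every listener outside the allowlist is a finding, de-duplicated by
    (proto, port) so a service bound on both IPv4 and IPv6 is reported once."""
    seen: Set[Tuple[str, int]] = set()
    findings = []
    for proto, port, addr in parse_ss(text):
        key = (proto, port)
        if key in allowed or key in seen:
            continue
        seen.add(key)
        findings.append(Finding(proto, port, addr, WELL_KNOWN.get(key, "unknown")))
    return sorted(findings, key=lambda f: (f.proto, f.port))


if __name__ == "__main__":
    for f in audit(SAMPLE_SS_OUTPUT):
        print(f"disable {f.proto}/{f.port} ({f.service}) bound on {f.bind}")
```

Anything reported as "unknown" still needs a human decision; the allowlist, not the lookup table, is what defines the approved configuration.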

Rogue Machine Detection

We’ve spent some time discussing how to prevent unauthorized machines from connecting to a network, usually by disabling switch ports, using Network Access Control (NAC) devices, and even through limiting MAC addresses. Later on in the book, we’ll also discuss additional methods, such as preventing unauthorized wireless clients from connecting to an organization’s wireless networks. In any event, in addition to preventing rogue clients from connecting, we also need to ensure that we monitor the network infrastructure to detect them, just in case they find a way to connect in spite of our preventive measures. We can do several things to detect unauthorized devices. One is through the use of NAC, which can prevent unauthorized machines but can also report to administrators any machines that attempt to connect but are not permitted to do so. Another way would be to log connection attempts through network devices, such as switches, for example. Switches, especially those managing VLANs, can prevent hosts from connecting through 802.1X port authentication, as well as restricting VLAN membership. If configured to do so, switches can also log connection attempts from unauthorized hosts.

Reviewing DHCP logs can be another useful way to detect rogue machines. If you have a device inventory established for authorized devices, perhaps by MAC address, you could compare that list to the DHCP server’s logs and ensure that only authorized hosts received addressing information from the server. You could also look at the computers authorized in Active Directory to determine if that database lists a potential rogue machine you are attempting to track down.
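The DHCP log review described above, as an added example that is not code from the book: it parses lease acknowledgements out of DHCP server log lines, normalizes each MAC address so that different notations compare equal, and reports leases handed to MACs absent from the authorized device inventory. The inventory and the log lines are constructed sample data; the log lines are shaped like the syslog DHCPACK messages of ISC dhcpd, which is an assumption about the server in use.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Constructed inventory of authorized devices, keyed by normalized MAC address.
AUTHORIZED_INVENTORY: Dict[str, str] = {
    "00:1a:2b:3c:4d:5e": "ws-finance-01",
    "00:1a:2b:3c:4d:5f": "ws-finance-02",
    "d4:3d:7e:aa:bb:cc": "printer-floor2",
}

# Constructed DHCP server log lines in the shape of ISC dhcpd syslog output:
# "DHCPACK on <ip> to <mac> (<hostname>) via <interface>" (hostname is optional).
SAMPLE_DHCP_LOG = """\
Mar  3 08:01:12 dhcp1 dhcpd: DHCPDISCOVER from 00:1a:2b:3c:4d:5e via eth0
Mar  3 08:01:12 dhcp1 dhcpd: DHCPACK on 192.0.2.50 to 00:1a:2b:3c:4d:5e (ws-finance-01) via eth0
Mar  3 08:03:40 dhcp1 dhcpd: DHCPACK on 192.0.2.51 to 00-1A-2B-3C-4D-5F (ws-finance-02) via eth0
Mar  3 08:15:02 dhcp1 dhcpd: DHCPACK on 192.0.2.77 to 3c:52:82:11:22:33 (android-8f2a) via eth0
Mar  3 08:15:09 dhcp1 dhcpd: DHCPACK on 192.0.2.78 to D4:3D:7E:AA:BB:CC (printer-floor2) via eth0
Mar  3 08:20:33 dhcp1 dhcpd: DHCPACK on 192.0.2.79 to 00:1a:2b:3c:4d:5e (ws-finance-01) via eth0
Mar  3 08:22:10 dhcp1 dhcpd: DHCPACK on 192.0.2.80 to 08:00:27:de:ad:01 via eth0
"""

DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})"
    r"(?: \((?P<host>[^)]*)\))?"
)


class Lease(NamedTuple):
    ip: str
    mac: str
    hostname: str


def normalize_mac(mac: str) -> str:
    """Canonical form: lowercase, colon-separated, so 00-1A-2B-... and
    00:1a:2b:... refer to the same card."""
    return mac.replace("-", ":").lower()


def parse_dhcpack_lines(log_text: str) -> List[Lease]:
    """Extract one Lease per DHCPACK line; other message types are ignored."""
    leases = []
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], normalize_mac(m["mac"]), m["host"] or ""))
    return leases


def find_rogue_leases(log_text: str, inventory: Dict[str, str]) -> List[Lease]:
    """Leases granted to MACs that are not in the inventory, one entry per MAC.
    A hit is a lead to investigate, not proof: as the text notes, a MAC address
    can be spoofed, so an inventoried MAC does not guarantee an authorized host."""
    seen: Set[str] = set()
    rogues = []
    for lease in parse_dhcpack_lines(log_text):
        if lease.mac not in inventory and lease.mac not in seen:
            seen.add(lease.mac)
            rogues.append(lease)
    return rogues


if __name__ == "__main__":
    for r in find_rogue_leases(SAMPLE_DHCP_LOG, AUTHORIZED_INVENTORY):
        print(f"unknown device {r.mac} got {r.ip} (hostname: {r.hostname or 'none'})")
```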

In addition to rogue clients, rogue servers are also an issue that occasionally pops up on a network. A rogue DHCP server, for example, could disrupt network operations by handing out false or duplicative IP addressing information to network clients, causing them not to be able to communicate with other network resources or to communicate only with an attacker’s boxes instead. Other rogue servers might include fake web or file servers, DNS servers, or other servers that appear to run critical network services. A comprehensive device inventory, device authentication, and constant service and traffic monitoring can also help detect rogue devices. Even sniffers can be useful in detecting unauthorized hosts.

Continuous Security Monitoring

Although the next module covers monitoring, it’s worthwhile to mention it here in the context that you should actively monitor the status of the network, including hosts, devices, and the traffic that flows between them. For a variety of reasons, you should also monitor traffic that enters into and exits from your network. In addition to monitoring the health and status of individual devices to ensure they are up and running and performing their designated functions, you should monitor traffic to ensure that your devices are doing their job by controlling the traffic flow and content throughout the network. Using some of the devices we’ve discussed, such as sniffers and intrusion detection/prevention devices, to monitor the network continuously helps to maintain the security posture of your network and is in itself a best security administration practice.

Module 22 Questions and Answers

Questions

1. Which of the following describes a network device that intercepts user or host requests and then makes those requests to other hosts or networks on behalf of the user?

A. Proxy

B. Firewall

C. NIDS

D. NIPS

2. Which of the following is an advanced form of proxy and can also perform content filtering and web application attack prevention functions?

A. NIPS

B. Firewall

C. Web security gateway

D. NIDS

3. Which of the following types of connections does a VPN concentrator control? (Choose two.)

A. Device VPN

B. Client VPN

C. User VPN

D. Site-to-site VPN

4. A NIPS is considered a __________ type of control.

A. detective

B. preventative

C. network

D. host

5. Which of the following types of systems detects network attacks based upon how they compare with a baseline of traffic patterns that are considered normal for the network?

A. Pattern-based

B. Rule-based

C. Signature-based

D. Behavior-based

6. Which of the following is used to intercept and examine network traffic based upon protocol?

A. Sniffer

B. NIDS

C. NIPS

D. Proxy

7. Which of the following does MAC filtering use as its filtering criteria?

A. Hardware address

B. Software address

C. Logical address

D. IP address

8. You are configuring a network device. You want to be able to manage the device remotely using only the Secure Shell (SSH) protocol. If enabled by default, you should disable all of the following ports, protocols, and services, except:

A. Telnet

B. UDP port 69

C. TCP port 22

D. RDP

9. Which of the following techniques can be used to detect rogue or unauthorized hosts? (Choose all that apply.)

A. DHCP address assignment logs

B. NAC

C. Switch port and VLAN connection logs

D. IP address

10. Which of the following terms refers to a combination of multifunction security devices?

A. NIDS/NIPS

B. Application firewall

C. Web security gateway

D. Unified Threat Management

Answers

1. A. A proxy is a network device that intercepts user or host requests and then makes those requests to other hosts or networks on behalf of the user.

2. C. A web security gateway is an advanced form of proxy and can also perform content filtering and web application attack prevention functions.

3. B, D. A VPN concentrator manages connections for both client and site-to-site VPN connections.

4. B. A network intrusion prevention system (NIPS) is considered a preventative type of control.

5. D. Behavior-based detection systems detect network attacks based upon how they compare with a baseline of traffic patterns that are considered normal for the network.

6. A. A sniffer, or protocol analyzer, is used to intercept and examine network traffic based upon protocol.

7. A. MAC filtering uses a host’s network hardware address as its filtering criteria.

8. C. You should not disable TCP port 22, as this is the port that SSH uses. All other port and protocol choices should be disabled, as they are not needed, nonsecure, or both.

9. A, B, C. All of these techniques can be used to detect rogue or unauthorized hosts. A rogue client can’t be detected, however, simply by examining its IP address alone.

10. D. Unified Threat Management refers to a combination of multifunction security devices.
