Chapter 15. Defensive Technologies

ONE OF THE BIGGEST CHALLENGES you will have to face as a security professional is keeping the network you are responsible for secure. On the surface this may not sound like a big challenge, but consider that new threats emerge every day, and at an increasingly rapid rate. More people will be interacting with and using your networks and accessing the resources found there. Also, your network and the infrastructure it comprises have become more complex as increasing numbers of employees go mobile and use advanced connection techniques such as virtual private networks (VPNs).

All this complexity makes the usability and capability of the network much greater than it would be otherwise, but it also means that your job of securing and managing the network is a much more difficult task. Another point to consider is the fact that for all these systems to work together effectively, a certain level of trust must be built into the system, meaning that one system gives a certain level of credibility to another system. These points are things that you must consider in order to properly protect your network.

Securing your network and infrastructure requires a mix of capabilities and techniques, some of which have been introduced in this course. Let's take all the techniques, technologies, and strategies discussed during this course and break them into two categories: prevention and detection. In the past, quite a bit of effort was focused on the prevention of an attack, but what about those times when a new or unanticipated attack gets through your defenses? Sure, you can prevent an attack by using firewalls, policies, and other means, but there are other things that can help, too. That's where detection comes into play and where devices and technologies such as intrusion detection systems and honeypots can assist you.

Intrusion Detection Systems (IDSs)

One of the tools that enables you to detect an attack is the intrusion detection system (IDS). These devices provide the ability to monitor a network, host, or application, and report back when suspicious activity is detected. The essence of intrusion detection is the process of detecting potential misuse or attacks and the ability to respond based on the alert that is provided. You can do a lot to secure your systems, but how do you know they are secure? The IDS provides the ability to monitor the systems under your care.

Note

Former President Ronald Reagan once made a comment about the former Soviet Union: "Trust, but verify." This is where the intrusion detection system comes into play. Your defenses should be working as designed to secure your network, but you should verify that they actually are doing so. Misplaced trust can be your worst enemy, and the IDS will serve as a way to prevent this.

An IDS is a hardware appliance or software-based device that gathers and analyzes information generated by a computer or network. This information is analyzed with the goal of detecting any activity that is unauthorized or suspicious, or any sign that privileges or access are being misused. An IDS is essentially a packet sniffer on steroids. A packet sniffer by itself captures traffic, and it is up to you to analyze it and look for signs of problems; in the case of an IDS, this capability is extended through the use of rules that allow the IDS to compare the intercepted traffic to known good or bad behavior.

Once an IDS determines that a suspected intrusion has taken place, it then issues an alarm in the form of an e-mail, page, message, or log file entry that the network administrator will evaluate. Remember that an IDS detects an attack. What it does not do is prevent an attack—if an IDS has detected an attack, it is already occurring.

Before going too far into the topic of IDS, it is necessary to define a few key terms. Each of the following is used to describe the environments and situations that an IDS is expected to operate in and what it is expected to detect:

  • Intrusion—An unauthorized use or access of a system by an individual, party, or service. Simply put, this is any activity that should not be but is occurring on an information system.

  • Misuse—The improper use of privileges or resources within an organization; not necessarily malicious in nature, but misuse all the same.

  • Intrusion detection—The technique of uncovering successful or attempted unauthorized access to an information system.

  • Misuse detection—The ability to detect misuse of resources or privileges.

When an IDS is in operation, it has three mechanisms it can use to detect an intrusion, with each one offering a distinct advantage and disadvantage compared with the others:

  • Signature recognition—Commonly known as misuse detection, it attempts to detect activities that may be indicative of misuse or intrusions.

    • Signature analysis refers to an IDS that is programmed to identify known attacks occurring in an information system or network.

    • For example, an IDS that watches Web servers might be programmed to look for the string "phf" as an indicator of a Common Gateway Interface (CGI) program attack. Looking for this particular string would allow the IDS to tip off the system owner that an attacker may be trying to pass illegal commands to the server in an attempt to gain information.

    • Most IDSs are based on signature analysis.

  • Anomaly detection—Anomaly detection is a type of detection that uses a known model of activity in an environment and reports deviations from this model as potential intrusions. The model is generated by the system owner based on knowledge of what is acceptable and known behavior on the network. In modern systems, the IDS will be configured to observe traffic in a training mode in which it observes and learns what is normal and what is not on a given network.

Table 15-1. IDS response matrix.

  • True positive: An alert was generated in response to an actual intrusion attempt.

  • False positive: An alert was generated in response to a perceived but nonthreatening event.

  • True negative: An alert was not generated because no suspicious activity was detected, and none occurred.

  • False negative: An alert was not generated because no suspicious activity was detected, but such activity did occur.

Whichever of these methods an IDS is configured to use, its response to a given event is either positive (an alert is generated) or negative (no alert is generated), and either response can be true or false. Table 15-1 lays out the four possible outcomes and what each one means.

It is important to get an understanding of the different types of IDS available. It is necessary for you as a security professional to know what an IDS can detect and where it may be useful as well as understanding where it is not. Make sure that you understand what activities each is sensitive to as this will determine the proper deployment for each and where you will get the best results:

  • Network-based intrusion detection system (NIDS)—An IDS that fits into this category is one that can detect suspicious activity on a network such as misuse or other activities such as SYN floods, MAC floods, or other similar types of behavior. NIDS devices monitor the network through a network card that is switched into promiscuous mode and connected to a SPAN (mirror) port on a switch so that all traffic passing through the switch is visible.

    Indications of network intrusion:

    • Repeated probes of the available services on your machines

    • Connections from unusual locations

    • Repeated logon attempts from remote hosts

    • Arbitrary data in log files, indicating an attempt at creating either a denial of service (DoS) or a crashed service

  • Host-based intrusion detection system (HIDS)—An IDS that fits into this category is one that can monitor activity on a specific host or computer. A HIDS sees only what happens on the specific host, not on the network. Included in the functionality of these types of IDS is the ability to monitor access, event logs, system usage, and file modifications.

    These types of IDS can detect:

    • Modifications to system software and configuration files

    • Gaps in the system accounting, which indicate that no activity has occurred for a long period of time

    • Unusually slow system performance

    • System crashes or reboots

    • Short or incomplete logs

    • Logs containing strange timestamps

    • Logs with incorrect permissions or ownership

    • Missing logs

    • Abnormal system performance

    • Unfamiliar processes

    • Unusual graphic displays or text messages

  • Log file monitoring—Software in this category is specifically designed to analyze log files and look for specific events or activities. Software of this type can look for anything in log files from improper file access to failed logon attempts.

    Log file activity that can be detected can include:

    • Failed or successful logons

    • File access

    • Permission changes

    • Privilege use

    • System setting changes

    • Account creation

  • File integrity checking—Software in this category represents one of the oldest and simplest types of IDS. Software in this category looks for changes in files that may indicate an attack or unauthorized behavior. These devices look for modifications in files using techniques such as hashing to uncover changes. One of the oldest IDS systems around, Tripwire, started by using this sort of technique.

    Indications of file system intrusion:

    • The presence of unfamiliar new files or programs

    • Changes in file permissions

    • Unexplained changes in file size

    • Rogue files on the system that do not correspond to your master list of signed files

    • Unfamiliar filenames in directories

    • Missing files
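The file integrity checking described above, as an added Python example that is not code from the book or from Tripwire: a baseline of hashes, sizes and permission bits is taken over a directory tree, a second scan is compared against it, and the differences are sorted into the indications listed above. The directory contents and the tampering performed in demo() are constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Added example, not from the book or from Tripwire: a minimal file integrity
# checker. A baseline records each file's SHA-256 hash, size and permission bits;
# a later scan is compared against it and the differences are sorted into the
# indications the chapter lists (new, missing, modified, resized, re-permissioned).


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(root):
    """Map every file under root (relative POSIX path) to (sha256, size, mode)."""
    root = Path(root)
    snapshot = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        snapshot[path.relative_to(root).as_posix()] = (
            sha256_of(path), st.st_size, stat.S_IMODE(st.st_mode))
    return snapshot


def compare(baseline, current):
    """Classify the differences between two snapshots from take_baseline()."""
    report = {"new": [], "missing": [], "modified": [],
              "size_changed": [], "perm_changed": []}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            report["new"].append(name)
        elif name not in current:
            report["missing"].append(name)
        else:
            old_hash, old_size, old_mode = baseline[name]
            new_hash, new_size, new_mode = current[name]
            if old_hash != new_hash:
                report["modified"].append(name)
            if old_size != new_size:
                report["size_changed"].append(name)
            if old_mode != new_mode:
                report["perm_changed"].append(name)
    return report


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"constructed-binary-contents")
        os.chmod(root / "bin" / "ls", 0o755)
        baseline = take_baseline(root)

        # Simulated tampering: an extra account line, a binary made world-writable,
        # an unfamiliar program dropped into bin, and a file deleted.
        with open(root / "etc" / "passwd", "a") as f:
            f.write("guest2:x:1001:1001::/home/guest2:/bin/sh\n")
        os.chmod(root / "bin" / "ls", 0o777)
        (root / "bin" / "unknown_tool").write_bytes(b"unfamiliar program")
        (root / "etc" / "hosts").unlink()

        return compare(baseline, take_baseline(root))
```

The baseline itself must be stored somewhere the monitored host cannot alter, otherwise an intruder who can change the files can also change the record they are compared against.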

The two main types of IDS discussed here are the HIDS and NIDS because they are the two most commonly encountered in the wild. Table 15-2 compares the two to help you understand how they stack up against one another.

Table 15-2. NIDS and HIDS features.

  • Best suited for
    NIDS: Large environments where critical assets on the network need extra observation.
    HIDS: Environments where critical system-level assets need monitoring.

  • Management concerns
    NIDS: Not an issue in large environments; may incur too much overhead in smaller environments.
    HIDS: Requires specific adjustments and considerations on a system level.

  • Advantage
    NIDS: Ideal for monitoring sensitive network segments.
    HIDS: Ideal for monitoring specific systems.

IDS Components

An IDS is not one thing—it is a collection of items that come together to make the overall solution. The IDS is formed by a series of components that make an effective solution designed to monitor the network or system for a range of intrusions. If you zoom out a bit, you can see that an IDS is not even centered or resident on a single system; it is distributed across a group of systems, each playing a vital role in monitoring the network.

In the solution that forms an IDS, there are a number of components, each with its own responsibilities. These components are responsible for monitoring for intrusion, but also are capable of performing other functions, such as the following:

  • Pattern recognition and pattern matching to known attacks

  • Analysis of traffic for abnormal communication

  • Integrity checking of files

  • Tracking of user and system activity

  • Traffic monitoring

  • Traffic analysis

  • Event log monitoring and analysis

When you move from vendor to vendor, the features that are part of the IDS will vary in scope, capability, and implementation. Some IDSs offer only a subset of the features mentioned here, and others offer substantially more. All IDSs do tend to have the same components no matter which vendor is manufacturing the device.

Note

The command console can be as simple as opening a Web interface in a Web browser or as complex as a piece of software on the client. In some cases, the client is a custom-built system configured just for the purpose of monitoring and configuring the system. The capabilities of this console will vary dramatically depending on the vendor and the features present on the IDS.

Components of NIDS

The most visible component of an IDS is the command console, which represents the component where the system administrator manages and monitors the system. This is where the administrator carries out the day-to-day tasks of monitoring, tuning, and configuring the system in order to maintain optimal performance. The command console may be accessed from anywhere or have its access restricted to a specific system for security purposes.

Working in concert with and monitored by the command console is the network sensor. The network sensor is a discrete software application that runs on a designated device or system as needed. This sensor is essentially the same as a sniffer in that it runs in conjunction with a network card in promiscuous mode. The sensor has the ability to monitor traffic on a specific segment of the network due to the same restrictions that are placed on sniffers. This is why placement of a network sensor is so important: Placement of a sensor on the incorrect network segment could result in a critical segment not being monitored. Figure 15-1 illustrates the components of a NIDS.

Another mechanism that works with an IDS is a hardware-based device known as a network tap. This device resides on the network and physically looks much like a hub or switch, but its value lies in its role as part of an IDS. A network tap has certain characteristics that make it unique: it has no Internet Protocol (IP) address, it passively copies the traffic that passes through it, and it can be used by an IDS to collect the traffic that is used to generate alerts. The main benefit of placing a network tap on the network in conjunction with a NIDS is that it enhances the security and detection capabilities of the system.

Figure 15-1. Components of a NIDS.

An effective and robust alert generation and notification system is required to let the network owner know what is occurring when an attack happens. Alert notification and generation will occur when an event or some activity happens that needs the attention of the security or network administrator. The alerts that are generated can be delivered to the system owner using popup alerts, audio alerts, pagers, text messages and e-mail.

How does an IDS function? The intrusion detection process is a combination of information gathered from several processes. The process is designed to respond to packets sniffed and analyzed. In this example, the information is sniffed from an Ethernet network with a system running the sensor operating in promiscuous mode, sniffing and analyzing packets off of a local segment.

Note

Alerts can be sent in any way that is appropriate and most likely to get the attention they deserve. When an alert comes in, a network administrator should review the message and the nature of the information and then take the appropriate response. Some modern IDSs include all the notification methods listed here as well as the ability to send text messages to specific personnel.

In the following steps, an IDS using a signature-based detection method is used to detect an intrusion and alert the system owner:

  • A host creates a network packet.

    • At this point nothing is known other than the packet exists and was sent from a host in the network.

  • The sensor sniffs the packet off the network segment.

    • This sensor is placed so it can read the packet.

  • The IDS and the sensor match the packet with known signatures of misuse.

    • When a match is detected, an alert is generated and is sent to the command console.

  • The command console receives and displays the alert, which notifies the security administrator or system owner of the intrusion.

  • The system owner responds based on the information the IDS provides.

  • The alert is logged for future analysis and reference.

    • This information can be logged in a local database or in a central location shared by several systems.
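The signature-based detection steps above, as an added Python example that is not code from the book: a sensor bound to one segment sniffs packets, a small signature database built around the chapter's "phf" indicator is matched against each payload, hits are raised on a console and logged, and the outcomes are tallied in the four categories of Table 15-1. All packets, addresses and rules other than the phf string are constructed for the demonstration; the phf rule is anchored to /cgi-bin/phf so an ordinary file name that merely contains the substring does not fire.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example, not from the book: a miniature signature-based NIDS that walks
# the chapter's steps. A sensor bound to one segment sniffs packets, the engine
# matches payloads against a signature database, hits raise alerts on a console,
# and every alert is logged. The traffic and addresses are constructed.


@dataclass(frozen=True)
class Packet:
    pkt_id: int
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Alert:
    pkt_id: int
    rule: str
    src: str
    dst: str


# Signature database: (rule name, destination port, byte pattern).
# The chapter's "phf" indicator is anchored to /cgi-bin/phf so an ordinary file
# name that merely contains "phf" does not fire. The traversal rule is constructed.
SIGNATURES = [
    ("WEB-CGI phf access", 80, re.compile(rb"/cgi-bin/phf")),
    ("WEB-MISC directory traversal", 80, re.compile(rb"\.\./\.\./")),
]


class Sensor:
    """Like a NIC in promiscuous mode: sees only packets on its own segment."""

    def __init__(self, segment):
        self.segment = ip_network(segment)

    def sniff(self, wire):
        for pkt in wire:
            if ip_address(pkt.src) in self.segment or ip_address(pkt.dst) in self.segment:
                yield pkt


def match_signatures(pkt):
    """Return the names of every rule whose port and pattern match the packet."""
    return [name for name, port, pattern in SIGNATURES
            if port == pkt.dport and pattern.search(pkt.payload)]


class SignatureIDS:
    def __init__(self, sensor):
        self.sensor = sensor
        self.console = []  # alerts shown to the administrator
        self.log = []      # persistent entries for later analysis

    def run(self, wire):
        for pkt in self.sensor.sniff(wire):
            for rule in match_signatures(pkt):
                alert = Alert(pkt.pkt_id, rule, pkt.src, pkt.dst)
                self.console.append(alert)
                self.log.append({"pkt_id": pkt.pkt_id, "rule": rule,
                                 "src": pkt.src, "dst": pkt.dst, "dport": pkt.dport})
        return self.console


def response_matrix(seen_packets, alerts, actually_malicious):
    """Tally the four Table 15-1 outcomes over the packets the sensor saw."""
    alerted = {a.pkt_id for a in alerts}
    counts = {"true_positive": 0, "false_positive": 0,
              "true_negative": 0, "false_negative": 0}
    for pkt in seen_packets:
        flagged = pkt.pkt_id in alerted
        bad = pkt.pkt_id in actually_malicious
        if flagged and bad:
            counts["true_positive"] += 1
        elif flagged:
            counts["false_positive"] += 1
        elif bad:
            counts["false_negative"] += 1
        else:
            counts["true_negative"] += 1
    return counts


# Constructed traffic; 10.0.1.0/24 is the segment the sensor is placed on.
WIRE = [
    Packet(1, "10.0.1.5", "10.0.1.20", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet(2, "203.0.113.9", "10.0.1.20", 80, b"GET /cgi-bin/phf?Qname=x HTTP/1.0\r\n"),
    Packet(3, "203.0.113.9", "10.0.1.20", 80, b"GET /docs/phfreport.html HTTP/1.0\r\n"),
    Packet(4, "10.0.1.7", "10.0.1.20", 80, b"GET /static/../../../../private/ HTTP/1.0\r\n"),
    Packet(5, "10.0.2.3", "10.0.2.9", 80, b"GET /cgi-bin/phf HTTP/1.0\r\n"),      # segment the sensor cannot see
    Packet(6, "203.0.113.9", "10.0.1.20", 80, b"GET /old/../../2019/a.html HTTP/1.0\r\n"),  # benign, but fires
    Packet(7, "203.0.113.9", "10.0.1.20", 8080, b"GET /cgi-bin/phf HTTP/1.0\r\n"),  # port the rule ignores
]
# Ground truth for the demonstration: packets 2, 4 and 7 are the real probes.
KNOWN_MALICIOUS = {2, 4, 7}
```

Packet 5 is never seen because of where the sensor sits, and packet 7 is missed because the rule is tied to port 80, which is the chapter's point that an IDS reports only what it is told to look for and only where it is placed.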

Figure 15-2. Components of a HIDS.

Components of HIDS

A HIDS is designed to monitor the activity on a specific system. Many vendors offer this type of IDS so the features vary wildly, but the basic components are the same.

The first component of a HIDS is the command console, which acts much like its counterpart on the NIDS. This piece of software is the component that the network administrator will spend the most time with. Here the administrator will configure, monitor, and manage the system as needs change.

The second component in the HIDS is the monitoring agent software. This agent is responsible for monitoring the activities on a system. The agent will be deployed to the target system and monitor activities such as permission usage, changes to system settings, file modifications, and other suspicious activity on the system. Figure 15-2 illustrates the components of a HIDS.

Setting Goals

When setting up an IDS, it is necessary to define the goals of the system prior to deploying it into production. As with any technology of this level of complexity, some planning is required to make things work properly and effectively. The first step in ensuring that an IDS is working as it should is to set goals. Two goals that are common are response capability and accountability.

When an IDS recognizes a threat or other suspicious activity it must respond in some fashion. The IDS receives the data, analyzes it, and then compares it to known rules or behaviors and when a match is found some response must occur. The question you must answer is what this action will be; in this case, an alert.

Responses can include any number of potential actions, depending on what your goal happens to be. Some common responses include sending an alert to the administrator as a text message or e-mail, but this is not the only option. Additionally, the IDS will log the event by placing an entry in a log file for later review and retrieval. In most cases, an organization would choose to place information in a log or event log because it provides additional benefits for the business, including the ability to analyze data historically and plan for expenditures. However, logs are not used only for planning budgets. They are also very useful in determining the effectiveness of security measures. Remember that an IDS detects attacks or suspicious activity after it has already occurred. If it has occurred, it means it has gotten around or passed through security measures unimpeded, in which case you need to know why and how it happened.

Accountability

Having the proper response in place is an important detail to address, and without a response plan in place the system loses its effectiveness. But this is not the only required element because you must establish accountability, too. As part of network security policy, you must define a process in which the source and cause of an attack are identified and investigated. This process is necessary due to the potential need to pursue legal action, not to mention the need for finding out the source and cause of the attack in order to adjust your defenses to prevent the problem from happening again.

Limitations of an IDS

While an IDS is capable of performing a number of tasks in the realm of monitoring and alerting system administrators to what is happening on their network, it does have its limitations. You should always be aware of the strengths and weaknesses of the technologies you are working with, and IDSs are no exception. Knowing these limitations will also help ensure that you use the technology correctly and that it addresses the issues it was designed to address.

It Is Not the Only Problem Solver

No matter what you are told by the vendor of a particular IDS, it is not a silver bullet that can solve all your problems. An IDS can only supplement existing security technologies; it cannot bring nirvana to the security of your network. You should expect an IDS to provide the necessary element of verification of how well your network security counter-measures are doing their respective jobs.

You should never expect an IDS to be able to detect and notify you about every event on your network that is suspicious; in fact, it will detect and report only what you tell it to. Also consider the fact that an IDS is programmed to detect specific types of attacks, and because attacks evolve rapidly, an IDS will not detect unfamiliar new attacks; it is not programmed or designed to do so. Remember, an IDS is a tool that is designed to assist you and is not a substitute for good security skills or due diligence. For example, as a system owner and security professional, you must regularly update the signature database of any IDS under your control that uses this mechanism. Another example is to understand your network and update your model or baseline on what is normal behavior and what is not, as this will change over time.

Failed Hardware

If the hardware that is supporting the IDS fails and it has the sensor or the command console on it, your IDS may become ineffective or worthless. In fact, if a system that has a network sensor located on it fails, there is no way to gather the information to be analyzed. Also, an IDS cannot inform you of or prevent a hardware failure, so if this event occurs, you will be out of luck. Any serious failure in hardware, network communications, or other areas can wreak havoc with your monitoring capabilities. Planning ahead and implementing mechanisms such as redundant hardware and links is a way to overcome this limitation to prevent the IDS from going offline.

Investigation of an Event

An IDS provides a way of detecting an attack, but not dealing with it. That is the responsibility of something known as an IPS, which will be discussed later. An IDS is extremely limited as to the actions it can take when an attack or some sort of activity occurs. An IDS observes, compares, and detects the intrusion and will report it; it then becomes your responsibility to follow up. All the system can do is warn you if something isn't right; it can't give you the reasons why.

As a security professional, you will have to make it a point to review the IDS logs for suspicious behavior and take the necessary action. You are responsible for the follow-up and action.

Analysis of Information Collected

Information from an IDS can be quite extensive and can be generated quite rapidly, and this data requires careful analysis in order to ensure that every potentially harmful activity is caught. You will have the task of developing and implementing a plan to analyze the sea of data that will be generated and ensuring that any questionable activity is caught.

Intrusion Prevention Systems (IPSs)

The next step beyond an IDS is an IPS. An IPS is a device that is used to protect systems from attack by using different methods of access control. This system is an IDS with additional abilities that make it possible to protect the network.

IPS devices were originally developed as a way to extend the capabilities already present in an IDS. When you look at an IDS in all its forms, you see that it is a passive monitoring device that offers limited response capabilities. An IPS provides the ability to analyze content, application access, and other details to make determinations on access. For example, an IPS can provide additional information that yields insight into activities on overly active hosts, bad logon activities, access of inappropriate content, and many other network and application layer functions.

Responses that an IPS can use in response to an attack include:

  • Regulating and stopping suspicious traffic

  • Blocking access to systems

  • Locking out misused user accounts

IPSs come in different forms, each offering a unique set of abilities:

  • Host-based—IPSs in this category are those that are installed on a specific system or host and monitor the activities that occur there.

  • Network—IPSs that fit into this category are designed to monitor the network and prevent intrusions on a specific host when activity is detected. In practice, these types of IPS are hardware appliances that are purposely built to carry out their function.

The Purpose of Firewalls

A challenge that you must address to protect your network and the assets therein to the highest possible degree is access control. The technologies and techniques in this area have varied and evolved dramatically over the years to include devices such as the IDS, authentication, and firewalls. Firewalls have undergone the greatest evolution, moving from a simple packet filtering device up to a device that can perform advanced analysis of traffic. Firewalls have become an increasingly important component of network security and as such you must have a firm command of the technology.

Firewalls separate networks and organizations into different zones of trust. If one network segment has a higher level of trust than another, a firewall can be placed between them as the demarcation point between these two areas. Such would be the case when separating the Internet from the internal network or two network segments inside an organization.

The firewall is located on the perimeter or boundary between the internal network and the outside world. The firewall forms a logical and physical barrier between the organization's network and everything outside. From this advantageous and important position, the firewall is able to deny or grant access based on a number of rules that are configured on the device. These rules dictate the types of traffic which are allowed to pass and the types which are not.

A firewall can also provide the ability to segment a network internally or within the organization itself. An organization may choose to control the flow of traffic between different parts of the organization for security reasons. For example, an organization may use a firewall to prevent the access to or viewing of resources and other assets on a particular network segment, such as those situations where financial, research, or company confidential information needs to be controlled.

An organization may choose to deploy a firewall in any situation where the flow of traffic needs to be controlled between areas. If there is a clear point where trust changes from higher to lower, or vice versa, a firewall may be employed.

In the early days of firewalls, the process of denying and granting access was very simple, but so were the threats (relative to today at least). Firewalls have since had to evolve to deal with ever more complex and numerous threats such as SYN floods, DoS attacks, and other behaviors. With the rapid increase in the number and creativity of attacks, the firewalls of the past have had to evolve in order to properly counter the problems of today.

How Firewalls Work

Firewalls function by controlling the flow of traffic between different zones. Their methods can vary, but the goal is still to control the flow of traffic. Figure 15-3 illustrates this process.

Firewall Methodologies

Firewalls are typically described by their vendors as having all sorts of advanced and complex features in an effort to distinguish them from their competitors. Vendors have found creative ways to describe their products in an effort to sound compelling to potential customers.

Note

The first-generation firewall based on packet filtering was outlined in the late 1980s and resulted in the first operational firewalls. While by today's standards these firewalls are primitive at best, they represented a huge leap in security and provided the foundation for subsequent generations.

Firewalls can operate in one of three basic modes:

  • Packet filtering

  • Stateful inspection

  • Application proxying

Packet filtering represents what could be thought of as the first generation of firewalls. Firewalls that used packet filtering could only do the most basic analysis of traffic, which meant that it was granting or denying access based on limited factors such as IP address, port, protocol, and little else. The network or security administrator would create what amounts to very primitive rules by today's standards that would permit or deny traffic.

Figure 15-3. A firewall in action.

The downside of this type of device is that the filtering was performed by examining the header of a packet and not the contents of a packet. While this setup worked, it still left the door open for attacks to be performed. For example, a filter could be set up to deny File Transfer Protocol (FTP) access outright, but a rule could not be created to block specific commands within FTP. This resulted in an all-or-nothing scenario.

A firewall may also use stateful packet inspection (SPI). In this setup, the attributes of each connection are noted and stored by the firewall; together these attributes are said to describe the state of the connection. They typically include the IP addresses and ports involved in the connection and the sequence numbers of packets crossing the firewall. Recording all these attributes helps the firewall get a better handle on what is occurring, but this comes at the cost of additional processing and extra load on the central processing unit (CPU) of the firewall device or system. The firewall is responsible for keeping track of a connection from the time it is created until it is finished, at which point the connection information is discarded by the firewall.

SPI offers the ability to track connections between endpoints, and this is where the power of the technique lies. Tracking the state of a connection provides a means of ensuring that packets belonging to connections that were improperly initiated, or never initiated at all, are ignored and not allowed through.

A proxy firewall is a type of firewall that functions as a gateway for requests arriving from clients. Client requests are received at the firewall, at which point the address of the final server is determined by the proxy software. The application proxy performs translation of the address and additional access control checking and logging as necessary, and then connects to the server on behalf of the client.
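The contrast between packet filtering and stateful inspection described above, as an added Python example that is not code from the book: the same constructed packet stream is run through a stateless filter that judges header fields alone and a stateful filter that tracks each connection from its SYN until teardown. The addresses, ports and the single "inside hosts may browse the web" policy are constructed for the demonstration.

```python
from dataclasses import dataclass

# Added example, not from the book: a stateless packet filter and a stateful
# inspection filter deciding on the same constructed packet stream. Policy for
# both: hosts inside 192.0.2.0/24 may open web connections; nothing else.


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


INSIDE_PREFIX = "192.0.2."          # constructed internal network
ALLOWED_OUTBOUND_PORTS = {80, 443}  # the "browse the web" policy


def outbound(pkt):
    return pkt.src.startswith(INSIDE_PREFIX) and not pkt.dst.startswith(INSIDE_PREFIX)


def inbound(pkt):
    return pkt.dst.startswith(INSIDE_PREFIX) and not pkt.src.startswith(INSIDE_PREFIX)


class StatelessFilter:
    """First-generation packet filter: looks at header fields only."""

    def decide(self, pkt):
        if outbound(pkt) and pkt.dport in ALLOWED_OUTBOUND_PORTS:
            return "allow"
        # Replies arrive from the server's port, so a stateless rule must admit
        # every inbound packet with such a source port, solicited or not.
        if inbound(pkt) and pkt.sport in ALLOWED_OUTBOUND_PORTS:
            return "allow"
        return "deny"


class StatefulFilter:
    """Stateful packet inspection: tracks each connection from SYN to teardown."""

    def __init__(self):
        self.table = {}  # connection key -> endpoints that have sent FIN

    @staticmethod
    def key(pkt):
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def decide(self, pkt):
        k = self.key(pkt)
        if k in self.table:
            # Belongs to a connection we saw begin: allow it, and discard the
            # state once both sides have sent FIN or either side resets.
            if "RST" in pkt.flags:
                del self.table[k]
            elif "FIN" in pkt.flags:
                self.table[k].add((pkt.src, pkt.sport))
                if len(self.table[k]) == 2:
                    del self.table[k]
            return "allow"
        # Only a properly initiated connection (a bare outbound SYN to an
        # allowed port) creates state; everything else is ignored.
        if outbound(pkt) and pkt.flags == frozenset({"SYN"}) \
                and pkt.dport in ALLOWED_OUTBOUND_PORTS:
            self.table[k] = set()
            return "allow"
        return "deny"


def run(fw, packets):
    """Decisions for a packet stream, in order, from one filter instance."""
    return [fw.decide(p) for p in packets]


F = frozenset
CLIENT, SERVER, STRANGER = "192.0.2.10", "198.51.100.5", "203.0.113.7"
# Constructed stream: a normal web session, unsolicited inbound packets that
# merely use source port 80, a disallowed outbound request, and a packet that
# arrives after the session has been torn down.
STREAM = [
    Packet(CLIENT, 40000, SERVER, 80, F({"SYN"})),          # 0 client opens
    Packet(SERVER, 80, CLIENT, 40000, F({"SYN", "ACK"})),   # 1 server answers
    Packet(CLIENT, 40000, SERVER, 80, F({"ACK"})),          # 2 handshake done
    Packet(SERVER, 80, CLIENT, 40000, F({"ACK"})),          # 3 response data
    Packet(STRANGER, 80, CLIENT, 5555, F({"ACK"})),         # 4 never initiated
    Packet(STRANGER, 80, CLIENT, 5555, F({"SYN"})),         # 5 inbound SYN
    Packet(CLIENT, 40001, SERVER, 22, F({"SYN"})),          # 6 not in policy
    Packet(CLIENT, 40000, SERVER, 80, F({"FIN", "ACK"})),   # 7 client closes
    Packet(SERVER, 80, CLIENT, 40000, F({"FIN", "ACK"})),   # 8 server closes
    Packet(SERVER, 80, CLIENT, 40000, F({"ACK"})),          # 9 after teardown
]
```

The stateless filter admits packets 4, 5 and 9 because their headers satisfy the "reply from port 80" rule; the stateful filter drops all three because no connection in its table accounts for them. A production firewall keeps a short grace period for closed connections rather than discarding the state immediately, so a late packet like the last one is handled more gently than this toy does.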

Limitations of a Firewall

On the surface it sounds as if firewalls can do a lot just by controlling the flow of traffic; while this is true, they can't do everything. There are some things firewalls are not suited to doing, and understanding these limitations will go a long way toward letting you get the most from your firewall. Some companies in the past have made the ill-conceived decision to buy a firewall and set it up without asking what they are protecting, from what, and whether the device will be able to do so. Unfortunately, a lot of companies have purchased firewalls, installed them, and later wondered why security didn't improve.

The following areas represent the types of activity and events that a firewall will provide little or no value in stopping:

  • Viruses—While some firewalls do include the ability to scan for and block viruses, this is not defined as an inherent ability of a firewall and should not be relied upon. Also consider the fact that as viruses evolve and take on new forms, firewalls will most likely lose their ability to detect them easily and need to be updated. This capability can retain its effectiveness, however, if the security administrator takes the time to regularly update the definition database on the firewall, either through subscriptions or manually. In most cases, antivirus software in the firewalls is not, and should not be, a replacement for system resident antivirus.

  • Misuse—Misuse by insiders is another hard problem for a firewall, because employees already have a higher level of access to the systems than outsiders do. Combine that access with an employee's willingness to disregard company rules against bringing in software from home or downloading it from the Internet, and you have a recipe for disaster. A firewall filters traffic; it cannot judge intent.

  • Secondary connections—In some situations a second path into the network exists, and this is a major problem. For example, a firewall may be in place, but if an employee can unplug the phone line from the fax machine, connect it to a modem in a desktop that is also plugged into the LAN, and leave the modem answering, the employee has opened a path into the network that bypasses the firewall entirely. An unmanaged wireless access point plugged into a wall jack has the same effect.

  • Social engineering—Suppose a network administrator gets a call from someone claiming to work for the Internet service provider that serves the administrator's network, and the caller wants to know about the company's firewalls. If the administrator hands out the information without verifying the caller's identity and confirming a genuine need to know, the firewalls lose much of their effectiveness: the attacker now knows what to avoid or how to route around them.

  • Poor design—If the firewall design or rule base has not been well thought out, or the device has been implemented carelessly, the net result is a firewall that is less like a wall and more like Swiss cheese. Always ensure that the firewall is built from, and kept in line with, the organization's security policy and practices.

Implementing a Firewall

There are many different options for installing firewalls, and understanding each way is key to getting the correct deployment for your organization. The following describes different options for firewall implementation:

  • Single packet filtering device—In this setup, the network is protected by a single packet filtering device configured to permit or deny access. Figure 15-4 illustrates this setup.

  • Multi-homed device—This device has multiple network interfaces and uses rules to determine how packets will be forwarded between interfaces. Figure 15-5 illustrates a multi-homed device.

  • Screened host—A screened host is a setup where the network is protected by a device that combines the features of a proxy server with packet filtering. Figure 15-6 illustrates a screened host.

  • Demilitarized zone (DMZ)—A region of the network, or zone, that is sandwiched between two firewalls. In this type of setup, the DMZ hosts the publicly available services. Figure 15-7 illustrates a DMZ.

Figure 15-4. Single packet filtering device.

Figure 15-5. Multi-homed device.

Figure 15-6. Screened host.

Figure 15-7. A DMZ.

In an organization, some services such as a Web server, DNS, or another resource may need to be reachable from outside the network. By its very nature this makes those systems more exposed to attack, because the outside world can connect to them. A DMZ allows that outside access while still providing some protection. The outer firewall permits only the specific services the DMZ hosts are meant to offer (for example, TCP ports 80 and 443 to the Web server), and the inner firewall blocks traffic from the DMZ into the internal network, or restricts it to the specific internal hosts and ports the DMZ systems genuinely need (a Web server reaching one database server, for instance). Even if an attacker compromises a host in the DMZ, the internal network is not directly reachable from it.

To appreciate the utility of a DMZ, consider the situation without it. With a single firewall, the publicly accessible resources would sit on the internal network, so anyone outside who compromised one of them would in effect be on the internal network. Conversely, if the resources were moved outside the firewall, there would be little if any protection for them, since access to them could not be controlled.

Authoring a Firewall Policy

Before you charge out and put a firewall in place, you need a plan that defines how you will configure the firewall and what is expected. This is the role of policy. The policy you create will be the blueprint that dictates how the firewall is installed, configured, and managed. It will make sure that you are addressing the correct problems in the right way and that nothing unexpected is occurring.

For a firewall to be correctly designed and implemented, the firewall policy must be in place ahead of time. The firewall policy represents a small subset of the overall organizational security policy: it fits into the company's security policy, upholds the organization's security goals, and enforces and supports those goals through the firewall device.

The firewall policy you create will usually approach the problem of controlling traffic in and out of an organization in one of two ways. The first option is to implicitly allow everything and explicitly deny only those things you do not want. The other is to implicitly deny everything and allow only those things you know you need. The two options represent drastically different ways of configuring the firewall: in the first you are allowing everything unless you say otherwise, while in the second nothing is allowed unless you explicitly say so. The second is far more secure by default.

Consider the option of implicit deny, the viewpoint that all traffic is denied except what has been explicitly identified as allowed. In the long run this usually turns out to be much easier for the network or security administrator as well. Under implicit allow, you would have to enumerate every port a Trojan might listen on and every protocol you do not want, write a rule to block each of them, and keep that list current forever; anything you miss is permitted. Under implicit deny, you list the services and applications your users are permitted to use, grant those explicitly, and everything else, including the threat you have not heard of yet, is blocked by default.

There are many different ways to approach the creation of firewall policy, but the ones that tend to be used the most are known as Network Connectivity Policy, the Contracted Worker Statement, and the Firewall Administrator Statement.

Network Connectivity Policy

This portion of the policy covers the types of devices and connections that are permitted to be connected to the company-owned network. You can expect to find information relating to the network operating system, types of devices, device configuration, and communication types.

This policy arguably has the biggest impact on the effectiveness of the firewall; this section is defining permitted network traffic and the shape it will take.

Included in this policy can be the following:

  • Network scanning is prohibited except by approved personnel such as those in network management and administration.

  • Certain types of network communication are allowed, such as FTP, together with the list of FTP sites that may be accessed.

  • Users may access the Web on ports 80 and 443 (HTTP and HTTPS) as required.

  • Users may access e-mail on port 25 as required.

  • Users may not access Network News Transfer Protocol (NNTP) on any port.

  • Users may not run any form of chat software to the Internet, including, but not limited to, AOL Instant Messenger, Yahoo Chat, Internet Relay Chat (IRC), ICQ, and Microsoft Network (MSN) Chat.

  • Antivirus software must be installed and running on all computers.

  • Antivirus updates are required on all computers.

  • Antivirus updates are required on all servers.

  • No new hardware may be installed in any computer by anyone other than the network administrators.

  • No unauthorized links to the Internet from any computer are allowed under any circumstances.

This list is meant only to illustrate what you may find in these policies, but in practice you can expect to see a much longer and more complex list that will vary depending on the organization.

Contracted Worker Statement

This next policy tends to be of use in larger organizations with large numbers of contracted or temporary workers. These workers often have connectivity requirements that differ from those of regular staff: some need only occasional access to a few resources, others need broad access for a short time, and neither profile fits the standard employee rules.

Some examples of items in the contracted worker statement portion of the policy are:

  • No contractors or temporary workers shall have access to unauthorized resources.

  • No contractor or temporary worker shall be permitted to scan the network.

  • No contractor or temporary worker may use FTP unless specifically granted permission in writing.

Firewall Administrator Statement

Some organizations may not have a policy for the firewall administrator, but it is not unheard of to have one. If yours is one that will require such a statement, the following are some examples that may be contained in a firewall policy:

  • The firewall administrator should be thoroughly trained on the firewall in use.

  • The firewall administrator must be aware of all the applications and services authorized to access the network.

  • The firewall administrator will report to an entity such as the Chief Information Officer.

  • There will be a procedure in place for reaching the firewall administrator in the event of a security incident.

It is probably obvious that the firewall administrator is a clearly defined job role that will require the proper rules and regulations placed upon it. It is not uncommon for some organizations to have such a policy, but others will not. It can be a benefit in a large organization to know these items, and to have them written in the policy.

Firewall Policy

A firewall isn't just configured the way the administrator happens to want; it requires a policy that is followed consistently. A firewall policy lays out the rules on what traffic is allowed and what is not. The policy specifically defines the IP addresses, address ranges, protocol types, applications, and other content that will be evaluated and granted or denied access to the network. It gives detailed information on this traffic and is used as the template for what to configure on the firewall. The policy also provides guidance on how changes to traffic and requirements are to be dealt with (how a change to the firewall is initiated, who is responsible, and so on). Finally, the policy states the firewall's default behaviour, and that default should be to deny any traffic not explicitly permitted. This practice, known as implicit deny, decreases the risk of attack and reduces the volume of traffic carried on the organization's networks. Because hosts, networks, protocols, and applications change constantly, implicit deny is a more secure approach than permitting all traffic that is not explicitly forbidden.
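The DMZ layout from the "Implementing a Firewall" section and the implicit-deny policy described here, combined into one runnable rule base. This is an added example, not the book's own code: the addresses (192.0.2.0/24 for the DMZ, 10.0.0.0/8 for the internal network, 198.51.100.9 as an outside host), the rule names and the zone layout are all constructed. Rules are evaluated first-match, so the Web server's single database exception is placed before the blanket "DMZ to internal" deny, and the same rule base is evaluated under both defaults to show what implicit deny buys you.

```python
"""Zone-based firewall policy with an implicit-deny default.

Added example, not from the book. Models the outside / DMZ / internal
layout: the DMZ lives in 192.0.2.0/24 and the internal network in
10.0.0.0/8 (constructed addresses); everything else is "outside".
Rules are evaluated first-match, and a packet that matches nothing gets
the policy's default, which should be deny.
"""
import ipaddress
from dataclasses import dataclass

ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str           # zone name or CIDR
    dst: str           # zone name or CIDR
    proto: str         # "tcp", "udp" or "any"
    dports: frozenset  # empty means any port
    action: str        # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def _selector_matches(selector, ip):
    if selector in ZONES or selector == "outside":
        return zone_of(ip) == selector
    return ipaddress.ip_address(ip) in ipaddress.ip_network(selector)


def rule_matches(rule, pkt):
    return (_selector_matches(rule.src, pkt.src)
            and _selector_matches(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and (not rule.dports or pkt.dport in rule.dports))


def evaluate(policy, pkt, default="deny"):
    """First matching rule wins; otherwise the default applies."""
    for rule in policy:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return default, "default"


# Constructed policy for the two-firewall DMZ described in the text.
# Order matters: the Web server's database exception precedes the blanket
# DMZ -> internal deny, and the admin host's SSH rule is the only path from
# the internal network into the DMZ.
POLICY = [
    Rule("public-web", "outside", "192.0.2.10/32", "tcp", frozenset({80, 443}), "allow"),
    Rule("public-dns", "outside", "192.0.2.53/32", "udp", frozenset({53}), "allow"),
    Rule("web-to-db", "192.0.2.10/32", "10.1.1.10/32", "tcp", frozenset({5432}), "allow"),
    Rule("no-dmz-to-internal", "dmz", "internal", "any", frozenset(), "deny"),
    Rule("admin-ssh-to-dmz", "10.0.0.5/32", "dmz", "tcp", frozenset({22}), "allow"),
    Rule("internal-browsing", "internal", "outside", "tcp", frozenset({80, 443}), "allow"),
]


def default_comparison(pkt):
    """Same rule base, both defaults: shows why implicit deny is safer."""
    return {
        "implicit_deny": evaluate(POLICY, pkt, default="deny"),
        "implicit_allow": evaluate(POLICY, pkt, default="allow"),
    }


if __name__ == "__main__":
    for pkt in [Packet("198.51.100.9", "192.0.2.10", "tcp", 443),
                Packet("198.51.100.9", "192.0.2.10", "tcp", 22),
                Packet("192.0.2.10", "10.1.1.10", "tcp", 5432),
                Packet("192.0.2.10", "10.1.1.10", "tcp", 22),
                Packet("198.51.100.9", "10.0.0.7", "tcp", 445)]:
        print(pkt, evaluate(POLICY, pkt))
    print(default_comparison(Packet("198.51.100.9", "10.0.0.7", "tcp", 445)))
```

The last packet in the demo, an outside host reaching for SMB on an internal workstation, is the case nobody wrote a rule for. Under implicit deny it is dropped by the default; under implicit allow the identical rule base lets it through.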

Honeypots/Honeynets

This section discusses the honeypot, a device that is unique among security devices. A honeypot is a computer configured to attract attackers, much as honey attracts bears. In practice it is placed so that if an attacker gets past the firewall and other security devices, this system acts as a decoy, drawing attention away from more sensitive assets.

Goals of Honeypots

What is the goal of a honeypot? It can be twofold and will vary depending on who is deploying it. The honeypot can act as a decoy that looks attractive enough to an attacker that it draws attention away from another resource that is more sensitive, giving you more time to react to the threat. A honeypot can also be used as a research tool by a company to gain insight into the types and evolution of attacks and give them time to adjust their strategies to deal with the problem.

Note

An attacker who can tell that a system is a honeypot can cause serious problems for a security professional. An attacker who works out what is really going on may be upset or angered by the attempt and attack you more aggressively as a "reward."

The problem with honeypots is that they must look attractive, but not so attractive that an attacker realizes they are being observed and are attacking a noncritical resource. Ideally the attacker views the system as vulnerable and not so out of place that they can detect the ruse. When you configure a honeypot, leave out a patch or two and introduce the kind of minor misconfiguration an administrator might plausibly overlook, the sort of thing an attacker expects to find with a little effort.

A honeypot is a single system put in place to attract an attack and buy you reaction time. Because no legitimate user has any reason to touch it, every connection to it is suspicious by definition, which lets you detect an attack earlier than you otherwise would and shut it down before it reaches production systems.

A honeypot also supports a second goal: logging. By observing the attacks that take place against it, you can build from its logs a picture of the kinds of attacks you face and plan your defenses accordingly.
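The decoy-and-logging behaviour described above, as an added example that is not part of the book: a low-interaction TCP honeypot. It listens on the loopback address, greets each visitor with a fake service banner, records the peer address and the first bytes received, and never executes or interprets anything it is sent. The banner string, the probe payloads and the loopback setup are illustrative; the probe function stands in for an attacker so the listener can be exercised offline. One caveat a practitioner would add to the text: place a real honeypot on an isolated segment with no outbound access, so that a compromised honeypot cannot be used as a pivot into the rest of the network.

```python
"""A low-interaction TCP honeypot.

Added example, not code from the book. It listens on loopback, hands each
visitor a fake service banner, records who connected and what they sent,
and never executes anything it receives. The banner is an illustrative
choice. A real deployment also sits on an isolated segment with no
outbound access, so a compromised honeypot cannot become a pivot.
"""
import socket
import threading
import time
from dataclasses import dataclass

FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"   # looks like an older, tempting service


@dataclass
class Event:
    ts: float
    peer: tuple
    data: bytes


class Honeypot:
    def __init__(self, host="127.0.0.1", port=0, banner=FAKE_BANNER):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))      # port 0: the OS picks a free port
        self._sock.listen(8)
        self._sock.settimeout(0.2)         # so the accept loop can notice stop()
        self.port = self._sock.getsockname()[1]
        self.banner = banner
        self.events = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                client, peer = self._sock.accept()
            except socket.timeout:
                continue
            self._handle(client, peer)

    def _handle(self, client, peer):
        # Send the lure, read at most one buffer of input, log it, close.
        with client:
            client.settimeout(1.0)
            try:
                client.sendall(self.banner)
                data = client.recv(1024)
            except (socket.timeout, OSError):
                data = b""
        with self._lock:
            self.events.append(Event(time.time(), peer, data))

    def wait_for(self, count, timeout=3.0):
        """Block until `count` events are logged or the timeout passes."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.events) >= count:
                    return True
            time.sleep(0.01)
        return False


def alerts(events):
    """Every connection is an alert: no legitimate user has business here."""
    return [f"ALERT {e.peer[0]}:{e.peer[1]} connected, sent {e.data!r}" for e in events]


def probe(port, payload=b"", host="127.0.0.1"):
    """Constructed 'attacker': connect, read the banner, send a payload."""
    with socket.create_connection((host, port), timeout=2) as s:
        banner = s.recv(1024)
        if payload:
            s.sendall(payload)
    return banner


def demo():
    """Run two probes against a fresh honeypot; return banner and events."""
    hp = Honeypot().start()
    try:
        banner = probe(hp.port, b"root:toor\r\n")   # a login attempt
        probe(hp.port)                              # a silent port scan
        hp.wait_for(2)
    finally:
        hp.stop()
    return banner, hp.events


if __name__ == "__main__":
    banner, events = demo()
    print("banner shown to the attacker:", banner)
    print("\n".join(alerts(events)))
```

Note what the listener does not do: it never answers the "login", never runs anything, and closes after one read. The value is entirely in the log, which is why the second probe, a connection that sends nothing, is still recorded as an alert.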

Building on the core goal of a honeypot, which is to look like an attractive target, the next step is a honeynet: it extends the idea from one vulnerable system to a group of vulnerable systems or an entire network, so that an attacker's movement between hosts can be observed as well.

Legal Issues

One of the issues that comes up when discussing honeypots and honeynets is the issue of legality. Basically the question is if you put a honeypot out where someone can attack it and does so, can you prosecute for a crime and would the honeypot be admissible as evidence? Some people feel that this is a cut-and-dried issue of entrapment, but others feel otherwise. Let's look at this a little more closely to understand the issue.

It has been argued that honeypots are entrapment because, by placing one where the public can reach it, you are enticing someone to attack it; at least that is the theory. In practice attorneys have argued this point a handful of times without success, because of precedent from other cases. Consider the police tactic of placing undercover officers on a street corner in the role of a prostitute. The officers simply wait and do not solicit anyone, but when people approach the officer and ask about engaging in an illicit activity, they are arrested. A honeypot is the same situation: no one forces attackers to go after it; the attackers decide to do so on their own.

Role of Controls

Protecting the organization is a matter of a series of controls, a number of which you have already encountered. These controls fit into one of three key areas, each designed to provide one piece of an overall comprehensive solution: administrative, physical, and technical.

Technical, administrative, and physical controls are mechanisms that will work together to provide what is commonly known as defense in depth. This is the key detail: controls working together to ensure that security is maintained. Defense in depth enhances security by layering security measures, as in the design of a castle. A castle has moats, walls, gates, archers, knights, and other defenses—which is what you are looking for with security controls. By combining layers, you gain the advantage of multiple mechanisms to protect your systems. Next you gain the advantage of having a hedge against failure, meaning that if one layer or mechanism fails, you have others to fall back on.

Administrative Controls

Administrative controls are those that fit in the area of policy and procedure. What you will find here are the rules that individuals and the company will follow to ensure a safe and consistently secure working environment. Listed in this section are some of the more common administrative controls that you would expect to see in practice:

  • Implicit deny—Implicit deny is a rule or guideline that dictates that anything not directly addressed in policy is automatically in a default deny state. This means that if you miss a setting or configuration option, in software for example, you default to a state where no access is given. The opposite, where every action is permitted unless explicitly taken away, is much less secure.

  • Least privilege—Least privilege is the rule or guideline that states that individuals will be given only the level of access that is appropriate for their specific job role or function. Anything that individuals do not need to perform their jobs is not given to them.

  • Separation of duties—Separation of duties is a guideline that dictates that a user will never be in a situation where he or she can complete a critical or sensitive task alone. If one individual, for example, has the ability to evaluate, purchase, deploy, and perform other tasks that individual has too much power, which should instead be distributed among multiple people.

  • Job rotation—This is the practice of rotating people periodically between job roles so that no one stays too long in a sensitive role. The idea is to prevent abuse of power and to expose fraudulent behavior, since the successor is likely to notice what the predecessor concealed.

  • Mandatory vacation—This technique is used to put employees on vacation for several days in order to give the company time to detect fraud or other types of behaviors. With an employee gone for several days (usually a period of a work week), the organization's auditors and security personnel can investigate for any possible discrepancies.

  • Privilege management—The process of using authentication and authorization mechanisms to provide centralized or decentralized administration of user and group access control. Privilege management needs to include an auditing component to track privilege use and privilege escalation.

Technical Controls

Working in concert with administrative controls are technical controls that help enforce security in the organization. The technical controls you use will work with your other controls to create a robust security system. While there are a range of technical security controls, a handful stand out as more common than others.

Preventive logical controls include:

  • Access control software

  • Malware solutions

  • Passwords

  • Security tokens

  • Biometrics

  • Antivirus software

Access control software is software designed to control access to and sharing of information and applications. Software in this category can enforce access using one of three methods: discretionary access control (DAC), role based access control (RBAC), and mandatory access control (MAC).

  • DAC—An access method that depends on the owner or author of data to manage security. A prime example of DAC is the use of folder and file permissions. Under DAC the owner/creator of data can grant write, read, and execute permissions as necessary. The advantage of this security management model is that it facilitates a quick and easy way of changing security settings; however, it has the problems associated with being decentralized. The decentralization of security management means that there could be inconsistent application of settings.

  • RBAC—An access control method based on the role that an individual holds within an organization. RBAC excels in environments in which a medium to large pool of users exists. In this access control model users are assigned to roles based on function and these are assigned permissions.

  • MAC—A system in which the system itself, not the owner, assigns labels to subjects and objects and compares them to decide the type and extent of access granted. This kind of access control requires more effort to manage than DAC or RBAC.
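The three models above, side by side in one runnable comparison. This is an added example, not the book's code: the users, files, roles and labels are constructed, and the MAC rules used are the Bell-LaPadula confidentiality rules (no read up, no write down) with categories standing in for need-to-know, which goes a little beyond the text's description of labels.

```python
"""DAC, RBAC and MAC side by side.

Added example, not code from the book. Users, files, roles and labels are
constructed. The MAC rules are the Bell-LaPadula confidentiality rules:
no read up, no write down, with categories for need-to-know.
"""


# --- DAC: the object's owner decides who gets what ---------------------------
class DACObject:
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write", "execute"}}

    def grant(self, actor, user, perms):
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own this object")
        self.acl.setdefault(user, set()).update(perms)

    def check(self, user, perm):
        return perm in self.acl.get(user, set())


# --- RBAC: users hold roles, roles carry permissions ------------------------
class RBAC:
    def __init__(self):
        self.role_perms = {}
        self.user_roles = {}

    def add_role(self, role, perms):
        self.role_perms[role] = set(perms)

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def check(self, user, perm):
        return any(perm in self.role_perms.get(role, ())
                   for role in self.user_roles.get(user, ()))


# --- MAC: the system compares labels; owners cannot override -----------------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def dominates(a, b):
    """Label a = (level, categories) dominates b if its level is at least
    b's and it holds every category b holds."""
    return LEVELS[a[0]] >= LEVELS[b[0]] and set(a[1]) >= set(b[1])


def mac_check(subject, obj, op):
    if op == "read":     # simple security property: no read up
        return dominates(subject, obj)
    if op == "write":    # *-property: no write down
        return dominates(obj, subject)
    raise ValueError(f"unknown operation {op!r}")


def demo():
    results = {}
    # DAC: alice owns a report and shares it read-only with bob.
    report = DACObject("alice")
    report.grant("alice", "bob", {"read"})
    results["dac_bob_read"] = report.check("bob", "read")
    results["dac_bob_write"] = report.check("bob", "write")
    try:
        report.grant("bob", "mallory", {"read"})   # bob is not the owner
        results["dac_bob_can_grant"] = True
    except PermissionError:
        results["dac_bob_can_grant"] = False

    # RBAC: permissions follow the role, not the person.
    rbac = RBAC()
    rbac.add_role("analyst", {"read_logs"})
    rbac.add_role("fw_admin", {"read_logs", "change_rules"})
    rbac.assign("carol", "analyst")
    rbac.assign("dave", "fw_admin")
    results["rbac_carol_change_rules"] = rbac.check("carol", "change_rules")
    results["rbac_dave_change_rules"] = rbac.check("dave", "change_rules")

    # MAC: a SECRET/crypto subject against three labelled objects.
    subj = ("secret", {"crypto"})
    results["mac_read_down"] = mac_check(subj, ("confidential", {"crypto"}), "read")
    results["mac_write_down"] = mac_check(subj, ("confidential", {"crypto"}), "write")
    results["mac_read_up"] = mac_check(subj, ("top_secret", set()), "read")
    results["mac_read_wrong_category"] = mac_check(subj, ("secret", {"nuclear"}), "read")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28} {v}")
```

The contrast the text draws is visible in the demo: under DAC the decision sits with alice, and nobody else can widen access; under RBAC changing what dave may do means changing the role, not the person; under MAC the "write down" attempt fails even though the subject could read the same object, because the label comparison, not any owner, makes the call.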

Malware has become a considerable threat to organizations. Anti-malware solutions are essential tools in protecting the security of an organization, and many organizations are moving toward robust, centrally managed products designed to safeguard against malicious software across every system at once.

Passwords are another technical control; in fact, they may be the most common type of technical control in use. Interestingly enough, it may be the least effective, as users have been known to post passwords on monitors, choose simple passwords, and do other things that make passwords insecure. The idea is to use strong passwords as a preventive technical control. Passwords should be supplemented with other controls and even additional authentication mechanisms such as tokens or biometrics.

Security tokens are devices used to authenticate a user to a system or application. They are typically small hardware devices such as smart cards, key fobs, or cards with a display. Tokens provide an enhanced level of protection because the user must present two forms of authentication, typically the token (something you have) and a password or personal identification number (PIN; something you know), that together identify him or her as the owner of that particular device. If so equipped, the device displays a number that the user types in alongside the PIN; the server, which holds a copy of the token's secret, computes the same number and compares. The displayed number changes at a predefined interval, commonly every 30 or 60 seconds and sometimes longer, so a captured code is useless once the interval has passed.

These devices can be used by themselves, but they are frequently used in conjunction with other controls such as passwords.
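How the number on the token's display is actually produced, as an added example that is not from the book. The construction is the standard HOTP/TOTP algorithm (RFC 4226 and RFC 6238): an HMAC over a counter, truncated to a few digits, with the counter derived from the clock for time-based tokens. The secret used in the demo is the published RFC test key, chosen only so the results can be checked against the RFC tables; the PIN handling in two_factor_login is a constructed illustration of combining the token code with something the user knows.

```python
"""How a one-time-code token computes the number on its display.

Added example, not code from the book. This is the HOTP/TOTP construction
(RFC 4226 / RFC 6238): an HMAC over a counter, truncated to a few digits.
Hardware tokens keep the secret inside the device; the server keeps a copy
and runs the same computation. The demo secret is the RFC test key, not a
value to deploy.
"""
import hashlib
import hmac
import struct
import time

DEMO_SECRET = b"12345678901234567890"   # RFC 4226/6238 test vector key


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """HMAC the 8-byte big-endian counter, dynamically truncate, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """Time-based variant: the counter is the number of `step`-second
    intervals since the Unix epoch, so the code changes every `step` seconds."""
    t = int(time.time() if at_time is None else at_time)
    return hotp(secret, t // step, digits)


def verify(secret, code, at_time=None, step=30, digits=6, window=1):
    """Server-side check. `window` neighbouring intervals are accepted to
    tolerate clock drift between token and server; compare in constant time."""
    t = int(time.time() if at_time is None else at_time)
    counter = t // step
    return any(hmac.compare_digest(hotp(secret, c, digits), code)
               for c in range(counter - window, counter + window + 1))


def two_factor_login(secret, pin, code, expected_pin, at_time=None):
    """Something you know (PIN) plus something you have (the token's code)."""
    pin_ok = hmac.compare_digest(pin, expected_pin)
    code_ok = verify(secret, code, at_time=at_time)
    return pin_ok and code_ok


if __name__ == "__main__":
    print("HOTP counter 0..2:", [hotp(DEMO_SECRET, c) for c in range(3)])
    print("TOTP at t=59, 8 digits:", totp(DEMO_SECRET, at_time=59, digits=8))
    print("current 6-digit code:", totp(DEMO_SECRET))
```

Two details matter in practice. The window in verify is what makes a token usable when its clock has drifted by a few seconds, but every extra interval accepted is another valid code for an attacker to guess, so keep it small. And because the server holds the same secret as the token, that server-side store is as sensitive as a password database.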

Biometrics is another type of access control mechanism. It provides the ability to measure the physical characteristics of a human being. Characteristics measured here include fingerprints, handprints, facial recognition, and similar methods.

Data backup is another form of control that is commonly used to safeguard assets. Never overlook the fact that backing up critical systems is one of the most important tools that you have at your disposal. Such procedures provide a vital protection against hardware failure and other types of system failure.

Not all backups are created equal and the right backup makes all the difference:

  • Full backups are the complete backups of all data on a volume; they typically take the longest to run.

  • Incremental backups copy only the files that have changed since the last backup of any kind, full or incremental. The advantage is that each backup is small and fast. The disadvantage shows up at restore time: rebuilding a system requires the last full backup plus every incremental taken since, applied in order, and a single missing or corrupt link in that chain loses the changes it held.

  • Differential backups copy everything that has changed since the last full backup. Each differential grows through the cycle, so the backups are larger than incrementals, but a restore needs only the last full backup plus the most recent differential, which makes recovery faster and simpler.
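The three strategies above run against one constructed week of file changes, as an added example that is not from the book. The simulation counts how many file copies each strategy makes over the week, which backups a restore has to replay, and what happens when one incremental in the chain is missing. File names, days and the change history are all made up for the illustration.

```python
"""Full, incremental and differential backups compared.

Added example, not code from the book. A constructed week of file changes
is backed up under each strategy; the simulation shows how much each day's
backup copies, which backups a restore must replay, and what goes wrong if
one link of an incremental chain is missing.
"""

# Constructed change history: day -> files modified that day.
CHANGES = {
    "mon": {"a", "b", "c", "d"},   # Monday: everything is new, first (full) backup
    "tue": {"a"},
    "wed": {"b"},
    "thu": {"a", "c"},
    "fri": {"d"},
}


def simulate(changes, strategy):
    """Return (backups, restore_chain, live_state).

    backups: day -> {file: version copied}; a version is the day the file
    was last modified. The first day is always a full backup."""
    days = list(changes)
    live = {}               # file -> day of its latest change
    backups = {}
    since_full = set()
    for i, day in enumerate(days):
        for f in changes[day]:
            live[f] = day
        if i == 0 or strategy == "full":
            backups[day] = dict(live)                            # every file
            since_full = set()
        elif strategy == "incremental":
            backups[day] = {f: live[f] for f in changes[day]}   # since last backup
        elif strategy == "differential":
            since_full |= changes[day]
            backups[day] = {f: live[f] for f in since_full}     # since last full
        else:
            raise ValueError(strategy)
    chain = {
        "full": [days[-1]],
        "incremental": days,
        "differential": [days[0], days[-1]],
    }[strategy]
    return backups, chain, live


def restore(backups, chain):
    """Replay backups in order; later copies overwrite earlier ones."""
    result = {}
    for day in chain:
        result.update(backups[day])
    return result


def summarize(changes=CHANGES):
    out = {}
    for strategy in ("full", "incremental", "differential"):
        backups, chain, live = simulate(changes, strategy)
        out[strategy] = {
            "copied": sum(len(b) for b in backups.values()),  # file-copies over the week
            "chain": chain,
            "restore_ok": restore(backups, chain) == live,
        }
    return out


if __name__ == "__main__":
    for strategy, info in summarize().items():
        print(f"{strategy:12} copies={info['copied']:2}  restore from {info['chain']}")
    backups, chain, live = simulate(CHANGES, "incremental")
    print("incremental restore missing 'thu':",
          restore(backups, [d for d in chain if d != "thu"]))
```

The numbers make the trade-off concrete: full copies the most and restores from one backup, incremental copies the least and restores from five, differential sits between. The last print shows the failure mode the text warns about: drop Thursday's incremental and the restored copies of a and c silently come back at their Tuesday and Monday versions.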

Physical Controls

Physical security controls represent one of the most visible forms of security controls. Controls in this category include barriers, guards, cameras, locks, and other types of measures. Ultimately physical controls are designed to more directly protect the people, facilities, and equipment than the other types of controls do.

Some of the preventative security controls include the following:

  • Alternate power sources—Items such as backup generators, uninterruptible power supplies (UPSs), and other similar devices

  • Flood management—Includes drains, ducting, and other mechanisms designed to quickly evacuate water from an area

  • Fences—Structures that are designed to prevent access to sensitive facilities either as a simple deterrent or as an imposing physical barrier

  • Human guards—Placing the human element onsite around sensitive areas with the intention of providing an element of intelligence and the ability to react to unanticipated situations

  • Locks—Devices placed in locations to prevent easy access to areas that are sensitive in nature

  • Fire suppression systems—Covers devices such as sprinklers and fire extinguishers designed to suppress or lessen the threat of fires

  • Biometrics—Often used in conjunction with locks to regulate physical access to a location.

  • Location—Location provides some measure of protection by ensuring that facilities are not located where they may be prone to threats such as fire or flood. Also addresses issues of placing facilities or assets in locations where they may not easily be monitored.

Generally you can rely on your power company to provide your organization power that is clean, consistent, and adequate, but this isn't always the case. Anyone who has worked in an office building has noticed a light flicker, if not a complete blackout. Alternate power sources safeguard against these problems to different degrees.

Hurricane Katrina showed us how devastating a natural disaster can be, but the disaster wasn't just the hurricane; it was the flood that came with it. You can't necessarily stop a flood, but you can exercise flood management strategies to soften the impact. Choosing a facility in a location that is not prone to flooding is one option that you have available. Having adequate drainage and similar measures can also be of assistance. Finally, mounting items such as servers several inches off of the floor can be a help as well.

Fences are a physical control that represents a barrier that deters casual trespassers. While some organizations are willing to install tall fences with barbed wire and other features, it is not always the case. Typically the fence will be designed to meet the security profile of the organization, so if your company is a bakery instead of one that performs duties vital to national security, the fence design will be different as there are different items to protect.

Guards provide a security measure that can react to the unexpected as the human element is uniquely able to do. When it comes down to it, technology can do quite a bit, but it cannot replace the human element and brain. Additionally, once an intruder makes the decision to breach security, guards are a quick responding defense against them actually reaching critical assets.

The most common form of physical control is the ever-popular lock. Locks can take many forms including key locks, cipher locks, warded locks, and other types of locks—all designed to secure assets.

Fire suppression is a physical, preventative security measure. It cannot keep a fire from starting, but it can keep one from causing substantial damage to equipment, facilities, and personnel.

CHAPTER SUMMARY

One of the challenges you are going to face is verification. The tools you use can do their job, but you need to be able to confirm that they are always functioning as designed. The controls you put in place today may not be equipped to deal with the problems that arise tomorrow. Additionally, your network and the infrastructure that it comprises will become more complex as larger numbers of employees go mobile and use advanced connection techniques such as VPNs.

All this complexity makes managing the security, while maintaining the usability and capability of the network, much more difficult than it would be otherwise. For all these systems to work together effectively, a certain level of trust must be built into the system, meaning that one system gives a certain level of credibility to another system. These points are things that you must consider in order to properly secure your network.

Securing your network and infrastructure requires a mix of capabilities and techniques, some of which have been introduced in this course. In the past, quite a bit of effort was focused on the prevention of an attack, but what about those times where a new or unanticipated attack gets through your defenses? Sure, you can prevent an attack by using firewalls, policies, and other technologies, but there are other things that can help. That's where detection comes into play and where devices and technologies such as the IDS and honeypots can assist you.

KEY CONCEPTS AND TERMS

  • Anomaly detection

  • Honeynet

  • Honeypot

  • Host-based intrusion detection system (HIDS)

  • Intrusion

  • Intrusion detection

  • Misuse

  • Misuse detection

  • Network-based intrusion detection system (NIDS)

  • Signature analysis

CHAPTER 15 ASSESSMENT

  1. HIDS can monitor network activity.

    1. True

    2. False

  2. A(n) _______ monitors activity on one host, but cannot monitor an entire network.

    1. NIDS

    2. Firewall

    3. HIDS

    4. DMZ

  3. A(n) _______ has the ability to monitor network activity.

    1. NIDS

    2. HIDS

    3. Firewall

    4. Router

  4. _______ can monitor changes to system files.

    1. Hashes

    2. HIDS

    3. NIDS

    4. Router

  5. Signature-based IDSs look for known attack patterns and types.

    1. True

    2. False

  6. Anomaly-based IDSs look for deviations from normal network activity.

    1. True

    2. False

  7. An IPS is designed to look for and stop attacks.

    1. True

    2. False

  8. What is used to monitor an NIDS?

    1. Console

    2. Sensor

    3. Network

    4. Router

  9. What are deployed to detect activity on the network?

    1. Console

    2. Sensors

    3. Network

    4. Router

  10. _______ can only monitor an individual network segment.

    1. HIDS

    2. NIDS

    3. NAT

    4. Sensors
