Saturday, January 26, 2013

Defense in Depth Layer 5: Host Security


"We have only two modes - complacency and panic."
— James R. Schlesinger



The host layer of security focuses on keeping host operating systems and workstations secure.   A host is any device/computer/server with a unique Internet Protocol (IP) address that is interlinked with another machine through an Internet connection.  Security at this layer is especially challenging as these devices are designed to multitask and interact with multiple applications and services simultaneously.  The following is a list of measures to support host security.

1. Host Vulnerability Assessment and Management
Host-based scanners can recognize system-level vulnerabilities including incorrect file permissions, registry permissions, and software configuration errors.  They also ensure that target systems comply with predefined company security policies.  

2. Host-Based IDS/IPS
Host-based intrusion detection systems (HIDS) consist of software agents installed on individual computers within the system.  A HIDS analyzes traffic to and from the specific computer on which it is installed.  It can monitor activities that only an administrator should be able to perform.  It is also able to monitor changes to key system files and any attempt to overwrite them, and to prevent Trojan or backdoor installation.
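As an added illustration of the "changes to key system files" check a HIDS performs (example code written for this post, not from the original, and not any particular HIDS product), the snippet below builds a SHA-256 baseline of a set of files and reports what was modified, added or removed in a later snapshot. The file paths and contents are constructed in memory so the example runs anywhere; snapshot_from_disk shows how the same comparison would be fed from real files.

```python
import hashlib
from typing import Dict, Iterable

# Constructed sample: path -> file bytes, standing in for the key files a HIDS watches.
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/usr/bin/ls": b"\x7fELF (constructed placeholder bytes)",
}


def hash_files(files: Dict[str, bytes]) -> Dict[str, str]:
    """Return a baseline mapping each path to the SHA-256 of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, list]:
    """Classify differences between a stored baseline and a fresh snapshot."""
    report = {"modified": [], "added": [], "removed": []}
    for path, digest in current.items():
        if path not in baseline:
            report["added"].append(path)
        elif baseline[path] != digest:
            report["modified"].append(path)
    report["removed"] = [p for p in baseline if p not in current]
    for key in report:
        report[key].sort()
    return report


def snapshot_from_disk(paths: Iterable[str]) -> Dict[str, str]:
    """Hash real files on a host; unreadable or missing files are left out so they show as removed."""
    result = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                result[path] = hashlib.sha256(fh.read()).hexdigest()
        except OSError:
            pass
    return result


if __name__ == "__main__":
    baseline = hash_files(BASELINE_FILES)
    tampered = dict(BASELINE_FILES)
    tampered["/etc/ssh/sshd_config"] = b"PermitRootLogin yes\n"   # simulated change to a watched file
    tampered["/usr/lib/unexpected.so"] = b"constructed new file"   # simulated unexpected addition
    print(compare(baseline, hash_files(tampered)))
```

In practice the baseline is stored somewhere the monitored host cannot rewrite, otherwise an intruder who can alter the files can also alter the record of them.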

Host-based intrusion prevention systems (HIPS) are used to protect servers and workstations through software that runs between the system's applications and operating system.  The software is preconfigured to determine the protection rules based on intrusion and attack signatures.  The HIPS will catch suspicious activity on the system and will either block or allow the event depending on predefined rules.  It also monitors activities including application or data requests, network connection attempts, and read/write attempts.

3. Access Control and Authentication
Host-based access control grants or denies access depending on the IP address of the machine that requested access.  This system is the least intrusive to users because access is granted on the basis of the machine address.  User authentication allows access control on an individual user basis by utilizing user and password lists to provide the necessary authentication.

4. Host-Based Anti-Virus Protection
Anti-virus protection should ensure that updates to the required signature files for addressing new forms of malware are delivered as soon as possible.  A signature file contains information that anti-virus programs use to detect malware during a scan.  Signature files are designed to be regularly updated by the anti-virus application vendors and downloaded to the client computer.

5. Host-Based Firewall
Host-based firewalls can be used to reduce the attack surface on servers as well as to remove unwanted services and applications.  Host-based firewalls control incoming and outgoing network traffic on individual hosts.  The firewalls check each packet's source, destination address, port, type, etc., and then determine whether to allow them into the machine.  Host-based firewall software must be enabled and configured to block all inbound traffic that is not clearly required for the intended use of the device.

6. Host Hardening
Host hardening works with intrusion detection and is an important part of a secure architecture. It is especially important when it comes to public-facing or Internet-enabled servers such as email, web, or DNS servers.  The main function of host hardening is to harden key servers to ensure the confidentiality and integrity of the systems.  Host hardening measures include:  disabling unused services and user accounts, tightening security settings of required services and file systems, replacing vulnerable services with more secure alternatives, and removing unused tools, libraries, and files.

7. Port Control
It is important to block any unnecessary ports, restrict access to necessary ports whenever possible, and audit open ports to determine if required ports are being abused or if unnecessary ports have been opened.
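The port audit described above can be scripted. The example below is added here and is not from the original post: it parses the listening-socket output of `ss -tlnp` (a constructed sample is embedded so it runs offline) and checks each listener against an allowlist of required ports and the process expected to own them. Listeners bound only to loopback are reported separately, since they are not reachable from the network but still need a justification.

```python
import re
from typing import Dict, List

# Constructed sample of `ss -tlnp` output (listening TCP sockets) from a web server host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*     users:(("nginx",pid=1204,fd=6))
LISTEN 0      128        127.0.0.1:3306       0.0.0.0:*     users:(("mysqld",pid=990,fd=20))
LISTEN 0      128          0.0.0.0:5900       0.0.0.0:*     users:(("x11vnc",pid=2231,fd=4))
"""

# State, queues, local addr:port, peer addr:port, then the optional process column.
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+users:\(\("([^"]+)")?')


def parse_listeners(ss_output: str) -> List[dict]:
    """Turn ss output into records of bind address, port and owning process."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append({"addr": m.group(1), "port": int(m.group(2)), "proc": m.group(3) or "?"})
    return listeners


def audit_ports(ss_output: str, required: Dict[int, str]) -> Dict[str, List[str]]:
    """Classify every listener against the allowlist {port: expected process name}."""
    report = {"required": [], "unexpected": [], "loopback_only": [], "wrong_process": []}
    for l in parse_listeners(ss_output):
        label = f"{l['addr']}:{l['port']} ({l['proc']})"
        if l["addr"] in ("127.0.0.1", "::1"):
            report["loopback_only"].append(label)
        elif l["port"] not in required:
            report["unexpected"].append(label)
        elif required[l["port"]] != l["proc"]:
            report["wrong_process"].append(label)   # right port, but not the service we expect
        else:
            report["required"].append(label)
    return report


if __name__ == "__main__":
    # Allowlist for this constructed host: SSH for administration and HTTPS for the web service.
    for category, items in audit_ports(SAMPLE_SS_OUTPUT, {22: "sshd", 443: "nginx"}).items():
        print(category, items)
```

On a real host, feed the function the output of `ss -tlnp` run as root so that the process column is populated; without it the process shows as `?` and the wrong-process check cannot run.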

8. Patch and Security Update Management
It is important to keep up to date on all security related patches and updates. The most commonly exploited security vulnerabilities are widely known and already have patches and updates which address them.  The expected result is to reduce the time and money spent dealing with vulnerabilities and their exploitation.

9. Logging and Auditing
Critical areas of the host can be logged, and the logs can be audited for any unusual activity.  As hosts communicate with each other, the transferred packets are logged to the system log.  Logged information can be monitored for traffic analysis and debugging assistance.
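As a worked example of auditing a host log for unusual activity (added for this post; the log lines are constructed, not taken from any real system), the code below summarizes sshd failures in a syslog-style auth log by source address and flags the sources a reviewer would escalate: many failures, or failures against several accounts from a source that also authenticated successfully.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample of sshd entries from a syslog-style auth log (documentation IP ranges).
SAMPLE_AUTH_LOG = """\
Jan 26 09:01:10 web1 sshd[2301]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
Jan 26 09:01:12 web1 sshd[2303]: Failed password for invalid user test from 198.51.100.7 port 50123 ssh2
Jan 26 09:01:15 web1 sshd[2305]: Failed password for root from 198.51.100.7 port 50124 ssh2
Jan 26 09:01:17 web1 sshd[2307]: Failed password for invalid user oracle from 198.51.100.7 port 50125 ssh2
Jan 26 09:02:40 web1 sshd[2310]: Failed password for jen from 203.0.113.5 port 41002 ssh2
Jan 26 09:02:48 web1 sshd[2312]: Accepted publickey for jen from 203.0.113.5 port 41003 ssh2
Jan 26 09:03:01 web1 sshd[2315]: Failed password for root from 198.51.100.7 port 50126 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")


def summarize_auth_log(log_text: str) -> Dict[str, dict]:
    """Group sshd events by source: failure count, distinct usernames tried,
    and whether the same source also authenticated successfully."""
    sources = defaultdict(lambda: {"failures": 0, "users": set(), "accepted": False})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            sources[m.group(2)]["failures"] += 1
            sources[m.group(2)]["users"].add(m.group(1))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            sources[m.group(3)]["accepted"] = True
    return dict(sources)


def flag_sources(summary: Dict[str, dict], threshold: int = 4) -> List[str]:
    """Return sources that reached the failure threshold, or that tried several
    accounts and still got in; both are worth a human look."""
    flagged = []
    for src, info in summary.items():
        if info["failures"] >= threshold or (len(info["users"]) > 1 and info["accepted"]):
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarize_auth_log(SAMPLE_AUTH_LOG)
    for src in flag_sources(summary):
        print(src, summary[src]["failures"], sorted(summary[src]["users"]))
```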

10. Lockdown Mode
Lockdown mode is a security setting used to disable direct user access to a host.  When direct user access is disabled, the host must be managed from the server.  This ensures that the security policies and access controls defined on the server are always enforced, and users are not able to bypass security by logging into the host directly.

Next time, we’ll continue the Defense in Depth journey by discussing application layer security.

Thanks for reading!

Jen

Monday, January 21, 2013

Defense in Depth Layer 4: Internal Network Security


"Do not figure on opponents not attacking; worry about your own lack of preparation."
- Book of the Five Rings



This is the sixth post in the series/semester.  The next step in our journey through the Defense in Depth model of security is the internal network.  Internal network security deals with authenticating network users, authorizing access to the network resources, and protecting the information that flows over the network.  There are various tools here to protect the network from potential attackers and traffic that should not be there.  The following is a list of key elements for internal network security.

1. Vulnerability Assessment and Management
Network services should be assessed and tested for vulnerabilities on a regular basis.  The purpose is to discover possible attack vectors to each host and device on the network and to address them in a way that makes an attack more difficult.

2. Network Segmentation
The process of network segmentation splits the network into sub-networks or network segments.  Network segments are created to control the flow of traffic between hosts on different segments.  In addition to improving performance by reducing congestion and containing network problems, segmenting the network improves security by ensuring that only appropriate traffic is forwarded between segments and that the internal network structure is not visible from the outside.

3. Network-Based IDS/IPS
The internal network layer, like the perimeter layer, works in conjunction with IDS/IPS.  As we discussed in the last blog post, the intrusion detection system is in place to identify and proactively respond to problems, while the intrusion prevention system allows for an automated response to potential security breaches.

4. Internet Protocol Security (IPSec)
IPsec is a set of protocols for securing IP communications by authenticating and encrypting each IP packet of a communication session.  IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and for negotiating the cryptographic keys to be used during the session.  It can be used to protect data flows between a pair of security gateways (network-to-network) or between a security gateway and a host (network-to-host).

5. Network Access Control (NAC)
NAC restricts the availability of network resources to endpoint devices that comply with a defined security policy.  NAC restricts the data that each individual user can access and can also implement anti-threat applications such as firewalls, anti-virus software, and spyware-detection programs.  NAC also regulates and restricts the things individual subscribers can do once they are connected.

6. Access Control and Authentication
Access control is the means of controlling what a user or device can and cannot access.  Authentication is the method used to identify a user or device.  Access control and authentication measures have evolved to include ID and password, digital certificates, security tokens, smart cards, and biometrics.  Access control lists (ACLs) block traffic and ensure that only specified IP addresses can access systems and services.

7. Network-Based Anti-Virus Protection
Network-based anti-virus software can eliminate viruses and worms before they reach other layers.

8. Network Communication Encryption
Encryption can defend network communications in three ways:
-An encrypted link can be constructed so that a third party cannot see its contents while data is in transit.
-An encrypted link can be constructed so that data cannot be modified while it is in transit without the modifications being detected.
-An encrypted link can be constructed to ensure the sender’s identity.

9. Network Analytics and Monitoring
Network traffic flow can be analyzed to determine patterns and identify potential risks.  This can be done through packet sampling, port scanning, behavior anomaly tracking, threat detection, rogue traffic quarantine, and network event management.

Next time, we’ll discuss security at the host layer.  

Thanks for reading!

Jen



Monday, January 14, 2013

Defense in Depth Layer 3: Perimeter Security


“Hardware is easy to protect: lock it in a room, chain it to a desk, or buy a spare. Information poses more of a problem. It can exist in more than one place, be transported halfway across the planet in seconds, and be stolen without your knowledge.” — Bruce Schneier

Image retrieved from v3.co.uk


The perimeter of the network is the part that touches the outside world.  Therefore, it is essential to strengthen defenses along the edges of the network to promote comprehensive protection.  The perimeter is the network's border where data flows in from, and out to, other networks, including the Internet.  Perimeter defense allows authorized data to enter while blocking suspicious traffic, and it is handled by several different components, outlined below.

1. Border Router
The border router is the last controllable router before an untrusted or external network, e.g. the Internet.  Since all Internet traffic passes through the border router, it is a practical place for filtering.  It is the first and last line of defense.

2. Demilitarized Zone (DMZ)
A DMZ is a small network that provides public services with low security.  It is a neutral area created outside the firewall, between a company's network and an external network, e.g. the Internet.  A web server, for example, might be placed there rather than behind the firewall because of the traffic it generates or because it needs less protection.

3. Firewall
A firewall is a chokepoint device that decides which traffic is permitted and which is denied.  For perimeter defense, firewalls are available as software (installed inside a router) or as standalone hardware appliances.  A firewall can provide services such as the following:
-Stateful packet inspection – analyzes transactions to ensure inbound packets were requested
-Packet filtering – blocks data from specified IP addresses and ports
-Network Address Translation (NAT) – presents a single IP address representing multiple internal IP addresses to the outside world
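To make the stateful inspection and packet filtering points above concrete, here is a small simulation added for this post (not from the original, and not a real firewall): it keeps a connection table so that an inbound packet is accepted only when it answers a connection the inside opened or starts a connection to a published service, and it drops traffic to or from a blocklist. NAT is left out; the addresses, ports and the published service are constructed.

```python
from dataclasses import dataclass
from typing import Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""        # "SYN" marks a new connection attempt, "" any later packet
    inbound: bool = True   # True when the packet arrives from the untrusted side


class StatefulFilter:
    """Toy perimeter filter: default-deny inbound, allow replies to outbound
    connections, enforce an address blocklist, and expose only published services."""

    def __init__(self, blocked_ips: Set[str], published: Set[Tuple[str, int]]):
        self.blocked_ips = blocked_ips
        self.published = published   # (internal host, port) pairs reachable from outside
        # Connection table keyed as (internal host, internal port, external host, external port).
        self.state: Set[Tuple[str, int, str, int]] = set()

    def decide(self, p: Packet) -> str:
        if not p.inbound:
            if p.dst in self.blocked_ips:
                return "DROP: destination on blocklist"
            self.state.add((p.src, p.sport, p.dst, p.dport))   # remember so replies get through
            return "ALLOW: outbound"
        if p.src in self.blocked_ips:
            return "DROP: source on blocklist"
        if (p.dst, p.dport, p.src, p.sport) in self.state:
            return "ALLOW: reply to established connection"
        if p.flags == "SYN" and (p.dst, p.dport) in self.published:
            self.state.add((p.dst, p.dport, p.src, p.sport))
            return "ALLOW: new connection to published service"
        return "DROP: unsolicited inbound"


if __name__ == "__main__":
    fw = StatefulFilter(blocked_ips={"198.51.100.9"}, published={("10.0.0.5", 443)})
    print(fw.decide(Packet("10.0.0.7", 51000, "192.0.2.10", 80, "SYN", inbound=False)))
    print(fw.decide(Packet("192.0.2.10", 80, "10.0.0.7", 51000)))          # reply: allowed
    print(fw.decide(Packet("203.0.113.4", 4444, "10.0.0.7", 22, "SYN")))   # unsolicited: dropped
```

A real stateful firewall also ages entries out of its table and checks TCP sequence numbers; the table here grows without bound and is only meant to show the decision logic.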

4. Intrusion Detection System (IDS)
An IDS is an alarm system that detects malicious and suspicious activities by analyzing network traffic.  If something unusual is detected, the IDS alerts the network administrator to take action to stop the event.  A network-based intrusion detection system is referred to as a NIDS.

5. Intrusion Prevention System (IPS)
An IPS is similar to an IDS, except that the IPS takes automatic and immediate defensive action without requiring action by the network administrator. 

6. Virtual Private Network (VPN)
A VPN provides perimeter security by encrypting the data sent between a business network and remote users over the Internet.  This creates a private tunnel through the Internet.

Perimeter defense measures are designed to fortify the network boundary.  While the components listed above do not constitute an exhaustive list, they give us an idea of what is required for perimeter security.  Once again, it is easy to see how this layer is actually layers within a layer.  These different technologies work in unison to create a protective barrier.  

Next time, we will discuss the internal network layer. 

Thanks for reading!

Jen