comp.org.uk

Networking | Programming | Security | Linux | Computer Science | About

Using a Layered Defense Strategy

At this comparatively early stage in the development of information security, no single security component or method can be expected to ensure complete protection for a network—or even an individual host computer. Instead, you need to assemble a group of methods that work in a coordinated fashion to provide protection against a variety of threats. Even then, it is not realistic to think that all security threats can be stopped. Security is more a state of mind than a tangible, absolute state.

The components and approaches described herein should be arranged to provide layers of network defense. This layering approach to network security is often called defense in depth (DiD). The National Security Agency (NSA) originally designed DiD as a best practices strategy for achieving information assurance.

When beginning with an unprotected system, the first layer of defense added is always the most effective. As more layers are stacked on the first, potential attackers must successfully breach each layer to gain access to the next one. However, adding layers also adds increasing complexity for system administrators. Security enhancements must be balanced against the cost to maintain and monitor defenses. DiD does eventually reach a point where the cost of implementing additional security outweighs the potential benefits.

Another goal of implementing DiD should be to find ways that the security layers can work together, each using data generated by others to enhance the overall effectiveness of the systems.

In general, the layers are as follows. Each layer is discussed in the following sections.

Physical Security

The term physical security refers to measures taken to protect a computer or other network device from theft, fire, or environmental disaster. Examples of physical security include instal- ling computer locks that attach a computer device to a piece of furniture in your office, and keeping critical servers in a room protected by a lock and/or burglar alarm. If the bad guys can touch it, they own it. This statement means that a computer can easily be compromised if a malicious intruder has physical access to it. Within minutes, an attacker can defeat most common physical locks and steal anything from a password file to the whole server. More insidiously, attackers can plant malware that could give them control of the system without the owner’s knowledge.

Authentication and Password Security

After you have physically secured your computers, you can begin to protect them from the inside as well. One simple but reasonably effective strategy is a password security policy, which requires your employees to select good passwords, keep them secure, and change them regularly. Using multiple passwords, including screen-saver passwords and passwords for protecting critical applications, is also a good idea to guard against unauthorized employ- ees gaining control of unattended computers. But, unless password policies are in place to ensure the use of complex passwords and their safekeeping can be enforced through technical means, passwords can become a serious vulnerability. These days, more stringent methods of authentication are becoming common.

Authentication—verifying the identity of a user, service, or computer—uses one of three methods: verifying something the user knows, something the user possesses, or something the user is. In the field of network computing, authentication is performed in one of several ways. Basic authentication involves using something the user knows, such as a username/ password pair. In challenge/response authentication, the authenticating device generates a random code or number (the challenge) and sends it to the user who wants to be authenticated. The user resubmits the number or code and adds a secret PIN or password (the response), or uses a possession such as a smart card to swipe through a card reader.

In large organizations, a centralized server typically handles authentication. The use of biometrics — physical information that identifies a person, such as retinal scans, voiceprints, and fingerprints — is growing in popularity because of the security limitations of relying on username and password combinations alone.

Operating System Security

Another way to secure computers and their data from the inside is by installing operating system (OS) patches that have been issued to address security flaws. It is your responsibility to keep up with patches, hot fixes, and service packs and to test and install them when they become available. In addition, stopping any unneeded services and disabling guest user accounts helps make an OS more secure.

Antivirus Protection

Virus scanning refers to the process of examining files or e-mail messages for filenames, file extensions such as .exe (for executable code) or .zip (for zipped files), and other indications that viruses are present. Many viruses have suspicious file extensions, but some seem innocuous. Antivirus software uses several methods to look for malware, including comparisons to the software’s current signature files, which contain a pattern of known viruses. Signature files are the primary reason for keeping your antivirus software updated; antivirus software vendors frequently create updates and make them available for customers to download. When antivirus software recognizes the presence of viruses, it deletes them from the file system or places them in a storage area called a quarantine where they cannot replicate themselves or do harm to other files.

Firewalls and IDSs, by themselves, are not equipped to scan for viruses and eliminate them. However, many enterprise-level firewalls come with integrated antivirus protection. Antivirus software is a must-have for every computer in a network; if your firewall does not provide antivirus software, you need to install it on the computer that hosts the firewall and on all network computers.

Packet Filtering

Packet filters block or allow the transmission of packets of information based on port, IP address, protocol, or other criteria. Packet filtering can be performed by different types of systems. Some are hardware devices, such as routers and firewalls placed at a network gateway. Others are software programs that can be installed on a gateway or a computer.

Here are a few examples:

Whatever type you use, the packet-filtering device evaluates information in the packet header and compares it to the established rules. If the information corresponds to one of the “allow” rules, the packet is allowed to pass; if the information matches one of the “deny” rules, the packet is dropped.

Firewalls

The foundation for installing and configuring a firewall is your organization’s overall security policy. After you have a solid security policy as your guide, you can design security configurations to support your organization’s goals. Specifically, you can create a packet-filtering rule base for your firewall that reflects your overall approach to network security. Firewalls can be based on either permissive or restrictive policies.

Permissive vs. Restrictive Policies

A firewall, following the direction given in a security policy, typically adopts one of the following general approaches to security:

A firewall should enforce the overall policy established by the network administrator. Enforcement is handled primarily through setting up packet-filtering rules; a rule base con- tains a set of these rules. The order of rules in the rule base is important to how the firewall processes traffic.

Demilitarized Zone (DMZ)

A subnet called a demilitarized zone (DMZ) is a network that sits outside the internal net- work but is connected to the firewall. A DMZ makes services like HTTP (Web server) and FTP (File Transfer Protocol) publicly available, yet protects the internal LAN.

A DMZ might also contain a DNS server that resolves fully qualified domain names to IP addresses. The subnet attached to the firewall and contained in the DMZ is sometimes called a service network or perimeter network.

Intrusion Detection and Prevention System (IDPS)

Ideally, firewalls and proxy servers block intruders or malicious code from entering a net- work. However, using an IDPS with these tools offers an additional layer of protection for a network. An intrusion detection and prevention system (IDPS) works by recognising the signs of a possible attack and sending a notification to an administrator that an attack is under way (intrusion detection). Some traffic can trigger a response that attempts to actively combat the threat (intrusion prevention).

Note that the term intrusion prevention is not precise because there is no known method for preventing all possible intrusions. The signs of possible attacks are commonly called signatures—combinations of IP addresses, port numbers, and the frequency of access attempts.

Virtual Private Networks (VPNs)

Companies that share files or exchange confidential financial information traditionally used expensive leased lines provided by telecommunications companies. Although these lines created a point-to-point connection between company networks and therefore ensured a high level of security, the monthly costs were excessively high for many budget-conscious companies. Today, a more common approach to protecting confidential data in transit is the use of VPNs, which provide a low-cost and secure connection that uses the public Internet.

A virtual private network (VPN) is a network that uses public telecommunications infrastruc- ture, such as the Internet, to provide secure access to corporate assets for remote users. VPNs use authentication to verify users’ identities and encrypt and encapsulate traffic to protect it in transit.

Network Auditing and Log Files

Auditing is the process of recording which computers are accessing a network and what resources are being accessed, and then recording the information in a log file. IT managers often overlook detailed reviews of log files generated by firewalls and IDPS. By reviewing and maintaining log files, you can detect suspicious patterns of activity, such as regular and unsuccessful connection attempts that occur at the same time each day. You can identify those who have attacked your network, or at least gather enough information to begin to identify them. You can set up rules to block attacks and keep your network defense systems up to date by examining attack attempts that have penetrated firewalls and other protective devices. Effective management of log files is an essential activity that goes hand in hand with any perimeter security configuration.

Log File Analysis

If your firewall or IDPS cannot display log files graphically, it is well worth the time to locate and install a compatible product that can.

Configuring Log Files

Typically, the log files compiled by a firewall or IDPS give you different options. You can view active data (data compiled by the firewall as traffic moves through the gateway in real time) or data that the device has recently recorded. You can also view the information in the following ways:

With more elaborate programs, you can customise what you see in log files and search for specific items or events.

Routing and Access Control Methods

Routers at the perimeter of a network are critical to the movement of all network traffic, regardless of whether the traffic is legitimate or harmful. Because routers are positioned on a network’s perimeter, they can be equipped with their own firewall software to perform packet filtering and other functions.

To set up a defense, you need to know what kinds of attacks to expect and which of your services and computers might present openings that can be exploited. Your goal is ensuring that no unauthorized access occurs. You must identify areas that would allow attackers to gain access to your network. An attacker might attempt to access the following open points of entry:

Users must have access to the resources necessary to do their jobs, but unauthorized people must not be able to gain access to those resources. Access control is a vital facet of network security and encompasses everything from complex permission configurations on domain controllers to locked doors.

There are three main methods of access control:


Published on Sun 11 August 2013 by Anthony Smith in Security with tag(s): strategy