Security Baselines

To identify atypical behavior, it is necessary first to identify typical behavior of both network and application processes. The measure of normal activity is known as a baseline. Baselines must be regularly updated as networks and deployed technologies change. What was once a normal pattern of behavior is likely to change over time.

It is important that solid, closely watched security monitoring occur while you're establishing a baseline for network and application performance, because an ongoing attack during the baselining process could be registered as the normal level of activity. This situation, and any other that would skew baseline readings, must be anticipated and averted to establish true baseline data.
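A worked illustration of the point above, added here and not part of the book's text: constructed hourly connection counts are used to build a baseline, and a burst injected into the baselining window stands in for an attack that happened while the baseline was taken. A mean-based baseline absorbs the burst and then fails to flag a later anomaly, while a median/MAD baseline (this example's choice of robust estimator, not a method the text prescribes) both flags the later anomaly and points back at the hour in the baselining window that deserves review. All sample values are constructed.

```python
"""Baseline vs. observed activity, with a burst inside the baselining window.

Added example. The hourly connection counts below are constructed, and the
median/MAD baseline is this example's choice of a robust estimator, not a
method the text prescribes.
"""
import statistics

# Constructed baselining period: 12 hourly connection counts. Hour h07 carries a
# burst, standing in for an attack that happened while the baseline was taken.
BASELINE_WINDOW = [
    ("h01", 120), ("h02", 115), ("h03", 130), ("h04", 125), ("h05", 118),
    ("h06", 122), ("h07", 900), ("h08", 128), ("h09", 121), ("h10", 119),
    ("h11", 124), ("h12", 127),
]

# Constructed observation period that is later compared against the baseline.
OBSERVED = [("h13", 126), ("h14", 131), ("h15", 410), ("h16", 120)]


def mean_baseline(samples):
    """Naive baseline: mean and population standard deviation of the counts."""
    counts = [count for _, count in samples]
    return statistics.mean(counts), statistics.pstdev(counts)


def robust_baseline(samples):
    """Robust baseline: median and median absolute deviation (MAD).

    The MAD is scaled by 1.4826 so that, for roughly normal data, it is on the
    same footing as a standard deviation and the same threshold can be used.
    """
    counts = [count for _, count in samples]
    center = statistics.median(counts)
    mad = statistics.median(abs(count - center) for count in counts)
    return center, 1.4826 * mad


def flag_deviations(samples, center, spread, threshold=3.0):
    """Labels of samples lying more than `threshold` spreads above the centre.

    A zero spread means the baseline carries no variation information, so
    nothing is flagged rather than dividing by zero.
    """
    if spread == 0:
        return []
    return [label for label, count in samples if (count - center) / spread > threshold]


def compare_baselines(baseline_window, observed):
    """Run both baselines over the same data and report what each flags."""
    return {
        "mean": flag_deviations(observed, *mean_baseline(baseline_window)),
        "robust": flag_deviations(observed, *robust_baseline(baseline_window)),
        "suspect_in_baseline": flag_deviations(baseline_window, *robust_baseline(baseline_window)),
    }


if __name__ == "__main__":
    result = compare_baselines(BASELINE_WINDOW, OBSERVED)
    print("mean-based baseline flags:   ", result["mean"])                 # []
    print("robust baseline flags:       ", result["robust"])               # ['h15']
    print("hours to review in baseline: ", result["suspect_in_baseline"])  # ['h07']
```

The single burst pulls the mean to about 187 and the standard deviation to about 215, so the h15 spike of 410 sits barely one deviation above "normal" and passes. The median/MAD baseline is centred at 123 with a scaled spread of about 5.9, so h15 is flagged, and running the robust check back over the baselining window itself singles out h07 as the hour to investigate before the baseline is accepted.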

When establishing operational baselines, it is important to harden all technologies against as many avenues of attack as possible. The three basic areas of hardening are as follows:

  • Operating system: Security of the operating system, including domain architecture and user logon access planning

  • Network: Security of the network through hardware implementations, such as firewall and NAT devices, as well as logical security involving access control over distributed resources

  • Application: Security of applications and services, such as Domain Name Service (DNS), Dynamic Host Configuration Protocol (DHCP), and Web servers, as well as client-side user applications and integration suites

Operating System Hardening

Hardening of the operating system includes planning against both accidental and directed attacks, for example by using fault-tolerant hardware and software solutions. Additionally, it is important to implement an effective system for file-level security, including encrypted file support and a file system selection that allows for the proper level of access control. For example, Microsoft's New Technology File System (NTFS) allows for file-level access control, whereas most File Allocation Table-based (FAT-based) systems allow for only share-level access control.

It is also imperative to include regular update reviews for all deployed operating systems in order to address newly identified exploits and apply security hotfixes, patches, and service packs. Many automated attacks use common vulnerabilities, often ones for which patches and hotfixes are already available. Failing to plan for regular application updates, along with update auditing, can result in an insecure solution that provides an attacker access to additional resources throughout an organization's network.

IP Security (IPSec) and PKI implementations must also be properly configured and updated to maintain key and ticket stores. Some systems may be hardened to include specific levels of access (for example, hardening a system to gain the C2 security rating required by many government deployment scenarios).

Operating system hardening also includes configuring log files and auditing, changing default administrator account names and default passwords, and instituting account lockout and password policies to guarantee strong passwords that will be resistant to brute-force attacks.

Network Hardening

Network hardening involves access restrictions to network shares and services, updates to security hardware and software, and disabling unnecessary protocol support and services.

Restricting Access to the Network

Firewall and Network Address Translation (NAT) software and hardware solutions provide the first layer of defense against unauthorized access attempts.

Mapping avenues of access is also critical in hardening a network. This process is a part of the site survey that should be performed for any network, especially those that involve public areas where a simple connection through a workstation might link the protected internal network directly to a public broadband connection.

Wireless networks also create significant avenues for insecure access to a secured network. A user who configures a PC card on her workstation to allow for the synchronization of her 802.11-compliant wireless PDA may have inadvertently bypassed all security surrounding an organization's network.

Note: A popular pastime for potential attackers is war-driving: driving around with a Wi-Fi device configured in promiscuous mode to identify open wireless access points to the Internet in public areas or target locations. See Chapter 4, "Communication Security," for more information.


If a centralized access control system is used, such as those found in Windows and Novell networks, resource access and restrictions may be assigned to groups, and users can be granted membership to those groups. Properly configured access control lists help provide resource access to authorized parties and also limit potential avenues of unauthorized access.

Updating Security Hardware and Software

As with operating system hardening, default configurations and passwords must be changed in network hardware such as routers and managed network devices. Routing hardware must also be kept current by regularly reviewing the firmware already applied and installing the updates required for the network configuration and hardware solutions in use.

Security software packages need to be updated with as much vigilance as hardware. New tools, better protection, and up-to-date virus and attack definition files become available on almost a daily basis. A regular schedule should be identified and followed for proper update procedures for both security hardware and software.

Disabling Unnecessary Protocols and Services

Leaving protocols and services open and unconfigured when they are not necessary for your network can be a dangerous situation. When you install items on your network, we suggest that you do not accept default configurations because the defaults offered may not meet the business and security requirements of your network.

For example, in a homogenous network such as an all-Windows 2000 network, it might be possible to terminate support for AppleTalk, Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX), or other forms of unused network communications protocols. Because you don't have any Macintosh clients or Novell systems on the network, you don't need the services and protocols associated with these systems. By eliminating services such as these, you are closing holes that can potentially be exploited by attackers.

Application Hardening

Each application and service that may be installed within a network must also be considered when planning security for an organization. Applications must be maintained in an updated state through the regular review of hotfixes, patches, and service packs. Many applications, such as antivirus software, require regular updates to provide protection against newly emerging threats. Default application-administration accounts, standard passwords, and common services installed by default should also be reviewed and changed or disabled as required.

Web Servers

Access restrictions to Internet and intranet Web services may be required to ensure proper authentication for nonpublic sites, whereas anonymous access may be required for other sites. Access control may be accomplished at the operating system or application level, with many sites requiring regular renewal of Secure Sockets Layer (SSL) certificates for secured communications.

Regular log review is critical for Web servers to ensure that submitted URL values are not used to exploit unpatched buffer overruns or other forms of common exploits. Many Web servers may also include security add-ins, provided to restrict those URLs that may be meaningfully submitted, filtering out any that do not meet the defined criteria. Microsoft's URLScan for the Internet Information Services (IIS) Web service is one such filtering add-in.
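As an added example of the kind of URL filtering described above, the following Python block checks HTTP request lines against a small allowlist policy before a Web server would see them. It is written for this page and is not URLScan or any other product's code; the policy values, rule set, and sample request lines are constructed, and the rules (verb allowlist, length limits, denied extensions, denied path sequences checked after one round of percent-decoding) are this example's own choices rather than URLScan's configuration format.

```python
"""Request-line filter in the spirit of a URL-filtering add-in.

Added example. The policy values and sample request lines are constructed and
the rule set is this example's own; it is not URLScan's configuration format
or rule semantics.
"""
import os
from urllib.parse import unquote, urlsplit

# Constructed policy: what the filter lets through before the Web server sees it.
POLICY = {
    "allow_verbs": {"GET", "HEAD", "POST"},
    "max_url_len": 260,
    "max_query_len": 2048,
    "deny_extensions": {".exe", ".bat", ".cmd", ".dll", ".ida", ".idq", ".printer"},
    # Checked against the path after one round of percent-decoding, so a
    # surviving "%" reveals a double-encoded request.
    "deny_sequences": ("..", "./", "\\", ":", "%"),
}

# Constructed request log lines: one benign, the rest exercising one rule each.
REQUEST_LOG = [
    "GET /default.htm HTTP/1.1",
    "TRACE / HTTP/1.1",
    "GET /scripts/tool.exe?x=1 HTTP/1.1",
    "GET /data/../config.ini HTTP/1.1",
    "GET /docs/%252e%252e/x.htm HTTP/1.1",
    "GET /" + "a" * 300 + " HTTP/1.1",
]


def check_request(request_line, policy=POLICY):
    """Return (allowed, reason) for one HTTP request line."""
    parts = request_line.split()
    if len(parts) != 3:
        return False, "malformed request line"
    verb, target, _version = parts

    if verb not in policy["allow_verbs"]:
        return False, f"verb {verb} not allowed"
    if len(target) > policy["max_url_len"]:
        return False, "url too long"

    url = urlsplit(target)
    if len(url.query) > policy["max_query_len"]:
        return False, "query too long"

    path = unquote(url.path)  # a single decoding pass, deliberately
    if any(ord(ch) > 127 for ch in path):
        return False, "high-bit characters in path"
    for seq in policy["deny_sequences"]:
        if seq in path:
            return False, f"denied sequence {seq!r}"

    ext = os.path.splitext(path)[1].lower()
    if ext in policy["deny_extensions"]:
        return False, f"extension {ext} denied"
    return True, "ok"


def rejected_requests(log_lines, policy=POLICY):
    """Filter a batch of request lines and return the rejected ones with reasons."""
    rejected = []
    for line in log_lines:
        allowed, reason = check_request(line, policy)
        if not allowed:
            rejected.append((line, reason))
    return rejected


if __name__ == "__main__":
    for line, reason in rejected_requests(REQUEST_LOG):
        print(f"REJECT {reason:<28} {line[:60]}")
```

The same `rejected_requests` function can be pointed at an exported access log to support the regular log review the text calls for: anything the filter rejects after the fact is a request that reached the server and deserves a look.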

Email Services

Email servers require network access to transfer Simple Mail Transfer Protocol (SMTP) traffic. Email is often used to transport executable agents, including Trojan horses and other forms of viral software. Email servers may require transport through firewall solutions to allow remote Post Office Protocol version 3 (POP3) or Internet Message Access Protocol (IMAP) access, or they may require integration with VPN solutions to provide secure connections for remote users. User authentication is also of key importance, especially when email and calendaring solutions allow delegated review and manipulation. Inadequate hardware may be attacked through mail bombs and other types of attacks meant to overwhelm the server's ability to transact email messages.

FTP Servers

File Transfer Protocol (FTP) servers are used to provide file upload and download capabilities to users, whether through anonymous or authenticated connections. Because of limitations in the protocol, unless an encapsulation scheme is used between the client and host systems, the logon and password details are passed in cleartext and may be subject to interception via packet sniffing. Unauthorized parties may also use FTP servers that allow anonymous access to share files of questionable or undesirable content while also consuming network bandwidth and server processing resources.

DNS Servers

DNS servers are responsible for name resolution and may be subject to many forms of attack, including attempts at denial of service (DoS) attacks intended to prevent proper name resolution for key corporate holdings. Hardening DNS server solutions should include planning for redundant hardware and software solutions, along with regular backups to protect against loss of name registrations. Technologies that allow dynamic updates must also include access control and authentication to ensure that registrations are valid.

NNTP Servers

Network News Transfer Protocol (NNTP) servers provide user access to newsgroup posts and share many of the same security considerations that email servers generate. Access control for newsgroups may be somewhat more complex, with moderated groups allowing public anonymous submission with authenticated access required for post approval. Heavily loaded servers may be attacked to perform a denial of service, and detailed user account information in public newsgroup posting stores, such as those of the AOL and MSN communities, may be exploited in many ways.

File and Print Servers

User file storage solutions often come under attack when unauthorized access attempts provide avenues for manipulation. Files may be corrupted, modified, deleted, or manipulated in many ways. Access control through proper restriction of file and share permissions is necessary, coupled with access auditing and user-authentication schemes to ensure proper access. Removal of default access permissions, such as the automatic granting of Allow access to the Everyone group in Windows systems, must be done before network file shares can be secured.
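The share-permission review described in the paragraph above, as an added example that is not part of the book: a small Python audit over constructed share ACL entries that reports every Allow grant to Everyone or a similarly broad principal, ranks write-capable grants above read-only ones, and produces the hardened entry list with those grants removed. Share names, group names, and the severity labels are this example's own constructions.

```python
"""Share-permission review for default broad grants.

Added example. The share names, groups and ACEs below are constructed; the
severity labels are this example's own convention.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ShareAce:
    """One share-permission entry: who, what level, allow or deny."""
    share: str
    principal: str  # user or group name
    rights: str     # "Full", "Change" or "Read" (the classic share-permission levels)
    ace_type: str   # "Allow" or "Deny"


# Principals that should never hold an Allow grant on a hardened share.
BROAD_PRINCIPALS = {"Everyone", "Guests", "Anonymous Logon"}

# Constructed sample: Finance still carries the default Everyone grant, Projects
# has an explicit Guests grant, Tools is already restricted to named groups.
SAMPLE_ACES = [
    ShareAce("\\\\FS01\\Finance", "Everyone", "Full", "Allow"),
    ShareAce("\\\\FS01\\Finance", "CORP\\Finance-Users", "Change", "Allow"),
    ShareAce("\\\\FS01\\Projects", "CORP\\Project-Team", "Change", "Allow"),
    ShareAce("\\\\FS01\\Projects", "Guests", "Read", "Allow"),
    ShareAce("\\\\FS01\\Tools", "CORP\\Admins", "Full", "Allow"),
    ShareAce("\\\\FS01\\Tools", "CORP\\Helpdesk", "Read", "Allow"),
]


def severity(rights):
    """Write-capable grants to a broad principal matter more than read-only ones."""
    return "high" if rights in ("Full", "Change") else "medium"


def find_broad_grants(aces):
    """(share, principal, rights, severity) for every Allow ACE to a broad principal."""
    return [
        (ace.share, ace.principal, ace.rights, severity(ace.rights))
        for ace in aces
        if ace.ace_type == "Allow" and ace.principal in BROAD_PRINCIPALS
    ]


def shares_needing_remediation(aces):
    """Distinct shares, in order of first appearance, that carry a broad grant."""
    seen = []
    for share, *_ in find_broad_grants(aces):
        if share not in seen:
            seen.append(share)
    return seen


def remove_broad_grants(aces):
    """Proposed hardened ACL: the same entries minus Allow grants to broad principals.

    Deny entries and named-group grants are kept, so access flows only from
    explicit group membership.
    """
    return [
        ace for ace in aces
        if not (ace.ace_type == "Allow" and ace.principal in BROAD_PRINCIPALS)
    ]


if __name__ == "__main__":
    for share, principal, rights, sev in find_broad_grants(SAMPLE_ACES):
        print(f"[{sev}] {share}: {principal} has {rights}")
    print("hardened ACL keeps", len(remove_broad_grants(SAMPLE_ACES)), "entries")
```

Feeding the audit real share permissions (for example, exported from the file server's management tooling into the same four fields) turns the text's "must be done before network file shares can be secured" into a repeatable check that can run after every change.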

Distributed file system and encrypted file system solutions may require bandwidth planning and proper user authentication to allow even basic access. Security planning for these solutions may also include placing user-access authenticating servers close to the file servers to decrease delays created by authentication traffic.

Print servers also pose several risks, including possible security breaches in the event that unauthorized parties may access cached print jobs. Denial of service attacks may be used to disrupt normal methods of business. Network-connected printers require authentication of access to prevent attackers from generating printed memos, invoices, or any other manner of printed materials as desired.

DHCP Servers

DHCP servers share many of the same security problems associated with other network services, such as DNS servers. DHCP servers may be overwhelmed by lease requests if bandwidth and processing resources are insufficient. This can be worsened by the use of DHCP proxy systems relaying lease requests from widely deployed subnets. Scope address pools may also be overcome if lease duration is insufficient, and short lease duration may increase request traffic. If the operating system in use does not support DHCP server authentication, attackers may also configure their own DHCP servers within a subnet, taking control of the network settings of clients obtaining leases from the rogue servers. Planning for DHCP security must include regular review of networks for unauthorized DHCP servers.
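The "regular review of networks for unauthorized DHCP servers" that the paragraph above calls for, as an added example that is not part of the book: a Python block that parses the options field of captured DHCPOFFER messages (the standard code/length/value layout from RFC 2132), pulls out the server identifier, router, and DNS options, and reports any server identifier that is not on the sanctioned list. The option bytes, client MAC addresses, and the authorized-server list are constructed for this example.

```python
"""Rogue DHCP server check over captured DHCPOFFER options.

Added example. The option blobs, MAC addresses and the authorized-server list
are constructed; the TLV layout is the standard DHCP options format (RFC 2132).
"""
import ipaddress

# Constructed list of the servers that are supposed to hand out leases here.
AUTHORIZED_DHCP_SERVERS = {"10.0.0.2"}

# DHCP option codes used below.
OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 0, 1, 3, 6
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
DHCPOFFER, DHCPACK = 2, 5

# Constructed options fields from two offers seen on the same subnet.
LEGIT_OFFER = bytes([
    OPT_MSG_TYPE, 1, DHCPOFFER,
    OPT_SERVER_ID, 4, 10, 0, 0, 2,
    OPT_SUBNET_MASK, 4, 255, 255, 255, 0,
    OPT_ROUTER, 4, 10, 0, 0, 1,
    OPT_DNS, 8, 10, 0, 0, 2, 10, 0, 0, 3,
    OPT_END,
])
ROGUE_OFFER = bytes([
    OPT_MSG_TYPE, 1, DHCPOFFER,
    OPT_SERVER_ID, 4, 10, 0, 0, 77,
    OPT_SUBNET_MASK, 4, 255, 255, 255, 0,
    OPT_ROUTER, 4, 10, 0, 0, 77,  # clients would be routed through the rogue host
    OPT_DNS, 4, 10, 0, 0, 77,     # and would resolve names through it
    OPT_END,
])

# (client MAC that sent the DISCOVER, options field of the offer it received)
OBSERVED_OFFERS = [
    ("00:11:22:33:44:55", LEGIT_OFFER),
    ("00:11:22:33:44:66", ROGUE_OFFER),
    ("00:11:22:33:44:77", LEGIT_OFFER),
]


def parse_dhcp_options(blob):
    """Parse a DHCP options field (code, length, value triples) into {code: bytes}."""
    options = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated value for option {code}")
        options[code] = value
        i += 2 + length
    return options


def ip_list(value):
    """Decode a run of packed IPv4 addresses."""
    return [str(ipaddress.IPv4Address(value[j:j + 4])) for j in range(0, len(value), 4)]


def classify_offer(blob, authorized=AUTHORIZED_DHCP_SERVERS):
    """Summarize an OFFER/ACK and say whether its server is sanctioned."""
    opts = parse_dhcp_options(blob)
    msg_type = opts.get(OPT_MSG_TYPE, b"")[0:1]
    if msg_type not in (bytes([DHCPOFFER]), bytes([DHCPACK])):
        return None  # only replies that configure a client are of interest
    server = ip_list(opts[OPT_SERVER_ID])[0]
    return {
        "server": server,
        "router": ip_list(opts.get(OPT_ROUTER, b"")),
        "dns": ip_list(opts.get(OPT_DNS, b"")),
        "rogue": server not in authorized,
    }


def find_rogue_servers(offers, authorized=AUTHORIZED_DHCP_SERVERS):
    """Distinct unauthorized server identifiers seen across captured offers."""
    rogue = set()
    for _mac, blob in offers:
        summary = classify_offer(blob, authorized)
        if summary and summary["rogue"]:
            rogue.add(summary["server"])
    return sorted(rogue)


if __name__ == "__main__":
    for mac, blob in OBSERVED_OFFERS:
        s = classify_offer(blob)
        flag = "ROGUE" if s["rogue"] else "ok   "
        print(f"{flag} client {mac} offered router={s['router']} dns={s['dns']} by {s['server']}")
    print("unauthorized servers:", find_rogue_servers(OBSERVED_OFFERS))  # ['10.0.0.77']
```

Reporting the router and DNS options alongside the server identifier shows the reviewer what the rogue server would have changed on the client, which is the "taking control of the network settings" the text warns about.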

Data Repositories

Data repositories of any type may require specialized security considerations based on the following:

  • The bandwidth and processing resource requirements that are needed to prevent denial of service attacks

  • The removal of default password and administration accounts (such as the SQL default "sa" account)

  • Security of replication traffic to prevent exposure of access credentials to packet sniffing

Placement of authentication, name resolution, and data stores within secured and partially secured zones, such as an organization's DMZ, may require the use of secured VPN connections or the establishment of highly secured bastion hosts. Role-Based Access Control (RBAC) may be used to improve security, and the elimination of unneeded connection libraries and character sets may help to alleviate common exploits.



Security+ Exam Cram 2 (Exam SYO-101)
ISBN: 0789729105
Year: 2005
Pages: 162