Lesson 5: Securing and Monitoring Network Resources

This lesson wraps up the information on protecting your network infrastructure by focusing on network resource security and monitoring. The first part of the lesson focuses on monitoring and securing workstations, mobile devices, servers, and connectivity devices. Next, you learn about software and hardware that can be used to detect attacks. Finally, the lesson discusses ways to learn from attackers without risking your production equipment.


After this lesson, you will be able to

  • Document methods to monitor and secure workstations, mobile devices, and servers

  • Select appropriate methods for monitoring network infrastructure connectivity devices

  • List how intrusion detection systems can help to protect networks

  • Describe the purpose of honeypots and honeynets and select appropriate uses for them

Estimated lesson time: 20 minutes


Securing and Monitoring Workstations

The workstations on your network are tools for productivity, but they could also be vulnerable to attack. Workstation attacks can cause your organization's employees to lose time and valuable data. If an attacker compromises a workstation it can be used to attack other systems on your network as well. Here is a list of ways to protect your workstations:

  • Install virus-scanning software and keep virus definition files up to date.

  • Monitor system logs for errors.

  • Configure logging or auditing for critical system resources and data.

  • Limit access to workstations to a specific user or set of users.

  • Control access to local and shared resources.

  • Remove unnecessary applications and services.

  • Configure automated or centralized backup systems.

  • Ensure the latest operating system and application security fixes are applied and kept current.

Network monitoring systems and some intrusion detection systems (discussed later) can help you monitor the workstations on your network. These systems can send alerts when certain thresholds are exceeded (for example, if the system has less than 5 percent free hard disk space). Here are some items to monitor on your workstations:

  • System logs.

    Look for error messages about file system changes, permission changes, services that no longer start, or other system modifications and critical error messages.

  • Audit logs.

    Audit logs are typically activated to track specific resources, such as access to a secure folder, file, or printer.

  • Hard disk space.

    Workstations might fail to log errors, fail to detect attacks, or fail to function properly at all if they run out of hard disk space.

  • Network counters.

    If a system is under attack, network counters could indicate that an attack is underway.

  • Access denied errors.

    When an attacker is attempting to guess a password, the server component that shares files on the workstation might record a high number of access-denied errors.
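As an added example (not part of the original lesson), here is a small log-file monitor that covers two of the items above: it parses constructed log lines in an assumed layout, alerts when one source produces a burst of access-denied errors inside a sliding window, and applies the 5 percent free-disk-space threshold mentioned earlier. The log format, hostnames and addresses are all made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log layout, constructed for this example (not any product's real format):
# "YYYY-MM-DD HH:MM:SS host EVENT user=<name> src=<address>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed entries: a burst of failures from one source, a stray one from another, one malformed line.
SAMPLE_LOG = """\
2002-03-01 09:00:01 ws12 ACCESS_DENIED user=jdoe src=10.0.0.7
2002-03-01 09:00:02 ws12 ACCESS_DENIED user=jdoe src=10.0.0.7
2002-03-01 09:00:02 ws12 ACCESS_DENIED user=admin src=10.0.0.7
2002-03-01 09:00:03 ws12 ACCESS_DENIED user=backup src=10.0.0.7
2002-03-01 09:00:04 ws12 ACCESS_DENIED user=guest src=10.0.0.7
2002-03-01 09:05:00 ws12 ACCESS_DENIED user=msmith src=10.0.0.22
2002-03-01 09:05:30 ws12 SERVICE_STOPPED user=SYSTEM src=local
this line is malformed and must be skipped, not crash the monitor
"""

def parse(text):
    """Yield matching records as dicts; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            yield rec

def access_denied_alerts(text, threshold=5, window=timedelta(minutes=1)):
    """Sources with `threshold` ACCESS_DENIED records inside a sliding `window`."""
    recent = defaultdict(deque)
    alerted = set()
    for rec in parse(text):
        if rec["event"] != "ACCESS_DENIED":
            continue
        times = recent[rec["src"]]
        times.append(rec["ts"])
        while rec["ts"] - times[0] > window:  # expire timestamps outside the window
            times.popleft()
        if len(times) >= threshold:
            alerted.add(rec["src"])
    return sorted(alerted)

def disk_space_alert(free_bytes, total_bytes, min_free_percent=5):
    """True when free space is below the threshold (5 percent, as in the text)."""
    return 100.0 * free_bytes / total_bytes < min_free_percent
```

The sliding window is what separates a password-guessing burst from an ordinary user mistyping a password a few times over an hour.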

Protecting Mobile Devices

Laptops, notebooks, and personal digital assistants (PDAs), among other electronic devices, are widely used on many networks. These devices, just like workstations, are important to secure, protect, and monitor, but monitoring these devices is often more difficult than monitoring workstations due to their mobile nature.

All of the precautions you take to protect your organization's workstations should be used (wherever possible) to protect your organization's mobile devices. Additional items to consider for protecting mobile devices include the following:

  • Antitheft devices.

    Consider using motion alarms, locking cables, and tracking equipment to protect your mobile devices.

  • Additional identifying marks or colors.

    If a laptop is stolen from an environment in which many people are carrying laptops, it might be difficult to spot. If your company logo or your name appears prominently on the laptop or mobile device, you might be able to recognize it more easily. Further, if your devices have identifying marks, a thief might be less likely to steal it in the first place, knowing the theft would be more difficult to conceal.

  • Data encryption.

    If your mobile devices are used to transport sensitive data (such as trade secrets or competitive information), you might consider using data encryption, which keeps sensitive files from being easily read by whoever ends up with the device.

When mobile devices are on the network, you should monitor them as if they are workstations. Of course, PDAs and similar devices might not have the same components to monitor, so monitoring must be adjusted on a product-by-product basis.

Securing and Monitoring Servers

You should perform the same tasks on your organization's servers to secure and monitor them as you do on your organization's workstations. Network servers require even more attention than individual workstations, however, because the loss of a server affects more people. In some ways, network servers are easier to protect than individual workstations, because they need not be physically touched or logged on to by normal users. Here are some additional protections that you should perform on your network servers:

  • Physically secure servers in a locked room.

  • Prevent users from logging on interactively (at the console).

  • Carefully control and monitor access to resources, such as the file system, shared data, and printers.

  • Carefully control and monitor access to all services. Additional services such as user databases, account directory services, Web services, and other services provided by servers should be logged. You should track service access errors (access denied), failures of services to load, and any changes in running services (either additional services or services that are disabled or stopped).

  • Frequent backups of server configurations, shared data, and service data are critical to protecting your server. Be sure to test backups by actually restoring data to an alternate location to be sure that your backups are working. Also, you should keep your backup media physically secure. Password protect backup media, encrypt it, and store it in fireproof safes if possible.

You must also be sure to monitor access and availability of the resources the server provides. For example, you should monitor the availability of the HTTP service and Web site files of the Web server. Most services allow for additional logging and this feature should be utilized. On the file server, be sure to appropriately secure files and monitor inappropriate access to those files. Most network operating systems allow you to configure auditing on critical system and data files.

Monitoring Connectivity Devices

Network management systems are available from many vendors that collect information from connectivity devices. For example, if a router or switch is dropping frames because too much data is incoming, an alert can be sent to the network management system's console and potentially other locations, such as the network manager's pager.

Many network management systems use the Simple Network Management Protocol (SNMP) to gather information from a variety of systems, including individual hosts on the network. Cisco, IBM, and Hewlett-Packard all offer network management systems that can monitor network devices.

Implementing Intrusion Detection

An intrusion detection system (IDS) is a hardware device with software that is used to detect unauthorized activity on your network. An IDS is usually configured to log and alert you to unauthorized activity on your network. IDSs can be implemented on individual hosts, servers, at the network perimeter, or throughout the entire network. Some IDS solutions are designed as distributed systems, with agents on all hosts on the network. There are several different ways in which IDSs might be implemented. Here is a general list of how they are implemented and used:

  • A network intrusion detection system (NIDS) is used to discover attackers on your network. A NIDS monitors network traffic and traffic patterns that can be used to discover someone attempting a denial-of-service attack, port scans, or attempts to guess the password to a secured resource. Snort is one of the most popular examples of a NIDS.

  • A system integrity verifier (SIV) monitors a single system's file structure to determine if (and when) an attacker modifies, deletes, or changes a system file. Tripwire is one of the most popular examples of an SIV.

  • A log file monitor (LFM) parses system log entries to identify possible system attacks or compromises. LFMs can protect a single computer or multiple computers. SWATCH (The Simple WATCHer and filter) is a popular example of an LFM for UNIX operating systems.
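The system integrity verifier described above can be illustrated with a small example added here (it is not Tripwire's code or any code from the lesson). It records a baseline of content hashes and permission bits for every file under a directory, then classifies later differences as modified, deleted or added. The directory tree and file contents are constructed inside the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def fingerprint(path):
    """SHA-256 of the content plus the permission bits, so a mode change is also caught."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return f"{h.hexdigest()}:{oct(os.stat(path).st_mode & 0o7777)}"

def baseline(root):
    """Snapshot every regular file under root, keyed by POSIX-style relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify(root, snapshot):
    """Compare the live tree with a saved snapshot and classify every difference."""
    current = baseline(root)
    return {
        "modified": sorted(k for k in snapshot if k in current and current[k] != snapshot[k]),
        "deleted": sorted(k for k in snapshot if k not in current),
        "added": sorted(k for k in current if k not in snapshot),
    }

def demo():
    """Build a throwaway tree, snapshot it, change it, and return what verify() reports."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "motd").write_text("authorized use only\n")
        (root / "bin" / "tool").write_bytes(b"\x7fELF placeholder, constructed")
        snapshot = baseline(root)  # in practice, store this off-host or on read-only media
        # Simulated changes made after the baseline was taken:
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n10.0.0.9 update-server\n")
        (root / "etc" / "motd").unlink()
        (root / "bin" / "extra").write_bytes(b"new binary, constructed")
        return verify(root, snapshot)
```

A verifier is only as trustworthy as its baseline, which is why the snapshot should be written somewhere the monitored host cannot alter.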

Although IDSs are designed to protect your network, attackers might attempt to attack, bypass, disable, or fool those systems. During heavy network traffic, a NIDS could be overwhelmed and might have to drop some packets. Those packets could be evidence of a network attack. Because many IDSs are configured to recognize attack patterns, it is important that you keep attack definition files current. Support agreements and frequent updates are usually available from IDS vendors.

Chapter 11, "Incident Detection and Response," covers intrusion detection in greater detail.

Using Honeypots and Honeynets

Honeypots are systems that have no production value and are designed to be targets for attackers. Honeynets are networks of honeypot systems or a single honeypot system that simulates a network of vulnerable devices. Unlike firewalls and IDSs, however, honeypots do not solve security issues or protect hosts from direct attacks.

For the sake of efficiency, the word honeypot is used to represent both honeypots and honeynets in the remainder of this text.

Following are some of the potential benefits of using honeypots:

  • When compared to IDSs and system logs, honeypots are more likely to give you valuable information about an attack. IDSs and system logs track large amounts of information that might not be related to any specific attacks. Connections to honeypots are likely to be actual attacks. Someone scanning, probing, or attempting to access a honeypot is probably not looking for his or her home directory (or anything else that he or she is supposed to be able to access).

  • Honeypots are designed to track access, so they are not likely to run out of system resources when under attack. Production systems and firewalls are not usually able to operate optimally when they are under attack during heavy traffic periods. They might even fail to log an attack. The same is true for IDSs: When network traffic is coming at gigabit speeds, they might drop packets. Some of those packets could be attempted system attacks.

  • Honeypots are often easier to configure and monitor than IDSs and firewalls. They are simply targets for attack. When someone connects to the honeypot, it is probably worth checking out.

Honeypots are usually more interesting and visible than other security devices. Firewalls might be good at preventing attacks, but they rarely capture actual attempts to compromise a system. Attacks on a honeypot illustrate that there are attackers on the network. Honeypots can also give you an idea of how sophisticated an attacker's skills are and how well that attacker knows the network. The honeypot's logs can even be used to make a case against a network attacker, if you are able to identify that person. There are potential drawbacks to placing honeypots on your network, however:

  • Honeypots require extra resources. Typically, the honeypot is a software component installed on a separate computer (or maybe multiple computers). Some honeypots are separate hardware appliances.

  • If honeypots are never attacked, they won't provide any information.

  • Some attackers might be able to identify (fingerprint) a honeypot. If an attacker is able to determine that a system is a honeypot, he or she is likely to move on to another target.

  • If a honeypot is compromised, it could be used to attack other systems. When you configure additional services or hosts on your network, you increase the number of potential targets for attackers.

More Info
For more information on honeypots, visit the following Web site: http://www.tracking-hackers.com.

Exercise: Identifying Security Devices

Match the term in the right column with the most appropriate statement in the left column:

  1. Can help to secure your data if your laptop is stolen

  2. Helps you to learn attacker techniques and potential future exploits

  3. Alerts you when a recognized attack is underway

  4. Helps you to keep your laptop from being stolen

  1. Honeypot

  2. IDS

  3. Motion-sensing alarm

  4. Data encryption

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in Appendix A, "Questions and Answers."

  1. What security methods are common to workstations and servers?

  2. What security steps are typically implemented on mobile devices that aren't usually necessary on workstations and servers?

  3. What tools can you use to monitor your network infrastructure devices?

  4. What security benefits does an intrusion detection system provide?

  5. How can you use a honeypot to help protect your network?

Lesson Summary

  • Workstations, mobile devices, and servers can be targets of network attack. To protect your workstations, you should configure virus-scanning software, perform frequent backups, and monitor workstation logs.

  • Wireless devices usually require additional security, such as antitheft devices and file encryption.

  • Servers require all of the security that workstations on the network require. In addition, servers can be physically secured inside locked rooms. Additional monitoring should be configured on servers based on the services they provide.

  • Network monitoring systems can be used to monitor routers, switches, hubs, and hosts. Network monitoring systems can alert you when problems arise on your network, such as when a connectivity device is not responding or can no longer keep up with the amount of incoming network traffic.

  • IDSs help protect your network from attackers by alerting you to the presence of potential attacks. IDSs can also log activity so that you can track down points of attack and compromise.

  • Honeypots and honeynets are used to help you detect and learn from attackers. Honeypots are attractive targets for attackers because they are often exposed directly to the Internet without the protection of a firewall. The devices are configured to track the activities of attackers so that you can learn about security weaknesses that might exist on your internal network before an attacker has a chance to exploit them.



Security+ Certification Training Kit (Pro-Certification)
ISBN: 0735618224
Year: 2002
Pages: 55
