Understanding Point Security Weaknesses


Point security refers to the security strategy of protecting individual devices or systems with no overall plan or view toward integration of the different tactics employed. This section explores the weakness of this security method by defining point security and illustrating common attacks on the point security approach.

Using Point Security Products

Just a few short years ago, many people believed that securing a network meant adding a firewall to the perimeter and adding passwords to network resources. This simplistic approach proved to be an unsuccessful strategy for securing networks. Attackers began using well-known protocols to transport their malicious code and to cause widespread DoS attacks. Many of these attacks exploited known vulnerabilities in common application layer protocols such as FTP, TFTP, SMTP, and HTTP. Servers running these particular services are often behind a firewall. However, firewalls traditionally only limit connections to end systems on the ports that are deemed acceptable, and communication to these services is required from an untrusted network such as the Internet; as a result, a firewall cannot stop the hacker from gaining a legitimate connection to the server. If the application server were compromised, the hacker could use it as a jumping point to connect to other systems that would not typically be visible from the outside world.

To combat the inherent problems with firewalls at the time, security administrators began using other techniques to attempt detection of malicious behavior. A device commonly used to accomplish this task is an Intrusion Detection Sensor/System (IDS). By pattern matching sniffed packets using known attack signatures as a baseline, this device proved to be fairly successful in alerting the security team when a known attack was underway.

IDS technology still has its place in network security today, but its reliance on signature definition updates remains its major flaw. A great deal of time and effort is being put into making this technology a much more efficient and successful way to defeat both known and unknown threats, including taking actions specific to the threat encountered. Regardless, when placed at the edge of the network, an IDS can only see what passes by its sensing interface and is therefore commonly still an edge security mechanism (although this is not always the case).

Most typical network security mechanisms (passwords, firewalls, and IDSs) are standalone technologies, known as point security because they individually secure a single point in the network or cover only one point of your security needs. The best designs possible include a combination of each security mechanism mentioned previously, as well as additional controls such as Host Intrusion Prevention software and physical security controls.

Candy Shell Security

Many networks around the world have a very similar security issue: The security mechanisms sit at the edge, attempting to deny access to the network from outside. These edge security mechanisms do not focus on the internal portion of the network with advanced security products that could protect the endpoints effectively. This issue is known as candy shell security by many security professionals.

Candy shell security refers to a network that has a hard candy shell, or strong perimeter security, but easily compromised endpoints, which are the soft chewy center in this analogy. If you rely on signature-based technologies such as network IDS and perimeter defenses to protect your most valuable resources, you are guaranteeing a treat for the hackers, and blended threats will come knocking on your door.

Backdoor Attack Vectors

Throughout this book, you will learn about many endpoint security vulnerabilities and endpoint-specific infection and exploitation methods common today. Many of these methods are considered back doors because they circumvent candy shell perimeter security measures. One issue perimeter detection methods face today (in addition to relying on signatures) is encryption. E-mailing a virus that is encrypted in a password-protected zip file is a very popular way of slipping a virus past network virus scanners. Encrypted files are not the only problem. Sometimes, the transfer mechanism itself is the issue. Many worms today are beginning to propagate via encrypted protocols such as Secure Sockets Layer (SSL) and Secure Shell (SSH). Network scanners and pattern-matching techniques have no chance to detect a downloaded virus if it is encrypted.

Encrypted communication is very common today, and many organizations have had viruses and worms enter through this communication path. Two different network mechanisms that use this communication path are web page e-mail applications and IPSec VPN. Enterprise users often utilize personal e-mail accounts via web pages that use SSL encryption from corporate computing assets. IPSec VPN tunnels are not as common for the everyday corporate user, but many corporate partners may connect to the enterprise via this mechanism and thereby provide an unsecured path between the two organizations.
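The two preceding paragraphs make a claim that is easy to demonstrate in code: a pattern-matching scanner placed on the network path sees only ciphertext, while the host that decrypts the content sees the cleartext. The following is an added illustration, not code from the book or from Cisco Security Agent. The signature scanner and the compress-then-encrypt routine are constructed stand-ins for a network virus scanner and for an SSL stream or password-protected zip file; the keystream construction (SHA-256 in counter mode) is chosen for self-containment, not as a recommended cipher. The only real value used is the EICAR anti-virus test string, a harmless, industry-standard pattern that scanners are expected to detect.

```python
"""Added example: signature matching on the wire versus on the endpoint.

Constructed for illustration. A toy signature scanner stands in for a
network IDS or virus scanner; a toy compress-then-encrypt routine stands
in for a password-protected archive or an SSL/SSH session.
"""
import hashlib
import zlib

# Signature table (constructed). The EICAR string is the standard harmless
# test pattern; "AutoOpen" is a placeholder pattern, not a real signature.
SIGNATURES = {
    "EICAR-Test-File": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    "Placeholder-Macro": b"AutoOpen",
}


def scan(data: bytes) -> list[str]:
    """Pattern-match raw bytes against the signature table, as a network sensor would."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a demonstration stand-in for a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def protect(data: bytes, key: bytes) -> bytes:
    """Compress, then XOR with the keystream: the shape of an encrypted zip or TLS stream."""
    compressed = zlib.compress(data)
    return bytes(a ^ b for a, b in zip(compressed, _keystream(key, len(compressed))))


def unprotect(blob: bytes, key: bytes) -> bytes:
    """Reverse protect(): decrypt, then decompress. This is what the endpoint does."""
    plain = bytes(a ^ b for a, b in zip(blob, _keystream(key, len(blob))))
    return zlib.decompress(plain)


def perimeter_vs_endpoint(payload: bytes, key: bytes) -> dict[str, list[str]]:
    """Scan the same payload at two inspection points.

    'perimeter' scans the bytes as they cross the network (encrypted);
    'endpoint' scans the bytes after the receiving host has decrypted them.
    """
    on_the_wire = protect(payload, key)
    return {
        "perimeter": scan(on_the_wire),
        "endpoint": scan(unprotect(on_the_wire, key)),
    }


if __name__ == "__main__":
    # Constructed message: an e-mail body carrying the EICAR test pattern.
    message = b"Please see the attached report.\n" + SIGNATURES["EICAR-Test-File"]
    result = perimeter_vs_endpoint(message, key=b"constructed-session-key")
    print("perimeter sensor matched:", result["perimeter"])  # nothing: ciphertext only
    print("endpoint scanner matched:", result["endpoint"])   # the EICAR signature
```

The perimeter sensor returns no matches because the signature never appears in the compressed and encrypted bytes it observes, while the endpoint, which holds the key and performs the decryption, matches the same signature trivially. This is the mechanical reason the chapter pushes inspection down to the host rather than relying on the candy shell alone.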

Although you may believe that an encrypted stream is the only way malicious code may enter your network, do not forget the old standby known as the sneakernet method of propagation. Today's sneakernet is in some ways even more damaging because it does not rely on floppy disks with limited storage but rather on media such as USB keys, CD-Rs, and DVD-Rs. Network security devices cannot detect transported code that does not physically pass through the various security inspection devices located at the perimeter or pervasively throughout the network architecture.



Cisco Security Agent
ISBN: 1587052059
Year: 2005
Pages: 145
Authors: Chad Sullivan
