Defense in Depth


A well-structured defense architecture treats security of the network like an onion. When you peel away the outermost layer, many remain underneath it. No concept carries more importance when discussing network security than defense in depth. Defense in depth helps you protect network resources even if one of the security layers is compromised. After all, no single security component can be guaranteed to withstand every attack it might need to face.

We operate in a real world of system misconfigurations, software bugs, disgruntled employees, and overloaded system administrators. Moreover, any practical security design needs to accommodate business needs that might require us to open certain firewall ports, leave additional services running on the server, or prevent us from applying the latest security patch because it breaks a business-critical application. Treating perimeter security components as parts of a coherent infrastructure allows us to deploy them in a way that accounts for the weaknesses and strengths of each individual component. Of course, given the requirements of your organization, you might choose not to implement every component discussed in this chapter. The extent to which you need to apply network security layers depends on the needs and capabilities of your business.

After introducing defense in depth in this section, we will use it as the guiding principle behind designs and implementations throughout this book. In fact, this topic is so important, we will conclude the book with a chapter devoted specifically to this topic.

Crown Jewels

Think of any information that would have significant adverse effects if compromised as your organization's crown jewels. What are your company's crown jewels? How well protected are they?

Take the case of CD-Universe. Maxim, a Russian cracker, compromised 300,000 credit card numbers late in 1999. CD-Universe refused to pay his $100,000 ransom demand. In response, Maxim posted 25,000 numbers on a website on Christmas Day 1999.

CD-Universe had their crown jewels compromised and undoubtedly felt the effects in lost sales and consumer confidence. To avoid similar problems in our own organizations, we must consider what our crown jewels are and what protecting them is worth when we implement defense in depth.


Components of Defense in Depth

What exactly does defense in depth entail? The simple answer is the perimeter, the internal network, and a human factor. Each of these comprises many components, which are independently not enough to secure a network. The key lies in each component complementing the others to form a complete security picture.

The Perimeter

When we think of network security, we most often think of the perimeter. As we mentioned earlier in this chapter, the perimeter includes any or all of the following:

  • Static packet filter

  • Stateful firewall

  • Proxy firewall

  • IDS and IPS

  • VPN device

We have already introduced these security components to you. Now, let's take a look at how they might work together to form a defense-in-depth infrastructure.

Static packet filters inspect basic information within every packet and are typically implemented as routers. The border device is the first incoming and the last outgoing layer of your network security. It contributes to defense in depth by filtering traffic before it enters or exits your network. All too often, we only consider filtering incoming traffic, but then we don't get the full usability of our border router.

Improperly addressed traffic, such as packets with internal source addresses arriving on your external interface or vice versa, can be blocked with ingress and egress filtering. Border routers can also block traffic that is considered high risk from entering your network, such as traffic on the SANS Top 20 Vulnerabilities list (http://www.sans.org/top20). ICMP is a favorite of attackers both for DoS attacks and reconnaissance, so blocking this protocol in whole or in part is a common function of a border router. You may also consider blocking source-routed packets at the border router because they can circumvent defenses. The border router can also block out-of-band packets, such as SYN-FIN packets.

On February 9, 2000, websites such as Yahoo! and CNN were temporarily taken off the Internet, mostly by distributed denial of service (DDoS) Smurf attacks. A Smurf attack involves sending spoofed ICMP echo requests (ping) to the broadcast address, resulting in a response from every host. In this case, spoofing allowed attackers to direct the large number of responses to a victim network. Ingress and egress filtering would have blocked the spoofed traffic and allowed them to weather the DDoS storm. Every network should have ingress and egress filtering at the border router to permit only traffic that is destined for the internal network to enter and traffic that is destined for the external network to exit. We will cover filtering, including ingress and egress filters, in Chapter 2, "Packet Filtering."

Static packet filters, such as routers, are faster at screening traffic than stateful or proxy firewalls. This speed comes in handy when you are under attack or when the firewall is already under a heavy load. What if you don't have a border router under your exclusive control? If your Internet connection is relatively small (T1 or less), then performing filtering solely on a firewall might be sufficient.

Unlike static packet filtering devices, stateful firewalls keep track of connections in a state table and are the most common type of firewall. A stateful firewall blocks traffic that is not in its table of established connections. The firewall rulebase determines the source and destination IP and port numbers permitted to establish connections. By rejecting nonestablished, nonpermitted connections, a stateful firewall helps to block reconnaissance packets, as well as those that may gain more extensive unauthorized access to protected resources.

Recon Is the Name of the Game

My cable modem at home receives several scans per day. Previously with the IPChains firewall I had in place, Nmap ACK scans would pass through and successfully scan me. They were successful because nonstateful, static packet filters, such as IPChains, evaluated each packet independently and did not track state. The presence of the ACK bit made it appear that I had initiated the connection and the ACK was the response. Without a stateful firewall in place, reconnaissance of my machine was relatively easy.


Stateful firewalls are able to recognize and block traffic that is part of a nonestablished, nonpermitted connection, such as attempts at reconnaissance. The ability to block reconnaissance attempts that hit your firewall, such as the Nmap ACK scan, makes stateful firewalls a valuable part of defense in depth by adding another layer of security to your network. An alternative, and sometimes a complement to a stateful firewall, is a proxy firewall.
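The border-router checks described above (ingress and egress filtering, dropping SYN-FIN packets) and the difference between a static filter and a stateful firewall from the ACK-scan sidebar, as an added Python example that is not from the book. The internal prefix 10.0.0.0/8, the permitted inbound ports and the sample packets are assumptions.

```python
"""Toy packet filter (added example, not from the book): a stateless border
filter beside a stateful firewall, run over constructed sample packets.
Assumptions: internal space is 10.0.0.0/8 and only ports 80/443 are reachable
from outside."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address space
ALLOWED_INBOUND_PORTS = {80, 443}     # assumed rulebase for inbound services


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset   # TCP flags, e.g. {"SYN"}, {"ACK"}, {"SYN", "FIN"}
    iface: str         # "ext" = arriving from the Internet, "int" = from the LAN


def static_filter(pkt: Packet) -> str:
    """Stateless border filter: every decision comes from this packet alone."""
    src = ip_address(pkt.src)
    # Ingress filtering: packets from the Internet must not claim an internal source.
    if pkt.iface == "ext" and src in INTERNAL:
        return "drop:ingress-spoof"
    # Egress filtering: packets leaving the LAN must carry an internal source.
    if pkt.iface == "int" and src not in INTERNAL:
        return "drop:egress-spoof"
    # Out-of-band flag combination: SYN and FIN never legitimately appear together.
    if {"SYN", "FIN"} <= pkt.flags:
        return "drop:syn-fin"
    if pkt.iface == "int":
        return "accept:outbound"
    # Stateless approximation of "established": any inbound packet carrying ACK
    # is assumed to be a reply.  This is the gap an Nmap ACK scan walks through.
    if "ACK" in pkt.flags:
        return "accept:assumed-established"
    if pkt.dport in ALLOWED_INBOUND_PORTS:
        return "accept:rule"
    return "drop:default"


class StatefulFirewall:
    """Keeps a connection table; a packet is accepted only if it belongs to an
    entry in the table or opens a connection the rulebase permits."""

    def __init__(self) -> None:
        self.table = set()   # entries: (client_ip, client_port, server_ip, server_port)

    def filter(self, pkt: Packet) -> str:
        # Spoofing and malformed-flag checks do not need state; reuse them.
        verdict = static_filter(pkt)
        if verdict.startswith("drop:") and verdict != "drop:default":
            return verdict
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table or reverse in self.table:
            return "accept:established"
        opens_connection = pkt.flags == frozenset({"SYN"})
        if opens_connection and pkt.iface == "int":
            self.table.add(key)          # internal host opening an outbound session
            return "accept:new-outbound"
        if opens_connection and pkt.dport in ALLOWED_INBOUND_PORTS:
            self.table.add(key)          # inbound session to a permitted service
            return "accept:new-inbound"
        # Anything else, including a lone ACK that matches no connection, is dropped.
        return "drop:no-state"


def demo() -> dict:
    """Run constructed sample packets through both filters."""
    fw = StatefulFirewall()
    ack_scan = Packet("203.0.113.5", "10.1.1.20", 40000, 22, frozenset({"ACK"}), "ext")
    spoofed = Packet("10.9.9.9", "10.1.1.20", 1234, 80, frozenset({"SYN"}), "ext")
    syn_fin = Packet("203.0.113.5", "10.1.1.20", 40001, 80, frozenset({"SYN", "FIN"}), "ext")
    out_syn = Packet("10.1.1.20", "198.51.100.7", 50000, 443, frozenset({"SYN"}), "int")
    reply = Packet("198.51.100.7", "10.1.1.20", 443, 50000, frozenset({"SYN", "ACK"}), "ext")
    return {
        "ack_scan_static": static_filter(ack_scan),   # passes the stateless filter
        "ack_scan_stateful": fw.filter(ack_scan),     # dropped: no matching state
        "spoofed": fw.filter(spoofed),
        "syn_fin": fw.filter(syn_fin),
        "out_syn": fw.filter(out_syn),                # creates a table entry
        "reply": fw.filter(reply),                    # matched against that entry
    }
```

Calling `demo()` shows the same ACK probe accepted by the stateless filter and dropped by the stateful one, while a real reply to an outbound connection is accepted by both.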

Proxy firewalls are the most advanced and least common type of firewall. Proxy firewalls are also stateful, in that they block any nonestablished, nonpermitted connections. As with stateful firewalls, the firewall rulebase determines the source and destination IP and port numbers that are permitted to establish connections. Proxy firewalls offer a high level of security because internal and external hosts never communicate directly. Rather, the firewall acts as an intermediary between hosts. Proxy firewalls examine the entire packet to ensure compliance with the protocol that is indicated by the destination port number. Ensuring that only protocol-compliant traffic passes through the firewall helps defense in depth by diminishing the possibility of malicious traffic entering or exiting your network.

But what happens if malicious traffic looks like legitimate content and adheres to the protocol?

An IDS represents the eyes and ears of a network by monitoring the network and hosts from critical points for malicious activity. Typical network IDS sensor placement includes each network segment directly connected to the firewall, as well as critical points within the network. If malicious traffic bypasses your other defense mechanisms, an IDS should be able to detect it, as well as communicate what it sees. This is precisely how an IDS helps with defense in depth.

For example, a network IDS could identify and alert on the following:

  • DNS zone transfer requests from unauthorized hosts

  • Unicode attacks directed at a web server

  • Buffer overflow attacks

  • Worm propagation

There are numerous incidents where successive fast-spreading worms have brought down large international networks. If these companies had been able to identify and isolate the infected machines quickly each time a new worm hit, they could have kept their networks functioning. An IDS with the correct signature would facilitate that identification. An IDS can help identify malicious traffic that might otherwise appear normal to an untrained eye. For example, a DNS zone transfer is a legitimate and common operation for peered DNS servers to engage in. However, we should consider zone transfers outside of those hosts dangerous.
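The zone-transfer case above (a legitimate operation between peered servers, but suspicious from anyone else), as an added Python detection example that is not from the book. The log line format is modelled on a BIND-style query log; the zones, addresses and log lines are constructed sample data.

```python
"""IDS-style check (added example, not from the book): flag DNS zone transfer
requests (AXFR/IXFR) from hosts that are not authorized secondaries.  The log
format is modelled on a BIND-style query log; zones, addresses and log lines
are constructed sample data."""
import re
from ipaddress import ip_address, ip_network

# Assumed policy: the only hosts allowed to pull each zone.
AUTHORIZED_SECONDARIES = {
    "example.com": [ip_network("198.51.100.0/29")],
    "corp.example": [ip_network("10.0.5.2/32")],
}

# Matches e.g. "client 198.51.100.2#53410: query: example.com IN AXFR -"
LINE_RE = re.compile(
    r"client (?P<src>[0-9A-Fa-f.:]+)#(?P<port>\d+).*?: query: "
    r"(?P<name>\S+) IN (?P<qtype>[A-Z]+)"
)

# Constructed sample log lines.
SAMPLE_LOG = [
    "10-Feb-2005 08:12:01.123 client 198.51.100.2#53410: query: example.com IN AXFR -",
    "10-Feb-2005 08:12:05.500 client 203.0.113.77#41022: query: example.com IN AXFR -",
    "10-Feb-2005 08:12:07.010 client 10.0.5.2#53: query: corp.example IN IXFR -",
    "10-Feb-2005 08:12:09.222 client 203.0.113.77#41023: query: www.example.com IN A -",
    "10-Feb-2005 08:12:11.900 client 192.0.2.9#6000: query: secret.example. IN AXFR -",
    "garbage line that does not parse",
]


def parse_query(line: str):
    """Extract source address, queried name and query type, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {
        "src": m["src"],
        "name": m["name"].rstrip(".").lower(),   # normalise trailing dot and case
        "qtype": m["qtype"],
    }


def check_transfer(rec: dict):
    """Return an alert string for an unauthorized transfer request, else None."""
    if rec["qtype"] not in ("AXFR", "IXFR"):
        return None                      # ordinary lookups are not of interest
    src = ip_address(rec["src"])
    allowed = AUTHORIZED_SECONDARIES.get(rec["name"])
    if allowed is None:
        return f"{rec['qtype']} for unknown zone {rec['name']} from {src}"
    if any(src in net for net in allowed):
        return None                      # legitimate peer: no alert
    return f"unauthorized {rec['qtype']} for {rec['name']} from {src}"


def scan(lines) -> list:
    """Run every log line through the parser and the policy check."""
    alerts = []
    for line in lines:
        rec = parse_query(line)
        if rec is None:
            continue                     # unparseable lines are skipped
        alert = check_transfer(rec)
        if alert:
            alerts.append(alert)
    return alerts
```

`scan(SAMPLE_LOG)` raises two alerts: the transfer attempt from an address outside the authorized secondaries, and the one against a zone this server has no transfer policy for; the two legitimate transfers and the ordinary A lookup are silent.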

An IDS contributes toward a defense-in-depth architecture by detecting and reporting suspicious activity. This functionality can be augmented by deploying an IPS, which, in addition to detecting attacks, attempts to automatically thwart them. Intrusion prevention is becoming a popular term in literature describing firewall and IDS products; such "active response" technology gives us an opportunity to block malicious activity in situations where the likelihood of falsely identifying an attack is low.

An IDS allows us to tune our defenses to match the current threats. Furthermore, correlation of router, firewall, VPN, and system logs can yield some information about suspicious activity on the network. These logs are not meant to replace the granularity and extensiveness of IDS logs, but to augment them. Logs from non-IDS perimeter components can help significantly when the network IDS logs are of no use, such as when the traffic is encrypted en route to a VPN device.

VPNs protect communications over unprotected networks, such as the Internet. They improve security by offering confidentiality, integrity, and nonrepudiation. For example, a VPN can allow your employees working from home to connect to your servers in a trustworthy manner even while traversing the Internet. In this scenario, the VPN will make sure that no one can monitor the protected traffic, that no one can modify it without being detected, and that the data really came from the expected user. VPNs are appropriate for a wide range of applications and are often useful when dedicated private lines are too expensive or impractical for connecting network nodes. Protecting communications over unprotected networks helps us defend our networks with depth.

VPNs are wonderful tools or wonderful weapons, depending on who is using them. By providing protected communications over unprotected channels, a VPN is a tool to legitimate users. If, however, the endpoints of a VPN connection are not secure, an attacker might be able to gain a protected channel into your internal network, giving him an awesome weapon. In our experience, many large networks that have been severely crippled by worms were affected by the same type of culprit during every infection: a VPN user who was working from home. Users would surf the Web using their personal broadband connections at night before logging onto the internal network the following day via the VPN. A worm infected their machines when they were connected to the Internet at night. When they connected to the internal network the following day, the worm propagated to the internal network and ran rampant.

VPNs offer significant cost savings over the previous alternative of frame relay or a private line. We can use a VPN to protect all traffic from one network to another (network to network), between two hosts (host to host), or from a single host to a network (host to network). Knowing this, the way in which we configure our networks becomes increasingly important.

All too often, security is not a primary concern to a business when putting a network in place. A thought-out network architecture is vital to defense in depth because it segregates resources and provides for performance and redundancy. A well-designed infrastructure can act as a business enabler, rather than a stumbling block to the organization.

We need to do the following when evaluating a network security architecture:

  • Determine what resources need to be protected.

  • Determine the risk.

  • Determine business requirements.

With this information, we can make educated decisions regarding our network defenses.

A solid network architecture created with security in mind will segregate resources and provide for performance and redundancy. Segregating resources is vital to defense in depth, and we will look at it closely in Chapter 13, "Separating Resources." We must keep in mind that no matter how segregated a host is from a network viewpoint, its configuration must also be hardened.

At Least Lock the (Screen) Door

I once encountered a network without a screened subnet or a DMZ. The DNS server resided on the internal network, which was a hub-based environment. When an attacker compromised the DNS server, he installed a sniffer and was able to glean internal passwords. If the DNS server had been on a switched screened subnet, the attacker's ability to sniff passwords would have been greatly inhibited.


The Perfect Onion?

Recently I was on site with a client who was telling me all about his company's layered security. The company had proxy firewalls, a big border router, IDSs, VPNs, a good design, you name it. When I asked about the security of the public DNS server, he told me that "it was fine" and that with so much security in front, the company wasn't too worried about it. Talk about locking the door but leaving the window open!

The organization had segregated and protected this DNS server quite well. However, in neglecting to harden the host, the company had wasted a lot of work on securing the rest of the perimeter. Further investigation revealed that an attacker could have easily compromised the server, obtained a shell, and exploited a trust relationship with the internal DNS server, leaving him inside the network with a critical server.


We've discussed how various components of the perimeter contribute to the overall security of our network through defense in depth. Although vital, the external perimeter is only one piece of defense in depth. Next, we examine a piece that many organizations neglect to properly address: the internal network.

The Internal Network

The internal network is the network that is protected by the perimeter and that contains all the servers, workstations, and infrastructure with which a company conducts business.

So often, administrators of various types say, "We can trust our own people." Organizations often neglect the security of the internal network because they don't consider an internal attack a risk. An internal attack doesn't have to be a malicious employee; it can be a careless employee as well. As organizations are learning each time a new worm comes out, they cannot afford to overlook the security of the internal network!

Let's shift gears for a minute. Conjure up an image of what you consider a highly skilled attacker. Imagine him breaking into your most sensitive systems…while sitting at your desk. What would stop him?

On the internal network, we could have the following "perimeter" devices:

  • Ingress and egress filtering on every router

  • Internal firewalls to segregate resources

  • IDS sensors to function as "canaries in a coal mine" and monitor the internal network

On protected systems, we can use the following:

  • Host-centric (personal) firewalls

  • Antivirus software

  • Operating system hardening

  • Configuration management

  • Audits

Host-centric (personal) firewalls are generally implemented as software modules that run on individual machines, screening network traffic as it enters and leaves the system. Many are configurable on a per-application basis, meaning that the user determines which applications have rights to access the Internet or function as servers (accept incoming connections). Personal firewalls help defense in depth by augmenting the perimeter on every host.

You might ask, "Why do I need a personal firewall if I'm already behind a network firewall at work?" A personal firewall at work can protect you from malicious programs, such as Trojans, and from other internal hosts, as in the case of malicious internal users. If you do not have a personal firewall and connect to the Internet outside of work (such as the hotel room while traveling or the home office when working from home), you cannot assume that you are being protected.

Personal Firewall to the Rescue

Recently, a nontechnical co-worker asked me why a personal firewall on her office desktop kept popping up alerts. My curiosity was immediately piqued, as I seriously doubted there was a hole in the company firewall. I discovered that she used a dial-up connection to check her personal email, and it had created a tunnel to her machine. She was being probed through the dial-up network for a vulnerability her machine had. If she had not had a personal firewall in place, an attacker could have run rampant on the internal company network.


Host-centric firewalls are wonderful pieces of software that augment the perimeter. If a traditional firewall cannot be deployed at the network's entry point, host-centric firewalls are cost-effective alternatives, especially if the network hosts a small number of systems. Host-centric firewalls are also useful for mobile users who connect to a network outside of work. Almost every network needs firewall technology of some sort, be it with static packet filters, stateful firewalls, or proxy firewalls on the perimeter or the individual machines. Most networks with user-level workstations also need an antivirus capability.

In many respects, antivirus software and network IDSs are similar in that they frequently operate by examining data for signatures of known malicious intent. Antivirus software typically looks at the data on the file system and in RAM, whereas a network IDS examines data on the network. As vendors package antivirus, personal firewall, and IDS technology into a single product, the line distinguishing the three becomes increasingly vague. The role of antivirus in defense in depth is clear: it protects against malicious code.

We can augment our antivirus capability on the desktop through products that couple with perimeter components, such as firewalls and email servers. The effectiveness of antivirus software drastically decreases if it is not regularly updated, or if it does not yet provide a signature to identify the latest virus or worm. This is often the case with worms, which propagate very quickly. Locking down the host's configuration becomes critically important in the case of ineffective antivirus software.

Host hardening is the process of tightening the configuration of the host's OS and applications with the purpose of securing any unnecessary openings on the system. This typically involves applying relevant OS and application patches, setting file system permissions, disabling unnecessary services, and enforcing password restrictions. If everything else fails, host hardening is the last layer protecting an individual system. That makes it vital to defense in depth.

Consider the nontechnical co-worker who was checking her personal email through a hotel's dial-up connection. What if she had not installed a personal firewall or antivirus software? If basic hardening had not been performed, she would likely have presented the attacker with a variety of vulnerabilities to exploit. It is all too easy to forget about host hardening when multiple layers of defense are surrounding the system. The fact remains that those defenses are not perfect, and we need that last layer. The question of how to keep on top of host hardening naturally arises.

Configuration management is the process of establishing and maintaining a known configuration for systems and devices that are on the network. Large companies might have an automated means of manipulating the configuration of all hosts, whereas small companies might perform the process manually. Defense in depth benefits from the ability to enforce a standard configuration.

Configuration management can enforce the following:

  • That all Windows machines have a particular service pack installed

  • That all Linux machines have a specific kernel running

  • That all users with remote-access accounts have a personal firewall

  • That every machine has antivirus signatures updated daily

  • That all users agree to the acceptable-use policy when they log on

Some of these tasks naturally lend themselves to large-scale automation, whereas others we can accomplish manually.
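The kinds of baseline listed above, as an added Python compliance check that is not from the book. It runs over a constructed host inventory; the baseline values (service pack, kernel version, signature age), hostnames and dates are assumptions.

```python
"""Configuration-management compliance check (added example, not from the
book) over a constructed host inventory.  It enforces baselines of the kind
the list above describes: a minimum Windows service pack, a minimum Linux
kernel, a personal firewall for remote-access users and antivirus signatures
no older than a day.  Baseline values, hosts and dates are assumptions."""
from datetime import datetime, timedelta

BASELINE = {
    "windows_min_sp": 2,                     # assumed: at least SP2
    "linux_min_kernel": (2, 6, 10),          # assumed: at least 2.6.10
    "max_signature_age": timedelta(days=1),  # signatures updated daily
}


def parse_kernel(version: str) -> tuple:
    """'2.6.8-smp' -> (2, 6, 8); a non-numeric part ends the version."""
    numbers = []
    for part in version.split("-")[0].split("."):
        if not part.isdigit():
            break
        numbers.append(int(part))
    return tuple(numbers)


def check_host(host: dict, now: datetime) -> list:
    """Return the baseline violations found in one inventory record."""
    findings = []
    if host["os"] == "windows":
        sp = host.get("service_pack", 0)
        if sp < BASELINE["windows_min_sp"]:
            findings.append(f"service pack {sp} below SP{BASELINE['windows_min_sp']}")
    elif host["os"] == "linux":
        if parse_kernel(host["kernel"]) < BASELINE["linux_min_kernel"]:
            findings.append(f"kernel {host['kernel']} below baseline")
    if host.get("remote_access") and not host.get("personal_firewall"):
        findings.append("remote-access user without a personal firewall")
    age = now - datetime.fromisoformat(host["av_signatures"])
    if age > BASELINE["max_signature_age"]:
        findings.append(f"antivirus signatures {age.days} days old")
    return findings


def audit(inventory: list, now: datetime) -> dict:
    """Map each non-compliant hostname to its findings."""
    report = {}
    for host in inventory:
        findings = check_host(host, now)
        if findings:
            report[host["name"]] = findings
    return report


# Constructed sample inventory; av_signatures is the last signature update.
NOW = datetime(2005, 2, 10, 9, 0)
INVENTORY = [
    {"name": "ws-01", "os": "windows", "service_pack": 2, "remote_access": True,
     "personal_firewall": True, "av_signatures": "2005-02-10T06:00"},
    {"name": "ws-02", "os": "windows", "service_pack": 1, "remote_access": True,
     "personal_firewall": False, "av_signatures": "2005-02-03T06:00"},
    {"name": "srv-dns", "os": "linux", "kernel": "2.6.8-smp",
     "av_signatures": "2005-02-09T23:30"},
    {"name": "srv-web", "os": "linux", "kernel": "2.6.10.3",
     "av_signatures": "2005-02-10T08:00"},
]
```

`audit(INVENTORY, NOW)` reports ws-02 (old service pack, no personal firewall, week-old signatures) and srv-dns (kernel below baseline); the other two hosts meet every rule.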

Who Is Responsible for Configuration Management?

A client recently called me in to handle a worm outbreak. My first question of the systems administrator was whether the OS on all hosts was up to the latest patch level. It turned out that he had not kept up with the latest patches because every host had antivirus software that each user was to update weekly. As you can imagine, many hosts had out-of-date antivirus signatures, which resulted in the worm freely exploiting unpatched OS vulnerabilities. We ended up spending at least a week eradicating worm infections and updating system configurations to make them more resilient to such attacks.


Configuration management is the best way to establish a standard, secure configuration so that damage from incidents is limited. It can also enable your organization to control unauthorized software installation. Configuration management is an important piece of defense in depth because it enforces a standard configuration. How can we verify that a configuration is a secure one that remains unchanged?

Auditing is the process of reconciling perception with reality and improving upon that. Internal staff or external consultants can perform audits. The information that we present next was written from the perspective of an external consultant, but it applies to either situation. Verifying the current state of security and improving upon it is vital to defense in depth.

An audit typically progresses like this:

1. An informational meeting is held to plan the audit. At the first informational meeting, the auditor finds out what the client wants and expects and establishes risks, costs, cooperation, deliverables, timeframes, and authorization.

2. Fieldwork begins (implementing the audit). When the client is ready, the auditor performs the audit in line with what was established in the planning session.

3. The initial audit report (technical report) is delivered. The auditor might prefer to give an initial audit report to the technical representatives of a client before their management sees the final report. This provides the technical staff with an opportunity to address some concerns before the final report goes to management. This also ensures that the technical representatives know what their management will see and can offer clarification on any issues.

4. The final audit report (a nontechnical report with the final technical report) is delivered. The final audit report typically contains an executive summary, the general approach used, the specific methodology used, and the final technical report.

5. Follow-up occurs (verified recommendations are performed). When the client is ready, the auditor may return to verify that the issues have been resolved.

Just like you go to your doctor on a regular basis for a physical to make sure you're as healthy as you think you are, you should check your network on a regular basis to ensure that your perception and the reality of your defenses coincide. Consider an audit preventative maintenance. An audit is the only tool in defense in depth to verify that everything is as it should be.

Securing the internal network with host-centric firewalls, antivirus software, and host hardening is not a trivial task. Configuration management and audits can help you accomplish this. Addressing security on the external perimeter and the internal network is not enough. Next, we will complete the defense-in-depth picture by discussing the human factor.

The Human Factor

Frequently, we get caught up in the technical aspect of network security without considering its nontechnical element. Tasks such as optimizing the firewall rulebase, examining network traffic for suspicious patterns, and locking down the configuration of systems are certainly important to network security. What we often forget is the human end of things, such as the policies and awareness that go along with the technical solution.

Policy determines what security measures your organization should implement. As a result, the security policy guides your decisions when implementing security of the network. An effective defense-in-depth infrastructure requires a comprehensive and realistic security policy.

Hallmarks of good policy include the following:

  • Authority: Who is responsible.

  • Scope: Who it affects.

  • Expiration: When it ends.

  • Specificity: What is required.

  • Clarity: Can everyone understand it?

The Importance of Having a Documented Security Policy

In the initial planning meeting with clients, the first thing I always ask for is the security policy. Many times, the client gives me a quizzical look and asks why I would need it. I try to explain that policy and security are not separate entities, but determine one another.

If only a lawyer could read your security policy, it needs to be reevaluated. We'll take a good, long look at this issue in Chapter 5, "Security Policy." A caveat about policy: It only works if someone reads it.


User awareness is like driver's education. Users can reduce risk and help defense in depth if they know and follow the security policy. Here are some of the actions you can take to increase user awareness of your organization's security policy:

  • Have every user sign an acceptable-use policy annually.

  • Set up a security web page with policies, best practices, and news.

  • Send a "Security Tip of the Week" to every user.

A direct benefit of aware users comes when considering social-engineering attacks. For example, if users know not to give their password to other people, a potential attack might be thwarted. When users are aware of policy, there tends to be fewer incidents and misunderstandings, and users feel more involved in security. Additionally, in the case of policy violations, if the users are educated, it's harder for people to claim that they didn't know they were doing something wrong.

Get It in Writing

I'm reminded of a time in my intemperate youth when I used the phrase, "I didn't know that; it was never communicated to me," regarding an acceptable-use policy. I've heard this same phrase repeated in a number of different circumstances. There is not much to be said when you have a signature affirming that a user agrees to and understands a policy. I have found a signed policy statement to be more valuable than gold in terms of time and effort saved.


Remember: Defense in depth hinges on the human factor of policy and user awareness. Policy determines what security measures your organization should implement. Those security measures should reflect policy. Defense in depth is the means to policy implementation; it depends on it.

We've examined the components of defense in depth and how they contribute to security of the network. Defense in depth is a flexible concept that allows you to create an effective security infrastructure that reflects the requirements of your organization. For example, smaller organizations might not be able to afford some of the components we discussed, but alternatives usually exist. Regardless of the size of your organization, policy and user awareness are necessary.

We'll wrap up this chapter by looking at a real-world case where defense in depth could have saved an organization a lot of time, effort, and money.



    Inside Network Perimeter Security (2nd Edition)
    ISBN: 0672327376
    Year: 2005
    Pages: 230