Using Standard Defenses

Most of what the average organization hears about modern security products comes from what they are told by product vendors, partners of vendors, and certified product users. This oftentimes does not provide the clearest understanding of the various security technologies on the market. Most advertisements for security products include some form of disclaimer stating: "This product alone does not guarantee complete security," but they never give the details as to why this is the case.

It is important before implementing any security solution to understand a defense's shortcomings so that we are prepared to handle them. This is not intended in any way to discourage the use of security countermeasures, for without them, it would be very difficult to protect any organization. Rather, the purpose of this chapter is to point out the common misconceptions that can lead to tragic security flaws within an organization. The weaknesses found in each type of security technology do not negate the need for such products, but simply reinforce the need for layering security practices.

The Reality of Firewalls

A network firewall is an application or device that sits on the chokepoint between two or more networks. Each network has most likely been defined as a zone with different security needs and the firewall is used to enforce the access policies between them. An object wishing to communicate to a network within a different zone must first have its communication inspected and approved by the firewall. The firewall does this by comparing the communication against a series of predefined rules. In short, a firewall is one place where we enforce the Rule of Least Privilege between two or more zones.

Packet Filtering or Proxying?

The two most common methods used by firewalls are packet filtering and proxying. Most modern firewalls can no longer simply be classified as packet filtering or proxying since they combine some aspects of both. It is rare to find a firewall that does not have both of these capabilities. However, most firewalls will focus on one approach and use the other to extend compatibility and enhance security features.

  • Packet filtering Packet filtering refers to a process that takes place at the network or session layer of communication. This means that the firewall will pick up each communication packet and make a security decision based on network information like:

    • Who is the packet from?

    • Where is the packet going?

    • What does the firewall think it is doing?

    • Other simple information

    Most packet filtering firewalls are now considered stateful, which means that they no longer look at a single packet in isolation, but rather keep a short history of previous transactions and make more intelligent decisions based on this past information. Packet filtering is the faster, simpler, and more flexible of the two firewall types.

  • Proxying Proxying refers to a process that takes place higher up in the communication layers. This means that the firewall can make security decisions based on inspecting the actual context of a communication rather than simply evaluating a series of communication packets. Using the proxy method, a firewall receives a communication, processes it as if it was the recipient, and then relays it to the real recipient. The firewall then receives a reply back from the real system, processes it, and passes it on to the originating system.

    As you may recall from the zoning discussion, this is a more secure way of handling communications since it creates a stronger separation between sender and receiver. If an attack occurs, it will be against the firewall, which is designed specifically to handle it. Proxies, unfortunately, consume a lot of processing power and memory to provide this level of protection. Proxies are not as fast or as flexible as packet filters.

  • Hybrids Looking at the advantages and disadvantages of packet filtering and proxying, it is easy to see why firewall manufacturers choose to embrace both methods within their products. Packet filtering firewalls, for example, normally have proxies for important services such as email and DNS. Proxying firewalls normally include packet filtering to speed up specific rules, or provide compatibility when a transaction does not function with proxy services. This is called a hybrid firewall, and it is the most common form of firewall found on the market.
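The stateful packet-filtering behaviour described above, as an added example in Python (this is illustration code, not code from the book): a rule table is consulted top to bottom, a permitted outbound flow is remembered in a state table so its replies pass without a separate inbound rule, and a reply that arrives after the idle timeout is dropped because the firewall has "forgotten" the session, which is the limited-memory weakness the chapter goes on to describe. The rule syntax, the 60-second timeout and the addresses in the demo are all constructed assumptions.

```python
"""Toy stateful packet filter, added here as an illustration; it is not
code from the book. Rule syntax, the 60-second idle timeout and the
addresses in the demo are all constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

STATE_TIMEOUT = 60  # assumed: seconds an idle connection stays in the state table


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    time: float  # seconds; constructed timestamps in the demo


@dataclass
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR network or "any"
    dst: str
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means any destination port

    def matches(self, p: Packet) -> bool:
        def in_net(addr: str, spec: str) -> bool:
            return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)
        return (in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


class StatefulFilter:
    """First matching rule wins; allowed flows are remembered so replies pass."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.state = {}  # 5-tuple of the initiating packet -> time last seen

    @staticmethod
    def _forward(p: Packet):
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    @staticmethod
    def _reverse(p: Packet):
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def decide(self, p: Packet) -> Tuple[str, str]:
        # Step 1: is this packet part of a connection we already allowed?
        for key in (self._forward(p), self._reverse(p)):
            last = self.state.get(key)
            if last is None:
                continue
            if p.time - last <= STATE_TIMEOUT:
                self.state[key] = p.time
                return ("allow", "existing connection")
            del self.state[key]   # aged out: the firewall has "forgotten" the session
        # Step 2: no state, so consult the static rules top to bottom.
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow":
                    self.state[self._forward(p)] = p.time
                return (r.action, f"rule {r.action} {r.src}->{r.dst} {r.proto}/{r.dport}")
        return ("deny", "implicit default deny")


def demo():
    """Constructed traffic: one permitted outbound web request and its replies."""
    fw = StatefulFilter([
        Rule("allow", "10.0.0.0/8", "any", "tcp", 80),   # inside may browse out
        Rule("deny", "any", "any", "any", None),         # everything else is dropped
    ])
    request = Packet("10.0.0.5", "203.0.113.7", "tcp", 40000, 80, time=0)
    reply = Packet("203.0.113.7", "10.0.0.5", "tcp", 80, 40000, time=1)
    unsolicited = Packet("203.0.113.7", "10.0.0.5", "tcp", 80, 40001, time=1)
    late_reply = Packet("203.0.113.7", "10.0.0.5", "tcp", 80, 40000, time=200)
    return [fw.decide(p)[0] for p in (request, reply, unsolicited, late_reply)]


if __name__ == "__main__":
    print(demo())  # ['allow', 'allow', 'deny', 'deny']
```

The reply is allowed only because the state table remembers the outbound request; the unsolicited packet to a different port has no state and falls through to the deny rule, and the late reply is dropped once the entry has aged out.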

The Problem with Firewalls

Unfortunately, having a computer guarding a network or system is similar to hiring the most inexperienced, uncreative, and unintelligent guard to protect the front door of the treasure room. We hand this thug a giant book of rules and have him look at every situation to find the corresponding instances. Most of these rules are common and thus are known to our enemies as well. This means that an enemy has only to stand in front of the guard and try to act on different loopholes in the rulebook. The guard does not understand that the enemy is trying to deceive him; he will simply follow the book until the rules eventually break and allow the enemy in.


Many times, I hear security professionals state that, "A firewall is not a solution by itself," but they cannot explain why this is the case. In reality, a firewall is not a solution in itself because there are too many limitations to the concept behind firewalls. Take, for instance, the following issues:

  • Firewalls are not creative and cannot make sense of original human actions.

  • Firewalls deal strictly with pattern recognition. Such patterns are also known to our enemies.

  • Firewalls are computers themselves and are prone to errors, flaws, and vulnerabilities.

  • Firewalls have limited memory capacity and can only recognize a series of events that happen quickly in succession.

  • Firewalls are configured by humans and are subject to human error.

In reality, the only firewall that could be considered 99% secure is the firewall that allows no communications to take place on either side of the network, and even this is not 100% secure since the firewall itself could potentially be compromised.

Using Firewalls Securely

As we will discuss in the next chapter, firewalls are a vital element in guarding our network perimeters. A well configured firewall is a great ally in our efforts to keep the enemies on the outside of our castle walls. A common security failure in most organizations, however, is to put too much faith in their firewalls or to treat their firewall as a one-time effort. It is vital when dealing with firewalls to think with a security mind. Here are some good pointers for securely using firewalls:

  • Always layer security on all sides of the firewall device. It must be assumed the firewall has vulnerabilities or has been misconfigured. Screening routers, IDSs, and internal defenses should all work to enhance security beyond the firewall.

  • Firewalls are complex devices. Be sure the firewall is implemented and maintained by someone who is very familiar with the product.

  • Firewalls are useless if they are not maintained. It is important to apply patch fixes to the software and operating system, as well as to perform regular inspections of the configuration and rule set.

  • Firewalls return a great deal of information via logs and alerts. Since a firewall is incapable of "thinking," it is important that such information be reviewed and analyzed by a human being on a regular basis.
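One concrete form the "regular inspection of the configuration and rule set" can take, as an added example in Python that is not the book's code and uses no vendor's syntax: a small rule-set review helper that flags two findings a manual review should also catch, a rule that allows anything from anywhere, and a rule that is shadowed (an earlier, broader rule always matches first, so the later rule never fires; when the shadowed rule is a deny, the block it was meant to enforce silently does not exist). The rule format and the sample rule sets are constructed.

```python
"""Firewall rule-set review helper, added as an illustration (not the
book's code and not any vendor's syntax). It flags two findings that a
manual inspection of a rule base should catch: rules that allow
anything from anywhere, and rules that are shadowed, meaning an earlier
and broader rule always matches first so the later rule never fires."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = "any"


@dataclass
class Rule:
    name: str
    action: str           # "allow" or "deny"
    src: str              # CIDR or "any"
    dst: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any port


def _covers(spec_a: str, spec_b: str) -> bool:
    """True when every address matched by spec_b is also matched by spec_a."""
    if spec_a == ANY:
        return True
    if spec_b == ANY:
        return False
    a = ipaddress.ip_network(spec_a, strict=False)
    b = ipaddress.ip_network(spec_b, strict=False)
    return a.version == b.version and b.subnet_of(a)


def shadows(earlier: Rule, later: Rule) -> bool:
    """earlier shadows later if every packet later could match, earlier matches first."""
    return (_covers(earlier.src, later.src)
            and _covers(earlier.dst, later.dst)
            and earlier.proto in (ANY, later.proto)
            and earlier.dport in (None, later.dport))


def is_any_any_allow(r: Rule) -> bool:
    return (r.action == "allow" and r.src == ANY and r.dst == ANY
            and r.proto == ANY and r.dport is None)


def lint(rules: List[Rule]) -> List[str]:
    """Return human-readable findings for a rule list evaluated top to bottom."""
    findings = []
    for i, r in enumerate(rules):
        if is_any_any_allow(r):
            findings.append(f"{r.name}: allows all traffic from anywhere to anywhere")
        for earlier in rules[:i]:
            if shadows(earlier, r):
                findings.append(f"{r.name}: never matches, shadowed by {earlier.name}")
                break
    return findings


def demo():
    """Two constructed rule bases: one with a leftover troubleshooting rule, one sane."""
    risky = [
        Rule("temp-allow", "allow", ANY, ANY, ANY, None),            # left in after troubleshooting
        Rule("block-telnet", "deny", ANY, "10.0.0.0/8", "tcp", 23),  # intended, but now dead
    ]
    sane = [
        Rule("web-in", "allow", ANY, "10.0.0.10/32", "tcp", 443),
        Rule("default-deny", "deny", ANY, ANY, ANY, None),
    ]
    return lint(risky), lint(sane)


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The check is deliberately conservative: it only reports a shadow when the earlier rule covers the later one in every field, so it will not flag partial overlaps that a human reviewer should still look at.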

Intrusion Detection Systems

An IDS is a device that sits on a network or system and attempts to monitor for hacker activities. An IDS sits quietly and passively, watching for attacks, and sends out alarms when it notices suspicious patterns. Normally, there will be numerous IDS sensors watching different networks or systems, all of which are controlled by and report back to a central console and DB.

Signature Recognition or Statistical Sampling?

Similar to firewalls, there are two main ways in which IDSs operate. IDS products can base their decisions on signature recognition, statistical sampling, or some combination of the two.

  • Signature recognition In signature recognition, the IDS device will passively monitor its target network or server and watch for specific patterns (signatures) that it has been preprogrammed to recognize. Signatures are created by the manufacturer or end-users and simply tell the IDS what series of events correspond to a known attack. Many email viruses, for example, have a specific message in their subject header and an IDS could be programmed to look for such emails.

  • Statistical sampling IDS products that perform statistical sampling embrace a more behavior-based attack recognition method. With such an IDS, activity samples are taken over time to develop a baseline for "normal activities." Once that baseline is established, the IDS will sit and watch for any "abnormal activities." This method of monitoring allows for a much wider variety of issues to be discovered, but usually results in a significantly higher number of false-positives.
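The two detection methods side by side, as an added example in Python (illustration code, not the book's): a signature detector that matches message subjects against a preprogrammed pattern list, and a statistical detector that builds a per-sender baseline of messages per minute over a training window and then flags senders exceeding mean plus three standard deviations, or senders never seen during the baseline. The signatures, senders and message counts are all constructed. Run on the same stream, the signature detector catches only the subject it was told about, while the statistical detector catches the unknown sender but also raises a false positive on a legitimate newsletter burst, which is the trade-off the chapter describes.

```python
"""Signature matching versus statistical baselining on a constructed
mail-log stream. Added example; the signatures, senders and counts are
all made up for the illustration and are not from the book."""
import re
import statistics
from collections import Counter
from typing import Dict, List, Tuple

Event = Tuple[int, str, str]  # (minute, sender, subject)

# Hypothetical signature list: subject patterns the sensor was told to flag.
SIGNATURES = [re.compile(p, re.IGNORECASE) for p in (
    r"^you have won",
    r"\.(exe|scr)\b",
)]


def signature_alerts(events: List[Event]) -> List[Event]:
    """Flag every event whose subject matches a known pattern."""
    return [e for e in events if any(p.search(e[2]) for p in SIGNATURES)]


def per_minute_counts(events: List[Event]) -> Counter:
    return Counter((minute, sender) for minute, sender, _ in events)


def build_baseline(events: List[Event], training_minutes: int) -> Dict[str, Tuple[float, float]]:
    """Mean and standard deviation of messages per minute for each sender seen in training."""
    counts = per_minute_counts(events)
    senders = {s for (m, s) in counts if m < training_minutes}
    baseline = {}
    for s in senders:
        series = [counts.get((m, s), 0) for m in range(training_minutes)]
        baseline[s] = (statistics.mean(series), statistics.pstdev(series))
    return baseline


def statistical_alerts(events: List[Event], baseline, minute: int, k: float = 3.0):
    """Flag senders whose rate in `minute` exceeds mean + k*stdev, and senders never baselined."""
    alerts = []
    for (m, s), n in per_minute_counts(events).items():
        if m != minute:
            continue
        if s not in baseline:
            alerts.append((s, n, "sender absent from baseline"))
        else:
            mean, sd = baseline[s]
            if n > mean + k * sd:
                alerts.append((s, n, f"{n}/min against baseline {mean:.1f} +/- {sd:.1f}"))
    return sorted(alerts)


def constructed_events() -> List[Event]:
    """Minutes 0-9 are routine traffic (the baseline); minute 10 holds the test cases."""
    routine = {
        "alice@example.com": [1] * 10,
        "bob@example.com": [1, 2] * 5,
        "list@example.com": [3, 4, 3, 5, 3, 4, 3, 4, 3, 4],
    }
    events = [(m, s, "routine message") for s, counts in routine.items()
              for m, n in enumerate(counts) for _ in range(n)]
    events.append((10, "alice@example.com", "routine message"))
    events.append((10, "bob@example.com", "You have WON a cruise"))   # known signature
    events += [(10, "list@example.com", "monthly newsletter")] * 12   # legitimate bulk send
    events += [(10, "mallory@example.net", "hello")] * 8              # new sender, no signature
    return events


def demo():
    events = constructed_events()
    baseline = build_baseline(events, training_minutes=10)
    return signature_alerts(events), statistical_alerts(events, baseline, minute=10)


if __name__ == "__main__":
    sig, stat = demo()
    print("signature:", sig)
    print("statistical:", stat)
```

Neither list is complete on its own: the signature detector misses the new sender entirely, and the statistical detector cannot tell the newsletter from the unknown sender without a human looking at both alerts.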

The Problem with IDSs

An IDS is similar to an annoying person who finds numerous problems but never does anything about them. IDS sensors will sit quietly, and once an attack happens, will say, "You just got hit by a bomb; you probably should have prepared for this." Basically, the whole job of an IDS is to sit there and say, "Hmmm… Hate it when that happens!" Of course, knowing when we have been attacked, or more importantly, when we are being attacked, is a great advantage in security. It is important, however, to remember that IDSs are reactionary by nature and do not provide security by themselves.

There are a few IDS products that allow for active measures to be taken when a suspected attack is taking place. Most vendors, however, recommend that such features be turned off and to rely on the firewall for decision-making. This is due to the high number of false-positives the average IDS generates, and the potential for blocking legitimate traffic.

The main problems with IDS products are:

  • The average IDS creates a high number of false-positives, making it difficult to separate real attacks from the noise.

  • IDS measures are only reactionary and don't really serve to protect networks.

  • Network-based IDS products often have trouble keeping up with high-speed networks. This is normally handled by secretly dropping random packets, which may cause an attack to be missed.

  • Host-based IDS products introduce a new complexity into servers, increasing the number of processes, communications, and patches required. All this increases the likelihood of a system failure or new vulnerability.

  • IDS devices are often configured with two network connections, one attached to the untrusted network and one attached to the trusted network. This creates a bridge around the firewall, and if a hacker exposes a vulnerability or misconfiguration, the trusted network could be directly exposed to an attack.

On top of this, we still have the same problems that we have with firewalls:

  • IDSs are not creative and cannot make sense of most human actions.

  • Most IDSs deal strictly with pattern recognition. Patterns are known to both our enemies and us.

  • IDSs are computers themselves and are prone to errors, flaws, and vulnerabilities.

  • IDSs in general have more memory for recognizing patterns than do firewalls; however, they still have limited memory and can only recognize a series of events that happen in succession.

  • IDSs are configured by humans and are subject to human error.

Using IDSs Securely

Similar to a firewall, an IDS should only be a small part of a larger security effort. The IDS is a great addition to security; however, it is also prone to errors, attacks, and misconfiguration. In addition, IDSs are unable to "think," making it imperative that IDS logs and alerts be actively monitored by a human. The same recommendations we reviewed for firewalls apply to IDSs.

Vulnerability Scanners

Vulnerability scanners are used to discover well-known weaknesses in servers, networks, applications, and other objects within an organization. The most common vulnerability scanners are those that probe for network-based vulnerabilities against standard operating systems and devices. Scanners are commonly used during audits to proactively search for vulnerabilities.

Types of Vulnerability Scanning

There are several types of vulnerability scanning; most products embrace one or more of the following methods:

  • Basic probing This is the traditional one-layer scanning process that checks for open communication ports via the network. These scanners look for services and applications with known vulnerabilities by matching a specific request with an expected series of replies. Most often, this is as simple as trying to access Telnet on a system to see if it is enabled and then matching the reply with a series of expected replies that give away system information.

  • Enhanced probing Some scanning products include an extra level of probing that yields useful information. When a vulnerability is found, these scanners will exploit it to find more information about the object. For example, if the basic probing process finds an account without a password, then the enhanced probing process can use the discovered access to download the password file or discover more information about the system.

  • DoS simulation Some scanners come with the ability to perform a DoS scan. This is really more of an exploit than a scan since the goal is to actually attack an object with a series of DoS exploits and see what happens. This scan provides a much more accurate view of an object's vulnerabilities, but can only be performed with the assumption that the object may become unstable.

The Problem with Vulnerability Scanners

Running a vulnerability scan is similar to hiring an inexperienced and uncreative hacker, giving him or her a laptop, and having him/her follow a huge manual on different attack methods. The hacker is not given any orientation into the environment and is not allowed any interactions outside of his/her local laptop (i.e., he/she can't talk to anyone or even take a look around). On top of all this, the hacker is instructed to only perform attacks halfway, using methods that will not harm the local networks or devices. Thus, the hacker is greatly limited.

The main problem with scanners is that it is impossible to test objects like a hacker would. This can be a good thing since we probably don't want to cripple a network while searching for vulnerabilities. This, however, presents a paradox: To secure objects from exploits, we must exploit the objects! Here are some of the limitations that should be understood when using vulnerability scanners:

  • Scanners will only perform "nice" hacks, which does not give an accurate picture of vulnerabilities and potential threats.

  • Scanners will only work on devices that are turned on, attached to the network, functioning, and responding to the scanner. If desktops or servers are off during a scan, we will get an inaccurate view of the vulnerabilities. Even worse, if a hacker wants to hide a back door, he or she may program the back door to respond only to his/her system. Thus, the scanner will not detect its presence.

On top of this, we still have the same problems that we have with firewalls and IDSs:

  • Scanners are not creative and cannot really simulate a human hacker.

  • Scanners deal strictly with pattern recognition. Only previously known vulnerabilities can be discovered.

  • Scanners are computers themselves, and they are prone to errors, flaws, and vulnerabilities.

  • Scanners are operated by humans and are subject to human error.

Using Vulnerability Scanners Securely

Vulnerability scanners can be a great tool in proactively searching for the weakest links within an organization. Scans should be performed on a regular basis and results should be tracked over time. The following points are essential when using a vulnerability scanner:

  • Remember that a scanner can be a powerful tool. Be sure to fully understand the product and all potential negative effects before performing a scan.

  • Never assume the scanner will find all vulnerabilities. A scanner is unable to "think" and, as such, is greatly limited in its hacking abilities.

  • Scanner products are usually updated regularly. To keep up with modern vulnerabilities and attacks, be sure to update the scanner software often.
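Two of the scanner limitations above, turned into handling rules, as an added example in Python that is not the book's code: basic probing is modelled as matching a service's reply banner against a table of known patterns, a host that did not respond during the scan is reported as "not assessed" rather than "clean" (so a machine that was off, or a service that answers only its owner, does not quietly disappear from the report), and two runs are compared so that new and fixed findings are visible while an unassessed host keeps its previous findings open. The banner patterns, finding ids, hosts and banners are all placeholders constructed for the example.

```python
"""Scan-result handling, added as an illustration (not the book's code).
Two points from the text: a host that did not respond must be reported
as "not assessed" rather than "clean", and results should be compared
run over run so that new and fixed findings are visible. The banner
patterns and finding ids are placeholders, not real signatures."""
import re
from typing import Dict, List, Optional, Set, Tuple

Observation = Tuple[str, int, Optional[str]]   # (host, port, banner or None if no response)

# Placeholder signature table: banner pattern -> finding label (hypothetical).
SIGNATURES = {
    re.compile(r"ExampleFTPd 1\.\d+"): "PLACEHOLDER-001 outdated ExampleFTPd 1.x",
    re.compile(r"ExampleTelnetd"): "PLACEHOLDER-002 cleartext telnet service",
}


def assess(observations: List[Observation]) -> Dict[str, Tuple[str, Set[str]]]:
    """Return {host: (status, findings)} with status vulnerable|clean|not assessed."""
    responded: Dict[str, bool] = {}
    findings: Dict[str, Set[str]] = {}
    for host, port, banner in observations:
        responded.setdefault(host, False)
        findings.setdefault(host, set())
        if banner is None:
            continue                      # no reply: says nothing about the host
        responded[host] = True
        for pat, label in SIGNATURES.items():
            if pat.search(banner):
                findings[host].add(f"{port}/tcp {label}")
    result = {}
    for host in responded:
        if not responded[host]:
            result[host] = ("not assessed", set())
        elif findings[host]:
            result[host] = ("vulnerable", findings[host])
        else:
            result[host] = ("clean", set())
    return result


def compare(prev: Dict, curr: Dict) -> Dict[str, Set]:
    """Diff two assessments; unassessed hosts keep their old findings open."""
    def pairs(report):
        return {(h, f) for h, (_, fs) in report.items() for f in fs}
    unassessed = {h for h, (status, _) in curr.items() if status == "not assessed"}
    unassessed |= set(prev) - set(curr)   # absent from the run entirely counts too
    before, after = pairs(prev), pairs(curr)
    return {
        "new": after - before,
        "fixed": {p for p in before - after if p[0] not in unassessed},
        "still_open": (before & after) | {p for p in before if p[0] in unassessed},
        "not_assessed": unassessed,
    }


def demo():
    """Two constructed scan runs a month apart."""
    run1 = assess([
        ("10.0.0.1", 21, "220 ExampleFTPd 1.4 ready"),
        ("10.0.0.2", 23, "ExampleTelnetd login:"),
        ("10.0.0.3", 22, "SSH-2.0-ExampleSSH"),
    ])
    run2 = assess([
        ("10.0.0.1", 21, "220 ExampleFTPd 2.1 ready"),   # upgraded
        ("10.0.0.2", 23, None),                          # powered off during the scan
        ("10.0.0.3", 23, "ExampleTelnetd login:"),       # telnet newly enabled
    ])
    return run1, run2, compare(run1, run2)


if __name__ == "__main__":
    _, _, diff = demo()
    for key, value in diff.items():
        print(key, sorted(value))
```

The important line is the one that excludes unassessed hosts from "fixed": without it, the second run would report the powered-off host's telnet finding as resolved when in fact nothing is known about it.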


Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
Year: 2006
Pages: 119
Authors: Kevin Day