Internal Defenses

It is close to impossible to read any security publication without seeing a phrase like, "The majority of successful hackers come from the insides of networks, not the Internet," and this book is no exception to this standard. Protecting internal networks is a very different task than that of protecting the perimeter. With our perimeter, we can define specific chokepoints and consolidate security measures; on an internal network, we are dealing with everything as a whole. There is no firewall that we can filter everyone through, and there is no IDS that will adequately monitor the average internal infrastructure. On top of it all, we have to grant much higher levels of access to internal systems and users than to external customers and vendors. Lucky for us, good internal defenses still conform to the rules of security.

Can it Really be Done?

Certainly, the answer to this question is, "Yes, it can be done." A highly secure internal network is achievable, and I have seen organizations accomplish this on a minimal budget. Again, the real key to securing an internal network is to focus on the virtues and rules in everything. Security at the perimeter is simply a warm-up; the internal network is where we really get our hands dirty with the concepts of the security mind.

Let's face it: There is no technical solution for securing the inside of a network. Yes, there are thousands of products, each with their own little piece of the internal security pie, but securing an internal network is a prime example of where focusing on the details will cause failure. At least with the Internet, we had a firewall chokepoint, and those who focused purely on the technologies could remain somewhat in control. When we progress to the internal network, however, such methods simply do not work and a great many organizations end up leaving the internal network vulnerable. Securing the internal network requires a much broader vision and the ability to see the rules of security in everything.

The Need for Internal Security

The need for internal security can be seen everywhere, and simply leaving the internal network vulnerable should never be considered. A bank does not just put guards at the front door and let all the money pile up behind the tellers. There are layers and layers of security between the lot where we park our cars and where we touch our first coin. If we choose to launch an attack from the outside, the hallway, the lobby, or from the vault itself, there will be security measures to stop us.

In information security, we need to adopt similar practices. An attack could come from anywhere and under any set of circumstances. A hacker could find a hole in the perimeter defenses, in which case, an attack will surely come from inside. Likewise, a hacking employee, consultant, or anyone to whom we extend a high level of trust will have direct access to the internal network. In these situations, we need to be prepared.

Employee Attacks

Employees within an organization are under constant temptation when it comes to internal access. Even employees without direct motivation often become curious and desire to perform some form of prohibited action. But it is when we have employees with some motivation and some technical abilities that we are really in trouble. I talked about employee hackers at some length in Chapter 7, Know Thy Enemy and Know Thyself. Here, I would make an educated guess and say that the average organization with five or more technical employees has probably employed at least one person who has attempted to gain unauthorized access to resources at some point in time.

In general, when someone knows that they are NOT going to get caught, there is a much greater chance that they will perform illegal actions. The temptation to gain unauthorized access to resources within organizations that deploy no internal security is incredible for many employees. Internal security not only applies direct protection, but also keeps honest people honest and greatly reduces the temptation to take unauthorized action.

Successful External Attacks

Eventually, someone will break into the network. Eventually, there will be an unseen entry point opened into the network. Eventually, a worm will crawl through all defenses. Eventually, the perimeter security will fail. What happens next depends completely on the defenses we have deployed internally. A worm that finds its way through external defenses has not yet done any damage. If the worm, once inside the network, finds that all systems are patched, protected, and monitored, we will probably not suffer any damage. This is also the case with hackers who work themselves through a perimeter only to find themselves locked down in a secure environment.

By applying internal defenses, we are essentially layering overall security. When an individual or group manages to penetrate the outer defenses, the amount of damage they can do directly corresponds to the degree of protection deployed on the inside of the network.

Internal Rules

The rules of security are going to be our best allies when working with internal defenses. There are no canned solutions for protecting an internal environment; protection can only come from layering different forms of security measures to comply with the corresponding rules. Every decision about the internal environment should reflect back on the practices already discussed. I have pulled from the following rules because they are often the most useful when securing an internal environment:

Put the Rules in Writing

Earlier in this book, I mentioned that our ability to enforce the rules is highly dependent on the rules being in writing. Proper internal security requires rules to be written and formally accepted by everyone within the organization. The rules should be incorporated into internal security policies and acceptable use policies. Writing internal policies should be performed by policy experts with the guidance of information security staff, or drawn from a good working template. In particular, written rules should commonly include:

  • Policies against gaining unauthorized access: Using the Rule of Least Privilege, these policies should state how systems and services may be properly used and end by stating that anything not written in the policies is unacceptable. Users should also be directly forbidden from bypassing security mechanisms or establishing unapproved links outside the local network. This should specifically include the use of modems and unauthorized Internet and WAN connections.

  • Policies concerning security administration practices: These policies enforce strong password and account management practice, the assignment of access privileges, and the monitoring of account activities. These policies should also reflect on the Rule of Least Privilege as well as the Rule of Separation.

  • Policies against unauthorized software: These policies should provide a list of software authorized for use on desktops and servers, including operating systems, browsers, word processors, and other acceptable applications. The policy should state that software products other than those on the "approved" list are not allowed.

  • Policies against hacker tools and processes: These policies should expressly forbid the use of hacker tools or any attempts to bypass or compromise security. It is common for employees to download such tools from the Internet or try some form of attack for non-malicious purposes. To maintain security, it is important that the organization be aware of the installation and use of every hacker tool within the environment.

  • Other policies: There are many other policies that are important to security, especially those concerning how to handle security in specific situations and during disasters. For important security events and for security events that will recur, it is important to establish a standard policy.

Authorized Use Banners

After policies have been established, it is important to create a short summary statement that refers back to the full security policy. This short statement should then be placed in as many locations as possible, including every system and device that allows for a display banner. Common areas where banners should be deployed include:

  • Server and workstation authentication prompts

  • Telnet, Secure Shell (SSH), FTP, and other remote access service prompts

  • VPN and dial-up access points

  • Email message footers (usually a variation specific to email)

Rule of Least Privilege

Internal security practices should enforce the Rule of Least Privilege across the entire network. Since we are not dealing with specific chokepoints, the Rule of Least Privilege will need to be placed on individual systems, devices, and applications. These objects should be built and maintained with the idea that access will not be given unless required. Since there are literally hundreds of places where the Rule of Least Privilege should be practiced, it must be a part of our thought process in everything and dealt with through higher security practices. The following is a small set of examples of where the Rule of Least Privilege could be enforced:

  • Internal servers and devices should have multiple levels of access defined based on access requirements. For example, someone needing to administer a specific application or set of accounts should not be given full administrator access, but rather an account that limits access to that which is required.

  • Access to physical areas should be limited based on an individual's required access. Server rooms, wiring closets, and other critical areas should only be accessible by those who require such access.

  • Employees should enforce the Rule of Least Privilege and be instructed not to give out information about internal systems, devices, applications, or procedures to external entities unless there is a verified need for the information.

It cannot be said enough that the Rule of Least Privilege is vital for maintaining proper security practices. The Rule of Least Privilege should be practiced in all aspects of internal security. If access is not required, do not grant it.
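The first bullet above asks for access levels that match what each person actually needs. One way to check that in practice is a periodic audit of granted privileges against the privileges each role requires. The script below is an added example and not code from the book; the role names, privilege labels and accounts are constructed for illustration, and the "namespace:*" wildcard convention is an assumption of this example, not something the book defines.

```python
"""Least-privilege audit over constructed account data (added example).

Given the privileges each role requires and the privileges each account
has actually been granted, report every grant that exceeds the role.
Roles, privilege labels and accounts below are constructed.
"""
from dataclasses import dataclass, field

# Privileges each role requires (constructed). A role gets nothing that
# is not listed here; this table is the Rule of Least Privilege written down.
ROLE_PRIVILEGES = {
    "app-admin":    {"app:restart", "app:config", "logs:read"},
    "helpdesk":     {"accounts:reset-password", "accounts:unlock"},
    "dba":          {"db:admin", "logs:read"},
    "domain-admin": {"os:admin", "accounts:*", "db:admin", "app:*", "logs:read"},
}


@dataclass
class Account:
    name: str
    role: str
    granted: set[str] = field(default_factory=set)


def covers(allowed: str, granted: str) -> bool:
    """True if an allowed privilege covers a granted one.

    'accounts:*' covers 'accounts:unlock' (wildcard convention assumed
    for this example); anything else must match exactly.
    """
    if allowed == granted:
        return True
    namespace, _, action = allowed.partition(":")
    return action == "*" and granted.startswith(namespace + ":")


def excess_privileges(acct: Account) -> set[str]:
    """Grants on the account that its role does not justify.

    An unknown role justifies nothing, so every grant is reported.
    """
    allowed = ROLE_PRIVILEGES.get(acct.role, set())
    return {g for g in acct.granted if not any(covers(a, g) for a in allowed)}


def audit(accounts) -> dict[str, set[str]]:
    """Map account name -> excess grants, for accounts that have any."""
    findings = {}
    for acct in accounts:
        excess = excess_privileges(acct)
        if excess:
            findings[acct.name] = excess
    return findings


# Constructed sample: one application administrator who was handed full OS
# admin rights, one service account with a wildcard it never needed.
SAMPLE_ACCOUNTS = [
    Account("jdoe", "app-admin", {"app:restart", "app:config", "logs:read", "os:admin"}),
    Account("hd-anna", "helpdesk", {"accounts:unlock", "accounts:reset-password"}),
    Account("svc-report", "dba", {"db:admin", "logs:read", "app:*"}),
    Account("ops-root", "domain-admin", {"os:admin", "accounts:unlock"}),
]

if __name__ == "__main__":
    for name, excess in sorted(audit(SAMPLE_ACCOUNTS).items()):
        print(f"{name}: remove {', '.join(sorted(excess))}")
```

Run against a real export of group memberships or sudo grants, the same audit turns the book's "if access is not required, do not grant it" into a list of concrete grants to revoke.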

Rule of the Three-Fold Process

The Rule of the Three-Fold Process is not limited to specific devices or project implementations; the entire internal network and its security as a whole are subject to this rule as well. Many organizations create internal networks and never provide any form of maintenance or monitoring. The maintenance and monitoring tasks associated with the Rule of the Three-Fold Process are often pushed out to the perimeter, leaving the internal network vulnerable as time passes. Using the Rule of the Three-Fold Process for internal systems and devices has a dramatic effect on the security of an organization.

Internal Auditing

Some of the most powerful security tools available for internal security are the assessment, audit, and penetration testing processes. The goals of such measures are to:

  • Understand our risks so that we may apply proper security

  • Find vulnerabilities before our enemies do

Of course, performing a full risk assessment or hands-on analysis of each workstation would not be a practical solution. As such, an internal audit must balance effectiveness and practicality. I have already covered one such audit process in Chapter 8, Practical Security Assessments.

Internal Monitoring

Internal logging and monitoring are ways we can gain insight as to what is going on within a network. Most modern devices and systems include logging capabilities that can be included in an organization-wide monitoring effort. More specifics on monitoring techniques are included in the later section titled Logging and Monitoring. Here, I will simply point out important areas for internal network monitoring:

  • Logging from servers and devices: Just about every modern operating system in a server or device comes with some form of logging and monitoring option. Normally, such processes affect the performance of the system and so they are turned off by default. It is important to enable logging on servers and devices and have them report to a central console.

  • Mobile IDS logging: While it is often impractical to implement a full IDS within all internal networks, it is common to have one or two IDS sensors that can be rotated in the organization. Packaged IDS appliances and Open Source IDS applications installed on laptops are ideal for this type of work. Each IDS should sit in place for some predefined period of time, commonly a week or so, after which it can be moved to the next undisclosed network until all networks have been covered. Once complete, the cycle starts all over again. (Note: An IDS used for perimeter intrusion detection should be a dedicated device and should not be rotated. This practice is intended for organizations that can deploy an additional internal IDS within the environment.)

  • Host-based IDS logging: A great way to enhance internal logging and monitoring is through host-based IDSs. In this scenario, an agent is installed on each critical server and monitors for suspicious activities. Activities are logged to a central logging server, where they must be monitored regularly. This option can, however, be somewhat expensive.
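Having servers report to a central console only pays off if someone, or something, reads what arrives there. The script below is an added example, not the book's code, of the kind of first-pass triage a central console can run over forwarded syslog lines: it parses SSH authentication messages from several hosts and raises two findings the book's monitoring discussion implies, a burst of failed logins against one host from one source, and one account being accepted on many hosts from the same source in a short window. The log lines, host names and addresses are constructed; the message format follows the common OpenSSH syslog wording.

```python
"""Central-console triage over forwarded syslog lines (added example).

Assumes servers forward syslog-style lines to one collector. The sample
lines, hosts and addresses below are constructed for illustration.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Mar 12 09:01:02 fileserver sshd[4101]: Failed password for invalid user admin from 10.20.3.14 port 51022 ssh2
Mar 12 09:01:04 fileserver sshd[4101]: Failed password for invalid user admin from 10.20.3.14 port 51023 ssh2
Mar 12 09:01:07 fileserver sshd[4101]: Failed password for root from 10.20.3.14 port 51024 ssh2
Mar 12 09:01:09 fileserver sshd[4101]: Failed password for root from 10.20.3.14 port 51025 ssh2
Mar 12 09:01:12 fileserver sshd[4101]: Failed password for root from 10.20.3.14 port 51026 ssh2
Mar 12 09:02:30 fileserver sshd[4190]: Accepted password for jsmith from 10.20.3.14 port 51030 ssh2
Mar 12 09:03:11 dbserver sshd[2201]: Accepted publickey for jsmith from 10.20.3.14 port 40001 ssh2
Mar 12 09:03:40 webserver sshd[9002]: Accepted password for jsmith from 10.20.3.14 port 40050 ssh2
Mar 12 09:05:00 webserver sshd[9010]: Accepted publickey for deploy from 10.20.1.5 port 33000 ssh2
Mar 12 09:05:30 webserver cron[9020]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Generic syslog envelope: timestamp, host, process[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) (?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# OpenSSH authentication outcome lines (constructed sample follows this wording)
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)


def parse(text: str) -> list[dict]:
    """Extract authentication events; non-auth lines (cron etc.) are skipped."""
    events = []
    for line in text.splitlines():
        env = LINE_RE.match(line)
        if not env:
            continue
        auth = AUTH_RE.match(env["msg"])
        if not auth:
            continue
        events.append({"host": env["host"], "result": auth["result"],
                       "user": auth["user"], "src": auth["src"]})
    return events


def failed_bursts(events: list[dict], threshold: int = 5) -> dict:
    """(host, source) pairs with at least `threshold` failed logins."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "Failed":
            counts[(e["host"], e["src"])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


def fan_out(events: list[dict], min_hosts: int = 3) -> dict:
    """(user, source) pairs accepted on `min_hosts` or more distinct hosts.

    One workstation logging into many servers in a row is worth a look
    even when every login succeeded.
    """
    hosts = defaultdict(set)
    for e in events:
        if e["result"] == "Accepted":
            hosts[(e["user"], e["src"])].add(e["host"])
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for (host, src), n in failed_bursts(evts).items():
        print(f"{n} failed logins on {host} from {src}")
    for (user, src), hs in fan_out(evts).items():
        print(f"{user} from {src} accepted on {', '.join(hs)}")
```

The thresholds are deliberately simple; the point is that none of this is possible unless logging is switched on at the source and the lines actually reach one place.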

The Concept of Internal Zoning

Network-based zoning practices should not be thought of as belonging to the perimeter only. Creating a chokepoint and isolating devices in their own zone is a great way to enhance security for other critical services, especially those on the internal network. Devices on the internal network are directly exposed to all other systems on the network, which makes it more difficult to maintain network-based security. Organizations that host critical internal services should consider placing such services behind an internal firewall, helping to layer defenses, separate access, and otherwise protect them from internal hackers.

  • Internal DMZ network: For large organizations with large investments in critical servers, it may be worthwhile to create chokepoints and install separate firewalls to guard such systems. For smaller organizations unable to implement such measures, a filtering router or some other such device will still add tremendously to the security of these systems.

  • Isolating back-end services: For an organization with a critical DB service accessed only by a designated server, it may be possible to isolate this server on a back-end network without using a firewall. If, for example, an Oracle server is feeding a series of customer tracking systems, we may be able to place the Oracle server on a separate network attached to secondary interface cards on the front-end systems. Of course, such practices are not as effective as implementing a separate firewall. They are, however, simple and cost-effective solutions for enhancing internal security.
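To make the difference between a flat internal network and a zoned one concrete, the script below models the filtering router or internal firewall in front of a database zone as a first-match access list and evaluates a few flows against both a flat policy and a zoned one. This is an added example and not code from the book; the address ranges, the jump host and the zone layout are constructed, and the only real-world constant is Oracle's default listener port, 1521.

```python
"""Internal chokepoint access list, evaluated in Python (added example).

Models a filtering router / internal firewall guarding a back-end
database zone. Address ranges and hosts below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # None matches any destination port


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Constructed address plan
USER_LAN = net("10.20.0.0/16")      # every desktop in the building
APP_SERVERS = net("10.30.1.0/24")   # the customer tracking front ends
JUMP_HOST = net("10.30.2.10/32")    # the one box DBAs administer from
DB_ZONE = net("10.40.1.0/24")       # the Oracle servers

# Flat network: the database zone is reachable from anywhere inside.
FLAT_POLICY = [Rule("allow", net("0.0.0.0/0"), DB_ZONE, None)]

# Zoned network: only the designated front ends reach the listener port,
# only the jump host reaches SSH, and everything else is denied.
ZONED_POLICY = [
    Rule("allow", APP_SERVERS, DB_ZONE, 1521),
    Rule("allow", JUMP_HOST, DB_ZONE, 22),
    Rule("deny", net("0.0.0.0/0"), DB_ZONE, None),
]


def evaluate(policy: list[Rule], src: str, dst: str, dport: int) -> str:
    """First matching rule wins; no match means deny (implicit default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if s in rule.src and d in rule.dst and (rule.dport is None or rule.dport == dport):
            return rule.action
    return "deny"


def compare(src: str, dst: str, dport: int) -> tuple[str, str]:
    """Result under the flat policy and under the zoned policy, side by side."""
    return evaluate(FLAT_POLICY, src, dst, dport), evaluate(ZONED_POLICY, src, dst, dport)


if __name__ == "__main__":
    flows = [
        ("desktop -> oracle listener", "10.20.3.14", "10.40.1.5", 1521),
        ("app server -> oracle listener", "10.30.1.7", "10.40.1.5", 1521),
        ("jump host -> ssh", "10.30.2.10", "10.40.1.5", 22),
        ("app server -> ssh", "10.30.1.7", "10.40.1.5", 22),
    ]
    for label, src, dst, port in flows:
        flat, zoned = compare(src, dst, port)
        print(f"{label:32} flat={flat:5} zoned={zoned}")
```

The secondary-interface-card variant the book describes gives the same outcome as the zoned policy with no filtering device at all, because a desktop simply has no route to the back-end network; the access list above is what you write when a filtering router or firewall is the chokepoint instead.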

Figure 11.1. Example of internal network zoning.


Rule of Change

Uncoordinated changes within the internal environment often lead to disastrous security issues. With all the potential variables that can lead to vulnerabilities, it is vital that changes be managed in accordance with the Rule of Change. Likewise, it is important to avoid the guinea pig effect and to work with a standard set of applications, tools, and devices.

Rule of Preventative Action

Practicing proactive security in the internal environment requires us to spend time each day researching new security issues. We must prepare ourselves for new worms, viruses, and new types of attacks by keeping up with security news. We must then look back at our own environment and evaluate it for these vulnerabilities and weak links. It is important to stay several steps ahead of hackers by performing vulnerability scans and other checks regularly.

Considering Desktop Management Practices

A great tool for enhancing internal security practices is a desktop management system. Many vendors have developed different types of desktop management products; many include security options that conform to the rules of security. In particular, a desktop management implementation can assist in:

  • Rule of Least Privilege: Desktop management platforms often let us lock down workstations so that unauthorized applications cannot be installed. Many can also lock down certain commands to prevent them from being executed on a desktop.

  • Rule of the Three-Fold Process: Many desktop management platforms provide centralized logging for various desktop-related security issues. This can often allow an organization to monitor the security of all desktops from a single location.

  • Rule of Preventative Action: Desktop management products often include automated virus and patch updates to help ensure that virus definitions and security patches stay up-to-date on the organization's workstations.

Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
Year: 2006
Pages: 119
Authors: Kevin Day