Defense-in-depth assumes that every countermeasure can potentially be bypassed by an attacker. If you layer many countermeasures together, however, the odds of an attacker bypassing all of them without being detected become much lower. Because of operational concerns, the most secure solution cannot always be implemented and is not always practical. Consider securing houses. The strongest walls are thick concrete walls with no windows, but these walls are also more expensive than normal wooden framed walls. Furthermore, people prefer natural lighting, so most houses have numerous glass windows. The glass lets light in and enables people to see what is happening outside their house. Although glass windows are a weak link (because they are breakable), you can improve on them using the defense-in-depth strategy. By adding a clear plastic laminate to the inside of the window, you ensure that when the window breaks, the pieces stay together. This laminate then prevents attackers from easily getting through the window even after they break the glass. In conjunction with the laminate, you probably want to add an alarm mechanism that triggers when the window is opened or the glass is broken. Both of these measures make it more difficult for robbers to get into your house through the window without being detected. This section walks through two examples that show the strength of a defense-in-depth approach:
External Attack Against a Corporate Database

A prime target on your network is your corporate database. Hopefully, this database is housed on your internal network and protected by various security measures. These security measures should make it difficult for an attacker to launch a successful attack against your corporate database. Many people might think that an external attack needs to come directly through your network's Internet connection. However, external attackers can attack your corporate database in various ways. Some of the attack paths and mechanisms include the following:
Protecting against these external attacks falls into the following areas or layers:
Layer 1: The Internet Perimeter Router

The first layer of protection from an attack is your external router. A router, if properly configured, can prevent traffic that spoofs your internal address space from entering your network. A commonly used and effective method for preventing spoofed traffic is to enable unicast reverse path forwarding (uRPF). uRPF uses the router's routing table to examine incoming traffic on an interface. This means that when traffic arrives on an interface with a source IP address of 10.10.10.1, for example, the router examines its routing table to see which interface it would use to send traffic that had 10.10.10.1 as a destination address. If these two interfaces aren't the same, the traffic is treated as spoofed and dropped. Routers can also use access control lists (ACLs). ACLs are rules that permit, deny, or simply identify traffic based on the following parameters:
A weakness of traditional router ACLs is that they must trust information contained within the network traffic. The router does not maintain state information on traffic and instead relies on whether or not bits are set in a packet to determine whether or not the traffic is valid. For example, a crafted attack packet could potentially set the ACK bit to 1, and a router might believe this traffic is response traffic to a session that originated inside the network.
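The two Layer 1 mechanisms just described, strict uRPF and a stateless ACL that trusts the ACK bit, as an added example that is not part of the original text; the routing table, interface names, addresses and sample packets are constructed, and the session-aware check stands in for what a device that tracks connection state would do instead:

```python
import ipaddress

# Constructed routing table for the perimeter router: prefix -> egress interface.
# 10.10.10.0/24 is the internal address space; 0.0.0.0/0 is the default route
# toward the Internet. Interface names and addresses are assumptions.
ROUTES = {
    ipaddress.ip_network("10.10.10.0/24"): "inside",
    ipaddress.ip_network("0.0.0.0/0"): "outside",
}

def egress_interface(addr):
    """Longest-prefix match: the interface the router would use to reach addr."""
    addr = ipaddress.ip_address(addr)
    best = max((net for net in ROUTES if addr in net), key=lambda net: net.prefixlen)
    return ROUTES[best]

def urpf_accepts(src, ingress):
    """Strict uRPF: accept only if the best route back to the source address
    leaves through the interface the packet arrived on."""
    return egress_interface(src) == ingress

def stateless_acl_permits(pkt):
    """Router ACL with no session state: blocks UDP/1434 outright and otherwise
    trusts the ACK bit as proof that a TCP packet is return traffic."""
    if pkt["proto"] == "udp" and pkt["dport"] == 1434:
        return False
    return pkt["proto"] == "tcp" and pkt["ack"]

def stateful_permits(pkt, sessions):
    """Session-aware check: permit an inbound packet only if it is the reply half
    of a session the inside opened (sessions holds (src, sport, dst, dport))."""
    return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in sessions

# Constructed sample packets, all arriving on the outside interface.
SPOOFED = {"proto": "tcp", "src": "10.10.10.1", "sport": 5555,
           "dst": "10.10.10.20", "dport": 1433, "ack": True}
UNSOLICITED_ACK = {"proto": "tcp", "src": "203.0.113.9", "sport": 4444,
                   "dst": "10.10.10.20", "dport": 1433, "ack": True}
SQL_RESOLUTION = {"proto": "udp", "src": "203.0.113.9", "sport": 4444,
                  "dst": "10.10.10.20", "dport": 1434, "ack": False}
REPLY = {"proto": "tcp", "src": "198.51.100.7", "sport": 443,
         "dst": "10.10.10.5", "dport": 40000, "ack": True}
OPEN_SESSIONS = {("10.10.10.5", 40000, "198.51.100.7", 443)}  # opened from inside

if __name__ == "__main__":
    for name, pkt in [("spoofed", SPOOFED), ("unsolicited ACK", UNSOLICITED_ACK),
                      ("UDP/1434", SQL_RESOLUTION), ("reply", REPLY)]:
        print(f"{name:16} uRPF={urpf_accepts(pkt['src'], 'outside')!s:5} "
              f"ACL={stateless_acl_permits(pkt)!s:5} session={stateful_permits(pkt, OPEN_SESSIONS)}")
```

The spoofed packet passes the ACL (its ACK bit is set) but fails uRPF, and the unsolicited ACK passes the ACL yet matches no session; only the genuine reply passes every check.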
For example, suppose ACME's corporate databases run on Microsoft's SQL Server, which defaults to using User Datagram Protocol (UDP) port 1434 for access to the database. Most companies already block this port, but ACME should verify that the ACLs on the router do not allow this port to pass, especially to the SQL Server. Because this traffic is UDP-based, this ACL should block all external traffic to this port. Simply limiting external connections via ACLs, however, is usually not effective, because an attacker can spoof UDP traffic fairly easily.

Layer 2: The Internet Perimeter Firewall

Most companies want their default protection to prevent traffic from the Internet to the internal network, while allowing internal systems to easily access the Internet. A perimeter firewall can implement rules to enforce these protections. The firewall, however, also has additional functionality such as the following:
Your perimeter firewall should be configured to prevent an external computer from making connections to your internal database server. In the example, the perimeter firewall prevents any inbound connections to the internal network. At the same time, this firewall allows internal systems to make outbound connections (allowing return traffic only for connections initiated from the internal network). The application inspection processing enables your firewall to perform a detailed analysis of network traffic at the application layer. This analysis can automatically alter packet contents (such as performing NAT on IP addresses carried in the application data). It can also open pinhole connections through the firewall based on application data (such as opening voice audio streams).

Layer 3: The DMZ Firewall

External users need to access many of your systems (such as your corporate web server). These systems, therefore, are a prime attack target. By placing these systems in a demilitarized zone (DMZ), you limit the ability of an attacker to impact other areas of your network if they happen to be compromised (see Figure 4-2). If a DMZ server is compromised by an attacker, the only other systems the attacker can attempt to attack from the compromised server are other systems on the same DMZ. Any connectivity to other DMZs or the internal network must be explicitly defined on the firewall.

Figure 4-2. DMZ Zone

Note: You should also limit the ability of your DMZ servers to initiate connections to other systems on the Internet. This prevents your public servers from attacking other systems on the Internet should they be compromised.

The firewall provides access to your web server and mail server; however, it can also provide some protection against many flooding attacks (such as a SYN flood). For example, the Cisco PIX firewall software version 7.0 and the Adaptive Security Appliance (ASA) provide various measures to protect against SYN flood attacks.
In the example, placing the public servers on a DMZ network prevents them from being used to attack the database server, because they have no access to the internal network and the firewall is not configured to allow it. All connections to these public servers are initiated from the internal network.

Layer 4: Network IPS

Your Network IPS continually analyzes the traffic passing through key points in your network. Using a large database of known attack signatures (a combination of patterns, protocol decodes, and anomaly and behavioral analysis), your IPS sensors can prevent many attacks from reaching systems on your network. If an attacker manages to pass attack traffic through your firewall, your Network IPS should detect it and take action. Actions are usually predefined and can include setting off an alarm or stopping the attack. You can also configure your Network IPS to alarm if it detects unauthorized traffic, such as connections originating from the database server destined for systems on the Internet.

Layer 5: NetFlow

NetFlow enables you to analyze the connections that occur on your network. Looking at the following connection parameters, you can identify patterns and other potentially anomalous activity:
In the example, NetFlow is used for anomaly identification. A baseline of connection patterns is established; any connections that NetFlow shows deviating from that baseline are then investigated. Cisco Security Monitoring, Analysis and Response System (CS-MARS), for instance, accepts NetFlow data from routers and Layer 3 switches and automates the security analysis of the NetFlow information. By learning what normal traffic on the network looks like, CS-MARS is able to alert on sudden changes in behavior.

Layer 6: Antivirus

Antivirus software protects systems on your network from a wide variety of viruses, Trojans, and worms. Antivirus software runs on the actual system that it protects, so the protection moves with the system. This is especially beneficial for highly mobile systems, such as laptops. Your business network might have a wide variety of security measures in place, but when your users take their corporate laptops home, those same protections are usually not in place (except for those that run on the laptops themselves). In the example, antivirus software protects user systems from being compromised by known viruses. Protecting user systems prevents the user computers from being used as a launching point for attacks against the network.

Layer 7: Host IPS

Similar to antivirus, Host IPS runs on the actual system being protected. If your Host IPS implements behavioral signatures, it has the ability to protect your systems from zero-day attacks.
Another advantage of Host IPS is that it can detect malicious software, such as keyloggers and Trojans, that an attacker might attempt to install on your systems. A Host IPS system such as Cisco Security Agent (CSA) can be installed on the database systems, as well as on all user systems. CSA protects the systems from buffer overflow attacks and from the installation of malicious software. It also alerts the user whenever it appears that software is being installed on the system, giving the user a visual indication of the installation. This enables users to prevent many malicious applications and spyware from being installed while still allowing them to install other software successfully. CSA can also be configured to protect against many malicious applications automatically (without informing the user).

Internal Attack Against a Management Server

Besides external attacks, you also need to worry about internal people who attempt to access unauthorized resources (either intentionally or accidentally). Because your management systems control the configuration of devices throughout your network, protecting these systems is a vital component of your overall network security strategy. Ideally, an attacker must compromise several security mechanisms to access your management systems. Protecting against these internal attacks falls into the following areas or layers:
Layer 1: The Switch

The first layer of protection on your network is the switch ports that connect devices to your internal network. By separating different ports into different VLANs, you force traffic between VLANs to go through your Layer 3 protection mechanisms, such as ACLs on your routers. When you turn off unused ports or use a port-based authentication system like 802.1X, you decrease the chances that someone can plug into an unused port and gain access to important systems.
In this example, the only ports configured for the server VLAN are those of the three server systems. Furthermore, ACLs limit access to only specific user systems. You can also benefit from enabling port security on the switch's ports. Port security restricts the number of Ethernet addresses that a specific switch port is allowed to use, and it prevents a device from impersonating another device's Ethernet address through Address Resolution Protocol (ARP) spoofing (a common technique used by tools such as Ettercap and dsniff).

Layer 2: Network IPS

Your Network IPS constantly monitors the traffic on your network, looking for potential attack traffic. In this example, you can also use your Network IPS to identify anomalous connections to or from your management servers. Sensors running in inline mode can actually prevent connections from or to unauthorized systems. If attackers do compromise one of the servers, they might attempt to establish a connection to an external system on the Internet; this connection can be observed by the Network IPS.

Layer 3: Encryption

Many tools are available to sniff (or capture) the traffic on a network. To prevent successful sniffing, encrypt traffic to your management servers so that an attacker cannot capture vital information (such as login credentials). Common encrypted protocols for management include Secure Shell (SSH) and Secure Sockets Layer (SSL). In the example, encrypting the network traffic makes it almost impossible for an internal attacker (who has access to the network) to gain login credentials by using a simple network sniffer, unless the attacker is able to successfully initiate a man-in-the-middle attack.

Note: Enabling port security, however, can minimize or eliminate the ability of the attacker to initiate a successful man-in-the-middle attack.

Layer 4: Strong Authentication

Strong authentication is important to protect critical assets (such as your management systems).
One way to implement strong authentication is to implement one-time passwords. Even if an attacker manages to observe the password during a login attempt, the password could not be used by the attacker to gain access to the management system.
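One way to implement the one-time password described above, as an added example not taken from the original text: counter-based HOTP codes (RFC 4226) with a server that advances past each counter it accepts, so a password observed on the wire cannot be presented a second time. The shared secret is the RFC 4226 test-vector key, reused here purely as a constructed demo secret, and the look-ahead window is an assumption.

```python
import hashlib
import hmac
import struct

def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a decimal code of the requested length."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class OtpVerifier:
    """Server-side state for one account: the shared secret and the next counter
    value it will accept. A code works once; replaying an observed code fails."""
    def __init__(self, secret, look_ahead=3):
        self.secret = secret
        self.counter = 0              # next counter the server expects
        self.look_ahead = look_ahead  # tolerate a few codes generated but never sent

    def verify(self, candidate):
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.counter = c + 1  # never accept this or any earlier counter again
                return True
        return False

def replay_demo():
    """Returns (first_login_ok, replay_ok, next_code_ok): the legitimate login
    succeeds, a replay of the same observed password fails, the next code works."""
    secret = b"12345678901234567890"   # RFC 4226 test-vector key, a constructed demo secret
    server = OtpVerifier(secret)
    observed = hotp(secret, 0)         # the password visible to a sniffer: "755224"
    first = server.verify(observed)
    replay = server.verify(observed)
    nxt = server.verify(hotp(secret, 1))
    return first, replay, nxt
```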
Layer 5: Host IPS

Finally, Host-based IPS, like CSA, protects the management system from attempts to exploit vulnerabilities in the operating system or the applications running on it. In addition, it can enforce policies that define which applications are allowed to run, which systems they are allowed to communicate with, and which users are allowed to run them. This last line of defense provides a final hurdle for an internal attacker.
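The NetFlow baseline from Layer 5 of the external-attack example, together with the "compromised server connecting out to the Internet" observation from Layer 2 of the internal-attack example, as an added example that is not part of the original text. The flow records use a simplified five-field line rather than a real NetFlow export, and the addresses, byte counts and volume threshold are constructed for the demonstration.

```python
import ipaddress
INTERNAL = ipaddress.ip_network("10.10.10.0/24")   # internal address space (assumed)
SERVERS = {"10.10.10.20"}   # the corporate database server (constructed address)
# Constructed flow records in a simplified NetFlow-style form: src dst proto dport bytes
BASELINE_FLOWS = """
10.10.10.5  10.10.10.20  tcp 1433 4200    # workstation querying the database
10.10.10.6  10.10.10.20  tcp 1433 3900
10.10.10.5  198.51.100.7 tcp 443  15000   # ordinary web browsing
"""
NEW_FLOWS = """
10.10.10.5  10.10.10.20  tcp 1433 4100    # normal
10.10.10.20 203.0.113.9  tcp 443  900     # database server initiating to the Internet
10.10.10.6  10.10.10.20  tcp 1433 250000  # about 60x the usual volume
10.10.10.7  10.10.10.20  tcp 1433 4000    # workstation never seen in the baseline
"""

def parse_flows(text):
    """One record per line; '#' starts a comment; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            src, dst, proto, dport, nbytes = fields
            flows.append((src, dst, proto, int(dport), int(nbytes)))
    return flows

def build_baseline(flows):
    """Baseline = peak bytes per (src, dst, proto, dport) seen during normal operation."""
    peak = {}
    for src, dst, proto, dport, nbytes in flows:
        key = (src, dst, proto, dport)
        peak[key] = max(peak.get(key, 0), nbytes)
    return peak

def find_anomalies(flows, baseline, volume_factor=5):
    """Flag a protected server initiating toward the Internet, a connection absent
    from the baseline, or a known connection exceeding its baseline peak by volume_factor."""
    findings = []
    for src, dst, proto, dport, nbytes in flows:
        key = (src, dst, proto, dport)
        if src in SERVERS and ipaddress.ip_address(dst) not in INTERNAL:
            findings.append(("server-to-internet", key))
        elif key not in baseline:
            findings.append(("new-connection", key))
        elif nbytes > volume_factor * baseline[key]:
            findings.append(("volume", key))
    return findings

def run():
    return find_anomalies(parse_flows(NEW_FLOWS), build_baseline(parse_flows(BASELINE_FLOWS)))
```

Of the four new flows, the routine workstation query passes, while the outbound connection from the database server, the oversized transfer and the never-before-seen client are each reported for investigation.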