Defense-in-Depth Examples


Defense-in-depth assumes that every countermeasure can potentially be bypassed by an attacker. If you layer many countermeasures together, however, the odds that an attacker bypasses all of them without being detected become much lower. Because of operational concerns, the most secure solution cannot always be implemented and is not always practical.

Consider securing houses. The strongest walls are thick concrete walls with no windows. These walls are also more expensive than normal wooden framed walls. Furthermore, people prefer to have natural lighting, so most houses have numerous windows made of glass. The glass lets light in and enables people to view things happening outside their house. Although the glass windows are a weak link (because they are breakable), you can improve on them using the defense-in-depth strategy. By adding a clear plastic laminate to the inside of the window, you can ensure that when the window breaks, the pieces stay together. This laminate then prevents attackers from easily getting through the window even if they break the glass. In conjunction with the laminate, you probably want to add an alarm mechanism that triggers when the window is opened or the glass is broken. Both of these measures make it more difficult for robbers to get into your house through the window without being detected.

This section walks through two examples that show the strength of a defense-in-depth approach:

  • External attack against a corporate database

  • Internal attack against a management server

External Attack Against a Corporate Database

A prime target on your network is your corporate database. Hopefully, this database is housed on your internal network and protected by various security measures. These security measures should make it difficult for an attacker to launch a successful attack against your corporate database.

Many people might think that an external attack needs to come directly from your network Internet connection. However, external attackers can attack your corporate database in various ways. Some of the attack paths and mechanisms include the following:

  • Accessing the database server from the Internet

  • Accessing the database server from a compromised internal system

  • Accessing the database server from a compromised DMZ web server

  • Accessing the database server from a worm attack

Protecting against these external attacks falls into the following areas or layers:

  • Layer 1: The Internet perimeter router

  • Layer 2: The Internet perimeter firewall

  • Layer 3: The DMZ firewall

  • Layer 4: Network IPS

  • Layer 5: NetFlow

  • Layer 6: Antivirus

  • Layer 7: Host IPS

Layer 1: The Internet Perimeter Router

The first layer of protection from an attack is your external router. A router, if properly configured, can prevent traffic that spoofs your internal address space from entering your network. A commonly used and effective method for preventing spoofed traffic is to enable unicast reverse path forwarding (uRPF). uRPF uses the router's routing table to examine incoming traffic on an interface. This means that when traffic arrives on an interface with a source IP address of 10.10.10.1, for example, the router examines its routing table to see which interface it would use to send traffic destined for 10.10.10.1. If that interface is not the one the traffic arrived on, the spoofed traffic is dropped. Routers can also use access control lists (ACLs). ACLs are rules that permit, deny, or simply identify traffic based on the following parameters:

  • Source IP address

  • Destination IP address

  • Source port

  • Destination port

  • IP protocol
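As an added example (not code from the book), the following Python models the strict uRPF check described above with a constructed routing table and interface names: the router looks up the packet's source address as if it were a destination and accepts the packet only when the resulting egress interface is the one the packet arrived on.

```python
import ipaddress

# Constructed routing table (assumption): prefix -> egress interface.
ROUTES = {
    "0.0.0.0/0":    "Serial0",    # default route toward the Internet
    "10.10.0.0/16": "Ethernet0",  # internal address space
    "192.0.2.0/24": "Ethernet1",  # DMZ
}

def lookup(dst):
    """Longest-prefix match: the interface the router would use to reach dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_accept(src_ip, ingress_iface):
    """Strict uRPF: accept only if the route back to src_ip leaves via ingress_iface."""
    return lookup(src_ip) == ingress_iface

def filter_packets(packets):
    """Apply uRPF to (source address, ingress interface) pairs; return each verdict."""
    return [(src, iface, "accept" if urpf_accept(src, iface) else "drop")
            for src, iface in packets]

if __name__ == "__main__":
    # Constructed sample: one spoofed internal source arriving from the Internet side.
    SAMPLE = [
        ("10.10.10.1", "Serial0"),    # claims internal source, arrives from Internet
        ("203.0.113.5", "Serial0"),   # legitimate Internet source
        ("10.10.10.1", "Ethernet0"),  # legitimate internal source
    ]
    for src, iface, verdict in filter_packets(SAMPLE):
        print(f"{src:>14} on {iface:<9} -> {verdict}")
```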

A weakness of traditional router ACLs is that they must trust information contained within the network traffic. The router does not maintain state information on traffic and instead relies on whether or not bits are set in a packet to determine whether or not the traffic is valid. For example, a crafted attack packet could potentially set the ACK bit to 1, and a router might believe this traffic is response traffic to a session that originated inside the network.

Valid TCP Connection

A valid TCP connection is one that has been initiated with a complete three-way handshake that starts with a SYN packet from the client, followed by a SYN-ACK packet from the server, followed by an ACK from the client. Valid TCP traffic also has sequence and acknowledgment numbers that match the current values for the TCP connection. For more information on TCP, refer to RFC 793.
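To make the ACK-bit weakness concrete, here is an added Python example (not from the book) that puts a stateless rule of the kind a router's "established" ACL keyword expresses beside a filter that tracks the three-way handshake. The packet model, addresses and ports are constructed; the crafted packet carries only the ACK bit and targets the SQL Server port.

```python
from collections import namedtuple

# Constructed packet model (assumption): only the TCP fields the comparison needs.
# inbound=True means the packet arrives from the Internet side.
Packet = namedtuple("Packet", "src sport dst dport syn ack inbound",
                    defaults=(False, False, True))

def stateless_established_acl(pkt):
    """Router ACL 'established' rule: permit inbound TCP whenever ACK is set.
    It trusts the bits in the packet and has no idea whether a session exists."""
    return (not pkt.inbound) or pkt.ack

class StatefulFilter:
    """Inbound packets are allowed only for sessions an internal host opened
    with a real three-way handshake (SYN out, SYN-ACK in, ACK out)."""
    def __init__(self):
        self.half_open = set()      # SYN sent from inside, awaiting SYN-ACK
        self.established = set()

    @staticmethod
    def _key(pkt):
        # Sort the endpoints so both directions of a flow share one entry.
        return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

    def allow(self, pkt):
        key = self._key(pkt)
        if not pkt.inbound:                    # outbound permitted; record state
            if pkt.syn and not pkt.ack:
                self.half_open.add(key)
            elif pkt.ack and key in self.half_open:
                self.half_open.discard(key)    # client's final ACK completes it
                self.established.add(key)
            return True
        if pkt.syn and pkt.ack and key in self.half_open:
            return True                        # server's SYN-ACK to our SYN
        return key in self.established         # otherwise a known session is required

# Crafted inbound packet with only ACK set, aimed at the SQL Server (constructed values).
CRAFTED = Packet("203.0.113.9", 4444, "10.10.10.5", 1433, ack=True)
def compare_crafted():
    """(stateless verdict, stateful verdict) for the crafted ACK-only packet."""
    return stateless_established_acl(CRAFTED), StatefulFilter().allow(CRAFTED)

def legitimate_session():
    """Verdicts for a real session opened from inside, seen by the stateful filter."""
    fw = StatefulFilter()
    steps = [Packet("10.10.10.5", 50000, "198.51.100.7", 443, syn=True, inbound=False),
             Packet("198.51.100.7", 443, "10.10.10.5", 50000, syn=True, ack=True),
             Packet("10.10.10.5", 50000, "198.51.100.7", 443, ack=True, inbound=False),
             Packet("198.51.100.7", 443, "10.10.10.5", 50000, ack=True)]  # server data
    return [fw.allow(p) for p in steps]
```

The stateless rule lets the crafted packet through; the stateful filter drops it because no internal host ever opened that session, while the genuine session passes at every step.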


For example, suppose ACME's corporate databases run on Microsoft's SQL Server, which defaults to using User Datagram Protocol (UDP) port 1434 for access to the database. Most companies already block this port, but ACME should verify that the ACLs on the router do not allow this port to pass, especially to the SQL Server. Because this traffic is UDP-based, this ACL should block all external traffic to this port. Simply limiting external connections via ACLs, however, is usually not effective on its own because an attacker can spoof UDP traffic fairly easily.

Layer 2: The Internet Perimeter Firewall

Most companies want their default protection to prevent traffic from the Internet to the internal network, although they allow internal systems to easily access the Internet. A perimeter firewall can implement rules to enforce these protections. The firewall, however, also has additional functionality such as the following:

  • Application inspection processing

  • Stateful connection processing

  • Network Address Translation (NAT)

Your perimeter firewall should be configured to prevent an external computer from making connections to your internal database server.

In the example, the perimeter firewall prevents any inbound connections to the internal network. At the same time, this firewall allows internal systems to make outbound connections (allowing return traffic only for connections initiated from the internal network).

The application inspection processing enables your firewall to perform a detailed analysis of network traffic at the application layer. This analysis can automatically alter packet contents (such as performing NAT on IP fields in the application data). It can also open up pinhole connections through the firewall based on application data (such as opening up voice audio streams).

Layer 3: The DMZ Firewall

External users need to access many systems (such as your corporate web server). These systems, therefore, are a prime attack target. By placing these systems in a demilitarized zone (DMZ), you limit the ability of an attacker to impact other areas of your network if they happen to be compromised (see Figure 4-2). If a DMZ server is compromised by an attacker, the only other systems an attacker can attempt to attack from the compromised server are other systems on the same DMZ. Any connectivity to other DMZs or the internal network must be explicitly defined on the firewall.

Figure 4-2. DMZ Zone


Note

You should also limit the ability of your DMZ servers to initiate connections to other systems on the Internet. This prevents your public servers from attacking other systems on the Internet should they be compromised.


The firewall provides access to your web server and mail server; however, it can also provide some protection against many flooding attacks (such as a SYN flood). For example, the Cisco PIX firewall software version 7.0 and the Adaptive Security Appliance (ASA) provide various measures to protect against SYN flood attacks.

In the example, placing the public servers on a DMZ network prevents them from being used to attack the database server because they have no access to the internal network and the firewall is not configured to allow it. All connections to these public servers are initiated from the internal network.

Layer 4: Network IPS

Your Network IPS is continually analyzing the traffic passing through key points in your network. Using a large database of known attack signatures (a combination of patterns, protocol decodes, and anomaly and behavioral analysis), your IPS sensors can prevent many attacks from reaching systems on your network.

If an attacker manages to pass attack traffic through your firewall, your Network IPS should detect it and take action. Actions are usually predefined and can include setting off an alarm or stopping the attack. You can also configure your Network IPS to alarm if it detects unauthorized traffic, such as connections originating from the database server destined to systems on the Internet.

Layer 5: NetFlow

NetFlow enables you to analyze the connections that occur on your network. Looking at the following connection parameters, you can identify patterns and other potentially anomalous activity:

  • Source IP address

  • Destination IP address

  • Source port

  • Destination port

  • IP protocol

  • Amount of data transmitted

In the example, NetFlow is used for anomaly identification. A baseline of connection patterns is established. Then, using NetFlow, any connections that deviate from the established baseline are investigated.

In fact, Cisco Security Monitoring, Analysis and Response System (CS-MARS) accepts NetFlow data from routers and Layer 3 switches and then automates the security analysis of the NetFlow information. By learning what normal traffic is on the network, CS-MARS is able to alert on sudden changes in behavior.
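The baseline-and-deviation idea can be sketched in a few lines. The following is an added example, not code from the book or from CS-MARS: it learns average bytes per flow for each (source, destination, service) key from constructed NetFlow-style records, then flags a connection key never seen during learning (the database server talking to an Internet host) and a flow whose volume is far above its baseline. The 5x volume threshold is an assumption.

```python
from collections import defaultdict

# Constructed flow records (assumption), shaped like the NetFlow fields listed above:
# (src_ip, dst_ip, src_port, dst_port, ip_protocol, bytes)
BASELINE = [
    ("10.10.20.15", "10.10.10.5", 51000, 1433, "tcp", 40_000),   # app server -> DB
    ("10.10.20.15", "10.10.10.5", 51001, 1433, "tcp", 38_000),
    ("10.10.20.16", "10.10.10.5", 51002, 1433, "tcp", 42_000),
    ("10.10.10.5", "10.10.30.2", 60000, 514, "udp", 2_000),      # DB -> syslog collector
    ("10.10.10.5", "10.10.30.2", 60001, 514, "udp", 2_100),
]

def flow_key(flow):
    """Collapse ephemeral source ports: who talks to whom, on which service."""
    src, dst, _sport, dport, proto, _nbytes = flow
    return (src, dst, dport, proto)

def build_baseline(flows):
    """Per key: mean bytes per flow observed during the learning period."""
    totals, counts = defaultdict(int), defaultdict(int)
    for f in flows:
        totals[flow_key(f)] += f[5]
        counts[flow_key(f)] += 1
    return {k: totals[k] / counts[k] for k in totals}

def detect(flows, baseline, volume_factor=5.0):
    """Alerts for keys absent from the baseline or flows far above their mean."""
    alerts = []
    for f in flows:
        k = flow_key(f)
        if k not in baseline:
            alerts.append(("new-connection", k))
        elif f[5] > volume_factor * baseline[k]:
            alerts.append(("volume", k, f[5]))
    return alerts

# New observation window (constructed): normal traffic plus two deviations.
WINDOW = [
    ("10.10.20.15", "10.10.10.5", 51300, 1433, "tcp", 41_000),
    ("10.10.10.5", "203.0.113.77", 44000, 443, "tcp", 900_000),    # DB server -> Internet
    ("10.10.20.16", "10.10.10.5", 51301, 1433, "tcp", 5_000_000),  # far above usual volume
]

def run():
    """Learn from BASELINE, then analyze WINDOW; returns the alert list."""
    return detect(WINDOW, build_baseline(BASELINE))
```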

Layer 6: Antivirus

Antivirus software protects systems on your network from a wide variety of viruses, Trojans, and worms. Antivirus software runs on the actual system that it protects. Therefore, the protection moves with the system. This is especially beneficial for highly mobile systems, such as laptops. Your business network might have a wide variety of security measures in place, but when your users take their corporate laptops home, those same protections are usually not in place (except for those that run on the laptops themselves).

In the example, antivirus software protects user systems from becoming compromised by known viruses. Protecting user systems prevents the user computers from being used as a launching point for attacks against the network.

Layer 7: Host IPS

Similar to antivirus, Host IPS runs on the actual system being protected. If your Host IPS implements behavioral signatures, it has the ability to protect your systems from day zero attacks.

Day Zero Attacks

Day zero attacks are attacks that had not been published at the time they are used. Therefore, these attacks are not included in the signature database of many antivirus products.


Another advantage of Host IPS is that it can detect malicious software, such as keyloggers and Trojans, that an attacker might attempt to install on your systems.

A Host IPS system such as Cisco Security Agent (CSA) can be installed on the database systems, as well as all user systems. CSA protects the systems from buffer overflow attacks and from the installation of malicious software. It also alerts the user whenever it appears that software is being installed on the system. This visual indication enables users to prevent many malicious applications and spyware from being installed while still allowing them to install other software successfully. CSA can also be configured to protect against many malicious applications automatically (without informing the user).

Internal Attack Against a Management Server

Besides external attacks, you also need to worry about internal people who attempt to access unauthorized resources (either intentionally or accidentally). Because your management systems control the configuration on devices throughout your network, protecting these systems is a vital component of your overall network security strategy. Hopefully, an attacker must compromise several security mechanisms to access your management systems.

Protecting against these internal attacks falls into the following areas or layers:

  • Layer 1: The switch

  • Layer 2: Network IPS

  • Layer 3: Encryption

  • Layer 4: Strong authentication

  • Layer 5: Host IPS

Layer 1: The Switch

The first layer of protection on your network is the switch ports that connect devices to your internal network. By separating different ports into different VLANs, you force traffic between different VLANs to go through your Layer 3 protection mechanisms, such as ACLs on your routers. When you turn off unused ports or use a port-based authentication system like 802.1X, you decrease the chances that someone can plug into an unused port and gain access to important systems.

802.1X

802.1X is a protocol that requires a device to be authenticated before the port that the device is connected to is allowed to access the protected network. Initially, the port provides the device with access only to the switch itself. Then, if the device authenticates successfully, the switch reconfigures the port and provides the device with greater access to the network.


In this example, the only ports configured for the server VLAN are the three server systems. Furthermore, ACLs limit access to only specific user systems. You can also benefit by enabling port security on the switch's ports. Port security restricts the number of Ethernet addresses that a specific switch port is allowed to use, along with preventing a device from pretending to be another device's Ethernet address using Address Resolution Protocol (ARP) spoofing (common techniques used by tools such as Ettercap and DSNIFF).

Layer 2: Network IPS

Your Network IPS is constantly monitoring the traffic on your network looking for potential attack traffic. In this example, you can also use your Network IPS to identify anomalous connections to or from your management servers. Sensors running in inline mode can actually prevent connections from or to unauthorized systems. If attackers do compromise one of the servers, they can attempt to establish a connection to an external system on the Internet. This connection can be observed by the Network IPS.

Layer 3: Encryption

Many tools are available to sniff (or capture) the traffic on a network. To prevent successful sniffing, encrypt traffic to your management servers so that you stop an attacker from capturing vital information (such as login credentials). Common encrypted protocols for management include Secure Shell (SSH) and Secure Sockets Layer (SSL).

In the example, encrypting the network traffic makes it almost impossible for an internal attacker (who has access to the network) to gain login credentials by using a simple network sniffer unless the attacker is able to successfully initiate a man-in-the-middle attack.

Note

Enabling port security, however, can minimize or eliminate the ability of the attacker to initiate a successful man-in-the-middle attack.


Layer 4: Strong Authentication

Strong authentication is important to protect critical assets (such as your management systems). One way to implement strong authentication is to use one-time passwords. Even if an attacker manages to observe the password during a login attempt, that password cannot be reused by the attacker to gain access to the management system.

One-Time Passwords

By stealing basic usernames and passwords, an attacker can log in to vital systems. Using one-time passwords, your accounts are protected even if the password is observed because a new password is generated for each login attempt and is usually valid only for a short period of time. These passwords are generated by a smartcard, token, or computer program.
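As an added example (not the book's code), the following Python implements the counter-based one-time password scheme of RFC 4226 (HOTP), one way a token can generate a fresh password for each login, and shows why an observed password is useless afterwards: the server's counter has already moved past it. The secret is the RFC's published test-vector key, used only as constructed setup; the look-ahead window size is an assumption.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class OtpServer:
    """Verifier side: accepts a code only if it matches an unused counter value
    within a small look-ahead window (assumed size), then moves the counter past it."""
    def __init__(self, secret: bytes, window: int = 3):
        self.secret, self.window, self.counter = secret, window, 0

    def login(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1        # burn this value and any skipped ones
                return True
        return False

class OtpToken:
    """User's token: each press yields the next code and advances its own counter."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code

def replay_scenario():
    """Legitimate login, then the same observed code presented again; returns both verdicts."""
    secret = b"12345678901234567890"        # RFC 4226 test-vector secret (constructed setup)
    server, token = OtpServer(secret), OtpToken(secret)
    observed = token.next_code()            # what a sniffer on the wire would capture
    first = server.login(observed)
    replayed = server.login(observed)       # same password presented a second time
    return first, replayed
```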


Layer 5: Host IPS

Finally, Host-based IPS, like CSA, protects the management system from attempts at exploiting vulnerabilities in the operating system or applications running on it. In addition, it can enforce policies that define what applications are allowed to run, which systems they are allowed to communicate with, and which users are allowed to run them. This final line of defense provides a final hurdle for an internal attacker.




Intrusion Prevention Fundamentals
ISBN: 1587052393
Pages: 115