If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
A general is skillful in attack whose opponent does not know what to defend; and he is skillful in defense whose opponent does not know what to attack.
Sun Tzu, The Art of War
Why would a book on hardening network infrastructure open with a couple of quotes on warfare by Sun Tzu? The answer is that today's networks are under attack. It is nothing less than digital warfare.
On one side, you have hackers, crackers, and script kiddies who are attempting to gather information and gain access to protected resources. They are the enemy, and you need to know who they are and what they do. You need to understand the methods of attack and the types of exploits they use. An excellent resource for understanding the existing threats to your network is the Hacking Exposed series (McGraw-Hill/Osborne). These books contain examples and explanations of the types of tactics that hackers employ. Knowing the enemy, however, is only part of the equation.
On the other side of the digital battlefield, you have the security professionals.
We are the folks who attempt to prevent the hackers, crackers, and script kiddies from exploiting our systems. It is not good enough just to know what kinds of threats exist to your network. You must know not only the enemy, but also yourself and your network. You must know what resources exist on your network, from firewalls to routers to switches and everything in between. Once you are familiar with these, you need to know how to harden those network resources. For example, if you know that hackers will employ spoofing in an attempt to gain access to resources, how do you configure your firewalls and routers to protect against that threat? This book adds to the valuable information in Hacking Exposed by detailing the specific methods and procedures that you can implement to harden your network resources. I will show you what to defend so that your enemy's attacks will be in vain.
I have been frustrated with many technical books and whitepapers I have read because they rarely provide specific examples of what to do. They provide a great depth of conceptual information and explanations, but I often find myself asking, "OK, so now that I understand the issue, what exactly should I do about it?" When I was approached about writing this book, the one thing that intrigued me most was the publisher's desire to answer the question, "What should I do about it?" I decided to write this book from the perspective of a consultant. Instead of explaining the details of how various exploits work and then telling you that you need to fix the problems, I will tell you what you can do to harden your resources to prevent attacks, providing specific configuration examples as much as I can. I want you to be able to take this book and use it as a pocket consultant or procedural manual to guide you through the steps and procedures to follow in order to harden your network infrastructure.
We will look at all aspects of hardening network infrastructure, separated into four distinct parts. In Part I, Do This Now!, we will start with an examination of six things that you should do right now, if you aren't doing them already.
In Part II, Take It from the Top: The Systematic Hardening Process, we will start by performing an examination of a security policy, and then we will provide guidelines that you can follow to develop a good security policy. You cannot bring all your network devices into a consistent hardened state unless you have clearly defined what that state looks like, and this is why writing a security policy must be the first step to hardening your network. Then we will examine the specific network infrastructure hardware that needs to be hardened. We will look not only at what you can do to protect that hardware, but also at how you can use that hardware to protect your network. For example, we will investigate not only the steps to take to protect the firewall itself from being compromised, but also the steps needed to use the firewall to protect your network infrastructure. Part II will wrap up with a look at all of the various technologies and concepts, and integrate them into a systematically hardened network infrastructure design.
Part III, Once Is Never Enough, will explore how to address changes that will occur with your network infrastructure. From security policy changes to patches and updates, we will cover how to effectively address the changes that need to occur without compromising your network security posture.
Finally, Part IV, How to Succeed at Hardening Your Network Infrastructure, will address the soft-skills aspects of hardening your network. Issues covered will range from how to justify expenses to the powers that be to staffing and training concerns. We will wrap up with a look at the hard reality of network security: what to do when your best efforts fail and your network is compromised.
It is my sincere desire that after reading this book and implementing its suggestions, you will not only know your enemy but you will know yourself and your network, and by extension, you will know what to defend and how to defend it.
At the end of some code lines throughout this book (as in the example below), you'll see a right-pointing arrow (→). This signifies that the single-line command, which really should fall on one line, must break due to width limitations of the printed page.
iptables -A INPUT -i eth0 -p tcp -m tcp -s 192.168.1.100 -d 192.168.1.1 --dport 443 --syn -j ACCEPT