Friday, July 9, 2010

The Role Network Devices Play in Defense in Depth

Over the past many years the security industry has coined the phrase “Defense In Depth”. While many pundits have stated that defense in depth is dead, I believe the point the pundits are really trying to get across is that administrators are not practicing defense in depth. A spoken or written language, when people no longer use it, is in fact a dead language. With defense in depth, however, there are still security professionals who believe it has not yet seen its true implementation. This is mainly because IT professionals in general are not identifying the roles each network device will play in a defense in depth program.

Because of this, NWN STAR will help provide a foundation on which IT professionals can better understand some of the roles network devices can play in a defense in depth program. As part of that foundation, NWN STAR will identify some of the roles an IT professional may encounter or identify in their own network. Then each month NWN STAR will publish an article about one of these roles, helping to extend the knowledge and practical deployment of an effective defense in depth program.

The Roles of Network Devices

Because network devices are expected to be always up, and because of the complexity that sometimes surrounds networking equipment, IT professionals usually take an “if it is not broke, don’t fix it” approach, meaning network devices forgo software upgrades and configuration hardening. However, if the IT professional were able to identify the various roles each device in the network plays, then a better plan or approach could be taken to patching and hardening network systems.

As I see it, there are two fundamental types of network equipment: a layer 3 packet switch (a.k.a. a router) and a layer 2 packet switch (a.k.a. a switch). Now I know most of you are asking, what about firewalls, IDS/IPS, wireless controllers and so on? Step back: what is a firewall but a very smart router? What is a wireless controller but an 802.11a/b/g/n switch? Even an IDS/IPS, depending on the deployment, is either a layer 2 bridging device, i.e. a switch, or a layer 3 forwarding device, i.e. a router. So without diving into all the possibilities up front, if we focus on the core functions of a router and a switch, we can identify the roles played by networking devices.

As I was in the Marines for many years in the 1990’s, the analogies I will make will be drawn from Marine infantry. The switch is the initial point of access, so it can be thought of as the front line in our defensive perimeter, a.k.a. a Marine rifle company. Some of the roles on the front line are the infantry, the medics, fire support, and finally the artillery.

The Switch

In the role of the infantry, the switch engages with the endpoint and makes the first decision on whether the node is allowed on the network at all. The switch then monitors the traffic on the port and decides whether the correct system is connected and, if so, whether the traffic from that system is the correct kind.

Then, as the medic, the switch must be able to detect injuries to the network and respond accordingly. The medic must also be able to anticipate where problems are going to arise and head off the injury. An example of this is that the Navy Corpsman would always make sure the Marines drank lots of water and wore sunscreen. These are two fairly low-tech tasks, yet if Marines don’t have water or are badly sunburned, they can’t fight. The medic functions of the switch are features such as BPDU guard and storm control. Both are low-tech and easily configured: storm control rate-limits the broadcast and unknown-unicast flood that a CAM table flooding tool generates when it tries to turn the switch into a hub, BPDU guard stops a rogue device on an access port from taking part in spanning tree, and a port-security limit on learned MAC addresses closes the door on the flood itself.

The fire support aspect is the weapons platoon in a rifle company. The weapons platoon has heavy machine guns, like the M-60 (yes, I was in when Marines still carried M-60’s), and the 60mm mortars. These weapons can engage a larger number of enemy combatants yet remain extremely portable. The switch must act in the same manner: using 802.1X or port-security, a switch can be extremely effective at blocking unauthorized users from gaining access to the network. Additionally, using private VLANs (or protected ports) the switch can provide a greater level of segmentation, and BPDU guard and root guard keep an unauthorized device from rewriting the spanning-tree topology.
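As an added example (not from the original post or the NWN STAR config builders), the following Python script checks a Cisco IOS running-config for the front-line controls just discussed: port-security, BPDU guard, storm control and 802.1X on every access port. The running-config text is constructed for the example, and the set of required controls is an assumption about local policy, not something the post specifies.

```python
"""Audit access ports in a Cisco IOS running-config for the switch
'front line' controls discussed above. Added example; the config below
is constructed, not taken from a real device, and the required-control
list is an assumed local policy."""

# Controls an access port should carry, keyed by the config line that
# proves each one is present (prefix match on the interface block).
REQUIRED_ACCESS_PORT_CONTROLS = {
    "port-security": "switchport port-security",
    "bpduguard": "spanning-tree bpduguard enable",
    "storm-control": "storm-control broadcast level",
    "dot1x": "authentication port-control auto",
}

# Constructed sample: one hardened user port, one bare printer port,
# and a trunk uplink that must not receive access-port controls.
SAMPLE_RUNNING_CONFIG = """\
hostname edge-sw01
!
interface GigabitEthernet1/0/1
 description user desk
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 1.00
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 description printer
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 description uplink to core
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} in config order.
    An interface block runs until the next unindented line ('!' or a
    global command)."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None
    return interfaces


def audit_access_ports(config, required=REQUIRED_ACCESS_PORT_CONTROLS):
    """Return {interface: [missing control names]} for every port that is
    explicitly in access mode. Trunks are skipped on purpose: BPDU guard
    or port-security on an uplink would take the uplink down."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue
        missing = [ctrl for ctrl, marker in required.items()
                   if not any(line.startswith(marker) for line in lines)]
        findings[name] = missing
    return findings


if __name__ == "__main__":
    for intf, missing in audit_access_ports(SAMPLE_RUNNING_CONFIG).items():
        status = "OK" if not missing else "MISSING " + ", ".join(missing)
        print(f"{intf}: {status}")
```

Run it against saved `show running-config` output; the printer port in the sample comes back with all four controls missing, which is exactly the kind of quiet gap the “if it is not broke, don’t fix it” approach leaves behind.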

The Router

If the switch is the Marine rifle company, the router and firewalls can be seen as the Marine Expeditionary Unit (MEU). The MEU has an infantry battalion, an armored assault company, a tank company, an artillery company, and an air support wing: all the big fire support needed to back a highly mobile and deadly infantry Marine. That said, what role is the router going to play, you ask? The answer is quite simple: a BIG role.

A function of the air wing and armored assault is transportation, hopefully a secure mode of transportation. The role of the router is to secure the transport from one endpoint to another. In doing this, the router can deploy different forms of IPsec, routing table segmentation (VRFs), and varying levels of packet inspection and filtering.

For packet inspection, a router can look deep into the packet using Network Based Application Recognition (NBAR), the Zone Based Firewall (ZBF), and Quality of Service (QoS). These services classify packets by header fields and application content and can allow, deny or rate-limit them as needed; ZBF’s stateful inspection also drops packets that do not fit the expected protocol exchange. While the IT professional will not configure all of these features, they might combine them at different levels. For example, when configuring ZBF, the class-maps used to identify traffic can match on DSCP, IP Precedence, or CoS, to name a few, while the ToS bits that carry DSCP and IP Precedence can be set by a QoS marking policy that classifies traffic with NBAR. Once the traffic is identified, it can be permitted, denied, or modified in some way to reduce the overall threat. These features can be used to reduce the impact of a DDoS attack, deny packets over a certain size, or police traffic down to a limiting rate.

Similar to artillery, the router can use null routes to totally block certain threats based on block lists. A great set of firewall rules and Snort rules can be found at http://www.emergingthreats.net. The firewall rules can be turned into null route statements, advertised via an Interior Gateway Protocol (IGP) to a central router, and then forwarded to a Null interface, a.k.a. the bit bucket. Traffic to a null-routed prefix is dropped silently, so the list must be reviewed before it is deployed; a mistaken entry blackholes legitimate business traffic just as effectively. This is just one way the router can act like artillery and block large, blanketing attacks across a wide area.
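As an added example, not code from the original post or from Emerging Threats, the Python script below does the conversion just described: it reads a block list of IPv4 hosts and prefixes, collapses overlapping prefixes, and emits IOS static routes to Null0 carrying a route tag so that a redistribution route-map can select exactly these routes for the IGP. The list itself is constructed, and the tag value 666 is an arbitrary assumption.

```python
"""Turn an IP block list into Cisco IOS static null routes, the
'artillery' use of a router described above. Added example; the list
below is constructed and is not a real Emerging Threats feed, and the
route tag 666 is an assumed local convention."""
import ipaddress

# Constructed block-list lines in the common one-entry-per-line style:
# bare hosts, CIDR prefixes, comments, blanks, and two bad entries.
SAMPLE_BLOCKLIST = """\
# constructed sample, not a live feed
198.51.100.7
198.51.100.8/31
203.0.113.0/24
203.0.113.128/25
  # indented comment
2001:db8::/32
not-an-address
192.0.2.0/24
"""


def parse_blocklist(text):
    """Return (ipv4_networks, rejected_entries). Comments and blank lines
    are ignored; IPv6 and unparsable entries are returned separately so
    the operator can see what was dropped instead of losing it silently."""
    networks, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(line)
            continue
        if net.version != 4:
            rejected.append(line)
            continue
        networks.append(net)
    return networks, rejected


def null_routes(networks, tag=666):
    """Collapse overlapping prefixes, then emit one IOS static route per
    prefix pointing at Null0. The tag lets a redistribution route-map
    pick up only these routes when they are advertised via the IGP."""
    collapsed = ipaddress.collapse_addresses(networks)
    return [f"ip route {n.network_address} {n.netmask} Null0 tag {tag}"
            for n in sorted(collapsed)]


def blocklist_to_null_routes(text, tag=666):
    """Convenience wrapper: block-list text in, (routes, rejected) out."""
    networks, rejected = parse_blocklist(text)
    return null_routes(networks, tag), rejected


if __name__ == "__main__":
    routes, rejected = blocklist_to_null_routes(SAMPLE_BLOCKLIST)
    print("\n".join(routes))
    for entry in rejected:
        print(f"! skipped: {entry}")
```

In the sample, 203.0.113.128/25 disappears into the 203.0.113.0/24 that already covers it, so the router carries the minimum number of routes, and the two entries the parser cannot use are printed as IOS comments rather than dropped. Review the emitted routes before pasting them into a device.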

For a more precise, targeted attack against hard targets, the infantry will call in tanks or Cobra attack helicopters. These are great, fast, and super effective. In a similar way, a router can apply smaller, more targeted forwarding rules called Policy Based Routing (PBR). PBR matches traffic entering an interface and forces it along a chosen path based on a wide range of layer 3 and layer 4 headers, for example steering traffic from a suspect subnet through an inspection device.

The Defense in Depth Plan

As with any Marine operation, the commander gets a set of orders and then formulates a plan. So the IT professional gets a set of business requirements and formulates a strategy for supporting those requirements. When the commander first begins planning, he or she goes to an overlay map and evaluates the current state of the battlefield. So should the IT professional map out the network, even if the map is a high-level functional map. Identify critical systems or potential targets, then do a threat assessment: who is going to attack the system, why would they want to attack it, and what methods will they use? Then formulate a plan to defend against those attacks.

For defense in depth to work, the IT professional must actually do defense in depth. Look at each layer of access in the network. Some examples are the endpoint, switch, wireless, routers, servers, firewalls, VPN termination, and intrusion identification systems (IDS, IPS, SIEM, etc.). Once all of these layers are identified, create your plan. But don’t forget the overwhelming power of network devices; as the old saying goes about the human brain, IT professionals use only 10% of the features found in networking devices.

Configuration Examples

I also have a blog (www.melcara.com), where I post configuration builders. These are spreadsheet tools used to complete a hardened configuration and create a template that can easily be followed by users with differing skill sets. So feel free to check out the config builders.

Thursday, July 1, 2010

SMB Security - The Forgotten Target

I've performed security assessments for organizations that have thousands of employees and for organizations that could fit every member of the company on a city bus. Some of these assessments were done for very "high-tech" organizations while others barely used computers. Logic would dictate that large, high-tech, enterprise-class organizations make the biggest targets, and that is probably true, but it is not the entire picture. Big organizations make big targets, but they can also bring to bear big resources. Even having a single person with the correct skill set focused on security can make a huge difference in the effectiveness of an organization's security program. Small or mid-sized businesses (SMBs), on the other hand, are often under-staffed with respect to IT in general and have no security expertise whatsoever. This creates a big problem because, while they may know how to deploy a firewall, they don't fully understand the threats and thus have minimal or even non-existent security programs.

Now, you could say that small organizations aren't really big targets because they don't have anything the bad guys would want. After all, they are small and/or not particularly technical. Well, that's not always the case.

I recently did work for a couple of collections companies. Both were small (fewer than 50 employees), but each maintained a database with millions of records containing personal information (can you say identity theft?) and even credit card and bank account information. Another customer with fewer than 50 employees stored significant amounts of sensitive information about pharmaceuticals. Still another sub-50-person company manages over $3 billion in assets. If you were a bad-guy hacker, would these targets be interesting to you?

I can wonder and suppose all day long, but this is all theory, right? WRONG! A recent article on the Dark Reading site (http://www.darkreading.com/smb-security/security/management/showArticle.jhtml?articleID=225701975&cid=RSSfeed) told the story of a demolition firm in California that suffered a computer breach in which hackers transferred almost half a million dollars from the firm's accounts to various accounts worldwide. This happened because an employee clicked on a link in an email that directed them to a malicious web site. The site leveraged a vulnerability in Internet Explorer to load a Trojan horse onto the employee's system. From there the attackers collected information about the company and its finances, which allowed them to conduct 27 transactions totaling $447,000.

This example made the news for the simple fact that it involved actual theft. The only reason the crime was detected was that funds were transferred. If the attackers had been after credit card numbers, personal information, or even a place to store contraband such as child pornography, they might never have been discovered. This should make us wonder: how many SMBs have already been hacked and just don't know about it? Of equal importance, what can small to medium-sized businesses do to promote security if they have limited staff, limited resources and limited expertise? Oddly enough, I think for most businesses the answer is simple. By following a few basic steps, organizations of virtually any size can create an environment that is resistant to attack.

  • Step 1: Patch your technology. This means patching not only Microsoft operating systems but also non-Microsoft operating systems, Microsoft applications, non-Microsoft applications (e.g. Adobe products) and network devices.
  • Step 2: Baseline your environment. Understanding what your environment looks like when it is running normally is critical if you are going to identify abnormal or malicious activity.
  • Step 3: Run anti-virus software and keep it updated. AV is not a silver bullet, but it can help. Running AV won't stop all threats, but stopping 60% of the malware is better than falling victim to all of it.
  • Step 4: Regularly test your environment using a network vulnerability scanner such as Nessus. This allows you to identify problems before the bad guys can. Vulnerability scans should be run at least weekly and should be credentialed if possible. Any vulnerabilities that are discovered should be addressed in a timely manner.
  • Step 5: Use mail and web filtering technologies. As shown in the story about the demolition firm, hackers today target end users via their mail clients and web browsers. Leveraging a product or service that scans incoming and outgoing email and web traffic for harmful content reduces the size of these attack vectors and should be considered a mandatory part of any security program.
These steps won't make an organization 100% secure, and they shouldn't be considered a total security solution. They should be considered a good start. They will make any environment more resistant to attack and will allow organizations to identify problems more easily. The best part: taking these steps can generally be done with a very limited IT staff, minimal security expertise, and in a way where the costs can scale to fit virtually any environment.
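As an added example for Step 2, not from the original post, this Python script compares the listening services seen in a current scan with a saved baseline and reports what is new and what has vanished. Both scans are constructed in the shape of nmap's grepable output (-oG) for illustration; they are not real results, and the hosts and services in them are made up.

```python
"""Compare a current scan against a saved baseline of listening services
(Step 2 above) so that new or changed listeners stand out. Added
example; both scans are constructed in the shape of nmap's grepable
output (-oG) and are not real scan results."""

# Constructed baseline: what the network looked like when it was known good.
BASELINE_SCAN = """\
# Nmap grepable output (constructed)
Host: 192.0.2.10 (fileserver)\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 192.0.2.20 (webserver)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)
"""

# Constructed current scan: the web server has grown a listener on
# 4444/tcp, the file server has dropped RDP, and a new host has appeared.
CURRENT_SCAN = """\
Host: 192.0.2.10 (fileserver)\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
Host: 192.0.2.20 (webserver)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 4444/open/tcp//krb524///\tIgnored State: closed (997)
Host: 192.0.2.77 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
"""


def parse_grepable(text):
    """Return a set of (host, port, protocol, service) tuples for every
    open port in the scan. Each 'Ports:' entry is port/state/protocol/
    owner/service/rpcinfo/version/, so we take fields 0, 1, 2 and 4."""
    listeners = set()
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        for entry in fields.get("Ports", "").split(","):
            parts = entry.strip().split("/")
            if len(parts) < 5 or parts[1] != "open":
                continue
            listeners.add((host, int(parts[0]), parts[2], parts[4]))
    return listeners


def diff_baseline(baseline_text, current_text):
    """Return (new_listeners, vanished_listeners) as sorted lists.
    New listeners are what an analyst looks at first: an unexpected
    open port is the cheapest indicator of a compromised host."""
    before = parse_grepable(baseline_text)
    after = parse_grepable(current_text)
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    new, gone = diff_baseline(BASELINE_SCAN, CURRENT_SCAN)
    for host, port, proto, service in new:
        print(f"NEW      {host}:{port}/{proto} ({service})")
    for host, port, proto, service in gone:
        print(f"VANISHED {host}:{port}/{proto} ({service})")
```

Run the scan on the same schedule as the Step 4 vulnerability scan and promote its output to the new baseline only once every difference has been explained; an unexplained new listener, like the 4444/tcp on the web server in the sample, is the kind of finding the demolition firm never got to see.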

Remember, from a hacker's perspective size does not matter. Smaller organizations represent juicy targets because the rewards can be great and the risk of discovery is small. Change the game and take steps to make your environment more secure. Take control.