Over the past many years the security industry has coined the phrase “Defense In Depth”. While many Pundants have stated that defense in depth is dead, what I believe the point the Pundants are really trying to get across is administrators are not practicing defense in depth. A spoken or written language, when people no longer use it, is in-fact a dead language. However, with defense in depth, there are still some security professionals that believe defense in depth has not seen it’s true implementation. This is mainly because IT professionals in general are not identifying the roles each network device will play in a defense in depth program.
Because of the this, NWN STAR will help provide a foundation to which IT professionals can better understand some of the roles network devices can play in a defense in depth program. As part of the foundation NWN STAR will identify some of the possible roles an IT professional may encounter or identify in their own network. Then each month NWN STAR will publish an article about the various roles, helping to extend the knowledge and practical deployment of an effective defense in depth program.
The Roles of Network Devices
Due to the nature of network devices requiring an always up status and complexity sometimes surrounding networking equipment, IT professionals usually take a “If it is not broke, don’t fix it” approach. Meaning network devices forgo software upgrades and configuration hardening. However, if the IT professional were able to identify the various roles each device in the network portrayed, then possibly a better plan or approach could be taken to patching and hardening of network systems.
As I see it, there are 2 fundamental types of network equipment, a layer 3 packet switch (a.k.a. a ROUTER), and a layer 2 packet switch (a.k.a switch). Now I know most of you are saying, what about firewalls, IDS/IPS, wireless controllers and so on. If you were to step back, what is a firewall, but a very smart router. What is a wireless controller, but a 802.11a/b/g/n switch. Even an IPS/IDS, depending on the deployment, can be a layer 2 bridging device, i.e a switch, or a layer 3 forwarding device, i.e. a router. So with diving into to all the possibilities up front, if we focus on the core functions of a router and switch, we can identify the roles portrayed by networking devices.
As I was in the Marines for many years in the 1990’s, the analogies I will make will be similar to Marine Infantry. The switch is the initial point of access, so it could be referred to as the front line in our defense perimeter, a.k.a. a Marine Rifle Company. Some of the roles on the front line are the infantry, medics, fire and support, and finally the artillery.
The Switch
In the role of the infantry, the switch will engage with the endpoint and make the first decision on if the node allowed. The switch will monitor the switch traffic and decide if the correct system is connected and if so is the traffic from that system the correct kind.
Then as the medic, the switch must be able to detect injuries to the network and respond accordingly. The medic must also be able to anticipate where problems are going to arise and attempt to divert the injury. An example of this is Navy Corpsman would always make sure the Marines drank lots of water and wore sunscreen. These are two fairly low-tech tasks, yet if Marines don’t have water or are sun burned very badly, they can’t fight. The medic functions of the switch would be similar to a BPDU filter or broadcast storm monitor, and both functions are low-tech and easily configured, they can reduce the threat of tools which can flood the cam table in switch turning it into a HUB.
The fire and support aspect will be the Weapons platoon in a rifle company. The Weapons platoon has heavy machine guns, like the M-60 (Yes I was in when Marines still carried M-60’s) and the 40mm mortars. These systems would be able to attack a larger number of enemy combatants, but remain extremely portable. The switches must be able to act in the same manner, using 802.1x or port-security, a switch can be extremely effective against blocking unauthorized users from gaining access to the network. Additionally using STP port security or private VLAN’s the switch can also provide a greater level of segmentation.
The Router
If the switch is the Marine rifle company, the router and firewalls could be seen as the Marine Expeditionary Unit (MEU). The MEU has an Infantry Battalion, Armored Assault Company, Tank Company, Artillery Company, and an Air Support Wing. All the big fire support needed to support a highly mobile and deadly Infantry Marine. That said, what is the role the router is going to play again, you ask? The answer is quite simple, A BIG role.
A function of the Air Wing and Armored Assault is transportation, hopefully a secure mode of transportation. The role of the router is to secure the transport from one end point to another end point. In doing this, the router can deploy different forms of IPSec, routing table segmentation, and varying levels of packet inspection and filtering.
By packet inspection, a router can now do a deep inspection of packet headers, using Network Based Application Recognition (NBAR), Zone Based Firewall (ZBF), and Quality of Service (QoS). These services can detect flaws in a packet and allow or deny the packet as needed. While the IT professional will not configure all of these features, they might combine the varying features at different levels. For example, when configuring ZBF, the class-maps used to identify traffic could identify traffic using DSCP, IP Pref, or CoS, just to name a few. While the TOS bits, used in the DSCP and IP Pref, can be set using NBAR. Then once the traffic is identified, the traffic can be permitted, denied, and modified in some way to reduce the overall threat. These features can be used to reduce the impact of a DDoS attack, deny packets over a certain size, or throttle traffic down to a limiting factor.
Similar to artillery, the Router can use NULL routes to totally block certain threats based on black lists. A great set of firewall rules and snort rules can be found at http://www.emergingthreats.net. The firewall rules can be changed into NULL route statements, and then advertised via an Interior Gateway Protocol (IGP), to a central router, and then forwarded to a NULL interface, a.k.a. the BIT BUCKET. This is just one way the router can act like artillery and block large blanketing attacks across a wide area.
For a more precise targeted attack against hard targets, the infantry will call in Tanks or Cobra Attack Helicopters. These are great, fast, and super effective. In a similar way, a router can make smaller, more targeted routing rules called Policy Based Routing (PBR). PBR can target traffic entering an interface and forcing traffic to move in a special direction based on a wide number of layer 3 and layer 4 headers.
The Defense in Depth Plan
As with any Marine operation, the Commander gets a set of orders, then formats a plan. So the IT Professional will get a set of business requirements and will format a strategy for supporting these requirements. When the commander first begins his planning, he/she goes to an overlay map and evaluates the current state of the battlefield. So should the IT professional map out the network, even if the map is a high level functional map. Identify critical systems or potential targets, then do a threat assessment. Who is going to attack the system, why would they want to attack the system, and what methods will they use. Then format a plan to defend against those attacks.
For defense in depth to work, the IT Professional must do defense in depth. Look at each layer of access in the network. Some examples are the end-point, switch, wireless, routers, servers, firewalls, VPN termination, and intrusion identification systems (IDS, IPS, SEIM, etc). Once all of these layers can be identified, create your plan. But don’t forget about overwhelming power of network devices, much like the human brain, IT Professionals only use 10% of the features found in networking devices.
Configuration Examples
I also have a blog (www.melcara.com), where I post configuration builders. These are spreadsheet tools used to complete a hardened configuration and create a template easily followed by users with differing skill sets. So feel free to check out the config builders.