Chapter 1 Perimeter Security Fundamentals Layered Security Advantage - FLEXIBILITY - allows us to select components based on technical, budgetary, and political constraints - combine them in a way that doesn’t compromise the overall security or usability of the network Terminology Perimeter – fortified boundary of our network that might include (Routers, Firewalls, IDSs, VPN Devices, Software, DMZs and screened subnets) Border Router – the last router you control before the Internet – Because all of an organizations’s Internet traffic goes through this router – first and last line of defense through initial and final filtering Router – traffic cops of networks Firewall – device that has a set of rules specifying what traffic it will allow or deny – picks up where the border router leaves off and makes a much more thorough pass at filtering traffic o Different Types – Static Packet Filters, stateful firewalls, and proxy firewalls IDS – like a burglar alarm system for your network that is used to detect and alert on malicious events – System might comprise many different IDS sensors placed at strategic points in your network o Different Types – 1) network-based (NIDS) – devices that monitor network traffic for suspicious activity – reside on subnets that are directly connected to the firewall, as well as at critical points on the internal network 2) host-based (HIDS) – reside on and monitor an individual host o Sensors watch for predefined signatures of bad events, and might perform statistical and anomaly analysis o When sensors detect bad events, they can alert in several different ways including email, paging, or logging the occurrence o Can report to a central database that correlates their information to view the network from multiple points VPN – protected network session formed across unprotected channels, such as the Internet – allows an outside user to participate on the internal network as if connected directly to it Software Architecture – an application that are hosted on the organizations network, and defines how they are structured DMZs and Screened Subnets – (De-Militarized Zone) screened subnet in reference to a small network containing public services that are connected directly to and offered protection by the firewall or other filtering device – insecure area between secure areas – located outside the firewall - Screened Subnets – isolated network that is connected to a dedicated interface of a firewall or another filtering device – frequently used to segregate servers that need to be accessible from the Internet from systems that are used solely by the organization’s internal users Internet Border Router DMZ Firewall Screened Subnet Internal Network Laptop Defense in Depth Defense in depth helps you protect network resources even if one of the security layers is compromised Real World 1. Systems are misconfigurations 2. Software bugs 3. disgruntled employees 4. overloaded system administrators 5. applications may require us to open certain firewall ports 6. applications may require us to leave additional services running on the server 7. applications may prevent us from applying the latest security patch because it breaks a businesscritical application Defense in Depth: Components The Perimeter o Static Packet Filter 1. Inspect basic information within every packet 2. Can be either routers or firewalls 3. First incoming and the last outgoing layer of your network security – filtering traffic before it enters or exits your network 4. Ingress/Egress filtering 5. Border routers can also block traffic that is considered high risk 6. Faster at screening traffic than stateful or proxy firewalls Example – DDoS by spoofed smurf attacks – involves sending an ICMP Echo Request to the broadcast address, resulting in a response from every host – An Ingress/Egress Filter would have blocked the spoofed traffic o Stateful Firewall 1. Keep track of connections in a state table and are the most common type of firewall 2. Most common type of Firewall 3. Blocks traffic that is not in its table of established connections – rulebase determines the source and destination IP and port numbers that are permitted to establish connections 4. Consider any reconnaissance you detect to be a strong indication of a pending attack 5. Able to recognize and block traffic that is part of an unestablished, non-permitted connection o Proxy Firewalls 1. most advanced and least common type of firewall 2. Are also stateful, in that they block any non-established, non-permitted connection 3. Proxy firewalls offer a high level of security because internal and external hosts never communicate directly 4. Proxy firewalls examine the entire packet to ensure compliance with the protocol that is indicated by the destination port number – diminishing the possibility of malicious traffic entering or existing your network Example – Web Request a. An internal client sends the proxy a request for a URL b. The proxy requests the URL from the external site c. The external site responds to the proxy d. The proxy sends t response to the internal client o IDS 1. Represents the eyes and ears of a network by monitoring the network and host from critical points for malicious activity 2. sensor placement includes each network segment directly connected to the firewall, as well as critical points within the network 3. IDS could alert on a. DNS Zone Transfer requests from unauthorized hosts b. Unicode attacks directed at a web server c. Buffer overflow attacks d. Worm propagation o VPN 1. Protect communications over unprotected networks 2. Protect by offering confidentiality, integrity, and non-repudiation 3. Appropriate for a wide range of applications, and are often useful when dedicated private lines are too expensive or impractical for connection network nodes 4. VPNs are wonderful tools or wonderful weapons 5. Offer significant cost savings over the previous alternative of frame relay 6. Protect all traffic from one network to another, between two hosts, or from a single host to a network 7. Evaluating an Architecture a. Determine what resources need to be protected b. Determine the risk c. Determine business requirements The Internal Network o Network that is protected by the perimeter that contains all the servers, workstations, and infrastructure with which a company conducts business o Organizations often neglect the security of the internal network because they don’t consider an internal attack a risk – doesn’t have to be malicious but could be careless employee o Possible “perimeter” devices 1. ingress and egress filtering on every router 2. Internal firewalls to segregate resources 3. Proxies to enhance performance and security 4. IDS sensors and monitor the internal network o Possible Internal devices 1. Personal firewalls 2. Anti-virus Software 3. Operating System hardening 4. Configuration management 5. Audits o Personal Firewalls 1. Generally implemented as software modules that run individual machines, screening network traffic as in enters and leaves the sytem 2. Configurable on a per-application basis 3. Are Cost Effective 4. Useful for mobile users who connect to a network outside of work 5. Anti-virus software and network IDSs are similar in that they frequently operate by examining data for signatures of known malicious intent. o Host hardening 1. process of tightening the configuration of the host’s OS and applications with the purpose of securing any unnecessary openings on the system 2. Applying any OS and application patch, setting file system permissions, disabling unnecessary services, and enforcing password restrictions 3. Last layer protecting an individual system o Configuration management 1. process of establishing and maintaining a know configuration for system and devices that are on the network 2. Can enforce the following a. That all Windows machines have Service Pack x installed b. That all Linux machines have kernel x.x.x running c. That all users with remote-access accounts have a personal firewall d. That every machine has anti-virus signatures updated daily e. That all users accept the acceptable use policy when they log on o Audit 1. Process of resolving perception to reality and improving upon that 2. typically progresses like a. An informational meeting is held to plan the audit – find out what the client wants and expects and establish risks, costs, cooperation, deliverables, timeframes, and authorization b. Fieldwork begins c. The initial audit report takes place d. The final audit report takes plance e. Follow-up occurs The Human Factor o Frequently, we get caught up in the technical aspect of network security without considering the non-technical aspect – Policies and awareness that goes along with the technical solution o Policies 1. Authority (Who is responsible) 2. Scope (Who it affects) 3. Expiration (When it affects) 4. Specificity (what is required) 5. Clarity (can everyone understand it) o Awareness 1. Have every user sign and acceptable use policy annually 2. Set up a security web page with policies, best-practices, and news 3. Send a “Security Tip of the Week” to every user