Network Defense in Depth
In this module, we are looking at all the mechanisms that decrease the likelihood of a successful intrusion.
The perimeter of a local network consists of all the fortifications that make it hard to gain unauthorized access to the network or to exploit such access. It typically consists of a number of components:
Border Router A border router is the first (or last) component under the system administrator's control through which an entering (or leaving) packet passes. Because of this position, a border router is the first and last line of defense.
DMZ The Demilitarized Zone is an area of the network in which protection is deliberately weaker. In this glacis, we position those devices such as webservers that we do not want to be protected by a firewall, e.g. because of the traffic they generate, or that need to be in a less protected position. The hosts in the DMZ need to be hardened, such as by turning off unnecessary services.
Firewall A firewall is a device that filters traffic according to certain rules. Firewalls can be relatively simple, inspecting only the data within a single packet; more complex, maintaining the state of a connection; or proxies, that is, acting as the client toward the outside but as the server toward the inside. A hardened proxy is the most secure, but also the worst-performing, of these possibilities. In a more complex network, traffic might pass through more than a single firewall.
IDS Intrusion detection systems can be network-based (NIDS) or host-based (HIDS). NIDS try to glean signatures of an intrusion from the traffic in the network, whereas HIDS are located on the host they monitor. Intrusion detection is difficult, since legitimate activity can match an attack signature, while hostile activity need not have a known signature.
VPN Virtual private networks form protected sessions over an unprotected channel.
Screened Subnets A screened subnet is isolated from the rest of the network. A typical use for a screened subnet is the placement of servers that need to be accessible from the internet.
Configuration Management Known vulnerabilities account for the vast majority of successful intrusions. For most of them, patches were available but were not installed. Configuration management tries to enforce the installation of patches and, equally important, the screening of services that are running but might not be needed.
Backdoors Backdoors are ways of entering a system that evade perimeter defenses. Typical backdoors are the use of dial-up modems on machines within the system to access personal email, the use of remote control software such as PCanywhere that is installed because a user wants to work at home, too, or even the laptop brought from home and plugged into the corporate system. Lately, wireless networking has opened new backdoors.
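The distinction drawn in the Firewall entry between a simple packet filter and one that maintains connection state is easiest to see on a concrete packet. The following is an added example for these notes, not code from the original page: a toy filter in Python whose address ranges, rule table and packets are all constructed. The stateless rule has to admit every inbound packet to a high port so that replies to outbound connections get through; the stateful filter remembers which connections inside hosts opened and admits only their replies.

```python
"""Toy packet filter contrasting stateless and stateful filtering.

Added example for these notes, not code from the original page. The address
ranges, the rule table and every packet below are constructed for the demo.
"""
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."     # assumed internal network
WEB_SERVER = "10.0.0.80"        # assumed published web server that must stay reachable


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "SYN" for a new connection, "SYN-ACK" / "ACK" for the rest


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_allow(p: Packet) -> bool:
    """Judge each packet on its own header fields only.

    Replies to outbound connections arrive on high client ports. A filter with
    no memory cannot tell such a reply from an unsolicited packet to the same
    port range, so it has to admit the whole range.
    """
    if is_internal(p.src):
        return True                        # anything leaving is allowed
    if p.dst == WEB_SERVER and p.dport == 80:
        return True                        # published service
    return p.dport >= 1024                 # "replies" rule; also admits probes


class StatefulFilter:
    """Remember connections that inside hosts opened and admit only their
    replies; unsolicited inbound packets to high ports are dropped."""

    def __init__(self) -> None:
        self.sessions: set[tuple[str, int, str, int]] = set()

    def allow(self, p: Packet) -> bool:
        if is_internal(p.src):
            if p.flags == "SYN":           # inside host opens a connection
                self.sessions.add((p.src, p.sport, p.dst, p.dport))
            return True
        if p.dst == WEB_SERVER and p.dport == 80:
            return True
        # Inbound packet: allowed only if it answers a tracked session.
        return (p.dst, p.dport, p.src, p.sport) in self.sessions


def run_scenario() -> dict[str, bool]:
    """Play one outbound connection, its reply and one unsolicited inbound
    packet through both filters; return each filter's verdict."""
    stateful = StatefulFilter()
    outbound = Packet("10.0.0.23", 40000, "203.0.113.5", 80, "SYN")
    reply = Packet("203.0.113.5", 80, "10.0.0.23", 40000, "SYN-ACK")
    probe = Packet("198.51.100.9", 55555, "10.0.0.23", 40001, "SYN")  # unsolicited

    for decide in (stateless_allow, stateful.allow):
        decide(outbound)                   # both let the outbound SYN through
    return {
        "reply_stateless": stateless_allow(reply),
        "reply_stateful": stateful.allow(reply),
        "probe_stateless": stateless_allow(probe),
        "probe_stateful": stateful.allow(probe),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: {'allow' if verdict else 'drop'}")
```

Both filters pass the legitimate reply, but only the stateful one drops the unsolicited packet to port 40001; the stateless rule cannot distinguish the two because, packet by packet, they look alike.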
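The IDS entry states the two ways a signature-based detector goes wrong: a legitimate request can match an attack signature, and hostile activity need not match any signature at all. The following added example (not from the original notes) runs a minimal NIDS-style signature matcher over three constructed HTTP request lines and scores it against the ground truth we know only because we built the sample: one true positive, one false positive, one miss.

```python
"""Minimal signature-based intrusion detection over request lines.

Added example for these notes, not code from the original page. The two
signatures, the sample requests and their hostile/benign labels are constructed.
"""
import re
from typing import NamedTuple


class Request(NamedTuple):
    src: str
    line: str
    hostile: bool   # ground truth, known only because the sample is constructed


# Textbook signatures (constructed): a directory-climbing pattern and a
# reference to the UNIX password file.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "passwd-file": re.compile(r"/etc/passwd"),
}

SAMPLE = [
    # hostile and covered by both signatures
    Request("198.51.100.7", "GET /cgi-bin/../../etc/passwd HTTP/1.0", True),
    # legitimate request for a documentation page that happens to match
    Request("10.0.0.12", "GET /docs/unix/etc/passwd-format.html HTTP/1.0", False),
    # hostile probe for an unprotected file; no signature describes it
    Request("198.51.100.9", "GET /private/backup.tar HTTP/1.0", True),
]


def scan(requests: list[Request]) -> list[tuple[str, str]]:
    """Return (source, signature name) for every signature hit."""
    alerts = []
    for r in requests:
        for name, pattern in SIGNATURES.items():
            if pattern.search(r.line):
                alerts.append((r.src, name))
    return alerts


def evaluate(requests: list[Request], alerts: list[tuple[str, str]]) -> dict[str, int]:
    """Score the alerts against the constructed ground truth, per source."""
    flagged = {src for src, _ in alerts}
    return {
        "true_positives": sum(1 for r in requests if r.hostile and r.src in flagged),
        "false_positives": sum(1 for r in requests if not r.hostile and r.src in flagged),
        "false_negatives": sum(1 for r in requests if r.hostile and r.src not in flagged),
    }


if __name__ == "__main__":
    found = scan(SAMPLE)
    for src, name in found:
        print(f"ALERT {src}: {name}")
    print(evaluate(SAMPLE, found))
```

The documentation request trips the `passwd-file` signature purely on its URL text, and the probe for `backup.tar` sails through because nothing in the signature set describes it. Tightening signatures reduces the first kind of error and widens the second, which is the tension the entry describes.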
Defense in depth consists of applying security measures to all components of the system. Of course, a good perimeter defense consisting of firewalls and bastion hosts will filter internet traffic. At strategic positions within the internal net, intrusion detection monitors watch the traffic. Each system inside is also well maintained, i.e. is patched. Logs are running, and important logs are kept on write-once media. Security audits are frequent, and, maybe most important of all, users and management have developed and embraced security consciousness.
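The Configuration Management entry above and the requirement here that each inside system be patched both come down to the same routine check: is every host at the approved patch level, and is it running only the services it needs? The following is an added example for these notes, not code from the original page. It audits a constructed inventory against an approved-version table and a per-host service allowlist; host names, package names, version numbers and the allowlists are all constructed.

```python
"""Configuration audit: flag unpatched software and services that run but are
not needed on a host.

Added example for these notes, not code from the original page. Host names,
package names, version numbers and the allowlists below are constructed.
"""


def parse_version(v: str) -> tuple[int, ...]:
    """Turn "2.4.0" into (2, 4, 0) so versions compare numerically, not as text."""
    return tuple(int(part) for part in v.split("."))


# Minimum approved (patched) versions, constructed for the demo.
REQUIRED_VERSIONS = {"mta": "2.5.1", "remote-login": "3.7.1"}

# Services each host is allowed to run, constructed for the demo.
NEEDED_SERVICES = {
    "web01": {"httpd", "remote-login"},
    "clark": {"remote-login"},
}

# Snapshot taken from each host, constructed for the demo.
INVENTORY = {
    "web01": {
        "packages": {"mta": "2.5.1", "remote-login": "3.7.1"},
        "services": {"httpd", "remote-login"},
    },
    "clark": {   # the forgotten demo box: behind on patches, running extras
        "packages": {"mta": "2.4.0", "remote-login": "3.4.0"},
        "services": {"mta", "remote-login", "finger"},
    },
}


def audit_host(host: str, snapshot: dict, required: dict, needed: dict) -> list[str]:
    """Return one finding per unpatched package and per unneeded running service."""
    findings = []
    for pkg, minimum in required.items():
        installed = snapshot["packages"].get(pkg)
        if installed is None:
            findings.append(f"{pkg}: not installed (patch level cannot be confirmed)")
        elif parse_version(installed) < parse_version(minimum):
            findings.append(f"{pkg}: {installed} is below required {minimum}")
    for svc in sorted(snapshot["services"] - needed.get(host, set())):
        findings.append(f"service running but not needed: {svc}")
    return findings


def audit(inventory: dict, required: dict, needed: dict) -> dict[str, list[str]]:
    """Audit every host in the inventory; hosts with an empty list are compliant."""
    return {host: audit_host(host, snap, required, needed)
            for host, snap in inventory.items()}


if __name__ == "__main__":
    for host, findings in audit(INVENTORY, REQUIRED_VERSIONS, NEEDED_SERVICES).items():
        print(f"{host}: {'compliant' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Comparing parsed tuples rather than strings matters: as text, "2.10.0" sorts below "2.4.0". A host with no entry in the allowlist is treated as needing no services at all, so an unregistered machine shows every running service as a finding, which is the conservative default for exactly the kind of forgotten host the break-in story below describes.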
Cheswick et al. (Firewalls etc.) relate the story of a break-in to Clark, a non-production system within AT&T research. Clark was one of two stations used for high-speed networking demos, but usually collected dust unless used by a summer intern. This does not mean that Clark was an obvious security risk, but Clark was reachable from the outside and Clark was no longer maintained. A break-in was discovered in 1994 when a casual login revealed a new banner, consisting of a diatribe against corporate America and the freedom of cyberspace. Crude forensics discovered that the attacker wanted to embarrass AT&T and Cheswick in particular by using Clark to stage other attacks. The same forensics revealed that the attacker had gained root access, and that Cheswick and AT&T were saved by some redundant security mechanisms that the attacker failed to observe: (1) the notorious UNIX sendmail utility was disabled (instead of being ignored), and (2) Clark was not connected directly to the AT&T main network, so that Clark could not have been used for sniffing. That Clark was taken shows that even an initially tightly administered system can become a problem; it shows that the bad guys only need to win once, but also that they might not be able to jump all the hurdles.
©2003 Thomas Schwarz, S.J., COEN, SCU. COEN 350.