COEN 350
Network Defense in Depth

In this module, we are looking at all the mechanisms that decrease the likelihood of a successful intrusion.

Terms of the Trade

The perimeter of a local network consists of all the fortifications that make it hard to gain unauthorized access into the network or to exploit such access. It typically consists of a number of components:
Border Router: A border router is the first (or last) component under the system administrator's control that an entering (or leaving) packet passes through. Because of this position, a border router is the first (or last) line of defense.
DMZ: The Demilitarized Zone is an area of the network in which security is low. In this glacis, we position those devices, such as web servers, that we do not want protected by a firewall, e.g. because of the traffic they generate, or that need to be in a less protected position. The hosts in the DMZ need to be hardened, for example by turning off unnecessary services.
Firewall: A firewall is a device that filters traffic according to certain rules. Firewalls can be relatively simple, looking only at the data within a single packet; they can be more complex, maintaining the state of a connection; or they can be proxies, that is, acting as the client toward the outside but as the server toward the inside. A hardened proxy is the most secure but also the worst-performing of these possibilities. In a more complex network, traffic might pass through more than one firewall.
IDS: Intrusion detection systems can be network-based (NIDS) or host-based (HIDS). A NIDS tries to glean signatures of an intrusion from the traffic in the network, whereas a HIDS is located on the host it monitors. Intrusion detection is difficult, since legitimate activity can match an attack signature, while hostile activity need not have a known signature.
VPN: Virtual private networks form protected sessions over an unprotected channel.
Screened Subnets: A screened subnet is isolated from the rest of the network. A typical use for a screened subnet is the placement of servers that need to be accessible from the internet.
Configuration Management: Known vulnerabilities account for the vast majority of successful intrusions. For most of them, patches were available but had not been installed. Configuration management tries to enforce the installation of patches and, equally important, the screening of services that are running but might not be needed.
Backdoors: Backdoors are ways of entering a system that evade the perimeter defenses. Typical backdoors are dial-up modems used by units within the system to access personal email, remote control software such as PCAnywhere installed because a user also wants to work from home, or even a laptop brought from home and plugged into the corporate network. Lately, wireless networking has opened new backdoors.
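The difference between a simple packet filter and a firewall that maintains connection state, as described under Firewall above, can be shown on a few constructed packets. This is an added example, not code from the course notes; the network layout (an internal net 10.0.0.0/24 with a web server at 10.0.0.80), the packet representation and the rule sets are assumptions made for the demonstration. The simple filter uses the classic stateless rule "let inbound packets with the ACK flag through, since they look like replies to connections our hosts opened", and the example shows the gap that rule leaves: an inbound packet with only ACK set is accepted although no internal host ever opened that connection, whereas the stateful filter drops it because it has no matching session entry.

```python
"""Stateless vs. stateful packet filtering on constructed sample packets.

Added example, not part of the course notes. Addresses, ports and the
policy are assumptions chosen for the demonstration.
"""
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/24")      # assumed internal network
WEB_SERVER = ip_address("10.0.0.80")      # assumed public web server


def stateless_filter(pkt):
    """Decide on the header fields of one packet only (no memory).

    Policy: outbound traffic is allowed; inbound traffic is allowed to the
    web server on port 80 and for any packet carrying the ACK flag (it
    "looks like" a reply to a connection an internal host opened).
    """
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    inbound = src not in INTERNAL and dst in INTERNAL
    if not inbound:
        return "allow"                      # outbound packets pass
    if dst == WEB_SERVER and pkt["dport"] == 80:
        return "allow"                      # the public service
    if "ACK" in pkt["flags"]:
        return "allow"                      # assumed to be a reply; this is the hole
    return "drop"


class StatefulFilter:
    """Remember connections that internal hosts opened; let only the
    reverse direction of a remembered connection back in."""

    def __init__(self):
        # entries: (internal_ip, internal_port, external_ip, external_port)
        self.sessions = set()

    def decide(self, pkt):
        src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
        if src in INTERNAL and dst not in INTERNAL:
            # An outbound SYN creates the session entry; other outbound
            # packets simply pass. (Internal-to-internal traffic never
            # reaches a perimeter firewall and is not modelled here.)
            if "SYN" in pkt["flags"]:
                self.sessions.add((src, pkt["sport"], dst, pkt["dport"]))
            return "allow"
        if dst == WEB_SERVER and pkt["dport"] == 80:
            return "allow"
        if (dst, pkt["dport"], src, pkt["sport"]) in self.sessions:
            return "allow"                  # genuine reply to a known session
        return "drop"                       # no session: unsolicited, whatever the flags say


# Constructed sample traffic, in arrival order.
PACKETS = [
    {"id": "client-syn", "src": "10.0.0.5", "sport": 40000,
     "dst": "203.0.113.9", "dport": 443, "flags": {"SYN"}},
    {"id": "server-synack", "src": "203.0.113.9", "sport": 443,
     "dst": "10.0.0.5", "dport": 40000, "flags": {"SYN", "ACK"}},
    {"id": "web-request", "src": "198.51.100.7", "sport": 51000,
     "dst": "10.0.0.80", "dport": 80, "flags": {"SYN"}},
    {"id": "unsolicited-syn", "src": "198.51.100.7", "sport": 51001,
     "dst": "10.0.0.22", "dport": 22, "flags": {"SYN"}},
    {"id": "unsolicited-ack", "src": "198.51.100.7", "sport": 51002,
     "dst": "10.0.0.22", "dport": 22, "flags": {"ACK"}},
]


def run_demo(packets=PACKETS):
    """Return {packet id: (stateless decision, stateful decision)}."""
    stateful = StatefulFilter()
    return {p["id"]: (stateless_filter(p), stateful.decide(p)) for p in packets}


if __name__ == "__main__":
    for pid, (s1, s2) in run_demo().items():
        print(f"{pid:16s} stateless={s1:5s} stateful={s2}")
```

Only the last packet separates the two filters: the stateless rule set accepts it because of the ACK flag, while the stateful filter, having seen no outbound SYN from 10.0.0.22, drops it. This is why a firewall that tracks connection state is the stronger perimeter component of the two, at the cost of the memory and processing the state table needs.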

Defense in Depth

Defense in Depth is one of the current buzzwords in computer security. It is also the one paradigm that gives some hope of running secure systems. Basically, defense in depth sets up multiple security mechanisms. By contrast, an organization that relies on firewalls alone to keep out the bad guys sets up a Klondike bar: crunchy on the outside, munchy on the inside. In other words, once an attacker has passed through the perimeter defenses, the attacker has an easy go at all the systems on the inside. It is even easier if the attacker did not have to go through the perimeter at all but exploited a backdoor, such as a workstation running a poorly secured remote control tool such as PCAnywhere, or a rogue wireless access point.

Defense in depth consists of applying security measures to all components of the system. Of course, a good perimeter defense consisting of firewalls and bastion hosts will filter internet traffic. At strategic positions within the internal net, intrusion detection monitors watch the traffic. Each system inside is also well maintained, i.e. patched. Logs are running, and important logs are kept on write-once media. Security audits are frequent, and, maybe most important of all, users and management have developed and embraced security consciousness.
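The Configuration Management entry above and the paragraph just read both come down to two checks per internal host: is every installed package at or above the version that carries the required patches, and is the host listening only on the services its role needs? The following audit script is an added example, not code from the course notes or from any configuration-management product; the host inventory, the patch baseline and the per-role service policy are all constructed for the demonstration, and version strings are assumed to be dot-separated integers.

```python
"""Configuration-management audit: patch levels and unneeded services.

Added example, not part of the course notes. The baseline, the role
policy and the inventory below are constructed sample data.
"""

# Minimum package versions that carry the patches we require (constructed).
PATCH_BASELINE = {
    "openssh": (7, 4),
    "sendmail": (8, 15, 2),
    "apache": (2, 4, 41),
}

# Services each role may expose to the network; anything else is flagged.
ROLE_POLICY = {
    "webserver": {"http", "https", "ssh"},
    "workstation": {"ssh"},
}

# Constructed inventory, as a configuration-management agent might report it.
INVENTORY = [
    {"host": "www1", "role": "webserver",
     "packages": {"openssh": "7.9", "apache": "2.4.41"},
     "listening": {"http", "https", "ssh"}},
    {"host": "www2", "role": "webserver",
     "packages": {"openssh": "7.2", "apache": "2.4.6", "sendmail": "8.15.2"},
     "listening": {"http", "https", "ssh", "smtp"}},
    {"host": "pc-intern", "role": "workstation",
     "packages": {"openssh": "7.9"},
     "listening": {"ssh", "pcanywhere"}},
]


def parse_version(text):
    """'2.4.41' -> (2, 4, 41); tuples compare component-wise, so
    (2, 4, 6) < (2, 4, 41) even though '2.4.6' > '2.4.41' as strings."""
    return tuple(int(part) for part in text.split("."))


def audit_host(host):
    """Return a list of findings for one host; an empty list means compliant."""
    findings = []
    for pkg, installed in host["packages"].items():
        required = PATCH_BASELINE.get(pkg)
        if required is not None and parse_version(installed) < required:
            wanted = ".".join(map(str, required))
            findings.append(f"unpatched {pkg} {installed} < {wanted}")
    allowed = ROLE_POLICY[host["role"]]
    # A listening service outside the role's allowlist is either a forgotten
    # default (sendmail on a web server) or a backdoor (PCAnywhere on a PC).
    for service in sorted(host["listening"] - allowed):
        findings.append(f"unneeded service {service} listening")
    return findings


def audit(inventory=INVENTORY):
    """Audit every host; returns {hostname: [findings]}."""
    return {host["host"]: audit_host(host) for host in inventory}


if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   ", f)
```

Run as a script, the audit reports www1 as compliant, flags www2 for two outdated packages and an SMTP listener it does not need, and flags the intern's workstation for the remote-control service. The version comparison deliberately works on integer tuples; comparing version strings lexically is a common bug that would rate "2.4.6" as newer than "2.4.41" and hide exactly the unpatched host the check is meant to find.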

Cheswick et al. (Firewalls etc.) relate the story of a break-in to Clark, a non-production system within AT&T Research. Clark was one of two stations used for high-speed networking demos, but usually collected dust unless used by a summer intern. This does not mean that Clark was an obvious security risk, but Clark was reachable from the outside and was no longer maintained. A break-in was discovered in 1994 when a casual login revealed a new banner, consisting of a diatribe against corporate America and the freedom of cyberspace. Crude forensics discovered that the attacker wanted to embarrass AT&T, and Cheswick in particular, by using Clark to stage other attacks. The same forensics revealed that the attacker had gained root access, and that Cheswick and AT&T were saved by some redundant security mechanisms that the attacker failed to notice: (1) the notorious UNIX sendmail utility was disabled (instead of being ignored), and (2) Clark was not connected directly to the AT&T main network, so that Clark could not have been used for sniffing. That Clark was taken shows that even an initially tightly administered system can become a problem; it shows that the bad guys only need to win once, but also that they might not be able to jump all the hurdles.

2003 Thomas Schwarz, S.J., COEN, SCU