Network Security

External Network Scanning

One of the core mechanisms for protecting networks is to install a firewall to mediate traffic between systems on the internal network, publicly accessible systems is a DMZ (from the military term demilitarised zone) and the internet.

Although an effective firewall is an important part of any network, is does not provide a complete solution:

Firewall topology

  • Most default operating system implementations leave many services unnecessarily exposed.
  • Trojans such as BackOrifice and various denial-of-service tools operate on high ports usually allowed through firewalls.
  • External services accessible through ‘allowed’ ports can violate site acceptable use policies (eg. browsing inappropriate sites)
  • A poorly configured or weak firewall can provide a false sense of security.
  • The firewall itself can be vulnerable to attack.

There are several steps which can verify and enhance the security of a network exposed to the internet. As well as identifying potential problems, these analyses assist in documenting the level of threat to which a network is exposed.

Network Mapping

Network mapping is the first step in any attack and helps identify likely targets and modes of attack. Not all network mapping probes are hostile but all attackers rely on some network mapping information.

Where possible, your network should deny all such information gathering attempts. Where some part of the internal (or DMZ) network must visible, the amount of information exposed should be minimized.

A high-level network map can identify some service configurations which reveal too much information and determines the scope of further analysis.

Port scanning / Traffic analysis

There are 64K IP ports on which services may be listening. Common services use the well-known IANA port numbers from 0 to 1023, although over 4500 registered services using over 1200 higher port numbers. Traffic for IP ports which are not required by legitimate services should be blocked by a firewall.

Firewall ingress rules (controlling traffic originating from the internet) can be validated by attempting connections to a range of port numbers from an external device. This scan identifies those services that are advertising their presence to the outside world.

Firewall egress rules (controlling traffic originating from the internal network) can be partially validated by analysis of firewall traffic logs (depending on the features of the firewall). These logs record the actual connections made from computers on the internal network to internet hosts as well as connections originating from the internet.

Analysis of firewall logs can reactively identify attempted breaches of the firewall rules from either the internal network or from the internet. Live intrusion detection is a complex subject generally requiring a substantial investment in systems and support infrastructure.

Service vulnerability checks / Threat detection

Controlling the types of traffic allowed between your internal networks and the internet reduces the scope of attacks possible against your systems. The remaining ‘allowed’ services still offer avenues of attack.

Most internet based attacks use widely known vulnerabilities is operating system or application software:

  • The internet ‘worm’ which infected hundreds of internet host in 1988 exploited the email transfer system.
  • Web pages are frequently attacked through bugs or configuration problems with the web server software.

In many cases, these faults can be readily identified by a series of standard requests from a computer connected to the internet. Once identified, many of these vulnerabilities can be addressed by relatively minor reconfigurations.

Analysis of web server logs can reactively identify attempted exploitation of these problems from either the internal network or from the internet.

Security Infrastructure Planning

A structured, organised approach to systems security is necessary to ensure that:

  • Security policies are aligned with the business requirements and supported by management;
  • All components of the systems environment are included – although the level of control will likely vary with the level of sensitivity and exposure in each area;
  • Response procedures are in place for system problems. This can vary from ‘normal’ hardware or software failures to concerted hostile internet attacks;
  • There is a basis for communicating security issues to users and, if required, to customers and suppliers.

In the real world, security is a compromise between the risks of exposure and the need to operate in a flexible and functional way. Network scanning processes can provide evidence of the potential for attack – log analysis can show traces of past attack attempts (although some successful attackers can conceal this evidence). Some specific areas of systems security planning are:

Server implementation processes

Before any system is made available in a live environment - either on an internal network or exposed to the internet – the configuration should be checked for appropriate operational and security robustness.

These checks include basic processes such as:

  • Ensuring that the backup procedures will correctly include the new device;
  • Checking the operating system and application software revisions for known weaknesses;
  • Checking the user authentication mechanisms.

More sophisticated checks are appropriate for systems with higher exposures, such as those directly connected to the internet (i.e. in the DMZ).

A server implementation checklist, with the details specific to each server, should form part of the server log. The configuration details recorded on the checklist contribute to any disaster recovery procedure, allowing a more rapid rebuild of a failed system.

User accounts and passwords

The level of access to any computer system should be governed by appropriate authorization procedures which form part of the security policy. Although establishing initial access is frequently part of an employee induction process, later changes – in particular the removal of the user account – tend to be less controlled. Accounts which have not been used for some time should be disabled and marked for removal.

Strong passwords, changed regularly are a basic security requirement. Unfortunately, many users rely on passwords easily guessed by automated programs. Identify these passwords before the attackers do!

Acceptable use guidelines

Unacceptable use of systems can include harassment, offensive behaviour, criminal activity and loss of productivity. Guidelines must be enforced to protect both the company and the possible targets of inappropriate behaviour.

Guidelines must be made available to and accepted by all users - sometimes by formal agreement. Users should have a sense of personal responsibility for their use of internal systems and any external systems (eg internet) accessed using the resources of the business.

Firewall configuration and operation

A firewall ruleset should be based on the services which support the network requirement of the business. In practice, most firewalls are configured ‘on-the-fly’ in response to perceived needs and the convenience of the users and system administrators. Such firewalls generally retain outdated ‘testing’ rules and lack the proper planning and documentation required to demonstrate the correctness of the ruleset.

Firewall rules can be developed from the needs of the business with the supporting documentation and structures to provide:

  • Clear definitions of what services are supported and why;
  • Classification of users and internal systems to determine access permissions;
  • Logging rules for forensic analysis to help identify attacks and security breaches.

Internal monitoring

Reliable figures are difficult to obtain but a consistent theme of security surveys is that most attacks are either entirely or partly conducted by personnel within the target organization.

Appropriate consideration of the security exposures and possible approaches provides the information required for the business managers to balance openness and ease of use against the potential damage of a poorly secured system.

Internal publicity about the existence of regular internal monitoring and analysis, with some published results can directly contribute to self-censorship amongst users.

Intrusion Detection and Recovery

  • Would you know if your systems were attacked?
  • Would you know if the attack succeeded?
  • What would you do about it?

Any changes to a server’s operating environment may represent a system breach; the complexity of modern operating systems makes manual detection of such changes impractical.

Automated system checking tools, supported by appropriate administration procedures, can provide specific information about any modifications to core system files. Knowing what has changed provides a key starting points for differentiating legitimate upgrades from hostile changes and can minimise the time required to restore the system operations.

Need Assistance?

Dropbear Consulting Pty Limited can provide a range of analysis and consulting services to assist businesses in policy creation, implementation and the on-going management and monitoring of system security.

We do not sell security hardware or software but work to leverage the performance of your existing systems and assist in the development of an improved security consciousness within your organization.

Search Tags

wireless  psychology  programming  implementation  security  email  website  browser  vba  moodle  software  testing  process  analysis  office  owncloud  documentation  joomla  open source  audit

Features Articles

Online surveys

How do you know what your customers want? Perhaps you should ask them.

Surveying your internal or external customers gives you hard information on which to base decisions about product development, marketing campaigns, resourcing or any other area where you organisation or department interacts with another group (which means in nearly everything you do).

Beyond the Blackboard

Considerations when designing or specifying an on‑line learning environment.

For many organisations, the provision of training to staff and customer represents a significant cost. As the processing power and network bandwidth available to desktop PCs increases, the performance and features of on‑line learning systems have improved to the point where the delivery of training via a computer has become a viable option.

While on‑line learning is not an appropriate solution for all training needs, it does provide an effective training delivery mechanism in the right circumstances.

This article discusses some of the issues involved in creating an on‑line learning environment, viewed from the perspective of the different interest groups involved. The information and concepts shown here are not definitive; you should carefully consider your own specific requirements before implementing any computer system.

A Taxonomy of Loss

The widespread commercial use of the internet has led to an increasing focus on systems security. Media driven hype and a lack of independent information can make the true level of threat to an organization difficult to determine. Adopting a structured approach to the analysis of computer system security risks and allows an organization to more effectively balance their operational requirements against the potential for loss, whether that loss involves physical equipment, information or reputation.

This article discusses the components of a computer system, the types of attack to which they are exposed, some typical defence mechanisms and some weaknesses in the standard defences. The information and concepts shown can form a starting point for the development of suitable security and operational strategies to assist organizations to obtain the maximum value from their investments in computer systems.

Network Security

External Network Scanning

One of the core mechanisms for protecting networks is to install a firewall to mediate traffic between systems on the internal network, publicly accessible systems is a DMZ (from the military term demilitarised zone) and the internet.

Open Source

You shouldn't be using open source software because it's cheaper (although it is), you should be using it because of its features and flexibility and the fact that it doesn't lock you in to restrictive license agreements.

Documentation

It might be the last thing you want to read, but not having a well documented IT infrastructure (servers and networks) can lead to surprising events like critical systems running on unsupported servers.

Documentation must not only be accurate at the time it was created it should also meet these additional criteria:

  • Available The people who need the information must be able to get at it.
  • Editable Any documentation in the IT industry is quickly out of date, so it is essential that information is able to be correctly updated as soon as a change is required. Ideally the client or end-user should be able to do this, rather than waiting on the 'approved editor'.
  • Current 'Out of date' is just a nice way of saying 'wrong'. The date on which the underlying information was updated should be shown on any reports either printed or viewed online.

Latest blog posts

"It is a terrible thing to see and have no vision."
Helen Keller
FacebookTwitterLinkedinRSS Feed

Hosted at Panthur web hosting.

© Dropbear Consulting Pty Limited
Privacy policy