External Network Scanning

One of the core mechanisms for protecting networks is to install a firewall to mediate traffic between systems on the internal network, publicly accessible systems is a DMZ (from the military term demilitarised zone) and the internet.

Although an effective firewall is an important part of any network, is does not provide a complete solution:

Firewall topology

  • Most default operating system implementations leave many services unnecessarily exposed.
  • Trojans such as BackOrifice and various denial-of-service tools operate on high ports usually allowed through firewalls.
  • External services accessible through ‘allowed’ ports can violate site acceptable use policies (eg. browsing inappropriate sites)
  • A poorly configured or weak firewall can provide a false sense of security.
  • The firewall itself can be vulnerable to attack.

There are several steps which can verify and enhance the security of a network exposed to the internet. As well as identifying potential problems, these analyses assist in documenting the level of threat to which a network is exposed.

Network Mapping

Network mapping is the first step in any attack and helps identify likely targets and modes of attack. Not all network mapping probes are hostile but all attackers rely on some network mapping information.

Where possible, your network should deny all such information gathering attempts. Where some part of the internal (or DMZ) network must visible, the amount of information exposed should be minimized.

A high-level network map can identify some service configurations which reveal too much information and determines the scope of further analysis.

Port scanning / Traffic analysis

There are 64K IP ports on which services may be listening. Common services use the well-known IANA port numbers from 0 to 1023, although over 4500 registered services using over 1200 higher port numbers. Traffic for IP ports which are not required by legitimate services should be blocked by a firewall.

Firewall ingress rules (controlling traffic originating from the internet) can be validated by attempting connections to a range of port numbers from an external device. This scan identifies those services that are advertising their presence to the outside world.

Firewall egress rules (controlling traffic originating from the internal network) can be partially validated by analysis of firewall traffic logs (depending on the features of the firewall). These logs record the actual connections made from computers on the internal network to internet hosts as well as connections originating from the internet.

Analysis of firewall logs can reactively identify attempted breaches of the firewall rules from either the internal network or from the internet. Live intrusion detection is a complex subject generally requiring a substantial investment in systems and support infrastructure.

Service vulnerability checks / Threat detection

Controlling the types of traffic allowed between your internal networks and the internet reduces the scope of attacks possible against your systems. The remaining ‘allowed’ services still offer avenues of attack.

Most internet based attacks use widely known vulnerabilities is operating system or application software:

  • The internet ‘worm’ which infected hundreds of internet host in 1988 exploited the email transfer system.
  • Web pages are frequently attacked through bugs or configuration problems with the web server software.

In many cases, these faults can be readily identified by a series of standard requests from a computer connected to the internet. Once identified, many of these vulnerabilities can be addressed by relatively minor reconfigurations.

Analysis of web server logs can reactively identify attempted exploitation of these problems from either the internal network or from the internet.

Security Infrastructure Planning

A structured, organised approach to systems security is necessary to ensure that:

  • Security policies are aligned with the business requirements and supported by management;
  • All components of the systems environment are included – although the level of control will likely vary with the level of sensitivity and exposure in each area;
  • Response procedures are in place for system problems. This can vary from ‘normal’ hardware or software failures to concerted hostile internet attacks;
  • There is a basis for communicating security issues to users and, if required, to customers and suppliers.

In the real world, security is a compromise between the risks of exposure and the need to operate in a flexible and functional way. Network scanning processes can provide evidence of the potential for attack – log analysis can show traces of past attack attempts (although some successful attackers can conceal this evidence). Some specific areas of systems security planning are:

Server implementation processes

Before any system is made available in a live environment - either on an internal network or exposed to the internet – the configuration should be checked for appropriate operational and security robustness.

These checks include basic processes such as:

  • Ensuring that the backup procedures will correctly include the new device;
  • Checking the operating system and application software revisions for known weaknesses;
  • Checking the user authentication mechanisms.

More sophisticated checks are appropriate for systems with higher exposures, such as those directly connected to the internet (i.e. in the DMZ).

A server implementation checklist, with the details specific to each server, should form part of the server log. The configuration details recorded on the checklist contribute to any disaster recovery procedure, allowing a more rapid rebuild of a failed system.

User accounts and passwords

The level of access to any computer system should be governed by appropriate authorization procedures which form part of the security policy. Although establishing initial access is frequently part of an employee induction process, later changes – in particular the removal of the user account – tend to be less controlled. Accounts which have not been used for some time should be disabled and marked for removal.

Strong passwords, changed regularly are a basic security requirement. Unfortunately, many users rely on passwords easily guessed by automated programs. Identify these passwords before the attackers do!

Acceptable use guidelines

Unacceptable use of systems can include harassment, offensive behaviour, criminal activity and loss of productivity. Guidelines must be enforced to protect both the company and the possible targets of inappropriate behaviour.

Guidelines must be made available to and accepted by all users - sometimes by formal agreement. Users should have a sense of personal responsibility for their use of internal systems and any external systems (eg internet) accessed using the resources of the business.

Firewall configuration and operation

A firewall ruleset should be based on the services which support the network requirement of the business. In practice, most firewalls are configured ‘on-the-fly’ in response to perceived needs and the convenience of the users and system administrators. Such firewalls generally retain outdated ‘testing’ rules and lack the proper planning and documentation required to demonstrate the correctness of the ruleset.

Firewall rules can be developed from the needs of the business with the supporting documentation and structures to provide:

  • Clear definitions of what services are supported and why;
  • Classification of users and internal systems to determine access permissions;
  • Logging rules for forensic analysis to help identify attacks and security breaches.

Internal monitoring

Reliable figures are difficult to obtain but a consistent theme of security surveys is that most attacks are either entirely or partly conducted by personnel within the target organization.

Appropriate consideration of the security exposures and possible approaches provides the information required for the business managers to balance openness and ease of use against the potential damage of a poorly secured system.

Internal publicity about the existence of regular internal monitoring and analysis, with some published results can directly contribute to self-censorship amongst users.

Intrusion Detection and Recovery

  • Would you know if your systems were attacked?
  • Would you know if the attack succeeded?
  • What would you do about it?

Any changes to a server’s operating environment may represent a system breach; the complexity of modern operating systems makes manual detection of such changes impractical.

Automated system checking tools, supported by appropriate administration procedures, can provide specific information about any modifications to core system files. Knowing what has changed provides a key starting points for differentiating legitimate upgrades from hostile changes and can minimise the time required to restore the system operations.

Need Assistance?

Dropbear Consulting Pty Limited can provide a range of analysis and consulting services to assist businesses in policy creation, implementation and the on-going management and monitoring of system security.

We do not sell security hardware or software but work to leverage the performance of your existing systems and assist in the development of an improved security consciousness within your organization.