Why implement a firewall if your border router is not using an access control list (ACL)? We began this series with the article
Combating existing forms of attack begins with an understanding of the proven techniques and tools hackers use to penetrate your company's network security. It is equally important to be aware of the new programs being developed to automate the attack process. These programs not only automate the discovery process but find exploitable weaknesses faster. Automated hacking tools with faster discovery will let a hacker wreak havoc on your network if the proper security measures are not in place.
If your company is proactive, security is an initial consideration in the design and planning phases of your network implementation. If your company is reactive, security is an afterthought and a desperate measure to recover from an attack. In both cases, security is a moving target and requires ongoing attention and modifications to combat existing and new forms of attacks.
Let's start by examining the known techniques many hackers use, and the strategies to combat each threat. IP spoofing occurs when a hacker alters packet headers and falsifies the source IP address, borrowing the address of a trusted host so that the attacker's traffic appears to come from inside your network. Remember, in the absence of security, there is an opportunity for intrusion. Anti-spoofing begins with your border router and your ISP. Check with your ISP to confirm (and don't assume) that they have implemented anti-spoofing on the router that provides the Internet uplink to your perimeter router.
Tip #1: Reduce the threat of inbound IP spoofing attacks.
Discard any incoming packet (on the external interface) whose source IP address belongs to a trusted host on your internal network; such a packet should never arrive from the Internet, so it can only be spoofed. Even though your firewall offers anti-spoofing protection, you also need to guard against inbound spoofing in your border router. You can apply all the security hotfixes you like, but if you don't take care of your routers, eventually a hacker will! I've included a sample config file at the end of this article with rules that limit the effects of IP spoofing and denial of service (DoS) attacks.
A DoS attack occurs when a hacker floods your network with repetitive packets (e.g. ICMP, UDP, etc.) to create unnecessary congestion and deny network resources to affected users. The hacker's objective is to cause a service outage that disrupts network communications within your infrastructure, takes servers offline, and prevents delivery of services to desktops. Improperly configured routers and missing security hotfixes give hackers the openings to launch one of several DoS variants (e.g. SYN-based, ping-based, distributed, etc.) against your network. The consequences differ by attack: a malformed-packet attack may crash your router by overflowing a buffer, while a host compromised along the way may end up running the attacker's scripts or serving as a repository for files shared over the Internet.
Tip #2: Limit the damage of DoS attacks.
Disable unnecessary services (e.g. echo) on your router and use ACLs to filter both inbound and outbound traffic. Read Protecting your border routers for more details. Understand the services your routers are running and apply relevant, tested security hotfixes for known bugs. Review your router's configuration and make the modifications needed to improve its security. Monitor your logs closely and carefully investigate any suspicious probes or activity. Check protocol statistics periodically and report suspicious patterns to your ISP immediately. The bottom line: you must know what normal traffic looks like on your network 24/7/365; that baseline is what lets you recognize abnormal patterns when they appear. To reiterate, stay current with applicable security hotfixes.
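The "monitor your logs closely" step can be turned into a routine. As an added example (not from the original article), the Python below parses the %SEC-6-IPACCESSLOGP and %SEC-6-IPACCESSLOGDP messages a Cisco IOS router emits for ACL entries carrying the log keyword, totals denied packets per source, and flags sources that indicate spoofing (your own prefix, or a private, loopback or multicast range, arriving from outside) or that exceed a volume threshold. The syslog lines, the 203.0.113.0/24 internal prefix and the threshold are constructed assumptions.

```python
"""Added example: triage Cisco IOS ACL 'log' messages for spoofing and floods."""
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines (not from a real router). The message format is
# the one IOS uses for access-list entries with the "log" keyword.
SAMPLE_LOG = """\
Jul  9 10:01:12 border 141: %SEC-6-IPACCESSLOGP: list 112 denied tcp 10.20.30.40(3456) -> 203.0.113.10(80), 1 packet
Jul  9 10:01:13 border 142: %SEC-6-IPACCESSLOGP: list 112 denied tcp 10.20.30.40(3457) -> 203.0.113.10(80), 1 packet
Jul  9 10:01:20 border 143: %SEC-6-IPACCESSLOGDP: list 112 denied icmp 198.51.100.7 -> 203.0.113.255 (8/0), 250 packets
Jul  9 10:02:01 border 144: %SEC-6-IPACCESSLOGP: list 112 denied tcp 203.0.113.77(1025) -> 203.0.113.10(23), 1 packet
Jul  9 10:02:05 border 145: %SEC-6-IPACCESSLOGP: list 112 permitted udp 192.0.2.53(53) -> 203.0.113.20(1234), 1 packet
Jul  9 10:02:09 border 146: %SEC-6-IPACCESSLOGP: list 112 denied tcp 127.0.0.1(5555) -> 203.0.113.10(22), 1 packet
"""

# TCP/UDP lines carry "(port)" after each address; ICMP lines carry "(type/code)"
# after the destination instead. Both end in ", N packet(s)".
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \((?P<icmp>[\d/]+)\))?, "
    r"(?P<count>\d+) packets?"
)

# Assumed address plan: 203.0.113.0/24 stands in for "<your network>".
INTERNAL_NET = ipaddress.ip_network("203.0.113.0/24")
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "224.0.0.0/4")]

def parse_line(line):
    """Return the fields of one ACL log message, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec

def classify_source(src):
    """Label a source seen on the outside interface."""
    addr = ipaddress.ip_address(src)
    if addr in INTERNAL_NET:
        return "spoofed-internal"   # our own prefix cannot legitimately arrive from outside
    if any(addr in n for n in BOGON_NETS):
        return "bogon"              # private, loopback or multicast source
    return "external"

def summarize(log_text):
    """Total denied packets per source and classify each source."""
    denied = Counter()
    labels = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        denied[rec["src"]] += rec["count"]
        labels[rec["src"]] = classify_source(rec["src"])
    return denied, labels

def flag_suspicious(denied, labels, threshold=100):
    """Sources worth escalating: any spoofing indicator, or volume >= threshold."""
    return sorted((src for src, n in denied.items()
                   if labels[src] != "external" or n >= threshold),
                  key=ipaddress.ip_address)

if __name__ == "__main__":
    totals, kinds = summarize(SAMPLE_LOG)
    for src in flag_suspicious(totals, kinds):
        print(f"{src:16} {kinds[src]:17} {totals[src]} pkts")
```

IOS logs the first packet that matches an entry and then periodic summaries for that entry, so the counts are a lower bound on the real volume; the point is the trend against your baseline, not the exact figure. Any source labelled spoofed-internal or bogon is a spoofing attempt by definition and is worth reporting to your ISP regardless of count.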
A worm attack occurs when a hacker infects your computers or network with a self-replicating program carrying malicious code (like Nimda). The program propagates from infected networks to other networks across the Internet, and the scanning traffic it generates can by itself collapse part (or most) of an affected network. This type of attack spreads through email, HTML documents, and network shares.
Tip #3: Restrict worms using Network-Based Application Recognition (NBAR) and ACLs to discard HTTP packets based on specified MIME types, URL strings, and hostname strings.
If your startup-config lacks the rules in the sample configuration below, you have found a weak link. Remember to back up your existing running-config before making any changes. Let's examine the sample config file. Only the anti-spoofing, anti-DoS and anti-http rules are covered, so this is a partial file; it assumes you understand how to install an ACL and that you add permit entries for the services you actually publish, since everything not permitted is dropped.
! Sample anti-spoofing & anti-DoS config file -- in particular, inbound anti-spoofing.
! Every IOS ACL ends with an implicit "deny ip any any", whether or not you write one,
! so you don't need a deny rule for every port you want to block: permit what you
! need and let the implicit deny drop the rest. Entries are evaluated top to bottom
! and the first match wins, so the deny entries below must precede the permits.
!
! Bind access-group 112 to the external interface for inbound filtering and attach
! the NBAR marking policy inbound on the same interface.
interface <external interface>
 ip address <external IP address> <subnet mask>
 ip access-group 112 in
 service-policy input mark-anti-http
 ! Anti-spoofing and anti-DoS tip -- don't forward directed broadcasts. A smurf-style
 ! attack pings your broadcast address from a spoofed source so that every host
 ! replies, flooding the victim and congesting your own segment.
 no ip directed-broadcast
!
! Anti-http -- classify HTTP requests through NBAR by URL string (MIME type and
! hostname strings work the same way) and mark them DSCP 1 so an ACL can drop them.
! Repeat the "match protocol" line for each additional string.
class-map match-any anti-http
 match protocol http url "*cmd.exe*"
policy-map mark-anti-http
 class anti-http
  set ip dscp 1
!
! Anti-http tip -- deny the packets marked above. Caveat: an inbound ACL is checked
! before the inbound service-policy marks the packet, so this entry cannot live in
! list 112; apply it outbound on the interface facing your network instead.
access-list 113 deny ip any any dscp 1 log
access-list 113 permit ip any any
interface <internal interface>
 ip access-group 113 out
!
! Anti-spoofing tip -- deny incoming packets that claim a source address inside your
! own network/subnet; legitimate traffic from the Internet never does.
access-list 112 deny ip <your network> <inverted mask> any log
! Anti-spoofing tip -- deny incoming packets with a multicast (224.0.0.0/4) source
access-list 112 deny ip 224.0.0.0 15.255.255.255 any log
! Anti-spoofing tip -- deny incoming packets with a loopback source
access-list 112 deny ip 127.0.0.0 0.255.255.255 any log
! Anti-spoofing tip -- deny incoming packets with RFC 1918 private source addresses;
! they are not routable on the Internet, so they can only be spoofed or leaked.
access-list 112 deny ip 10.0.0.0 0.255.255.255 any log
access-list 112 deny ip 172.16.0.0 0.15.255.255 any log
access-list 112 deny ip 192.168.0.0 0.0.255.255 any log
! Anti-DoS tip -- only the named outside host may send ICMP echo requests, and only
! to the named server; every other inbound ping falls through to the implicit deny.
! See "Protecting your border routers" for tips on permit rules.
access-list 112 permit icmp host <outside host> host <your server> echo log
! General security tip -- stop outsiders from initiating TCP connections.
! Don't even think about installing an access list if this line is not one of your rules.
! "established" matches segments with the ACK or RST bit set, i.e. replies to
! connections opened from inside. It is a flag check, not connection tracking: a
! crafted packet with ACK set still passes, which is one reason the firewall stays
! behind this router.
access-list 112 permit tcp any <your network> <inverted mask> established log
! This rule allows DNS replies so users can browse the Internet. It matches only on
! source port 53, which any sender can choose, so restrict it to your ISP's resolvers
! where possible, e.g.:
!   access-list 112 permit udp host <ISP DNS server> eq domain <your network> <inverted mask> log
access-list 112 permit udp any eq domain any log
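Before pasting a list like this into a border router, it pays to check what each entry actually does to a packet. The Python below is an added example, not part of the original article: a small evaluator for IOS-style extended ACL entries that models wildcard masks (a 1 bit means "don't care"), first-match evaluation, the implicit trailing deny, "established" as a bare ACK/RST flag check, and "eq <port>" as a source- or destination-port match. The placeholder values are assumptions: <your network> <inverted mask> is 203.0.113.0 0.0.0.255, <your server> is 203.0.113.10 and <outside host> is 198.51.100.5; the sample packets are constructed. The evaluator assumes any DSCP mark is already on the packet when the list is consulted, which on a real router is true only for an ACL applied on the egress side of the marking interface.

```python
"""Added example: evaluate constructed packets against an IOS-style extended ACL."""
import ipaddress
from dataclasses import dataclass

# Assumed placeholder values: <your network> <inverted mask> = 203.0.113.0 0.0.0.255,
# <your server> = 203.0.113.10, <outside host> = 198.51.100.5.
ACL_112 = """
access-list 112 deny ip any any dscp 1 log
access-list 112 deny ip 203.0.113.0 0.0.0.255 any log
access-list 112 deny ip 224.0.0.0 15.255.255.255 any log
access-list 112 deny ip 127.0.0.0 0.255.255.255 any log
access-list 112 deny ip 10.0.0.0 0.255.255.255 any log
access-list 112 deny ip 172.16.0.0 0.15.255.255 any log
access-list 112 deny ip 192.168.0.0 0.0.255.255 any log
access-list 112 permit icmp host 198.51.100.5 host 203.0.113.10 echo log
access-list 112 permit tcp any 203.0.113.0 0.0.0.255 established log
access-list 112 permit udp any eq domain any log
"""

@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False       # TCP ACK or RST bit set: all that "established" tests
    icmp_type: int = -1     # 8 = echo request
    dscp: int = 0           # mark left by an NBAR policy, if any

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.ip_address(tokens.pop(0))), 0
    return int(ipaddress.ip_address(t)), int(ipaddress.ip_address(tokens.pop(0)))

def _parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier (numeric or 'domain'); else None."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return int(name) if name.isdigit() else {"domain": 53}[name]
    return None

def parse_acl(text):
    """Parse 'access-list N permit|deny proto src [eq p] dst [eq p] [options]' lines."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, sport = _parse_addr(rest), _parse_port(rest)   # evaluated left to right
        dst, dport = _parse_addr(rest), _parse_port(rest)
        dscp = int(rest[rest.index("dscp") + 1]) if "dscp" in rest else None
        rules.append((action, proto, src, sport, dst, dport, set(rest), dscp))
    return rules

def _addr_match(spec, addr):
    """IOS wildcard semantics: bits set in the wildcard are ignored in the compare."""
    base, wildcard = spec
    return (int(ipaddress.ip_address(addr)) & ~wildcard) == (base & ~wildcard)

def _matches(rule, pkt):
    _, proto, src, sport, dst, dport, opts, dscp = rule
    return ((proto == "ip" or proto == pkt.proto)
            and _addr_match(src, pkt.src) and _addr_match(dst, pkt.dst)
            and (sport is None or pkt.sport == sport)
            and (dport is None or pkt.dport == dport)
            and ("established" not in opts or pkt.ack)
            and ("echo" not in opts or pkt.icmp_type == 8)
            and (dscp is None or pkt.dscp == dscp))

def evaluate(rules, pkt):
    """First matching entry wins; the implicit 'deny ip any any' ends every ACL."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule[0]
    return "deny"

# Constructed traffic arriving inbound on the external interface.
SAMPLES = {
    "spoofed internal source":   Packet("tcp", "203.0.113.50", "203.0.113.10", 40000, 80, ack=True),
    "multicast source":          Packet("udp", "224.0.0.1", "203.0.113.10", 5000, 5000),
    "ping from allowed host":    Packet("icmp", "198.51.100.5", "203.0.113.10", icmp_type=8),
    "ping from anyone else":     Packet("icmp", "198.51.100.99", "203.0.113.10", icmp_type=8),
    "inbound SYN to telnet":     Packet("tcp", "198.51.100.9", "203.0.113.10", 40000, 23),
    "reply to inside client":    Packet("tcp", "198.51.100.9", "203.0.113.20", 80, 40000, ack=True),
    "crafted ACK to ssh":        Packet("tcp", "198.51.100.9", "203.0.113.10", 40000, 22, ack=True),
    "udp from sport 53 to snmp": Packet("udp", "198.51.100.9", "203.0.113.10", 53, 161),
    "marked by NBAR (dscp 1)":   Packet("tcp", "198.51.100.9", "203.0.113.10", 40000, 80, dscp=1),
}

def decisions(acl_text=ACL_112, samples=SAMPLES):
    """Return {sample name: 'permit' | 'deny'} for every constructed packet."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt) for name, pkt in samples.items()}
```

Two of the permits are the ones to notice: "crafted ACK to ssh" passes because established only inspects TCP flags, and "udp from sport 53 to snmp" passes because the DNS entry matches on a source port the sender controls. Both are why the article places a stateful firewall behind the router and suggests pinning the DNS rule to your ISP's servers.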
Did you pass the test? Does your config file already include the above rules? If yes, kudos! In our next issue, we'll focus on a "Profile of sophisticated hackers."
It's been my experience that experienced IT professionals have often overlooked some of these basic steps. If you're serious about security, you must pay attention to details and leave no room for hackers.
Did this article bring any potential weak links in your network to light? Write to Luis and let him know.
This was first published in July 2002