Centuries ago, security professionals may have debated the merits of new technologies, like moats or drawbridges for example. Today, the equipment may have changed, but the debate remains the same.
Today, your network has become the castle; and instead of invading armies, the security professional is constantly besieged by twelve-year-olds with downloaded cracker suites and thirty-year-old entrepreneurs looking to host a new warez site.
While 100% security is hardly a possibility, there are several things that you can do to make your network more secure.
1. Ensure that your firewalls are up-to-date and properly configured.
Yes, that is firewalls, as in more than one. The most secure configuration will include, at a minimum, two firewalls between any network client and the wild, wild Web. This includes a software firewall on the system, as well as a hardware firewall in the network path.
Although it is an excellent tool, most hardware firewalls have one fatal flaw: they are designed to trust all outgoing traffic. Unfortunately, this traffic may include captured keystrokes or other unwanted data. A software firewall, properly configured, is able to distinguish unsafe traffic from benign.
Your firewall manual will go into greater detail, but as a general rule of thumb, you should start by manually allowing all inbound and outbound traffic, and setting policies to allow only the desired packets.
2. Ensure that virus protection is up-to-date.
A virus will never be detected by your firewall, although some symptoms such as replication attempts may be flagged by your software firewall. A virus might be limited in scope and destroy data on one system (or server!), or might infect software firewalls and spread through the network. Once the software firewall is infected, the system is open to greater security risks.
Establishing and enforcing a policy of updates and regular virus scans now can save a weekend spent restoring a server and workstations later!
3. Maintain a security point of contact (POC)
Having a dedicated point of contact for all security issues, whether an assigned member of the IT department or an entire CIRT team, will ensure that security efforts and responses are coordinated, trends and patterns can be identified, and other groups or departments can be warned before the incident affects them. Similarly, the POC can coordinate assistance if the organization does not have the resources to deal with the threat.
4. Is your data passing through an unsecured medium?
Each node that your data passes thorough must be considered a potential security risk. Physical security is paramount when the network path runs through wiring closets, hubs, etc. For that matter, are you sure that you can trust your ISP?
If you cannot guarantee the security of your datapath, you can encrypt your network traffic. Programs such as Pretty Good Privacy allow seamless encryption of network traffic, as well as e-mail and messaging protection.
5. Baseline your network.
The network administrator has the "home field advantage" over a potential attacker. As the network administrator, you should know what 'usual' network traffic is, and what could be an indication of an attack.
Using a packet sniffer, such as Ethereal, under normal network loads should give you a good indication of expected network activity.
6. Ensure that OS and applications are properly patched.
A drawbridge will do you no good if you leave the key to the backdoor under that mat. Similarly, a firewall will do you no good if your OS opens a back door into your system. A recent example was the discovery that unpatched versions of Windows and MSN messenger can allow an attacker complete control over the system!
It is vital that each system OS is regularly patched, and at the very minimum, each program that accesses the Internet should be patched and upgraded in addition to being monitored by the firewall.
7. Utilize and configure an IDS.
An intrusion detection system is a crucial piece of your network security toolkit. An IDS can be as simple as a laptop running Snort or a highly priced, dedicated Cisco device. This will allow you to identify trends and patterns, and respond to attacks while they are still in the reconnaissance phase.
An IDS is nothing without skilled analysis of the results, however. The analyst will validate positive matches from the IDS, and if an attack is suspected, must validate it with the system logs, if possible. Ensure that that all clocks on the network are synced. This allows you to identify reconnaissance activity preceding an attack, or to quickly determine the characteristics of an attack in progress. It's much easier to identify the scope of the attack if all the systems show that it happened at 11:03:28, rather than 11:01:15, 12:03:30 and 12:00:00!
8. Secure the wireless network
Approximately 80% of wireless networks are unsecured networks, and this could prove to be the Achilles heel of an otherwise secure network.
First, make sure that all access points (APs) are password protected. And it goes without saying that the default password doesn't count! This will prevent most users from accessing the AP through their browser and altering the security settings. Also, use 128 bit WEP to protect data while airborne. Most APs allow you to hide the SSID (check your product documentation for details), which makes it more difficult for unauthorized users to detect your wireless network.
Lastly, if your router offers it, filter traffic by MAC address, or at the very least, IP address. This ensures that only authorized users have access to the network. Again, it is important to consider backdoors. Make sure that all users are aware of network security policies, which should ban unauthorized APs on the network. Most users will not configure their AP security polices in accordance with your own.
9. Consider your most dynamic security threat: human nature.
At one time, it was said that the only way to truly secure a system was to unplug it and leave it off. Unfortunately, this is no longer true, in addition to being completely impractical!
Users are capable of unintentionally jeopardize the security of the network by failing to properly secure their own systems. A user may choose a weak password that is easy to remember, or the administrator may assign a strong password that the user ends up writing down and "hiding" under the keyboard.
You can enforce strong password policies by using the snap-in console "gpedit.msc." The selection "Computer Configuration," "Windows Settings," "Account Policies" and "Password Policies" will allow you to define policies for users.
Ensure that your users are briefed on the very real threat of social engineering. As an example:
A user receives a call from tech support asking for help testing the new server. Tech support asks the user to change their password to "test," to log on to the server briefly, "for testing purposes." The user does so and is able to connect with no problems. Before hanging up, tech support reminds the user to change their password back to a private, secure selection, and stresses the importance of not saying the password out loud, even to the technician.
The entire transaction takes less than five minutes, but in that time a hacker has received unrestricted access to your network. No firewall could prevent it, no IDS can detect it.
In The art of deception, Kevin Mitnick describes several techniques that social engineers will use to exploit the trust of privileged users, and his guidelines should be part of any new employee training program.
Remember, a hacker will never call up and ask for the big picture, but a piece of the puzzle.
There may never be a way to plug every security hole, or to anticipate the new ones. However, a properly configured network, with an established security policy, can be the next best thing.
Chris Cox is a network administrator for the United States Army, based in Fort Irwin, California.
Dig deeper on Network Security Monitoring and Analysis