Five steps to securing your network
Written by Jason
Aug 11, 2007 at 09:44 AM

A friend recently asked me about a security methodology for a very small company he works with that doesn't have a large amount of money to throw at security. This made me think: are people being convinced that money = security?

I decided to put together a methodology that doesn't spend any money on software costs. So, here's five steps that can be used to secure almost any environment, even small ones.


Step 1) And knowing is half the battle

"If you don't know what's on your network, you can't manage it." This is a mantra every system administrator should repeat over and over in their head. For very small networks this usually isn't a problem; but the problem grows as the network grows.

There are a wide variety of ways to discover what's on a network. Rogue Scanner is a good tool for this on smaller networks. It only works on the local subnet it's being run on, but aside from that it's pretty good at determining what kind of device is running.

For larger networks, P0f is a good choice. It acts as a passive fingerprinting tool and creates no additional network traffic. It's very reliable at fingerprinting odd devices and works on devices behind packet filtering front ends, such as most firewalls.

Along with these, running an nmap port scan across the entire network usually provides good results. For example:

nmap -v -O -A 192.168.1.0/24

This would run an nmap scan (a SYN "stealth" scan if you're running it with root or administrative privileges) using the nmap default ports and attempt OS detection against anything it finds on the private network 192.168.1.x. Be aware that although most systems handle port scanning very well, certain embedded systems (such as SCADA devices like GE Fanuc PLCs or Kronos timeclocks) do not handle port scanning well at all.

Combine the tried and true nmap port scanner with Rogue Scanner/P0f and you should be able to discover all systems currently plugged into your network (and turned ON!) fairly reliably.
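Knowing what's on the network only pays off if you keep the result and compare it against what you expect to be there. The script below is an added example, not something from the original post or from the nmap project: it parses nmap's grepable output (what `nmap -oG -` prints; the sample text here is constructed, not a real scan), builds a host list with open ports and the OS guess, and reports anything that isn't on a known-asset list you maintain by hand. The `KNOWN_ASSETS` table and the "risky service" list are illustrative assumptions.

```python
"""Turn nmap grepable (-oG) output into a host inventory and diff it against
a hand-maintained asset list, so unexpected hosts stand out after each sweep."""
import re
from dataclasses import dataclass, field

# Constructed sample of `nmap -v -O -oG - 192.168.1.0/24` output (not real scan data).
SAMPLE_GREPABLE = """\
# Nmap 4.20 scan initiated Sat Aug 11 09:00:00 2007 as: nmap -v -O -oG - 192.168.1.0/24
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 4.3/, 80/open/tcp//http//Apache httpd 2.2/\tOS: Linux 2.6.X
Host: 192.168.1.10 (fileserver)\tStatus: Up
Host: 192.168.1.10 (fileserver)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tOS: Microsoft Windows Server 2003
Host: 192.168.1.77 ()\tStatus: Up
Host: 192.168.1.77 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http//lighttpd/\tOS: Linux 2.4.X
# Nmap done at Sat Aug 11 09:03:12 2007 -- 256 IP addresses (3 hosts up) scanned in 192.4 seconds
"""

# Assumed asset list: what the administrator believes should be plugged in.
KNOWN_ASSETS = {"192.168.1.1": "gateway", "192.168.1.10": "fileserver"}


@dataclass
class Host:
    ip: str
    name: str
    ports: list = field(default_factory=list)  # (port, protocol, service)
    os: str = ""


HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_grepable(text):
    """Return {ip: Host} from nmap -oG output; each host spans several lines."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a Host record
        ip, name = m.group(1), m.group(2)
        host = hosts.setdefault(ip, Host(ip, name))
        # Fields are tab separated, each "Name: value".
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" in fields:
            for entry in fields["Ports"].split(", "):
                # port/state/protocol/owner/service/rpc info/version/
                parts = entry.split("/")
                if len(parts) >= 5 and parts[1] == "open":
                    host.ports.append((int(parts[0]), parts[2], parts[4]))
        if "OS" in fields:
            host.os = fields["OS"]
    return hosts


def find_unknown_hosts(hosts, known=KNOWN_ASSETS):
    """Hosts that answered the sweep but are not in the asset list."""
    return sorted(ip for ip in hosts if ip not in known)


def flag_risky_services(hosts, risky=("telnet", "ftp")):
    """Open cleartext services worth a closer look, as (ip, port, service)."""
    return [(h.ip, port, svc) for h in hosts.values()
            for (port, _proto, svc) in h.ports if svc in risky]


if __name__ == "__main__":
    inventory = parse_grepable(SAMPLE_GREPABLE)
    for h in inventory.values():
        print(h.ip, h.name or "-", h.os, [p for p, _, _ in h.ports])
    print("unknown hosts:", find_unknown_hosts(inventory))
    print("risky services:", flag_risky_services(inventory))
```

Run it against a real sweep with `nmap -v -O -oG scan.gnmap 192.168.1.0/24` and feed the file contents to `parse_grepable`; keeping yesterday's inventory and diffing the two dictionaries is the cheapest "what changed overnight" check there is.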

Step 2) Patch management is a chore, but do it anyway

Almost everyone who works in IT probably knows that installing OS patches as they come out is critical to security. At least, I hope they know. But when was the last time you installed a third-party patch for an application?

Many system administrators are overwhelmed as it is, so checking for updates to third-party applications isn't always a top priority, but it should be. Java, Adobe products and similar widely installed applications are favourites of virus, worm and trojan writers. In many environments the mantra 'If it ain't broke, don't fix it' rules the day, but it leaves systems in a very vulnerable state. If there's a patch release for an application it's almost always a good idea to install it, at least from a security point of view.

Keeping up with third-party patches, however, has always been problematic due to logistics. There is no single location to go to find out about every third-party patch that's been released, so knowledge of your environment is key here. A good software inventory on a recurring basis is the most important aspect of keeping the door closed on third-party security holes, for the simple reason that if you don't know what's running you can't patch it.

OCS Inventory is an open source software inventory package that's worth taking a look at. It's become an invaluable tool suite to those that need to know what applications have been installed on their systems and have no money to implement a more expensive solution.
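Once an inventory exists, the remaining work is comparing what's installed against the versions you've decided are the minimum acceptable. The following is an added example, not code from the original post or from OCS Inventory: it reads a small host/application/version table of the kind an inventory tool can export (the rows and the minimum-version list are constructed for illustration, not a real advisory list) and reports which hosts need a third-party update. The one non-obvious part is version comparison: plain string comparison would rank 1.6.0_10 below 1.6.0_2, so versions are split into numeric and text pieces first.

```python
"""Compare a software inventory against minimum patched versions and list the
hosts that are behind. Inventory rows and minimum versions are constructed."""
import csv
import io
import re

# Constructed inventory export: one row per (host, application, version).
SAMPLE_INVENTORY = """\
host,application,version
ws-01,Java Runtime Environment,1.6.0_02
ws-01,Adobe Reader,7.0.9
ws-02,Java Runtime Environment,1.5.0_11
ws-02,Mozilla Firefox,2.0.0.6
ws-03,Adobe Reader,8.1.0
ws-03,Java Runtime Environment,1.6.0_10
"""

# Assumed policy: lowest version you are willing to see on a workstation.
MINIMUM_VERSIONS = {
    "Java Runtime Environment": "1.6.0_02",
    "Adobe Reader": "8.1.0",
    "Mozilla Firefox": "2.0.0.6",
}


def version_key(version):
    """Comparable tuple for a version string: numeric runs compare as integers,
    everything else as text, so '1.6.0_10' sorts after '1.6.0_2'."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-_]", version) if p)


def find_outdated(inventory_csv, minimums=MINIMUM_VERSIONS):
    """Return sorted (host, application, installed, required) for every row
    whose installed version is below the policy minimum."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        required = minimums.get(row["application"])
        if required is None:
            continue  # nothing in the policy for this application
        if version_key(row["version"]) < version_key(required):
            findings.append((row["host"], row["application"],
                             row["version"], required))
    return sorted(findings)


if __name__ == "__main__":
    for host, app, installed, required in find_outdated(SAMPLE_INVENTORY):
        print(f"{host}: {app} {installed} is below {required}")
```

The inventory can be exported from OCS Inventory or gathered with any script that lists installed applications; what matters is that the comparison runs on a schedule, because a list of minimum versions you update only when you remember to is no better than no list at all.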

Step 3) Be like an onion, not a Tootsie pop. Oh, and tie your shoelaces.

Layered security is one of the best deterrents against hackers. The idea is to rely on multiple layers of security so that if one is breached, there are still many more to protect the underlying data. Just like an onion, your security should be composed of many layers. Unfortunately, most networks are more like a Tootsie pop: a hard, crunchy shell on the outside thanks to firewalls, but soft and gooey on the inside with little to no security.

What good is layered security?

"Two men were walking through the African savanna on a tour one day.
Suddenly, one of the men spots a lion about 200 yards away.
"We're in trouble!", shouts the first man. "What are we going to do?!"
The second man calmly bends down and begins tightening his shoelaces.
"Are you crazy? You'll never be able to outrun that lion!", the first man shouts.
"I don't need to outrun the lion," says the second man. "I only need to outrun you.""

The concept is that even if every layer of your security could be compromised with a great deal of effort, a hacker would get bored and move on to a softer target long before he was successful.

Separating clients from servers in separate virtual LANs (VLANs) is a start. Block unnecessary traffic between VLANs with access control lists (ACLs) and implement port-based security by locking down switch ports to the MAC addresses of your systems. Implement IPSec authentication (notice I didn't recommend IPSec encryption; it's almost always overkill for smaller networks and a waste of resources). Additionally, consider a NAC/NAP/802.1x solution to add even more security.

Step 4) If you're being shot at it would be nice to hear the gunshots

Many system administrators would have no idea if the system they were standing in front of was under attack. Without insight into their network, anything could be happening. Sure, there are server logs that will log malicious behavior (if configured correctly), but what if the hacker penetrates the server and erases them?

Having an intrusion detection system (IDS) is one of the most overlooked solutions to provide rapid insight into what is happening on your network. The open source package Snort is one of the most powerful IDS packages found anywhere and is worth the effort to get running. Use port mirroring on your network switch to relay traffic to the Snort server or put the Snort server inline between your network gateway and your network.

Another method is to record your network traffic. Using Ethereal/Wireshark in raw capture mode to continuously record packets coming into and going out of your network can be a job saver if you need a record of what happened for law enforcement.
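To make "hearing the gunshots" concrete, here is an added example that is not from the original post and is not Snort's own code: a small detector run over a constructed firewall connection log (the netfilter-style lines are made up for illustration). It keeps a sliding window per source address and raises an alert when one source touches more than a threshold of distinct host/port combinations inside that window, which is the shape the port sweep from Step 1 has when seen from the receiving end. The threshold, window and log format are assumptions; Snort's sfPortscan preprocessor does the same job with far more nuance, and this is only the core idea.

```python
"""Flag port-scan-like behaviour in a connection log: one source address
hitting many distinct (destination, port) pairs within a short window.
Log lines below are constructed samples in a netfilter-like format."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2007-08-11 09:44:01 kernel: IN=eth0 SRC=192.168.1.77 DST=192.168.1.10 PROTO=TCP DPT=21
2007-08-11 09:44:01 kernel: IN=eth0 SRC=192.168.1.77 DST=192.168.1.10 PROTO=TCP DPT=22
2007-08-11 09:44:01 kernel: IN=eth0 SRC=192.168.1.20 DST=192.168.1.10 PROTO=TCP DPT=445
2007-08-11 09:44:02 kernel: IN=eth0 SRC=192.168.1.77 DST=192.168.1.10 PROTO=TCP DPT=23
2007-08-11 09:44:02 kernel: IN=eth0 SRC=192.168.1.77 DST=192.168.1.10 PROTO=TCP DPT=25
2007-08-11 09:44:02 kernel: IN=eth0 SRC=192.168.1.20 DST=192.168.1.10 PROTO=TCP DPT=445
2007-08-11 09:44:03 kernel: IN=eth0 SRC=192.168.1.77 DST=192.168.1.10 PROTO=TCP DPT=80
2007-08-11 09:44:03 kernel: IN=eth0 SRC=192.168.1.77 DST=192.168.1.10 PROTO=TCP DPT=110
2007-08-11 09:44:04 kernel: IN=eth0 SRC=192.168.1.77 DST=192.168.1.10 PROTO=TCP DPT=135
2007-08-11 09:44:04 kernel: IN=eth0 SRC=192.168.1.20 DST=192.168.1.10 PROTO=TCP DPT=445
2007-08-11 09:44:04 kernel: IN=eth0 SRC=192.168.1.77 DST=192.168.1.10 PROTO=TCP DPT=139
2007-08-11 09:44:05 kernel: IN=eth0 SRC=192.168.1.77 DST=192.168.1.10 PROTO=TCP DPT=443
2007-08-11 09:44:05 kernel: IN=eth0 SRC=192.168.1.77 DST=192.168.1.10 PROTO=TCP DPT=445
2007-08-11 10:30:00 kernel: IN=eth0 SRC=192.168.1.30 DST=192.168.1.10 PROTO=TCP DPT=22
2007-08-11 11:30:00 kernel: IN=eth0 SRC=192.168.1.30 DST=192.168.1.10 PROTO=TCP DPT=80
"""

# Assumed log layout: timestamp, then SRC=, DST= and DPT= fields in that order.
LOG_RE = re.compile(r"^(\S+ \S+) .*?SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")


def detect_scans(log_text, threshold=8, window=timedelta(seconds=60)):
    """Return (source, first-alert time, distinct targets) once per source
    whose distinct (dst, port) count inside `window` reaches `threshold`."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, (dst, port))
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a connection record
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        src, dst, port = m.group(2), m.group(3), int(m.group(4))
        q = recent[src]
        q.append((ts, (dst, port)))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop events that fell out of the window
        targets = {target for _, target in q}
        if len(targets) >= threshold and src not in alerted:
            alerted.add(src)  # one alert per source, not one per packet
            alerts.append((src, ts.isoformat(sep=" "), len(targets)))
    return alerts


if __name__ == "__main__":
    for src, when, count in detect_scans(SAMPLE_LOG):
        print(f"{when} possible port scan from {src}: {count} targets in window")
```

The same logic works on Snort's own alert log or on a firewall's syslog feed; the point is that the 192.168.1.20 host repeatedly opening one file share is normal, while 192.168.1.77 walking ten ports in five seconds is the kind of thing you want to hear about while it's happening, not after the logs on the target have been wiped.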

Step 5) Screendoors on submarines

Considering your firewall the protection for your entire network is a bit like asking someone to test your bulletproof vest by stabbing you with a knife. Yet this is exactly what many administrators rely on. Other points of entry aren't as obvious, but they are more likely targets for hackers who want your data.

For example, if I were to mail you a brand new shiny flash drive, would you use it? What if you found one lying near your cubicle at work, or outside next to your car? Most people would plug it in to at least see what's on it.

It could very well be a bad mistake. U3-capable flash drives come with a small read-only partition that looks like a CD-ROM drive to the system. Since it's fairly simple (with a little hacker know-how) to modify the normally read-only CD-ROM partition, any files of an attacker's choosing could be launched automatically on any system the thumb drive is plugged into that has autorun enabled.

There's not much need to hack through a firewall if you can simply go around it. Wireless access points with weak encryption, USB devices (such as iPods, thumb drives, etc.), and old-fashioned modems make excellent targets for hackers. These threats are very real and most networks are very vulnerable to them.

Disabling USB ports on systems that don't need them and using operating system controls on the ones that do, disabling dangerous services such as autorun, and limiting user accounts to non-administrative rights all plug holes in your network's defenses. So do scanning your phone lines on occasion for unauthorized modems with free software like iWar or ModemScan, and periodically scanning for rogue wireless access points with free software like Kismet or Netstumbler.


Last Updated ( Aug 15, 2007 at 01:08 PM )