NET 102 - Networking Essentials II

Chapter 14, Network Hardening; Chapter 15, Network Management

Objectives:

This lesson discusses securing networks and making them harder to attack. Objectives important to this lesson:

  1. Detection and prevention of attacks
  2. Penetration testing
  3. Network hardening
  4. Incident response and forensics
  5. Update management
  6. Data protection
  7. Remote management
  8. Mobile device management
  9. Data center management
  10. Monitoring and log files
  11. Using SNMP

Concepts:

Chapter 14, Network Hardening

The text begins with some discussion of detection and reaction. Consider the definitions from one of our security texts:

  • intrusion - someone tries to access or disrupt a system
  • intrusion detection - if a product only does detection, it will notice an attempted or actual intrusion, and will probably tell someone; a detection system does not take action against the intrusion
  • intrusion reaction - if a product reacts to intrusions, it attempts to stop them, contain them, or minimize their effects
  • intrusion prevention - if a product acts to prevent intrusion, it probably does detection as well; I am sometimes notified by my security suite that an attempted intrusion has been detected and stopped, which is what you want such a system to do

When you are researching products in this category, you should be careful to note what the product actually does. If it is marketed as an intrusion detection system, don't expect it to prevent or stop intrusions. An intrusion detection and prevention system (IDPS) would be preferable to a system that only performed one of those functions.

The security text asks the question "Why use an IDPS?" Well, which would you rather see on your screen, a message that says an attack has just been stopped without damage, or a (insert your favorite emblem of disaster)? There are some reasons that go a bit farther:

  • If employees know about an IDPS, they may be less likely to go postal on your network.
  • Detection of events will tell you when your other layers of security are not working.
  • Dealing with probes that are used before an attack may serve to present that "walled city" Sun Tzu wrote about.
  • An IDPS keeps a log of events, which can be analyzed for current threats and for trends.
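The last point above, that an IDPS log can be analyzed for current threats and for trends, is easy to show with a small log analyzer. The example below is added here and is not code from the course text or from any IDPS product; the log format (time, source address, destination port, event type), the sample lines, and the thresholds are all constructed for illustration. It flags a source that touches many distinct ports (the kind of probe the text says precedes an attack), a source with repeated failed logins, and a per-source count for trend review.

```python
"""Analyze an IDPS-style event log for probes, repeated failed logins and trends."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not from the course text or any real IDPS).
# Each line is: "<time> <src_ip> <dst_port> <event>"
SAMPLE_LOG = """\
10:00:01 203.0.113.5 22 auth_fail
10:00:03 203.0.113.5 22 auth_fail
10:00:04 203.0.113.5 22 auth_fail
10:00:06 203.0.113.5 22 auth_fail
10:00:07 203.0.113.5 22 auth_fail
10:00:09 203.0.113.5 22 auth_fail
10:01:00 198.51.100.9 21 syn
10:01:00 198.51.100.9 22 syn
10:01:00 198.51.100.9 23 syn
10:01:01 198.51.100.9 25 syn
10:01:01 198.51.100.9 80 syn
10:01:01 198.51.100.9 110 syn
10:01:02 198.51.100.9 143 syn
10:01:02 198.51.100.9 443 syn
10:01:02 198.51.100.9 445 syn
10:01:03 198.51.100.9 3389 syn
10:02:00 192.0.2.44 443 syn
10:02:01 192.0.2.44 443 auth_fail
10:02:30 192.0.2.44 443 auth_ok
"""


@dataclass(frozen=True)
class Event:
    time: str
    src: str
    port: int
    kind: str


def parse_log(text):
    """Parse log lines into Event records, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue  # malformed line: ignore rather than crash the analysis
        events.append(Event(parts[0], parts[1], int(parts[2]), parts[3]))
    return events


def find_probes(events, min_ports=8):
    """Sources that touched at least min_ports distinct ports (a scan signature)."""
    ports = defaultdict(set)
    for e in events:
        ports[e.src].add(e.port)
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


def find_bruteforce(events, threshold=5):
    """(source, port) pairs with at least threshold failed logins."""
    fails = defaultdict(int)
    for e in events:
        if e.kind == "auth_fail":
            fails[(e.src, e.port)] += 1
    return sorted(key for key, n in fails.items() if n >= threshold)


def trend_by_source(events):
    """Total events per source, the raw material for the trend review the text mentions."""
    counts = defaultdict(int)
    for e in events:
        counts[e.src] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("probe sources:", find_probes(evs))
    print("brute force (src, port):", find_bruteforce(evs))
    print("events per source:", trend_by_source(evs))
```

The thresholds (eight distinct ports, five failures) are the tunable part: set them too low and normal traffic raises alarms, too high and a slow probe slips through, which is exactly the trade-off a detection-only product leaves to the person reading its log.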

As mentioned in another chapter, an IDPS may be installed on a computer or a network appliance and allowed to sniff all the packets that pass by. This sort of network-based IDPS may need to be duplicated in various parts of your network, since it has to watch every packet that goes by, and it will not see any packets that are not passed to the network segment it lives on.

The second major option for an IDPS is a host-based IDPS. This kind of system can detect changes on the host where it is installed that do not depend on network traffic. On the other hand, it needs to be installed on every host you intend to protect. In a home network, this is not a large burden, but in a commercial setting it can be a lot of work. A convincing argument may be that the antivirus program provided as part of your home contract with a cable provider probably includes this feature. If you are installing Norton 360, for example, you are already installing a system to watch for intrusions as well as to watch for viruses.

Other security measures are discussed, including some that are not used much. You should be familiar with these terms, know what the devices do, and know why you will probably not use them:

  • honeypot - The usual explanation of this metaphor is Winnie the Pooh getting stuck in a jar of honey. The idea is to put a fake, attractive looking, unprotected resource on your network that will attract the attention of a hacker looking for assets to steal, destroy, or otherwise vandalize. The honeypot system should include an IDPS element that notes the intrusion and sets off alarms, but does not actually stop it. One of the tricks here is that the honeypot system must be attractive: it must look like a real asset ready to be attacked. Ideally, it should be something that will take the attacker a significant amount of time to exploit, so that your security staff have time to react.
  • honeynet - A more extensive collection of honeypots on a subnet may be called a honeynet.
  • padded cell - Another variation, this one is a honeypot that presents a challenge to the hacker. In this regard, it is more credible to the hacker. If the resource was real and valuable, why would it not be protected? Of course, if it is too well protected, why should the attacker break into the padded cell instead of one of your real assets?
  • trap-and-trace - Taking this concept to the next level, if we have detected an intruder, why not figure out who and where the attacker is? Well, the reason not to do it is to avoid the cost of the lawsuit that will follow.

Consider the ideas of entrapment and enticement that could be part of lawsuits brought against your company, and which apply to all the items in this list. Be aware of the concepts and accept the idea that you will do better without most of this.

We have already discussed intrusion detection and prevention tools and firewalls. The authors suggest vulnerability scanners, log analyzers (application log, security log, system log), and packet sniffers. These are tools that a would-be attacker might use in gathering information about a target. Common early practices are examining web resources and using social engineering.

This is a list of network tools useful to people looking for vulnerabilities:

  • port scanners - The text recommends Nmap. This sort of utility looks for devices on a network, and scans them for open ports. In this case, a port is not a physical thing waiting for a plug. It is a service running on a computer that is identified by a number which stands for a place in that computer's memory. A service of this sort may run at a port whose number is commonly used (like 80 for HTTP, or 25 for SMTP) or it may run at any port number specified by the person or process that started it. A Wikipedia page with lots of port numbers and their commonly associated services can be seen here. If a port is open, it can receive requests, and possibly commands from an attacker.
  • firewall analysis tools - The text explains one way that Nmap can be used to determine if a machine is live beyond a firewall. It also discusses Firewalk and HPING, two other tools that can help an attacker determine what a firewall is allowing to pass.
  • operating system detection tools - The only tool mentioned by the text is XProbe, which sends ICMP packets to computers and checks their responses against a list of responses from machines with known operating systems. Why do you want to know the OS of a computer? To exploit known vulnerabilities or protect against such exploits.
  • vulnerability scanners - The text recommends Nessus, a free program that does everything we have discussed so far, as well as having other features. It is effective for scanning a network that is using over-the-counter software. To scan a network with custom or in-house-developed software, it recommends a fuzzing scanner called SPIKE. It features a proxy server that sounds like a good tool for a man-in-the-middle attack, as well as being a tool to test the stability of your own web servers and sites. These are both active scanners, which send traffic into a network to test it.
    The text mentions two passive scanners, that only watch the traffic that is already being sent through a network. The two products mentioned are Passive Vulnerability Scanner (PVS) and RNA.
  • packet sniffers - A more formal term is network protocol analyzer. The text lists three products. Sniffer is one you have to buy, Snort is an open source product, and Wireshark is freeware. They are useful for scanning networks and for penetration testing. Do not use them unless all three of the tests below are met:
    • You must be using this on a network your organization owns.
    • You must have been authorized by the network owners to do this.
    • You must be doing this with the knowledge and consent of the content owners.
    As you might imagine, it is rather difficult to pass all three of these tests.
  • wireless security tools - In passing, the text informs you that the IEEE standard that applies to wireless networking is 802.11.

TestOut's review questions cover a lot of terminology about penetration testing. Review the terms associated with this part of the material.

The material also covers enabling security through Network Access Control, also called Network Access Prevention. This link goes to a Microsoft article about hardening servers in this way. This service examines a device that is trying to connect to a network, and allows full or partial access to the network depending on what the examination shows. Medical metaphors are used to describe this service and its features: System Health Agent, Statement of Health, Health Registration Authority, Health Certificate, and Quarantine VLAN are terms you should review from this section.

A forensic investigation is typically one that concerns a crime. This section is about computer forensics, investigations into crimes that involve computers and other information system equipment. The text discusses five aspects of an investigation:

  • secure the scene and determine what items are evidence - The team mentioned in the text may be called an Incident Response Team, a Forensics Response Team, a Digital Forensics Team, or another title that means the same thing. They are responsible for taking possession of devices that might hold any data that might contain evidence of the crime being investigated.
  • acquire and preserve the evidence - This aspect is closely related to the first, in that the response team may have to take images of data in RAM that would be lost if not recorded before the power is turned off.
  • establish (and maintain) the chain of custody - There must be a continuous documentation of who has had access to seized devices and data, who has done what with it, and who it is turned over to at each change in custody.
  • examine for evidence - Although the other discussions have used the word "evidence" several times, this one brings up the point that not everything you find is actually evidence. At this stage, only things that indicate or prove a crime was committed can be considered as evidence that will be presented in court.
  • report to proper authority - The proper authority will always include the people you work for, and may include police or court officers, depending on the type of investigation.
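The "acquire and preserve" and "chain of custody" steps above both come down to being able to prove later that nothing changed: the image you present in court is the one you took, and every hand-off is on record. The example below is added here and is not code from the course text; it shows one way to do that with a hash of the acquired image recorded at seizure, and a custody log in which each entry includes the hash of the entry before it, so an altered or removed entry is detectable. The item name, people and image bytes are constructed placeholders.

```python
"""Evidence fingerprinting and a tamper-evident chain-of-custody record."""
import hashlib
import json
from datetime import datetime, timezone


def fingerprint(data: bytes) -> str:
    """SHA-256 of the acquired image, recorded at seizure and rechecked at every stage."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Custody record for one seized item.

    Each entry records who handed the item to whom, what was done, and when,
    plus the hash of the previous entry (or of the evidence image for the
    first entry). Verification recomputes the hashes, so an edited entry or a
    missing entry breaks the chain."""

    def __init__(self, item_id: str, evidence_hash: str):
        self.item_id = item_id
        self.evidence_hash = evidence_hash
        self.entries = []

    @staticmethod
    def _entry_hash(entry: dict) -> str:
        # Canonical JSON so the same content always hashes the same way.
        payload = json.dumps(entry, sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()

    def transfer(self, from_person: str, to_person: str, action: str, when=None) -> str:
        """Append a hand-off and return the new entry's hash."""
        prev = self.entries[-1]["entry_hash"] if self.entries else self.evidence_hash
        entry = {
            "item": self.item_id,
            "from": from_person,
            "to": to_person,
            "action": action,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "prev": prev,
        }
        entry["entry_hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self, current_image: bytes) -> list:
        """Return a list of problems; an empty list means image and chain are intact."""
        problems = []
        if fingerprint(current_image) != self.evidence_hash:
            problems.append("evidence image hash mismatch")
        prev = self.evidence_hash
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev:
                problems.append(f"entry {i}: broken link to previous entry")
            if self._entry_hash(body) != e["entry_hash"]:
                problems.append(f"entry {i}: contents altered")
            prev = e["entry_hash"]
        return problems


if __name__ == "__main__":
    image = b"constructed disk image bytes"  # stands in for a real acquired image
    log = CustodyLog("item-001 (placeholder)", fingerprint(image))
    log.transfer("responder A", "evidence locker", "seized and imaged on scene")
    log.transfer("evidence locker", "examiner B", "checked out for examination")
    print("problems:", log.verify(image))
```

The hash alone is what proves the image is unchanged; the linked entries are what make the custody paperwork itself hard to quietly rewrite. Neither replaces the signed forms, but both give the examiner something to recompute in front of a court.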

Chapter 15: Network Management

The material covers some ideas about maintaining and updating servers, workstations, and network components.

  • configuration - The text lists five steps that can lead to a secure configuration.
    • security policy - Establish a policy for all devices about the security settings that your equipment will use.
    • host software baselining - The text means that you must perform an audit of each device/operating system combination being used in your enterprise, to see how it does or does not meet your security policy requirements.
    • OS security settings - Your technical staff must determine what changes to make to the baseline for each device to bring it into compliance with your security policy.
    • deploying and managing settings - The text describes applying an established configuration by making changes manually on each machine, by applying a security template to machines so their settings are all the same, and by applying a Group Policy in Active Directory to make an automated application of your security configuration.
    • patch management - The application of security patches should be done in a regular, managed way, even when there are patches to apply in a hurry. The text introduces three related terms on page 151, but that list is incomplete. Some patches are not related to security:
      • critical update - typically corrects a failure in the program; usually not a security failure
      • feature pack - a collection of additions that are typically not critical: they are new features, not fixes for existing ones; usually not a security fix
      • update - a collection of fixes that correct problems; typically not security related, but Adobe seems to use this word to include security updates as well
      • security patch - a publicly released update, typically to repair/remove a vulnerability
      • hotfix - a package with one or more fixes, often related to security issues, that may only apply in a custom environment
      • update rollup - a set of fixes that may include all of the above types
      • service pack - a package that contains all the above changes to the program that apply since its release, or since the last service pack
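The baselining and OS-settings steps above amount to an audit: compare what each host actually has against what the security policy requires, and list the gaps the technical staff must close. The example below is added here and is not code from the course text or TestOut; the baseline keys, the operators, the host inventories and the update-mode names are all constructed to stand in for a real policy, and a real audit would read the settings from the machines rather than from a dictionary.

```python
"""Audit host settings against a security-policy baseline and report deviations."""

# Constructed baseline standing in for a security policy. Each rule is
# (operator, expected value); the keys are illustrative, not real OS setting names.
BASELINE = {
    "min_password_length": (">=", 12),
    "account_lockout_threshold": ("<=", 5),
    "guest_account_enabled": ("==", False),
    "smbv1_enabled": ("==", False),
    "firewall_enabled": ("==", True),
    "auto_update_mode": ("in", {"install_automatically", "download_and_notify"}),
}

# Constructed inventory, as a baselining audit might collect it.
HOSTS = {
    "ws-01": {"min_password_length": 14, "account_lockout_threshold": 5,
              "guest_account_enabled": False, "smbv1_enabled": False,
              "firewall_enabled": True, "auto_update_mode": "download_and_notify"},
    "ws-02": {"min_password_length": 8, "account_lockout_threshold": 10,
              "guest_account_enabled": True, "smbv1_enabled": False,
              "firewall_enabled": True, "auto_update_mode": "never_check"},
    # srv-03 never reported the SMBv1 setting at all, which is itself a finding.
    "srv-03": {"min_password_length": 14, "account_lockout_threshold": 3,
               "guest_account_enabled": False, "firewall_enabled": True,
               "auto_update_mode": "install_automatically"},
}


def satisfies(op, actual, expected):
    """Evaluate one baseline rule against an observed value."""
    if op == ">=":
        return actual >= expected
    if op == "<=":
        return actual <= expected
    if op == "==":
        return actual == expected
    if op == "in":
        return actual in expected
    raise ValueError(f"unknown operator {op!r}")


def audit_host(settings, baseline=BASELINE):
    """Return deviations as (setting, observed, required); empty means compliant.

    A setting the host did not report is treated as a deviation, since an
    unverified setting cannot be assumed to meet policy."""
    deviations = []
    for key, (op, expected) in baseline.items():
        if key not in settings:
            deviations.append((key, "<not reported>", f"{op} {expected}"))
        elif not satisfies(op, settings[key], expected):
            deviations.append((key, settings[key], f"{op} {expected}"))
    return deviations


def audit_fleet(hosts, baseline=BASELINE):
    """Audit every host; returns {hostname: deviations} for noncompliant hosts only."""
    report = {}
    for name, settings in hosts.items():
        deviations = audit_host(settings, baseline)
        if deviations:
            report[name] = deviations
    return report


if __name__ == "__main__":
    for host, devs in audit_fleet(HOSTS).items():
        print(host)
        for setting, observed, required in devs:
            print(f"  {setting}: observed {observed!r}, policy requires {required}")
```

The output is the work list for the next two steps in the text: each deviation is a change to make (manually, by template, or by Group Policy), and a host with an empty list matches the baseline.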

The first three types in the patch management list typically do not address security issues, but the last four types do. Managing patches and other updates does not have a clear-cut best answer. The four options below, offered by Windows, are presented as representative examples of your choices:

    • install automatically
    • download automatically, but let me choose what to install
    • check for update, notify me, but let me choose to download and install
    • never check

The first three include automatically checking for updates, or their functions would not take place. In the environment of my day job, we typically do not have devices check Microsoft for updates because of the degree of customization of applications and the possibility of patches breaking some functionality.

In environments where the users do not own their computers (e.g. large companies, government offices, schools) it is better to have central control over configuration and patches. Several advantages apply:

  • a distributed network of servers can be used for patch distribution to workstations, making better use of bandwidth and access (this has the greatest value when the LANs are in different geographic locations)
  • computers that are not allowed to go to the Internet can get updates (for example, computers in secure areas where Internet access is not allowed)
  • administrators can test updates before general deployment, and request hotfix updates for a customized environment instead
  • administrators can choose not to deploy updates that do not apply to their configurations
  • hotfixes provided by the vendor can be deployed, which would not be available from the general update site of the vendor
  • users cannot refuse updates to "their" computers

TestOut discusses some material about making backups of devices. It tells us that backups of computers running Windows 7 (and later) can be managed through the Backup and Restore console of Control Panel. It points out the difference between backing up a collection of files and creating a system image, which is like a compressed version of everything on a hard drive, including the operating system.

There is some discussion of connecting remotely to devices in order to manage them, such as using Telnet or Secure Shell to connect to a server. TestOut also discusses using one of several remote desktop applications to remotely operate a computer across a LAN or WAN connection.

There is a unit on managing mobile devices. This category includes smart phones, tablets, and other small devices. It generally does not include laptops or notebooks because these devices run operating systems identical to standard workstations. All devices, including mobile devices, should be properly documented. The information kept about them should include operating system version, warranty information, ownership, and authorized users.

TestOut discusses management of power in terms of surge suppression, line conditioning, uninterruptible power supplies, and power converters. You should know about these concepts and common deployment of them. You should also know about HVAC matters such as using positive pressure systems to force air out of a secure location when a door or window is opened. The material also discusses placing cold aisles (areas in which cold air is supplied) in the center of data rooms, and hot aisles (areas in which hot air is removed) at the outside of data rooms. Typically, equipment should receive cold air on its front side, and emit hot air for collection on its back side.

Take a look at this short clip of notes from the wireless networking class last year:

  • spectrum analyzer - This analyzer measures the frequency, voltage, period, and shape of the many waves used in wireless. Because we use lots of frequencies, lots of power levels, and lots of frame methods, this is more complicated than it is on a wired network. The text explains that we should run an analyzer to detect interference with the operation of APs, and move them or the interfering devices.

    The technician in the video above is very precise and correct, but he may be a little old-fashioned for some. Take a look at this video from a more media-friendly technician.

  • protocol analyzer - This is like a packet analyzer, such as Wireshark, but it is also more complicated in wireless because of the number of frequencies, power levels, and frame methods. Like wired network sniffers, these analyzers can be used to monitor traffic on a network, to look for problems, and to watch for particular types and sources of traffic.
  • documentation tools - Some site survey tools do not create documentation, so a tool of this sort can be a useful addition, adding the ability to document the findings of the survey.

Monitoring system logs can be a dull subject. Take a look at this short lecture on the subject from Professor Messer, whose web site is a good source for Network examination candidates.

Chapter 15 closes with some material about using SNMP to manage your network. Please look over this tutorial about SNMP from another good review source.

Week 8 Assignment: Labs for Chapters 14 and 15 (and all the chapters after that)

  1. Complete as many labs as you can, as soon as you can. For this week, concentrate on doing the labs in Chapters 3 and 4 of the TestOut lessons. Repeat the labs until you score at least 80% on them.
  2. When you have done what you can for this week, capture a screen that shows your current progress, and submit it to me as this week's report of your progress.