This lesson discusses securing networks and making them harder to
attack. Objectives important to this lesson:
Detection and prevention of attacks
Incident response and forensics
Mobile device management
Data center management
Monitoring and log files
Chapter 14, Network Hardening
text begins with some discussion of detection and reaction. Consider the
definitions from one of our security texts:
intrusion - someone tries
to access or disrupt a system
intrusion detection - if a
product only does detection, it will notice an attempted or actual intrusion,
and will probably tell someone; a detection system does not take action
against the intrusion
intrusion reaction - if a
product reacts to intrusions, it attempts to stop them, contain them,
or minimize their effects
intrusion prevention - if
a product acts to prevent intrusion, it probably does detection as well;
I am sometimes notified by my security suite that an attempted intrusion
has been detected and stopped, which is what you want such a system
When you are researching products in this category, you should be careful
to note what the product actually does. If it is marketed as an intrusion
detection system, don't expect
it to prevent or stop intrusions. An intrusion
detection and prevention system (IDPS)
would be preferable to a system that only performed one of those functions.
The security text asks the question "Why use an IDPS?" Well, which
would you rather see on your screen, a message that says an attack has
just been stopped without damage,
or a (insert your favorite emblem of disaster)? There are some reasons
that go a bit farther:
If employees know about an IDPS, they may be less likely to go postal
on your network.
Detection of events will tell you when your other layers of security
are not working.
Dealing with probes that are used before an attack may serve to present
that "walled city" Sun Tzu wrote about.
An IDPS keeps a log of events, which can be analyzed for current threats
and for trends.
As mentioned in another chapter, an IDPS may be installed on a computer
or a network appliance and allowed
to sniff all the packets that pass by. This sort of network-based
IDPS may need to be duplicated in various parts of your network,
since it has to watch every packet that goes by, and it will not see any
packets that are not passed to the network segment it lives on.
The second major option for an IDPS is a host-based
IDPS. This kind of system can detect changes on the host where
it is installed that do not depend on network traffic. On the other hand,
it needs to be installed on every host you intend to protect. In a home
network, this is not a large burden, but in a commercial setting it can
be a lot of work. A convincing argument may be that the antivirus program
provided as part of your home contract with a cable provider probably
includes this feature. If you are installing Norton 360, for example,
you are already installing a system to watch for intrusions as well as
to watch for viruses.
Other security measures are discussed, including some that are not used
much. You should be familiar with these terms, know what the devices do,
and know why you will probably not
honeypot - The usual explanation
of this metaphor is Winnie the Pooh getting stuck in a jar of honey.
The idea is to put a fake, attractive looking, unprotected resource
on your network that will attract the attention of a hacker looking
for assets to steal, destroy, or otherwise vandalize. The honeypot system
should include an IDPS element that notes the intrusion and sets off
alarms, but does not actually stop it. One of the tricks here is that
the honeypot system must be attractive: it must look like a real asset
ready to be attacked. Ideally, it should be something that will take
the attacker a significant amount of time to exploit, so that your security
staff have time to react.
honeynet - A more extensive
collection of honeypots on a subnet may be called a honeynet.
padded cell - Another variation,
this one is a honeypot that presents a challenge to the hacker. In this
regard, it is more credible to the hacker. If the resource was real
and valuable, why would it not be protected? Of course, if it is too
well protected, why should the attacker break into the padded cell instead
of one of your real assets?
trap-and-trace - Taking this
concept to the next level, if we have detected an intruder, why not
figure out who and where the attacker is? Well, the reason not
to do it is to avoid the cost of the lawsuit that will follow.
Consider the ideas of entrapment
and enticement that could be part
of lawsuits brought against your company, and which apply to all the items
in this list. Be aware of the concepts and accept the idea that you will
do better without most of this.
We have already discussed intrusion detection and prevention tools and
firewalls. The authors suggest vulnerability scanners, log analyzers (application
log, security log, system log), and packet sniffers. These are tools that
a would-be attacker might use in gathering information about a target.
Common early practices are examining web resources and using social engineering.
This is a list of network tools useful to people looking for vulnerabilities:
port scanners - The text recommends
This sort of utility looks for devices on a network, and scans them
for open ports. In this case, a port is not a physical thing waiting
for a plug. It is a service running on a computer that is identified
by a number which stands for a place in that computer's memory. A service
of this sort may run at a port whose number is commonly used (like 80
for HTTP, or 25 for SMTP) or it may run at any port number specified
by the person or process that started it. A Wikipedia page with lots
of port numbers and their commonly associated services can
be seen here. If a port is open,
it can receive requests, and possibly commands from an attacker.
firewall analysis tools -
The text explains one way Nmap can be used to determine if a machine
is live beyond a firewall. It also discusses Firewalk
and HPING, two other tools that
can help an attacker determine what a firewall is allowing to pass.
operating system detection tools
- The only tool mentioned by the text is XProbe,
which sends ICMP packets to computers and checks their responses against
a list of responses from machines with known operating systems. Why
do you want to know the OS of a computer? To exploit known vulnerabilities
or protect against such exploits.
vulnerability scanners - The
text recommends Nessus, a free
program that does everything we have discussed so far, as well as having
other features. It is effective for scanning a network that is using
over the counter software. To scan a network with custom or in-house-developed
software, it recommends a "fuzzy" scanner called SPIKE.
It features a proxy server that sounds like a good tool for a man in
the middle attack, as well as being a tool to test the stability of
your own web servers and sites. These are both active scanners, which
send traffic into a network to test it.
The text mentions two passive scanners, which only watch the traffic
that is already being sent through a network. The two products mentioned
are Passive Vulnerability Scanner
(PVS) and RNA.
packet sniffers - A more formal
term is network protocol analyzer.
The text lists three products. Sniffer
is one you have to buy, Snort
is an open source product, and Wireshark
is freeware. They are useful for scanning networks and for penetration
testing. Do not use them unless
all three of the tests below
You must be using this on a network your organization owns.
You must have been authorized by the network owners to do this.
You must be doing this with the knowledge and consent of the content
As you might imagine, it is rather difficult to pass all three of these
wireless security tools - In
passing, the text informs you that the IEEE standard that applies to
wireless networking is 802.11.
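The event log an IDPS keeps and the probing a port scanner performs meet in the detection logic below. This is an added example, not code from the course text or TestOut: it reads constructed firewall log lines (the format, addresses and ports are made up for the example) and flags a source that hits many distinct ports on one host in a short window, the pre-attack probe the notes describe.

```python
"""Flag port-scan probes in a firewall log (added example, not course text).

A network-based IDPS logs the connection attempts it sees; one source hitting
many distinct ports on a host in a short window is the pre-attack probe the
notes mention. The log format and addresses below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp action proto src:port -> dst:port
SAMPLE_LOG = """\
2024-03-01 10:00:01 DENY TCP 203.0.113.9:51000 -> 192.168.1.10:21
2024-03-01 10:00:01 DENY TCP 203.0.113.9:51001 -> 192.168.1.10:22
2024-03-01 10:00:02 DENY TCP 203.0.113.9:51002 -> 192.168.1.10:23
2024-03-01 10:00:02 DENY TCP 203.0.113.9:51003 -> 192.168.1.10:25
2024-03-01 10:00:03 DENY TCP 203.0.113.9:51004 -> 192.168.1.10:80
2024-03-01 10:00:03 DENY TCP 203.0.113.9:51005 -> 192.168.1.10:443
2024-03-01 10:00:10 ALLOW TCP 192.168.1.20:40000 -> 192.168.1.10:80
2024-03-01 10:05:00 DENY TCP 198.51.100.4:33000 -> 192.168.1.10:3389
2024-03-01 10:20:00 DENY TCP 198.51.100.4:33001 -> 192.168.1.10:445
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_log(text):
    """Yield (timestamp, action, src_ip, dst_ip, dst_port); skip odd lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["action"], m["src"], m["dst"], int(m["dport"])

def detect_port_scans(text, min_ports=5, window=timedelta(seconds=60)):
    """Return {(src, dst): sorted ports} for every source that probed at
    least min_ports distinct ports on one host inside a sliding window."""
    denied = defaultdict(list)          # (src, dst) -> [(ts, dport), ...]
    for ts, action, src, dst, port in parse_log(text):
        if action == "DENY":            # blocked attempts are the probes
            denied[(src, dst)].append((ts, port))
    alerts = {}
    for key, hits in denied.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1              # slide the window forward
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[key] = sorted(ports)
    return alerts

if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible scan from {src} against {dst}: ports {ports}")
```

The two slow hits from 198.51.100.4 stay below the threshold, which is the trade-off with any window-based rule: a patient probe spread over hours needs a longer window or trend analysis of the log.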
TestOut's review questions cover a lot of terminology about penetration
testing. Review the terms associated with this part of the material.
The material also covers enabling security through Network Access
Control, also called Network Access Prevention. This
link goes to a Microsoft article about hardening servers in this way.
This service examines a device that is trying to connect to a network,
and allows full or partial access to the network depending
on what the examination shows. Medical metaphors are used to describe
this service and its features: System Health Agent, Statement of Health,
Health Registration Authority, Health Certificate, and Quarantine VLAN
are terms you should review from this section.
A forensic investigation is typically one that concerns
a crime. This section is about computer forensics, investigations into
crimes that involve computers and other information system equipment.
The text discusses five aspects of an investigation:
secure the scene and determine what items are evidence - The team
mentioned in the text may be called an Incident Response Team,
a Forensics Response Team, a Digital Forensics Team, or another title
that means the same thing. They are responsible for taking possession
of devices that might hold data containing evidence of the
crime being investigated.
acquire and preserve the evidence - This aspect is closely related
to the first, in that the response team may have to take images of data
in RAM that would be lost if not recorded before the power is turned
establish (and maintain) the chain of custody - There must be a continuous
documentation of who has had access to seized devices and data, who
has done what with it, and who it is turned over to at each change in
examine for evidence - Although the other discussions have used the
word "evidence" several times, this one brings up the point that not
everything you find is actually evidence. At this stage, only things
that indicate or prove a crime was committed can be considered as evidence
that will be presented in court.
report to proper authority - the proper authority will always include
the people you work for, and may include police or court officers, depending
on the type of investigation
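The "acquire and preserve" and "chain of custody" aspects above come down to two checks: the item's hash at seizure never changes, and every hand-off is recorded from one named holder to the next. The following is an added example (not from the course text or TestOut) that models both with a constructed RAM image and constructed participant names.

```python
"""Evidence integrity and chain of custody (added example, not course text).

Each seized item is hashed when acquired; every hand-off is logged and the
hash is re-checked, so alteration between seizure and court is visible.
Item names and contents below are constructed."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class EvidenceItem:
    item_id: str            # label on the evidence tag
    description: str
    acquired_hash: str      # hash taken at seizure; never updated
    custody_log: list = field(default_factory=list)

    def transfer(self, giver, receiver, purpose, current_data, when=None):
        """Log a hand-off and report whether the item still matches its seizure hash."""
        when = when or datetime.now(timezone.utc)
        now_hash = sha256_hex(current_data)
        intact = now_hash == self.acquired_hash
        self.custody_log.append({"time": when.isoformat(), "from": giver,
                                 "to": receiver, "purpose": purpose,
                                 "hash": now_hash, "intact": intact})
        return intact

def acquire(item_id, description, data):
    """Image the item (here: take its bytes) and hash it before anything else."""
    return EvidenceItem(item_id, description, sha256_hex(data))

def custody_is_continuous(item):
    """True when each hand-off's receiver is the next hand-off's giver."""
    log = item.custody_log
    return all(log[i]["to"] == log[i + 1]["from"] for i in range(len(log) - 1))

# Constructed scenario: a RAM image taken before the workstation is powered off.
RAM_IMAGE = b"constructed memory image: process list, open sockets, credentials"

def demo():
    item = acquire("EV-001", "RAM image, workstation (constructed)", RAM_IMAGE)
    ok1 = item.transfer("first responder", "evidence locker", "storage", RAM_IMAGE)
    ok2 = item.transfer("evidence locker", "examiner", "analysis", RAM_IMAGE)
    # The copy coming back has been altered: the log records a broken hash.
    ok3 = item.transfer("examiner", "evidence locker", "return", RAM_IMAGE + b"!")
    return item, (ok1, ok2, ok3)

if __name__ == "__main__":
    item, results = demo()
    print(results, custody_is_continuous(item))   # (True, True, False) True
```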
Chapter 15: Network Management
material covers some ideas about maintaining and updating servers, workstations,
and network components.
configuration - The text lists
five steps that can lead to
a secure configuration.
security policy - Establish
a policy for all devices about
the security settings that your equipment will use.
host software baselining
- The text means that you must perform an audit
of each device/operating system combination being used in your enterprise,
to see how it does or does
not meet your security policy requirements.
OS security settings - Your
technical staff must determine what changes
to make to the baseline for each device to bring it into compliance
with your security policy.
deploying and managing
settings - The text describes applying an established configuration
by making changes manually
on each machine, by applying a security
template to machines so their settings are all the same, and
by applying a Group Policy
in Active Directory to make an automated
application of your security configuration.
patch management - The application
of security patches should be done in a regular, managed way, even
when there are patches to apply in a hurry. The text introduces three
related terms on page 151, but that list is incomplete. Some patches
are not related to security:
critical update - typically corrects a failure
in the program; usually not a security failure
feature pack - a collection of additions
that are typically not critical: they are new features, not fixes
for existing ones; usually not a security fix
update - a collection of fixes
that correct problems; typically not security related, but Adobe
seems to use this word to include security updates
security patch - a publicly released update, typically to repair/remove
hotfix - a package with one or more fixes, often
related to security issues, that may only apply
in a custom environment
update rollup - a set of fixes that may include all of
the above types
service pack - a package that contains all the
above changes to the program that apply since its release, or since
the last service pack
The first three types in the patch management
list typically do not address
security issues, but the last four types do.
Managing patches and other updates
does not have a clear-cut best answer. The four options
below, offered by Windows, are presented as representative examples of
download automatically, but let me choose what to install
check for update, notify me, but let me choose to download and install
The first three include automatically checking
for updates, or their functions would not take place. In the environment
of my day job, we typically do not have devices check
Microsoft for updates because of the degree of customization
of applications and the possibility of patches breaking
In environments where the users do
not own their computers (e.g. large companies, government offices,
schools) it is better to have central control over configuration and patches.
Several advantages apply:
a distributed network of servers can be used for patch distribution
to workstations, making better use of bandwidth and access (this has
the greatest value when the LANs are in different geographic locations)
computers that are not allowed to go to the Internet can get updates
(for example, computers in secure areas where Internet access is not allowed)
administrators can test updates before general deployment, and request
hotfix updates for a customized environment instead
administrators can choose not to deploy updates that do not apply
to their configurations
hotfixes provided by the vendor can be deployed, which would not be
available from the general update site of the vendor
users cannot refuse updates to "their" computers
discusses some material about making backups of devices. It tells us that
backups of computers running Windows 7 (and later) can be managed through
the Backup and Restore console of Control Panel. It points out the difference
between backing up a collection of files and creating a system image,
which is like a compressed version of everything on a hard drive, including
the operating system.
is some discussion of connecting remotely to devices in order to manage
them, such as using Telnet or Secure Shell to connect to a server. TestOut
also discusses using one of several remote desktop applications to remotely
operate a computer across a LAN or WAN connection.
is a unit on managing mobile devices. This category includes smart phones,
tablets, and other small devices. It generally does not include laptops
or notebooks because these devices run operating systems identical to
standard workstations. All devices, including mobile devices, should be
properly documented. The information kept about them should include operating
system version, warranty information, ownership, and authorized users.
discusses management of power in terms of surge suppression, line conditioning,
uninterruptible power supplies, and power converters. You should know
about these concepts and common deployment of them. You should also know
about HVAC matters such as using positive pressure systems to force air
out of a secure location when a door or window is opened. The material
also discusses placing cold aisles (areas in which cold air is supplied)
in the center of data rooms, and hot aisles (areas in which hot air is
removed) at the outside of data rooms. Typically, equipment should receive
cold air on its front side, and emit hot air for collection on its back
a look at this short clip of notes from the wireless networking class
spectrum analyzer - This analyzer measures the frequency, voltage,
period, and shape of the many waves used in wireless. Because we use
lots of frequencies, lots of power levels, and lots of frame methods,
this is more complicated than it is on a wired network. The text explains
that we should run an analyzer to detect interference with the operation
of APs, and move them or the interfering devices.
The technician in the
video above is very precise and correct, but he may be a little
old fashioned for some. Take a look at this
video from a more media friendly technician.
protocol analyzer - This is like a packet analyzer,
such as Wireshark, but it is also more complicated in wireless because
of the number of frequencies, power levels, and frame methods. Like
wired network sniffers, these analyzers can be used to monitor
traffic on a network, to look for problems, and to watch for particular
types and sources of traffic.
documentation tools - Some site survey tools do not create
documentation, so a tool of this sort can be a useful addition, adding
the ability to document the findings of the survey.
Monitoring system logs can be a dull subject. Take a look at this
lecture on the subject from Professor Messer, whose web site is
a good source for Network examination candidates.
Chapter 15 closes with some material about using SNMP to manage your network.
Please look over this tutorial
about SNMP from another good review source.
Week 8 Assignment: Labs for Chapters 14 and 15
(and all the chapters after that)
Complete as many labs as you can, as soon as you can.
For this week, concentrate on doing the labs in Chapters 3 and 4 of the
TestOut lessons. Repeat the labs until you score at least 80% on them.
When you have done what you can for this week,
capture a screen that shows your current progress, and submit it to me
as this week's report of your progress.