Network Appliances for Security


Proxies

- A basic proxy server provides for protocol-specific outbound traffic.
- For example, you might deploy a web proxy that enables client computers to connect to websites and secure websites on the Internet. In this case, you have deployed a proxy server that services TCP ports 80 and 443 for outbound traffic.
- This type of device is placed at the network edge, usually in some sort of DMZ.
- Web proxies are often also described as web security gateways, as their primary functions are usually to prevent viruses or Trojans from infecting computers from the Internet, block spam, and restrict web use to authorized sites, acting as a content filter.
- Proxy servers can generally be classed as non-transparent or transparent.
• A non-transparent proxy means that the client must be configured with the proxy server's address and port number to use it. The port on which the proxy server accepts client connections is often configured as port 8080.
• A transparent (or forced or intercepting) proxy intercepts client traffic without the client having to be reconfigured. A transparent proxy must be implemented on a switch, router, or other inline network appliance.

FIREWALL CONFIGURATION

- A firewall, proxy, or content filter is an example of rule-based management.
- Firewall and other filtering rules are configured on the principle of least access. This is the same as the principle of least privilege; only allow the minimum amount of traffic required for the operation of valid network services and no more.
- The rules in a firewall's ACL are processed top-to-bottom. The first rule that matches the traffic decides whether it is allowed or blocked, and no later rules are consulted; consequently, the most specific rules are placed at the top.
- The final default rule is typically to block any traffic that has not matched a rule (implicit deny). Each rule can specify whether to block or allow traffic based on several parameters, often referred to as tuples.
- If you think of each rule as a row in a database, the tuples are the columns. In a typical rule table, the tuples include Protocol, Source (address), (Source) Port, Destination (address), (Destination) Port, and so on.
- Even the simplest packet filtering firewall can be complex to configure securely.
- It is essential to create a written policy describing what a filter ruleset should do and to test the configuration as far as possible to ensure that the ACLs you have set up work as intended.
- Also test and document changes made to ACLs. Some other basic principles include:
• Block incoming requests whose source is an internal or private IP address (such addresses arriving on the external interface have obviously been spoofed).
• Block incoming requests from protocols that should only be functioning at a local network level, such as DHCP or routing protocol traffic, and restrict ICMP to the message types actually needed (for instance, the "fragmentation needed" messages used by path MTU discovery).
• Use penetration testing to confirm the configuration is secure. Log access attempts and monitor the logs for suspicious activity.
• Take the usual steps to secure the hardware on which the firewall is running and the use of the management interface.

SDN

- As networks become more complex (perhaps involving thousands of physical and virtual computers and appliances), it becomes more difficult to implement network policies, so it is better to take a step back and consider an abstracted model of how the network functions. In this model, network functions can be divided into three planes:
• Control plane—makes decisions about how traffic should be prioritized and secured and where it should be switched.
• Data plane—handles the actual switching and routing of traffic and imposition of Access Control Lists (ACLs) for security.
• Management plane—monitors traffic conditions and network status.
- A software defined networking (SDN) application (or suite of applications) can be used to define policy decisions on the control plane.
- These decisions are then implemented on the data plane by a network controller application, which interfaces with the network devices using application programming interfaces (APIs).
- The interface between the SDN applications and the SDN controller is described as the "northbound" API, while that between the controller and appliances is the "southbound" API.
- At the device level, SDN can use virtualized appliances or physical appliances. The appliances just need to support the southbound API of the network controller software.
- This architecture saves the network administrator the job and complexity of configuring each appliance with appropriate settings to enforce the desired policy. It also allows for fully automated deployment (or provisioning) of network links, appliances, and servers.
- SDN also gives greater security insight because it enables a centralized view of the network. This makes SDN an important part of the latest software deployment and disaster recovery technologies. The flip side of centralization is that the controller and its northbound and southbound APIs become a high-value target: a compromised controller can rewrite policy for every device, so access to them needs the same authentication, authorization, and logging as any other management plane.

ROUTER ACCESS CONTROL LIST (ACL) CONFIGURATION

- As well as configuring routers with network reachability information, most routers can also be configured to block traffic, acting as a firewall.
- Network traffic can be filtered using an access control list (ACL).
- A network ACL comprises a set of rules processed in order from top-to-bottom; the first rule that matches a packet decides its fate.
- Each rule can be set to accept or deny traffic based on things such as source and destination IP addresses or TCP/UDP port.
- A router would normally be configured with ACLs for inbound and outbound traffic.
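The top-to-bottom, first-match processing described under FIREWALL CONFIGURATION and again here, with the implicit deny and a check that anti-spoofing rules sit above the allows, as an added example in Python. This is example code written for these notes, not a configuration from any firewall or router product; the rules, the addresses (taken from the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges) and the check function are all assumptions made for the illustration.

```python
"""First-match ACL evaluation with an implicit deny.

Added example for these notes; the ruleset, addresses and ports are
constructed for illustration and are not taken from any real firewall.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port; None matches any port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        return (
            self.proto in ("any", proto)
            and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
            and (self.dport is None or self.dport == dport)
        )


def evaluate(acl: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Walk the ACL top-to-bottom. The first matching rule decides and
    processing stops; if nothing matches, the implicit deny applies.
    Returns (action, index of the deciding rule); index None means implicit deny."""
    for i, rule in enumerate(acl):
        if rule.matches(proto, src, dst, dport):
            return rule.action, i
    return "deny", None


# Constructed inbound ruleset for the external interface of a border firewall.
# Anti-spoofing denies come first, then the narrow allows for the DMZ web server.
INBOUND = [
    Rule("deny", "any", "10.0.0.0/8", "0.0.0.0/0", None),
    Rule("deny", "any", "172.16.0.0/12", "0.0.0.0/0", None),
    Rule("deny", "any", "192.168.0.0/16", "0.0.0.0/0", None),
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443),
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", 80),
]

# The same rules with the HTTPS allow moved to the top: a spoofed private
# source address now matches the allow before it ever reaches the deny.
MISORDERED = [INBOUND[3]] + INBOUND[:3] + [INBOUND[4]]


def spoofed_traffic_is_blocked(acl: List[Rule]) -> bool:
    """Sanity check to run after every ACL change: packets with private
    source addresses must never be allowed in on the external interface."""
    for src in ("10.1.2.3", "172.16.5.6", "192.168.1.5"):
        action, _ = evaluate(acl, "tcp", src, "203.0.113.10", 443)
        if action != "deny":
            return False
    return True


if __name__ == "__main__":
    print(evaluate(INBOUND, "tcp", "198.51.100.7", "203.0.113.10", 443))   # ('allow', 3)
    print(evaluate(INBOUND, "tcp", "198.51.100.7", "203.0.113.10", 22))    # ('deny', None)
    print(evaluate(INBOUND, "tcp", "192.168.1.5", "203.0.113.10", 443))    # ('deny', 2)
    print(spoofed_traffic_is_blocked(INBOUND), spoofed_traffic_is_blocked(MISORDERED))  # True False
```

The check function is the kind of test the text calls for when it says to test ACL changes: it encodes one sentence of the written policy ("spoofed private sources are blocked") as something that can be run against the ruleset after every edit, which is how the misordering is caught before deployment.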

IN-BAND VS. OUT-OF-BAND IDS MONITORING

- As well as considering the placement of the sensor, when configuring an IDS/IPS you need to consider how it will provide event reporting and alerting.
- The management channel could use the same network as the link being monitored (in-band). This is less secure because the alerts might be detected by an adversary and intercepted or blocked.
- An out-of-band link offers better security. This might be established using separate cabling infrastructure, or using the same cabling and physical switches but a separate VLAN for the management channel.
- You may also be implementing a more complex architecture where the feeds from multiple sensors are aggregated by a security information and event management (SIEM) server and backend database. This architecture should use dedicated network links for both security and performance (the link utilization is likely to be very high).

SECURE LOGGING/WORM

- For computer logs to be accepted as an audit trail, they must be shown to be tamper-proof (or at least tamper-evident).
- It is particularly important to secure logs against tampering by rogue administrative accounts, as this would be a means for an insider threat to cover his or her tracks.
- Log files should be writable only by system processes or by secure accounts that are separate from other administrative accounts.
- Log files should be configured to be "append only" so that existing entries cannot be modified. Another option is for the log to be written to a remote server over a secure communications link, so that an attacker who gains control of the host cannot alter the copy that has already been sent.
- Alternatively, log files could be written to Write Once, Read Many (WORM) media. WORM technology used to mean optical drives, such as CD-R and DVD-R.
- There are now magnetic WORM drives and RAID arrays developed for secure logging solutions by companies such as EMC (http://www.emc-centera.com/more-about-centera).
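One way to make an append-only log tamper-evident, as an added example (not a method these notes name, and not any vendor's product): a hash chain in which every record carries the hash of the record before it, so an edited or deleted entry breaks every link after it. The log entries and the function names are constructed for the illustration. The example also shows the limit of the technique, which is exactly what the advice above about remote servers and WORM media addresses: an insider who controls the host can rebuild a perfectly consistent chain, so the latest hash has to be held somewhere the insider cannot write.

```python
"""Tamper-evident append-only log built from a hash chain.

Added example for these notes, not a product or a method named in them.
Each record stores the SHA-256 of the previous record, so any edit or
deletion breaks the chain from that record onward. The entries are
constructed for the demonstration.
"""
import copy
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64   # previous-hash value for the first record


def _digest(prev_hash: str, seq: int, entry: str) -> str:
    # The sequence number is hashed too, so records cannot be reordered
    # or dropped while still chaining correctly.
    material = json.dumps([prev_hash, seq, entry]).encode()
    return hashlib.sha256(material).hexdigest()


def append(chain: List[Dict], entry: str) -> Dict:
    """Append one entry; the only legitimate write operation on the log."""
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    rec = {"seq": seq, "entry": entry, "prev": prev, "hash": _digest(prev, seq, entry)}
    chain.append(rec)
    return rec


def head(chain: List[Dict]) -> str:
    """The latest hash. Ship this off-host (remote log server, WORM media)
    after each batch: an attacker who controls the host can rewrite the
    whole chain, but cannot change a copy of the head they do not hold."""
    return chain[-1]["hash"] if chain else GENESIS


def verify(chain: List[Dict], expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Recompute every hash and check the links. Returns (ok, first bad seq);
    a head mismatch against an externally held copy is reported as seq -1."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i
        if rec["hash"] != _digest(prev, i, rec["entry"]):
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, -1
    return True, None


def build_sample() -> List[Dict]:
    """Three constructed audit entries."""
    chain: List[Dict] = []
    for line in (
        "2024-03-03T10:15:01Z sudo: alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart sshd",
        "2024-03-03T10:16:40Z sshd[2211]: Accepted publickey for bob from 198.51.100.9",
        "2024-03-03T10:17:05Z useradd: new user: name=svc-backup, UID=1007",
    ):
        append(chain, line)
    return chain


def tamper_edit(chain: List[Dict]) -> List[Dict]:
    """Insider edits the middle record in place without recomputing hashes."""
    forged = copy.deepcopy(chain)
    forged[1]["entry"] = forged[1]["entry"].replace("bob", "nobody")
    return forged


def tamper_rewrite(chain: List[Dict]) -> List[Dict]:
    """Smarter insider: drops the last record and rebuilds a consistent chain.
    Only an off-host copy of the head catches this."""
    forged: List[Dict] = []
    for rec in chain[:-1]:
        append(forged, rec["entry"])
    return forged


if __name__ == "__main__":
    log = build_sample()
    saved_head = head(log)                           # copy held on the remote server
    print(verify(log, saved_head))                   # (True, None)
    print(verify(tamper_edit(log), saved_head))      # (False, 1)
    print(verify(tamper_rewrite(log)))               # (True, None): internally consistent
    print(verify(tamper_rewrite(log), saved_head))   # (False, -1): but the head has changed
```

The chain alone only detects careless tampering; the second attack passes local verification and is caught solely because the head was compared against a copy the host cannot alter, which is the property the text's remote log server or WORM media provides.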

HOST HEALTH CHECKS

- Posture assessment is the process by which host health checks are performed against a client device to verify compliance with the health policy.
- Most NAC solutions use client software called an agent to gather information about the device, such as its anti-virus and patch status, presence of prohibited applications, or anything else defined by the health policy.
- An agent can be persistent, in which case it is installed as a software application on the client, or non-persistent.
* A non-persistent (or dissolvable) agent is loaded into memory during posture assessment but is not installed on the device.
- Some NAC solutions can perform agentless posture assessment.
* This is useful when the NAC solution must support a wide range of devices, such as smartphones and tablets, but less detailed information about the client is available with an agentless solution.
- If implemented as a primarily software-based solution, NAC can suffer from the same sort of exploits as any other software.
- There have been instances of exploits to evade the NAC admission process or submit false scan results.
* One fruitful line of attack is to use virtual machines to evade the initial admission policy; one VM is created that complies with the policy, and when access is granted, the user switches to a second non-compliant VM. This is why post-admission control is an increasingly important requirement for NAC solutions.

NAC

- The IEEE 802.1X standard defines a port-based network access control (PNAC) mechanism.
- PNAC means that the switch (or router) performs some sort of authentication of the attached device before activating the port. Under 802.1X, the device requesting access is the supplicant.
- The switch, referred to as the authenticator, enables only the Extensible Authentication Protocol over LAN (EAPoL) protocol on the port and waits for the device to supply authentication data.
- Using EAP, this data could be a simple username/password (EAP-MD5, now considered too weak for production use because it offers no server authentication and exposes the password to offline guessing from a captured exchange) or could involve a digital certificate or token (EAP-TLS, for example). The authenticator passes this data to an authentication server, typically a RADIUS server, which checks the credentials and grants or denies access.
- If access is granted, the switch will configure the port to use the appropriate VLAN and enable it for ordinary network traffic.
- Unauthenticated hosts may also be placed in a guest VLAN with only limited access to the rest of the network.
- As well as authentication, most network access control (NAC) products allow administrators to devise policies or profiles describing a minimum security configuration that devices must meet to be granted network access. This is called a health policy.
- Typical policies check things such as malware infection, firmware and OS patch level, personal firewall status, and the presence of up-to-date virus definitions. A solution may also scan the registry or perform file signature verification.
- The health policy is defined on a NAC management server along with reporting and configuration tools.

SIEM

- The first task for a SIEM is to aggregate data outputs from multiple sources. This is an obviously complex process if the sources use different formats for data output.
- Some tools are oriented toward using eXtensible Markup Language (XML) formatted output. This provides a self-describing file format that can be imported more easily. Most data sources are vendor-specific, however, so SIEM solutions need a way of standardizing the information from these different sources.
- SIEM software features collectors or connectors to store and interpret (or parse) the logs from different types of systems (host, firewall, IDS sensor, and so on), and to account for differences between vendor implementations.
- A collector would usually be implemented as plug-in code written for the SIEM and would scan and parse each event as it was submitted to the SIEM over the network.
- A collector might also be implemented as a software agent running on the device.
- The agent would parse the logs generated by the device and establish the network connection back to the SIEM.
- Usually, parsing will be accomplished using regular expressions tailored to each log file format to identify attributes and content that can be mapped to standard fields in the SIEM's reporting and analysis tools.
- The SIEM system might also be able to deploy its own sensors to collect network traffic.
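The collector parsing just described, as an added Python example rather than any SIEM product's code. Three constructed log formats (a netfilter/iptables syslog line, an OpenSSH failure line, and a hypothetical vendor CSV export) are normalized with regular expressions into one schema; a line that no parser understands is kept as unparsed instead of being discarded; and a simple correlation that only works on normalized fields is run across all sources. All sample lines, the schema field names and the vendor CSV layout are assumptions for the illustration.

```python
"""Collector-style normalization of heterogeneous log lines into one schema.

Added example for these notes; the three log formats below are constructed
samples written for the demonstration, not output captured from any product.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Format 1: Linux netfilter (iptables LOG target) packet log via syslog.
_NETFILTER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: .*?"
    r"(?P<verdict>ACCEPT|DROP|REJECT) IN=.*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)
# Format 2: OpenSSH authentication failures.
_SSHD = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<spt>\d+)"
)
# Format 3: a CSV export from a hypothetical vendor firewall:
# timestamp,device,action,proto,src,dst,dport
_CSV_FIELDS = ("ts", "host", "action", "proto", "src", "dst", "dpt")

_VERDICT_TO_ACTION = {"ACCEPT": "allow", "DROP": "deny", "REJECT": "deny"}


def normalize(line: str) -> Optional[Dict]:
    """Map one raw line to the common event schema, or None if no parser applies."""
    m = _NETFILTER.match(line)
    if m:
        return {
            "source": "netfilter", "host": m["host"], "action": _VERDICT_TO_ACTION[m["verdict"]],
            "proto": m["proto"].lower(), "src_ip": m["src"], "dst_ip": m["dst"],
            "dst_port": int(m["dpt"]) if m["dpt"] else None, "user": None,
        }
    m = _SSHD.match(line)
    if m:
        return {
            "source": "sshd", "host": m["host"], "action": "auth_failure",
            "proto": "tcp", "src_ip": m["src"], "dst_ip": None,
            "dst_port": 22, "user": m["user"],
        }
    parts = line.split(",")
    if len(parts) == len(_CSV_FIELDS) and parts[2] in ("allow", "deny"):
        rec = dict(zip(_CSV_FIELDS, parts))
        return {
            "source": "vendor_csv", "host": rec["host"], "action": rec["action"],
            "proto": rec["proto"].lower(), "src_ip": rec["src"], "dst_ip": rec["dst"],
            "dst_port": int(rec["dpt"]), "user": None,
        }
    return None


def collect(lines: List[str]) -> Tuple[List[Dict], List[str]]:
    """Parse a batch. Unparsed lines are kept, not dropped, so that a new or
    changed log format shows up as a collector problem instead of silently vanishing."""
    events: List[Dict] = []
    unparsed: List[str] = []
    for line in lines:
        ev = normalize(line.rstrip("\n"))
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


def suspicious_sources(events: List[Dict], threshold: int = 2) -> Dict[str, int]:
    """Cross-source correlation that is only possible once fields are normalized:
    count denies and authentication failures per source IP across all devices."""
    counts = Counter(e["src_ip"] for e in events if e["action"] in ("deny", "auth_failure"))
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample batch: one source address trips three different devices.
SAMPLE_LINES = [
    "Mar  3 10:15:01 fw01 kernel: [12345.678] DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=22",
    "2024-03-03T10:15:02Z,fwB,deny,UDP,198.51.100.7,203.0.113.53,53",
    "Mar  3 10:15:03 web01 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2",
    "Mar  3 10:15:04 fw01 kernel: [12346.001] ACCEPT IN=eth0 OUT= SRC=198.51.100.20 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=443",
    "Mar  3 10:15:05 fw01 kernel: [12346.002] DROP IN=eth0 OUT= SRC=198.51.100.30 DST=203.0.113.10 PROTO=ICMP",
    "<13>1 2024-03-03T10:15:06Z app01 myapp - - - format that the collector has no parser for",
]

if __name__ == "__main__":
    evs, bad = collect(SAMPLE_LINES)
    print(len(evs), "events,", len(bad), "unparsed")   # 5 events, 1 unparsed
    print(suspicious_sources(evs))                      # {'198.51.100.7': 3}
```

Two design points a real collector keeps: the unparsed bucket should feed a health alert (a vendor firmware update that changes a log layout otherwise turns into a silent blind spot), and optional fields such as the ICMP line's missing port are stored as absent rather than as a default value that a query could mistake for real data.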

TAPS AND PORT MIRRORS

- Typically, NIDS sensors are placed inside a firewall or close to a server of particular importance.
* The idea is usually to identify malicious traffic that has managed to get past the firewall.
- A single IDS can generate a very large amount of logging and alerting data, so you cannot just put multiple sensors everywhere in the network without provisioning the resources to manage them properly.
- Depending on network size and resources, one or just a few sensors will be deployed to monitor key assets or network paths.
- There are three main options for connecting a sensor to the appropriate point in the network:
• SPAN (switched port analyzer)/mirror port—this means that the sensor is attached to a specially configured port on the switch that receives copies of frames addressed to nominated access ports (or all the other ports). This method is not completely reliable. Frames with errors will not be mirrored and frames may be dropped under heavy load.
• Passive test access point (TAP)—this is a box with ports for incoming and outgoing network cabling and an inductor or optical splitter that physically copies the signal from the cabling to a monitor port. There are types for copper and fiber optic cabling. Unlike a SPAN, no logic decisions are made, so the monitor port receives every frame, corrupt or malformed or not, and the copying is unaffected by load.
• Active TAP—this is a powered device that performs signal regeneration (again, there are copper and fiber variants), which may be necessary in some circumstances. Gigabit signaling over copper wire is too complex for a passive tap to monitor, and some types of fiber links may be adversely affected by optical splitting. Because it performs an active function, the TAP becomes a point of failure for the link in the event of power loss. When deploying an active TAP, it is important to use a model with internal batteries or a fail-open bypass relay, or to connect it to a UPS.
- A TAP will usually output two streams to monitor a full-duplex link (one channel for upstream and one for downstream). Alternatively, there are aggregation TAPs, which rebuild the streams into a single channel, but these can drop frames under very heavy load.

Firewalls

- Firewalls are the devices principally used to implement security zones, such as intranet, demilitarized zone (DMZ), and the Internet.
- The basic function of a firewall is traffic filtering.
- A firewall resembles a quality inspector on a production line; any bad units are knocked off the line and go no farther.
- The firewall processes traffic according to rules; traffic that does not conform to a rule that allows it access is blocked. There are many types of firewalls and many ways of implementing a firewall.
- One distinction can be made between firewalls that protect a whole network (placed inline in the network and inspecting all traffic that passes through) and firewalls that protect a single host only (installed on the host and inspecting only traffic destined for that host).
- Another distinction can be made between border firewalls and internal firewalls.
* Border firewalls filter traffic between the trusted local network and untrusted external networks, such as the Internet. DMZ configurations are established by border firewalls.
* Internal firewalls can be placed anywhere within the network, either inline or as host firewalls, to filter traffic flows between different security zones.
- A further distinction can be made about what parts of a packet a particular firewall technology can inspect and operate on.

NIPS

- A NIPS can provide an active response to any network threats that it matches.
- One typical preventive measure is to end the TCP session, sending a spoofed TCP reset packet to the attacking host.
- Another option is for the sensor to apply a temporary filter on the firewall to block the attacker's IP address (shunning). Be aware that an attacker who spoofs source addresses can abuse shunning to get legitimate hosts blocked, so shun rules should be short-lived and never applied to critical peers such as DNS servers or business partners.
- Other advanced measures include throttling bandwidth to attacking hosts, applying complex firewall filters, and even modifying suspect packets to render them harmless.
- Finally, the appliance may be able to run a script or third-party program to perform some other action not supported by the IPS software itself.
- Some IPS provide inline, wire-speed anti-virus scanning. Their rulesets can be configured to provide user content filtering, such as blocking URLs, applying keyword-sensitive blacklists or whitelists, or applying time-based access restrictions.
- IPS appliances are positioned like firewalls at the border between two network zones.
- As with proxy servers, the appliances are "inline" with the network, meaning that all traffic passes through them (also making them a single point of failure if there is no fault tolerance mechanism).
* This means that they need to be able to cope with high bandwidths and process each packet very quickly to avoid slowing down the network. A false positive on an inline IPS blocks legitimate traffic, so new signatures are normally run in detect-only mode first and switched to block once their hit rate has been reviewed.

TLS/SSL Accelerator

- A TLS/SSL accelerator is a hardware device with a specialist chipset (an Application Specific Integrated Circuit, or ASIC) dedicated to performing the cryptographic calculations of the TLS handshake and record encryption, so that they are not performed by the server's general-purpose CPU.
- They are usually implemented as plug-in cards for server equipment or load balancing appliances and therefore can be placed anywhere in the network where SSL/TLS offloading is desired.
- An SSL decryptor, inspector, or interceptor is a type of proxy used to examine encrypted traffic before it enters or leaves the network. This ensures that traffic complies with data policies and that encryption is not being misused, either as a data exfiltration mechanism or to operate a Command & Control (C2) Remote Access Trojan.
- An SSL decryptor would be positioned at the network edge and implemented as a transparent bridge. This makes it almost impossible for an adversary to evade the device, unless there is a separate backdoor network channel. To re-encrypt the inspected traffic toward the client, the decryptor issues server certificates from an enterprise CA that the clients have been configured to trust.
- The drawback is that the decryptor appliance will be a single point of failure, unless a load balancing and failover system is implemented.
- Some typical functions of SSL decryptors include:
• Block connections that use weak cipher suites or implementations.
• Block connections that cannot be inspected (for instance, because the client pins the server's certificate and will not accept the enterprise certificate).
• Do not inspect authorized traffic that is subject to privacy or compliance regulations.
• Integrate with IDS, DLP, and SIEM to apply security policies and provide effective monitoring and reporting.

DMZ

- A DMZ is also referred to as a perimeter network. The idea of a DMZ is that traffic cannot pass directly through it from the Internet to the internal network.
- A DMZ enables external clients to access data on private systems, such as web servers, without compromising the security of the internal network as a whole.
- The hosts in a DMZ are not fully trusted by the internal network because of the possibility that they could be compromised from the Internet. They are referred to as bastion hosts.
- A bastion is a defensive structure in a castle.
* The bastion protrudes from the castle wall and enables the defenders to fire at attackers that have moved close to the wall. A bastion host would not be configured with any services that run on the local network, such as user authentication.

NIDS

- A NIDS is basically a packet sniffer (referred to as a sensor) with an analysis engine to identify malicious traffic and a console to allow configuration of the system.
- The basic functionality of a NIDS is to provide passive detection; that is, to log intrusion incidents and to display an alert at the management interface or to email the administrator account.
- This type of passive sensor does not slow down traffic and is very hard for an attacker to detect (it does not have an IP address on the monitored network segment).
- A NIDS will be able to identify and log hosts and applications, and detect attack signatures, password guessing attempts, port scans, worms, backdoor applications, malformed packets or sessions, and policy violations (ports or IP addresses that are not permitted, for instance).
- You can use analysis of the logs to tune firewall rulesets, remove or block suspect hosts and processes from the network, or deploy additional security controls to mitigate any threats you identify.

WAF

- A web application firewall (WAF) is one designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks.
- WAFs use application-aware processing rules to filter traffic.
- A WAF can be programmed with signatures of known attacks and use pattern matching to block requests containing suspect code.
- The output from a WAF will be written to a log, which you can inspect to determine what threats the web application might be subject to.

segmentation

- Segmentation means that the hosts in one segment are restricted in the way they communicate with hosts in other segments. They might only be able to communicate over certain network ports, for instance.
- An isolated segment is one that has no connectivity with other segments.
- A host or network segment that has no physical connectivity of any sort with other hosts or networks is referred to as air gapped.

Anti-Virus / Endpoint Protection

- Anti-virus software (or a host intrusion prevention system) works by identifying when processes or scripts are executed and intercepting (or hooking) the call to scan the code first.
- If the code matches a signature of known malware or exhibits malware-like behavior that matches a heuristic profile, the scanner will prevent execution and attempt to take the configured action on the host file (clean, quarantine, erase, and so on).
- An alert will be displayed to the user and the action will be logged (and may also generate an administrative alert).
- The malware will normally be tagged using a vendor proprietary string and possibly by a CME (Common Malware Enumeration) identifier, a MITRE scheme that is no longer maintained. These identifiers can be used to research the symptoms of and methods used by the malware. This may help to confirm the system is fully remediated and to identify whether other systems have been infected.

DLP

- DLP products scan content in structured formats, such as a database with a formal access control model, or unstructured formats, such as email or word processing documents. These products use some sort of dictionary database or algorithm (regular expression matching) to identify confidential data.
- The transfer of content to removable media, such as USB devices, or by email, IM, or even social media, can then be blocked if it does not conform to a predefined policy.
- Such solutions will usually consist of the following components:
• Policy server—to configure confidentiality rules and policies, log incidents, and compile reports.
• Endpoint agents—to enforce policy on client computers, even when they are not connected to the network.
• Network agents—to scan communications at network borders and interface with web and messaging servers to enforce policy.
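The dictionary and regular-expression matching mentioned above, as an added example (not any DLP product's detection logic). It goes beyond the bare regex in two ways a practitioner wants: a Luhn checksum separates real payment card numbers from order numbers and other long digit strings, and the matched number is masked in the finding so that the DLP incident log does not itself become a store of card numbers. A per-channel block/allow decision stands in for the policy server's rules. The policy keywords, the sample documents and the channel names are constructed for the illustration; 4111 1111 1111 1111 is the widely used test card number.

```python
"""Content scanning for a DLP policy: regular-expression matching plus a
validity check to cut false positives, and masked findings for the incident log.

Added example for these notes, not any product's detection logic. The policy
keywords and sample documents are constructed for the demonstration; the
card number used is the well-known test number 4111 1111 1111 1111.
"""
import re
from typing import Dict, List, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer run of digits.
_CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Dictionary of confidentiality markings from the (constructed) policy.
_KEYWORDS = ("confidential", "internal use only", "project bluebird")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers: from the right, double
    every second digit (subtracting 9 if the result exceeds 9) and require
    the total to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits so an incident can be investigated
    without the DLP log leaking the full number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan(text: str) -> List[Tuple[str, str]]:
    """Return (kind, evidence) findings for one document or message body."""
    findings: List[Tuple[str, str]] = []
    for m in _CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):          # order and phone numbers drop out here
            findings.append(("pan", mask_pan(digits)))
    lowered = text.lower()
    for kw in _KEYWORDS:
        if kw in lowered:
            findings.append(("keyword", kw))
    return findings


def decide(findings: List[Tuple[str, str]], channel: str) -> str:
    """Policy decision: card numbers never leave by any channel; marked
    documents may go by corporate email but not to removable media, IM or social media."""
    kinds = {k for k, _ in findings}
    if "pan" in kinds:
        return "block"
    if "keyword" in kinds and channel in ("usb", "im", "social"):
        return "block"
    return "allow"


# Constructed sample documents.
SAMPLE_DOCS: Dict[str, str] = {
    "invoice.txt": "Please charge card 4111 1111 1111 1111 exp 09/27 for the balance.",
    "orders.csv": "Order 1234 5678 9012 3456 shipped; call 0161 496 0000 with queries.",
    "memo.docx": "INTERNAL USE ONLY: Project Bluebird timeline attached.",
    "lunch.txt": "Anyone for sandwiches at 12:30?",
}

if __name__ == "__main__":
    for name, body in SAMPLE_DOCS.items():
        found = scan(body)
        print(name, found, "usb ->", decide(found, "usb"), "email ->", decide(found, "email"))
```

The order number in orders.csv is sixteen digits and matches the regex, but fails the Luhn check and so produces no finding; without that check, a naive pattern would block the file and flood the incident queue with false positives.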

UTM

- UTM refers to a system that centralizes various security controls—firewall, anti-malware, network intrusion prevention, spam filtering, content inspection, etc.—into a single appliance.
- It provides a single console from which you can monitor and manage the various defense settings.
- UTM was created in response to several difficulties that administrators face in deploying discrete security systems; namely, managing several complex platforms as well as meeting the significant cost requirements.
- UTM appliances simplify the security process by being tied to only one vendor and requiring only a single, streamlined application to function. This makes management of your organization's network security easier, as you no longer need to be familiar with the quirks of each individual system.
- The drawbacks are that a UTM appliance is a single point of failure that could affect an entire network (distinct security systems, if they fail, might only compromise that particular avenue of attack), and that UTM appliances can struggle with latency if they are subject to too much network activity.

SNMP v3

- SNMP v3 supports encryption and strong user-based authentication. Instead of community names, the agent is configured with a list of usernames and access permissions.
- When authentication is required, the SNMP message carries a message authentication code (HMAC-MD5 or HMAC-SHA) computed with a key derived from the user's passphrase. The agent verifies the code, and so authenticates the user, using its own copy of the key; the passphrase itself is never sent over the network.
- SNMP v3 can also use DES or (in most products) AES to encrypt the contents of traps and query responses. DES is obsolete, so prefer AES with SHA-based authentication wherever the device supports it.
- A query can be set to use no security (noAuthNoPriv), authentication only (authNoPriv), or authentication and encryption (authPriv).

multipurpose proxy

A proxy server must understand the application it is servicing. For example, a web proxy must be able to parse and modify HTTP and HTTPS commands (and potentially HTML too). Some proxy servers are application-specific; others are multipurpose. A multipurpose proxy is one configured with filters for multiple protocol types, such as HTTP, FTP, and SMTP.

VPN Concentrators

All the major NOS are bundled with software supporting VPNs. A server configured in this role is usually called a Network Access Server (NAS) or Remote Access Server (RAS). Where the functionality is part of a router or dedicated security appliance, it may be called a VPN concentrator. In either case, the server would be placed on the network edge, protected by a firewall configuration in a Demilitarized Zone (DMZ).

NETWORK-BASED FIREWALLS

An appliance firewall is a stand-alone hardware firewall that performs the function of a firewall only. The functions of the firewall are implemented on the appliance firmware. This is also a type of network-based firewall and monitors all traffic passing into and out of a network segment. This type of appliance could be implemented with routed interfaces or as a layer 2/virtual wire transparent firewall.

IDS/ IPS

An intrusion detection system (IDS) is a means of using software tools to provide real-time analysis of either network traffic or system and application logs. IDS is similar to anti-virus software but protects against a broader range of threats.

APPLICATION-BASED FIREWALLS

Firewalls can also run as software on any type of computing host. There are several types of application-based firewalls:
• Host-based firewall (or personal firewall)—implemented as a software application running on a single host designed to protect that host only.
• Application firewall—software designed to run on a server to protect a particular application only (a web server firewall, for instance, or a firewall designed to protect an SQL Server® database). This is a type of host-based firewall and would typically be deployed in addition to a network firewall.
• Network operating system (NOS) firewall—a software-based firewall running under a network server OS, such as Windows® or Linux®. The server would function as a gateway or proxy for a network segment.

REMEDIATION

Remediation refers to what happens if the device does not meet the security profile. A non-compliant device may be refused connection completely or put in a quarantined guest network or captive portal.
• Guest network—this would be a VLAN or firewalled subnet (DMZ) granting limited access to network resources. For example, you might allow visitors with non-compliant devices to use your Internet routers to browse the web and view their email but not grant them any access to your corporate network.
• Quarantine network—this is another type of restricted network, usually based on a captive portal. A captive portal allows only HTTP traffic and redirects it to a remediation server. The remediation server would allow clients to install OS and anti-virus updates in order to achieve or return to compliance.

ROGUE SYSTEM DETECTION

Rogue system detection refers to a process of identifying (and removing) hosts on the network that are not supposed to be there. You should be aware that "system" could mean several different types of devices (and software):
• Wired clients (PCs, servers, laptops, appliances).
• Wireless clients (PCs, laptops, mobile devices).
• Software (rogue servers and applications, such as malicious DHCP or DNS servers or a soft access point).
• Virtual machines.
Several techniques are available to perform rogue machine detection:
• Visual inspection of ports/switches will reveal any obvious unauthorized devices or appliances. It is, however, possible to imagine a sophisticated attack going to great lengths to prevent observation, such as creating fake asset tags.
• Network mapping/host discovery—unless an OS is actively trying to remain unobserved (not operating when scans are known to be run, for instance), network mapping software should identify hosts. Identifying a rogue host on a large network from a scan may still be difficult, so scan results should be compared automatically against an asset inventory rather than read by eye.
• Wireless monitoring can reveal the presence of unauthorized or malicious access points and stations.
• Network monitoring can reveal the use of unauthorized protocols on the network or identify hosts producing an unusual volume of network traffic.
• NAC and intrusion detection—security suites and appliances can combine automated network scanning with defense and remediation suites to prevent rogue devices from accessing the network.

HIDS

captures information from a single host, such as a server, router, or firewall. Some organizations may configure HIDS on each client workstation. HIDS come in many different forms with different capabilities. The core ability is to capture and analyze log files, but more sophisticated systems can also monitor OS kernel files, monitor ports and network interfaces, and process data and logs generated by specific applications, such as HTTP or FTP. HIDS/HIPS software produces similar output to an anti-malware scanner.

SNMP

- SNMP is a widely used framework for management and monitoring. SNMP consists of an SNMP monitor and agents.
• The agent is a process (software or firmware) running on a switch, router, server, or other SNMP-compatible network device.
* This agent maintains a database called a Management Information Base (MIB) that holds statistics relating to the activity of the device (for example, the number of frames per second handled by a switch).
* The agent is also capable of initiating a trap operation where it informs the management system of a notable event (port failure, for instance).
* The threshold for triggering traps can be set for each value.
* Device queries take place over port 161 (UDP); traps are communicated over port 162 (also UDP).
• The SNMP monitor (a software program) provides a location from which network activity can be overseen. It monitors all agents by polling them at regular intervals for information from their MIBs and displays the information for review. It also displays any trap operations as alerts for the network administrator to assess and act upon as necessary.
- If SNMP is not used, you should remember to change the default community strings and disable the service on any SNMP-capable devices that you add to the network.
- If you are running SNMP v1 or v2c, keep to the following guidelines:
• SNMP community names are sent in plaintext and so should not be transmitted over the network if there is any risk that they could be intercepted.
• Use difficult-to-guess community names; never leave the community name blank or set to the default (such as "public" or "private").
• Use Access Control Lists to restrict management operations to known hosts (that is, restrict to one or two host IP addresses).

router firewall

is similar, except that the functionality is built into the router firmware. Most SOHO Internet router/modems have this type of firewall functionality. An enterprise-class router firewall would be able to support far more sessions than a SOHO one. Additionally, some layer 3 switches can perform packet filtering.

The main advantage of HIDS/HIPS

is that they can be much more application specific than NIDS. For example, HIDS/HIPS can analyze encrypted traffic (once it has been decrypted on the host) and it is easier to train the system to recognize normal traffic.

HIPS

with active response can act to preserve the system in its intended state. This means that the software can prevent system files from being modified or deleted, prevent services from being stopped, log off unauthorized users, and filter network traffic.

The main disadvantages of HIDS/HIPS are:

• The software is installed on the host and is, therefore, detectable. This means that it is vulnerable to attack by malware that has already compromised the host.
• The software also consumes CPU, memory, and disk resources on the host.

