Chapters 11 and 12
Web proxy features
A web proxy is a proxy server that provides anonymous access to web-based content. Web proxies can incorporate several enhanced features.
• User security: Enables an administrator to grant or deny Internet access based on user names or group membership.
• Gateway services: Enables proxies to translate traffic between protocols.
• Auditing: Enables administrators to generate reports on users' Internet activity.
• Remote access services: Provides access to the internal network for remote clients.
• Content filtering: Evaluates the content of websites based on words or word combinations, and blocks content that an administrator has deemed undesirable.
Firewalls
Firewalls allow only traffic that has specifically been permitted by a system administrator, based on a defined set of rules. Information about incoming or outgoing connections can be saved to a log and used for network monitoring or hardening purposes. Firewalls use complex filtering algorithms that analyze incoming packets based on destination and source addresses, port numbers, and the data type. Firewalls are universally deployed between private networks and the Internet. They can also be used between two separate private networks, or on individual systems, to control data flow between any two sources. Firewalls can be of different types based upon the requirements of the network. There are four common types of firewalls.
• Packet filters: Packet filters are the simplest implementation of a firewall and work at the Network layer (Layer 3) of the OSI model. Each packet being passed along the network is compared to a set of default criteria or a set of rules configured by a network administrator. Once a packet is compared to the criteria, it is passed or dropped, or a message is sent back to the originator. Packet filters are usually a part of a router.
• Stateful inspection firewall: Stateful inspection firewalls work at the Session layer (Layer 5) of the OSI model by monitoring the condition, or state, of the connection. The firewall monitors the TCP connection establishment to determine if a request is legitimate. Stateful inspection firewalls are also known as circuit-level gateways. Note: Stateful inspection is covered in greater detail later in this topic.
• Proxy firewall: Proxy firewalls work at the Application layer (Layer 7) of the OSI model and require incoming and outgoing packets to have a proxy to access services. This functionality allows proxy firewalls to filter application-specific commands. Proxy firewalls can be used to log user activity and logons, which offers administrators a high level of security but significantly affects network performance. Proxy firewalls are also known as application-level gateways.
• Hybrid firewall: Hybrid firewalls combine the functions of a packet filter, a stateful inspection firewall, and a proxy firewall. They operate on all three OSI layers, Network, Session, and Application, simultaneously.
Intrusion detection
Intrusion detection is the process of monitoring the events occurring on a device or a network, and analyzing them to detect possible incidents. An incident is a violation or an imminent threat of violation of both information security policies and standard security practices. Though this process cannot prevent intrusions from occurring, it is predominantly used to monitor events, gather information, create a log of events, and alert you to the incident. The incidents may be unintentional or deliberate, but many of them are malicious. Intrusion detection can be performed manually or automatically. The most popular way to detect intrusions is by using the audit data generated by the operating system. It is a record of activities logged chronologically. As almost all activities are logged, it is possible that a manual inspection of the logs would allow intrusions to be detected. Audit trails are particularly useful because they can be used to establish the attacker's guilt. In any case, they are often the only way to detect unauthorized and subversive user activity.
Network access control (NAC)
Network access control (NAC) is a general term for the collected protocols, policies, and hardware that govern access on network interconnections. NAC provides an additional security layer that scans devices for conformance and allows or quarantines updates to meet policy standards. Security professionals will deploy a NAC policy according to an organization's needs based on three main elements: the authentication method, endpoint vulnerability assessment, and network security enforcement. Once the NAC policy is determined, professionals must determine where NAC will be deployed within their network structure.
Network scanners
Network scanners are computer programs used for scanning networks to obtain user names, host names, groups, shares, and services. Some network scanners provide information about vulnerabilities or weak spots on the network. Network scanners are sometimes used by attackers to detect and exploit the vulnerabilities on a network. Network scanners are also known as network enumerators. There are several network scanners available. Nmap and QualysGuard are popular among them. Another popular and effective network scanner you can use on both Windows and Linux is Nessus. The home version is free for personal use. You can download it from www.tenable.com.
Port filtering
Port filtering is a technique of selectively enabling or disabling TCP and UDP ports on computers or network devices. It ensures that no traffic, except for the protocol that the administrator has chosen to allow, can pass through an open port. Port filtering works by examining the packet's header, source address, destination address, and port number. However, a packet's header can be spoofed; a sender can fake his IP address or any other data stored in the header. Port filtering is most often used in firewalls and for device hardening. Normally, in organizations, administrators disable/block ports above 1024 as a security measure. They selectively enable ports above 1024 during the installation of the associated services that use the port number.
Website caching
The website caching process enables web proxies to cache web data for clients.
Step 1: Client request. The client requests data from a website.
Step 2: Packet intercepted. The proxy server intercepts the packet, generates a new request, and transmits it to the website.
Step 3: Download content. The proxy server downloads all requested content, caches it, and sends it to the client.
Step 4: Verify cache. If the client requests the same data, the proxy server intercepts the request, verifies that the files are current based on the time-to-live (TTL) values in its cache index, and sends the cached data to the client.
Step 5: Update cache. If the files are not current, the proxy server updates both the cache contents from the external website and the TTL on the cache.
Step 6: Purge cache. The proxy server purges its cache once the TTL value on an indexed item expires.
One important danger of using a proxy server is that, if an external website updates its contents before the TTL of the cache on the web proxy expires, a client might get outdated information from the web proxy's cache. Proxy servers can use either passive or active caching to ensure that cache data is current.
• In passive caching, the proxy server does not cache any data marked as time sensitive, but sends repeated requests to external sites to ensure that data is current.
• In active caching, the proxy server profiles cache indexes of websites based on the volume of use. The proxy server actively refreshes the cache contents for sites that have had multiple hits from internal clients.
Another technique the proxy server can use is to request time stamps from the external website, compare them to the stamp in its cache, and download only new data. The time stamp requests generate only a small amount of traffic and eliminate unnecessary content downloads.
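The caching steps above as an added simulation (not from the course text): a proxy that serves from its index while the TTL is current, re-fetches after expiry, and optionally performs the time-stamp comparison so unchanged content is not downloaded again. The origin site is a constructed in-memory stand-in, and the stale-data danger described above is reproduced deliberately.

```python
"""Web-proxy caching with TTL checks and time-stamp revalidation.

Added example, not from the course text. OriginSite is a constructed
stand-in for the external website; times are plain integer seconds.
"""
from dataclasses import dataclass


@dataclass
class Entry:
    body: bytes
    last_modified: int   # the origin's time stamp for this content
    expires_at: int      # absolute time at which the cache TTL runs out


class OriginSite:
    """Constructed external website that counts full downloads (the traffic we want to avoid)."""
    def __init__(self, body: bytes, last_modified: int):
        self.body, self.last_modified = body, last_modified
        self.fetches = 0

    def head(self) -> int:                 # time-stamp request only: little traffic
        return self.last_modified

    def get(self) -> tuple:                # full content download
        self.fetches += 1
        return self.body, self.last_modified

    def publish(self, body: bytes, now: int):   # the site changes its content
        self.body, self.last_modified = body, now


class CachingProxy:
    def __init__(self, ttl: int, revalidate: bool):
        self.ttl = ttl
        self.revalidate = revalidate      # compare time stamps before re-downloading
        self.index = {}                   # url -> Entry (the cache index)
        self.log = []

    def purge_expired(self, now: int):
        """Step 6: drop indexed items whose TTL has expired."""
        for url in [u for u, e in self.index.items() if e.expires_at <= now]:
            del self.index[url]
            self.log.append(f"purge {url}")

    def request(self, url: str, origin: OriginSite, now: int) -> bytes:
        e = self.index.get(url)
        if e is not None and e.expires_at > now:
            self.log.append(f"hit {url}")          # Step 4: current per TTL, serve cache
            return e.body
        if e is not None and self.revalidate and origin.head() == e.last_modified:
            e.expires_at = now + self.ttl           # unchanged at origin: renew TTL only
            self.log.append(f"revalidated {url}")
            return e.body
        body, lm = origin.get()                     # Steps 2-3 / 5: download and cache
        self.index[url] = Entry(body, lm, now + self.ttl)
        self.log.append(f"fetch {url}")
        return body


def demo() -> dict:
    origin = OriginSite(b"price=10", last_modified=0)
    proxy = CachingProxy(ttl=60, revalidate=False)
    first = proxy.request("/price", origin, now=0)     # fetch
    origin.publish(b"price=12", now=30)                # site changes before the TTL expires
    stale = proxy.request("/price", origin, now=40)    # TTL still current: outdated data served
    fresh = proxy.request("/price", origin, now=61)    # TTL expired: re-fetched
    proxy.purge_expired(now=200)                       # Step 6

    reval = CachingProxy(ttl=60, revalidate=True)      # time-stamp comparison variant
    reval.request("/price", origin, now=100)
    before = origin.fetches
    unchanged = reval.request("/price", origin, now=170)   # expired but unchanged: no download
    origin.publish(b"price=15", now=200)
    changed = reval.request("/price", origin, now=240)     # expired and changed: downloaded
    return {"first": first, "stale": stale, "fresh": fresh,
            "after_purge": len(proxy.index),
            "reval_unchanged": unchanged, "reval_changed": changed,
            "reval_fetches": origin.fetches - before, "reval_log": reval.log}
```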
Proximity readers and key fobs
There are also proximity readers that require the user to place a key fob near the reader to gain access. A proximity reader is a card reader that can read a smart card when it is held near it. The proximity card is held near an electronic reader for a moment. The reader usually produces a beep or other sound to indicate the card has been read. Proximity cards typically have a range of around 5 cm (2 inches) for reading. Electronic key fobs are small devices which can be used for activating things such as remote keyless entry systems on motor vehicles, and in buildings for access to certain areas. Electronic key fobs now use challenge-response authentication over radio frequency, and do not need line-of-sight to operate. The fob operates in much the same manner as a proximity card to communicate with a central server for the building, which can be programmed to allow access only to certain areas, or only within certain time frames.
Firewalls and ACLs
Firewall functionality was initially performed by ACLs, usually on routers. ACLs have good scalability and high performance, but cannot read past packet headers in the way some firewalls can. For that reason, ACL packet filtering alone does not have the capacity to keep threats out of the network.
Edge networks and access control
Access control starts at the edge network. A virtual private network (VPN) server, or even a firewall itself, can accept client VPN connections at the edge. These clients and their users have to pass some sort of access control to authenticate, and the client may also have to prove its health before the connection is accepted. If there is no VPN connection, the firewall will still have many access control rules to filter out undesirable or uninvited traffic.
Application-Aware and context-aware firewalls
Application-aware firewalls provide the same capabilities as traditional firewalls, and they can also enforce security rules on applications, regardless of port or protocol. This allows them to protect against threats that can run over any port, use encryption, or tunnel to evade security. Context-aware firewalls include application-aware capabilities and add the ability to extract the user identity, the origin of the access, and the type of device used for the access. They can then permit or deny the access based on these attributes, giving you even more ways to protect against threats.
Documentation
Documentation of the scene begins with the first responder. It is important to start taking notes from the time of arrival at the scene. Include any details on the condition of the scene, and talk to witnesses, if any, and get their statements. Stick to the facts at this stage, and do not include your opinions or thoughts and guesses. You can also take photos and videos to help document the scene.
eDiscovery
Electronic discovery, also known as eDiscovery, is the electronic aspect of identifying, collecting, and producing electronically stored information (ESI) in response to a request in a lawsuit or investigation. ESI includes, but is not limited to, email, documents, presentations, databases, voice mail, audio and video files, social media, and websites. The nature of the incident and the investigation will determine what information will be ESI.
Data transport
In certain situations, you may need to transport data from your organization to another entity. Digital evidence can be altered, damaged, or destroyed due to improper handling. If this occurs, the data may be unreadable or inadmissible, or lead to an inaccurate conclusion. You will need to transport the data securely by using some sort of encrypted portable drive. You can also obtain devices built specifically for this purpose.
Port forwarding
Port forwarding, also called port mapping, enables a permanent translation entry that maps a protocol port on a gateway to an IP address and protocol port on a private LAN. Network clients cannot see that port forwarding is being done. This allows communications from an external source to a destination within a private LAN. For example, a remote device could connect to a specific device or service within a private LAN by using port forwarding.
Security guards
Security guards protect the property, people, and assets of an organization. They can be employed by the organization or through an agency. They act to protect property by maintaining a high- visibility presence to deter illegal and inappropriate actions. They watch for signs of crime, fire, or disorder and then take action and report any incidents to the client and emergency services as appropriate.
The NAT process
The NAT process translates external and internal addresses based on port numbers.
Step 1: Client request. An internal client sends a request to an external service, such as a website, using the external destination IP address and port number.
Step 2: Source address conversion. The NAT device converts the source address in the request packet to its own external address, and adds a reference port number to identify the originating client.
Step 3: Data return. The service returns data to the NAT device's external address using the reference port number.
Step 4: Internal source identification. NAT uses the reference port number to identify the correct internal source address.
Step 5: Data delivery. NAT readdresses the packet to the internal system and delivers the data.
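The five NAT steps as an added example (not from the course text): a port-based NAT table that allocates a reference port per internal client and maps replies back. Addresses and ports are constructed; the simulation also drops inbound packets whose reference port has no table entry, which is standard port-address-translation behaviour but is not stated in the steps above.

```python
"""Port-based NAT (PAT) translation following the five steps in the text.

Added example, not from the course text. All addresses and ports are
constructed for the demo.
"""
from dataclasses import dataclass, replace
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatDevice:
    def __init__(self, external_ip: str, first_port: int = 40000):
        self.external_ip = external_ip
        self._ports = count(first_port)      # pool of reference ports to hand out
        self.table = {}                      # reference port -> (internal ip, internal port)
        self._by_client = {}                 # (internal ip, internal port) -> reference port

    def outbound(self, p: Packet) -> Packet:
        """Steps 1-2: rewrite the source to the external address plus a reference port
        that identifies the originating client (reused for the same client/port pair)."""
        key = (p.src_ip, p.src_port)
        ref = self._by_client.get(key)
        if ref is None:
            ref = next(self._ports)
            self.table[ref] = key
            self._by_client[key] = ref
        return replace(p, src_ip=self.external_ip, src_port=ref)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Steps 3-5: a packet for the external address is mapped back to the internal
        host by its reference port. No table entry means no originating client, so the
        packet is dropped (returned as None) rather than forwarded inside."""
        if p.dst_ip != self.external_ip:
            return None
        client = self.table.get(p.dst_port)
        if client is None:
            return None
        return replace(p, dst_ip=client[0], dst_port=client[1])


def demo() -> dict:
    nat = NatDevice("203.0.113.1")
    # Two internal clients that happen to use the same source port to the same server:
    # the reference port is what lets NAT tell their replies apart.
    a = Packet("192.168.1.10", 50000, "198.51.100.80", 443)
    b = Packet("192.168.1.11", 50000, "198.51.100.80", 443)
    out_a, out_b = nat.outbound(a), nat.outbound(b)
    reply_a = Packet("198.51.100.80", 443, out_a.src_ip, out_a.src_port)
    reply_b = Packet("198.51.100.80", 443, out_b.src_ip, out_b.src_port)
    unsolicited = Packet("198.51.100.80", 443, "203.0.113.1", 40999)   # no table entry
    return {"out_a": out_a, "out_b": out_b,
            "in_a": nat.inbound(reply_a), "in_b": nat.inbound(reply_b),
            "unsolicited": nat.inbound(unsolicited),
            "reuse": nat.outbound(a).src_port == out_a.src_port}
```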
Chain of custody
The idea of chain of custody is borrowed from law enforcement. The premise is to track the evidence from the time it is collected until it is released back to the owner. It will track the chronological handling of the evidence and is a paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence. A chain of custody document might also contain basic information about the organization, any affected clients, details about the seized media such as brand, type, and serial number, as well as other information. The form can also track each person who has touched the media for purposes of collection, imaging, and return of property.
Switch port security
There are different methods for implementing security for switch ports.
• DHCP snooping: Can harden the security on the network to allow only clients with specific IP or MAC addresses to have access to the network. It uses information from the Dynamic Host Configuration Protocol (DHCP) server to track the physical location of hosts, ensure that hosts use only the IP addresses assigned to them, and ensure that only authorized DHCP servers are accessible.
• ARP inspection: Validates Address Resolution Protocol (ARP) packets in a network. ARP inspection determines the validity of packets by performing an IP-to-MAC address binding inspection before forwarding the packet to the appropriate destination. ARP packets with invalid IP-to-MAC address bindings that fail the inspection are dropped.
• MAC address filtering: Provides a simple method of securing a wireless network. By configuring a wireless access point (WAP) to filter MAC addresses, you can control which wireless clients can access your network. Typically, an administrator configures a list of client MAC addresses that are allowed to join the network. Those pre-approved clients are granted access if the MAC address is "known" by the access point. A note of caution, though: It is not difficult for someone with a little skill and know-how to change a MAC address, falsely gain authorization by using another computer, and gain access to your network. Although MAC filtering is usually implemented on wireless networks, it can also be used on wired networks.
• IP filtering: Determines which packets will be allowed to pass and which packets will be dropped by screening the packet based on certain criteria. An administrator can set criteria to determine which packets to filter, such as the protocol type, source IP address, and destination IP address. When a packet is dropped, it is deleted and treated as if it was never received. IP filtering operates mainly at Layer 2 of the TCP/IP protocol stack and is generally performed by a screening router, although other network devices can also perform IP filtering.
• VLAN assignments: Can segment a network so that traffic from one VLAN does not interfere with the traffic on other VLANs.
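DHCP snooping and ARP inspection working together, as an added example (not from the course text): the binding table is learned only from leases acknowledged on trusted ports, and ARP inspection drops frames whose IP-to-MAC binding does not match that table for the port they arrived on. Port names, addresses and events are constructed and simplified to the fields the checks need.

```python
"""DHCP snooping binding table feeding ARP inspection, as a small simulation.

Added example, not from the course text. Switch port names, MAC and IP
addresses and the lease/ARP events are constructed; a lease is modelled as
one event carrying the fields the switch would have learned from the exchange.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DhcpLease:
    server_port: str     # port on which the DHCP ACK arrived
    client_port: str     # access port of the client that requested the lease
    client_mac: str
    ip: str


@dataclass(frozen=True)
class ArpFrame:
    port: str            # port the ARP frame arrived on
    sender_mac: str
    sender_ip: str


class SwitchPortSecurity:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplinks towards the authorized DHCP server
        self.bindings = {}                  # ip -> (mac, port), the snooping table
        self.dropped = []                   # log of dropped events for the administrator

    def snoop_lease(self, lease: DhcpLease) -> bool:
        """DHCP snooping: bindings are learned only from ACKs on trusted ports; an ACK
        arriving on an access port comes from an unauthorized DHCP server and is dropped."""
        if lease.server_port not in self.trusted:
            self.dropped.append(f"DHCP ACK from unauthorized server on {lease.server_port}")
            return False
        self.bindings[lease.ip] = (lease.client_mac, lease.client_port)
        return True

    def inspect_arp(self, frame: ArpFrame) -> bool:
        """ARP inspection: frames from trusted ports pass; every other frame must carry
        an IP-to-MAC binding that matches the snooping table for that port."""
        if frame.port in self.trusted:
            return True
        if self.bindings.get(frame.sender_ip) != (frame.sender_mac, frame.port):
            self.dropped.append(
                f"invalid ARP binding {frame.sender_ip} -> {frame.sender_mac} on {frame.port}")
            return False
        return True


def demo() -> dict:
    sw = SwitchPortSecurity(trusted_ports={"Gi0/24"})
    results = {
        "lease_ok": sw.snoop_lease(DhcpLease("Gi0/24", "Gi0/1", "aa:aa:aa:00:00:01", "10.0.0.5")),
        "rogue_lease": sw.snoop_lease(DhcpLease("Gi0/7", "Gi0/2", "bb:bb:bb:00:00:02", "10.0.0.6")),
        # legitimate host announcing its own leased address
        "arp_ok": sw.inspect_arp(ArpFrame("Gi0/1", "aa:aa:aa:00:00:01", "10.0.0.5")),
        # a different port claiming the first host's address: dropped
        "arp_wrong_port": sw.inspect_arp(ArpFrame("Gi0/2", "bb:bb:bb:00:00:02", "10.0.0.5")),
        # the right port but a MAC that does not match the lease: dropped
        "arp_wrong_mac": sw.inspect_arp(ArpFrame("Gi0/1", "cc:cc:cc:00:00:03", "10.0.0.5")),
        # the gateway answering from the trusted uplink is not checked against bindings
        "arp_uplink": sw.inspect_arp(ArpFrame("Gi0/24", "dd:dd:dd:00:00:04", "10.0.0.1")),
    }
    results["dropped"] = len(sw.dropped)
    return results
```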
Traffic filtering
Traffic filtering is a method that allows only legitimate traffic through to the network. It blocks unwanted traffic, thereby minimizing valuable resource consumption. Traffic is filtered based on rules that accept or deny traffic based on the source or destination IP address. Whenever a filtering device receives traffic, it attempts to match the traffic with a rule. Firewalls and servers are the most commonly used traffic filtering devices. Some devices filter traffic that originates only from the internal network, whereas other, more sophisticated, devices filter traffic from external networks also. Firewalls will sometimes block network discovery from other devices. In the case of Windows, the option for network discovery is disabled. Network discovery is a method for devices to find each other on the network. In order to use this feature, it will need to be enabled.
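The rule matching described under firewall types, port filtering and traffic filtering, as one added example (not from the course text): a stateless packet filter and a stateful inspection firewall judging the same constructed packets, which shows why the stateful firewall can admit the reply to an inside-initiated connection that a plain rule set would have to deny. The rule format and the addresses are assumptions made for the demo.

```python
"""Stateless packet filtering vs. stateful inspection, as a small simulation.

Added example, not from the course text. The rule format, addresses and
packets are constructed for this demo.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


def stateless_filter(rules, p: Packet) -> str:
    """Packet filter / port filter: first matching rule wins; no match is an implicit deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFirewall:
    """Stateful inspection: connections opened from inside are recorded, and an
    inbound packet is permitted if it is the return half of a tracked connection
    or if an explicit inbound rule permits it."""

    def __init__(self, outbound_rules, inbound_rules):
        self.outbound_rules = outbound_rules
        self.inbound_rules = inbound_rules
        self.table = set()          # tracked connections as 5-tuples

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def outbound(self, p: Packet) -> str:
        verdict = stateless_filter(self.outbound_rules, p)
        # A permitted TCP SYN (or any permitted UDP datagram) opens a tracked entry.
        if verdict == "permit" and (p.proto == "udp" or "SYN" in p.flags):
            self.table.add(self._key(p))
        return verdict

    def inbound(self, p: Packet) -> str:
        if self._reverse_key(p) in self.table:
            return "permit"         # reply to a connection an inside host opened
        return stateless_filter(self.inbound_rules, p)


def demo() -> dict:
    """Scenario: inside hosts may browse (443) and resolve names (53); only the
    published web server 10.0.0.10 accepts unsolicited inbound connections."""
    outbound = [Rule("permit", "tcp", src="10.0.0.0/8", dport=443),
                Rule("permit", "udp", src="10.0.0.0/8", dport=53)]
    inbound = [Rule("permit", "tcp", dst="10.0.0.10/32", dport=80)]
    fw = StatefulFirewall(outbound, inbound)
    syn = frozenset({"SYN"})
    client_syn = Packet("10.0.0.5", "203.0.113.7", "tcp", 51000, 443, syn)
    server_synack = Packet("203.0.113.7", "10.0.0.5", "tcp", 443, 51000, frozenset({"SYN", "ACK"}))
    unsolicited = Packet("198.51.100.9", "10.0.0.5", "tcp", 40000, 51000, syn)
    to_web = Packet("198.51.100.9", "10.0.0.10", "tcp", 40001, 80, syn)
    to_web_ssh = Packet("198.51.100.9", "10.0.0.10", "tcp", 40002, 22, syn)
    return {
        "client_syn": fw.outbound(client_syn),       # permit, connection tracked
        "server_synack": fw.inbound(server_synack),  # permit, reply to tracked connection
        "unsolicited": fw.inbound(unsolicited),      # deny: no connection, no rule
        "to_web": fw.inbound(to_web),                # permit by explicit inbound rule
        "to_web_ssh": fw.inbound(to_web_ssh),        # deny by implicit deny
        # The same reply judged by the stateless inbound rules alone is denied; a plain
        # packet filter would need a broad "permit any from port 443" rule to let it in.
        "stateless_synack": stateless_filter(inbound, server_synack),
    }
```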
Video monitoring
Video monitoring allows you to increase the visual awareness of your organization. On your video monitoring system, you can use traditional closed circuit (CC) analog cameras with a CCTV network. You can also use Internet Protocol (IP) cameras, which are digital video cameras that connect to an IP network. IP cameras can be accessed across the network or the Internet. Some IP cameras also include local storage in case the network connection is lost. When the camera is connected to the network again, the data stored locally is downloaded to the video monitoring network. Video monitoring can take two forms:
• A video intercom that has a camera and a monitor so that users can see who is requesting access. This adds a level of security when you are able to visually identify the person requesting entry.
• Video surveillance cameras, which don't restrict access by themselves but do provide security. They allow you to monitor and document who has gained access to the building or sensitive areas. They can also act as a deterrent to those who want to violate your security.
Biometric locks
A biometric lock is a lock that is activated by biometric features, such as a fingerprint, voice, retina, or signature. Biometric locks make it more difficult for someone to counterfeit the "key" used to open the lock. An example of a biometric lock is an optical or thermal scanner that reads and stores the fingerprints of authorized users. The user then places his or her hand on the scanner to gain access to a door.
Guest Networks
A guest network is a subset of an organization's network that is designed for temporary use by visitors. Typically, guest networks provide full Internet connectivity while severely restricting access to the internal intranet. This helps keep an organization's internal information private, and helps avoid spreading any malware that visitors may have on their devices.
Honeypots and honeynets
A honeypot is a security tool that lures attackers away from legitimate network resources while tracking their activities. Honeypots appear and act as a legitimate component of the network but are actually secure lockboxes in which security professionals can block the intrusion and begin logging activities for use in court or even launch a counterattack. The act of luring individuals in could potentially be perceived as entrapment or violate the code of ethics of your organization. These legal and ethical issues should be discussed with your organization's legal counsel and human resources department. Honeypots can be software emulation programs, hardware decoys, or an entire dummy network, known as a honeynet. A honeypot implementation often includes some kind of IDS to facilitate monitoring and tracking of intruders. Some dedicated honeypot software packages can be specialized types of IDSs.
Forensic reports
A forensic report simply and succinctly summarizes the substantive evidence. It typically contains several sections to help the reader understand not only what was found (or not found) by the investigator, but also to detail the steps performed to acquire and analyze the data.
Passive and active IDSs
An IDS can be either passive or active. A passive IDS detects potential security breaches, logs the activity, and alerts security personnel. An active IDS does the same, and then takes the appropriate action to block the user from the suspicious activity. Some people consider the active IDS a type of intrusion prevention system (IPS), and not a separate system.
Demilitarized zone (DMZ)
A demilitarized zone (DMZ) is a small section of a private network that is located between two firewalls and made available for public access. A DMZ enables external clients to access data on private devices, such as web servers, without compromising the security of the internal network as a whole. The external firewall enables public clients to access the service, whereas the internal firewall prevents them from connecting to protected internal hosts.
Quarantine networks
A quarantine network is a restricted network that provides users with routed access only to certain hosts and applications. Users are denied access to the network and are assigned to a quarantine network when a NAC product determines that an end user's device is out-of-date. They are assigned to a network that is routed only to patch and update servers, and not to the rest of the network. They can then update their devices to bring them up to NAC standards and gain access to the network. Another commonly used term for quarantine network is remediation network. These are often implemented using VLAN configurations.
First responders
A first responder is the first experienced person or a team of trained professionals that arrive on the scene of an incident. In a non-IT environment, this term can be used to define the first trained person, such as a police officer or firefighter, to respond to an accident, a damage site, or a natural disaster. In the IT world, first responders can include security professionals, human resource personnel, or IT support professionals.
Legal holds
A legal hold is a process that an organization uses to preserve all forms of relevant information when litigation is reasonably anticipated. The legal hold is initiated by a notice or communication from legal counsel to an organization that suspends the normal disposition or processing of records, such as backup tape recycling, archived media, and other storage and management of documents and information. A legal hold will be issued as a result of current or anticipated litigation, audit, government investigation, or other such matter to avoid evidence spoliation. Legal holds can encompass business procedures affecting active data, including, but not limited to, backup tape recycling.
Mantraps
A mantrap is two sets of interlocking doors inside a small space, where the first set of doors must close before the second set opens. If the mantrap is manual, a guard locks and unlocks each door in sequence. In this case, an intercom or video camera is typically used to allow the guard to control the trap from a remote location. If the mantrap is automatic, identification or a key of some kind may be required for each door, and sometimes different measures may be required for each door. Metal detectors are often built in, in order to prevent entrance of people carrying weapons. Such use is particularly frequent in banks and jewelry shops.
Host-based and network-based firewalls
A network-based firewall is a dedicated hardware/software combination that protects all the devices on a network behind the firewall. A host-based firewall (also known as a personal firewall) is software that is installed directly on a host and filters incoming and outgoing packets to and from that host. Note: Some popular personal firewalls are ZoneAlarm® and Norton™ Personal Firewall.
Port scanners
A port scanner is a type of software that searches a network host or a range of IP addresses for open TCP and UDP ports. A port scanner looks for open ports on the target device and gathers information including whether the port is open or closed, what services are running on that port, and any available information about the operating system. Administrators can use a port scanner to determine what services are running on the network and potential areas that are vulnerable. A port scanning attack occurs when an attacker scans your devices to see which ports are listening in an attempt to find a way to gain unauthorized access. Note: When multiple hosts are scanned simultaneously or consecutively, it is called portsweeping. Nmap is a widely available open source port scanner. It can rapidly scan a single host or an entire network. It can determine what hosts are available on a network, what services are offered, what types of operating systems are being used, what types of firewalls are being used, and numerous other characteristics of the target. There are many utilities available that potential attackers can use to scan ports on networks, including Nmap, SuperScan, and Strobe. Many utilities can be downloaded for free from the Internet. Performing port scanning attacks is often the first step an attacker takes to identify live devices and open ports to launch further attacks with other tools.
Proxy and reverse proxy servers
A proxy server is a system that isolates internal clients from the servers by downloading and storing files on behalf of the clients. It intercepts requests for web-based or other resources that come from the clients, and, if it does not have the data in its cache, it can generate a completely new request packet by using itself as the source, or simply relay the request. In addition to providing security, the data cache can also improve client response time and reduce network traffic by providing frequently used resources to clients from a local source. A proxy puts the client session on hold while it fetches the content for the client. It will then cache the fetched data for the next client that wants the same content. One potential issue with a proxy is that the cached content can quickly become stale. This is especially a nuisance for businesses that depend on quick updates such as stock availability on a website, continually updated news or stock market quotes, or website developers that are constantly uploading web pages to remote servers and then displaying the results. An administrator will have to accurately judge how long cached content should be kept, and configure the proxy accordingly. Depending on your traffic level and network needs, different proxy servers can be configured for different external services. For example, one proxy server can handle HTTP requests, while another server can handle FTP content. A reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are returned to the client as if they originated from the reverse proxy server itself. A reverse proxy acts as an intermediary for its associated servers and returns resources provided by those associated servers only.
Security incident management
A security incident is a specific instance of a risk event occurring, whether or not it causes damage. Security incident management is the set of practices and procedures that govern how an organization will respond to an incident in progress. The goals of incident management are to contain the incident appropriately, and ultimately minimize any damage that may occur as a result of the incident. Incident management typically includes procedures to log, and report on, all identified incidents and the actions taken in response.
Battery backups and UPSs
A backup battery is a device that provides power to a computing device when the primary source of power is unavailable. Backup batteries can range from small single cells used to retain clock time and date inside computers and devices, to large battery room facilities that power uninterruptible power supply (UPS) systems for large data centers. A UPS is different from battery backup because it will provide near-instantaneous protection from power interruptions, power conditioning by removing power quality problems, and real-time monitoring and controlled shutdown of protected equipment. A UPS is typically used to protect hardware such as computers, data centers, telecommunication equipment, or other electrical equipment in which an unexpected power disruption could cause serious business disruption or data loss.
Online Resources for Employee Education
A common way to promote all phases of the employee education process is to provide employees with access to security-related resources and information online. You can provide proprietary, private security information, such as your corporate security policy document, through an organization's intranet. You can also point employees to a number of reputable and valuable security resources on the Internet. However, both you and employees should be cautious whenever researching information on the Internet, as not all sources are trustworthy. Just because information is posted on a website does not mean it is factual or reliable. Monitor the websites you recommend to your employees periodically to make sure that they are providing worthwhile information, and encourage employees to verify any technical or security-related information with a reliable third party before acting on the information or passing it along to others. Here are just a few of the valuable information security resources from technology vendors and other organizations that you can find on the Internet:
• www.microsoft.com/security/default.mspx
• tools.cisco.com/security/center/home.x
• www.symantec.com/business/index.jsp
• www.sans.org
Incident response policy (IRP)
An incident response policy (IRP) is the security policy that determines the actions that an organization will take following a confirmed or potential security breach. The IRP usually specifies:
• Who determines and declares if an actual security incident has occurred.
• What individuals or departments will be notified.
• How and when they are notified.
• Who will respond to the incident.
• Guidelines for the appropriate response.
Incident response will usually involve several departments and, depending on the severity of the incident, may involve the media. The human resources and public relations departments of an organization generally work together in these situations to determine the extent of the information that will be made available to the public. Information is released to employees, stockholders, and the general public on a need-to-know basis.
Intrusion detection system (IDS)
An intrusion detection system (IDS) is software or hardware, or a combination of both, that scans, audits, and monitors the security infrastructure for signs of attacks in progress and automates the intrusion detection process. It is used to quickly detect malicious behavior that compromises the integrity of a device so that appropriate action can be taken. IDS software can also analyze data and alert security administrators to potential infrastructure problems. A variety of hardware sensors, intrusion detection software, and IDS management software can comprise an IDS. Each implementation is unique, depending on the security needs and the components chosen. Both a firewall and an IDS enforce network policies, but the way they accomplish that task is significantly different. An IDS collects information and will either notify you of a possible intrusion or block packets based on configuration settings determined by a defined signature. A firewall filters traffic based on configuration settings alone. It can be helpful to keep in mind that many firewall and IDS systems have functionality that overlaps, or is integrated into the same device or appliance. Snort is an open-source, free IDS software available for detecting and preventing intrusions. It is available at www.snort.org. This software has the capability to log data, such as alerts and other log messages, to a database.
IPSs
An IPS is an inline security device that monitors suspicious network and/or device traffic and reacts in real time to block it. An IPS may drop packets, reset connections, sound alerts, and, at times, even quarantine intruders. It can regulate traffic according to specific content, because it examines packets as they travel through the IPS. This is in contrast to the way a firewall behaves, which blocks IP addresses or entire ports.
Note: Network behavior analysis is a behavior-based IPS that constantly monitors network traffic and identifies potential threats such as Distributed Denial of Service (DDoS), malware, and policy violations.
Anti-malware software
Anti-malware software is a category of protective software that scans devices and sometimes networks for known viruses, Trojans, worms, and other malicious programs. Some anti-malware programs attempt to scan for unknown harmful software. It is advisable to install anti-malware software on all devices and keep it updated according to your organization's patch management policy. In addition to detection, most anti-malware software is capable of logging scan and detection information. These logs should be monitored to make sure that scans are taking place and ensure that infections are reported properly.
Anti-malware can be host-based, where the application runs on the host and protects only that device. That system also needs to download its own updates. Server-based and cloud-based anti-malware can manage anti-malware applications installed on other hosts and provide the updates to them. In some cases, they can also run scans on the other hosts. Network-based anti-malware scans traffic entering and leaving the network for malware.
Anti-malware software vendors maintain and update the libraries of virus definitions and malware signatures; the customer must periodically update the definitions on all systems where the software is installed. Most vendors provide an automatic update service that enables customers to obtain and distribute current virus definitions on a schedule. Periodically, administrators should manually check to verify that the updates are current. When there is a known active threat, administrators should also manually update definitions. Some vendors offer enterprise malware suites that include malware protection for all devices in a company, automatic updating, and the ability to download and distribute updates from a central server. Distributing the updates from a local server instead of obtaining them directly from the vendor enables the administrator to review and verify virus definitions before they are deployed.
Because almost all devices today are connected to the Internet, email is a source of serious virus threats. Companies can implement Internet email virus protection by:
• Screening the Internet gateway devices for viruses
• Employing reliable desktop antivirus software
• Scanning incoming email between the Internet and the email server
• Scanning email again at the device level
• If a virus attack is detected, disabling all Internet connections and isolating affected devices
Evidence and Data Collection
As you document a scene or perform eDiscovery, you can collect evidence or data. If you are investigating an issue of some kind, then you can collect any evidence or data as you see fit. However, if you are investigating a legal issue that may involve other parties, then you should consult your manager and possibly a lawyer, as there may be legal restrictions you need to follow. If you are trying to retrieve data that has been erased or damaged, then you may need to consult with a data collection and recovery specialist. They are trained and possess tools that enable them to recover data that is not normally recoverable through standard tools.
User security responsibilities
Because security is most often breached at the end-user level, users need to be aware of their specific security responsibilities.
Physical security: Employees should not allow anyone in the building without a proper ID. Employees should not allow other individuals to "piggyback" on a single ID badge. Employees should be comfortable approaching and challenging unknown or unidentified persons in a work area. Access within the building should be restricted to only those areas an employee needs to access for job purposes. Hard copies of confidential files must be stored securely where they are not visible to others.
System security: Employees must use their user IDs and passwords properly. This information should never be shared or written down where it is accessible to others. All confidential files should be saved to an appropriate location on the network where they can be secured and backed up, not just on a hard drive.
Device security: Employees must use correct procedures to log off all devices and shut them down when not in use. Wireless communication devices must be approved by the IT department and installed and secured properly. Portable devices, such as laptops, tablets, and cell phones, must be properly stored and secured when not in use.
Change management
Change management is a systematic way of approving and executing change in order to ensure maximum security, stability, and availability of information technology services. When an organization changes its hardware, software, infrastructure, or documentation, it risks the introduction of unanticipated consequences. Changes may also be necessary in response to a security incident where modifications are required to resolve the issue. Therefore, it is important that an organization be able to properly assess risk; to quantify cost of training, support, maintenance, or implementation; and to properly weigh benefits against the complexity of a proposed change. By maintaining a documented change management procedure, an organization can protect itself from potential adverse effects of hasty change.
Keypads and cipher locks
Cipher locks require that a user press buttons in the correct sequence in order to open a door. The buttons may be mechanical and built into the door handle, or they may be in the form of a keypad. A cipher lock may have four or five push buttons, depending on the manufacturer, and the code may be one to five digits. The codes can be changed at any time. Some organizations use keyed locks to maintain physical security, and use cipher locks to control access, limiting unannounced intrusions or unescorted entry to particular areas of a building.
Door Access Controls
Door access controls provide an electronic and programmable device that people have to interact with in order to gain access to a door. Some of these controls can also limit access based on the time and date. This includes devices such as electronic keypads, card readers, and intercoms.
• Electronic keypads require that the user enter a code before the door will unlock. You can program different codes for different users and remove codes for users who no longer require access.
• Card readers require that a user insert their card before the door will unlock. The card identifies the user and the user's profile determines which doors they have access to. User profiles can be edited or removed as necessary.
• Intercoms require that a user press a button to speak to a user inside the building and request access. The user inside the building can then press a button to unlock the door.
Traffic control
Firewalls control traffic by blocking or allowing communications. Inbound and outbound traffic can be blocked or allowed by firewall rules. These rules are specific to inbound or outbound traffic, so one kind of traffic may be allowed when outbound but blocked when inbound, depending on the rules. Typically, rules can be configured to specify the device, user, program, service, or port and protocol that they apply to. A firewall may be configured to allow or block all traffic in either direction by default. If all traffic is blocked by default, then you can create rules to allow specific traffic. If all traffic is allowed by default, then you can create rules to block specific traffic. Blocking all traffic and adding exceptions to allow specific traffic is more secure.
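The direction-specific, first-match rule evaluation and the two default policies described above, as an added Python example (not part of the original notes); the rule sets and sample packets are constructed for illustration:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str      # "inbound" or "outbound"
    protocol: str       # "tcp", "udp", ...
    port: int           # destination port on the local side


@dataclass(frozen=True)
class Rule:
    direction: str                  # a rule applies to one direction only
    action: str                     # "allow" or "block"
    protocol: Optional[str] = None  # None matches any protocol
    port: Optional[int] = None      # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (pkt.direction == self.direction
                and self.protocol in (None, pkt.protocol)
                and self.port in (None, pkt.port))


class Firewall:
    """First-match rule evaluation with a per-direction default policy."""

    def __init__(self, default_inbound: str, default_outbound: str, rules: List[Rule]):
        self.defaults = {"inbound": default_inbound, "outbound": default_outbound}
        self.rules = rules

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        # Nothing matched: the default policy for that direction applies.
        return self.defaults[pkt.direction]


def compare_policies() -> Dict[str, Tuple[str, str]]:
    """Run constructed sample traffic through a default-deny and a default-allow firewall.

    Returns {sample_name: (default_deny_decision, default_allow_decision)}.
    """
    # Default-deny inbound: only explicitly published services get in.
    strict = Firewall("block", "allow", [
        Rule("inbound", "allow", protocol="tcp", port=443),   # published HTTPS service
        Rule("outbound", "block", protocol="tcp", port=23),   # no cleartext Telnet out
    ])
    # Default-allow: the administrator must remember to block each unwanted port.
    permissive = Firewall("allow", "allow", [
        Rule("inbound", "block", protocol="tcp", port=23),
        Rule("outbound", "block", protocol="tcp", port=23),
    ])
    samples = {
        "ssh_in": Packet("inbound", "tcp", 22),      # same port, two directions
        "ssh_out": Packet("outbound", "tcp", 22),
        "https_in": Packet("inbound", "tcp", 443),
        "telnet_out": Packet("outbound", "tcp", 23),
        "rdp_in": Packet("inbound", "tcp", 3389),    # nobody wrote a rule for this
    }
    return {name: (strict.decide(p), permissive.decide(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (strict, permissive) in compare_policies().items():
        print(f"{name:11} default-deny={strict:5}  default-allow={permissive}")
```

The rdp_in sample shows why the notes call default-deny more secure: traffic nobody thought to write a rule for is dropped instead of admitted.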
Guidelines for hardening networks
Follow these guidelines to harden networks:
• Keep devices up-to-date with the latest security patches.
• Use an organized patch management system to optimize the task of managing and applying patches.
• Use an anti-malware application to protect devices from malicious programs.
• Keep anti-malware applications up-to-date.
• Consider using switch port security methods to make switches more secure.
• Use secure protocols whenever transmitting secure data or user credentials.
• Employ wireless security controls to make your wireless networks more secure.
• Consider disabling unneeded network services to reduce the possible avenues for attacks.
• Disable unneeded user accounts.
• Change default passwords.
• Implement security settings based on the concept of least privilege.
• Implement access lists such as web content/filtering, port filtering, IP filtering, and implicit deny to improve network security.
• Be sure to use some form(s) of user authentication, such as Challenge Handshake Authentication Protocol (CHAP)/Microsoft Challenge Handshake Authentication Protocol (MSCHAP), Password Authentication Protocol (PAP), EAP, Kerberos, multifactor authentication, two-factor authentication, and single sign-on (SSO).
• Consider using vulnerability testing tools to scan the system for any remaining vulnerabilities.
NAC and Protocols
IEEE 802.1x is a standard for securing networks by implementing Extensible Authentication Protocol (EAP) as the authentication protocol over either a wired or wireless Ethernet LAN, rather than the more traditional implementation of EAP over Point-to-Point Protocol (PPP). IEEE 802.1x, often referred to as port authentication, employs an authentication service, such as Remote Authentication Dial-In User Service (RADIUS), to secure clients, removing the need to implement security features in access points (APs), which typically do not have the memory or processing resources to support complex authentication functions. In 802.1x, the switch or wireless access point puts the client session on hold and does not allow it to enter the network until either the device or user is authenticated and authorized by a RADIUS server. If you have ever been to a wireless hotspot where you had to enter a user name and password in a browser before you could access the Internet, you have experienced 802.1x. The IEEE 802.1x standard is used to provide Port-based Network Access Control (PNAC), using the 802.11a and 802.11b protocols. 802.1x uses EAP to provide user authentication against a directory service.
Routed mode and virtual wire mode
In Routed mode, the firewall is considered to be a router hop in the network. It can perform NAT between connected networks, and can use Open Shortest Path First (OSPF) or Routing Information Protocol (RIP) (in single context mode). Routed mode supports many interfaces in which each is on a different subnet. In Virtual Wire mode, the firewall logically binds two ports together and passes all traffic to the other port without any switching or routing. It is not seen as a router hop to connected devices. Full inspection and control for all traffic is enabled, and no networking protocol configuration is required.
Area security
In a situation that requires investigation, try to secure the area as best you can. If it is a physical location such as a room, then close off the area using doors. You can put up signs and send out a notice that the area is off limits until further notice. If it is a digital location, then you can try to take it offline if it won't have a negative impact on operations. If it is a single device, then you can put that in a secure location. The main idea is that you want to preserve the area as it is so that you can investigate without other people adding, removing, or altering any evidence that may exist. If you have trouble getting the area secured because other people insist they need to be there, escalate the issue to a manager or other senior employee who can help you.
Emergency procedures
In the event of an emergency, your organization needs to have established emergency procedures and the proper equipment. In the case of a fire, earthquake, or similar disaster, employees need to know where the emergency exits are and where to gather once outside the building. There also need to be procedures in place to inform employees how to act if hostile intruders gain access to the premises. Emergency equipment such as smoke detectors, fire extinguishers, and fire and security alarms need to be in place and maintained. Document these procedures and ensure that each employee is familiar with them.
If there is ever an emergency in your building, you need to get everyone out safely and protect your network assets at the same time. The building layout can be an important key to keeping people and assets safe. Server rooms in the center of the building are better positioned not only for running cables to all areas, but also because that location provides some protection against people on the street easily gaining access to them. Someone posing as an emergency responder who is actually there to attack or steal network assets would have to pass many employees and other emergency personnel to reach a server room located in the center of the building.
Your building should have clearly marked safety and emergency exits, and the fire escape plan should be drilled at least twice a year. In the event of a fire, hostage situation, or natural disaster, employees should be alerted to any potential problems through an emergency alert system. This might include sirens and lights within the building, being included on lists of business and school closings, and phone or text messages to alert network users to the problem.
When developing applications or allowing network access, developers need to determine what will happen if an error or exception is encountered. Fail open and fail closed describe the behavior of applications and networks when an error or exception is encountered: after the error, a fail open system continues to allow access, while a fail closed system denies access.
A Material Safety Data Sheet (MSDS) is a technical bulletin that is designed to give users and emergency personnel information about the proper procedures for the storage and handling of a hazardous substance. This applies to any situation in which an employee is exposed to a chemical under normal use conditions or in the event of an emergency. The manufacturers supply MSDSs with the first shipment to a new customer and with any shipment after the MSDS is updated with significant and new information about safety hazards. You can get MSDSs online; the Internet has a wide range of free resources. The Occupational Health and Safety Administration (OSHA) regulations govern the use of MSDSs and the information an MSDS must contain in the U.S.
Employee education
Information security is not the exclusive responsibility of information professionals. A comprehensive security plan can succeed only when all members of an organization understand and comply with the necessary security practices. IT professionals are often the ones responsible for educating employees and encouraging their compliance with security policies. You will need a process for implementing end-user awareness and training. The process of employee security education consists of three components.
Awareness: Education begins with awareness. Employees must be aware of the importance of information security and be alert to its potential threats. Employees also need to be aware of the role they play in protecting an organization's assets and resources. A network security professional can create awareness through seminars, email, or information on a company intranet.
Education: Employees should be trained and educated in security procedures, practices, and expectations from the moment they walk through the door. Employees' responsibility for organizational security starts the second they join the organization and have access to the physical building and resources, as well as the intellectual property inside. Education should continue as the technology changes and new information becomes available. Education takes many forms, from training sessions to online courses employees can take at work. Educated users are one of your best defenses against social engineering attacks.
Communication: Once employees are aware of security issues and the role they play in protecting the organization's assets, the lines of communication between employees and the security team must remain open. Network security professionals can accomplish this by encouraging employees to ask questions and provide feedback on security issues. Also, the security team must take responsibility for keeping the workforce informed of ongoing security concerns and updated practices and standards.
Firewall placement
It is important to consider where firewalls should be placed in your network. Typically, firewalls are placed on the network perimeter where the private LAN connects to the Internet or other public WAN. This is a critical placement because the private-public network edge is still considered particularly vulnerable to intrusions from external sources. Firewalls should also be placed throughout the internal network in key locations. This will help protect against internal threats. To increase protection from internal threats, firewalls can also be placed at internal network perimeters. Examples of these perimeters, or trust boundaries, are between switches and back-end servers, between different departments, and where a wireless LAN connects the wired network. Placing firewalls in multiple network segments also helps organizations comply with the latest corporate and industry governance mandates. Sarbanes-Oxley, Gramm-Leach-Bliley (GLB), Health Insurance Portability and Accountability Act (HIPAA), and Payment Card Industry Data Security Standard (PCI-DSS), for example, contain requirements about information security auditing and tracking.
Common firewall features
Modern firewall software and hardware can offer many features and a great deal of functionality.
Scanning services: Provides the ability to scan incoming and outgoing packets and perform some action based on the content of those packets.
Content filtering: Blocks restricted websites or content. This can be accomplished by URL filtering, or inspection of each file or packet. Some firewalls have this functionality built in; in other cases, each request is passed to a filtering server that can approve or deny the request.
Signature identification: Many modern firewalls can scan for and detect indicators and patterns that may indicate that a network-based attack is under way. These indicators could also signify that data in question is not legitimate or could be infected with a virus, Trojan, or other malicious code. These indicators are compared against a list of known features, or signatures, of common threats including network-based attacks and viruses. The data is then handled according to the rules established by the firewall administrator.
Zones: Firewall zones are used to create a virtual or physical network topology or architecture that creates separate areas (zones) with differing security levels. For example, web servers may be placed inside firewalls with increased security due to frequent attacks, while a departmental file server might be placed in a medium security zone because it is less likely to be directly attacked.
Port security: Port security is the process of properly securing ports on a network. The process includes:
• Disabling unnecessary services.
• Closing ports that are by default open or have limited functionality.
• Regularly applying the appropriate security patches.
• Hiding responses from ports that indicate their status and allow access to pre-configured connections only.
In higher-security environments, you also can configure firewalls to block unapproved outbound traffic from leaving the private network.
Network address translation (NAT)
Network address translation (NAT) conceals internal addressing schemes from external networks such as the Internet. A router is configured with a single public IP address on its external interface and a nonroutable address on its internal interface. A NAT service running on the router or on another device translates between the two addressing schemes. Packets sent to the Internet from internal hosts all appear as if they came from a single IP address, thus preventing external hosts from identifying and connecting directly to internal devices.
Both proxy servers and NAT devices readdress outgoing packets. However, NAT simply replaces the original source address on the packet. Proxy servers actually examine the packet contents and then generate a new request packet, thus providing an additional level of protection between the original requesting client and the external network.
NAT can be implemented as software on a variety of systems, or as hardware in a dedicated device such as a router. Internet Connection Sharing (ICS) in Windows systems includes a simple software-based NAT implementation, but requires a separate device, such as a modem, to provide Internet connectivity. Hardware-based NAT devices, such as cable modems and digital subscriber line (DSL) routers, often have extended functionality and can double as Internet access devices. In static NAT, an unregistered address is mapped to a single specific registered address. In dynamic NAT, a single unregistered address is mapped to the first registered address in an address pool. In Windows, you can configure NAT in Routing and Remote Access.
In Linux®, you can configure it by entering the following commands as root:
    modprobe iptable_nat                                   # load the NAT table module
    echo 1 > /proc/sys/net/ipv4/ip_forward                 # enable IP forwarding between interfaces
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE   # rewrite the source of packets leaving via eth0 (external)
    iptables -A FORWARD -i eth1 -j ACCEPT                  # forward packets arriving from eth1 (internal)
Port address translation (PAT) is a subset of dynamic NAT functionality that maps either one or more unregistered addresses to a single registered address using multiple ports. PAT is also known as overloading. SNAT is an intensely debated acronym that can stand for Secure NAT, Stateful NAT, Source NAT, or Static NAT, depending on the source of information. Per Cisco, the originators of NAT, SNAT stands for Stateful NAT. SNAT includes two or more routers working together to perform NAT. Dynamic NAT (DNAT) uses a group of public IP addresses, rather than mapping to a specific public IP address.
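Static NAT, dynamic NAT from an address pool, and PAT overloading, shown as a translation table in Python; this is an added example, not code from the notes, and the inside (192.168.1.x) and public (203.0.113.x) addresses are constructed sample values:

```python
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, TCP/UDP port)


class NatTable:
    """Translation table for the three NAT flavours the notes describe.

    mode "static":  each inside address has a fixed public address (port unchanged)
    mode "dynamic": an inside address takes the first free address from a pool
    mode "pat":     every inside flow shares one public address, told apart by port
    """

    def __init__(self, mode: str, public_addrs: List[str],
                 static_map: Optional[Dict[str, str]] = None,
                 pat_ports: Tuple[int, int] = (1024, 65535)):
        if mode not in ("static", "dynamic", "pat"):
            raise ValueError(f"unknown NAT mode {mode!r}")
        self.mode = mode
        self.public_addrs = list(public_addrs)
        self.static_map = dict(static_map or {})
        self.next_port, self.max_port = pat_ports
        self.addr_map: Dict[str, str] = {}        # inside IP -> pool address (dynamic)
        self.out: Dict[Endpoint, Endpoint] = {}   # inside flow -> public flow (PAT)
        self.back: Dict[Endpoint, Endpoint] = {}  # public flow -> inside flow (PAT)

    def translate_out(self, inside: Endpoint) -> Optional[Endpoint]:
        """Rewrite the source of an outgoing packet; None means it cannot be sent."""
        ip, port = inside
        if self.mode == "static":
            pub = self.static_map.get(ip)
            return (pub, port) if pub else None
        if self.mode == "dynamic":
            if ip not in self.addr_map:
                in_use = set(self.addr_map.values())
                free = [a for a in self.public_addrs if a not in in_use]
                if not free:
                    return None          # pool exhausted: a new host cannot get out
                self.addr_map[ip] = free[0]
            return (self.addr_map[ip], port)
        # PAT: one public address, a fresh public port per inside (ip, port) pair
        if inside not in self.out:
            if self.next_port > self.max_port:
                return None              # all translation ports are in use
            pub = (self.public_addrs[0], self.next_port)
            self.next_port += 1
            self.out[inside] = pub
            self.back[pub] = inside
        return self.out[inside]

    def translate_in(self, public: Endpoint) -> Optional[Endpoint]:
        """Map a reply arriving on the public side back to the inside host.

        An unsolicited packet with no table entry returns None, which is why
        NAT on its own already keeps outsiders from reaching inside hosts directly.
        """
        if self.mode == "pat":
            return self.back.get(public)
        pub_ip, port = public
        table = self.static_map if self.mode == "static" else self.addr_map
        for inside_ip, mapped in table.items():
            if mapped == pub_ip:
                return (inside_ip, port)
        return None


def demo() -> Dict[str, Optional[Endpoint]]:
    """Constructed traffic: inside hosts that all happen to use source port 5000."""
    results: Dict[str, Optional[Endpoint]] = {}

    pat = NatTable("pat", ["203.0.113.10"])
    results["pat_host_a"] = pat.translate_out(("192.168.1.10", 5000))
    results["pat_host_b"] = pat.translate_out(("192.168.1.11", 5000))
    results["pat_reply_b"] = pat.translate_in(("203.0.113.10", 1025))
    results["pat_unsolicited"] = pat.translate_in(("203.0.113.10", 4444))

    dyn = NatTable("dynamic", ["203.0.113.20", "203.0.113.21"])
    results["dyn_host_a"] = dyn.translate_out(("192.168.1.10", 5000))
    results["dyn_host_b"] = dyn.translate_out(("192.168.1.11", 5000))
    results["dyn_host_c"] = dyn.translate_out(("192.168.1.12", 5000))  # pool exhausted

    static = NatTable("static", ["203.0.113.30"], {"192.168.1.10": "203.0.113.30"})
    results["static_out"] = static.translate_out(("192.168.1.10", 5000))
    results["static_reply"] = static.translate_in(("203.0.113.30", 5000))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16} -> {value}")
```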
Network closets and server rooms
Network closets and server rooms provide a place to store your network hardware and your servers. At a minimum, they allow you to organize and remove equipment from open areas where it can be exposed to accidental damage or interference. They also provide an opportunity to secure and limit access to equipment. Physical access controls can be used to limit the users who can enter these rooms. A network closet contains the hubs, switches, and other network components for that floor or building. A server room contains some or all of the servers for an organization. Both rooms should be dry and have adequate electricity available. A server room may also require air-conditioning. Depending on the layout of the building and the requirements of the organization, these two areas can be in the same room or in separate rooms.
Patch management
Patch management is the practice of monitoring for, obtaining, evaluating, testing, and deploying software patches and updates. As the number of computing devices in use has grown over recent years, so has the volume of vulnerabilities and corresponding patches and updates intended to address those vulnerabilities. So, the task of managing and applying them can be very time-consuming and inefficient without an organized patch management system. In typical patch management, software updates are evaluated for their applicability to an environment and then tested in a safe way on non-production devices. Finally, an organized plan for rolling out a valid patch across the organization is executed.
When vulnerabilities are found in the operating system, updates are made available to users. You will want to test the functionality of the updates before allowing your users to install the updates. Some updates might interfere with the functionality of how some of your applications work. However, you might need to weigh the balance between known vulnerabilities and the functioning of the applications on your network. In order for some updates to function properly, you might need to also update system firmware and drivers. Firmware updates and driver updates should also be thoroughly tested before deploying them in a large rollout.
Additional features might be available with some updates. Be sure you know how the feature changes and updates will affect your users before installing updates. Updates will usually be a minor version number update. For example, if the current version of an application is version 5.4, a minor version might be 5.4.1 or 5.4a. A major version update will usually go from 5.4 to 5.5.
If vulnerabilities in the firmware or operating system software on a server, workstation, or other network device are detected, and an update is issued, you should immediately begin testing the updates. Leaving a vulnerability unprotected can open up your network to attack or failure. Be sure to back up your systems before applying updates. This way, if something goes wrong with updates or additional problems are found after deploying the updates, you can downgrade again to the previous version. If possible, keep a configuration backup of all devices stored so that the devices can easily be restored to the previous configuration if necessary.
Patch management policies: Many organizations have taken to creating official patch management policies that define the who, what, where, when, why, and how of patch management for that organization.
Example: A patch management program might include:
• An individual responsible for subscribing to and reviewing vendor and security patches and updating newsletters
• A review and triage of the updates into urgent, important, and non-critical categories
• An offline patch-test environment where urgent and important patches can be installed and tested for functionality and impact
• Immediate administrative "push" delivery of approved urgent patches
• Weekly administrative "push" delivery of approved important patches
• A periodic evaluation phase and "pull" rollout for non-critical patches
Penetration testing
Penetration testing is an attack authorized by the owner of a computing device or a network, with the purpose of finding security weaknesses that could be exploited by a real attacker. The goal is to determine if the device or network has any weaknesses. A penetration test may be a white box or black box. A white box is where all background and device information is provided to the attacker, and a black box is where only basic or even no information is provided except the company name. Penetration testing can help discover if a device's defenses prevented a successful attack, if it is vulnerable to attack, and which defenses, if any, were defeated. The results of the penetration test should then be reported to the owners so that they are aware of any issues they need to address. Penetration test reports may also assess the potential impact to the organization and suggest countermeasures to reduce risks.
General Physical Security Considerations
Physical security is as important as network security in protecting an organization and employees from crime. An organization's physical components have vulnerabilities that should be mitigated by employing appropriate physical security measures.
Building and grounds:
Location:
• Is the building located in a high-crime area or in a relatively remote location that would be hard to access in the event of a natural disaster?
• If so, what protections do you have in place to deter theft or vandalism, and to recover from disaster?
• Is it in a flood area?
Fire risks:
• Is the building adequately covered by a fire-suppression system? Not just the server room, but other general areas as well.
• Are critical devices and server rooms equipped with special fire-protection methods? Will a fire accidentally destroy the storage systems? Will data be compromised?
• Is network cabling in the plenum areas of the building fire-resistant?
Electrical shielding: Are the building and the network equipment protected from electrical surges and other interference from the outside?
Physical access control:
• Are there physical barriers in place, such as fences, locks, mantraps, and monitored reception areas, to protect the building from unauthorized access?
• Are strict physical access controls, such as biometric authorization, deployed to restrict access to sensitive areas?
• Is there video or still-image surveillance in place to deter or help prosecute any unwanted access?
Devices:
Servers:
• Are all the servers in one physical location?
• If someone gains access to a server room, does she have access to every server in the company?
Laptops/Tablets: These items are easily misplaced or stolen and often contain highly sensitive information.
Mobile phones: Confidential conversations about proprietary company information should be held on land lines and not over wireless channels that do not use encryption. You may also want to disallow the use of unencrypted wireless devices for business purposes.
Other wireless devices: Cameras, iPods, and similar digital devices can carry enormous amounts of data. Do you want those being carried around the building?
Communications:
Telecommunications: Phone company cables, transformers, and switches can be intentionally or unintentionally damaged or tapped.
Service providers: Third-party ISPs and other service providers may have security holes that your organization has no control over. Can your provider maintain your service if they have a loss or failure and, if not, do you have a backup plan?
Wireless cells: Are your wireless access points placed and secured properly so that outside parties cannot connect to your network?
Air flow
Proper air flow management is the effort to maximize cooling by either supplying cooling air to equipment, or by eliminating the mixing and recirculation of hot equipment exhaust air. Most network equipment has an optimal temperature and humidity that it needs to be kept at to ensure proper performance. If it gets too hot or cold it may not run effectively or even fail. An ambient temperature range of 68° to 75°F (20° to 24°C) and humidity levels between 45 and 55 percent is generally recommended for performance and reliability. Your heating, ventilation, and air conditioning (HVAC) system is an important part of keeping your network devices running. Providing proper air flow in server rooms helps keep servers and network devices from overheating. Rows of servers should be placed with fronts facing fronts, creating a cold aisle, and the rear of units creating a hot aisle where ventilation systems can gather up the hot air, cool it, and recirculate the cooled air.
There are several techniques and equipment that can help you control temperature and humidity levels. Some of these are:
• Position diffusers so that they deliver cool air directly to the equipment.
• Use blanking panels on unused rack spaces so that air passes through the equipment rather than around it.
• Use structured cabling systems to eliminate disorganized and excess cables that might restrict exhaust air flow from rack mounted equipment. Also consider cutting cables and power cords to the correct length to allow more room for air to flow away from the back of the rack.
• Remove unnecessary sub-floor obstructions to increase air flow. For example, cabling in the sub-floor plenum can impede proper air circulation.
• Use floor grommets to improve cooling by sealing areas where cables enter and exit plenums.
• Consider getting a professional air flow assessment to help identify ways to improve cooling efficiency.
Rack security
Rack security involves physically securing the racks so that they cannot be tampered with. Lockable doors and covers will prevent access to the rack, and some allow an unobstructed view of knob settings. Server boots can be added to a rack system to fully enclose servers within the rack. Patch panel protectors and cable tracks with covers can be used to restrict unauthorized access to patch panels and cables.
Secure protocols
Secure protocols are ones that do not expose data or credentials in cleartext, so someone who captures the traffic cannot simply read the credentials or data out of it. "Secure" here refers to the transport; the protocol still has to be configured correctly, with current versions and valid certificates, for that protection to hold.
• Secure Shell (SSH): Used for secure data communication, remote command-line login, remote command execution, and other secure network services between two networked devices. It was designed as a replacement for Telnet and other insecure remote shell protocols.
• Hypertext Transfer Protocol Secure (HTTPS): HTTP carried over TLS, used for secure communication over a network, with especially wide deployment on the Internet. The main purpose of HTTPS is to prevent eavesdropping and man-in-the-middle attacks.
• Transport Layer Security/Secure Sockets Layer (TLS/SSL): Used to provide communication security over the Internet. Several versions of the protocols have been in widespread use in applications such as web browsing, electronic mail, Internet faxing, instant messaging, and Voice over IP (VoIP). All versions of SSL, as well as TLS 1.0 and 1.1, are deprecated; TLS 1.2 or 1.3 should be used.
• Secure File Transfer Protocol (SFTP): The SSH File Transfer Protocol, which runs over SSH and is used for secure file access, file transfer, and file management. It is distinct from FTPS, which is FTP over TLS.
• Simple Network Management Protocol (SNMP) (v3): Used for managing devices on IP networks. Version 3 added cryptographic authentication and encryption to protect data and user credentials; versions 1 and 2c authenticate only with a cleartext community string.
• Internet Protocol Security (IPSec): Used for securing IP communications by authenticating and encrypting each IP packet of a communication session.
SOHO firewalls
Small office/home office (SOHO) firewalls are typically derived from enterprise-level firewalls. They offer more than the incidental protection a broadband router provides through NAT (which hides internal addresses but is not a security control in itself). SOHO firewalls retain many enterprise features, such as NAT, stateful packet inspection, and port forwarding. Typically, SOHO firewalls have two interfaces: one for the external or public Internet connection and one for the internal private network. A SOHO has very simple firewall needs and therefore could use almost any traditional firewall. Typically, the rules for a SOHO are to block all unsolicited inbound traffic and to permit all outbound traffic and its responses. A few ports or protocols might be permitted and mapped (port forwarded) to an internal computer, such as a gaming server. There is usually no need for a DMZ, and typically no host-to-site VPN, though a site-to-site VPN might be used if the SOHO has two locations. There is also little or no need for monitoring or alerts. SOHOs typically do not host public servers such as web, email, or Domain Name System (DNS) servers; they use a provider to host these services instead. A SOHO may not have a separate firewall at all, in which case it uses the firewall capabilities of its router.
Software firewalls and hardware firewalls
Software firewalls can be useful for small home offices and businesses, as well as for providing extra protection to clients and servers on the internal network. A host firewall provides many features that can be configured to suit various computing needs. Some features include:
• Opening or closing specific ports, so that only the services the host is meant to offer are reachable.
• Filtering inbound and outbound communication. A user can set up rules or exceptions in the firewall settings to limit access to the web.
• Reporting and logging activity.
• Protecting systems from malware and spyware, and blocking pop-up messages. Strictly, these are features of the security suite the firewall is bundled with rather than of packet filtering itself.
• Assigning, forwarding, and triggering ports.
A hardware firewall is a dedicated device, either stand-alone or built into a router. A router configured with an ACL (a packet filtering router) can also be used as a simple stateless firewall. By today's standards, however, this is considered insufficient to provide any real network security, and it would ordinarily be used by an upstream router to help "weed out" undesirable traffic before it reaches the firewall. Software and hardware firewalls can be used together: the hardware firewall protects the entire network, and the software firewall provides additional protection for individual systems. Note: ACLs and stateless firewalls are discussed in greater depth later in this topic.
Software updates
Software manufacturers regularly issue different types of system updates that can include security-related changes to software.
Patch: A small unit of supplemental code meant to address either a security problem or a functionality flaw in a software package or operating system.
Hotfix: A patch that is often issued on an emergency basis to address a specific security flaw.
Rollup: A collection of previously issued patches and hotfixes, usually meant to be applied to one component of a device, such as the web browser or a particular service.
Service pack: A larger compilation of operating system updates that can include functionality enhancements, new features, and typically all patches, updates, and hotfixes issued up to the point of the release of the service pack.
Posture assessment
Sometimes authorization in NAC is done by using a compliance check. This process is called posture assessment. In this process, the security posture of the connecting device is assessed based on its configuration and on the security software it is running. Checks might include things such as Windows® registry settings, patch level, or the presence of security agents such as antivirus or a personal firewall. A device that fails the check is typically denied access or placed in a quarantine network where it can be remediated before it is allowed onto the production network.
Stateful and stateless inspection
Stateful inspection examines the headers of each packet together with the state of the connection it belongs to between the internal and external devices. Stateless inspection examines each packet on its own and ignores the state of the connection between the internal and external devices.
An Application-layer gateway builds on stateful inspection by analyzing each packet to ensure that the content matches the service it claims to be communicating with. For example, an Application-layer gateway would check traffic on the web port to ensure that it is well-formed HTTP carrying web content. If the data type did not match the acceptable use for the service, the Application-layer gateway would block the packet from passing through. Application-layer gateways can perform deep packet inspection, even on files inside compressed archives such as ZIP or RAR. It is possible to run antivirus checks and even quarantine suspicious data if it matches certain criteria. An Application-layer gateway is a very powerful feature, but it comes at a cost. The processing overhead incurred in analyzing every individual packet passing through the filter is extremely resource intensive. Many products have a separate service for each protocol that will be inspected. Significant processor and memory resources are required to provide the inspection capability while keeping network latency low. In addition, Application-layer gateways are typically expensive.
A stateless firewall performs a stateless inspection by comparing each individual packet to a rule set to see if there is a match and, if there is, acting on that packet (permit or deny) based on the rule. It does not track the lifetime of a connection. It has no memory of whether there was a starting handshake, and cannot detect if an address, port, or protocol has changed in the middle of the conversation. Stateless firewalls can be easily deceived by specially crafted packets.
For example, when the TCP ACK flag is set, that normally indicates that the packet is part of an already existing conversation. A stateless firewall that permits "established" traffic by looking at this flag alone, having no memory of whether the conversation actually started, will permit such a packet to enter the internal network on the assumption that it is part of a legitimate response from an external server to an internal host. An attacker can therefore craft packets with ACK set (and no SYN) to probe or reach internal hosts through such a filter. In contrast, a stateful firewall performs stateful inspection and monitors entire conversations from start to finish. It can detect if the communication has suddenly changed ports (often an indication of hacking activity), whether an appropriate TCP three-way handshake occurred, and whether packets have TCP flags set illegally in an effort to fool the firewall into letting them pass.
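To make the difference concrete, here is an added example (Python written for this page, not code from the page or from any firewall vendor) that runs the same SOHO rule set described under "SOHO firewalls" (deny unsolicited inbound, allow outbound and its replies, forward one port) through a stateless filter and a stateful one, with the implicit-deny default described under "Implicit deny and firewalls". The addresses, the forwarded port 27015, the internal game server and the packets are all constructed; the "established" rule in the stateless filter, which matches on the ACK flag alone, is the router ACL behavior the paragraph above describes.

```python
"""Stateless vs. stateful filtering of one SOHO policy, simulated.

Added example, not code from the page or from any firewall product.
Policy modelled: implicit deny; permit all outbound traffic and its
replies; forward TCP 27015 to one internal game server. Addresses,
ports and packets below are constructed sample data.
"""
from dataclasses import dataclass

LAN_PREFIX = "192.168.1."         # assumed internal network
GAME_SERVER = "192.168.1.50"      # assumed host behind the forwarded port
FORWARDED_TCP_PORTS = {27015}

SYN = frozenset({"SYN"})
SYNACK = frozenset({"SYN", "ACK"})
ACK = frozenset({"ACK"})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset              # TCP flags set on the packet


def is_internal(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


def stateless_decision(pkt: Packet) -> str:
    """Match the packet against the rule list with no memory of earlier packets."""
    if is_internal(pkt.src):
        return "permit"                                   # all outbound
    if pkt.dst == GAME_SERVER and pkt.dport in FORWARDED_TCP_PORTS:
        return "permit"                                   # explicit port forward
    if "ACK" in pkt.flags:
        return "permit"      # "established" judged by the ACK flag alone: the weakness
    return "deny"                                         # implicit deny


class StatefulFirewall:
    """Admits inbound packets only for connections already in its state table."""

    def __init__(self) -> None:
        # (internal_ip, internal_port, external_ip, external_port) -> state
        self.table: dict[tuple, str] = {}

    def decision(self, pkt: Packet) -> str:
        if is_internal(pkt.src):                          # outbound
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == SYN:
                self.table[key] = "OPENING"               # connection opened from inside
                return "permit"
            if key in self.table and "ACK" in pkt.flags:
                self.table[key] = "ESTABLISHED"
                return "permit"
            return "deny"                # no such connection, or flags make no sense
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)    # inbound
        state = self.table.get(key)
        if state == "OPENING":
            if pkt.flags == SYNACK:                       # the one legal reply to a SYN
                self.table[key] = "ESTABLISHED"
                return "permit"
            return "deny"
        if state == "ESTABLISHED":
            if "ACK" in pkt.flags and "SYN" not in pkt.flags:
                return "permit"
            return "deny"                                 # illegal flags mid-conversation
        if (pkt.dst == GAME_SERVER and pkt.dport in FORWARDED_TCP_PORTS
                and pkt.flags == SYN):
            self.table[key] = "OPENING"                   # forwarded port: inbound SYN opens it
            return "permit"
        return "deny"             # unsolicited inbound, ACK flag or not: implicit deny


def compare(packets: list[Packet]) -> list[tuple[str, str]]:
    """Run one packet sequence through both filters; returns (stateless, stateful) verdicts."""
    fw = StatefulFirewall()
    return [(stateless_decision(p), fw.decision(p)) for p in packets]


CLIENT, WEB, ATTACKER = "192.168.1.10", "93.184.216.34", "203.0.113.9"
SAMPLE_PACKETS = [                                         # constructed traffic
    Packet(CLIENT, WEB, 51000, 443, SYN),             # 0 LAN host opens a connection
    Packet(WEB, CLIENT, 443, 51000, SYNACK),          # 1 legitimate reply
    Packet(CLIENT, WEB, 51000, 443, ACK),             # 2 handshake completes
    Packet(WEB, CLIENT, 443, 51000, ACK),             # 3 data from the server
    Packet(ATTACKER, CLIENT, 4444, 139, ACK),         # 4 crafted ACK, no conversation exists
    Packet(ATTACKER, CLIENT, 4444, 22, SYN),          # 5 unsolicited inbound SYN
    Packet(ATTACKER, GAME_SERVER, 4444, 27015, SYN),  # 6 inbound to the forwarded port
    Packet(WEB, CLIENT, 443, 51001, ACK),             # 7 port changed mid-conversation
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(SAMPLE_PACKETS, compare(SAMPLE_PACKETS)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {sorted(pkt.flags)}"
              f"  stateless={stateless} stateful={stateful}")
```

Packet 4 is the crafted ACK: the stateless filter lets it through, the stateful one drops it because no connection with that address and port pair exists in its table. Packet 7 shows the mid-conversation port change and gets the same split verdict. Everything else, including the forwarded game-server connection, is treated identically by both filters, which is why the weakness is easy to miss in testing.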
Persistent and Non-persistent agents
The code that authenticates users and devices on behalf of an application for network access control can be a persistent or non-persistent agent. The agent can verify that the user or device meets specific requirements before being allowed access. This might include verifying that the device has or does not have certain applications installed and that the antivirus software is up-to-date. A persistent agent is a piece of software that installs on the client device, and can respond continuously to queries from the NAC about the device's health. It stays on the device until uninstalled. A non-persistent agent , also known as a dissolvable agent, is one that is installed on demand and then removed after it is used. The agent installs, responds to NAC queries to check the health of the device, authenticates the device, and then disappears when the session is over. There is also an "agentless" approach. This uses a device's Active Directory domain membership to verify health. Services that already exist on any Microsoft ® operating system are used to perform the task. You have to enable the services before you can use them.
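The checks an agent (persistent or dissolvable) reports back, and the decision the NAC makes from them, look roughly like the following added example, Python written for this page and not taken from any NAC product. It serves both the "Posture assessment" passage above and this one. The report fields, the policy thresholds, the YYYYMM patch-level encoding, the choice of the EnableLUA registry value as the "required setting", and both sample devices are assumptions.

```python
"""Posture assessment: a policy check over a NAC agent's device report.

Added example, not from the page or from any NAC product. The report
layout, the policy values, the registry key chosen and the two sample
devices are all assumptions constructed for illustration.
"""
from datetime import date

POLICY = {
    "max_signature_age_days": 7,
    "host_firewall_required": True,
    "min_patch_level": 202403,                  # assumed YYYYMM patch baseline
    "prohibited_software": {"torrent-client", "keylogger-tool"},
    "required_registry": {                      # assumed check: UAC must be enabled
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": 1,
    },
}
ASSESSMENT_DATE = date(2024, 4, 1)              # fixed "today" so results are reproducible


def assess(report: dict, today: date, policy: dict = POLICY) -> tuple[str, list[str]]:
    """Return ("production", []) or ("quarantine", [reasons]) for one device report."""
    findings = []

    av = report.get("antivirus") or {}
    if not av.get("installed"):
        findings.append("antivirus agent missing")
    else:
        updated = date.fromisoformat(av.get("signatures_updated", "1970-01-01"))
        age = (today - updated).days
        if age > policy["max_signature_age_days"]:
            findings.append(f"antivirus signatures {age} days old")

    if policy["host_firewall_required"] and not report.get("host_firewall_enabled", False):
        findings.append("host firewall disabled")

    patch = report.get("patch_level", 0)
    if patch < policy["min_patch_level"]:
        findings.append(f"patch level {patch} below baseline {policy['min_patch_level']}")

    banned = policy["prohibited_software"] & set(report.get("installed_software", []))
    if banned:
        findings.append("prohibited software present: " + ", ".join(sorted(banned)))

    registry = report.get("registry", {})
    for key, wanted in policy["required_registry"].items():
        if registry.get(key) != wanted:
            findings.append(f"registry value {key} is {registry.get(key)!r}, expected {wanted!r}")

    # Missing fields count as failures above: an agent that cannot answer is not trusted.
    return ("production", []) if not findings else ("quarantine", findings)


UAC_KEY = next(iter(POLICY["required_registry"]))
COMPLIANT_DEVICE = {                                  # constructed report
    "antivirus": {"installed": True, "signatures_updated": "2024-03-30"},
    "host_firewall_enabled": True,
    "patch_level": 202403,
    "installed_software": ["office-suite", "pdf-reader"],
    "registry": {UAC_KEY: 1},
}
STALE_DEVICE = {                                      # constructed report
    "antivirus": {"installed": True, "signatures_updated": "2024-03-01"},
    "host_firewall_enabled": False,
    "patch_level": 202312,
    "installed_software": ["office-suite", "torrent-client"],
    "registry": {UAC_KEY: 0},
}

if __name__ == "__main__":
    for name, report in ("laptop-a", COMPLIANT_DEVICE), ("laptop-b", STALE_DEVICE):
        verdict, reasons = assess(report, ASSESSMENT_DATE)
        print(name, verdict, *reasons, sep="\n  ")
```

The design choice worth copying is that every absent field fails the check: a report that omits the antivirus section or the registry value is treated as non-compliant rather than as "unknown, allow", which is the posture equivalent of implicit deny. A dissolvable agent produces exactly this kind of report once and then removes itself; a persistent agent can be polled for a fresh one whenever the NAC wants to re-check.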
Implicit deny and firewalls
The principle of implicit deny dictates that, when using a firewall, anything that is not explicitly allowed is denied. Users and software should only be allowed to access data and perform actions when permissions are specifically granted to them; no other action is allowed. Many hardware firewalls are configured out of the box with implicit deny in both directions, inbound and outbound, and it is then up to the administrator to permit traffic as desired. Most administrators will allow some level of outbound traffic, but will continue to deny inbound traffic that is not already part of an established connection. Most software firewalls on a host are configured to permit all outbound traffic originating from the host, with an implicit deny blocking inbound traffic to the host. Usually, when an application or service is installed on a host, the installer also adds a host firewall rule permitting that service's traffic; such automatically added rules should be reviewed, since each one widens the host's exposure without an explicit administrator decision.
Wireless security controls
There are different controls that can be used to harden wireless networks.
WEP: Wired Equivalent Privacy (WEP) encrypts wireless communications. It was designed to provide the same level of security as wired networks, but WEP has many well-known security flaws, its key can be recovered from captured traffic, and it should not be used.
WPA/WPA2: Wi-Fi Protected Access (WPA) and WPA2 both encrypt wireless communications, making them less vulnerable to unauthorized access. Both offer better security than WEP, with WPA2 being more secure. Both protocols have a Personal and an Enterprise mode. Personal mode uses a preshared key (PSK) that all clients share, so the network is only as secret as that key. Enterprise mode uses 802.1X authentication and a unique encryption key for every client that logs on to the network.
TKIP/AES: Temporal Key Integrity Protocol (TKIP), built on the RC4 cipher, provides the encryption for WPA; Advanced Encryption Standard (AES), used in CCMP mode, provides the encryption for WPA2. TKIP was a stop-gap designed to run on WEP-era hardware and is itself deprecated; AES/CCMP should be selected wherever the hardware supports it.
TLS/TTLS: Transport Layer Security (TLS) is a security protocol that protects sensitive communication from being eavesdropped on and tampered with. As an Extensible Authentication Protocol (EAP) method, EAP-TLS requires a certificate for every user or device. Tunneled Transport Layer Security (EAP-TTLS) extends this by providing authentication that is as strong as TLS without requiring that each user be issued a certificate: only the authentication servers are issued certificates, and the client authenticates inside the TLS tunnel, for example with a password.
MAC filtering: MAC filtering restricts access to a wireless network by allowing access only to devices with specified MAC addresses. Because MAC addresses are sent in the clear in every frame and are trivially changed in software, MAC filtering only deters casual users; it is not a substitute for encryption and authentication.
Types of IDSs
There are several general categories of IDSs that you can use, alone or in combination with each other.
Network-based: An IDS that monitors network traffic and alerts when unacceptable traffic is seen (an IDS detects and alerts; actively blocking traffic is the role of an IPS). It can be connected to a switch, typically on a mirror (SPAN) port or via a network tap, and is most often referred to as a network intrusion detection system (NIDS). An example of a NIDS is Snort. A network-based IDS primarily uses passive hardware sensors to monitor traffic on a specific segment of the network. A network-based IDS cannot analyze encrypted packets, because it has no way to decrypt them, unless the traffic is decrypted for it upstream (for example by a TLS-terminating proxy). It can sniff traffic and send alerts about anomalies or concerns. Many network-based IDSs allow administrators to customize detection rules so that they may be tailored to a specific environment.
Host-based: An IDS capability installed on a workstation or server to protect that device. It monitors the device internally, and detects which program accesses particular resources. It checks the host completely, gathers information from the file system, log files, and similar places, and detects any deviations from the security policy. This type of IDS is most often referred to as a host intrusion detection system (HIDS). A host-based system primarily uses software installed on a specific host, such as a web server. Host-based IDSs can analyze data that was encrypted in transit, because they inspect it after the host has decrypted it. However, host-based IDSs use the resources of the host they are installed on, and this can add to the processing time of other applications or services. Many host-based IDSs allow administrators to customize detection rules so that they can be tailored to a specific environment.
Pattern- or signature-based: An IDS that uses a predefined set of rules to identify traffic that is unacceptable. These rules contain patterns and signatures, typically provided by software vendors, that identify known security issues. A signature-based IDS cannot detect an attack for which no signature exists yet, so its rule set must be kept current.
Anomaly- or behavior-based: An IDS that builds a baseline of normal traffic patterns by analyzing traffic flows during a learning period, and then alerts on traffic that deviates from that baseline. Anomaly-based systems are dynamic and can detect previously unknown attacks, but they produce more false positives than signature matching, and the baseline must be learned from traffic that is known to be clean, or an attacker's activity becomes part of "normal".
Protocol-based: An IDS installed on a server, such as a web server, that monitors the protocol(s) used by the device. It consists of a system or agent at the front end of the server that monitors and analyzes the communication protocol between a connected device and the system.
Application protocol-based: An IDS that monitors the application protocol(s) in use by the system. It contains an agent that sits between a process, or between multiple servers, and analyzes the application protocol between two devices. Application-based IDSs monitor traffic within or related to a specific application. They may be used in conjunction with a network- or host-based IDS to add another layer of protection to a critical application, such as a customer database.
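The following added example (Python written for this page, not derived from Snort or any product named here) runs a signature matcher and a simple anomaly detector over the same constructed traffic window, to show what each catches and what each misses. The signatures, the baseline windows and the traffic records are all constructed; the anomaly score is a z-score over the number of distinct destination ports a source contacts per window, learned from the clean windows.

```python
"""Signature-based and anomaly-based detection over the same sample traffic.

Added example, not code from Snort or any product named on the page.
The signatures, the baseline windows and the traffic records are all
constructed here; a real sensor would read these from the wire.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Signature rules: known-bad byte patterns in the payload (vendor-supplied in practice).
SIGNATURES = [
    ("web-attack: directory traversal", re.compile(rb"\.\./\.\./")),
    ("web-attack: sql injection", re.compile(rb"(?i)union\s+select")),
    ("shell: netcat reverse shell", re.compile(rb"nc\s+-e\s+/bin/sh")),
]


def rec(src: str, dport: int, payload: bytes = b"") -> dict:
    """One observed connection (constructed sample data)."""
    return {"src": src, "dport": dport, "payload": payload}


def signature_matches(record: dict) -> list[str]:
    return [name for name, rx in SIGNATURES if rx.search(record["payload"])]


def distinct_ports(window: list[dict]) -> dict[str, int]:
    """Distinct destination ports contacted by each source in one window."""
    seen = defaultdict(set)
    for r in window:
        seen[r["src"]].add(r["dport"])
    return {src: len(ports) for src, ports in seen.items()}


class AnomalyDetector:
    """Learns how many ports a source normally touches per window, flags outliers."""

    def __init__(self, z_threshold: float = 3.0) -> None:
        self.z_threshold = z_threshold
        self.mu = self.sigma = None

    def train(self, windows: list[list[dict]]) -> None:
        # The baseline must be learned from traffic known to be clean.
        samples = [n for w in windows for n in distinct_ports(w).values()]
        self.mu = mean(samples)
        self.sigma = pstdev(samples) or 1.0            # avoid division by zero

    def detect(self, window: list[dict]) -> dict[str, int]:
        return {src: n for src, n in distinct_ports(window).items()
                if (n - self.mu) / self.sigma > self.z_threshold}


def analyze(window: list[dict], detector: AnomalyDetector) -> list[tuple[str, str, str]]:
    """Alerts as (method, source, detail) from both detectors over one window."""
    alerts = []
    for r in window:
        for name in signature_matches(r):
            alerts.append(("signature", r["src"], name))
    for src, n in detector.detect(window).items():
        alerts.append(("anomaly", src, f"{n} distinct ports contacted in one window"))
    return alerts


A, B, C = "192.168.1.10", "192.168.1.11", "192.168.1.12"
TRAINING_WINDOWS = [                                     # constructed clean traffic
    [rec(A, 80), rec(A, 443), rec(B, 443), rec(C, 22)],
    [rec(A, 443), rec(B, 80), rec(B, 443), rec(C, 22), rec(C, 25)],
    [rec(A, 80), rec(B, 443), rec(C, 22)],
]
SCANNER, INTRUDER = "203.0.113.9", "198.51.100.7"
TEST_WINDOW = (
    [rec(A, 80, b"GET /index.html HTTP/1.1"), rec(A, 443)]
    + [rec(SCANNER, port) for port in range(1, 41)]          # port sweep: no signature, but anomalous
    + [rec(SCANNER, 80, b"GET /../../etc/passwd HTTP/1.1")]  # known pattern
    + [rec(INTRUDER, 80, b"GET /cgi-bin/app?id=1 HTTP/1.1")] # constructed to look unremarkable
)

if __name__ == "__main__":
    det = AnomalyDetector()
    det.train(TRAINING_WINDOWS)
    for alert in analyze(TEST_WINDOW, det):
        print(alert)
```

The port sweep from 203.0.113.9 triggers only the anomaly detector, its directory-traversal request triggers only the signature matcher, and the single unremarkable request from 198.51.100.7 triggers neither. That last case is the gap both methods leave on their own: one needs a known pattern, the other needs behavior that stands out from the baseline.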
Types of IPSs
There are two major types of IPS: host-based and network-based.
HIPS: A host-based IPS (HIPS) is an application installed on a host that monitors, and can block, the traffic to and from that host as well as activity on it. This method is efficient because it can block traffic from a specific host or an attack targeted against a specific host. The host-based IPS is also effective against internal attacks and threats such as viruses, worms, Trojan horses, and keyloggers.
NIPS: A network-based IPS (NIPS) monitors the entire network and analyzes its activity. It detects malicious code and unsolicited traffic, and takes the necessary action. The NIPS is built to identify malformed network traffic, analyze protocols, and secure servers, clients, and network devices from various threats and attacks. A NIPS is deployed in line, so it acts as a checkpoint for all traffic entering the organization; this also makes it a potential bottleneck and single point of failure, so whether it fails open or fails closed must be decided deliberately.
HIDS and NIDS
This table will help you compare the two most popular types of IDS implementations.
Components
  NIDS: Primarily hardware sensors
  HIDS: Primarily software applications
Monitoring method
  NIDS: Monitors traffic on a specific network segment
  HIDS: Monitors traffic on the host it is installed on
Monitoring target
  NIDS: Packets, for protocol anomalies and known virus signatures
  HIDS: Log files, inadvisable settings or passwords, and other policy violations
Encrypted data
  NIDS: Cannot analyze encrypted data
  HIDS: Can analyze data that was encrypted in transit, since it inspects it after the host decrypts it
Passive vs. active
  NIDS: Passive
  HIDS: Passive or active
Resource utilization
  NIDS: Uses resources from the network
  HIDS: Uses computing resources from the host it is monitoring
Capabilities
  NIDS: Broad scope; very general
  HIDS: Narrow scope; very specific
Alerts
  NIDS: Management console or email messages
  HIDS: Management console or email messages
Best use
  NIDS: To secure a large area with non-critical data and provide broad-based overall security; most cost effective
  HIDS: To secure a specific resource, such as a web server, that holds critical data; cost prohibitive at scale
Management issues
  NIDS: Can be installed on a network without touching individual hosts
  HIDS: Service agreements or other policy restrictions may prevent installation on a host
Legal issues
  NIDS: Hard to use as evidence in a lawsuit
  HIDS: May be admissible as evidence in a lawsuit
Unified threat management (UTM)
Unified Threat Management (UTM) is a network security solution that is used to monitor and manage a wide variety of security-related applications and infrastructure components through a single management console. UTMs provide multiple security functions such as network firewalling, network intrusion prevention, anti-malware, VPN, spam and content filtering, load balancing, data leak prevention, and on-appliance reporting. UTMs can be network appliances or a cloud service.
Educating Users
When you educate your users, you give them the ability to participate in the process of ensuring the security of the organization. Because many attacks involve the unwitting participation of unsuspecting users, educating them to raise their level of awareness of proper security procedures can greatly increase the overall security of your organization. To educate your users on security practices, follow these guidelines: • Train new users on how to use their devices and applications, and follow organizational security policies. Focus on potential security problems throughout the training. For example, don't trust messages with attachments or links, even if you know the sender. • Consider implementing humor or other means to help users remember the messages you are trying to convey. For instance, you might create posters or other communications with messages like "Is it legit? If not, quit!" and "Passwords are like toothbrushes. Change them often, and never share them with others!" • Post all relevant security policies so that they are easily available to all users. • Notify users when changes are made to the policies. Educate them on the changes. • Test user skills periodically after training to ensure that they are implementing proper security. For example, you can use planned social engineering attacks. • Post information such as a link to http://hoaxbusters.org/ on the company website to assist users in determining whether or not email messages they receive are hoaxes. • In a high-security or highly regulated environment, consider requiring all users to take a pass/fail quiz or some other validation method immediately after training to verify the training's effectiveness and gather metrics on training results. • Periodically refresh the users' training, including any relevant updates that they should be aware of. 
Example: Educating Users at Greene City Interiors At Greene City Interiors, during new-hire orientation, all new employees are briefed on the security standards of the company. A representative from the security team shows them how to connect to the company's intranet and locate links to all the company's security policy documents from the security page. The security representative also demonstrates basic device security procedures, such as how to create a strong password. After training, you email the address of the intranet security page to all new employees, along with the addresses of other Internet resources they can consult to identify email threats, such as spam and hoaxes. Any time there is a change to any policy, you update the policy and notify users of the change. Significant policy changes are rolled out in conjunction with security training refresher sessions, which all employees are required to attend.
ACLs
An access control list (ACL) is a set of entries (matching on user names, passwords, time and date, IP addresses, media access control [MAC] addresses, ports, and so on) that is used to control access to a resource such as a device, file, or network. In router and firewall ACLs the entries are evaluated in order, the first match decides, and a packet that matches no entry is denied (implicit deny). On wireless routers and access points, ACLs are commonly implemented as MAC address filtering. When a wireless client attempts to access the network, that client's MAC address is compared to the list of authorized MACs and access is granted or restricted based on the result. Because a client's MAC address is sent unencrypted in every frame and can be changed in software, an attacker can observe an authorized address and clone it, so MAC filtering should be treated as a deterrent rather than as an authentication control.
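As an added example (Python written for this page, not code from any access point), here is a MAC ACL that accepts the three address notations administrators commonly paste in (colon, hyphen, and dotted Cisco form), together with the sniff-and-clone step that defeats it. It illustrates both this passage and the MAC filtering entry under "Wireless security controls". The allow list and the captured frames are constructed.

```python
"""MAC-address ACL as used for wireless filtering, with its blind spot.

Added example, not from the page or from any access point's firmware.
The allow list and the frames "seen over the air" are constructed.
"""
import re
from typing import Optional


def normalize_mac(mac: str) -> str:
    """Accept 00:1A:2B:3C:4D:5E, 00-1a-2b-3c-4d-5e or 001a.2b3c.4d5e; return lower-case colon form.

    Without this step an ACL silently fails open or closed depending on
    which notation the administrator and the client driver happen to use."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class MacAcl:
    """Allow list keyed on normalized addresses, with implicit deny for everything else."""

    def __init__(self, allowed: list[str]) -> None:
        self.allowed = {normalize_mac(m) for m in allowed}

    def permits(self, mac: str) -> bool:
        return normalize_mac(mac) in self.allowed


def spoof_from_capture(frames: list[dict], acl: MacAcl) -> Optional[str]:
    """What an attacker does: sniff frames, pick any source the ACL admits, clone it."""
    for frame in frames:
        if acl.permits(frame["src"]):
            return normalize_mac(frame["src"])
    return None


ACL = MacAcl(["00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5f", "001a.2b3c.4d60"])
CAPTURED_FRAMES = [                                   # constructed, as a sniffer would see them
    {"src": "de:ad:be:ef:00:01", "dst": "ff:ff:ff:ff:ff:ff"},   # attacker's own card
    {"src": "00:1A:2B:3C:4D:5E", "dst": "ff:ff:ff:ff:ff:ff"},   # an authorized client
]

if __name__ == "__main__":
    print("attacker's real address permitted:", ACL.permits("de:ad:be:ef:00:01"))
    clone = spoof_from_capture(CAPTURED_FRAMES, ACL)
    print("cloned address", clone, "permitted:", ACL.permits(clone))
```

The ACL does its job against the attacker's real address and is bypassed the moment the attacker reuses an address it just watched go by. Nothing in the filter can distinguish the two stations, which is why the control belongs alongside WPA2-Enterprise, not in place of it.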
Edge networks
An edge network is a network located on the periphery of a centralized network. It is where an organization's network actually connects to the Internet, or to a provider's carrier network. It is the most exposed of all the organization's networks, because it faces untrusted networks directly and every inbound attack arrives there first. Physically located on the customer's premises, it is the link between the provider's demarc and the organization's router. Providers too can have an edge network, where they connect to other providers. Most edge devices are routers or firewalls.
A basic forensic process
Any time you have an incident that needs to be investigated, you need an established forensic process so that the investigation is performed properly. Although each organization might develop its own forensic process, it is recommended that the following steps be included:
1. The first responder(s) arrive at the scene of the incident.
2. Secure the area to preserve the scene of the incident.
3. Begin documenting the scene.
4. Perform electronic discovery (eDiscovery) to identify and collect any electronically stored information.
5. Collect any other evidence and data related to the incident.
6. Preserve the chain of custody from the moment evidence is collected until the end of the investigation.
7. If data needs to be transported to another entity, follow proper data transport procedures.
8. Report your forensic findings.
9. If there is litigation, follow legal hold procedures.
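Steps 6 and 7 depend on being able to prove that the evidence was not altered between hand-offs. The added example below (Python written for this page, not from any forensic tool) keeps a chain-of-custody log in which every entry re-checks the SHA-256 digest taken at collection, and refuses to record a hand-off of a copy that no longer matches. The evidence bytes, the identifier EV-2024-017, the custodian names and the timestamps are constructed; in practice the digest is computed over the acquired disk image or memory capture.

```python
"""Chain-of-custody record backed by a cryptographic hash of the evidence.

Added example, not from the page or from any forensic toolkit. The evidence
bytes, identifier, custodian names and timestamps are constructed; in
practice the hash is computed over the acquired disk image or memory capture.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyRecord:
    """Append-only log of who held an evidence item, each entry re-verifying its hash."""

    def __init__(self, evidence_id: str, data: bytes, collected_by: str, when: datetime) -> None:
        self.evidence_id = evidence_id
        self.sha256 = sha256_hex(data)             # reference digest taken at collection
        self.entries = [{"action": "collected", "by": collected_by,
                         "at": when.isoformat(), "sha256": self.sha256}]

    def verify(self, data: bytes) -> bool:
        """True only if the bytes are exactly what was collected."""
        return sha256_hex(data) == self.sha256

    def transfer(self, data: bytes, sender: str, receiver: str, when: datetime) -> None:
        """Record a hand-off; refuses if the copy being handed over no longer matches."""
        if not self.verify(data):
            raise ValueError(f"{self.evidence_id}: hash mismatch at transfer {sender} -> {receiver}")
        self.entries.append({"action": "transferred", "from": sender, "to": receiver,
                             "at": when.isoformat(), "sha256": self.sha256})

    def to_json(self) -> str:
        """Serialized form that travels with the evidence and goes into the report."""
        return json.dumps({"evidence_id": self.evidence_id, "sha256": self.sha256,
                           "chain": self.entries}, indent=2)


EVIDENCE = b"constructed sample: contents of suspect's USB stick\n"   # stands in for an image


def demo() -> tuple:
    """Collect, transfer an intact copy, then attempt to transfer an altered copy."""
    t0 = datetime(2024, 5, 6, 9, 30, tzinfo=timezone.utc)
    record = CustodyRecord("EV-2024-017", EVIDENCE, "first responder A. Smith", t0)
    record.transfer(EVIDENCE, "A. Smith", "lab analyst B. Jones",
                    datetime(2024, 5, 6, 11, 0, tzinfo=timezone.utc))
    tampered = EVIDENCE.replace(b"suspect", b"nobody")       # altered somewhere in transit
    try:
        record.transfer(tampered, "B. Jones", "external counsel",
                        datetime(2024, 5, 7, 8, 0, tzinfo=timezone.utc))
        rejected = False
    except ValueError:
        rejected = True                                        # the bad hand-off is not logged
    return record, rejected


if __name__ == "__main__":
    record, rejected = demo()
    print(record.to_json())
    print("altered copy rejected:", rejected)
```

Every entry carries the same digest, so anyone reading the log later can re-hash the item they hold and confirm it is the one collected at the scene; a transfer of a changed copy is refused rather than silently appended, which keeps the log honest about when custody was broken.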