
Designing the Full Security Model


by Russ Rogers - 10/15/1999

We see a lot of articles about the specific vulnerabilities of each operating system that lead to exploitation by crackers. Solaris has them. Linux has them. Most versions of BSD have them. And, of course, Windows has them. But securing the operating system isn't the only thing we need to look at if we want total security on our network. Failure to address all the layers of security leaves you vulnerable and gives you a false sense of security.

Security, in and of itself, does not consist solely of patching buffer overflow problems in component systems or installing a firewall. Security is actually one big puzzle that contains all of these pieces. The goal here is to layer our defenses so that each intruder coming to our system will have to defeat multiple levels of security. At each new level in our security model, we present another obstacle that the intruder might not be able to surpass.

[Chart: the layered security model; image not reproduced here.] The chart shows how each additional level of security simply adds another barrier for an intruder to pass through. This increases the likelihood that the intruder will be stopped and also increases the amount of auditing information available to track the intruder.

I.

Our first level of protection is the router. The router filters out unwanted traffic by IP address and service. For example, our first step is to create a "deny all IP addresses" rule and then selectively allow certain addresses access to our network from the outside. It's always better to deny everything and then allow addresses as they are needed, rather than allowing all addresses and then having to explicitly deny every IP we don't want to have access. The real-life exception to this is when you are providing a public service, such as http.

Routers are also capable of filtering by the service protocol. For example, suppose we have a public web server but we don't want any other services allowed through. We simply allow universal access to http and block the others, such as ftp, telnet, and sendmail.
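The deny-first policy described above, worked through as an added example (this is not the author's code or a real router configuration): a small evaluator that consults rules top to bottom the way a router ACL does, with an implicit deny at the end of the list. The rule format, the `Rule` and `decide` names, and all addresses (RFC 5737 documentation ranges) are constructed for the illustration. It also shows the permit-first anti-pattern the article warns against: a later deny rule that can never fire.

```python
"""Ordered packet-filter rules with a default-deny policy.

Added example for this article (not the author's code): a small evaluator
that consults rules top to bottom the way a router ACL does. The rule
format and all addresses (RFC 5737 documentation ranges) are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source network in CIDR notation, or "any"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, or None for any port

    def matches(self, src_ip: str, proto: str, dport: int) -> bool:
        net = ip_network("0.0.0.0/0" if self.src == "any" else self.src)
        return (ip_address(src_ip) in net
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def decide(rules: List[Rule], src_ip: str, proto: str, dport: int) -> str:
    """First matching rule wins; a packet matching nothing is denied."""
    for rule in rules:
        if rule.matches(src_ip, proto, dport):
            return rule.action
    return "deny"  # the implicit deny-all at the end of the list


# Recommended shape: deny everything, then permit only what is needed.
# Constructed policy for a site with one public web server:
#   - the branch office (192.0.2.0/24) may reach any service
#   - anyone may reach HTTP (tcp/80)
#   - everything else (ftp, telnet, smtp, ...) falls through to deny
DENY_FIRST_POLICY = [
    Rule("permit", "192.0.2.0/24", "any", None),
    Rule("permit", "any", "tcp", 80),
]

# Anti-pattern the article warns about: permit everything, then try to deny
# specific hosts afterwards.  The deny rule is never reached.
PERMIT_FIRST_POLICY = [
    Rule("permit", "any", "any", None),
    Rule("deny", "198.51.100.0/24", "any", None),
]


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule with an
    "any" source and the same or wider protocol/port scope precedes them.
    (Deliberately conservative: only "any"-source shadowing is detected.)"""
    shadowed = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.src == "any"
                    and earlier.proto in ("any", rule.proto)
                    and earlier.dport in (None, rule.dport)):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    for ip, proto, port in [("203.0.113.5", "tcp", 80),
                            ("203.0.113.5", "tcp", 23),
                            ("192.0.2.10", "tcp", 21)]:
        print(ip, proto, port, "->", decide(DENY_FIRST_POLICY, ip, proto, port))
    print("shadowed rules in permit-first policy:",
          shadowed_rules(PERMIT_FIRST_POLICY))
```

With the deny-first policy an outside host reaches port 80 and nothing else, while the branch office reaches everything; with the permit-first policy the explicit deny for 198.51.100.0/24 is shadowed by the blanket permit above it, which is exactly why the article says to deny first and permit as needed.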

II.

Firewalls are the next step. Firewalls perform somewhat like the router in that you can filter out unwanted traffic by IP or service. You can also create virtual private networks across the Internet using various security implementations that are built into the different firewall products. Using a VPN allows you to connect satellite offices in other locations to your network more securely. Most firewall products will allow you to authenticate through them, but be careful, because the user name and password are passed in the clear unless you specify some form of encryption.

Different firewalls have different pros and cons; it's impossible to cover them all in one weekly article. Some allow remote administration of the product. This might sound convenient at first, but consider the possibility of someone else being able to administer your firewall remotely. Other products can automatically update your router to block harmful traffic. One thing to be cognizant of is the logging ability of the product. You'll want to see what your firewall is doing and who is trying to get by it. But firewalls typically only log the traffic they see: an application-level firewall sees only the application protocols it handles, so it misses the rest of the network traffic and logs none of that activity. Suffice it to say that you need to do your homework to choose your firewall and get it set up correctly.

III.

Intrusion Detection Systems (IDS) are passive devices that sit on your network, promiscuously monitoring all packets on the wire. The intention here is to catch activity on your network that might be harmful or malicious. IDS log like crazy and run using the rules that you define. Once again we find that an improperly configured IDS is about as good as not having one. They have the ability to pick up traffic signatures like port scans, SYN floods, etc., but you have to know how to use the system.
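To make the "traffic signatures" concrete, here is an added example (not the article's code and not any particular IDS product's rule language): a port-scan detector and a SYN-flood detector run over a constructed packet log. The log format (`<seconds> <src> <dst> <dport> <flags>`), the thresholds, the window and all addresses are assumptions made up for the illustration; a real IDS tunes these per site, and the article's point that the rules have to be understood and configured applies to these numbers as much as to any product.

```python
"""Two simple IDS signatures run over a constructed packet log.

Added example (not from the article): a port-scan detector and a SYN-flood
detector of the kind an IDS rule set implements.  The log format
("<seconds> <src> <dst> <dport> <flags>"), thresholds and addresses are
all made up for this illustration.
"""
from collections import defaultdict

PORT_SCAN_THRESHOLD = 10   # distinct ports on one host from one source
SYN_FLOOD_THRESHOLD = 20   # bare SYNs from one source that never ACKs
WINDOW = 5.0               # seconds


def make_sample_log() -> str:
    """Constructed traffic: a scanner walking ports 1-15 on one host, a
    flooder sending 30 bare SYNs to port 80, and one client that completes
    a handshake normally."""
    lines = [f"{i * 0.05:.2f} 203.0.113.9 192.0.2.10 {port} S"
             for i, port in enumerate(range(1, 16))]
    lines += [f"{1.0 + i * 0.01:.2f} 198.51.100.4 192.0.2.10 80 S"
              for i in range(30)]
    lines += ["2.00 192.0.2.55 192.0.2.10 80 S",
              "2.01 192.0.2.55 192.0.2.10 80 A",
              "2.02 192.0.2.55 192.0.2.10 80 PA"]
    return "\n".join(lines)


def parse(log: str):
    """Turn the log text into (time, src, dst, dport, flags) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        t, src, dst, dport, flags = line.split()
        events.append((float(t), src, dst, int(dport), flags))
    return events


def detect_port_scans(events, threshold=PORT_SCAN_THRESHOLD, window=WINDOW):
    """(src, dst) pairs where one source touched >= threshold distinct
    destination ports on one host within the window."""
    touches = defaultdict(list)
    for t, src, dst, dport, _flags in events:
        touches[(src, dst)].append((t, dport))
    alerts = set()
    for key, hits in touches.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t <= t0 + window}
            if len(ports) >= threshold:
                alerts.add(key)
                break
    return alerts


def detect_syn_floods(events, threshold=SYN_FLOOD_THRESHOLD, window=WINDOW):
    """Sources that sent >= threshold bare SYNs within the window and never
    sent an ACK (a client that finishes the handshake is not a flooder)."""
    syn_times = defaultdict(list)
    acked = set()
    for t, src, _dst, _dport, flags in events:
        if "A" in flags:
            acked.add(src)
        elif flags == "S":
            syn_times[src].append(t)
    alerts = set()
    for src, times in syn_times.items():
        if src in acked:
            continue
        times.sort()
        j = 0  # left edge of the sliding window
        for i, t in enumerate(times):
            while times[j] < t - window:
                j += 1
            if i - j + 1 >= threshold:
                alerts.add(src)
                break
    return alerts


if __name__ == "__main__":
    ev = parse(make_sample_log())
    print("port scans:", detect_port_scans(ev))
    print("syn floods:", detect_syn_floods(ev))
```

Note how the thresholds interact: the scanner sends fifteen SYNs and is caught by the port-scan rule but not the SYN-flood rule, and the legitimate client's ACK keeps it out of the flood alert entirely. Set the thresholds carelessly and you get either silence or a log full of noise, which is the "improperly configured IDS" the article describes.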

IV.

Proper configuration of each host operating system is also very important. Failing to restrict the services run on each box or the privileges each user has can result in some seriously bad karma. Restrict those silly simple TCP services like chargen, echo, and daytime. These particular protocols were meant to be network test tools and can be used to perform denial of service attacks on your network.

Turn off services like FTP if you don't intend to serve publicly. Turn off http. Some folks installing Windows NT Server mistakenly install the Internet services, which include the IIS web server. IIS has a default password, and the user name is easy to figure out as well. This opens a big hole, so be aware of what you're setting up. Just keep in mind that taking the defaults on ANY security package right out of the box is a HUGE mistake.

Patches and hotfixes are released each week to fix both operational and security holes in the OS. Try to keep up to date on those patches, because they plug holes in your box that are public knowledge. Maintaining control of filesystem permissions and user privileges is also mandatory.
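The service-restriction advice in this section, as an added example (not the author's code): an audit that parses an inetd.conf-style file, flags the small test services named above (echo, chargen, daytime) and reports anything else enabled that the administrator did not intend to offer. The sample configuration, the `SIMPLE_TCP_SERVICES` set and the `audit_inetd` function are constructed for the illustration and do not come from a real host.

```python
"""Audit of enabled inetd services against an intended-service list.

Added example (not from the article): parses an inetd.conf-style file,
flags the small test services the article names (echo, chargen, daytime)
and anything else enabled that the administrator did not intend to offer.
The sample configuration below is constructed, not taken from a real host.
"""

# Services the article singles out as network test tools to switch off.
SIMPLE_TCP_SERVICES = {"echo", "chargen", "daytime"}

SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf
echo     stream  tcp  nowait  root  internal
echo     dgram   udp  wait    root  internal
chargen  stream  tcp  nowait  root  internal
daytime  stream  tcp  nowait  root  internal
#discard stream  tcp  nowait  root  internal
ftp      stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
www      stream  tcp  nowait  www   /usr/sbin/httpd httpd
"""


def enabled_services(conf: str):
    """Yield (service, protocol) for every uncommented inetd.conf entry."""
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue   # malformed line; skip rather than guess
        yield fields[0], fields[2]


def audit_inetd(conf: str, intended=frozenset()):
    """Return (service, protocol, reason) for every enabled service that
    should not be running on a box meant to offer only `intended`."""
    findings = []
    for name, proto in enabled_services(conf):
        if name in SIMPLE_TCP_SERVICES:
            findings.append((name, proto,
                             "test service usable for denial of service; disable"))
        elif name not in intended:
            findings.append((name, proto,
                             "not on the intended-service list; disable or justify"))
    return findings


if __name__ == "__main__":
    # A box that is only supposed to be a public web server.
    for name, proto, reason in audit_inetd(SAMPLE_INETD_CONF, intended={"www"}):
        print(f"{name}/{proto}: {reason}")
```

The commented-out discard line is correctly ignored, while both the tcp and udp echo entries are reported separately; run against a box meant to serve only the web, everything but `www` ends up on the list.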

V.

The single biggest security vulnerability I've seen in my work is the user. Users have the ability to sell you out to the intruder through sheer ignorance of good security practices. At times, even sound knowledge of security practices gives way to human nature. Passwords are the big offender here. Easy-to-guess passwords are nearly as bad as not having a password on the account at all. Even if users understand the concept of choosing a good password, they might write it down because it's difficult to remember.

Network users can cause problems with the way they set up their own personal accounts. A user might share out their C:\ drive or their home directory. They might put a .rhosts or .netrc file in their home directory to make file transactions easier. Many users won't know the inherent risks with these actions. Keep an eye on your users and help them stay educated.
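Both user-level problems in this section, the easy-to-guess password and the .rhosts/.netrc files, as one added example (not the author's code): a password screen and an audit of a home directory for the two dotfiles. The tiny word list, the character-class rule, the sample home directory and its file contents are all constructed for the illustration; a real password check would use a large dictionary and the site's own policy.

```python
"""Checks for the user-level weaknesses the article describes.

Added example (not the author's code): a password screen for the
"easy to guess" case and an audit of a home directory for .rhosts and
.netrc files.  The word list, the sample home directory and its contents
are constructed for this illustration.
"""
import os
import stat
import tempfile

# Constructed, deliberately tiny word list; a real check would use a large one.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "123456"}


def password_problems(username: str, password: str):
    """Reasons a password is easy to guess; an empty list means it passed."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if password.lower() in COMMON_WORDS:
        problems.append("common dictionary word")
    if username.lower() in password.lower():
        problems.append("contains the user name")
    classes = sum(any(f(c) for c in password)
                  for f in (str.islower, str.isupper, str.isdigit,
                            lambda c: not c.isalnum()))
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


def dotfile_problems(home: str):
    """Findings for .rhosts / .netrc in a home directory."""
    problems = []
    for name in (".rhosts", ".netrc"):
        path = os.path.join(home, name)
        if not os.path.exists(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            problems.append(f"{name} is readable by group/other (mode {mode:o})")
        if name == ".rhosts":
            with open(path) as fh:
                if any("+" in line.split() for line in fh):
                    problems.append(".rhosts has a '+' wildcard entry "
                                    "trusting any host or user")
        else:
            problems.append(".netrc present: stores login credentials in the clear")
    return problems


def build_sample_home() -> str:
    """Create a throwaway home directory holding the risky files (constructed)."""
    home = tempfile.mkdtemp(prefix="home-")
    rhosts = os.path.join(home, ".rhosts")
    with open(rhosts, "w") as fh:
        fh.write("+ +\n")            # trusts every user on every host
    os.chmod(rhosts, 0o644)
    netrc = os.path.join(home, ".netrc")
    with open(netrc, "w") as fh:
        fh.write("machine ftp.example.com login alice password hunter2\n")
    os.chmod(netrc, 0o600)
    return home


if __name__ == "__main__":
    print(password_problems("alice", "alice123"))
    for finding in dotfile_problems(build_sample_home()):
        print(finding)
```

The .netrc in the sample is mode 600, so the only finding for it is that it exists at all; the point the article makes is that the file stores credentials in the clear regardless of who can read it, so its presence is the finding.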

VI.

Your network may or may not need more security than what is presented here. Don't be pressured into making hasty decisions about security products; there are a ton of them out there. There are network scanners to help you find your network weaknesses, system scanners that help you locate host-level vulnerabilities, and tools that log everything that happens on a local machine. Choose your defenses carefully, but remember to layer them. Just as castles used to have a moat, walls, and guards, your network needs similar defenses to stave off intruders.