Thursday, 27 December 2012

IT Infrastructure Security Issues - Step by Step


Steps in Security:
  • Comprehend your IT infrastructure, network (configuration and topology), network traffic and communication system 
  • Prepare a security policy, processes, procedures, and their implementation plan 
  • Obtain approval of the above from management
  • Implement the above policies and plans
  • Maintain a standardized documentation of the entire IT infrastructure 
  • Periodically test and audit the entire network security 
  • Create security awareness among users through training, crash courses or “tip of the day” messages 
  • Undertake preventive measures, before corrective measures become necessary. 


Security Model 

It is said that "defense is in depth". This security model is represented in the figure below. The model consists of 4 layers of security.


Most of us don't work for organizations with budgets for procurement of security equipment or systems (or security personnel). In this context, these tools perform data collection, analysis, reporting and generation of alarms.

Security Layer-1: Perimeter Defense Security Systems

This layer is like the four walls and the roof of a secure house. It includes firewalls, routers and proxy servers. A national survey showed that 70-80% of attacks are internal, i.e., from within the organization's internal network. Therefore, securing against internal attacks is the first line of defense. However, having only this line is not enough to protect any network and valuable information.

One of the common attacks on this layer is the DoS (Denial of Service) attack, which involves flooding the point of connection to the outside world with unproductive traffic. Common DoS attacks on routers are Smurf, SYN, ACK and RST attacks. Cisco researchers/security analysts have produced a wonderful document (refer: http://www.cisco.com/warp/public/707/21.html) on how to configure a router to protect against these attacks. There are numerous solutions documented by various vendors. I have discussed Cisco's findings here since I am implementing and managing the same in my organization.

The aforesaid paper describes how attacks like Smurf target victim systems using source-spoofed packets originating from a third party's (middle) system. One of the methods to stop this involves filtering at the point of connection to the Internet, in your own network or at your ISP. Additionally, router vendors have added options to disallow packets with spoofed IP source addresses. Cisco has implemented this by adding a command: "[no] ip verify unicast reverse-path". To prevent one's system from being the middle system (the system used to attack the target), Cisco has added another command, "no ip directed-broadcast", in IOS 12.0. This option is set by default, and it prevents an OSI layer 3 directed broadcast from being translated into an OSI layer 2 broadcast.

If you have a DMZ, make sure the filters between your internal network and the DMZ are configured properly: the DMZ is set up as a network external to the internal (production) network. However, to implement such a security system the following precautions should be taken at a minimum:

  • Install appropriate filters such as:
- "access-list number deny icmp any any redirect". This disallows ICMP redirect packets.
- "Anti-spoofing". This will control access through the router and stop packets whose source address is an internal IP address from coming in.
- "no ip directed-broadcast". This will stop directed broadcasts.
  • Control and monitor filter configurations in terms of privileges and their use:
- who can modify
- who modified
- when modified
  • Update filters:
- as and when required to implement network changes
- when installing new software releases
- to prevent future attacks that may exploit existing or newly discovered vulnerabilities
  • Test filters to ensure that the rules are still working:
- periodically
- by break testing
  • Configure anti-virus software for real-time scanning at the gateway
  • Implement intelligent logging at a level that is enough to trace back an attack
  • Trace intrusions, if any, and analyze them in detail to take corrective measures to harden the security infrastructure
  • Maintain detailed documentation of the filter (router and proxy) configurations and follow change management
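The "test filters" and "monitor filter configurations" items above are easiest to keep honest with a script that reads the saved router configuration and reports which of the listed filters are missing. The following audit script is an added example, not code from the original article or from Cisco: it parses a Cisco IOS-style configuration and checks each interface for an inbound access list that denies ICMP redirects and internal source addresses (anti-spoofing), for unicast reverse-path verification, and for directed broadcasts being left enabled. The configuration text, the interface names and the 10.0.0.0/8 internal range are constructed for this example.

```python
"""
Added example, not from the original article: a small audit script that reads
a Cisco IOS-style configuration and checks for the Layer-1 filters listed
above (ICMP redirects denied, an anti-spoofing inbound access list, directed
broadcasts disabled, unicast reverse-path verification). The configuration
text, interface names and the 10.0.0.0/8 internal range are constructed for
this example.
"""
import re

# Constructed sample configuration: the ISP-facing interface is hardened,
# the second interface is not.
SAMPLE_CONFIG = """\
hostname edge-router
!
access-list 101 deny icmp any any redirect
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
!
interface Serial0/0
 description Link to ISP
 ip address 203.0.113.2 255.255.255.252
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip directed-broadcast
!
interface FastEthernet0/1
 description Link to DMZ
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
!
"""

# Assumed internal address range, written as IOS address/wildcard.
INTERNAL_WILDCARD = "10.0.0.0 0.255.255.255"


def parse_interfaces(config):
    """Map each 'interface X' block to the list of its indented lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None          # '!' or a global command ends the block
    return interfaces


def acl_rules(config, number):
    """All 'access-list <number> ...' lines in the configuration."""
    return [l for l in config.splitlines()
            if l.startswith(f"access-list {number} ")]


def audit_config(config):
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        # IOS 12.0 and later default to 'no ip directed-broadcast', so only an
        # explicit enable line is treated as a finding.
        if "ip directed-broadcast" in lines:
            findings.append(f"{name}: directed broadcasts explicitly enabled")
        if "ip verify unicast reverse-path" not in lines:
            findings.append(f"{name}: unicast reverse-path verification not enabled")
        inbound = [l for l in lines if re.fullmatch(r"ip access-group \S+ in", l)]
        if not inbound:
            findings.append(f"{name}: no inbound access list applied")
            continue
        number = inbound[0].split()[2]
        rules = acl_rules(config, number)
        if not any(r.endswith("deny icmp any any redirect") for r in rules):
            findings.append(f"{name}: ACL {number} does not deny ICMP redirects")
        if not any(f"deny ip {INTERNAL_WILDCARD} any" in r for r in rules):
            findings.append(f"{name}: ACL {number} has no anti-spoofing deny for {INTERNAL_WILDCARD}")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against a copy of the saved configuration after every change; a non-empty findings list is the signal that a filter was dropped or an interface was added without the standard hardening.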

Security Layer-2: OS and Application Servers Security Systems  


This layer covers protection of the operating system, the application servers, web servers and mail servers.
While traffic is regulated at the perimeter depending on the needs of the organization, the applications utilizing the traffic run on different application/web servers, which in turn run on operating systems. An abuse of operating system privileges can potentially compromise network security. Users with access to the underlying operating system can jeopardize the availability and integrity of the firewall and expose critical network resources to both internal and external security threats. Hardening this layer will protect the network from a number of internal threats.
Vulnerabilities exist in operating systems, web servers, proxy servers, mail servers and application servers that need patches / service packs / hotfixes to fill those holes.
An organization may have multiple operating systems in its network. It is the responsibility of the OS vendors to make their products secure.
Windows NT 4.0 / 2000
Microsoft's Windows NT is C2 compliant. This C2 rating does not guarantee that NT is the operating system with the best security. Out of the box, NT has to be configured and patched to meet C2 ratings.
Given below are the steps I followed to make NT a secure operating system and feel a bit comfortable (I said comfortable, not satisfied or done with) about the security of my networks:
  • Install at least Service Pack 3 in the case of NT 4.0, and Service Pack 2 in the case of Windows 2000. SP3 for NT allows you to better secure your system. One of its major features is the addition of the "Authenticated Users" group to help eliminate anonymous connections. SP6a is now recommended for NT 4.0 systems. Installing post-SP3 hotfixes, or having SP4 or a later service pack, will protect the server from attacks like GetAdmin and RedButton.
  • Enable auditing (it is not enabled by default). Audit failed as well as successful logins.
  • Enable the "change password periodically" policy (not enabled by default). An important aspect of NT passwords that needs to be understood is that NT does not store encrypted passwords, but hashed versions of the password. These hashes are produced by one-way algorithms, which means that they can't be decrypted.
  • Another one of NT's biggest problems is that even with SP3 installed, anyone who has network access to an NT machine can find out the name of the administrator and the privileged shared drives of that box. Disable this by changing the registry key "HKLM/SYSTEM/CurrentControlSet/Control/LSA: RestrictAnonymous".
  • Change the default user rights in the "User Manager" menu. You may like to restrict users from logging on locally to the Primary Domain Controller.
  • Make proper backups. Don't rely on NTBACKUP; instead use third-party backup software (e.g. ArcServeIT from Computer Associates), depending on whether multiple servers/workstations are to be backed up.
  • Have the NT registry backed up using RDISK/S or NT Resource Kit utilities (Regback.exe).
  • Windows 2000 ships with a powerful encryption system that adds an extra layer of security for drives, folders or files. This helps prevent a hacker from accessing your files by physically mounting the hard drive on another PC and taking ownership of the files. Be sure to enable encryption on folders, not just files: all files that are placed in that folder will be encrypted.

Linux

There are different flavors of UNIX. Linux is one of the most widely used and popular variants of UNIX. Like any other operating system, we have to keep fine-tuning Linux too. Some of the precautionary measures related to Linux system security are as follows:
  • Passwords in Unix are the first line of defense. Make sure you implement a strong password policy and check once a week that the passwords are strong. Also force users to change them at least every 30 days.
  • Use "umask" to set the default permissions for file creation on your system.
  • Make sure that your system files are not open for casual editing by users and groups who shouldn't be doing such system maintenance.
  • Be very careful while configuring the kernel.
  • For further details related to the above listed security parameters refer to http://www.linuxdoc.org/HOWTO/Security-HOWTO.html
  • Linux, by default, starts services like HTTP, FTP, SMB and sendmail, which may not be required but are waiting for someone to connect. Stop the services that are not required.
  • Check for ".rhosts" files and avoid using them. This file contains the names of systems on which you have an account.
  • Check syslog and messages regularly.
  • Check for unsuccessful as well as successful logons.
  • Check for suspicious entries in "inetd.conf".
  • Be very careful while configuring anonymous FTP accounts. For example, the /incoming directory should be writeable only by the root and FTP users. User "anonymous" should only have read access to the /incoming and /pub directories.
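Several of the Linux checks above (password ageing, unneeded services in inetd.conf, stray .rhosts files, the default umask) are file inspections that can be scripted and run on a schedule. The script below is an added example, not from the original article or from any Linux distribution: it applies those checks to constructed sample data in /etc/shadow and inetd.conf format and to a temporary home-directory tree. The user names, file contents and the 30-day limit are the example's own assumptions (the limit matches the article's recommendation).

```python
"""
Added example, not from the original article: a small Python audit that
applies the Linux checks listed above to constructed sample data: maximum
password age in /etc/shadow format, enabled services in inetd.conf format,
.rhosts files under home directories, and the default umask. File contents
and user names are constructed; the 30-day limit is the article's figure.
"""
import os
import tempfile

# Constructed /etc/shadow-style lines:
# user:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhash:19000:0:30:7:::
alice:$6$saltsalt$hashhash:19000:0:99999:7:::
bob:$6$saltsalt$hashhash:19000:0::7:::
"""

# Constructed inetd.conf-style lines; commented-out lines are disabled services.
SAMPLE_INETD = """\
#ftp    stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
"""

# Constructed shell profile fragment with a permissive umask.
SAMPLE_PROFILE = "export PATH=/usr/bin:/bin\numask 002\n"


def users_with_weak_password_age(shadow_text, max_days=30):
    """Users whose maximum password age is unset or longer than max_days."""
    weak = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue
        max_age = fields[4]
        if not max_age.isdigit() or int(max_age) > max_days:
            weak.append(fields[0])
    return weak


def enabled_inetd_services(inetd_text):
    """Service names of inetd.conf entries that are not commented out."""
    return [line.split()[0] for line in inetd_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def find_rhosts(home_root):
    """Paths of .rhosts files directly under each home directory."""
    hits = []
    for user in sorted(os.listdir(home_root)):
        candidate = os.path.join(home_root, user, ".rhosts")
        if os.path.isfile(candidate):
            hits.append(candidate)
    return hits


def umask_is_permissive(profile_text):
    """True if the configured umask leaves group or others able to write new files."""
    for line in profile_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "umask":
            mask = int(parts[1], 8)
            return (mask & 0o022) != 0o022   # both group-write and other-write must be masked
    return True                              # no umask set at all: treat as permissive


def run_audit():
    """Build a constructed home tree with one .rhosts file and run every check."""
    with tempfile.TemporaryDirectory() as home:
        for user in ("alice", "bob"):
            os.makedirs(os.path.join(home, user))
        with open(os.path.join(home, "bob", ".rhosts"), "w") as fh:
            fh.write("trusted-host bob\n")       # constructed entry
        return {
            "weak_password_age": users_with_weak_password_age(SAMPLE_SHADOW),
            "enabled_services": enabled_inetd_services(SAMPLE_INETD),
            "rhosts_files": [os.path.relpath(p, home) for p in find_rhosts(home)],
            "permissive_umask": umask_is_permissive(SAMPLE_PROFILE),
        }


if __name__ == "__main__":
    for check, result in run_audit().items():
        print(f"{check}: {result}")
```

On a real system the same functions would be pointed at /etc/shadow, /etc/inetd.conf, /home and the login profile; every non-empty result is an item for the weekly review the article asks for.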

Security Layer-3: Host Protection 


Now that we have our perimeter defense tightened and the OS fine-tuned, we need to look at another threat, from the internal workstations connected to the network. We need to have workstation security for two reasons:
- to protect against someone trying to attack from within the network
- to protect the data stored on the workstation from someone coming in through the firewall
Security Layer-4: Data/Information Protection


With the above three layers taken care of, I believe we should have one more layer on our data. Have encryption whenever possible. I prefer Windows 2000 to Win9x. Given the budget, I would make Windows 2000 the standard for mobile users.
Read more on Windows 2000 for mobile computing at http://www.microsoft.com/windows2000/professional/evaluation/business/overview/mobile/default.asp
  • Having all the security layers implemented on the corporate network helps secure all the PCs in the network, but once a PC is removed for use at home or on the road, its security is more at risk.
  • Data protection can be broken down into three distinct categories: operating system security, sensitive data storage practices, and data encryption.
  • Operating system security covers the normal operating system (and services) security best practices.
  • Sensitive data storage practices cover which data has to be on a server and which data can be on a desktop/laptop.
  • Data encryption covers the need to have the data protected by means of encryption.

Conclusion 


Security cannot be achieved by merely implementing various security systems, tools or products. However, security failures are less likely through the implementation of security policy, process, procedure and product(s). Multiple layers of defense need to be applied to design a fail-safe security system. The idea behind multi-layered defense is to manage the security risk with multiple defensive strategies, so that if one layer of defense turns out to be inadequate, another layer of defense will, ideally, prevent a full breach. The author believes that, at a minimum, managers must apply a range of security perimeter defenses so that their resources are not exposed to external attacks, and ensure that the security system is not limited by the weakest link of the security layers.


List of References:

Web Sites
  • Cisco - Improving security on Cisco routers
- http://www.cisco.com/warp/public/707/21.html
  • Microsoft - How to clear Windows NT password at shutdown
- http://support.microsoft.com/directory/article.asp?id=KB;EN-US;q18208
  • NT Security Sites
- http://www.microsoft.com/security/default.asp
- http://www.ntsecurity.com/security-news.asp
- http://www.labmice.net/articles/securingwin2000.htm
- http://www.sans.org/infosecFAQ/win2000/win2000_list.htm
- http://windows.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_ADtopnode.htm
  • Linux Security
- http://www.linuxdoc.org/HOWTO/Security-HOWTO.html

Books:
- By Mathew Strebe, Charles Perkins & Michael G. Moncur
- Building Internet Firewalls, by Elizabeth D. Zwicky, Simon Cooper and D. Brent Chapman


Tuesday, 25 December 2012

IT Infrastructure Security



IT security is a multi-discipline subject requiring a number of different skills sets and knowledge areas. A key area of knowledge which is vital for any security specialist is a clear understanding of IT infrastructure and how it relates to the creation of a comprehensive security strategy.

Understanding Firewalls


Much like a firewall in real life protects parts of a building from a spreading fire, an IT firewall protects computer systems from the dangers posed by an internet connection. A firewall is essentially a component located between a computer or a network of computers and the internet. The specific purpose of a firewall is to prevent unauthorized access to the computer systems it is configured to protect. Firewalls take the form of software, hardware or a combination of both and are not limited to use by large companies. Anyone who owns a computer (including home users) that is connected to the internet for even short periods of time should have a firewall configured.
A good security strategy should consist of multiple layers of protection and in such a scenario the firewall is typically the first line of defense.
Firewalls fall into three main categories - packet-filtering, proxy-service and stateful-inspection firewalls - each of which will be covered in detail here.

Proxy Service Firewalls


A proxy service firewall is placed between the internet and an internal network of computers and acts as a go-between for the two environments. With a proxy service in place, internal client computers do not connect directly to outside resources. Instead they connect to the proxy server which in turn connects with the external resource on behalf of the client, thereby masking the internal IP address of the client. Any responses from the external resources are handled by the proxy service which passes them along to the client that originally requested the data.

Under such a scenario no internal systems are ever in direct contact with a remote server or service and all internal IP addresses are masked by the proxy server. Proxy servers can also provide caching functions, where web pages that are frequently accessed by internal clients are stored by the server such that they can quickly be supplied when subsequently requested leading to faster response times. Proxy service firewalls are available in two basic forms, Circuit-level gateway which works at the Session layer of the OSI model to verify that all sessions are legitimate and Application level-gateway which works at the OSI Application layer to control traffic of particular types (such as HTTP, FTP and SNMP).

Stateful Inspection Firewalls


Stateful-inspection firewalls (also known as dynamic packet filtering firewalls) operate at the OSI Network layer and combine some features of both packet-filtering and proxy server firewalls. A stateful-inspection firewall not only examines the header information of packets, but also monitors sessions to ensure that they are legitimate and maintains a state table for each connection. Using these state tables, every packet received by the firewall can be viewed within the context of preceding traffic, allowing malicious data to be intercepted and blocked.
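The difference between judging a packet on its header alone and judging it "within the context of preceding traffic" is easiest to see on a concrete packet sequence. The following toy is an added example, not code from the original article or from any firewall product: it feeds the same six packets to a stateless filter (which passes any inbound packet that is not a connection request, in the style of an "established" rule) and to a stateful filter that only admits inbound packets matching a session an internal host opened. Addresses, ports and the simplified handshake are constructed for the example; there are no sequence numbers or timeouts.

```python
"""
Added example, not from the article: a toy stateful-inspection firewall beside
a stateless "established"-style packet filter, showing how a state table
changes the verdict on the same packet. Inbound packets are allowed only when
they belong to a connection an internal host initiated and the firewall has
recorded. Addresses, ports and the TCP handshake are simplified and
constructed for the example (no sequence numbers, no timeouts).
"""
from dataclasses import dataclass

INSIDE_PREFIX = "192.168.1."     # assumed internal address range


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str                   # "SYN", "SYN-ACK" or "ACK"


def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)


def stateless_established_filter(pkt):
    """Stateless rule: inbound packets pass unless they try to open a connection."""
    if is_inside(pkt.src_ip):
        return "ALLOW"
    return "DROP" if pkt.flags == "SYN" else "ALLOW"


class StatefulFirewall:
    """Tracks connections initiated from inside; other inbound traffic is dropped."""

    def __init__(self):
        # (inside ip, inside port, outside ip, outside port) -> connection state
        self.table = {}

    def filter(self, pkt):
        outbound = is_inside(pkt.src_ip) and not is_inside(pkt.dst_ip)
        inbound = is_inside(pkt.dst_ip) and not is_inside(pkt.src_ip)
        if outbound:
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if pkt.flags == "SYN":
                self.table[key] = "SYN_SENT"       # new session opened from inside
                return "ALLOW"
            state = self.table.get(key)
            if state is None:
                return "DROP"                      # not part of any tracked session
            if state == "SYN_RECEIVED" and pkt.flags == "ACK":
                self.table[key] = "ESTABLISHED"
            return "ALLOW"
        if inbound:
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            state = self.table.get(key)
            if state is None:
                return "DROP"                      # unsolicited inbound traffic
            if state == "SYN_SENT" and pkt.flags == "SYN-ACK":
                self.table[key] = "SYN_RECEIVED"
                return "ALLOW"
            return "ALLOW" if state == "ESTABLISHED" else "DROP"
        return "DROP"


def run_demo():
    """Feed the same constructed packet sequence to both filters."""
    inside, outside = "192.168.1.10", "203.0.113.5"
    packets = [
        Packet(outside, 40000, inside, 80, "SYN"),       # unsolicited connection attempt
        Packet(inside, 51000, outside, 80, "SYN"),       # client opens a session
        Packet(outside, 80, inside, 51000, "SYN-ACK"),   # server reply to that session
        Packet(inside, 51000, outside, 80, "ACK"),       # handshake completes
        Packet(outside, 80, inside, 51000, "ACK"),       # data from the server
        Packet(outside, 80, inside, 51001, "ACK"),       # looks like a reply, matches nothing
    ]
    fw = StatefulFirewall()
    return {
        "stateless": [stateless_established_filter(p) for p in packets],
        "stateful": [fw.filter(p) for p in packets],
    }


if __name__ == "__main__":
    for name, verdicts in run_demo().items():
        print(name, verdicts)
```

The last packet is the one that matters: it carries the flags of a legitimate reply and the stateless rule lets it through, while the stateful firewall drops it because no internal host ever opened that session.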

Routers


Routers are devices used to connect different network segments and operate at the OSI Network layer. Routers operate by examining each received packet and using algorithms together with routing tables to determine the optimal path for the data to reach its ultimate destination. Routers essentially form the backbone of the internet. Routing tables are either updated manually by an administrator or configured automatically using a variety of different protocols, including Routing Information Protocol (RIP), Interior Gateway Routing Protocol (IGRP), Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF).

Routers also include some security in the form of Access Control Lists (ACLs), which drop packets based on pre-defined rules, as well as stateful inspection and packet filtering.
Perhaps the biggest potential security risk for routers involves remote access to internal functions and configuration options. Due to their distributed nature all routers provide remote administration features. It is essential, therefore, that strict password conventions are implemented and that encrypted communications are used when logging into a remote router.

Switches


Most switches operate at the Data Link layer (layer 2) of the OSI model (although newer models are now moving up to the Network Layer) and are the basis of most Ethernet based local networks. Each port on a switch is a separate collision domain making switches much more efficient than Hubs where all ports are on the same collision domain (whereby data for a specific network client is broadcast on all hub ports, not just the port to which the destination client is connected). Routing is based on the MAC addresses of devices connected to the switch.

As with routers, administrative access to switch devices must be carefully controlled using strict passwords and secure communications protocols during remote access.

Wireless


Starting with widespread deployment in home networks, Wireless Access Points and corresponding wireless network adapters have now begun to appear within business enterprises. This progress has accelerated considerably since the introduction of the N variant of the 802.11 Wi-Fi standard.

Wireless networking introduces a unique set of security threats that must be taken into consideration. First and foremost, the data transmitted over a wireless network is not confined to the cables concealed under floor boards, within wall cavities and false ceilings. Instead the data is quite literally traveling through the air waves. This means that anyone within range of the signal transmissions has the potential to intercept the data. In fact, placing a wireless device behind a firewall essentially renders the firewall impotent. The firewall will only block unwanted intrusion coming into the firewall via the physical connection to the internet. Compromising the wireless network from outside the building effectively bypasses the firewall.
A number of techniques are available to provide at least some level of security to wireless networks. One standard is Wired Equivalent Privacy (WEP) which was initially intended to provide a level of security for wireless networks which was at least as secure as a wired network. WEP relies on encryption to prevent the easy interception of wireless data by eavesdroppers. Encryption is RC4 based using shared 40-bit or 128-bit encryption keys. Unfortunately both levels of encryption have been proven to be breakable. That said, WEP is better than no protection at all, and if it is your only option be sure to choose the highest level of encryption.
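Why both WEP key lengths are breakable comes down to how WEP builds its per-packet RC4 key: a 24-bit initialization vector (IV) is prepended to the shared key, so whenever an IV repeats, two packets are encrypted with the identical keystream and XORing the two ciphertexts removes the keystream entirely, whatever the key length. The following worked demonstration is an added example, not code from the article or from any wireless vendor; the RC4 routine is a plain implementation of the published algorithm, and the keys, IVs and packet contents are constructed.

```python
"""
Added example, not from the article: a worked demonstration of why WEP's
RC4-based encryption is breakable regardless of a 40-bit or 104-bit
("128-bit") shared key. WEP builds each packet's RC4 key by prepending a
24-bit initialization vector (IV) to the shared key, so two packets sent
under the same IV are encrypted with the same keystream, and XORing their
ciphertexts cancels the keystream entirely. Key, IV and packet contents are
constructed; the RC4 routine follows the published algorithm.
"""


def rc4_keystream(key, length):
    """Standard RC4 key scheduling followed by keystream generation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key, iv, plaintext):
    """WEP-style per-packet encryption: RC4(IV || shared key) XOR plaintext."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    return xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def keystream_reuse_demo(shared_key):
    """Return what an observer learns from two packets sent under one IV."""
    iv = b"\x00\x00\x01"                      # constructed; WEP has only 2**24 IVs
    p1 = b"GET /index.html HTTP/1.0"          # constructed packet contents
    p2 = b"GET /secret.txt HTTP/1.0"
    c1 = wep_encrypt(shared_key, iv, p1)
    c2 = wep_encrypt(shared_key, iv, p2)
    # The keystream cancels: c1 XOR c2 == p1 XOR p2, with no key involved.
    keystream_cancels = xor_bytes(c1, c2) == xor_bytes(p1, p2)
    # Knowing one plaintext therefore reveals the other completely.
    recovered = xor_bytes(xor_bytes(c1, c2), p1)
    # A fresh IV gives a different keystream, which is why IV repetition is the flaw.
    c2_fresh_iv = wep_encrypt(shared_key, b"\x00\x00\x02", p2)
    return {
        "keystream_cancels": keystream_cancels,
        "recovered_p2": recovered,
        "fresh_iv_differs": c2_fresh_iv != c2,
    }


KEY_40 = bytes.fromhex("0102030405")                    # 5-byte key ("64-bit" WEP)
KEY_104 = bytes.fromhex("0102030405060708090a0b0c0d")   # 13-byte key ("128-bit" WEP)

if __name__ == "__main__":
    for label, key in (("40-bit", KEY_40), ("104-bit", KEY_104)):
        print(label, keystream_reuse_demo(key))
```

Note that the result is the same for the 40-bit and the 104-bit key: the longer key does nothing about IV reuse, which is why the article's advice to pick the highest WEP level only buys a little and WPA/WPA2 is the real fix.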
An improved wireless encryption and authentication standard is called Wi-Fi Protected Access (WPA and WPA2). WPA data is encrypted using the RC4 stream cipher (with a 128-bit key and a 48-bit initialization vector) together with keys which change dynamically while the system is operational. WPA is considered to be considerably more secure than the WEP standard.
Most wireless access points also provide MAC address filtering, accepting only data from devices with a MAC address which matches a pre-defined list of trusted devices. Once again the ability to fake the IP address of many systems increases the chances that a rogue system can be made to masquerade as a trusted system.
Just like routers and switches, wireless access points provide support for remote administration. Strict password selection enforcement and secure communications must always be used when accessing the access point's administration interfaces.