Thursday, 27 December 2012

IT Infrastructure Security Issue - Step by Step


Steps in Security:
  • Comprehend your IT infrastructure, network (configuration and topology), network traffic and communication system
  • Prepare a security policy, processes, procedures, and their implementation plan
  • Obtain approval of the above from management
  • Implement the above policies and plans
  • Maintain standardized documentation of the entire IT infrastructure
  • Periodically test and audit the entire network security
  • Create security awareness among users through training, crash courses or “tip of the day” messages
  • Undertake preventive measures before corrective measures become necessary.


Security Model 

It is said that “defense is in depth”. This security model is represented in the figure below. The model consists of 4 layers of security.


Most of us don’t work for organizations with budgets for the procurement of security equipment or systems (or security personnel). In this context, these tools perform data collection, analysis, reporting and generation of alarms.

Security Layer-1: Perimeter Defense Security Systems

This layer is like the four walls and the roof of a secure house. It includes firewalls, routers and proxy servers. A national survey showed that 70-80% of attacks are internal, i.e., from within the organization’s internal network. Therefore, securing against internal attacks is the first line of defense. However, having only this line is not enough to protect any network and valuable information.

One of the common attacks on this layer is the DoS (Denial of Service) attack, which involves flooding the point of connection to the outside world with unproductive traffic. Common DoS attacks on routers are Smurf, SYN, ACK and RST attacks. Cisco researchers/security analysts have produced a wonderful document (refer: http://www.cisco.com/warp/public/707/21.html) on how to configure a router to protect against these attacks. There are numerous solutions documented by various vendors. I have discussed Cisco’s findings here since I am implementing and managing the same in my organization.

The aforesaid paper describes how attacks like Smurf target victim systems using source-spoofed packets originating from a third party’s (middle) system. One of the methods to stop this involves filtering at the point of connection to the Internet, in your network or at your ISP. Additionally, router vendors have added options to disallow packets with spoofed IP source addresses; Cisco has implemented this by adding the command “[no] ip verify unicast reverse-path”. To prevent one’s own system from being the middle system (the system used to attack the target), Cisco added another command, “no ip directed-broadcast”, in IOS 12.0. This option is set by default and prevents an OSI layer 3 directed broadcast from being translated into an OSI layer 2 broadcast on the subnet.

If you have a DMZ, make sure the filters between your internal network and the DMZ are configured properly: the DMZ is set up as a network external to the internal (production) network.
However, to implement such a security system the following precautions should be taken at a minimum:

  • Install appropriate filters such as:
    - “access-list number deny icmp any any redirect”. This disallows ICMP redirect packets.
    - “Anti-spoofing”. This controls access through the router and stops packets arriving from outside with internal source IP addresses.
    - “no ip directed-broadcast”. This stops directed broadcasts.
  • Control and monitor filter configurations in terms of privileges and their use:
    - who can modify
    - who modified
    - when modified
  • Update filters:
    - as and when required to implement network changes
    - when installing new software releases
    - to prevent future attacks that may exploit existing or newly discovered vulnerabilities
  • Test filters to ensure that the rules are still working:
    - periodically
    - by break testing
  • Configure anti-virus software for real-time scanning at the gateway
  • Implement intelligent logging at a level that is enough to trace back an attack
  • Trace intrusions, if any, and analyze them in detail to take corrective measures to harden the security infrastructure
  • Maintain detailed documentation of the filter (router and proxy) configurations and follow change management
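The three filters listed above can be modelled as one policy function and exercised against a handful of constructed packets, which is one way to do the periodic break testing the list calls for. This is an added example, not code from the original article or from Cisco’s document; the interface names, address ranges and sample packets are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption): internal production network and DMZ.
INTERNAL = ip_network("10.0.0.0/8")
DMZ = ip_network("192.0.2.0/24")
ICMP_REDIRECT = 5  # ICMP type 5 is Redirect

@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrives on: "outside" or "inside"
    src: str
    dst: str
    proto: str          # "icmp", "tcp" or "udp"
    icmp_type: int = -1

def filter_packet(pkt):
    """Return ("deny"|"permit", rule) for one inbound packet."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    # "access-list <number> deny icmp any any redirect": drop ICMP redirects.
    if pkt.proto == "icmp" and pkt.icmp_type == ICMP_REDIRECT:
        return ("deny", "icmp-redirect")
    # Anti-spoofing: traffic entering from the Internet must not carry an
    # internal or DMZ source address.
    if pkt.iface == "outside" and (src in INTERNAL or src in DMZ):
        return ("deny", "anti-spoofing")
    # Effect of "no ip directed-broadcast": a packet from outside aimed at a
    # subnet broadcast address (the Smurf amplifier pattern) is not forwarded.
    if pkt.iface == "outside" and dst in (INTERNAL.broadcast_address,
                                          DMZ.broadcast_address):
        return ("deny", "directed-broadcast")
    return ("permit", "default")

def break_test(packets):
    """Map each rule to the packets it fired on; a rule missing from the result never fired."""
    hits = {}
    for pkt in packets:
        verdict, rule = filter_packet(pkt)
        hits.setdefault(rule, []).append(pkt)
    return hits

# Constructed probe traffic: one packet per filter plus legitimate traffic.
SAMPLE = [
    Packet("outside", "203.0.113.9", "192.0.2.10", "icmp", ICMP_REDIRECT),
    Packet("outside", "10.1.2.3", "192.0.2.10", "tcp"),            # spoofed internal source
    Packet("outside", "203.0.113.9", "10.255.255.255", "icmp", 8),  # echo request to broadcast
    Packet("outside", "203.0.113.9", "192.0.2.10", "tcp"),         # normal traffic to DMZ host
    Packet("inside", "10.1.2.3", "198.51.100.7", "tcp"),           # outbound from production
]
```

Running `break_test(SAMPLE)` after every filter change should still show one hit for each of the three deny rules; a rule that disappears from the result is a filter that no longer works.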

Security Layer-2: OS and Application Servers Security Systems  


This layer covers protection of the operating system, the application servers, web servers and mail servers.
While traffic is regulated at the perimeter depending on the needs of the organization, the applications utilizing the traffic run on different application/web servers, which in turn run on operating systems. An abuse of operating system privileges can potentially compromise network security. Users with access to the underlying operating system can jeopardize the availability and integrity of the firewall and expose critical network resources to both internal and external security threats. Hardening this layer will protect the network from a number of internal threats.
Vulnerabilities exist in operating systems, web servers, proxy servers, mail servers and application servers that need patches / service packs / hotfixes to fill those holes.
An organization may have multiple operating systems in its network. It is the responsibility of the OS vendors to make their products secure.
Windows NT 4.0 / 2000

Microsoft’s Windows NT is C2 compliant. This C2 rating does not guarantee that NT is the operating system with the best security: out of the box, NT has to be configured and patched to meet the C2 rating.
Given below are the steps I followed to make NT a secure operating system and to feel a bit comfortable (I said comfortable, not satisfied or done) about the security of my networks:
  • Install at minimum Service Pack 3 in the case of NT 4.0, and Service Pack 2 in the case of Windows 2000. SP3 for NT allows you to better secure your system; one of its major features is the addition of the "Authenticated Users" group to help eliminate anonymous connections. SP6a is now recommended for NT 4.0 systems. Installing post-SP3 hotfixes, or SP4 or a later service pack, will protect the server from attacks like GetAdmin and RedButton.
  • Enable auditing (it is not enabled by default). Audit failed logins as well as successful logins.
  • Enable a ‘change password periodically’ policy (not enabled by default). An important aspect of NT passwords that needs to be understood is that NT does not store encrypted passwords but hashed versions of the password. These hashes are produced by one-way algorithms, which means that they cannot be decrypted back to the password.
  • Another of NT’s biggest problems is that, even with SP3 installed, anyone who has network access to an NT machine can find out the name of the administrator and the privileged shared drives of that box. Disable this by changing the registry value “RestrictAnonymous” under “HKLM\SYSTEM\CurrentControlSet\Control\LSA”.
  • Change the default user rights in the “User Manager” menu. You may want to restrict users from logging on locally to the Primary Domain Controller.
  • Make proper backups. Don’t rely on NTBACKUP; instead use third-party backup software (e.g. ArcServeIT from Computer Associates), depending on whether multiple servers/workstations are to be backed up.
  • Have the NT registry backed up using RDISK /S or NT Resource Kit utilities (Regback.exe).
  • Windows 2000 ships with a powerful encryption system (the Encrypting File System, EFS) that adds an extra layer of security for drives, folders or files. This helps prevent a hacker from accessing your files by physically mounting the hard drive on another PC and taking ownership of the files. Be sure to enable encryption on folders, not just files: all files that are placed in such a folder will be encrypted.

Linux

There are different flavors of UNIX. Linux is one of the most widely used and popular variants of UNIX. Like any other operating system, we have to keep fine-tuning Linux too. Some of the precautionary measures related to Linux system security are as follows:
  • Passwords in Unix are the first line of defense. Make sure you implement a strong password policy and check once a week that the passwords are strong. Also force users to change them at least every 30 days.
  • Use “umask” to set the default permissions for file creation on your system.
  • Make sure that your system files are not open for casual editing by users and groups who shouldn't be doing such system maintenance.
  • Be very careful while configuring the kernel.
  • For further details related to the security parameters listed above, refer to http://www.linuxdoc.org/HOWTO/Security-HOWTO.html
  • Linux, by default, starts services like HTTP, FTP, SMB and sendmail, which may not be required but are waiting for someone to connect. Stop the services that are not required.
  • Check for the ‘.rhosts’ file and avoid using it. This file contains the names of systems on which you have an account.
  • Check syslog and the messages log regularly.
  • Check for unsuccessful as well as successful logons.
  • Check for suspicious entries in ‘inetd.conf’.
  • Be very careful while configuring anonymous FTP accounts: for example, the /incoming directory should be writable only by the users root and ftp, and user ‘anonymous’ should have only read access to the /incoming and /pub directories.
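Two of the checks above, password ageing of at most 30 days and unneeded services left enabled in inetd.conf, as a small audit run over constructed sample files. This is an added example, not from the original article or the Security-HOWTO; the /etc/shadow and inetd.conf lines, the placeholder hashes and the list of needed services are constructed assumptions.

```python
MAX_PASSWORD_AGE_DAYS = 30  # policy from the text: change passwords at least every 30 days

# Constructed /etc/shadow lines (real hashes replaced by a placeholder).
SHADOW = """\
root:$6$PLACEHOLDER:19300:0:30:7:::
alice:$6$PLACEHOLDER:19300:0:99999:7:::
bob:$6$PLACEHOLDER:19300:0::7:::
svc:*:19300:0:30:7:::
"""

# Constructed inetd.conf: lines starting with '#' are disabled services.
INETD_CONF = """\
#ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
shell   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
#login   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rlogind
smtp    stream  tcp  nowait  root  /usr/sbin/sendmail sendmail -bs
"""

NEEDED_SERVICES = {"smtp"}  # assumption: this host only needs to receive mail

def weak_password_ageing(shadow_text, max_days=MAX_PASSWORD_AGE_DAYS):
    """Return accounts whose max-age field (5th field) is empty or above max_days.
    Locked accounts (hash starting with '*' or '!') are skipped."""
    weak = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 5 or fields[1][:1] in ("*", "!"):
            continue
        max_age = fields[4]
        if not max_age or int(max_age) > max_days:
            weak.append(fields[0])
    return weak

def unneeded_inetd_services(conf_text, needed=NEEDED_SERVICES):
    """Return services enabled in inetd.conf that are not on the needed list;
    every such entry is a listener waiting for someone to connect."""
    enabled = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        service = line.split()[0]
        if service not in needed:
            enabled.append(service)
    return enabled
```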

Security Layer-3: Host Protection 


Now that we have our perimeter defense tightened and the OS fine-tuned, we need to look at another threat: the internal workstations connected to the network. We need workstation security for two reasons:
- to protect against someone trying to attack from within the network
- to protect the data stored on workstations from someone coming in through the firewall

Security Layer-4: Data/Information Protection


With the above three layers taken care of, I believe we should have one more layer on our data. Have encryption whenever possible. I prefer Windows 2000 to Win9x. Given the budget, I would make Windows 2000 the standard for mobile users.
Read more on Windows 2000 for mobile computing at http://www.microsoft.com/windows2000/professional/evaluation/business/overview/mobile/default.asp
  • Having all the security layers implemented on the corporate network helps secure all the PCs in the network, but once a PC is removed for use at home or on the road, its security is more at risk.
  • Data protection can be broken down into three distinct categories: operating system security, sensitive data storage practices, and data encryption.
  • Operating system security covers the normal operating system (and services) security best practices.
  • Sensitive data storage practices cover which data has to stay on a server and which data can be on a desktop/laptop.
  • Data encryption covers the need to have the data protected by means of encryption.

Conclusion 


Security cannot be achieved by merely implementing various security systems, tools or products. However, security failures are less likely through the implementation of security policy, process, procedure and product(s). Multiple layers of defense need to be applied to design a fail-safe security system. The idea behind multi-layered defense is to manage the security risk with multiple defensive strategies, so that if one layer of defense turns out to be inadequate, another layer of defense will, ideally, prevent a full breach. The author believes that, at a minimum, managers must apply a range of perimeter defenses so that their resources are not exposed to external attacks, and ensure that the security system is not limited by the weakest link among the security layers.


List of References:

Web Sites
  • Cisco - Improving security on Cisco routers: http://www.cisco.com/warp/public/707/21.html
  • Microsoft - How to clear Windows NT password at shutdown: http://support.microsoft.com/directory/article.asp?id=KB;EN-US;q18208
  • NT Security Sites:
    - http://www.microsoft.com/security/default.asp
    - http://www.ntsecurity.com/security-news.asp
    - http://www.labmice.net/articles/securingwin2000.htm
    - http://www.sans.org/infosecFAQ/win2000/win2000_list.htm
    - http://windows.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_ADtopnode.htm
  • Linux Security: http://www.linuxdoc.org/HOWTO/Security-HOWTO.html

Books
  • By Mathew Strebe, Charles Perkins & Michael G. Moncur
  • Building Internet Firewalls, by Elizabeth D. Zwicky, Simon Cooper and D. Brent Chapman

10 comments:

  1. Salam alaikum Abeer
    Your topic is very important, you know how much I'm interested in protection and security

    I found a very useful document about Network Security Model :

    http://www.sans.org/reading_room/whitepapers/modeling/network-security-model_32843

    your blog gave me a lot of information, thanks a lot Abeer

  2. walicom assalaam my Abeer ;)

    I'm happy you liked the topic and thanks for the link and your nice comment


    :$

  3. Mrehaa Abeer
    God bless your efforts .. Good coverage of the subject
    I also found this site talking about Security issues I hope to
    benefit students

    http://publib.boulder.ibm.com/infocenter/asehelp/v5r6m0/index.jsp?topic=/com.ibm.ase.help.doc/topics/r_infrastructure_security_issues_report.html

    May God reward you with every good

  4. your future is not secure if your information is not secure
    Thanks Abeer,very useful information

  5. Hi Abeer

    Good coverage of the subject, I enjoyed reading about the subject, and I benefited from the protection of information and data.


    Thank you

    Muna@ You're right!
    " loved your comment" your future is not secure if your information is not secure

    Thank you <3

  7. Wa3ad@

    Thank you 7bibati

    I'm glad that you liked it :$

  8. Hi Abeer ^_^
    Thank you for the helpful information
    I like your blog design so much .
    Good luck

  9. Ahlaan wa Sahlaan Maryam ...
    I'm happy to see your lovely comment..

    YOUR EYES ARE BEAUTIFUL <3
