Identifying and Classifying Network Security Threats
- Jun 26, 2008
This chapter covers the following topics:
- Network Visibility
- Telemetry and Anomaly Detection
- Intrusion Detection and Intrusion Prevention Systems (IDS/IPS)
Worms and denial of service (DoS) attacks are used maliciously to consume the resources of your hosts and network that would otherwise be used to serve legitimate users. In some cases, misconfigured hosts and servers can send traffic that consumes network resources unnecessarily. Having the necessary tools and mechanisms to identify and classify security threats and anomalies in the network is crucial. This chapter presents several best practices and methodologies you can use to successfully and quickly identify and classify such threats.
Most people classify security attacks into two separate categories: logic attacks and resource attacks. Logic attacks exploit existing software deficiencies and vulnerabilities to cause systems to crash, to substantially degrade their performance, or to enable attackers to gain access to a system. An example of this type of attack is the exploit of the Microsoft PnP MS05-039 Overflow Vulnerability, in which the attacker exploits a stack overflow in the Windows "plug and play" (PnP) service. You can exploit this vulnerability on Windows 2000 without a valid user account. Another example is the famous and old ping-of-death, whereby an attacker sends the system Internet Control Message Protocol (ICMP) packets that exceed the maximum legal length (65535 octets). You can prevent most of these attacks by either upgrading the vulnerable software or by filtering particular packet sequences.
The second category of attacks is referred to as resource attacks. The goal with these types of attacks is to overwhelm the victim system/network resources, such as CPU and memory. In most cases, this is done by sending numerous IP packets or forged requests. An attacker can build up a more powerful attack with a more sophisticated and effective method of compromising multiple hosts and installing small attack daemon(s). This is what many call zombies or bot hosts/nets. Subsequently, an attacker can launch a coordinated attack from thousands of zombies onto a single victim. This daemon typically contains both the code for sourcing a variety of attacks and some basic communications infrastructure to allow for remote control. A zombie attack is illustrated in Figure 3-1.
Figure 3-1 Zombies and Bots
In Figure 3-1, an attacker controls compromised hosts in Company A and Company B to attack a web server farm in another organization.
You can use different mechanisms and methodologies to successfully identify and classify these threats/attacks depending on their type. In other words, depending on the threat, you can use specific techniques to identify and classify them accordingly. Following are the most common methodologies:
- The use of anomaly detection tools
- Network telemetry using flow-based analysis
- The use of intrusion detection and intrusion prevention systems (IDS/IPS)
- Analyzing network component logs (that is, SYSLOG from different network devices, accounting records, application logs, Simple Network Management Protocol (SNMP), and so on)
Complete visibility is one of the key requirements when identifying and classifying security threats. The following sections explain best practices for achieving complete network visibility and the use of the previously mentioned tools and mechanisms.
The first step in the process of preparing your network and staff to successfully identify security threats is achieving complete network visibility. You cannot protect against or mitigate what you cannot view/detect. You can achieve this level of network visibility through existing features on network devices you already have and on devices whose potential you do not even realize. In addition, you should create strategic network diagrams to clearly illustrate your packet flows and where, within the network, you may enable security mechanisms to identify, classify, and mitigate the threat. Remember that network security is a constant war. When defending against the enemy, you must know your own territory and implement defense mechanisms in place. Figure 3-2 illustrates a fairly simple high-level enterprise diagram.
Figure 3-2 High-Level Enterprise Diagram
In Figure 3-2, the following sections are numbered:
- The Internet edge: In this example, the enterprise headquarters is connected to the Internet via redundant links. Two Cisco Adaptive Security Appliances (ASA) are configured to protect the infrastructure.
- Site-to-Site VPN: The headquarters office is connected to two branches via IPsec site-to-site VPN tunnels terminated on two Cisco IOS routers.
- End users: The headquarters building has its sales, finance, engineering, and marketing departments on four separate floors.
- Call center: There is a call center with more than 100 agents on the 5th floor.
- Data center: The data center includes e-commerce, e-mail, database, and other application servers.
You can create this type of diagram not only to understand the architecture of your organization but also to strategically identify places within the infrastructure where you can implement telemetry mechanisms like NetFlow and identify choke points where you can mitigate an incident. Notice that the access, distribution, and core layers/boundaries are clearly defined.
Look at the example illustrated in Figure 3-3. A workstation at the call center usually communicates over TCP port 80 (HTTP) to a server in the data center. This traffic is allowed within the access control lists because it is legitimate traffic to the server. However, the traffic from this specific workstation increased more than 400 percent over normal. Subsequently, performance on the server is degraded, and the infrastructure is congested with unnecessary packets.
Figure 3-3 NetFlow at the Distribution Switch
In this case, NetFlow was configured at the distribution layer switch, and the administrator was able to detect the anomaly. The administrator then configures a host-specific ACL to deny the traffic from the call center workstation, as shown in Figure 3-4. In more sophisticated environments, you can even implement remotely triggered black hole (RTBH) routing to mitigate this incident.
Figure 3-4 Abnormal Traffic Stopped
In the example illustrated in Figure 3-4, the problem was a defect within the call center workstation application. The administrator was able to perform detailed analysis and patch the machine while preventing disruption of service.
You can also develop a different type of diagram to visualize operational risks within your organization. These diagrams are based on device roles and can be developed for critical systems you want to protect. For example, identify a critical system within your organization and create a layered diagram similar to the one in Figure 3-5. In this example, a database called ABC is the most critical application/data source for this company. The diagram presents ABC Database Server in the center.
Figure 3-5 Layered Diagram for Visualizing Risk
You can use this type of diagram to audit device roles and the type of services they should be running. For example, you can decide in what devices you can run services like Cisco NetFlow or where to enforce security policies. In addition, you can see the life of a packet within your infrastructure depending on the source and destination. An example is illustrated in Figure 3-6.
Figure 3-6 Illustrating a Packet Flow
Figure 3-6 shows the packet flow that occurs when a user from the sales department accesses an Internet site. You know exactly where the packet is going based on your architecture and your security and routing policies. This is a simple example; however, you can use this concept to visualize risks and to prepare your isolation policies.