Defense in Depth
A well-structured defense architecture treats security of the network like an onion. When you peel away the outermost layer, many remain underneath it. No concept carries more importance when discussing network security than defense in depth. Defense in depth helps you protect network resources even if one of the security layers is compromised. After all, no single security component can be guaranteed to withstand every attack it might need to face.
We operate in a real world of system misconfigurations, software bugs, disgruntled employees, and overloaded system administrators. Moreover, any practical security design needs to accommodate business needs that might require us to open certain firewall ports, leave additional services running on the server, or prevent us from applying the latest security patch because it breaks a business-critical application. Treating perimeter security components as parts of a coherent infrastructure allows us to deploy them in a way that accounts for the weaknesses and strengths of each individual component. Of course, given the requirements of your organization, you might choose not to implement every component discussed in this chapter. The extent to which you need to apply network security layers depends on the needs and capabilities of your business.
After introducing defense in depth in this section, we will use it as the guiding principle behind designs and implementations throughout this book. In fact, this topic is so important, we will conclude the book with a chapter devoted specifically to this topic.
Components of Defense in Depth
What exactly does defense in depth entail? The simple answer is the perimeter, the internal network, and a human factor. Each of these comprises many components, which are independently not enough to secure a network. The key lies in each component complementing the others to form a complete security picture.
When we think of network security, we most often think of the perimeter. As we mentioned earlier in this chapter, the perimeter includes any or all of the following:
Static packet filter
IDS and IPS
We have already introduced these security components to you. Now, let's take a look at how they might work together to form a defense-in-depth infrastructure.
Static packet filters inspect basic information within every packet and are typically implemented as routers. The border device is the first incoming and the last outgoing layer of your network security. It contributes to defense in depth by filtering traffic before it enters or exits your network. All too often, we only consider filtering incoming traffic, but then we don't get the full usability of our border router.
Improperly addressed traffic, such as packets carrying internal source addresses that arrive on your external interface, or vice versa, can be blocked with ingress and egress filtering. Border routers can also block traffic that is considered high risk from entering your network, such as traffic on the SANS Top 20 Vulnerabilities list (http://www.sans.org/top20). ICMP is a favorite of attackers both for DoS attacks and reconnaissance, so blocking this protocol in whole or in part is a common function of a border router. You may also consider blocking source-routed packets at the border router because they can circumvent defenses. The border router can also block out-of-band packets, such as SYN-FIN packets.
On February 9, 2000, websites such as Yahoo! and CNN were temporarily taken off the Internet, mostly by distributed denial of service (DDoS) Smurf attacks. A Smurf attack involves sending spoofed ICMP echo requests (ping) to the broadcast address, resulting in a response from every host. In this case, spoofing allowed attackers to direct the large number of responses to a victim network. Ingress and egress filtering would have blocked the spoofed traffic and allowed them to weather the DDoS storm. Every network should have ingress and egress filtering at the border router to permit only traffic that is destined for the internal network to enter and traffic that is destined for the external network to exit. We will cover filtering, including ingress and egress filters, in Chapter 2, "Packet Filtering."
Static packet filters, such as routers, are faster at screening traffic than stateful or proxy firewalls. This speed comes in handy when you are under attack or when the firewall is already under a heavy load. What if you don't have a border router under your exclusive control? If your Internet connection is relatively small (T1 or less), then performing filtering solely on a firewall might be sufficient.
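The following Python is an added illustration, not code from this book, of the stateless checks a border router's static filter performs as described above: ingress and egress anti-spoofing, dropping source-routed packets, dropping out-of-band SYN-FIN packets, and dropping the ICMP echo requests to the broadcast address that a Smurf attack relies on. The internal address block and the sample packets are assumed and constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Assumed internal address block (a documentation range, not a real site).
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    iface: str                   # "external" = arriving from the Internet, "internal" = leaving
    tcp_flags: set = field(default_factory=set)
    icmp_type: Optional[int] = None
    source_routed: bool = False  # IP source-route option present


def border_filter(pkt: Packet):
    """Stateless verdict on one packet: returns (action, reason).

    Each rule looks only at the packet in hand; no connection state is kept,
    which is what makes a static filter fast enough to sit at the border."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.iface == "external":
        # Ingress: outside traffic may neither claim an internal source
        # address nor be destined anywhere but our own network.
        if src in INTERNAL_NET:
            return ("drop", "ingress: spoofed internal source from the outside")
        if dst not in INTERNAL_NET:
            return ("drop", "ingress: not destined for the internal network")
    else:
        # Egress: traffic leaving must carry one of our own source addresses,
        # so a compromised internal host cannot emit spoofed packets.
        if src not in INTERNAL_NET:
            return ("drop", "egress: spoofed source address leaving the network")
    if pkt.source_routed:
        return ("drop", "source-routed packet")
    if pkt.proto == "tcp" and {"SYN", "FIN"} <= pkt.tcp_flags:
        return ("drop", "out-of-band SYN-FIN packet")
    if pkt.proto == "icmp" and pkt.icmp_type == 8 and dst == INTERNAL_NET.broadcast_address:
        return ("drop", "ICMP echo request to the broadcast address (Smurf amplifier)")
    return ("accept", "passes the static filter")


# Constructed sample traffic: one legitimate web request and several packets
# the border router should refuse.
SAMPLE_TRAFFIC = [
    Packet("198.51.100.4", "192.0.2.10", "tcp", "external", {"SYN"}),
    Packet("192.0.2.7", "192.0.2.10", "tcp", "external", {"SYN"}),           # spoofed source
    Packet("198.51.100.4", "192.0.2.10", "tcp", "external", {"SYN", "FIN"}),
    Packet("198.51.100.4", "192.0.2.255", "icmp", "external", icmp_type=8),  # Smurf trigger
    Packet("203.0.113.9", "198.51.100.4", "udp", "internal"),                # spoofed egress
]


def filter_report(packets=SAMPLE_TRAFFIC):
    """Run every packet through the filter; returns a list of (action, reason)."""
    return [border_filter(p) for p in packets]


if __name__ == "__main__":
    for pkt, (action, reason) in zip(SAMPLE_TRAFFIC, filter_report()):
        print(f"{action:6} {pkt.src:>14} -> {pkt.dst:<14} {reason}")
```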
Unlike static packet filtering devices, stateful firewalls keep track of connections in a state table and are the most common type of firewall. A stateful firewall blocks traffic that is not in its table of established connections. The firewall rulebase determines the source and destination IP and port numbers permitted to establish connections. By rejecting nonestablished, nonpermitted connections, a stateful firewall helps to block reconnaissance packets, as well as those that may gain more extensive unauthorized access to protected resources.
Stateful firewalls are able to recognize and block traffic that is part of a nonestablished, nonpermitted connection, such as attempts at reconnaissance. The ability to block reconnaissance attempts that hit your firewall, such as the Nmap ACK scan, makes stateful firewalls a valuable part of defense in depth by adding another layer of security to your network. An alternative, and sometimes a complement to a stateful firewall, is a proxy firewall.
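As an added example (not code from this book), the Python below models the state table and rulebase described in the two paragraphs above: a SYN that the rulebase permits creates a state entry, later packets of that connection are accepted because the entry exists, and an unsolicited ACK of the kind an ACK scan sends is dropped because it matches neither an entry nor a rule. The rulebase, the addresses and the packet sequence are assumed and constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. frozenset({"SYN"})


class StatefulFirewall:
    """Toy stateful firewall: the rulebase says who may open a connection,
    the state table says which packets belong to a connection already open."""

    def __init__(self, rulebase):
        # Rulebase entries are (source network, destination host, destination port).
        self.rulebase = [(ipaddress.ip_network(net), ipaddress.ip_address(host), port)
                         for net, host, port in rulebase]
        # (client, client port, server, server port) -> "SYN_SENT" or "ESTABLISHED"
        self.state = {}

    def _rule_permits(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return any(src in net and dst == host and pkt.dport == port
                   for net, host, port in self.rulebase)

    def process(self, pkt):
        """Returns (action, reason) and updates the state table."""
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)   # client -> server direction
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # server -> client direction
        key = fwd if fwd in self.state else rev if rev in self.state else None
        if key is not None:
            if "RST" in pkt.flags or "FIN" in pkt.flags:
                # Simplification: one FIN or RST closes the entry; a real
                # firewall waits for both sides and keeps a short timeout.
                del self.state[key]
                return ("accept", "teardown of tracked connection")
            if key == rev and pkt.flags == frozenset({"SYN", "ACK"}):
                self.state[key] = "ESTABLISHED"   # server answered the handshake
            return ("accept", f"part of tracked connection ({self.state[key]})")
        if pkt.flags == frozenset({"SYN"}) and self._rule_permits(pkt):
            self.state[fwd] = "SYN_SENT"
            return ("accept", "new connection permitted by rulebase")
        # Nonestablished and nonpermitted: a lone ACK from an ACK scan lands
        # here, as does a SYN to a port the rulebase does not open.
        return ("drop", "no state table entry and not a permitted new connection")


def handshake_then_scan():
    """Constructed traffic: a permitted web connection, then two probes."""
    fw = StatefulFirewall([("0.0.0.0/0", "192.0.2.10", 80)])  # assumed rulebase
    client, server = "198.51.100.4", "192.0.2.10"
    packets = [
        Packet(client, 40001, server, 80, frozenset({"SYN"})),
        Packet(server, 80, client, 40001, frozenset({"SYN", "ACK"})),
        Packet(client, 40001, server, 80, frozenset({"ACK"})),
        Packet(client, 40002, server, 80, frozenset({"ACK"})),   # unsolicited ACK probe
        Packet(client, 40003, server, 22, frozenset({"SYN"})),   # port not in rulebase
    ]
    return [fw.process(p)[0] for p in packets]


if __name__ == "__main__":
    print(handshake_then_scan())  # ['accept', 'accept', 'accept', 'drop', 'drop']
```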
Proxy firewalls are the most advanced and least common type of firewall. Proxy firewalls are also stateful, in that they block any nonestablished, nonpermitted connections. As with stateful firewalls, the firewall rulebase determines the source and destination IP and port numbers that are permitted to establish connections. Proxy firewalls offer a high level of security because internal and external hosts never communicate directly. Rather, the firewall acts as an intermediary between hosts. Proxy firewalls examine the entire packet to ensure compliance with the protocol that is indicated by the destination port number. Ensuring that only protocol-compliant traffic passes through the firewall helps defense in depth by diminishing the possibility of malicious traffic entering or exiting your network.
Using proxy firewalls diminishes the possibility of malicious traffic entering or exiting your network by ensuring that only protocol-compliant traffic passes through. However, what happens if malicious traffic appears to be appropriate material and adheres to the protocol?
An IDS represents the eyes and ears of a network by monitoring the network and hosts from critical points for malicious activity. Typical network IDS sensor placement includes each network segment directly connected to the firewall, as well as critical points within the network. If malicious traffic bypasses your other defense mechanisms, an IDS should be able to detect it, as well as communicate what it sees. This is precisely how an IDS helps with defense in depth.
For example, a network IDS could identify and alert on the following:
DNS zone transfer requests from unauthorized hosts
Unicode attacks directed at a web server
Buffer overflow attacks
There are numerous incidents where successive fast-spreading worms have brought down large international networks. If these companies had been able to identify and isolate the infected machines quickly each time a new worm hit, they could have kept their networks functioning. An IDS with the correct signature would facilitate that identification. An IDS can help identify malicious traffic that might otherwise appear normal to an untrained eye. For example, a DNS zone transfer is a legitimate and common operation for peered DNS servers to engage in. However, we should consider zone transfers outside of those hosts dangerous.
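The zone transfer example above is specific enough to turn into a signature. The Python below is an added example, not code from this book or any IDS product: it parses the question section of a DNS query from its wire format and alerts when the request is an AXFR or IXFR and the requesting host is not on an assumed list of authorized secondaries. The sample queries are constructed in the block itself.

```python
import ipaddress
import struct

ZONE_TRANSFER_QTYPES = {251: "IXFR", 252: "AXFR"}
# Assumed: the only secondary permitted to pull zones from our primary server.
AUTHORIZED_SECONDARIES = {ipaddress.ip_address("192.0.2.53")}


def parse_question(payload: bytes):
    """Return (qname, qtype) from the first question of a DNS query.

    Reads the fixed 12-byte header and an uncompressed question section
    (RFC 1035 wire format); anything else raises ValueError."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000:
        raise ValueError("response, not a query")
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            raise ValueError("truncated qname")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer inside question")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("truncated qtype/qclass")
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), qtype


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Constructed sample query, used here only to fabricate test traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


def inspect(src_ip: str, dst_port: int, payload: bytes):
    """Signature: zone transfer request to port 53 from a host not on the list.
    Returns an alert string, or None when the packet is not of interest."""
    if dst_port != 53:
        return None
    try:
        qname, qtype = parse_question(payload)
    except ValueError:
        return None
    if qtype not in ZONE_TRANSFER_QTYPES:
        return None                      # ordinary lookup, no alert
    if ipaddress.ip_address(src_ip) in AUTHORIZED_SECONDARIES:
        return None                      # peered secondary doing its job
    return (f"ALERT {ZONE_TRANSFER_QTYPES[qtype]} request for {qname} "
            f"from unauthorized host {src_ip}")


if __name__ == "__main__":
    # Constructed traffic: one legitimate transfer, one from an unknown host.
    for src in ("192.0.2.53", "198.51.100.4"):
        print(src, inspect(src, 53, build_query("example.com", 252)))
```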
An IDS contributes toward a defense-in-depth architecture by detecting and reporting suspicious activity. This functionality can be augmented by deploying an IPS, which, in addition to detecting attacks, attempts to automatically thwart them. Intrusion prevention is becoming a popular term in literature describing firewall and IDS products; such "active response" technology gives us an opportunity to block malicious activity in situations where the likelihood of falsely identifying an attack is low.
An IDS allows us to tune our defenses to match the current threats. Furthermore, correlation of router, firewall, VPN, and system logs can yield some information about suspicious activity on the network. These logs are not meant to replace the granularity and extensiveness of IDS logs, but to augment them. Logs from non-IDS perimeter components can help significantly when the network IDS logs are of no use, such as when the traffic is still encrypted en route to a VPN device.
VPNs protect communications over unprotected networks, such as the Internet. They improve security by offering confidentiality, integrity, and nonrepudiation. For example, a VPN can allow your employees working from home to connect to your servers in a trustworthy manner even while traversing the Internet. In this scenario, the VPN will make sure that no one can monitor the protected traffic, that no one can modify it without being detected, and that the data really came from the expected user. VPNs are appropriate for a wide range of applications and are often useful when dedicated private lines are too expensive or impractical for connecting network nodes. Protecting communications over unprotected networks helps us defend our networks with depth.
VPNs are wonderful tools or wonderful weapons, depending on who is using them. By providing protected communications over unprotected channels, a VPN is a tool to legitimate users. If, however, the endpoints of a VPN connection are not secure, an attacker might be able to gain a protected channel into your internal network, giving him an awesome weapon. In our experience, many large networks that have been severely crippled by worms were affected by the same type of culprit during every infection: a VPN user who was working from home. Users would surf the Web using their personal broadband connections at night before logging onto the internal network the following day via the VPN. A worm infected their machines when they were connected to the Internet at night. When they connected to the internal network the following day, the worm propagated to the internal network and ran rampant.
VPNs offer significant cost savings over the previous alternative of frame relay or a private line. We can use a VPN to protect all traffic from one network to another (network to network), between two hosts (host to host), or from a single host to a network (host to network). Knowing this, the way in which we configure our networks becomes increasingly important.
All too often, security is not a primary concern to a business when putting a network in place. A well-thought-out network architecture is vital to defense in depth because it segregates resources and provides for performance and redundancy. A well-designed infrastructure can act as a business enabler, rather than a stumbling block to the organization.
We need to do the following when evaluating a network security architecture:
Determine what resources need to be protected.
Determine the risk.
Determine business requirements.
With this information, we can make educated decisions regarding our network defenses.
A solid network architecture created with security in mind will segregate resources and provide for performance and redundancy. Segregating resources is vital to defense in depth, and we will look at it closely in Chapter 13, "Separating Resources." We must keep in mind that no matter how segregated a host is from a network viewpoint, its configuration must also be hardened.
We've discussed how various components of the perimeter contribute to the overall security of our network through defense in depth. Although vital, the external perimeter is only one piece of defense in depth. Next, we examine a piece that many organizations neglect to properly address: the internal network.
The Internal Network
The internal network is the network that is protected by the perimeter and that contains all the servers, workstations, and infrastructure with which a company conducts business.
So often, administrators of various types say, "We can trust our own people." Organizations often neglect the security of the internal network because they don't consider an internal attack a risk. An internal attack doesn't have to be a malicious employee; it can be a careless employee as well. As organizations are learning each time a new worm comes out, they cannot afford to overlook the security of the internal network!
Let's shift gears for a minute. Conjure up an image of what you consider a highly skilled attacker. Imagine him breaking into your most sensitive systems...while sitting at your desk. What would stop him?
On the internal network, we could have the following "perimeter" devices:
Ingress and egress filtering on every router
Internal firewalls to segregate resources
IDS sensors to function as "canaries in a coal mine" and monitor the internal network
On protected systems, we can use the following:
Host-centric (personal) firewalls
Operating system hardening
Host-centric (personal) firewalls are generally implemented as software modules that run on individual machines, screening network traffic as it enters and leaves the system. Many are configurable on a per-application basis, meaning that the user determines which applications have rights to access the Internet or function as servers (accept incoming connections). Personal firewalls help defense in depth by augmenting the perimeter on every host.
You might ask, "Why do I need a personal firewall if I'm already behind a network firewall at work?" A personal firewall at work can protect you from malicious programs, such as Trojans, and other internal hosts, as is the case with malicious internal users. If you do not have a personal firewall and connect to the Internet outside of work (such as the hotel room while traveling or the home office when working from home), you cannot assume that you are being protected.
Host-centric firewalls are wonderful pieces of software that augment the perimeter. If a traditional firewall cannot be deployed at the network's entry point, host-centric firewalls are cost-effective alternatives, especially if the network hosts a small number of systems. Host-centric firewalls are also useful for mobile users who connect to a network outside of work. Almost every network needs firewall technology of some sort, be it with static packet filters, stateful firewalls, or proxy firewalls on the perimeter or the individual machines. Most networks with user-level workstations also need an antivirus capability.
In many respects, antivirus software and network IDSs are similar in that they frequently operate by examining data for signatures of known malicious intent. Antivirus software typically looks at the data on the file system and in RAM, whereas a network IDS examines data on the network. As vendors package antivirus, personal firewall, and IDS technology into a single product, the line distinguishing the three becomes increasingly vague. The role of antivirus in defense in depth is clear: it protects against malicious code.
We can augment our antivirus capability on the desktop through products that couple with perimeter components, such as firewalls and email servers. The effectiveness of antivirus software drastically decreases if it is not regularly updated, or if it does not yet provide a signature to identify the latest virus or worm. This is often the case with worms, which propagate very quickly. Locking down the host's configuration becomes critically important in the case of ineffective antivirus software.
Host hardening is the process of tightening the configuration of the host's OS and applications with the purpose of securing any unnecessary openings on the system. This typically involves applying relevant OS and application patches, setting file system permissions, disabling unnecessary services, and enforcing password restrictions. If everything else fails, host hardening is the last layer protecting an individual system. That makes it vital to defense in depth.
Consider the nontechnical co-worker who was checking her personal email through a hotel's dial-up connection. What if she had not installed a personal firewall or antivirus software? If basic hardening had not been performed either, she would have likely presented the attacker with a variety of vulnerabilities to exploit. It is all too easy to forget about host hardening when multiple layers of defense are surrounding the system. The fact remains that those defenses are not perfect, and we need that last layer. The question of how to keep on top of host hardening naturally arises.
Configuration management is the process of establishing and maintaining a known configuration for systems and devices that are on the network. Large companies might have an automated means of manipulating the configuration of all hosts, whereas small companies might perform the process manually. Defense in depth benefits from the ability to enforce a standard configuration.
Configuration management can enforce the following:
That all Windows machines have a particular service pack installed
That all Linux machines have a specific kernel running
That all users with remote-access accounts have a personal firewall
That every machine has antivirus signatures updated daily
That all users agree to the acceptable-use policy when they log on
Some of these tasks naturally lend themselves to large-scale automation, whereas others we can accomplish manually.
Configuration management is the best way to establish a standard, secure configuration so that damage from incidents is limited. It can also enable your organization to control unauthorized software installation. Configuration management is an important piece of defense in depth because it enforces a standard configuration. How can we verify that a configuration is a secure one that remains unchanged?
Auditing is the process of reconciling perception with reality and improving upon it. Internal staff or external consultants can perform audits. The information that we present next was written from the perspective of an external consultant, but it applies to either situation. Verifying the current state of security and improving upon it is vital to defense in depth.
An audit typically progresses like this:
An informational meeting is held to plan the audit. At the first informational meeting, the auditor finds out what the client wants and expects and establishes risks, costs, cooperation, deliverables, timeframes, and authorization.
Fieldwork begins (implementing the audit). When the client is ready, the auditor performs the audit in line with what we established in the planning session.
The initial audit report (technical report) takes place. The auditor might prefer to give an initial audit report to the technical representatives of a client before their management sees the final report. This provides the technical staff with an opportunity to address some concerns before the final report goes to management. This also ensures that the technical representatives know what their management will see and can offer clarification on any issues.
The final audit report (a nontechnical report with the final technical report) takes place. The final audit report typically contains an executive summary, the general approach used, the specific methodology used, and the final technical report.
Follow-up occurs (verifying that the recommendations have been carried out). When the client is ready, the auditor may return to verify that the issues have been resolved.
Just like you go to your doctor on a regular basis for a physical to make sure you're as healthy as you think you are, you should check your network on a regular basis to ensure that your perception and the reality of your defenses coincide. Consider an audit preventative maintenance. An audit is the only tool in defense in depth to verify that everything is as it should be.
Securing the internal network with host-centric firewalls, antivirus software, and host hardening is not a trivial task. Configuration management and audits can help you accomplish this. Addressing security on the external perimeter and the internal network is not enough. Next, we will complete the defense-in-depth picture by discussing the human factor.
The Human Factor
Frequently, we get caught up in the technical aspect of network security without considering its nontechnical element. Tasks such as optimizing the firewall rulebase, examining network traffic for suspicious patterns, and locking down the configuration of systems are certainly important to network security. What we often forget is the human end of things, such as the policies and awareness that go along with the technical solution.
Policy determines what security measures your organization should implement. As a result, the security policy guides your decisions when implementing security of the network. An effective defense-in-depth infrastructure requires a comprehensive and realistic security policy.
Hallmarks of good policy include the following:
Authority: Who is responsible.
Scope: Who it affects.
Expiration: When it ends.
Specificity: What is required.
Clarity: Can everyone understand it?
User awareness is like driver's education. Users can reduce risk and help defense in depth if they know and follow the security policy. Here are some of the actions you can take to increase user awareness of your organization's security policy:
Have every user sign an acceptable-use policy annually.
Set up a security web page with policies, best practices, and news.
Send a "Security Tip of the Week" to every user.
A direct benefit of aware users comes when considering social-engineering attacks. For example, if users know not to give their password to other people, a potential attack might be thwarted. When users are aware of policy, there tends to be fewer incidents and misunderstandings, and users feel more involved in security. Additionally, in the case of policy violations, if the users are educated, it's harder for people to claim that they didn't know they were doing something wrong.
Remember: Defense in depth hinges on the human factor of policy and user awareness. Policy determines what security measures your organization should implement. Those security measures should reflect policy. Defense in depth is the means to policy implementation; it depends on it.
We've examined the components of defense in depth and how they contribute to security of the network. Defense in depth is a flexible concept that allows you to create an effective security infrastructure that reflects the requirements of your organization. For example, smaller organizations might not be able to afford some of the components we discussed, but alternatives usually exist. Regardless of the size of your organization, policy and user awareness are necessary.
We'll wrap up this chapter by looking at a real-world case where defense in depth could have saved an organization a lot of time, effort, and money.