Network Security Recommendations
As you can see, depending on your environment and the location of hosts, a complex set of rules can be required on your firewall. Don't let the complexity prevent you from properly configuring the firewall, however. A little work initially can mean a better, more secure monitoring solution.
The following sections discuss issues regarding firewall protection for MARS and network-based IPSs and IDSs. The suggestions given are a good place to begin, but they by no means work in every network. For example, the TCP and UDP ports described in the preceding sections are only defaults. You can configure most of these services, which are common in many networks, to use other ports. Check Point firewalls, for example, are commonly configured to use different ports than the defaults of TCP ports 18184, 18190, and 18210.
Ingress Firewall Rules
To simplify the work involved, you should define some network object groups on your firewall. If you're not familiar with this term, think of object groups as variables that you can use while configuring the firewall to make life easier. Rather than referring to a large list of IP addresses or TCP/UDP ports, you can simply refer to a name instead. The following examples use an object group called CORP_NET, which consists of all IP addresses used on your organization's network.
Ingress traffic refers to traffic that is inbound to a firewall (toward CS-MARS) from a less trusted network. Figure 4-1 shows both ingress traffic and egress traffic, or traffic that leaves CS-MARS to go toward the less trusted network.
Figure 4-1 Ingress and Egress Traffic
The following ingress rules are a good starting point for most companies:
- Step 1 Permit syslog and SNMP trap traffic (UDP 162 and 514) from security operations (SecOps).
- Step 2 Permit NetFlow traffic (UDP 2049) from SecOps.
- Step 3 Permit HTTPS (TCP 443) from SecOps if a large number of people will be accessing the web console of MARS to run ad hoc reports. Otherwise, permit HTTPS to a restricted range of addresses.
- Step 4 Permit SSH (TCP 22) to a very restricted set of addresses. If the security management network has its own VPN gateway, which might be a function of the firewall, you might want to require administrators to establish a VPN connection before permitting SSH.
- Step 5 Permit HTTP (TCP 80) from any monitored web servers running iPlanet or Apache. If you're using NetCache appliances, permit HTTP from it as well.
- Step 6 If your MARS deployment consists of multiple MARS LCs that communicate to a centralized MARS GC, permit required management traffic between those systems (TCP 443 and 8444).
- Step 7 Deny all other traffic.
Egress Firewall Rules
Egress firewall rules refer to filters that restrict traffic from the protected network to less trusted networks. Ideal security would restrict outbound traffic to only those ports that are necessary for proper functioning of the MARS appliance. However, in real life, this might be unmanageable. You need to determine the proper balance between security and manageability.
For example, a strict default egress policy might make sense for your company's public-facing web server. Hopefully, connectivity from the Internet to your web server (ingress rule) is permitted only on either TCP 80 or 443, depending on whether your web server uses encrypted HTTP. The egress policy should deny all traffic that originates from the web server to hosts on the Internet. In other words, someone should never be allowed to browse the Internet from your web server, to download files from the web server, or to have other communications from the web server to the Internet. By applying a proper egress rule on the firewall that denies it, an attacker is also denied that same communications path. In most instances where a web server, or any other server, is compromised by a hacker, the hacker's next steps include copying files to the web server. This is either to deface websites, install root kits, or retrieve the software needed to further hack into the network. Strict egress filters raise the difficulty level, often to a level that exceeds the capabilities of the hacker.
Depending on your environment and which MARS features you're using, strict egress filters might be unmanageable. However, you should evaluate them to see whether they are workable in your environment.
The following list of egress filters serves as a good starter set for most networks:
- Step 1 Permit traffic required for name resolution to CORP_NET—for example, Domain Name System (DNS) and Server Message Block (SMB) for Windows hosts (TCP and UDP 53, TCP 137 and 445) to CORP_NET.
- Step 2 Permit Network Time Protocol (NTP) to specified NTP servers, either on your network or internetwork.
- Step 3 Permit device discovery traffic on CORP_NET for routers and switches—for example, Telnet (TCP 23), SSH (TCP 22), and SNMP (UDP 161).
- Step 4 Permit HTTPS to CORP_NET to allow MARS to discover Cisco IDS/IPS sensors as well as to allow event retrieval from Cisco IDSs/IPSs and Cisco routers running IOS IPS, and to allow communications between MARS LCs and GCs. If possible, restrict this range to a subset of CORP_NET.
- Step 5 Permit FTP (TCP 21) to a centralized FTP server that contains configuration files of routers and switches, if you want to take advantage of this feature.
- Step 6 Permit Simple Mail Transfer Protocol (SMTP) (TCP 25) to allow MARS to e-mail reports and alerts to your SMTP gateway.
- Step 7 Permit NFS (UDP 2049) if your MARS archive server resides on a different network (not recommended).
- Step 8 Permit TCP 8444 to allow communications between MARS LCs and GCs, if they reside in different locations.
- Step 9 Deny all other traffic.
If you want to take advantage of the MARS internal vulnerability assessment capabilities, the preceding list of rules will not work. Instead, use the following egress filter list:
- Step 1 Permit all TCP and UDP traffic sourced from CS-MARS or a third-party vulnerability scanner.
- Step 2 Permit NTP traffic to defined NTP servers, if they do not exist locally on SecOps.
- Step 3 Deny all other traffic.
In day-to-day use of MARS, when you choose to get more information about a specific host, the internal vulnerability assessment feature of MARS initiates a port scan of the host. You cannot accurately define an egress rule list that permits the vulnerability assessment to take place while also restricting outbound ports. If you already use a supported third-party vulnerability assessment tool, such as QualysGuard, you do not need to use the internal tool. Otherwise, using the tool can greatly improve the accuracy of information presented to you by MARS.
Network-Based IDS and IPS Issues
A network-based IPS offers an additional level of protection to complement that provided by a stateful inspection firewall. An IPS is closely related to an IDS. At first glance, the most obvious difference between the two is how they are deployed.
An IDS examines copies of network traffic, looking for malicious traffic patterns. It then identifies them and can sometimes be configured to take an automated response action, such as resetting TCP connections or configuring another network device to block traffic from an attacker.
As shown in Figure 4-2, an IDS is typically deployed beside a traffic flow. It receives copies of network traffic from the network switches, hubs, taps, or routers. Because it does not sit in the flow of traffic, it does not break anything that MARS requires.
Figure 4-2 Intrusion Detection System
An IDS often issues a large number of alerts based on traffic generated from MARS, especially if you're using the internal vulnerability assessment feature. You need to tune your IDS so that it does not alert on the vulnerability scans that originate from MARS. You might want to adjust the IDS tuning so that scans from MARS to your CORP_NET are ignored, but scans directed to the Internet trigger an alert. It is generally considered a bad practice to automatically scan hosts outside your own network; the practice might even be illegal. Make sure that MARS is not configured to scan anything that is not on your own network. Your firewall egress rules should not allow this either. However, in the case of a misconfiguration, your IDS can alert the appropriate personnel so that the configuration errors can be corrected.
An IPS sits in the path of network traffic (see Figure 4-3), usually as a transparent device (like a bridge), and watches for many of the same behaviors as an IDS. A major difference between the two, though, is the capability of the IPS to act instantly when malicious traffic is seen.
Figure 4-3 Intrusion Prevention System
Because traffic must pass through an IPS, the IPS can prevent MARS from functioning properly if it is misconfigured. Take time to closely watch alerts generated by your IPS and tune it appropriately. Like the IDS, you should tune the IPS to allow vulnerability scanning to occur from MARS to CORP_NET, while preventing it from scanning the Internet.
Some of the newest types of IPSs, such as the Cisco IPS, have a feature called traffic normalization. This feature, in particular, causes the MARS vulnerability assessment to fail. Traffic normalization enables several functions, including the following:
- Prevents illegal combinations of TCP flags from passing, or removes the illegal flags
- Prevents fragmented traffic from passing, or rebuilds it so that it is not fragmented
- Changes all packets in a traffic flow to have the same time to live (TTL)
This is just a small sampling of what a traffic normalizer does. In general, you can think of it as an engine that takes traffic that does not conform to standards, and either prevents the traffic from passing through the IPS or makes it conform to standards first.
By itself, traffic normalization breaks a large amount of attacks and reconnaissance activities. It also stops vulnerability assessment tools from being able to accurately determine information such as the operating system that a target host is running.
If you're protecting your security management network with an IPS that supports traffic normalization, you need to tune it to either ignore the scans from MARS and Qualys (or other vulnerability scanners) or disable the traffic normalization capabilities.