Securing Your Network
Updated : February 6, 2004
In This Module
The network is the entry point to your application. It provides the first gatekeepers that control access to the various servers in your environment. Servers are protected by their own operating system gatekeepers, but it is important not to allow them to be deluged with attacks from the network layer.
This module breaks down network security by devices, which allows you to focus on single points of configuration. In keeping with the philosophy of this guide, this module uses the approach of analyzing potential threats. Without threat analysis, it is impossible to apply security properly. The module mainly focuses on the software that drives the network hardware that is responsible for delivering ASP.NET applications.
At the end of the module a "Snapshot of a Secure Network" is provided to give you a benchmark for evaluating your solution.
Objectives
Use this module to:
Improve the security of your network components (router, firewall and switch).
Harden your router configuration and make it more resilient to attacks.
Know which firewall filters and policies to apply.
Understand the advantages and disadvantages of creating a perimeter network.
List the characteristics of a secure network using the snapshot provided.
Know which countermeasures to apply to address common network threats, including information gathering, sniffing, spoofing, session hijacking, and denial of service.
Applies To
This module applies to the following products and technologies:
Routers
Firewalls
Switches
How to Use This Module
This module provides a methodology and steps for securing a network. The methodology can be adapted for your own scenario. The steps put the methodology into practice.
To get the most out of this module:
Read Module 2, "Threats and Countermeasures." This will give you a better understanding of potential threats to Web applications.
Use the snapshot. Table 15.3, which is at the end of this module, provides a snapshot of a secure network. Use this table as a reference when configuring your network.
Use the checklist. Use "Checklist: Securing Your Network" in the "Checklists" section of this guide to quickly evaluate and scope the required steps. The checklist will also help you complete the individual steps.
Use vendor details to implement the guidance. The guidance in this module is not specific to any network hardware or software vendor. Consult your vendor's documentation for specific instructions on how to implement the countermeasures given in this module.
Overview
The network is the entry point to your application. It provides the first gatekeepers that control access to the various servers in your environment. Servers are protected with their own operating system gatekeepers, but it is important not to allow them to be deluged with attacks from the network layer. It is equally important to ensure that network gatekeepers cannot be replaced or reconfigured by imposters. In a nutshell, network security involves protecting network devices and the data that they forward.
The basic components of a network, which act as the front-line gatekeepers, are the router, the firewall, and the switch. Figure 15.1 shows these core components.
Figure 15.1 Network components: router, firewall, and switch
Threats and Countermeasures
An attacker looks for poorly configured network devices to exploit. Common vulnerabilities include weak default installation settings, wide-open access controls, and unpatched devices. The following are high-level network threats:
Information gathering
Sniffing
Spoofing
Session hijacking
Denial of service
With knowledge of the threats that can affect the network, you can apply effective countermeasures.
Information Gathering
Information gathering can reveal detailed information about network topology, system configuration, and network devices. An attacker uses this information to mount pointed attacks at the discovered vulnerabilities.
Vulnerabilities
Common vulnerabilities that make your network susceptible to an attack include:
The inherently insecure nature of the TCP/IP protocol suite
Configuration information provided by banners
Exposed services that should be blocked
Attacks
Common information-gathering attacks include:
Using Tracert to detect network topology
Using Telnet to connect to open ports and grab service banners
Using port scans to detect open ports
Using broadcast requests to enumerate hosts on a subnet
Countermeasures
You can employ the following countermeasures:
Use generic service banners that do not give away configuration information such as software versions or product names.
Use firewalls to mask services that should not be publicly exposed.
Do not let perimeter routers answer traceroute probes or forward directed broadcasts (see "Router Considerations" later in this module).
Sniffing
Sniffing, also called eavesdropping, is the act of monitoring network traffic for data, such as clear-text passwords or configuration information. With a simple packet sniffer, all plaintext traffic can be read easily. Also, weak hashing algorithms can be cracked offline from a captured exchange, so a payload that was thought to be protected can be recovered.
Vulnerabilities
Common vulnerabilities that make your network susceptible to data sniffing include:
Weak physical security
Lack of encryption when sending sensitive data
Services that communicate in plain text or that use weak encryption or hashing
Attacks
The attacker places packet sniffing tools on the network to capture all traffic.
Countermeasures
Countermeasures include the following:
Strong physical security that prevents rogue devices from being placed on the network
Encrypted credentials and application traffic over the network
Spoofing
Spoofing, also called identity obfuscation, is a means to hide one's true identity on the network. A fake source address is used that does not represent the actual packet originator's address. Spoofing can be used to hide the original source of an attack or to work around network access control lists (ACLs) that are in place to limit host access based on source address rules.
Vulnerabilities
Common vulnerabilities that make your network susceptible to spoofing include:
The inherently insecure nature of the TCP/IP protocol suite
Lack of ingress and egress filtering. Ingress filtering is the filtering of any IP packets with untrusted source addresses before they have a chance to enter and affect your system or network. Egress filtering is the process of filtering outbound traffic from your network.
Attacks
An attacker can use several tools to modify outgoing packets so that they appear to originate from an alternate network or host.
Countermeasures
You can use ingress and egress filtering on perimeter routers.
Session Hijacking
With session hijacking, which is closely related to man-in-the-middle attacks, the attacker uses an application that masquerades as either the client or the server. This results in either the server or the client being tricked into thinking that the upstream host is the legitimate host. However, the upstream host is actually an attacker's host that is manipulating the network so that it appears to be the desired destination. Session hijacking can be used to obtain logon information that can then be used to gain access to a system or to confidential information.
Vulnerabilities
Common vulnerabilities that make your network susceptible to session hijacking include:
Weak physical security
The inherent insecurity of the TCP/IP protocol suite
Unencrypted communication
Attacks
An attacker can use several tools to combine spoofing, routing changes, and packet manipulation.
Countermeasures
Countermeasures include the following:
Session encryption
Stateful inspection at the firewall
Denial of Service
A denial of service attack is the act of denying legitimate users access to a server or services. Network-layer denial of service attacks usually try to deny service by flooding the network with traffic, which consumes the available bandwidth and resources.
Vulnerabilities
Vulnerabilities that increase the opportunities for denial of service include:
The inherent insecurity of the TCP/IP protocol suite
Weak router and switch configuration
Unencrypted communication
Service software bugs
Attacks
Common denial of service attacks include:
Brute force packet floods, such as cascading broadcast attacks
SYN flood attacks
Service exploits, such as buffer overflows
Countermeasures
Countermeasures include:
Filtering broadcast requests
Filtering Internet Control Message Protocol (ICMP) requests
Patching and updating of service software
Methodology
Security begins with an understanding of how the system or network that needs to be secured works. This module breaks down network security by devices, which allows you to focus on single points of configuration. In keeping with this guide's philosophy, this module uses the approach of analyzing potential threats; without that analysis, it is impossible to apply security properly.
The network infrastructure can be broken into the following three layers: access, distribution, and core. These layers contain all of the hardware necessary to control access to and from internal and external resources. The recommendations apply to an Internet- or intranet-facing Web zone and therefore might not apply to your internal or corporate network.
The following are the core network components:
Router
Firewall
Switch
Router
The router is the outermost security gate. It is responsible for forwarding IP packets to the networks to which it is connected. These packets can be inbound requests from Internet clients to your Web server, request responses, or outgoing requests from internal clients. The router should be used to block unauthorized or undesired traffic between networks. The router itself must also be secured against reconfiguration by using secure administration interfaces and ensuring that it has the latest software patches and updates applied.
Firewall
The role of the firewall is to block all unnecessary ports and to allow traffic only from known ports. The firewall must be capable of monitoring incoming requests to prevent known attacks from reaching the Web server. Coupled with intrusion detection, the firewall is a useful tool for preventing attacks and detecting intrusion attempts, or in worst-case scenarios, the source of an attack.
Like the router, the firewall runs on an operating system that must be patched regularly. Its administration interfaces must be secured and unused services must be disabled or removed.
Switch
The switch has a smaller role in a secure network environment. Switches are designed to improve network performance and to ease administration; the management protocols that make them easy to administer (SNMP, for example) also mean that a switch can be reconfigured by sending it specially formatted packets, so those interfaces must be locked down. For more information, see "Switch Considerations" later in this module.
Router Considerations
The router is the very first line of defense. It provides packet routing, and it can also be configured to block or filter the forwarding of packet types that are known to be vulnerable or used maliciously, such as ICMP or Simple Network Management Protocol (SNMP).
If you don't have control of the router, there is little you can do to protect your network beyond asking your ISP what defense mechanisms they have in place on their routers.
The configuration categories for the router are:
Patches and updates
Protocols
Administrative access
Services
Auditing and logging
Intrusion detection
Patches and Updates
Subscribe to alert services provided by the manufacturer of your networking hardware so that you can stay current with both security issues and service patches. As vulnerabilities are found - and they inevitably will be found - good vendors make patches available quickly and announce these updates through e-mail or on their Web sites. Always test the updates before implementing them in a production environment.
Protocols
Denial of service attacks often take advantage of protocol-level vulnerabilities, for example, by flooding the network. To counter this type of attack, you should:
Use ingress and egress filtering.
Screen ICMP traffic from the internal network.
Use Ingress and Egress Filtering
Spoofed packets are a hallmark of probes, attacks, and a knowledgeable attacker. Incoming packets with a source address from your internal range can indicate an intrusion attempt or probe and should be denied entry to the perimeter network. Likewise, set up your router to forward outgoing packets only if they have a valid internal source address. Verifying outgoing packets does not protect you from a denial of service attack, but it does keep such attacks from originating from your network.
This type of filtering also makes the originator easy to trace to its true source, since the attacker has to use a valid and legitimately reachable source address. For more information, see "Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing" at https://www.rfc-editor.org/rfc/rfc2267.txt (since superseded by RFC 2827, BCP 38, which carries the same recommendation).
Screen ICMP Traffic from the Internal Network
ICMP is a control protocol carried inside IP datagrams; it lets one host verify the availability of another and carries error reports from routers back to the sender. Commonly used ICMP messages are shown in Table 15.1.
Table 15.1 Commonly Used ICMP Messages

| Message | Description |
|---|---|
| Echo request | Determines whether an IP node (a host or a router) is available on the network |
| Echo reply | Replies to an ICMP echo request |
| Destination unreachable | Informs the host that a datagram cannot be delivered |
| Source quench | Informs the host to lower the rate at which it sends datagrams because of congestion (deprecated by RFC 6633; current hosts ignore it, and routers should not send it) |
| Redirect | Informs the host of a preferred route |
| Time exceeded | Indicates that the time to live (TTL) of an IP datagram has expired |

Blocking ICMP traffic at the outer perimeter router protects you from attacks such as cascading ping floods. Other ICMP weaknesses justify restricting the protocol: redirects can be used to tamper with a host's routing, and echo requests are the basis of network discovery and mapping. While ICMP is useful for troubleshooting, control its use. If you must permit it, permit only the specific message types you need (for example, echo replies to your own monitoring probes) rather than the whole protocol. One caveat: do not block Destination Unreachable "fragmentation needed" messages, which Path MTU discovery depends on; dropping all of ICMP indiscriminately breaks TCP connectivity for clients behind smaller-MTU links.
Prevent TTL Expired Messages with Values of 1 or 0
Traceroute sends probes with increasing TTL values, starting at 1. Each router that decrements a probe's TTL to 0 discards it and returns an ICMP Time Exceeded message, and the source address of that message reveals the router, one hop at a time. Traceroute is therefore a means of collecting network topology information. Silently discard inbound packets that arrive with a TTL of 1 or 0 at the perimeter router, and do not let it originate Time Exceeded messages toward the Internet; this prevents an attacker from learning the details of your network from trace routes.
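The ICMP and TTL policy described in the last three subsections, as an added example that is not part of the original module. It models the perimeter router's decision for a single ICMP message: deny by default, permit only the few types an Internet-facing Web zone needs, keep the "fragmentation needed" unreachable so Path MTU discovery keeps working, and drop inbound packets that would expire at this hop without answering them. The type and code numbers are the standard RFC 792 values; MAX_ECHO_BYTES and the IcmpPacket record are assumptions made for the example.

```python
"""ICMP screening for the outer perimeter router (added example)."""
from dataclasses import dataclass

# ICMP message types from Table 15.1 (RFC 792 numbers).
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH = 0, 3, 4
REDIRECT, ECHO_REQUEST, TIME_EXCEEDED = 5, 8, 11
FRAG_NEEDED = 4          # Destination Unreachable code used by Path MTU discovery
MAX_ECHO_BYTES = 1024    # assumed ceiling: "large ping packets are screened"


@dataclass
class IcmpPacket:
    direction: str        # "in" = arriving from the Internet, "out" = leaving the zone
    icmp_type: int
    code: int = 0
    ttl: int = 64
    length: int = 64      # total IP length in bytes


def icmp_verdict(pkt: IcmpPacket) -> str:
    """Return 'permit' or 'deny' for one ICMP message at the perimeter."""
    if pkt.direction == "in":
        if pkt.ttl <= 1:
            # The packet would expire at this hop. Drop it instead of
            # answering with Time Exceeded, so a traceroute learns nothing.
            return "deny"
        if pkt.icmp_type == ECHO_REPLY:
            # Answers to pings our own monitoring sent; still size-limited.
            return "permit" if pkt.length <= MAX_ECHO_BYTES else "deny"
        if pkt.icmp_type == DEST_UNREACH and pkt.code == FRAG_NEEDED:
            return "permit"                  # keeps Path MTU discovery working
        if pkt.icmp_type == TIME_EXCEEDED:
            return "permit"                  # lets the zone's own traceroutes work
        # Echo Request (mapping, ping floods), Redirect (route tampering),
        # Source Quench (deprecated) and everything else are denied.
        return "deny"
    if pkt.direction == "out":
        if pkt.icmp_type == ECHO_REQUEST:
            return "permit" if pkt.length <= MAX_ECHO_BYTES else "deny"
        if pkt.icmp_type == DEST_UNREACH and pkt.code == FRAG_NEEDED:
            return "permit"
        # No Echo Reply outward (hosts stay invisible to pings) and no Time
        # Exceeded or Redirect outward (both leak topology).
        return "deny"
    raise ValueError(f"unknown direction {pkt.direction!r}")


def screen(packets):
    """Apply the policy to a batch and return permit/deny counts."""
    counts = {"permit": 0, "deny": 0}
    for pkt in packets:
        counts[icmp_verdict(pkt)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample messages, not captured traffic.
    sample = [IcmpPacket("in", ECHO_REQUEST), IcmpPacket("in", ECHO_REPLY),
              IcmpPacket("in", DEST_UNREACH, FRAG_NEEDED), IcmpPacket("in", REDIRECT),
              IcmpPacket("in", ECHO_REPLY, ttl=1), IcmpPacket("out", TIME_EXCEEDED)]
    for p in sample:
        print(p, icmp_verdict(p))
    print(screen(sample))
```

The point the table alone does not show is the exception list: a blanket "deny ICMP" rule is wrong in exactly one place (type 3, code 4), and the TTL check has to happen before the type check, because a Time Exceeded reply is generated regardless of what the expiring packet carries.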
Do Not Receive or Forward Directed Broadcast Traffic
A directed broadcast is a packet addressed to the broadcast address of a subnet other than the one it was sent from. Directed broadcasts can be used to enumerate hosts on a network and as the amplifier in a denial of service attack: an echo request sent to a subnet's broadcast address with a spoofed source makes every host on that subnet reply to the victim (the smurf attack), so one packet in becomes a cascading ping flood out. Disable the forwarding of directed broadcasts on every router interface. In addition, filter inbound packets that carry a source address that cannot legitimately appear on an Internet-facing interface; these addresses are shown in Table 15.2.
Table 15.2 Source Addresses That Should Be Filtered

| Source address | Description |
|---|---|
| 0.0.0.0/8 | Historical broadcast ("this network") |
| 10.0.0.0/8 | RFC 1918 private network |
| 127.0.0.0/8 | Loopback |
| 169.254.0.0/16 | Link-local networks |
| 172.16.0.0/12 | RFC 1918 private network |
| 192.0.2.0/24 | TEST-NET |
| 192.168.0.0/16 | RFC 1918 private network |
| 224.0.0.0/4 | Class D multicast |
| 240.0.0.0/5 | Class E reserved |
| 248.0.0.0/5 | Unallocated (together with 240.0.0.0/5, the whole reserved block 240.0.0.0/4) |
| 255.255.255.255/32 | Limited broadcast |

Add your own public prefix to this list on the Internet-facing interface: a packet arriving from outside with an inside source address is spoofed by definition. Reservations change over time, so review the list against the current IANA registry when you maintain the router.
For more information on broadcast suppression using Cisco routers, see "Configuring Broadcast Suppression" on the Cisco Web site at https://www.cisco.com/en/US/products/hw/switches/ps663/products_installation_and_configuration_guides_list.html.
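The ingress and egress filtering from the "Spoofing" countermeasures and the "Use Ingress and Egress Filtering" subsection, combined with the source-address list in Table 15.2, as an added example that is not part of the original module. It generates Cisco IOS extended access-list lines for the outer router and evaluates sample packets against the same policy in Python so the two can be compared. SITE_PREFIX (203.0.113.0/24, a documentation range) stands in for a real public allocation, and the ACL numbers are assumptions; the sample packets are constructed.

```python
"""Anti-spoofing ingress/egress filters built from Table 15.2 (added example)."""
import ipaddress

# Source prefixes that can never legitimately arrive from the Internet
# (Table 15.2). Extend this list as new reservations are published.
BOGON_SOURCES = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/5", "248.0.0.0/5", "255.255.255.255/32",
]
BOGON_NETS = [ipaddress.ip_network(b) for b in BOGON_SOURCES]

# Assumed: the Web zone's public prefix (203.0.113.0/24 is TEST-NET-3, a
# documentation range standing in for a real allocation).
SITE_PREFIX = ipaddress.ip_network("203.0.113.0/24")


def wildcard(net):
    """IOS ACLs take an inverted mask: 0 bits must match, 1 bits are ignored."""
    return str(net.hostmask)


def ingress_acl(number=101, site=SITE_PREFIX):
    """ACL applied inbound on the Internet-facing interface.

    Drops any packet whose source is a bogon or claims to be inside the
    site (a packet from outside can never carry an inside source address),
    then permits only traffic addressed to the site itself, so the router
    is not used for transit. Every deny is logged."""
    lines = []
    for net in BOGON_NETS + [site]:
        lines.append(f"access-list {number} deny ip "
                     f"{net.network_address} {wildcard(net)} any log")
    lines.append(f"access-list {number} permit ip any "
                 f"{site.network_address} {wildcard(site)}")
    lines.append(f"access-list {number} deny ip any any log")
    return lines


def egress_acl(number=102, site=SITE_PREFIX):
    """ACL applied to traffic leaving the site: only packets sourced from the
    site's own prefix go out, so a compromised host cannot launch a spoofed
    flood from here (RFC 2827 / BCP 38)."""
    return [
        f"access-list {number} permit ip {site.network_address} {wildcard(site)} any",
        f"access-list {number} deny ip any any log",
    ]


def inbound_verdict(src, dst, site=SITE_PREFIX):
    """The ingress_acl() policy, evaluated in Python for one packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(s in net for net in BOGON_NETS) or s in site:
        return "deny"
    return "permit" if d in site else "deny"


def outbound_verdict(src, site=SITE_PREFIX):
    """The egress_acl() policy, evaluated in Python for one packet."""
    return "permit" if ipaddress.ip_address(src) in site else "deny"


if __name__ == "__main__":
    print("\n".join(ingress_acl() + egress_acl()))
    # Constructed sample packets: an Internet client, a bogon source, and a
    # packet from outside that spoofs an inside address.
    for src, dst in [("198.51.100.7", "203.0.113.10"),
                     ("10.1.2.3", "203.0.113.10"),
                     ("203.0.113.99", "203.0.113.10")]:
        print(f"{src} -> {dst}: {inbound_verdict(src, dst)}")
```

Two details matter in practice. The ingress list must include the site's own prefix as a denied source, which Table 15.2 does not list because it is different for every site; and the order of the final two entries is deliberate, since the permit names the site as destination so that the router never forwards traffic between two outside networks.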
Administrative Access
From where will the router be accessed for administration purposes? Decide over which interfaces and ports an administration connection is allowed and from which network or host the administration is to be performed. Restrict access to those specific locations. Do not leave an Internet-facing administration interface available without encryption and countermeasures to prevent hijacking. In addition:
Disable unused interfaces.
Apply strong password policies.
Use static routing.
Audit Web facing administration interfaces.
Disable Unused Interfaces
Only required interfaces should be enabled on the router. An unused interface is not monitored or controlled, and it is probably not updated. This might expose you to unknown attacks on those interfaces.
Apply Strong Password Policies
Brute force password software can launch more than just dictionary attacks. It also applies the substitutions users commonly make, so a dictionary word with letters replaced by digits or symbols is still a dictionary word: "p4ssw0rd" falls about as quickly as "password". Use long passwords that combine uppercase and lowercase letters, numbers, and symbols and that do not reduce to a dictionary word once the substitutions are undone. Store router credentials in hashed form where the platform supports it (on Cisco IOS, `enable secret` rather than the reversibly encoded `enable password`), and do not reuse the same password across devices.
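The substitution attack the paragraph describes, as an added example that is not part of the original module. The check undoes the common digit-for-letter substitutions before looking for dictionary words, which is what a cracking tool does in reverse when it generates candidates. WORDLIST is a constructed four-word stand-in for the multi-million-entry lists real tools carry, and MIN_LENGTH and MIN_CLASSES are assumed policy values.

```python
"""Password policy check that undoes "leet" substitutions (added example)."""
import re

# Substitutions users make and crackers undo: 4->a, 0->o, $->s, and so on.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
WORDLIST = {"password", "cisco", "admin", "router"}   # constructed stand-in
MIN_LENGTH = 14        # assumed policy value
MIN_CLASSES = 3        # of: lowercase, uppercase, digit, symbol


def candidates(password):
    """Forms a cracker would test: as typed (lowercased) and with every
    common substitution undone."""
    lowered = password.lower()
    return {lowered, lowered.translate(LEET)}


def dictionary_hits(password, wordlist=WORDLIST):
    """Dictionary words found inside any candidate form of the password."""
    return sorted({w for c in candidates(password) for w in wordlist if w in c})


def weakness_reasons(password):
    """Return the policy violations for a password; an empty list means it passes."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < MIN_CLASSES:
        reasons.append(f"uses {classes} of {MIN_CLASSES} required character classes")
    hits = dictionary_hits(password)
    if hits:
        reasons.append("contains dictionary word(s) once substitutions are undone: "
                       + ", ".join(hits))
    return reasons


if __name__ == "__main__":
    for pw in ["p4ssw0rd", "Router-Admin-2004!", "vK9#pL2$wQ7&mZ4!"]:
        print(pw, weakness_reasons(pw) or "ok")
```

"Router-Admin-2004!" is the instructive case: it is long and uses all four character classes, yet it still fails, because both halves are dictionary words and the year adds nothing a cracker does not already try.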
Use Static Routing
Static routing prevents specially formed packets from changing routing tables on your router: with no dynamic routing protocol listening, a forged RIP or OSPF update has nothing to talk to. An attacker might try to change routes to cause denial of service or to forward requests to a rogue server. With static routes, an administrative interface must first be compromised to make routing changes. If you must run a dynamic routing protocol, enable its neighbor authentication and accept updates only on the interfaces that face real neighbors, never on the Internet-facing interface.
Audit Web Facing Administration Interfaces
Determine whether the router exposes an HTTP or HTTPS administration interface, whether it is reachable from the Internet, and whether the same tasks can be done from the internal network instead. When possible, shut down the external administration interface and use internal access methods restricted by ACLs to specific management hosts.
Services
On a deployed router, every open port is associated with a listening service. To reduce the attack surface area, default services that are not required should be shut down. Examples include bootps and Finger, which are rarely required. You should also scan your router to detect which ports are open.
Auditing and Logging
Configure the router to log denied traffic; on many platforms an access-list entry generates a log message only when you ask for it (on Cisco IOS, with the `log` keyword on the deny entry), so do not assume the default does this for you. Send logs to a secured central location rather than keeping them only on the device, where an attacker who compromises the router can erase them. Modern routers have an array of logging features that include the ability to set severities based on the data logged. Establish an auditing schedule to routinely inspect logs for signs of intrusion and probing.
Intrusion Detection
With restrictions in place at the router to prevent TCP/IP attacks, the router should be able to identify when an attack is taking place and notify a system administrator of the attack.
Attackers learn what your security priorities are and attempt to work around them. Intrusion Detection Systems (IDSs) can show where the perpetrator is attempting attacks.
Firewall Considerations
A firewall should exist anywhere you interact with an untrusted network, especially the Internet. It is also recommended that you separate your Web servers from downstream application and database servers with an internal firewall.
After the router, with its broad filters and gatekeepers, the firewall is the next point of attack. In many (if not most) cases, you do not have administrative access to the upstream router. Many of the filters and ACLs that apply to the router can also be implemented at the firewall. The configuration categories for the firewall include:
Patches and updates
Filters
Logging and auditing
Perimeter networks
Patches and Updates
Subscribe to alert services provided by the manufacturer of your firewall and operating system to stay current with both security issues and service patches.
Filters
Filtering published ports on a firewall can be an effective and efficient method of blocking malicious packets and payloads. Filters range from simple packet filters that restrict traffic at the network layer based on source and destination IP addresses and port numbers, to complex application filters that inspect application-specific payloads. A defense in depth approach that uses layered filters is a very effective way to block attacks. There are five common types of firewall filters:
Packet filters
These can filter packets based on protocol, source or destination port number and source or destination address, or computer name. IP packet filters are static, and communication through a specific port is either allowed or blocked. Blocked packets are usually logged, and a secure packet filter denies by default.
At the network layer, the payload is unknown and might be dangerous. More intelligent types of filtering must be configured to inspect the payload and make decisions based on access control rules.
Circuit-level filters
These inspect sessions rather than payload data. An inbound or outbound client makes a request directly against the firewall/gateway, which in turn opens a connection to the server and acts as a broker between the two connections. With knowledge of application connection rules, circuit-level filters ensure valid interactions. They do not inspect the actual payload, but they do track the TCP handshake and sequence numbers of each session, which is what lets them reject injected or replayed segments and so resist session hijacking.
Application filters
Smart application filters can analyze a data stream for an application and provide application-specific processing, including inspecting, screening or blocking, redirecting, and even modifying the data as it passes through the firewall. Application filters protect against attacks such as the following:
Unsafe SMTP commands
Attacks against internal DNS servers.
HTTP-based attacks (for example, Code Red and Nimda, which use application-specific knowledge)
For example, an application filter can block an HTTP DELETE, but allow an HTTP GET. The capabilities of content screening, including virus detection, lexical analysis, and site categorization, make application filters very effective in Web scenarios both as security measures and in enforcement of business rules.
Stateful inspection
Application filters know only the payload of a packet and therefore make filtering decisions based only on the payload. Stateful inspection keeps a table of the connections it has seen and judges each packet in the context of its connection as well as its contents: an inbound segment is accepted only if it belongs to a session that was opened legitimately, which protects session and communication integrity. Tracking state for every packet, its payload, and its sequence costs memory and CPU, which limits the scalability of stateful inspection.
Custom application filters
These filters are written for a particular application protocol that the generic filters do not understand, and they validate the exchange between the application server and its clients against that protocol.
When you use filters at multiple levels of the network stack, it helps make your environment more secure. For example, a packet filter can be used to block IP traffic destined for any port other than port 80, and an application filter might further restrict traffic based on the nature of the HTTP verb. For example, it might block HTTP DELETE verbs.
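The layered filtering just described, and the "stateful inspection at the firewall" countermeasure from the "Session Hijacking" section, as one added example that is not part of the original module. Three filters run in order on every inbound segment for the published Web server: a static packet filter (TCP/80 only), a stateful filter that admits non-SYN segments only for connections it saw open with a SYN, and an application filter that parses the HTTP request line and rejects verbs the site does not use. WEB_SERVER, ALLOWED_VERBS, and the Segment record are assumptions; the traffic in run_demo() is constructed.

```python
"""Layered firewall: packet filter, stateful filter, application filter (added example)."""
from dataclasses import dataclass, field

WEB_SERVER = "203.0.113.10"                 # assumed address of the published Web server
ALLOWED_VERBS = {b"GET", b"HEAD", b"POST"}  # assumed: verbs the site actually uses


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: set = field(default_factory=set)   # subset of {"SYN", "ACK", "FIN", "RST"}
    payload: bytes = b""


class LayeredFirewall:
    def __init__(self):
        # (src, sport, dst, dport) -> "SYN_SEEN" or "ESTABLISHED"
        self.sessions = {}

    def packet_filter(self, seg):
        """Layer 1: static rule; knows nothing about sessions or payload."""
        return seg.dst == WEB_SERVER and seg.dport == 80

    def stateful_filter(self, seg):
        """Layer 2: track the TCP handshake per 4-tuple. Only a bare SYN may
        open a session; ACK or data segments with no prior SYN (a spoofed or
        hijacked stream) are dropped."""
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        state = self.sessions.get(key)
        if seg.flags == {"SYN"}:
            if state is not None:
                return False                      # SYN on a live session: drop
            self.sessions[key] = "SYN_SEEN"
            return True
        if state is None:
            return False                          # no handshake seen for this tuple
        if "RST" in seg.flags or "FIN" in seg.flags:
            del self.sessions[key]                # teardown; later segments need a new SYN
            return True
        if state == "SYN_SEEN" and "ACK" in seg.flags:
            self.sessions[key] = "ESTABLISHED"    # third step of the handshake
        return True

    def application_filter(self, seg):
        """Layer 3: inspect the HTTP request line carried in the payload."""
        if not seg.payload:
            return True                           # pure control segment, nothing to inspect
        request_line = seg.payload.split(b"\r\n", 1)[0]
        parts = request_line.split(b" ")
        if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
            return False                          # malformed request line
        return parts[0] in ALLOWED_VERBS

    def admit(self, seg):
        """A segment passes only if every layer accepts it."""
        return (self.packet_filter(seg)
                and self.stateful_filter(seg)
                and self.application_filter(seg))


def run_demo():
    """Constructed traffic: a legitimate session, a blocked verb on that same
    session, a data segment with no handshake, and a port the packet filter
    never opens. Returns the admit() result for each, in order."""
    fw = LayeredFirewall()
    client = ("198.51.100.7", 40000)
    get = b"GET /index.aspx HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    delete = b"DELETE /index.aspx HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    return [
        fw.admit(Segment(*client, WEB_SERVER, 80, {"SYN"})),
        fw.admit(Segment(*client, WEB_SERVER, 80, {"ACK"})),
        fw.admit(Segment(*client, WEB_SERVER, 80, {"ACK"}, get)),
        fw.admit(Segment(*client, WEB_SERVER, 80, {"ACK"}, delete)),
        fw.admit(Segment("198.51.100.8", 40001, WEB_SERVER, 80, {"ACK"}, get)),
        fw.admit(Segment(*client, WEB_SERVER, 22, {"SYN"})),
    ]


if __name__ == "__main__":
    print(run_demo())
```

The fifth segment is the session-hijacking case: a well-formed GET for the right server and port, which the packet filter and the application filter would both pass, is still dropped because the stateful layer never saw that 4-tuple complete a handshake.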
Logging and Auditing
Logging all incoming and outgoing requests - regardless of firewall rules - allows you to detect intrusion attempts or, even worse, successful attacks that were previously undetected. Historically, network administrators sometimes had to analyze audit logs to determine how an attack succeeded. In those cases, administrators were able to apply solutions to the vulnerabilities, learn how they were compromised, and discover other vulnerabilities that existed.
Apply the following policies for logging and log auditing.
Log all traffic that passes through the firewall.
Maintain a log cycling policy that keeps files small enough to analyze quickly. The more traffic you log, the faster the files grow, so archive old logs to secured central storage rather than letting them accumulate on the device.
Make sure the firewall clock is synchronized with the other network hardware.
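The log auditing the policy above calls for, as an added example that is not part of the original module. It parses log lines in an assumed fixed format (ISO-8601 UTC timestamp, device, action, protocol, source and destination), skips corrupt lines instead of aborting, and flags sources whose denied connections touch many distinct destination ports within a short window, the signature of a port scan. The synchronized clock matters here: because every line carries a UTC timestamp, the same routine can be run over logs merged from several devices. SAMPLE_LOG is constructed, not captured traffic, and the window and port threshold are assumed values.

```python
"""Firewall log audit: port-scan detection over constructed log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format: "<UTC timestamp> <device> <PERMIT|DENY> <proto> src:port -> dst:port"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<device>\S+) "
    r"(?P<action>PERMIT|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample log: one client using the Web server normally, one host
# sweeping service ports, one host retrying SSH, and a corrupt line.
SAMPLE_LOG = """\
2004-02-06T10:15:01Z fw1 PERMIT TCP 198.51.100.8:51000 -> 203.0.113.10:80
2004-02-06T10:15:02Z fw1 DENY TCP 198.51.100.7:41001 -> 203.0.113.10:21
2004-02-06T10:15:02Z fw1 DENY TCP 198.51.100.7:41002 -> 203.0.113.10:22
2004-02-06T10:15:03Z fw1 DENY TCP 198.51.100.7:41003 -> 203.0.113.10:23
2004-02-06T10:15:03Z fw1 PERMIT TCP 198.51.100.8:51001 -> 203.0.113.10:80
2004-02-06T10:15:04Z fw1 DENY TCP 198.51.100.7:41004 -> 203.0.113.10:25
2004-02-06T10:15:05Z fw1 DENY TCP 198.51.100.7:41005 -> 203.0.113.10:110
2004-02-06T10:15:06Z fw1 DENY TCP 198.51.100.7:41006 -> 203.0.113.10:143
2004-02-06T10:15:09Z fw1 DENY TCP 198.51.100.9:33000 -> 203.0.113.10:22
2004-02-06T10:15:30Z fw1 DENY TCP 198.51.100.9:33001 -> 203.0.113.10:22
this line is corrupt and must be skipped
2004-02-06T10:15:45Z fw1 PERMIT TCP 198.51.100.8:51002 -> 203.0.113.10:80
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None so bad lines are skipped
    rather than crashing the audit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
    return e


def find_port_scans(log_text, window=timedelta(seconds=60), min_ports=5):
    """Map each scanning source to the sorted ports it probed. A source is a
    scanner if its DENY entries cover at least min_ports distinct destination
    ports within some window-long span of time."""
    denies = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["action"] == "DENY":
            denies[e["src"]].append((e["ts"], e["dport"]))
    scanners = {}
    for src, events in denies.items():
        events.sort()                      # time order, in case devices were merged
        probed, start = set(), 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                 # slide the window forward
            ports = {port for _, port in events[start:end + 1]}
            if len(ports) >= min_ports:
                probed |= ports
        if probed:
            scanners[src] = sorted(probed)
    return scanners


def summarize(log_text):
    """Counts of permitted, denied, and unparseable lines."""
    counts = {"permit": 0, "deny": 0, "skipped": 0}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            counts["skipped"] += 1
        else:
            counts[e["action"].lower()] += 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(find_port_scans(SAMPLE_LOG))
```

Note that 198.51.100.9 is not reported even though it was denied twice: two attempts at one port are a misconfigured client or a single probe, not a sweep. Raising min_ports or shrinking the window trades sensitivity for fewer false alarms, which is the tuning decision the audit schedule should revisit.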
Perimeter Networks
A firewall should exist anywhere your servers interact with an untrusted network. If your Web servers connect to a back-end network, such as a bank of database servers or corporate network, a screen should exist to isolate the two networks. While the Web zone has the greatest degree of exposure, a compromise in the Web zone should not result in the compromise of downstream networks.
By default, the perimeter network should block all outbound connections except those that are expected.
Advantages of a Perimeter Network
The perimeter network provides the following advantages:
Hosts are not directly exposed to untrusted networks.
Exposed or published services are the only point of external attack.
Security rules can be enforced for access between networks.
Disadvantages of a Perimeter Network
The disadvantages of a perimeter network include:
Network complexity
IP address allocation and management
Requirement that the application architecture accommodate the perimeter network design
Switch Considerations
A switch forwards each frame only to the port where the destination host lives, rather than repeating it to every port as a hub does. Therefore, traffic is not shared between switched segments, which is a preventive measure against casual packet sniffing. It is not a strong one: an attacker on the same segment can poison the ARP caches of neighboring hosts so that their traffic passes through the attacker's machine, or flood the switch's address table so that it falls back to repeating frames to every port. An attacker can also reconfigure switching rules through easily reached administrative interfaces, including known account names and passwords and SNMP packets. Where the switch supports them, port security (limiting the MAC addresses learned per port) and ARP inspection counter the first two; securing the management interfaces counters the third.
The following configuration categories are used to ensure secure switch configuration:
Patches and updates
Virtual Local Area Networks (VLANs)
Insecure defaults
Services
Encryption
Patches and Updates
Patches and updates must be tested and installed as soon as they are available.
VLANs
Virtual LANs allow you to separate network segments and apply access control between them based on security rules. Keep in mind that a VLAN is primarily a performance and administration feature and does not by itself provide security: hosts in different VLANs on the same switch still share its hardware and management plane, and a misconfigured trunk port can let an attacker inject frames into a VLAN other than their own. Do not rely on VLANs alone to separate the Web zone from untrusted networks; use a firewall for that boundary and limit VLANs to segmentation inside the perimeter network (behind the firewall), since many insecure interfaces exist for ease of administration. For more information about VLANs, see the article "Configuring VLANs" on the Cisco Web site.
Insecure Defaults
To make sure that insecure defaults are secured, change all factory default passwords and SNMP community strings to prevent network enumeration or total control of the switch. Also investigate and identify potentially undocumented accounts and change the default names and passwords. These types of accounts are often found on well-known switch types and are well publicized and known by attackers.
Services
Make sure that all unused services are disabled. Also make sure that Trivial File Transfer Protocol (TFTP) is disabled, Internet-facing administration points are removed, and ACLs are configured to limit administrative access.
Encryption
Although it is not traditionally implemented at the switch, data encryption over the wire ensures that sniffed packets are useless in cases where a monitor is placed on the same switched segment or where the switch is compromised, allowing sniffing across segments.
Additional Considerations
The following considerations can further improve network security:
Ensure that clocks are synchronized on all network devices. Set the network time and have all sources synchronized to a known, reliable time source.
Use Terminal Access Controller Access Control System (TACACS+, the current version of TACACS) or Remote Authentication Dial-In User Service (RADIUS) authentication for highly secure environments as a means of limiting administrative access to the network, so that each administrator has an individual account and every device login is recorded centrally.
Define an IP network that can be easily secured using ACLs at subnets or network boundaries whenever possible.
Snapshot of a Secure Network
Table 15.3 provides a snapshot of the characteristics of a secure network. The security settings are abstracted from industry security experts and real-world applications in secure deployments. You can use the snapshot as a reference point when evaluating your own solution.
Table 15.3 Snapshot of a Secure Network

| Component | Category | Characteristic |
|---|---|---|
| Router | Patches and updates | Router operating system is patched with up-to-date software. |
| Router | Protocols | Unused protocols and ports are blocked. Ingress and egress filtering is implemented. ICMP traffic is screened from the internal network. TTL expired messages with values of 1 or 0 are blocked (route tracing is disabled). Directed broadcast traffic is not forwarded. Large ping packets are screened. Routing Information Protocol (RIP) packets, if used, are blocked at the outermost router. |
| Router | Administrative access | Unused management interfaces on the router are disabled. A strong administration password policy is enforced. Static routing is used. Web-facing administration is disabled. |
| Router | Services | Unused services are disabled (for example bootps and Finger). |
| Router | Auditing and logging | Logging is enabled for all denied traffic. Logs are centrally stored and secured. Auditing against the logs for unusual patterns is in place. |
| Router | Intrusion detection | IDS is in place to identify and notify of an active attack. |
| Firewall | Patches and updates | Firewall software and OS are patched with the latest security updates. |
| Firewall | Filters | Packet filtering policy blocks all but required traffic in both directions. Application-specific filters are in place to restrict unnecessary traffic. |
| Firewall | Logging and auditing | All permitted traffic is logged. Denied traffic is logged. Logs are cycled with a frequency that allows quick data analysis. All devices on the network are synchronized to a common time source. |
| Firewall | Perimeter networks | Perimeter network is in place if multiple networks require access to servers. Firewall is placed between untrusted networks. |
| Switch | Patches and updates | Latest security patches are tested and installed, or the threat from known vulnerabilities is mitigated. |
| Switch | VLANs | VLANs are not overused or overly trusted. |
| Switch | Insecure defaults | All factory passwords are changed. Minimal administrative interfaces are available. Access controls are configured to secure SNMP community strings. |
| Switch | Services | Unused services are disabled. |
| Switch | Encryption | Switched traffic is encrypted. |
| Other | Log synchronization | All clocks on devices with logging capabilities are synchronized. |
| Other | Administrative access to the network | TACACS+ or RADIUS is used to authenticate administrative users. |
| Other | Network ACLs | The network is structured so ACLs can be placed on hosts and networks. |
Summary
Network security involves protecting network devices and the data that they forward to provide additional security for host servers. The primary network components that require secure configuration are the router, firewall, and switch.
This module has highlighted the top threats to your network infrastructure and has presented security recommendations and secure configurations that enable you to address these threats.
Additional Resources
For more information, see the following articles:
"Network Ingress Filtering" at https://www.rfc-editor.org/rfc/rfc2267.txt
"Improving Security on Cisco Routers" at https://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
"Configuring Broadcast Suppression" at https://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.1E/native/configuration/guide/bcastsup.html
"Cisco IOS Intrusion Detection System Software App Overview" at https://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a0080394e25.html
"Configuring VLANs" at https://www.cisco.com/en/US/products/hw/switches/ps663/products_installation_and_configuration_guides_list.html