Back to the Basics: Thinking critically about network security

By: Tony Rich

One of the hardest things to do as a security-minded professional is to sort through the sea of information, professional services, and security software and hardware in order to determine what is actually useful and what is chaff. Every sales engineer (read: social engineer) will tell you their product is a must-have. While several of these products prove to be useful, many network engineers are purchasing them, and then neglecting some basic network hardening techniques; renting a security guard, but keeping your door unlocked doesn't improve the situation - that is just the illusion of security.

First of all, a lot of these security products turn into management nightmares. If a particular IDS, honeynet, or proxy requires a dedicated administrator, then perhaps the juice isn't worth the squeeze. In an environment where budgets are shrinking, every administrator is looking for more bang for the buck. Also, many of these products add a certain degree of complication to the system, and it is much easier to miss a vulnerability in an unnecessarily complex network. "Computer systems can fail because of incorrect or incomplete system specifications, hardware failure, hardware design errors, software coding errors, software design errors, and human error such as incorrect equipment operation or maintenance. Particularly with complex, normally highly reliable systems, a failure may be caused by some unusual combination of problems from several of these categories." [1] Why add to the complexity of such a frail system unless absolutely necessary?

One thing that security pundits understand very well is that the entry points to any network are vulnerable. Redundant Internet connections with redundant firewalls, dial-up access, VPN access, Citrix presentation servers, and web-facing applications all provide a potential attacker with the opportunity they are looking for - access. By locking down publicly available services to only what is necessary, a network administrator can accomplish a number of things. First, security is directly improved: if VPN access is disabled, a vulnerability in Microsoft's ISA Server won't cripple the network. Also, network management and changes are easier. With a complicated network structure, it is difficult to definitively answer the question "If I make this change, what will be affected?" Finally, troubleshooting becomes much clearer. The fewer the number of moving parts, the less there is to consider when determining what is broken.

In general, security professionals understand perimeter security, but tend to wear blinders when it comes to an inside threat. According to one article, 52 percent of chief information security officers "acknowledged having a 'Moat & Castle' approach to their overall network security." [2] This means that an attacker only has to focus their resources on getting through the perimeter; once inside there is no more resistance. Just imagine if that attacker didn't have to subvert the perimeter security. What if they were an employee? According to law enforcement agencies, 30 to 40 percent of corporate intrusions are from disgruntled employees. [3]

There are many common practices that security administrators can adhere to in order to protect their networks. Start by enabling RADIUS authentication for routers and switches - and review the access logs! Follow this up by removing or limiting as many system accounts on servers as possible. If there is a system account on a particular server that everyone knows the password for, then that is a good opportunity for any employee to do what they like as an anonymous user.

Another important step that is very useful, but often not followed, is applying security patches and other updates. This includes OS patches, software updates, and firmware revisions to all devices - computers, switches, routers, firewalls, etc. There are a couple of reasons that people tend to avoid following this simple security measure. Most probably, they are afraid of disrupting the status quo. By applying the new update there is the risk that some critical infrastructure equipment won't function properly when it comes back up. It is easier to run on an older version that is proven stable than to upgrade and take the chance of breaking something. Also, some administrators fail to update software and firmware due to a lack of time. We are expected to do more and more, leaving very little time to perform these tasks. Keeping versions up to date is probably the second most important security task administrators can perform, next to log monitoring. It is necessary to make time for this basic, but critical task.

Reviewing logs is the single most important day-to-day activity network administrators can perform to ensure the proper functioning and use of their networks. Leverage tools like SNMP Network Management Systems and Syslog collectors in order to consolidate log information; follow this up by writing scripts to digest that information and produce a report with appropriate verbosity. This will consolidate information on all systems at one central location and thus speed up the review process. By making this task easier and quicker, log information is more likely to be reviewed and checked for inconsistencies or anomalies. It is understandable why most people don't review log information. According to Preventsys and Qualys, "46 percent of security officers spend more than a third of their day, and in some cases as much as 7 hours, analyzing reports generated from their various security point solutions." [2] The key is keeping the information streamlined and automating as much of the process as possible.
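The kind of digest script described above, as an added example that is not from the original article: it reads consolidated syslog output from switches and routers, totals accepted and failed logins per device, and flags any source address that keeps failing against one device (especially when it later succeeds). The log lines, host names, and addresses are constructed for the example, and the sshd-style message format is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of consolidated syslog output (not real log data).
SAMPLE_SYSLOG = """\
Mar  3 02:11:04 sw-core1 sshd[812]: Failed password for admin from 10.9.8.7 port 50212 ssh2
Mar  3 02:11:06 sw-core1 sshd[812]: Failed password for admin from 10.9.8.7 port 50213 ssh2
Mar  3 02:11:09 sw-core1 sshd[812]: Failed password for root from 10.9.8.7 port 50214 ssh2
Mar  3 02:11:15 sw-core1 sshd[815]: Accepted password for admin from 10.9.8.7 port 50220 ssh2
Mar  3 08:30:41 rtr-edge1 sshd[1201]: Accepted publickey for netops from 10.0.0.5 port 41022 ssh2
Mar  3 08:31:02 rtr-edge1 sshd[1201]: Failed password for netops from 10.0.0.5 port 41030 ssh2
"""
# BSD-style syslog header followed by an sshd-style authentication message (assumed format).
LINE_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) \S+: "
    r"(?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<src>\S+)"
)

def parse_auth_events(text):
    """Return (host, result, user, src) for each recognisable auth line; other lines are skipped."""
    matches = (LINE_RE.match(line) for line in text.splitlines())
    return [(m["host"], m["result"], m["user"], m["src"]) for m in matches if m]

def digest(text, fail_threshold=3):
    """Count accepted/failed logins per device and flag sources that reach the failure threshold."""
    per_host = defaultdict(Counter)      # host -> {"Failed": n, "Accepted": n}
    failures = Counter()                 # (host, src) -> failed attempts
    succeeded = set()                    # (host, src) pairs with at least one success
    for host, result, _user, src in parse_auth_events(text):
        per_host[host][result] += 1
        if result == "Failed":
            failures[(host, src)] += 1
        else:
            succeeded.add((host, src))
    flagged = [{"host": h, "src": s, "failures": n, "also_succeeded": (h, s) in succeeded}
               for (h, s), n in failures.items() if n >= fail_threshold]
    return {"per_host": {h: dict(c) for h, c in per_host.items()}, "flagged": flagged}

def report(summary, verbose=False):
    """Render the digest as report lines; verbose adds the per-device totals."""
    lines = []
    if verbose:
        for host, c in sorted(summary["per_host"].items()):
            lines.append(f"{host}: accepted={c.get('Accepted', 0)} failed={c.get('Failed', 0)}")
    for f in summary["flagged"]:
        # Repeated failures that end in a success from the same source deserve a closer look.
        tag = "REVIEW" if f["also_succeeded"] else "WATCH"
        lines.append(f"[{tag}] {f['src']} -> {f['host']}: {f['failures']} failed logins")
    return lines
```

Run `print("\n".join(report(digest(SAMPLE_SYSLOG), verbose=True)))` to see the terse and verbose forms; swap the sample for a file read from the collector to use it on real output.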

It is easy for anyone to overlook some security vulnerabilities. That is why it is important to bring in an objective third party who can evaluate system security by performing a "pen test". Penetration testing is "a method of evaluating the security of a computer system or network by simulating an attack by a malicious cracker. The process involves an active analysis of the system for any weakness, technical flaws or vulnerabilities. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution." [4]

In reality, there are two aspects of penetration testing: technical and social. The technical attack involves subverting systems or networks by exploiting a flaw or vulnerability in the "nuts & bolts" of the system. Conversely, a social attack is focused on obtaining "unauthorized access [to] computing resources or network[s] by exploiting human weaknesses." [4] Most companies perform only a technical analysis for a few reasons. First of all, they may not understand the threat that is posed by social attack vectors. Also, a social attack is hard to quantify. It is difficult to actually determine the precise threat level, while technical analysis produces easily quantifiable metrics and concrete vulnerabilities. Despite the elusive nature of social attack analysis, it is an integral part of the vulnerability scanning process. Most people are predisposed to being helpful, and will tend to assist anyone who asks. Only through diligent user training and orientation will a security professional ensure even a modicum of defense.

This brings up a good point; every employee should be able to comprehend the physical security measures in place, the importance of keeping company information confidential, and how to respond to attempted security breaches. The only way to ensure that each employee knows how to follow the guidelines put in place is through continual training and education. An occasional memo or yearly session isn't going to be enough to keep security a top priority in their minds.

Security professionals who proclaim that their network is as secure as it can get are living in a fantasy world where wishful thinking has surpassed reason and the fallacy of a completely hardened network hangs over their heads like the Sword of Damocles. They put IDS/IPS and other solutions in place and have a false sense that, even if things go wrong, one of these systems will prevent the attack or at least alert an administrator. Technology is a great tool for an administrator to use, but is by no means a replacement for human intelligence.

Everything outlined above is within the purview of the security team at any company. The important part is not backing down when security measures are met with resistance. Taking a security stance is often an unpopular choice; users want more access and less complication. Managers want cheaper solutions to security concerns. Administrators are feeling beat up over their security posture. Despite all of this, it is important to be vigilant. At times, we are salmon swimming against the current of corporate culture. However, the responsibility to ensure that strong security measures are put in place and enforced is bestowed on the security team. Just remember, the human element of security is the most important. Administrators must think critically about how best to spend their budget and utilize their available work force. It is paramount that each administrator determine which utilities are worth implementing and which are not in their environment. Network administrators must educate all employees and show them how to spot and respond to security concerns. Only through continued effort and dedication will the networks remain secure.

Works Cited

  1. www-ee.stanford.edu/~hellman/Breakthrough/book/chapters/borning.html
  2. www.esafe.com/home/csrt/statistics/statistics_2005.asp
  3. www.teledesignsecurity.com/penetration.asp
  4. www.darknet.org.uk/2006/03/should-social-engineering-a-part-of-penetration-testing/

Tony Rich graduated in May of 2005 from the University of Missouri - Rolla with a BS in Computer Science. He is a Network Engineer and security professional, working in St. Louis, Missouri. In addition to writing technical articles, he contributes articles on chess to various sources and has functioned as the editor of the Missouri Chess Bulletin. You can find out more about him and find other articles at www.tonyrich.org.