Sally Frederick Tudor, CNS
August 2, 2010
I. Network Security Axioms: “Everything is a Target!”
a. An attacker could find an application or OS vulnerability on your system, exploit it to gain root privileges, and then simply take the server offline or modify its content.
b. They could send your web server a directed denial of service (DoS) attack, such as a TCP SYN flood, designed to exhaust resources on the server and leave it unresponsive.
c. The attacker could aim a distributed denial of service (DDoS) attack at your Internet connection, designed to consume all available bandwidth and thus prevent legitimate users from reaching the server.
d. An attacker could send a router or firewall crafted packets designed to make these devices spend their time processing useless data at the expense of legitimate traffic.
e. They could compromise your Domain Name System (DNS) server, or the DNS server of your Internet service provider (ISP), and change the name record to point to another server hosting bogus content.
f. The attacker could compromise another server on the same subnet as your web server and launch an Address Resolution Protocol (ARP) spoofing attack that either denies service to all web requests or acts as a man-in-the-middle (MITM), modifying content before it reaches its intended host.
g. Or the Ethernet switch that provides network connectivity to the server could be compromised and the server's port disabled.
h. The attacker could inject or modify routing information at your ISP so that traffic for your IP subnet is directed to another location.
The list of options an attacker has goes on ad infinitum!
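Item f above is the one an administrator can actually watch for from the server's own subnet. The following is an added example, not part of the original page: a small detector that keeps its own IP-to-MAC table, pins the gateway's address, and raises an alert when an ARP reply contradicts the pin or silently changes an existing mapping. It also reports any MAC that ends up claiming several IPs, which is what an attacker poisoning both the victim and the gateway looks like. The addresses, MACs and reply sequence are constructed for the example.

```python
"""ARP-spoof detection over a constructed sample of ARP replies (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample traffic, as a listener on the web server's subnet would
# record it: (timestamp, sender IP, sender MAC). 192.0.2.1 is the gateway,
# 192.0.2.10 the web server, 192.0.2.20 a compromised host (MAC ending :14).
SAMPLE_ARP_REPLIES = [
    (0.0, "192.0.2.1", "00:11:22:33:44:01"),   # gateway answers normally
    (1.0, "192.0.2.10", "00:11:22:33:44:0a"),  # web server answers normally
    (2.0, "192.0.2.20", "00:11:22:33:44:14"),  # the attacker's own host
    (3.0, "192.0.2.1", "00:11:22:33:44:14"),   # attacker claims the gateway IP
    (3.5, "192.0.2.10", "00:11:22:33:44:14"),  # attacker claims the server IP
    (4.0, "192.0.2.1", "00:11:22:33:44:01"),   # real gateway answers again
]

# Assumed static pins for hosts whose MAC must never change.
PINNED = {"192.0.2.1": "00:11:22:33:44:01"}


@dataclass
class Alert:
    time: float
    ip: str
    expected_mac: str
    seen_mac: str
    reason: str


def detect_arp_spoofing(replies, pinned=None):
    """Return (alerts, multi_claims) for a sequence of ARP replies.

    alerts       - Alert objects, in the order the offending replies arrived
    multi_claims - {mac: {ip, ...}} for every MAC that claimed more than one IP
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    table = dict(pinned)          # learned IP -> MAC, seeded with the pins
    claims = defaultdict(set)     # MAC -> every IP it has ever claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        claims[mac].add(ip)
        if ip in pinned:
            if mac != pinned[ip]:
                alerts.append(Alert(ts, ip, pinned[ip], mac,
                                    "reply contradicts pinned entry"))
            continue              # pinned entries are never relearned
        known = table.get(ip)
        if known is not None and known != mac:
            alerts.append(Alert(ts, ip, known, mac,
                                "IP-to-MAC mapping changed"))
        table[ip] = mac
    multi_claims = {mac: ips for mac, ips in claims.items() if len(ips) > 1}
    return alerts, multi_claims


if __name__ == "__main__":
    found, multi = detect_arp_spoofing(SAMPLE_ARP_REPLIES, PINNED)
    for a in found:
        print(f"t={a.time:4.1f} {a.ip}: {a.reason} "
              f"(expected {a.expected_mac}, saw {a.seen_mac})")
    for mac, ips in multi.items():
        print(f"{mac} claimed {len(ips)} addresses: {sorted(ips)}")
```

Pinning is what makes the gateway case reliable: without the pin, the real gateway's reply at t=4.0 would look like a second "change" and the cache would flap. In production the same logic sits behind a packet capture of ARP replies, or you let the switch do it with DHCP snooping and dynamic ARP inspection, which the example deliberately does not assume.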
Most important of all is user education! Research has reported that as many as 80% of the security breaches surveyed involved social engineering. Social engineering is where the attacker persuades or manipulates a user or employee into giving up information (passwords, account details, internal names) that is then used to attack the network.
Also, besides running anti-virus software, it is equally important to run anti-spyware, anti-adware, a host firewall, a network firewall, a NIDS, file-system encryption, network encryption, NAT, and routers with ACLs.
The most important step in getting help from your ISP to stop a DDoS attack is to have a plan for this eventuality in place beforehand. It should include answers to the questions:
a. How fast can DNS propagate a new IP address for the name under attack? (Resolvers keep the old answer until its TTL expires, so the record's TTL bounds this.)
b. Do you currently have redundant systems to which you can simply cut over, instead of losing legitimate flows?
c. What happens if the IP address under attack belongs to your primary router port or another critical infrastructure device? Do you have contingency plans to deal with that?
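Question a has a concrete answer that can be worked out from the zone before the attack. The following is an added example, not part of the original page: it takes a constructed zone, follows any CNAME chain, reports the worst-case delay (the largest TTL anywhere on the chain, since a resolver may have cached any link of it), checks each name against the time the plan allows for a cutover, and says how far in advance the TTLs must be lowered. The zone records and the 600-second budget are assumptions for the example.

```python
"""Worst-case DNS cutover delay from record TTLs (added example)."""

# Constructed zone records: (owner name, type, TTL in seconds, RDATA).
SAMPLE_ZONE = [
    ("www.example.com.",  "CNAME", 3600,  "web.example.com."),
    ("web.example.com.",  "A",     300,   "203.0.113.10"),
    ("api.example.com.",  "A",     60,    "203.0.113.11"),
    ("mail.example.com.", "A",     86400, "203.0.113.12"),
]


def effective_ttl(zone, name, max_hops=8):
    """Return (worst-case TTL, names on the chain) for ``name``.

    Follows CNAMEs until a non-CNAME record is reached. The delay is the
    largest TTL on the chain: a cached CNAME keeps pointing at the old
    target name even after the target's A record has expired.
    """
    chain, worst = [], 0
    for _ in range(max_hops):
        records = [r for r in zone if r[0] == name]
        if not records:
            raise LookupError(f"no record for {name}")
        chain.append(name)
        worst = max(worst, max(r[2] for r in records))
        cname = next((r for r in records if r[1] == "CNAME"), None)
        if cname is None:
            return worst, chain
        name = cname[3]
    raise LookupError("CNAME chain too long or looping")


def cutover_report(zone, names, allowed_seconds):
    """For each name: (name, worst-case TTL, fits within the allowed time)."""
    report = []
    for n in names:
        ttl, _ = effective_ttl(zone, n)
        report.append((n, ttl, ttl <= allowed_seconds))
    return report


def lower_ttls(zone, name, new_ttl):
    """Return (new zone, lead time in seconds).

    Every record on the chain gets ``new_ttl``. The change is itself subject
    to the old TTL, so it must be published at least ``lead time`` seconds
    before the planned cutover to do any good.
    """
    old_ttl, chain = effective_ttl(zone, name)
    new_zone = [(owner, rtype, new_ttl if owner in chain else ttl, rdata)
                for (owner, rtype, ttl, rdata) in zone]
    return new_zone, old_ttl


if __name__ == "__main__":
    names = ["www.example.com.", "api.example.com.", "mail.example.com."]
    for n, ttl, ok in cutover_report(SAMPLE_ZONE, names, 600):
        print(f"{n:20} worst case {ttl:6d}s  {'ok' if ok else 'TOO SLOW'}")
    fixed, lead = lower_ttls(SAMPLE_ZONE, "www.example.com.", 60)
    print(f"lower www TTLs to 60s at least {lead}s before the move; "
          f"afterwards worst case is {effective_ttl(fixed, 'www.example.com.')[0]}s")
```

The usual mistake this catches is lowering the A record's TTL while leaving a long-lived CNAME in front of it; the report for www above shows the chain still needs an hour. It also shows why the plan must be made in advance: the TTL reduction itself takes one old TTL to take effect. Resolvers that ignore TTLs are outside what any zone change can fix.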
For hardware connectivity for an IPsec VPN with 20 branch offices, I would recommend the hub-and-spoke topology, which is the most common, scalable, deployable, and cost-effective option. You would need one VPN server (the hub) and 20 VPN clients (one per spoke), plus at each branch a router, a switch (or hub), a firewall, and an IDS: 20 of each. All traffic, including branch-to-branch traffic, is sent through the hub, and routing can be either dynamic or static.
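The part of that design that is easy to get wrong is the traffic selectors: each spoke has exactly one tunnel, to the hub, so the hub LAN *and* every other branch LAN must be routed into that tunnel, or branch-to-branch traffic is dropped at the spoke instead of being relayed through the hub where the firewall and IDS can see it. The following is an added example, not part of the original page: it lays out hub and spoke addressing for 20 branches, refuses overlapping subnets, and emits IKEv2 connection blocks in strongSwan swanctl.conf style. The addressing plan, certificate identities, cipher proposals and the exact swanctl key names are assumptions for the example; check them against your gateway's documentation before using them.

```python
"""Hub-and-spoke IPsec layout generator for 20 branches (added example)."""
import ipaddress

# Assumed hub addressing (documentation ranges).
HUB = {"name": "hub", "public_ip": "203.0.113.1", "lan": "10.0.0.0/24"}


def make_spokes(count):
    """Assumed plan: branch i has LAN 10.<i>.0.0/24 behind 198.51.100.<i>."""
    return [{"name": f"branch{i:02d}",
             "public_ip": f"198.51.100.{i}",
             "lan": f"10.{i}.0.0/24"} for i in range(1, count + 1)]


def check_no_overlap(hub, spokes):
    """Overlapping LANs make traffic selectors ambiguous; refuse them."""
    nets = [ipaddress.ip_network(s["lan"]) for s in [hub, *spokes]]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping subnets {a} and {b}")
    return True


def spoke_remote_ts(hub, spoke, spokes):
    """Subnets a spoke must send through its one tunnel: hub + other branches."""
    return [hub["lan"]] + [s["lan"] for s in spokes if s["name"] != spoke["name"]]


def conn_block(name, local_ip, remote_ip, local_id, remote_id,
               local_ts, remote_ts, start_action):
    """One IKEv2 connection, certificate-authenticated, swanctl.conf style."""
    return "\n".join([
        f"    {name} {{",
        "        version = 2",
        f"        local_addrs = {local_ip}",
        f"        remote_addrs = {remote_ip}",
        "        proposals = aes256-sha256-ecp256",
        "        local {",
        "            auth = pubkey",
        f"            id = {local_id}",
        f"            certs = {local_id}.pem",   # assumed certificate file name
        "        }",
        "        remote {",
        "            auth = pubkey",
        f"            id = {remote_id}",
        "        }",
        "        children {",
        f"            {name} {{",
        f"                local_ts = {', '.join(local_ts)}",
        f"                remote_ts = {', '.join(remote_ts)}",
        "                esp_proposals = aes256gcm16-ecp256",
        f"                start_action = {start_action}",
        "                dpd_action = restart",
        "            }",
        "        }",
        "    }",
    ])


def hub_config(hub, spokes):
    """Hub side: one connection per spoke. Each spoke is offered the hub LAN
    plus every other branch LAN, so branch-to-branch traffic is relayed here.
    The hub only installs trap policies; spokes (possibly behind NAT) initiate."""
    check_no_overlap(hub, spokes)
    blocks = [conn_block(s["name"], hub["public_ip"], s["public_ip"],
                         hub["name"], s["name"],
                         spoke_remote_ts(hub, s, spokes), [s["lan"]], "trap")
              for s in spokes]
    return "connections {\n" + "\n".join(blocks) + "\n}\n"


def spoke_config(hub, spoke, spokes):
    """Spoke side: exactly one tunnel, to the hub, which the spoke initiates."""
    check_no_overlap(hub, spokes)
    block = conn_block("to-hub", spoke["public_ip"], hub["public_ip"],
                       spoke["name"], hub["name"],
                       [spoke["lan"]], spoke_remote_ts(hub, spoke, spokes), "start")
    return "connections {\n" + block + "\n}\n"


if __name__ == "__main__":
    branches = make_spokes(20)
    print(hub_config(HUB, branches))
    print(spoke_config(HUB, branches[0], branches))
```

Adding a 21st branch means one new block on the hub and a regenerated remote_ts list on every existing spoke, which is the scaling cost of hub-and-spoke and the reason the selectors are generated rather than hand-edited.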
The Ten Steps to designing a Security System are:
1. Review completed security policy documents.
2. Analyze the current network against the security policy.
3. Select technologies and evaluate product capabilities.
4. Design an ideal rough draft of the security system.
5. Test key components in a lab.
6. Evaluate and revise design/policy.
7. Finalize the design.
8. Implement the security system in one critical area.
9. Roll out to other areas.
10. Design/Policy validation.
You really shouldn't rely on vendor-supplied data for security technology, because their information may be biased towards their products and they don't know all the other security measures that an information systems security person would. Don't be your vendor's beta test site unless you know you are and really want to be; if you do, make sure your design includes backup systems to mitigate the attacks this new capability is meant to stop.