There are a number of ways to minimize the impact of a security event. In this video, you’ll learn about IPS signature management, file integrity monitoring, managing access control lists, and much more.
There are a number of things you can do to prevent security issues on your network. In this video, we’ll examine some of these mitigation techniques. If you have an intrusion prevention system on your network, then you’re probably familiar with the management of those signatures. There are many different signatures, and each one will have a different disposition.
You get to decide what happens if any of these signatures happens to match the traffic going through your network. Do you block the traffic or allow the traffic? Do you also send an alert? Or does the message simply show up in your logs? There are thousands of different rules in an IPS, and you’ll need to determine what the outcome is for every single one of those rules. You can certainly go through every single rule and determine what the disposition should be for that particular rule. But it will take a lot of time to go through thousands and thousands of different IPS rules.
Instead, we generally group these rules together by function and then define the disposition for that larger group. And you’ll probably be making changes to these dispositions as you become more comfortable with the IPS. There may be a number of false positives, and you may get a lot of alert noise. So you may need to hone in on exactly which events require immediate notification and which notifications can simply arrive in an email or a larger report.
Here’s a list of rules in my IPS that are associated with malware. By default, you’ll notice that all of these rules are disabled. Many intrusion prevention systems will disable rules by default in order to maintain the performance of that particular system. On older, more traditional intrusion prevention systems, the more rules you enabled, the more resources the IPS required. Newer intrusion prevention systems, especially those integrated into a next-generation firewall, have optimized rule sets and take advantage of the hardware of those systems, so you can enable all of the rules on that IPS without worrying about performance or throughput issues.
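The workflow just described, grouping signatures by category, assigning one disposition per group and then overriding individual rules as false positives are tuned out, is easy to script. The following is an added example, not code from the video or from any IPS vendor: it parses a few constructed rules written in a simplified Snort/Suricata-like syntax (the `classtype` names, SIDs and the policy table are all assumptions), treats a leading `#` as "disabled by default", and reports the resulting disposition for each signature.

```python
"""Group IPS rules by category and apply a disposition per group.

Added example, not from the original video. The rule lines below are
constructed in a simplified Snort/Suricata-like syntax; the category
names, SIDs and policy table are assumptions for illustration.
"""
import re
from collections import Counter

# Constructed sample rules. A leading '#' means the rule ships disabled.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB probe"; classtype:attempted-recon; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Known C2 beacon"; classtype:trojan-activity; sid:1000002; rev:2;)
alert http any any -> $HOME_NET any (msg:"Web scanner UA"; classtype:web-application-attack; sid:1000003; rev:1;)
alert udp any any -> any 53 (msg:"Suspicious DNS TXT"; classtype:trojan-activity; sid:1000004; rev:1;)
# alert icmp any any -> $HOME_NET any (msg:"Ping sweep"; classtype:attempted-recon; sid:1000005; rev:1;)
"""

# One disposition per category; anything unlisted falls back to the default.
GROUP_POLICY = {
    "trojan-activity": "drop+alert",        # malware: block and notify
    "web-application-attack": "drop+alert",
    "attempted-recon": "log",               # noisy; record only
}
DEFAULT_DISPOSITION = "alert"

# Per-signature overrides win over the group policy (false-positive tuning).
RULE_OVERRIDES = {1000004: "alert"}        # DNS TXT rule too noisy to drop yet

RULE_RE = re.compile(
    r'^(?P<enabled>#\s*)?(?P<action>\w+)\s+(?P<proto>\w+)\s+.*?\('
    r'(?P<opts>.*)\)\s*$')
OPT_RE = re.compile(r'(\w+):([^;]+);')


def parse_rules(text):
    """Return a list of dicts with sid, classtype, msg and enabled flag."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        m = RULE_RE.match(line) if line else None
        if not m:
            continue
        opts = dict(OPT_RE.findall(m.group("opts")))
        rules.append({
            "sid": int(opts["sid"]),
            "classtype": opts.get("classtype", "unknown"),
            "msg": opts.get("msg", "").strip('"'),
            "enabled": m.group("enabled") is None,
        })
    return rules


def disposition_for(rule):
    """Precedence: disabled > per-rule override > group policy > default."""
    if not rule["enabled"]:
        return "disabled"
    if rule["sid"] in RULE_OVERRIDES:
        return RULE_OVERRIDES[rule["sid"]]
    return GROUP_POLICY.get(rule["classtype"], DEFAULT_DISPOSITION)


def build_policy(text):
    """Map every SID in the rule file to its effective disposition."""
    return {r["sid"]: disposition_for(r) for r in parse_rules(text)}


def summarize(policy):
    """Count rules per disposition: the view you review after each tuning pass."""
    return dict(Counter(policy.values()))


if __name__ == "__main__":
    pol = build_policy(SAMPLE_RULES)
    for sid, disp in sorted(pol.items()):
        print(sid, disp)
    print(summarize(pol))
```

The point of the `summarize` step is the review loop the video mentions: after each tuning pass you can see at a glance how many signatures actually drop traffic, how many only log, and how many are still disabled.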
As we mentioned in the previous video, we want to have all of our infrastructure devices hardened against any security issues. There are usually default configurations and default usernames and passwords. We want to be sure that all of our systems are not using the defaults. Fortunately, manufacturers of these switches, routers, firewalls, and other devices will often provide a hardening guide, so you can use their recommendations to make sure that your system is as secure as possible. You might also find a number of guides online that go beyond the manufacturer’s requirements so that you can really tighten down the security of these devices.
If you’re configuring a network switch, one of the configuration settings for an interface connected to someone’s laptop or desktop computer is the VLAN that interface is assigned to. If you don’t specifically assign an interface to a VLAN, then that interface will use the default VLAN.
But there’s another type of VLAN called the native VLAN. This is used when you’re trunking different switches together. If you’re sending traffic across a trunk and that particular traffic belongs to the native VLAN, then an 802.1Q header will not be added to any of that traffic as it goes across the trunk.
You might also hear these referred to as untagged frames. If you look at the default configuration of a Cisco switch, for example, the native VLAN defaults to VLAN 1. One of the challenges with this is that a number of Cisco management protocols also use VLAN 1 to communicate. And so you may have management protocols and other types of user traffic using exactly the same VLAN without any type of 802.1Q header.
To separate out any of your user traffic from your network management traffic, you may want to change the native VLAN number to be some other value. For example, you could use VLAN 999 as the native VLAN. And your management traffic will still continue to run over VLAN 1.
When you first install a switch, a router, or some other network device, you’re given access to that system as the administrator, or with root access to that system. This means that you have complete access to perform any configuration on that device. If you need to make a configuration change to that device or upgrade any of the software, the administrator login or root login gives you complete control.
This obviously means that you need to control who has access to these administrator logins. You may want to integrate this with an existing AAA server or enable two-factor authentication. Or you may want to make sure that the passwords you’re using are strong passwords and not something that could be easily guessed. And as a best practice, you want to make sure that the password is occasionally changed, so that you’re locking out anyone who may have previously gained access to that system.
There is usually a separate login into these devices that has limited access. So if you simply need to log in and check the status of the system, you may be using a different login than someone who needs to log in and make configuration changes.
On these devices, there are some files that will be changing all the time. For example, the log files in a system will be constantly updated throughout the day. But there are some files on these systems that should never change. The operating system files and the internal files of these systems will probably never be updated.
Since many security breaches can start with someone changing one of these files that normally would never change, you may want to enable file integrity monitoring, or FIM. This means that you can scan, either in real time or on demand, to see if any of these files may have been changed.
In Windows, you might want to run SFC. This is the System File Checker, which will look at the Windows files and make sure that all of those files are exactly what they should be. In Linux, there’s an agent you can add from Tripwire. And if any of your system files change, the Linux Tripwire agent will tell you that they have been modified. There are also a number of host-based IPS options that can monitor any of your systems and let you know if any of those important files may have changed.
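The mechanism behind every FIM tool is the same: record a cryptographic digest of each file that should never change, store that baseline somewhere the monitored host cannot silently rewrite, and later compare a fresh scan against it. The following is an added example, not code from the video and not Tripwire or SFC: it hashes every regular file under a directory with SHA-256 (skipping a `log` directory that is expected to change), records the permission bits too, and reports added, removed and modified files. The sample directory tree and the tampering applied to it are constructed inside a temporary directory so the script runs offline.

```python
"""File integrity monitoring in miniature: baseline, rescan, report.

Added example, not from the original video and not Tripwire or SFC. It
records a SHA-256 digest and permission bits for every regular file under
a directory, skips directories that legitimately change all day (logs),
and compares a later scan against the saved baseline. The sample tree is
constructed in a temporary directory.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream the file so large binaries never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, exclude_dirs=("log",)):
    """Map each relative path to its digest and mode bits."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune directories whose contents are expected to change.
        dirnames[:] = [d for d in dirnames if d not in exclude_dirs]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # link targets are hashed under their own path
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": sha256_file(full),
                "mode": oct(os.stat(full).st_mode & 0o7777),
            }
    return baseline


def compare(baseline, current):
    """Return added, removed and modified paths (content or mode change)."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": [p for p in sorted(old & new) if baseline[p] != current[p]],
    }


def save_baseline(baseline, path):
    """Persist the baseline; in practice keep it off-host or read-only."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Build a constructed tree, baseline it, tamper, and return the report."""
    with tempfile.TemporaryDirectory() as root, \
            tempfile.TemporaryDirectory() as store:

        def write(rel, data):
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        # Constructed "system": a binary, a config file, and a log.
        write("bin/sshd", b"original binary\n")
        write("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        write("log/auth.log", b"session opened\n")

        base_file = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), base_file)

        # Simulated changes: patched binary, dropped file, deleted config.
        # Log growth is expected and must not be reported.
        write("bin/sshd", b"original binary\n# unexpected change\n")
        write("bin/.hidden", b"x")
        write("log/auth.log", b"session opened\nsession opened\n")
        os.remove(os.path.join(root, "etc", "passwd"))

        return compare(load_baseline(base_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points carry over to real deployments: the baseline is stored outside the monitored tree (here a second temporary directory), because a baseline the attacker can rewrite proves nothing, and the exclusion list is explicit, so a reviewer can see exactly which paths are not covered.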
The only people who should be logging in to your switches and routers are probably your network management team, your security team, and maybe yourself when you happen to be working from home. You may be able to set up access control lists, or ACLs, so that anywhere else on the network would not have access to those particular infrastructure devices. You can set up your ACL so that only the people who are on the network management or network security subnets have access to the management interface of those devices. All other traffic inbound to those devices would be dropped before anyone had a chance to log in.
This is a little bit different than setting ACLs for how an application might work. These are ACLs that you’re configuring on a router or another infrastructure device that would drop the traffic on the network as it’s traversing a particular interface. This would mean that you would have to be on one of the approved IP addresses to gain access to those management interfaces.
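An ACL on an infrastructure device is an ordered list: the first entry that matches a packet decides its fate, and anything that matches no entry hits the implicit deny at the end. Getting the order wrong is the classic mistake, so it is worth checking for entries that an earlier, broader entry makes unreachable. The following is an added example, not code from the video and not any vendor’s ACL syntax: it models the management-plane ACL described above with constructed subnets, addresses and flows, evaluates sample flows against it, and flags shadowed entries in a deliberately misordered variant.

```python
"""Management-plane ACL evaluation: first match wins, implicit deny last.

Added example, not from the original video and not a vendor's ACL syntax.
All subnets, addresses and flows are constructed for illustration.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Rule = namedtuple("Rule", "action src dst dport")   # dport None = any port
Flow = namedtuple("Flow", "src dst dport")

MGMT_IFACES = ip_network("10.0.0.0/24")   # device management interfaces
NET_MGMT = ip_network("10.10.10.0/24")    # network management team
SEC_MGMT = ip_network("10.10.20.0/24")    # security team
ANY = ip_network("0.0.0.0/0")

# Inbound ACL on the management interfaces: only the two approved subnets.
ACL_MGMT_IN = [
    Rule("permit", NET_MGMT, MGMT_IFACES, 22),   # SSH from network mgmt
    Rule("permit", SEC_MGMT, MGMT_IFACES, 22),   # SSH from security
    Rule("permit", NET_MGMT, MGMT_IFACES, 443),  # web UI from network mgmt only
    Rule("deny", ANY, MGMT_IFACES, None),        # explicit deny so drops get logged
]

# Misordered variant: the broad deny comes first and hides the permit.
MISORDERED = [
    Rule("deny", ANY, MGMT_IFACES, None),
    Rule("permit", NET_MGMT, MGMT_IFACES, 22),
]


def matches(rule, flow):
    return (ip_address(flow.src) in rule.src
            and ip_address(flow.dst) in rule.dst
            and (rule.dport is None or rule.dport == flow.dport))


def evaluate(acl, flow):
    """Return (action, index) of the first matching entry. Running off the
    end of the list returns ('deny', None): the implicit deny."""
    for i, rule in enumerate(acl):
        if matches(rule, flow):
            return rule.action, i
    return "deny", None


def shadowed_entries(acl):
    """Indices of entries that can never match because a single earlier
    entry already covers every flow they would match."""
    shadowed = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                shadowed.append(j)
                break
    return shadowed


SAMPLE_FLOWS = [
    Flow("10.10.10.5", "10.0.0.1", 22),     # admin -> switch SSH: permit
    Flow("10.10.20.7", "10.0.0.1", 443),    # security -> web UI: deny (not listed)
    Flow("192.168.50.12", "10.0.0.2", 22),  # user VLAN -> router SSH: deny
    Flow("10.10.10.5", "10.0.0.1", 23),     # telnet from an admin: deny
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", evaluate(ACL_MGMT_IN, flow))
    print("shadowed entries in MISORDERED:", shadowed_entries(MISORDERED))
```

Note that the last sample flow comes from an approved address but is still dropped: an ACL built this way permits specific protocols from specific subnets, not everything from an approved subnet. The explicit deny at the end only exists so the drops show up in the logs; without it the result is the same, just silent.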
Some organizations use honeypots as a way to attract the bad guys and have them stuck in their own virtual world of trying to hack systems that in reality don’t really exist. Since a lot of the inbound traffic from the bad guys is a script or some other automated process, you can have that inbound automated process talking to your honeypot automated processes to see exactly what they might do if they were to hit an actual machine.
Sometimes a honeypot is a single device. But you could set up a virtual world of multiple devices and networks together into a honeynet. You can find out more information about honeypots at projecthoneypot.org. Or you can download and run Honeyd on your own systems.
This is a constant battle to try to make sure that your honeypots look as real as possible. The bad guys are very good at determining whether they’re accessing a real system or whether it may be a honeypot. So you want to be sure that you’re running the latest types of honeypots on your systems so that you know you’re going to be able to attract the bad guys.
One of the ultimate ways to protect against somebody hacking into your system is for you to try hacking into your system yourself. And you can do this by performing penetration testing. You’re going to simulate an attack with actual exploits to see if you can take advantage of some vulnerabilities. This, of course, is the next step above vulnerability scanning. A vulnerability scan may tell you where a vulnerability might exist, but it won’t actually try to take advantage of it. With penetration testing, we’re trying to see if we really can gain access to the system. And we would see exactly what the bad guys would see if they were running the same exploit.
In some environments, you’re required to periodically perform a penetration test. This may be something that you’re able to do internally, or it may be required that you bring in a third party to perform these pen tests. A good overview of penetration testing can be found in the National Institute of Standards and Technology report Special Publication 800-115, the Technical Guide to Information Security Testing and Assessment. And you can find that guide at professormesser.link/800115.