Securing the Network from Within (Part 1)
Introduction
There have been many excellent papers and books written on securing computer networks. They largely address how to harden your network from the router on down to the switch, and eventually to the workstation itself. In many documented cases of compromised networks, the end goal of the hacker was to suborn the workstation itself. The router, and sometimes a server of some kind, was not actually the attacker's end state; the aim was normally to gain a toehold on the internal network via a client side exploit. Whether that is an operating system exploit or some other vulnerability is a moot point. Gaining access to the, all too often, soft underbelly of the internal network is quite often the goal of a network hack. Once a foothold has been established, the keylogger, packet sniffer, rootkit, and other programs used to further or hide the exploitation are ferried over to the now compromised computer.
Much as I mentioned above, the workstation itself is often the goal of a hack. The funny thing is, though, that I have often heard some computer security people say “but they cut right through our router and other security….”. Well, that is the whole point of hardening from the operating system outwards. One should assume that eventually a determined attacker will make their way to the aforementioned workstation. With that in mind, one should begin to harden what is often seen as the weakest link in the network security chain: the workstation. This article will attempt to address this concept of “secure from within” with some recommendations. We must also remember that computer security and complexity really don’t get along. The more complex the security, the more likely it is that it will not be followed by the end user. One final note before beginning: the security measures described below are written with a medium to large enterprise network in mind.
The first steps
I would like to take the chance first to say that this article will not attempt to list each and every option available to harden your network from the o/s on out. There are far too many variables in play for me to do this, let alone the various network architecture designs. The information from here on out therefore tries to be general rather than specific.
To begin with, one should realize that the very first step in protecting the workstation is physical security. You do not need to allow everyone access to the workstation outside of normal working hours. Once a department is done work for the day, the door to that section should be locked. There is no reason to have someone from your telemarketing staff drop into the accounting department, is there? You should also bear in mind the trustworthiness of the cleaning staff you probably have coming in after hours to vacuum and clean your office spaces. These people typically have unfettered access to the corporate work area with no one else around. Make sure the cleaning staff are properly vetted by the company you hired to do your cleaning.
We can see already from a couple of examples that physical access to the workstation is largely our biggest threat. Because of this you should always treat these workstations as if they have been exploited. This may sound rather paranoid, but it will help you in the possible redesign of your network architecture. There is a series of steps that should be taken to harden access to the workstation. Tried and true methods such as setting a BIOS password are greatly encouraged. By extension this also makes it far more difficult for someone to drop a live Linux distro into the CD tray, as they would then be prompted for the BIOS password. It is also important to restrict BIOS access, as you will hopefully have turned off USB support via the BIOS settings. There is little point in making changes in the BIOS if you allow someone else to simply change them back afterwards.
The subject of USB stick based attacks has been receiving a great deal of attention as of late, and deservedly so. These memory sticks can have pretty much anything you want on them, and they are of course very portable. That makes for a fairly stealthy attack, as they fit into anyone’s pocket. Disabling this type of support can also be enforced via GPO. Group Policy Objects are one of the best tools you can use to help enforce security, policy, and standards on your Windows 2K/XP/K3 network. There is an excellent link to various types of network scenarios at this link provided by Microsoft. Microsoft have themselves published a lot of excellent information on ways to harden your network. Whatever rhetoric you may hear about Microsoft’s security, you would be well advised to peruse their security section. There are many, many excellent pieces of information there to be had. Why go for a third party software solution if Microsoft already has one for you?
Through the use of various GPOs you should restrict access to the places that you do not want a user to reach. Locking down areas such as the registry, cmd.exe, and the Control Panel can greatly help you in your task of hardening the operating system. These measures are not foolproof, due to the proliferation of live Linux distributions. You should also bear in mind that administrative controls such as GPOs can at times be bypassed. A perfect example of this would be the system administrator blocking access to regedit via cmd.exe but forgetting about regedt32.
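As an added example (not from the original article), the following Python script audits an exported .reg dump from a workstation for the registry values behind the Group Policy settings just discussed: the registry-tool, cmd.exe and Control Panel lockouts, the USB mass-storage driver, and the "Don't run specified Windows applications" list, where a list naming regedit.exe but omitting regedt32.exe is flagged. The sample export is constructed, and the script assumes the dump was produced with `reg export` on the workstation in question.

```python
import re

# Constructed sample of a `reg export` dump (HKCU policy keys plus the USBSTOR service key).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel"=dword:00000001
"DisallowRun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="regedit.exe"
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003
"""

POL = r"hkey_current_user\software\microsoft\windows\currentversion\policies"
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-f]{8})|"(.*)")$', re.I)

def parse_reg(text):
    """Map lower-cased key path -> {lower-cased value name: int (dword) or str}."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current = tree.setdefault(m.group(1).lower(), {})
        elif (m := VAL_RE.match(line)) and current is not None:
            name, dword, string = m.groups()
            current[name.lower()] = int(dword, 16) if dword is not None else string
    return tree

def audit(text):
    """Return a list of findings; an empty list means every lockdown checked is in place."""
    reg = parse_reg(text)
    get = lambda key, name: reg.get(key, {}).get(name)
    findings = []
    if get(POL + r"\system", "disableregistrytools") not in (1, 2):
        findings.append("registry editing tools not disabled (DisableRegistryTools)")
    if get(r"hkey_current_user\software\policies\microsoft\windows\system", "disablecmd") not in (1, 2):
        findings.append("cmd.exe not disabled (DisableCMD)")
    if get(POL + r"\explorer", "nocontrolpanel") != 1:
        findings.append("Control Panel still reachable (NoControlPanel)")
    if get(r"hkey_local_machine\system\currentcontrolset\services\usbstor", "start") != 4:
        findings.append("USB mass-storage driver not disabled (USBSTOR Start != 4)")
    # DisallowRun only blocks the exact names listed, so a list with regedit.exe
    # but not regedt32.exe leaves the gap the article mentions.
    blocked = {v.lower() for v in reg.get(POL + r"\explorer\disallowrun", {}).values() if isinstance(v, str)}
    if "regedit.exe" in blocked and "regedt32.exe" not in blocked:
        findings.append("DisallowRun lists regedit.exe but not regedt32.exe")
    return findings
```

Run `audit()` over a real export to get the list of gaps; the sample above yields three findings.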
This is where the link two paragraphs above comes in handy. You will need to segment your network into various groups, and then decide with management what those groups of users should have access to. Take for instance the management group, which could be composed of the company’s executives. One measure that should be implemented is the use of PKI for all emails coming from the management group. This is by definition probably some of the most sensitive data flying around on your network. You certainly don’t want someone to be able to intercept and then read those emails, do you? Base64 is hardly an encryption scheme: it may appear to you as a mass of undecipherable characters, but it is easily and quickly converted back.
You may have just moved into a new job and inherited a network design not your own; however, that should not stop you from recommending a new architecture to your management team. Redesigning your network can yield great dividends. One such dividend, which we will see later, is malware containment through some thoughtful network design considerations. We will break this two part article series at this point. See you in part II!