View Evan Greenwood's profile on LinkedIn
Information Security

Today's computing environment is a hostile place. With modern multi-vector attacks, it's important that our security is active on several layers. Gone are the days when putting your network behind a firewall was sufficient.

Unfortunately, one of the biggest security risks in your company sits behind the keyboard! As such, your first port of call for securing your network needs to be corporate policy on use of the company network. As technologists, we are partially charged with saving users from themselves. Of course, there are also numerous external threats from which we must protect the network.

Securing the border

Securing the border is the first step in protecting yourself from external threats.  If you don't manage your own inbound email or website, this may be as simple as an ADSL router which doesn't allow inbound connections.  If you do need inbound connections things tend to be a little more complex, naturally.

As mentioned earlier, security needs to be multi-layered, & so too does your firewall. Traditionally this has been implemented by two separate firewalls providing a DMZ. The web servers & email relays are then placed in the DMZ. The external firewall's responsibility is to inspect inbound connection requests, redirecting them to either the web server or email server depending on the packet header information. Depending on requirements, the remaining packets are either redirected to the internal firewall or dropped. The external firewall will also manage outbound connections. For example, it will probably only allow outbound email connections (port 25) from the email relay in the DMZ. Outbound web requests (ports 80 and 443, for example) would only be accepted from the internal firewall.

The internal firewall tends to be a little more complex. It will most likely maintain many more rules. For example, administrators on the internal network will need to be able to connect to the email server to manage it. In the case of Microsoft Windows servers this may require Terminal Services access (port 3389 by default), or with Linux, Secure Shell (SSH, port 22 by default). However, because you may have multiple servers in the DMZ, the simple port forwarding used on the external firewall is not sufficient. A technique called "Network Address Translation" is used here. Basically this means that within the DMZ a server will have a particular IP address on a separate network from the corporate network, and it will be known by a different IP address internally. When the firewall receives packets destined for the internal IP address, it rewrites the packet headers & forwards them.

This is a rather simplified overview of firewall operation, & firewalling is anything but simple. One part of firewalls is simple, however: the policy of "drop by default". Simply put, this means "If I don't know what a packet is for, drop it."

There are three types of firewall: Filtering, Stateful & Application layer. Filtering firewalls manage packets simply by examining each packet to see if it fits predetermined criteria, dealing with it in the predetermined way if it does and dropping it otherwise. Stateful firewalls are concerned with how a packet fits within the flow of traffic & can determine if the packet is the start of a new connection or part of an existing one. This can then become part of the criteria determining if the packet is accepted or dropped. Application layer firewalls, however, are much smarter (and require more processing time). They "understand" the packets & perform deep packet inspection. They look inside the packet to see if it is doing what the header claims, or whether a packet is trying to sneak through on a non-standard port.
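The difference between a filtering and a stateful firewall, applied to the external firewall rules described above, can be shown with a small model. This is an added example, not code from the original article; the addresses are constructed documentation values, and the filtering model is deliberately simplified to "treat any non-SYN packet as a reply".

```python
from dataclasses import dataclass

# Constructed documentation addresses; the article names no hosts.
MAIL_RELAY, WEB_SERVER, INTERNAL_FW = "192.0.2.25", "192.0.2.80", "192.0.2.1"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True only on the packet that opens a TCP connection

# (direction, required source, required destination, destination port)
# None means "any". Anything not listed is dropped by default.
RULES = [
    ("in", None, MAIL_RELAY, 25),
    ("in", None, WEB_SERVER, 80),
    ("in", None, WEB_SERVER, 443),
    ("out", MAIL_RELAY, None, 25),   # only the relay may send mail out
    ("out", INTERNAL_FW, None, 80),  # web requests only via internal firewall
    ("out", INTERNAL_FW, None, 443),
]

def rule_allows(direction, p):
    return any(d == direction and s in (None, p.src) and t in (None, p.dst)
               and port == p.dport for d, s, t, port in RULES)

def filtering_decide(direction, p):
    """Stateless filter: each packet is judged alone. It cannot tie a reply
    to a request, so this model assumes any non-SYN packet is a reply."""
    if rule_allows(direction, p) or not p.syn:
        return "accept"
    return "drop"  # drop by default

class StatefulFirewall:
    def __init__(self):
        self.connections = set()  # flows opened by a permitted SYN

    def decide(self, direction, p):
        flow = (p.src, p.sport, p.dst, p.dport)
        reply = (p.dst, p.dport, p.src, p.sport)
        if flow in self.connections or reply in self.connections:
            return "accept"  # part of an existing, tracked connection
        if p.syn and rule_allows(direction, p):
            self.connections.add(flow)
            return "accept"  # start of a new, permitted connection
        return "drop"  # drop by default
```

An unsolicited non-SYN packet is accepted by `filtering_decide` but dropped by `StatefulFirewall.decide`, because no tracked connection matches it.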

Linux Netfilter (part of the Linux kernel) is an example of a stateful firewall, & it is very widely used. Because it is very mature & has a wide user base, it makes a good choice for a stateful firewall, but it requires specialist management. Application layer firewalls are also available for Linux. Microsoft ISA Server, however, is probably the most widely known application layer firewall & is well suited if you have a predominantly Microsoft environment & expertise.

Unless you have considerable internal firewall expertise you should consider outsourcing this critical service.

Internal security

Once inside the network it is important that security is not forgotten. A significant part of this security should be driven by corporate policy & backed up by technology. Every choice made to determine what activity is or is not acceptable internally should be based on "What risk does this pose, and does the potential return justify this risk?". A classic example of this is: Do the internal users require local administration rights on the desktop? The risk of local administration rights is enormous. Remember that most viruses can only work within the security context of the running user. If that user has local administration rights on the machine, the virus has a free-for-all. What are the benefits? None, really. If the machine needs an application installed then the network administrator can perform this.

Remember the now infamous Sony rootkit? This was basically a small application that installed itself on the computer when you ran a Sony DVD, & which purportedly "protected" copyright. Because of the requirements of a rootkit, if the account running the DVD did not have local administration rights the rootkit could not have installed itself!

There are many ways to circumvent issues encountered due to the lack of local administration rights on a machine.  These can be put in place at install, especially when a Standard Operating Environment is deployed across the company.

An effective anti-virus/anti-spyware solution is essential for continued internal network integrity. Preferably this should be a corporate solution allowing for centralized management across the corporation. Anti-virus solutions tend to fall into two major groups: Signature based and "Sandbox" type. Signature based is the traditional Symantec Antivirus or McAfee style that compares data against a database of known virus signatures. When a match is found, the data is deleted, quarantined or repaired. The disadvantage is that the solution needs to be aware of the virus to detect it. It does not offer a defense against so-called "Zero Day" attacks. Sandbox technology, on the other hand, places the data into an isolated memory space to see what it does. How the data behaves will determine whether it is a virus or not, usually by comparing observed activities against known patterns. It is easy to see that sandbox technology offers limited protection against zero day attacks. Both solutions offer realtime protection - that is, they will scan files as you attempt to open them.

Again, a multi-layered defense is the best approach. Protect yourself against viruses at the border with virus scanning on your email gateway and web proxy. This allows you to detect viruses as they enter your company. Ideally deploy both signature and sandbox style solutions here. Deploy anti-virus software on your servers. And deploy anti-virus on your most vulnerable point: the user workstation.

At a network level there is work to be done securing the environment. The rapid spread of the Slammer virus demonstrated to us the importance of separating your network into Virtual LANs (VLANs). Investing in good network monitoring tools is also essential to identify the host spreading the virus. In the case of Slammer, I found it quite possible to identify which machines had been infected by monitoring the network looking for certain patterns as the virus "probed" for vulnerable machines.
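One way to look for that kind of probing pattern in flow records is to flag any internal host that contacts many distinct destinations on a single port within a short window. This is an added example, not the author's tooling; the log format, addresses, window and threshold are assumptions, and the sample uses UDP port 1434 because that is the port Slammer is known to have probed.

```python
from collections import defaultdict

# Constructed flow records: "epoch_seconds src dst proto dport"
SAMPLE_FLOWS = "\n".join(
    [f"{1000 + i} 10.1.2.15 10.1.{i % 8}.{i + 1} udp 1434" for i in range(40)]
    + ["1003 10.1.2.20 10.1.0.5 udp 1434",   # one client, one server: normal
       "1005 10.1.2.20 10.1.0.5 udp 1434",
       "1010 10.1.2.30 10.1.0.53 udp 53",
       "malformed line"]
)

def parse_flows(text):
    """Yield (ts, src, dst, proto, dport); silently skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit() or not parts[4].isdigit():
            continue
        ts, src, dst, proto, dport = parts
        yield int(ts), src, dst, proto, int(dport)

def find_probing_hosts(text, window=60, threshold=20):
    """Return {src: (proto, dport, peak)} for hosts that reached at least
    `threshold` distinct destinations on one port within `window` seconds."""
    events = defaultdict(list)
    for ts, src, dst, proto, dport in parse_flows(text):
        events[(src, proto, dport)].append((ts, dst))
    suspects = {}
    for (src, proto, dport), seen in events.items():
        seen.sort()
        start = peak = 0
        for end in range(len(seen)):
            # Slide the window so it spans less than `window` seconds.
            while seen[end][0] - seen[start][0] >= window:
                start += 1
            peak = max(peak, len({dst for _, dst in seen[start:end + 1]}))
        # Keep the busiest port per source if several exceed the threshold.
        if peak >= threshold and peak > suspects.get(src, ("", 0, 0))[2]:
            suspects[src] = (proto, dport, peak)
    return suspects
```

Repeated traffic to the same destination does not raise the count, so an ordinary client of one server stays below the threshold.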

Intrusion detection/prevention systems

Intrusion Detection Systems (IDS) are the next step in securing the network, Intrusion Prevention Systems (IPS) being the evolution of IDS. Both systems are either host or network based. Network Intrusion Detection Systems monitor network traffic looking for patterns that are potentially malicious, whereas Host Intrusion Detection Systems monitor system calls or logs. Intrusion Prevention Systems, as the name might suggest, can then react in real time to block those activities identified. Many argue that IPS is an extension of IDS.

Summary

Because of the size of this topic it seemed appropriate to provide a summary of security approaches.

While network security can be very expensive and time consuming, there are a number of very simple things that can be done at very little cost which will go a long way to providing a more secure environment. For the security sensitive, there is much that can be done (and spent) that will make your network as secure as the very best. Along the way there is a happy middle ground which will make your network safe against 99% of threats that are out there or likely to be seen in the foreseeable future.

Please contact me to consult on what you can do to better secure your network.
