By Manish Tanwar
World Informatix Cyber Security
Nowadays, hacking and data breaches are no longer the mere drive-by hacking of the old days; they are becoming serious crime, with black hat hackers even offering hacking as a ‘service’. Malicious hackers breach organizations for a variety of reasons: some for personal profit (the Bangladesh Bank heist), others because a competitor wants the data or wants to ruin the organization’s market reputation, and a few for a social cause (hacktivism). So it is important to deploy strong security measures to make sure your network boundary is securely defended. If attackers manage to beat your network perimeter defenses and break into a system, they must not be able to pivot through the network and find critical assets. Network boundary defense must be configured so that network security policies either drop/deny identified malicious requests or make it harder for hackers to exploit their network access any further.
For a group or individual hacker targeting an organization with an APT (advanced persistent threat), network boundary defense policies matter a lot. Firewalls and routers are the key devices for configuring network policies between an organization’s sensitive network and the external world. Because of cloud networking, internal devices are exposed to the external world more and more, and hence hackers are getting closer to their targets. It is a real matter of concern how network traffic should be configured to handle and minimize the risk of a security breach.
A very common network diagram is given below.
The network architecture diagram gives an overview of how the network devices connect to the internet. An attacker always tries to get into a system that connects to the internet as well as to the internal network, from where they can attack internal devices easily. The attacker uses the compromised machine as a base and pivots to the intranet devices to get at sensitive information. In such a scenario, a multi-layered defense can play an important role in detecting or preventing further exploitation.
To defend the network against malicious attacks, there are some security-enhancing schemes recommended by SANS which should be considered when implementing network boundary defense.
- Deny data flow to known malicious IPs, or limit data flow to trusted sites. Periodically test this control by sending packets with bogon IPs as the source address and confirming that the border drops them.
- The network border should have a packet monitoring device that can log packet info/headers traveling from one network to another. These logged packets should be forwarded to a SIEM (security information and event management) system for event correlation across all network devices.
- Deploying a network-based intrusion detection system (IDS) for internet-facing systems as well as for DMZ systems and networks can help detect malicious payloads and attack vectors. If any system generates unusual traffic, the IDS will check whether the system has been compromised or not.
- Deploying an intrusion prevention system (IPS) complements the IDS configured in the network and blocks malicious requests and attack vectors.
- In the network border security implementation, filter outbound traffic (internal network to internet) through an authenticated application-layer proxy. Configure the application-layer proxy so that it can filter out blocked URLs, IPs and domain names. The proxy server should be able to decrypt the network traffic and log TCP sessions.
- Implementing two-factor authentication for remote login access such as VPN, dial-up and other internal system logins can make a significant difference and enhance network border security.
- All enterprise devices used for remote login should be managed by the enterprise, with remote control of their configuration as well as patch management. Third-party devices should be scanned before being allowed access.
- Perform periodic checks for back-channel connections that bypass the DMZ: VPN connections, and dual-homed hosts connected to the enterprise network and to other networks via wireless, dial-up modems or other mechanisms.
- Deploy NetFlow collection and analysis on DMZ network flows to detect anomalous activity.
- To help identify covert channels exfiltrating data through a firewall, configure the built-in firewall session tracking mechanisms included in many commercial firewalls to identify TCP sessions that last an unusually long time for the given organization and firewall device, alerting personnel about the source and destination addresses associated with these long sessions.
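Two of the items above, the bogon-source test in the first item and the long-TCP-session alert in the last, can be turned into a small check that runs over the firewall's session logs. The script below is an added example written for this page, not code from the article or from SANS. It assumes a simple key=value session log format, a hard-coded bogon prefix list (a real deployment would use a maintained bogon feed), and the `factor` and `min_seconds` thresholds; the log lines are constructed, and the TEST-NET documentation ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) stand in for public addresses.

```python
"""Boundary-defense checks over constructed firewall session logs (added example).

Implements two checks from the list above:
  1. sessions whose source address falls in a bogon / non-routable prefix,
     which means either the border filter failed the bogon test or the
     packet was spoofed;
  2. TCP sessions that last far longer than the baseline for the same
     destination port, the SANS long-session alert for covert channels.
"""
import ipaddress
import statistics
from dataclasses import dataclass

# Assumed bogon list: RFC 1918, RFC 6598 shared space, loopback, link-local,
# multicast and reserved. TEST-NET documentation ranges are deliberately left
# out because the sample log uses them as stand-ins for public addresses.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass
class Session:
    src: str
    dst: str
    dport: int
    proto: str
    duration_s: int


# Constructed session records: one session per line, key=value fields.
SAMPLE_LOG = """\
src=203.0.113.7 dst=192.0.2.10 dport=443 proto=tcp duration=42
src=10.0.0.5 dst=192.0.2.10 dport=22 proto=tcp duration=300
src=203.0.113.9 dst=192.0.2.10 dport=443 proto=tcp duration=38
src=198.51.100.4 dst=192.0.2.11 dport=25 proto=tcp duration=55
src=198.51.100.4 dst=192.0.2.11 dport=443 proto=tcp duration=86400
src=203.0.113.12 dst=192.0.2.12 dport=53 proto=udp duration=1
"""


def parse_session(line):
    """Parse one 'k=v k=v ...' log line into a Session (assumed format)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Session(fields["src"], fields["dst"], int(fields["dport"]),
                   fields["proto"], int(fields["duration"]))


def parse_log(text):
    return [parse_session(l) for l in text.splitlines() if l.strip()]


def is_bogon(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_PREFIXES)


def bogon_sources(sessions):
    """Sessions that arrived at the border with a non-routable source."""
    return [s for s in sessions if is_bogon(s.src)]


def long_sessions(sessions, factor=10.0, min_seconds=3600):
    """TCP sessions at least min_seconds long and more than `factor` times
    the median duration seen for the same destination port. In production the
    baseline would come from historical data, not from the same batch."""
    tcp = [s for s in sessions if s.proto == "tcp"]
    by_port = {}
    for s in tcp:
        by_port.setdefault(s.dport, []).append(s.duration_s)
    flagged = []
    for s in tcp:
        baseline = statistics.median(by_port[s.dport])
        if s.duration_s >= min_seconds and s.duration_s > factor * baseline:
            flagged.append(s)
    return flagged


def report(text):
    """Run both checks and return the alerts as plain tuples for the SIEM."""
    sessions = parse_log(text)
    return {
        "bogon_sources": [(s.src, s.dst, s.dport)
                          for s in bogon_sources(sessions)],
        "long_sessions": [(s.src, s.dst, s.dport, s.duration_s)
                          for s in long_sessions(sessions)],
    }


if __name__ == "__main__":
    for name, alerts in report(SAMPLE_LOG).items():
        print(name, alerts)
```

On the constructed log, the 10.0.0.5 source on port 22 is reported as a bogon that should never have crossed the border, and the 86400-second session to port 443 is reported as a long session worth a look at both endpoints; a real deployment would feed these tuples into the SIEM mentioned in the second item rather than print them.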
The actions mentioned above are common best practices for enhancing network boundary security. They help a lot in detecting/preventing common attack techniques (with the help of the deployed IDS/IPS) as well as in incident response (using the data logged by the network proxies).
One must always try to find the best practices and implement them throughout the network. Security is not a single thing, and a network can’t be secured just by implementing a few measures. A secure network requires ‘keep enhancing’ security measurement techniques, and only ‘active security implementation schemes’ make a hacker’s life hard.