Securing the Network from Within (Part 2)

by Don Parker [Published on 15 Feb. 2006 / Last Updated on 15 Feb. 2006]

In Part 1 of this article series we went over some of the physical threats confronting networks. In Part 2 we continue with other ways to secure the workstation and thereby further harden the internal network against attack.

If you missed the first article in this series please go read Securing the Network from Within (Part 1).

Something more concrete

So far I have talked only in general terms about hardening the operating system and have not yet addressed anything really specific. I will now put things into context by detailing some steps for a typical medium to large enterprise network, working from the workstation outwards.

One of the first things to do, again, is to control physical access to your workstations. Next, set a BIOS password to limit access to the firmware settings, which is what stops someone changing the boot order and booting the machine from their own media. You should also have in place one of the standard security templates, which let you leverage the power of GPOs in your W2K and XP environment. The number of settings available through GPO is truly impressive, and they can be customized for almost any environment. I will not go any further on the subject of GPOs, as I do not consider myself an expert in them. There is an excellent article on them in Microsoft's TechNet Magazine in which Derek Melber details what he considers the top 10 GPO settings you should take advantage of. Derek's number four setting is one I rarely see used, and, as he says, it will slow down an attacker's brute-force attempts to log into the computer.

Going hand in glove with a GPO lockdown of the workstation is the need for a corporate software baseline. This baseline of approved software should then be complemented by a requirement that any further software installation needs administrator privileges. This is not a perfect solution, since there are ways around it, but it is another hurdle for the trusted insider to work around. Offering your employees an image of the software baseline will also help secure your network when, and if, they connect their laptops to it; too often work laptops are the vector for infections and malware outbreaks. There have been cases of companies targeted for corporate espionage in which the employee was attacked at home. This is a tried and true method of infiltrating a hardened corporate network, as employees rarely have the same level of protection on their home computers. That is why it is important to offer employees a company software baseline image for home use. If nothing else, an anti-virus and firewall package should be offered; if you are in a big company, your licensing likely allows for this.

Another technology that should be applied to the workstation is a host intrusion prevention system, or HIPS. A HIPS can protect against a plethora of client-side exploits that may not be patched as quickly as they should be: Microsoft patches quite often have to be tested before deployment in case they break some functionality on the network. It will also protect the workstation from the all too common buffer overflow, format string and canonicalization attacks. A trusted insider can, with a little knowledge, quickly find out via SNMP which servers have been patched and which have not. Should you doubt this, consider the uptime query issued to a server (sysUpTime in the standard MIB). That gives a good indication of whether it has been patched for a specific vulnerability: if the server's uptime is longer than the time since the patch was released, and the patch requires a reboot to take effect, you can surmise that the patch is not yet in effect.
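To make the uptime check concrete, here is an added example (my own illustration, not code from the original article) that parses the sysUpTime.0 line printed by net-snmp's snmpget and decides whether a host has rebooted since a patch was released. The host names, the dates and the response lines are constructed.

```python
"""Added example: infer 'not rebooted since patch release' from SNMP sysUpTime.

Parses the sysUpTime.0 line that net-snmp's snmpget prints, e.g.
    snmpget -v2c -c public ws-sales-07 sysUpTime.0
and compares the implied boot time with a patch release date.
All host names, dates and response lines below are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# net-snmp renders TimeTicks (hundredths of a second) inside parentheses.
_TICKS_RE = re.compile(r"Timeticks:\s*\((\d+)\)")

# TimeTicks is a 32-bit counter, so it wraps after roughly 497 days.
TICKS_WRAP = 2 ** 32

# Constructed: when the queries were answered and when the patch shipped.
OBSERVED_AT = datetime(2006, 2, 15, 12, 0, tzinfo=timezone.utc)
PATCH_RELEASED = datetime(2006, 2, 14, 18, 0, tzinfo=timezone.utc)

# Constructed snmpget output, keyed by host.
SAMPLE_RESPONSES = {
    "ws-marketing-01": "SNMPv2-MIB::sysUpTime.0 = Timeticks: (3600000) 10:00:00.00",
    "ws-sales-07": "SNMPv2-MIB::sysUpTime.0 = Timeticks: (864000000) 100 days, 0:00:00.00",
}


def parse_sysuptime_ticks(line: str) -> int:
    """Return the raw TimeTicks value from one snmpget output line."""
    m = _TICKS_RE.search(line)
    if not m:
        raise ValueError(f"no Timeticks value in {line!r}")
    ticks = int(m.group(1))
    if ticks >= TICKS_WRAP:
        raise ValueError("TimeTicks is a 32-bit counter")
    return ticks


def boot_time(ticks: int, observed_at: datetime) -> datetime:
    """Boot time implied by sysUpTime, given when the query was answered."""
    return observed_at - timedelta(seconds=ticks / 100)


def rebooted_since(line: str, observed_at: datetime, patch_released: datetime) -> bool:
    """True if the host booted after the patch was released.

    The negative is what matters operationally: if this returns False, a
    patch that needs a reboot cannot be in effect on that host yet.
    """
    return boot_time(parse_sysuptime_ticks(line), observed_at) > patch_released


def hosts_needing_reboot(responses: dict, observed_at: datetime, patch_released: datetime) -> list:
    """Hosts whose uptime exceeds the patch's age: the ones an insider would go after."""
    return sorted(
        host for host, line in responses.items()
        if not rebooted_since(line, observed_at, patch_released)
    )


if __name__ == "__main__":
    for host in hosts_needing_reboot(SAMPLE_RESPONSES, OBSERVED_AT, PATCH_RELEASED):
        booted = boot_time(parse_sysuptime_ticks(SAMPLE_RESPONSES[host]), OBSERVED_AT)
        print(f"{host}: up since {booted:%Y-%m-%d %H:%M} UTC, reboot-requiring patch not in effect")
```

Two caveats. First, sysUpTime measures time since the SNMP agent was last re-initialised, which on Windows is the start of the SNMP service rather than necessarily the last boot; hrSystemUptime.0 from HOST-RESOURCES-MIB is the better counter where the agent supports it, and TimeTicks wraps after about 497 days, so very long uptimes read low. Second, the check is one-directional: a reboot after the release date does not prove the patch was installed, whereas uptime exceeding the patch's age does prove a reboot-requiring patch is not yet in effect.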

With the above said, it is also time to look at overall network architecture. For the medium to large enterprise network it only makes sense to segment it into logical divisions. This can be done with routers, which not only separate the various departments but can also be used to control resource access. A tangible side benefit of segmentation via routers is malware containment. If for whatever reason a worm makes its way into, say, the marketing department, it is contained there, because the routers in your network do not forward NetBIOS traffic (TCP and UDP 137 through 139, and the related SMB port 445) between segments; this is one of the ways worms propagate. Only ports that are deemed absolutely necessary should be open between intranet segments. This point gets hammered home time and again when a new worm tears a hole through a flat network. By making simple changes such as this you are able to contain malware outbreaks, which at least affords you the opportunity to clean up the mess without having to take down the entire network. Such a drastic cleanup quickly drives up the dollar cost of the outbreak.

Beyond using routers for department segmentation, it is a good idea to hang an IDS off the switch behind each one, on a mirror (SPAN) port or a tap so that it actually sees the segment's traffic. This gives you a heads-up on any illicit activity on a department by department basis, which also makes it easier to spot trouble departments that may need further security measures. Another excellent way to manage your network is to incorporate weekly, monthly, or as you see fit, traffic mining. You really should, on a regular basis, log all network traffic and then sift through it looking for packets that do not belong. That way you can also find programs that have somehow made their way into your network; the ever-present issue of P2P and IRC traffic, for one, can be found via this kind of traffic analysis.

Should your in-house staff not have the skills to do this, then contract it out or get your staff trained in it. There are almost always nuggets of interesting traffic that can be ferreted out via network traffic analysis, or data mining as it is also called. P2P and IRC are ways that a normally well-hardened network can be breached by a well-meaning employee. There have been many times that I have done data mining for a client and ended up telling them of issues which resulted from the use of P2P and IRC. These protocols should be strictly disallowed for internal network use.

It is also good practice to observe normal hardening for the switches in your network. MAC addresses should be statically mapped to switch ports (port security) to blunt the usual ARP and MAC-spoofing attacks. Further to this there should be proper hardening at the router as well: there is no need to have any bogon range, meaning unallocated or reserved address space, allowed into or out of your network. We as network security professionals and system administrators need to remember that we provide a service. That service is to give the end user a simple and easy way to conduct business via their computer. Complicating this task for them will only lead to them attempting to circumvent those security policies, or result in reduced productivity. Blaming the end user for all network problems is not only unacceptable, it ignores the very reason we are employed, i.e. to keep things simple and secure.
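As an added example serving both the traffic mining described two paragraphs up and the bogon filtering just mentioned (my own illustration, not code from the original article), the following runs over a constructed flow log, flags flows to the default IRC and P2P ports, and flags any address that should never appear at the perimeter. The field layout, the internal 10.0.0.0/8 prefix, the fixed bogon list and every address are assumptions made for illustration.

```python
"""Added example: mine a flow log for IRC/P2P use and perimeter bogon addresses.

Input is a constructed whitespace-separated flow summary with the fields
    timestamp src dst proto dport bytes
The field layout, the internal prefix and every address are assumptions
made for illustration; 203.0.113.0/24 documentation addresses stand in
for public Internet hosts.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: the enterprise numbers its internal network from 10.0.0.0/8,
# one /24 per department.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Fixed bogon set (0/8, RFC 1918, loopback, link-local, TEST-NET, multicast,
# class E). A perimeter ACL should be built from a maintained bogon feed.
BOGON_NETS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def service_hint(proto: str, dport: int):
    """Name the service a default port suggests, or None. A hit is a lead, not proof."""
    if proto == "tcp" and (6660 <= dport <= 6669 or dport == 7000):
        return "IRC"
    if proto == "tcp" and 6881 <= dport <= 6889:
        return "BitTorrent"
    if (proto, dport) in {("tcp", 4662), ("udp", 4672)}:
        return "eDonkey"
    if proto in ("tcp", "udp") and dport in (6346, 6347):
        return "Gnutella"
    return None


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def is_perimeter_bogon(addr) -> bool:
    """Bogon as seen at the edge: a non-internal address that should never route."""
    return not is_internal(addr) and any(addr in net for net in BOGON_NETS)


def parse_flow(line: str) -> dict:
    ts, src, dst, proto, dport, nbytes = line.split()
    return {"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
            "proto": proto.lower(), "dport": int(dport), "bytes": int(nbytes)}


def mine(lines) -> list:
    """Return (src, dst, finding) tuples for every flow worth a second look."""
    findings = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        f = parse_flow(line)
        hint = service_hint(f["proto"], f["dport"])
        if hint:
            findings.append((str(f["src"]), str(f["dst"]), hint))
        for role in ("src", "dst"):
            if is_perimeter_bogon(f[role]):
                findings.append((str(f["src"]), str(f["dst"]), f"bogon {role} {f[role]}"))
    return findings


def by_segment(findings, prefixlen: int = 24) -> dict:
    """Count findings per source /24, to see which department needs attention."""
    counts = Counter(str(ip_network(f"{src}/{prefixlen}", strict=False))
                     for src, _, _ in findings)
    return dict(counts)


# Constructed flow records.
SAMPLE_FLOWS = [
    "# timestamp            src           dst            proto dport bytes",
    "2006-02-15T09:01:12 10.20.1.15    203.0.113.10   tcp   80    4120",
    "2006-02-15T09:02:40 10.20.1.22    203.0.113.44   tcp   6667  980",
    "2006-02-15T09:03:05 10.20.1.15    10.20.1.30     tcp   445   15200",
    "2006-02-15T09:05:51 10.20.3.8     203.0.113.77   tcp   6881  771200",
    "2006-02-15T09:06:13 192.168.5.5   10.20.1.15     tcp   445   1320",
    "2006-02-15T09:07:29 10.20.2.9     203.0.113.5    udp   4672  64",
    "2006-02-15T09:09:44 10.20.1.40    203.0.113.91   tcp   6668  2210",
]

if __name__ == "__main__":
    found = mine(SAMPLE_FLOWS)
    for src, dst, what in found:
        print(f"{src} -> {dst}: {what}")
    print("per segment:", by_segment(found))
```

Port matching is only a lead: IRC bots and P2P clients can be pointed at 80 or 443, so treat a hit as a prompt to pull the full capture for that host, and treat a department that keeps turning up in by_segment as the trouble department the text describes. The bogon list here is the classic fixed set; at the router, build the deny list from a maintained feed and apply it on both the inbound and the outbound interface, as the text says.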

I sincerely hope you enjoyed this article. Once again I would remind you that I have not attempted to provide highly detailed advice, but rather a generic overview of how you can help secure your network from the operating system outwards. Till next time!
