
Low Hanging Fruit: Network Security

By Mike Rothman

During my first two weeks at Securosis, I’ve gotten soundly thrashed for being too “touchy-feely.” You know, talking about how you need to get your mindset right and set the right priorities for success in 2010. So I figure I’ll get down in the weeds a bit and highlight a couple of tactics that anyone can use to ensure their existing equipment is optimized.

I’ve got a couple main patches in my coverage area, including network and endpoint security, as well as security management. So over the next few days I’ll highlight some quick things in each area.

Let’s start with the network, since it’s really the foundation of everything, but don’t tell Rich and Adrian I said that – they spend more time in the upper layers of the stack. Also a little disclaimer in that some of these tactics may be politically unsavory, especially if you work in a large enterprise, so use some common sense before walking around with the meat cleaver.

Prune your firewall

Your firewall likely resembles my hair after about 6 weeks between haircuts: a bit unruly and you are likely to find things from 3-4 years ago. Right, the first thing you can do is go through your firewall rules and make sure they are:

  1. Authorized: You’ll probably find some really bizarre things if you look. Like the guy that needed some custom port in use for the poorly architected application. Or the port opened so the CFO can chat with his contacts in Thailand. Anyhow, make sure that every exception is legit and accounted for.
  2. Still needed: A bunch of your exceptions may be for applications or people no longer with the company. Amazingly enough, no one went back and cleaned them up. Do that.

One of the best ways to figure out what rules are still important is to just turn them off. Yes, all of them. If someone doesn’t call in the next week, you can safely assume that rule wasn’t that important. It’s kind of like declaring firewall rule bankruptcy, but this one won’t stay on your record for 7 years.

Once you’ve pruned the rules, make sure to test what’s left. It would be really bad to change the firewall and leave a hole big enough to drive a truck through. So whip out your trusty vulnerability scanner, or better yet an automated pen testing tool, and try to bust it up.
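One way to run the "authorized" and "still needed" review before switching anything off, as an added example that is not part of the original post. It assumes a Linux firewall dumped with `iptables-save -c` (the post names no product) and a hypothetical convention of tagging every exception with a `CR-<number>` rule comment; the rules are constructed.

```python
import re

# Constructed sample in `iptables-save -c` format: [packets:bytes] precede each rule.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[48213:3920114] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[1520:91200] -A INPUT -p tcp -m tcp --dport 443 -m comment --comment "CR-1042 web frontend" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 8081 -m comment --comment "CR-0311 legacy app" -j ACCEPT
[0:0] -A INPUT -s 203.0.113.7/32 -p tcp -m tcp --dport 5222 -j ACCEPT
[77:4620] -A FORWARD -p tcp -m tcp --dport 3389 -j ACCEPT
COMMIT
"""

RULE = re.compile(r'^\[(\d+):\d+\] -A (\S+) (.*)$')
COMMENT = re.compile(r'--comment (?:"([^"]*)"|(\S+))')
TICKET = re.compile(r'\bCR-\d+\b')  # hypothetical change-request tag convention
RETURN_TRAFFIC = re.compile(r'--(?:ct)?state \S*ESTABLISHED')

def review(dump):
    """Return (chain, rule, reasons) for every allow rule that needs a second look."""
    findings = []
    for line in dump.splitlines():
        m = RULE.match(line)
        if not m or not re.search(r'-j ACCEPT\b', m.group(3)):
            continue  # policies, table markers and non-allow rules are out of scope
        packets, chain, body = int(m.group(1)), m.group(2), m.group(3)
        if RETURN_TRAFFIC.search(body):
            continue  # stateful return-traffic rule, not an exception
        c = COMMENT.search(body)
        text = (c.group(1) or c.group(2) or "") if c else ""
        reasons = []
        if not TICKET.search(text):
            reasons.append("no change request")  # authorized?
        if packets == 0:
            reasons.append("zero hits")          # still needed?
        if reasons:
            findings.append((chain, body, reasons))
    return findings

if __name__ == "__main__":
    for chain, body, reasons in review(SAMPLE):
        print(f"{chain:8} {', '.join(reasons):30} {body}")
```

Counters restart whenever the ruleset is reloaded or the box reboots, so "zero hits" only means no matching traffic since then; let them accumulate over a full business cycle before treating a rule as dead.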

Consolidate (where possible)

The more devices, the more opportunities you have to screw something up. So take a critical look at that topology picture and see if there are better ways to arrange things. It’s not like your perimeter gear is running full bore, so maybe you can look at other DMZ architectures to simplify things a bit, get rid of some of those boxes (or move them somewhere else), and make things less prone to error.

And you may even save some money on maintenance, which you can spend on important things – like a cappuccino machine.

Segregate (where possible)

No, I’m not advising that we go back to a really distasteful time in our world, but talking about our understanding that some traffic just shouldn’t be mixed with others. If you worry about PCI, you already do some level of segregation because your credit card data must reside on a different network segment. But expand your view beyond just PCI, and get a feel for whether there are other groups that should be separate from the general purpose network. Maybe it’s your advanced research folks or the HR department or maybe your CXO (who has that nasty habit of watching movies at work).

This may not be something you can get done right away because the network folks need to buy into it. But the technology is there, or it’s time to upgrade those switches from 1998.

Hack yourself

As mentioned above, when you change anything (especially on perimeter facing devices), it’s always a good idea to try to break the device to make sure you didn’t trigger the law of unintended consequences and open the red carpet to Eastern Europe. This idea of hacking yourself (which I use the fancy term “security assurance” for) is a critical part of your defenses. Yes, it’s time to go get an automated pen testing tool. Your vulnerability scanners are well and good. They tell you what is vulnerable. They don’t tell you what can be exploited.

So tool around with Metasploit, play with Core or CANVAS, or do some brute force work. Whatever it is, just do it. The bad guys test your defenses every day – you need to know what they’re finding.

Revisit change control

Yeah, I know it’s not sexy. But you spend a large portion of your day making changes, patching things, and fulfilling work orders. You probably have other folks (just like you) who do the same thing. Day in and day out. If you aren’t careful, things can get a bit unwieldy with this guy opening up that port, and that guy turning off an IPS rule. If you’ve got more than one hand in your devices on any given day, you need a formal process.

Think back to the last incident you had involving a network security device. Odds are high the last issue was triggered by a configuration problem caused by some kind of patch or upgrade process. If it can happen to the FAA, it can happen to you. But that’s pretty silly when you can make sure your admins know exactly what the process is to change something.

So revisit the document that specifies who makes what changes when. Make sure everyone is on the same page. Make sure you have a plan to rollback when an upgrade goes awry. Yes, test the new board before you plug it into the production network. Yes, having the changes documented, the help desk aware, and the SWAT team on notice are also key to making sure you keep your job after you reset the system.

Filter outbound traffic

If you work for a company of scale, you have compromised machines. Do you know which ones? Monitoring your network traffic is certainly one way to figure out when something a bit non-kosher happens, but may not be an option for a quick fix.

But applying rules you have running on your firewalls and IPS devices to your outbound traffic leverages the stuff you already have. Yes, they don’t catch insider attacks or some weird encapsulated stuff, but what you find will surprise you (and the CIO). Ultimately, it’s about trying to figure out what’s broken, and this is a quick way to do it.
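A sketch of what to do with the outbound hits once those rules are in place, as an added example that is not part of the original post: rank internal hosts by the outbound connections the firewall blocked. It assumes Linux netfilter `LOG` lines and a hypothetical `EGRESS-DROP` log prefix on the outbound deny rule; the log lines are constructed and trimmed to the relevant fields.

```python
import re
from collections import defaultdict

# Constructed kernel log lines (netfilter LOG target), trimmed for brevity.
LOG = """\
Jan 12 03:14:07 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.4.23 DST=198.51.100.9 LEN=60 TTL=63 PROTO=TCP SPT=49152 DPT=25 SYN
Jan 12 03:14:08 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.4.23 DST=203.0.113.40 LEN=60 TTL=63 PROTO=TCP SPT=49153 DPT=25 SYN
Jan 12 03:14:09 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.4.23 DST=192.0.2.77 LEN=60 TTL=63 PROTO=TCP SPT=49154 DPT=25 SYN
Jan 12 03:15:30 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.7.80 DST=198.51.100.200 LEN=60 TTL=63 PROTO=TCP SPT=51000 DPT=6667 SYN
Jan 12 03:15:33 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.7.80 DST=198.51.100.200 LEN=60 TTL=63 PROTO=TCP SPT=51001 DPT=6667 SYN
Jan 12 03:20:00 gw kernel: INGRESS-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=40 TTL=240 PROTO=TCP SPT=40000 DPT=23 SYN
"""

FIELD = re.compile(r'\b(SRC|DST|PROTO|DPT)=(\S+)')

def egress_offenders(log, prefix="EGRESS-DROP"):
    """Return [(src, hits, distinct_destinations, [(proto, dport), ...])], worst first."""
    hosts = defaultdict(lambda: {"hits": 0, "dsts": set(), "ports": set()})
    for line in log.splitlines():
        if prefix not in line:
            continue  # only the outbound deny rule's log entries
        f = dict(FIELD.findall(line))
        if "SRC" not in f or "DST" not in f:
            continue  # malformed or truncated entry
        h = hosts[f["SRC"]]
        h["hits"] += 1
        h["dsts"].add(f["DST"])
        # ICMP and other port-less protocols carry no DPT field.
        h["ports"].add((f.get("PROTO", "?"), f.get("DPT", "-")))
    report = [(src, h["hits"], len(h["dsts"]), sorted(h["ports"]))
              for src, h in hosts.items()]
    # Many distinct destinations from one desktop is the stronger signal, so sort on it first.
    return sorted(report, key=lambda r: (-r[2], -r[1], r[0]))

if __name__ == "__main__":
    for src, hits, dsts, ports in egress_offenders(LOG):
        print(f"{src:12} hits={hits} distinct_dsts={dsts} ports={ports}")
```

In this sample the workstation trying port 25 against three different mail servers sorts first, followed by the host retrying a single blocked IRC port.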

I’ll be digging into all these topics in more depth over the next few months, but I figure this will keep some of you busy for a little while. And if you already do all this stuff, it’s time for some more advanced kung fu. In the meantime, enjoy a cup of Joe – Rich is buying.

Comments

Must Emphasize Change Control.

I don’t run a large shop, but we’re scattered and focused on different issues.

We implemented Very Lightweight Change Control and we would never go back.

VLCC:

- Set some rules.  Major non-emergency changes must file a Change Request one week in advance.  No CR - you get to roll the change back immediately.

- CR is via a stupid simple web-based form that emails the request to all sys admins, and to me (local IT manager) for approval.  No approval, no change.  Even if I forget to approve.

- The form asks for title, who’s making the change, the system(s) affected, a brief description of the change to send to users, a detailed explanation for other sys admins and me, proposed start time, proposed “pull the plug and go back to previous config” time, user communication plan (typically several emails several days in advance), and a section on the Risks of the change.

- When I approve by email, our web maintainer adds the approved CR to a running list on an internal web site.  (This part should be more automated).

You would have thought I was proposing shooting puppies when I announced this, but now everyone has gotten with the program and we’ve come to depend on it.  I’ve forced a rollback a handful of times in the past 4 years.

We’re too small to have a “change control committee”, and most of our users wouldn’t know what our change impact would be if we told them.

I could go on at length about all the problems this process and documentation has solved, but the bottom line is we would never go back to the old way.

By Rocky


Great post! First lengthy post that kept me reading while my blood coffee level is low. Looking forward to the sequels.

By Matt Johansen

