Network Security (General Mitigation Techniques)

Host and Server Based Security:
Device Hardening:
When a new operating system is installed on a computer, the security settings are set to the default values. In most cases, this level of security is inadequate. There are some simple steps that should be taken that apply to most operating systems:
Default usernames and passwords should be changed immediately.
Access to system resources should be restricted to only the individuals that are authorized to use those resources.
Any unnecessary services and applications should be turned off and uninstalled, when possible.
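As an added example, not part of the course text, the following Python script turns the three hardening steps above into an automated check that can be run against a host inventory before the host joins the network. The vendor default credentials, the list of services the host role is allowed to expose, the authorized administrator list and the sample host are all constructed for the example; a real audit would load them from the vendor documentation and the organization's build standard.

```python
from dataclasses import dataclass

# Constructed vendor defaults for a hypothetical OS image: account name -> shipped password.
DEFAULT_CREDENTIALS = {"admin": "admin", "guest": ""}
# Services the hypothetical "web server" role is allowed to run; everything else is unnecessary.
REQUIRED_SERVICES = {"sshd", "httpd"}
# Accounts authorized to hold the privileged "wheel" group on this role (constructed).
AUTHORIZED_ADMINS = {"ops-alice"}


@dataclass
class Account:
    name: str
    password: str            # plaintext only because this inventory is constructed for the demo
    enabled: bool = True
    groups: frozenset = frozenset()


@dataclass
class HostInventory:
    hostname: str
    accounts: list
    services: dict           # service name -> listening TCP port


def audit(host):
    """Return one finding string per violation of the three hardening steps."""
    findings = []
    for acct in host.accounts:
        if not acct.enabled:
            continue                     # disabled accounts cannot be used, so they are not findings
        # Step 1: default usernames and passwords must be changed.
        if DEFAULT_CREDENTIALS.get(acct.name) == acct.password:
            findings.append(f"default credential: account '{acct.name}' still uses the vendor password")
        # Step 2: privileged access restricted to authorized individuals.
        if "wheel" in acct.groups and acct.name not in AUTHORIZED_ADMINS:
            findings.append(f"excess access: '{acct.name}' is in wheel but is not an authorized admin")
    # Step 3: unnecessary services turned off.
    for svc, port in sorted(host.services.items()):
        if svc not in REQUIRED_SERVICES:
            findings.append(f"unnecessary service: {svc} listening on tcp/{port}")
    return findings


# Constructed sample host: two default accounts, one unauthorized admin, two legacy services.
SAMPLE_HOST = HostInventory(
    hostname="web01",
    accounts=[
        Account("admin", "admin", groups=frozenset({"wheel"})),
        Account("guest", "", enabled=False),
        Account("ops-alice", "changed-at-build", groups=frozenset({"wheel"})),
        Account("bob", "changed-at-build", groups=frozenset({"wheel"})),
    ],
    services={"sshd": 22, "httpd": 80, "telnetd": 23, "ftpd": 21},
)

if __name__ == "__main__":
    for finding in audit(SAMPLE_HOST):
        print(finding)
```

The sample host produces five findings: the active `admin` account both keeps its default password and holds privileges it is not authorized for, `bob` is an unauthorized administrator, and `telnetd` and `ftpd` are listening although the role does not need them. The disabled `guest` account is deliberately skipped, which mirrors the usual rule that a disabled default account is acceptable while an active one is not.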
It is critical to protect network hosts, such as workstation PCs and servers. These hosts need to be secured as they are added to the network, and should be updated with security patches as these updates become available. Additional steps can be taken to secure these hosts. Antivirus, firewall, and intrusion detection are valuable tools that can be used to secure network hosts. Because many business resources may be contained on a single file server, it is especially important for servers to be accessible and available.
Antivirus Software:
Install host antivirus software to protect against known viruses. Antivirus software can detect most viruses and many Trojan horse applications, and prevent them from spreading in the network.
Antivirus software does this in two ways:
It scans files, comparing their contents to known viruses in a virus dictionary. Matches are flagged in a manner defined by the end user.
It monitors suspicious processes running on a host that might indicate infection. This monitoring may include data captures, port monitoring, and other methods.
Most commercial antivirus software uses both of these approaches.
Update antivirus software vigilantly.
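To make the first of the two approaches concrete, here is an added example (not course material and not any vendor's engine) of the dictionary-based scan: a set of byte-pattern signatures, a file scanner that streams large files in chunks while still catching a pattern that straddles a chunk boundary, and a directory walk that flags only the files with matches. The signature dictionary and the sample files are constructed for the demo; a vendor dictionary is far larger and is what the "update vigilantly" advice keeps current.

```python
import os
import tempfile

# Constructed signature dictionary: detection name -> byte pattern that identifies the sample.
SIGNATURE_DICTIONARY = {
    "Test.Marker.A": b"EXAMPLE-MALWARE-MARKER-A",
    "Test.Marker.B": b"\xde\xad\xbe\xef\x00example",
}


def scan_bytes(data, dictionary=SIGNATURE_DICTIONARY):
    """Return the names of every signature whose pattern occurs in `data`."""
    return sorted(name for name, pattern in dictionary.items() if pattern in data)


def scan_file(path, dictionary=SIGNATURE_DICTIONARY, chunk_size=1 << 20):
    """Scan a file chunk by chunk so it never has to fit in memory.

    The last (longest pattern - 1) bytes already seen are prepended to each new chunk,
    so a pattern split across two or more chunks is still matched."""
    overlap = max(len(p) for p in dictionary.values()) - 1
    tail = b""
    hits = set()
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            window = tail + chunk
            hits.update(scan_bytes(window, dictionary))
            tail = window[-overlap:] if overlap > 0 else b""
    return sorted(hits)


def scan_tree(root, dictionary=SIGNATURE_DICTIONARY):
    """Walk a directory tree; return {relative path: [signature names]} for flagged files only."""
    flagged = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            hits = scan_file(path, dictionary)
            if hits:
                flagged[os.path.relpath(path, root)] = hits
    return flagged


def build_sample_tree():
    """Create a temporary tree with one clean file and two files carrying constructed markers."""
    root = tempfile.mkdtemp(prefix="avdemo-")
    with open(os.path.join(root, "clean.txt"), "wb") as fh:
        fh.write(b"quarterly report, nothing to see here")
    with open(os.path.join(root, "dropper.bin"), "wb") as fh:
        fh.write(b"\x00" * 100 + SIGNATURE_DICTIONARY["Test.Marker.A"] + b"\x00" * 100)
    with open(os.path.join(root, "both.bin"), "wb") as fh:
        fh.write(SIGNATURE_DICTIONARY["Test.Marker.B"] + b"padding"
                 + SIGNATURE_DICTIONARY["Test.Marker.A"])
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, names in sorted(scan_tree(sample_root).items()):
        print(f"FLAGGED {rel_path}: {', '.join(names)}")
```

What a match does next (quarantine, delete, alert) is the user-defined action the text mentions and is left out here. The chunk-overlap handling is the part most often got wrong in home-grown scanners: without it, a pattern that happens to cross a read boundary is silently missed.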
Personal Firewall:
Personal computers connected to the Internet through a dialup connection, DSL, or a cable modem are as vulnerable as corporate networks. Personal firewalls reside on the PC of the user and attempt to prevent attacks. Unlike appliance-based or server-based firewalls, personal firewalls are not designed for LAN implementations, and they may prevent network access if installed alongside other networking clients, services, protocols, or adapters.
Some personal firewall software vendors include McAfee, Norton, Symantec, and Zone Labs.
Operating System Patches:
The most effective way to mitigate a worm and its variants is to download security updates from the operating system vendor and patch all vulnerable systems. This is difficult with uncontrolled user systems in the local network, and even more troublesome if these systems are remotely connected to the network via a virtual private network (VPN) or remote access server (RAS). Administering numerous systems involves the creation of a standard software image (operating system and accredited applications that are authorized for use on deployed client systems) that is deployed on new or upgraded systems. These images may not contain the latest patches, and the process of continually remaking the image to integrate the latest patch may quickly become administratively time-consuming. Pushing patches out to all systems requires that those systems be connected in some way to the network, which may not be possible.
One solution to the management of critical security patches is to create a central patch server that all systems must communicate with after a set period of time. Any patches that are not applied to a host are automatically downloaded from the patch server and installed without user intervention.
In addition to performing security updates from the OS vendor, determining which devices are exploitable can be simplified by the use of security auditing tools that look for vulnerabilities.
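The central patch server described above can be modelled in a few dozen lines. The following Python is an added example, not part of the course and not any vendor's product: the server publishes a manifest of required patches (including a rollup that supersedes an earlier patch), each host reports what it has installed and when it last checked in, and the server decides per host whether it is compliant, which patches to push without user intervention, or whether the host is overdue because it has not connected within the set period. The manifest, interval and host reports are all constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed manifest published by the patch server: patch id -> (severity, patch it supersedes).
MANIFEST = {
    "OS-2024-001": ("critical", None),
    "OS-2024-002": ("moderate", None),
    "OS-2024-003": ("critical", "OS-2024-001"),   # rollup that replaces 001
}
# Every host must contact the server at least this often (constructed policy value).
CHECK_IN_INTERVAL = timedelta(hours=24)


@dataclass
class HostReport:
    hostname: str
    installed: frozenset        # patch ids the host reports as installed
    last_check_in: datetime     # timezone-aware


def effective_required(manifest):
    """Drop any patch that a later manifest entry supersedes; only the newest must be present."""
    superseded = {old for _, old in manifest.values() if old}
    return {pid: sev for pid, (sev, _) in manifest.items() if pid not in superseded}


def missing_patches(report, manifest=MANIFEST):
    """Return [(patch id, severity)] for required patches the host does not have, sorted by id."""
    required = effective_required(manifest)
    return sorted((pid, sev) for pid, sev in required.items() if pid not in report.installed)


def classify_fleet(reports, now, manifest=MANIFEST, interval=CHECK_IN_INTERVAL):
    """Server-side decision for each host: compliant, noncompliant (with the push list), or overdue."""
    result = {"compliant": [], "noncompliant": {}, "overdue": []}
    for report in reports:
        if now - report.last_check_in > interval:
            # The host has not connected within the set period; nothing can be pushed to it yet.
            result["overdue"].append(report.hostname)
            continue
        missing = missing_patches(report, manifest)
        if missing:
            result["noncompliant"][report.hostname] = [pid for pid, _ in missing]
        else:
            result["compliant"].append(report.hostname)
    return result


# Constructed reports: a workstation behind on the rollup, a current workstation,
# a VPN laptop that has been offline for days, and a server missing a moderate patch.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_REPORTS = [
    HostReport("ws01", frozenset({"OS-2024-001", "OS-2024-002"}), NOW - timedelta(hours=1)),
    HostReport("ws02", frozenset({"OS-2024-002", "OS-2024-003"}), NOW - timedelta(hours=3)),
    HostReport("vpn-laptop", frozenset(), NOW - timedelta(days=5)),
    HostReport("srv01", frozenset({"OS-2024-003"}), NOW - timedelta(hours=2)),
]

if __name__ == "__main__":
    for status, hosts in classify_fleet(SAMPLE_REPORTS, NOW).items():
        print(status, hosts)
```

Handling supersession matters in practice: a host that installed the `OS-2024-003` rollup is not told to install the older `OS-2024-001` it replaces, while a host that still only has `OS-2024-001` is correctly told that the critical rollup is missing. The overdue list is the concrete form of the text's caveat that pushing patches requires the system to be connected.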
Intrusion Detection and Prevention:
Intrusion detection systems (IDS) detect attacks against a network and send logs to a management console. Intrusion prevention systems (IPS) prevent attacks against the network and should provide the following active defense mechanisms in addition to detection:
Prevention - Stops the detected attack from executing.
Reaction - Immunizes the system from future attacks from a malicious source.
Either technology can be implemented at a network level or host level, or both for maximum protection.
Host-based Intrusion Detection Systems:
Host-based intrusion detection is typically implemented as inline or passive technology, depending on the vendor.
Passive technology, which was the first generation technology, is called a host-based intrusion detection system (HIDS). HIDS sends logs to a management console after the attack has occurred and the damage is done.
Inline technology, called a host-based intrusion prevention system (HIPS), actually stops the attack, prevents damage, and blocks the propagation of worms and viruses.
Active detection can be set to shut down the network connection or to stop impacted services automatically. Corrective action can be taken immediately. Cisco provides HIPS using the Cisco Security Agent software.
HIPS software must be installed on each host, either the server or desktop, to monitor activity performed on and against the host. This software is referred to as agent software. The agent software performs the intrusion detection analysis and prevention. Agent software also sends logs and alerts to a centralized management/policy server.
The advantage of HIPS is that it can monitor operating system processes and protect critical system resources, including files that may exist only on that specific host. This means it can notify network managers when some external process tries to modify a system file in a way that may include a hidden back door program.
The figure illustrates a typical HIPS deployment. Agents are installed on publicly accessible servers and corporate mail and application servers. The agent reports events to a central console server located inside the corporate firewall. As an alternative, agents on the host can send logs as e-mail to an administrator.
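The host-level capability the text singles out, noticing when a process modifies a system file, is file integrity monitoring. The Python below is an added example, not course material and not Cisco Security Agent: an agent takes a baseline (content hash and permission bits) of a constructed list of critical files, re-checks them later, classifies each difference as created, deleted, content-modified or mode-changed, and formats the result as the JSON event it would forward to a central console. The monitored file list, the demo root directory and the simulated change are all constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed list of files the agent watches, relative to the monitored root.
CRITICAL_FILES = ["etc/passwd", "etc/hosts", "bin/login"]


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(root, files=CRITICAL_FILES):
    """Record hash and permission bits per monitored file; a missing file is recorded as None."""
    baseline = {}
    for rel in files:
        path = os.path.join(root, rel)
        if os.path.exists(path):
            baseline[rel] = {"sha256": sha256_of(path), "mode": os.stat(path).st_mode & 0o777}
        else:
            baseline[rel] = None
    return baseline


def check_integrity(root, baseline):
    """Compare the current state with the baseline; return [(path, change)] findings."""
    current = take_baseline(root, list(baseline))
    findings = []
    for rel, before in baseline.items():
        after = current[rel]
        if before == after:
            continue
        if before is None:
            findings.append((rel, "created"))
        elif after is None:
            findings.append((rel, "deleted"))
        elif before["sha256"] != after["sha256"]:
            findings.append((rel, "content-modified"))
        else:
            findings.append((rel, f"mode-changed {before['mode']:o}->{after['mode']:o}"))
    return findings


def alert_record(hostname, findings, when=None):
    """Format findings as the JSON event an agent forwards to the management console."""
    when = when or datetime.now(timezone.utc)
    return json.dumps({
        "host": hostname,
        "time": when.isoformat(),
        "severity": "high" if findings else "info",
        "changes": [{"path": p, "change": c} for p, c in findings],
    }, sort_keys=True)


def build_demo_root():
    """Create a temporary root holding two of the three monitored files (constructed content)."""
    root = tempfile.mkdtemp(prefix="hidsdemo-")
    for rel, content in [("etc/passwd", b"root:x:0:0\n"), ("etc/hosts", b"127.0.0.1 localhost\n")]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


def demo():
    """Baseline the demo root, simulate an unauthorized change, and return what the agent sees."""
    root = build_demo_root()
    baseline = take_baseline(root)
    with open(os.path.join(root, "etc/passwd"), "ab") as fh:   # extra UID 0 account appended
        fh.write(b"intruder:x:0:0\n")
    os.makedirs(os.path.join(root, "bin"), exist_ok=True)
    with open(os.path.join(root, "bin/login"), "wb") as fh:    # a watched binary appears
        fh.write(b"\x7fELF-placeholder")
    return check_integrity(root, baseline)


if __name__ == "__main__":
    print(alert_record("web01", demo()))
```

A HIDS stops at forwarding this event; a HIPS would additionally block the write or terminate the process before the change lands, which requires hooking the operating system rather than comparing snapshots after the fact. Keeping the baseline off the host (or signed) is the usual hardening, since an intruder with write access to the file can otherwise re-baseline it too.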
Common Security Appliances and Applications:
Security is a top consideration whenever planning a network. In the past, the one device that would come to mind for network security was the firewall. A firewall by itself is no longer adequate for securing a network. An integrated approach involving firewall, intrusion prevention, and VPN is necessary.
An integrated approach to security, and the necessary devices to make it happen, follows these building blocks:
Threat control - Regulates network access, isolates infected systems, prevents intrusions, and protects assets by counteracting malicious traffic, such as worms and viruses. Devices that provide threat control solutions are:
Cisco ASA 5500 Series Adaptive Security Appliances
Integrated Services Routers (ISR)
Network Admission Control
Cisco Security Agent for Desktops
Cisco Intrusion Prevention Systems
Secure communications - Secures network endpoints with VPN. The devices that allow an organization to deploy VPN are Cisco ISR routers with Cisco IOS VPN solution, and the Cisco 5500 ASA and Cisco Catalyst 6500 switches.
Network admission control (NAC) - Provides a roles-based method of preventing unauthorized access to a network. Cisco offers a NAC appliance.
Cisco IOS Software on Cisco Integrated Services Routers (ISRs)
Cisco provides many of the required security measures for customers within the Cisco IOS software. Cisco IOS software provides built-in Cisco IOS Firewall, IPsec, SSL VPN, and IPS services.
Cisco ASA 5500 Series Adaptive Security Appliance
At one time, the PIX firewall was the one device that a secure network would deploy. The PIX has evolved into a platform that integrates many different security features, called the Cisco Adaptive Security Appliance (ASA). The Cisco ASA integrates firewall, voice security, SSL and IPsec VPN, IPS, and content security services in one device.
Cisco IPS 4200 Series Sensors
For larger networks, an inline intrusion prevention system is provided by the Cisco IPS 4200 series sensors. This sensor identifies, classifies, and stops malicious traffic on the network.
Cisco NAC Appliance
The Cisco NAC appliance uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources.
Cisco Security Agent (CSA)
Cisco Security Agent software provides threat protection capabilities for server, desktop, and point-of-service (POS) computing systems. CSA defends these systems against targeted attacks, spyware, rootkits, and day-zero attacks.
In-depth coverage of these appliances is beyond the scope of this course. Refer to the CCNP: Implementing Secure Converged Wide-area Networks and the Network Security 1 and 2 courses for more information.