Guide to Network Defense and Countermeasures
Chapter 11
Chapter 11 - Strengthening Defense through Ongoing Management
Strengthen control by managing security events
Heighten analysis by auditing network security procedures
Strengthen detection by managing your intrusion detection system
Enhance a defense by changing your Defense in Depth configuration
Strengthen network performance by keeping pace with changing needs
Heighten your own knowledge base by keeping on top of industry trends
Strengthening Control: Security Event Management
A security event management program gathers and consolidates events from multiple sources for analysis and security improvement.
Network protection needs to be conducted on an ongoing basis in order to keep up with new vulnerabilities and strengthen defenses.
One way to improve defenses is through ongoing event monitoring: reviewing alert and event logs produced by security devices and operating systems, and periodically testing the network to identify weak points.
Security event management program (cont.): the goal of event monitoring is to strengthen defenses by gathering information, changing procedures, and improving the network.
Monitor the following events: logins; account creation; handling of e-mail attachments; backup and other maintenance utilities; anti-virus scanning and control; procedures for granting remote access.
Develop a team approach to security, make use of automated responses, coordinate data from multiple sources, and keep aware of new network threats.
Managing data from multiple sensors requires database software that will sort through the events and provide systematic views of the data.
Sensor data management options: centralized data collection allows data from different locations to be consolidated and flow through a central security location. Benefits include lower cost and administration because there are fewer systems to maintain, and greater efficiency. The drawback is finding a way to securely transmit data from the collection points to the centralized management console.
Sensor data management options: distributed data collection allows data from security devices such as firewalls and IDSs to go to a management console in its own local network. Security managers in each network must review the data separately, analyze it, and respond as needed.
A distributed data collection setup requires the organization to maintain separate security managers as well as separate management console software. This arrangement saves bandwidth, but still requires offices to communicate with each other about security incidents.
Evaluating IDS signatures provides evidence that indicates whether IDS signatures are working well enough or whether they need updating.
A variety of IDS vendors are available, each with their own set of signatures for suspicious events.
Neohapsis has proposed the Open Security Evaluation Criteria (OSEC) for reviewing signatures, which includes a core set of tests for: device integrity checking; signature baseline; state test; discard test; engine flex; evasion list; in-line/tap test.
Check vendor Web sites often for new signatures.
Managing change should be done in a systematic way so as to minimize impact.
Change management involves the modification of equipment, systems, software, or procedures in a sequential and preplanned way; the process should include an assessment of the impact of a change.
Consider implementing change management for the following: significant changes to firewall or IDS rules; new VPN gateways; changes to access control lists; new password systems or procedures.
Strengthening Analysis: Security Auditing
Security auditing is the process of testing the effectiveness of a network defense system.
Auditing can be performed by actively testing the network defenses by attempting break-ins; recording and analyzing events such as logins, logouts, and file access also helps; be sure to examine the security procedures of the organization too.
To actively test the network, put together data from many disparate sources, such as: packet filters; application logs; router logs; firewall logs; event monitors; HIDS; NIDS.
Security auditing (cont.): one way to consolidate data generated by disparate data sources is to transfer, or push, the information to a central database; store at least the: time; data; application; OS; user; process ID; and log entry.
With multiple security components in place, so much data will accumulate from log files that it must be managed before it consumes available storage space; choose a time period for how long detailed information from IDS logs is retained (ninety days is common), then archive it to long-term storage.
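As an added example (not from the textbook or its slides) of the central-database push and the ninety-day retention policy described above, the script below normalizes constructed log lines from a host syslog and a NIDS into records carrying the listed fields and then splits them by the retention window; the two line formats, the source names and every sample value are assumptions.

```python
import re
from datetime import datetime, timedelta

RETENTION = timedelta(days=90)  # detailed IDS data kept online this long, then archived

# Assumed input formats (constructed for this example, not real product output):
#   host syslog "<ISO time> <host> <app>[<pid>]: <message>"; NIDS CSV "<ISO time>,<sensor>,<rule id>,<message>"
SYSLOG_RE = re.compile(r"^(\S+) (\S+) ([^\[\s]+)\[(\d+)\]: (.*)$")
USER_RE = re.compile(r"\bfor (\w+)\b")  # pulls the account name out of auth messages

def parse_syslog(line, os_name="Linux"):
    """Normalize one host log line into the central layout: time, application, OS, user, PID, entry."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # unparsable line: skip it rather than store garbage
    ts, _host, app, pid, msg = m.groups()
    user = USER_RE.search(msg)
    return {"time": datetime.fromisoformat(ts), "application": app, "os": os_name,
            "user": user.group(1) if user else "n/a", "pid": int(pid), "entry": msg}

def parse_nids_csv(line):
    """Normalize one NIDS alert; a sensor has no OS user or PID, so those fields are marked n/a."""
    parts = line.split(",", 3)
    if len(parts) != 4:
        return None
    ts, sensor, rule_id, msg = parts
    return {"time": datetime.fromisoformat(ts), "application": "nids:" + sensor, "os": "n/a",
            "user": "n/a", "pid": None, "entry": "rule " + rule_id + ": " + msg}

def consolidate(sources):
    """Push every parsable line from each (parser, lines) pair into one time-ordered list."""
    records = [rec for parser, lines in sources for rec in map(parser, lines) if rec is not None]
    return sorted(records, key=lambda r: r["time"])

def apply_retention(records, now):
    """Split records into those kept in the online database and those due for long-term archive."""
    cutoff = now - RETENTION
    return [r for r in records if r["time"] >= cutoff], [r for r in records if r["time"] < cutoff]

# Constructed sample input.
HOST_LOG = ["2024-04-01T08:15:22 web01 sshd[1234]: Accepted password for alice from 10.0.0.5",
            "2024-01-03T23:40:01 web01 cron[77]: (root) CMD (run-parts /etc/cron.daily)",
            "line with no recognizable structure"]
NIDS_LOG = ["2024-04-02T09:00:00,sensor-dmz,example-1,constructed scan signature fired"]

def run_example(now=datetime(2024, 4, 10)):
    """Consolidate both sources and apply retention as of the given review date."""
    return apply_retention(consolidate([(parse_syslog, HOST_LOG), (parse_nids_csv, NIDS_LOG)]), now)
```

The archive list is what would be moved to long-term storage; the secure transport from collection points to the console that the centralized option requires is outside this snippet.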
Security auditing (cont.): operational auditing involves in-house staff examining system logs to see if the needed information is being audited; staff should look for: accounts with weak or no passwords; accounts still assigned to departed employees; and new accounts.
Independent auditing involves hiring an outside firm to inspect audit logs to check the effectiveness of data collection; such an audit might examine: where security equipment is physically located; how well it is protected from unauthorized users; and how thoroughly data is erased when you dispose of it.
Strengthening Detection: Managing the IDS
Strengthen the IDS to keep it running smoothly and efficiently.
Maintaining the current system is one way to make it stronger; do this by backing up firewalls and IDSs in case of disaster, and also keeping backups of routers, bastion hosts, servers, and special-purpose devices.
Manage accounts by reviewing them every few months and making sure no accounts have been added by hackers, inactivating departed employee accounts, and ensuring that passwords are safe.
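As an added example (not from the textbook or its slides) covering both the operational-audit checks listed earlier (weak or missing passwords, accounts of departed employees, new accounts) and the periodic account review on this slide, the Python below runs a constructed account inventory against an HR roster and a small deny-list of known-weak passwords; the inventory layout, the "svc-" naming convention for service accounts and all sample values are assumptions.

```python
import hashlib
from datetime import date

def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

# Constructed account inventory (not from the text); pw_hash None means no password is set.
# Unsalted SHA-256 is used only so the sample fits on a page; production stores salted hashes.
ACCOUNTS = [
    {"user": "alice",      "pw_hash": sha256("C0rrect-h0rse-b@ttery"), "created": date(2023, 6, 1)},
    {"user": "bob",        "pw_hash": sha256("password"),              "created": date(2023, 9, 1)},
    {"user": "carol",      "pw_hash": None,                            "created": date(2024, 3, 28)},
    {"user": "dave",       "pw_hash": sha256("x9!Lq2#vv-Tr"),          "created": date(2022, 1, 15)},
    {"user": "svc-backup", "pw_hash": sha256("Zz8*ml;Qa01_rt"),        "created": date(2024, 4, 2)},
]
ACTIVE_STAFF = {"alice", "bob", "carol"}  # HR roster; dave has left the company
WEAK_HASHES = {sha256(p) for p in ("password", "123456", "welcome1")}  # constructed deny-list

def audit_accounts(accounts, active_staff, last_review, service_prefix="svc-"):
    """Return (user, finding) pairs for the conditions the operational audit looks for,
    including accounts created since the last review, which may have been added by an intruder."""
    findings = []
    for a in accounts:
        if a["pw_hash"] is None:
            findings.append((a["user"], "no password set"))
        elif a["pw_hash"] in WEAK_HASHES:
            findings.append((a["user"], "password on weak-password list"))
        # Service accounts are not on the HR roster, so only people accounts get the departed check.
        if not a["user"].startswith(service_prefix) and a["user"] not in active_staff:
            findings.append((a["user"], "owner departed: disable account"))
        if a["created"] > last_review:
            findings.append((a["user"], "created since last review: verify who added it"))
    return findings

def run_audit(last_review=date(2024, 3, 15)):
    """Audit the constructed inventory as of the given previous review date."""
    return audit_accounts(ACCOUNTS, ACTIVE_STAFF, last_review)
```

Real systems store salted, per-user hashes, so a production check recomputes the deny-list under each account's hash scheme rather than comparing bare SHA-256 digests.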
Maintaining the current system (cont.): manage the IDS rules by scaling back on their number and trying to eliminate unnecessary rules.
Manage users by having an awareness program where employees, contractors, and partners all understand the company's security policy; use lectures and booklets to help disseminate the information.
Changing or adding software and/or hardware are other ways to strengthen the IDS.
Strengthening Defense: Improving Defense in Depth
Defense in Depth calls for security through a variety of defensive techniques that work together to block different attacks.
Defense in Depth as it applies to network services calls for the maintenance of: availability; integrity; authentication; confidentiality; non-repudiation.
Active Defense in Depth is a particularly strong implementation of Defense in Depth: security personnel expect that attacks will occur and try to anticipate them; this calls for multiple levels of protection.
To improve security, add security layers. Additional layers include firewalls, encryption, virus protection, authentication, intrusion detection, access control, SSL and IPSec, and auditing.
In addition, defensive zones were created to protect end users and communications between zones.
Breaking communication needs into separate systems and relying on multiple security methods allows organizations to achieve effective external security.
Strengthening Performance: Keeping Pace with Network Needs
Ideally, an IDS will capture all the packets that reach it, send alarms on all suspicious packets, and allow legitimate packets through; however, performance can be hampered by:
A lack of RAM; the IDS should have more than the minimum RAM amount to maintain state information.
A lack of bandwidth; an IDS should be capable of handling 50 percent of bandwidth utilization without losing the capacity to detect.
A lack of storage; sufficient storage space is typically a gigabyte or more.
Maintain Your Own Knowledge Base
Remain effective in ongoing security efforts by growing your own knowledge and maintaining industry contacts.
Visit Web sites that gather news headlines on virus outbreaks and security breaches.
Mailing lists often provide you with up-to-date information about security issues and vulnerabilities.
Newsletters and trade publications that cover security often contain reviews of hardware and software.
Many certifications need to be renewed periodically.
Chapter Summary
This chapter discussed aspects of conducting ongoing maintenance of network security systems, and IDSs in particular. There is a need for security event management: accumulating data from a wide range of security devices by means of a coordinated program. Such a program includes event monitoring of alert and event logs produced by security devices and operating systems. It also involves the collection of data from multiple sensors, either through a centralized or a distributed system. It requires you to review the attack signatures your IDS uses to make sure they are up to date.
Another aspect of event management is the need to make a change in a procedure in a systematic and thought-out way. Change management describes the modification of systems or procedures in a way that includes the approval of appropriate management and that notifies staff of the impending change.
Security auditing tests the effectiveness of network defenses after you have established them. In an operational audit, your own staff examines the system logs and looks for vulnerabilities such as weak passwords or unnecessary user accounts. An independent audit is performed by an outside firm you hire to come in and inspect your logs.
Another aspect of ongoing security maintenance is the management of the IDS to keep it running smoothly. First, you need to maintain your current IDS by making backups, managing user accounts, and cutting back on any unnecessary rules that the IDS uses. You can also strengthen overall intrusion detection by instituting an awareness program in which employees, contractors, and business partners all understand and observe your security policy. You can also strengthen the IDS by adding software or hardware as needed.
By strengthening your network's Defense in Depth configuration, you improve network defense overall and ensure availability and integrity of information. You also provide for non-repudiation: the use of authentication to prevent the parties involved in an electronic transaction from denying that it took place in order to escape paying for goods and services. Active Defense in Depth calls for actively trying to anticipate and thwart attempts before they occur. This can be done through training or through adding layers of security.
Next, the text discussed the importance of keeping pace with your network's needs by providing sufficient memory for the IDS to process long-term attacks by maintaining the state of a connection with a potential hacker. You also need to provide the IDS with sufficient storage space for log and alert files. You also need to dispose of files thoroughly by shredding them electronically.
Finally, the chapter discussed the importance of maintaining your own knowledge and expertise along with your ongoing maintenance of security devices. By visiting selected Web sites, you can keep abreast of security breaches and virus outbreaks. By joining mailing lists or posting on newsgroups, you gain a resource for getting answers and opinions on issues you confront. By subscribing to online or print publications, you get reviews of new equipment as well as articles that describe how to use them. Finally, you need to keep your security certifications up to date in order to maintain your own level of expertise, as well as the experience level of the organization as a whole.