Guide to Network Defense and Countermeasures - Chapter 11



Chapter 11 - Strengthening Defense through Ongoing Management

Strengthen control by managing security events

Heighten analysis by auditing network security procedures

Strengthen detection by managing your intrusion detection system

Enhance a defense by changing your Defense in Depth configuration

Strengthen network performance by keeping pace with changing needs

Heighten your own knowledge base by keeping on top of industry trends


Strengthening Control: Security Event Management

A security event management program gathers and consolidates events from multiple sources for analysis and security improvement.

Network protection needs to be conducted on an ongoing basis in order to keep up with new vulnerabilities and increase security defense.

One way to improve defenses is through ongoing event monitoring - reviewing alert and event logs produced by security devices and operating systems, and periodically testing the network to identify weak points.


Strengthening Control: Security Event Management

Security event management program (cont.): The goal of event monitoring is to strengthen defenses by gathering information, changing procedures, and improving the network.

Monitor the following events: logins; account creation; handling of e-mail attachments; backup and other maintenance utilities; anti-virus scanning and control; procedures for granting remote access.

Develop a team approach to security, make use of automated responses, coordinate data from multiple sources, and keep aware of new network threats.


Strengthening Control: Security Event Management

Managing data from multiple sensors requires database software that will sort through the events and provide systematic views of the data.

Sensor data management options: Centralized data collection allows data from different locations to be consolidated and flow through a central security location. Benefits include lower cost and administration, because there are fewer systems to maintain, and greater efficiency. The drawback is finding a way to securely transmit data from the collection points to the centralized management console.


Strengthening Control: Security Event Management

Sensor data management options: Distributed data collection allows data from security devices such as firewalls and IDSs to go to a management console in its own local network; security managers in each network must review the data separately, analyze it, and respond as needed.

A distributed data collection setup requires the organization to maintain separate security managers as well as separate management console software; this arrangement saves bandwidth, but still requires offices to communicate with each other about security incidents.


Strengthening Control: Security Event Management

Evaluating IDS signatures provides evidence that indicates whether the IDS signatures are working well enough or need updating.

A variety of IDS vendors are available, each with their own set of signatures for suspicious events. Neohapsis has proposed the Open Security Evaluation Criteria (OSEC) for reviewing signatures, which includes a core set of tests for: device integrity checking; signature baseline; state test; discard test; engine flex; evasion list; in-line/tap test.

Check vendor Web sites often for new signatures.


Strengthening Control: Security Event Management

Managing change should be done in a systematic way so as to minimize impact. Change management involves the modification of equipment, systems, software, or procedures in a sequential and preplanned way; the process should include an assessment of the impact of a change.

Consider implementing change management for the following: significant changes to firewall or IDS rules; new VPN gateways; changes to access control lists; new password systems or procedures.


Strengthening Analysis: Security Auditing

Security auditing is the process of testing the effectiveness of a network defense system. Auditing can be performed by actively testing the network defenses by attempting break-ins; recording and analyzing events such as logins, logouts, and file access also helps; be sure to examine the security procedures of the organization too.

To actively test the network, put together data from many disparate sources, such as: packet filters; application logs; router logs; firewall logs; event monitors; HIDS and NIDS.


Strengthening Analysis: Security Auditing

Security auditing (cont.): One way to consolidate data generated by disparate data sources is to transfer, or push, the information to a central database; store at least the: time; data; application; OS; user; process ID; and log entry.

With multiple security components in place, so much data will accumulate from log files that it must be managed before it consumes the available storage space; choose a time period for how long detailed information from IDS logs is retained (ninety days is common), then archive it to long-term storage.
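An added example, not from the textbook, of the consolidation and retention steps just described: lines from two hosts are pushed into one central table holding the fields the slide lists (time, data, application, OS, user, process ID, log entry), and detailed entries older than the ninety-day window are moved to an archive table. The log lines, host names and the syslog-like line layout are constructed for the example.

```python
import re
import sqlite3
from datetime import datetime, timedelta

# Constructed sample lines from two hosts (not real captures). Syslog-style
# lines do not name the OS, so the collector supplies it alongside each line.
SAMPLES = [
    ("Linux", "2024-03-01T08:15:02Z sshd[4012]: Accepted password for alice from 10.0.0.5"),
    ("Linux", "2024-03-01T08:16:40Z useradd[4100]: new user: name=bob, UID=1003"),
    ("FreeBSD", "2023-11-20T23:59:59Z pf[77]: block in on em0: 203.0.113.9 -> 10.0.0.2"),
]
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
LINE_RE = re.compile(r"^(?P<time>\S+) (?P<app>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
USER_RE = re.compile(r"(?:\bfor\s+|name=)(?P<user>[A-Za-z0-9_-]+)")

def parse(os_name, line):
    """Map one raw line onto the fields the slide says to store: time, data
    (the message), application, OS, user, process ID and the full log entry."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable lines should be counted, not silently dropped
    u = USER_RE.search(m["msg"])
    return {"time": m["time"], "data": m["msg"], "application": m["app"],
            "os": os_name, "user": u["user"] if u else None,
            "pid": int(m["pid"]), "entry": line}

COLS = "time TEXT, data TEXT, application TEXT, os TEXT, user_name TEXT, pid INTEGER, entry TEXT"

def build_store(samples=SAMPLES):
    """Push the parsed events into one central table (in memory here)."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE events ({COLS})")
    db.execute(f"CREATE TABLE archive ({COLS})")  # stand-in for long-term storage
    rows = [r for r in (parse(o, l) for o, l in samples) if r]
    db.executemany("INSERT INTO events VALUES (:time, :data, :application, :os, :user, :pid, :entry)", rows)
    db.commit()
    return db

def archive_old(db, now_iso, days=90):
    """Move detailed entries older than the retention window (ninety days, as
    the slide suggests) into the archive table; return how many were moved."""
    cutoff = (datetime.strptime(now_iso, TIME_FMT) - timedelta(days=days)).strftime(TIME_FMT)
    # UTC timestamps in one fixed ISO-8601 layout compare correctly as text.
    moved = db.execute("SELECT COUNT(*) FROM events WHERE time < ?", (cutoff,)).fetchone()[0]
    db.execute("INSERT INTO archive SELECT * FROM events WHERE time < ?", (cutoff,))
    db.execute("DELETE FROM events WHERE time < ?", (cutoff,))
    db.commit()
    return moved

def count(db, table):
    """Row count of the events or archive table."""
    return db.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
```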


Strengthening Analysis: Security Auditing

Security auditing (cont.): Operational auditing involves in-house staff examining system logs to see if the needed information is being audited; staff should look for: accounts with weak or no passwords; accounts still assigned to departed employees; and new accounts.

Independent auditing involves hiring an outside firm to inspect audit logs to check the effectiveness of data collection; such an audit might examine: where security equipment is physically located; how well it is protected from unauthorized users; and how thoroughly data is erased when you dispose of it.


Strengthening Detection: Managing the IDS

Strengthen the IDS to keep it running smoothly and efficiently.

Maintaining the current system is one way to make it stronger; do this by backing up firewalls and IDSs in case of disaster; as well, keep backups of routers, bastion hosts, servers, and special-purpose devices.

Manage accounts by reviewing them every few months and making sure no accounts have been added by hackers, inactivating departed employee accounts, and ensuring that passwords are safe.
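An added example, not from the textbook, that runs the operational-audit checks from the auditing slide (accounts with no password, accounts still assigned to departed employees, new accounts) and the periodic account review from the slide above. The shadow-format lines, the HR roster and the snapshot from the previous review are all constructed for the example.

```python
import io

# Constructed /etc/shadow-style lines (not from a real host). Field 2 is the
# password field: empty means the account logs in with no password at all;
# '!' or '*' means the account is locked. Weak (guessable) passwords cannot be
# read off a hash here, so only the "no password" case is checked.
SHADOW = """root:$6$saltA$hashA:19780:0:99999:7:::
alice:$6$saltB$hashB:19800:0:99999:7:::
guest::19700:0:99999:7:::
bob:$6$saltC$hashC:19820:0:99999:7:::
carol:$6$saltD$hashD:19600:0:99999:7:::
dave:!:19650:0:99999:7:::
"""
SYSTEM_ACCOUNTS = {"root"}                 # owned by the platform, not a person
ACTIVE_STAFF = {"alice", "bob"}            # constructed HR roster of current staff
PREVIOUS_AUDIT = {"root", "alice", "guest", "carol", "dave"}  # names seen last review

def parse_shadow(text):
    """Return {account name: password field} from shadow-format text."""
    accounts = {}
    for line in io.StringIO(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, pw_field, *_ = line.split(":")
        accounts[name] = pw_field
    return accounts

def audit(accounts, active=ACTIVE_STAFF, previous=PREVIOUS_AUDIT, system=SYSTEM_ACCOUNTS):
    """Run the three checks from the slides and return sorted findings."""
    locked = {n for n, f in accounts.items() if f.startswith(("!", "*"))}
    return {
        # accounts that can be used without any password
        "no_password": sorted(n for n, f in accounts.items() if f == ""),
        # usable accounts with no current owner: departed staff or leftovers
        "not_on_roster": sorted(n for n in accounts
                                if n not in locked and n not in active and n not in system),
        # accounts that did not exist at the previous review
        "new": sorted(set(accounts) - previous),
    }
```

On a real host the roster and the previous snapshot would come from the HR system and the last audit's saved output rather than from constants.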


Strengthening Detection: Managing the IDS

Maintaining the current system (cont.): Manage the IDS rules by scaling back their number and eliminating unnecessary rules.

Manage users by having an awareness program where employees, contractors, and partners all understand the company's security policy; use lectures and booklets to help disseminate the information.

Changing or adding software and/or hardware are other ways to strengthen the IDS.


Strengthening Defense: Improving Defense in Depth

Defense in Depth calls for security through a variety of defensive techniques that work together to block different attacks. Defense in Depth as it applies to network services calls for the maintenance of: availability; integrity; authentication; confidentiality; non-repudiation.

Active Defense in Depth is a particularly strong implementation of Defense in Depth: security personnel expect that attacks will occur and try to anticipate them; this calls for multiple levels of protection.


Strengthening Defense: Improving Defense in Depth

To improve security, add security layers. Additional layers include firewalls, encryption, virus protection, authentication, intrusion detection, access control, SSL and IPSec, and auditing.

In addition, defensive zones were created to protect end users and the communications between zones.

Breaking communication needs into separate systems and relying on multiple security methods allows organizations to achieve effective external security.


Strengthening Performance: Keeping Pace with Network Needs

Ideally, an IDS will capture all the packets that reach it, send alarms on all suspicious packets, and allow legitimate packets through; however, performance can be hampered by:

A lack of RAM; the IDS should have more than the minimum RAM amount in order to maintain state information.

A lack of bandwidth; an IDS should be capable of handling 50 percent of bandwidth utilization without losing the capacity to detect.

A lack of storage; sufficient storage space is typically a gigabyte or more.


Maintain Your Own Knowledge Base

Remain effective in ongoing security efforts by growing your own knowledge and maintaining industry contacts.

Visit Web sites that gather news headlines on virus outbreaks and security breaches.

Mailing lists often provide you with up-to-date information about security issues and vulnerabilities.

Newsletters and trade publications that cover security often contain reviews of hardware and software.

Many certifications need to be renewed periodically.


Chapter Summary

This chapter discussed aspects of conducting ongoing maintenance of network security systems, and IDSs in particular. There is a need for security event management - accumulating data from a wide range of security devices by means of a coordinated program. Such a program includes event monitoring of alert and event logs produced by security devices and operating systems. It also involves the collection of data from multiple sensors, either through a centralized or a distributed system. It requires you to review the attack signatures your IDS uses to make sure they are up to date.


Another aspect of event management is the need to make a change in a procedure in a systematic and thought-out way. Change management describes the modification of systems or procedures in a way that includes the approval of appropriate management and that notifies staff of the impending change.

Security auditing tests the effectiveness of network defenses after you have established them. In an operational audit your own staff examines the system logs and looks for vulnerabilities such as weak passwords or unnecessary user accounts. An independent audit is performed by an outside firm you hire to come in and inspect your logs.


Another aspect of ongoing security maintenance is the management of the IDS to keep it running smoothly. First, you need to maintain your current IDS by making backups, managing user accounts, and cutting back on any unnecessary rules that the IDS uses. You can also strengthen overall intrusion detection by instituting an awareness program in which employees, contractors, and business partners all understand and observe your security policy. You can also strengthen the IDS by adding software or hardware as needed.


By strengthening your network's Defense in Depth configuration, you improve network defense overall and ensure availability and integrity of information. You also provide for non-repudiation: the use of authentication to prevent the parties involved in an electronic transaction from denying that it took place in order to escape paying for goods and services. Active Defense in Depth calls for actively trying to anticipate and thwart attempts before they occur. This can be done through training or through adding layers of security.


Next, the text discussed the importance of keeping pace with your network's needs by providing sufficient memory for the IDS to process long-term attacks by maintaining the state of a connection with a potential hacker. You also need to provide the IDS with sufficient storage space for log and alert files. You also need to dispose of files thoroughly by shredding them electronically.


Finally, the chapter discussed the importance of maintaining your own knowledge and expertise along with your ongoing maintenance of security devices. By visiting selected Web sites, you can keep abreast of security breaches and virus outbreaks. By joining mailing lists or posting on newsgroups, you gain a resource for getting answers and opinions on issues you confront. By subscribing to online or print publications, you get reviews of new equipment as well as articles that describe how to use it. Finally, you need to keep your security certifications up to date in order to maintain your own level of expertise, as well as the experience level of the organization as a whole.