Tele and Crypto

profileDrunkenCheetha
Chap6.pdf

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 1/31

Chapter 6. Network Security Management COMPUTER NETWORK SECURITY is not a final solution or a task to be completed. Security is a continuous journey. Safeguards and infrastruc- tures that worked before might offer little or no protection against future attacks. You must constantly develop and deploy new defenses against new exploits. This vigilance is the essence of network security management.

Network security management strives to maintain established security, adjust the infrastructure to future threats, and respond to breaches in a timely manner. Using a variety of techniques and tools, including incident response, host security, backup and recovery, checklists, and security as- sessment, network security management is a complex, but essential com- ponent of long-term, reliable security.

Chapter 6 Topics

This chapter will cover the following topics and concepts:

What best practices for network security management are

What fail-secure, fail-open, or fail-close options are

What the important elements of physical security are

Why is it essential to watch for compromise

What incident response is

How to trap intruders and violators

What containment is

How to impose compartmentalization

How to use honeypots, honeynets, and padded cells

PREV 5. Network Security Implementation⏮

NEXT 7. Exploring the Depths of Firewalls ⏭🔎

 Network Security, Firewalls, and VPNs

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 2/31

What some essential host security controls are

How to properly implement backup and recovery

What the importance of user training and awareness is

What some important network security management tools are

How to create and use a security checklist

What the basics of network security troubleshooting are

What compliance auditing is

What security assessment is

What a configuration scan is

What vulnerability scanning is

What the purpose of penetration testing is

Why post-mortem assessment review is important

Chapter 6 Goals

Upon completion of this chapter, you will be able to:

List examples of network security "best practices."

Describe the importance of physical security.

Compose a procedure for incident response.

Enumerate key components of an effective network security installation.

Describe the methods of network security assessment.

Network Security Management Best Practices Network security management "best practices" are recommendations, guidelines, or standard operating procedures for obtaining reasonable se- curity on a real-world budget. Best practices are usually not specific rec- ommendations for products or tools; instead, they are recommendations for philosophies, stances, or concepts to use. The following items are sug- gested "best practices." These might not apply to every environment, al- though you should consider, adapt, or adopt each when appropriate.

The foundation of any security endeavor and the start of security best practices is having a written plan. A written security policy has no substi- tute. Any other method, any other process, and other attempted proce- dure for defining, implementing, and managing security will fail. Only a written security policy has the potential to succeed.

To have a plan, you must thoroughly understand your organization's in- frastructure, its mission and goals, and the processes necessary to pro- duce its products and services. This means understanding what technolo- gy your co-workers need and use, what assets are involved, what re- sources are consumed, where everything resides, and how users access the infrastructure. Consider larger and more complex environments in light of the typical IT infrastructure.

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 3/31

A written security policy establishes a documentation trail that everyone in the organization can subscribe to. To write a comprehensive security policy, you must first thoroughly inventory and examine every component of the IT infrastructure. Only once you fully understand the environment can you create a comprehensive and effective security policy.

To create a useful and relevant security policy, perform a risk assessment. The process of understanding assets, vulnerabilities, threats, and likeli- hoods is the heart of risk assessment. You learned about some of the basic formulas of risk assessment in Chapter 2.

Once you have designed and deployed a written security policy, regularly review the policy. Investigate whether the overall quality and reliability of the existing security is sufficient or in need of improvement. Verify that assets are still properly protected. Evaluate whether prevention, deter- rence, and response have been adequate and effective. Wherever you dis- cover a deficiency, act to improve and rectify the situation immediately.

Security cannot succeed without the solid endorsement and support of se- nior management. Executives should support the security policy, follow the limitations themselves, and stand behind the decisions made by you and the IT staff. When the security staff and the executives are focused on the same goal, solutions will follow. When these two groups are not work- ing in concert, time, money, and effort go to waste, and network security fails.

Establish a no-exceptions policy. Every device connecting to the company network must be in full compliance with the security policy and current with approved patches and updates. Block any device not in compliance with these restrictions from interacting with the network. This effectively is the function of a NAC (network access/admission control) service. But it should also be a written element of the security policy. Define "no ex- ceptions" in writing, and then use technology to enforce this element of the plan.

Maintain physical security control over all personnel access to IT equip- ment. Block access to all servers or networking equipment to all non-ad- ministrative users. Limit access to client systems to authorized personnel within each department. Ensure that departments are separated by locked doors. Limit visitor, consultant, and other authorized non-employee ac- cess primarily through a mandatory escort system. More suggestions about physical security are included in a later section in this chapter.

Limit and filter Internet connectivity. In spite of many users' desire for an unrestricted, unmonitored Internet connection for personal use, the In- ternet poses a significant risk for most organizations. An unrestricted or unfiltered Internet connection is a pathway for malicious code, social en- gineering attacks, and intrusion attempts. If an Internet service, protocol, domain, or IP address is not essential to a necessary business task, block it. Computer access to the organization's network and assets is for work tasks, not personal activities.

Install antivirus scanners, anti-malware scanners, and firewalls on every host. Every portable device, every desktop workstation, and every server should have these malicious code and malicious traffic protections. No system is immune to malware and malicious communications; basic fil- ters and barriers to known issues prevent easily avoidable compromises and downtime. Antivirus and other host essentials are discussed further later in this chapter.

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 4/31

Figure 6-1. An example of defense in depth around an asset.

Do not rely upon single or individual defenses. Attempt to interlock and layer defenses. Implement defense-in-depth or a multiple-layered defense wherever possible (Figure 6-1). By following a defense-in-depth design concept, you will protect each asset with numerous safeguards. As one de- fense tool interlocks with another, they overlap—like medieval armor plate—and improve the overall security. The strengths and benefits of one countermeasure can supplement or compensate for the weaknesses and limitations of another.

When possible, avoid remote access. Limit access to local direct connec- tions only. When remote access is necessary, require a virtual private net- work (VPN). Once you allow remote connectivity, you allow the possibility of remote hacking. Remote hacking attempts to breach security without the need to be physically at or within the target's facilities. Requiring VPNs for all remote connections reduces this threat by preventing open connections or communications vulnerable to eavesdropping.

Any device that is portable or easily accessible by a non-employee should use whole hard drive encryption or at least file encryption. While not absolutely foolproof, encrypting an entire hard drive makes accessing the data on a portable device much more complex. If a system is stolen when powered off, the hard drive's encryption typically presents an insur- mountable barrier. If the equipment is running when stolen, a hacker might bypass the hard drive encryption by hacking the encryption key out of active memory. However, this is an unlikely attack.

Require encryption of all internal network communications. Use Internet Protocol Security (IPSec) to secure all intranet communications. This is often an easy and cost-effective means to quickly reduce the risk of eaves- dropping, man-in-the-middle, replay, and many other forms of network attacks. Well-encrypted data is much less likely to fall into the hands of hackers, thieves, and unauthorized personnel.

Harden both internal hosts as well as border devices. Do not focus exclu- sively on one area or issue of security to the exclusion of all others. Pro- vide consistent and thorough security throughout the IT infrastructure. All networked devices are at risk, perhaps from different threats, but still at risk.

Always test new code before deployment onto a production system. No matter what the source of new code, you must test it. Even if an internal

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 5/31

programmer wrote the code, you must test it. Even if the code addresses a mission-critical issue, you must test it. Test all new code without excep- tions. Any and all untested code is unauthorized and you should block it from all production systems.

Implement multi-factor authentication whenever possible. Single-factor authentication, especially password-based authentication, is no longer a truly secure or sufficient method of protecting the logon process. Adding at least one additional factor significantly increases the authentication se- curity of the environment. Once multi-factor authentication begins, allow no exceptions that fall back on single-factor solutions. Otherwise, intru- sion efforts will focus on the single-factor pathway.

Backup, backup, backup. Backups are the best form of insurance against data loss. Don't store backups on the same system or even in the same lo- cale as your other assets. Store backups on separate storage devices. While you can store backups both onsite and offsite, offsite is the pre- ferred secure location in the event of natural or manmade disasters. Back- up and recovery are covered in more detail later in this chapter.

If an asset is worth the time and effort to secure, then it's worth monitor- ing as well. Lock each asset as necessary, and then watch for attempted breaches of that security. No perfect security solutions exist; thus, to im- prove security, prepare to respond immediately when you detect breaches. Lock, then watch. Failing to watch a secured asset means that when a compromise occurs, you won't notice immediately. Watching for compro- mise is discussed further later in this chapter.

Have an intrusion and incident response plan. Bad things and failures will happen. Breaches will take place. Be prepared. Evaluate and examine the realistic threats facing your assets. But plan for the worst. Define pro- cedures to respond to any situation. Incident response is addressed fur- ther later in this chapter.

Do not overlook making a business continuity plan and a disaster recovery plan. Above and beyond security breaches are business-termi- nating events in the form of natural and manmade disasters. Building col- lapse, flooding, earthquakes, hurricanes, fire, sabotage, blackouts, mal- ware infection, criminal activities, and so on can end your organization's operations. If alternate means of accomplishing mission-critical tasks are not available, your organization will cease to exist. Plan to recover from disasters and do business in the future.

KISS—Keep It Simple: Security. Security is complex enough without pur- posefully imposing additional complexity. Focus on designing security that the average user can comply with easily and simply. The more arcane and cryptic procedures become, the greater chance that users will misun- derstand, fail to comply, or purposefully subvert. Simplicity encourages compliance.

Focus on balancing security and usability. Security does not need to make all work difficult. Likewise, essential work functions need not compromise security. Finding a balance between these two extremes is important. The focus should be on reducing risk to the infrastructure, while enabling users to perform authorized work with a minimum of hassle.

Prioritize. Security concerns will always seem to be ready to overwhelm available time, effort, or budget. Focus on the big impact and big result is- sues first, rather than attempting to swat every minor annoyance that arises. Security is constantly changing; the goal is to maintain reasonable rather than perfect security. (Remember, this is an unattainable goal anyway!)

Always be fully and truly aware of the state of the organizational security. Don't make assumptions. If you are not positive that an aspect of the or-

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 6/31

ganization is secure, find out. Assuming security exists leads to a false sense of safety. A lack of knowledge about the security status can lead to complacency. By assuming nothing is wrong, you feel no urgency to inves- tigate and rectify problems. Do not fall into the "I thought it was protect- ed" trap; if you do not know or are not sure, take the time to investigate and be sure.

Look for the weakest link. Every system or structure has a weak point and a security structure is no different. It might be power; it could be humans; it might be a coding issue; it could be processing capacity, or any number of other potential culprits. In any case, some weakest link exists in the se- curity chain. Think like a hacker and look for it. Find it. Improve it. Then, go looking for the next weakest link.

Focus on known, real, probable threats rather than on unknown, imag- ined, or possible threats. You don't have enough time, energy, or budget to protect against everything. Perform a risk assessment and focus on cur- rent, significant issues.

Develop a standardized, procedural-based process for hardening new sys- tems. You should subject every new piece of host equipment, including switches, routers, firewalls, servers, and clients to a rigorous and thor- ough hardening process before it is deployed onto the production net- work. In fact, having a dedicated isolated new system-testing network will protect both the existing production network from new systems, as well as protect new systems from threats from the existing production network.

Develop and implement an efficient patch management system. You need to analyze, evaluate, and install promptly every new patch released from your vendors, whether for hardware or software. Never short-circuit the test-all-code-before deployment policy and never implement code based on fear. Instead, have a focused and efficient process for testing and approving new updates so that they can be rolled out to production sys- tems quickly. Keep every system current on patches; remember, however, that pushing out a patch too soon and without proper testing is just as bad as delaying patch approval because you lack the time to examine it.

User training and behavior modification is essential. Technology cannot solve or remedy all security concerns. Technology cannot compensate for the human factor. Be sure to train all authorized personnel on general se- curity concepts as well as task-specific security concerns. Train users on what policy expects, define what policy prohibits, and encourage buy-in and support of the overall organizational security effort. User training is addressed further later in this chapter.

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 7/31

Figure 6-2. National Institute of Standards and Technology (NIST): National Vulnerability Database.

Stay current on security and vulnerability research. You can't protect against existing, new, and upcoming threats unless you know what they are. You need to seek out this information, because most general news sources, even those focusing on technology, don't address most of the se- curity vulnerabilities, exploits, or compromises that arise daily. Find good resources-related security and vulnerability research (Figure 6-2) and consult it religiously. Knowledge is often one of the best weapons in the fight for security.

Develop a security checklist. Review it for completeness and accuracy pe- riodically, such as every quarter. Confirm every element on the checklist on a regular and frequent basis, such as once a week or once a day. You can automate this to an extent, but checking often requires human effort to test and confirm that every security mechanism is in place, active, armed, and effective. Security checklists are discussed further later in this chapter.

Perform regular self-assessments. Numerous security groups and govern- ment/military agencies post security implementation guidelines, manu- als, and checklists. Commonly known as Security Technical Imple- mentation Guides (STIGs), you can use these documents to review and assess your organization's status and state of security. A self-assess- ment attempts to take an external, unique, or independent viewpoint in evaluating security. This is why using external security guidelines, stan- dards, and measurements can reveal oversights in an existing security in- frastructure.

Perform internal compliance audits. Thinking you are secure isn't enough; the law in many industries such as financial and medical now re- quire compliance. Ensuring that you are in full compliance with all federal and state laws and regulations is not only good security management; it will keep your company officials out of jail. Using external auditors is of- ten a poor substitute for internal self-verification.

Implement the principle of least privilege. All users, including ad- ministrators, only need the necessary privileges, access, and permissions to accomplish their assigned work. Any abilities beyond this minimum in- crease the potential for compromise and abuse.

Isolate and compartmentalize administrative privileges through the im- plementation of separation of duties. This is also known as split

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 8/31

knowledge. Administrators are given limited administrative power over a limited area of the IT infrastructure. No single administrator has full or total power over the entire environment. This limits the scope of potential abuse and harm both by disgruntled administrators, as well as by hackers who compromise administrative accounts.

Test all security measures for sufficiency. Perform verification scans of all deployed countermeasures to ensure their correct functioning. Improper installation or misconfiguration can render a well-meaning safeguard worthless. Test every new security control when you install it and every time you reconfigure it.

Perform regular vulnerability assessments. Use automated tools with up- dated databases of security tests and exploit simulations. These tools should confirm patches and updates, verify security configurations, and probe for known vulnerabilities and exploit weaknesses. Quickly resolve any issues discovered by the scans.

After you have improved and fine-tuned your security infrastructure, put it to the ultimate test: perform penetration testing. Hire or develop an ethical hacking team to test the strength and weaknesses of the IT security as well as the security of the facilities and the employees. Ethical hackers use the same tools and attack techniques as criminals, but without the in- tention to cause actual damage. Professional security assessors can cus- tomize attacks, modify exploits, and react in real-time to fully stress secu- rity defenses.

Focus on the core security services when designing security: confidentiali- ty, integrity, availability. Failing to properly and adequately buttress these essential security services will result in damage, data loss, and downtime. Confidentiality is the prevention of unauthorized access, but supports au- thorized access. Integrity is the protection against unauthorized modifica- tions. Availability is the assurance that resources are accessible in a timely manner.

Consider designing security, especially physical security, around three central functions: deter, detect, and delay. Deterrence is the use of securi- ty to convince the potential attacker that the efforts to compromise a sys- tem are not worth it. The attack may be perceived as too hard or too com- plex, the attempt too easy to detect, and the consequences too severe. De- tection is to watch for the attempts at breaching security so as to respond promptly. Delay is to slow down the attack so that even successful breach- es give the defenders time to respond in order to apprehend or prevent further intrusion.

Another common trio of parameters for security design and implementa- tion is prevention, detection, and response. Prevention is the use of safe- guards to thwart exploitation or compromise. It is usually more efficient, easier, and cost effective to prevent intrusions and breaches rather than react to them. Immediate detection of attempted and successful security breaches is important. The longer the time span between a malicious ac- tion and authoritative response, the greater the likelihood the perpetrator will get away without consequence. Response means being prepared to contain damage, restrict further compromise, and effect repairs to return the system to normal.

Don't overlook the importance of authentication, authorization, and ac- counting. These services are essential to a secured infrastructure. You must control who is allowed into a facility and onto the network. Place limitations on what authorized users can do. Hold all entities—even upper level management—accountable for their actions, activities, and results.

Focus on establishing a philosophy of default deny rather than default permit. By blocking everything as a starting point, only those features,

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 9/31

services, protocols, ports, applications, users, and so on that you judge and deem safe and appropriate can be enabled by exception. A default- permit stance means you must create a never-ending stream of explicit denials as you detect new compromises or malicious events. Deny by de- fault, allow by exception is always the preferred security stance.

Implement white-list application control. A white list is a list of allowed exceptions against a background of default deny. By configuring a system with a white list, you block all executables unless they are on the list of al- lowed exceptions. A white list consists of the application name, its file name, and the file's hash value. This prevents spoofing by malicious or unapproved applications that simply rename the executable.

This collection of network security management "best practices" should serve as a starting point for the development of your effective security en- deavors. Other valid and useful guidelines exist, so don't assume this list of recommendations—or any other list from any other source—is exhaus- tive. You always have new lessons to learn, new challenges to face, and new wisdom to obtain.

Fail-Secure, Fail-Open, Fail-Close Options Failure is not an option, it's a certainty. At some point in the life of your organization, failure will happen. Will you be prepared to handle it prop- erly, and how much harm will the failure cause?

Failures can be hardware ceasing to operate properly due to an unknown flaw in materials or construction. Failures can be the accidental discharge of static that damages circuits. Failures can be atypical weather that floods the building. Failures can be malware infection that crashes a server. Fail- ures can be a zero-day exploit that compromises security from outside.

Failure means problems, downtime, loss, consequences. However, failures do not have to mean bankruptcy, going-out-of-business, jail time, or cat- astrophic loss. The difference between calamity and mere inconvenience is planning. As with most aspects of security, proper and extensive plan- ning can assist in designing an infrastructure that can avoid or effectively survive any issue or concern.

Planning for failure is planning how to respond to and recover from fail- ures. The goal is to fail into a state of security or safety rather than into a state of insecurity or chaos. This is known as fail-secure. A fail-secure state reverts to a condition where little or no harm, or at least no further harm, is likely to happen. Depending on the situation, a fail-secure state could be fail-open or fail-close.

To fail-open is to revert to a state of being open, available, or unlocked. In the case of the physical world, fail-open is important for the safety of per- sonnel. Fail-open doors allow people to leave a building easily. However, such easily opened doors might represent a weakness that an intruder could exploit to access secured internal areas. In the case of IT, fail-open is to revert to a state of unfiltered communication or data access.

To fail-close is to revert to a state of being closed, unavailable, or locked. In the case of the physical world, to fail-close is to prevent a doorway or container from being opened during an emergency or compromise. In the case of IT, fail-close blocks access to communications and other digital resources.

Either state, fail-open or fail-close, can be the fail-secure or fail-safe op- tion depending on the circumstances. In any case, you should carefully

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 10/31

consider and plan the type of default response you will use, especially dur- ing an emergency, intrusion, compromise, or system failure.

Physical Security There is no security without physical security. Logical protections can only protect against logical attacks. Physical protections protect against physical attacks. With just a few moments of physical contact, a hacker can overcome or bypass most logical security.

Physical security is the prevention of direct physical contact, access, or in- fluence of an unauthorized person to a sensitive component of an IT in- frastructure. Any well-designed network security solution will include physical security components. If you fail to address physical security ade- quately, you fail to understand the threats facing your organization.

Physical security includes a facility that resists forcible entry. Select, im- prove, or build facilities that prevent and deter unauthorized physical in- trusion. If physical breaking and entering is possible and potentially prof- itable for a thief, it's more likely to take place.

Physical security should include the monitoring of all personnel activity. Solid physical access control includes keeping track of when an employee enters and exits every secured or sensitive area. Good physical access con- trol blocks outsider access and enforces escorts for visitors.

Physical security should include card key entry, burglar alarms, motion detectors, and security cameras. Use the best available technology to both deter and detect physical security violations.

Watching for Compromise Everyone in your organization is part of the physical security effort. Every individual is responsible for staying within the security boundaries them- selves. They are also responsible for reporting violations or suspicious ac- tivity. Security is about locking and watching. Not every employee can as- sist in the process of locking things down, but they can and should all as- sist with watching for violations and suspicious behaviors.

Use all available technologies in addition to human eyes to look for securi- ty violations. Use auditing, IDS/IPS systems, security cameras, motion detectors, and so on when appropriate. Proper network security manage- ment includes proper design to watch for violations.

Violations can occur both in the physical world as well as within the logi- cal world of computers, networking, and the Internet. Don't assume that just because a violation causes no direct physical harm that the issue is not worth knowing about or pursuing. A crime is still a crime whether it's a physical crime or a logical one. Design and implement detection mecha- nisms to notice, log, and monitor suspicious or abnormal activities.

Incident Response Incident response is the planned reaction to negative situations or events. Inevitably, security breaches, or at least attempts to breach security, are going to occur. When those events affect the organization or its abilities to perform its tasks in any way, incident response is triggered. The goals of incident response are to minimize downtime, minimize loss, and restore the environment back to a secured normal state as quickly as possible.

Most incident response solutions include six primary steps or phases:

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 11/31

Preparation—Select and train IRT (incident response team) members, allocate resources

Detection—Confirm actual breaches

Containment—Restrain further escalation

Eradication—Resolve the compromise

Recovery—Return to normal operation

Follow-up—Review the process and improve future responses

An incident response plan is an important element of network security management.

Trapping Intruders and Violators Security often aims at prevention and deterrence. When an intrusion or security violation takes place in spite of the precautions, the next stage or level of security must respond. The next stage of security is detection. Knowing if and when a security violation occurs is essential to a timely and adequate response to a breach.

Once you detect a breach, you must immediately initiate a response. The first stage of response is containment. The goal of containment is to pre- vent further spread of a known malicious event. Containment is a mind- set, a plan of action, and an element of design. As a mind-set, contain- ment is the focus of first responders or members of the IRT. Their goal is to prevent any expansion or spread of the compromise to other systems.

Why Containment Is Important Using containment can be as simple as unplugging a network cable from a compromised system. This effectively cuts off any communication to and from the suspect host. You can also impose containment through dis- abling user accounts, stopping services, adding entries to filtering devices, and so on. Whatever the vector or source of the malicious event, its source or target should be cut off from causing continued harm.

The act of containment should interrupt or interfere with the continued spread or operation of the unwanted event. This type of initial response is often effective against malicious code, remote access, backdoor control, compromised user account, social engineering, and many other forms of network or system compromise.

Containment is often considered a form of response. Containment is the action taken by a first responder. However, even before you experience a security breach, you can employ another preventative measure similar to containment known as compartmentalization.

Imposing Compartmentalization Compartmentalization is the element of infrastructure design that takes into account the likelihood of a security breach by malicious code or other intruder. Compartmentalization distinctly separates a network into areas or zones of access. Often these zones are around departments or entities that commonly interact over the network. Any entity that does not com- monly interact is separated by default using network security access con- trol devices, such as routers, switches, and firewalls.

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 12/31

The purpose of compartmentalization is to create small collectives of sys- tems that support work tasks while minimizing risk. The typical risk is that if one system is compromised, the breach can quickly lead to other systems being compromised. This is especially true of malicious code, which distributes rapidly. But it can also apply to remote hacker intrusion as they attempt to leap from system to system searching out valuable resources.

Network compartmentalization is similar to the bulkheads on ships. In the event of a hull leak, the bulkhead doors of the affected compartment close and seal. This prevents the entire ship from being sunk by a single breach. The same is true for computer network compartmentalization. When you detect a breach, you can sever the links between network com- partments to prevent any further malicious communication to or from the affected sections.

Using Honeypots, Honeynets, and Padded Cells Another specific intruder trap you can add to a security infrastructure is a honeypot. A honeypot is a hacker or intruder trap. A honeypot is a system or network that appears to contain valuable information, and appears to be part of legitimate organizational network, but, in fact, it's a specially designed trap. The purpose of a honeypot is to trap hackers/intruders, de- tect new attacks, or simply serve as a decoy to deflect attacks from reach- ing the actual primary network.

A honeypot can be a single system or a network of many systems con- structed to look, act, and operate like a real network environment, but that contains seemingly attractive but actually fake resources. For a hon- eypot to be effective, it must look and act just like a real target. Otherwise, hackers will quickly uncover the fake and search harder to find the real targets. A honeypot often includes extensive focus auditing and recording capabilities to thoroughly capture all activities that take place within it.

Honeypots can be single systems or multiple networked systems. A net- work of honeypots is sometimes called a honeynet. Both honeypots and honeynets are decoy systems that are always operating in the hopes of at- tracting would-be hackers and intruders. Another form of honeypot is the padded cell. The padded cell is turned on only after you detect an in- truder, and then lure the intruder into entering the padded cell.

Configure and situate honeypots so that they do not interfere with autho- rized users performing authorized activities. However, you need to posi- tion them along common pathways of access that an outsider or intruder might take, in much the same way a hunter will hide along a trail in the forest. A honeypot should be attractive and interesting enough to per- suade a hacker to attack it, but not too attractive as to trigger that voice in the back of the hacker's mind that says, "It's a trap."

A honeypot has value in two primary circumstances. First, if the organiza- tion's primary goal is to learn about new hacking exploits, then a honey- pot can serve as a laboratory for that purpose. Second, if the organiza- tion's primary goal is to prosecute criminals, then a honeypot may assist in the discovery, identification, and apprehension of suspects. However, if neither of these two purposes is a primary goal of the organization, then deploying a honeypot is generally not a worthwhile endeavor.

Essential Host Security Controls Every host needs protections from its users as well as from the network it communicates with. There are always risks, even within a private net-

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 13/31

work, from authorized users. Precautions include equipping host devices with reasonable defenses against known potential avenues of compromise.

Every host needs an antivirus scanner. While in a few operating systems malicious code is not as serious a threat as in others, hackers create mal- ware for every platform. You can no longer safely claim immunity based on your operating system selection alone.

An antivirus scanner needs to be current. The scanner engine, the core mechanisms for malware detection, should be less than a year old. Typi- cally, a deployed antivirus should have the current year in its name or as its build date. Any antivirus scanner more than a year old is too out of date with new and current scanning technologies, malicious embedding techniques, and cleanup or removal procedures.

An antivirus scanner needs to have its database of definitions updated at least once per day. This should be an automated process so that as soon as the vendor releases a new update, it is downloaded and applied. Using a scanner with an old database is just as bad as using an old scanner. An an- tivirus product only provides protection against known threats, so don't allow your antivirus software to develop amnesia from delayed updates.

An antivirus scanner must be configured to perform constant, consistent, and automatic scans. Monitor the memory, processing stack, and any oth- er active element of a computer system in real-time for symptoms of mali- cious code compromise. When malware reaches a host, it can infect that host and distribute its spawn in moments. Without real-time monitoring for infections, serious damage can take place long before a periodic scan notices the breach.

An antivirus scanner should be configured to perform complete, sys- temwide, low-level scans across all memory and storage devices on a peri- odic basis, every day or at least once a week. By scanning the entire sys- tem on a regular basis, you can detect and remove malware that was able to gain access through some unmonitored or covert channel.

In addition to an antivirus scanner, hosts should benefit from an anti- malware scanner. An anti-malware scanner is also known as a spyware or adware scanner. These are companion scanning products to antivirus software in that they find other forms of malicious, nuisance, or suspi- cious code that might not qualify as a virus or worm. Their targets include spyware, adware, keystroke loggers, rootkits, hacker tools, backdoors, Trojan horses, malicious/abnormal cookies, suspicious mobile code, bots, zombies, and so on. Don't let the names fool you. All of these things repre- sent the potential for real network damage.

Every host should be equipped with a software host firewall. A host fire- wall provides filtering services for data entering and leaving the local box. A host firewall can limit network connectivity for local applications as well as allow or deny access to resources from external entities. Please review

chapters 2, 7 through 10, and 13 for more details on the benefits of host

firewalls.

Most hosts can benefit from the added security of whole hard drive en- cryption. This ensures that all data on the drive is secured. Depending on the product and technology you employ, whole hard drive encryption can be unlocked through a boot password or the use of a hardware device, such as a USB drive or a Trusted Platform Module (TPM) chip. Whole hard drive encryption essentially prevents a hard drive from being stolen and easily read by another system.

Some forms of system and file damage occur from activities that are not malware related. Using a hash integrity checking mechanism to watch for

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 14/31

unauthorized file changes can assist in tracking down abnormal sources of compromise. Monitor every system file and device driver. Any change not associated with installation of a valid update is likely a symptom of mali- cious activity.

You should configure and review auditing on all hosts, not just servers. Malicious activities and communications can take place on any system. Configure every host to audit, monitor, and log local and network events. Then, using an intrusion detection system (IDS) or other form of security auditing tool, scan the log files for symptoms of concern. What you do not know can harm you, so arm yourself with as much knowledge as possible.

Backup and Recovery Backup, backup, backup. There is no excuse for lacking a backup solution. Backups are the only insurance against data loss. Failing to make a back- up is planning for failure and data loss. A single data loss incident, such as a failed hard drive, could be enough to cause the failure of an organiza- tion. Do not lose data because of carelessness; implement a backup process immediately.

Backups are not difficult. They just take a bit of planning. First, plan where you want to store the backups. The three main choices are online, offsite, or onsite.

Online or cloud backup storage is growing in popularity, availability, and cost effectiveness. Online backups offer access to your data from any In- ternet connection, making recovery possible from anywhere. However, online backups put your data on someone else's hardware and you are de- pendent on their security, confidentiality assurance, and reliability. Plus, backup transfer speeds are dependent on the local Internet link speed, which is usually much slower than most local media backup options.

Offsite and onsite storage employ the use of backup media. Backup media can be tapes, optical disks, hard drives, and solid state drives/cards. Phys- ical media require space for storage and are subject to the threats of phys- ical existence, namely theft, damage, and destruction. Offsite storage is the better option when faced with major catastrophes. This protects your backup media from damage by problems occurring at your primary work location. Onsite storage provides for quick recoveries around minor is- sues.

Mid- to large-sized organizations often elect a multi-staged backup solu- tion that provides both onsite and offsite storage benefits. One possible configuration is to use banks of re-writable high-speed optical storage de- vices to host a live online onsite backup. Then perform periodic backups from the optical storage set to portable media, such as tapes, for secure storage offsite.

This configuration provides for fast backup from the original systems to the optical media, then provides a convenient process for creating tape copies quickly. It also allows for fast restoration of data from the online onsite optical backup, while providing major disaster protection with the offsite secure storage of tapes.

As much as possible, automate the backup process to ensure that it hap- pens. If the act of backing up the network's data interferes with produc- tion, then install a secondary network to exclusively support data transfer for backups. This will require a second network interface in every system protected through the backup process.

The offsite storage location for backup media should be secure and rea- sonably protected from disasters, especially severe weather. If your orga- nization is large enough to have multiple locations, rather than the same

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 15/31

building or even buildings within a few blocks of each other, then offsite storage can switch from third party storage to internal storage at distant branch locations.

User Training and Awareness User training is an essential part of any security endeavor. Not every worker in an organization is automatically an IT or technology expert, nor should you expect them to be. Security training and awareness aims at providing all users with basic security knowledge as well as job-specific security information.

To hold users accountable for their actions, first clearly define the net- work security policy boundaries and limitations. Having a set of rules and restrictions without informing personnel of their existence won't enforce policy and can lead to employee grievances. Training and awareness is necessary to educate users on their responsibilities and the consequences for violating organizational policy.

Without adequate security education for users, maintaining a secured en- vironment is difficult, if not impossible. However, many organizations fail to support end-user training adequately. This results in users not under- standing the importance, need, and benefits of security. Additionally, it will result in an increase in violations, most of which are benign and acci- dental, but incidents that nonetheless you will need to investigate and re- solve.

A few common end-user security mistakes or problems caused by a lack of security training include:

Opening e-mail attachments from unknown sources or from a known source with an unexpected or unusual attachment

Preventing updates and patches from installing, even when ap- proved and recommended by the security staff

Installing unapproved software on work computers, including games, screensavers, utilities, instant messaging clients, and brows- er plug-ins

Installing software on work computers that you have not verified as safe and free from malicious code

Failing to make backups of personal data or work data on work computers

Using a modem or wireless connection from a desktop or notebook work computer while still connected to the company LAN

Using a password storage/tracking utility that does not encrypt its database

Walking away from computers while still logged in

Connecting unknown and unapproved devices to a work computer

Using portable media and storage devices on a work computer from an external source

Installing remote control or remote access software on work com- puters without obtaining approval

Using the same password on multiple systems

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 16/31

Leaving portable devices in locations outside of work where they could be easily stolen, such as in a car's backseat

These are just some examples of common security problems caused by untutored users. You can avoid or at least minimize most of these issues with reasonable user security education. However, it's also common for IT staff to make security mistakes, even though they are much more knowl- edgeable about technology. Just because someone is a "tech guy" or might be considered a computer geek does not necessarily imply he or she is se- curity smart as well.

Some mistakes made by technology experts (who really should know bet- ter) include:

Using the same password on multiple systems

Allowing new systems to go online before they are properly hard- ened and/or tested

Failing to keep current with available patches and upgrades, espe- cially those related to security

Using remote system and device management mechanisms that are convenient but not secure, such as telnet, http, and ftp

Discussing passwords over the phone, including changing pass- words based on over-the-phone requests

Failing to properly check identity, authority, and permission before giving out information or access to resources

Failing to implement a proper backup solution

Not verifying and testing backups are working properly

Assuming something is secured or properly configured without specifically checking and verifying

Allowing unnecessary and potentially insecure applications, ser- vices, and protocols to remain on a system

Using security and network devices with their default settings, such as firewalls, proxies, routers, and so on.

Failing to understand all of the security configuration options on a new software or hardware product

Putting new software or hardware into production before thorough- ly testing and gaining approval

Allowing anti-malware defenses to become out of date or go stale

Allowing sensitive information to be communicated without an en- crypted channel

Even a knowledgeable technical professional can learn how to be more se- cure through proper training and awareness education. Every single person throughout an organization has security responsibilities. These need to be defined, explained, and taught. Users will improve their behav- iors once they understand what the risks are, what is at stake, and how their behavior will affect them if they fail to support security.

The goal of security-related training is user behavior modification. Users need to take steps to change their regular activities from those that place themselves and their workplace at risk to those that avoid risk. Risk is

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 17/31

easy for most people to understand, but they need to be made aware of risk to trigger a change in their actions.

Good user training will cause an improvement in user compliance with the standards, policies, procedures, and guidelines of your organization. Often, the beginning of security training is awareness. Awareness is intro- ductory, foundational, and ubiquitous security information that applies to all employees. Awareness aims at establishing a common baseline of secu- rity understanding for the entire organization.

The principal means of awareness training is in a classroom setting. It should, however, include a wide variety of communications, including on- line videos, interactive Web sites, posters, e-mail reminders, regular memos or newsletters, wall banners, coffee mugs, post-it notes, manager review meetings, loudspeaker announcements, screen savers, mouse pads, and even voice mail messages. The point is to inform users about basic security essentials, then reinforce those basics while they are at work.

Awareness is important for all personnel, in all job positions, at every lev- el of access, from top to bottom of an organization. Everyone should un- derstand and comprehend basic security issues. These often focus on gen- eral responsibilities, liability, seeking to avoid waste and fraud, reduction of unauthorized activities, and looking out for abnormal or suspicious events.

It's important for employees to see through both words and deeds that se- curity is important. This means that even top executives must be held ac- countable to the same basic principles enforced throughout the general employee population. If employees see evidence of compromise or com- pliance avoidance by senior management, then they get the impression that the rules are not important enough for anyone to follow. You don't want employees to be frustrated and confused by a "Do as I say, not as I do" management model.

After awareness comes training. Training focuses on security issues and topics more closely related to specific job tasks. Training consists there- fore of job-specific security information. Security training of this type as- sists users in accomplishing their individual work tasks while staying within the boundaries of the security infrastructure.

Most organizations offer in-house awareness and training. This is com- mon because such training directly reduces incidents and the associated costs of handling and responding to internal accidental and ignorance- based breaches.

Beyond training is security education. This form of learning has a broader scope than just a job description or even the organization as a whole. The purpose of security education is to obtain extensive knowledge about se- curity and related subjects, even if they don't directly apply to current work responsibilities or tasks. Education is for the advancement of the in- dividual, perhaps to improve their career outlook.

Education is usually obtained outside of an organization. A company might perceive education as either a threat to employee retention or a benefit to keep employees happy. Most organizations want to improve the skills of their personnel. Either way, security education improves the knowledge and skill of the individual.

Security awareness, training, and education are beneficial for any security endeavor. Including and funding it in your organization's overall security solution will improve your odds of success.

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 18/31

Network Security Management Tools The best network security management tools are neither commercial nor open-source products or solutions. Instead, the best network security management tools are quite simple and obvious. The best tools are:

A written security policy

Complete inventory of all hardware and software

Physical cabling layout and device location map

Logical organization, addressing, and subnetting map

Complete configuration documentation for every device

Change documentation and log

Backup and restoration procedures

Business continuity and disaster recovery strategy

Troubleshooting guidelines

Hardware and software documentation

Personal knowledge and skill

Access to online resources

Security management is not about having the most expensive products or the most automated configuration. Instead, good security management is rooted in a solid understanding of the infrastructure and having the tools to improve, respond, and repair as necessary. Focusing on the glitz of shiny products can even distract from the basics of security management.

Security management should always center on protecting assets, support- ing authorized activities, and responding to threats as you discover them. It may be more efficient or cost-effective to use off-the-shelf security man- agement products, but using them is no substitute for addressing the or- ganization's core security concerns.

Security Checklist Security is fragile. Hackers only need to discover a single flaw in your de- fenses to mount an attack. Changes to the infrastructure, whether physical or logical, could open new holes not previously present. Additionally, users and personnel may intentionally or accidentally breach security.

One method to maintain the efficacy of security is through regular verifi- cation and validation checks of every single countermeasure, safeguard, security control, deterrent, prevention, and defense. This requires an in- ventory of all security measures. This inventory can then become a checklist.

Physical security and logical security each need a separate list focusing on their respective areas of concern. A security guard or a security tech inves- tigates every physical security measure to ensure that it is still in effect, active, and un-modified. Such tasks at the level of logical security are best left to security techs with proper administrative access.

A security checklist shakedown should occur regularly and often, once a day at most to once a week at least. Every single item on the checklist should be physically visited and inspected. If any issues or concerns arise, document them and immediately bring them to the attention of the secu-

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 19/31

rity team. Employ remedial measures promptly and investigate to track down the root cause of the concern.

A physical security checklist should include every security control de- ployed for facility control, these include:

Checking every window lock

Checking every door lock

Checking every external wall

Inspecting access points to raised floor areas

Inspecting access points to drop ceilings

Ensuring that cabinets or containers are locked

Verifying that security cameras are pointed in the correct direction

Verifying that all light bulbs are of the correct type and are functioning

Checking motion detectors

Testing alarm systems

Interviewing security guards and confirming compliance with procedures

Depending on the industry and specialization, many more components can make up the physical security of organizations; this list is just a sam- ple of what the typical physical security checklist should contain. Look for any modification, destruction, or general failure of every element of physi- cal security. A single bad window lock or a door that does not fully close automatically can result in easy access for a burglar intent on computer mischief.

A logical security checklist should include every security control deployed for computer and network control. These include:

Checking authentication

Checking authorization and access control

Auditing systems

Verifying firewalls and other filters

Checking proxies and other communication management solutions

Verifying encryption, including key management

Updating antivirus software and scanners

Backing up and storing archival information securely

Many more elements exist in well-designed security infrastructure for an exhaustive logical security checklist. Again, this list is just a sample of some common elements found in most secure organizations. Poor config- urations, overlooked defaults, and out-of-date systems can leave gaps that a probing hacker will discover and exploit.

Never assume you are secure. Check and verify everything regularly. No one else will do it for you.

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 20/31

Use the security checklist with the intention of maintaining effective secu- rity over time, in spite of change, accidents, and human nature. However, even a complete checklist cannot resolve problems caused by poor design and implementation. To ensure that your checklist is truly a benefit and not just re-organizing deck chairs on a sinking ship, consider the follow- ing common oversights or issues:

Do not assume that a service or protocol is secured by some other layer or service. Verify that the data traversing a network segment is encrypted or otherwise secured.

Know the limitations of security products. Each security mechanism addresses a single or small set of issues within a specific context. The presence of security in one location does not cause a magical blanket of security to exist in other locations. Be sure specific and relevant security solutions are in place where necessary. For exam- ple, use of IPSec for network encryption does not imply that data stored on clients is encrypted.

Do not rely on authentication at session initiation alone. Session hi- jacking is a serious threat on most commonly used protocols. Use solutions that support periodic mid-stream re-authentication, as well as communications encryption.

Assume programs are inherently insecure. Security is not often a priority or a requirement in programming. When possible, use se- cure programming quality assurance.

Plan for handling failures, errors, intrusions, and downtime. Focus on what to do when bad things occur. The goal should be a fast and efficient recovery. Failing to plan is planning to fail.

Assume you may become a victim of a denial of service (DoS) at- tack. Every communications system is vulnerable to DoS. Do not forget that physical damage can be an effective DoS.

Learn from your mistakes. When a problem is uncovered, when a design flaw is revealed, when a process is shown to be ineffective, lean in, take the hit, own up to the responsibility, and then deal with it. Improve the environment to resolve the issue. Review the process and learn from it.

A security checklist can be an effective tool in managing and maintaining network security. Make it a point to start your list now and use it in real- world review immediately.

Network Security Troubleshooting Security troubleshooting aims at recovering from problems related to the counter-measures themselves. Problems will occur with the defense mechanisms themselves. Downtime of a security control is as critical as downtime of a core business process or asset. Troubleshooting failures of security controls is an important part of network security management.

As with most concerns, prevention is always preferable to repair or re- sponse. By working to ensure that failures do not occur, or at least do not occur as often, maintaining effective security will be easier and less costly in terms of both budget and manpower.

Network security troubleshooting is often about triage—deciding which issues or problems are of the most imminent concern. The more a security component affects a mission-critical process, the more important rapid response and repair becomes. When security is down, the previously pro- tected assets are put at greater risk for compromise. Minimizing the

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 21/31

length of time consumed by the response is important to minimizing long- term losses.

One of the most effective preventative techniques in network security troubleshooting is installing patches and updates. As with patches and up- dates to production systems, always test the new code thoroughly before deployment. Once tested and approved for application, apply updates when downtime would cause the least number of problems. Always be prepared with a redundant option if the updating process itself causes fur- ther security control problems.

Possible complications from the application of patches and updates in- clude resetting to factory defaults, loss of some but not all configuration settings, and "bricking" (i.e., making it non-functional) the control. If the security control resets back to factory defaults, then it will need to be fully reconfigured. If a recent configuration backup is available, restoration might be a swift repair. Otherwise, manual resetting will be necessary. To facilitate this process, always have complete documentation of all settings of all security controls.

If you lose some but not all configuration settings, then the security con- trol is unlikely to operate as you expect. Restore or reconfigure the set- tings promptly. The update itself may have added or modified settings that need testing and verification for function and compatibility. If a new feature interferes with a business task, you might find it necessary to dis- able the feature or rollback the update.

If the update process causes a complete failure of the security control, the real possibility exists that the product is useless. This is known as bricking —turning a useful device into a worthless brick. In some cases, a hard re- set can revive a seemingly bricked device, while there may be more eso- teric repair and recovery options for other devices. If the vendor does not provide an unbricking solution, search the Internet for user groups or dis- cussion forums for a home-grown solution.

Configuration errors might be the cause of a security control malfunction. Configuration errors may be caused by human error, oversight, or igno- rance as well as by updates, power fluctuations, and physical damage. When a security control is improperly configured, it does not provide the expected security. Troubleshooting this situation can be as simple as re- verting to a previously saved configuration or manually reapplying the settings.

However, a more serious concern arises when configuration errors are not easily fixed. A recent patch or update may have rendered the product un- stable, or a patch or update might be needed to stabilize it. If the configu- ration error reappears after every power cycle, then the device might be defective, it might need additional memory (or need defective memory re- placed), or be attached to an uninterruptable power supply (UPS) to re- duce the number of unplanned power fluctuations.

Physical damage should be repaired expeditiously. If unrepairable, you may need to replace the device. Install preventative measures that will prevent the reoccurrence of the physical damage.

In some situations, the problems with security are not with the security components themselves, but with the overall infrastructure design. Per- form a re-assessment of the design on a periodic basis, such as once a year, to judge whether the current infrastructure continues to meet the se- curity needs of your organization. Since security changes over time, the security design might need to evolve to meet the demands of new risks, threats, and concerns.

Power faults can take place for many reasons. If the building's power grid is not reliable, if sags and spikes occur on a regular basis, the focus of the

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 22/31

long-term repair should be on improving the building's power distribu- tion systems. Short-term responses can include surge protectors, UPSs, and generators.

If a device encounters a power fluctuation due to overheating, investigate whether the room where the device is operating has adequate HVAC ser- vice. The average temperature for a room dedicated to housing computer equipment should be at or below 70 degrees Fahrenheit with moderate relative humidity to avoid generating static electricity. In rooms where people work with computers, the temperature should remain below 80 degrees Fahrenheit. Also, check the device to see if it has sufficient inter- nal airflow to maintain appropriate internal operating temperatures. Don't forget to check filters and vents for accumulation of dirt or dust.

Power faults can include power supply or power grid variances. In this sit- uation, the only responses are surge protectors, UPSs, and generators as customers are unable to affect the quality of the power company's electric- ity by themselves. If switching power suppliers is an option, investigate this to determine the reliability of other providers, as well as the expense and hassle of switching. Sometimes actively and publicly "shopping" pow- er suppliers can result in improved service from your present supplier.

Static electricity is also a concern. Electrostatic discharge (ESD) or static- electric discharge (SED) can easily damage equipment, including security equipment. The amount of electricity discharged between someone's fin- ger and a doorknob when you can see the spark jump is more than enough voltage to destroy most computer chips. Take precautions to prevent stat- ic damage.

Physical damage can be a concern requiring troubleshooting. Damage might be caused through intentional destruction, accidents, and Mother Nature. If the damage is superficial or cosmetic, the device can be re- turned to service. However, if the damage prevents the security device from operating properly, then in most cases you need to replace it. Ad- dress the cause of the physical damage to reduce the likelihood of a reoc- currence.

Network security troubleshooting focuses on whether an intruder can by- pass a security defense or restriction. A security control that can be by- passed is worthless. Once you discover that a security control can be by- passed, you need to investigate the method or mechanism of the bypass. Then if possible, remove or block the method of bypass. If the flaw is a de- sign or infrastructure concern, consider revising the design to remove the loophole.

From time to time hackers find flaws in the programming of a security control. Once an exploit is written, the security control can be rendered useless through taking advantage of the flawed code. Vigilance in review- ing vulnerability databases and research, paying attention to vendor infor- mation, and watching the log files of the organization's network should alert you when an exploit succeeds.

Defending against an exploitation focusing on a security control is the same as when one focuses on any other aspect of a network. If possible, reconfigure the control to minimize the effectiveness of the exploitation. Consider removing the component until you can implement a new de- fense. Apply a patch or update from the vendor as soon as it becomes available.

A final concern in relation to network security troubleshooting is hard- ware failure. While not a common occurrence, hardware can fail. Over the life of an organization, you are almost guaranteed downtime caused by hardware failure. When that hardware is a security control, the downtime is more severe in that it places the rest of the environment at greater risk.

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 23/31

Manage hardware failure by having replacements on hand or being able to obtain them quickly. Reduce downtime through redundant infrastructure design. Monitoring ongoing performance metrics might enable the detec- tion of a future hardware failure as performance degrades. However, abrupt hardware failures are difficult to predict. Thus, being prepared with alternatives and replacement parts is often the best troubleshooting solution.

Compliance Auditing Compliance auditing is a type of assessment that judges how well an organization is accomplishing set goals or requirements. These goals and requirements can be internal or set by government, industry, and other regulatory agencies. Compliance auditing is an important part of main- taining a business, especially growing businesses, as it ensures that the or- ganization is following all necessary security guidelines.

Compliance auditing may be a legal requirement for some industries, such as financial and medical. Independent external auditors perform compli- ance audits to ensure that a target organization is fully abiding by the rules and regulations imposed by the government. This audit is a compre- hensive investigation and review of the ongoing business processes. The audit requires a review of the security policy, access controls, risk man- agement processes, and historical log files.

The focus of compliance audits varies based on industry, information type, and whether the organization is public or private. Auditors investi- gate an organization through documentation analysis, interviewing per- sonnel, and combing through audit logs. Compliance auditing can exam- ine recent security breaches, evaluate incident response, interview ex-em- ployees, judge user access levels, interview executives over critical security concerns, and more.

Organizations are usually distinctly aware when compliance auditing is a mandated periodic occurrence. In those cases, companies should prepare for audits by collecting the various types of information and creating the appropriate records as needed by the auditor. In fact, establishing a stan- dard practice of producing and archiving the necessary information is prudent. The goals of these actions are not to manipulate the data, but to provide adequate access to the facts and historical activities.

Organizations that do not have mandated compliance audits should con- sider self-imposed audits. The processes of thoroughly investigating the compliance level with the stated security policy can improve the long- term stability and security of every organization. The act of self-assess- ment and improvement is a common characteristic of most successful IT organizations.

Security Assessment Security assessment is the judging, testing, and evaluation of a deployed security solution. The state of the world, in terms of security, is constantly changing. The hacking community is actively developing new techniques, methodologies, and exploits to compromise targets. The defenses and strategies that worked yesterday might not be as effective tomorrow.

Security assessment is the ongoing process of evaluating security so that you can improve it. As discussed in previous sections of this book, security is established through the act of performing a risk assessment. The results of the assessment are formulated into a policy that guides the implemen- tation of the initial security infrastructure. From that point forward, secu- rity management takes over.

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 24/31

Security management is the process of watching for breaches, tuning ex- isting security, and evaluating the need for improvements to security. It is this latter area of concern that is the focus of security assessment. Security assessment employs several techniques to appraise the effectiveness of deployed security.

Configuration Scans A configuration scan probes a system to determine the current state of configuration and settings. This scan determines which available vendor patches are installed or missing. This scan also evaluates numerous sys- tem configuration settings against a database of recommendations. De- pending on the tool you use to perform the configuration scan, you may find different levels of recommendations based on the function of the sys- tem or the general level of desired security.

One well-known example of a configuration scan tool is Microsoft Base- line Security Analyzer (MBSA). The MBSA scans a Windows system and produces an easy to read report (Figure 6-3). This tool provides a fast evaluation of the overall security stance of a single system.

NOTENOTE The MBSA tool does not seem to have a dedicated home page within the Microsoft Web site; however, it is easily locat- ed performing a Microsoft or general Internet search.

MBSA is a great tool for small offices and end users to employ to quickly check their systems for well-known patch and security setting configura- tion compliance. However, this is just a first step; it should not be the only tool you employ. You'll need other tools, especially non-Microsoft soft- ware, that focus on broader issues to obtain a complete and thorough con- figuration scan.

Figure 6-3. An MBSA scan report example.

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 25/31

Figure 6-4. A Nessus scan report example.

Vulnerability Scanning The next step or stage in security assessment is vulnerability scan- ning. Vulnerability scanning focuses on locating known exploitable weak- nesses or vulnerabilities in deployed systems. You perform this type of scanning by using an automated tool with an updatable database of ex- ploitations and test scripts. A vulnerability scan will reveal problems with configuration, installation, and product code. A scan of this type is only as reliable as the product itself and the currency of its testing database.

A popular and well-known vulnerability scanning product is Tenable Net- work Security's Nessus. Nessus is available in a free version for home use and a paid version for commercial use. Nessus is a powerful scanning en- gine with a massive database of exploitation plug-ins that offers excellent reporting capabilities (Figure 6-4).

NOTENOTE Nessus can be found online at http://www.nessus.org/.

Penetration Testing The third and final step or stage in security assessment is penetration testing. Also known as ethical hacking, this process is the application of hacking techniques, methodology, and tools in the hands of trusted ethi- cal security experts. The purpose of penetration testing is to evaluate the resiliency of current security infrastructure and recommend improve- ments. Penetration testing is performed by a team of professionals who can customize and adapt exploits on-the-fly.

Penetration testing typically consists of five main phases or steps: recon- naissance, scanning, enumeration, attacking, and post-attack activities. These were discussed in Chapter 4. The steps or components of criminal hacking and ethical hacking are the same. The difference is the goal and abiding by ethical restrictions and contractual boundaries.

Post-Mortem Assessment Review Even with adequate security assessment using the three main techniques (configuration scans, vulnerability scans, and penetration tests) you may

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 26/31

still have a need for one additional form of security assessment. This addi- tional form is the port-mortem assessment review.

A port-mortem assessment review is the self-evaluation performed by in- dividuals and organizations after each security assessment task. The pur- pose of a port-mortem is to learn from mistakes. This will improve the process in future events and avoid the reoccurrence of the same mistakes. It's true that "practice makes perfect." If you practice the same tasks re- peatedly, each time improving upon the previous performance, you'll eventually master the task.

Port-mortem reviews provide incremental improvements on a consistent basis along with the rare revolutionary improvement. A review of this type can include numerous elements of appraisal focus, including:

The process as a whole

Each performed step

The order of the steps

Whether steps might be missing

What other actions could be taken

Were participants properly trained

Were additional resources needed

Were resources wasted

Were additional people needed

Were too many people involved

Was reporting sufficient or insufficient

What was missing

What could be improved next time

Many other queries could be posed as long as the goal aims at improving future application of the assessment processes and tools. A post-mortem review is a beneficial process when used consistently.

CHAPTER SUMMARY Network security management focuses on vigilance. Vigilance to remain current in terms of technology. Vigilance to remain knowledgeable about new threats and exploits. Vigilance to respond promptly to downtime and compromise. Vigilance to restore, repair, and update security on a regu- lar, consistent basis.

A wide number of activities make up the realm of network security man- agement, including fail-secure responses, maintaining physical security, detecting compromise, preparing for incident response, trapping intrud- ers, host security components, backup procedures, user training, manage- ment tools, checklists, troubleshooting, compliance auditing, and security assessment.

KEY CONCEPTS AND TERMS Awareness

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 27/31

Backup

Business continuity plan

Compliance audit

Default deny

Default permit

Disaster recovery plan

Education

File encryption

Honeynet

Incident response plan

Mission-critical

Padded cell

Patch management

Principle of least privilege

Security Technical Implementation Guides (STIGS)

Separation of duties

Single-factor authentication

Training

Trusted Platform Module (TPM)

Vulnerability scanning

Whole hard drive encryption

CHAPTER 6 ASSESSMENT 1. All of the following are examples of network security management

best practices except:

1. Write a security policy

2. Obtain senior management endorsement

3. Filter Internet connectivity

4. Provide fast response time to customers

5. Implement defense-in-depth

2. All of the following are examples of network security management best practices except:

1. Avoid remote access

2. Purchase equipment from a single vendor

3. Use whole hard drive encryption

4. Implement IPSec

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 28/31

5. Harden internal and border devices

3. All of the following are examples of network security management best practices except:

1. Use multi-factor authentication

2. Backup

3. Have a business continuity plan

4. Prioritize

5. Spend each year's budget in full

4. A firewall host that fails and reverts to a state where all communica- tion between the Internet and the DMZ is cut off displays a type of defense known as:

1. Default permit

2. Explicit deny

3. Fail-close

4. Egress filtering

5. Security through obscurity

5. The purpose of physical security access control is to:

1. Grant access to external entities

2. Prevent external attacks from coming through the firewall

3. Provide teachable scenarios for training

4. Limit interaction between people and devices

5. Protect against authorized communications over external devices

6. A complete and comprehensive security approach needs to address or perform two main functions, the first is to secure assets and the second is:

1. Watch for violation attempts

2. Prevent downtime

3. Verify identity

4. Control access to resources

5. Design the infrastructure based on the organization's mission

7. Incident response is the planned reaction to negative situations or events. Which of the following is not a common step or phase in an incident response?

1. Containment

2. Recovery

3. Eradication

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 29/31

4. Detection

5. Assessment

8. All of the following are elements of an effective network security in- stallation except:

1. Backup and restoration

2. User training and awareness

3. Compliance auditing

4. Security checklist

5. Unplanned downtime

9. The task of compartmentalization is focused on assisting with what overarching security concern?

1. Limiting damage caused by intruders

2. Filtering traffic based on volume

3. Controlling access based on location

4. Supporting transactions through utilization

5. Assessing security

10. Which of the following types of security components are important to install on all hosts?

1. firewall

2. antivirus

3. whole hard drive encryption

4. spyware defenses

5. All of the above

11. What is the only protection against data loss?

1. Integrity checking

2. Encryption

3. Traffic filtering

4. Backup and recovery

5. Auditing

12. All of the following are common mistakes or security problems that should be addressed in awareness training except:

1. Opening e-mail attachments from unknown sources

2. Using resources from other subnets of which the host is not a member

3. Installing unapproved software on work computers

4. Failing to make backups of personal data

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 30/31

5. Walking away from a computer while still logged in

13. The best network security management tools include all of the fol- lowing except:

1. Complete inventory of equipment

2. Written security policy

3. Expensive commercial products

4. Logical organization map

5. Change documentation

14. The purpose of a security checklist is:

1. To keep an inventory of equipment in the event of a disaster

2. To create shopping list for replacement parts

3. To ensure that all security elements are still effective

4. To complete the security documentation for the organization

5. To assess the completeness of the infrastructure

15. Which of the following is not a potential hazard when installing patches or updates?

1. Resetting configuration back to factory defaults

2. Reducing security

3. Bricking the device

4. Installing untested code

5. Improving resiliency against exploits

16. Which of the following is a true statement in regards to compliance auditing?

1. Compliance auditing is a legally mandated task for every organization.

2. Compliance auditing ensures that all best practices are followed.

3. Compliance auditing creates a security policy.

4. Compliance auditing is an optional function for the financial and medical industries.

5. Compliance auditing verifies that industry specific regulations and laws are followed.

17. Which of the following is not typically considered a form of network security assessment in terms of how well existing security stands up to current threats?

1. Configuration scan

2. Compliance audit

3. Vulnerability assessment

11/9/2020 6. Network Security Management - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch06.html 31/31

Support / Sign Out © 2020 O'Reilly Media, Inc. Terms of Service / Privacy Policy

4. Ethical hacking

5. Penetration testing

18. Which of the following cannot be performed adequately using an automated tool?

1. Checking for current patches

2. Confirming configuration settings

3. Vulnerability assessment

4. Scanning for known weaknesses

5. Ethical hacking

19. What is the key factor that determines how valuable and relevant a vulnerability assessment's report is?

1. Timeliness of the database

2. Whether the product is open sourced

3. The platform hosting the scanning engine

4. The time of day the scan is performed

5. The available bandwidth on the network

20. What is the primary purpose of a post-mortem assessment review?

1. Reducing costs

2. Adding new tools and resources

3. Placing blame on an individual

4. Learning from mistakes

5. Extending the length of time consumed by a task

PREV 5. Network Security Implementation⏮

NEXT 7. Exploring the Depths of Firewalls ⏭