Chapter 15 – Securing Your Network

 

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

patterns & practices Developer Center

Improving Web Application Security: Threats and Countermeasures

J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan
Microsoft Corporation

Published: June 2003

See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.

See the Landing Page for the starting point and a complete overview of Improving Web Application Security: Threats and Countermeasures.

Summary: This chapter presents an overview of the top network level threats and provides associated countermeasures. The chapter covers security issues and configuration settings to be applied to routers, firewalls and switches.

Contents

In This Chapter
Overview
How to Use This Chapter
Threats and Countermeasures
Methodology
Router Considerations
Firewall Considerations
Switch Considerations
Additional Considerations
Snapshot of a Secure Network
Summary
Additional Resources

In This Chapter

  • Securing your network
  • Identifying network threats and describing countermeasures
  • Showing secure router, firewall, and switch configurations
  • Providing a snapshot of a secure network

Overview

The network is the entry point to your application. It provides the first gatekeepers that control access to the various servers in your environment. Servers are protected with their own operating system gatekeepers, but it is important not to allow them to be deluged with attacks from the network layer. It is equally important to ensure that network gatekeepers cannot be replaced or reconfigured by imposters. In a nutshell, network security involves protecting network devices and the data that they forward.

The basic components of a network, which act as the front-line gatekeepers, are the router, the firewall, and the switch. Figure 15.1 shows these core components.


Figure 15.1

Network components: router, firewall, and switch

How to Use This Chapter

This chapter provides a methodology and steps for securing a network. The methodology can be adapted for your own scenario. The steps put the methodology into practice.

To get the most out of this chapter:

  • Read Chapter 2, "Threats and Countermeasures." This will give you a better understanding of potential threats to Web applications.
  • Use the snapshot. Table 15.3, which is at the end of this chapter, provides a snapshot of a secure network. Use this table as a reference when configuring your network.
  • Use the Checklist. Use "Checklist: Securing Your Network" in the "Checklist" section of this guide, to quickly evaluate and scope the required steps. The checklist will also help you complete the individual steps.
  • Use vendor details to implement the guidance. The guidance in this chapter is not specific to any particular network hardware or software vendor. Consult your vendor's documentation for specific instructions on how to implement the countermeasures given in this chapter.

Threats and Countermeasures

An attacker looks for poorly configured network devices to exploit. Common vulnerabilities include weak default installation settings, wide-open access controls, and unpatched devices. The following are high-level network threats:

  • Information gathering
  • Sniffing
  • Spoofing
  • Session hijacking
  • Denial of service

With knowledge of the threats that can affect the network, you can apply effective countermeasures.

Information Gathering

Information gathering can reveal detailed information about network topology, system configuration, and network devices. An attacker uses this information to mount targeted attacks on the vulnerabilities that were discovered.

Vulnerabilities

Common vulnerabilities that make your network susceptible to an attack include:

  • The inherently insecure nature of the TCP/IP protocol suite
  • Configuration information provided by banners
  • Exposed services that should be blocked

Attacks

Common information-gathering attacks include:

  • Using Tracert to detect network topology
  • Using Telnet against open ports to grab service banners
  • Using port scans to detect open ports
  • Using broadcast requests to enumerate hosts on a subnet

Countermeasures

You can employ the following countermeasures:

  • Use generic service banners that do not give away configuration information such as software versions or names.
  • Use firewalls to mask services that should not be publicly exposed.

Sniffing

Sniffing, also called eavesdropping, is the act of monitoring network traffic for data, such as clear-text passwords or configuration information. With a simple packet sniffer, all plaintext traffic can be read easily. Weak encryption or lightweight hashing offers little more protection: a captured payload that was thought to be safe can be cracked offline and its contents recovered.

Vulnerabilities

Common vulnerabilities that make your network susceptible to data sniffing include:

  • Weak physical security
  • Lack of encryption when sending sensitive data
  • Services that communicate in plain text or weak encryption or hashing

Attacks

The attacker places packet sniffing tools on the network to capture all traffic.

Countermeasures

Countermeasures include the following:

  • Strong physical security that prevents rogue devices from being placed on the network
  • Encrypted credentials and application traffic over the network

Spoofing

Spoofing, also called identity obfuscation, is a means to hide one's true identity on the network. A fake source address is used that does not represent the actual packet originator's address. Spoofing can be used to hide the original source of an attack or to work around network access control lists (ACLs) that are in place to limit host access based on source address rules.

Vulnerabilities

Common vulnerabilities that make your network susceptible to spoofing include:

  • The inherently insecure nature of the TCP/IP protocol suite
  • Lack of ingress and egress filtering. Ingress filtering is the filtering of any IP packets with untrusted source addresses before they have a chance to enter and affect your system or network. Egress filtering is the process of filtering outbound traffic from your network.

Attacks

An attacker can use several tools to modify outgoing packets so that they appear to originate from an alternate network or host.

Countermeasures

You can use ingress and egress filtering on perimeter routers.

Session Hijacking

With session hijacking, which is commonly carried out as a man-in-the-middle attack, the attacker uses an application that masquerades as either the client or the server. This results in either the server or the client being tricked into thinking that the upstream host is the legitimate host. However, the upstream host is actually an attacker's host that is manipulating the network so that it appears to be the desired destination. Session hijacking can be used to obtain logon information that can then be used to gain access to a system or to confidential information.

Vulnerabilities

Common vulnerabilities that make your network susceptible to session hijacking include:

  • Weak physical security
  • The inherent insecurity of the TCP/IP protocol suite
  • Unencrypted communication

Attacks

An attacker can use several tools to combine spoofing, routing changes, and packet manipulation.

Countermeasures

Countermeasures include the following:

  • Session encryption
  • Stateful inspection at the firewall

Denial of Service

A denial of service attack is the act of denying legitimate users access to a server or services. Network-layer denial of service attacks usually try to deny service by flooding the network with traffic, which consumes the available bandwidth and resources.

Vulnerabilities

Vulnerabilities that increase the opportunities for denial of service include:

  • The inherent insecurity of the TCP/IP protocol suite
  • Weak router and switch configuration
  • Unencrypted communication
  • Service software bugs

Attacks

Common denial of service attacks include:

  • Brute force packet floods, such as cascading broadcast attacks
  • SYN flood attacks
  • Service exploits, such as buffer overflows

Countermeasures

Countermeasures include:

  • Filtering broadcast requests
  • Filtering Internet Control Message Protocol (ICMP) requests
  • Patching and updating of service software

Methodology

Security begins with an understanding of how the system or network that needs to be secured works. This chapter breaks down network security by devices, which allows you to focus on single points of configuration.

In keeping with this guide's philosophy, this chapter uses the approach of analyzing potential threats; without these analyses, it's impossible to properly apply security.

The network infrastructure can be broken into the following three layers: access, distribution, and core. These layers contain all of the hardware necessary to control access to and from internal and external resources. The chapter focuses on the software that drives the network hardware that is responsible for delivering ASP.NET applications. The recommendations apply to an Internet or intranet-facing Web zone and therefore might not apply to your internal or corporate network.

The following are the core network components:

  • Router
  • Firewall
  • Switch

Router

The router is the outermost security gate. It is responsible for forwarding IP packets to the networks to which it is connected. These packets can be inbound requests from Internet clients to your Web server, request responses, or outgoing requests from internal clients. The router should be used to block unauthorized or undesired traffic between networks. The router itself must also be secured against reconfiguration by using secure administration interfaces and ensuring that it has the latest software patches and updates applied.

Firewall

The role of the firewall is to block all unnecessary ports and to allow traffic only on the ports that are required. The firewall must be capable of monitoring incoming requests to prevent known attacks from reaching the Web server. Coupled with intrusion detection, the firewall is a useful tool for preventing attacks and detecting intrusion attempts, or in worst-case scenarios, the source of an attack.

Like the router, the firewall runs on an operating system that must be patched regularly. Its administration interfaces must be secured and unused services must be disabled or removed.

Switch

The switch has a smaller role in a secure network environment than the router or the firewall. Switches are designed to improve network performance and to ease administration; for that reason many of them can be reconfigured simply by sending specially formatted packets (for example, SNMP requests) to them, which is a risk if those interfaces are left open. For more information, see "Switch Considerations" later in this chapter.

Router Considerations

The router is the very first line of defense. It provides packet routing, and it can also be configured to block or filter the forwarding of packet types that are known to be vulnerable or used maliciously, such as ICMP or Simple Network Management Protocol (SNMP).

If you don't have control of the router, there is little you can do to protect your network beyond asking your ISP what defense mechanisms they have in place on their routers.

The configuration categories for the router are:

  • Patches and updates
  • Protocols
  • Administrative access
  • Services
  • Auditing and logging
  • Intrusion detection

Patches and Updates

Subscribe to alert services provided by the manufacturer of your networking hardware so that you can stay current with both security issues and service patches. As vulnerabilities are found — and they inevitably will be found — good vendors make patches available quickly and announce these updates through e-mail or on their Web sites. Always test the updates before implementing them in a production environment.

Protocols

Denial of service attacks often take advantage of protocol-level vulnerabilities, for example, by flooding the network. To counter this type of attack, you should:

  • Use ingress and egress filtering.
  • Screen ICMP traffic from the internal network.

Use Ingress and Egress Filtering

Spoofed packets are a hallmark of probes, attacks, and a knowledgeable attacker. An incoming packet on the external interface that carries an internal source address cannot be legitimate; it indicates an intrusion attempt or probe and should be denied entry to the perimeter network. Likewise, set up your router to forward outgoing packets only if they carry a valid internal source address. Verifying outgoing packets does not protect you from a denial of service attack, but it does keep spoofed attacks from originating on your network.

This type of filtering also makes the originator of an attack traceable to its true source, since the attacker would have to use a valid, legitimately reachable source address. For more information, see "Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing" at http://www.rfc-editor.org/rfc/rfc2267.txt. (RFC 2267 has since been superseded by RFC 2827, also published as BCP 38, which carries the same guidance.)

Screen ICMP Traffic from the Internal Network

ICMP is a stateless protocol that sits on top of IP and allows host availability information to be verified from one host to another. Commonly used ICMP messages are shown in Table 15.1.

Table 15.1   Commonly Used ICMP Messages

Message                  Description
Echo request             Determines whether an IP node (a host or a router) is available on the network
Echo reply               Replies to an ICMP echo request
Destination unreachable  Informs the host that a datagram cannot be delivered
Source quench            Informs the host to lower the rate at which it sends datagrams because of congestion
Redirect                 Informs the host of a preferred route
Time exceeded            Indicates that the time to live (TTL) of an IP datagram has expired

Blocking ICMP traffic at the outer perimeter router protects you from attacks such as cascading ping floods, and other ICMP weaknesses (redirects that alter host routing, for example) also justify restricting the protocol. While ICMP is useful for troubleshooting, it can also be used for network discovery and mapping. Therefore, control the use of ICMP. If you must permit it, allow only the specific message types you need, such as echo replies to internal hosts, rather than the whole protocol.

Prevent TTL Expired Messages with Values of 1 or 0

Trace routing sends probe packets with a TTL of 1, then 2, and so on; each router that decrements a probe's TTL to 0 discards it and returns an ICMP Time Exceeded message, which reveals that hop's address. Trace routing is therefore a means to collect network topology information. By blocking these probes, or the Time Exceeded replies they provoke, at the perimeter, you prevent an attacker from learning details about your network from trace routes.

Do Not Receive or Forward Directed Broadcast Traffic

Directed broadcast traffic can be used to enumerate hosts on a network and as a vehicle for a denial of service attack. For example, by blocking specific source addresses, you prevent malicious echo requests from causing cascading ping floods. Source addresses that should be filtered are shown in Table 15.2.

Table 15.2   Source Addresses That Should be Filtered

Source address        Description
0.0.0.0/8             Historical broadcast
10.0.0.0/8            RFC 1918 private network
127.0.0.0/8           Loopback
169.254.0.0/16        Link local networks
172.16.0.0/12         RFC 1918 private network
192.0.2.0/24          TEST-NET
192.168.0.0/16        RFC 1918 private network
224.0.0.0/4           Class D multicast
240.0.0.0/5           Class E reserved
248.0.0.0/5           Unallocated
255.255.255.255/32    Broadcast

For more information on broadcast suppression using Cisco routers, see "Configuring Broadcast Suppression" on the Cisco Web site at http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd802ca5d6.html.
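
The following is an added example, not code from the chapter: a pure-Python model of the ingress and egress rules described under "Use Ingress and Egress Filtering" above, combined with the source-address block list in Table 15.2. It assumes a hypothetical site prefix of 203.0.113.0/24 (a documentation range standing in for your real public block); the bogon prefixes come straight from the table. On a real router the same decisions are expressed as interface ACLs, but the logic is identical and this version can be run against any list of addresses to confirm what the ACL should do.

```python
"""Ingress/egress source-address filter for a perimeter router.

Added example (not from the original chapter): a pure-Python model of the
ingress and egress rules described in the text, using the bogon prefixes
from Table 15.2 plus an assumed internal prefix.
"""
import ipaddress

# Table 15.2 source addresses, exactly as listed in the chapter.
BOGON_SOURCES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/5", "248.0.0.0/5", "255.255.255.255/32",
)]

# Assumption: the site's own routed prefix (hypothetical documentation range).
INTERNAL_NET = ipaddress.ip_network("203.0.113.0/24")


def ingress_decision(src: str) -> str:
    """Decision for a packet arriving on the Internet-facing interface.

    Deny bogon sources and any packet claiming to come from our own prefix:
    such a packet cannot legitimately arrive from outside (RFC 2827 / BCP 38,
    the successor of the RFC 2267 document cited in the chapter).
    """
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGON_SOURCES):
        return "deny: bogon source"
    if addr in INTERNAL_NET:
        return "deny: spoofed internal source on external interface"
    return "permit"


def egress_decision(src: str) -> str:
    """Decision for a packet leaving on the Internet-facing interface.

    Forward only if the source is inside our prefix, so spoofed floods cannot
    originate from this network and whatever does leave is traceable to us.
    """
    addr = ipaddress.ip_address(src)
    if addr not in INTERNAL_NET:
        return "deny: source not in internal prefix"
    return "permit"


if __name__ == "__main__":
    # Constructed sample addresses: private, our own prefix, a normal
    # external host, and a multicast source.
    for s in ("10.1.2.3", "203.0.113.7", "198.51.100.9", "224.0.0.5"):
        print(f"ingress {s:>16} -> {ingress_decision(s)}")
    for s in ("203.0.113.7", "10.1.2.3", "198.51.100.9"):
        print(f"egress  {s:>16} -> {egress_decision(s)}")
```

Note that the ingress rule is stricter than the table alone: it also rejects the site's own prefix arriving from outside, which is the spoofing case the text describes.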

Administrative Access

From where will the router be accessed for administration purposes? Decide over which interfaces and ports an administration connection is allowed and from which network or host the administration is to be performed. Restrict access to those specific locations. Do not leave an Internet-facing administration interface available without encryption and countermeasures to prevent hijacking. In addition:

  • Disable unused interfaces.
  • Apply strong password policies.
  • Use static routing.
  • Audit Web facing administration interfaces.

Disable Unused Interfaces

Only required interfaces should be enabled on the router. An unused interface is not monitored or controlled, and it is probably not updated. This might expose you to unknown attacks on those interfaces.

Apply Strong Password Policies

Brute force password tools do more than dictionary attacks. They also try common substitutions in which a letter is replaced by a digit or symbol, so a password such as "p4ssw0rd" is cracked almost as quickly as "password". Always use uppercase and lowercase letters, numbers, and symbols in combination when creating passwords, and avoid any dictionary word as the base.
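
As an added illustration of the point above (this is not code from the chapter), the following policy check undoes the common digit-for-letter substitutions before looking the candidate up in a word list, so "p4ssw0rd" is rejected as the dictionary word it really is. The word list is a constructed stand-in for a real cracking dictionary, and the 12-character minimum is an assumed policy value.

```python
"""Administrative password policy check that sees through substitutions.

Added example, not part of the chapter. COMMON_WORDS is a constructed
stand-in for a real cracking wordlist; the 12-character minimum is an
assumption.
"""
import string

COMMON_WORDS = {"password", "admin", "cisco", "router", "letmein", "secret"}

# Substitutions that cracking tools try alongside plain dictionary words.
LEET_MAP = str.maketrans({
    "4": "a", "@": "a", "3": "e", "1": "l", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def normalise(pw: str) -> str:
    """Fold case and undo letter->digit/symbol substitutions."""
    return pw.lower().translate(LEET_MAP)


def check_password(pw: str, min_len: int = 12):
    """Return (accepted, reasons).

    Rejects on length, on a missing character class, or on a dictionary
    word surviving anywhere inside the normalised form.
    """
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    classes = {
        "uppercase": any(c.isupper() for c in pw),
        "lowercase": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        reasons.append("missing " + ", ".join(missing))
    base = normalise(pw)
    found = sorted(w for w in COMMON_WORDS if w in base)
    if found:
        reasons.append("contains dictionary word(s) after normalisation: "
                       + ", ".join(found))
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed candidates: the chapter's example, a "hardened" variant
    # of it that still fails, and one with no dictionary base.
    for candidate in ("p4ssw0rd", "P@ssw0rd!2003", "Tr0ub4dor&3Crate"):
        ok, why = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected: ' + '; '.join(why)}")
```

The second candidate satisfies every character-class rule yet still fails, which is the situation the text warns about: character-class rules alone do not stop substitution-based cracking.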

Use Static Routing

Static routing prevents specially formed packets from changing routing tables on your router. An attacker might try to change routes to cause denial of service or to forward requests to a rogue server. By using static routes, an administrative interface must first be compromised to make routing changes.

Audit Web Facing Administration Interfaces

Also determine whether internal access can be configured. When possible, shut down the external administration interface and use internal access methods with ACLs.

Services

On a deployed router, every open port is associated with a listening service. To reduce the attack surface area, default services that are not required should be shut down. Examples include bootps and Finger, which are rarely required. You should also scan your router to detect which ports are open.

Auditing and Logging

Configure the router to log all deny actions (on many routers this is the default behavior; do not change it). Also secure log files by sending them to a central location. Modern routers have an array of logging features that include the ability to set severities based on the data logged. Establish an auditing schedule to routinely inspect logs for signs of intrusion and probing.

Intrusion Detection

With restrictions in place at the router to prevent TCP/IP attacks, the router should be able to identify when an attack is taking place and notify a system administrator of the attack.

Attackers learn what your security priorities are and attempt to work around them. Intrusion Detection Systems (IDSs) can show where the perpetrator is attempting attacks.

Firewall Considerations

A firewall should exist anywhere you interact with an untrusted network, especially the Internet. It is also recommended that you separate your Web servers from downstream application and database servers with an internal firewall.

After the router, with its broad filters and gatekeepers, the firewall is the next point of attack. In many (if not most) cases, you do not have administrative access to the upstream router. Many of the filters and ACLs that apply to the router can also be implemented at the firewall. The configuration categories for the firewall include:

  • Patches and updates
  • Filters
  • Auditing and logging
  • Perimeter networks
  • Intrusion detection

Patches and Updates

Subscribe to alert services provided by the manufacturer of your firewall and operating system to stay current with both security issues and service patches.

Filters

Filtering published ports on a firewall can be an effective and efficient method of blocking malicious packets and payloads. Filters range from simple packet filters that restrict traffic at the network layer based on source and destination IP addresses and port numbers, to complex application filters that inspect application-specific payloads. A defense in depth approach that uses layered filters is a very effective way to block attacks. There are five common types of firewall filters:

  • Packet filters

    These can filter packets based on protocol, source or destination port number and source or destination address, or computer name. IP packet filters are static, and communication through a specific port is either allowed or blocked. Blocked packets are usually logged, and a secure packet filter denies by default.

    At the network layer, the payload is unknown and might be dangerous. More intelligent types of filtering must be configured to inspect the payload and make decisions based on access control rules.

  • Circuit-level filters

    These inspect sessions rather than payload data. An inbound or outbound client makes a request directly against the firewall/gateway, and in turn the gateway initiates a connection to the server and acts as a broker between the two connections. With knowledge of application connection rules, circuit-level filters ensure valid interactions. They do not inspect the actual payload, but they do track session state (for example, TCP sequence numbers) to ensure packet integrity and to prevent session hijacking and replay.

  • Application filters

    Smart application filters can analyze a data stream for an application and provide application-specific processing, including inspecting, screening or blocking, redirecting, and even modifying the data as it passes through the firewall. Application filters protect against attacks such as the following:

    • Unsafe SMTP commands
    • Attacks against internal DNS servers.
    • HTTP-based attacks (for example, Code Red and Nimda, which use application-specific knowledge)

    For example, an application filter can block an HTTP DELETE, but allow an HTTP GET. The capabilities of content screening, including virus detection, lexical analysis, and site categorization, make application filters very effective in Web scenarios both as security measures and in enforcement of business rules.

  • Stateful inspection

    Application filters are limited to knowledge of the payload of a packet and therefore make filtering decisions based only on the payload. Stateful inspection uses both the payload and its context (the session the packet belongs to) to determine filtering rules. Using the payload together with the session state allows stateful inspection rules to ensure session and communication integrity. Inspecting packets, their payload, and their sequence limits the scalability of stateful inspection.

  • Custom application filters

    These filters ensure the integrity of application server/client communication.

When you use filters at multiple levels of the network stack, it helps make your environment more secure. For example, a packet filter can be used to block TCP traffic destined for any port other than port 80, and an application filter might further restrict traffic based on the HTTP verb, for example by blocking HTTP DELETE.
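
The following added example (not code from the chapter or from any firewall vendor) models the layering just described over constructed packets: a packet filter that admits only TCP port 80 to the published Web server and denies everything else by default, a stateful layer that passes inbound data only on a tracked connection and caps half-open connections per source so a SYN flood is throttled, and an application filter that allows GET, HEAD and POST but drops DELETE. The Web server address, the half-open limit and the packet structure are assumptions for the demonstration.

```python
"""Layered firewall filters over constructed packets (added example).

Not code from the chapter or any vendor: a small model of the three
layers the text describes, stacked in order: packet filter -> stateful
inspection -> application filter. The server address and the half-open
limit are assumptions; the packets fed in are constructed.
"""
from dataclasses import dataclass, field

WEB_SERVER = "203.0.113.10"   # assumed published host
HALF_OPEN_LIMIT = 3           # assumed per-source budget of unanswered SYNs


@dataclass
class Packet:
    direction: str      # "in" (from the untrusted network) or "out"
    src: str
    dst: str
    sport: int
    dport: int
    flags: str          # "S", "SA", "A", "PA" (TCP flag shorthand)
    payload: bytes = b""


@dataclass
class Firewall:
    conns: dict = field(default_factory=dict)      # 4-tuple -> state
    half_open: dict = field(default_factory=dict)  # src -> unanswered SYNs

    @staticmethod
    def key(p: Packet):
        """Canonical (client, cport, server, sport) tuple for either direction."""
        if p.direction == "in":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def packet_filter(self, p: Packet) -> bool:
        """Layer 1: only TCP/80 to the Web server in, only its replies out."""
        if p.direction == "in":
            return p.dst == WEB_SERVER and p.dport == 80
        return p.src == WEB_SERVER and p.sport == 80

    def stateful(self, p: Packet) -> bool:
        """Layer 2: track the handshake; drop out-of-state packets and SYN floods."""
        k = self.key(p)
        if p.direction == "in" and p.flags == "S":
            if k in self.conns:                       # retransmitted SYN
                return True
            if self.half_open.get(p.src, 0) >= HALF_OPEN_LIMIT:
                return False                          # likely SYN flood
            self.conns[k] = "SYN_RECEIVED"
            self.half_open[p.src] = self.half_open.get(p.src, 0) + 1
            return True
        state = self.conns.get(k)
        if state is None:
            return False                              # no tracked connection
        if p.direction == "out" and p.flags == "SA" and state == "SYN_RECEIVED":
            self.conns[k] = "SYN_ACKED"
        elif p.direction == "in" and p.flags == "A" and state == "SYN_ACKED":
            self.conns[k] = "ESTABLISHED"
            self.half_open[p.src] = max(0, self.half_open[p.src] - 1)
        return True

    def application(self, p: Packet) -> bool:
        """Layer 3: HTTP verb allowlist on inbound request data."""
        if p.direction != "in" or not p.payload:
            return True
        verb = p.payload.split(b" ", 1)[0]
        return verb in {b"GET", b"HEAD", b"POST"}

    def process(self, p: Packet) -> str:
        """Run the layers in order; report which one dropped the packet."""
        for name, layer in (("packet", self.packet_filter),
                            ("state", self.stateful),
                            ("app", self.application)):
            if not layer(p):
                return f"drop ({name})"
        return "pass"


if __name__ == "__main__":
    fw, client = Firewall(), "198.51.100.7"
    print(fw.process(Packet("in", client, WEB_SERVER, 40001, 22, "S")))
    print(fw.process(Packet("in", client, WEB_SERVER, 40002, 80, "S")))
    print(fw.process(Packet("out", WEB_SERVER, client, 80, 40002, "SA")))
    print(fw.process(Packet("in", client, WEB_SERVER, 40002, 80, "A")))
    print(fw.process(Packet("in", client, WEB_SERVER, 40002, 80, "PA", b"GET / HTTP/1.1")))
    print(fw.process(Packet("in", client, WEB_SERVER, 40002, 80, "PA", b"DELETE /x HTTP/1.1")))
```

The order matters: the cheap packet filter discards most junk before the stateful table is consulted, which is also why the text notes that stateful inspection limits scalability if asked to see everything.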

Logging and Auditing

Logging all incoming and outgoing requests — regardless of firewall rules — allows you to detect intrusion attempts or, even worse, successful attacks that were previously undetected. Historically, network administrators sometimes had to analyze audit logs to determine how an attack succeeded. In those cases, administrators were able to apply solutions to the vulnerabilities, learn how they were compromised, and discover other vulnerabilities that existed.

Apply the following policies for logging and log auditing.

  • Log all traffic that passes through the firewall.
  • Maintain healthy log cycling that allows quick data analysis. The more data you have, the larger the log file size.
  • Make sure the firewall clock is synchronized with the other network hardware.
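
The logs called for here, and in "Auditing and Logging" under Router Considerations above, are only useful if someone actually looks for the probing patterns the chapter describes. The following added example (not from the chapter) parses a constructed, generic deny log and flags two of them: a source that walks many ports in a short window (a port scan) and sources that are repeatedly denied on management ports. The log format, the sample lines, and the thresholds are all assumptions; real firewalls log differently and only the regular expression needs to change. Unparseable lines are counted rather than discarded, because a silent format change is itself something to notice.

```python
"""Scan firewall deny logs for probing (added example, not from the chapter).

Input is a constructed, generic log format:
    <ISO time> <host> <PERMIT|DENY> <proto> <src>:<sport> -> <dst>:<dport>
Real firewalls differ; adjust LINE_RE to the format you actually log.
Thresholds (8 ports in 60 seconds, the admin-port list) are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>PERMIT|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one source walks common ports within a few seconds,
# another makes a couple of stray attempts, and one line is unparseable.
SAMPLE_LOG = """\
2003-06-01T10:00:01Z fw1 DENY TCP 198.51.100.9:40001 -> 203.0.113.10:21
2003-06-01T10:00:01Z fw1 DENY TCP 198.51.100.9:40002 -> 203.0.113.10:22
2003-06-01T10:00:02Z fw1 DENY TCP 198.51.100.9:40003 -> 203.0.113.10:23
2003-06-01T10:00:02Z fw1 DENY TCP 198.51.100.9:40004 -> 203.0.113.10:25
2003-06-01T10:00:03Z fw1 DENY TCP 198.51.100.9:40005 -> 203.0.113.10:53
2003-06-01T10:00:03Z fw1 PERMIT TCP 198.51.100.9:40006 -> 203.0.113.10:80
2003-06-01T10:00:04Z fw1 DENY TCP 198.51.100.9:40007 -> 203.0.113.10:110
2003-06-01T10:00:04Z fw1 DENY TCP 198.51.100.9:40008 -> 203.0.113.10:143
2003-06-01T10:00:05Z fw1 DENY TCP 198.51.100.9:40009 -> 203.0.113.10:443
2003-06-01T10:00:05Z fw1 DENY TCP 198.51.100.9:40010 -> 203.0.113.10:3389
2003-06-01T10:00:06Z fw1 DENY TCP 198.51.100.9:40011 -> 203.0.113.10:8080
2003-06-01T10:05:00Z fw1 PERMIT TCP 192.0.2.44:51000 -> 203.0.113.10:80
2003-06-01T10:06:00Z fw1 DENY TCP 192.0.2.44:51001 -> 203.0.113.10:23
2003-06-01T11:00:00Z fw1 DENY UDP 192.0.2.44:51002 -> 203.0.113.10:161
this line is garbage and must be counted as unparsed, not dropped silently
"""


def parse(lines):
    """Return (parsed events, number of lines that did not match the format)."""
    events, unparsed = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["dport"] = int(e["dport"])
        events.append(e)
    return events, unparsed


def find_port_scans(events, min_ports=8, window=timedelta(seconds=60)):
    """Sources whose denied packets hit >= min_ports distinct ports inside one window."""
    denied = defaultdict(list)
    for e in events:
        if e["action"] == "DENY":
            denied[e["src"]].append(e)
    scans = {}
    for src, evs in denied.items():
        evs.sort(key=lambda ev: ev["ts"])
        for i, first in enumerate(evs):
            ports = {ev["dport"] for ev in evs[i:] if ev["ts"] - first["ts"] <= window}
            if len(ports) >= min_ports:
                scans[src] = len(ports)
                break
    return scans


def find_admin_probes(events, admin_ports=(22, 23, 161)):
    """Sources denied on management ports (SSH, Telnet, SNMP), i.e. probing admin interfaces."""
    probes = defaultdict(set)
    for e in events:
        if e["action"] == "DENY" and e["dport"] in admin_ports:
            probes[e["src"]].add(e["dport"])
    return {src: sorted(ports) for src, ports in probes.items()}


if __name__ == "__main__":
    evs, bad = parse(SAMPLE_LOG.splitlines())
    print(f"{len(evs)} events parsed, {bad} unparsed line(s)")
    print("port scans  :", find_port_scans(evs))
    print("admin probes:", find_admin_probes(evs))
```

The window-based scan check depends on the timestamps being trustworthy, which is the practical reason behind the clock-synchronization item in the list above: events from a firewall whose clock drifts cannot be correlated with the router or IDS logs.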

Perimeter Networks

A firewall should exist anywhere your servers interact with an untrusted network. If your Web servers connect to a back-end network, such as a bank of database servers or corporate network, a screen should exist to isolate the two networks. While the Web zone has the greatest degree of exposure, a compromise in the Web zone should not result in the compromise of downstream networks.

By default, the perimeter network should block all outbound connections except those that are expected.

Advantages of a Perimeter Network

The perimeter network provides the following advantages:

  • Hosts are not directly exposed to untrusted networks.
  • Exposed or published services are the only point of external attack.
  • Security rules can be enforced for access between networks.

Disadvantages of a Perimeter Network

The disadvantages of a perimeter network include:

  • Network complexity
  • IP address allocation and management
  • Requirement that the application architecture accommodate the perimeter network design

Switch Considerations

A switch is responsible for forwarding packets directly to a host or network segment, rather than sharing the data with the entire network. Therefore, traffic is not shared between switched segments. This is a preventive measure against packet sniffing between networks. An attacker can circumvent this security by reconfiguring switching rules using easily accessed administrative interfaces, including known account names and passwords and SNMP packets.

The following configuration categories are used to ensure secure switch configuration:

  • Patches and updates
  • Virtual Local Area Networks (VLANs)
  • Insecure defaults
  • Services
  • Encryption

Patches and Updates

Patches and updates must be tested and installed as soon as they are available.

VLANs

Virtual LANs allow you to separate network segments and apply access control based on security rules. Keep in mind, however, that a VLAN is primarily a performance and management feature and does not by itself provide a security boundary. Limit the use of VLANs to the perimeter network (behind the firewall), since switches expose many insecure interfaces for ease of administration. For more information about VLANs, see the article "Configuring VLANS" on the Cisco Web site.

Insecure Defaults

To make sure that insecure defaults are secured, change all factory default passwords and SNMP community strings to prevent network enumeration or total control of the switch. Also investigate and identify potentially undocumented accounts and change the default names and passwords. These types of accounts are often found on well-known switch types and are well publicized and known by attackers.

Services

Make sure that all unused services are disabled. Also make sure that Trivial File Transfer Protocol (TFTP) is disabled, Internet-facing administration points are removed, and ACLs are configured to limit administrative access.

Encryption

Although it is not traditionally implemented at the switch, data encryption over the wire ensures that sniffed packets are useless in cases where a monitor is placed on the same switched segment or where the switch is compromised, allowing sniffing across segments.

Additional Considerations

The following considerations can further improve network security:

  • Ensure that clocks are synchronized on all network devices. Set the network time and have all sources synchronized to a known, reliable time source.
  • Use Terminal Access Controller Access Control System (TACACS) or Remote Authentication Dial-In User Service (RADIUS) authentication for highly secure environments as a means of limiting administrative access to the network.
  • Define an IP network that can be easily secured using ACLs at subnets or network boundaries whenever possible.

Snapshot of a Secure Network

Table 15.3 provides a snapshot of the characteristics of a secure network. The security settings are abstracted from industry security experts and real-world applications in secure deployments. You can use the snapshot as a reference point when evaluating your own solution.

Table 15.3   Snapshot of a Secure Network

Component / Category          Characteristic

Router
  Patches and updates         Router operating system is patched with up-to-date software.
  Protocols                   Unused protocols and ports are blocked.
                              Ingress and egress filtering is implemented.
                              ICMP traffic is screened from the internal network.
                              TTL expired messages with values of 1 or 0 are blocked (route tracing is disabled).
                              Directed broadcast traffic is not forwarded.
                              Large ping packets are screened.
                              Routing Information Protocol (RIP) packets, if used, are blocked at the outermost router.
  Administrative access       Unused management interfaces on the router are disabled.
                              A strong administration password policy is enforced.
                              Static routing is used.
                              Web-facing administration is disabled.
  Services                    Unused services are disabled (for example, bootps and Finger).
  Auditing and logging        Logging is enabled for all denied traffic.
                              Logs are centrally stored and secured.
                              Auditing against the logs for unusual patterns is in place.
  Intrusion detection         IDS is in place to identify and notify of an active attack.

Firewall
  Patches and updates         Firewall software and OS are patched with the latest security updates.
  Filters                     Packet filtering policy blocks all but required traffic in both directions.
                              Application-specific filters are in place to restrict unnecessary traffic.
  Logging and auditing        All permitted traffic is logged.
                              Denied traffic is logged.
                              Logs are cycled with a frequency that allows quick data analysis.
                              All devices on the network are synchronized to a common time source.
  Perimeter networks          Perimeter network is in place if multiple networks require access to servers.
                              Firewall is placed between untrusted networks.

Switch
  Patches and updates         Latest security patches are tested and installed, or the threat from known vulnerabilities is mitigated.
  VLANs                       VLANs are not overused or overly trusted.
  Insecure defaults           All factory passwords are changed.
                              Minimal administrative interfaces are available.
                              Access controls are configured to secure SNMP community strings.
  Services                    Unused services are disabled.
  Encryption                  Switched traffic is encrypted.

Other
  Log synchronization         All clocks on devices with logging capabilities are synchronized.
  Administrative access       TACACS or RADIUS is used to authenticate administrative users.
  Network ACLs                The network is structured so ACLs can be placed on hosts and networks.

Summary

Network security involves protecting network devices and the data that they forward to provide additional security for host servers. The primary network components that require secure configuration are the router, firewall, and switch.

This chapter has highlighted the top threats to your network infrastructure and has presented security recommendations and secure configurations that enable you to address these threats.

Additional Resources

For more information, see the following articles:


© Microsoft Corporation. All rights reserved.