Top Ten Tips to Make Attackers' Lives Hell
by Chris McNab, author of Network Security Assessment
I run a lot of penetration testing exercises against client networks and systems. A lot of the time, testing is relatively straightforward, as the network administrator is not filtering ICMP traffic, and my network scans are not proactively blocked. I love this type of testing, as it's easy and quick to undertake.
What I don't like, however, is when security-conscious administrators lay down a number of hurdles between me and the target systems. In these situations, a test that would usually take two days to undertake now takes a week's worth of my time! By laying down such hurdles, you can force attackers (and security consultants) to go to much more effort in trying to map your networks, identify services, and applications, and effectively attack and compromise them.
This article is a breakdown of my top ten tips for all network administrators, to protect your networks from opportunistic threats and make it hard for the more determined attackers to get anywhere fast.
When I undertake testing work against Internet-based networks and systems of clients, I always start out with an ICMP ping-sweep to identify obvious, poorly protected servers that I should investigate further. In a /24 subnet with 254 potential server addresses, it's always nice to narrow things down to the handful of accessible machines quickly.
If you filter such ICMP echo request (type 8, code 0) traffic at your border routers or firewalls, potential attackers are forced into port scanning all of the IP addresses in your subnet, which will dramatically increase the amount of time spent scanning your network. Most opportunistic attackers will also be deterred by this very simple change to your network.
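A sweep that is dropped at the border still shows up in the firewall's own logs, and counting how many distinct addresses a single source has probed is a cheap way to spot it. The following is an added example, not code from the article or from its author; it assumes the border firewall is Linux iptables with a LOG rule such as `iptables -A INPUT -p icmp --icmp-type echo-request -j LOG --log-prefix "FW-ICMP: "` placed before the DROP rule, and the log lines, addresses and threshold below are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag sources whose ICMP echo requests (type 8) touched more
# distinct destination hosts than a threshold, from iptables LOG output.
# The log lines are constructed samples in iptables LOG format (assumption:
# prefix "FW-ICMP: " and no MAC field); the addresses are documentation ranges.

sample_log() {
    cat <<'EOF'
Jan  5 10:01:02 fw kernel: FW-ICMP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=84 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Jan  5 10:01:02 fw kernel: FW-ICMP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.11 LEN=84 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=2
Jan  5 10:01:02 fw kernel: FW-ICMP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.12 LEN=84 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=3
Jan  5 10:01:03 fw kernel: FW-ICMP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.13 LEN=84 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=4
Jan  5 10:01:03 fw kernel: FW-ICMP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.13 LEN=84 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=5
Jan  5 10:02:10 fw kernel: FW-ICMP: IN=eth0 OUT= SRC=192.0.2.55 DST=203.0.113.10 LEN=84 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=17 SEQ=1
Jan  5 10:02:11 fw kernel: FW-ICMP: IN=eth0 OUT= SRC=192.0.2.55 DST=203.0.113.10 LEN=84 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=17 SEQ=2
Jan  5 10:02:12 fw kernel: FW-ICMP: IN=eth0 OUT= SRC=192.0.2.55 DST=203.0.113.10 LEN=56 TTL=64 ID=0 PROTO=ICMP TYPE=3 CODE=3
EOF
}

# Reads LOG lines on stdin; prints "<source> <distinct-hosts>" for every
# source that sent echo requests to at least $1 distinct hosts (default 3).
# Repeated probes of the same host count once, so a monitoring box pinging
# one server every second is not reported.
sweep_sources() {
    threshold="${1:-3}"
    awk -v thr="$threshold" '
        {
            src = ""; dst = ""; type = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^DST=/)   dst   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^TYPE=/)  type  = substr($i, 6)
            }
            if (proto != "ICMP" || type != "8" || src == "" || dst == "") next
            if (!seen[src SUBSEP dst]++) hosts[src]++
        }
        END { for (s in hosts) if (hosts[s] >= thr) print s, hosts[s] }
    '
}

# Stand-alone run: scan the constructed sample with the default threshold.
sample_log | sweep_sources
```

In production you would replace `sample_log` with something like `grep 'FW-ICMP:' /var/log/kern.log` and pick the threshold to suit the size of the subnet being watched; the 198.51.100.7 source above hits four hosts and is reported, while 192.0.2.55 only ever probes one host and is not.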
If you use nmap or similar port scanning tools in their default configuration, they send out thousands of TCP SYN packets to various ports in order to solicit responses and to identify accessible network services. A second, highly effective hurdle that works well with filtering of inbound ICMP ping messages is to configure your firewalls to perform SYN flood protection (supported in WatchGuard, Check Point, NetScreen, and many others).
SYN flood protection drops SYN packets from sources that have sent too many, traditionally resembling a denial-of-service attack. However, because port-scanning tools send thousands of SYN packets at very high speeds, these packets are often dropped by SYN flood-protection mechanisms as well.
Attackers can still port-scan and map your network and its services, but tools such as nmap and SuperScan must be reconfigured to increase the delay between sending SYN packets.
ICMP type 3 (unreachable) messages are used during a UDP port scan to identify closed UDP ports, and therefore to work out which UDP ports are open (as no ICMP "destination port unreachable" messages are seen for the open ports). The messages are also used by other security testing tools, such as firewalk, to assess the policies and rulesets of border routers and firewalls.
By filtering outbound ICMP type 3 messages, UDP port scanning is very difficult to undertake, and peripheral network testing techniques are also impeded.
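The three hurdles above (drop inbound echo requests, rate-limit SYNs per source, stop port-unreachable messages leaving the network) map onto a handful of firewall rules. The block below is an added example, not the article's own configuration nor a vendor ruleset; it targets Linux iptables rather than the commercial firewalls the article names, and the interface name, SYN budget and burst size are assumed placeholders to be tuned for a real link. It generates the rules as text so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: iptables rules implementing the ICMP and SYN hurdles above.
# Assumptions (not from the article): "eth0" is the Internet-facing interface,
# and 20 SYN/s with a burst of 40 is a sane per-source budget for this site.
WAN_IF="${WAN_IF:-eth0}"
SYN_RATE="${SYN_RATE:-20/second}"
SYN_BURST="${SYN_BURST:-40}"

# Emit the ruleset as text. Review it, then pipe into "sh" as root to apply.
border_rules() {
    cat <<EOF
# Tip 1: do not answer ICMP echo requests (type 8, code 0) from the Internet.
iptables -A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -j DROP

# Tip 2: SYN rate limit keyed on source address. A scanner that blasts SYNs
# exceeds the budget and is dropped; a normal client never gets near it.
iptables -N SYN_LIMIT
iptables -A INPUT -i $WAN_IF -p tcp --syn -j SYN_LIMIT
iptables -A SYN_LIMIT -m hashlimit --hashlimit-name syn_per_src --hashlimit-mode srcip --hashlimit-above $SYN_RATE --hashlimit-burst $SYN_BURST -j DROP
iptables -A SYN_LIMIT -j RETURN

# Tip 3: keep ICMP port-unreachable (type 3, code 3) from leaving the network,
# which is what UDP scanners rely on to tell closed ports from open ones.
# Other type 3 codes (notably 3/4 fragmentation-needed) are deliberately left
# alone so that path-MTU discovery for legitimate connections keeps working.
iptables -A OUTPUT -o $WAN_IF -p icmp --icmp-type port-unreachable -j DROP
EOF
}

# Apply the generated rules (requires root and the iptables hashlimit module).
apply_border_rules() {
    border_rules | sh
}

# Stand-alone run: print the rules for review.
border_rules
```

On a firewall that routes for a DMZ rather than terminating traffic itself, the same matches belong in the FORWARD chain (INPUT only protects the firewall host). Keep the SYN budget generous: many legitimate clients behind one NAT address share a single source IP, and a limit tuned too tightly turns the scanner defence into a self-inflicted outage.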
This is an obvious rule of thumb, I know, but I am still surprised when I test a network and it soon becomes apparent that certain publicly accessible servers are not placed in a DMZ configuration. To reiterate the rule, any publicly accessible Internet server (whether a mail, FTP, or web server) should be placed in a DMZ, in order to protect both the DMZ systems from the Internet, and the internal network systems from the DMZ.
URLScan is a great free filtering tool by Microsoft. It prevents all of the obvious, publicly known IIS web server attacks against your web servers from being effective by filtering access to unnecessary features and ISAPI extensions. Even if your web server turns out to be vulnerable to issues discovered in the future, the filtering that URLScan provides will protect you and buy you time to patch the server if the issue is serious.
Public access to Microsoft Outlook Web Access, POP3 email, and other user services only presents issues on three major fronts:
In network environments where security is important, access to user services should only be granted through authenticated VPN connections.
Reverse proxies used in enterprise web environments, web servers themselves, mail servers, and proxy servers are often misconfigured, allowing for mail, web, or other traffic to be sent to arbitrary internal or Internet-based services.
Useful tools to test for open proxies include:
Determined attackers like to identify and exploit the weak link in any chain. In large network environments, it is commonplace for home users to have access, via VPN or other connections, to sensitive internal systems and data. It is important that both personal firewall and anti-virus systems are properly configured and up to date, but more important still that remote users are vigilant and do not double-click mail attachments that could contain specially crafted Trojan code.
An effective way of protecting your administrator passwords from being compromised by attackers, and then used to completely control the internal Windows domain or Active Directory, is to investigate the use of two-factor authentication systems for administrative users, such as RSA SecurID or Secure Computing SafeWord. By using two-factor authentication, both brute-force attacks and authentication sniffing and replay attacks (such as SMBRelay and others) are negated.
Keeping up to date with the latest threats and tools is a must. I personally check into most of the mainstream security web sites every couple of days, browsing through the mailing lists, forums, and articles. Security sites to check in with include:
Chris McNab is the technical director of Matta, a vendor-independent security consulting outfit based in the United Kingdom.
O'Reilly & Associates published Network Security Assessment in January 2004.
Chapter 4, "IP Network Scanning," is available free online.
Copyright © 2009 O'Reilly Media, Inc.