It is critical to protect network hosts, such as workstation PCs and servers.
These hosts need to be secured as they are added to the network and updated
with security patches as they become available. Additional steps can be taken
to secure these hosts. Anti-virus, firewall, and intrusion detection are
valuable tools that can be used to secure network hosts. Because many business
resources may be contained on a single file server, it is especially important
for servers to be accessible and available.
Device Hardening
When a new operating system is installed on a computer, the
security settings are all set to the default values. In most cases this level
of security is inadequate. There are some simple steps that should be taken
that apply to most operating systems:
- Default usernames and passwords should be changed immediately.
- Access to the system resources should be restricted to only the individuals
that are authorized to use those resources.
- Any unnecessary services and applications should be turned off and
uninstalled when possible.
Personal Firewall
Personal computers connected to the Internet through a dialup connection, DSL,
or a cable modem are as vulnerable to attack as corporate networks. Personal
firewalls reside on the user's PC and attempt to prevent these attacks.
Personal firewalls are not designed for LAN implementations, unlike
appliance-based or server-based firewalls, and they may prevent network access
if installed with other networking clients, services, protocols, or adapters.
Some personal firewall software vendors include McAfee, Norton, Symantec, and
Zone Labs.
Anti-virus Software
Install host antivirus software
to protect against known viruses. Antivirus software can detect most viruses
and many Trojan horse applications, and prevent them from spreading in the
network.
Operating System Patches
The most effective way to mitigate any
worm and its variants is to patch all vulnerable systems. This is difficult
with uncontrolled user systems in the local network, and even more troublesome
if these systems are remotely connected to the network via a virtual private
network (VPN) or remote access server (RAS). Administering numerous systems
involves the creation of a standard software image that is deployed on new or
upgraded systems. These images may not contain the latest patches, and the
process of continually remaking the image in order to integrate the latest
patch may quickly become administratively time-consuming. Pushing patches out
to all systems requires that those systems be connected in some way to the
network, which may not be possible. One solution to the management of critical
security patches is to create a central patch server with which all systems
must communicate after a set period of time. Any patch available on the patch
server that has not been applied to a host would be automatically downloaded
and installed without user intervention. Determining which devices are
exploitable can also be simplified by using security auditing tools that look
for vulnerabilities.
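The check-in cycle of the central patch server described above, as an added example that is not part of the original text or any vendor's product: hosts report what they have installed, the server returns what is missing, and hosts that have not reported within the set period (the remote VPN/RAS case) are flagged. Host names, patch IDs and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# "Set period of time" after which every host must have reported to the server.
CHECKIN_PERIOD = timedelta(days=7)


@dataclass
class PatchServer:
    """Central patch server: knows the required patch set and each host's last report."""
    required: set[str]
    # host name -> (time of last check-in, patches the host reported installed)
    hosts: dict[str, tuple[datetime, set[str]]] = field(default_factory=dict)

    def checkin(self, host: str, installed: set[str], now: datetime) -> set[str]:
        """Record a host's report and return the patches it must download and install."""
        self.hosts[host] = (now, set(installed))
        return self.required - installed

    def stale_hosts(self, now: datetime) -> list[str]:
        """Hosts that have not checked in within CHECKIN_PERIOD (e.g. VPN/RAS users)."""
        return sorted(h for h, (seen, _) in self.hosts.items()
                      if now - seen > CHECKIN_PERIOD)

    def noncompliant(self) -> dict[str, set[str]]:
        """Hosts whose last report still lacks required patches, with what is missing."""
        return {h: self.required - inst for h, (_, inst) in self.hosts.items()
                if self.required - inst}


def demo() -> dict:
    """Walk through one reporting cycle with constructed hosts and patch IDs."""
    srv = PatchServer(required={"KB-001", "KB-002", "KB-003"})
    t0 = datetime(2024, 1, 1)
    # Workstation built from a stale standard image: the newest patch is absent.
    to_install = srv.checkin("ws-01", {"KB-001", "KB-002"}, t0)
    # The agent installs what the server returned, then reports back.
    srv.checkin("ws-01", {"KB-001", "KB-002"} | to_install, t0)
    # Fully patched server.
    srv.checkin("srv-01", {"KB-001", "KB-002", "KB-003"}, t0)
    # Remote laptop that last connected a month ago and cannot be pushed to.
    srv.checkin("laptop-07", {"KB-001"}, t0 - timedelta(days=30))
    now = t0 + timedelta(days=1)
    return {
        "ws_installed": to_install,
        "stale": srv.stale_hosts(now),
        "noncompliant": srv.noncompliant(),
    }
```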
Intrusion Detection and Prevention
Intrusion detection is the ability to detect attacks against a network and send
logs to a management console; it provides the following defense mechanism:
- Detection – Identifies malicious attacks on network and host
resources.
Intrusion prevention, on the other hand, is the ability to prevent attacks
against the network and should provide the following active defense
mechanisms:
- Detection – Identifies malicious attacks on network and host
resources.
- Prevention – Stops the detected attack from executing.
- Reaction – Immunizes the system from future attacks from a malicious
source.
Either technology can be implemented at the network level, the host level, or
both for maximum protection.
Host-based Intrusion Detection Systems
Host-based intrusion detection is typically implemented as inline or passive
technology, depending on the vendor. The passive technology, which was the
first-generation technology, is called a host-based intrusion detection system
(HIDS); it basically sends logs after the attack has occurred and the damage is
done. The inline technology, called a host-based intrusion prevention system
(HIPS), actually stops the attack and prevents damage and propagation of worms
and viruses.
Active detection can be set to shut down the network
connection or to stop the impacted services automatically. This has the benefit
of being able to quickly analyze an event and take corrective action. Cisco
provides HIPS using the Cisco Security Agent software.
Current host-based intrusion prevention software requires agent software to be
installed on each host, either server or desktop, to monitor activity performed
on and against the host. The agent software performs the intrusion detection
analysis and prevention, and it also sends logs and alerts to a centralized
management/policy server.
The advantage of HIPS is that it can monitor
operating system processes and protect critical system resources, including
files that may exist only on that specific host. This means it can notify
network managers when some external process tries to modify a system file in a
way that may include a hidden back door program.
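The file-integrity check a HIDS agent performs to notice a system file being modified, as an added example that is not part of the original text and not Cisco Security Agent's code: a baseline of digests is recorded after hardening, and a later pass reports files that changed or disappeared. The monitored files are constructed stand-ins in a temporary directory so the example runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Digest a file in chunks so large system files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(paths: list[Path]) -> dict[str, str]:
    """Record the known-good digest of each monitored file (taken right after hardening)."""
    return {str(p): sha256_of(p) for p in paths}


def verify(base: dict[str, str]) -> dict[str, list[str]]:
    """Re-hash every monitored file and report what no longer matches the baseline."""
    report: dict[str, list[str]] = {"modified": [], "missing": []}
    for name, digest in base.items():
        p = Path(name)
        if not p.exists():
            report["missing"].append(name)
        elif sha256_of(p) != digest:
            report["modified"].append(name)
    return report


def demo() -> dict[str, list[str]]:
    """Constructed stand-ins for critical files, one altered and one deleted after baselining."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        files = {
            "hosts": "127.0.0.1 localhost\n",
            "passwd": "root:x:0:0:root:/root:/bin/sh\n",
            "sshd_config": "PermitRootLogin no\n",
        }
        for name, text in files.items():
            (root / name).write_text(text)
        base = baseline([root / n for n in files])
        # An unexpected process appends to passwd and removes sshd_config.
        (root / "passwd").write_text(files["passwd"] + "svc:x:1001:1001::/var/svc:/bin/sh\n")
        (root / "sshd_config").unlink()
        report = verify(base)
        # Report base names only so the result is independent of the temp directory.
        return {k: [Path(v).name for v in vs] for k, vs in report.items()}
```

An agent would persist the baseline outside the monitored host (or sign it) so that a process able to alter system files cannot also alter the record it is compared against.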
The figure illustrates a typical HIPS deployment. Agents are installed on
publicly accessible servers and corporate mail and application servers. The
agents report events to a central console server (CiscoWorks VMS) located
inside the corporate firewall, or they can e-mail an administrator.