Consider this scenario. An attacker has penetrated your firewall. What is to stop him/her from compromising your entire network? This is the rationale for defense in depth. The point is to secure each device in the network, precluding an attacker from hopping from one device to another with utter abandon.
Lockdown the border now
Let’s start with your network’s border device. It could be a firewall or a router. You can use access lists to block the following traffic inbound:
- Routing updates - Verify whether your network should receive routing updates from IGPs (Interior Gateway Protocols) such as RIP, OSPF, or EIGRP at all. (This will depend on your network design.) Do the same for protocols such as MPLS and BGP. Routing updates can really eat up bandwidth, so minimizing them may also ease some network congestion.
- Private addresses - Your network should not be receiving requests with a private source address, since private addresses are only used on private networks. Of course, this includes the typical private unicast ranges 192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8. But don’t forget to block the following as well:
  - 0.0.0.0/8 - Broadcast messages to "this" network
  - 127.0.0.0/8 - Loopback addresses of the host itself
  - 169.0.0.0/8 - Used when a device expects to receive a DHCP address but fails to receive one
  - 224.0.0.0/3 - Multicast addresses and, beyond them, the experimental (reserved) addresses
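The inbound source filter described above, written out as an added example (not code from the original post): it renders the deny entries as an IOS-style extended ACL with wildcard masks and evaluates constructed sample packets against the same list. The ACL name, the sample packets and the "permit any" placeholder are assumptions; the link-local range is given as 169.254.0.0/16, the range a host falls back to when DHCP fails.

```python
import ipaddress

# Source prefixes that must never arrive inbound from the Internet: RFC 1918
# private space plus the special-use ranges the text lists ("this" network,
# loopback, the DHCP-failure link-local range, multicast and above).
BOGON_SOURCES = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/3",
]

def wildcard_mask(cidr: str) -> str:
    """IOS ACLs take an inverted mask: a 1 bit means 'do not care'."""
    return str(ipaddress.ip_network(cidr).hostmask)

def build_ingress_acl(name: str = "BORDER-IN") -> list[str]:
    """Render an extended named ACL: drop and log the bogon sources, then allow the rest."""
    lines = [f"ip access-list extended {name}"]
    for cidr in BOGON_SOURCES:
        net = ipaddress.ip_network(cidr)
        lines.append(f" deny ip {net.network_address} {wildcard_mask(cidr)} any log")
    lines.append(" permit ip any any")  # placeholder: replace with the explicit permits your border needs
    return lines

def acl_action(src_ip: str) -> str:
    """Evaluate the ACL the way the router does: the first matching entry wins."""
    addr = ipaddress.ip_address(src_ip)
    for cidr in BOGON_SOURCES:
        if addr in ipaddress.ip_network(cidr):
            return "deny"
    return "permit"

def filter_packets(packets: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Sort constructed (src, dst) pairs into the action the ACL would take on them."""
    result = {"deny": [], "permit": []}
    for src, dst in packets:
        result[acl_action(src)].append(f"{src} -> {dst}")
    return result

if __name__ == "__main__":
    print("\n".join(build_ingress_acl()))
    # Constructed sample packets as seen on the outside interface, not real traffic.
    sample = [("203.0.113.7", "198.51.100.10"), ("10.3.4.5", "198.51.100.10"),
              ("127.0.0.1", "198.51.100.10"), ("239.255.255.250", "198.51.100.10")]
    for action, flows in filter_packets(sample).items():
        print(action, flows)
```

The `log` keyword on each deny entry is what turns spoofed-source attempts into something your monitoring can count.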
One or more DMZs can be used to create a “border within a border” for the network. Separate all the devices that exchange data directly with the outside world, such as web servers, mail servers, etc., and install a firewall between them and your main network. This isolation will help protect the bulk of the network from attacks, viruses, Trojans... the list goes on.
Lots of devices to secure?
From the border device, traffic shoots between all sorts of devices within your network. Each type of device has different security capabilities and vulnerabilities. Above all, know your devices. A good example is the behavior of some switches.
By default, they negotiate a trunk port with whatever is plugged in. Without further configuration, a trunk port passes data from any VLAN. (Remedy this by explicitly configuring every interface as either a trunk or an access, non-trunk, port.)
An advantage of firewalls is that most traffic is blocked by default. This is great for security, though a little inconvenient for those of us who like to “ping” to check connectivity. Routers, switches, and servers, on the other hand, tend to require a large amount of configuration for security hardening. Take advantage of any automated security subroutines or scripts provided by the manufacturer. These disable unneeded services, restrict private and public addresses, and shut down unneeded interfaces. Canned routines can save a great deal of time, and at least provide a minimum level of security for you to build on.
There is a special consideration for authentication servers, firewalls, and IPS/IDS devices. Most can be configured as either fail-open or fail-closed. Fail-open means that if the device fails, all traffic is permitted; credentials are no longer checked and nothing is blocked. With fail-closed, connectivity is broken instead. If your organization’s policy deems security more important, use fail-closed. However, if service availability is more important, use fail-open.
Router Security
Routers come with many types of security capabilities, including firewall software and IPS/IDS modules, among others. The heart of all router security, however, is the access control list (ACL). ACLs let you tailor your security to your specific data and traffic needs, interface by interface, at Layers 3 and 4.
There are other settings that apply to a specific interface, not the entire device. Consider blocking the following:
- IP redirects - ICMP redirect messages are used by routers to notify the hosts on the data link that a better route is available for a particular destination. A router should send redirects only to hosts in the local subnet.
- IP directed broadcast - A directed broadcast is sent as a unicast packet until it arrives at the target subnet, where it becomes a link-layer broadcast. It is a good idea to block packets sent to the broadcast address of another subnet.
- Proxy ARP - This allows ARP requests to span multiple LAN segments. Before first-hop redundancy protocols such as Virtual Router Redundancy Protocol (VRRP) and Hot Standby Router Protocol (HSRP), proxy ARP was important for maintaining connectivity. Now it is rarely needed, except in Mobile IP, where proxy ARP is used in forwarding.
- IP Unreachables - A router replies with these ICMP packets when it receives a nonbroadcast packet that uses an unknown protocol or if the router has no route to the destination address. IP Unreachables disclose too much information about your network to potential attackers.
Switch security
Whenever possible, use VLANs. They are the easy way to keep management and data traffic on different networks. That is true for servers as well; in fact, most servers require separate networks. Some switches offer private VLANs, limiting traffic between devices even more.
Configure port security
This protects against eavesdropping and other attacks. For high-security environments, you can even configure a port to accept only a specific MAC address connection. But think hard before employing static MAC assignment. It makes office moves, hardware upgrades, and BYOD a continual series of nightmares for the network administrator.
Spanning Tree Protocol (STP), in its various flavors, is critical to proper switch operation, and users attaching home routers and switches to the network can wreak havoc with it. Make sure that your switch ports are configured with STP extensions such as Root Guard and BPDU Guard. Check out the capabilities of your network’s switches.
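A small audit of the per-interface settings from the router section (IP redirects, directed broadcast, proxy ARP, IP unreachables) and the switch-port recommendations above (no trunk negotiation, port security, BPDU Guard), added here as an example that is not part of the original post. It parses an IOS-style running config; the config excerpt and the required-command lists are constructed assumptions, not output from any real device.

```python
# Per-interface commands the text recommends: routed interfaces and user-facing access ports.
ROUTED_REQUIRED = ["no ip redirects", "no ip directed-broadcast",
                   "no ip proxy-arp", "no ip unreachables"]
ACCESS_REQUIRED = ["switchport nonegotiate", "switchport port-security",
                   "spanning-tree bpduguard enable"]

SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 no ip unreachables
!
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 no ip redirects
!
interface GigabitEthernet1/0/5
 switchport mode access
 spanning-tree bpduguard enable
!
"""  # constructed IOS-style excerpt for a hypothetical device, not real data

def parse_interfaces(config: str) -> dict[str, list[str]]:
    # Split the config into {interface name: [its indented commands]}.
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1]
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or another top-level command ends the block
    return blocks

def audit(config: str) -> dict[str, list[str]]:
    # Return, per interface, the recommended commands that are absent.
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if any(line.startswith("ip address ") for line in lines):
            required = ROUTED_REQUIRED  # routed port: ICMP/ARP information-leak controls
        elif "switchport mode access" in lines:
            required = ACCESS_REQUIRED  # access port: edge protections against rogue gear
        else:
            continue  # shut or unconfigured ports are out of scope for this check
        missing = [cmd for cmd in required if cmd not in lines]
        if missing:
            findings[name] = missing
    return findings
```

The check only sees what the running config displays, so settings that are already the platform default will not appear; where the platform can show defaults too (for example `show running-config all` on IOS), audit that output instead.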
Are we there yet?
Defense in depth secures each device in the network, not just the border. This approach provides strong and resilient security that can be adopted piecemeal as technology and business requirements change.
Please get in touch with your security-related questions; we’d be delighted to help. Email: info@titanhq.com