by Chris McNab, author of Network Security Assessment
03/25/2004
I run a lot of penetration testing exercises against client networks and systems. A lot of the time, testing is relatively straightforward, as the network administrator is not filtering ICMP traffic, and my network scans are not proactively blocked. I love this type of testing, as it’s easy and quick to undertake.
What I don’t like, however, is when security-conscious administrators lay down a number of hurdles between me and the target systems. In these situations, a test that would usually take two days to undertake now takes a week’s worth of my time! By laying down such hurdles, you can force attackers (and security consultants) to go to much more effort in trying to map your networks, identify services, and applications, and effectively attack and compromise them.
This article is a breakdown of my top ten tips for all network administrators, to protect your networks from opportunistic threats and make it hard for the more determined attackers to get anywhere fast.
1. Filter Inbound ICMP ping
Messages
When I undertake testing work against Internet-based networks and systems of clients, I always start out with an ICMP ping
-sweep to identify obvious, poorly protected servers that I should investigate further. In a /24
subnet with 254 potential server addresses, it’s always nice to narrow things down to the handful of accessible machines quickly.
If you filter such ICMP echo
request (type 8, code 0) traffic at your border routers, or firewalls, potential attackers are forced into port scanning all of the IP addresses in your subnet, which will dramatically increase the amount of time spent scanning your network. Most opportunistic attackers will also be deterred by this very simple change to your network.
2. Configure Firewalls to Use SYN Flood Protection
If you use nmap
or similar port scanning tools in their default configuration, they send out thousands of TCP SYN packets to various ports in order to solicit responses, and to identify accessible network services. A second, highly effective hurdle that works well with filtering of inbound ICMP ping
messages is to configure your firewalls to perform SYN flood protection (supported in WatchGuard, Check Point, NetScreen, and many others).
SYN flood protection drops SYN packets from sources that have sent too many, traditionally resembling a denial-of-service attack. However, due to the way that port-scanning tools send thousands of SYN packets are very high speeds, these packets are often dropped by SYN flood-protection mechanisms.
Attackers can still port-scan and map your network and its services, but tools such as nmap
and SuperScan must be reconfigured to increase the delay between sending SYN packets.
3. Filter Outbound ICMP Type 3 Messages
ICMP type 3 (unreachable) messages are used during a UDP port scan to identify closed UDP ports, and therefore work out which UDP ports are open (as no ICMP “destination port unreachable” messages are seen for the open ports). The messages are also used by other security testing tools, including firewalk
, to assess policies and rulesets of border routers and firewalls.
By filtering outbound ICMP type 3 messages, UDP port scanning is very difficult to undertake, and peripheral network testing techniques are also impeded.
4. Place All Publicly Accessible Internet Servers in a DMZ
This is an obvious rule of thumb, I know, but I am still surprised when I test a network and it soon becomes apparent that certain publicly accessible servers are not placed in a DMZ configuration. To reiterate the rule, any publicly accessible Internet server (whether a mail, FTP, or web server) should be placed in a DMZ, in order to protect both the DMZ systems from the Internet, and the internal network systems from the DMZ.
5. Install Microsoft URLScan on Your IIS Web Servers
URLScan is a great free filtering tool by Microsoft. It prevents all of the obvious publicly known IIS web server attacks against your web servers from being effective by filtering access to unnecessary features and ISAPI extensions. Even if your web server is vulnerable to issues into the future, the filtering that URLScan provides will protect you and buy you time to patch the server if the issue is serious.
6. Allow Remote Access to User Services Only Through Authenticated VPN Connections
Public access to Microsoft Outlook Web Access, POP3 email, and other user services only presents issues on three major fronts:
- Vulnerabilities (overflows, authentication bugs) being identified in the services.
- Lack of protection from network sniffing, to compromise authentication data.
- Lack of auditing and lock-out using these services, resulting in brute-force opportunities.
In network environments where security is important, access to user services should only be granted through authenticated VPN connections.
7. Check Your Accessible Servers for Open Proxies or Mail Relays
Reverse proxies used in enterprise web environments, web servers themselves, mail servers, and proxy servers are often misconfigured, allowing for mail, web, or other traffic to be sent to arbitrary internal or Internet-based services.
Useful tools to test for open proxies include:
8. Ensure That Remote Users Are Vigilant
Determined attackers like to identify and exploit the weak link in any chain. In large network environments, it is commonplace for home users to have access, via VPN or other connections, to sensitive internal systems and data. It is important that both personal firewall and anti-virus systems are properly configured and up to date, but more important that remote users are vigilant, and do not double-click mail attachments that could contain specially crafted Trojan code.
9. Use Strong Authentication Mechanisms for Administrative Users
An effective way of protecting your administrator passwords from being compromised by attackers, and then used to completely control the internal Windows domain or active directory, is to investigate the use of two-factor authentication systems for administrative users, such as RSA SecurID or Secure Computing SafeWord. By using two-factor authentication, both brute force attacks and authentication sniffing and replay attacks (such as SMBRelay and others) are negated.
10. Check into Security Sites Every Couple of Days
Keeping up to date with the latest threats and tools is a must. I personally check into most of the mainstream security web sites every couple of days, browsing through the mailing lists, forums, and articles. Security sites to check in with include:
Chris McNab is the technical director of Matta, a vendor-independent security consulting outfit based in the United Kingdom.