Identifying the Critical Infrastructure and Services
As part of the network analysis, security administrators
should identify the critical components, both in terms of networks and services.
After all, the network exists only to get people and machines to application
services! On the network map, place symbols near the endpoints of critical
services, remembering the function of IDS and the Cisco SAFE axioms:
- Routers are targets. As an active element
in the network, hackers can direct attacks towards routers to disrupt a large
number of services and network connections with one strike. For instance, in
July of 2003, a vulnerability in Cisco IOS (CERT Advisory CA-2003-15) was
discovered affecting Cisco devices. By sending specially crafted IPv4 packets to
an interface on a vulnerable device, an intruder could cause the device to stop
processing packets destined to that interface. By targeting routers with this
vulnerability, a hacker could effectively shut down a Cisco-based network. Cisco
quickly released fixed code for the vulnerability.
- Switches are targets. Similar to routers,
switches serve as an active element in the network. Disrupting their
functionality through a DoS attack or by manipulating their configuration could
impact large groups of people. Some Cisco switches were affected by the
vulnerability discussed earlier.
- Hosts are targets. One of
the most dangerous evolutions in hacking involves using compromised hosts as
unwitting attackers in a large-scale Distributed DoS (DDoS) attack. This type of
attack was used in the well-known Nimda worm. Oftentimes, hosts are used in
"blended threats," where a combination of worms, Trojan horses, and other
malicious code is instantiated on hosts for use in a secondary attack such as a
DDoS.
- Networks are targets. Networks are only
functional with the cooperative interaction of many routers, switches, and other
active elements. Large-scale attacks or blended threats can disrupt networks as
a whole. A good example occurred when the Slammer worm was unleashed (CERT
Advisory CA-2003-04) and many Internet-connected networks ground to a halt under
the load of UDP worm traffic.
- Applications are targets. Application
functionality is the primary reason networks exist—we all connect to the network
to access some form of application. It may be a file share or a web site or
perhaps a database to which we seek access. Regardless, applications are a
traditional favorite of hackers since they contain vital information and can,
when compromised, affect such a large community.
In a well-developed network and systems architecture, services
should be aggregated in high bandwidth, manageable farms. Often, these are in
DMZs, extranets, or intranets. Regardless, it is most likely that the map will
highlight the following locations as critical:
Because wireless access points can involve encryption such as WEP,
they, and VPNs in general, present a challenge for IDS systems. The encryption
prevents IDS sensors from gaining cleartext access to the payload, and in some
instances, the packet header and payload. Since IDS cannot decrypt these
datastreams, the traffic passes without IDS inspection. This is precisely why it
is beneficial to place IDS at the point of decryption in networks so that you
may gain insight into the traffic passing through the tunnel.
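The following is an added illustration of the placement point above; it is not code from the book or from Cisco. It models a VPN tunnel in which the whole inner packet (header and payload) is encrypted, then runs the same signature inspector at two tap points: on the encrypted segment and at the point of decryption. The tunnel cipher is a constructed keystream stand-in, the signatures are constructed content strings, and the packet format is a hypothetical simplification chosen only to show what a sensor can and cannot see at each location.

```python
"""Constructed model: where an IDS sensor sits determines what it can inspect.

A signature inspector is run against the same traffic at two tap points. On the
encrypted tunnel segment the sensor sees only gateway addresses and ciphertext,
so neither the inner endpoints nor the payload can be matched. At the point of
decryption the inner header and payload are cleartext and the signature fires.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List

# Constructed signature list (hypothetical content strings, not real IDS rules).
SIGNATURES = {
    "SQL tautology in query": b"' OR 1=1",
    "Directory traversal": b"../../",
}


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


def keystream(key: bytes, length: int) -> bytes:
    # Stand-in for the tunnel cipher (hash-based counter keystream). It exists
    # only so the sensor has ciphertext to look at; it is not a cipher recommendation.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    # XOR with the keystream is symmetric: the same call encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def serialize(pkt: Packet) -> bytes:
    # Hypothetical inner-packet encoding: "src>dst\n" followed by the payload.
    return f"{pkt.src}>{pkt.dst}\n".encode() + pkt.payload


def parse(raw: bytes) -> Packet:
    header, _, payload = raw.partition(b"\n")
    src, dst = header.decode().split(">")
    return Packet(src, dst, payload)


def tunnel_encapsulate(key: bytes, pkt: Packet) -> bytes:
    # Tunnel-mode style: the entire inner packet is encrypted, so an on-path
    # sensor sees only the outer gateway addresses plus ciphertext.
    return b"gwA>gwB\n" + xor_crypt(key, serialize(pkt))


def tunnel_decapsulate(key: bytes, raw: bytes) -> Packet:
    _, _, body = raw.partition(b"\n")
    return parse(xor_crypt(key, body))


def inspect(raw: bytes) -> List[str]:
    """Signature match over whatever bytes the sensor can see at this tap."""
    return [name for name, pattern in SIGNATURES.items() if pattern in raw]


def visible_endpoints(raw: bytes) -> str:
    """The source/destination pair a sensor at this tap could attribute an alert to."""
    return raw.partition(b"\n")[0].decode()


def alerts_at_each_tap(key: bytes, pkt: Packet) -> Dict[str, dict]:
    """Run the same inspector inside the tunnel and at the point of decryption."""
    on_wire = tunnel_encapsulate(key, pkt)
    decrypted = serialize(tunnel_decapsulate(key, on_wire))
    return {
        "inside_tunnel": {"alerts": inspect(on_wire),
                          "endpoints": visible_endpoints(on_wire)},
        "after_decryption": {"alerts": inspect(decrypted),
                             "endpoints": visible_endpoints(decrypted)},
    }


if __name__ == "__main__":
    # Constructed sample: a suspicious HTTP request carried through the tunnel.
    sample = Packet("10.0.0.5", "10.0.1.20", b"GET /?id=' OR 1=1 HTTP/1.0\r\n")
    for tap, result in alerts_at_each_tap(b"constructed-demo-key", sample).items():
        print(f"{tap}: endpoints={result['endpoints']} alerts={result['alerts']}")
```

The sensor inside the tunnel not only misses the signature but also cannot attribute traffic to the real inner hosts; the sensor at the decryption point recovers both, which is the reason for placing it there.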
In most instances, the critical network and services
locations will be near existing security infrastructures such as firewalls. Once
the critical infrastructure has been mapped, it's time to select the placement
of sensors.