Network Hardening OSes and NOSes
When discussing network hardening, there are a number of concerns that are separate from those realized while evaluating and hardening OSes and NOSes. The appropriate firmware and OS updates implemented on hardware must be evaluated, tested, and implemented. In addition, network configurations must be as tight as possible. This includes developing appropriate rule sets and not allowing unnecessary protocol or service access to other areas of the network. To keep access as restrictive as possible, administrators should follow the principle of least privilege, and not allow any services, protocols, or transports to operate that are not defined as critical or necessary to the operation of the networks. It may be appropriate to implement new technologies while in the network hardening process. Evaluation of Intrusion Detection Systems (IDSes), firewall products, and anti-virus solutions is also appropriate to hardening networks. Monitoring systems must be checked and adjusted to verify that the network portion of the system is secure. Administrators must remain vigilant and proactive in maintaining these entryways into their environments, to ensure that they have done everything possible to eliminate a breach or attack.
The following looks at the types of actions security professionals must take to limit or reduce attacks, accidental damage, or destruction through their networks. It also discusses recommendations for the appropriate application, timing, and installation of updates to the firmware being used and to the OS in the network device. Additionally, recommendations and best practices for the configuration of network devices and whether there is a need to disable or enable services and protocols within a network scope are explored. Finally, recommendations and procedures for establishing appropriate access control levels for devices and systems within a network are discussed.
Updates (Firmware)
Firmware updates, like software updates, are provided by the manufacturer of the hardware device being used. These updates generally fix incompatibility issues or device operation problems, and should be applied if the update involves a repair for an existing condition, or if it will make the equipment more secure, more functional, or extend its operational life. It is always necessary to install and test firmware updates in a non-production environment, to verify that the update contains the necessary repairs and benefits that are needed. After sufficient testing of the update and its functionality, it can be installed on other devices of the same type, as appropriate.
Configuration
Configuration of network devices (such as routers and switches) with default installation settings leaves a system extremely vulnerable. It is of paramount importance that administrators understand the limitations of default settings. Ideally, configurations should be tested and assured prior to implementation of the devices on a live network. Often, basic device configurations are set for convenience and not for control and security. It is easier to operate some devices with just the default settings, but in many cases, there is a corresponding loss of security.
Improperly configured or improperly secured devices left with default configurations will draw attackers if connected to the Internet. It is important to understand the ramifications of the settings made on any network device connected to a foreign or uncontrolled network.
Enabling and Disabling Services and Protocols
When considering whether to enable and disable services and protocols in relation to network hardening, there are extra tasks that must be done to protect the network and its internal systems. As with the OSes and NOSes discussed earlier, it is important to evaluate the current needs and conditions of the network and infrastructure, and then begin to eliminate unnecessary services and protocols. This leads to a cleaner network structure, more capacity, and less vulnerability to attack.
It is obvious that unnecessary protocols should be eliminated. For most that means eliminating Internetwork Packet Exchange (IPX), Sequenced Packet Exchange (SPX), and/or NetBIOS Extended User Interface (NetBEUI). It is also important to look at the specific operational protocols used in a network such as Internet Control Message Protocol (ICMP), Internet Group Management Protocol (IGMP), Service Advertising Protocol (SAP), and the Network Basic Input/Output System (NetBIOS) functionality associated with Server Message Block (SMB) transmissions in Windows-based systems.
While considering removal of non-essential protocols, it is important to look at every area of the network to determine what is actually occurring and running on the system. The appropriate tools are needed to do this, and the Internet contains a wealth of resources for tools and information to analyze and inspect systems.
A number of functional (and free) tools can be found at sites such as www.foundstone.com/knowledge/free_tools.html. Among these, tools like SuperScan 3.0 are extremely useful in the evaluation process. If working in a mixed environment with UNIX and Linux machines or Netware machines, a tool such as Big Brother may be downloaded and evaluated (or in some cases used without charge) by visiting www.bb4.com. Another useful tool is Nmap, which is available at http://insecure.org/nmap/. These tools can be used to scan, monitor, and report on multiple platforms, giving a better view of what is present in an environment.
In Linux-based systems, non-essential services can be controlled in different ways, depending on the distribution being worked with. This may include editing or making changes to xinetd.conf or inetd.conf, or use of the graphical Linuxconf or ntsysv utilities. It may also include the use of ipchains or iptables in various versions to restrict the options available for connection at a firewall.
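As an added example (not part of the original article), the shell functions below apply the least-privilege approach to inetd.conf: one lists the services that are still enabled but not on a list of required services, and the other emits a copy of the file with those entries commented out. The function names, the `#disabled#` marker, the allowlist, and the sample configuration are all constructed for illustration.

```shell
# Audit an inetd.conf against an allowlist of required services.
# $1 = path to inetd.conf, $2 = space-separated list of required service names

# List enabled (uncommented) services that are not on the allowlist.
inetd_unneeded() {
    awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
        !($1 in ok)    { print $1 "/" $3 }  # service/protocol still enabled
    ' "$1"
}

# Emit a hardened copy: entries not on the allowlist are commented out,
# everything else (comments, required services) passes through unchanged.
inetd_harden() {
    awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*(#|$)/ { print; next }
        !($1 in ok)    { print "#disabled# " $0; next }
        { print }
    ' "$1"
}

# Constructed sample configuration (not taken from a real host).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# <service> <socket> <proto> <wait> <user> <server> <args>
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
echo    dgram   udp  wait    root    internal
ident   stream  tcp  wait    nobody  /usr/sbin/identd identd
EOF

ALLOW="ident"   # assumption: the only service this host actually needs
echo "Enabled but not required:"
inetd_unneeded "$SAMPLE" "$ALLOW"
echo "--- hardened copy ---"
inetd_harden "$SAMPLE" "$ALLOW"
```

The hardened copy should be reviewed and tested on a non-production system before it replaces the live file, and inetd must be told to reload its configuration for the change to take effect.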
Windows NT-based platforms allow the configuration of OS and network services from provided administrative tools. This can include a service applet in a control panel in NT versions, or a Microsoft Management Console (MMC) tool in a Windows XP/.NET/Vista environment. It may also be possible to check or modify configurations at the network adaptor properties and configuration pages. In either case, it is important to restrict access and thus limit vulnerability due to unused or unnecessary services or protocols.