What would you consider the most effective perimeter and network defense methods available to safeguard network assets?
Your answer should include at least one practical example of each type of defense and potential type of attack.
Firewalls are a fundamental component of any perimeter defense, and there are many misconceptions about them. A firewall is rarely just a piece of hardware; it is a collection of components (packet filters, proxies, logging, and above all the rule set) that sits between two networks and acts as a gateway. Some basic requirements of a well-configured firewall are as follows:
•It must work as a gatekeeper that explicitly permits or denies incoming and outgoing traffic.
•It must block all traffic that has not been explicitly authorized (default deny), rather than only blocking traffic already known to be bad.
•It must itself be hardened and correctly configured. No firewall is immune from attack, and a misconfigured or compromised firewall protects nothing behind it.
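The gatekeeper and default-deny requirements above are easiest to see in a rule evaluator. The following is an added example, not code from the original answer: a miniature first-match packet filter with a hypothetical policy (the 10.0.0.0/8 LAN, the public server 203.0.113.10 and the administrators' network 198.51.100.0/24 are all assumptions). It shows why rule order matters (a spoofed internal source is dropped before the broader HTTPS allow can match) and that anything the policy does not mention falls through to the implicit deny.

```python
"""First-match, default-deny packet filter in miniature.

Rules are evaluated top to bottom, the first match wins, and anything unmatched
is dropped. The addresses, ports and packets below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    direction: str        # "in" (from the Internet) or "out" (from the LAN)
    proto: str            # "tcp", "udp" or "any"
    src: str              # CIDR block the source address must fall in
    dst: str              # CIDR block the destination address must fall in
    dport: Optional[int]  # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.direction == pkt.direction
        and rule.proto in ("any", pkt.proto)
        and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
        and rule.dport in (None, pkt.dport)
    )


def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); unmatched traffic is denied."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None  # the implicit default-deny rule at the bottom


# Hypothetical policy: LAN in 10.0.0.0/8, public server 203.0.113.10,
# administrators in 198.51.100.0/24. All of these are constructed for the example.
RULES = [
    # Anti-spoofing: packets claiming an internal source must never arrive from outside.
    Rule("deny", "in", "any", "10.0.0.0/8", "0.0.0.0/0", None),
    # Anyone may reach the public HTTPS service.
    Rule("allow", "in", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443),
    # Only the administrators' network may reach SSH.
    Rule("allow", "in", "tcp", "198.51.100.0/24", "203.0.113.10/32", 22),
    # The LAN may initiate anything outbound.
    Rule("allow", "out", "any", "10.0.0.0/8", "0.0.0.0/0", None),
]


def demo() -> dict:
    samples = {
        "public https": Packet("in", "tcp", "192.0.2.5", "203.0.113.10", 443),
        "ssh from stranger": Packet("in", "tcp", "192.0.2.5", "203.0.113.10", 22),
        "ssh from admin": Packet("in", "tcp", "198.51.100.20", "203.0.113.10", 22),
        "spoofed internal src": Packet("in", "tcp", "10.1.2.3", "203.0.113.10", 443),
        "unlisted rdp": Packet("in", "tcp", "192.0.2.5", "203.0.113.10", 3389),
        "lan dns out": Packet("out", "udp", "10.1.2.3", "192.0.2.53", 53),
    }
    return {name: decide(RULES, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (action, idx) in demo().items():
        print(f"{name:22s} -> {action:5s} (rule {'default' if idx is None else idx})")
```

Two things carry over to real firewalls: the anti-spoofing deny has to sit above any allow that could match the same packet, and the RDP attempt is dropped without any rule mentioning port 3389, which is the property the second requirement above asks for.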
Intrusion detection systems (IDS) are designed to catch what a firewall lets through, providing the network with more sophisticated protection than a firewall alone offers. An intrusion can be defined as any unauthorized attempt to access a system. Intrusion detection is the art of detecting unauthorized attempts to access a system or network. The two main categories of IDS are network-based IDS and host-based IDS.
A network-based IDS runs on the network, monitoring activity and reporting anything that arouses suspicion. It usually employs a dedicated server or appliance with a network adapter in promiscuous mode, fed by a network tap or a mirrored switch port, to analyze traffic in real time as it crosses the network. Network-based IDSs watch packets on the wire and attempt to separate legitimate traffic from malicious traffic. They are operating-system independent and centralized, so a few sensors can cover many hosts with little per-host maintenance. They are positioned to catch outside intrusions, but they can also detect suspicious patterns originating within the segment they protect. Their main blind spots are encrypted traffic, whose contents they cannot inspect, and anything on a switched network that is not mirrored to their sensor port.
Host-based IDSs reside on the host and monitor activity on that individual host rather than on the network; some can also respond automatically, for example by blocking a service when suspicious activity is detected. A host-based IDS is in many cases more complex than a network-based system because it monitors several things in addition to the network traffic specific to the host on which it runs. A host-based IDS can be configured to monitor the following:
•Ports used by the system for incoming connections
•Processes running on the system and how the list compares to a known-good baseline
•Checksums of important system files, compared against a baseline, to see whether any of them have been altered
In addition to analyzing the host's own network traffic, some newer host-based IDSs can filter content and protect against viruses.
3. Network Attacks Overview
Network attacks continue to be a concern for organizations as they continue to rely on information technology. The most common starting points are footprinting and scanning, the reconnaissance that precedes almost every attack.
Footprinting is the process of systematically identifying the network and its security controls. For example, an attacker might look at the source code of your Web site and, from that, learn what language and components were used to build it. A DNS query readily yields IP addresses, and often hostnames that hint at how the network is laid out.
Scanning is the process attackers use to learn how a system or network is configured. Port scanners are readily available for anyone to download from the Internet free of charge, and ordinary troubleshooting commands such as ping and traceroute show which computers are "live" on the network and how it is routed.
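A port scan also has a recognizable shape on the wire, which is what a network-based IDS of the kind described earlier looks for. The following is an added example, not code from the original answer: a detector that flags any source touching ten or more distinct destination ports within a sixty-second sliding window. The log format ("timestamp src -> dst:port SYN"), the addresses and the three traffic sources (a normal client, a fast scanner, a slow scanner) are constructed for the example.

```python
"""Network-side detection of a port scan from connection-attempt records.

A source that touches many distinct destination ports within a short window is
flagged; a benign client and a slow scanner are included to show the limits.
The log format and all addresses are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed format: "<ISO timestamp> <src> -> <dst>:<dport> SYN"
LOG_LINE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) SYN$")


def parse(line: str) -> Optional[Tuple[datetime, str, str, int]]:
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts, src, dst, dport = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect_scans(lines: List[str], window: timedelta = timedelta(seconds=60),
                 threshold: int = 10) -> Dict[str, Tuple[str, int]]:
    """Return {src: (time first flagged, distinct targets seen in the window)}."""
    events = sorted(e for e in map(parse, lines) if e)
    history = defaultdict(deque)  # src -> deque of (ts, (dst, dport)) inside the window
    alerts: Dict[str, Tuple[str, int]] = {}
    for ts, src, dst, dport in events:
        q = history[src]
        q.append((ts, (dst, dport)))
        while q and ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        distinct = {target for _, target in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (ts.isoformat(), len(distinct))
    return alerts


def sample_log() -> List[str]:
    base = datetime(2024, 5, 1, 10, 0, 0)
    common = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 3306, 3389]
    lines = []
    # Benign client: many connections, but all to the one service it uses.
    for i in range(20):
        lines.append(f"{(base + timedelta(seconds=3 * i)).isoformat()} "
                     f"198.51.100.5 -> 203.0.113.10:443 SYN")
    # Fast scanner: fifteen ports in fifteen seconds.
    for i, port in enumerate(common):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} "
                     f"192.0.2.7 -> 203.0.113.10:{port} SYN")
    # Slow scanner: one port every five minutes, never ten within any minute.
    for i, port in enumerate(common[:12]):
        lines.append(f"{(base + timedelta(minutes=5 * i)).isoformat()} "
                     f"192.0.2.9 -> 203.0.113.10:{port} SYN")
    return lines


if __name__ == "__main__":
    for src, (when, n) in detect_scans(sample_log()).items():
        print(f"ALERT {src}: {n} distinct ports within 60s, first seen {when}")
```

Only the fast scanner is flagged, at the moment its tenth distinct port is seen. The slow scanner is the caveat: spreading probes out in time is the standard way to stay under a windowed threshold, so real sensors pair this rule with longer-horizon counting and with correlation across sensors.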
4. Denial of Service Attacks
A Denial of Service (DoS) attack prevents users who are authorized to access a resource from reaching it. Several different types of attacks fall into this category; they can deny access to information, applications, systems, or communications. A DoS attack need not damage or steal anything; its harm is the loss of availability, which still has real consequences. For example, if the Amazon.com Web site were successfully attacked, Amazon would lose money for as long as the site was unavailable for purchases. See the US-CERT Web site for more information about DoS and other security threats.
A Distributed Denial of Service (DDoS) attack uses many computers to attack a single target. The attacker first loads an attack program onto many machines, typically poorly protected home computers on DSL or cable modems. The program stays dormant until a master computer instructs it to attack a particular system; the master itself may be another compromised machine belonging to an unsuspecting user.
5. Session and Spoofing Attacks
A spoofing attack is an attempt by someone or something to masquerade as someone else. A very common spoofing attack that was popular for many years involved a programmer writing a fake log-on program. No matter what the user typed, the program reported an invalid login, while quietly writing the user ID and password to a disk file that the attacker could collect later.
A man-in-the-middle attack is commonly used to gather information in transit between two hosts. A third system is placed between two hosts that are already communicating or are in the process of setting up a communication channel. The attacker establishes a separate session with each victim and presents what appears to be a valid end point to each. This gives the attacker the ability to intercept the data, record it, and then pass it on to the other victim. Remember, the attacker can also choose to alter the information rather than merely pass it on. The defense is to authenticate both ends of the channel and protect the integrity of what travels over it, so that an inserted third party can neither pose as a valid end point nor change the data unnoticed.
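The relay-and-alter behaviour described above, and the integrity protection that defeats it, can be shown end to end. The following is an added example, not code from the original answer: a simulated attacker between two endpoints rewrites a message once over a bare channel and once over a channel whose messages carry an HMAC-SHA256 tag under a pre-shared key. The key, the account numbers and the message text are constructed for the example; the HMAC stands in for the authenticated channel (in practice TLS with certificate validation) that real systems use.

```python
"""Man-in-the-middle relay, once over an unprotected channel and once over a
channel whose messages carry an HMAC under a key the attacker does not hold.
The key and the messages are constructed for this example.
"""
import hashlib
import hmac
from typing import Dict, Tuple

# Hypothetical pre-shared key known only to the two legitimate endpoints.
KEY = b"pre-shared-key-known-only-to-alice-and-bob"


def protect(message: str, key: bytes) -> Dict[str, str]:
    """Sender side: attach an HMAC-SHA256 tag so any alteration in transit is detectable."""
    tag = hmac.new(key, message.encode(), hashlib.sha256).hexdigest()
    return {"msg": message, "tag": tag}


def verify(envelope: Dict[str, str], key: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    expected = hmac.new(key, envelope["msg"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def mallory_relay(envelope: Dict[str, str], tamper: bool) -> Dict[str, str]:
    """The third system between the endpoints: it records everything it relays
    and, if it chooses, rewrites the message before forwarding it."""
    forwarded = dict(envelope)  # Mallory keeps a copy of whatever passes through
    if tamper:
        forwarded["msg"] = forwarded["msg"].replace("account 1001", "account 6666")
    return forwarded


def unauthenticated_exchange() -> str:
    """No integrity protection: Bob acts on whatever Mallory forwards."""
    sent = {"msg": "transfer 500 to account 1001"}
    received = mallory_relay(sent, tamper=True)
    return received["msg"]


def authenticated_exchange(tamper: bool) -> Tuple[bool, str]:
    """With HMAC: Bob accepts only if the tag verifies under the shared key."""
    sent = protect("transfer 500 to account 1001", KEY)
    received = mallory_relay(sent, tamper=tamper)
    return verify(received, KEY), received["msg"]


if __name__ == "__main__":
    print("unprotected, Bob acts on:", unauthenticated_exchange())
    ok, msg = authenticated_exchange(tamper=True)
    print("protected, tampered :", "accepted" if ok else "rejected", repr(msg))
    ok, msg = authenticated_exchange(tamper=False)
    print("protected, untouched:", "accepted" if ok else "rejected", repr(msg))
```

Three limits are worth stating. The tag gives integrity and origin authentication only: Mallory still reads every message, so confidentiality needs encryption as well. It does not stop replay of a recorded, validly tagged message unless a nonce or sequence number is included under the tag. And it helps only if the key was established over a path Mallory could not sit on; if the key exchange itself is unauthenticated, Mallory negotiates a separate key with each side, which is exactly the two-session attack described above.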