Protecting the Network with Homogeneous servers

Posted by qazmlp1209 on July 24, 2006, 5:02 am
We have a case where all of our machines are homogeneous w.r.t. the
security configuration. All of them are part of the VPN network.
If an attacker can attack one machine, he can attack the rest of the
machines also very easily and quickly, due to the homogeneity among
these machines.

Are there standard solutions already available to deal with such
scenarios? Is automatic detection of security breaches and dynamic
changing of the security settings recommended in such cases?


Posted by Tom St Denis on July 24, 2006, 9:25 am

qazmlp1209@rediffmail.com wrote:
> We have a case where all of our machines are homogeneous w.r.t. the
> security configuration. All of them are part of the VPN network.
> If an attacker can attack one machine, he can attack the rest of the
> machines also very easily and quickly, due to the homogeneity among
> these machines.
>
> Are there standard solutions already available to deal with such
> scenarios? Is automatic detection of security breaches and dynamic
> changing of the security settings recommended in such cases?

IDS software exists for that problem. But the usual advice is also
worth repeating:

1. Turn off services you don't need
2. Patch, update, keep up to date about security problems
3. Don't use the same root password for all of your boxes
4. Don't run Windows
5. Keep backups
6. Use privilege separation where possible

Some UNIX specific tricks that annoy script kiddies

1. Remove the "root" user and rename it something they won't guess
2. Put honeypots on your box
3. Use iptables [in conjunction with #2] to block IPs that scan you
4. Put SSH on a non-standard port
5. With #4, rotate which port SSH is on daily, hourly, whatever [*, **]
6. A decoy box is always worth having

[*] Cron jobs are wonderful things.

[**] You can use something as trivial as ssh.port = (hmac(key,
time/300) % 1000) + 1000 to move your ssh around over time.

Tom


Posted by Simon Johnson on August 1, 2006, 3:40 pm

qazmlp1209@rediffmail.com wrote:
> We have a case where all of our machines are homogeneous w.r.t. the
> security configuration. All of them are part of the VPN network.
> If an attacker can attack one machine, he can attack the rest of the
> machines also very easily and quickly, due to the homogeneity among
> these machines.
>
> Are there standard solutions already available to deal with such
> scenarios? Is automatic detection of security breaches and dynamic
> changing of the security settings recommended in such cases?

No, there are none that I am aware of. The closest thing I can think of
is the NSA hardening guide for Windows XP [1], but this focuses on
individual computers and not network architecture. It's probably a good
idea to follow these guidelines anyway.

The point you make is very lucid. The way corporate networks are
constructed is loosely coupled to the type of business they're used in.

Therefore, standardisation of such designs (with security designed in
from the ground up) would be a very effective way of improving security
for everybody. If anybody who reads this group is in a position to
write and put forward such a standard, I urge you to do so.

Coming on to your question, you're right. It's not a nice position to
be in where anyone who VPNs in can attack any machine also connected to
the VPN. In most of the cases I've seen you can get away with enforcing
complete separation of clients on the VPN. In a nutshell, make sure
they can't send any data to each other.

This leaves your other assets such as your servers as the central point
for attack. This is not a bad thing really as it reduces the problem
from "Guard everything" to "Guard this collection of machines." You
will find the latter problem considerably easier to solve.

The usual solutions work well for this: IDS, Firewalls, Anti-virus,
reducing the number of services running on each server, not running
services as the root user etc.

One thing I will mention. Do not underestimate the human dimension to
security. Who can get access to the servers? Are there too many people
who have access? Who knows the root password? Are there too many people
in this loop? Always try to trust as few people as possible. If
somebody doesn't need privilege then don't give it to them.

People often miss this dimension completely. I can tell you a very
short story about one of my gutsier/stupider friends from Sixth Form
[2]. He managed to get root access to the entire network. Quite a feat,
however reckless it might be.

However, he did not achieve this through any cryptanalytic subterfuge
but from doing things the old fashioned way: waiting until the
administrators went out for lunch and installing a trojan on the
server.

Physical access is *just* as important in these things as getting the
software element right.

You have to understand that to some extent, you're fighting an
impossible battle. You will be broken into at some point. This is not
a failure on your part. A company exists to make money - it does not
exist to be a shining beacon of computer security.

Necessary trade-offs will be made and it's important that you make your
superiors aware that trade-offs have to be made somewhere. Too often
the security guy is the fall guy when things go wrong.

Once you've got your infrastructure in place, get someone to
penetration test it. This expert evaluation will likely throw light on
things you haven't considered.

My parting word of advice is to log absolutely everything. This will
make determining the depth of an attack much easier when you do have a
security failure.

Remember, the key to designing anything is to make it simple but no
simpler.

Simon.

[1] - http://nsa2.www.conxion.com/winxp/

[2] - Sixth Form, for those who aren't up to speed with the British
education system, is the period of education between High School and
University. High Schools starts at 11 and runs to 16. Sixth Form from
16-18 and University from 18 onwards.


Posted by NeoPhyte_Rep on December 28, 2006, 5:06 pm
Simon Johnson wrote:
> qazmlp1209@rediffmail.com wrote:
>> We have a case where all of our machines are homogeneous w.r.t. the
>> security configuration. All of them are part of the VPN network.
>> If an attacker can attack one machine, he can attack the rest of the
>> machines also very easily and quickly, due to the homogeneity among
>> these machines.
>>
>> Are there standard solutions already available to deal with such
>> scenarios? Is automatic detection of security breaches and dynamic
>> changing of the security settings recommended in such cases?
>
> No, there are none that I am aware of. The closest thing I can think of
> is the NSA hardening guide for Windows XP [1], but this focuses on
> individual computers and not network architecture. It's probably a good
> idea to follow these guidelines anyway.
>
> <snip>
>
> Simon.
>
> [1] - http://nsa2.www.conxion.com/winxp/
>
Get it from the original source:
http://www.nsa.gov/snac/os/winxp/C44-026-02.pdf
