www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
01 October 2007  
Vendor Accent

The common sense of network security

Shardul Singh explains how network security can be implemented better by paying attention to common-sense practices.

In the past decade, network security awareness has improved significantly among CIOs and network administrators. Much of the credit goes to security product vendors, who stay in touch with top management and network administrators across organizations and communicate the message through product launches, road shows and IT certifications.

However, since most such events are driven by the agenda of selling products, the common sense of network security is often overlooked. As a result, organizations rely too much on boxes such as firewalls, intrusion prevention systems (IPS) and virtual private network (VPN) servers, and forget that regular maintenance and proper management of these and other network devices is equally important. An analogy makes the point: what if a person relied only on vaccines, capsules and vitamins for good health and ignored diet and exercise? The answer is unambiguous; good health cannot be achieved with medical supplements alone.

Root cause analysis of network problems

There is a popular saying: "It is like a game of golf, a game that is played but never won. So if you cheat and take shortcuts, you cheat yourself." This applies exactly to network security. Deploying perimeter security devices does not, by itself, guarantee the security of the network. The majority of network issues are caused by problems at the physical layer and by outdated OS versions and configurations on network devices.

One thing I have frequently observed during network security audits is that organizations do not give the required emphasis to proper housekeeping and regular health-checks of their network and network devices. Often there is no defined process for regular patch or OS upgrades of switches, routers, firewalls and the like, and network administrators do not visit the vendors' Web sites to check for known vulnerabilities and upgrades.

When we go through the root cause analysis (RCA) of network problem tickets and change requests, we find that the majority of issues stem from the following (not so technical) vulnerabilities:

  • Unavailability of Network Design Guidelines

It is praiseworthy that organizations have started documenting their policy for IT infrastructure security. However, most organizations still do not have a document on network design guidelines. As a result, the network becomes more and more chaotic as the organization grows. IT staff have no clear understanding of which servers belong in the demilitarized zone (DMZ) and which belong on the internal private network. The moment an insufficiently hardened server with inbound connectivity from the public network is installed on the organization's internal private network, the whole network becomes vulnerable to internal as well as external attacks. The impact can take the form of information leakage, denial of service (DoS) attacks, privilege escalation through trust exploitation, bandwidth misuse and mis-configurations such as IP conflicts and open DNS zone transfers.

Where an organization runs an extranet that provides connectivity to partner organizations or third-party employees, or remote-access connectivity for tele-workers, the impact of missing design guidelines can be far more severe. Proprietary information may easily leak to partners and unauthorized users. For example, employees of a partner company can misuse inbound connections to reach the Internet through your intranet, to deploy exploits and rootkits, or to spread viruses.

Some of the newer challenges relate to wireless and Voice over IP (VoIP) networks. Improper designs let an attacker hide rogue access points or use the international call-forwarding feature without detection.
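A design guideline only helps if someone checks the live rule base against it. The following is an added example (not code from the article or its author) that turns the DMZ/internal/partner placement rule into a zone-to-zone flow matrix and flags every permit rule that breaks it, including the partner-to-Internet case described above. The address plan in ZONES, the permitted flows in ALLOWED_FLOWS and the rule set in RULES are all constructed for illustration; a real deployment would load them from the firewall's exported policy.

```python
"""Check firewall rules against a zone-placement design guideline.

Added example; the zone plan, allowed flows and rules below are constructed
assumptions, not taken from any real organization.
"""
import ipaddress

# Zone address plan. More specific zones come first, because the extranet
# segment is carved out of the internal private range.
ZONES = {
    "dmz": ["203.0.113.0/27"],
    "extranet": ["10.50.0.0/24"],
    "partner": ["198.51.100.0/24"],
    "internal": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}

# The design guideline as a flow matrix: any permit rule whose
# (source zone, destination zone) pair is not listed here is a violation.
ALLOWED_FLOWS = {
    ("external", "dmz"),       # the Internet may reach published services only
    ("partner", "extranet"),   # partners may reach the extranet segment only
    ("internal", "internal"),
    ("internal", "dmz"),
    ("internal", "extranet"),
    ("internal", "external"),  # outbound access for staff
}

# Constructed rule set in evaluation order (first match wins).
RULES = [
    {"name": "web-in", "src": "0.0.0.0/0", "dst": "203.0.113.10/32", "port": 443, "action": "permit"},
    {"name": "smtp-in", "src": "0.0.0.0/0", "dst": "10.1.5.20/32", "port": 25, "action": "permit"},
    {"name": "partner-ftp", "src": "198.51.100.0/24", "dst": "10.50.0.7/32", "port": 21, "action": "permit"},
    {"name": "partner-sql", "src": "198.51.100.0/24", "dst": "10.2.0.15/32", "port": 1433, "action": "permit"},
    {"name": "partner-web", "src": "198.51.100.0/24", "dst": "0.0.0.0/0", "port": 80, "action": "permit"},
    {"name": "admin-ssh", "src": "10.0.0.0/8", "dst": "10.0.0.5/32", "port": 22, "action": "permit"},
    {"name": "deny-all", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": None, "action": "deny"},
]


def zone_of(prefix):
    """Return the zone that fully contains prefix, or 'external' if none does.

    A broad source such as 0.0.0.0/0 is not contained in any zone, so it is
    classified as external, which is exactly what an 'any' source means.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    for zone, members in ZONES.items():
        if any(net.subnet_of(ipaddress.ip_network(m)) for m in members):
            return zone
    return "external"


def find_violations(rules, allowed=ALLOWED_FLOWS):
    """Return (rule name, source zone, destination zone) for every permit
    rule whose zone pair is not an allowed flow. Deny rules are ignored."""
    violations = []
    for rule in rules:
        if rule["action"] != "permit":
            continue
        flow = (zone_of(rule["src"]), zone_of(rule["dst"]))
        if flow not in allowed:
            violations.append((rule["name"], flow[0], flow[1]))
    return violations


if __name__ == "__main__":
    for name, src, dst in find_violations(RULES):
        print(f"{name}: {src} -> {dst} is not an allowed flow")
```

On the constructed rule set the check reports smtp-in (a mail server on the internal network exposed to the Internet instead of the DMZ), partner-sql (a partner reaching an internal database) and partner-web (a partner using the intranet as its Internet gateway); the legitimate web-in, partner-ftp and admin-ssh rules pass. Running this after every change request is a cheap way to keep the guideline and the rule base from drifting apart.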

  • Unavailability of Patch Management Process for Network Devices

Patch management and operating system (OS) upgrades are commonly misunderstood as a process for servers and desktops only. It is, however, far more critical for network devices, because the unavailability of any one of these boxes can disrupt connectivity for thousands of desktops and servers. I agree that new advisories for network devices are released less frequently than server and desktop security advisories. Still, a quick look at Cisco's own security advisory listing shows that Cisco alone has released more than 25 security advisories in 2007 so far. Considering that the year is not yet over and that there are many other network device vendors, a significant number of network advisories are published every year.

Check whether your organization's network support team is following these advisories regularly. Otherwise the outcome is obvious: attacks against known vulnerabilities, unwanted network services and obsolete protocol versions running on the devices.
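"Following the advisories" is only meaningful against an inventory of what each device actually runs. The following added example (not the article's or any vendor's code) matches a constructed advisory list against a constructed device inventory and produces a patch worklist, ordered by severity and by how long each exposure has been open against a 30-day patch SLA. The advisory IDs, platforms, version numbers and dates are all made up for illustration, the version scheme is a simplified dotted-numeric one, and the report date is fixed to the article's publication date so that the output is repeatable.

```python
"""Match vendor security advisories against a network device inventory.

Added example; the inventory, advisories (with hypothetical IDs), version
scheme and SLA are constructed assumptions for illustration.
"""
import re
from datetime import date

PATCH_SLA_DAYS = 30
REPORT_DATE = date(2007, 10, 1)  # fixed so the example is repeatable

# Constructed inventory: what is actually running on each device.
INVENTORY = [
    {"host": "core-sw-1", "platform": "catalyst-ios", "version": "12.2.25"},
    {"host": "dist-sw-2", "platform": "catalyst-ios", "version": "12.2.44"},
    {"host": "edge-rtr-1", "platform": "ios", "version": "12.4.10"},
    {"host": "fw-1", "platform": "asa", "version": "7.2.3"},
]

# Constructed advisories with hypothetical IDs. 'fixed_in' is the first
# version carrying the fix; anything below it on that platform is affected.
ADVISORIES = [
    {"id": "ADV-2007-101", "platform": "ios", "fixed_in": "12.4.15",
     "severity": "high", "published": date(2007, 8, 1)},
    {"id": "ADV-2007-102", "platform": "catalyst-ios", "fixed_in": "12.2.40",
     "severity": "medium", "published": date(2007, 9, 20)},
    {"id": "ADV-2007-103", "platform": "asa", "fixed_in": "7.2.3",
     "severity": "high", "published": date(2007, 7, 10)},
]


def parse_version(text):
    """'12.4.15' -> (12, 4, 15). Only digit runs are compared, so a train
    string such as '12.2(33)SXH' becomes (12, 2, 33). Real vendor version
    ordering is more involved; this is a simplification for the example."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def exposed_devices(inventory, advisories, today=REPORT_DATE):
    """Return one finding per (device, advisory) pair where the device runs a
    version older than the fix. 'overdue' is set once the patch SLA, counted
    from the advisory's publication date, has elapsed."""
    findings = []
    for dev in inventory:
        for adv in advisories:
            if adv["platform"] != dev["platform"]:
                continue
            if parse_version(dev["version"]) < parse_version(adv["fixed_in"]):
                age = (today - adv["published"]).days
                findings.append({
                    "host": dev["host"],
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "days_open": age,
                    "overdue": age > PATCH_SLA_DAYS,
                })
    # Highest severity first, then oldest exposure, so the list is a worklist.
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings.sort(key=lambda f: (order.get(f["severity"], 9), -f["days_open"]))
    return findings


if __name__ == "__main__":
    for f in exposed_devices(INVENTORY, ADVISORIES):
        status = "OVERDUE" if f["overdue"] else "within SLA"
        print(f'{f["host"]}: {f["advisory"]} ({f["severity"]}, open {f["days_open"]} days, {status})')
```

On the constructed data, edge-rtr-1 is affected by ADV-2007-101 and has been exposed for 61 days (overdue), core-sw-1 is affected by ADV-2007-102 and is still within the SLA, and fw-1, which already runs the fixed release, is not listed. The same script run weekly against the real inventory is the "watch" over the support team that the paragraph asks for.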

  • Absence of regular Health-Check schedule for devices

Many a time an organization has a well-defined policy in place, but when it comes to regular monitoring of individual devices' compliance, the whole responsibility is left to the internal auditors. Typically, internal auditors have neither the time to audit the complete infrastructure nor the expertise to understand the in-depth technicalities of different network solutions.

Most non-compliances, whether outdated OS versions and patches, outdated configuration, redundant access-control list (ACL) entries, redundant user IDs, or mismatched network passwords and SNMP community strings, arise because organizations do not enforce a process for a regular health-check of each device. Ideally, there should be a quarterly or semi-annual health-check schedule covering every single device on the network.
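Most of the non-compliances listed here can be found by a script rather than by an auditor reading configurations, which is the only way a quarterly schedule covering every device stays realistic. The following added example (not from the article or its author) audits a set of Cisco-style device configurations for default and mismatched SNMP community strings, duplicate ACL entries, local user IDs that are not on the approved list, and Telnet still enabled on the management lines. The two configurations, the device names, the approved-user list and the community strings are constructed for illustration; a real run would feed it the configurations pulled from the devices during the health-check.

```python
"""Health-check device configurations for common housekeeping defects.

Added example; the Cisco-style configurations, device names and approved
user list are constructed assumptions for illustration.
"""

APPROVED_USERS = {"admin", "jsmith"}          # assumption: the sanctioned local accounts
DEFAULT_COMMUNITIES = {"public", "private"}   # well-known default SNMP community strings

CONFIGS = {
    "core-sw-1": """\
hostname core-sw-1
username admin privilege 15 secret 5 $1$x$aaaaaaaaaaaaaaaaaaaaaa
username jsmith privilege 15 secret 5 $1$y$bbbbbbbbbbbbbbbbbbbbbb
username contractor01 privilege 15 secret 5 $1$z$cccccccccccccccccccccc
snmp-server community public RO
snmp-server community n3tm0n-rw RW
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
 deny ip any any log
line vty 0 4
 transport input telnet ssh
""",
    "edge-rtr-1": """\
hostname edge-rtr-1
username admin privilege 15 secret 5 $1$x$aaaaaaaaaaaaaaaaaaaaaa
snmp-server community n3tm0n-old RW
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
 deny ip any any log
line vty 0 4
 transport input ssh
""",
}


def audit_device(name, config):
    """Return ([(category, detail), ...], set_of_community_strings) for one config.

    Top-level commands start a new section; indented lines belong to the
    section above them (ACL entries, line settings and so on).
    """
    findings, communities = [], set()
    section, seen_aces = "", set()
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):
            section, seen_aces = line, set()
        elif section.startswith("ip access-list "):
            # Redundant ACE: the same entry repeated inside one ACL.
            if line in seen_aces:
                findings.append(("duplicate-ace", f"{section.split()[-1]}: {line}"))
            seen_aces.add(line)
        elif line.startswith("transport input ") and "telnet" in line.split():
            findings.append(("telnet-enabled", section))
        if line.startswith("username "):
            user = line.split()[1]
            if user not in APPROVED_USERS:
                findings.append(("unapproved-user", user))
        elif line.startswith("snmp-server community "):
            community = line.split()[2]
            communities.add(community)
            if community in DEFAULT_COMMUNITIES:
                findings.append(("default-community", community))
    return findings, communities


def audit_fleet(configs):
    """Audit every device, then compare the non-default community strings
    across devices. A string present on some devices but absent on others is
    the 'mismatch' that silently breaks monitoring after a forgotten change."""
    report, managed = {}, {}
    for name, cfg in configs.items():
        report[name], communities = audit_device(name, cfg)
        managed[name] = communities - DEFAULT_COMMUNITIES
    union = set().union(*managed.values())
    mismatched = sorted(c for c in union if any(c not in s for s in managed.values()))
    report["fleet"] = [("community-mismatch", c) for c in mismatched]
    return report


if __name__ == "__main__":
    for device, items in audit_fleet(CONFIGS).items():
        for category, detail in items:
            print(f"{device}: {category}: {detail}")
```

On the constructed configurations core-sw-1 is flagged for the contractor01 account, the "public" community, a duplicated MGMT-IN entry and Telnet on the vty lines, while the fleet-level check reports that the two devices use different RW community strings. Each category maps directly to one of the non-compliances in the paragraph above, so the output can be filed as the health-check record for that quarter.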

  • Lack of clarity on preferred Vendors/Products

Another common problem network administrators face is that the organization keeps switching vendors. Vendors and top management do not involve network administrators in decision making, even though they are best placed to advise on the compatibility of a new product with the existing infrastructure and on scalability requirements. Technical staff can really help in identifying the right product, solution or vendor based on their past experience and current requirements. Additionally, preparing an organization-level guideline on preferred vendors and products will standardize the network design.

  • Unavailability of cabling-layout

It is a known fact that most network problems are related to the physical layer, i.e. cabling and connectors, yet a detailed and updated cabling diagram of racks, uplinks, backbone, redundant ducts and so on is usually not available to network administrators. The root cause of long downtime after cable damage, of service disruption while commissioning a new link and of port mismatches while commissioning new network devices is mostly the unavailability of a cabling layout.

  • Unavailability of updated Network-Diagrams

Similar to the previous vulnerability, network diagrams are usually prepared at the time of a new site commissioning or project initiation. Later on, people forget to record the changes, and one fine day a problem becomes so large that a long downtime and proper tracing of every link become the only option left. At times you will even find that support engineers from your Internet Service Provider (ISP) do not know the circuit IDs for the links commissioned at your premises, and while one link is being troubleshot other links get disturbed as well.

Apart from downtime, other common problems arising from the unavailability of updated network diagrams are routing loops, inefficient routing paths, mis-configurations during change implementation and undetected rogue devices.

  • Overloaded power-supply

A failover firewall, or for that matter any redundant device, is of no use if the power strip feeding it short-circuits or trips. Therefore plan power requirements properly. Apart from redundant devices and spares inventory, plan for redundant power: redundant not only in terms of source, i.e. UPS, but also in the number of power sockets available and the maximum load capacity of each power strip.

  • Insufficient Rack-Space

Ask a network administrator which activity consumes most of his time, and I would not be surprised if he replied that it is managing patch cords in racks. Generally, racks are ordered based on the device size given in the device specifications, so the purchase department can easily order a 24U rack for sixteen 48-port switches of 1U each. What they usually do not realize is that the 48 patch cords coming out of a 1U switch can easily block 3U of space, and such congested racks are prone to cabling issues. Additionally, a great deal of heat builds up because of the lack of space between devices, and there is a high probability of device failure or high error rates.

  • Improper Grounding of racks

Just as stray current is harmful to home appliances, it is harmful to IT infrastructure. So ensure that every rack is properly grounded and that there is no current flowing on the neutral wires of the rack.

  • Unavailability of regular automated vulnerability scans on the network

A common tool used by script kiddies and inside attackers alike is a network vulnerability scanner such as Nessus. A regular scan of all critical devices helps administrators identify vulnerabilities before an attacker exploits them. Moreover, it saves a lot of manual labour during the regular health-check of devices and helps identify any leftover mis-configurations.

  • Insufficient Service Level Agreements (SLAs)

SLAs come in two forms: first, those applicable to vendors, such as the SLAs ISPs provide to the organization; second, those applicable to the IT staff itself towards the organization's internal projects.

The most common problem with the first type is that vendors avoid giving back-to-back SLAs, meaning that if your vendor or ISP depends on another vendor, they try to avoid taking responsibility for that vendor. In such a scenario, if a problem occurs your ISP may disown it and simply respond that they can do nothing because the problem is not in their network but somewhere in the back end.

With the second type, the problem is that the network team is always under tremendous pressure from projects and management to commission the network as early as possible. As a result, the network team may design a sub-optimal network, or a change request may be approved without proper review. Ambiguity in these SLAs also leads to frequent escalations and low morale in the network team.

In a nutshell

The best thing about common-sense tips is that they do not require a lot of analysis, return on investment (ROI) calculation or business case preparation to prove their benefits. Certainly, internal IT infrastructure is a cost to the company, but it is advisable not to increase that cost further through high downtime, a high number of problem tickets, outdated devices, higher insurance premiums and network attacks.

The recommended solution for each of these vulnerabilities is evident in its name. Just by converting unavailability into availability and insufficiency into sufficiency, you can turn your organization's network into a far more secure and stable one. Notice that the key to success is exercising these good practices on a day-to-day basis.

The author is a Security Consultant in the Information Risk Management Competency, Global Consulting Practice (GCP), Tata Consultancy Services Ltd. shardul.singh@tcs.com / singhshardul.blogspot.com
