Guard the Castle: Protect Your Network

From YWAMKnowledgeBase

In the last article we saw that we cannot buy-and-forget a computer: we have to maintain it, and the anomalies that call for such maintenance are (perhaps) easier to spot on a car than on a computer. Installing updates is one important part of this maintenance; running an anti-virus and a firewall is another. However, if you are responsible for the whole network of your base, it is even more critical.

A network consists of three categories of devices:

  1. Clients (Computers with a person sitting in front of them)
  2. Servers (Computers that run 24/7 so that others can access them, e.g. file server, web server, ...)
  3. Hardware devices (Small computers that don't even have a keyboard, such as routers, switches, modems, ...)

For each category we will discuss why it has to be secured and suggest how to do it.

  1. You, as the network administrator, have to ensure that all clients follow the advice given in the referenced article. If they don't, if even one person doesn't, they put the whole network in danger. If only one person gets "bombed" (i.e., infected by a virus), the attacker has a foothold inside the network, which means that he can reach the servers, infect other clients, and may even be able to eavesdrop on what other clients are sending and tamper with it without their knowledge. (That's why SSL/TLS should be used for critical applications, without clicking through certificate warnings or adding "security exceptions": an attacker on the inside can present his own certificate, and that warning is the only thing that gives him away.) So how can you ensure this?
    • First, set up a network policy. Define hard requirements a computer has to meet in order to get access to your network / internet, e.g. "Anti-virus has to be installed and kept up-to-date."
    • Check every new computer for these requirements before it is allowed on the network / internet. (MAC filtering may be an option here, or set up the DHCP server so that it only answers known MAC addresses. Bear in mind that a MAC address can be changed in software in seconds and a manually configured IP address bypasses DHCP entirely, so this is an administrative gate that makes people come to you, not a barrier against a deliberate intruder.) They will have to show up, you can check their computer, and explain why the policy is used at your base.
    • If you cannot check every computer (e.g. a mass event where you want to give internet access to everyone), separate these participants' computers from the internal network (VLAN or firewall), or even from one another (client isolation on the access point, or a DMZ-like separate segment).
    • Actively check whether the policy is complied with. You could schedule the clients to be checked once a year. For privately owned clients, you could block their internet access so that they show up in your office again (if they need internet again).
    • Check the clients for security vulnerabilities and open ports. A network scanner (e.g. nmap) greatly simplifies this task. Note that an unexpected open port can also be a sign of malware waiting for commands, so compare what you find against what each machine is supposed to offer, not only against a list of known holes.
    • Check whether someone has managed to get inside the network. You can do this with an IDS (Intrusion Detection System). Also, be suspicious if unexpected behaviour appears in your network.
  2. As servers are always on, and are sometimes directly reachable from the internet, they are more likely to be the target than a client. So updates, firewall + anti-virus are a must. Even more, you should keep yourself informed about upcoming updates and newly discovered attack methods (by subscribing to http://h-online.com/, for example). Furthermore:
    • Keep logs of what happens on the server (e.g. IPs that log in, requests to the server, ...) and check these logs at regular intervals. Many attacks are easy to detect and almost certainly do not damage your server, but it is nevertheless important to know that your server has been attacked. If a certain IP attacks you several times, block it in your firewall (if possible, in the hardware firewall in front of the server, so the traffic never reaches it), and notify the owner of the IP: most of the time it is not the hacker's own IP, but another computer that has been hacked. Such blocks are short-lived by nature, since attackers move on to other compromised machines; the log entry and the notification are what last.
    • Document every important incident. (When, how, why, what has been done to prevent a recurrence.)
    • Be careful when changing the configuration. Almost every configuration switch has security implications. Document changes (when, who, what, for what purpose).
    • Back up your server. Keep at least one copy where an intruder on the server cannot reach it (offline, or on a machine the server cannot log in to); otherwise the backup goes the way of the server.
    • If you have the impression that somebody has logged into the server without permission, reinstall the server from scratch and change all passwords (and keys) that were stored on it or used from it; restore data only from a backup taken before the intrusion. There are many ways an attacker can leave himself hidden doors once he is inside the computer, and you will not find them all by looking.
  3. Even hardware devices can be vulnerable. Keep yourself informed and install firmware updates when necessary.
    Note that the highest level of access to any device is physical access. If somebody can touch the machine, you can't really stop him from bypassing the passwords. In the case of a hardware device, he just has to press the configuration reset button, log in with the default password, install a modified firmware (one that, for instance, redirects every download of an executable to his own server) and then put it back into the network. Ten minutes later, everything seems fine, except ... the OpenOffice installer is only 4 MB now. (A great way to save bandwidth!) In the case of a server, he can boot from CD-ROM and change the contents of the hard drive. You can't do much against it: even a password-protected BIOS only slows him down (full-disk encryption stops him from reading or silently altering the data, but not from wiping the machine), so you have to prevent physical access. So:
    • Lock the room where the servers are. (Normally you'd call this room the server room, but at YWAM, I'm not sure. Ever seen a real server room?) Nobody except the IT guys should have keys to that room.
    • Try to install the switches etc. in a locked cabinet (so that the normal user can't even plug in new cables); alternatively, mount them near the ceiling so that they can't be reached without a ladder.
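The port-scan bullet under point 1 can be turned into a routine. The script below is an added example, not code from the original article: it parses the "grepable" output of nmap (`nmap -oG - -p- 192.168.10.0/24`; the address range, host names and the policy table are assumptions made for the example) and lists every open port that the policy for that machine does not expect, so that a yearly client check, or a bot listening on a client, shows up as a short list instead of pages of scan output. The embedded scan output is constructed, not a real scan.

```python
import re
from collections import defaultdict

# Constructed sample of what `nmap -oG - -p- 192.168.10.0/24` prints (-oG = "grepable"
# output). Addresses, host names and the scan itself are made up for this example.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated Sun Mar  3 09:00:00 2024 as: nmap -oG - -p- 192.168.10.0/24
Host: 192.168.10.5 (fileserver.base.lan)\tStatus: Up
Host: 192.168.10.5 (fileserver.base.lan)\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (65533)
Host: 192.168.10.23 ()\tStatus: Up
Host: 192.168.10.23 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 6667/open/tcp//irc///\tIgnored State: filtered (65532)
Host: 192.168.10.42 (laptop-anna.base.lan)\tStatus: Up
Host: 192.168.10.42 (laptop-anna.base.lan)\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (65534)
# Nmap done at Sun Mar  3 09:31:12 2024 -- 256 IP addresses (3 hosts up) scanned
"""

# Policy (an assumption for the example): which listening ports each machine is allowed
# to have. Any address not listed is treated as a client and must not listen at all.
POLICY = {
    "192.168.10.5": {22, 445},   # file server: SSH for admins, SMB for users
}
CLIENT_ALLOWED = set()

# One port entry in -oG output looks like  port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")

def parse_grepable(text):
    """Return {ip: {port: service}} for every open port in nmap -oG output."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment lines and blank lines
        ip = line.split()[1]
        ports_field = next((f for f in line.split("\t") if f.startswith("Ports:")), None)
        if ports_field is None:
            continue                      # "Status: Up" line, carries no port information
        for port, state, _proto, service in PORT_RE.findall(ports_field):
            if state == "open":
                hosts[ip][int(port)] = service or "unknown"
    return dict(hosts)

def find_unexpected_ports(hosts, policy=POLICY, client_allowed=CLIENT_ALLOWED):
    """List (ip, port, service) for every open port the policy does not allow."""
    findings = []
    for ip, ports in sorted(hosts.items()):
        allowed = policy.get(ip, client_allowed)
        for port, service in sorted(ports.items()):
            if port not in allowed:
                findings.append((ip, port, service))
    return findings

if __name__ == "__main__":
    for ip, port, service in find_unexpected_ports(parse_grepable(SAMPLE_SCAN)):
        print(f"{ip}: {port}/{service} is open but not allowed by policy")
```

Run the real scan with `-oG scan.txt` and feed that file to `parse_grepable`. Anything reported for a client address is, by the policy above, either a misconfiguration or something to look at in person; a port such as 6667/irc on a laptop is exactly the "malware waiting for commands" hint mentioned above, and an unlisted file-sharing port on a client is a policy violation worth a visit.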
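For the log review under point 2, here is an added example (again not from the original article) that reads sshd lines in the syslog format found in /var/log/auth.log (Debian) or /var/log/secure (RHEL) and does two of the checks described above: it finds addresses that hammer the server with failed logins and produces the firewall commands to block them, and, more importantly, it flags a successful login from an address that had been failing shortly before, which is the kind of evidence that should trigger the "reinstall from scratch" rule. The log lines are constructed, the addresses are documentation ranges, and the year (which syslog lines omit) is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the syslog format sshd uses. The addresses are documentation
# ranges, not real attackers; the host name "web" and the timestamps are made up.
SAMPLE_AUTH_LOG = """\
Mar  3 10:12:01 web sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:12:04 web sshd[2233]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 10:12:07 web sshd[2235]: Failed password for invalid user test from 203.0.113.7 port 51138 ssh2
Mar  3 10:12:11 web sshd[2237]: Failed password for root from 203.0.113.7 port 51144 ssh2
Mar  3 10:12:15 web sshd[2239]: Failed password for root from 203.0.113.7 port 51150 ssh2
Mar  3 10:12:20 web sshd[2241]: Failed password for root from 203.0.113.7 port 51161 ssh2
Mar  3 10:13:00 web sshd[2250]: Accepted publickey for deploy from 192.168.10.42 port 53000 ssh2
Mar  3 10:15:00 web sshd[2261]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar  3 10:40:00 web sshd[2300]: Accepted password for root from 203.0.113.7 port 52000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_auth_log(text, year=2024):
    """Return a list of login events. Syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # other daemons, or sshd lines that are not login results
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events

def find_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """{ip: total failures} for IPs with >= threshold failed logins inside any `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e["ts"])
    offenders = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                offenders[ip] = len(times)
                break
    return offenders

def find_suspicious_logins(events):
    """Successful logins from an IP that had failed earlier in the log: possible compromise."""
    seen_failures = set()
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "Failed":
            seen_failures.add(e["ip"])
        elif e["ip"] in seen_failures:
            hits.append((e["ts"], e["user"], e["ip"], e["method"]))
    return hits

def block_rules(ips):
    """iptables commands that drop the offenders; adapt for the gateway firewall if you have one."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]

if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    offenders = find_brute_force(events)
    for ip, n in offenders.items():
        print(f"{ip}: {n} failed logins, notify the owner and block:")
    for rule in block_rules(offenders):
        print("  " + rule)
    for ts, user, ip, method in find_suspicious_logins(events):
        print(f"WARNING {ts}: '{user}' logged in by {method} from {ip} after earlier failures")
```

The brute-force list is the routine finding: notify the owner of the address (look up the abuse contact with `whois`) and block it. The last line of the sample is the one that matters: a password login as root from the same address that was guessing passwords half an hour earlier means the guessing worked, and by the rule above the server is reinstalled, not cleaned.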

If keeping a computer secure may be compared to maintaining a car, guarding a network is like guarding a castle. Some rooms (here: the servers) are highly critical, but all rooms and all entrances have to be watched. If you define your role as administrator as "keep everything up and running", don't let it become the equivalent of "as long as my computer works, I don't have to change anything". Be alert. Improve your network security from year to year.

P.S. If you say "We are only a YWAM base, why would anybody attack us?", I want to answer: "What makes you think there will be no technical attacks, only spiritual ones?" My impression is that most attacks are simply attempts to gain control over as many computers as possible, to send spam for example. As these attackers are after easy prey in large numbers, they will likely come and go very quickly. The remaining attacks, however, are well-prepared and ill-intentioned. It is quite possible that a "bad" guy hires a "bad" hacker to do "bad" things. And don't think erasing your disk would be the worst case. This second type of attack is very targeted: if their goal is to gain internal information, they will copy the data they find and then disappear, in order to avoid being noticed. Try to do your best, God is with you.