Sanctioning Services

(The following was prepared in response to a recent invitation to describe “two dangerous but common security mistakes companies make”)

Rather than looking at this in terms of mistakes, I’d rather take this as a chance to describe two simple things network administrators can do to have an immediate positive impact on data security:

1) Don’t get frustrated with the perceived ineffectiveness of training. Commit yourself to remain the tireless herald of best practices; every individual who adopts even a single good behavior or habit helps the fight, and can spread the knowledge.

2) Since we’re all well aware that malware today is economically motivated big business, we should be looking at simple and broadly implementable ways to incapacitate the pieces of widespread deviant technology use that underlie that business model. A Fortune 500 company might be able to implement the latest multi-core deep-packet inspection and NAC technologies, but most home-office and SMB networks cannot; the irony is that because the latter group is typically unmanaged (i.e. lacking an IT staff or well-fortified layers of defense), they are the ones most susceptible to being ensnared by today’s biggest threat: the proliferation of botnets. And what, economically, drives botnets? Five major things:

a) the ability to capture credentials or other resalable confidential information
b) the ability to send spam to sell products, stocks, etc., or as a lure to sites with some kind of malicious payload
c) the ability to host DNS and HTTP sites (fast flux networks) to serve up the content visited by victims of “b” above
d) the ability to launch a DDoS attack for extortion or against an enemy (e.g. anti-spam/virus company, or political)
e) the ability to propagate itself so that the army becomes stronger and more able to do “a” through “d”

Assuming that prevention has failed and a host is already infected, there is still the opportunity, even with unelaborate networking equipment, to disable three of the five items above. More importantly, it can almost always be done with no noticeable or deleterious effect on users. How? Sanctioned services.

The idea of sanctioned services is effective but simple: only known, approved hosts should be talking certain protocols; any other host using those protocols should be considered anomalous. For example, if your network has an SMTP server, only that server should be allowed to send SMTP through the gateway; any other ‘unsanctioned’ outbound SMTP activity should be dropped and logged, and should be an immediate red flag that the host might be infected with a spambot. Other examples of easily detectable, often suspicious traffic that should similarly be sanctioned are inbound (Internet-to-internal host) HTTP and DNS, and outbound (internal host-to-Internet) NetBIOS, SMB, and RPC traffic. Who can effect this? Anyone who controls a gateway – business or residential.
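As an added illustration (not code from the original post), here is a small Python policy engine for the sanctioned-services idea: a table of services (SMTP out, HTTP and DNS in, NetBIOS/SMB/RPC out) each with the set of internal hosts allowed to use it, a function that classifies gateway-crossing flows from a constructed flow log as ACCEPT, DROP (unsanctioned, to be logged) or PASS (policy silent), and a generator that emits the equivalent iptables FORWARD rules. The LAN prefix 192.168.1.0/24, the host addresses, the WAN interface name eth0 and the flow-log format are all assumptions made for the example.

```python
"""Sanctioned services: only approved hosts may speak certain protocols
through the gateway; every other flow on those ports is dropped and logged.
Added example; addresses, interface and log format are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.1.0/24")   # assumed LAN prefix behind the gateway

@dataclass(frozen=True)
class Sanction:
    name: str
    direction: str            # "out": internal -> Internet, "in": Internet -> internal
    proto: str                # "tcp" or "udp"
    port: int                 # destination port that identifies the service
    allowed_hosts: frozenset  # internal hosts sanctioned for this service

# Assumed policy: one mail relay (.10), one public web/DNS box (.20),
# and nobody may send NetBIOS/SMB/RPC to the Internet.
POLICY = [
    Sanction("smtp", "out", "tcp", 25, frozenset({"192.168.1.10"})),
    Sanction("http", "in", "tcp", 80, frozenset({"192.168.1.20"})),
    Sanction("dns", "in", "udp", 53, frozenset({"192.168.1.20"})),
    Sanction("netbios-ns", "out", "udp", 137, frozenset()),
    Sanction("netbios-ssn", "out", "tcp", 139, frozenset()),
    Sanction("smb", "out", "tcp", 445, frozenset()),
    Sanction("msrpc", "out", "tcp", 135, frozenset()),
]

def direction_of(src, dst):
    """'out' for LAN->Internet, 'in' for Internet->LAN, None otherwise."""
    s_in, d_in = ip_address(src) in INTERNAL, ip_address(dst) in INTERNAL
    if s_in and not d_in:
        return "out"
    if d_in and not s_in:
        return "in"
    return None   # LAN-internal or transit traffic: not a gateway decision

def evaluate(flow):
    """Return (verdict, reason); verdict is ACCEPT, DROP or PASS."""
    d = direction_of(flow["src"], flow["dst"])
    if d is None:
        return "PASS", "not a gateway-crossing flow"
    internal_host = flow["src"] if d == "out" else flow["dst"]
    for s in POLICY:
        if s.direction == d and s.proto == flow["proto"] and s.port == flow["dport"]:
            if internal_host in s.allowed_hosts:
                return "ACCEPT", f"{internal_host} is sanctioned for {s.name}"
            return "DROP", f"unsanctioned {d}bound {s.name} involving {internal_host}"
    return "PASS", "no sanction covers this service"

def parse_flow(line):
    """Constructed flow-log format: '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return {"src": src, "dst": dst, "proto": proto, "dport": int(dport)}

def audit(lines):
    """Classify every non-empty log line; returns [(line, verdict, reason), ...]."""
    return [(ln, *evaluate(parse_flow(ln))) for ln in lines if ln.strip()]

def iptables_rules(policy=POLICY, wan="eth0"):
    """Equivalent iptables FORWARD rules: accept sanctioned hosts, rate-limited log, then drop."""
    rules = []
    for s in policy:
        iface = f"-o {wan}" if s.direction == "out" else f"-i {wan}"
        match = f"-A FORWARD {iface} -p {s.proto} --dport {s.port}"
        for h in sorted(s.allowed_hosts):
            addr = f"-s {h}" if s.direction == "out" else f"-d {h}"
            rules.append(f"iptables {match} {addr} -j ACCEPT")
        rules.append(f'iptables {match} -m limit --limit 10/min -j LOG --log-prefix "UNSANCTIONED-{s.name.upper()} "')
        rules.append(f"iptables {match} -j DROP")
    return rules

# Constructed sample flows: a legitimate relay, a spambot, web browsing,
# inbound HTTP to the web server and to a workstation, outbound SMB, LAN SMB.
SAMPLE_FLOWS = """\
192.168.1.10 203.0.113.25 tcp 25
192.168.1.37 203.0.113.25 tcp 25
192.168.1.37 203.0.113.9 tcp 443
198.51.100.7 192.168.1.20 tcp 80
198.51.100.7 192.168.1.37 tcp 80
192.168.1.37 198.51.100.7 tcp 445
192.168.1.37 192.168.1.10 tcp 445
"""

if __name__ == "__main__":
    for line, verdict, reason in audit(SAMPLE_FLOWS.splitlines()):
        print(f"{verdict:6} {line:36} {reason}")
    print("\n".join(iptables_rules()))
```

The DROP verdicts are the red flags the post describes: a workstation speaking SMTP or SMB to the Internet, or receiving HTTP from it, when only the designated servers are sanctioned. In a real ruleset the generated rules belong after the usual ESTABLISHED,RELATED accept so that replies to legitimate sessions are never matched, and the `-m limit` on the LOG target keeps a chatty spambot from flooding syslog.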

In today’s age of UTM, NAC, deep-packet inspection, and next-generation firewalls this technique might seem antiquated – but that doesn’t make it any less effective.
