Dec 17 2012

5 Essential changes to harden Network Infrastructure

Category: Network security | DISC @ 4:09 pm

A first principle of vulnerability assessment: a vulnerability cannot be exploited if no threat exists to exploit it. It follows that any service (port) not required on a system (server) presents an unnecessary threat, because it can be exploited the moment a specific vulnerability exists in that service.

These unnecessary and unattended services are also the prime target of an attacker: they are found during reconnaissance, and their vulnerabilities are then exploited to get into the system. Modern networks must be resilient enough to handle not only the availability and bandwidth demands of traffic but also the daily barrage of attacks. Information security is a necessary evil to stay in business (a cost of doing business) today. Compliance and regulatory fines aside, InfoSec is treated as a business enabler in today’s business suite.

Below are five services which must be disabled unless there is a business reason to run them. If you do have to enable one of these services, apply compensating controls to reduce the associated risk to an acceptable level.

1. Finger – finger is a TCP Unix service (port 79) used to determine who is logged on to a system. Once an attacker knows valid usernames, all that remains is to find their passwords, and there are plenty of brute-force tools out there to do that. The same lookup can be provided by more secure services (such as whois), which may minimize the risk in your environment. So make sure this service is disabled on all devices.

2. Telnet – used for remote device management, i.e. to get into a system, so no wonder it is a gold mine for a hacker. Like FTP, Telnet communicates in clear text, so it is an insecure protocol. It should be replaced with a secure service such as SSH (port 22).

3. HTTP – the most common user-friendly web interface today. Because it is so common, hackers have discovered several methods of exploiting HTTP services. Beside that, HTTP is a clear-text protocol as well, which gives a hacker an extra advantage. It should be replaced with a secure service such as HTTPS (port 443).

4. NTP – Network Time Protocol is used to synchronize all clocks with a remote time server, which also keeps all logs in sync for forensics or incident handling. If NTP is not required on a system, it should be disabled.

5. ICMP – is a data link layer protocol which provides information about neighboring network devices. An ICMP flood, also known as a Ping flood or Smurf attack, is a type of Denial of Service attack that sends large amounts of (or just over-sized) ICMP packets to a machine in an attempt to crash its TCP/IP stack and cause it to stop responding to TCP/IP requests. Sometimes it is necessary to enable this protocol when troubleshooting, so enable it only when necessary; otherwise keep it disabled.
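To turn the list above into a repeatable check, here is an added example (not code from the original post) that audits a Linux host’s listening sockets against the five services. It parses the output of `ss -Hlntu` and reads the `icmp_echo_ignore_all` sysctl value; finger/79, SSH/22 and HTTPS/443 come from the post, while telnet/23 and NTP/123 are the standard IANA ports and are assumptions of this example.

```python
"""Audit listening sockets against the five services the post says to disable.

Constructed example, not part of the original post. Feed it the output of
`ss -Hlntu` and the contents of /proc/sys/net/ipv4/icmp_echo_ignore_all.
Telnet/23 and NTP/123 are the standard IANA ports (assumed, not from the post).
"""
from __future__ import annotations

# Port -> (service name, the remediation the post recommends)
UNWANTED_PORTS = {
    79:  ("finger", "disable; use a lookup service such as whois instead"),
    23:  ("telnet", "disable; manage devices over SSH (port 22)"),
    80:  ("http",   "disable or redirect to HTTPS (port 443)"),
    123: ("ntp",    "disable unless this host must synchronise time"),
}

def parse_ss(ss_output: str) -> list[tuple[str, int]]:
    """Return (proto, port) pairs from `ss -Hlntu` lines.

    Columns: Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
    The local address may be IPv4, [IPv6] or '*'; the port follows the last ':'.
    """
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue                      # skip blank or truncated lines
        proto, local = fields[0], fields[4]
        port = local.rsplit(":", 1)[-1]
        if port.isdigit():
            found.append((proto, int(port)))
    return found

def audit(ss_output: str, icmp_echo_ignore_all: str = "0") -> list[str]:
    """Return one finding per unwanted service exposed on this host."""
    findings = []
    for proto, port in sorted(set(parse_ss(ss_output))):
        if port in UNWANTED_PORTS:
            name, advice = UNWANTED_PORTS[port]
            findings.append(f"{name}/{proto} listening on port {port}: {advice}")
    if icmp_echo_ignore_all.strip() == "0":   # "0" means echo requests are answered
        findings.append("icmp echo replies enabled: keep disabled unless troubleshooting")
    return findings

# Constructed sample of `ss -Hlntu` from a host that still runs telnet and http
SAMPLE_SS = """\
udp   UNCONN 0 0      0.0.0.0:123        0.0.0.0:*
tcp   LISTEN 0 128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0 128    0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0 511          *:80               *:*
tcp   LISTEN 0 511       [::]:443           [::]:*
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_SS):
        print(finding)
```

On a live host, run it as `audit(subprocess.check_output(["ss", "-Hlntu"], text=True), open("/proc/sys/net/ipv4/icmp_echo_ignore_all").read())`; SSH and HTTPS are deliberately not flagged because the post recommends them as replacements.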

Please feel free to comment and add more services which you think should be on this list.


Tags: Denial-of-service attack, HTTP, HTTP Secure, Hypertext Transfer Protocol, Information Security, Internet Control Message Protocol, Network Time Protocol, Smurf attack

One Response to “5 Essential changes to harden Network Infrastructure”

  1. disc7 says:

    Will it help L2 DoS attack if you disable ICMP?

    ICMP is usually used for network troubleshooting at layer 3, which can be used for DDoS attacks from outside. So I will say ICMP is a necessary evil, so enable it when you need it; otherwise it should remain disabled.

    ARP and ICMP are layer 3 – Network Layer.

    Layer 2 is Ethernet, PPP, HDLC, DSL, frames, network switching, CAM table, MAC address …

    So ICMP DDoS attack is possible only at L3 since it is a L3 protocol. Examples of L2 DDoS attacks are manipulation of wireless frame content or CAM table overflow. Therefore I agree that disabling ICMP will not help L2 DoS attacks.

    A layer 2 attack is hard to achieve from the outside world. The effect of a DoS attack on L2 takes another dimension as the bandwidth is considerably higher.

    Ex: L2 uses CAM table overflow attack. Content-Addressable Memory (CAM) (ARP) table address-learning process.

    Countermeasure: limit the amount of MAC addresses to be learned per port.
