Finding the loopholes and soft spots in a network can be difficult for anyone, be they network administrator or security auditor. Network speeds are growing with widespread adoption of 10G and initial deployments of 40G, plus increasing cross-connectivity that is difficult to police with enough granular policy enforcement. Application complexity is likewise growing, with increasing horizontal scalability of applications through separation of systems and large-scale virtualization. Both of these trends combine to increase the initial attack surface and expand the potential exploitability of historically small flaws.
In short: networks of services are getting more complex, and that complexity leads to vulnerabilities which are more serious than they would have been. Given that these vulnerabilities exist, it’s important that you find and fix them, rather than an attacker.
Below are three straightforward ways to find the holes in your system before someone else does.
1. Hack Yourself
“Hacking yourself” means checking your systems for known (and potentially unknown) vulnerabilities. The easiest way to get started with this is to use pre-built tools and services which are frequently updated with the knowledge of what to look for. Security researchers constantly publish information about new exploits, which means that a security test run 6 months ago says nothing reliable about the state of your systems today.
Start with your externally-facing systems, since those are the ones that are most obviously reachable by an external attacker. Try to adjust your administrative mentality to allow continuous testing, touching every system on a daily basis. There’s a great discussion about this in the Risky Business Podcast, episode 261.
A good tool will also check for “unknown” vulnerabilities in your application using techniques like SQL injection, in which the scanner attempts to send database commands through your application directly to the database. When used by an attacker, SQL injection is a potentially serious application flaw that can allow massive amounts of data to be stolen – such as the entire list of usernames and password hashes – with minimal effort.
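As an added illustration (not code from the article), the flaw a scanner probes for and its parameterized fix, side by side, using an in-memory SQLite table with constructed rows; the tautology probe is the kind of input a scanner submits to decide whether user text is reaching the database as SQL.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for an application's user store (example data only).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn

def lookup_vulnerable(conn, username):
    # The query is assembled by string concatenation, so whatever the caller
    # supplies is parsed by the database as SQL. This is the defect a scanner looks for.
    sql = "SELECT username, pw_hash FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    # Same query with a bound parameter: the input is always treated as data,
    # never as part of the statement.
    sql = "SELECT username, pw_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# A scanner's tautology probe: if it changes the result set, the endpoint is injectable.
PROBE = "x' OR '1'='1"

def demo():
    """Return (rows leaked by the vulnerable lookup, rows returned by the fixed one)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, PROBE)     # every username and hash comes back
    safe = lookup_parameterized(conn, PROBE)    # no user is literally named PROBE
    return len(leaked), len(safe)
```

The first number is the whole table, which is exactly the “entire list of usernames and password hashes” outcome described above; the second is zero.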
2. Capture, Capture, Capture
Network recorders are becoming a more common tool in high-value environments, because they allow reconstruction of events after a security incident has occurred. The variety of log types and output for various applications can make it difficult to reconstruct the sequence of events in a breach. I’ve seen web servers that didn’t log an attack at all, because the request didn’t “complete” according to the web server, despite the fact that the attacker successfully extracted lots of data. However, packets don’t lie, so packet capture will show you what happened, from where.
Network recorders are also useful for tracking down “pivot” attacks, in which an outside system is compromised, then used to attack an internal system. If there are known patterns of application interaction – front end servers should only send certain SQL queries, and only to certain databases – then finding something else, like a ping from the server, or an outbound SSH connection, is an indication that something unusual is going on.
3. Sniff Out the Rogues
Self-hacking shouldn’t stop at external systems, because there are ways into the heart of a network through other means. A classic example is a rogue Wi-Fi user. Older wireless security protocols afford little protection these days: WEP is fairly easy to crack, and even WPA has some “dents” in its encryption. The most secure setup uses WPA2-Enterprise, with specific user access per machine. Similar protection comes from 802.1X, which got a bad reputation with first-generation wired NAC products, but which provides a valuable extra layer of unique keying in Wi-Fi. Once you have a reasonable user authentication layer in place, failed authentication becomes your best friend in finding brute-force attacks.
Another way intruders gain access to the internal network is by attacking individual user machines, usually through a malicious download via the web browser. While anti-virus can help detect common worms, viruses, and Trojans, it’s no guarantee against a targeted attack. Classic “back door” tools used IRC to communicate with a remote controller, so it’s useful to watch for ports 194, 6666, 6667, and other “non-standard” ports. Other tools may use HTTP, which makes it useful to watch out for long-lived connections and “ghost” browsing: connections from PCs after the users have gone home.
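The checks from the two passages above (a front-end server that should only talk SQL to its databases, IRC control ports, long-lived HTTP sessions, and after-hours browsing from user PCs) as one small hunting pass over recorder output. This is an added example, not the author's or WildPackets' code; the host roles, the MySQL port, the one-hour threshold, the working hours and the flow records are all constructed for illustration.

```python
from datetime import datetime

# Constructed inventory: which hosts play which role on this example network.
FRONTEND = {"10.0.1.10"}
DATABASES = {"10.0.2.20"}
WORKSTATIONS = "10.0.3."          # user PCs live in this prefix
DB_PORT = 3306                    # assumed MySQL listener on the database tier
IRC_PORTS = {194, 6666, 6667}
WEB_PORTS = {80, 443}
LONG_LIVED_S = 3600               # an HTTP session open for over an hour is worth a look
WORK_HOURS = range(7, 20)         # PC web traffic outside 07:00-19:59 is "ghost browsing"

def classify(flow):
    """Return the findings for one flow record (empty list when it looks normal)."""
    ts = datetime.strptime(flow["start"], "%Y-%m-%d %H:%M:%S")
    src, dst, proto, dport, dur = (flow[k] for k in ("src", "dst", "proto", "dport", "duration"))
    findings = []
    # Front ends may only send SQL to the database tier; a ping or SSH from them is a pivot sign.
    if src in FRONTEND and not (proto == "tcp" and dst in DATABASES and dport == DB_PORT):
        findings.append("frontend-unexpected-traffic")
    if proto == "tcp" and dport in IRC_PORTS:
        findings.append("irc-port")
    if proto == "tcp" and dport in WEB_PORTS and dur > LONG_LIVED_S:
        findings.append("long-lived-http")
    if src.startswith(WORKSTATIONS) and dport in WEB_PORTS and ts.hour not in WORK_HOURS:
        findings.append("ghost-browsing")
    return findings

def hunt(flows):
    """Map (src, dst, dport) to findings for every flow that tripped a rule."""
    report = {}
    for f in flows:
        hits = classify(f)
        if hits:
            report[(f["src"], f["dst"], f["dport"])] = hits
    return report

# Constructed flow records in the shape a recorder might export them.
SAMPLE_FLOWS = [
    {"start": "2024-03-04 10:15:00", "src": "10.0.1.10", "dst": "10.0.2.20", "proto": "tcp", "dport": 3306, "duration": 2},
    {"start": "2024-03-04 10:16:00", "src": "10.0.1.10", "dst": "10.0.2.21", "proto": "icmp", "dport": 0, "duration": 0},
    {"start": "2024-03-04 10:17:00", "src": "10.0.1.10", "dst": "10.0.2.30", "proto": "tcp", "dport": 22, "duration": 300},
    {"start": "2024-03-04 14:00:00", "src": "10.0.3.15", "dst": "203.0.113.9", "proto": "tcp", "dport": 6667, "duration": 900},
    {"start": "2024-03-04 14:05:00", "src": "10.0.3.16", "dst": "198.51.100.7", "proto": "tcp", "dport": 443, "duration": 7200},
    {"start": "2024-03-04 23:30:00", "src": "10.0.3.17", "dst": "198.51.100.8", "proto": "tcp", "dport": 80, "duration": 12},
    {"start": "2024-03-04 11:00:00", "src": "10.0.3.18", "dst": "198.51.100.9", "proto": "tcp", "dport": 443, "duration": 30},
]
```

Only the two normal flows (the SQL query and the daytime browsing session) come back clean; the other five each carry one finding.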
The fact of the matter is, sometimes there are vulnerable spots that we can’t find with surface monitors, and a deeper dive is necessary to identify weaknesses that could lead to a breach. Keep in mind that the best way to stay on top of your network and actually locate holes is by taking action early and often.
Author Profile - Jim MacLeod is a Product Manager at WildPackets. He has been in the networking industry since 1994, and started doing protocol analysis in 1996. His experience includes positions in firewall and VPN setup and policy analysis, log management, Internet filtering, anti-spam, intrusion detection, network monitoring and control, and of course packet sniffing.