Network Security Fundamentals: Egress Filtering
By Securosis Blog, 2010-03-18 at 18:06:34
As we wrap up our initial wave of Network Security Fundamentals, we've already discussed Default Deny, Monitoring everything, Correlation, and Looking for Not Normal. Now it's time to see if we can actually get in the way of some of these nasty attacks. So what are we trying to block? Basically, a lot of the issues we find through looking for not normal.

The general idea involves implementing a positive security model not just for inbound traffic (default deny), but for outbound traffic as well. This is called egress filtering, and in practice it is basically turning your perimeter device inside out and applying policies to outbound traffic. This defensive tactic ensures that non-standard ports and protocols don't make their way out of your network. Filtering can also block reconnaissance tactics, network enumeration techniques, outbound spam bots, and those pesky employees running Internet businesses from within your corporate network. Amazingly enough this still happens, and too many organizations are none the wiser.

Defining Egress Filtering Policies
----------------------------------

Your best bet is to start with recent incidents and their root causes. Define the outbound ports and protocols which allowed the data to be exfiltrated from your network. Yes, this is obvious, but it's a start, and you don't want to block everything. Not unless you enjoy being ritually flayed by your users.

Next, leverage the initial steps in the Fundamentals series and analyze correlated data to determine what is normal. Armed with this information, turn to the recent high-profile attacks getting a lot of airtime. Think Aurora, and learn how that attack exfiltrates data (a custom encrypted protocol on port 443). For such higher-probability attacks, define another set of egress filtering rules to make sure you block, or at least are notified, when you have outbound traffic on the ports used during the attacks.
You can also use tighter location-based filtering policies, like not allowing traffic to countries where you don't do business. This won't work for mega-corporations doing business in every country in the world, but for the other 99.99% of you, it's an option. Or you could enforce RFC standards on ports 80 and 443 to make sure no custom protocol is hiding anything in a standard HTTP stream. Again, there are lots of different ways to set up your egress filtering rules. Most can help, depending on the nature of your network traffic, but none is a panacea. Whichever you decide to implement, make sure you test the rules in non-blocking mode first to make sure nothing breaks.

Blocking or Alerting
--------------------

As you can imagine, it's a dicey proposition to start blocking traffic that may break legitimate applications. So take care when defining these rules, or take the easy way out and just send alerts when one of your egress policies is violated. Of course, the alerting approach can and probably will result in plenty of false positives, but as you tune the policies, you'll be able to minimize that.

Which brings up the hard truth of playing around with these policies: there are no shortcuts. Vendors who talk about self-defending anything, or learning systems, or anything else that doesn't involve the brutal work of defining policies and tuning them over time until they work in your environment, basically don't spend enough time in the real world. 'nuff said.

To finish our discussion of blocking, again think about these rules in terms of your IPS. You block the stuff you know is bad, and you alert on the stuff you aren't sure about. Let's hope you aren't so buried under alerts that something important gets by, but that's life in the big city.

No Magic Bullets
----------------

Yes, we believe egress filtering is a key control in your security arsenal, but as with everything else, it's not a panacea.
There are lots of attacks which will skate by undetected, including those that send traffic over standard ports. So once again, it's important to look at other controls to provide additional layers of defense. These may include outbound content filtering, application-aware perimeter devices, deep packet inspection, and others.

More Network Security Fundamentals
----------------------------------

I'm going to switch gears a bit and start documenting Endpoint Security Fundamentals next week, but I'll be back to networks soon enough, getting into wireless security, network pen testing, perimeter change control, and outsourced perimeter monitoring. Stay tuned.

- Mike Rothman
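As an added example, not code from the original post or from Securosis, here is the policy layering the post describes (block what past incidents proved bad, alert on what is merely not normal, including non-TLS traffic on port 443 and destinations outside the countries you do business with, and stay in non-blocking mode until the rules are tuned) applied to constructed outbound flow records. The baseline ports, incident ports, country codes and payload bytes are assumptions, and the destination country is assumed to come from a GeoIP lookup on the sensor.

```python
from dataclasses import dataclass, field

@dataclass
class Flow:  # one outbound flow record (constructed stand-in for NetFlow/firewall logs)
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    country: str          # destination country, assumed to come from a GeoIP lookup
    payload: bytes = b""  # first bytes of the stream, when the sensor captured them

@dataclass
class EgressPolicy:
    baseline: set = field(default_factory=lambda: {("tcp", 80), ("tcp", 443), ("udp", 53)})  # "normal"
    incident_ports: set = field(default_factory=lambda: {6667, 4444})  # constructed: exfil ports from past incidents
    countries: set = field(default_factory=lambda: {"US", "DE"})       # constructed: where we do business
    blocking: bool = False  # False = non-blocking (alert-only) mode while the rules are tuned

def looks_like_tls(payload: bytes) -> bool:
    """A TLS stream opens with a handshake record: content type 0x16, major version 0x03."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03

def evaluate(flow: Flow, policy: EgressPolicy):
    """Return (verdict, reasons): 'block' known-bad, 'alert' not-normal, otherwise 'allow'."""
    reasons, verdict = [], "allow"
    if flow.dport in policy.incident_ports:
        verdict = "block"
        reasons.append(f"port {flow.dport} carried exfiltration in a past incident")
    if (flow.proto, flow.dport) not in policy.baseline:
        reasons.append(f"{flow.proto}/{flow.dport} is outside the normal baseline")
    if flow.country not in policy.countries:
        reasons.append(f"destination country {flow.country} is not one we do business with")
    if flow.proto == "tcp" and flow.dport == 443 and flow.payload and not looks_like_tls(flow.payload):
        reasons.append("port 443 traffic does not start with a TLS handshake")
    if verdict == "allow" and reasons:
        verdict = "alert"
    if verdict == "block" and not policy.blocking:
        verdict = "alert"  # tune first; promote to block only once false positives are gone
    return verdict, reasons
SAMPLE_FLOWS = [  # constructed records
    Flow("10.0.0.5", "203.0.113.10", "tcp", 443, "US", b"\x16\x03\x01\x00\xc8"),  # real TLS
    Flow("10.0.0.7", "203.0.113.20", "tcp", 443, "US", b"\x17\x07XFER"),           # custom protocol on 443
    Flow("10.0.0.9", "198.51.100.5", "tcp", 6667, "XX"),                            # incident port, odd country
    Flow("10.0.0.11", "198.51.100.9", "udp", 53, "DE"),                             # normal DNS
]

def run(policy: EgressPolicy = None) -> dict:  # {dst: verdict} for the sample flows
    policy = policy or EgressPolicy()
    return {f.dst: evaluate(f, policy)[0] for f in SAMPLE_FLOWS}
```

Flipping `blocking` to True turns the incident-port hit from an alert into a block while the merely-unusual flows stay at alert, which is the IPS-style split the post recommends.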