January 2002

Cutting Through Security Clutter

Simmering Security

BY Fred Avolio

We all know that security is inversely proportional to convenience. And, we know from experience that security is secondary to users' ability to get to the information and services they need. Users' apathy and ignorance are the reason why we spend more of our time responding to security problems than ensuring that our infrastructures are as secure as possible.

Making a network secure requires technical finesse and user cooperation. Overcoming technical obstacles is nothing in comparison to defeating the roadblocks erected by inconvenienced users. If security ever gets in the way of them doing what they want, we're sure to hear about it.

How can you improve security without upsetting the masses? Think about the boiling frog parable. As the story goes, if you try to put a frog in a pan of boiling water, it will jump right out. But, put a frog in a pan of cool water and gradually raise the temperature, and the frog will happily swim around--his temperature adjusting up--until he's boiled alive. This is what we want to do with our users: gradually raise the level of security in such a way that they don't notice the change. I want to suggest two ways to accomplish this.

Gateway Filtering

Gateway filtering is the job of border routers, which sit between networks of different levels of trust. Most networks allow far too many services through their border gateways, and every permitted service represents a potential risk. You should allow only the services required for business. While turning back the clock and doing away with all of the extraneous services isn't an option, you can tighten up your gateways to limit network traffic to those services being used.

Using a commercial or free packet sniffer, gather statistics on what services, ports and protocols are being used between your network and the Internet. These statistics provide you with a list of all services in use (including those that are necessary for business). The list doubles as a basic roadmap for tightening up border gateways by gradually turning off unnecessary services.

In addition, ensure that outgoing connections for well-known services, such as e-mail, are permitted only from e-mail systems, rather than from any internal host. The result will be a more secure network with fewer incoming attack paths. You'll also prevent Trojan horses from making outgoing connections.
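The traffic inventory described above, as an added example that is not part of the original column: it tallies border traffic by service, lists the services seen but not required (least used first, so they can be turned off gradually), and flags internal hosts making outgoing e-mail connections that are not the e-mail system. The flow record layout, the addresses, the required-services list and the least-used-first ordering are all assumptions made for the example.

```python
from collections import Counter

# Constructed sample flow records: (direction, src_ip, dst_ip, proto, dst_port).
# In practice these would come from a sniffer or flow export at the border.
FLOWS = [
    ("out", "10.0.0.25", "198.51.100.7", "tcp", 25),
    ("out", "10.0.0.25", "198.51.100.9", "tcp", 25),
    ("out", "10.0.1.44", "203.0.113.80", "tcp", 25),   # desktop speaking SMTP directly
    ("out", "10.0.1.44", "203.0.113.10", "tcp", 80),
    ("out", "10.0.1.51", "203.0.113.10", "tcp", 80),
    ("out", "10.0.1.51", "203.0.113.11", "tcp", 443),
    ("in",  "192.0.2.14", "10.0.0.80", "tcp", 80),
    ("in",  "192.0.2.14", "10.0.0.80", "tcp", 23),
    ("in",  "192.0.2.99", "10.0.0.53", "udp", 53),
    ("in",  "192.0.2.99", "10.0.0.80", "tcp", 445),
    ("in",  "192.0.2.77", "10.0.0.80", "tcp", 445),
]

# Assumed policy inputs (hypothetical values for this example).
REQUIRED = {("in", "tcp", 80), ("in", "udp", 53), ("out", "tcp", 25),
            ("out", "tcp", 80), ("out", "tcp", 443)}
RESTRICTED_SOURCES = {("out", "tcp", 25): {"10.0.0.25"}}  # only the mail system may send SMTP


def service_usage(flows):
    """Count observed connections per (direction, proto, port)."""
    return Counter((d, proto, port) for d, _src, _dst, proto, port in flows)


def removal_plan(flows, required):
    """Services seen at the border but not required, least used first."""
    extra = {svc: n for svc, n in service_usage(flows).items() if svc not in required}
    return sorted(extra.items(), key=lambda item: (item[1], item[0]))


def source_violations(flows, restricted):
    """Hosts using a permitted service they are not designated for."""
    return sorted({(src, (d, proto, port))
                   for d, src, _dst, proto, port in flows
                   if (d, proto, port) in restricted
                   and src not in restricted[(d, proto, port)]})


if __name__ == "__main__":
    for svc, count in removal_plan(FLOWS, REQUIRED):
        print("candidate to block:", svc, "connections seen:", count)
    for src, svc in source_violations(FLOWS, RESTRICTED_SOURCES):
        print("restrict source:", src, "is using", svc)
```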

Server Hardening

Next, turn your attention to your Internet-facing servers. The more complex a system, the harder it is to secure. The more network services running on a server, the greater the risk of a security breach.

Many servers come with too many services turned on by default. IIS is a good example. Or, perhaps we have inherited someone else's server, complete with its previous settings. If it's a Web server, all that needs to be running is HTTP--and perhaps SSL. If it's an e-mail gateway, then only SMTP is required. Yet, we run DNS, Telnet and Microsoft SMB on many of our servers. Why? They're unnecessary, not to mention potential avenues of attack. The fewer services running, the fewer vectors for an attacker to exploit.

Run a commercial or free port scanner against your servers, which will report the services available on each box. Disable all but those required. Additionally, configure border routers to talk only to servers using that limited list of ports, protocols and services. These adjustments will dramatically cut down on your network's vulnerability.

Are these suggestions idealistic? Of course. Unless an organization is building its IT infrastructure from scratch, it's probably too far along to immediately implement changes for better security. But it's not impossible.

Remember the goal: Slowly make security changes so users don't notice them. Like an audio engineer adjusting a sound system to get maximum volume with no feedback, we want to get maximum security while minimizing user complaints. Achieving 100 percent security--or 100 percent user satisfaction--isn't realistic. But small, incremental changes will make a difference.

Columnist FRED AVOLIO (favolio@infosecuritymag.com) is president and founder of Avolio Consulting, a Maryland-based computer and network security consulting firm.