[41]
Active Audit Technologies: Automated Operational Network Defense
By Ken Watson and Bob Gleichauf
Security Internet Services Unit, Cisco Systems, Inc.
September 14, 1998
When the Defense Advanced Research Projects Agency sponsored the Internet, security was not a requirement. The need for secure connectivity has become a priority, however, as industry embraces e-commerce, online banking, extranets, and the like. The success of these services and technologies in many ways depends on how well they can be secured.
The Internet remains largely unregulated and unsecured, and more and more organizations are falling victim to electronic attacks. In 1997, the Computer Emergency Response Team handled more than 39,000 incidents affecting more than 140,000 sites.[1] The Department of Defense (DOD) conducted several wargames simulating cyber attacks on the nation's infrastructures with such success that they created a dedicated organization whose mandate is protection of the nation's information systems against information warfare attacks.[2] In October 1997 the President's Commission on Critical Infrastructure Protection reported that while the capability to do harm to critical infrastructures through computer attack is real and widespread and is growing at an alarming rate, we have little defense against it.[3]
Corporate networks have similar security problems. Corporate security policies are based on assumptions that frequently do not match their risk profiles. To be effective, policies must be based on actual data measurement. These policies also need to be kept up to date in response to the dynamic character of today's networks.
Furthermore, today's corporate networks are so complex that this complexity alone leads to security risks. There are so many components to a company's network (firewalls, routers, switches, and servers) that managing the security of each and every one is a huge task. Also, each of these components is liable to misconfiguration, which opens security holes on the network.
Also, most companies today do not employ professionally trained network security personnel. In short, there is a "skills gap" among the system administrators that companies normally employ to set up, configure, and watch the company network. No employee is dedicated to monitoring all components of a network for security breaches, repairing all security holes that are found, and verifying that the holes remain fixed. Nor is there usually anyone assigned specifically to the task of creating and maintaining a corporate security policy.
Lack of resources is further complicated by the fact that policies must be constantly updated in order to keep up with changes in the network. New technologies frequently introduce security holes on the network because access policies need to be changed in order to provide access to the proper underlying services. Personnel changes also affect authentication and integrity policies.
Even the most pervasive security products do not offer a complete security solution. Firewalls serve as a filter point for all incoming and outgoing traffic. While an effective barrier to intrusion, a firewall is a static defense that frequently suffers from misconfiguration. Firewalls are also unable to assess misuse within authorized traffic. Other security products focus on authentication, encryption, and certificate authorities. All of these point products can be circumvented given enough time and effort.

Figure 1: The Security Wheel
The best defense is achieved when these products are managed within an operational model that draws upon a well-defined network security policy. Cisco defines this operational model in the form of the Security Wheel™ (Figure 1), which uses policy to drive four processes: Secure, Monitor, Audit/Test, and Manage & Improve. These can be summarized as follows:
- Secure the network by combining point products with network scanning and real-time intrusion detection tools. Then establish baselines in order to measure the effectiveness of these products.
- Monitor the network and respond to attacks. Use attack metrics and network scans to adjust monitoring profiles and sensor placement.
- Audit/Test networks and their components. Reassess the vulnerability profile by uncovering changes in network topology and device configurations.
- Manage & Improve corporate security by analyzing information obtained through the other parts of the security process. Also keep abreast of new network threats and improve security policies accordingly.
- First, sensing technology should be migrated into network infrastructures. By embedding it into routers and switches, real-time sensing is scalable throughout an enterprise. Implemented correctly, embedded intrusion detection is also more difficult for hackers to compromise.
- The second step in the strategy is development of "intelligent" devices that automatically configure themselves based on the network topology and vulnerabilities that are found. Intelligent devices need to configure themselves to the network when deployed, and update their configuration on a recurring basis, as well as on demand.
- The third step is to build network management tools that allow you to leverage data coming from multiple network devices. This in turn allows for event correlation, automated response, centralized reporting, and configuration.
Ad hoc strategies and point-solution technologies by themselves are inadequate to meet operational network security needs. For optimum defense in depth, active audit technologies should be implemented in conjunction with traditional approaches. Active audit includes two state-of-the-art technologies: Remote Intrusion Detection and Network Vulnerability Assessment. Intrusion detection is based on real-time monitoring of network packets pulled from a network interface configured as a promiscuous sniffer.[4]

Figure 2: Preferred Sensor-Router Deployment
The packets are then passed on to state machine logic that looks for patterns of misuse. These patterns can be as simple as an attempt to access a specific port on a specific host, or a coordinated series of events distributed across multiple ports and/or hosts. The first type of pattern is atomic whereas the second is composite. Intrusion detection systems search for these patterns of misuse by examining the header and/or the data portion of network packets. Content-based attacks are detected from the data portion, and context-based attacks from the header portion.
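The four signature types the paragraph distinguishes (atomic vs. composite, content-based vs. context-based), as an added example in Python that is not part of the original paper or of any Cisco product: a minimal sensor with one atomic context rule, one atomic content rule, and a composite state machine that expires its per-source state. All packet records, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
@dataclass
class Packet:
    """Constructed stand-in for the header and payload fields a promiscuous
    sensor pulls off the wire; every address in this example is made up."""
    ts: float      # capture time in seconds
    src: str
    dst: str
    dport: int
    payload: bytes

def atomic_context_match(pkt, host, port):
    """Atomic, context-based: one packet's header fields (host, port) decide."""
    return pkt.dst == host and pkt.dport == port

def atomic_content_match(pkt, needle):
    """Atomic, content-based: the data portion of a single packet decides."""
    return needle in pkt.payload

class SweepStateMachine:
    """Composite, context-based: a coordinated series of events, here one source
    touching `threshold` distinct ports on one host within `window` seconds.
    State is kept per (src, dst) pair and expires, unlike a bare counter."""
    def __init__(self, threshold=4, window=10.0):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(list)  # (src, dst) -> [(ts, dport), ...]

    def feed(self, pkt):
        key = (pkt.src, pkt.dst)
        events = [e for e in self.seen[key] if pkt.ts - e[0] <= self.window]
        events.append((pkt.ts, pkt.dport))
        self.seen[key] = events
        return len({p for _, p in events}) >= self.threshold

def run_sensor(packets, watched_host="10.0.0.5"):
    """Apply the three signature types to a stream; returns (kind, src, detail)."""
    alerts, sweep = [], SweepStateMachine()
    for p in packets:
        if atomic_context_match(p, watched_host, 23):
            alerts.append(("atomic/context", p.src, "telnet to " + watched_host))
        if atomic_content_match(p, b"/etc/passwd"):
            alerts.append(("atomic/content", p.src, "sensitive path in payload"))
        if sweep.feed(p):
            alerts.append(("composite/context", p.src, "port sweep of " + p.dst))
    return alerts
# Constructed stream: four ports probed in four seconds, then one payload hit.
SAMPLE = [Packet(float(i), "10.0.0.9", "10.0.0.5", port, b"")
          for i, port in enumerate((21, 22, 23, 25))]
SAMPLE.append(Packet(4.0, "10.0.0.7", "10.0.0.5", 80, b"GET /../../etc/passwd HTTP/1.0"))
```

The composite rule only fires once the fourth distinct port is seen inside the window, which is the state the paper's "state machine logic" has to carry between packets.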
Most security incidents occur because system administrators do not implement available countermeasures, and hackers or disgruntled employees exploit the oversight. Therefore, the issue is not just one of confirming that a technical vulnerability exists and finding a countermeasure that works; it is also critical to verify that the countermeasure is in place and working properly throughout the corporate MIS environment. Identifying and implementing fixes is termed countermeasure engineering. Verifying they are active and working throughout the corporate MIS environment on a day-to-day basis is termed Security Posture Assessment (SPA).
Security posture is the state of hardware, operating system software, utilities, and applications designed to control access to and use of services and information resident on the system. Security posture is neither policy documents nor education and awareness campaigns. It is neither the latest authentication device or encryption scheme nor the expertise of system administrators. Security Posture Assessment is the process used to characterize and quantify security posture in terms of business operations.
Scanning a network for vulnerabilities is the best way to verify policy compliance. Most NVA systems first build a map of "live" devices such as client workstations, servers, routers, firewalls, switches, printers, and hubs. This map is then used to build an inventory of which services are running on which ports on those devices. This information is then used to assess related vulnerabilities through various passive as well as active exploit techniques.
In order to be effective, an NVA system must be flexible enough to scan a single host, a collection of hosts scattered across multiple networks, or entire network segments. The types of vulnerabilities and the scanning schedule should also be user-definable. For example, some sites only allow scanning activities to occur between 1 and 6 am. It is also not uncommon to limit nightly scans to well-known ports and restrict time-intensive comprehensive scans to weekends.
Cisco's NVA system extends the capabilities of its vulnerability scanner by allowing users to scan for potential as well as confirmed vulnerabilities. This provides a passive method for assessing the vulnerability state of a network that is much quicker than traditional active exploit techniques. Potential vulnerabilities are identified by passing the signon banners through a series of propositional rules. Two important benefits that come out of this technique are that:
- Alternate rule sets can be applied to a given set of banners. This means that the information collected at a given point in time can be subjected to different types of analysis.
- Trends can be deduced by applying the same rule set to a series of scans.
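Banner-driven assessment and the two benefits above, as an added Python example that is not Cisco's NVA code: captured signon banners are run through a rule set without touching the service, an alternate rule set is applied to the same banners, and the same rule set is applied to two scans to read the trend. The scan data, product names, version numbers and rules are all constructed; none describes a real advisory.

```python
import re

# Constructed scan results, host -> {port: signon banner}. Every address,
# product name and version string here is made up for illustration.
SCAN_MONDAY = {
    "10.0.0.5": {21: "220 ExampleFTPd 2.1 ready", 23: "ExampleOS telnetd login:"},
    "10.0.0.6": {25: "220 mail.example.test ExampleSMTP 4.0"},
}
SCAN_FRIDAY = {  # during the week telnet was removed and the FTP daemon upgraded
    "10.0.0.5": {21: "220 ExampleFTPd 3.0 ready"},
    "10.0.0.6": {25: "220 mail.example.test ExampleSMTP 4.0"},
}

def version_below(minimum):
    """Predicate factory: the captured dotted version is older than `minimum`."""
    return lambda m: tuple(int(x) for x in m.group(1).split(".")) < minimum

# A rule is (finding name, banner pattern, predicate over the regex match).
# Hypothetical policy rule set: forbidden services and below-minimum versions;
# no real product advisory is implied.
POLICY_RULES = [
    ("cleartext-telnet-enabled", re.compile(r"telnetd"), lambda m: True),
    ("ftpd-below-policy-minimum", re.compile(r"ExampleFTPd (\d+\.\d+)"),
     version_below((3, 0))),
]
# Alternate rule set for the same banners: service inventory rather than policy.
INVENTORY_RULES = [
    ("smtp-present", re.compile(r"ExampleSMTP"), lambda m: True),
    ("ftp-present", re.compile(r"ExampleFTPd"), lambda m: True),
]

def assess(scan, rules):
    """Passive assessment: each banner goes through the rule set; the service
    itself is never exercised. Returns a set of (host, port, finding)."""
    findings = set()
    for host, ports in scan.items():
        for port, banner in ports.items():
            for name, pattern, predicate in rules:
                m = pattern.search(banner)
                if m and predicate(m):
                    findings.add((host, port, name))
    return findings

def trend(old_scan, new_scan, rules):
    """Same rule set over two scans: findings that were fixed and findings
    that are new, which is the trend the paper describes."""
    before, after = assess(old_scan, rules), assess(new_scan, rules)
    return {"fixed": before - after, "new": after - before}
```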
Active audit technology allows open architectures, enabling secure business transactions over untrusted networks. Sniffing traffic and responding to events in real time provide a level of confidence in the network impossible with point solutions alone. Periodically scanning the network keeps administrators informed of the security impact of configuration changes, and provides a realistic picture of the effectiveness of the security policy. Active audit technologies apply to over half of the security wheel. Together with other security technologies, they can be a key element of an operational security strategy.
1. Shipley, Greg, "Services Security: Request for Proposal," Network Computing, Manhasset, NY, April 1, 1998.
2. Verton, Daniel, "DOD Preps Office for Cyberdefense," Federal Computer Week, Vol. 12, No. 23, July 13, 1998.
3. Marsh, Robert T., Chairman, President's Commission on Critical Infrastructure Protection, Critical Foundations: Protecting America's Infrastructures, Washington, D.C., October 13, 1997, cover letter.
4. The benefits of this type of configuration are twofold. First, the sensor does not create a point of failure on the network. Second, because the interface does not have an IP address, it is impossible to detect.