Sunday, July 24, 2011

Host and Server Based Security

Device Hardening

When a new operating system is installed on a computer, its security settings are left at the vendor defaults, which in most cases are inadequate. A few simple steps apply to most operating systems:

Default usernames and passwords should be changed immediately.
Access to system resources should be restricted to only the individuals that are authorized to use those resources.
Any unnecessary services and applications should be turned off and uninstalled, when possible.
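The three steps above, applied as an audit script (an added example, not code from the original course text): it checks constructed stand-ins for /etc/shadow, /etc/group and the enabled-service list, and prints the Linux commands that would fix what it finds. The default-password list, the authorised-admin set, the service allowlist and the demo hash function (a stand-in for crypt(3)) are assumptions chosen for the demo.

```python
"""Host hardening audit over constructed sample data.

Added example for the three hardening steps; not code from the original
page. Inputs stand in for /etc/shadow, /etc/group and an enabled-service
list; the default-password list, authorised-admin set, service allowlist and
the demo hash function are assumptions chosen for the demo.
"""
import hashlib


def demo_hash(salt: str, password: str) -> str:
    """Stand-in for crypt(3); a real /etc/shadow uses $6$ (sha512-crypt) etc."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed shadow-style lines: user:password-field:lastchange:min:max:warn:::
SHADOW_LINES = [
    f"root:$demo$r00t${demo_hash('r00t', 'Tr0ub4dor&3')}:18000:0:99999:7:::",
    f"admin:$demo$s4lt${demo_hash('s4lt', 'admin')}:18000:0:99999:7:::",  # vendor default
    "guest::18000:0:99999:7:::",      # empty password field: anyone can log in
    "backup:!:18000:0:99999:7:::",    # locked account
    "www-data:*:18000:0:99999:7:::",  # no password login possible
]
DEFAULT_PASSWORDS = ["admin", "password", "cisco", "changeme", "1234"]

# Constructed group file lines and the admins who are actually authorised.
GROUP_LINES = ["sudo:x:27:alice,guest", "wheel:x:10:root,bob", "users:x:100:alice,bob"]
PRIVILEGED_GROUPS = {"sudo", "wheel"}
AUTHORIZED_ADMINS = {"root", "alice"}

# Constructed list of services enabled at boot and the ones this host role needs.
ENABLED_SERVICES = ["sshd", "telnet", "cups", "nginx", "rpcbind"]
ALLOWED_SERVICES = {"sshd", "nginx"}


def check_accounts(shadow_lines):
    """Step 1: flag empty passwords and hashes that match well-known defaults."""
    findings = []
    for line in shadow_lines:
        user, pw_field = line.split(":")[:2]
        if pw_field == "":
            findings.append((user, "empty password"))
        elif pw_field.startswith(("!", "*")):
            continue  # locked or no-login account: nothing to do
        elif pw_field.startswith("$demo$"):
            _, _, salt, digest = pw_field.split("$")
            for candidate in DEFAULT_PASSWORDS:
                if demo_hash(salt, candidate) == digest:
                    findings.append((user, f"default password '{candidate}'"))
                    break
    return findings


def check_privileged_members(group_lines, authorized):
    """Step 2: members of privileged groups who are not authorised admins."""
    findings = []
    for line in group_lines:
        group, _, _, members = line.split(":")
        if group in PRIVILEGED_GROUPS:
            for user in filter(None, members.split(",")):
                if user not in authorized:
                    findings.append((group, user))
    return findings


def unnecessary_services(enabled, allowed):
    """Step 3: enabled services that the host's role does not require."""
    return [svc for svc in enabled if svc not in allowed]


def remediation(acct, groups, services):
    """Turn findings into Linux/systemd commands (assumed target platform)."""
    cmds = [f"passwd -l {user}" for user, _ in acct]
    cmds += [f"gpasswd -d {user} {group}" for group, user in groups]
    cmds += [f"systemctl disable --now {svc}" for svc in services]
    return cmds


if __name__ == "__main__":
    acct = check_accounts(SHADOW_LINES)
    groups = check_privileged_members(GROUP_LINES, AUTHORIZED_ADMINS)
    services = unnecessary_services(ENABLED_SERVICES, ALLOWED_SERVICES)
    for item in acct + groups:
        print("FINDING:", item)
    print("\n".join(remediation(acct, groups, services)))
```

Locking the account (`passwd -l`) rather than deleting it keeps file ownership intact; the service allowlist is per host role, so a web server and a print server would carry different lists.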

Section 4.2 "Securing Cisco Routers" describes device hardening in more detail.

It is critical to protect network hosts, such as workstation PCs and servers. These hosts should be secured as they are added to the network and updated with security patches as the updates become available. Antivirus software, a host firewall, and intrusion detection are additional tools for securing network hosts. Because many business resources may reside on a single file server, it is especially important that servers remain accessible and available.

Antivirus Software
Install host antivirus software to protect against known viruses. Antivirus software can detect most viruses and many Trojan horse applications, and prevent them from spreading in the network.

Antivirus software does this in two ways:

It scans files, comparing their contents with signatures of known viruses in a virus dictionary (signature database). Matches are quarantined, deleted, or reported in the manner configured by the end user.
It monitors running processes for suspicious behaviour that might indicate infection. This monitoring may include data captures, port monitoring, and other methods.

Most commercial antivirus software uses both of these approaches.
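Both approaches in miniature, as an added example that is not part of the original post: a dictionary scanner that matches whole-file hashes and byte patterns over constructed sample files (including the standard EICAR test string), and a behavioural check over a constructed process table. Signature names, sample files, process records and the baseline tables are all made up for the demo.

```python
"""Two antivirus approaches over constructed samples.

Added example, not code from the original page. Part 1 is a dictionary
(signature) scanner; part 2 is a behavioural check over a constructed
process table. Signature names, sample files and process records are made
up for the demo; the EICAR string is the standard antivirus test file.
"""
import hashlib
import os
import tempfile

# Standard EICAR test string: harmless, but real scanners flag it by design.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# "Virus dictionary": whole-file hashes and byte patterns (constructed entries).
HASH_SIGNATURES = {
    hashlib.sha256(b"constructed trojan sample").hexdigest(): "Demo.Trojan.A",
}
PATTERN_SIGNATURES = {
    EICAR: "EICAR-Test-File",
    b"MZ\x90\x00DEMO_DROPPER": "Demo.Dropper.B",
}


def scan_file(path):
    """Return the signature name for a matching file, else None.

    Simplification: the file is read whole; real engines scan in chunks and
    unpack archives and packed executables before matching.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    hit = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if hit:
        return hit
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def scan_tree(root):
    """Scan every file under root; map relative path -> signature name."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            match = scan_file(full)
            if match:
                hits[os.path.relpath(full, root)] = match
    return hits


def build_sample_tree():
    """Write constructed sample files into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="avdemo-")
    samples = {
        "eicar.com": EICAR,
        "payload.bin": b"constructed trojan sample",
        "tool.exe": b"MZ\x90\x00DEMO_DROPPER" + b"\x00" * 64,
        "readme.txt": b"nothing to see here",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


# Constructed process table, as a host monitor might collect it.
PROCESSES = [
    {"pid": 412, "ppid": 1, "name": "sshd", "exe": "/usr/sbin/sshd", "listen": [22]},
    {"pid": 1200, "ppid": 1, "name": "soffice.bin", "exe": "/usr/lib/libreoffice/program/soffice.bin", "listen": []},
    {"pid": 1300, "ppid": 1200, "name": "sh", "exe": "/bin/sh", "listen": []},
    {"pid": 901, "ppid": 1, "name": "update", "exe": "/tmp/.x/update", "listen": [4444]},
]
BASELINE_LISTENERS = {"sshd": {22}}   # ports each program is expected to own
DOCUMENT_APPS = {"soffice.bin"}        # document viewers that should never spawn shells
TEMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
SHELLS = ("sh", "bash", "cmd.exe", "powershell.exe")


def suspicious_processes(procs):
    """Behavioural indicators: temp-dir execution, unexpected listener, shell from a document app."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        if p["exe"].startswith(TEMP_DIRS):
            findings.append((p["pid"], "executable in world-writable temp dir"))
        unexpected = set(p["listen"]) - BASELINE_LISTENERS.get(p["name"], set())
        if unexpected:
            findings.append((p["pid"], f"unexpected listening port(s) {sorted(unexpected)}"))
        parent = by_pid.get(p["ppid"])
        if parent and parent["name"] in DOCUMENT_APPS and p["name"] in SHELLS:
            findings.append((p["pid"], f"shell spawned by {parent['name']}"))
    return findings


if __name__ == "__main__":
    for path, sig in scan_tree(build_sample_tree()).items():
        print(f"{path}: {sig}")
    for pid, reason in suspicious_processes(PROCESSES):
        print(f"pid {pid}: {reason}")
```

The hash dictionary only catches byte-identical files, which is why real products lean on patterns and on the behavioural side; the behavioural rules here are the kind of thing port monitoring and process-tree inspection give you even when no signature exists yet.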

Update antivirus software, and above all its virus dictionary, vigilantly: a dictionary-based scanner cannot detect a virus whose signature it does not yet have.


Personal Firewall
Personal computers connected to the Internet through a dialup connection, DSL, or a cable modem are as exposed to attack as corporate networks. Personal firewalls reside on the user's PC and attempt to block attacks aimed at that host. They are not designed to protect a LAN the way appliance-based or server-based firewalls are, and they may block network access if installed alongside other networking clients, services, protocols, or adapters.

Some personal firewall software vendors include McAfee, Norton, Symantec, and Zone Labs.

Operating System Patches
The most effective way to mitigate a worm and its variants is to download security updates from the operating system vendor and patch all vulnerable systems. This is difficult with uncontrolled user systems on the local network, and even more troublesome when those systems connect remotely through a virtual private network (VPN) or remote access server (RAS). Administering numerous systems usually involves creating a standard software image (the operating system plus the accredited applications authorized for use on deployed client systems) that is deployed to new or upgraded systems. These images may not contain the latest patches, and continually rebuilding the image to integrate each new patch quickly becomes administratively time-consuming. Pushing patches out to all systems also requires that those systems be connected to the network in some way, which may not always be possible.

One solution to the management of critical security patches is a central patch server that all systems must contact at a set interval. Any patches not yet applied to a host are downloaded from the patch server and installed automatically, without user intervention.

In addition to applying security updates from the OS vendor, use security auditing (vulnerability scanning) tools to determine which devices remain exploitable; this is far simpler than working it out by hand.
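A central patch server's view of the last two paragraphs, as an added example (not from the original post): hosts report their installed package versions and last check-in time; the server compares them with a manifest of minimum patched versions, flags hosts that have not checked in within the interval, and queues what to install at the next contact. Package names, versions, hostnames, the check-in interval and the simple numeric version comparator are all assumptions for the demo.

```python
"""Central patch server compliance check over constructed check-in data.

Added example, not code from the original page. A manifest of minimum
patched versions plays the patch server; hosts report installed packages and
their last check-in time. Package names, versions, hostnames, the check-in
interval and the numeric version comparator are all constructed for the demo.
"""
import re
from datetime import datetime, timedelta, timezone

# Fixed "now" so the report is reproducible.
NOW = datetime(2011, 7, 24, 12, 0, tzinfo=timezone.utc)
MAX_CHECKIN_AGE = timedelta(days=1)   # hosts must report at least daily

# Constructed manifest: package -> lowest version that carries all current fixes.
REQUIRED = {"openssl": "1.0.0", "bind9": "9.7.3-1", "kernel": "2.6.38.8", "samba": "3.5.10"}

# Constructed check-in records as the server would store them.
HOSTS = [
    {"name": "ws-01", "last_checkin": NOW - timedelta(hours=2),
     "packages": {"openssl": "1.0.0", "bind9": "9.7.3-1", "kernel": "2.6.38.8"}},
    {"name": "ws-02", "last_checkin": NOW - timedelta(days=8),   # VPN laptop, rarely online
     "packages": {"openssl": "0.9.8", "kernel": "2.6.35.4"}},
    {"name": "srv-file-01", "last_checkin": NOW - timedelta(minutes=30),
     "packages": {"openssl": "1.0.0", "samba": "3.5.6", "kernel": "2.6.38.8"}},
]


def parse_version(v):
    """Compare dotted/dashed versions numerically (1.2.10 > 1.2.9).

    Assumption: numeric components only. Distro epochs and letter suffixes
    need a real comparator such as dpkg --compare-versions or rpmvercmp.
    """
    return tuple(int(x) for x in re.findall(r"\d+", v))


def missing_patches(installed, required):
    """Packages installed below the required version: pkg -> (have, need)."""
    return {
        pkg: (have, required[pkg])
        for pkg, have in installed.items()
        if pkg in required and parse_version(have) < parse_version(required[pkg])
    }


def compliance_report(hosts, required, now=NOW, max_age=MAX_CHECKIN_AGE):
    """Per host: whether it is stale (not seen within max_age) and what is unpatched."""
    report = {}
    for h in hosts:
        report[h["name"]] = {
            "stale": now - h["last_checkin"] > max_age,
            "missing": missing_patches(h["packages"], required),
        }
    return report


def push_queue(report):
    """What the server installs without user intervention at each host's next check-in."""
    return {
        host: sorted(f"{pkg} {have}->{need}" for pkg, (have, need) in r["missing"].items())
        for host, r in report.items() if r["missing"]
    }


if __name__ == "__main__":
    rep = compliance_report(HOSTS, REQUIRED)
    for host, r in rep.items():
        flag = "STALE " if r["stale"] else ""
        print(f"{flag}{host}: {r['missing'] or 'compliant'}")
    print(push_queue(rep))
```

A stale host is the interesting case: the server cannot push anything to it, so the report is what tells you the laptop on the VPN is still running the vulnerable versions and needs to be quarantined or chased until it checks in.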
