Thursday

Physical Layer - Easiest or Hardest to Defend?

Most of us who go to an office every day have gotten used to wearing our ID badges and using them to access buildings, specific facilities, and sometimes even as part of the login process. Securing the physical facility is the most direct, and often the most obvious, way of protecting the physical layer. But challenges abound, especially because of our problems in the meatspace layer (as we discussed in this post). How many people in your office will challenge someone who may be wandering around without a badge? How well protected is your network closet, even from employees?
http://cyberunited.com/2013/10/08/the-human-risk-factor-proactively-managing-the-insider-threat/
Some other questions to consider:
  • Do you regularly check for rogue wireless access points?
  • Can your employees identify when they might be subject to a keystroke logger?
  • Is everyone required to use an anti-virus application to connect to the network?
  • What's your policy on removable media (CDs, thumb drives, etc.)?
  • How often do you audit your username and password databases?

A brief early history of firewalls

As the internet was just beginning to welcome commercial usage in the late 1990s, it became apparent that not everyone who had access would use it for the altruistic reasons set out by the initial community. I had the opportunity to work with some of the first firewalls, providing network and systems security consulting to the City of Palo Alto, CA. Palo Alto, then the home of Digital Equipment Corporation (DEC), billed itself as "The First City in Cyberspace." Their website drew a lot of attention, not all of it the type they wanted.

The earliest implementation of the firewall at Palo Alto was a DEC Unix-based system with what was, at the time, an unusual two NIC cards. The computer sat between their internet connection and their web server, and ran a program called gated. The configuration was referred to as a "bastion host" (see below). Gated was a fairly simple application. It examined the source address of a packet; if the address was on a list of known malicious sources, the packet was dropped, otherwise it was forwarded out the second NIC to the web server. Outbound packets were not filtered, and gated had to be recompiled to add new hosts. The policy had to be allow unless denied. The firewall worked entirely at the network layer.

http://lib.ru/SECURITY/firewall-faq/firewall-faq.txt_with-big-pictures.html
Clearly, this approach had some serious limitations. One had to know the malicious sites ahead of time, and the firewall was not at all selective about services. Later firewalls became much more flexible and effective, allowing security-minded companies to switch over to a deny-unless-allowed stance, which is much more secure.


Defending the Meatspace Layer

Humans have two tendencies that make the top layer of network security the most challenging. These two tendencies sometimes apply to the same people, though not always at the same time. Each of these tendencies requires us to take different approaches to secure our data.


  1. People Make Mistakes
  2. People are Ingenious
Musical accompaniment to the next section

Mistakes - I've made a few, but then, too few to mention. We've all made them. Sometimes it's a user who gives away a password or clicks a suspicious link. The next thing you know, you're re-imaging systems and dealing with a mess. Or maybe your systems administrator forgot to lock down a service on the mail server, and you've suddenly become the home for the latest Nigerian spam. The best way to combat error-prone humans is with training. Systems are created by people as well, and the more complicated they are, the more likely we've created an opening for an exploit.

People are also ingenious. They find ways to infiltrate systems that look and act secure. Sometimes it's by acting as a man-in-the-middle, sometimes it's by exploiting a programming error that exposes a backend database (SQL injection). The best way to combat ingenious people is with rigorous preparation, including planning, maintenance and testing of your systems and software.

Defense in Depth

When creating your strategy for securing information on your systems and in your network, always remember to plan for a layered security approach. A useful tool for identifying different layers of security is the OSI network model, displayed using the infographic below.

http://securityblog.s21sec.com/2009/06/attacks-on-layer-two-of-osi-model-i.html
While the OSI model includes only seven layers, there is one missing. Layer 8, which may be the most difficult to secure, is often referred to as the "Political Layer" or, to use a more recent term, "Meatspace." Each layer in the model has unique challenges and tools for security, and each type of attack has some well-known examples of successful break-ins. In future blog posts, we'll discuss some of the attacks directed at specific layers, and some of the tools and techniques for combating those attacks.