
Harden your network services and contain zero-day threats

We all dread the thought of zero-day threats; they arrive and you have no vaccine for them. These exploits are all too common in recent months and years. Fortunately, there are some common sense steps you can take to harden your network layer against these threats.

You may not know exactly what the exploit is, but you can certainly deploy some protective elements like these that might stop such a problem in its tracks:

Use virtual LANs (VLANs), if possible, to segregate some areas of your network.
VLANs are essentially multiple logical boundaries created within one physical network. VLANs are an easy way to divide critical areas of your network from others. For instance, you could have one VLAN for servers and another for client machines, or you could segregate machines based on department, or any other scheme you choose. Creating a VLAN in and of itself doesn't necessarily create a layer of protection, but it forms the basis for any number of other hardening techniques, and it provides a way to limit the scope of more stringent security procedures to only the most critical areas of a network.

Implement Internet Protocol Security (IPsec) to protect the contents of individual transmissions.
IPsec encapsulates communications in a layer of encryption that is difficult to break, and it also allows you to restrict communications to and from certain machines based on whether their machine certificates are signed and valid. Configured this way, a machine protected by IPsec drops traffic from any host that cannot present a valid certificate, so it would simply ignore an exploit even if one were introduced into your network. Using IPsec in this way also forms the basis for network access control, covered later in this list.

Deploy an intrusion detection system (IDS).
Intrusion detection systems often use heuristics that can detect malicious activity on your network before an actual definition is created by antivirus and anti-malware vendors. IDSes also provide a foundation for forensic analysis in case you care to examine how an exploit entered your network (should one actually penetrate your defenses).
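
To make the "heuristics rather than definitions" point concrete, here is an added example (not code from the original article) that raises alerts from the shape of traffic alone: one source touching many distinct ports on one host within a short window, and one source opening port 445 to many distinct hosts, the pattern of a worm spreading over SMB. The log format, the addresses, the thresholds and the window sizes are all constructed assumptions; a real IDS would apply the same idea to live flow records.

```python
# Added example (not from the original article): heuristic alerts over
# constructed connection-log lines. Log format, thresholds and windows are assumptions.
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "when src dst_host dst_port action")
Alert = namedtuple("Alert", "rule key when distinct")

# Constructed sample log: "<ISO timestamp> <src> <dst>:<port> <action>".
# 10.1.5.23 probes many ports on one server; 10.1.5.40 touches port 445
# on one server after another, the way a worm spreads over SMB.
SAMPLE_LOG = """\
2007-03-01T09:00:01 10.1.5.23 10.1.10.7:445 ALLOW
2007-03-01T09:00:02 10.1.5.23 10.1.10.7:139 ALLOW
2007-03-01T09:00:02 10.1.5.23 10.1.10.7:135 ALLOW
2007-03-01T09:00:03 10.1.5.23 10.1.10.7:3389 DENY
2007-03-01T09:00:03 10.1.5.23 10.1.10.7:1433 DENY
2007-03-01T09:00:04 10.1.5.23 10.1.10.7:22 DENY
2007-03-01T09:00:04 10.1.5.23 10.1.10.7:80 ALLOW
2007-03-01T09:00:05 10.1.5.23 10.1.10.7:8080 DENY
2007-03-01T09:00:05 10.1.5.23 10.1.10.7:21 DENY
2007-03-01T09:00:06 10.1.5.23 10.1.10.7:23 DENY
2007-03-01T09:00:06 10.1.5.23 10.1.10.7:25 DENY
2007-03-01T09:00:07 10.1.5.23 10.1.10.7:110 DENY
2007-03-01T09:01:10 10.1.5.40 10.1.10.7:445 ALLOW
2007-03-01T09:01:12 10.1.5.40 10.1.10.8:445 ALLOW
2007-03-01T09:01:13 10.1.5.40 10.1.10.9:445 ALLOW
2007-03-01T09:01:15 10.1.5.40 10.1.10.10:445 DENY
2007-03-01T09:01:16 10.1.5.40 10.1.10.11:445 DENY
2007-03-01T09:01:18 10.1.5.40 10.1.10.12:445 DENY
2007-03-01T09:05:00 10.1.5.41 10.1.10.9:80 ALLOW
"""


def parse_log(text):
    """Turn the constructed log lines into time-ordered Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, action = line.split()
        host, port = dst.rsplit(":", 1)
        events.append(Event(datetime.fromisoformat(ts), src, host, int(port), action))
    return sorted(events, key=lambda e: e.when)


def window_alerts(events, rule, key_fn, attr, window, threshold):
    """Raise one alert per key the first time `threshold` distinct values of
    `attr` are seen for that key inside a sliding window of length `window`."""
    alerts = []
    by_key = defaultdict(list)
    for e in events:
        by_key[key_fn(e)].append(e)
    for key, evs in by_key.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].when - evs[start].when > window:
                start += 1
            distinct = {getattr(e, attr) for e in evs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append(Alert(rule, key, evs[end].when, len(distinct)))
                break
    return alerts


def detect(log_text):
    """Run both heuristics over a log and return the alerts they raise."""
    events = parse_log(log_text)
    alerts = []
    # One source hitting many distinct ports on one host: a port scan.
    alerts += window_alerts(events, "port-scan", lambda e: (e.src, e.dst_host),
                            "dst_port", timedelta(seconds=30), threshold=10)
    # One source opening SMB (445) to many distinct hosts: worm-like spread.
    smb = [e for e in events if e.dst_port == 445]
    alerts += window_alerts(smb, "smb-spread", lambda e: e.src,
                            "dst_host", timedelta(seconds=60), threshold=5)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.when.isoformat()} {a.rule}: {a.key} ({a.distinct} distinct)")
```

Neither rule knows anything about a particular exploit; both fire on behaviour that a freshly released worm or scanner exhibits regardless of its payload, which is exactly why a heuristic IDS can alert before a signature exists. The same events, kept with their timestamps, are the raw material for the forensic reconstruction the paragraph mentions.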

Employ perimeter protection, like a stateful firewall.
This almost goes without saying (which is why I put it midway through the list), but perimeter defense is the first, best and most effective way to protect against zero-day exploits in a variety of forms. To help prevent your network from being a vector of delivery for a nasty vulnerability, deploy a firewall immediately. Better yet, deploy a better firewall than the one you have now, and perform regular audits of that firewall if you aren't doing audits already.
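
The VLAN and firewall items above work together: the VLAN draws the boundary, and a stateful filter on that boundary decides what may cross it. The following added example (not code from the original article) models that in a few dozen lines: three constructed VLANs, a default-deny rule set that lets clients open a handful of services on the servers, and a connection table so that replies to admitted connections get back through while unsolicited traffic from the server VLAN toward clients, or anything from guests, is dropped. Address ranges, VLAN names and the rule set are assumptions.

```python
# Added example (not from the original article): a stateful filter between
# VLANs. The address plan, VLAN names and rule set are constructed.
import ipaddress
from dataclasses import dataclass

VLANS = {
    "servers": ipaddress.ip_network("10.1.10.0/24"),
    "clients": ipaddress.ip_network("10.1.5.0/24"),
    "guests": ipaddress.ip_network("10.1.99.0/24"),
}

# Which VLAN may open a new connection to which VLAN, on which TCP port.
# Everything not listed is denied: guests reach nothing, and servers never
# initiate connections toward clients (limits the blast radius of a
# compromised server).
RULES = {
    ("clients", "servers", "tcp", 445),
    ("clients", "servers", "tcp", 80),
    ("clients", "servers", "tcp", 443),
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def vlan_of(ip):
    """Map an address to its VLAN name, or 'unknown' if it is in no VLAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "unknown"


class StatefulFilter:
    """Tracks connections the policy admitted so that only their replies,
    not arbitrary unsolicited traffic, get back through."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.established = set()

    def decide(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.established or rev in self.established:
            return "ALLOW-ESTABLISHED"
        if (vlan_of(pkt.src), vlan_of(pkt.dst), pkt.proto, pkt.dport) in self.rules:
            self.established.add(fwd)
            return "ALLOW-NEW"
        return "DENY"


def run_scenario():
    """Five constructed packets in order; returns the verdict for each."""
    fw = StatefulFilter()
    flows = [
        Packet("10.1.5.23", 50000, "10.1.10.7", 445),   # client opens SMB to a server
        Packet("10.1.10.7", 445, "10.1.5.23", 50000),   # server's reply to that flow
        Packet("10.1.10.7", 50001, "10.1.5.24", 445),   # server tries to reach a client
        Packet("10.1.99.8", 50002, "10.1.10.7", 80),    # guest tries the web server
        Packet("10.1.5.23", 50003, "10.1.10.7", 3389),  # client tries RDP, not in policy
    ]
    return [fw.decide(p) for p in flows]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The third packet is the one that matters for zero-day containment: without the connection table, a rule allowing port 445 in either direction would let a compromised server push the same exploit back toward every client, and without the VLAN boundary there would be nowhere to enforce the rule at all.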

Introduce network access control to prevent rogue machines from gaining access to the wire.
One of the easiest and arguably most prevalent ways for nefarious software or Internet users to creep onto your network is not through holes in your firewall, brute-force password attacks or anything else that might occur at your corporate headquarters or campus. It's through your mobile users, when they try to connect to your business network while on the road, and through visitors on your campus trying to attach themselves to your network. Neither of these categories of machines is subject to your (hopefully) stringent security policies, and that's a problem. Network access control products, like Cisco's NAC, NAQC in Windows Server 2003 and the possible inclusion of network access point (NAP) in the upcoming Longhorn Server are all good ways to close this attack vector.
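
The IPsec item and this one rest on the same decision: before a host gets onto the wire, check that it holds a machine certificate issued by your CA, still valid and not revoked, and then check that the machine itself is in a healthy state. The added example below (not code from the original article, and not how any named product implements it) makes that decision for a few constructed hosts: a managed laptop, the same laptop before patching, a visitor whose certificate was issued by a CA you do not trust, and a revoked corporate certificate. The HMAC "signature" is a stand-in for real X.509 signature verification so the example runs with the standard library alone; the CA key, issuer name, revocation list, patch baseline and health fields are all assumptions.

```python
# Added example (not from the original article): admission control that checks
# a machine certificate and a health report before a host is put on the
# production VLAN. The HMAC "signature" stands in for real X.509 signature
# verification; CA key, issuer name, CRL, patch baseline and health fields are constructed.
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime

CA_KEY = b"constructed-enterprise-ca-key"   # stand-in for the CA's private key
TRUSTED_ISSUER = "CN=Corp Enterprise CA"
REVOKED_SERIALS = {"0x1f3"}                  # stand-in for the CA's CRL
REQUIRED_PATCH_LEVEL = 42                    # assumed baseline
NOW = datetime(2007, 3, 1, 9, 0)             # fixed clock so the run is repeatable


@dataclass(frozen=True)
class MachineCert:
    subject: str
    issuer: str
    serial: str
    not_before: datetime
    not_after: datetime
    signature: bytes


def _to_be_signed(subject, issuer, serial, not_before, not_after):
    return "|".join([subject, issuer, serial,
                     not_before.isoformat(), not_after.isoformat()]).encode()


def issue_cert(subject, serial, not_before, not_after, key=CA_KEY, issuer=TRUSTED_ISSUER):
    """What a CA (yours, or anyone else's) does: sign the certificate fields."""
    sig = hmac.new(key, _to_be_signed(subject, issuer, serial, not_before, not_after),
                   hashlib.sha256).digest()
    return MachineCert(subject, issuer, serial, not_before, not_after, sig)


def certificate_problems(cert, now=NOW):
    """Every reason this certificate should not be trusted (empty if it is fine)."""
    problems = []
    if cert.issuer != TRUSTED_ISSUER:
        problems.append("untrusted issuer")
    expected = hmac.new(CA_KEY, _to_be_signed(cert.subject, cert.issuer, cert.serial,
                                              cert.not_before, cert.not_after),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, cert.signature):
        problems.append("signature does not verify")
    if not (cert.not_before <= now <= cert.not_after):
        problems.append("outside validity period")
    if cert.serial in REVOKED_SERIALS:
        problems.append("revoked")
    return problems


def admission_decision(cert, health, now=NOW):
    """Return ("admit", []) or ("quarantine", [reasons]). A host with any
    problem goes to a remediation VLAN instead of the production wire."""
    reasons = certificate_problems(cert, now)
    if health.get("patch_level", 0) < REQUIRED_PATCH_LEVEL:
        reasons.append("patch level below baseline")
    if not health.get("antivirus_running"):
        reasons.append("antivirus not running")
    if not health.get("host_firewall_on"):
        reasons.append("host firewall off")
    return ("admit" if not reasons else "quarantine", reasons)


HEALTHY = {"patch_level": 42, "antivirus_running": True, "host_firewall_on": True}
STALE = {"patch_level": 37, "antivirus_running": True, "host_firewall_on": True}

# Constructed hosts. The visitor's certificate even copies the corporate
# subject name; it still fails because it was not signed by the trusted CA.
corp = issue_cert("CN=LAPTOP-0137.corp.example", "0x2a1",
                  datetime(2006, 9, 1), datetime(2008, 9, 1))
visitor = issue_cert("CN=LAPTOP-0137.corp.example", "0x2a1",
                     datetime(2006, 9, 1), datetime(2008, 9, 1),
                     key=b"visitor-own-key", issuer="CN=Visitor Self-Signed")
revoked = issue_cert("CN=OLDSRV.corp.example", "0x1f3",
                     datetime(2006, 1, 1), datetime(2008, 1, 1))

if __name__ == "__main__":
    for name, cert, health in [("corp", corp, HEALTHY), ("corp-stale", corp, STALE),
                               ("visitor", visitor, HEALTHY), ("revoked", revoked, HEALTHY)]:
        print(name, admission_decision(cert, health))
```

The certificate half of the check is what an IPsec peer policy enforces on every packet; the health half is what NAC-style products add on top. Quarantining rather than simply refusing lets the stale laptop fetch patches from a remediation network and try again.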

Lock down wireless access points and use a security scheme like Wi-Fi Protected Access or WPA2 for maximum protection against wireless-based attacks.
Simply using media access control (MAC) filtering and not broadcasting your service set identifier (SSID) are methods that just don't cut it anymore in a corporate setting. WEP has been cracked numerous times, and even the most junior cracker will have no trouble gaining access to a wireless network protected only by WEP. Look into WPA2 to really filter out the bad guys.
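
As an added example (not code from the original article), here is a small audit over a constructed access-point inventory that ranks the points above: open and WEP networks first, first-generation WPA next, and MAC filtering or a hidden SSID reported as giving no protection when they are the only thing standing in for encryption. It goes one step beyond the paragraph by also checking that WPA2 is using the AES/CCMP cipher rather than TKIP. The inventory, the field names and the severity scale are assumptions.

```python
# Added example (not from the original article): audit constructed access-point
# settings for the weaknesses the article names, plus the cipher under WPA2.

APS = [  # constructed inventory; field names are assumptions
    {"ssid": "corp-wlan", "auth": "WPA2", "cipher": "CCMP", "mac_filter": False, "hidden_ssid": False},
    {"ssid": "warehouse", "auth": "WEP", "cipher": "WEP", "mac_filter": True, "hidden_ssid": True},
    {"ssid": "lobby", "auth": "open", "cipher": None, "mac_filter": True, "hidden_ssid": False},
    {"ssid": "legacy-scanners", "auth": "WPA", "cipher": "TKIP", "mac_filter": False, "hidden_ssid": False},
    {"ssid": "branch-wlan", "auth": "WPA2", "cipher": "TKIP", "mac_filter": False, "hidden_ssid": False},
]

SEVERITY = {"low": 1, "medium": 2, "high": 3}


def audit_access_point(ap):
    """Return the SSID, its worst severity (0 = clean) and a list of findings."""
    findings = []
    auth = ap.get("auth", "open")
    if auth == "open":
        findings.append(("high", "no authentication or encryption at all"))
    elif auth == "WEP":
        findings.append(("high", "WEP has been cracked numerous times; replace with WPA2"))
    elif auth == "WPA":
        findings.append(("medium", "first-generation WPA; move to WPA2"))
    elif auth == "WPA2" and ap.get("cipher") != "CCMP":
        findings.append(("medium", "WPA2 without the AES/CCMP cipher"))
    # Obscurity measures are only worth flagging when they are being relied
    # on instead of encryption; alongside WPA2 they are harmless.
    if auth in ("open", "WEP") and (ap.get("mac_filter") or ap.get("hidden_ssid")):
        findings.append(("low", "MAC filtering / hidden SSID do not compensate for missing encryption"))
    worst = max((SEVERITY[s] for s, _ in findings), default=0)
    return {"ssid": ap["ssid"], "worst": worst, "findings": findings}


def audit_inventory(aps=APS):
    """Audit every AP and return the results worst-first (stable for ties)."""
    return sorted((audit_access_point(ap) for ap in aps), key=lambda r: -r["worst"])


if __name__ == "__main__":
    for result in audit_inventory():
        print(result["ssid"], result["worst"])
        for severity, message in result["findings"]:
            print(f"  [{severity}] {message}")
```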


Copyright ©2007