Secured IT Infra for SMEs


Secured IT Infrastructure For SMEs

(Small & Medium Enterprises)

Contents

2. Overview of the Project
2.1 Definition of SME
2.2 The importance of SME
2.3 SME's business challenges towards IT security
2.4 Purpose and Objectives
3. PROJECT SCOPE AND MILESTONES
3.1 Outline of network topology
3.2 Security framework layer
3.2.1 Infrastructure
3.2.2 Data in Transit
3.2.3 Application
3.2.4 Physical Security
3.2.5 Security awareness (for end user training)
3.2.6 Audit and monitor
4. Risk Management and Security Policies
4.1 The risk management process
4.2 A Risk and Impact Analysis for Small and Medium Enterprises (SMEs)
5. INFRASTRUCTURE CONTROLS
5.1 Router Configuration
5.2 Exchange 2010 Configuration
5.3 Windows Server Update Service (WSUS)
5.4 VPN
5.5 TMG 2010
5.6 Spiceworks
5.7 OSSEC
5.8 SNORT
5.9 Network File Share Using MS 2008 R2 AD
5.10 Symantec Corporate Anti-Virus Setup
6. APPLICATION CONTROLS
6.1 Application security
6.2 Database Security
6.3 Web Server Security
7. PENETRATION TESTING

2. Overview of the Project

The definition of a Small and Medium Enterprise (SME) varies between regions of the world. However, regardless of the region, SMEs account for a huge percentage of global businesses – as high as 99% (according to Wikipedia). The SME sector in Asia plays a crucial role in the growth of its economies and their competitiveness with large western markets.

2.1 Definition of SME

  1. Small businesses are privately owned corporations with a small number of employees and low operating revenue. Small businesses can take the form of sole proprietorships, partnerships or private limited companies. In the European Union a small business is defined as having fewer than 50 employees, and in America, 100 employees. A medium enterprise is generally defined, in Europe, as having fewer than 250 employees and, in the US, fewer than 500 employees.
  2. For the purpose of this project, SMEs are companies employing not more than 200 employees with an annual turnover not exceeding 100 million [SPRING].
  3. Apart from the number of employees, SMEs can also be defined by turnover and by the assets held by the company.
  4. According to Wikipedia, SMEs account for 99% of all businesses and contribute approximately 40 – 50% of global GDP. There are in excess of 1 million SMEs.

2.2 The importance of SME

  1. While large multinational corporations (MNCs) account for a significantly higher portion of global GDP, SMEs are crucial for the successful functioning of niche markets and developing economies. Being a small company means less bureaucratic red tape, allowing the company to make quick decisions in a modern society that embraces quick fads and market swings.
  2. SMEs also play a pivotal role in driving innovation and competition. In markets that are not dominated by monopolistic MNCs, SMEs often offer stiff competition and inspire development.

In comparison to large corporations, SMEs typically have fewer resources and less expertise in strategic and operational IT security policies and tasks. Their IT infrastructure is maintained either by one or very few employees, usually with limited know-how regarding IT security, or by small IT service companies, most of which are not accustomed even to considering information security.

We understand that there is a lack of framework for action within SMEs – how to set priorities, assign tasks, get started and monitor implementation of IT security measures.

The objective of the project is to propose a layered sample security framework, for typical SMEs, to tackle IT security challenges.

2.3 SME’s business challenges towards IT security

The challenges which SMEs face with regard to IT security implementation include government initiatives, leadership and corporate governance, corporate culture, defining personal rules and responsibilities, user education, best practices or standards, cost justification, and a lack of experienced IT personnel.

2.4 Purpose and Objectives

In SMEs, resources are scarce and employees are trusted on their integrity to hold on to pieces of important information of the organization during the course of their work.

The sheer lack of resources to hire, or to receive professional advice from, security domain experts translates into narrower knowledge of the subject. It is therefore not uncommon for SMEs to perceive security as equivalent to commercial off-the-shelf (COTS) products such as firewalls and anti-virus software. This leads them to believe they are properly secured as long as the firewall and anti-virus software they procured are turned on and the subscriptions are renewed on the vendor's terms.

Hence, to address the challenges faced by SMEs in particular, we aim to establish a framework that allows them to implement cost-effective security measures. In particular, we discuss IT security requirements and appropriate controls. We also suggest an effective organisational information security culture in which employees intuitively protect corporate information assets.

3. PROJECT SCOPE AND MILESTONES

This project addresses SMEs' information security issues by protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction, in order to provide:

  • Integrity – Guarding against inappropriate information modification or destruction, and includes ensuring information non-repudiation and authenticity.
  • Confidentiality – Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.
  • Availability – Ensuring timely and reliable access to and use of information.

Use of the information security assertions — integrity, confidentiality, and availability — allows business-level and security professionals to speak a common language. To fully understand these assertions and make appropriate business decisions, they need to be coupled with an understanding of what the data is and where it is communicated to and from, identification of the assets that need to be protected and where they are placed, and a clear understanding of the network topology and of each layer of the security approach.

3.1 Outline of network topology:

Generally an SME network is simple and does not require division into many segments. However, for each segment that is required, we need to analyze its weaknesses in order to protect it adequately. A risk-based approach to segmenting the network according to the security each segment needs helps configure network appliances such as firewall rules, IDS/IPS policy and other relevant policies and controls effectively.

Secure network topology

In our proposed design, we have segmented our network system (infrastructure) as follows:-

  • Outside segment (Internet):
    The outside/external segment is where the Internet connection meets the edge router (shown in the figure). There is no control over incoming traffic, but we can implement an access list (ACL) to decide which traffic may get in and which traffic to discard.
  • Service segment (DMZ network):
    This segment contains the servers or resources through which we provide services to the public. In networking terms, these servers are placed in a zone called the DMZ (demilitarized zone). This segment is exposed to the outside world, so we have placed a firewall and network-based IDS/IPS as well as host-based IDS/IPS to safeguard these servers from external threats. We also maintain a policy of securing every server against internal threats by placing firewall and IDS/IPS at the appropriate entry points and on all servers.
  • Internal segment (User LAN):
    The internal segment of the network is behind the firewall and accessible only by internal network users and remote VPN users. Internal resources are secured by the firewall, router access lists, NAT (network address translation), and network- and host-based IDS/IPS to protect confidential company information and mission-critical servers such as finance, Active Directory (authentication) and other critical servers. All servers, workstations and VPN users are also equipped with anti-virus, and the internal (host) firewall is turned on.
    Servers, workstations, network equipment (routers, firewall, layer-three switches) and operating systems are also hardened accordingly, with the settings deployed by group policy to achieve the most secure system and performance.
  • Remote user segment (remote users and remote branch office):
    This segment is the most critical to secure. It uses an untrusted public network (the Internet) to access local internal resources. We implemented a stringent remote access policy and encryption (IPSec VPN) to secure resources from unauthorized access.

3.2 Security framework layer

The term layers in reference to information security come from common data communication models similar to the Transmission Control Protocol/Internet Protocol (TCP/IP) Suite or the Open Systems Interconnection (OSI) Model. These frameworks provide guidance on how systems communicate and how data generally flows between systems using a layered approach.

Unfortunately for risk management and auditing, it’s not always practical or easy for nontechnical stakeholders to understand the use of all the layers in the OSI or TCP/IP models because some of the layers can be combined into more general groupings. Specifically, the groupings the information security layer methodology focuses on are the application, infrastructure, data in transit, and physical layers.

3.2.1 Infrastructure

Access to infrastructure components is restricted to business users on a need-to-know and least privilege access basis. An example of this layer could be servers, firewalls, router, switches, operating systems etc.

Common security threats are operating system (OS), database server (DB) vulnerability, physical security vulnerability etc.

3.2.2 Data in Transit

Data can be secured while it is in transit by adopting various methods including:-

  1. Transport Layer – shut down unnecessary services, close unnecessary ports
  2. Internet Layer – implement IPSec for secure IP communication, Virtual Local Area Network (VLAN)
  3. Network Access Layer – Medium Access Control (MAC) lockdown
  4. Data Link layer: Medium Access Control lockdown; ARP poisoning, Ethernet
  5. Network layer: PKI (SSL, encryption), VLAN, VPN (remote access), IPSec, firewall, proxy, IPS/IDS, security policy and auditing, authentication etc.
  6. Transport layer: TCP/UDP, shut down unnecessary services, close unnecessary ports
  7. Session Layer: sockets/streams, session hijacking
  8. Presentation Layer: RPC

Common security threats are hackers, network vulnerabilities, denial of service etc.

3.2.3 Application

Access to end-user applications is restricted to business applications (client-server) and to web servers where applications are hosted and accessed through a web browser, such as online CRM, HRM and shopping cart applications. Application servers are commonly placed in the internal LAN (client-server applications) and in the DMZ (web-based applications).

3.2.4 Physical Security

Physical access to systems, servers, PCs, data centers etc. holding sensitive information is restricted to business users on a need-to-know and least privilege basis. We need to ensure that all system and network resources are physically secure from unauthorized access. Physical security is equally important to safeguard systems from the theft of information via attached external storage, from sabotage, and from unauthorized modification of hardware. Proper network cabling, a locked computer room with biometric access control, and CCTV monitoring can be used for this purpose.

Common security threats are social engineering, insider threats etc.


The Security Layer Approach Illustrated

3.2.5 Security awareness (for end user training)

Humans will always be the weakest link in information security; only through organizational security education can employees learn best practices and gain a better understanding of security in an organizational context, thereby creating security awareness.

3.2.6 Audit and monitor

Since availability is one of the security goals, while designing the secure network architecture we also need to take data and service availability into account. For example, if the SME provides services such as e-Commerce, some network devices and tools can help to improve service availability. By deploying a load balancer, a web farm and redundant network connections, the company can achieve almost 100% uptime for the services it provides. However, there is a trade-off between cost and availability: the higher the percentage of uptime required, the more the company needs to invest in designing the secure network.

Nagios is one of the tools which can help to improve service availability by monitoring the status of the company’s IT infrastructure. In case of any service outage, alert can be triggered immediately to inform administrator to take action.

4. Risk Management and Security Policies

A threat is any action or incident with the potential to cause harm to an organization through the disclosure, modification, or destruction of information, or by the denial of critical services.

Security threats can be divided into human threats and natural disaster threats.

Human threats can further divided into malicious (intentional) threats and non-malicious (unintentional) threats. A malicious threat exploits vulnerabilities in security policies and controls to launch an attack. Malicious threats can range from opportunistic attacks to well-planned attacks.

Some methods of attack include: Social engineering, Viruses, worms, and Trojan horses, Denial of service attack tools, Packet modification, IP spoofing, Password cracking, etc.

Non-malicious human threats can occur through employee error or ignorance. These employees may accidentally cause data corruption, deletion, or modification while trying to capture data or change information.

Security threats (figure, reconstructed as an outline):

  • Human
    • Malicious: outsiders such as crackers or hackers; insiders such as discontented employees
    • Non-malicious: ignorant employees
  • Natural disasters: floods, fire, earthquakes

Hence, risk assessment is a very important part of computer security planning.

No plan of action can be put into place before a risk assessment has been performed.

The risk assessment provides a baseline for implementing security plans to protect assets against various threats.

4.1 The risk management process

Published by the National Institute of Standards and Technology (NIST), Special Publication 800-30, Risk Management Guide for Information Technology Systems (see http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf), describes a nine-step Risk Analysis Process:

  1. System Characterization
  2. Threat Identification
  3. Vulnerability Identification
  4. Control Analysis
  5. Likelihood Determination
  6. Impact Analysis
  7. Risk Determination
  8. Control Recommendations
  9. Results Documentation

Step 1: System Characterization

Describes the scope of the risk management effort and the systems that will be analysed.

Steps 2 and 3: Threat Identification and Vulnerability Identification

Identify the threats and vulnerabilities required to determine risks using the "Risk = Threat x Vulnerability" formula.

Step 4: Control Analysis

Analyses the security controls (safeguards) in place or planned to mitigate risk.

Steps 5 and 6: Likelihood Determination and Impact Analysis

Identify the important risks (especially those with high likelihood and high impact/consequence).

Quantitative versus Qualitative Assessment

In conducting the impact analysis, consideration should be given to the advantages and disadvantages of quantitative versus qualitative assessments.

The main advantage of the qualitative impact analysis is that it prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities.

The disadvantage of the qualitative analysis is that it does not provide specific quantifiable measurements of the magnitude of the impacts, therefore making a cost-benefit analysis of any recommended controls difficult.

The major advantage of a quantitative impact analysis is that it provides a measurement of the impacts' magnitude, which can be used in the cost-benefit analysis of recommended controls.

The disadvantage is that, depending on the numerical ranges used to express the measurement, the meaning of the quantitative impact analysis may be unclear, requiring the result to be interpreted in a qualitative manner.

Step 7: Risk Determination

The purpose of this step is to assess the level of risk to the IT system.

To measure risk, a risk scale and a risk-level matrix must be developed.

Risk-Level Matrix

Threat Likelihood | Impact: Low (10)    | Impact: Medium (50)    | Impact: High (100)
----------------- | ------------------- | ---------------------- | ------------------------
High (1.0)        | Low (10 x 1.0 = 10) | Medium (50 x 1.0 = 50) | High (100 x 1.0 = 100)
Medium (0.5)      | Low (10 x 0.5 = 5)  | Medium (50 x 0.5 = 25) | Medium (100 x 0.5 = 50)
Low (0.1)         | Low (10 x 0.1 = 1)  | Low (50 x 0.1 = 5)     | Low (100 x 0.1 = 10)

Risk Scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10)

The risk scale, with its ratings of High, Medium, and Low, represents the degree or level of risk to which an IT system, facility, or procedure might be exposed if a given vulnerability were exercised. The risk scale also presents the actions that senior management, the mission owners, must take for each risk level.

Risk Scale and Necessary Actions

Risk Level | Risk Description and Necessary Actions
---------- | --------------------------------------
High       | If an observation or finding is evaluated as a high risk, there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
Medium     | If an observation is rated as medium risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
Low        | If an observation is described as low risk, the system's approving authority must determine whether corrective actions are still required or decide to accept the risk.
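The risk-level matrix and risk scale above, applied to a list of findings, as an added worked example in Python (not part of the original report). The likelihood weights, impact magnitudes, scale boundaries and action text come from the tables in this section; the findings in FINDINGS are constructed sample data (the first four mirror the rows of the section 4.2 table, the last is the disgruntled-employee DoS example with assumed ratings).

```python
# Added worked example: NIST SP 800-30 risk-level matrix and risk scale from
# section 4.1, applied to a constructed list of findings. Not code from the report.

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}   # threat likelihood weights
IMPACT = {"High": 100, "Medium": 50, "Low": 10}         # impact magnitudes

# Necessary action per risk level, paraphrased from "Risk Scale and Necessary Actions".
ACTIONS = {
    "High": "strong need for corrective measures; corrective action plan as soon as possible",
    "Medium": "corrective actions needed; plan to incorporate them within a reasonable period",
    "Low": "approving authority decides whether to correct or accept the risk",
}


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = threat likelihood x impact, e.g. Medium x High = 0.5 x 100 = 50."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 2)


def risk_level(score: float) -> str:
    """Risk scale from the report: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def prioritise(findings):
    """Score every (name, likelihood, impact) finding and return them highest risk first."""
    ranked = []
    for name, likelihood, impact in findings:
        score = risk_score(likelihood, impact)
        level = risk_level(score)
        ranked.append({"finding": name, "score": score, "level": level,
                       "action": ACTIONS[level]})
    ranked.sort(key=lambda row: row["score"], reverse=True)   # stable: ties keep order
    return ranked


# Constructed sample findings with assumed likelihood/impact ratings.
FINDINGS = [
    ("Solution does not meet the business needs", "Low", "High"),
    ("Technical solution has major flaws", "Low", "High"),
    ("Hardware, network or system sizing inadequate", "Medium", "Medium"),
    ("System failures", "High", "Medium"),
    ("DoS against web server: no router filtering, no RPF", "High", "High"),
]

if __name__ == "__main__":
    for row in prioritise(FINDINGS):
        print(f"{row['level']:<6} {row['score']:>5}  {row['finding']}")
        print(f"       action: {row['action']}")
```

Sorting by score rather than by level is what turns the matrix into a work queue: two findings rated Low by the scale still come out in a defined order, and a Medium finding with score 50 sits above a Medium finding with score 25.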

Step 8

Step 1 through 7, are used to determine Control Recommendations, or the risk mitigation strategy.

Step 9

The Risk mitigation strategy is documented.

  • Refer to the Risk Assessment Activities diagram (figure: Input – Risk Assessment Activities – Output).


4.2 A Risk and Impact Analysis for Small and Medium Enterprises (SMEs)

Risk | Probability | Impact | Response
---- | ----------- | ------ | --------
Solution does not meet the business needs | Low | High | Ensure good participation and collaboration involving representatives and resources from all concerned areas of the business (and external parties where appropriate).
Technical solution has major flaws | Low | High | Invest in appropriate levels of testing. Consider a period of parallel running. Have a fallback contingency plan to revert to a previous system if necessary.
Hardware, network or system sizing inadequate to meet live demands | Medium | Medium | Sizing calculations are always difficult. Many successful eSolutions have been flooded by demand. Make sure the system's use can be scaled up by a significant factor before any need to move to a different technological platform.
System failures | High | Medium | Invest now in fault-tolerant components and adequate redundant contingency resources. Ensure the plan includes appropriate backup, recovery, and disaster recovery procedures (and tests them).

Hence, after assessing the risk, the next step is proactive planning. Proactive planning involves developing security policies and controls and implementing tools and techniques to aid in security. As with security strategies, it is necessary to define a plan for both proactive and reactive security planning. The proactive plan is developed to protect assets by preventing attacks and employee mistakes. The reactive plan is a contingency plan to implement when the proactive plans have failed. In summary, the following diagram illustrates the relationship between a good risk assessment and good security policies and controls.


Example :

Malicious Threats: Disgruntled employee

Motives and Goal: To stop productivity.

Techniques and Methods:

Denial-of-Service attack tool called Trin00 to start an attack on the company’s Web server.

Vulnerability: No filtering on routers

No Reverse Path Forwarding (RPF) used to check for spoofing

Assets: Loss of Productivity.

To conclude, security planning involves developing security policies and implementing controls to prevent computer risks from becoming reality.

The policies outlined below are merely guidelines for future SME start-ups to secure their IT infrastructure. Each organization is different and will need to plan and create policies based upon its individual security goals and needs.

In other words, policies can be defined for any area of security. It is up to the security administrator and IT manager to classify what policies need to be defined and who should plan the policies. There could be policies for the whole SMEs or policies for various sections within the SMEs.

The various types of policies that could be included are:

  • Password policies
    • Administrative responsibilities
    • User responsibilities
  • E-mail policies
  • Internet policies
  • Backup and restore policies

Password Policies

It is possible to specify minimum password length, no blank passwords, and maximum and minimum password age.

It is also possible to prevent users from reusing passwords and ensure that users use specific characters in their passwords making passwords more difficult to crack.
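The password controls listed above (minimum length, no blank passwords, required characters, no reuse of previous passwords, and minimum and maximum password age), implemented as a checker in Python. This is an added example, not code from the report or from Windows; every threshold value (12 characters, 3 character classes, 5-password history, 1-day minimum and 90-day maximum age) is an assumption chosen for illustration, and previous passwords are stored only as salted PBKDF2 hashes so that the reuse check never needs the old passwords themselves.

```python
# Added worked example (not code from the report): a password-policy checker that
# enforces the controls listed under "Password Policies". All threshold values are
# assumptions chosen for illustration.
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class PasswordPolicy:
    min_length: int = 12        # assumed
    required_classes: int = 3   # of: lowercase, uppercase, digit, symbol (assumed)
    history_size: int = 5       # previous passwords that may not be reused (assumed)
    min_age_days: int = 1       # earliest allowed change after the last one (assumed)
    max_age_days: int = 90      # password expires after this many days (assumed)


@dataclass
class Account:
    # (salt, PBKDF2 hash) of previous passwords, oldest first; never the passwords themselves
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    last_changed: Optional[date] = None


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _character_classes(password: str) -> int:
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def _reused(account: Account, password: str) -> bool:
    return any(hmac.compare_digest(_digest(password, salt), stored)
               for salt, stored in account.history)


def validate_change(policy: PasswordPolicy, account: Account,
                    new_password: str, today: date) -> List[str]:
    """Return every policy violation for the proposed change; an empty list means allowed."""
    problems = []
    if not new_password.strip():
        problems.append("blank password not allowed")
    if len(new_password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if _character_classes(new_password) < policy.required_classes:
        problems.append(f"needs at least {policy.required_classes} character classes")
    if _reused(account, new_password):
        problems.append(f"reuses one of the last {policy.history_size} passwords")
    if account.last_changed is not None and \
            (today - account.last_changed).days < policy.min_age_days:
        problems.append("changed too recently (minimum password age)")
    return problems


def is_expired(policy: PasswordPolicy, account: Account, today: date) -> bool:
    """Maximum age: a password older than max_age_days (or never set) must be changed."""
    return account.last_changed is None or \
        (today - account.last_changed).days > policy.max_age_days


def commit_change(policy: PasswordPolicy, account: Account,
                  new_password: str, today: date) -> None:
    """Apply a validated change, recording a salted hash for the reuse check."""
    problems = validate_change(policy, account, new_password, today)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    account.history.append((salt, _digest(new_password, salt)))
    del account.history[:-policy.history_size]   # keep only the most recent N
    account.last_changed = today
```

The minimum-age check is what gives the history check its teeth: without it a user can cycle through N+1 changes in a minute and land back on the old password.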

E-mail Policies

Some ways to prevent accidents are to:

  • Train users what to do when things go wrong, as well as how to do it right.
  • Configure e-mail software so that the default behavior is the safest behavior.

Internet Policies

There are many areas of Web servers to secure:

  • the underlying operating system,
  • the Web server software,
  • server scripts and other software, and so forth.
  • Firewalls and proper configuration of routers and the IP protocol can help to fend off denial of service attacks.

Backup and Restore Policies

Emergency Repair Disks (ERDs) should be stored with backups both onsite and offsite if possible.

Nevertheless, SMEs have limited IT resources, in terms of both expertise and budget, with which to formulate and implement a secured infrastructure. At the same time, using e-Commerce applications to advertise the company's products and services, perform online transactions and obtain user feedback is, for many SMEs, a cost-effective way to conduct business.

5. INFRASTRUCTURE CONTROLS

5.1 Router Configuration

We have implemented two Cisco 3640 series routers: a core router (CR) which interfaces between external traffic (Internet) and the LAN, and an edge router (ER) which connects to the DMZ network. We did this to separate our network into different segments for efficient management and control. Static routes determine the traffic flow between the network segments, and router ACLs act as a firewall to allow or deny requests at the network, host and port level.

The following figure shows the connectivity of the Cisco 3640 routers (Core Router – CR, Edge Router – ER) with the different network interfaces.

Router Connectivity and Design

Network Segmentation

Core Router (CR) Configuration:

Showing ACLs and routing implementation to secure network.

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CR
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$rxoz$T/ZMX3KGt/bX6SF/jG0jU0
enable password cisco
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
!
!
ip cef
no ip domain lookup
interface FastEthernet0/0
 description CR-Uplink
 ip address 172.16.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 description LAN
 ip address 192.168.111.10 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet2/0
 ip address 192.168.113.10 255.255.255.0
 ip access-group 101 in
 duplex auto
 speed auto
!
interface FastEthernet3/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 FastEthernet2/0
ip route 192.168.112.0 255.255.255.0 172.16.1.2
!
access-list 101 permit tcp any host 192.168.111.8 eq 443
access-list 101 permit tcp any host 192.168.111.8 eq www
access-list 101 permit tcp any host 192.168.111.8 eq smtp
access-list 101 permit udp any host 192.168.111.9 eq domain
access-list 101 permit tcp any host 192.168.111.8 eq telnet
access-list 101 permit icmp any host 192.168.111.9
access-list 101 permit tcp any host 192.168.112.11 eq www
access-list 101 permit tcp any host 192.168.112.11 eq 443
access-list 101 permit tcp any host 192.168.111.8 eq pop3
access-list 101 permit tcp any host 192.168.111.8 eq 995
access-list 101 permit tcp any host 192.168.111.8 eq 143
access-list 101 permit tcp any host 192.168.111.8 eq 993
access-list 101 permit tcp any host 192.168.111.6 eq 1723
access-list 101 permit gre any host 192.168.111.6
access-list 101 permit icmp any host 192.168.111.6
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 password cisco
 login
line vty 5 871
 login
!
end

Edge Router (ER) Configuration:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ER
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$C0Dq$n3uIqRPmHRRmD61ZKrIFY1
enable password cisco
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
!
ip cef
no ip domain lookup
!
interface FastEthernet0/0
 description ER-Uplink-CR
 ip address 172.16.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 description DMZ
 ip address 192.168.112.10 255.255.255.0
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 192.168.111.0 255.255.255.0 172.16.1.1
ip route 192.168.113.0 255.255.255.0 172.16.1.1
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0
 password cisco
 login
line vty 1 4
 login
!
end

The following screenshots show the result of the above ACLs in action, blocking or allowing traffic from internal to external and vice versa.

Internal → External

External → Internal: external-to-internal traffic restricted by the firewall (router ACLs)

Internal → DMZ

Internet (external) → DMZ: ping (ICMP) blocked for the external network

External → Internal: only ports 443 and 80 are open externally for the database server.
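What the screenshots above show can also be checked offline by evaluating packets against access list 101 the way IOS does: entries are tried top to bottom, the first match decides, and anything that matches no entry is dropped by the implicit deny at the end of every access list. The evaluator below is an added example in Python (not code from the report or from Cisco). The ACL lines are copied verbatim from the Core Router configuration, where the list is applied inbound on FastEthernet2/0; the parser handles only the "any -> host" entry form used there, and the packets it is run against are constructed.

```python
# Added worked example (not code from the report): an evaluator for Cisco extended
# access list 101 from the Core Router configuration. The packets tested below are
# constructed; the ACL text is copied from the CR configuration.
import re

ACL_101 = """
access-list 101 permit tcp any host 192.168.111.8 eq 443
access-list 101 permit tcp any host 192.168.111.8 eq www
access-list 101 permit tcp any host 192.168.111.8 eq smtp
access-list 101 permit udp any host 192.168.111.9 eq domain
access-list 101 permit tcp any host 192.168.111.8 eq telnet
access-list 101 permit icmp any host 192.168.111.9
access-list 101 permit tcp any host 192.168.112.11 eq www
access-list 101 permit tcp any host 192.168.112.11 eq 443
access-list 101 permit tcp any host 192.168.111.8 eq pop3
access-list 101 permit tcp any host 192.168.111.8 eq 995
access-list 101 permit tcp any host 192.168.111.8 eq 143
access-list 101 permit tcp any host 192.168.111.8 eq 993
access-list 101 permit tcp any host 192.168.111.6 eq 1723
access-list 101 permit gre any host 192.168.111.6
access-list 101 permit icmp any host 192.168.111.6
"""

# IOS accepts these well-known service names in place of port numbers.
PORT_NAMES = {"www": 80, "smtp": 25, "domain": 53, "telnet": 23, "pop3": 110}

# Only the "<action> <proto> any host <dst> [eq <port>]" form used in this config is parsed.
ENTRY = re.compile(r"access-list (\d+) (permit|deny) (\w+) any host (\S+)(?: eq (\S+))?$")


def parse_acl(text):
    """Return a list of (action, protocol, destination host, destination port or None)."""
    entries = []
    for line in text.strip().splitlines():
        match = ENTRY.match(line.strip())
        if not match:
            raise ValueError(f"unsupported ACL line: {line}")
        _, action, proto, dst, port = match.groups()
        port_num = None if port is None else (PORT_NAMES.get(port) or int(port))
        entries.append((action, proto, dst, port_num))
    return entries


def evaluate(entries, proto, dst, dport=None):
    """Decide a packet (protocol, destination host, destination port) against the ACL."""
    for action, e_proto, e_dst, e_port in entries:
        if e_proto != proto or e_dst != dst:
            continue
        if e_port is not None and e_port != dport:
            continue
        return action                      # first matching entry wins
    return "deny"                          # implicit deny at the end of every IOS ACL


def permitted_ports(entries, dst):
    """Destination ports reachable through the ACL for one host."""
    return sorted({p for a, _, d, p in entries
                   if a == "permit" and d == dst and p is not None})


if __name__ == "__main__":
    acl = parse_acl(ACL_101)
    for pkt in [("tcp", "192.168.112.11", 443), ("tcp", "192.168.112.11", 22),
                ("icmp", "192.168.112.11", None), ("icmp", "192.168.111.9", None)]:
        print(pkt, "->", evaluate(acl, *pkt))
    print("DMZ server 192.168.112.11 ports:", permitted_ports(acl, "192.168.112.11"))
```

Running it reproduces the two screenshot captions: ICMP to the DMZ server is denied (no icmp entry for 192.168.112.11), and the only permitted ports for that host are 80 and 443. The same function is a cheap regression check to run whenever the ACL is edited, before the change goes onto the router.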

5.2 Exchange 2010 Configuration

Microsoft Exchange combines built-in anti-spam and encryption technologies with an advanced anti-virus infrastructure for efficient management of a wide range of security threats: automatic encryption at both the channel and message levels helps control access to data and ensure trusted communications both inside and outside the network; multi-layered anti-spam filtering comes with continuous updates to help guard against increasingly sophisticated spam and phishing threats; and, to protect against malware, leading anti-virus solutions can be integrated throughout the Exchange 2010 network.

Telnet to port 25 externally.

Outlook and OWA:

5.3 Windows Server Update Service (WSUS)

Microsoft WSUS is a software tool that automates patch fixes (updates) for Windows-based systems. WSUS enables IT engineers to deploy the latest Microsoft product updates (for almost all Microsoft products) to computers that are running the Windows operating system. By using WSUS, IT engineers can fully manage the distribution of updates that are released through Microsoft Update to the computers in their network.

Use GPO to push updates

client: c:\wuauclt.exe /detectnow (force update manually)

5.4 VPN

A virtual private network (VPN) is a private network that connects office networks over primarily public communication infrastructure such as the Internet. VPNs provide security through tunneling protocols and encryption. VPN users thus connect to the office network securely, as if they were in the office. We implemented a Microsoft PPTP VPN server for secure VPN connectivity for remote users. Please see Appendix 3 for more detail.

Configuration of a client to dial the VPN server


The Windows PPTP VPN server accepted the VPN client's request and assigned an IP address.


5.5 TMG 2010

Forefront Threat Management Gateway 2010 (TMG) is a secure web gateway that provides comprehensive protection against web-based threats by integrating multiple layers of protection into a unified, easy-to-use solution. Forefront TMG allows our employees to safely and productively use the Internet for business without worrying about malware and other threats. We implemented TMG 2010 Standard Edition to secure our LAN segments from malware threats, control web traffic, and improve the web-surfing experience for end users by caching the most recently visited sites.


LAN workstations (client access) configuration (Internet access via proxy server)

5.6 Spiceworks

Spiceworks provides a free systems management, inventory, and helpdesk application, Spiceworks IT Desktop, designed for network administrators working in SMEs. We implemented this tool for host monitoring, inventory management and viewing various alerts from its dashboard.

5.7 OSSEC

We have implemented OSSEC HIPS to protect our servers from unauthorized system file modification and to analyze system events and system file integrity. A few words about OSSEC: it is a free, scalable, multi-platform, open source host-based intrusion detection system (HIDS). It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response.

OSSEC HIPS service status

5.8 SNORT

Snort is a very popular and robust network-based intrusion detection/prevention system (NIDS/NIPS). It is open source and capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. We have implemented Snort to secure our network from malicious threats, and for better reporting and viewing we have also implemented two Snort front-end GUI applications, Snorby and Squert.

Snort configuration file – snort.conf

Snorby (GUI for Snort)

https://192.168.111.38:3000/users/login

Squert (another GUI front end for Snort)

https://192.168.111.38/squert/

5.9 Network File Share Using MS 2008 R2 AD

  1. SET UP SAMPLE USERS & GROUPS

  2. CREATE SUITABLE FILE SHARE FOLDER STRUCTURE (HIERARCHY)

    Note: There can be several possible file share implementations depending on business requirements. Two sample scenarios are presented below for the sake of demonstration.

SCENARIO 1: STANDARD CORPORATE FILE SHARE

  • Public/ Common Folder: Users can use the folder to share documents among themselves
  • Private/ User Folder: Users store personal documents which they do not intend to share with anyone

SCENARIO 2: DEPARTMENT LEVEL FILE SHARE

  • Root Folder: Users can only access their department’s (group) folder.
  • User Folder: Users belonging to the department (group) have individual folders. Each user has full access to their own personal folder. Other users only have read access to the folder

  3. CREATE SUITABLE ACCESS PERMISSIONS

SMB/ Windows share and NTFS permissions were used for domain users and groups (subjects) to define access to folders and files (objects) as per scenario specifications.


SCENARIO 1: STANDARD CORPORATE FILE SHARE

  • Public/ Common Folder: Users can use the folder to share documents among themselves
    • All users have full access (to read, create, edit and delete sub folders and files)
    • No user can delete the common folder
  • Private/ User Folder: Users store personal documents which they do not intend to share with anyone
    • Each user has full access (to read, create, edit and delete sub folders and files) to the folder
    • The user cannot delete the folder
    • No other user can access the folder

Sample screen shots for illustration are provided below:-


A domain user, e.g. ‘Tuen’, logs on to a workstation


Tuen is able to create sub-folders and files within the common (public) folder for sharing


Tuen is unable to delete the common (public) folder


Tuen is able to create sub-folders and files within his personal (private) directory for storage/ access

Tuen is unable to delete his personal (private) folder


Tuen is not able to access any other user’s folder


Other users are able to access the common (public) folder for shared files

SCENARIO 2: DEPARTMENT LEVEL FILE SHARE

  • Root Folder: Users can only access their department’s (group) folder.
    • Users cannot access other department’s (group) folder (and files)
    • No user can delete the root folder
  • User Folder: Users belonging to the department (group) have individual folders. Each user has full access to own personal folder. Other users only have read access to the folder
    • The user cannot delete the folder

Sample screen shots for illustration purpose are provided below:-


A domain user, e.g. Sandeep, logs on to a workstation


As Sandeep is a member of Finance department (group), he can access the root folder


Sandeep is able to create sub-folders and files within his folder for storage/ access. Other Finance department (group) users, e.g. Tuen, have read-only access to the folder


As Jane is a member of Marketing department (group), she cannot even access the root folder

5.10 Symantec Corporate Anti-Virus Setup

INSTALL SYMANTEC SYSTEM CENTER

Key installation screen shots are provided below for illustration:-

INSTALL SYMANTEC ANTI-VIRUS SERVER

Key installation screen shots are provided below for illustration:-

CONFIGURE PRIMARY MANAGEMENT SERVER

INSTALL SYMANTEC CLIENTS

Key installation screen shots are provided below for illustration:-

INSTALL SYMANTEC REPORTING SERVER

Key installation screen shots are provided below for illustration:-

TESTING SYMANTEC ANTI-VIRUS CLIENT WITH EICAR TEST VIRUS

Download test virus file(s) from the website


SAV client detects a virus and alerts!

6. APPLICATION CONTROLS

A typical small to medium size e-Commerce application comprises a Web application component which handles the business and presentation logic, a Web server component which hosts and manages the Web application resources, and a database component which provides non-volatile storage for the data used by the Web application.

Since most e-Commerce applications run on an insecure public network exposed to many malicious attacks, it is essential for companies to implement thorough security measures to protect their e-Commerce applications.

The following are some security recommendations for e-Commerce applications implemented with Microsoft ASP.NET, Internet Information Server 7.0 and SQL Server 2008.

6.1 Application security

  1. Preventing Unauthorized Database Access through SQL Injection

    SQL Injection is an attack on the database through user input that a web application passes into SQL statements without a proper verification mechanism. It can be prevented by validating all user input against a “White List”, by canonicalization (i.e. transforming an input into “safe” data), or by using a parameterized query API to feed user-provided data into an SQL statement. The following is a code segment of a parameterized query written for an ASP.NET application:

    ' Requires: Imports System.Data.SqlClient
    ' The session value is bound as a parameter; it is never concatenated into the SQL text.
    Dim strSQL As String = "Select * from customer where customerID = @userid;"
    Dim comm As New SqlCommand(strSQL, objConn)
    objConn.Open()
    comm.Parameters.Add(New SqlParameter("@userid", Session("custid")))
    Dim customerReader As SqlDataReader = comm.ExecuteReader()
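As an added illustration (not code from the original project), the same customer lookup in Python against an in-memory SQLite table shows the concatenated query beside the parameterized one; the table rows and the customerID values are constructed for the demo.

```python
import sqlite3

# Constructed sample data standing in for the project's customer table.
SAMPLE_CUSTOMERS = [
    (1, "Tuen", "tuen@example.invalid"),
    (2, "Sandeep", "sandeep@example.invalid"),
    (3, "Jane", "jane@example.invalid"),
]


def make_db():
    """Create an in-memory customer table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (customerID INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, custid):
    """String concatenation: whatever is in the session/request becomes SQL text,
    so a value such as "1 OR 1=1" changes the meaning of the WHERE clause."""
    sql = "SELECT * FROM customer WHERE customerID = " + custid + ";"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, custid):
    """Parameterized query: the value travels separately from the SQL text, the
    role SqlParameter("@userid", ...) plays in the ASP.NET snippet above. The
    same "1 OR 1=1" is now just a literal that matches no customerID."""
    sql = "SELECT * FROM customer WHERE customerID = ?;"
    return conn.execute(sql, (custid,)).fetchall()


def compare(custid):
    """Run both lookups on the same input and return (vulnerable_rows, safe_rows)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, custid), lookup_parameterized(conn, custid)
    finally:
        conn.close()
```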

  2. Preventing Cross-Site Scripting (XSS) Attacks

    XSS is a vulnerability whereby an attacker injects a block of malicious client-side script (e.g. JavaScript) into an unprotected Web application. Thorough protection against XSS requires mechanisms that 1) validate all user input and 2) filter malicious characters before displaying the data. The former can be achieved by “White List” validation or canonicalization of user input before accepting the data. For ASP.NET applications, the XSS validation check is handled by controls under the namespace “System.Web.UI.WebControls”; input fields written with these controls are protected from XSS attacks. The latter measure (for the case where malicious script is already in the database) prevents the script from reaching the Web browser by escaping suspicious strings such as “<script>” or by encoding all special characters into HTML entities (e.g. converting “<script>” into “&lt;script&gt;”).

  3. Protecting User Passwords

    Improper protection of passwords may expose sensitive information such as users’ particulars, or cause loss of property such as cash from a bank account. Passwords can be protected with the following measures:

    1. Store hashed passwords in the database: Passwords should be hashed with a strong hashing algorithm such as SHA-256 before being stored in the database. A salt should also be used so that two users with the same password do not produce the same hash value.

      The following are the hash values of the same password, hashed with the same algorithm but with different salts.


    2. Enforce password complexity: Requiring a more complex password, such as a combination of uppercase and lowercase letters, numbers and special characters, makes brute-force attacks more difficult for attackers.
    3. Suspend the user account after a number of failed login attempts: Disabling the account after several failed attempts prevents an attacker from continuing a brute-force attack.
    4. Do not reveal whether the login or the password was incorrect when a login attempt fails: Not telling the user which of the two was wrong gives an attacker no information from which to infer user credentials.
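The four measures above, worked through in Python as an added example (not code from the original project): salted SHA-256 as the text recommends, a complexity check, account suspension after repeated failures, and one generic error message for every failure cause. The minimum length of 8 and the limit of 5 failures are assumptions.

```python
import hashlib
import hmac
import os

SALT_BYTES = 16
MAX_FAILURES = 5                                   # assumed: suspend after this many failures
GENERIC_ERROR = "Invalid user name or password"    # one message for every failure cause


def hash_password(password, salt):
    """Salted SHA-256 as named in the text (salt prepended to the password).
    Current practice prefers a slow KDF such as PBKDF2 or bcrypt, but the
    salting principle shown here is the same."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def same_password_different_salts(password):
    """Reproduce the figure the text refers to: one password, two random salts,
    two different hex digests."""
    s1, s2 = os.urandom(SALT_BYTES), os.urandom(SALT_BYTES)
    return hash_password(password, s1).hex(), hash_password(password, s2).hex()


def is_complex(password):
    """Complexity policy from measure 2: upper- and lowercase letters, digits and
    special characters; the minimum length of 8 is an assumption."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


class UserStore:
    """Minimal in-memory account store covering measures 1 to 4."""

    def __init__(self):
        self.accounts = {}   # username -> dict(salt, digest, failures, suspended)

    def register(self, username, password):
        if not is_complex(password):
            raise ValueError("password does not meet the complexity policy")
        salt = os.urandom(SALT_BYTES)                # fresh random salt per account
        self.accounts[username] = {"salt": salt, "digest": hash_password(password, salt),
                                   "failures": 0, "suspended": False}

    def login(self, username, password):
        """Return (ok, message). The message never says which part was wrong,
        whether the account exists, or whether it has been suspended."""
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password, b"\x00" * SALT_BYTES)   # same work for unknown users
            return False, GENERIC_ERROR
        if acct["suspended"]:
            return False, GENERIC_ERROR
        if hmac.compare_digest(acct["digest"], hash_password(password, acct["salt"])):
            acct["failures"] = 0                     # successful login resets the counter
            return True, "OK"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["suspended"] = True                 # measure 3: lock the account
        return False, GENERIC_ERROR
```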
  4. Securing User Sessions

    A user session enables a Web application to store and retrieve user information relevant to the login session. By obtaining the session ID of an authorized user, an attacker can access the Web application and perform malicious activities on the user’s account, such as viewing the user’s sensitive information or making illegitimate transactions. The session ID can be protected by not exposing it in the URL, setting a timeout to deactivate inactive sessions, changing the session ID frequently during a login session, and transmitting the session ID over an encrypted channel. The following is the ASP.NET configuration for setting the session timeout in web.config:

    <system.web>
        <!-- End session after 20 minutes of inactivity -->
        <sessionState timeout="20" />
    </system.web>

  5. Protecting Direct Object References

    An insecure direct object reference occurs when an unauthorized user gains access to restricted resources by modifying a parameter in a query string or a URL. It can be prevented by verifying the user’s access right to the resource, or by using indirect object references so that the user never addresses the targeted resource directly. One way to implement indirect object references is to map each resource to an indicator, so that resources can only be accessed through the indicators and never through the physical path of the resource. Below is an example of indirect object reference via “White List” validation in an ASP.NET application:

    <asp:DropDownList id="type" runat="server">
        <asp:ListItem value="1">Fruit</asp:ListItem>
        <asp:ListItem value="2">Fruit Product</asp:ListItem>
    </asp:DropDownList>

    ...

    ' Only the two white-listed indicator values select a product type; the raw
    ' request value itself is never placed in the SQL text.
    Dim strSQL As String = "select * from product where type "
    If type.SelectedItem.Value = "1" Then
        strSQL &= "= 'Fruit';"
    ElseIf type.SelectedItem.Value = "2" Then
        strSQL &= "= 'Fruit Product';"
    Else
        strSQL &= " is null;"
    End If
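The two defences named above, as an added Python example (not the project's code): the white-list mapping from the DropDownList values, and an indirect-reference map that hands out random handles for a user's own resources and checks ownership on every lookup. The document paths and owners are constructed for the demo.

```python
import secrets

# Server-side white list: the indicators the page's DropDownList presents as "1" and "2".
PRODUCT_TYPES = {"1": "Fruit", "2": "Fruit Product"}

# Constructed document store: internal path -> owning user. Clients never see these paths.
DOCUMENTS = {
    "/data/tuen/invoice.pdf": "tuen",
    "/data/sandeep/salary.xlsx": "sandeep",
}


def product_type_filter(selected):
    """White-list mapping, as in the VB example: a known indicator maps to a fixed
    value bound as a parameter; anything else falls into the IS NULL branch instead
    of being copied into the query."""
    value = PRODUCT_TYPES.get(selected)
    if value is None:
        return "type IS NULL", ()
    return "type = ?", (value,)


class IndirectReferenceMap:
    """Issues opaque handles for a user's resources and resolves them back. A handle
    is only valid for the user it was issued to, so editing it in the URL cannot
    reach another user's document."""

    def __init__(self):
        self._handles = {}   # (user, handle) -> internal path

    def handle_for(self, user, path):
        if DOCUMENTS.get(path) != user:          # access-right check before issuing
            raise PermissionError("user does not own this resource")
        handle = secrets.token_urlsafe(12)
        self._handles[(user, handle)] = path
        return handle

    def resolve(self, user, handle):
        path = self._handles.get((user, handle))
        if path is None or DOCUMENTS.get(path) != user:   # re-check on every use
            raise PermissionError("unknown handle or access denied")
        return path
```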

  6. Preventing Cross-Site Request Forgery

    Cross-Site Request Forgery occurs when a malicious Website or e-mail causes a user’s Web browser to perform an unintended action on a trusted Website to which the legitimate user has access. It can be prevented by using token verification in each Web page that performs insert, update or delete operations on the database: if the token does not match, the operation is not performed. In an ASP.NET application, Cross-Site Request Forgery can be prevented by setting the ViewStateUserKey property to the session ID as shown:

    ' Page_Init runs before view state is loaded, so the key is applied on every request.
    Protected Sub Page_Init(ByVal sender As Object, ByVal e As EventArgs)
        ViewStateUserKey = Session.SessionID
    End Sub
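The session protections from item 4 (random IDs, a 20-minute inactivity timeout, a new ID on login) together with the per-session token check from item 6, as an added Python model that is not the project's code; the clock parameter and the HTTP status codes returned by handle_post are assumptions made so the behaviour can be exercised offline.

```python
import hmac
import secrets
import time

SESSION_TIMEOUT = 20 * 60   # seconds; the same 20-minute value as the web.config above


class SessionStore:
    """In-memory session store: random session IDs, inactivity timeout, ID
    regeneration on login, and a per-session CSRF token that must accompany
    every state-changing request (the job ViewStateUserKey does in ASP.NET)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so the timeout can be tested
        self._sessions = {}          # session_id -> {"user", "last_seen", "csrf"}

    def create(self):
        sid = secrets.token_urlsafe(32)              # 256-bit random ID, not user-derived
        self._sessions[sid] = {"user": None, "last_seen": self._clock(),
                               "csrf": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid):
        """Return the session, or None if it is unknown or idle for too long."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if self._clock() - sess["last_seen"] > SESSION_TIMEOUT:
            del self._sessions[sid]                  # expired through inactivity
            return None
        sess["last_seen"] = self._clock()
        return sess

    def login(self, sid, user):
        """Bind the user to a new session ID and a new token, so an ID observed or
        fixed before authentication is useless afterwards."""
        sess = self.get(sid)
        if sess is None:
            raise PermissionError("no valid session")
        del self._sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        sess.update(user=user, csrf=secrets.token_urlsafe(32))
        self._sessions[new_sid] = sess
        return new_sid

    def csrf_token(self, sid):
        """Token to embed in forms rendered for this session."""
        sess = self.get(sid)
        return None if sess is None else sess["csrf"]

    def handle_post(self, sid, form):
        """Model of a page that inserts, updates or deletes: 401 without a logged-in
        session, 403 when the form's token does not match, 200 otherwise."""
        sess = self.get(sid)
        if sess is None or sess["user"] is None:
            return 401
        token = form.get("csrf_token", "")
        if not hmac.compare_digest(token, sess["csrf"]):
            return 403
        return 200
```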

  7. Protecting Sensitive User Information with Encryption

    Sensitive user information such as credit card numbers, employees’ salaries or trade secrets should be encrypted with a strong encryption algorithm such as AES or Blowfish before it is stored in the database. The Microsoft .NET Framework provides a number of cryptographic services, including secret-key and public-key encryption, hashing, random number generation and message authentication, under the namespace System.Security.Cryptography. The following are cipher texts for some credit card numbers after encryption.

  8. Preventing Website Registration by Automated Programs

    A Website providing a user registration facility may suffer attacks from automated programs or “bots” signing up thousands of unused accounts. Such an attack can deplete the Web application server’s resources and make the service unavailable to legitimate users. It can be prevented by using a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), which can be placed on the online registration form as one of the validation fields.

    The CAPTCHA component generates an image of random text and challenges a legitimate (human) user to enter the displayed text as one of the validation criteria before the form is processed by the Web application.

    The following is an example of a CAPTCHA component in an online registration form.


6.2 Database Security

  1. Protecting Default Administrator Account in Database

    A database that ships with a default administrator account should have that account protected. By getting hold of an unprotected administrator account, such as the “SA” account in MS SQL Server, an attacker could gain access to the database and cause damage. The following are some hardening measures to protect the default administrator account:

    1. Use a complex password for the default administrator account, containing uppercase and lowercase letters, numbers and non-alphanumeric characters such as @, #, ^, etc. (Refer to “Enforcing a Strong SA Password for SQL Server 2008” in the Appendices for the setup of a strong SA password)
    2. Disable and rename the default administrator account to reduce the possibility of its exploitation by attackers. Disabling and renaming the “SA” account can be done in MS SQL Server 2008 with the following commands:

    USE master;
    GO
    -- Disable the built-in sa login, then give it a non-default name
    ALTER LOGIN sa DISABLE;
    GO
    ALTER LOGIN sa WITH NAME = [DANIEL];
    GO

  2. Granting User Accounts the Least Privilege

    Users and processes should only be given the access rights necessary to perform their essential work. For example, if a Web application only requires “Insert” and “Update” operations, the account used by the Web application to access the database should only have those rights. This limits the damage an attacker can do to the database if they gain access to it through the Web application.

  3. Reducing Database Vulnerability by Installing Only the Necessary Services

    Removing, not installing or disabling unused database services makes the database less susceptible to malicious attacks. Some database services may contain vulnerabilities which enable an attacker to bypass existing security measures and cause serious damage. Unnecessary database services, components and features should be disabled or removed to reduce the exposure to possible vulnerabilities. MS SQL Server 2008 services can be disabled or removed using the SQL Server Configuration Manager. An administrator can use this tool to start, stop or resume the SQL Server services, or disable the network protocols used by the services. (Refer to “Disabling SQL Server Service” in the Appendices for the procedure on stopping a SQL Server service)

  4. Changing the Default Ports Associated with the SQL Server Installation

    The default port numbers used by many database management systems are well known. For example, MS SQL Server 2008 uses the default port number 1433 for all requests and communications. A default port number gives attackers an easy target for a database attack. Hence, it is good practice to change the default port of a database during or after installation. An administrator can change the default port for MS SQL Server 2008 using the SQL Server Configuration Manager tool. (Refer to “Changing SQL Server Database Default Port Number” in the Appendices for detailed instructions)

  5. Hiding SQL Server Instances from Broadcasting Information

    Some database management systems broadcast information about running instances so that database clients can establish connections with them. This may pose a security vulnerability, as attackers could use the broadcast information to conduct an attack. Broadcasting services should be turned off to prevent attackers from obtaining information for malicious purposes. A database administrator can hide a SQL Server 2008 database instance from broadcasting via the SQL Server Configuration Manager. (Refer to “Hiding SQL Server Database Instance” in the Appendices for detailed instructions)

  6. Installing Patches and Service Packs

    Like all other applications and server products, a database management system should be updated periodically or whenever security patches are available. Security updates fix newly discovered critical security vulnerabilities. SQL Server patches and service packs can be obtained using Windows Update or downloaded from the Microsoft Website.

  7. Enabling Database Auditing

    Enabling database security log capability allows a database management system to monitor and log activities either from the database users or processes that use the database. Security logs are pertinent inputs for database auditing and database related incident handling. MS SQL Server 2008 offers four levels of security logging:

    1. None: logging capability is disabled
    2. Successful Logins Only: Only successful login attempts are logged
    3. Failed Logins Only: Only failed login attempts are logged
    4. Both Failed and Successful Logins: Both failed and successful attempts are logged

6.3 Web Server Security

  1. Reducing Web Server Vulnerability by Installing Only the Necessary Services

    Unnecessary services should be removed or disabled from a Web server as a security measure to reduce the attack surface. Removing or disabling services that are not used on a Web server reduces the vulnerabilities exposed to attackers and hence enhances security. Microsoft Internet Information Server 7.0 (IIS 7.0) currently has over 40 modular components that an administrator can choose to install as needed. As a security consideration, IIS 7.0 uses a minimum-installation-by-default approach. An administrator can configure the server further by adding or removing service components as required by the organization. IIS 7.0 components can be installed or removed via the Server Manager in Windows Server 2008. (Refer to “Removing IIS Components” in the Appendices for detailed instructions)

  2. Setting the Authentication Mechanism

    If the Web application is meant for internal users or business partners only, then it adds security to have users authenticated before permitting them to access the Web resources. Users accessing a Web application hosted in IIS 7.0 can be authenticated via the Windows Authentication mechanism. Windows Authentication can be turned on via IIS Manager by enabling the “Windows Authentication” setting and disabling the “Anonymous Authentication” setting. (Refer to “Setting IIS Authentication Mechanism” in the Appendices for detailed instructions)

  3. Configuring IP Address Restriction

    Web server security can be further enhanced by restricting access to the Web resources to selected IP addresses and domain names only. IP addresses or domain names can be allowed or denied on IIS 7.0 by using the IP and Domain Restrictions setting. (Refer to “Configuring IP Address Restriction in IIS” in the Appendices for detailed instructions)

  4. Enabling Secure Sockets Layer (SSL)

    In order to have a secure communication channel between the Web server and the client’s computer over an untrusted network, Secure Sockets Layer (SSL) must be enabled to protect the transmitted data from network sniffing or host spoofing. SSL requires a certificate to prove the Web server’s identity, and the certificate must be trusted by the client. An SSL certificate can be installed on IIS 7.0 via the Server Certificates setting in IIS Manager. After installing the certificate, secure data transmission becomes available through the HTTPS protocol, which is set up by binding the Web application’s IP address to HTTPS on port 443. Lastly, in order to enforce HTTPS-only traffic between the Web server and the client, SSL Settings must be set to “Require SSL” so that unsecured HTTP traffic is disabled. (Refer to “Enabling SSL in IIS” in the Appendices for detailed instructions)

  5. Disabling directory browsing for Web application

    The directory browsing feature should be disabled on the Web server in order to hide application directory information from unintended users or attackers. Enabling directory browsing exposes the internal structure of a Web application to attackers, who might find vulnerabilities and use the information to conduct an attack. On IIS 7.0, directory browsing can be turned off via the Directory Browsing feature in IIS Manager. (Refer to “Disabling Directory Browsing” in the Appendices for detailed instructions)

  6. Configuring MIME-Type in Web Server

    By configuring the MIME types that a Web server is allowed to serve, attackers are prevented from downloading sensitive system objects such as configuration files, data files or system binary files. Information embedded in these objects might expose system vulnerabilities. A MIME type can be added to or removed from IIS 7.0 via IIS Manager. When a client attempts to download a file whose MIME type is not defined in IIS, an HTTP 404.3 error is returned to the user. (Refer to “Configuring MIME-Type in IIS” in the Appendices for detailed instructions)

  7. Installing Service Packs and Patches When Available

    The Web server should be updated periodically or whenever security patches are available. IIS updates, patches and service packs can be obtained using Windows Update or downloaded from the Microsoft Website.

  8. Enabling Audit Logs

    Audit logs allow a Web server administrator to detect and track possible malicious events or activities. In the event of a successful attack, audit logs help identify the exploit an attacker used to gain access to the system and provide evidence for any future legal proceedings. On IIS 7.0, audit logging can be configured via the Logging setting in IIS Manager. (Refer to “Enabling Logging in IIS” in the Appendices for detailed instructions)

7. PENETRATION TESTING

External to Internal:

MS Exchange 2010 open ports.

NESSUS VULNERABILITY SCANNING


Home (free/ non-commercial subscription) edition of Nessus used


On-demand Internal network scan on AD (domain) and Symantec anti-virus server hosts


On demand scan has been started


Scan report


Scan results for SAV server (NAT IP: 192.168.89.130)

Scan results for AD server (NAT IP: 192.168.89.135)


Detailed CRITICAL vulnerability and resolution


Detailed CRITICAL vulnerability and resolution


Patches (MS hotfixes) KB2509553 & KB2562485 applied to remediate the CRITICAL vulnerabilities


On-demand internal network scan on AD (domain) server host


Scan report


Scan results for AD server (NAT IP: 192.168.89.138)

Pre-Scanning for Web Application – 60 Critical Vulnerabilities found

Post-Scanning for Web Application – 0 Critical Vulnerability found

Conclusion

In the past, the internal network used to be very flat and was separated from the Internet only by a single firewall. The use of electronic services such as e-mail, web, e-commerce, intranet and extranet has increased rapidly, and so has the need for boundaries between departments within the internal network.

Growing security concern over the value of confidential information (for example in financial services, e-commerce and collaboration with external applications), together with the interdependency of the different parts of the infrastructure, has led to further security measures.

Malware, viruses and worms spread without user intervention, and a worm is able to replicate quickly to other systems in the network, posing a serious threat to an unsegmented, flat network.

People inside the organization (employees) and outside it (hackers, script kiddies) pose equal threats. Thus, additional protection of networks from each other, as well as of the systems within these networks, is required.

By applying the methods and policies discussed in this paper, anyone can build a simple network with a good level of security. Security is not a product; it is a process. Therefore we need to continuously monitor, inspect and fix issues, and repeat these steps over and over again to stay secure.

Appendices

Enforcing a Strong SA Password for SQL Server 2008

  1. In the Object Explorer of SQL Server Management Studio, right-click “SA” under Security -> Logins in the database object tree and select Properties

  2. In the Login Properties of SA, tick the Enforce password policy checkbox and specify a complex password that satisfies the policy

  3. Click OK

Disabling SQL Server Service

  1. In SQL server Configuration Manager, select SQL Server Services


  2. In the right panel, right-click a service and select Stop to disable it

Changing SQL Server Database Default Port Number

  1. In SQL server Configuration Manager, select SQL Server Network Configuration -> Protocols for [instance name]


  2. In the right panel, right-click TCP/IP Protocol Name and click the IP Addresses tab


  3. In the TCP Port field, change the port number to another number

Hiding SQL Server Database Instance

  1. In SQL server Configuration Manager, right-click SQL Server Network Configuration -> Protocols for [instance name]
  2. In the Protocol for [instance name] dialog box, select Flag tab and change the Hide Instance field to “Yes”

Enabling SQL Server Logging Mechanism

  1. In SQL Server Management Studio, select the [Database name] -> Properties
  2. From the Server Properties dialog box, select Security and click the appropriate login auditing radio button


  3. The log information can be viewed from the Event Viewer of the Windows operating system

Removing IIS Components

  1. In Server Manager, select Roles -> Web Server(IIS) -> Remove Roles Services to open the Remove Role Service dialog box

  2. In the Remove Role Services dialog box, select the components to be removed and click Next
  3. Click Remove

Setting IIS Windows Authentication Mechanism

  1. In IIS Manager, select a Web application and choose Authentication from the right panel

  2. In the right panel of IIS Manager, change the Anonymous Authentication status to “Disable” and set the Windows Authentication status to “Enable”

  3. After turning on Windows Authentication, users will be prompted to enter their credentials when they access the Web application

Configuring IP Address Restriction in IIS

  1. In IIS Manager, select a Web application and choose IP Address and Domain Restriction from the Right Panel

  2. In the right panel, select the IP addresses that are allowed or denied to access the Web application

Enabling SSL in IIS

  1. In IIS Manager, select a Web Server and choose Server Certificate from the Right Panel

  2. In the right panel, import a certificate for the Web server

  3. In the left panel, select and right-click a Web application and choose Edit Bindings

  4. In the Edit Site Binding dialog box, select the SSL certificate which was just installed in step 2 and click OK
  5. In the left panel of IIS Manager, select a Web application and choose SSL Settings from the right panel
  6. Check the Require SSL checkbox and click Apply

Disabling Directory Browsing

  1. In the left panel of IIS Manager, select a Web application and choose Directory Browsing from the right panel

  2. In the Directory Browsing pane, click “Disable” in the Actions panel

Configuring MIME-Type in IIS

  1. In the left panel of IIS Manager, select a Web application and choose MIME-Type from the right panel


  2. Add, edit or remove a MIME type from the right panel


Enabling Logging in IIS

  1. In the left panel of IIS Manager, select a Web application and choose Logging from the right panel


  2. Click “Enable” in the Actions panel to enable logging in IIS



About Robiul

Robiul has 15 years of continuous successful career experience in ICT with extensive background in System Engineering, IT infrastructure design, operations and service delivery, managing IT projects / MIS functions for local and multi-national companies with in-depth knowledge of multiple operating systems as well as construct / manage small to medium size Data Center. Proven ability to design and implement medium to semi-large scale LAN/WAN/WLAN and system infrastructures. Academic qualification: Master of Science in Information Systems. Professional certifications are: MCSE, CCNA, ITIL and FoundStone Security Professional, VCP, NetAPP, CISSP etc.