PRINCIPLES OF DEFENSE -
GENERAL GUIDELINES
Defending your IT infrastructure is a tricky and time consuming
business, and there
are many different details to bear in mind, depending as well on type
and size of
your IT infrastructure. But, no matter what size or technology or type
of business you are involved in protecting, there are some general
rules to keep in mind when
working out the details. I cannot claim to have originated, or to being
the author of these guidelines,
some are commonly known principles, some are common sense, but
regardless, I have found them
to be true enough time and again.
- The "Outrun-the-Bear"
Defense
We all know the joke (and if you have'nt, you will now) about the two
friends
walking in the woods and they stumble across a large, grumpy and hungry
bear. When
the one man gets ready to run, his friend tells him that it is useless
as a bear can easily outrun a man. To which his mate responds "I don't
have to outrun the
bear, just you." This is the most basic rule of your IT defense, deal
with the
fact that there is no perfect, un-hackable defense, but you can secure
your infrastructure so that attackers will rather try someplace easier,
or realise that
the effort and risks involved are not worth the probable rewards.
- Enforce the concept of
"Least Privilege"
Almost all attacks happen through the breaking of some trust
relationship. Whether
its a server-to-server trust, or a trusted employee, or a trusted
client, or any other situation, it is the breaking of these trusts
which enable attacks.
This can be limited if in setting up your IT infrastructure, you make
sure to
give any resource only what is needed to fufill it's function. Nothing
more, nothing less. This could be applied to the rights of users on a
network, all the
way to only running the required services on a server. By only giving
what is needed, you limit the damage which could be caused by an
attacker exploiting a trust relationship.
- Make your first answer "No"
Everything that is and will happen on your IT infrastructure can be
classified in three ways 1) Something Good, 2) Something Bad, and 3)
Not Sure. Simple right?
You see, dealing with the first two is easy, it is the third type which
causes most of the problems. If your stance is only to stop things once
they are proven
bad, then you fall prey to those things which have not yet -for
whatever reason- been proven bad yet, but actually are. But if you only
allow those things that have been proven good, then such "grey areas"
will hold no threat, as anything new has to
prove itself good before it is allowed. This way of thinking is nothing
new to
those who administer firewalls, or even to those who approve new
medicines.
- There are such things as
"Weak Links"
This is similar to the trust relationship principle. But this deals
with the fact
that -no matter what- there will be weak links somewhere in your
infrastructure. They
could be an employee with a legimately large amount of authority, or a
server that
has to run an unsecure service (against your recommendations of
course). These will
happen, these will be targets for attackers, and these are your weak
links. What you must do to recognise this and therefore increase your
monitoring of these weak links and endevour to make them as secure as
possible under the circumstances.
- Have a "Not-a-Smartie"
Network
In case you don't know, Smarties are small discus-shaped sweets. They
have a thin
outside coating of candy, underneath this is chocolate. When it comes
to snacks
I like smarties, but as a blueprint for an IT infrastructure the idea
.. sucks.
If your infrastructure is all "crunchy" on the outside (firewalls,
proxies, etc) but yet inside your network you are using exploitable
versions of software, insecure
protocols, bad passwords, etc. You then have a "Smartie" network,
crunchy on the outside,
but soft on the inside. You need to have "Defense-in-Depth". This
entails multiple layers
of defense/protection. If you have multiple layers of defense
protecting your infrastructure than any attacker has to work that much
harder, and it lessens the chances of a single
attack causing a wide level of access. Such layers could include VPN's,
secure protocols, proper passwords, proxies, multiple firewalls, etc.
- Realise that Variety is good
Similar to "Defense-in-Depth", is the principle of
"Defense-in-Breadth". What this means
is that if your infrastructure is protected by only one type or make of
defense, then it
really does'nt matter how many times you've layered them, one exploit
will still fit all.
It makes better sense to have similar defenses but from different
sources, this way if
a defense from source A has a certain exploit, you'll still be okay
because the same defense
from source B does'nt. Think of it a an automated second opinion. An
easy example could be
to have a dual layer of firewalls, each from a different vendor, each
supporting the others
weak areas.
- Make sure that all Access
is through Chokepoints
Try as much as possible to limit all access to your infrastructure or
highly sensitive assests
is restricited to coming through one -or as close to one as possible-
points. For example your
internet access should all go through one firewall, your email should
all come through one gateway server, etc. restricting access or data
flows to such chokepoints offers serveral benefits.
The most important of which is that you can better monitor and secure
them. It also makes it
more economical in concentrating your resources, as you know which are
your most important channels.
- Enable the "Fog-of-War"
Security through obscurity is a concept which has received a fair
amount of negative publicity. Much
of this is well-deserved. As a first and last line of defense, using
security through obscurity is
a recipie for disaster. But as a single principle in an already well
setup infrastructure it makes a
lot of sense. The simple principle is that you should make the attacker
work for every last thing they
want. Why make their jobs any easier by having public DNS information?
or easily accessible corporate phone lists? Heck, you spent long enough
setting your infrastructure up securely, let them suffer.
- Keep It Simple ....
However much we may not like it, we are human. And to err is human.
When setting up your infrastructure
try to keep things simple, not unsecure, just simple. By limiting as
far as possible the complicated setups
on your infrastructure you make maintainence easier, as well as the
monitoring of your infrastructure. Most
importantly you lessen the chances that you would have made a mistake.
There will be times when you have to
have something complicated in your infrastructure, but always remember
that true genius is being able to make
complicated things simple.
- Watch your Infrastructure
Finally, as a general principle and also to be used in conjunction with
all the above, make sure that you
know what is happening on your infrastructure. Monitor it, read the
logs, establish baselines, find out what is happening and why, be
pro-active in checking new events and fixing any possible avenues for
exploit. Make sure that you don't only do something because the famous
human by-product has hit the fan. Do not shirk your responsiblities.
Always remember that these are guidelines, and it is entirely feasible
that you may need to setup an IT infrastructure in an environment where
some of these are just not possible. But keeping these in mind in
whatever you do should help