The primary components that make up your network infrastructure are routers, firewalls, and switches. They act as the gatekeepers guarding your servers and applications from attacks and intrusions. An attacker may exploit poorly configured network devices. Common vulnerabilities include weak default installation settings, wide open access controls, and devices lacking the latest security patches. Top network level threats include:
Denial of service
Network devices can be discovered and profiled in much the same way as other types of systems. Attackers usually start with port scanning. After they identify open ports, they use banner grabbing and enumeration to detect device types and to determine operating system and application versions. Armed with this information, an attacker can attack known vulnerabilities that may not be updated with security patches.
Countermeasures to prevent information gathering include:
Configure routers to restrict their responses to footprinting requests.
Configure operating systems that host network software (for example, software firewalls) to prevent footprinting by disabling unused protocols and unnecessary ports.
Sniffing or eavesdropping is the act of monitoring traffic on the network for data such as plaintext passwords or configuration information. With a simple packet sniffer, an attacker can easily read all plaintext traffic. Also, attackers can crack packets encrypted by lightweight hashing algorithms and can decipher the payload that you considered to be safe. The sniffing of packets requires a packet sniffer in the path of the server/client communication.
Countermeasures to help prevent sniffing include:
Use strong physical security and proper segmenting of the network. This is the first step in preventing traffic from being collected locally.
Encrypt communication fully, including authentication credentials. This prevents sniffed packets from being usable to an attacker. SSL and IPSec (Internet Protocol Security) are examples of encryption solutions.
Spoofing is a means to hide one's true identity on the network. To create a spoofed identity, an attacker uses a fake source address that does not represent the actual address of the packet. Spoofing may be used to hide the original source of an attack or to work around network access control lists (ACLs) that are in place to limit host access based on source address rules.
Although carefully crafted spoofed packets may never be tracked to the original sender, a combination of filtering rules prevents spoofed packets from originating from your network, allowing you to block obviously spoofed packets.
Countermeasures to prevent spoofing include:
Filter incoming packets that appear to come from an internal IP address at your perimeter.
Filter outgoing packets that appear to originate from an invalid local IP address.
Also known as man in the middle attacks, session hijacking deceives a server or a client into accepting the upstream host as the actual legitimate host. Instead the upstream host is an attacker's host that is manipulating the network so the attacker's host appears to be the desired destination.
Countermeasures to help prevent session hijacking include:
Use encrypted session negotiation.
Use encrypted communication channels.
Stay informed of platform patches to fix TCP/IP vulnerabilities, such as predictable packet sequences.
Denial of Service
Denial of service denies legitimate users access to a server or services. The SYN flood attack is a common example of a network level denial of service attack. It is easy to launch and difficult to track. The aim of the attack is to send more requests to a server than it can handle. The attack exploits a potential vulnerability in the TCP/IP connection establishment mechanism and floods the server's pending connection queue.
Countermeasures to prevent denial of service include:
Apply the latest service packs.
Harden the TCP/IP stack by applying the appropriate registry settings to increase the size of the TCP connection queue, decrease the connection establishment period, and employ dynamic backlog mechanisms to ensure that the connection queue is never exhausted.
Use a network Intrusion Detection System (IDS) because these can automatically detect and respond to SYN attacks.
Host Threats and Countermeasures
Host threats are directed at the system software upon which your applications are built. This includes Windows 2000, Microsoft Windows Server 2003, Internet Information Services (IIS), the .NET Framework, and SQL Server depending upon the specific server role. Top host level threats include:
Viruses, Trojan horses, and worms
Denial of service
Arbitrary code execution
Viruses, Trojan Horses, and Worms
A virus is a program that is designed to perform malicious acts and cause disruption to your operating system or applications. A Trojan horse resembles a virus except that the malicious code is contained inside what appears to be a harmless data file or executable program. A worm is similar to a Trojan horse except that it self-replicates from one server to another. Worms are difficult to detect because they do not regularly create files that can be seen. They are often noticed only when they begin to consume system resources because the system slows down or the execution of other programs halt. The Code Red Worm is one of the most notorious to afflict IIS; it relied upon a buffer overflow vulnerability in a particular ISAPI filter.
Although these three threats are actually attacks, together they pose a significant threat to Web applications, the hosts these applications live on, and the network used to deliver these applications. The success of these attacks on any system is possible through many vulnerabilities such as weak defaults, software bugs, user error, and inherent vulnerabilities in Internet protocols.
Countermeasures that you can use against viruses, Trojan horses, and worms include:
Stay current with the latest operating system service packs and software patches.
Block all unnecessary ports at the firewall and host.
Disable unused functionality including protocols and services.
Harden weak, default configuration settings.
Examples of footprinting are port scans, ping sweeps, and NetBIOS enumeration that can be used by attackers to glean valuable system-level information to help prepare for more significant attacks. The type of information potentially revealed by footprinting includes account details, operating system and other software versions, server names, and database schema details.
Countermeasures to help prevent footprinting include:
Disable unnecessary protocols.
Lock down ports with the appropriate firewall configuration.
Use TCP/IP and IPSec filters for defense in depth.
Configure IIS to prevent information disclosure through banner grabbing.
Use an IDS that can be configured to pick up footprinting patterns and reject suspicious traffic.
If the attacker cannot establish an anonymous connection with the server, he or she will try to establish an authenticated connection. For this, the attacker must know a valid username and password combination. If you use default account names, you are giving the attacker a head start. Then the attacker only has to crack the account's password. The use of blank or weak passwords makes the attacker's job even easier.
Countermeasures to help prevent password cracking include:
Use strong passwords for all account types.
Apply lockout policies to end-user accounts to limit the number of retry attempts that can be used to guess the password.
Do not use default account names, and rename standard accounts such as the administrator's account and the anonymous Internet user account used by many Web applications.
Audit failed logins for patterns of password hacking attempts.
Denial of Service
Denial of service can be attained by many methods aimed at several targets within your infrastructure. At the host, an attacker can disrupt service by brute force against your application, or an attacker may know of a vulnerability that exists in the service your application is hosted in or in the operating system that runs your server.
Countermeasures to help prevent denial of service include:
Configure your applications, services, and operating system with denial of service in mind.
Stay current with patches and security updates.
Harden the TCP/IP stack against denial of service.
Make sure your account lockout policies cannot be exploited to lock out well known service accounts.
Make sure your application is capable of handling high volumes of traffic and that thresholds are in place to handle abnormally high loads.
Review your application's failover functionality.
Use an IDS that can detect potential denial of service attacks.
Arbitrary Code Execution
If an attacker can execute malicious code on your server, the attacker can either compromise server resources or mount further attacks against downstream systems. The risks posed by arbitrary code execution increase if the server process under which the attacker's code runs is over-privileged. Common vulnerabilities include weak IIS configuration and unpatched servers that allow path traversal and buffer overflow attacks, both of which can lead to arbitrary code execution.
Countermeasures to help prevent arbitrary code execution include:
Configure IIS to reject URLs with "../" to prevent path traversal.
Lock down system commands and utilities with restricted ACLs.
Stay current with patches and updates to ensure that newly discovered buffer overflows are speedily patched.
Inadequate access controls could allow an unauthorized user to access restricted information or perform restricted operations. Common vulnerabilities include weak IIS Web access controls, including Web permissions and weak NTFS permissions.
Countermeasures to help prevent unauthorized access include:
Configure secure Web permissions.
Lock down files and folders with restricted NTFS permissions.
Use .NET Framework access control mechanisms within your ASP.NET applications, including URL authorization and principal permission demands.