Secure Your Perimeter and Play Nice on the 'Net
Executive Overview: Your network engineers will always have plenty of suggestions for how to secure the border. Here's a summary that will help you balance productivity with security.
In these times of viruses and hackers, the Internet can be quite an unforgiving place. There are countless people in the wild trying to gain access to your precious resources, and in most cases it's much too easy for them to get in. A few simple policies can help alleviate this threat without imposing too many burdens on current users trying to get work done.
Best Current Practices
Best practices are hard to define, since some sites may be willing to let down their guard more than others who may have a need to be very strict about security. Internet drafts given "Best Current Practices" status, or BCPs, outline some general ideals that everyone should follow. One of the most well-known, BCP 38, focuses on ingress and egress filtering. Both of these types of filters should be applied to the border router, or routers; i.e. anywhere your site connects to the Internet.
It seems fundamental, but if someone forgets to implement ingress/egress filtering at the border, it opens a humongous security hole. Ingress refers to the act of filtering input packets that claim to be from the inside. So, if your site has an IP address range in 126.96.36.199, anyone from the outside claiming to come from your IP range is obviously lying. Egress filtering is the opposite: You need to make sure that all packets leaving your site are addressed properly, with a source (or return address) within your actual IP address range. Implementing these filters is a trivial task on all routers, and will not impact usability for valid traffic.
Another important thing to block, which will not impact day-to-day usage, is directed broadcast.
Directed broadcast is a feature of IP that allows the sending of a packet across the network, and subsequently broadcasting it on a specific subnet. There are very few practical uses for this feature, but several security attacks employ it. Disabling directed broadcast can help to prevent those attacks, which are usually denial of service oriented.
Those are the major features of routers that businesses need to leverage in their favor. More detail about these and other security practices can be found on the IETF's website. BCPs 38, 46, and 84 are excellent starting places.
Services and Other Things to Block at the Border To keep every Windows computer on your site from being taken over by a 12-year-old in Russia, the general consensus among network engineers seems to be "block all Windows services at the border." This is sound advice, but often leads to loss of productivity.
Microsoft file and print sharing services are the leading cause of viruses/worms being able to spread. Blocking these services means that a home user cannot connect to their work computer and browse files using the Windows file sharing protocol, and most companies don't allow this anyway. In cases where it is allowed, the company needs to set up a VPN server, and allow users to connect through the VPN.
VPNs may make security personnel cringe, since their very purpose is to skip over filtering, but they are nonetheless useful. If a home user's computer infects company computers with a virus, it will be contained, for the most part.
For maximum protection from the internet, and also to stop your computers from becoming a security risk to other computers on the Internet, it is best to simply block the following:
- TCP and UDP Ports: 135, 137-139, and 445 (file and printer sharing)
- MS-SQL TCP: 1433
- MS-SQL UDP: 1434 (the slammer worm propagates and takes down entire networks using the Microsoft SQL port)
For Unix hosts, it is important to block certain protocols as well. Similar to Windows, Unix has some very insecure services that shouldn't be allowed on the Internet:
- TCP and UDP Port: 2049 (Network File System)
- TCP and PDU Port: 111 (Sun RPC)
This is basically the bare minimum, but simply blocking access to these ports will make your site tremendously more secure, and less succeptible to viruses, worms, and hackers. A recent study showed that a fresh install of Windows XP only lasts 11 minutes on the Internet before becoming infected.
In the interest of functionality, we cannot forget to mention ICMP. This is the Internet Control Message Protocol, part of which includes the widely used "ping packet." I cannot stress the following enough: ICMP is not ping. ICMP is used for control, and TCP uses it extensively.
Blocking all ICMP packets will result in breaking TCP. The most common complaint when someone blocks ICMP is that some websites no longer load for all users. Intermittent problems like this are normally a side effect of ICMP blocking that is breaking PMTUd, or Path MTU Discovery mechanism. In short, do not allow administrators to block all ICMP. Blocking ping (ICMP type 8), router advertisements (type 9) and mask requests (type 17) should appease even the most security conscious administrators.
Protecting the World from Yourself
A very large part of keeping your business's Internet presence functioning properly has to do with being a good Internet citizen. The previously mentioned Windows computers under the control of 12-year-olds in Russia can create a substantial headache for your company.
Increasingly often, companies are starting to use real-time blacklists for identifying spam sources. If a hacked computer starts relaying email for all the spammers on the Internet, then your company will end up on these lists rather quickly. Being on a widely used blacklist results in major losses of productivity, since real business emails may be blocked by remote sites.
The best way to combat this is by the use of only a select set of mail servers, and then blocking port 25 outbound. This guarantees that nobody on your network can send email, unless they relay it through one of your designated mail servers. If all companies would start doing this, spam would decrease dramatically. Of course, there's still the issue of home users' computers, but that's for the ISPs of the world to concern themselves with.
This has been a very light overview of a few basic security policies that should be in place everywhere. Certainly, this is not a comprehensive security checklist, but rather a minimum requirements guide. Local policy within your site may require the use of some insecure services that open you up to a host of problems with viruses and hackers. When the problems caused by these security holes become too great to manage, this article would be a decent starting point for reevaluating your security policies.