Republished with permission from WatchGuard Technologies, Inc.


Containment Security: How to Keep an Attacker In

By Dave Piscitello, President, Core Competence

In The Da Vinci Code, Dan Brown shows how the Louvre, like many art museums, employs containment security. This security strategy emphasizes measures that prevent an intruder who has broken in from escaping with precious artwork. Containment security can work as a network security strategy, too. It helps prevent intruders from removing information assets from your organization's network, and it can also help prevent attackers from using the organization's network as a launch point for subsequent attacks.

Containment security is common in the physical realm. For example, businesses that deal with cash and valuable goods in high-crime neighborhoods use "man traps." The man trap has two doors, and only one can be opened at any time. This arrangement "contains" intruders in two ways. A party can enter the exterior door of the store but cannot pass through the interior door without permission. This gives the store owner an opportunity to inspect a party who enters the exterior door, and to refuse entry if he chooses. It also contains a clever thief who managed to gain entry, by preventing him from making a hasty exit once he has "smashed and grabbed" jewelry or cash. Certain man traps are as effective as jail cells: the arrangement described in The Da Vinci Code seals all doors and keeps the intruder locked in the museum until law enforcement agents arrive.

Containment Security in your network

The principles of containment security extend naturally into network security. We want to keep intruders out of our networks, but if they do manage to get in, we want to prevent them from stealing or doing harm to assets accessible via our networks. For example, we want to prevent unauthorized access to (and misuse of) sensitive information. We want to prevent misuse of bandwidth. We also want to prevent intruders from doing harm from our network. If we "good guys" are ever to get ahead of the broader attack curve, we must do more to prevent intruders from using our networks as a vector for Denial of Service attacks and as distributed hosts of spam and emails containing viruses.

Fortunately, many policies and measures you can implement will prevent intruders from doing harm to and from your network. Containment measures can be applied at many levels, and at locations throughout your network. Many can be implemented in Firebox X firewalls. Firebox X proxies are the data equivalent of a man trap: the packet doesn't move on until the proxy is done inspecting it.

What would containment security look like on your network? Here are some examples of egress traffic handling policies you might implement:

  • Allow outbound connections for client hosts only to those services your policies approve. If you begin with a "deny all" services policy, and allow access only to those services specifically permitted by security policy and acceptable use policy, you will have blocked many ports that trojan horse programs utilize. You'll also block many applications your users might adopt before your organization has done an impact analysis and security assessment on them.
  • Block outbound traffic from hosts connected to internal network segments that should not be establishing client connections to (external) Internet servers. An example might be an intranet server that relies entirely on internally provided services (DNS, mail, time, etc.) and uses no applications that require Internet access.
  • On smaller networks, you can configure your DHCP server so that it only assigns IP addresses to MAC addresses that are on your approved list. This can add an extra barrier for attackers trying to connect an unauthorized device to your network. Clever attackers can spoof a MAC address, but since they won't know you've implemented this policy, it might frustrate them enough to make them consider moving to an easier target. If you use Windows Server 2000 Advanced or Windows Server 2003, configuring DHCP this way is not difficult; but it does require you to list the MAC addresses of approved devices on your network.
  • Concerned about information leakage? Tighten the screws on outgoing FTP and email. If you must allow FTP to external servers, and you use a Firebox X Core or Peak, consider using the FTP proxy to prevent intentional or inadvertent disclosure of sensitive files. Where possible, whitelist approved FTP sites. Block commands (e.g., PUT) that would allow a user or attacker to upload a file to a remote server. Block users from uploading specific file types (e.g., databases or spreadsheets) that often contain confidential data. Use an SMTP proxy to block attachments on outgoing messages by MIME content type or even (simply) by filename. Recognize, however, that file type and name based filters may not be sufficient to thwart a sophisticated attacker or parties in your organization who are familiar with your filtering policies. Do not rely exclusively on these measures, but treat them as additive.
  • Scanning outgoing email and attachments for viruses and operating secure mail relays can keep your organization's domain off black lists and improve your domain's rating in reputation-based antispam systems.
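The following is an added example, not WatchGuard's code and not a Firebox configuration: a small Python model of three of the policies listed above, so you can see the decision logic each one encodes. It implements a default-deny outbound policy keyed on the source host's segment (with an intranet-server segment that is allowed nothing), an FTP command filter that permits only allowlisted servers and refuses the upload commands a client's PUT actually sends on the wire (STOR, STOU, APPE), and an SMTP attachment filter by MIME type and filename extension. The host segments, allowlists, blocked types and sample flows are all constructed for the example.

```python
"""Egress-containment policy model (added example; constructed data, not captured traffic)."""
from ipaddress import ip_address, ip_network

# --- 1. Default-deny outbound, per host segment ------------------------------
# Constructed policy: workstations may browse and resolve names; the intranet
# server segment uses only internal services, so its allow-set is empty.
# Anything not listed here is denied, which is the "deny all, then permit" rule.
HOST_GROUPS = {
    "workstations": ip_network("10.0.1.0/24"),
    "intranet-servers": ip_network("10.0.2.0/24"),
}
EGRESS_POLICY = {
    "workstations": {("tcp", 80), ("tcp", 443), ("udp", 53)},
    "intranet-servers": set(),
}


def egress_allowed(src_ip: str, proto: str, dst_port: int) -> bool:
    """Return True only when an explicit allow entry matches the source's segment."""
    src = ip_address(src_ip)
    for group, net in HOST_GROUPS.items():
        if src in net:
            return (proto, dst_port) in EGRESS_POLICY[group]
    return False  # unknown source segment: default deny


# --- 2. FTP proxy: allowlisted servers only, no upload commands --------------
FTP_ALLOWED_SERVERS = {"ftp.partner.example"}  # constructed allowlist
# A client-side "put" is carried as STOR (or STOU/APPE) in the FTP control channel.
FTP_UPLOAD_COMMANDS = {"STOR", "STOU", "APPE"}


def ftp_command_allowed(server: str, command_line: str) -> bool:
    """Refuse non-allowlisted servers outright; on allowlisted ones, refuse uploads."""
    if server not in FTP_ALLOWED_SERVERS:
        return False
    verb = command_line.strip().split(" ", 1)[0].upper()
    return verb not in FTP_UPLOAD_COMMANDS


# --- 3. SMTP proxy: block attachments by MIME type or filename ---------------
BLOCKED_MIME_TYPES = {
    "application/vnd.ms-excel",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
    "application/x-msaccess",
}
BLOCKED_EXTENSIONS = {".xls", ".xlsx", ".mdb", ".accdb"}


def attachment_allowed(filename: str, mime_type: str) -> bool:
    """Either a blocked MIME type or a blocked extension is enough to drop the attachment.

    Note the limitation the article points out: a spreadsheet renamed to
    report.txt and labelled text/plain passes this check, so treat the filter
    as one additive layer rather than the whole control.
    """
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return mime_type.lower() not in BLOCKED_MIME_TYPES and ext not in BLOCKED_EXTENSIONS


# Constructed sample connection attempts: (source IP, protocol, destination port).
SAMPLE_FLOWS = [
    ("10.0.1.5", "tcp", 443),    # workstation -> HTTPS: allowed
    ("10.0.1.5", "tcp", 6667),   # workstation -> IRC port: never permitted, denied
    ("10.0.2.10", "tcp", 80),    # intranet server -> web: segment has no allows, denied
    ("192.168.9.9", "udp", 53),  # source outside any known segment: denied
]


def evaluate_sample_flows():
    """Return each sample flow with the egress decision attached."""
    return [(src, proto, port, egress_allowed(src, proto, port))
            for src, proto, port in SAMPLE_FLOWS]


if __name__ == "__main__":
    for src, proto, port, ok in evaluate_sample_flows():
        print(f"{src:>12} {proto}/{port:<5} {'ALLOW' if ok else 'DENY'}")
    print("FTP RETR to allowlisted server:", ftp_command_allowed("ftp.partner.example", "RETR report.pdf"))
    print("FTP STOR to allowlisted server:", ftp_command_allowed("ftp.partner.example", "STOR customers.xls"))
    print("Attachment q3.xlsx:", attachment_allowed("q3.xlsx", "application/vnd.ms-excel"))
```

The egress evaluator only ever answers "allow" from an explicit entry, so a new application a user adopts is blocked until its ports are added deliberately, which is the impact-analysis gate the first list item describes. The FTP filter checks the server before looking at the command, so an upload attempt to an unapproved host is refused for the stronger reason, and the attachment filter deliberately fails open for an unrecognised name and type, which is why the article tells you not to rely on it alone.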

Handcrafted containers

There is no set list of best practices for containment security. Your organization will have to decide what kinds of outbound traffic pose significant threats, and what types of information merit additional measures to prevent disclosure via outbound channels. Be creative. In some cases, containment measures may prevent your organization from embarrassment or a tarnished reputation.

Also, take the Da Vinci Code analogy with a grain of salt. Dr. Robert Langdon got one thing wrong. While taking in the Louvre crime scene and the containment measures that helped the curator leave his secret message, Langdon mused, "Forget about keeping them out. Keep them in." When securing your network, containment security is an additive measure. You can't afford to "forget about keeping them out;" you must do your best to repel attackers. But adding containment security helps you hedge your bet.

Author's Note: My tenure as a LiveSecurity columnist is coming to an end. For nearly six years, WatchGuard Technologies has provided me with enormous editorial latitude so that I could explore a multitude of security issues and take you, my audience, beyond firewalls. I've had the distinct pleasure of working with a very fine technical staff, an outstanding editor, and an appreciative audience. I cannot thank you enough for your positive feedback on so many of my columns, and wish you all great success in your future security endeavors. Please do keep in touch. I'm always reachable at

Copyright © 2006, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.