Identifying Unauthorized Devices: Asset Management

The document discusses identifying unauthorized devices on a network through asset management and inventory tools. It recommends building a preliminary asset inventory using automated discovery tools that scan network ranges and analyze DHCP and network traffic. Unmanaged and rogue devices that are not included in the asset inventory pose greater security risks. The inventory should include all IP-connected devices and attributes like ownership and location.
Identifying Unauthorized Devices

• Asset management
– Most organizations today use some form of asset management.
– The challenge with rogue devices is that they are not part of the management framework.
– The greater the number of unmanaged systems, the greater the risk to the network.
Identify Assets
• On-access or real-time detection
• On-demand or scheduled detection
Asset Inventory Tool
• Automated asset inventory discovery tools build a preliminary asset inventory of
the systems connected to an organization’s public and private network(s).
• Active tools scan through network address ranges.
• Passive tools, which identify hosts by analyzing their traffic, should also be employed.
• DHCP server logging: use the DHCP lease information to improve the asset inventory
and help detect unknown systems.
Asset Inventory Tool (cont.)
• All equipment acquisitions should automatically update the inventory
system
• Maintain an asset inventory of all systems connected to the network and
the network devices themselves
• The inventory should include every system that has an Internet Protocol
(IP) address on the network
• The asset inventory created must also include data on whether the device is
a portable and/or personal device
• Make sure that the asset inventory database is properly protected and that a copy is
stored in a secure location.
• In addition to an inventory of hardware, organizations should develop an
inventory of information assets that identifies their critical information.
• A department and individual responsible for each information asset should be
identified, recorded, and tracked.
• Further to the asset inventory tool, the organisation needs to:
– Deploy network-level authentication via 802.1X to limit and control which devices can be connected
to the network.
– Deploy network access control (NAC) to monitor authorized systems so if attacks occur, the impact
can be remediated by moving the untrusted system to a virtual local area network that has minimal
access.
– Create separate VLANs for BYOD (bring your own device) systems or other untrusted devices.
– Utilize client certificates to validate and authenticate systems prior to connecting to the private
network.
• Mapping of asset attributes and owner-to-MAC address can be stored in a free or
commercial database management system.
• Use tools to pull information from network assets such as switches and routers
regarding the machines connected to the network.
• Effective organizations configure free or commercial network scanning tools to
perform network sweeps on a regular basis.
• Other asset identification tools passively listen on network interfaces, looking for
devices to announce their presence by sending traffic.
• The asset inventory database and alerting system must be able to identify the
location, department, and other details of where authorized and unauthorized
devices are plugged into the network.
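As an added illustration (not part of the original slides), the following Python script shows the DHCP-logging approach described above: it parses constructed ISC-dhcpd-style DHCPACK lines, reconciles each leased MAC address against a hypothetical owner/location inventory, and raises an alert for every device that is not on record. The log lines, MAC addresses and inventory entries are all constructed sample data.

```python
import re

# Constructed asset inventory keyed by MAC address (hypothetical sample data).
INVENTORY = {
    "00:11:22:33:44:55": {"owner": "Finance", "location": "Bldg A / Floor 2", "portable": False},
    "66:77:88:99:aa:bb": {"owner": "IT Ops", "location": "Bldg A / Floor 1", "portable": True},
}

# Constructed DHCP server log lines in ISC dhcpd syslog style (sample data, not a real capture).
DHCP_LOG = """\
Mar 10 09:01:12 dhcp1 dhcpd: DHCPACK on 10.0.2.15 to 00:11:22:33:44:55 via eth0
Mar 10 09:02:40 dhcp1 dhcpd: DHCPACK on 10.0.2.16 to 66:77:88:99:aa:bb via eth0
Mar 10 09:03:05 dhcp1 dhcpd: DHCPDISCOVER from de:ad:be:ef:00:01 via eth0
Mar 10 09:03:06 dhcp1 dhcpd: DHCPACK on 10.0.2.77 to de:ad:be:ef:00:01 (badge-printer) via eth0
"""

# Matches: DHCPACK on <ip> to <mac> [(hostname)] via <interface>
ACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \(([^)]*)\))? via (\S+)")

def parse_dhcp_acks(log_text):
    """Yield (ip, mac, hostname, interface) for every DHCPACK line; other lines are ignored."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower(), m.group(3) or "", m.group(4)

def reconcile(log_text, inventory):
    """Return (known, unknown): leased devices found in the inventory, and those that are not."""
    known, unknown = [], []
    for ip, mac, host, iface in parse_dhcp_acks(log_text):
        if mac in inventory:
            asset = inventory[mac]
            known.append({"ip": ip, "mac": mac, "owner": asset["owner"], "location": asset["location"]})
        else:
            unknown.append({"ip": ip, "mac": mac, "hostname": host, "seen_via": iface})
    return known, unknown

def alerts(log_text, inventory):
    """Build the alert text the inventory/alerting system would e-mail for each unmanaged device."""
    _, unknown = reconcile(log_text, inventory)
    return [f"UNAUTHORIZED DEVICE {u['mac']} obtained lease {u['ip']} via {u['seen_via']}"
            f" (hostname '{u['hostname'] or '?'}', no owner/location on record)" for u in unknown]

if __name__ == "__main__":
    for line in alerts(DHCP_LOG, INVENTORY):
        print(line)
```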
• To evaluate the implementation of Control 1 on a periodic basis, the evaluation
team
– will connect hardened test systems to at least 10 locations on the network, including a
selection of subnets associated with demilitarized zones (DMZs), workstations, and
servers. Two of the systems must be included in the asset inventory database, while the
other systems are not.
– must verify that the systems generate an alert or e-mail notice regarding the newly
connected systems within 24 hours of the test machines being connected to the network.
– must verify that the system provides details of the location of all the test machines
connected to the network.
– must verify that the system provides information about the asset owner.
– must verify that the test systems are automatically isolated from the production network
within one hour of initial notification and that an e-mail or alert is generated indicating
that the isolation has occurred.
– must verify that the connected test systems are isolated from production systems.
1.2. Testing the Traffic Filtering Devices
• Traffic filtering: to reduce security threats, organisations use various devices,
technologies and techniques.
• To improve the efficiency of filtering and increase the level of security in its
network, an institution or organisation should apply the following
recommendations:
– Define traffic-filtering rules
– Select a traffic-filtering technology
– Implement defined rules
– Maintain all the components of the solution
Packet-filtering functionality
(stateless firewall)
• A packet filter enables access control to resources by deciding whether a packet
should be allowed to pass, based on the information contained in the IP packet
header.
• It does not analyse the content of the packet (unlike a content filter), nor does it
attempt to determine the sessions to which individual packets belong based on the
information contained in the TCP or UDP header, and therefore it makes no further
decisions in that regard.
• For this reason, the process is also known as stateless packet inspection.
• Stateless firewall devices analyse each packet individually and filter them based on
the information contained in Layers 3 and 4 of the OSI reference model.
Packet Filters
Filtering Decision is made based on the following information:
• source IP address
• destination IP address
• protocol
• source port number
• destination port number
The advantages of applying packet filters:
• simple implementation
• supported by most routers, so there is no need to invest in new equipment and software
• rarely cause bottlenecks in the area of their application, even at high speeds in Gigabit
networks.
The disadvantages of applying packet filters:
• vulnerability to IP spoofing attacks
• vulnerability to attacks that exploit problems within the TCP/IP specification and the protocol
stack
• problems with filtering packets that are fragmented (causing interoperability and
nonfunctioning of VPN connections)
• no support for the dynamic filtering of some services, i.e., services that dynamically
negotiate the ports used in the communication (e.g., passive FTP).
Stateful packet inspection

• Improves the packet filtering process by monitoring the state of each
connection established through a firewall device.
• It relies on the fact that the TCP protocol allows two-way communication and that
TCP traffic is characterized by three phases: establishing the connection,
data transfer, and terminating the connection.
• The state table contains all currently active connections, with the following
information for each:
– source IP address;
– destination IP address;
– source port number;
– destination port number;
– TCP sequence numbers;
– TCP flag values.
Advantages of applying stateful firewall devices:
– a higher level of protection compared to stateless firewall devices (greater efficiency and
more detailed traffic analysis)
– detection of IP spoofing and DoS attacks
– more log information compared to packet filters
Disadvantages of applying stateful firewall devices:
– no protection against application layer attacks
– performance degradation of the router on which they are deployed (this depends on the size
of the network and other services run on the router)
– not all of them provide support for the UDP, GRE and IPsec protocols, treating them in the
same way as stateless firewall devices do
– no support for user authentication
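The following added Python example (not from the original slides) contrasts the two approaches: a stateless filter that judges each packet on its 5-tuple alone, and a stateful filter that keeps the state table described above and only admits inbound packets that belong to a connection initiated from inside. The addresses and rules are constructed; the protected LAN is assumed to be 10.0.0.0/8.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    sport: int
    dport: int
    flags: str = ""   # TCP flags as letters, e.g. "S" (SYN), "SA" (SYN/ACK), "A", "F", "R"

def is_inside(ip):
    return ip.startswith("10.")   # constructed assumption: 10.0.0.0/8 is the protected LAN

WEB_PORTS = (80, 443)

def stateless_allow(p):
    """Stateless filter: judges each packet on its own Layer 3/4 header fields."""
    if is_inside(p.src_ip) and p.proto == "tcp" and p.dport in WEB_PORTS:
        return True   # outbound web requests
    if is_inside(p.dst_ip) and p.proto == "tcp" and p.sport in WEB_PORTS:
        return True   # meant for web replies, but any inbound packet from port 80/443 matches
    return False

class StatefulFilter:
    """Stateful inspection: keeps a state table of active connections keyed by the 5-tuple."""
    def __init__(self):
        self.table = set()

    def allow(self, p):
        fwd = (p.src_ip, p.sport, p.dst_ip, p.dport, p.proto)
        rev = (p.dst_ip, p.dport, p.src_ip, p.sport, p.proto)
        if fwd in self.table or rev in self.table:
            if "F" in p.flags or "R" in p.flags:   # connection teardown: drop the entry
                self.table.discard(fwd)
                self.table.discard(rev)
            return True   # packet belongs to a known connection
        # Only an inside-initiated SYN to a web port may create a new table entry.
        if is_inside(p.src_ip) and p.proto == "tcp" and p.flags == "S" and p.dport in WEB_PORTS:
            self.table.add(fwd)
            return True
        return False

def demo():
    """Verdicts (stateless list, stateful list) for: outbound SYN, its reply, unsolicited inbound."""
    sf = StatefulFilter()
    syn = Packet("10.0.0.7", "203.0.113.5", "tcp", 51000, 80, "S")
    reply = Packet("203.0.113.5", "10.0.0.7", "tcp", 80, 51000, "SA")
    unsolicited = Packet("203.0.113.9", "10.0.0.7", "tcp", 80, 22, "S")  # matches no session
    return ([stateless_allow(p) for p in (syn, reply, unsolicited)],
            [sf.allow(p) for p in (syn, reply, unsolicited)])
```

The unsolicited packet is the case the slides' "IP spoofing" disadvantage refers to: the stateless rule passes it because its header fields look like a reply, while the stateful filter rejects it because no connection in its table matches.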
Deep Packet Inspection - DPI
• An improved version, called stateful protocol analysis and also known as DPI, analyses
data on the application layer.
• DPI devices include application firewalls, application proxy gateways and proxy servers.
• Unlike stateful firewall devices that filter traffic based on the data on layers 3, 4
and 5 of the OSI reference model, these devices also enable traffic filtering based
on the information on the application layer of the OSI reference model (Layer 7).
Application Firewall (AF)
• AF devices perform a stateful protocol analysis of the
application layer.
• Support numerous common protocols, such as HTTP, SQL, e-
mail service (SMTP, POP3 and IMAP), VoIP and XML.
• Stateful protocol analysis relies on predefined profiles of
acceptable operating modes for the selected protocol.
• Problems may arise if there is a conflict between the operating
mode of a specific protocol, as defined on the AF device, and
the way in which the protocol is implemented in the specific
version of the application or of the operating systems used in
the network.
Stateful Protocol Analysis

Stateful protocol analysis makes it possible to:
• determine whether an e-mail message contains a type of attachment that is not
allowed (e.g., executable files);
• determine whether instant messaging is used via an HTTP port;
• block the connection through which an unwanted command is executed (e.g.,
an FTP put command on the FTP server);
• block access to a page with unwanted active content (e.g., Java);
• identify an irregular sequence of commands exchanged in the communication
between two hosts;
• verify individual commands and the minimum and maximum length of the
corresponding command-line arguments.
• The main disadvantage of stateful protocol analysis is the intensive resource use it
imposes on AF devices.
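As an added example, not from the original slides, the following Python code models a stateful protocol analysis profile for the FTP control channel: it enforces an allowed-command list (with the FTP put command, STOR, excluded), a maximum argument length per command, and the USER-before-PASS ordering, so a session is blocked on an unwanted command, an over-long argument, or an irregular command sequence. The profile, limits and sample session are constructed.

```python
# Constructed profile of an "acceptable operating mode" for the FTP control channel:
# allowed commands, maximum argument length per command, and required login ordering.
# STOR (FTP "put") is deliberately absent, so uploads to the server are blocked.
FTP_PROFILE = {
    "allowed": {"USER", "PASS", "PWD", "CWD", "LIST", "RETR", "TYPE", "PASV", "QUIT"},
    "max_arg_len": {"USER": 32, "PASS": 64, "PWD": 0, "CWD": 255, "LIST": 255,
                    "RETR": 255, "TYPE": 1, "PASV": 0, "QUIT": 0},
}

class FtpSessionAnalyzer:
    """Checks one client's FTP commands against the profile while tracking login state."""
    def __init__(self, profile=FTP_PROFILE):
        self.profile = profile
        self.state = "NEED_USER"   # NEED_USER -> NEED_PASS -> AUTHED

    def check(self, line):
        """Return (verdict, reason) for a single command line; state advances only on ALLOW."""
        parts = line.rstrip("\r\n").split(" ", 1)
        cmd = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        if cmd not in self.profile["allowed"]:
            return "BLOCK", f"command {cmd} not in profile"
        if len(arg) > self.profile["max_arg_len"][cmd]:
            return "BLOCK", f"{cmd} argument too long ({len(arg)} chars)"
        expected = {"NEED_USER": "USER", "NEED_PASS": "PASS"}.get(self.state)
        if expected and cmd not in (expected, "QUIT"):
            return "BLOCK", f"irregular sequence: {cmd} before {expected}"
        if cmd == "USER":
            self.state = "NEED_PASS"
        elif cmd == "PASS":
            self.state = "AUTHED"
        return "ALLOW", ""

def analyze_session(lines):
    """Run a whole command sequence through a fresh analyzer; returns the list of verdicts."""
    analyzer = FtpSessionAnalyzer()
    return [analyzer.check(line)[0] for line in lines]

# Constructed sample session (not a real capture): a put and an over-long argument are blocked.
SESSION = ["USER alice", "PASS s3cret", "CWD /pub", "STOR report.pdf",
           "RETR " + "A" * 300, "RETR readme.txt", "QUIT"]

if __name__ == "__main__":
    for line, verdict in zip(SESSION, analyze_session(SESSION)):
        print(f"{verdict:5} {line[:40]}")
```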
Application Proxy Gateway (APG)
• APG devices also perform an analysis of the traffic flow on the
application layer.
• APG devices contain proxy agents, or “intermediaries”, in the
communication between two end hosts. In this way, they prevent direct
communication between them.
• Based on the filtering rules defined on the APG device, proxy agents
decide whether network traffic will be allowed or not.
• Traffic-filtering decisions can also be made based on the information
contained in the header of an application-layer message or even based
on the content conveyed by that message.
• Proxy agents can require user authentication.
• There are also APG devices with the capability of packet decryption,
analysis and re-encryption, before a packet is forwarded to the
destination host.
Deficiencies of APG Devices
• APG devices require a significantly greater utilisation of resources.
• As a result, APG devices are not suitable for filtering real-time
applications.
• Another deficiency of these devices is the limitation in the number of
services that can be filtered through them.
• APG devices do not always support the filtering of new applications or
protocols.
• Due to their price, APG devices are commonly used for protecting data
centres or other networks containing publicly available servers that are of
high importance to an organisation.
• In order to reduce the load on APG devices and achieve greater efficiency,
modern networks more frequently use dedicated proxy servers.
Dedicated Proxy (DP) Server
• Dedicated Proxy (DP) servers also act as “intermediaries” in the
communication between two hosts, although their traffic-filtering
capabilities are significantly lower.
• They are intended for the analysis of the operation of specific services and
protocols (e.g., HTTP or SMTP).
• Due to their limited traffic-filtering capabilities, DP devices are deployed
behind firewall devices in the network architecture.
• Their main function is to perform specialised filtering of a specific type of
traffic (based on a limited set of parameters) and carry out the logging
operation.
• The execution of these specific activities significantly reduces the load on
the firewall device itself, which is located in front of the DP server.
• The most widely used devices of this type are Web Proxy servers.
Solutions Combining Traffic Filtering with Other Technologies

1. NAT (Network Address Translation)

• NAT is a technology that enables devices that use private
IP addresses to communicate with devices on the Internet.
• This technology translates private IP addresses, which can
be used by devices within a Local Area Network (LAN),
into publicly available Internet addresses.
• There are three types of NAT translation:
– Dynamic NAT
– Static NAT
– Port Address Translation (PAT).
2. VPN (Virtual Private Network)
• VPN (Virtual Private Network) technology is used to increase the security of data
transfer through a network infrastructure that does not provide a sufficient degree
of data security.
• It enables the encryption and decryption of network traffic between external
networks and an internal, protected network.
• VPN functionality is available on firewall devices or implemented on VPN
servers that are placed behind firewall devices in the network architecture.
• Because the VPN traffic passing through it is encrypted, the firewall device cannot
perform inspection, access control or logging of that network traffic, and therefore
cannot scan it for certain security threats.
• The VPN service requires certain filtering rules on the firewall device in order to
enable its uninterrupted operation.
• Special attention should always be paid to making sure that the protocols and the
TCP/UDP services that are necessary for the functioning of the chosen VPN solution
are supported.
3. IDP (Intrusion Detection and Prevention)
• Network Intrusion Detection (ID)
– based on monitoring the operation of computer systems or networks and
analysing the processes they perform, which can point to certain incidents.
• Network Intrusion Prevention (IP)
– process of detecting network intrusion events, but also includes the process
of preventing and blocking detected or potential network incidents.
• Network Intrusion Detection and Prevention (IDP) systems are based on:
– identifying potential incidents;
– logging information about them;
– attempting to prevent them;
– alerting the administrators responsible for security;
– identifying problems concerning the adopted security policies;
– documenting existing security threats; and
– discouraging individuals from violating security rules.
• IDP systems use various incident detection methods.
Primary Classes of Detection Methodology

1. Signature-based detection
2. Anomaly-based detection
3. Detection based on stateful protocol analysis
Intrusion Detection System
