Search This Blog

Wednesday, 9 October 2013

Host Protection - Standards and Reference Controls

The Concept of Zero-Trust

To allow for near-future work models, where employees can bring their own mobile devices into the workplace,  where “work from home” is standard practice, and where the Data Center is being virtualized and services abstracted to external third party providers,  the Security Industry is rethinking the traditional concepts of  boundaries and perimeters.

The concept of Zero-Trust is an approach to network and device security that places security at the core of the network and makes it central to all network transactions

This security centric approach advocates a number of principles to design a secure and flexible network that can protect against modern malware and threats.  

Key to this design is the transformation from classical security overlay which simply inspects packets destined to and from the Internet, to ensuring every packet is securely delivered to its destination.

TheZero Trust model provides an innovative data-centric approach to security that protects against sophisticated and targeted attacks. 

 Regardless of the reason, your data center is expanding beyond your bricks and mortar controls.  Many call this the Shrinking Perimeter. (Here, and Here, and Here,)   Firewalls at the edge of your network are no longer adequate, and provide for a false sense of comfort.

Empowered users are accessing the network from a variety of devices (e.g., laptops, tablets, and smart phones) and from a variety of locations. 

The expectation of anytime anywhere “workspaces” for these users enable new gains in productivity, but also leads to new security challenges in differentiating access based on user, application, device-type or access type (wired, wireless, VPN).

A typical "Data Center" is constantly under threat, both from 
external sources as well as internal entities.
What is "Host Protection"?
A “Host Protection” service must ensure the integrity of all resources within the system it is protecting.  This would include monitoring of and prevention against unwanted or malicious Network traffic coming in and out of the host, monitoring and management of file integrity, memory integrity, and in the case of Windows Servers, registry integrity

Host protection will employ centrally managed rules and profiles to ensure that applications on the host behave appropriately and that user and service accounts only have appropriate access to files and applications through whitelisting and blacklisting

A Host Protection Service must:

Operate on the significant majority of our Host Operating Systems, and support all of our existing Database and Middleware
Protect against Zero-Day malware and malicious actor attacks.
Prevent unauthorized changes or actions, even if the perpetrator has administrative rights.
Enable demonstrable change control on mission-critical systems.
Centralize configuration protection across the enterprise, reducing administrative burden.
Support a library of pre-defined rules that recognize common security events.
Support policies across logical groups of hosts, helping to ensure the appropriate level of security and ease administrative burden.
Run pre-defined and customized reports on policies and security events enterprise-wide across heterogeneous systems.
Automatically trigger alerts and actions, based on pre-defined thresholds, when an event matches a rule.
Record the event in a centralized corporate SEIM.

What is considered a Host?

In the simplest terms, a  Host” is just a network connected server that provides services to other systems.  These services may include database, mail, web, file share, print, etc…

  • A host can be physical or virtual, and may run any of a dozen operating systems. 
  • A host typically will have additional software added to provide it’s specific functionality. This may include various commercial database and/or application server packages from a multitude of vendors.
  • A host will generally have a specific purpose or “role” within the data center which would be defined by it’s configuration and/or applications/services running on it. 
    • Similar hosts may be “clustered” together to provide a single service for performance or availability reasons.
    • Hosts may be grouped together by similar role
    • Hosts that work together to provide a specific service may be grouped together
    • Hosts that belong to a specific Business Unit may be grouped together

A managed host may reside anywhere that connectivity and general network security is provided.  This includes data center, branch/campus, telco service provider, 3rd party business partner, hosting provider or cloud service provider.

Regardless of Operating System, Almost all Servers are 
comprised of the above layers.

All layers above the Operating System kernel are potential places for vulnerabilities, and exploitation.  A complete Host Protection Service must take all of these into account.

Protecting a Heterogeneous Environment

Any system or service devised to protect a typical data center environment must be all-encompassing. 

Broad Spectrum of Host Operating System coverage:
  • Any Host protection system deployed must operate and protect the majority of Operating Systems that can be found within the environment. This includes but is not limited to Microsoft Windows Server, IBM AIX , HPUX, Solaris, Linux, VMware, Xen, Microsoft HyperV
Broad Spectrum of Database Server coverage:
  • Any Host protection system deployed must operate and protect the majority of Database Systems that can be found within the environment. This includes but is not limited to Microsoft SQL Server, Oracle SQL, Sybase, IBM DB2, Ingres, PosGreSQL, MySQL,

Broad Spectrum of Application Server coverage:
  • Any Host protection system deployed must operate and protect the majority of Application Servers and Frameworks that can be found within the environment.  This includes but is not limited to Microsoft Active Directory, Exchange, SharePoint, and ISA, WebLogic, Oracle, WebSphere, Jboss,  IBM Domino,  Java, ASP.Net, PHP

Broad Spectrum of Web Server coverage:
  • Any Host protection system deployed must operate and protect the majority of Web Servers that can be found within the environment.  This includes but is not limited to Microsoft IIS, Apache, Tomcat, Weblogic, Oracle


Host Protection - Operating System Layer

  • File Integrity Monitoring and Prevention:
    • Identify changes to files in real-time, including who made the change and what changed within the file.
  • Memory Integrity Monitoring and Prevention: 
    • Identify in real-time, any attempt to modify or corrupt memory outside of the boundaries of that owned or managed by a specific application or service.
  • Registry Integrity Monitoring and Prevention: 
    • Identify changes to Windows Registry settings in real-time, including who made the change and what changed within the registry.
  • Device Control: 
    • Identify, prevent and alert on attempts to access system devices which are outside of a particular security profile.
  • Configuration Monitoring: 
    • Identify policy violations, suspicious administrators or intruder activity in real-time.
  • Targeted Prevention Policy: 
    • Respond to server incursion or compromise immediately with quickly customizable hardening policies.
  • Granular Intrusion Prevention Policies: 
    • Protect against zero day threats and restrict the behavior of approved applications even after they are allowed to run with least privilege access controls.
  • File, system and admin lock down: 
    • Harden virtual and physical servers to maximize system uptime and avoid ongoing support costs for legacy operating systems.

Host Protection - Network Layer

A Host Protection Service must be able to provide a means to identify and control network traffic into and out of the host in  question.

Centralized management, reporting, alerting of standard Layer 3 firewall functionality is mandatory

Source / Destination / Port / Service   for each packet must be validated

Stateful inspection is “nice to have” but not a requirement 

Centralized management, reporting, alerting of  Layer 4 through 7 “Application Firewall” functionality is mandatory for systems not protected by Network based WAFs. Depending on the purpose of the host, the WAF profile will differ:

At minimum recognize and protect against OWASP top 10 application vulnerabilities

Intrusion Prevention through any of signature / whitelist / blacklist or heuristics, identify malicious or malformed traffic, and based on policy settings: prevent, log, and alert.

Host Protection - Application Layer

A Host Protection Service must be able to provide a means to identify and control appropriate access within and  between applications…..

A host protection service must be able to monitor/collect/report on all resources that an application uses over a period of time to define a “baseline” for appropriate behavior or functionality.  These resources include, but are not limited to:

  • Files
  • Folders
  • registry settings
  • device drivers
  • Libraries
  • network connections
  • service accounts

Once the baseline has been set, any deviation from that must get escalated for review and/or remediation.

This baseline can them be used as a template for other hosts running this same application.

A profile or role can be made, based on this baseline, and a centralized policy defined to manage all hosts that use this template.


Host Protection - Database Layer

A Host Protection Service must be able to proactively prevent or provide remediation for security risks to database systems.

These risks include, but are not limited to:
  • Unauthorized or unintended activity or misuse by authorized database users, database administrators, or network/systems managers.
  • Unauthorized or unintended activity or misuse by or by unauthorized users
  • Unauthorized or unintended privilege escalation
  • Malware infections causing unauthorized access, leakage or disclosure of personal or proprietary data, deletion of or damage to the data or programs, interruption or denial of authorized access to the database, attacks on other systems
  • Design flaws and programming bugs in databases and the associated programs and systems, creating various security vulnerabilities


Host Protection - Web Layer

According to OWASP ( and SANS ( The top Web Server vulnerabilities include:

  • Cross Site Scripting,
  • SQL Injection,
  • PHP Injection,
  • Javascript Injection,
  • Path Disclosure,
  • Denial of Service,
  • Code Execution,
  • Memory Corruption,
  • Cross Site Request Forgery,
  • Information Disclosure,
  • Arbitrary File,
  • Local File Include,
  • Remote File Include,
  • Overflow,
  • Other,

OWASP is the emerging standards body for Web application security. In particular they have published the OWASP Top 10 which describes in detail the major threats against web applications. The Web Application Security Consortium (WASC) has created the Web Hacking Incident Database[8] and also produced open source best practice documents on Web application security.


Host Protection - Managing Profiles

A Host Protection Service must be able to centrally manage security profiles and templates, proactively alert on deviations, accept real-time updates from external threat intelligence providers, and feed a centralized SIEM or SOC.

Management of security profiles will allow for granular nesting of roles/profiles

For example:
  • Nested security profiles, akin to Active Directory’s “Group Policy” management will enable quick access and visibility to host assets by Owner, Role, or Location
  • A high level role would be assigned to “Operating System Platform”
    • A nested role would be assigned to SPECIFIC Operating Systems (Windows Server 2003, Windows Server 2007, AIX 5.3, AIX 6.0, HPUX 11…) to refine control
  • A high level role would be assigned to each Database System Platform
    • A nested role would be assigned to SPECIFIC Database Systems to refine control
    • A nested role would be assigned to Critical Database Systems to refine control
  • A high level role would be assigned to each Application Type
    • A nested role would be assigned to SPECIFIC Application Instances to refine control
  • A high level role would be assigned to each Web Server Platform
    • A nested role would be assigned to SPECIFIC Web Server types to refine control
    • A nested role would be assigned to Critical Web Servers to refine control

Security profiles can be nested and grouped by role, owner, or location.

To be effective, a Host Protection Service must be managed centrally, receive
 live threat and signature updates, and report into a SEIM or SOC in real-time.


 So?  Who are the players in this field? 
Symantec Critical System Protection   - To date, Symantec CSP provides the widest coverage for server roles across the most Operating Systems - Both Physical and Virtual.  Their System Protection Console cleanly integrates their Security and Malware product suites into a single pane of glass.
TripWire Enterprise File Integrity Monitor - TripWire has been the industry leader in this space for over a decade, and is perfect for small to medium enterprises.
McAfee File Integrity Monitor - McAfee provides a suite of tools that are well integrated for protecting Windows Based Servers and Databases..
IBM Tivoli Virtual Server Protection - VMware ESX protection suite.

SafeNet Data Protection Suite
NewNetTechnologies NNT
Splunk Change Monitor

Further Reading:
McAfee Total Protection for Endpoint Datasheet
McAfee Total Protection for Virtualization Solution Breif Datasheet

3rd party List of System Integrity Tools:

Thursday, 18 July 2013

CDN: Content Delivery Networks in the Context of Security

In Information Security, we very frequently discuss the merits and challenges of Confidentiality and Integrity, but alas, Availability regularly takes the back seat...

 In today's world of Dynamic Web Content, 24/7 uptime requirements, expectations of immediately downloads, and Customers that come to you from anywhere around the world, Content Deliver Networks are fast becoming a commodity service.

 In our Enterprise Reference Architecture, we have all been taught to remove single points of failure.  A High Availability (HA) environment consists of:
  • Duplicate Network Switches with redundancy protocols
  • Duplicate routers with redundancy protocols
  • Duplicate firewalls with Heartbeat
  • Redundant ISP circuits from two different providers
  • redundant power supplies in all critical infrastructure, supplied from...
  • Redundant street power from two separate grids
  • Cluster or HA servers for critical systems such as Corporate Websites 
These are all wonderful in a fair and decent world.... However... 

Where your Company's Image / Brand / Reputation meets your consumers, at your WebServers... there a higher level of risk, and a greater requirement for un-interrupted availability.

Enter the Content Delivery Networks (CDN)


 Content Delivery Networks provide a Geographically Disperse Web Service to replicate the content of your Web Servers, and provide that to your Customers in a highly available mode.

Most of the CDN providers use a subscription based approach with initial trial periods to evaluate their services.   Almost all of them provide:

 Introducing a CDN service to front your Critical Corporate websites not only makes sense, but will greatly enhance your Disaster Recovery and Business Continuity programme.

Content Delivery Network Providers:  
(nowhere near a compete list, and with mergers and aquisitions... )


Friday, 12 July 2013

Security Appliances: In-band or out-of-band?

Do we need to place our Security Appliances inline? 

In a typical Corporate DMZ, such as a Public Internet Landing Zone, where private internal network traffic and public Internet traffic meet, you would find several security products or appliances to monitor, log , and manage that transition of data.

Almost all companies employ corporate Firewalls at the very perimeter where your network connects to the Internet.  These would have rules designed to block inbound traffic, except that which is destined to your Web, FTP, or Mail servers, and to only allow outbound traffic that meets your corporate security policy, ie: HTTP/HTTPS, mail, ftp.

Between the firewall  and the internal corporate network (intranet) you may (should!) find any of several Security Appliances to filter, inspect, log, and ultimately pass or block traffic based on it's content, source, destination or type.

Network Intrusion Detection / Prevention systems look for malicious, malformed or erroneous traffic that could impact the security of the network and ultimately corporate data.  Rules are evaluated against the traffic flowing in and outbound to ensure compliance.  Non-compliant traffic can be actively blocked.

Web URL filtering or Content filtering applies a set of rules to validate whether an individual can gain access to a particular site or service on the Internet.  These are typically used on "Code of Conduct" compliance.
Botnet / Malware Control Appliances like Damballa or FireEye  inspect traffic source/destination, comparing against known Command and Control networks  and can download and inspect the content of attachments for malicious payload and remove where appropriate.

Data Loss Prevention Infrastructure may inspect the content of traffic passing in and out of the network, and block or quarantine any messages or attachments that are deemed to contain Corporate Sensitive Data.

The question is, how best to inject these appliances into the corporate network to provide the best security coverage without compromising availability. 

There are five primary ways in which Network Traffic can be provided to Analysis or Security tools:

Comparing these is the purpose of this particular discussion.

SPAN or Mirror:
  • SPAN (Switched Port ANalyzer) ports are a feature of virtually every managed switch on the market, ie: they are free.  Most switches have at least two SPAN ports available.
  • A SPAN port is remotely configurable, allowing you to change which physical ports or VLANs on a switch are mirrored to the port being monitored. However, when traffic levels on the network exceed the output capability of the SPAN, because of duplex aggregation, the switch is forced to drop packets. (*see note below)
  • Layer 1 and 2 errors are also not mirrored, and therefore never reach the port being monitored.  Bad or malformed packets are dropped, ie: not monitored.  
  • If all you are doing is monitoring network traffic for compliance, this may do, but for forensics, legal, data loss, Anti-Malware, or Intrusion Prevention, this is not your solution.

Breakout or Passive TAPs
  • These are the simplest type of TAP (Test Access Point). Typically these would have have four to eight ports. Two for Ethernet in and out and the remainder as "monitoring ports". The network traffic is sent between the input and output ports unimpeded.  The network segment does not “see” the TAP.  At the same time the TAP sends a copy of all the traffic to monitoring ports of the TAP.
  • The problem is that a Breakout TAP does not allow the Security Appliance to directly affect the passing traffic. 
  •  For monitoring purposes, it is fantastic, but if you need to actively manage or block traffic.... this is not your solution.

Daisy Chaining Inline Appliances
  •  An efficient and inexpensive way to allow your security appliances to inspect and make immediate decisions on all traffic.
  • However it comes at the great cost of adding several points of failure in your egress zone.  
  • If any one appliance fails, or stops passing traffic, the entire segment is down. This is typically unacceptable.

The Appliance Sandwich
  • Otherwise known as a Firewall Sandwich uses other network equipment like firewalls or switches to provide for failover mechanisms between appliances. 
  • This is a very costly method of providing redundancy, and actually adds several points of failure to the design.
  • The firewalls in this approach will want to manage traffic according to their rules rather than providing ALL passing data to the security appliances. This has the high probability of failing to identify malicious traffic.  It's not like malicious code follows rules....

And finally...

Bypass TAPs
  • A Bypass Tap or Switch will allow you to place Security Appliances into the network while removing the risk of introducing a point of failure. 
  • With a bypass TAP, failure of the inline device, reboots, upgrades, or even removal and replacement of the device can be accomplished without taking down the network. 
  • In applications requiring inline tools, bypass TAPs save time, money and network downtime.
  • In a high availability design, ie: your infrastructure from the switch to the firewall and router, is completely redundant, the bypass unit can be configured to actively manage link states up and downstream to force natural failover and failback upon  appliance failure.
  • The bypass unit can also be configured - as it's name states - to pass traffic beyond the failed appliance un-inspected if that is required. 
  • Failure modes are decided as part of the architecture, and are automatic. The Bypass Switch sends heartbeat packets through each connected appliance, and upon failure to receive the heartbeat through the appliance can opt to bypass that particular appliance or force a failover to the secondary stream.

In short:  
 Terminate your Internet connection in an HA pair of firewalls. Each these firewalls would connect to the upstream corporate switch via a multiport Bypass Switch.   Security/Monitoring/Logging/Forensics/Compliance tools can be inserted into this Bypass switch without loss of network. Any failure of an attached appliance would automatically trigger a natural network failover both up and downstream.

The advantages of TAPs compared to SPAN/mirror ports are:

  • TAPs do not alter the time relationships of frames – spacing and response times are especially important with RTPs like VoIP and Triple Play analysis including FDX analysis.
  • TAPs do not introduce any additional jitter or distortion nor do they groom the flow, which is very important in all real-time flows like VoIP/video analysis.
  • VLAN tags are not normally passed through the SPAN port so this can lead to false issues detected and difficulty in finding VLAN issues.
  • TAPs do not groom data nor filter out physical layer errored packets.
  • Short or large frames are not filtered/dropped.
  • Bad CRC frames are not filtered.
  • TAPs do not drop packets regardless of the bandwidth.
  • TAPs are not addressable network devices and therefore cannot be hacked.
  • TAPs have no setups or command line issues so getting all the data is assured and saves users time.
  • TAPs are completely passive and do not cause any distortion even on FDX and full bandwidth networks.
  • TAPs do not care if the traffic is IPv4 or IPv6; it passes all traffic through.

From Cisco’s own White Paper – On SPAN port usability and using the SPAN port for LAN analysis
Cisco warns that “the switch treats SPAN data with a lower priority than regular port-to-port data.” In other words, if any resource under load must choose between passing normal traffic and SPAN data, the SPAN loses and the mirrored frames are arbitrarily discarded. This rule applies to preserving network traffic in any situation. For instance, when transporting remote SPAN (RSPAN) traffic through an Inter Switch Link (ISL), which shares the ISL bandwidth with regular network traffic, the network traffic takes priority. If there is not enough capacity for the remote SPAN traffic, the switch drops it. Knowing that the SPAN port arbitrarily drops traffic under specific load conditions, what strategy should users adopt so as not to miss frames? According to Cisco, “the best strategy is to make decisions based on the traffic levels of the configuration and when in doubt to use the SPAN port only for relatively low-throughput situations.”


NetworkWorld: Security appliances should be in-line rather than out of band
NetworkInstruments: Tap vs SPAN port
Juniper Networks: Optimize Network Access and Visibility Without Introducing a Point of Failure
CISCO: Using the Cisco Span Port for San Analysis
CISCO: Catalyst Switched Port Analyzer (SPAN) Configuration Example
Benefits and Limitations of SPAN Ports
IXIA: To SPAN or to TAP - That is the question
NetworkInstruments: Analyzing Full-Duplex Networks
WikiPedia: Network Tap
SANS: Egress Filtering For a Better Internet
Net Optics, Inc. Introduces iBypass for Fail-Safe IPS Security Deployments
Overcoming Challenges with SPAN and TAP limitations
Active Internet Traffic Filtering: Real-Time Response to Denial-of-Service Attacks
Hardware tap vs port mirroring - Any limitations?
Has Your Network Outgrown SPAN Ports?
Load Balancing 101: Firewall Sandwiches
Your Firewall Sandwich Gives Me Indigestion
Sandwich Mode Insanity Reaches New Levels of Breakage
Security Best Practices
Public DMZ network architecture Carrier-grade, hardware-based bypass solution
IBM: 10 Gb Network_Active_Bypass
IBM pfd: 10GB Network Active Bypass Unit overview
Detailed Modes of Proventia Network Active Bypass
Intelligent Bypass switches

The Players in this Space:

GarlandTechnology ( )
Network Critical  ( ) 
Gigamon ( )  
Net Optics ( )
Network Instruments ( )
Silicom-USA  (
Procera Networks ( )
Net Equalizer ( )
IBM Proventia (