Securing the Network Layer Against Malicious Attacks
The costs associated with cybercrime are already staggering and are expected to climb much higher. Cyberprotection Magazine reports that the global cost of cybercrime is expected to surge to $23.84 trillion by 2027, and even that figure may not capture all costs, because of underreporting and other factors. The actual financial impact of a ransomware attack varies significantly with the size of the organization, its industry sector, its geographic location, and the effectiveness of its incident response and recovery efforts.
Being proactive helps limit the impact of cybercrime. A secure network is a web application’s first line of defense against malicious attacks: the network layer is the gateway to the servers where your application resides, and it is responsible for routing and forwarding data packets between networks. Securing that layer ensures your application is not flooded with attacks that could have been blocked at the outermost layer, before they ever reach the application.
Common network level threats include information gathering, sniffing, spoofing and distributed denial of service (DDoS).
Information Gathering
The information gathering threat involves attackers attempting to learn about your system: which software it runs and in which versions, so that they can look up known vulnerabilities and exploits for exactly that configuration.
- For example, attackers may scan for open ports. The services that answer, and the banners and protocol behaviour they expose, reveal the software and operating systems running on your network, often down to the specific version.
- If you happen to be running a version of an application or operating system with a known exploit and an attacker discovers this, expect an attack using exactly that information.
- Best practice countermeasures include:
- Use a firewall to block services which should not be publicly exposed.
- When services must be exposed, configure them to present generic service banners that give away as little information as possible (a protocol name without a product version, and no operating system or build details).
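To make the difference concrete, here is a small port-scan-and-banner-grab tool, added as an example (it is not code from the original page). It starts two throw-away listeners on the loopback interface, one that greets clients with a verbose banner and one with a generic banner, then does what an attacker's scanner does: connect, read what the service volunteers, and extract product, version and OS details from it. The banners and the banner grammar are constructed for the demonstration; the `SSH_BANNER_RE` pattern is an assumption, not an official parser.

```python
import re
import socket
import threading

# Constructed banners for the demonstration, not captured from any real host.
# The first leaks product, version and distribution build; the second is the
# kind of generic banner the text recommends.
VERBOSE_BANNER = b"SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n"
GENERIC_BANNER = b"SSH-2.0-SSH\r\n"

# Assumed banner grammar: "SSH-<proto>-<product>[_<version>] [<os comment>]"
SSH_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-(?P<product>[A-Za-z]+)[_-]?(?P<version>[\w.]*)\s*(?P<os>.*)$"
)


def serve_banner(banner: bytes) -> int:
    """Start a throw-away listener on 127.0.0.1 that greets every client with
    `banner`, then closes. Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 2.0) -> str:
    """What a scanner does after finding an open port: connect and read
    whatever the service volunteers before any authentication."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(256)
        except socket.timeout:
            data = b""
    return data.decode("ascii", errors="replace").strip()


def fingerprint(banner: str) -> dict:
    """Extract what the banner gives away. Fields the service did not disclose
    are empty strings; `disclosed` lists the ones an attacker could use to
    look up known vulnerabilities."""
    m = SSH_BANNER_RE.match(banner)
    if not m:
        return {"product": "", "version": "", "os": "", "disclosed": []}
    info = {k: (m.group(k) or "") for k in ("product", "version", "os")}
    info["disclosed"] = [k for k in ("version", "os") if info[k]]
    return info


def scan(host: str, ports) -> dict:
    """Minimal port scan plus banner grab: open ports map to their
    fingerprint, ports that refuse the connection are left out."""
    results = {}
    for port in ports:
        try:
            banner = grab_banner(host, port)
        except OSError:
            continue  # refused or filtered: nothing to learn here
        results[port] = fingerprint(banner)
    return results


def demo() -> dict:
    """Run both listeners and scan them; returns the two fingerprints."""
    verbose_port = serve_banner(VERBOSE_BANNER)
    generic_port = serve_banner(GENERIC_BANNER)
    found = scan("127.0.0.1", [verbose_port, generic_port, 1])  # port 1: closed
    return {"verbose": found[verbose_port], "generic": found[generic_port]}


if __name__ == "__main__":
    for name, info in demo().items():
        print(f"{name:8s} {info}")
```

Against the verbose listener the scanner learns the product, the exact version and the distribution build, which is enough to search for a matching known vulnerability; against the generic listener it learns only that something speaks SSH 2.0. Run the same grab against your own exposed services to see which of them are still volunteering the former.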
Network Sniffing
Network sniffing is simply the act of intercepting and monitoring your network traffic.
- Attackers look for private information transmitted in plain text, clear-text passwords, and weak encryption that can be cracked.
- The best countermeasures against sniffing are:
- Prevent unauthorized sniffing devices from operating within the network.
- Monitor all devices on your network and the software installed on them.
- Use strong encryption on any traffic that needs to be private.
- Always assume that your network traffic is being intercepted by malicious parties and secure it based on that assumption.
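Taking the last point literally means auditing your own traffic the way a sniffer would. The following is an added example, not code from the original page: it runs a "sniffer's-eye" check over a handful of constructed application-layer payloads (an HTTP form login, HTTP Basic authentication, an FTP login and the start of a TLS record) and reports every credential that can be recovered with no decryption at all. The sample payloads, the hostnames and the field-name heuristics are all constructed for the demonstration.

```python
import base64
import re
from urllib.parse import parse_qs

# Constructed application-layer payloads standing in for what a sniffer on
# a shared segment or mirrored port would capture; not a real capture.
CAPTURED = [
    # 1. HTTP form login over plain HTTP
    b"POST /login HTTP/1.1\r\nHost: app.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"username=alice&password=Winter2024%21",
    # 2. HTTP Basic auth: base64 is encoding, not encryption
    b"GET /admin HTTP/1.1\r\nHost: app.example.com\r\n"
    b"Authorization: Basic " + base64.b64encode(b"bob:hunter2") + b"\r\n\r\n",
    # 3. FTP login: USER/PASS commands travel in the clear
    b"220 ftp.example.com FTP server ready\r\nUSER carol\r\n"
    b"331 Password required\r\nPASS letmein\r\n",
    # 4. Start of a TLS handshake record: opaque to the sniffer
    b"\x16\x03\x03\x00\x05\x01\x00\x00\x01\x00",
]

# Assumed heuristics for naming login form fields.
PASSWORD_FIELD = re.compile(r"pass|pwd|secret", re.I)
USER_FIELD = re.compile(r"user|login|email", re.I)


def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: content type 0x14-0x17, version bytes 0x03 0x0x."""
    return (len(payload) >= 3 and 0x14 <= payload[0] <= 0x17
            and payload[1] == 0x03 and payload[2] <= 0x04)


def find_cleartext_credentials(payload: bytes) -> list:
    """Credentials recoverable from one payload with no decryption at all."""
    findings = []
    text = payload.decode("latin-1")  # byte-for-byte, never raises

    # HTTP Basic authentication: decode the base64 and split user:password
    for m in re.finditer(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", text):
        try:
            creds = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        user, _, secret = creds.partition(":")
        findings.append({"protocol": "http-basic", "user": user, "secret": secret})

    # HTTP form login: a password-like field in a POST body
    if text.startswith("POST ") and "\r\n\r\n" in text:
        fields = parse_qs(text.split("\r\n\r\n", 1)[1])
        users = [v[0] for k, v in fields.items() if USER_FIELD.search(k)]
        for k, v in fields.items():
            if PASSWORD_FIELD.search(k):
                findings.append({"protocol": "http-form",
                                 "user": users[0] if users else "", "secret": v[0]})

    # FTP control channel: USER and PASS commands
    user = re.search(r"^USER (\S+)", text, re.M)
    secret = re.search(r"^PASS (\S+)", text, re.M)
    if user and secret:
        findings.append({"protocol": "ftp", "user": user.group(1), "secret": secret.group(1)})
    return findings


def audit(payloads) -> list:
    """Run the sniffer's-eye check over every payload; encrypted records are
    reported as such and yield no findings."""
    report = []
    for i, p in enumerate(payloads):
        encrypted = looks_like_tls(p)
        report.append({
            "index": i,
            "encrypted": encrypted,
            "findings": [] if encrypted else find_cleartext_credentials(p),
        })
    return report


if __name__ == "__main__":
    for entry in audit(CAPTURED):
        print(entry)
```

Three of the four sessions hand over a username and password to anyone on the path; only the TLS session yields nothing. Note that the Basic authentication header is recovered by a plain base64 decode, which is why it counts as clear text for this purpose.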
Spoofing
Spoofing is the act of forging the source identity of packets, most commonly the source IP address.
- Spoofed packets may be used to hide the true origin of a denial of service attack, or to assume the identity of a source that has access to private areas of your network.
- Spoofing countermeasures include:
- Ingress filtering (dropping packets that arrive from a network which should not be sending packets with that source IP, for example an Internet-facing interface receiving packets whose source is one of your own internal addresses).
- Ingress filtering only works if you know which IP addresses should originate from a given network.
- It is most commonly used to eliminate packets originating from outside networks masquerading as IP addresses which originate from within a network.
- Egress filtering (dropping outbound packets whose source address is not one your network owns, and, on tightly controlled networks, any outbound traffic not on an explicit allow list).
- Egress filtering requires work configuring networks and is therefore most common on large networks with high security requirements; it also keeps your own hosts from being used to send spoofed traffic at other networks.
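The two filters reduce to a few address-range checks at the border router. The example below is added here and is not the page's own code: it models a hypothetical border with one owned prefix (the TEST-NET range 203.0.113.0/24 stands in for a real allocation) and decides, for each packet, whether ingress or egress filtering should drop it. The packet records and the interface names are constructed for the demonstration; a real router expresses the same rules as access lists or unicast reverse-path forwarding checks.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical border: the address space this network owns (TEST-NET range
# used as a stand-in). Packets claiming one of these sources may only arrive
# from the inside, and only these sources may be sent out.
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Sources that never legitimately arrive from the Internet: private (RFC 1918),
# loopback, link-local, "this" network, multicast and reserved space.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    arrived_on: str  # "outside" (Internet-facing) or "inside"


def _in_any(addr, prefixes) -> bool:
    return any(addr in p for p in prefixes)


def anti_spoof_verdict(pkt: Packet) -> tuple:
    """Return ("ACCEPT" | "DROP", reason) for a packet at the border router.

    Ingress filtering looks at packets arriving on the outside interface: a
    source inside our own prefixes, or a bogon, cannot genuinely have come
    from the Internet, so it is spoofed. Egress filtering looks at packets
    arriving on the inside interface bound for the Internet: a source that
    is not ours means one of our hosts is spoofing, e.g. taking part in a
    DDoS with forged sources."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.arrived_on == "outside":
        if _in_any(src, OUR_PREFIXES):
            return "DROP", "ingress: external packet claims an internal source"
        if _in_any(src, BOGON_PREFIXES):
            return "DROP", "ingress: bogon source address"
        return "ACCEPT", "ingress: plausible external source"
    if pkt.arrived_on == "inside":
        if _in_any(dst, OUR_PREFIXES):
            return "ACCEPT", "internal traffic, not crossing the border"
        if not _in_any(src, OUR_PREFIXES):
            return "DROP", "egress: outbound packet with a source we do not own"
        return "ACCEPT", "egress: source is ours"
    return "DROP", f"unknown interface {pkt.arrived_on!r}"


def filter_packets(packets) -> list:
    """Apply the verdict to a batch; returns (packet, action, reason) triples."""
    return [(p, *anti_spoof_verdict(p)) for p in packets]


# Constructed sample traffic (192.0.2.0/24 and 198.51.100.0/24 stand in for
# arbitrary Internet hosts).
SAMPLE = [
    Packet("192.0.2.44", "203.0.113.10", "outside"),    # ordinary inbound
    Packet("203.0.113.7", "203.0.113.10", "outside"),   # spoofed as internal
    Packet("10.0.0.9", "203.0.113.10", "outside"),      # bogon source
    Packet("203.0.113.7", "198.51.100.3", "inside"),    # ordinary outbound
    Packet("192.0.2.250", "198.51.100.3", "inside"),    # our host spoofing
    Packet("203.0.113.7", "203.0.113.12", "inside"),    # stays internal
]

if __name__ == "__main__":
    for pkt, action, reason in filter_packets(SAMPLE):
        print(f"{action:6s} {pkt.src:>15s} -> {pkt.dst:<15s} via {pkt.arrived_on:7s} ({reason})")
```

The ingress rule depends entirely on `OUR_PREFIXES` being accurate, which is the caveat in the list above: if the prefix list is stale, legitimate traffic from a newly allocated range is dropped, and if it is incomplete, spoofed traffic slips through. Keep it in the same place as the routing configuration so the two cannot drift apart.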
Distributed Denial of Service (DDoS)
Distributed Denial of Service (DDoS) attacks are one of the most common threats to networks.
- The goal of a DDoS attack is to deny legitimate users access to the servers which host your web application.
- Common types of DDoS attacks include packet floods (SYN, UDP and ICMP floods) and floods that exhaust a service's buffers or connection tables rather than the link itself.
- They are designed to overwhelm a target system or network by flooding it with a massive volume of traffic from many sources at once.
- This disrupts network services and causes outages.
- Other denial of service attacks rely on specific flaws in applications and operating systems, such as the teardrop attack, which sends overlapping IP fragments and could crash some older operating systems.
- The best countermeasures against DDoS attacks are:
- Properly configured routers, firewalls, and switches.
- Keeping the operating systems, services and applications on the network updated with the latest security patches.
- Use dedicated DDoS mitigation services or hardware appliances that can detect and absorb volumetric, protocol and application-layer attacks.
- Continuously monitor network traffic for abnormal patterns or sudden spikes in traffic volume, and take appropriate actions based on predefined policies.
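The monitoring step in the last bullet can be shown end to end on a small scale. The code below is an added example, not from the original page: it generates a constructed per-packet flow log (ten seconds of ordinary traffic from three clients, then ten seconds of half-open SYNs from fifty sources), buckets it into fixed windows and flags a window as a flood when its packet count spikes against a baseline learned from clean windows, when nearly every packet is a bare SYN, or when the traffic comes from an unusually large number of distinct sources. The log format, the thresholds and the source addresses are all assumptions for the demonstration.

```python
from collections import Counter, defaultdict


def make_sample_log() -> str:
    """Constructed flow records, one per packet, in the assumed format
    '<unix_ts> <src> <dst> <dport> <tcp_flags> <bytes>'. Ten seconds of
    ordinary traffic from three clients, then ten seconds of half-open SYNs
    from fifty sources. Not a real capture."""
    lines = []
    clients = ("192.0.2.10", "192.0.2.11", "198.51.100.7")
    for t in range(0, 10):
        for i, src in enumerate(clients):
            flags = "S" if t % 5 == i else "A"  # occasional new connection, mostly established
            lines.append(f"{1700000000 + t} {src} 203.0.113.5 443 {flags} 120")
    for t in range(10, 20):
        for i in range(50):
            lines.append(f"{1700000000 + t} 192.0.2.{100 + i} 203.0.113.5 443 S 60")
    return "\n".join(lines)


def parse_flows(text: str) -> list:
    """Parse the assumed log format into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, flags, size = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst, "dport": int(dport),
                      "flags": flags, "bytes": int(size)})
    return flows


def analyze(text: str, window: int = 10, spike_factor: float = 5.0,
            syn_ratio: float = 0.9, min_packets: int = 50, min_sources: int = 20) -> list:
    """Bucket packets into fixed windows and flag the ones that look like a
    flood. The baseline is learned only from windows that raised no alert,
    so the attack itself does not drag the baseline up."""
    buckets = defaultdict(list)
    for rec in parse_flows(text):
        buckets[rec["ts"] // window].append(rec)

    alerts, baseline = [], None
    for key in sorted(buckets):
        recs = buckets[key]
        total = len(recs)
        syn_only = sum(1 for r in recs if r["flags"] == "S")
        sources = Counter(r["src"] for r in recs)
        reasons = []
        if baseline is not None and total >= spike_factor * baseline:
            reasons.append(f"volume spike: {total} pkts vs baseline {baseline:.0f}")
        if total >= min_packets and syn_only / total >= syn_ratio:
            reasons.append(f"SYN flood pattern: {syn_only}/{total} packets are bare SYNs")
        if len(sources) >= min_sources:
            reasons.append(f"distributed: {len(sources)} distinct sources")
        if reasons:
            alerts.append({
                "window_start": key * window,
                "packets": total,
                "distinct_sources": len(sources),
                "top_sources": sources.most_common(3),  # candidates for rate limiting
                "reasons": reasons,
            })
        else:
            baseline = total if baseline is None else (baseline + total) / 2
    return alerts


if __name__ == "__main__":
    for alert in analyze(make_sample_log()):
        print(alert)
```

The first window trains the baseline and raises nothing; the second trips all three detectors at once. The `top_sources` field is there for the "predefined policies" part of the bullet: against a handful of noisy sources a per-source rate limit is enough, but when the alert also says `distributed`, per-source blocking will not keep up and the response has to move to upstream mitigation.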
Best Practices for Router, Firewall, and Switch Configurations
Router Security
- Router operating system is up to date on all security patches
- Unused ports are blocked
- Unused interfaces and services are disabled
- Logging is enabled and auditing of unusual activity occurs
- Packet filtering is enabled
Firewall Security
- Firewall software is up to date on all security patches
- Firewalls are placed between every untrusted network and the networks it must not reach directly
- Logging is enabled and auditing of unusual activity occurs
- Packet filtering is enabled
Switch Security
- Switch software is up to date on all security patches
- Unused interfaces and services are disabled
- Management access to the switch uses encrypted protocols (SSH, HTTPS, SNMPv3) rather than Telnet, HTTP or SNMPv1/v2c; where the hardware supports it, MACsec can encrypt traffic on individual links
To Recap
To counter network layer security threats, implementing these best practices and security measures mitigates risk. Making a system’s first line of defense, the network layer, secure against external threats such as information gathering, network sniffing, spoofing and DDoS is essential. Securing the router, firewall and switch are the fundamental steps, and they deliver results.