Securing the Network Layer Against Malicious Attacks

A secure network is a web application’s first line of defense against malicious attacks. It is the gateway to the servers where your application resides. Securing the network layer lets you block a large share of attacks at that outermost layer, before they ever reach the application or the hosts it runs on.

Common network level threats include information gathering, sniffing, spoofing and denial of service (DoS).

Information Gathering

The information gathering threat involves attackers attempting to learn about your systems (what is running, where, and in which version) so they can pick an exploit that is known to work against it.

  • For example, attackers may scan your ports looking for open ports, which may allow them to gather information about software and operating systems running on your network, as well as the specific versions being run.
  • If you happen to be running a version of an application or operating system with a known exploit and an attacker discovers this, expect the attacker to mount an attack using that information.
  • Best practice countermeasures include:
    • Use a firewall to block services which should not be publicly exposed.
    • When services must be exposed, use generic service banners which give away as little information about the service as possible.  For example, a default Apache install answers with "Server: Apache/2.4.18 (Ubuntu)", which reveals the product, the exact version and the operating system.  Setting "ServerTokens Prod" (and "ServerSignature Off") reduces this to "Server: Apache"; a fully custom banner such as "Server: my_server" needs a module that rewrites the header (for example mod_security's "SecServerSignature"), because stock Apache will not drop its own product name.
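The banner check described above, as an added example (not code from the original article): it starts two throwaway HTTP servers on localhost (constructed fixtures, standing in for a verbose and a hardened web server), grabs their Server header the way a port scanner would, and flags any banner that discloses a version or operating system. The regex-based "leak" heuristic and the test banners are assumptions for the demo.

```python
"""Banner check: does an exposed HTTP service reveal what it is running?

Added example, not the article's code. Two local HTTP servers are started as
constructed fixtures, one with a verbose banner and one with a generic one;
grab_server_header() fetches the banner over a real socket, and
banner_leaks_version() decides whether it gives away a version or OS.
"""
import re
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Anything like "Apache/2.4.18" or "nginx/1.18.0" is a version disclosure;
# a parenthesised suffix such as "(Ubuntu)" is an OS disclosure.
VERSION_RE = re.compile(r"/\d+(\.\d+)+")


def banner_leaks_version(server_header: str) -> bool:
    """True if the Server header discloses a product version or an OS."""
    return bool(VERSION_RE.search(server_header)) or "(" in server_header


def grab_server_header(host: str, port: int, timeout: float = 2.0) -> str:
    """Send a minimal HEAD request and return the Server header ('' if absent)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    for line in raw.decode(errors="replace").split("\r\n"):
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return ""


def _make_handler(server_banner: str):
    """Request handler whose Server header is exactly server_banner."""
    class Handler(BaseHTTPRequestHandler):
        def version_string(self):       # http.server uses this for the Server header
            return server_banner

        def do_HEAD(self):
            self.send_response(200)
            self.end_headers()

        def log_message(self, *args):   # keep the fixture quiet
            pass
    return Handler


def start_test_server(server_banner: str) -> HTTPServer:
    """Start a local HTTP server (constructed fixture) on a free port."""
    srv = HTTPServer(("127.0.0.1", 0), _make_handler(server_banner))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def audit_banner(server_banner: str) -> dict:
    """Stand up a server with the banner, grab it over the network, and judge it."""
    srv = start_test_server(server_banner)
    try:
        seen = grab_server_header("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()
    return {"banner": seen, "leaks_version": banner_leaks_version(seen)}


if __name__ == "__main__":
    for banner in ("Apache/2.4.18 (Ubuntu)", "Apache", "my_server"):
        print(audit_banner(banner))
```

Point grab_server_header() at your own externally reachable hosts to check what a scanner learns from them; the heuristic deliberately treats a parenthesised OS name as a leak even when no version number is present.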

Network Sniffing

Network sniffing is simply the act of intercepting and monitoring your network traffic.

  • Attackers will be looking for private information being transmitted in plain-text, clear-text passwords, and weak encryption which can be cracked.
  • The best countermeasures against sniffing are:
    • Keep an inventory of all devices on your network and the software installed on them, and follow up on any unknown equipment you discover; a rogue device plugged into the network is the classic sniffing platform.
    • Use strong, current encryption (TLS, SSH, IPsec) on any traffic that needs to be private, even on internal network connections.
    • Always assume that your network traffic is being intercepted by malicious parties and secure it based on that assumption.
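What an attacker with a sniffer actually sees, as an added example (not code from the original article): a small parser for Ethernet/IPv4/TCP frames that scans the TCP payload for credentials sent in the clear (HTTP Basic authentication and FTP USER/PASS). The frames are constructed inline, not a real capture; the addresses, ports and credentials are made-up demo values. Run over a TLS record the same scanner finds nothing, which is the reason for encrypting even internal traffic.

```python
"""What a sniffer sees: cleartext credentials pulled out of captured packets.

Added example, not the article's code. The frames are built inline
(constructed, not a real capture). parse_frame() walks Ethernet -> IPv4 -> TCP;
find_cleartext_credentials() scans the payload for HTTP Basic and FTP logins.
"""
import base64
import re
import struct

BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)
FTP_RE = re.compile(rb"^(USER|PASS)\s+(\S+)", re.I | re.M)


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/TCP headers; return addresses, ports and the TCP payload."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ip[9] != 6:
        raise ValueError("not TCP")
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]             # drop any Ethernet padding after the datagram
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4       # TCP header length in bytes
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "payload": tcp[data_off:]}


def find_cleartext_credentials(payload: bytes) -> list:
    """Return (protocol, username, password) tuples found in a cleartext payload."""
    found = []
    for token in BASIC_RE.findall(payload):
        try:
            user, _, pw = base64.b64decode(token, validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            continue
        found.append(("http-basic", user, pw))
    # FTP sends USER and PASS as separate commands; here both sit in one payload for brevity.
    ftp = {cmd.decode().upper(): arg.decode(errors="replace")
           for cmd, arg in FTP_RE.findall(payload)}
    if ftp:
        found.append(("ftp", ftp.get("USER", ""), ftp.get("PASS", "")))
    return found


def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left zero; for parsing, not sending)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


# Constructed "capture": one internal client talking to three internal servers.
CAPTURED_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.20", 51000, 80,
                b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                + base64.b64encode(b"alice:Winter2024!") + b"\r\n\r\n"),
    build_frame("10.0.0.5", "10.0.0.21", 51001, 21, b"USER bob\r\nPASS hunter2\r\n"),
    # TLS application-data record: only ciphertext is visible (constructed bytes).
    build_frame("10.0.0.5", "10.0.0.22", 51002, 443, b"\x17\x03\x03\x00\x20" + bytes(range(32))),
]


def sniff(frames) -> list:
    """Run the scanner over captured frames and report every cleartext credential."""
    report = []
    for frame in frames:
        pkt = parse_frame(frame)
        for proto, user, pw in find_cleartext_credentials(pkt["payload"]):
            report.append({"flow": f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}",
                           "protocol": proto, "user": user, "password": pw})
    return report


if __name__ == "__main__":
    for hit in sniff(CAPTURED_FRAMES):
        print(hit)
```

The same parser can be fed real frames from a pcap reader; the credential patterns are the first things a commodity sniffer looks for, and Basic authentication is only "encoded", not encrypted, so the password is recovered in full.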

Spoofing

Spoofing is the act of forging the source address of packets so that they appear to come from a different host or network than the one that actually sent them.

  • Spoofed packets may be used for purposes such as hiding the identity of denial of service attacks or assuming the identity of sources which have access to private areas of your network.
  • Spoofing countermeasures include:
    • Ingress filtering (dropping packets that arrive on an interface carrying a source address that could not legitimately have come from that direction).
      • Ingress filtering only works if you know which address ranges should originate from a given network.
      • It is most commonly used at the border to drop packets arriving from the Internet that carry source addresses belonging to your internal network, or to private and otherwise unroutable ranges.
    • Egress filtering (dropping outbound packets whose source address is not in your own address space, so that compromised hosts on your network cannot launch spoofed attacks against others; stricter deployments also restrict outbound traffic to a tightly controlled whitelist of destinations).
      • Egress filtering takes more configuration effort and is therefore less common, but both directions are the standard recommendation of BCP 38 (RFC 2827).
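The ingress and egress checks above, written out as a testable policy function (added example, not code from the original article). The interface names "external" and "internal", the internal prefixes and the sample packets are assumptions for the demo; on real equipment the same policy is a router ACL, a unicast reverse-path check, or the iptables rules the block renders at the end.

```python
"""Anti-spoofing ingress/egress filter expressed as a testable policy function.

Added example, not the article's code. Interface names, internal prefixes
and sample packets are assumed for the demo. Ingress filtering drops packets
arriving from outside that claim an inside (or unroutable) source address;
egress filtering drops packets leaving with a source address we do not own.
"""
import ipaddress

# Address space this network owns (assumed for the demo).
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.1.0/24")]
# Source ranges that should never arrive from the Internet: "this network",
# private (RFC 1918), loopback, link-local and multicast.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def _in_any(addr, prefixes) -> bool:
    return any(addr in p for p in prefixes)


def filter_packet(iface: str, direction: str, src: str) -> tuple:
    """Decide ('accept'|'drop', reason) for a packet by interface, direction and source."""
    s = ipaddress.ip_address(src)
    if iface == "external" and direction == "in":
        if _in_any(s, INTERNAL_PREFIXES):
            return "drop", "ingress: our own address space arriving from outside"
        if _in_any(s, BOGON_PREFIXES):
            return "drop", "ingress: unroutable (bogon) source address"
    elif iface == "external" and direction == "out":
        if not _in_any(s, INTERNAL_PREFIXES):
            return "drop", "egress: source address we do not own"
    elif iface == "internal" and direction == "in":
        # Same check where the packet enters the router from the LAN; this is
        # what Linux rp_filter or Cisco uRPF (ip verify unicast source reachable-via rx) do.
        if not _in_any(s, INTERNAL_PREFIXES):
            return "drop", "egress: inside host forging a foreign source address"
    return "accept", "ok"


def as_iptables(ext_iface: str = "eth0") -> list:
    """Render the external-interface half of the policy as iptables FORWARD rules."""
    rules = [f"iptables -A FORWARD -i {ext_iface} -s {p} -j DROP" for p in BOGON_PREFIXES]
    rules += [f"iptables -A FORWARD -o {ext_iface} -s {p} -j ACCEPT" for p in INTERNAL_PREFIXES]
    rules.append(f"iptables -A FORWARD -o {ext_iface} -j DROP")
    return rules


# Constructed test traffic; 198.51.100.0/24 and 203.0.113.0/24 are documentation
# ranges standing in for "the Internet".
SAMPLE_PACKETS = [
    ("external", "in", "10.0.0.9"),        # spoofed internal source from outside
    ("external", "in", "127.0.0.1"),       # loopback source from outside
    ("external", "in", "198.51.100.7"),    # ordinary Internet client
    ("external", "out", "10.0.0.9"),       # our host talking out
    ("external", "out", "203.0.113.44"),   # our host spoofing someone else
    ("internal", "in", "203.0.113.44"),    # the same spoof caught at the LAN edge
]


def evaluate(packets) -> list:
    """Apply the policy to each (iface, direction, src) and append the verdict."""
    return [(iface, direction, src, *filter_packet(iface, direction, src))
            for iface, direction, src in packets]


if __name__ == "__main__":
    for row in evaluate(SAMPLE_PACKETS):
        print(row)
    print("\n".join(as_iptables()))
```

Note that the external inbound rule needs no explicit "accept": anything not in the bogon list is routable and passes to the normal firewall policy, whereas the outbound side is a whitelist of our own prefixes followed by a default drop.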

Denial of Service (DoS)

Denial of Service (DoS) attacks are one of the most basic and most prolific threats to networks.

  • Since the second half of 2010, DoS has been the most common attack in the United States.
  • The goal of a DoS attack is to deny legitimate users from accessing the servers which host your web application.
  • Common types of DoS attacks include packet floods (such as SYN floods, which exhaust a server's table of half-open connections) and attacks that crash or hang a service, for example by triggering a buffer overflow in it.
  • Other types of DoS attacks rely on specific flaws in various applications and operating systems, such as the teardrop attack, which sent overlapping IP fragments that crashed some older operating systems.
  • The best countermeasures against DoS attacks are:
    • Properly configured routers, firewalls, and switches.
    • Keeping the operating systems, services and applications on the network updated with the latest security patches.
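Detecting the packet-flood case on your own firewall logs, as an added example (not code from the original article): a SYN-flood detector that parses log lines in the style of an iptables LOG rule and reports any source whose rate of new connection attempts crosses a threshold within a sliding window, and any destination port whose aggregate rate crosses it even when no single source does (a distributed flood). The log lines are constructed inline, not a real capture; the window and threshold values are assumptions to tune for your own traffic.

```python
"""SYN-flood detection over firewall log lines.

Added example, not the article's code. The log lines are constructed inline in
the style of an iptables LOG rule; window and threshold are assumed values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=TCP .*?DPT=(?P<dpt>\d+) .*?\bSYN\b")


def parse_line(line: str):
    """Return (timestamp, src, dst, dport) for a TCP SYN log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # year-less syslog stamp
    return ts, m["src"], m["dst"], int(m["dpt"])


def peak_rate(timestamps, window: int) -> int:
    """Largest number of events falling inside any `window`-second span."""
    q, best = deque(), 0
    for t in sorted(timestamps):
        q.append(t)
        while (t - q[0]).total_seconds() >= window:
            q.popleft()
        best = max(best, len(q))
    return best


def detect_syn_flood(lines, window: int = 10, threshold: int = 100) -> dict:
    """Report sources and destination ports whose SYN rate exceeds the threshold."""
    by_src, by_target = defaultdict(list), defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        by_src[src].append(ts)
        by_target[f"{dst}:{dport}"].append(ts)
    src_rates = {s: peak_rate(t, window) for s, t in by_src.items()}
    target_rates = {k: peak_rate(t, window) for k, t in by_target.items()}
    return {
        "flooding_sources": {s: r for s, r in src_rates.items() if r > threshold},
        "flooded_targets": {k: r for k, r in target_rates.items() if r > threshold},
    }


def make_log(src, second, dport=80, dst="203.0.113.10", spt=40000):
    """Constructed iptables-style LOG line for an inbound SYN (not a real capture)."""
    return (f"Jan 10 12:00:{second:02d} fw kernel: IN=eth0 OUT= SRC={src} DST={dst} "
            f"LEN=60 TTL=64 PROTO=TCP SPT={spt} DPT={dport} WINDOW=65535 RES=0x00 SYN URGP=0")


# Constructed sample: one source sends 150 SYNs in 3 seconds, two legitimate
# clients open a few connections each, and 60 sources send 3 SYNs apiece at
# port 443 (a distributed flood that no per-source rule would catch).
SAMPLE_LOG = (
    [make_log("198.51.100.7", s % 3, spt=40000 + s) for s in range(150)]
    + [make_log("192.0.2.10", s * 5, spt=50000 + s) for s in range(4)]
    + [make_log("192.0.2.11", s * 7, spt=51000 + s) for s in range(3)]
    + [make_log(f"198.51.100.{100 + i}", s, dport=443) for i in range(60) for s in range(3)]
)


if __name__ == "__main__":
    print(detect_syn_flood(SAMPLE_LOG))
```

On a real firewall the matching rule is something like "iptables -A INPUT -p tcp --syn -j LOG", and the offenders this reports are candidates for a temporary drop rule or for SYN cookies on the target; the aggregate per-target view is what tells you a distributed flood from the same spike seen from a single source.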

Best Practices for Router, Firewall, and Switch Configurations

Router Security

  • Router operating system is up to date on all security patches
  • Unused ports are blocked
  • Unused interfaces and services are disabled
  • Logging is enabled and auditing of unusual activity occurs
  • Packet filtering is enabled
  • Intrusion Detection and Prevention features are enabled

Firewall Security

  • Firewall software is up to date on all security patches
  • Firewalls are placed at every boundary between a trusted network and an untrusted one (the Internet, partner links, guest and lab networks)
  • Logging is enabled and auditing of unusual activity occurs
  • Packet filtering is enabled

Switch Security

  • Switch software is up to date on all security patches
  • Unused interfaces and services are disabled
  • Management access to the switch uses encrypted protocols (SSH and HTTPS rather than Telnet and HTTP)

To Recap

Making a system’s first line of defense, the network layer, secure against potential external threats like Information Gathering, Network Sniffing, Spoofing and DoS threats is essential. Securing the router, firewall, and switch are fundamental steps that deliver results.
