Everything Is a Target

As a designer of secure networks, one of the first things you must consider is the vast interdependency of today's larger networks. The Internet is the best example, but within each organization there exists a microcosm of the Internet. From an attacker's perspective, these interdependencies allow for the attacker's goals to be met in any number of ways.

As an example, assume an attacker wants to bring down your website. The following list outlines the attacker's options:

• Find an application or OS vulnerability on your system, exploit it to gain root privileges, and then simply take the server offline or modify its content.
• Send your web server some type of directed denial of service (DoS), such as a TCP SYN flood, designed to exhaust resources on the server and cause it to be nonresponsive.
• Send at your Internet connection a DDoS attack designed to consume all available bandwidth and thus prevent legitimate users from accessing the server.
• Send to a router or firewall crafted packets designed to cause these devices to process useless data at the expense of legitimate traffic.
• Compromise your Domain Name System (DNS) server or the DNS server of your Internet service provider (ISP) and change the name record to point to another server hosting bogus content.
• Compromise another server on the same subnet as your web server and launch an Address Resolution Protocol (ARP) spoofing attack that either denies service to all web requests or acts as a man-in-the-middle (MITM) attack that modifies content before it leaves for its intended host.
• Compromise the Ethernet switch providing network connectivity to the server and disable the port.
• Inject or modify routing information with your ISP to cause queries to your IP subnet to be directed to another location.

The list of options that an attacker has goes on and on. In the preceding example, the attacker has several target options, as follows:

• Code security of applications and the operating system
• DoS resilience of applications and the operating system
• Internet bandwidth
• Routers or other Layer 3 (L3) devices
• DNS redirection
• TCP/IP protocol suite
• Layer 2 (L2) devices
• Routing protocols

You could generate a list like this for every network-connected device anywhere in the world: end stations, servers, wireless LAN access points (WLAN APs), routers, operating systems, switches, firewalls, the network medium, applications, load balancers, personal digital assistants (PDAs), cell phones, and so on. Everything is a target.

Many security deployments are overly concerned with protecting servers without spending much energy protecting the rest of the network. Although there is no doubt that Internet-reachable servers (such as the web server example) are one of the highest-profile targets, focusing on protecting only those systems will leave your design lacking in many areas. Which of the following attacks would you consider more damaging to your enterprise?

1. Your website is defaced with inappropriate material, and this event makes news headlines around the world.
2. Your CEO's e-mail is compromised by an internal employee who then learns about an acquisition plan that has not been made public. After obtaining further details by hacking into your voice-mail system, the employee profits from the information (as do the employee's coworkers), and your company is investigated for insider trading one month later.

Number 2 clearly has the biggest impact on the organization. In addition, worrying mostly about your servers implies that that's where most of the good stuff is. With today's mobile workforce, portable computers can contain critical organization information, just like a server can. In addition, portable computers are generally much easier for an attacker to compromise. When you stop to consider the different ways in which an attacker can gain access to your network, it can be very daunting. You, as the security architect, must devise a way to protect every system you have in your organization, whereas an attacker must simply find one where you messed up. As you will see in Chapter 2, having a good security policy can help guide you down the path of worrying about the right things, in the right amounts.