
Strategies for Network Intrusion Detection

Posted by QuoteColo on August 04, 2015 - Updated on April 12, 2016

For the network admin, fighting network intrusion can prove to be a full time job. With more and more malevolent actors operating on the edges of the Internet, fighting against network intrusion is a pain in the butt. Due to this, we are going to use this space to spell out some quick tips for fighting against network intrusion that you can implement in your daily routine.

1. Fight Proactively

First things first, the single best defense against network intrusion is proactive network management. By proactive network management we mean two things: establishing trusted daily network and hardware monitoring and continually keeping up-to-date with new forms of SQL injections, DDoS attacks, IP spoofing, application layer attacks and password-based attacks.

The first part of the plan is to deploy network monitoring software that you trust, that watches the network continuously (daily, hourly and minute-by-minute), and that you keep current with the latest patches. While you could write your own network monitoring protocols, the better bet is to apply established network monitoring tools to your network, tune them to meet your needs and stay on top of software updates.

Some of the best network monitoring tools on the market today are GFI LanGuard, SysAid, IPHost Network Monitor, Paessler, ManageEngine and LogicMonitor. A key to using these technologies is understanding the difference between a general network monitoring solution and a dual-layer monitor which covers both overall network security and the security of each individual piece of hardware.

A good network monitoring solution will have key functionality focusing on fault management, configuration management, accounting management, performance management and security management. Drilling down, these tools will arm you with alarm filtering, a range of high-end network diagnostic tests, error logging, CPU load data and bandwidth utilization data, to name a few.

Getting more granular, a good network monitoring solution will also offer hardware monitoring. While the software monitors the entire network, it also applies the same stringent tests to network hardware to ensure switches, ports, nodes, hypervisors and servers aren’t individually compromised from a leaked IP address.

The first and best thing you can do for your network is to deploy a solid networking management tool which you constantly monitor and define rules for.

2. Protect Against SQL Injections

SQL Injections are yesterday’s news, right? Wrong. According to a November 2014 study, roughly 97% of all data breaches worldwide involved SQL injections at some point. Now, although SQL injections have been a prime mover of network intrusions for the better part of ten years, the strategies for fighting them are constantly evolving. Here is how you do it:

  1. All code that talks to the SQL engine must be validated. All code must abide by strict guidelines and protocols that require parameterized queries for all SQL input. Another way of saying this: to guard against injections, make sure every query keeps the user-supplied data and the executable SQL code away from one another. Like two children fighting, keep them apart to prevent further problems.
  2. All databases, all applications and all software must be kept fully patched and current. There is no excuse for running behind on patching a database or an application when your job is network administrator. With most companies putting out free patches for all network monitoring solutions, if you choose not to install those patches and a SQL injection occurs on your watch, you have no one to blame but yourself.

[Chart: SQL Injection Threat Study, via securityaffairs.co]

  3. Utilize a web application firewall. This is another reason you have no excuse if your network gets hit by a SQL injection. Free web application firewalls like ModSecurity and paid-for WAFs like Barracuda work around the clock to protect your network against SQL injections, DDoS attacks and many other forms of automated and targeted attacks on your network or on a single device. Download a free WAF or purchase one. Don’t be a fool.
  4. Filter all user data. In an ideal world, all data passing through your network should be filtered to prevent anything funny from slipping in or out. A typical example is accepting phone-number fields only when they contain numerals and dashes/periods, i.e. the characters that actually make up a phone number. The same kind of allowlist filtering should take place for all data passing in and out of your network. If an email address comes into your network that looks like jedd#*&^345@outlook##.org, something is wrong.
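As an added illustration of steps 1 and 4 above (this is example code, not code from the original post), the following Python script contrasts a lookup that splices user input into the SQL text with a parameterized lookup, and adds the allowlist-style field checks the post describes. The in-memory table, its rows and the test inputs are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data: an in-memory table standing in for a real customer database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "206-555-0100"), (2, "bob", "206.555.0101")])
    conn.commit()
    return conn

def lookup_vulnerable(conn, name):
    # Data and code are mixed: the input is spliced into the SQL text, so a
    # quote character in it changes the structure of the query itself.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    # The value travels separately from the statement; the engine never
    # parses it as SQL, whatever characters it contains.
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

# Allowlist filters in the spirit of step 4: accept only the characters that
# legitimately make up the field and reject everything else before it reaches SQL.
PHONE_RE = re.compile(r"[0-9][0-9.\-]{6,19}")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}")

def is_valid_phone(value):
    return PHONE_RE.fullmatch(value) is not None

def is_valid_email(value):
    return EMAIL_RE.fullmatch(value) is not None

def demo():
    # Same two inputs against both lookups: a normal name and a quote-bearing
    # test string that makes the unparameterized WHERE clause always true.
    conn = make_db()
    normal = "alice"
    quoted = "' OR '1'='1"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_quoted": lookup_vulnerable(conn, quoted),
        "safe_normal": lookup_parameterized(conn, normal),
        "safe_quoted": lookup_parameterized(conn, quoted),
    }
```

Running `demo()` shows the spliced query returning every row for the quoted input while the parameterized query returns nothing, which is exactly the separation step 1 asks for.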

SQL injection attacks have been around for a while. They are relatively easy to detect, prevent and fight. Don’t make the mistake of not protecting your network against them.

3. User Passwords Matter, Network Configurations Matter, Cross Referencing Matters

Part of your job as a network admin is to protect the network against every type of threat, external and internal. When it comes to internal network threats, there is no bigger threat or misstep to overlook than user passwords. A typical password-based attack preys on older applications that do not protect the identity (ID and password) of a user while it passes through your network for validation. By not protecting the identity, those details are vulnerable to outside access. Once that data is compromised, an outside source has the same user rights as an employee in your company.

We don’t have to tell you, but this could spell big problems.

This said, to fight password-based attacks, follow these steps:

  1. Always modify password data. Even though your employees might get annoyed that they have to come up with and remember a new password every 30 days, do it anyway. Modify, change and redefine passwords in a routine manner.
  2. Always keep lists of valid credentials across the network. Keep that list in a secured database. Set up a monitoring tool which scans valid credentials, cross-references them against your established list and flags any credentials which do not match.
  3. Much like switching password credentials on a monthly basis, do the same with server and network configurations. Routinely change server and network configurations. Again, much like changing user login credentials, do not rotate back through previous network configurations. Always make them different.


4. Deny Man in the Middle Attacks

Ever feel like someone is listening to your conversation while talking to a friend on the phone? No, it isn’t the NSA (well, maybe, it is). Much like the feeling of being snooped upon by another, a man in the middle attack takes place when someone gets between your network and who you are communicating with to capture and control all communication.

Here are some tips for defending against man in the middle attacks:

  1. Check all user credentials. Change passwords routinely. Always keep user credentials fresh and in a secure database outside of the network or behind multiple layers of security.
  2. Keep up-to-date with encryption and authentication. The basic concept behind a man in the middle attack is a third party impersonating each communication endpoint without being noticed by either end. A good way to protect against this type of attack is to make sure both sides maintain a current SSL certificate and actually validate the other side’s certificate. Other ways to protect against man in the middle are to use a point-to-point VPN connection, an encrypting proxy server, or to route communication through an SSH SOCKS tunnel.


5. Don’t Be Stupid

This one might seem flippant, but it isn’t. As a network admin, your job is to keep potentially malicious websites and traffic off of your network. For this reason, if something feels like a threat or feels like it could become a threat, kill it from your network.

Case in point, if you are a hosting company with a website on your network which seems malicious, kill it. Don’t be stupid. If something feels off, act quickly.

Fighting against network intrusion isn’t that hard these days. With the plethora of tools available on the web to keep your network clean and with these aforementioned Seattle colocation tips, you should be just fine.
