Securing the Network Layer

A secure network is a web application’s first line of defense against malicious attacks. It is the gateway to the servers where your application resides. Securing the network layer is the only way to ensure your application is not flooded with attacks which could be easily blocked at that outermost layer. Common network level threats include information gathering, sniffing, spoofing and denial of service (DoS).

The information gathering threat involves attackers attempting to learn about your system in ways that may reveal known exploits and other vulnerabilities. For example, attackers may scan for open ports, which may allow them to gather information about the software and operating systems running on your network, including the specific versions in use. If you happen to be running a version of an application or operating system with a known exploit and an attacker discovers this, expect the attacker to mount an attack using that information. Best practice countermeasures include using a firewall to block services which should not be publicly exposed, and, when services must be exposed, using generic service banners which give away as little information about the service as possible.

Network sniffing is simply the act of intercepting and monitoring your network traffic. Attackers will be looking for private information transmitted in plain text, clear-text passwords, and weak encryption which can be cracked. The best countermeasures against sniffing are encryption and preventing unauthorized sniffing devices from operating within the network. Monitor all devices on your network and the software installed on them. Use strong encryption on any traffic that needs to be private. Always assume that your network traffic is being intercepted by malicious parties and secure it based on that assumption.

Spoofing is the act of forging the source identity of packets. Spoofed packets may be used for purposes such as hiding the origin of denial of service attacks or assuming the identity of sources which have access to private areas of your network. Spoofing countermeasures include ingress filtering (dropping packets arriving from a network which should not be sending packets with that source IP) and egress filtering (denying any outbound packets from the network which are not on a tightly controlled whitelist). Ingress filtering only works if you know which IP addresses should originate from a given network. It is most commonly used to eliminate packets from outside networks masquerading as IP addresses which originate from within your network. Egress filtering requires additional network configuration work and is therefore only common on large networks with high security requirements.
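The ingress and egress rules described above, expressed as a filtering policy checked against constructed sample packets. This is an added illustration, not code from the original article; the address ranges, the egress whitelist and the Packet fields are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed network layout for this example (assumed, not from the article):
# 192.0.2.0/24 is our own address space; the bogon list covers ranges that
# must never arrive from the public internet as a source address.
INTERNAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]
# Egress whitelist: (internal source host, destination port) pairs allowed out.
EGRESS_WHITELIST = {("192.0.2.10", 443), ("192.0.2.10", 53)}

@dataclass
class Packet:
    direction: str  # "in" = arriving on the external interface, "out" = leaving
    src: str
    dst: str
    dport: int

def ingress_allowed(pkt):
    """Ingress filter: an inbound packet must not claim an internal or bogon source."""
    src = ipaddress.ip_address(pkt.src)
    return not any(src in net for net in INTERNAL_PREFIXES + BOGON_PREFIXES)

def egress_allowed(pkt):
    """Egress filter: outbound traffic must carry one of our own source addresses
    (so the network cannot be used to launch spoofed floods) and be whitelisted."""
    src = ipaddress.ip_address(pkt.src)
    if not any(src in net for net in INTERNAL_PREFIXES):
        return False
    return (pkt.src, pkt.dport) in EGRESS_WHITELIST

def filter_packet(pkt):
    """Return the verdict a border filter would apply to this packet."""
    allowed = ingress_allowed(pkt) if pkt.direction == "in" else egress_allowed(pkt)
    return "ACCEPT" if allowed else "DROP"

# Constructed sample packets: legitimate and spoofed/unauthorised cases per direction.
SAMPLES = [
    Packet("in", "203.0.113.5", "192.0.2.10", 443),    # external client, legitimate
    Packet("in", "192.0.2.99", "192.0.2.10", 22),      # claims an internal source from outside
    Packet("in", "10.1.2.3", "192.0.2.10", 80),        # private-range source from outside
    Packet("out", "192.0.2.10", "198.51.100.7", 443),  # whitelisted outbound HTTPS
    Packet("out", "192.0.2.10", "198.51.100.7", 25),   # internal host, port not whitelisted
    Packet("out", "203.0.113.9", "198.51.100.7", 443), # foreign source leaving our network
]

def run_samples():
    """Apply the policy to every sample packet and return the verdicts in order."""
    return [filter_packet(p) for p in SAMPLES]
```

The second and third inbound samples are exactly the masquerading packets ingress filtering exists to stop, and the last outbound sample is what egress filtering prevents your network from contributing to someone else's flood.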

Denial of Service (DoS) attacks are one of the most basic and most prolific threats to networks. Since the second half of 2010, DoS has been the most common attack in the United States. The goal of a DoS attack is to deny legitimate users from accessing the servers which host your web application. Common types of DoS attacks include packet floods and service buffer overflow attacks. Other types of DoS attacks rely on specific flaws in various applications and operating systems, such as the teardrop attack which can crash some older operating systems. The best countermeasure against DoS attacks is properly configured routers, firewalls and switches, and keeping the operating systems, services and applications on the network updated with the latest security patches.

Best practices for router, firewall and switch configurations include:

Router Security

  • Router operating system is up to date on all security patches
  • Unused ports are blocked
  • Unused interfaces and services are disabled
  • Logging is enabled and auditing of unusual activity occurs
  • Packet filtering is enabled

Firewall Security

  • Firewall software is up to date on all security patches
  • Firewalls are placed between all untrusted networks
  • Logging is enabled and auditing of unusual activity occurs
  • Packet filtering is enabled

Switch Security

  • Switch software is up to date on all security patches
  • Unused interfaces and services are disabled
  • Switch traffic is encrypted