In recent times we have witnessed multiple successful attacks on the network and infrastructure at various large organisations, writes Mugdha Raje, member of the Ethernet Testing and Certification group at AT&T Labs. Attackers routinely target database servers at organisations where information is the key to their business, such as banks and pharmaceutical organisations. Additionally, the network infrastructure itself is targeted at organisations where the network is the key to the business, such as internet service providers and cable service providers.
In either case, the path to an organisation's vulnerabilities usually runs through the network. Having a dedicated test team to conduct daily/nightly network health checks and run some simple test cases can help build strong walls around an organisation's network.
1. Often networks are designed with only the security policies for firewall and routers in mind. These policies get configured and implemented at set-up. As the network grows, new policies are built, but old policies aren't necessarily updated.
2. Network and security engineers are often called upon to "shut down all security policies" during key troubleshooting phases, in the interests of quicker incident resolution, to bring the network back up and running and/or to identify faulty network components. As if this were not enough of a security risk, few remember to turn all the security policies back on after the troubleshooting is completed.
3. Denial of service (DoS) and distributed denial of service (DDoS) attacks are the oldest methods of attacking IP networks. While these methods are well-known and have been studied for years, they remain one of the most effective ways to impact the performance of IP networks or services, or completely restrict access to a network, service, or application for legitimate users.
4. As time passes, the network is not as secure as it was designed to be.
A possible solution
Organisations that change their network topologies on a regular (daily/weekly) basis, either for troubleshooting, testing or outages, or have a complex network design, can benefit greatly from the institution of a test engineer role specific to this purpose.
- The new role would implement simple daily scripts that check the security configuration on all the nodes and, in case of version inconsistencies, update the security configuration to the latest version or send an e-mail informing the supervisor which nodes/firewalls require attention.
- The test engineer could run test cases that determine the degree of degradation that denial of service (DoS) attacks cause on the device, and test application forwarding performance.
- Additionally, the test engineer could determine the impact of network-based attacks on the performance of an application-aware device while processing and forwarding legitimate traffic.
- Another test case could be to run scripts which, using test equipment, send a series of malicious packets, broadcast storms, unwanted protocol packets and packets with very small packet sizes or first fragments, and validate the implementation of firewall and security policies.
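As an added illustration of the daily configuration check in the first bullet (example code, not from the original article), the script below compares each node's policy version and rule set against an approved baseline and builds the e-mail for the supervisor. The node names, rule text, version labels and addresses are constructed sample data, and a real deployment would collect the node state from the devices themselves.

```python
import hashlib
from email.message import EmailMessage

# Constructed sample data: the approved baseline and the state a collector
# might have gathered from each node (names, rules and versions are hypothetical).
BASELINE = {
    "version": "2024.06",
    "rules": ["deny ip any any fragments", "permit tcp any host 10.0.0.5 eq 443", "deny ip any any log"],
}
NODES = {
    "fw-edge-01": {"version": "2024.06", "rules": list(BASELINE["rules"])},
    "fw-edge-02": {"version": "2023.11", "rules": list(BASELINE["rules"])},
    # Same version label, but the final deny was never restored after troubleshooting.
    "rtr-core-01": {"version": "2024.06", "rules": BASELINE["rules"][:2]},
}

def fingerprint(rules):
    """Hash the ordered rule set; whitespace is collapsed so cosmetic edits are ignored."""
    normalized = "\n".join(" ".join(r.split()) for r in rules)
    return hashlib.sha256(normalized.encode()).hexdigest()

def audit(nodes, baseline):
    """Return {node: [findings]} for every node that deviates from the baseline."""
    expected = fingerprint(baseline["rules"])
    findings = {}
    for name, state in sorted(nodes.items()):
        issues = []
        if state["version"] != baseline["version"]:
            issues.append(f"policy version {state['version']} != {baseline['version']}")
        if fingerprint(state["rules"]) != expected:
            missing = [r for r in baseline["rules"] if r not in state["rules"]]
            extra = [r for r in state["rules"] if r not in baseline["rules"]]
            issues.append(f"rule drift: missing={missing} extra={extra}")
        if issues:
            findings[name] = issues
    return findings

def build_report(findings, to_addr="supervisor@example.com"):
    """Build (but do not send) the e-mail listing the nodes that need attention."""
    msg = EmailMessage()
    msg["Subject"] = f"Security config audit: {len(findings)} node(s) need attention"
    msg["To"] = to_addr
    msg["From"] = "netaudit@example.com"
    body = [f"{node}: " + "; ".join(issues) for node, issues in findings.items()]
    msg.set_content("\n".join(body) or "All nodes match the baseline.")
    return msg

if __name__ == "__main__":
    print(build_report(audit(NODES, BASELINE)))
```

Comparing a hash of the rule set as well as the version label catches the case described earlier, where policies are switched off during troubleshooting and never restored while the version label stays the same.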
These tests could be performed using standard off-the-shelf test-set equipment. By running the test cases or scripts, the network team and security team would be in control of the current architecture and could analyse how secure the network is in parallel with their daily activities.
Finally, an added advantage of the test engineer role is that it bridges the gap between the network teams, which primarily deal with the design and implementation of LAN and WAN architecture, and the security teams, which primarily deal with the security policies and devices used to apply constraints and restrictions that prevent misuse of the network. It does so by highlighting network performance over complexity and/or lapses in security policies or filters.
In conclusion, the above recommended role will help solidify the relationship between the test, security and operations teams, and as a result help improve network design and reduce vulnerability.