
Advisory: Perimeter and External Networks

Your organization's network perimeter is made up of the devices and
gateways that connect private networks to the Internet. Perimeter
security is the practice of controlling external access to these
networks and the type of information allowed to be shared on the connection.

Firewalls
Firewalls are the primary and most critical tool protecting your organization's network from unintended access.
Configurations can span from a simple router utilizing access control lists (ACLs) to limit accessing IP
addresses and protocols in pre-approved configurations, to redundant sets of purpose-built hardware meant to
intercept and inspect every packet, file and data object at wire speed and according to complex rule sets.
Firewalls analyze data packets moving in and out of the system, and prevent any unauthorized data transfers
based on pre-set rules. The strictness of these rules will depend on the security needs of the network and can
take two forms: blacklists and whitelists.
Blacklists prevent connections based on a specific list of banned hosts, services and/or applications while
allowing all other data through. Consequently, they must be constantly updated as new threats are discovered,
and they are powerless to protect against threats that have not yet been identified.
Conversely, whitelists block all forms of traffic except those that have been explicitly approved. Thus, whitelists
are an inherently more secure option than blacklists, as any unapproved traffic is dropped, and are the
preferred methodology. Whitelists do require a greater understanding of traffic that must be permitted to
perform business functions, and thus may be outside the capabilities of smaller organizations to fully
implement and manage.
A whitelist approach supplemented with broad blacklists (i.e. blocking entire countries) is a powerful approach,
but each organization must ultimately decide what balance to strike between security and ease-of-use.
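As an added example (not code from the advisory), the following Python evaluates a packet against a blacklist and a whitelist with opposite default policies, and audits rules for the over-broad "Any" attribute that control 01.02 discourages; the rules, addresses and packet are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    src: str         # CIDR network or ANY
    dst: str         # CIDR network or ANY
    proto: str       # "tcp", "udp" or ANY
    dport: object    # port number or ANY
    comment: str = ""


def matches(rule, pkt):
    """True when every attribute of the rule covers the packet (ANY covers all)."""
    def net_ok(field, addr):
        return field == ANY or ip_address(addr) in ip_network(field)
    return (net_ok(rule.src, pkt["src"]) and net_ok(rule.dst, pkt["dst"])
            and rule.proto in (ANY, pkt["proto"])
            and rule.dport in (ANY, pkt["dport"]))


def evaluate(rules, pkt, default):
    """First-match evaluation. 'default' decides the unmatched case: "allow"
    makes the list behave as a blacklist, "deny" makes it a whitelist."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def audit_specificity(rules):
    """Return allow rules whose source AND destination are both ANY; the one
    tolerated exception (control 01.02) is a generic rule for http/https."""
    return [r for r in rules
            if r.action == "allow" and r.src == ANY and r.dst == ANY
            and not (r.proto == "tcp" and r.dport in (80, 443))]


# Constructed rulesets (documentation address ranges only).
BLACKLIST = [Rule("deny", "203.0.113.0/24", ANY, ANY, ANY, "known-bad range")]
WHITELIST = [
    Rule("allow", "192.0.2.0/24", "10.0.0.5/32", "tcp", 443, "partner to web server"),
    Rule("allow", ANY, ANY, "tcp", 443, "generic https (01.02 exception)"),
    Rule("allow", ANY, ANY, "tcp", 3389, "too broad: RDP from anywhere"),
]

# A constructed packet from an unknown host to an internal database port.
UNKNOWN_PKT = {"src": "198.51.100.7", "dst": "10.0.0.9", "proto": "tcp", "dport": 5432}

if __name__ == "__main__":
    print("blacklist verdict:", evaluate(BLACKLIST, UNKNOWN_PKT, default="allow"))
    print("whitelist verdict:", evaluate(WHITELIST, UNKNOWN_PKT, default="deny"))
    for r in audit_specificity(WHITELIST):
        print("over-broad rule:", r.comment)
```

The same unknown packet passes the blacklist (nothing banned it) and is dropped by the whitelist (nothing approved it), which is the asymmetry the text describes.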

Firewall Function
Firewalls are one of the oldest forms of IT network security technology, dating back to the late 1980s, and have
gone through refinement over decades as attackers find new ways to circumvent them. Early firewalls were
only able to separately inspect the header of each packet. Since they did not keep a record of existing
communications between networks, attackers could bypass firewalls by altering header contents to make
messages appear to be part of existing, approved connections. To combat this, stateful firewalls were
introduced. By tracking connections and the packets they send, these firewalls can tell the packet's state, or if
and where the packet belongs in a transmission. Individual packets that are not part of an established
connection, or which have unusual or suspicious headers, are dropped.
However, these firewalls do not inspect what is actually in the packets, so a third firewall type was introduced:
proxies. Proxy firewalls, also known as deep packet inspection firewalls, do not pass data directly; instead they
assemble the information and analyze it. If it meets the firewall's security requirements, the proxy will then
break the information into packets and send it on to the final destination. If properly configured, proxies can
even decrypt traffic to and from the network, making it impossible for users or attackers to hide or disguise their
actions from the firewall. Although proxies are by far the most secure firewall type, they are also the slowest
and most expensive in terms of computing power. They also complicate networks as many devices and
applications must be specifically configured to work correctly with proxies. Deep content inspection is an
evolution of deep packet inspection, expanding review to the entire file or object instead of a collection of
packets in the data stream.
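The stateless-versus-stateful distinction above, as an added Python example that is not part of the advisory: a toy connection tracker that admits inbound TCP segments only when they belong to a connection opened from the trusted side, so a packet whose header merely claims an established session is dropped. Addresses, flag strings and the trusted prefix are constructed; the sequence-number checks real implementations also perform are omitted.

```python
from collections import namedtuple

# flags is a string such as "SYN", "SYN-ACK", "ACK" or "PSH-ACK"
Packet = namedtuple("Packet", "src sport dst dport flags")


class StatefulFilter:
    """Allows connections opened from the trusted side and the replies they
    provoke; everything else inbound is dropped."""

    def __init__(self, trusted_prefix):
        self.trusted_prefix = trusted_prefix   # e.g. "10.0.0."
        self.table = {}                        # (src, sport, dst, dport) -> state

    @staticmethod
    def key(pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def reverse_key(pkt):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt):
        """Return "pass" or "drop" and update the connection table."""
        if pkt.src.startswith(self.trusted_prefix):
            return self._outbound(pkt)
        return self._inbound(pkt)

    def _outbound(self, pkt):
        k = self.key(pkt)
        if pkt.flags == "SYN":                 # new connection from inside
            self.table[k] = "SYN_SENT"
            return "pass"
        state = self.table.get(k)
        if state is None:                      # no handshake on record
            return "drop"
        if state == "SYN_RECV" and pkt.flags == "ACK":
            self.table[k] = "ESTABLISHED"      # third step of the handshake
        return "pass"

    def _inbound(self, pkt):
        k = self.reverse_key(pkt)              # replies flow the other way
        state = self.table.get(k)
        if state is None:                      # unsolicited, or a forged header
            return "drop"
        if state == "SYN_SENT" and pkt.flags == "SYN-ACK":
            self.table[k] = "SYN_RECV"
            return "pass"
        if (state in ("SYN_RECV", "ESTABLISHED")
                and "ACK" in pkt.flags and "SYN" not in pkt.flags):
            return "pass"
        return "drop"


if __name__ == "__main__":
    fw = StatefulFilter("10.0.0.")
    print(fw.process(Packet("10.0.0.5", 50000, "198.51.100.20", 443, "SYN")))
    print(fw.process(Packet("198.51.100.20", 443, "10.0.0.5", 50000, "SYN-ACK")))
    # a stateless header check would pass this; the tracker has no such connection
    print(fw.process(Packet("203.0.113.9", 443, "10.0.0.5", 50001, "ACK")))
```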

Contact us
Phone: 866.290.6774
Email: ahayden@trustcc.com

Resources to protect your networks, and more: www.tagi.wiki

Distributed Denial of Service Attacks

Firewalls can also help protect against attacks designed to overwhelm targets, so-called Denial of Service (DoS)
attacks. Distributed DoS attacks occur when a large number of outside systems start flooding a target network
with connection requests through the Internet. DDoS attackers use botnets, pools of virus-infected computers
controlled by attackers. The owners of machines used in these attacks are typically unaware. Eventually, the
huge number of connection requests overloads the target network's traffic-handling systems. With the traffic
system too busy to respond to legitimate requests, the network is effectively cut off from the Internet, denying
legitimate use.
Firewalls can help prevent DDoS attacks by recognizing and dropping repeated requests. However, botnets
can include millions of hijacked machines, and attackers can sometimes dedicate enough resources to a target
system that they can overwhelm firewall defenses. In the end, the group with the most bandwidth wins.
Organizations should always explore and plan additional countermeasures, such as peering and DDoS
protection services. These services take traffic meant for target sites and redirect it to their own massively
scaled cloud servers when an attack is detected. Using traffic analysis, these services are able to judge which
connections are valid before forwarding them on to the actual site while discarding the attack traffic.

Malware and Virus Protection

Most users are familiar with desktop antivirus software that actively scans data in memory and on disk at the
endpoint device to protect against malware infection. However, those programs only come into play after the
malware has managed to make it past perimeter defenses.
Organizations should invest in solutions that detect and block malware before it can reach hosts on the internal
network. Some firewalls are capable of detecting and blocking malware before it reaches an internal computer.
This class of firewall is commonly known as a unified threat management (UTM) device.
UTM devices primarily use signatures to identify viruses or malware. When a signature is detected, the UTM
drops the data stream and blocks the dangerous content from reaching the endpoint target. This type of
detection is only as good as the signatures it has access to, and, like firewall blacklists, constant updating of
the signature list is vital to ensure maximum network security. It also means that new viruses that do not yet
have signatures can slip through unnoticed.
Alternatively, some solutions will block access to a site based on risk or reputation scores developed through
feedback from customers and sites. This reactive approach must make assumptions about sites and content,
and thus tends to result in false-positive or false-negative site classifications. Like signature-based solutions,
this method cannot quickly identify and block new threats from novel sources.
A new approach unifies firewalls, intrusion detection systems, clients, and other sensors to identify suspicious
activity based on expected or normal network behavior, and then correlates malicious code, exploit URLs, call
back destinations, or traffic profiles as they disrupt typical behavior. The solutions then automatically test and
confirm the malicious behavior, allowing for much more rapid detection, categorization and sharing with
partners.
All publicly accessible ingress and egress points on your network should be protected by an anti-malware
solution as part of your defense in depth strategy, enabling you to block a large amount of risky traffic before it
reaches its target destination. Whenever possible, try and use dissimilar solutions using varying scanning
engines and identification methods to improve detection and blocking.


Content Filtering
By automatically blocking access to phishing websites, websites known to host malicious code, and sites that can
allow access to unauthorized software, content filtering services help reduce the possible attack vectors to your
network and data. They can also inspect and block data received from legitimate websites that may have been
unknowingly compromised by attackers and infected with malicious code, and shut down suspicious or
unauthorized connections.
Like firewalls, content filtering services can use either blacklists or whitelists to control what websites users are
allowed to visit. Given the high rate of change and sheer amount of web content, most solutions receive
regular update feeds from subscription services that continuously track and categorize sites and content.
Basic content filtering solutions simply block all sites for selected content categories, while more advanced
options can scan information using keywords and statistical analysis to ensure compliance with content
blocking rules. These can even run against outbound data streams, ensuring no sensitive or restricted
information is posted to the web, and so provide protection against data leakage as well.
Site blocking can be a contentious issue in any organization, and some users will inevitably feel that any web
filtering is overzealous and restrictive. To help mitigate user complaints and ensure acceptance of content
filtering, roll-outs of new filter rules should always be carefully reviewed beforehand to ensure they meet
corporate guidelines and that they do not block sites that users may have legitimate reasons to visit.
If the content filtering service does block access to a site needed for business operations, the site should be
carefully reviewed and then whitelisted for required personnel if acceptable. Keep in mind, whitelists should be
reviewed regularly to determine if the exception is still appropriate.
In the end, each individual organization must decide what level of web content filtering is appropriate for its
operations, but given that filtering is a crucial tool for network security, it should always be implemented to the
strongest degree that an organization can accept.

Virtual Private Network and Remote Access

Virtual private networks (VPNs) use encryption systems like Internet Protocol Security (IPSec), Secure Sockets
Layer (SSL) and Secure Shell (SSH) to create point-to-point encrypted tunnels through insecure networks
(i.e. the Internet). Using these tunnels, remote users and even entire networks at different physical locations
can be unified to provide what appears to end users to be one seamless organization-wide network.
Before the advent of VPNs, organizations wanting to privately and securely connect remote locations were
forced to run physical cable between geographically distant networks and access points. This was not only
highly cost prohibitive, it was simply logistically infeasible in many situations. VPNs are able to drastically
reduce remote access costs and provide a level of flexibility that previous systems could not provide at any
price.
However, this increased flexibility and improved access comes at the cost of increased risk. While it's
incredibly difficult to infiltrate established encrypted connections and extract any useful data, attackers can
nevertheless target the authentication systems used by VPNs to attempt to forge credentials or circumvent
security to gain network access from anywhere on the planet. Also, keep in mind that if weak encryption or
broken security certificate chains are used, attackers who are able to intercept data may be able to decrypt the
transmissions. VPN security controls should be reviewed regularly to ensure that all systems are appropriate
and up-to-date.
VPNs should always use multi-factor authentication. These factors can be something the user knows (a
password or PIN), something the user has (a token or smartcard) or something the user is (biometrics like
palm prints or retinal scans). In addition, access to the VPN should be limited to only those users with a
legitimate business need, and any access to the network through VPNs should be tracked in security logs.
Both user lists and access logs should be reviewed for anomalies on a regular basis.
One common use of VPN technology is to provide a secure link to a corporate intranet, effectively tunneling
through the firewall to extend the internal network to a remote device like a laptop. In almost all cases, access
to all other networks on the remote device should be effectively disabled when the VPN is active to avoid split
tunneling, as that might enable an attacker on an unauthorized network to bounce through the remote device
and access the private LAN.
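One way to do the access-log review the advisory recommends, as an added Python example (not the advisory's or TrustCC's own tooling): it parses VPN login events and flags logins by users outside the authorised list, from unexpected countries, outside business hours, or preceded by repeated failures. The log format, field names, authorised-user list and thresholds are assumptions; the log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Assumed log format (one event per line); real VPN concentrators differ.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn (?P<event>login|logout) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) geo=(?P<geo>[A-Z]{2}) result=(?P<result>success|failure)$")

AUTHORISED_USERS = {"jsmith", "akumar", "svc-backup"}  # assumed business-need list
EXPECTED_GEO = {"US", "CA"}                             # assumed
BUSINESS_HOURS_UTC = range(6, 21)                       # assumed: 06:00-20:59 UTC
FAILURE_THRESHOLD = 5


def parse(lines):
    """Yield parsed events; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ") \
                .replace(tzinfo=timezone.utc)
            yield ev


def review(lines):
    """Return (reason, user, src) findings an analyst should look at."""
    findings = []
    failures = Counter()
    for ev in parse(lines):
        if ev["event"] != "login":
            continue
        who = (ev["user"], ev["src"])
        if ev["result"] == "failure":
            failures[who] += 1
            continue
        if ev["user"] not in AUTHORISED_USERS:
            findings.append(("user not on authorised VPN list",) + who)
        if ev["geo"] not in EXPECTED_GEO:
            findings.append(("login from unexpected country " + ev["geo"],) + who)
        if ev["ts"].hour not in BUSINESS_HOURS_UTC:
            findings.append(("login outside business hours",) + who)
    for who, n in failures.items():
        if n >= FAILURE_THRESHOLD:
            findings.append((f"{n} failed logins (possible credential guessing)",) + who)
    return findings


# Constructed sample log (documentation addresses only).
SAMPLE_LOG = [
    "2024-03-04T14:02:11Z vpn login user=jsmith src=198.51.100.20 geo=US result=success",
    "2024-03-04T14:40:09Z vpn logout user=jsmith src=198.51.100.20 geo=US result=success",
    "2024-03-04T23:13:55Z vpn login user=akumar src=203.0.113.7 geo=RO result=success",
    "2024-03-04T03:00:01Z vpn login user=bgone src=192.0.2.33 geo=US result=success",
] + [f"2024-03-04T15:10:{s:02d}Z vpn login user=svc-backup src=192.0.2.8 geo=US result=failure"
     for s in range(6)]

if __name__ == "__main__":
    for reason, user, src in review(SAMPLE_LOG):
        print(f"{user:<12} {src:<15} {reason}")
```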

Wireless Access
Like VPNs, wireless access simultaneously increases the convenience and accessibility of a network while
allowing new attack vectors. The vast majority of wireless systems today use Wi-Fi (IEEE 802.11 standard) to
provide local access to networks. Wireless systems are not only installed for convenience; they can also
provide cost savings to organizations by allowing the installation of only a few wireless access points instead of
wiring an entire office.
However, wireless systems in the end are just radio wave transmissions and can be received by anyone with
the appropriate antenna. On initial release, Wi-Fi used the Wired Equivalent Privacy (WEP) standard to secure
the transmission, but it was quickly found to have numerous security flaws. Using widely available tools and
off-the-shelf equipment, WEP cyphers can be broken in as little as three minutes and should never be used to
secure networks. WEP's serious flaws led to a stopgap replacement system known as Wi-Fi Protected Access
(WPA) that could replace WEP through a firmware update, but WPA has also been found to have security flaws and has
been superseded by the WPA2 standard utilizing AES encryption (a more secure alternative to WPA's TKIP).
WPA2 using only AES encryption (not AES+TKIP) should always be the security option chosen for your
wireless systems.
However, keep in mind that even WPA2 is not wholly secure and should always be segregated from the
internal network. If wireless access to the internal network is necessary, the use of a VPN to protect the
transmission and multi-factor authentication to validate the endpoint should always be required.
The security of any protocol can be overcome by misconfiguration. The most common failing is the use of an
insufficient access key, making encryption easier to circumvent. The WPA2 standard permits a key of up to 256
bits, allowing for 63 ASCII characters or 64 hexadecimal digits. Use the longest key practical, and one of at
least 32 characters. WPA2-Enterprise integrates with your RADIUS server for centralized authentication
management and is preferred to standard WPA2 as it.
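The key-length rules above, as an added Python example (not from the advisory): it classifies a WPA2 key as a 64-hex-digit raw key or an 8-63 character passphrase, checks it against the advisory's 32-character minimum, and derives the 256-bit PSK the way WPA2-Personal does from a passphrase (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt). The character-class rule is a constructed stand-in for "complex and unpredictable", and the sample keys are constructed.

```python
import hashlib
import re

MIN_POLICY_LENGTH = 32   # the advisory's recommended minimum passphrase length


def classify_key(key):
    """Return "hex" for a raw 256-bit key (64 hex digits), "passphrase" for
    8-63 printable ASCII characters, or None when the key is not valid WPA2."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", key):
        return "hex"
    if 8 <= len(key) <= 63 and all(32 <= ord(c) <= 126 for c in key):
        return "passphrase"
    return None


def check_policy(key):
    """List of problems with the key; an empty list means it is acceptable.
    The character-class rule is a constructed stand-in for the advisory's
    "complex and unpredictable" requirement."""
    kind = classify_key(key)
    if kind is None:
        return ["not a valid WPA2 key (8-63 printable ASCII chars or 64 hex digits)"]
    if kind == "hex":
        return []                 # already a full 256-bit key
    problems = []
    if len(key) < MIN_POLICY_LENGTH:
        problems.append(f"passphrase shorter than policy minimum of {MIN_POLICY_LENGTH}")
    classes = (any(c.islower() for c in key), any(c.isupper() for c in key),
               any(c.isdigit() for c in key), any(not c.isalnum() for c in key))
    if sum(classes) < 3:
        problems.append("passphrase uses fewer than three character classes")
    return problems


def derive_psk(key, ssid):
    """256-bit PSK as 64 hex digits. A hex key is used as-is; a passphrase is
    stretched with PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt, which is
    how WPA/WPA2-Personal turn the passphrase into the pairwise master key."""
    kind = classify_key(key)
    if kind is None:
        raise ValueError("not a valid WPA2 key")
    if kind == "hex":
        return key.lower()
    return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"), ssid.encode("utf-8"), 4096, 32).hex()


if __name__ == "__main__":
    for k in ("password", "Correct-Horse-Battery-Staple-2024-Site7", "ab" * 32):
        print(k[:20].ljust(22), check_policy(k) or "ok", derive_psk(k, "IEEE")[:16] + "...")
```

The passphrase "password" with SSID "IEEE" is the published IEEE 802.11 test vector, so the derivation can be checked against the standard's own value.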


What controls do we test?

Control 01.01: Firewalls or Screening Routers protect the perimeter
Recommendation: Firewalls should protect all connections, including connections to trusted third parties.

Control 01.02: Firewall rules should be specific
Recommendation: Firewall and screening router rules (ACLs) specify source and destination attributes rather than using the "Any" attribute. The primary exception to our recommendation is a generic rule for http/s.

Control 01.03: Malware protection on email and web
Recommendation: Malware protection should be configured to detect and block viruses, spyware phone home, spyware download, botnet, worms and Trojans that may attempt to enter the network from the Internet. Anti-malware solutions should be present on every ingress/egress point, especially web downloads and email.

Control 01.04: Remote access authentication
Recommendation: All VPN and remote access services should be protected by multi-factor authentication. Examples include two of the following: Domain authentication, client side certificates, and tokens.

Control 01.05: Remote access results in log entries
Recommendation: All VPN sessions should generate security log entries. Access should be reviewed and investigated for anomalies at least weekly.

Control 01.06: Analog modems are secured
Recommendation: Modems should be disabled when not in use and should require enabling for authorized use.

Control 01.07: Wireless network authentication
Recommendation: Any wireless networks should be segmented from the internal network. Wireless users that need to access the internal network should be required to use a VPN to help ensure the security of the transmission.

Control 01.08: Wireless utilizes WPA2
Recommendation: Any wireless access points should be protected with complex and unpredictable WPA2 keys that are changed every 3 months.

Control 01.09: Web content filtering
Recommendation: Web Content Filtering inspects network packets from the Internet and blocks content that contains malware. A dedicated appliance is preferred.

Control 01.10: DDoS preparation
Recommendation: A risk assessment regarding threats should be documented and include data scrubbing if deemed appropriate.


We provide the support our clients need and we guarantee our services.
We're dedicated to continuous improvement. Advisories, trainings and help desk access simplify information
confidentiality, integrity, and availability. We also guarantee client satisfaction, eliminating the risks of trying something
new. Since our evaluation is independent, our recommended mitigation steps are unbiased and singularly optimized to
improve our clients' security.

When IT is prepared, the risk of a data breach declines.

We work with clients' IT teams to ensure security flaws are recognized and prioritized. Our evaluation is based upon
our experience performing nearly 3,000 security assessments. Experience matters in security and ours is far deeper
than any in-house IT expertise.

Our industry-leading approach is advanced and technically sophisticated.

We give our clients a realistic sense of their own security by testing their networks with the same tools hackers use,
plus a little extra ingenuity. Once on their networks, we breach sensitive information at just over 75% of our targets
and obtain escalated access to administrative privileges at 60%.

Trusted Advisory Team

Our team members average a 12-year tenure in high tech, and are rooted in a diversity of perspectives and technical
certifications. This balanced approach ensures all engagements provide the value our clients expect and allows us to
guarantee client satisfaction.
Tom Schauer, CISA, CISSP, CISM, CRISC, CTGA,
CEH has been practicing in information technology
security and auditing since 1988. Tom is one of the
country's leading experts in IT compliance matters. Tom
is the founder of the Trusted Advisory Group.
Carl York, CISA, CRISC is a 20-year veteran of
banking and information technology. His experience
includes managing item-processing at the Federal
Reserve, consulting on financial IT systems, and
Security and Compliance Officer for a $700M bank.
David Frazier, MS.ISM, CEH, CISA has 25 years of
experience implementing IT infrastructure and large
applications. Dave is a strong IT auditor and security
assessment professional, and was with EY's consulting
practice for several years.
Michael Brown, CEH, CTGA, PMP is the central point
of contact for many engagements as Project Manager.
Mike managed projects for nearly a decade before
joining TrustCC.
Jeff Dimmock, CEH, CCNA Security, Security+ is
skilled in the design and execution of social engineering
exercises including developing payloads that evade
detection. Jeff is currently working on a Master's degree
in Information Security Assurance.

Timothy Gamble, CEH continuously demonstrates
client satisfaction with light-speed response to emerging
threats to our clients' business as they surface.
Wes Hardcastle, CEH specializes in social
engineering, network penetration testing, and wireless
security. His background is in IT management.
Alex Haslach, GSEC, CEH has a wealth of experience
in systems administration at financial institutions. He
specializes in assessing vulnerabilities in web apps.
Aaron Hayden, CHPS, MBA consults on business,
operations, and healthcare privacy and security.
Shannon Hennessy, Security+, CEH is expert in the
areas of information security policies and standards,
social engineering, and wireless security.
Brandon Henry, MCSE, VCP, DCSE, CEH, CICP leads
TrustCC's technical services. He has mastery of the
BackTrack 5 security framework and tools, and has 10
years of experience implementing infrastructure and
virtualization.
Andrew Luke, CEH, CCNA occasionally plays red
team in the Pacific Cybersecurity War Games. He is a
member of the Washington State National Guard and
previously worked with the Department of Defense.
Andrew Robbins, CEH, Network+ drives our largest,
most complex engagements. His expertise covers
network security, web application security, and social
engineering.