
DATA CENTRE SECURITY

The design of security in the Data Center requires understanding the security
threats, the attacks, and the technology to counter them.

You can use such tools as ACLs, firewalls, IDSs, and security features on switches
and routers to mitigate the effects of attacks against servers and network devices.

Designing the Data Center requires configuring the appropriate ciphers on SSL
and IPSec devices, generating and installing certificates, and enabling HMAC on
routers—all of which require an understanding of the key concepts of
cryptography, AAA, and VPNs.

Creating security policies, secure management, and incident response and attack
mitigation are as important as understanding the technology. The last part of this
chapter described the key considerations for creating a Data Center security
framework.

Data Centers are key components of enterprise networks. The Data Center houses
the enterprise applications and data, hence the need for proper security. Losing
data and applications can impact the organization’s ability to conduct business.

Vulnerabilities and Common Attacks

The following terms often used in security discussions are important to define in
the context of security in Data Centers:

a. Threat—An event that poses some harm to the Data Center or its resources

b. Vulnerability—A deficiency in a system or resource whose exploitation
leads to the materialization of the threat

c. Attack—The actual exploitation of a vulnerability to make a threat a reality

Applied to a web application, for example, a threat could be the loss of the
application server’s capability to process requests from legitimate users.
The vulnerability could be that the server is running a software version
known to be susceptible to buffer-overflow attacks.

Threats
Data Centers are vulnerable to threats that affect the rest of the enterprise network
and to threats that are specific to the Data Center.

The following are some of the most common threats to Data Centers:

• DoS

• Breach of confidential information

• Data theft or alteration

• Unauthorized use of compute resources

• Identity theft

Vulnerabilities

Most of the vulnerabilities found today originated in at least one of the following
areas:

Implementation—Software and protocol flaws, incorrect or faulty software
design, incomplete testing, etc.

Configuration—Elements not properly configured, use of defaults, and so on.

Design—Ineffective or inadequate security design, lack of or inappropriate
implementation of redundancy mechanisms, etc.

The following section discusses the details of the most common vulnerabilities
and their relation to these source problems.

Exploitation of Out-of-Date Software

Running out-of-date software and using insecure default configurations are the top
two causes of security incidents. Most attacks on Data Centers today exploit well-
known vulnerabilities that are usually discovered and announced months before
the first attack takes place. The worms CodeRed, Nimda, and SQL Slammer are
good examples of exploited known vulnerabilities that could have been avoided.

Exploitation of Software Defaults

The second most common cause behind exploits is the use of default configuration
values. Many systems are shipped with default accounts and passwords, which are
exploited for unauthorized access and theft of information, among other threats.

Common Attacks

Scanning or Probing
Rather than an attack in itself, this activity precedes an attack by discovering
information about a system or network that can later be used to gain access. This
reconnaissance activity usually precedes a more severe security incident. The term
probe refers to an individual attempt, whereas a scan consists of a large number of
probes by an automated tool.

A port scan is an example of scanning whose purpose is to identify the services
that a host is running. During a port scan, the offender basically tries to open a
TCP connection to each of the well-known ports, such as FTP, Telnet, HTTP, Simple
Mail Transfer Protocol (SMTP), and so on. Then, the offender can direct more
precise attacks to those ports the host is listening on.
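The distinction above between a probe (one attempt) and a scan (many probes by an automated tool) is exactly what a defender keys on in firewall logs. The following is an added example, not from the original text: it parses a constructed sample of firewall deny-log lines (the log format, addresses and thresholds are assumptions) and flags a source as scanning when it is denied on many distinct ports of one host within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall deny-log sample (hypothetical addresses), not from the page.
SAMPLE_LOG = """\
2024-05-01T10:00:01 deny tcp 203.0.113.5:40001 -> 192.0.2.10:21
2024-05-01T10:00:01 deny tcp 203.0.113.5:40002 -> 192.0.2.10:23
2024-05-01T10:00:02 deny tcp 203.0.113.5:40003 -> 192.0.2.10:25
2024-05-01T10:00:02 deny tcp 203.0.113.5:40004 -> 192.0.2.10:80
2024-05-01T10:00:03 deny tcp 203.0.113.5:40005 -> 192.0.2.10:443
2024-05-01T10:00:03 deny tcp 203.0.113.5:40006 -> 192.0.2.10:3306
2024-05-01T10:00:09 deny tcp 198.51.100.7:51000 -> 192.0.2.10:22
2024-05-01T10:30:00 deny tcp 198.51.100.7:51001 -> 192.0.2.10:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) deny \w+ (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse(log_text):
    """Yield (timestamp, src, dst, dport) for every deny line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])

def find_port_scans(log_text, min_ports=5, window=timedelta(seconds=10)):
    """Return {src: {dst: [ports]}} for sources that were denied on at least
    min_ports distinct destination ports of one host inside any `window`.
    A single denied probe is noise; many distinct ports in seconds is a scan."""
    hits = defaultdict(list)                 # (src, dst) -> [(ts, dport)]
    for ts, src, dst, dport in parse(log_text):
        hits[(src, dst)].append((ts, dport))
    scans = defaultdict(dict)
    for (src, dst), events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # slide the window over time
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= min_ports:
                scans[src][dst] = sorted(ports)
                break
    return dict(scans)
```

The second source in the sample is denied twice, half an hour apart, and is correctly left out; thresholds like `min_ports` and `window` should be tuned to the traffic the Data Center actually sees.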

DoS
The goal of a DoS attack is to degrade service to the point that legitimate users are
unable to conduct their regular activities. DoS attacks can take many different
forms, but the most common case consists of generating large volumes of data to
deliberately consume limited resources such as bandwidth, CPU cycles, and
memory blocks.

A DoS attack can also consist of generating a single malformed packet that
exploits a flaw in an application or protocol stack. Ping of death (PoD) is a good
example. PoD sends an ICMP echo packet that violates the maximum size of the
packet. Some old TCP/IP stacks did not verify the packet size and ended up
allocating more memory than needed, which eventually caused a system crash.

In Data Centers, most DoS attacks target server farms primarily by sending the
servers large volumes of traffic. A large volume of traffic over the network could
lead to network congestion, which is an indirect result of the DoS attack.

DDoS

Distributed denial-of-service (DDoS) attacks are a particular case of DoS attacks
where a large number of systems are compromised and used as the source of
traffic on a synchronized attack. DDoS attacks work in a hierarchical model
typically consisting of clients, handlers, and agents.

Unauthorized Access
Unauthorized access consists of gaining access to restricted resources by using a
valid account or a backdoor. An account compromise is a type of unauthorized
access where someone other than the account owner uses the privileges associated
with the compromised account.

Viruses and Worms

Viruses and worms are both cases of malicious code that, when executed, produces
undesired results on the infected system. The malicious code usually remains
hidden in the system until the damage is discovered. The difference between
viruses and worms is the way they auto-replicate. Worms are self-replicating
programs that propagate without any human intervention.

Internet Infrastructure Attacks

Internet infrastructure attacks target the critical components of the Internet
infrastructure rather than individual systems or networks. These attacks are
becoming more frequent and mostly affect service providers. Domain Name
System (DNS) servers, edge routers, cache clusters, and access servers are some of
the devices targeted by these attacks.

Trust Exploitation
These attacks exploit the trust relationships that computer systems have to
communicate. Communications in networked environments are always based on
trust. For example, when a web server communicates with a back-end database, a
trust relationship exists between the two systems. If an attacker can forge his
identity, appearing to be coming from the web server, he or she can gain
unauthorized access to the database. Figure 5-3 displays a trust-exploitation
situation.

Session Hijacking
Session hijacking consists of stealing a legitimate session established between a
target and a trusted host. The attacker intercepts the session and makes the target
believe it is communicating with the trusted host.

Buffer Overflow Attacks

A buffer overflow occurs when a program writes data into a memory buffer beyond
the space it had reserved for it; the result is memory corruption affecting the data
stored in the memory areas that were overflowed.

Layer 2 Attacks
Layer 2 attacks exploit the vulnerabilities of data link layer protocols and their
implementations on Layer 2 switching platforms. One of the characteristics of
Layer 2 attacks is that the attacker must be connected to the same LAN as the
victims.

Address Resolution Protocol (ARP) spoofing and MAC flooding are examples of
attacks that fall into this category:

• ARP spoofing—An attack in which the attacker forges the identity of a trusted
system by spoofing the system’s IP address.

Network Security Infrastructure

The network security infrastructure includes the security tools used in the Data
Center to enforce security policies. The tools include packet-filtering technologies
such as ACLs and firewalls and intrusion detection systems (IDSs) both network-
based and host-based. The following sections discuss these security tools.

ACLs
ACLs are filtering mechanisms explicitly defined based on packet header
information to permit or deny traffic on specific interfaces. An ACL is typically
set up as a list that is applied sequentially on the packets until a match is found.
Once the match is found, the associated permit or deny operation is applied.

Firewalls
A firewall is a sophisticated filtering device that separates LAN segments, giving
each segment a different security level and establishing a security perimeter that
controls the traffic flow between segments. Firewalls are typically deployed in
strategic locations and commonly work as the only pass-through point to sensitive
resources. For example, firewalls are most commonly deployed at the Internet
Edge, where they act as a boundary to the internal networks.

There are different types of firewalls based on their packet-processing capabilities
and their awareness of application-level information:

• Packet-filtering firewalls

• Proxy firewalls

• Stateful firewalls

• Hybrid firewalls

Packet-Filtering Firewalls
Packet-filtering firewalls, often referred to as screening routers, are network
devices that filter packets based on header information. A router configured
with ACLs is an example of this type of firewall. The capability to identify
different protocols and applications depends on the granularity of the filters.
For example, you can use extended ACLs to specify which TCP/UDP ports
are permitted or blocked.

Proxy Firewalls
Proxy firewalls, also known as application-level proxies, are application-specific
firewalls that are frequently implemented in software. These firewalls are specially
designed to protect applications associated with well-known ports and are
typically limited to SMTP, HTTP, Telnet, and FTP.

Stateful Firewalls
Stateful firewalls keep track of connection state and only permit packets that
match legitimate connections. IOS Firewall, PIX Firewall, and the Catalyst 6500
Firewall Services Module are examples of stateful firewalls.
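The ACL section above describes sequential first-match filtering on header fields, and the stateful firewall section describes filtering on connection state. The following added example (not from the original text; addresses, ports and the ACL entries are constructed for illustration) models both on the same packets: `acl_lookup` is a screening-router ACL with an implicit trailing deny, and `StatefulFilter` consults that ACL only for packets that open a connection, then admits later packets only when they belong to a connection it already admitted.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag; clear on the SYN that opens a connection

# Constructed extended ACL (hypothetical addresses): (action, proto, src, dst, dport)
WEB_TIER_ACL = [
    ("permit", "tcp", "192.0.2.10", "10.0.0.5", 3306),   # web server -> database
    ("permit", "tcp", "any", "192.0.2.10", 443),          # clients -> HTTPS
    ("deny",   "tcp", "any", "10.0.0.5", "any"),          # nothing else reaches the DB
    ("permit", "udp", "any", "10.0.0.53", 53),            # DNS queries
]

def acl_lookup(acl, pkt):
    """First match in list order decides; no match falls to the implicit deny."""
    for action, proto, src, dst, dport in acl:
        if (proto == pkt.proto and src in ("any", pkt.src)
                and dst in ("any", pkt.dst) and dport in ("any", pkt.dport)):
            return action
    return "deny"

class StatefulFilter:
    """ACL is consulted only for connection openers; admitted flows are remembered."""
    def __init__(self, acl):
        self.acl = acl
        self.connections = set()   # (proto, src, sport, dst, dport) of admitted flows
    def process(self, pkt):
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.connections or reply in self.connections:
            return "permit"          # belongs to a connection already admitted
        if pkt.proto == "tcp" and pkt.ack:
            return "deny"            # looks like a reply, but no such connection exists
        if acl_lookup(self.acl, pkt) != "permit":
            return "deny"
        self.connections.add(flow)
        return "permit"

def demo():
    # Web server opens a DB connection, the DB replies, then a stray "reply" arrives.
    fw = StatefulFilter(WEB_TIER_ACL)
    syn = Packet("tcp", "192.0.2.10", 40000, "10.0.0.5", 3306)
    reply = Packet("tcp", "10.0.0.5", 3306, "192.0.2.10", 40000, ack=True)
    stray = Packet("tcp", "10.0.0.5", 3306, "192.0.2.10", 40001, ack=True)
    return fw.process(syn), fw.process(reply), fw.process(stray)
```

Run `acl_lookup` alone on the database's legitimate reply and it is denied, because no entry covers the return direction; a screening router would need a broad return-traffic entry, whereas the stateful filter admits the reply from its connection table and still drops the stray packet.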

Hybrid Firewalls
Hybrid firewalls combine the behavior of the previous types of firewalls, including
key features that make the firewalls more flexible and intelligent in dealing with
application traffic. The comprehensive feature set is the basis for the most
common types of firewalls.

IDS

IDSs are real-time systems that can detect intruders and suspicious activities and
report them to a monitoring system. They are configured to block or mitigate
intrusions in progress and eventually immunize the systems from future attacks.
IDSs have two fundamental components:

• Sensors—Appliances and software agents that analyze the traffic on the
network or the resource usage on end systems to identify intrusions
and suspicious activities. Sensors can be network-based or host-based.

• IDS management—Single- or multi-device system used to configure and
administer sensors and to additionally collect all the alarm
information generated by the sensors.
