:star: G12 Boundary defense (:checkered_flag: G12-4 Intrusion Prevention…
:star: G12 Boundary defense
Firewall Ruleset validation / certification
Deny communications with (or limit data flow to) known malicious IP addresses (blacklists)
or limit access only to trusted sites (whitelists).
Tests can be periodically carried out by sending packets from bogon source IP addresses (non-routable or otherwise unused IP addresses)
into the network to verify that they are not transmitted through network perimeters.
Lists of bogon addresses are publicly available on the internet from various sources
and indicate a series of IP addresses that should not be used for legitimate traffic traversing the Internet.
Network-based IPS devices should be deployed to complement IDS
by blocking known bad signatures
or the behaviour of potential attacks.
As attacks become automated,
detection-only methods such as IDS lengthen the time it takes for someone to react to an attack.
A properly configured network-based IPS
can provide automation to block bad traffic.
When evaluating network-based IPS products,
include those using techniques
other than signature-based detection
(such as virtual machine or sandbox-based approaches).
Design and implement network perimeters
so that all outgoing network traffic to the internet must pass through at least one application layer filtering proxy server.
The proxy should support
decrypting network traffic
logging individual TCP sessions
blocking specific URLs, domain names, and IP addresses
to implement a blacklist
and applying whitelists of allowed sites that can be accessed through the proxy while blocking all other sites.
Organizations should force outbound traffic to the internet
through an authenticated proxy server on the enterprise perimeter.
2-Factor Authentication for VPN Access
Require all remote login access
(including VPN, dial-up, and other forms of access that allow login to internal systems)
to use two-factor authentication.
Endpoint health check for remote access: verify anti-malware, patch, firewall and similar statuses.
All enterprise devices remotely logging into the internal network should be managed by the enterprise
with remote control of their configuration
and patch levels.
For third-party devices (e.g., subcontractors/vendors),
publish minimum security standards for access to the enterprise network
and perform a security scan before allowing access.
Packet analysis, architecture reviews, etc.
Periodically scan for back-channel connections to the internet that bypass the DMZ
including unauthorized VPN connections and dual-homed hosts connected to the enterprise network
and to other networks via wireless, dial-up modems, or other mechanisms.
Deploy NetFlow collection and analysis on DMZ network flows
to detect anomalous activity.
Session Length Tracking
To help identify covert channels exfiltrating data through a firewall,
configure the built-in session tracking mechanisms included in many commercial firewalls
to identify TCP sessions that last an unusually long time for the given organization and firewall device,
alerting personnel about the source and destination addresses associated with these long sessions.
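A small defender-side script, added here as an illustration and not part of the original mind map, that applies two of the checks above to constructed firewall session records: it flags sessions whose source is a bogon address that nevertheless crossed the perimeter (the bogon test under "Firewall Ruleset validation"), and sessions that run far longer than the device's own baseline (this "Session Length Tracking" node). The log format, the bogon subset and the median + k * MAD threshold are assumptions, not anything the control itself prescribes.

```python
import ipaddress
import statistics
from collections import namedtuple

# Illustrative bogon subset (assumption: a real deployment loads a maintained
# bogon feed). TEST-NET ranges are left out so they can stand in for ordinary
# public Internet addresses in the constructed sample below.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

# src = address seen on the Internet-facing interface, dst = internal host,
# seconds = TCP session duration as recorded by the firewall
Session = namedtuple("Session", "src dst seconds")

# Constructed firewall session records: "<src> <dst> <seconds>"
SAMPLE_LOG = """198.51.100.7 10.20.0.5 12
203.0.113.9 10.20.0.5 40
198.51.100.21 10.20.0.9 30
10.99.0.1 10.20.0.9 25
203.0.113.77 10.20.0.9 33
0.1.2.3 10.20.0.12 28
192.0.2.44 10.20.0.9 86400"""

def parse_sessions(log: str) -> list:
    return [Session(src, dst, int(secs))
            for src, dst, secs in (ln.split() for ln in log.splitlines() if ln.strip())]

def is_bogon(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETS)

def bogon_leaks(sessions):
    # A bogon source address on the inside of the perimeter means the
    # bogon-filter test failed (or a spoofed packet was not dropped).
    return [s for s in sessions if is_bogon(s.src)]

def long_sessions(sessions, k: float = 10.0):
    # Baseline is the device's own median duration; sessions more than k MADs
    # above it are flagged. MAD is robust to the very outliers we look for.
    durations = [s.seconds for s in sessions]
    med = statistics.median(durations)
    mad = statistics.median(abs(d - med) for d in durations) or 1.0
    return [(s.src, s.dst, s.seconds) for s in sessions if s.seconds > med + k * mad]

if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_LOG)
    print("bogon sources inside the perimeter:", [s.src for s in bogon_leaks(sess)])
    print("unusually long sessions (src, dst, seconds):", long_sessions(sess))
```

On the sample, the two bogon-sourced sessions and the single day-long session are reported; the `or 1.0` fallback keeps the threshold finite when every session has the same duration.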