Wednesday, February 29, 2012

Cyber Threat, Vulns and Countermeasures

A few years ago cyber-attacks were not as common as they are today. In these hard days of cyber warfare I will post here some tips that I think can serve as a baseline for protecting organizations and corporations from that threat. Let's take a brief look at our network connection to the world: a threat exists wherever a connection exists. Even when networks are separated, there is usually some kind of data flow between them, such as disk-on-key (USB) devices, fax2mail or voice2mail solutions, or proprietary connections with service providers such as leased lines, metropolitan networks, and more.

First level of remediation - WAN (Internet Service Provider (ISP) side)

Each organization (and corporation) has an Internet connection, the link that connects the organization's network to the Internet; it can be anything from a dial-up connection to a leased line. When a threat comes from the Internet it is very complicated to distinguish trusted from untrusted sources. Because very few corporations have unlimited Internet bandwidth with which to enforce ACLs based on huge profiles, my recommendation is to host this kind of ACL device at the ISP (in the case of a DDoS, the ISP can also provide alternate routes, using BGP tunnels or any other kind of smart routing protocol, to deliver requests from the Internet to the organization).
- Filter out country-based addresses (IP)
- Filter out anonymous networks and anonymous proxies (Tor, I2P and more)
- Filter out hacked hosts
- Filter out known botnet hosts
- Filter out blacklisted addresses (IP)
- Filter out spam
- Prepare a basic content filter (for SQL injections, untrusted certificates, viruses and everything else possible), and an IDPS with a minimal false-positive rate
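The ISP-side ACL profiles listed above can be expressed as an ordered deny list that is matched per source address and reported per profile, so the operator can see which profile is doing the work and which one may be generating false positives. This is an added example, not code from the original post; the profile names and the CIDR ranges are constructed (documentation address space), not real indicators.

```python
import ipaddress

# Constructed sample rule set for the ISP-side ACL profiles the post lists.
# Each entry: (profile name, CIDR blocks). The prefixes are documentation
# ranges made up for the example, not real indicators.
DENY_PROFILES = [
    ("geo-block",        ["203.0.113.0/24"]),                 # country-based ranges
    ("anonymizer",       ["198.51.100.0/25"]),                # Tor/I2P exits, open proxies
    ("compromised-host", ["192.0.2.7/32", "192.0.2.9/32"]),   # known hacked hosts
    ("botnet-c2",        ["192.0.2.128/26"]),                 # known botnet hosts
    ("blacklist",        ["198.51.100.200/32"]),              # generic blacklist
]

def compile_profiles(profiles):
    """Parse the CIDR strings once so the per-packet match stays cheap."""
    return [(name, [ipaddress.ip_network(c) for c in cidrs]) for name, cidrs in profiles]

COMPILED = compile_profiles(DENY_PROFILES)

def evaluate(src_ip, profiles=COMPILED):
    """Return ("deny", profile) for the first deny profile the source matches,
    ("allow", "default") otherwise. Malformed addresses are denied outright."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return ("deny", "malformed-address")
    for name, nets in profiles:
        if any(addr in n for n in nets):
            return ("deny", name)
    return ("allow", "default")

def profile_hits(log_lines):
    """Apply the ACL to constructed connection-log lines '<src_ip> <dst_port>'
    and return hit counts per profile (the report the ISP-side device should give)."""
    counts = {}
    for line in log_lines:
        src = line.split()[0]
        _decision, profile = evaluate(src)
        counts[profile] = counts.get(profile, 0) + 1
    return counts

SAMPLE_LOG = [  # constructed, not real traffic
    "203.0.113.45 443", "198.51.100.17 80", "192.0.2.9 22",
    "192.0.2.130 443", "198.51.100.200 443", "192.0.2.10 443", "300.1.1.1 443",
]

if __name__ == "__main__":
    print(profile_hits(SAMPLE_LOG))
```

The order of the profiles matters: a host that appears both as an anonymizer and on the blacklist is reported under the first profile that matches, so put the most specific or most actionable profile first.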

Second level of remediation - External LAN (corporate outbound network side)

- Allow OSI layer-2 protocols only from the ISPs where your first-level devices are hosted.
- Prepare a FIREWALL (a device or set of devices designed to permit or deny network transmissions based upon a set of rules; it is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass. Many personal computer operating systems include software-based firewalls to protect against threats from the public Internet. Many routers that pass data between networks contain firewall components and, conversely, many firewalls can perform basic routing functions.) Keep in mind that the threat will come as ALLOWED traffic: it does not matter how many rejects and drops you see in the log, the threat will come as something that we allowed in the rule base. Just remember that.
- Prepare a smart IDPS for each inbound connection. (Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. Their main functions are to identify malicious activity, log information about it, attempt to block or stop it, and report it.)
- Prepare content filter systems: a WAF (Web Application Firewall; an application firewall is a form of firewall that controls input, output, and/or access from, to, or by an application or service. It operates by monitoring and potentially blocking the input, output, or system service calls that do not meet the firewall's configured policy. An application firewall is typically built to control all network traffic on any OSI layer up to the application layer, and is able to control specific applications or services), a DAF (Database Application Firewall), and reverse proxies in a DMZ or multiple DMZs. (A DMZ, sometimes referred to as a perimeter network, is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external attacker only has access to equipment in the DMZ, rather than any other part of the network. The name is derived from the term "demilitarized zone", an area between nation states in which military action is not permitted.)
- Digitally sign each packet that should be delivered to the front-end servers, and make sure the front-end servers validate those signatures. This lets us be sure that packets reaching the front-end servers have been checked and that no malicious content was detected in them.
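One way to implement the last point, as an added example that is not part of the original post: the inspection tier attaches an HMAC-SHA256 tag over the forwarded payload and a timestamp, and the front-end refuses anything that is untagged, tampered with, or stale. The shared key, the 30-second freshness window and the envelope layout are assumptions of this example; a real deployment would provision and rotate the key out of band.

```python
import hmac
import hashlib
import time

# Constructed shared key for the example only. The post says "digitally sign
# each packet"; this shows one way to do it with an HMAC tag that binds the
# forwarded payload to a timestamp, so the front-end can reject tampered or
# stale data as well as data that never passed through the inspection tier.
INSPECTION_KEY = b"example-shared-key-not-for-production"
MAX_AGE_SECONDS = 30  # assumed freshness window

def _mac(key, ts, payload):
    """HMAC-SHA256 over the big-endian timestamp followed by the payload."""
    return hmac.new(key, ts.to_bytes(8, "big") + payload, hashlib.sha256).hexdigest()

def sign_forwarded(payload, key=INSPECTION_KEY, now=None):
    """Run at the inspection tier after the payload passed the filters."""
    ts = int(time.time()) if now is None else now
    return {"ts": ts, "payload": payload, "tag": _mac(key, ts, payload)}

def verify_forwarded(envelope, key=INSPECTION_KEY, now=None):
    """Run at the front-end server. Returns "ok" or the reason for rejection.
    The tag comparison is constant-time so the check leaks nothing via timing."""
    try:
        ts = int(envelope["ts"])
        payload = envelope["payload"]
        tag = envelope["tag"]
    except (KeyError, TypeError, ValueError):
        return "rejected: missing fields"
    current = int(time.time()) if now is None else now
    if abs(current - ts) > MAX_AGE_SECONDS:
        return "rejected: stale"          # replayed or delayed envelope
    if not hmac.compare_digest(_mac(key, ts, payload), tag):
        return "rejected: bad signature"  # modified payload, wrong key, or no inspection
    return "ok"

if __name__ == "__main__":
    env = sign_forwarded(b"GET /index.html HTTP/1.1", now=1_000_000)
    print(verify_forwarded(env, now=1_000_010))                    # ok
    tampered = dict(env, payload=b"GET /admin HTTP/1.1")
    print(verify_forwarded(tampered, now=1_000_010))               # rejected: bad signature
    print(verify_forwarded(env, now=1_000_100))                    # rejected: stale
    print(verify_forwarded({"payload": b"x"}, now=1_000_010))      # rejected: missing fields
```

The freshness check is evaluated before the tag so a flood of stale envelopes is discarded without spending a MAC computation on each; if the front-end must also stop replay inside the window, keep a short-lived cache of seen tags.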

That's all. When you have done all of the above I am sure your organization's threat level is well minimized, but it still exists! In the next post I will explain what to do at the front-end and back-end servers, and later what we can do on our LAN and on the end-user side.

Organizations and corporations whose availability is critical should consider deploying all of the controls above at cloud-based hosting providers, so that DoS and DDoS attacks cannot damage resources and reputation. Simply search for "anti DDoS" and you will find huge service providers who deliver the services above, or part of them.