Network Defense at Blackhat 2012
Just back from presenting lab-based training session Detecting & Mitigating Attacks Using Your Network Infrastructure with Joe Karpenko at Blackhat USA 2012. Great to see a Defense track of Briefings which included Intrusion Detection Along The Kill Chain: Why Your Detection System Sucks And What To Do About It and more of an emphasis on protecting or remediating network infrastructures in topics like Targeted Intrusion Remediation: Lessons From The Front Lines. I attended several of these briefings and was impressed with the breadth of information provided for network operators. The Defense briefings align well with the network security best practices advocated by Cisco and presented in our training. These best practices include:
- Network device hardening – This best practice includes disabling unused services and features as well as enabling commands and features that protect network device processing power for the forwarding of legitimate business IP traffic
- Enable syslog on network devices – Event logging provides visibility of network devices and network infrastructures
- Correlate syslog events across network devices to identify potential issues – Send logging information to a centralized syslog server so that events across network devices can be aggregated and matched to known security and network issues
- Enabling NetFlow on strategic network devices – NetFlow provides visibility for IP Traffic transiting a network.
- Use the collected NetFlow information to understand network traffic patterns – Anomalous and security-related network activity can be identified by tracking IP traffic flows
- Use DNS logging to identify potential issues – DNS event logging provides visibility into the destination domains for user and device IP traffic.
- Use the telemetry gathered from the above best practices to construct a network IP traffic baseline and leverage it to quickly identify anomalies – Network traffic baselines help us determine normal traffic patterns so that we can better identify anomalous behavior. Correlating all of these different telemetry types can help us infer the causes and effects of unusual network activity so that we can react before legitimate business IP traffic is impacted
Other network security best practices are covered in these security best practice documents:
- Cisco Guide to Harden Cisco IOS Devices
- Cisco Guide to Securing Cisco NX-OS Software Devices
- Cisco Guide to Harden Cisco IOS XR Devices
- Cisco TelePresence Hardening Guide
- Cisco Firewall Best Practices Guide (Forthcoming)