Small Business Defense – Network Reconnaissance
Yesterday, we looked at the attacker's view of Network Reconnaissance. Today we consider defenses. As before, your best defense is to segment your network, which limits what an attacker can see from any single point on it. Beyond that, there are some things you can do to reduce the information an attacker can gather if they do get in.
The first is to limit what is actually running on each system. If you have workstations, ask yourself whether anyone needs to connect to them remotely. If not, turn off every listening service you don't need and enable the local firewall. If so, work out which systems actually need to talk to each other and set up VLANs or local firewall rules so that access is only allowed from known-good systems.
Second, identify the key systems that could be targeted. On those systems, in addition to the basic hardening described for workstations, look at scan-detection tools like SentryTools or PSAD, which watch the local firewall's log for hosts probing many ports. You should also keep all systems up to date. Even if attackers get a network map, it isn't much use to them if there is no unpatched service to get in through.
Lastly, at the network level, there are a few other techniques that can be used. Implementing an Intrusion Detection System will help alert you when someone runs a scan like the one we looked at yesterday. Additionally, you could put a dedicated tarpit system on the network; it slows an attacker's scan down and makes them easier to detect, since legitimate hosts have no reason to talk to it. Both of these solutions are complex enough that they go beyond the scope of this blog post. However, this will hopefully help get you started.
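To make the scan-detection idea from the last two sections concrete, here is an added example (not from the original post, and not PSAD's or SentryTools' own code) of the core logic such tools apply to firewall log lines: count the distinct destination ports each source address hits within a sliding time window and alert on the ones that cross a threshold. The log lines are constructed in the iptables LOG format; the hostname `fw`, the addresses and the thresholds are assumptions for illustration. The example also shows the edge case a practitioner cares about: a slow scan that spreads its probes out beyond the window is missed at a short window and caught at a longer one.

```python
"""PSAD-style port-scan detection over firewall LOG lines (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Fields a scan detector keys on in an iptables/nftables LOG line.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?"
    r"PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def _log_line(ts, src, dst, dpt):
    """Build a constructed LOG-style line (not captured traffic)."""
    return (f"{ts} fw kernel: DROP IN=eth1 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
            f"SRC={src} DST={dst} LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF "
            f"PROTO=TCP SPT=41022 DPT={dpt} WINDOW=1024 RES=0x00 SYN URGP=0")


# Constructed sample log (hosts and times are assumptions):
#  - 10.0.5.23 sweeps six ports on 10.0.5.10 within six seconds (a fast scan)
#  - 10.0.5.40 retries SSH three times (not a scan, one port only)
#  - 10.0.5.77 probes five ports two minutes apart (a slow scan)
#  - one non-kernel line that the parser must ignore
SAMPLE_LOG = "\n".join(
    [_log_line(f"Mar  3 09:14:0{i}", "10.0.5.23", "10.0.5.10", p)
     for i, p in enumerate([22, 80, 443, 445, 3389, 8080])]
    + [_log_line("Mar  3 09:15:10", "10.0.5.40", "10.0.5.10", 22),
       _log_line("Mar  3 09:15:12", "10.0.5.40", "10.0.5.10", 22),
       _log_line("Mar  3 09:15:15", "10.0.5.40", "10.0.5.10", 22)]
    + [_log_line(f"Mar  3 09:{20 + 2 * i}:00", "10.0.5.77", "10.0.5.10", p)
       for i, p in enumerate([21, 23, 25, 110, 143])]
    + ["Mar  3 09:30:00 fw sshd[100]: Accepted publickey for admin from 10.0.5.40"]
)


def parse_log_line(line):
    """Return the fields of one firewall LOG line, or None if it is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        # syslog timestamps carry no year; the parsed year only orders events
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "dpt": int(m["dpt"]),
    }


def detect_scans(log_text, threshold=5, window_seconds=60):
    """Return {src: max_distinct_targets} for every source that hit at least
    `threshold` distinct (dst, proto, port) targets within `window_seconds`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_log_line(line)
        if ev:
            events[ev["src"]].append((ev["ts"], (ev["dst"], ev["proto"], ev["dpt"])))

    alerts = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        in_window = Counter()  # distinct targets currently inside the window
        for ts, target in evs:
            in_window[target] += 1
            # Evict events older than the window (two-pointer sliding window).
            while (ts - evs[start][0]).total_seconds() > window_seconds:
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(in_window))
    return alerts


if __name__ == "__main__":
    print("60s window :", detect_scans(SAMPLE_LOG))
    print("600s window:", detect_scans(SAMPLE_LOG, window_seconds=600))
```

With the default 60-second window only the fast scanner 10.0.5.23 is reported; the retrying SSH client is never reported because it only ever touches one port. Widening the window to 600 seconds also catches the slow scanner 10.0.5.77, which is the trade-off real tools expose as tunable thresholds: a longer window catches patient attackers but also raises the chance that an administrator's legitimate activity looks like a scan.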