Small Business Defense – Network Reconnaissance

Yesterday, we looked at the attacker’s view of Network Reconnaissance.  Today we consider defenses.  As before, your best defense is to segment your network, which limits what an attacker can see from any point on your network.  However, there are some things that you can do to reduce the information that an attacker can see if they do get in.

The first is to limit what is actually running on each system.  If you have workstations, ask yourself if anyone needs to connect to the systems remotely.  If not, turn off all services and activate the local firewall.  If so, consider which systems need to communicate and set up VLANs or local firewalls to only allow access from known-good systems.

The second is to identify the key systems that could be targeted. On those systems, in addition to the basic hardening for workstations, look at scanning defense applications like SentryTools or PSAD. As well, you should be careful to keep all systems up to date. Even if attackers get a network map, it’s not too useful if there is no way to get in.

Lastly, at the network level, there are a few other techniques that can be used. Implementing an Intrusion Detection System will help alert you when someone runs a scan like this. Additionally, you could put a dedicated tarpit system on the network. This system would slow down an attacker and make them easier to detect. Of course, both of these solutions are sufficiently complex that they go beyond the scope of this blog post. However, this will hopefully help get you started.
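As an added illustration (not part of the original post), here is the core of what an intrusion detection rule for a scan like this does: a sweep touches many distinct host:port targets from one source in a short window, while a normal workstation hits the same few ports over and over. The log format, the source addresses and the thresholds below are all constructed for this example; adapt the regex to your own firewall's logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) log format, one connection attempt per line:
# "2009-09-04T14:01:03 DROP src=192.168.4.77 dst=192.168.4.21 dpt=22"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+)$"
)

def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"]))

def detect_scanners(lines, window=timedelta(seconds=60), threshold=10):
    """Return {src: n} for every source that reached >= threshold distinct
    (dst, port) targets inside one sliding time window; n is the peak count.
    Lines from a given source must be in time order."""
    recent = defaultdict(deque)   # src -> deque of (ts, (dst, dport))
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                 # skip unrelated or malformed lines
        ts, src, dst, dpt = parsed
        q = recent[src]
        q.append((ts, (dst, dpt)))
        while q and ts - q[0][0] > window:
            q.popleft()              # drop events older than the window
        distinct = {target for _, target in q}
        if len(distinct) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged

def constructed_log():
    """Constructed sample: 192.168.4.77 sweeps 8 ports on 3 neighbours in
    a few seconds; 192.168.4.50 only talks SMB to the file server."""
    base = datetime(2009, 9, 4, 14, 1, 0)
    lines = []
    for i, port in enumerate([21, 22, 23, 25, 80, 111, 139, 445]):
        for host in ("21", "249", "254"):
            ts = (base + timedelta(seconds=i)).isoformat()
            lines.append(f"{ts} DROP src=192.168.4.77 dst=192.168.4.{host} dpt={port}")
    for i in range(30):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} ACCEPT src=192.168.4.50 dst=192.168.4.21 dpt=445")
    return lines

if __name__ == "__main__":
    for src, n in detect_scanners(constructed_log()).items():
        print(f"possible scan from {src}: {n} distinct host:port targets within 60s")
```

Only the sweeping host is reported; the chatty but single-port workstation never crosses the distinct-target threshold, which is what keeps a rule like this from paging you on normal file-server traffic.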

Small Business Attack – Network Reconnaissance

Suppose an attacker gets into your network. Last week, we discussed a few tools that they might use to profile different systems, but we didn’t look that deeply into network scanning. Once they’ve done some of the more-basic and subtle checks, they may go on to more active exploration. The advantage of more active exploration is that an attacker can identify all services on all systems in a very short period of time. The disadvantage, of course, is that they are more likely to be detected.

However, since this is an attack day, let’s look at what the attacker can do here. Once they have control of a system, they can use nmap to scan the network. Suppose you have an internal file server, other workstations and printers. In seconds, the attacker will have a list of all systems and what’s running on them. For example, here is a (slightly altered) list of systems available from a wireless network.

# nmap 192.168.4.*

Starting Nmap 4.75 ( http://nmap.org ) at 2009-09-04 14:01 CDT
Interesting ports on 192.168.4.21:
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
8654/tcp open  unknown

Interesting ports on 192.168.4.249:
Not shown: 997 closed ports
PORT      STATE SERVICE
6006/tcp  open  X11:6
9220/tcp  open  unknown
16001/tcp open  unknown
MAC Address: 00:40:63:99:58:E2 (VIA Technologies)

Interesting ports on 192.168.4.254:
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
2000/tcp open  callbook
MAC Address: 00:B0:D0:C0:54:11 (Dell Computer)

Nmap done: 256 IP addresses (5 hosts up) scanned in 12.61 seconds

So here, an attacker would know that 192.168.0.254 and 192.168.0.21 are running ssh, and therefore are likely Linux or Unix servers, as well as the hardware vendors (from the MAC addresses). For example, a Dell Computer that is running ssh may well be a server worth attacking (in this case, it’s not… but it could be). So, in twelve seconds, the attacker will know exactly what to target. Sure, it’s a noisy and noticeable way to profile a network, but if you don’t notice the attack, it’s well worth the risk.

But what can you do about it?