Why you need layered security (with IPS/IDS)
Yesterday I had an experience where having layered security would have protected my network from a potentially nasty situation.
Several days ago, a vendor instructed one of our system engineers to connect a switch on the LAN to a switch on the DMZ, thus creating a direct hop from the DMZ to the inside network (and vice versa). Granted, system engineers shouldn’t be touching the network infrastructure but that’s for another blog day.
Problems didn’t materialize for a few days, presumably the time it took the switches to discover the new network topology and create additional routes. We began to notice the problem when hosts would either fall off the network completely or particular services would fail.
As a last resort, after checking the system logs, switch logs, etc., I was brought in to look at the security devices to see if they were impacting the situation. Looking at the firewall logs I found packets coming from our DMZ, but sourcing from our internal IP addresses. The firewall was dropping the packets because it knew those IPs shouldn’t be originating from the DMZ (the firewall figured someone was spoofing IPs).
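The firewall check described above (a packet arriving on the DMZ interface with a source address from the inside address range) is the kind of thing worth pulling out of the logs and alerting on, because a burst of it means either a spoofing attempt or, as here, a segment that has been bridged. The script below is an added example, not code from the original post: it assumes a simple key=value log format, an address plan in which 10.1.0.0/16 belongs to the inside interface and 192.0.2.0/24 to the DMZ, and a handful of constructed log lines. It flags every record whose source address belongs to a different interface's address space than the one it arrived on.

```python
import ipaddress
from collections import Counter

# Constructed sample log (not from the post). Assumed record format:
# "<ts> iface=<ingress interface> src=<ip> dst=<ip> proto=<proto> action=<allow|deny>"
SAMPLE_LOG = """\
2024-01-01T10:00:01 iface=dmz src=10.1.5.20 dst=10.1.0.9 proto=tcp action=deny
2024-01-01T10:00:02 iface=dmz src=192.0.2.15 dst=10.1.0.9 proto=tcp action=allow
2024-01-01T10:00:03 iface=inside src=10.1.5.21 dst=192.0.2.15 proto=tcp action=allow
2024-01-01T10:00:04 iface=dmz src=10.1.7.3 dst=10.1.0.9 proto=udp action=deny
2024-01-01T10:00:05 iface=outside src=10.1.5.22 dst=192.0.2.15 proto=tcp action=deny
"""

# Assumed address plan: which source prefixes legitimately originate on which interface.
EXPECTED_SOURCE_PREFIXES = {
    "inside": [ipaddress.ip_network("10.1.0.0/16")],
    "dmz": [ipaddress.ip_network("192.0.2.0/24")],
}


def parse_line(line):
    """Split one log record into a dict; the source address becomes an ip_address."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def expected_interface(src):
    """Interface on which packets from this source address should arrive, or None
    if the address is outside every known prefix (e.g. Internet traffic)."""
    for iface, nets in EXPECTED_SOURCE_PREFIXES.items():
        if any(src in net for net in nets):
            return iface
    return None


def find_spoofed(log_text):
    """Return records whose source address belongs to another interface's address
    space than the one the packet arrived on: the anti-spoofing condition the
    firewall in the post was rejecting."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        home = expected_interface(rec["src"])
        if home is not None and home != rec["iface"]:
            rec["expected_iface"] = home
            hits.append(rec)
    return hits


def summarize(hits):
    """Count (arrival interface, expected interface) pairs; a large count on one
    pair points at a bridged segment rather than a lone spoofed packet."""
    return Counter((h["iface"], h["expected_iface"]) for h in hits)


if __name__ == "__main__":
    hits = find_spoofed(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} src={h["src"]} arrived on {h["iface"]}, expected {h["expected_iface"]}')
    print(summarize(hits))
```

Three of the five constructed records are flagged (two inside addresses arriving on the DMZ, one on the outside interface). In practice the summary counts are what to alert on: one or two such packets can be a probe, but a steady stream from many internal hosts on the same interface is the signature of the topology problem described in the post, and worth catching before a DMZ host is ever compromised.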
However, the real problem would have been had one of the hosts in the DMZ been compromised. In that situation, our entire internal infrastructure would have been vulnerable and exposed. This is exactly the reason why system hardening, network choke points, HIPS, etc are all necessary and are all part of the total security solution.
Since I have NIPS and HIPS deployed, I was able to check the logs and feel fairly confident there wasn’t a compromise as a result of the topology change. Granted, a hard-core hacker can compromise hosts and cover her tracks and evade IPS/IDS systems, which is why we add more and more hurdles for the hacker to jump in hopes of tripping her up at some point.
I’d also like to point out that IT departments need to keep their vendors at arm’s length and always remember that NO ONE will prioritize the security of your network like you do. A vendor’s main priority is to put food on their table by selling you a product.
Don’t get me wrong. I’m not bashing vendors. I have solid relationships with several of my vendors but I try very hard to always remember to double-check any suggestions they have.
