Harden your network services and contain zero-day threats


Jonathan Hassell, Contributor
10.27.2006


Advice for securing Windows


This is the first installment of our series on containing zero-day threats from SearchWindowsSecurity.com.

We all dread the thought of zero-day threats; they arrive and you have no vaccine for them. These exploits are all too common in recent months and years. Fortunately, there are some common sense steps you can take to harden your network layer against these threats.

You may not know exactly what the exploit is, but you can certainly deploy some protective elements like these that might stop such a problem in its tracks:

  • Use virtual LANs (VLANs), if possible, to segregate some areas of your network.
    VLANs are essentially multiple logical boundaries created within one physical network. VLANs are an easy way to divide critical areas of your network from others. For instance, you could have one VLAN for servers and another for client machines, or you could segregate machines based on department, or any other scheme you choose. Creating a VLAN in and of itself doesn't necessarily create a layer of protection, but it forms the basis for any number of other hardening techniques, and it provides a way to limit the scope of more stringent security procedures to only the most critical areas of a network.

  • Implement Internet Protocol Security (IPsec) to protect the contents of individual transmissions.
    IPsec encapsulates communications in a layer of encryption that is difficult to break, but it also allows you to restrict communications to and from certain machines based on whether their machine certificates are signed and valid. With such a policy in place, even if an exploit were introduced into your network, the machines protected by IPsec would simply ignore traffic from any host that cannot present a valid certificate. Using IPsec in this way also forms the basis for using network access control, covered later in this list.

  • Deploy an intrusion detection system (IDS).
    Intrusion detection systems often use heuristics that can detect malicious activity on your network before an actual definition is created by antivirus and anti-malware vendors. IDSes also provide a foundation for forensic analysis in case you care to examine how an exploit entered your network (should one actually penetrate your defenses).

  • Employ perimeter protection, like a stateful firewall.
    This almost goes without saying (which is why I put it midway through the list), but perimeter defense is the first, best and most effective way to protect against zero-day exploits in a variety of forms. To help prevent your network from being a vector of delivery for a nasty vulnerability, deploy a firewall immediately. Better yet, deploy a better firewall than the one you have now, and perform regular audits of that firewall if you aren't doing audits already.

  • Introduce network access control to prevent rogue machines from gaining access to the wire.
    One of the easiest and arguably most prevalent ways for nefarious software or Internet users to creep onto your network is not through holes in your firewall, nor brute-force password attacks nor anything else that might occur at your corporate headquarters or campus. It's through your mobile users -- when they try to connect to your business network while on the road -- and through visitors on your campus trying to attach themselves to your network. Neither of these categories of machines is subject to your (hopefully) stringent security policies, and that's a problem. Network access control products, like Cisco's NAC, NAQC in Windows Server 2003 and the possible inclusion of network access point (NAP) in the upcoming Longhorn Server are all good ways to close this attack vector.

  • Lock down wireless access points and use a security scheme like Wi-Fi Protected Access or WPA2 for maximum protection against wireless-based attacks.
    Simply using media access control (MAC) filtering and not broadcasting your service set identifier (SSID) are methods that just don't cut it anymore in a corporate setting. WEP has been cracked numerous times and even the most junior cracker will have no trouble gaining access to your wireless network protected only by WEP. Look into WPA2 to really filter out the bad guys.
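The IPsec item above describes a policy under which a protected machine only talks to peers that present a signed, valid machine certificate. The following is an added example (not code from the article, and not a real IPsec implementation) that models that "require authentication" behaviour in plain Python: the CA's X.509 signature is stood in for by an HMAC over the certificate fields so the policy logic runs with the standard library alone, and every host name, secret, timestamp and certificate is constructed for the demonstration.

```python
"""IPsec-style 'require authentication' policy, modelled in plain Python.

Added example, not code from the article. In real IPsec the peer proves its
identity during IKE with an X.509 machine certificate; here the CA's signature
is replaced by an HMAC over the certificate fields so the policy logic runs
with the standard library only. Every host name, secret and certificate below
is constructed for the demonstration.
"""
import hashlib
import hmac
import json

# Stand-in for the enterprise CA's private key (constructed, demo only).
CA_SECRET = b"constructed-demo-ca-secret"


def _ca_signature(fields: dict) -> str:
    """Deterministic 'signature' over the certificate fields."""
    payload = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(CA_SECRET, payload, hashlib.sha256).hexdigest()


def issue_certificate(machine: str, not_after: int) -> dict:
    """The CA enrols a machine: subject, expiry (unix time) and signature."""
    fields = {"subject": machine, "not_after": not_after}
    return {**fields, "sig": _ca_signature(fields)}


def certificate_is_valid(cert, revoked: set, now: int) -> bool:
    """Signature must verify, certificate must be unexpired and not revoked."""
    if not isinstance(cert, dict):
        return False
    fields = {"subject": cert.get("subject"), "not_after": cert.get("not_after")}
    if not hmac.compare_digest(_ca_signature(fields), str(cert.get("sig", ""))):
        return False          # forged or tampered certificate
    if fields["not_after"] is None or now >= fields["not_after"]:
        return False          # expired (or no expiry at all)
    if fields["subject"] in revoked:
        return False          # revoked by the CA
    return True


class ProtectedHost:
    """A host whose IPsec policy requires authenticated peers."""

    def __init__(self, revoked=()):
        self.revoked = set(revoked)
        self.received = []

    def receive(self, peer_cert, payload: str, now: int) -> bool:
        """Returns True if the datagram was processed. Unauthenticated traffic
        is silently dropped, which is what the 'require' policy does."""
        if not certificate_is_valid(peer_cert, self.revoked, now):
            return False
        self.received.append(payload)
        return True


def demo():
    """Runs the scenarios from the text and returns the outcome of each."""
    now = 1_161_950_400  # constructed timestamp
    host = ProtectedHost(revoked={"LAPTOP-OLD"})
    good = issue_certificate("FILESRV01", now + 86_400)
    expired = issue_certificate("PRINTSRV02", now - 1)
    revoked = issue_certificate("LAPTOP-OLD", now + 86_400)
    forged = dict(good, subject="ATTACKER-PC")   # signature no longer matches
    return {
        "enrolled peer": host.receive(good, "SMB read", now),
        "no certificate (worm host)": host.receive(None, "exploit payload", now),
        "forged certificate": host.receive(forged, "exploit payload", now),
        "expired certificate": host.receive(expired, "print job", now),
        "revoked certificate": host.receive(revoked, "old laptop", now),
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:28s} -> {'processed' if accepted else 'ignored'}")
```

The point of the demo is the last four rows: a machine that was never enrolled, one presenting a tampered certificate, one whose certificate has lapsed and one the CA has revoked are all ignored by the protected host, which is why an exploit arriving from an unmanaged machine never reaches the application layer. In a real deployment the equivalent checks (chain validation, expiry, CRL or OCSP) are done by the IKE daemon rather than by your own code.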
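The IDS item above says such systems rely on heuristics rather than vendor definitions. As an added example (not code from the article or from any particular IDS product), here is one such heuristic run over constructed firewall log lines: a source touching many hosts on one port inside a short window is flagged as a horizontal scan, and a source touching many ports on one host as a vertical scan. The log format, addresses, thresholds and window are all assumptions made for the demonstration.

```python
"""Heuristic scan detection over firewall log lines.

Added example, not code from the article. It shows the kind of behavioural
heuristic an IDS applies without needing a signature: one source touching
many hosts on one port (horizontal scan) or many ports on one host (vertical
scan) inside a short window. The log format and all addresses are constructed.
"""
import re
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

# Constructed sample: one horizontal scan, one vertical scan, benign web traffic,
# and one unparseable line to show the parser skipping it.
SAMPLE_LOG = [
    f"2006-10-27T08:00:{s:02d} src=10.0.5.20 dst=10.0.1.{h} dport=445 proto=tcp action=drop"
    for s, h in zip(range(1, 7), range(10, 16))
] + [
    f"2006-10-27T08:01:{s:02d} src=10.0.5.21 dst=10.0.1.10 dport={p} proto=tcp action=drop"
    for s, p in zip(range(0, 12, 2), (21, 22, 23, 25, 80, 443))
] + [
    "2006-10-27T08:02:00 src=10.0.5.30 dst=10.0.1.10 dport=80 proto=tcp action=allow",
    "2006-10-27T08:02:05 src=10.0.5.30 dst=10.0.1.10 dport=80 proto=tcp action=allow",
    "garbage line that does not parse",
]


def parse_line(line):
    """Returns a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    d["dport"] = int(d["dport"])
    return d


def detect_scans(lines, window_s=60, host_threshold=5, port_threshold=5):
    """Raises one alert per (source, port) horizontal scan and per
    (source, host) vertical scan observed inside a trailing time window."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    alerts, seen = [], set()
    for i, ev in enumerate(events):
        # Events from the same source inside the trailing window (O(n^2), fine for a demo).
        recent = [
            x for x in events[: i + 1]
            if x["src"] == ev["src"] and (ev["ts"] - x["ts"]).total_seconds() <= window_s
        ]
        hosts = {x["dst"] for x in recent if x["dport"] == ev["dport"]}
        key = ("horizontal", ev["src"], ev["dport"])
        if len(hosts) >= host_threshold and key not in seen:
            seen.add(key)
            alerts.append({"type": "horizontal", "src": ev["src"], "dport": ev["dport"],
                           "count": len(hosts), "at": ev["ts"].isoformat()})
        ports = {x["dport"] for x in recent if x["dst"] == ev["dst"]}
        key = ("vertical", ev["src"], ev["dst"])
        if len(ports) >= port_threshold and key not in seen:
            seen.add(key)
            alerts.append({"type": "vertical", "src": ev["src"], "dst": ev["dst"],
                           "count": len(ports), "at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

Run as is, the sample produces exactly two alerts, one of each type, and the benign repeated web requests from 10.0.5.30 produce none. The thresholds are deliberately the tunable part: a real IDS exposes them because the same heuristic that catches a worm probing port 445 across a subnet will also fire on a legitimate vulnerability scanner, and the forensic value the item mentions comes from keeping the underlying events, not just the alerts.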
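Two items in the list, VLANs as the basis for segmentation and a stateful firewall at the boundary, are easiest to see together. The following is an added example (not code from the article, and not any vendor's firewall) that models a filter sitting between a "clients" VLAN and a "servers" VLAN: the VLANs define zones, a policy says which zone may open connections to which on which ports, and the stateful part admits a packet only when it belongs to a connection that policy already allowed. The subnets, ports and packets are constructed, and TCP is simplified to "SYN or not SYN".

```python
"""Stateful packet filter between two VLANs, modelled in Python.

Added example, not code from the article. VLANs define zones (a 'clients'
and a 'servers' VLAN here); the stateful firewall only admits a packet if it
belongs to a connection that the policy allowed to be opened. Subnets, ports
and packets are constructed for the demonstration; TCP is simplified to
'SYN or not SYN'.
"""
from dataclasses import dataclass

# Constructed VLAN layout: address prefix -> zone name.
VLAN_ZONES = {"10.0.1.": "servers", "10.0.5.": "clients"}

# Which zone may open connections to which, and on which destination ports.
NEW_CONNECTION_POLICY = {
    ("clients", "servers"): {80, 443, 445},   # web and file access
    ("servers", "servers"): {389, 445},       # directory and file replication
    # no ("servers", "clients") entry: servers never open connections to clients
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool   # True only for the first packet of a new TCP connection


def zone_of(ip: str) -> str:
    """Maps an address to its VLAN zone; anything unrecognised is 'unknown'."""
    for prefix, zone in VLAN_ZONES.items():
        if ip.startswith(prefix):
            return zone
    return "unknown"


class StatefulFirewall:
    def __init__(self):
        self.established = set()   # (src, sport, dst, dport) of admitted flows

    def filter(self, pkt: Packet) -> str:
        """Returns 'allow' or 'deny' and records newly admitted connections."""
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.established or reverse in self.established:
            return "allow"   # part of a connection we already admitted
        if not pkt.syn:
            return "deny"    # unsolicited traffic with no matching state
        allowed_ports = NEW_CONNECTION_POLICY.get(
            (zone_of(pkt.src), zone_of(pkt.dst)), set())
        if pkt.dport in allowed_ports:
            self.established.add(forward)
            return "allow"
        return "deny"


def demo():
    """Walks a few packets through one firewall instance, in order."""
    fw = StatefulFirewall()
    return {
        "client opens HTTPS to server":
            fw.filter(Packet("10.0.5.20", 50000, "10.0.1.10", 443, syn=True)),
        "server replies on that connection":
            fw.filter(Packet("10.0.1.10", 443, "10.0.5.20", 50000, syn=False)),
        "client opens RDP to server":
            fw.filter(Packet("10.0.5.20", 50001, "10.0.1.10", 3389, syn=True)),
        "server opens SMB to client":
            fw.filter(Packet("10.0.1.10", 50002, "10.0.5.20", 445, syn=True)),
        "stray non-SYN packet to client":
            fw.filter(Packet("10.0.1.11", 445, "10.0.5.20", 50003, syn=False)),
        "unknown zone opens HTTP to server":
            fw.filter(Packet("192.0.2.7", 50004, "10.0.1.10", 80, syn=True)),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:36s} -> {verdict}")
```

The second row is the one a stateless packet filter cannot get right: the server's reply is admitted only because the client's SYN created state, while the fourth and fifth rows show that a compromised server cannot reach back into the client VLAN, whether it tries to open a new connection or just sends a stray packet. Note that the policy is keyed on zones, not individual hosts, which is what the VLAN item means by limiting the scope of stringent rules to the critical areas.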

Click here for other pieces in the "Containing zero-day threats" series:
Define server roles, counterattack zero-day threats

About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.
