Sunday, November 27, 2005

Reduce vulnerability by limiting your network's reach

Attackers operating from large blocks of network addresses have recently used zero-day exploits to steal financial data. They used the exploit to transmit an individual's financial information to a country with a poor record of tracking and prosecuting Internet criminals.

I won't mention the name of the country, but these networks are beyond the law enforcement boundaries of most civilized nations. How do you prevent hackers from performing such an attack on your organization's network?

You can regain control of your network by answering a few questions about the purpose of your organization's network:

  • Do we have a global business?
  • Is our business local or regional?
  • Do our internal users need access to every network on the planet?

Answering these questions can greatly limit your company's exposure to attacks beyond the reach of law enforcement in your country. If your business is local or regional, you only need to worry about who else is in your area of the world.

Do your research

The Internet is a big place, but one organization coordinates its address space: the Internet Assigned Numbers Authority (IANA). IANA divides the public IP address space among the Regional Internet Registries (RIRs), which in turn distribute blocks of IP addresses within their regions.

There are four RIRs:

By performing a little bit of detective work at each RIR's site, you can determine which IP addresses are allocated to each country or region.

Combining this information with your answers to the questions about the purpose of your organization's network, you can begin to diminish your vulnerability to hostile networks and concentrate on serving your organization's target communities.

Limit network exposure

Let's look at an example. If a business network serves only the European community, then you could block every IP address at the network boundary that doesn't originate from this area. For example, you would block everything except the following networks:

62.0.0.0 - 62.255.255.255
80.0.0.0 - 80.255.255.255
81.0.0.0 - 81.255.255.255
82.0.0.0 - 82.255.255.255
83.0.0.0 - 83.255.255.255
84.0.0.0 - 84.255.255.255
85.0.0.0 - 85.255.255.255
86.0.0.0 - 86.255.255.255
87.0.0.0 - 87.255.255.255
88.0.0.0 - 88.255.255.255
193.0.0.0 - 193.255.255.255
194.0.0.0 - 194.255.255.255
195.0.0.0 - 195.255.255.255
196.200.0.0 - 196.207.255.255
212.0.0.0 - 212.255.255.255
213.0.0.0 - 213.255.255.255
217.0.0.0 - 217.255.255.255

Apply this block or access list to both inbound and outbound traffic. In addition, integrate this strategy into any existing blocks or filters for services you already have in place.
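As an added worked example (this is not code from the original post), here is how a boundary filter built from the post's European ranges can be expressed and checked. It converts each first/last pair above into CIDR prefixes, answers whether a given peer address is permitted, applies that decision to inbound traffic by source address and to outbound traffic by destination address, and renders the equivalent iptables rules. The iptables target and a Linux boundary host are assumptions, and the sample flows are constructed.

```python
import ipaddress

# Address ranges copied from the post's example of networks a Europe-only
# business would still permit; everything else is blocked.
ALLOWED_RANGES = [
    ("62.0.0.0", "62.255.255.255"),
    ("80.0.0.0", "80.255.255.255"),
    ("81.0.0.0", "81.255.255.255"),
    ("82.0.0.0", "82.255.255.255"),
    ("83.0.0.0", "83.255.255.255"),
    ("84.0.0.0", "84.255.255.255"),
    ("85.0.0.0", "85.255.255.255"),
    ("86.0.0.0", "86.255.255.255"),
    ("87.0.0.0", "87.255.255.255"),
    ("88.0.0.0", "88.255.255.255"),
    ("193.0.0.0", "193.255.255.255"),
    ("194.0.0.0", "194.255.255.255"),
    ("195.0.0.0", "195.255.255.255"),
    ("196.200.0.0", "196.207.255.255"),
    ("212.0.0.0", "212.255.255.255"),
    ("213.0.0.0", "213.255.255.255"),
    ("217.0.0.0", "217.255.255.255"),
]


def ranges_to_networks(ranges):
    """Convert first/last address pairs into the minimal list of CIDR prefixes."""
    networks = []
    for first, last in ranges:
        networks.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return networks


ALLOWED_NETWORKS = ranges_to_networks(ALLOWED_RANGES)


def is_permitted(ip):
    """Return True if ip falls inside one of the permitted prefixes.

    Anything that does not parse, or is not IPv4, is denied: the post's
    allowlist covers IPv4 only, so an IPv6 peer gets the default deny.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    if addr.version != 4:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def classify_flows(flows):
    """Apply the allowlist to (direction, address) pairs from a log or capture.

    Inbound flows are judged by source address, outbound flows by destination,
    which is what applying the list in both directions means at the boundary.
    """
    return [(direction, addr, "permit" if is_permitted(addr) else "deny")
            for direction, addr in flows]


def render_iptables_rules(networks=None):
    """Emit iptables rules (assumed Linux boundary host) that accept the
    permitted prefixes in both directions and drop everything else."""
    networks = ALLOWED_NETWORKS if networks is None else networks
    rules = []
    # Inbound: match on source address, then default deny.
    rules += [f"iptables -A INPUT -s {net} -j ACCEPT" for net in networks]
    rules.append("iptables -A INPUT -j DROP")
    # Outbound: match on destination address, then default deny.
    rules += [f"iptables -A OUTPUT -d {net} -j ACCEPT" for net in networks]
    rules.append("iptables -A OUTPUT -j DROP")
    return rules


if __name__ == "__main__":
    # Constructed sample flows, not real traffic.
    sample = [("in", "62.1.2.3"), ("in", "198.51.100.7"),
              ("out", "196.203.1.1"), ("out", "196.208.0.1")]
    for direction, addr, verdict in classify_flows(sample):
        print(f"{direction:3} {addr:16} {verdict}")
    print("\n".join(render_iptables_rules()))
```

The generated rule set is default deny in both directions, so any service your users need that is hosted outside the permitted region (DNS resolution, software updates, and the like) has to be added as an explicit exception ahead of the final DROP, and the prefix list has to be refreshed as the RIRs allocate new blocks.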

This simple strategy defines the business area of your network, and it reduces your organization's exposure to hostile attacks.
