NIST SP 800-137

From: Government Security News

By: Neil Harrington

Botnet infections, denial of services, exfiltration of data — these threats are all par for the course in cyber space, and they’re only increasing in frequency and sophistication, threatening our most critical networks. Protecting these networks may seem to be a daunting task, but with constant vigilance, solid policies and best practices — as well as a layered approach to the security architecture itself — network operators can meet these threats head-on.

A fundamental tenet: Configuration management

Whether a peer review or a configuration control board, solid configuration management processes should be in place to ensure that all changes to the network are reviewed and approved prior to deployment. In any case, the separation of duties should be such that the person making the change should not be the person approving the change.

Each change should include a communication plan and a backup or fallback plan, and should encompass deployment of network elements (routers, switches, servers, firewalls and IPS) and network changes (route changes, adding/removing applications, service changes and cable plant changes).

In order to be effective, the configuration management program should be augmented with tools that enforce security polices, such as separation of duties, multi-factor user authentication and role-based authorization. The tools should provide support for enforcing the use of “golden configuration” templates by device type, as well as automatically detecting configuration changes. Continuous monitoring should be in place to assess the impact of any change to the network — good or bad.

Building a secure network architecture

In the past, perimeter defenses were sufficient to protect the internal network, but this is no longer the case. Building a secure network today requires a different way of thinking. In a secure network, every network element must be self-sufficient and self-protected, and must provide feedback to the security and management systems. Rigid control plane, management plane, and data plane architectures should be adopted, and tools should be in place to enforce the policies for each plane.

Control plane

The control plane is where network elements exchange signaling and control information, such as routing topology data. The control plane of a network should be sourced to specific loopback interfaces and should be addressed from specific subnets that are not part of the main routed infrastructure of the data plane. Where possible, the control plane should be a separate out-of-band network. Each network element should have a single control plane interface. Control plane traffic should be limited to signaling and control functions only.

For example, route announcements and network peering activity should be the only traffic permitted over the control plane of a routed network. All control plane connections should be limited to known sources and destinations only, and be mutually authenticated before accepting any traffic.

There is never a valid reason for a user connection to the control plane interface. All connection attempts should be logged, and alerts should be sent to the network management and security systems for analysis and event correlation. Any successful connection should be scrutinized for malicious intent and violation of configuration management policies.

Adherence to a rigid control plane configuration management policy is critical for protecting the network infrastructure. A compromise of the control plane is catastrophic, and puts the entire network at risk. Continuous monitoring should be in place to monitor the security of the network and compliance with control plane policies.

Management plane

The management plane is used to perform routine maintenance and management of network elements. It is where health and welfare status information of the network elements is communicated. The management plane of a network should be sourced to separate loopback interfaces and should be addressed from specific subnets that are not part of the main routed infrastructure of the data plane. Where possible, the management plane should be a separate out-of-band network.

Each network element should have a single management plane interface. Management plane traffic should be limited to network management functions, such as SNMP access, secure shell sessions from network management systems, and configuration management systems. As an example, code upgrades, configuration changes and SNMP traffic should be permitted over the management plane interface. However, no user data or signaling and control data is permitted over the management plane interface.

All connection attempts to the management plane interface should be logged. Failed connection attempts should generate alerts to the network management and security systems for analysis and event correlation.

Again, adherence to a rigid management plane configuration management policy is critical for protecting the network infrastructure, and could be catastrophic if compromised.

Data plane

The data plane is sometimes considered the “Wild West” of the network, and is where all of the user traffic traverses the network. While it may be the Wild West in terms of unstructured user traffic, there are some policies that must be applied to the data plane of the network, including permitted protocols, connections and applications, as well as specific proxy services and DMZ/enclave processing.

In a routed network, no end-user connections should be permitted to the data plane interfaces, as it is intended to pass traffic only. All connection attempts should be logged, and alerts sent to the network management and security systems for analysis and event correlation. Any successful connection should be scrutinized for malicious intent and violation of configuration management policies.

While server farms have a management plane and potentially a control plane, most of the interfaces reside in the data plane. Network clients also reside in the data plane. A structured IP addressing and naming scheme should be used for both clients and servers. Client and server connections should be base-lined and profiled, so that at any given time there is an expected connection set and server volume. Deviations above or below the expected connection set or volume should generate alerts and be sent to the network management and security systems for analysis and event correlation.

Each server operating on the data plane should have a known set of services, ports, protocols and interfaces permitted on the network. All unnecessary interfaces and services should be shut down. Each server should be configured to ensure unauthorized interfaces and services are not started when the system is initialized. A continuous monitoring system should be in place to identify unauthorized servers or services as soon as they appear on the network. Unauthorized services entering the network should be logged, and alerts sent to the network management and security systems for analysis and event correlation.

… and everything else

There are a number of other actions that should be taken to ensure the safety of the network. Some are vendor-specific, while others are concepts dependent on specific network architecture and implementation. These include:

• Unicast Reverse Path Forwarding (uRPF) validates that packets are received on the expected interface from the expected source path. This helps prevent IP spoofing.
• Don’t advertise the IP addresses of the point-to-point connections between your network and the network service provider. Those point-to-point connections (particularly Internet gateway connections) do not need to be exposed to the routing infrastructure and could serve as an entry point for further compromises.
• Build a routing profile and monitor for changes. Every routed IP network has specific paths where traffic flows. If the traffic flow varies from the normal routing profile, it could indicate a problem and should be investigated.
• Enable Cisco Express Forwarding (CEF) on Cisco routers. When enabled on the IP backbone of a large enterprise network, CEF adds an additional element of security to the routing infrastructure by building and maintaining adjacency tables for the backbone of all known routes.

Indeed, keeping critical networks safe is a daunting task, but far from impossible. Securing any network requires a layered approach to security, which includes perimeter defenses and end-point security, augmented by strong policies, best practices and constant vigilance.

Neil Harrington is the director of product management for the NarusInsight Analytics solutions at Narus.