Enterprise Security Tip #1: Keep a Watchful Eye on Web Traffic
Welcome to the first post in the SML Enterprise Security Tips series. In this post, we’re going to discuss a danger present in many enterprise networks: HTTP port and protocol abuse.
Let’s start with a scenario. Like all good security administrators, you have installed a firewall between your internal network and the Internet, and you’ve configured the firewall to allow only those services required by your employees, customers, and partners. One day, you notice an unusually large amount of traffic originating from a desktop on your internal network to a single host on the Internet. You inquire with the user of the computer, but he knows nothing about what’s going on. Fearing that the computer has been compromised, you remove it from the network. You later hear about a large distributed denial of service (DDoS) attack against a high-profile U.S. government agency. After further inspection of your firewall logs, you realize that your host was likely involved in the attack.
When setting up your firewall, you configured it to block incoming connections to all hosts except those in your DMZ. For added security, you explicitly blocked all outbound access from your internal network to the Internet, and enabled only those services required for day-to-day operations. So how was the desktop compromised? Here’s a likely scenario – using a phishing email sent to a personal webmail account, Joe H. Acker, a skilled cyber criminal, tricked an employee within your organization into clicking a malicious link to a drive-by download website. A script on the website instructed the employee’s web browser to download and execute a small application that exploited a newly discovered vulnerability in the desktop operating system. The malware then “phoned home” to a web server on the Internet and was given instructions to launch a denial of service (DoS) attack. All of this occurred over TCP ports 80 and 443, the network ports assigned to the Hypertext Transfer Protocol (HTTP) and to HTTP over TLS (HTTPS). Because the HTTPS traffic was encrypted, the firewall could see the destination and the volume but not the commands being exchanged.
The attack succeeded in part because your firewall allows outbound web requests. Attackers know that most organizations allow internal hosts to make outbound HTTP and HTTPS connections, and they have devised methods for communicating with internal hosts using these protocols. This problem isn’t limited to HTTP/HTTPS either. Attackers have been known to leverage other commonly permitted ports and protocols, such as DNS (TCP and UDP port 53) and ICMP, to carry command-and-control traffic and stolen data through firewalls. (Note: When one protocol is encapsulated within another to bypass firewall restrictions, the process is known as protocol tunneling. DNS tunneling, for example, typically encodes data in long, high-entropy hostnames under a domain the attacker controls.)
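As an added example (not code from the original post), here is a Python script that implements the two checks this scenario relies on: the outbound-volume review of firewall logs that exposed the compromised desktop, and a heuristic for the DNS tunneling just mentioned. The log line formats, the IP addresses and the query names are constructed for this example, and the thresholds are assumptions that should be baselined against your own traffic.

```python
"""Two checks for HTTP/HTTPS and DNS abuse, run over constructed log lines."""
import math
import re
from collections import Counter, defaultdict

# Constructed sample firewall log (not from the original post).  The line format
# is an assumption for this example:
#   "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <bytes_out>"
FIREWALL_LOG = """\
2024-03-04T09:00:01 10.0.5.40:50211 -> 198.51.100.7:443 tcp 8120
2024-03-04T09:00:03 10.0.5.40:50212 -> 198.51.100.9:80 tcp 4400
2024-03-04T09:00:05 10.0.5.23:51234 -> 203.0.113.10:443 tcp 6291456
2024-03-04T09:00:06 10.0.5.23:51235 -> 203.0.113.10:443 tcp 6291456
2024-03-04T09:00:07 10.0.5.23:51236 -> 203.0.113.10:80 tcp 6291456
2024-03-04T09:00:08 10.0.5.23:51237 -> 203.0.113.10:80 tcp 6291456
2024-03-04T09:00:09 10.0.5.23:51238 -> 203.0.113.10:443 tcp 6291456
2024-03-04T09:00:11 10.0.5.40:50213 -> 198.51.100.7:443 tcp 15300
2024-03-04T09:00:12 10.0.5.23:51239 -> 203.0.113.10:8080 tcp 900
"""

FW_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<proto>\w+) (?P<nbytes>\d+)$"
)


def heavy_web_talkers(log, byte_threshold=20 * 1024 * 1024, web_ports=(80, 443)):
    """Sum outbound bytes per (src, dst) pair on the web ports and return the
    pairs at or above byte_threshold, largest first, as
    (src, dst, total_bytes, connection_count).  Non-web ports are ignored."""
    totals = defaultdict(lambda: [0, 0])  # (src, dst) -> [bytes, connections]
    for line in log.splitlines():
        m = FW_LINE.match(line)
        if not m or m["proto"] != "tcp" or int(m["dport"]) not in web_ports:
            continue
        pair = totals[(m["src"], m["dst"])]
        pair[0] += int(m["nbytes"])
        pair[1] += 1
    hits = [(s, d, b, c) for (s, d), (b, c) in totals.items() if b >= byte_threshold]
    return sorted(hits, key=lambda h: h[2], reverse=True)


# Constructed DNS query log.  10.0.5.23 also issues ordinary lookups, so the
# check groups by (client, registered domain) rather than by client alone.
DNS_LOG = """\
2024-03-04T09:00:01 10.0.5.40 query www.example.com
2024-03-04T09:00:02 10.0.5.40 query mail.example.com
2024-03-04T09:00:02 10.0.5.40 query cdn-assets-03.example.com
2024-03-04T09:00:03 10.0.5.23 query www.example.com
2024-03-04T09:00:04 10.0.5.23 query 0f1e2d3c4b5a69788796a5b4c3d2e1f0.tunnel.example.net
2024-03-04T09:00:04 10.0.5.23 query a1b2c3d4e5f609877890f6e5d4c3b2a1.tunnel.example.net
2024-03-04T09:00:05 10.0.5.23 query 5e9a0c3f7b1d28466482d1b7f3c0a9e5.tunnel.example.net
2024-03-04T09:00:05 10.0.5.23 query c4a8e2f6b0d1593773951d0b6f2e8a4c.tunnel.example.net
2024-03-04T09:00:06 10.0.5.23 query 82fd4b06ace1359779531eca60b4df28.tunnel.example.net
2024-03-04T09:00:06 10.0.5.23 query d7e3b9f5a1c6048228406c1a5f9b3e7d.tunnel.example.net
"""

DNS_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) query (?P<qname>\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for 'www', 4.0 for balanced hex)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dns_tunnel_suspects(log, min_unique=5, min_len=20, min_entropy=3.5):
    """Flag (client, registered domain) groups whose leftmost labels look like
    encoded data: many distinct labels that are long and high-entropy.
    Returns (src, domain, unique_labels, mean_len, mean_entropy) tuples."""
    labels = defaultdict(set)
    for line in log.splitlines():
        m = DNS_LINE.match(line)
        if not m:
            continue
        parts = m["qname"].lower().rstrip(".").split(".")
        if len(parts) < 3:
            continue  # nothing below the registered domain to inspect
        # Assumption: the registered domain is the last two labels.  Production
        # code should consult the public suffix list (e.g. for co.uk) instead.
        labels[(m["src"], ".".join(parts[-2:]))].add(parts[0])
    hits = []
    for (src, domain), seen in labels.items():
        if len(seen) < min_unique:
            continue
        mean_len = sum(len(lab) for lab in seen) / len(seen)
        mean_ent = sum(shannon_entropy(lab) for lab in seen) / len(seen)
        if mean_len >= min_len and mean_ent >= min_entropy:
            hits.append((src, domain, len(seen), mean_len, mean_ent))
    return hits


if __name__ == "__main__":
    for hit in heavy_web_talkers(FIREWALL_LOG):
        print("heavy web talker:", hit)
    for hit in dns_tunnel_suspects(DNS_LOG):
        print("possible DNS tunnel:", hit)
```

On the sample data the first check returns the single pair 10.0.5.23 to 203.0.113.10 (30 MiB over five connections; the port 8080 flow is ignored), and the second flags 10.0.5.23’s queries under example.net while leaving the ordinary lookups alone. In practice, compare each host against its own baseline rather than a fixed byte count, and cross-check flagged destinations against your proxy logs and threat intelligence before pulling a machine off the network.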
Now you’re probably saying to yourself, “Wait a minute, I can’t block access to the Web. My users require web access to conduct business.” For most companies, completely blocking web traffic is not an option, so what can you do to protect yourself? Here’s a list of products that can help prevent and mitigate attacks over HTTP and HTTPS:
- Desktop firewalls – Possibly the most effective tool for blocking unwanted communication, desktop firewalls can block outbound connection attempts by malicious software, ideally allowing only the browser and other approved applications to reach ports 80 and 443. However, if you provide your users with administrative access to desktops or servers, they (or malware running with their privileges) can easily bypass or disable the desktop firewall restrictions.
- Secure web gateways – A secure web gateway protects users from web-based threats by intercepting and inspecting web traffic at the application layer to identify and block malicious activity. Most secure web gateways also block access to known malware websites, and many can inspect HTTPS by terminating TLS on the gateway, which is the only way to see what an encrypted “phone home” session actually carries. In addition, secure web gateways provide more centralized control and enforcement of your Internet security policy.
- Intrusion prevention systems (IPSes) – Similar in operation to secure web gateways, intrusion prevention devices inspect and block malicious traffic. They typically provide a broader range of protection against network-based threats, but with less specific focus on web-borne threats. In addition, IPSes can detect abuses of non-web protocols, such as DNS tunneling.
- Data loss prevention (DLP) appliances – The primary goal of a DLP appliance is to detect and prevent the leakage of confidential information from your network, particularly over commonly used communication channels, such as web, email, and online chat programs. If an attacker manages to compromise a host within your organization, a DLP appliance may prevent the attacker from transmitting sensitive data out of your network.
Each of these options has its advantages and disadvantages, and a complete solution will likely incorporate more than one product. The number, type, and placement of products will depend on your network environment and communication needs.
Categories: Information Leakage, Network Security, SML Enterprise Security Tips



