Network Security in the twenty-first century is one of the critical aspects for the effective management and protection of the enterprise data alongside its sustained operations (Stallings, 2007). This is naturally because of the fact that the threat for network security has increased from passive attacks to active breach of the security through exploiting the vulnerabilities of the network and its set-up as argued by McClure et al, 2007. This makes it clear that apart from the traditional security measures in and organization, it is essential to launch a pro-active approach to identify and prevent attacks on the network. In this report a critical review on the application of proactive network defence techniques to help identify and prevent security attacks to enable network defence is presented to the reader.
2. What is Proactive Network Defence?
The proactive network defence strategy as opposed to the traditional network security differs mainly in its application within a given network. This is because of the fact that the proactive network defence strategy is predominantly involved in the process of analysing incoming communication and data transfer within the organization’s network to identify patterns for virus attack or security breach outside the purview of the virus definitions that are normally handled by anti-virus software used. This makes it clear that the application of the pro-active network defence strategy in an organization mainly focused on identifying and preventing new virus patterns, Trojan programs, etc., as opposed to handling the existing virus definitions (Todd and Johnson, 2001). Todd and Johnson (2001) further argues that the network attacks by hackers and other unauthorised users is mainly through exploiting the vulnerabilities in the existing set-up of a network and the programs used for communication etc., This makes it clear that the use of the proactive network defence strategy is a key requirement to assess the communication infrastructure and the protocols used on a regular basis to identify potential vulnerabilities through constant analysis in order to help prevent malicious attacks exploiting such vulnerabilities (McClure et al, 2007). Some of the key proactive network defence strategies are discussed with examples in the subsequent sections of this report.
The application of proactive network defence can be accomplished through implementing a set of applications that are targeted to perform network data analysis and performance analysis on the network as well as the computers connected to the network. This strategy will help feed the network security definitions with potential threats to the network thus enabling the organization to update the network security policies by an organization. Another critical factor associated with the network security and proactive defence approach is the increasing need for sustainability over disaster recovery for uninterrupted operations of the core business processes.
This makes it clear that the implementation of proactive network defence strategies through continuously monitoring the network traffic will help achieve the desired level of network defence against external attacks.
The level of threats faced by a network varies with the extent to which its vulnerabilities are visible to the hackers and the nature of the information being handled.
3. Event Correlation
This is deemed to be one of the key elements of proactive network defence as the events leading to the security attack like a Denial of Service (DoS) Attack when analysed online can help prevent the attack rather than repair the damage post-recovery of the attack (Hariri et al, 2005). This process is mainly the ability to use the proactive network defence system to analyse the network data and the events handled by an application as part of the network communication in order to identify patterns of unusual nature that can affect the network defence as argued by Todd and Johnson (2001).
One of the key areas where event correlation online is necessary would be the ICMP attacks and the DoS attacks mentioned above. In these cases the major vulnerability of the network is the ability of the attacker to exploit the basic nature of the protocol architecture and logical conditions that lead to the handshake and subsequent communication between the parties involved. The spoofing and flooding attacks that exploit the network layer protocol communication vulnerabilities associated with the handshake process.
The sequence of events that lead to the successful attack are mainly associated with the network switch or the hub failing to recognise the malicious user in the handshake process resulting in the transfer of data to the unauthorised user. The events correlation at the network level on the hub will help analyse the series of events in the handshake process raised by the unauthorised user just by identifying the level of communication ports dedicated to the channel for communication thus helping prevent such an attack at the network level.
Apart from the case of spoofing and flooding at the network layer protocol attacks, the process of event correlation is one of the critical components of proactive network defence owing to the fact that the communication vulnerabilities is evident at all the communication layers of the TCP/IP model as well as the applications using them for communication as argued by Conway (2004) (2004).
This is naturally because of the fact that the event correlation is one of the major elements that help identify new Trojan programs that have infiltrated the firewall. Once the events are recorded, a correlation either linear or non-linear would help identify potential threats to the network by identifying
Vulnerabilities in the network
The programs that have exploited such vulnerabilities
The events leading to the threat
Upon identifying the above, a network administrator can successfully prevent the attack by updating the security policies and virus definitions of the network’s anti-virus program.
Another example for the case above will be the Pine e-mail program in UNIX and Linux Machines that generated temporary file a user was editing an e-mail message (Howard and Whittaker, 2005). The event correlation process can help identify the sequence of events associated with the access of the temporary files by unauthorised users. The above example also justifies that the communication level security vulnerability is not the only issue but also the actual software application that is utilising the communication protocol (Conway, 2004).
4. Real-time Analysis and Event logging
The process of real-time analysis is deemed to be one of the key aspects of proactive network defence. This is necessary because both the software application vulnerability and the network vulnerability. The real-time analysis as argued by Hariri et al (2005) is mainly performed as a listener service that is dedicated to capture the events as they occur whilst analysing them against the logged events from either a database-based application or the event logs that are generated by the operating system. This is the process that can help control the network attacks as the comparison with the historic events is one of the key aspects associated with identifying planned attacks on a network as argued by Hariri et al (2005). The use of the real-time analysis of the events along with using the existing set of events is indeed a memory rich and processor demanding process. Hence the implementation of this procedure across a wide network would require effective configuration of the available resources in order to optimize the network performance for running the enterprise applications.
The implementation of the real-time analysis strategy as part of the proactive network defence is deemed to be an advanced level of security implementation purely due to the fact that the resources consumed and the nature of the requirement to prevent the slightest attack on the network. This makes it clear that the real-time analysis with correlation to the archive events in either the event logs or database is not an option for small and medium enterprises whilst the real-time analysis in itself is a powerful tool that can help fend the network attacks effectively in a proactive manner.
One of the major areas where the real-time analysis is applicable is the case of spyware (Luo, 2006). The case of spyware is predominantly dependant on the ability to mask the events and listen into the target computer/network without the knowledge of the user. The use of the real-time analysis of the events will help identify patterns that can be assessed in order to identify potential spyware that are running in the computer. The use of real-time analysis as part of the proactive network defence will also help identify critical issues associated with the network performance as the primary aim of attackers is the de-stabilise the network. The use of the real-time analysis to review the network performance will help prevent the infiltration of hackers through the use of listeners programs on the transport layer and network layer protocols either through opening an additional communication port or through flooding the communication ports with malicious handshake requests.
Attacks like Tiny Fragment Attack which is targeted on the TCP protocol through exploiting the filtering rules of the protocol algorithm can be identified effectively using the real-time analysis. The use of appropriate conditions on identifying the filtering rules’ manipulation in the real-time analysis will help achieve the desired level of network defence whilst preventing the exploitation of the TCP protocol rules.
Spyware related attacks that threaten the corporate environment heavily as argued by Lou (2006) can be identified and prevented effectively using the proactive network defence strategies. The real-time analysis strategy of proactive network defence will help accomplish the desired level of network defence whilst continuously analysing the data transferred across the network.
5. Access Control and Network Immunity
The use of the access control and network immunity in a network defence strategy is one of the major areas where the network security can be maintained whilst preventing the unauthorised access to the network/network resources as argued by Hariri et al (2005). The proactive network defence strategy in an organization though event correlation and real-time analysis can be achieved effectively through enabling a robust access control policy across the network as argued by Conway (2004). This owing to the fact that the code hacking targeted on the TLS and SET protocols of the TCP/IOP protocol stack can be identified through analysis through the effective use of the access control policies as argued by Conway (2004). This is plausible by integrating the real-time analysis with the access control policies of the network thus providing the ability to handle exceptions and violations to the network access for a given user registered with the network.
It is further critical to appreciate the fact that the major vulnerability within a network is the access control which when not implemented effectively will provide room for the registered users to exploit their network access rights. Role-Based Access control that is deemed to be a logical and proactive measure to prevent the malicious access to the information whilst enabling robust access control policy is one of the strategies that can help achieve proactive network defence. The combined use of the real-time analysis and the Role-Based Access Control methodology will help accomplish proactive network defence against external as well as internal attacks on the network.
Application penetration as argued by Howard and Whittaker (2005) is one of the major areas where the network immunity strategy can help achieve proactive network defence against malicious attacks on the network. As the inherent weaknesses of the application when identified by the hacker to use for his/her benefit will result in the network being attacked from the core through the application, it is necessary to implement strategies like the aforementioned in order to enable reliable network security. This process is also evident in the case of throughput-based attacks on the communication protocols like the Blind-Throughput reduction attack which can be used by the attacker to reduce the amount of data transferred on purpose when using ICMP protocols. The use of the network immunity through real-time analysis and the use of access control strategies will help draft a better appreciation of the issue faced by the network and the cause for the performance reduction. This when identified can be integrated to the existing security policies of the network in order to prevent abuse of the vulnerabilities within the network.
The case of through reduction attacks also accompany the threat of forcing the server computer to re-send the same message multiple times with reduction in the packet size owing to the inability of the destination to receive the packet. This strategy popularly known as the performance degradation attack by the hackers can have serious impact on the server performance due to the lack of the server to cater for more number of users can be identified through the use of proactive network defence strategies like real-time analysis and network immunity to ensure that the performance of the network as well as the computers connected to the network are not affected.
The use of event correlation and real-time analysis strategies will help identify the critical issues associated with the communication port related attacks on server computers like the TCP port 80 attacks can be identified and prevented effectively. As the port 80 is one of the key communication ports for TCP protocol in external communication, the exploitation of this vulnerability will affect the overall performance of the server computer being attacked thus resulting in performance degradation. The use of the proactive monitoring methods for network defence can help overcome these issues by identifying patterns through running correlation (linear or non-linear) to prevent new attacks targeted on such communication ports. The HTTP protocol which is a critical element in the Web-based applications for electronic commerce is another key application layer protocol that is targeted by hackers on specific communication ports of the computers involved in the communication.
6. Applied Proactive Network Defence and Protocol Attacks’ countermeasures
The countermeasures for protocol attacks specific to the vulnerability in each network communication protocols used for communication over the Internet are mainly reactive in nature. This is because of the fact that the countermeasures Port Randomization for Blind Connection Reset Attack etc., were set in place following an attack but not prevented through assessing the network communication architecture beforehand. In case of the use of the proactive network defence strategy, the key advantage is to use specific software algorithms to assess the existing network and perform a vulnerability check in order to identify the key areas where there will be potential external attacks. This approach will help prevent new attacks through enabling new virus definitions that handle exceptions raised through these attacks.
The applied proactive network defence strategy is deemed to be a continuously evolving strategy that can help identify and handle vulnerabilities in the network as well as the applications used in the network. This makes it clear that the effective use of the applied proactive network defence strategies will help realize the desired network security at an on-going basis as opposed to the traditional countermeasures approach which is mainly reactive in nature.
From the discussion presented above it is clear that the proactive network defence when applied across a given enterprise network will help achieve a dynamic network security management. However, the key element that must be appreciated is the fact that the network security must be enabled for the existing security threats using the security definitions and policies defined by the organization alongside the commercial software used for the network security. The continuous update of the virus definitions alongside the firewall configuration and security updates from the security software vendor is critical for the network security. The major advantage of the use of the proactive network defence strategy is the ability to identify patterns that may have been missed by the definitions from the security software vendor. The configuration of proactive network defence system to the security requirements specific to the organization’s network will help implement a layer of security over the otherwise reactive network security strategy. It is also critical to appreciate that the proactive network defence in an organization will help address not only the security related aspects of the network but provide a comprehensive support strategy by analysing the performance of the network and the server/nodes comprising the network. The applied proactive network defence strategy is thus a layer of security that can help effectively use the security software and network resources in an integrated fashion.