Monitoring your network, servers, or general devices is one of the most important aspects of overall systems security. I have reviewed many environments that simply put up a server and, when there is a problem, they do not know about it because of a lack of monitoring. When an attacker takes over, they don’t know about that either. We like to think that everything is running just fine because the server is responding, but monitoring goes beyond just a ping. It even goes beyond a port check to make sure a service is responding. True monitoring gets into the full flow of data through an application.
At the most basic level, a ping is better than nothing. Most general monitoring software implements a ping check. It is great for a simple check but not so great for security. Some security experts will even tell you to block ping for your servers or network nodes, but there is always a trade-off with security. If you block ping, you could break monitoring services that rely on it for status or uptime information. It could also hamper useful tools such as traceroute. From a security perspective it can be a layer of obscuring your servers, but it has other considerations. The first issue is the easier one to address. Generally speaking, if a server is on the network, it has a listening port to provide a service. Thus you can determine that a server is offline by checking that service, and no ping is needed. For the second issue, a more roundabout method can be used to check node-to-node connectivity using your network documentation. If you know that RouterA is supposed to talk to RouterB, check for a listening SSH port (or whatever service is documented) on RouterB, and repeat that throughout the network. In general terms, ping is not the worst thing to have, but if you really want to lock down the environment, disabling it does mean implementing workarounds.
Next up is the extremely useful and easy port check. Monitoring for a listening port is the bare minimum of server ownership. This type of monitoring gives you immediate information about the status: if you are the victim of a DDoS attack, you’ll know right away that your server is no longer responding. The same applies if the server goes offline, reboots, or a firewall change blocks the port. Many software suites such as Nagios or SolarWinds offer the ability to do a simple TCP connection to make sure the service is alive. This is where monitoring which ports are open on the server makes a large impact. The software will alert you to an issue, but there is an even better way to make sure your system is online and not compromised.
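Here is what the ping replacement from the previous two paragraphs looks like as a small Nagios-style check. This is an added example, not code from the original post or from Nagios or SolarWinds: it completes a TCP handshake to each documented host:port pair instead of sending ICMP, so ping can stay blocked without losing uptime visibility. The inventory entries, hostnames and addresses are constructed placeholders.

```python
"""Availability check by TCP connect instead of ICMP ping.

Added example, not from the original post. Hosts and ports below are
constructed placeholders; replace them with your own inventory.
"""
import socket
import sys

# Nagios-style exit codes, the convention most monitoring suites understand.
OK, CRITICAL = 0, 2


def check_tcp_port(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.

    A completed handshake proves the host is up and the service is
    listening, which is more than an ICMP echo reply tells you.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Covers refused, timed out, unreachable and DNS failures alike.
        return False


def check_inventory(inventory):
    """Check every (name, host, port) tuple; return the names that failed."""
    return [name for name, host, port in inventory if not check_tcp_port(host, port)]


def nagios_exit_code(failures) -> int:
    """Map a failure list to the exit code a monitoring suite expects."""
    return OK if not failures else CRITICAL


def open_local_listener():
    """Open a listener on an ephemeral loopback port (used for self-testing)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def main():
    # Constructed inventory. For node-to-node checks, pair each device with
    # the neighbour it is documented to reach (e.g. RouterA -> RouterB:22).
    inventory = [
        ("web-frontend", "www.example.com", 443),
        ("RouterB-ssh", "192.0.2.2", 22),
    ]
    failures = check_inventory(inventory)
    if failures:
        print("CRITICAL: not listening: " + ", ".join(failures))
    else:
        print("OK: all documented services reachable")
    sys.exit(nagios_exit_code(failures))


if __name__ == "__main__":
    main()
```

Run it from the monitoring host that is documented to reach each target; a CRITICAL from one probe point and OK from another tells you whether the problem is the service or the path.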
Monitoring the actual function of a site or the content of the service gets you full circle in verifying the status of the environment and the security of its setup. While website defacement is much less common these days, it’s still a good idea to keep an eye on the content of the website. I use websites as my example here as they are the most common target of a defacement attack. One method that seems to work OK on static websites is a simple md5sum. By running curl against the website home page, you can pipe the output to md5sum and get a fingerprint of the site. This is a process that might require frequent updates to the whitelisted string, but it is a starting point. The other option, which is much more involved but provides proof that a service is functional and not tampered with, is the submission of data and the retrieval of that data. For example, I set up a script that sent an email through my Exchange server to an email address outside of the environment. Then I had a second script that would get emails from the outside server and check the included security string and timestamp. This verified to me that my email server was not maliciously shut down, disabled, blocked, or otherwise toyed with.
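Both checks from the previous paragraph, as an added example rather than code from the original post. The post pipes curl into md5sum; this example substitutes SHA-256 for the fingerprint, which serves the same change-detection purpose. The round-trip probe models the "security string and timestamp" as an HMAC over the send time, so the outside checker only accepts messages that really came from the sender and arrived within a freshness window. The secret, page bodies and timestamps are constructed values.

```python
"""Content fingerprint and round-trip probe checks.

Added example, not code from the original post. SHA-256 stands in for the
md5sum used in the post; secret, bodies and timestamps are constructed.
"""
import hashlib
import hmac
import time
import urllib.request


def fingerprint(body: bytes) -> str:
    """Return a hex digest of a fetched page body."""
    return hashlib.sha256(body).hexdigest()


def fetch(url: str, timeout: float = 10.0) -> bytes:
    """Fetch a URL body (network call; not exercised by the self-test)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def content_matches(body: bytes, baseline_digest: str) -> bool:
    """True when the page still matches the whitelisted fingerprint.

    Any change, a legitimate edit or a defacement, trips the check, so the
    baseline has to be refreshed whenever the site is deployed.
    """
    return hmac.compare_digest(fingerprint(body), baseline_digest)


# Round-trip probe: a security string plus timestamp, as in the mail test.

def build_probe(secret: bytes, sent_at: int) -> str:
    """Create 'timestamp.tag' where tag is an HMAC over the timestamp.

    The HMAC is the security string: a message that merely looks like a
    probe is rejected, because only the sender knows the secret.
    """
    tag = hmac.new(secret, str(sent_at).encode(), hashlib.sha256).hexdigest()
    return f"{sent_at}.{tag}"


def verify_probe(probe: str, secret: bytes, now: int, max_age: int = 900) -> bool:
    """Accept a probe only if its tag is valid and it is at most max_age seconds old.

    A stale but valid probe means mail is queued or delayed; a bad tag means
    the message did not come from our sender.
    """
    try:
        sent_str, tag = probe.split(".", 1)
        sent_at = int(sent_str)
    except ValueError:
        return False
    expected = hmac.new(secret, sent_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False
    return 0 <= now - sent_at <= max_age


if __name__ == "__main__":
    # Constructed demo: baseline from a known-good body, then a changed body.
    good = b"<html><body>Welcome</body></html>"
    baseline = fingerprint(good)
    print("unchanged:", content_matches(good, baseline))
    print("changed:  ", content_matches(good.replace(b"Welcome", b"Changed"), baseline))

    secret = b"constructed-demo-secret"
    now = int(time.time())
    probe = build_probe(secret, now)
    print("fresh probe:", verify_probe(probe, secret, now + 60))
    print("stale probe:", verify_probe(probe, secret, now + 3600))
```

In practice the sender side puts `build_probe(...)` in the mail body on a schedule, and the checker on the outside host feeds each received body to `verify_probe(...)` with its own clock; a run of rejected or missing probes is the alert condition.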
There are a lot of options for monitoring your environment, but I highly encourage you to take the first steps of securing it with at least some level of monitoring, so that you can take action if something were to happen.