January 26, 2009

Security in a Shared Space

The Problem

When your network is located in a facility where you are the only business, physical security is easy. You can be reasonably sure that the only way someone can compromise your network is by defeating your perimeter defenses. Frequent scans, effective antivirus and properly configured firewalls and IDS software should be sufficient to secure such a network.
When your network is in a shared location, such as an office building, it is more difficult to ensure that your wired network is fully secure. This is because in many shared spaces network cabling runs through the offices of other companies. In addition, network resources such as servers and routers may be located in shared server rooms.

The Attack

There are two different types of attacks that are unique to a shared space. The first is unauthorized access to a server located in a shared server room. This probably presents the greatest risk because the attacker is able to access all of the resources on the server and may be able to install backdoors or other malware on the server.
The second type of attack is tapping, where a network cable passing through another business's space is cut, and a router is installed on the line. This would allow additional computers to be connected to the network.

Detection

The only way to detect unauthorized access to a network device in a shared location is log analysis. For example, a script should be created that transfers the authentication log (which records login attempts) to another location. This exported log file should then be reviewed frequently for suspicious activity. The server should also be checked to ensure that only required users have the ability to log on, and unauthenticated or guest accounts are disabled.
Detection of tapping is more difficult. Periodic scans should be performed to look for unexpected devices. These scans should include thorough port scans that will scan the IP in question even if a ping is unsuccessful.

Prevention

The only way to prevent unauthorized access to a resource in a shared area is to lock the resource any time it is left unattended. The passwords should also be checked to ensure they are complex to protect against brute force attacks.
Tapping is impossible to prevent. However, the damage potential could be minimized or eliminated. First, routers and firewalls on the network should be, if possible, set to only allow traffic from devices with certain known mac addresses. This will prevent most attackers from accessing any resources on the network. Second, no resource on the network should be accessible to unauthenticated users, and all passwords on the network should be complex. Although an attacker would be able to use the network connection until a scan detects their access, they will not be able to gain access to the network's resources. Finally, regular scans should be run on outgoing traffic through the router. This will reveal the presence of any unauthorized devices.

No comments: