Many companies focus only on code when discussing website security.
“Here’s how to defend against XSS.”
“Don’t write your code this way, you’ll be vulnerable to SQL injection attacks.”
But there’s no website to secure without a network underneath it. In this post, we’ll take a look at securing the underlying network your website needs to exist.
Securing DNS
The Domain Name System (DNS) is the lifeblood of the Internet. When you type a domain name into your browser, a DNS resolver maps that name to an IP address your computer can use to make a connection.
Unfortunately, DNS has long been an insecure protocol prone to spoofing and privacy problems. By default it supplies neither confidentiality (the request and response are visible to anyone on the path) nor authenticity (nothing proves the answer came from the zone's true authoritative name server). Queries and answers cross the wire in cleartext, and a client has no way to check that the IP address it receives is the real address of the site it asked for. Not surprisingly, attackers have evolved threats specific to DNS.
“DNS Hijacking” is one of the more dangerous threats, because it attacks the foundation of a web connection. If an attacker takes control of a DNS server, or of the registrar or DNS-hosting account that controls what the server publishes, they can point legitimate domains at malicious IP addresses. You ask for your bank’s website and instead receive the IP address of a fake site built to steal credentials. The phony site is usually made to look like the bank’s, so you log in and have your credentials stolen.
Another attack against DNS is “Cache Poisoning” (DNS Spoofing). Resolvers cache name-to-address answers so they don’t have to walk the DNS hierarchy for every lookup. A plain DNS reply is accepted as long as it matches the outstanding query (the name, the 16-bit transaction ID and the UDP port it was sent from), so an attacker who can get forged replies to a resolver before the real answer arrives can plant a malicious address in its cache.
This poisoning has a twofold effect. Every client of the poisoned resolver is sent to the wrong website for as long as the bad answer’s TTL says it is valid, and any downstream resolvers that forward their queries to the poisoned one cache the wrong IP as well, spreading the false information further.
Administrative access is the first thing to lock down. Only a handful of employees should have admin access to a DNS server, and the same goes for the registrar and DNS-hosting accounts that control your zone; require two-factor authentication for all of them. That closes the account-takeover route to hijacking but does nothing against cache poisoning, which exploits the protocol itself: for that, run resolvers that randomize source ports and transaction IDs and that validate DNSSEC. More information on DNS security best practices can be found in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-81-2, "Secure Domain Name System (DNS) Deployment Guide."
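To make the cache-poisoning mechanism concrete, here is an added simulation (not code from the original post) of the matching a plain-DNS resolver does on a reply and why source-port randomization matters. The resolver, attacker and addresses are all constructed for the example; the only thing the "attacker" knows is that a query for the bank's name is in flight, and it floods every possible transaction ID at port 53.

```go
package main

import (
	"fmt"
	"math/rand"
)

// Query is the state a recursive resolver keeps for one outstanding upstream
// question: the 16-bit transaction ID and the UDP source port it sent from.
// Plain DNS has no other way to match a reply to a question.
type Query struct {
	Name string
	TXID uint16
	Port uint16
}

// Reply is what arrives on the wire. Nothing in it is authenticated, so
// anyone who can guess TXID and port can answer before the real server does.
type Reply struct {
	Name string
	TXID uint16
	Port uint16
	IP   string
}

// Resolver is a toy caching resolver (constructed for this example).
// RandomizePort selects the modern behaviour (a random ephemeral source port
// per query, as RFC 5452 recommends) versus the historic fixed source port 53.
type Resolver struct {
	RandomizePort bool
	rng           *rand.Rand
	cache         map[string]string
}

func NewResolver(randomizePort bool, seed int64) *Resolver {
	return &Resolver{RandomizePort: randomizePort, rng: rand.New(rand.NewSource(seed)), cache: map[string]string{}}
}

// Ask records an upstream query and returns the values an attacker would
// have to guess to answer it.
func (r *Resolver) Ask(name string) Query {
	q := Query{Name: name, TXID: uint16(r.rng.Intn(1 << 16)), Port: 53}
	if r.RandomizePort {
		q.Port = uint16(1024 + r.rng.Intn(1<<16-1024))
	}
	return q
}

// Accept is the resolver's only defence in plain DNS: the reply must match
// the question, the transaction ID and the port. If it does, the answer is
// cached and served to every client for its TTL.
func (r *Resolver) Accept(q Query, rep Reply) bool {
	if rep.Name != q.Name || rep.TXID != q.TXID || rep.Port != q.Port {
		return false
	}
	r.cache[q.Name] = rep.IP
	return true
}

// Cached returns what this resolver's clients will now be told.
func (r *Resolver) Cached(name string) (string, bool) {
	ip, ok := r.cache[name]
	return ip, ok
}

// Poison models an off-path attacker who knows a query is in flight and
// floods forged replies before the authoritative answer lands. With a fixed
// port only the 16-bit TXID is unknown, so 65,536 packets cover every
// possibility; with a random port the search space is about 2^32 and the
// attacker's guess of port 53 never matches here. (A real attacker also has
// to beat the genuine reply; the Kaminsky variant asks for many random
// subdomains to get many fresh chances.)
func Poison(r *Resolver, q Query, evilIP string) bool {
	for txid := 0; txid < 1<<16; txid++ {
		if r.Accept(q, Reply{Name: q.Name, TXID: uint16(txid), Port: 53, IP: evilIP}) {
			return true
		}
	}
	return false
}

// Demo runs the flood against both resolver configurations and reports the
// address each would hand out for the bank's name afterwards ("" if none).
func Demo() (fixedPortIP, randomPortIP string) {
	const name, evil = "www.bank.example.", "198.51.100.66" // constructed names
	fixed := NewResolver(false, 1)
	Poison(fixed, fixed.Ask(name), evil)
	fixedPortIP, _ = fixed.Cached(name)
	randomized := NewResolver(true, 1)
	Poison(randomized, randomized.Ask(name), evil)
	randomPortIP, _ = randomized.Cached(name)
	return
}

func main() {
	fixedIP, randomIP := Demo()
	fmt.Printf("fixed-port resolver now serves: %q\n", fixedIP)  // "198.51.100.66"
	fmt.Printf("random-port resolver now serves: %q\n", randomIP) // ""
}
```

The fixed-port resolver is poisoned every time because the attacker simply enumerates the transaction ID; the randomized resolver is not. Port randomization only raises the cost of guessing, though; a validating resolver rejects the forged answer outright because it carries no valid signature, which is what DNSSEC adds.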
The industry has added security features to DNS. Keep an eye on them so you can take advantage of them. DNS over HTTPS (DoH) and its sibling DNS over TLS (DoT) encrypt queries between a client and its resolver. Classic DNS is sent in cleartext over UDP, which is fast but lets anyone on the path read the queries or forge the replies. Note that DoH protects only that first hop, and it says nothing about whether the answer is genuine.
DNSSEC addresses authenticity. The zone owner signs each set of records with a private key and publishes the matching public key in the zone as a DNSKEY record. A validating resolver fetches the signature (the RRSIG record) and the key, verifies the signature, and checks that the key itself is vouched for by a DS record in the parent zone, forming a chain of trust up to the root. Validation is normally done by the resolver, not the browser. With DNSSEC validation in place, a forged or altered answer fails verification and is discarded, so you know the IP address is the one the zone owner published. DNSSEC does not encrypt anything and DoH does not authenticate anything, so both are necessary for a complete solution.
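The following is an added illustration of the sign-and-verify step just described; it is not code from the original post and not a DNSSEC implementation (real DNSSEC signs wire-format RRsets and uses 16-bit key tags, both simplified here). It uses Go's standard-library Ed25519, which is DNSSEC algorithm 15, over a canonicalized RRset, and shows what a validating resolver concludes about a genuine answer, a tampered answer and an expired signature. The zone, records and addresses are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
	"time"
)

// RR is one resource record. DNSSEC signs whole RRsets (all records with
// the same owner name and type), never a single record.
type RR struct {
	Name, Type, Data string
	TTL              uint32
}

// RRSIG carries the signature plus what a validator needs to check it.
// Algorithm 15 is Ed25519 in the DNSSEC algorithm registry.
type RRSIG struct {
	TypeCovered           string
	Algorithm             int
	Inception, Expiration time.Time
	SignerName            string
	Signature             []byte
}

// GenerateZoneKey makes the zone's key pair; only the public half is published.
func GenerateZoneKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// canonical renders an RRset so signer and validator hash identical bytes:
// owner names lowercased, records sorted (RFC 4034 does this in wire form).
func canonical(rrset []RR) string {
	lines := make([]string, len(rrset))
	for i, rr := range rrset {
		lines[i] = fmt.Sprintf("%s %d %s %s", strings.ToLower(rr.Name), rr.TTL, rr.Type, rr.Data)
	}
	sort.Strings(lines)
	return strings.Join(lines, "\n")
}

// signedData is what the signature covers: every RRSIG field except the
// signature itself, then the canonical RRset, so the validity window is bound.
func signedData(sig RRSIG, rrset []RR) []byte {
	hdr := fmt.Sprintf("%s|%d|%d|%d|%s\n", sig.TypeCovered, sig.Algorithm,
		sig.Inception.Unix(), sig.Expiration.Unix(), strings.ToLower(sig.SignerName))
	return []byte(hdr + canonical(rrset))
}

// DSDigest is what the parent zone publishes in its DS record: a hash of the
// child's public key bound to the child's name. The parent signs that DS with
// its own key, and so on up to the root trust anchor (the chain of trust).
func DSDigest(zone string, pub ed25519.PublicKey) string {
	sum := sha256.Sum256(append([]byte(strings.ToLower(zone)+"|"), pub...))
	return hex.EncodeToString(sum[:])
}

// Sign produces the RRSIG for an RRset with the zone's private key.
func Sign(zone string, priv ed25519.PrivateKey, rrset []RR, now time.Time, lifetime time.Duration) RRSIG {
	sig := RRSIG{TypeCovered: rrset[0].Type, Algorithm: 15, Inception: now,
		Expiration: now.Add(lifetime), SignerName: zone}
	sig.Signature = ed25519.Sign(priv, signedData(sig, rrset))
	return sig
}

// Verify is the validating resolver's check: validity window first, then the
// signature. A forged or altered RRset fails here whatever port it came from.
func Verify(pub ed25519.PublicKey, rrset []RR, sig RRSIG, now time.Time) bool {
	if now.Before(sig.Inception) || now.After(sig.Expiration) {
		return false
	}
	return ed25519.Verify(pub, signedData(sig, rrset), sig.Signature)
}

// Demo signs a constructed A RRset and reports the validator's three verdicts.
func Demo() (genuineOK, tamperedOK, expiredOK bool) {
	pub, priv := GenerateZoneKey()
	now := time.Unix(1700000000, 0)
	rrset := []RR{{"www.example.com.", "A", "192.0.2.10", 300}, {"www.example.com.", "A", "192.0.2.11", 300}}
	sig := Sign("example.com.", priv, rrset, now, time.Hour)
	tampered := []RR{{"www.example.com.", "A", "198.51.100.66", 300}, rrset[1]}
	return Verify(pub, rrset, sig, now), Verify(pub, tampered, sig, now),
		Verify(pub, rrset, sig, now.Add(2*time.Hour))
}

func main() {
	g, t, e := Demo()
	fmt.Printf("genuine=%v tampered=%v expired=%v\n", g, t, e) // genuine=true tampered=false expired=false
}
```

Two details are worth noticing. The expiration time is part of the signed data, which is why DNSSEC zones must be re-signed on a schedule and why a lapsed signature takes a domain offline for validating resolvers. And nothing here is encrypted: an observer can read every record, which is the gap DNS over HTTPS or DNS over TLS fills.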
Traditional Network Defenses
Attackers are after your data. Your website is the vehicle used to present data to the outside world. Attackers will try to establish a beachhead in your network so they can get to the data behind the website.
Network protection begins with a "defense in depth" strategy. With defense in depth, multiple layers of security are applied across the entire IT infrastructure in the form of technical, administrative and physical security controls. The idea is, the more layers of security that exist, the harder it will be to breach all the defenses to steal sensitive data. Note that while the core concept of defense in depth is still viable, it must be continually assessed and re-adapted as threats evolve.
Here are some of the more significant tools and strategies recommended for a defense in depth approach to securing an environment in which to run a website.
Administrative Controls
Make sure you have a change control process and policy. A change control policy governs the means and methods by which technology change is planned, approved and implemented. The goals are simple: embrace required change, avoid unnecessary change, and ensure that all approved change is implemented with minimal disruption to ongoing operations. Make sure every change to your network infrastructure is planned, documented and approved.
Document your incident response policy and develop a working response plan. The plan should spell out the steps needed to investigate the alerts your intrusion detection system raises: verify the warning, act to contain the breach, then work out how the attackers got into your network, and contact the authorities if necessary.
Technical Controls
Firewalls and intrusion detection/prevention systems (IDS/IPS) are essential pieces of any security strategy. Firewalls filter incoming and outgoing network traffic against a policy and drop whatever doesn’t belong, in both directions. An IDS monitors the events occurring in your network and analyzes them for signs of possible incidents, policy violations, or imminent threats. An IPS goes a step further: in addition to detecting an intrusion, it takes action to stop it.
Plan your firewall strategy carefully. Default to denying inbound traffic and allow only what the website needs (typically HTTPS on 443, plus a tightly restricted management port). Document every rule and make sure every port you open to the Internet has a purpose; if you don’t need it anymore, close it. Restrict outbound traffic too, so a compromised server can’t freely call out to an attacker.
Deploy a security information and event management (SIEM, pronounced "sim") solution. A SIEM ingests network and application event data from a wide variety of sources and serves two closely related purposes: collecting, storing, analyzing and reporting on log data for incident response and regulatory compliance, and correlating that data in near real time to detect targeted attacks, advanced threats and data breaches early.
VPNs are table stakes in today’s environment. More employees are working remotely and need a way to connect to your corporate network securely. A VPN creates a private tunnel across the Internet; all traffic inside it is encrypted to stop eavesdroppers from stealing sensitive data. Require two-factor authentication on the VPN itself, and treat VPN clients as their own network segment rather than full members of the internal network; otherwise a stolen laptop becomes a tunnel straight in.
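The real-time correlation a SIEM does is easier to see in code. The following is an added example, not part of the original post and not any vendor's rule syntax: a small pipeline that normalizes OpenSSH authentication lines and applies a sliding-window rule that flags password guessing and, more importantly, a successful login from a source that was just guessing. The log lines are constructed for the example; hostnames, users and addresses are made up.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Event is one normalized authentication event pulled out of a log line.
type Event struct {
	At                    time.Time
	Outcome, User, Source string // Outcome is "Failed" or "Accepted"
}

// Alert is what the correlation rule hands to an analyst.
type Alert struct {
	Source, Kind string
	Count        int
	At           time.Time
}

// sshdRe matches OpenSSH's "Failed|Accepted password|publickey for ..." lines.
var sshdRe = regexp.MustCompile(`^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: ` +
	`(Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port \d+`)

// ParseLine normalizes one syslog line; anything that is not an authentication
// outcome is skipped (ok == false). Syslog timestamps carry no year, so events
// land in year 0; only relative time matters to the rule below.
func ParseLine(line string) (Event, bool) {
	m := sshdRe.FindStringSubmatch(line)
	if m == nil {
		return Event{}, false
	}
	at, err := time.Parse("Jan _2 15:04:05", m[1])
	if err != nil {
		return Event{}, false
	}
	return Event{At: at, Outcome: m[2], User: m[3], Source: m[4]}, true
}

// Correlate is a sliding-window rule over events in time order. It raises
// "brute_force" once a source reaches threshold failures inside window, and
// "success_after_failures" when such a source then logs in, which is the alert
// that should page someone: the guessing may have worked.
func Correlate(events []Event, threshold int, window time.Duration) []Alert {
	failures, flagged := map[string][]time.Time{}, map[string]bool{}
	var alerts []Alert
	for _, ev := range events {
		recent := failures[ev.Source][:0] // keep only failures still inside the window
		for _, t := range failures[ev.Source] {
			if ev.At.Sub(t) <= window {
				recent = append(recent, t)
			}
		}
		switch ev.Outcome {
		case "Failed":
			recent = append(recent, ev.At)
			if len(recent) >= threshold && !flagged[ev.Source] {
				flagged[ev.Source] = true
				alerts = append(alerts, Alert{ev.Source, "brute_force", len(recent), ev.At})
			}
		case "Accepted":
			if len(recent) >= threshold {
				alerts = append(alerts, Alert{ev.Source, "success_after_failures", len(recent), ev.At})
			}
		}
		failures[ev.Source] = recent
	}
	return alerts
}

// SampleLog is a constructed sshd excerpt, not captured traffic: one source
// guesses five passwords and then gets in, a second source fumbles once.
var SampleLog = []string{
	"Jan 14 10:01:02 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
	"Jan 14 10:01:03 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2",
	"Jan 14 10:01:05 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51125 ssh2",
	"Jan 14 10:01:06 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51126 ssh2",
	"Jan 14 10:01:08 web01 sshd[2205]: Failed password for deploy from 203.0.113.7 port 51128 ssh2",
	"Jan 14 10:01:30 web01 sshd[2207]: Accepted password for deploy from 203.0.113.7 port 51131 ssh2",
	"Jan 14 10:03:11 db01 sshd[4410]: Failed password for postgres from 198.51.100.9 port 40022 ssh2",
	"Jan 14 10:03:40 db01 sshd[4410]: Accepted publickey for backup from 198.51.100.9 port 40030 ssh2",
}

// Run feeds the sample through the pipeline with a 5-failure, 2-minute rule.
func Run() []Alert {
	var events []Event
	for _, line := range SampleLog {
		if ev, ok := ParseLine(line); ok {
			events = append(events, ev)
		}
	}
	return Correlate(events, 5, 2*time.Minute)
}

func main() {
	fmt.Printf("%+v\n", Run())
}
```

The sample produces exactly two alerts, both for 203.0.113.7: a brute-force alert on the fifth failure and a higher-severity one when the same source then authenticates. The single failure from 198.51.100.9 followed by a key-based login is the normal typo case and stays quiet, which is the kind of threshold tuning that keeps an incident response team from drowning in noise.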
System and device hardening is a part of network security many companies forget. Leaving critical servers up for grabs is a recipe for disaster.
For example, an attacker tricks an employee into installing a trojan on their computer. The attacker then scans the network and finds a vulnerable server. If the server is running software with a default admin password, they’ll have access in no time. Default passwords are not secret.
Harden all of your servers. Change all default usernames and passwords. Make sure all operating systems are patched promptly to close security holes. Use two-factor authentication on the most sensitive servers.
Network segmentation is another way to reduce risk on your network. Segmentation creates divisions between sections of your system. Firewalls placed within your network closely watch what traffic is allowed into each section.
With network segmentation in play, the trojan on the computer of an employee in the shipping department won’t be able to access a server from HR or Finance. If there’s no business need for the connection to happen, it’s not allowed.
Finally, more mature security programs can deploy honeypots to gain intel on the habits of attackers. Honeypots are devices that make themselves look like high-value targets. If an attacker is in your network, they’ll go after the honeypot, and you’ll be alerted so you can learn and react. Because no legitimate user has any reason to touch a honeypot, any connection to it is a high-fidelity signal.
Some honeypots are built to divert attackers away from real assets; others exist to watch attackers and learn their techniques. Either way, they’re powerful tools in network defense.
Protect Your Website By Protecting Your Network
Don’t only protect the front of your website. Attackers may try to get in through a side or back door. By protecting your network, you’ll close off all avenues attackers use to get to the data, their real goal.
Protect your DNS servers from DNS hijacking and cache poisoning. Use two-factor authentication for all DNS admin functions, including your registrar account. Sign your zones with DNSSEC, run validating resolvers, and support DNS over HTTPS or DNS over TLS for clients.
Protect the boundaries of your network with firewalls. Protect the inside of your network with intrusion detection systems and network segmentation. Fool attackers with honeypots. Use VPNs for remote workers.
Protect your website on all sides. Don’t let attackers steal data out from under you.