|This excerpt is from Chapter 9 - Network Infrastructure in "Hacking
for Dummies, 2nd edition" written by Kevin Beaver and published by Wiley Publishing.
Click here to purchase the entire book.
Network infrastructure vulnerabilities are the foundation for all technical security issues in your information systems. These lower-level vulnerabilities affect everything running on your network. That's why you need to test for them and eliminate them whenever possible.
Your focus for ethical hacking tests on your network infrastructure should be to find weaknesses that others can see in your network so you can quantify your network's level of exposure.
Many issues are related to the security of your network infrastructure. Some issues are more technical and require you to use various tools to assess them properly. You can assess others with a good pair of eyes and some logical thinking. Some issues are easy to see from outside the network, and others are easier to detect from inside your network.
When you assess your company's network infrastructure security, you need to look at such areas as:
- Where devices such as a firewall or IPS are placed on the network and how they are configured.
- What hackers see when they perform port scans, and how they can exploit vulnerabilities in your network hosts.
- Network design, such as Internet connections, remote access capabilities, layered defenses and placement of hosts on the network.
- Interaction of installed security devices such as firewalls, IDSs, antivirus and so on.
- What protocols are in use.
- Commonly attacked ports that are unprotected.
- Network host configuration.
- Network monitoring and maintenance.
If a hacker exploits a vulnerability in one of the items above or anywhere in your network's security, bad things can happen:
- A hacker can use a DoS attack, which can take down your Internet connection -- or even your entire network.
- A malicious employee using a network analyzer can steal confidential information in emails and files being transferred on the network.
- A hacker can set up backdoors into your network.
- A hacker can attack specific hosts by exploiting local vulnerabilities across the network.
Before moving forward with assessing your network infrastructure security, remember to do the following:
- Test your systems from the outside in, the inside out and the inside in (that is, between internal network segments and DMZs).
- Obtain permission from partner networks that are connected to your network to check for vulnerabilities on their ends that can affect your network's security, such as open ports, the lack of a firewall or a misconfigured router.
Your tests require the right tools -- you need scanners and analyzers, as well as vulnerability assessment tools. Great commercial, shareware and freeware tools are available. I describe a few of my favorite tools in the following sections of Hacking for Dummies. Just keep in mind that you need more than one tool, and that no tool does everything you need.
If you're looking for easy-to-use security tools with all-in-one packaging, you get what you pay for -- most of the time -- especially for the Windows platform. Tons of security professionals swear by many free security tools, especially those that run on Linux and other UNIX-based operating systems. Many of these tools offer a lot of value -- if you have the time, patience and willingness to learn their ins and outs.
HACKING FOR DUMMIES
Part 1: Use a network analyzer to sniff the network
Part 2: Microsoft network security testing for ARP spoofing
Part 3: Network security assessment for network infrastructure
|Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has nearly two decades of experience in IT and specializes in performing information security assessments regarding compliance and risk management. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels information security audio programs providing security learning for IT professionals on the go. Kevin can be reached at firstname.lastname@example.org.|
This was first published in November 2007