How to recover your network after a security breach


Tom Lancaster
05.11.2006

If you have the time and money to invest in one of the more impressive network management systems, you may be able to recover your network by clicking a few buttons. If you're on a budget with a typical medium-sized network, here is a list of things to do when you discover something amiss.

By network, here I mean routers, switches, firewalls and the like, to the exclusion of nodes such as servers and PCs, which are usually attacked in different ways. Routers and switches are still susceptible to rootkits and other attacks that plant malicious software or firmware, but not to the same degree as Windows-, Linux- or OS X-based systems. More common attacks target the protocols themselves: they create routing black holes, fill up a switch's forwarding database (FDB) so it can no longer learn new MAC addresses, or try to deny service by consuming all of your bandwidth.

Another note: the order in which you perform the tasks below may vary greatly with the nature of your organization. At one business the primary concern may be restoring connectivity as fast as possible; another may be highly regulated, more tolerant of outages, and therefore willing to take the time to do some forensic work before touching anything.

Use this checklist to learn what to do if you've been hacked.

    1. Preserve the logs: In almost every case you'll want to preserve the logs from your devices before you do anything else. On most routers and switches the local log is a buffer in RAM that disappears on reload, so copy it to a host now, along with the output of whatever show commands tell you who is logged in and what is running, before any of the restore steps below. If you want the logs for evidence, you'll need a few extra steps, such as hashing the copies and recording who handled them, that are beyond the scope of this tip.

    2. Notify the proper authorities: Depending on the nature of the attack, you'll want to notify some people. Depending on your organization, this may be a security manager or an IT executive. You may also want to notify authorities such as the police or FBI. You may need to notify your ISP or carrier. And you may need to notify your customers, particularly if their networks were exposed to attack via your network. You do have daytime and after-hours contact information for all these people, right?

    3. Check your infrastructure for compromise: If the nature of the attack was not a DoS but, let's say, a server administrator discovered a rootkit on several PCs that were using a peer-to-peer file-sharing program, or your Intrusion Detection System informs you that the attacks are coming from one of your routers, then you want to check your routers and switches to make sure they weren't compromised too. The simplest check is to verify that the checksums of the software images on the devices still match the values listed by your vendor. Compare against the vendor's published value, not a checksum you saved from the device earlier, and remember that an unmodified image says nothing about whether the configuration was altered; that is what step 4 is for.

    4. Restore your configuration: If you want to be absolutely sure you're OK, reload the software images from known-good copies, restore the devices to their factory-default configuration, and then reload your configs from backups. Before you wipe anything, save a copy of the current running configuration alongside the log copies from step 1: the differences between it and your backup are your best record of what the attacker changed. You do have backups of all your configs, right?

    An extra tip: While most administrators keep their device configs in a configuration management tool on the network, a network disruption might prevent you from accessing them just when you need them most. It's a good idea to keep a copy of all the configs on a flash drive or CD in case you have to restore over the console cable, but you definitely have to exercise some common-sense physical security there. You don't want those to fall into the wrong hands: many config files carry credentials that are easy to recover, since some so-called encrypted passwords (Cisco type 7, for example) are a reversible encoding rather than a hash, and the real hashes can be cracked offline at leisure.

    5. Steps to shield from attacks: If the nature of the attack is a DoS, then the way you stop the attack can vary widely. It's also entirely possible that you simply can't stop the attack from occurring; organizations with extreme budgets like Microsoft and the Federal Government get hit with denial-of-service attacks all the time. But you should be prepared to take the usual steps, such as manually implementing shunning on your firewall, applying some temporary ACLs to your screening routers, or just shutting down the switch ports of offending internal machines. Alternatively, you can configure an Intrusion Prevention System to do these things automatically. Whatever you put in place by hand, write it down and take it out again once the attack subsides; temporary ACLs have a way of becoming permanent.
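Steps 3 and 4 come down to two offline comparisons: the image on the device against the vendor's published digest, and the running config against your backup. The script below is an added example written for this page, not code from the original tip; it does both comparisons in Python on a jump host. It assumes you have already copied the image file and the running-config text off the device. The two configs (RFC 5737 addresses), the stand-in image bytes and the tampered copy are constructed for the example, the hash on the enable secret line is a placeholder, and the list of risky patterns is a starting point rather than a complete rule set.

```python
import hashlib
import hmac
import re

# Added example for steps 3 and 4 of the checklist; not code from the original
# tip. Run on a jump host against files copied off the device: the image file
# pulled from flash and the text of the running config, next to your backup.

def verify_image(image_bytes: bytes, vendor_listed: str, algorithm: str = "sha256") -> bool:
    """True if the image digest equals the value the vendor publishes.

    Use the algorithm the vendor actually listed (older release notes gave MD5;
    prefer SHA-256 or SHA-512 wherever it is published). A match proves the file
    is the vendor's, not that the device booted it or that its config is clean.
    """
    digest = hashlib.new(algorithm, image_bytes).hexdigest()
    return hmac.compare_digest(digest.lower(), vendor_listed.strip().lower())

# Lines that change on their own and are not evidence of tampering.
_VOLATILE = re.compile(r"^(!|Building configuration|Current configuration|ntp clock-period)")

def normalize(config_text: str) -> list:
    """Drop banners, comments and blank lines so a diff shows only real changes."""
    return [
        line.rstrip()
        for line in config_text.splitlines()
        if line.strip() and not _VOLATILE.match(line)
    ]

def config_drift(backup_text: str, running_text: str) -> dict:
    """Lines only in the running config ('added') or only in the backup ('removed')."""
    backup, running = normalize(backup_text), normalize(running_text)
    backup_set, running_set = set(backup), set(running)
    return {
        "added": [line for line in running if line not in backup_set],
        "removed": [line for line in backup if line not in running_set],
    }

# Additions that most often mean a backdoor, a black hole or a weakened device.
_RISKY = [
    (re.compile(r"^username "), "new or changed local account"),
    (re.compile(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 "), "default route changed (redirect or black hole)"),
    (re.compile(r"^snmp-server community \S+ RW"), "writable SNMP community"),
    (re.compile(r"^\s*transport input .*telnet"), "cleartext management access enabled"),
    (re.compile(r"^interface Tunnel"), "new tunnel interface"),
]

def triage(drift: dict) -> list:
    """Tag each added line that matches a known-bad pattern with the reason."""
    return [
        {"line": line, "why": why}
        for line in drift["added"]
        for pattern, why in _RISKY
        if pattern.search(line)
    ]

# Constructed sample configs using RFC 5737 addresses; not real device output.
BACKUP_CONFIG = """\
Building configuration...
Current configuration : 1243 bytes
!
version 12.4
hostname edge-rtr-1
username admin privilege 15 secret 5 $1$salt$placeholderhashXXXXXXXXX
interface FastEthernet0/0
 ip address 192.0.2.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.0.2.1
snmp-server community r34dOnly RO
ntp clock-period 17180122
line vty 0 4
 login local
 transport input ssh
"""

# What the running config looked like after the incident (constructed): the
# same config with a second admin account, a changed default route, a writable
# SNMP community and telnet re-enabled. The NTP drift line is noise, not attack.
RUNNING_CONFIG = (
    BACKUP_CONFIG.replace("ntp clock-period 17180122", "ntp clock-period 17180155")
    .replace("secret 5 $1$salt$placeholderhashXXXXXXXXX\n",
             "secret 5 $1$salt$placeholderhashXXXXXXXXX\n"
             "username support privilege 15 password 7 094F471A1A0A\n")
    .replace("ip route 0.0.0.0 0.0.0.0 192.0.2.1", "ip route 0.0.0.0 0.0.0.0 198.51.100.1")
    .replace("community r34dOnly RO\n", "community r34dOnly RO\nsnmp-server community pr1vate RW\n")
    .replace("transport input ssh", "transport input ssh telnet")
)

GOOD_IMAGE = b"constructed stand-in for a vendor image file, not firmware\n" * 32
VENDOR_LISTED_SHA256 = hashlib.sha256(GOOD_IMAGE).hexdigest()  # stands in for the vendor's page
TAMPERED_IMAGE = GOOD_IMAGE[:-1] + b"X"  # one byte changed, as a planted image would be

if __name__ == "__main__":
    print("vendor image:", verify_image(GOOD_IMAGE, VENDOR_LISTED_SHA256))
    print("tampered image:", verify_image(TAMPERED_IMAGE, VENDOR_LISTED_SHA256))
    for f in triage(config_drift(BACKUP_CONFIG, RUNNING_CONFIG)):
        print(f"{f['why']}: {f['line']}")
```

A matching digest only tells you the file on flash is the vendor's; it says nothing about what is in RAM, which is why the config diff runs alongside it and why a clean reload from known-good media remains the only definitive answer.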

As always, the key theme you should have noticed above is preparation. Like insurance, it's annoying, but occasionally pays off big.
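The "wrong hands" warning in the extra tip above is concrete on Cisco IOS: a "password 7" value is not a hash but a fixed-key XOR encoding, reversible by anyone holding the config file. The script below is an added example, not code from the original tip; it decodes type-7 values and audits a saved config for what a stolen copy would expose. The sample config is constructed, the type-5 hash on the enable secret line is a placeholder rather than a real MD5-crypt value, and the regular expression only covers the common "keyword type value" line form.

```python
import re

# Added example; not code from the original tip. Cisco IOS "type 7" strings are
# obfuscated with this fixed, publicly known XOR key rather than hashed.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def decode_type7(encoded: str) -> str:
    """Recover the plaintext behind a type-7 string such as 0822455D0A16."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 strings are an even number of characters, at least 4")
    seed = int(encoded[:2])  # first two characters: decimal offset into the key
    if not 0 <= seed <= 15:
        raise ValueError("type 7 seed must be 00-15")
    body = bytes.fromhex(encoded[2:])  # the rest: hex, one byte per plaintext character
    return bytes(
        b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(body)
    ).decode("ascii")

def encode_type7(plaintext: str, seed: int = 8) -> str:
    """Inverse of decode_type7, to show the scheme is a symmetric XOR, not a hash."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 00-15")
    body = bytes(
        ord(c) ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, c in enumerate(plaintext)
    )
    return f"{seed:02d}{body.hex().upper()}"

# Matches the common '<keyword> <type> <value>' credential form; lines that put
# the type last (e.g. ntp authentication-key) are not covered by this audit.
_CREDENTIAL = re.compile(r"\b(?:key-string|password|secret|key)\s+(?P<type>\d)\s+(?P<value>\S+)")

def audit_config(config_text: str) -> list:
    """Report every credential line in a saved config and what a thief would get."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = _CREDENTIAL.search(line)
        if not m:
            continue
        ptype, value = int(m.group("type")), m.group("value")
        if ptype == 7:
            plaintext = decode_type7(value)  # reversible: the plaintext comes straight back
        elif ptype == 0:
            plaintext = value                # stored in the clear
        else:
            plaintext = None                 # types 5/8/9: real hashes, offline-crackable only
        findings.append({"line": lineno, "type": ptype, "plaintext": plaintext})
    return findings

# Constructed sample; the type-5 hash is a placeholder, not a real MD5-crypt value.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
enable secret 5 $1$salt$placeholderhashXXXXXXXXX
enable password 7 0822455D0A16
username admin privilege 15 password 7 094F471A1A0A
tacacs-server key 7 120A5614000E18
line vty 0 4
 password 7 0822455D0A16
 login local
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        exposure = "hash only" if f["plaintext"] is None else f"plaintext {f['plaintext']!r}"
        print(f"line {f['line']}: type {f['type']} -> {exposure}")
```

The practical consequence is to treat a config backup as a credential store: keep the offline copy encrypted or on media you control, use the hashed "secret" form rather than "password" wherever the platform allows, and rotate anything the audit lists as plaintext if the media is ever unaccounted for.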

About the Author: Tom Lancaster, CCIE #8829, CNX #1105, is a consultant with 15 years of experience in the networking industry and co-author of several books on networking, most recently CCSP: Secure PIX and Secure VPN Study Guide, published by Sybex.

This tip originally appeared on SearchNetworking.com.
