How to recover your network after a security breach


Tom Lancaster
05.11.2006


If you have the time and money to invest in some of the more impressive network management systems, you can possibly recover your network by clicking a few buttons. If you're on a budget, with a typical medium-sized network, here's a list of things you should do when you discover something amiss.

By network, here I mean routers, switches, firewalls and the like, to the exclusion of nodes such as servers and PCs, which are usually attacked in different ways. Routers and switches are still susceptible to rootkits and other attacks that plant malicious software or firmware, but far less so than Windows-, Linux- or OS X-based systems. More common attacks target the protocols themselves: they create routing black holes, flood a switch's forwarding database (FDB) so it can't learn new MAC addresses, or deny service by using up all your bandwidth.

The order in which you perform the tasks below may also vary greatly with the nature of your organization. At one business, the primary concern may be restoring connectivity as fast as possible; another may be highly regulated and more tolerant of outages, and thus willing to take the time to do some forensic work first.

    1. Preserve the logs: In almost every case, you'll want to make an attempt to preserve the logs from your devices. Do this before any reload: a router's logging buffer lives in RAM and is gone after a reboot, so the best preparation is to have every device sending syslog to a separate collector beforehand. If you want the logs for evidence, you'll need a few extra steps (a forensically sound copy and a documented chain of custody) that are beyond the scope of this tip.

    2. Notify the proper authorities: Depending on the nature of the attack, you'll want to notify some folks. Depending on your organization, this may be a security manager or an IT executive. You may also want to notify authorities such as the police or FBI. You may need to notify your ISP or carrier. And you may need to notify your customers, particularly if their networks were exposed to attack via your network. You do have daytime and after-hours contact information for all these people, right?

    3. Check your infrastructure for compromise: If the attack was not a DoS (say a server administrator discovered a rootkit on several PCs that were running a peer-to-peer file-sharing program, or your intrusion detection system reports that attacks are coming from one of your routers), then check your routers and switches to make sure they weren't compromised. The simple check is to verify that the software images' checksums still match the ones your vendor publishes; on Cisco IOS, "verify /md5 flash:<image-file>" computes the digest on the box. Take the reference value from the vendor's site over a trusted channel, not from notes stored on the device, and remember that a clean image does not mean a clean configuration: an attacker with enable access needs no new image to add a user account, an SNMP read-write community, a tunnel interface or a static route. Diff the running config against your last known-good backup as well.

    4. Restore your configuration: If you want to be absolutely sure you're OK, reload the software images from vendor-verified copies, reset the devices to their factory default configs, and then reload your configs from backups. Review those backups before you push them; restoring a config that already carries the attacker's account or community string just hands the box back. You do have backups of all your configs, right?

    An extra tip: Most administrators keep their device configs in a configuration management tool on the network, but a network disruption might prevent you from reaching it just when you need it most. Keep a copy of all the configs on a flash drive or CD in case you have to restore over the console cable, and apply some common-sense physical security to that copy. You don't want it to fall into the wrong hands: the "encrypted" type 7 passwords in Cisco configs are a reversible obfuscation rather than a hash, SNMP community strings sit in the config in the clear, and even genuine hashes such as type 5 enable secrets can be cracked offline against a wordlist. Encrypt the offline copy, and treat a lost one as a credential compromise.

    5. Shield against the attack: If the attack is a DoS, the way you stop it varies widely. It's also entirely possible that you simply can't stop it; companies with extreme budgets, such as Microsoft and the Federal Government, get denial-of-service attacks all the time. But be prepared to take the usual steps: manually shunning the offending sources on your firewall, applying temporary ACLs to your screening routers, or just shutting down the switch ports of offending internal machines. If the sources are spoofed or spread across thousands of hosts, per-address blocks won't help and you'll need your ISP to rate-limit or black-hole the traffic upstream, which is one more reason to have that carrier contact on hand. Alternatively, configure an intrusion prevention system to do these things automatically, but keep your own address ranges and upstream next hops out of its reach, or an attacker spoofing those sources can make the IPS cut you off.
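
The extra tip under step 4 warns that the secrets in a saved config are easy to recover. Here is an added example, not from the original tip, that audits an IOS-style config backup before it goes onto that flash drive: it decodes type 7 strings to show they are reversible, and flags plaintext passwords, SNMP communities and MD5-crypt (type 5) secrets that can be attacked offline. The sample config, the line patterns and the placeholder hash on the "secret 5" line are constructed for the example; the type 7 key is the well-known constant.

```python
import re

# Cisco "type 7" strings (what service password-encryption produces) are a
# fixed-key XOR, not a hash. The key below is the well-known constant.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded):
    """Recover the cleartext from a 'password 7' string.

    Format: two decimal digits giving the starting offset into the key,
    followed by hex pairs, each XORed with successive key bytes.
    """
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string: %r" % encoded)
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(
        chr(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)])
        for i, b in enumerate(data)
    )


# Patterns for the secret forms commonly found in IOS-style configs
# (constructed for this example; extend them for your own platforms).
_TYPE7 = re.compile(r"\b(?:password|key) 7 ([0-9A-Fa-f]+)")
_SECRET5 = re.compile(r"\bsecret 5 (\$1\$\S+)")
_SNMP = re.compile(r"^snmp-server community (\S+)(?:\s+(RO|RW))?", re.I)
_PLAIN = re.compile(r"\bpassword (?:0 )?(?![57] )(\S+)\s*$")


def audit_config(text):
    """Return (line_number, finding, detail) for every recoverable secret."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        m = _TYPE7.search(stripped)
        if m:
            findings.append((n, "type7-reversible", decode_type7(m.group(1))))
            continue
        m = _SNMP.match(stripped)
        if m:
            access = (m.group(2) or "RO").upper()
            findings.append((n, "snmp-community-" + access, m.group(1)))
            continue
        m = _SECRET5.search(stripped)
        if m:
            # MD5-crypt is a real hash, but cheap to attack offline with a wordlist.
            findings.append((n, "md5-crackable-offline", m.group(1)[:8] + "..."))
            continue
        m = _PLAIN.search(stripped)
        if m:
            findings.append((n, "plaintext", m.group(1)))
    return findings


# Constructed sample backup; the hash on the 'secret 5' line is a placeholder.
SAMPLE_CONFIG = """\
hostname edge-rtr1
enable password 7 0822455D0A16
username admin privilege 15 password 0 letmein
username ops secret 5 $1$c0nf$abcdefghijklmnopqrstuv
snmp-server community public RW
line vty 0 4
 password 7 03055F060F01701E1D
 login
"""

if __name__ == "__main__":
    for n, kind, detail in audit_config(SAMPLE_CONFIG):
        print(f"line {n}: {kind}: {detail}")
```

Run it over the whole backup set before you burn the offline copy: anything it reports as plaintext or type 7 should be replaced (use "enable secret" and per-user secrets rather than "password"), the read-write community should go, and the copy itself should be encrypted regardless.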

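Step 5 says to shun sources on the firewall or drop temporary ACLs onto the screening routers, and that against spoofed or distributed traffic this may not help. The following added example (mine, not the author's) works through that triage on a constructed firewall-deny log: it counts hits per source, refuses to block anything inside an allowlist of your own ranges, emits PIX-style "shun" lines and an IOS extended ACL with its closing permit, and reports "diffuse" instead of emitting commands when the hits are spread thinly over many sources. The log line shape and field names are invented for the example; adjust LOG_RE to what your firewall actually logs.

```python
import ipaddress
import re
from collections import Counter


def _deny_lines(src, proto, dport, count):
    """Build constructed firewall-deny syslog lines in a generic shape."""
    return [
        f"May 11 10:00:{i % 60:02d} fw1 deny {proto} src={src} dst=192.0.2.10 dport={dport}"
        for i in range(count)
    ]


# Constructed log excerpt (documentation address ranges only).
SAMPLE_LOG = "\n".join(
    _deny_lines("198.51.100.7", "tcp", 80, 6)
    + _deny_lines("203.0.113.9", "udp", 53, 5)
    + _deny_lines("192.0.2.250", "tcp", 22, 5)  # your own monitoring host
    + _deny_lines("203.0.113.77", "icmp", 0, 1)
)

LOG_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def count_sources(log_text):
    """Hits per source address; lines that don't parse are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def plan_blocks(log_text, allowlist, min_hits=5, acl_number=199, max_sources=50):
    """Turn the heaviest sources into temporary block commands.

    allowlist: networks you must never block (your own ranges, upstream
    next hops, monitoring hosts). If the traffic is spread thinly over many
    sources, per-address blocking is futile (distributed or spoofed); the
    plan then says so instead of emitting commands, and the fix belongs
    with your upstream (rate limits or a blackhole route for the target).
    """
    nets = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    counts = count_sources(log_text)
    plan = {"shun": [], "acl": [], "skipped": [], "diffuse": False}
    if len(counts) > max_sources and counts.most_common(1)[0][1] < min_hits:
        plan["diffuse"] = True
        return plan
    for src, hits in counts.most_common():
        if hits < min_hits:
            break
        if any(ipaddress.ip_address(src) in net for net in nets):
            plan["skipped"].append((src, hits))
            continue
        plan["shun"].append(f"shun {src}")  # PIX/ASA firewall syntax
        plan["acl"].append(f"access-list {acl_number} deny ip host {src} any")
    if plan["acl"]:
        # An ACL with no permit drops everything else too: you would DoS yourself.
        plan["acl"].append(f"access-list {acl_number} permit ip any any")
    return plan


if __name__ == "__main__":
    result = plan_blocks(SAMPLE_LOG, allowlist=["192.0.2.0/24"])
    for section in ("shun", "acl", "skipped"):
        for item in result[section]:
            print(section, item)
```

Apply the ACL inbound on the upstream-facing interface and remove it (and the shun entries, with "no shun") once the attack subsides; both are stopgaps, not configuration you want to forget about. The allowlist and the "diffuse" check are the two guards that keep this from becoming the self-inflicted outage described under step 5.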
As always, the key theme you should have noticed above is preparation. Like insurance, it's annoying, but occasionally pays off big.

About the Author: Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years' experience in the networking industry, and co-author of several books on networking, most recently CCSP: Secure PIX and Secure VPN Study Guide, published by Sybex.

This tip originally appeared on SearchNetworking.com.
