In today’s breach-of-the-day environment, it is easy to get overwhelmed by the technologies and options available to help secure networks. However, I have found there are some foundational concepts in network security that apply in any client environment yet are often overlooked or have fallen to the wayside.
Limiting the Attack Surface Is Still Important
Shutting down unnecessary services, limiting open ports and making smart architectural decisions isn’t as exciting as the latest shiny box, but they are likely the most important things that can be done to prevent a system’s compromise over the network. In other words, if there is nothing listening on the network, it can’t be exploited over the network.
Take, for example, a spree of vulnerabilities from major network vendors, which allow an attacker to compromise an administrative interface simply through knowledge of a hard-coded backdoor password. Although interfaces such as SSH cannot typically be shut down for operational reasons, the attack surface of the system can be minimized by exposing the interfaces on a tightly controlled management network rather than the general corporate network. This will help mitigate the risk of compromise until the component is patched.
Almost every system can be evaluated to determine whether it is appropriately reducing the attack surface available to an adversary by exposing the right services on the right networks.
Managing and Minimizing Third-Party Connectivity Is Critical
In a rush to satisfy business demands, many organizations haphazardly enable connectivity between third parties (e.g., developers, business partners, joint ventures, etc.) and their internal networks. This includes user-based connectivity, such as virtual private networks (VPNs) or Citrix, as well as permanently established connectivity such as site-to-site VPN, multiprotocol label switching (MPLS) and leased lines.
Consistent security controls must be enforced on all third-party connectivity and processes established to manage third-party relationships. Always-on third-party connections should be isolated in exclusive perimeter networks or demilitarized zones (DMZs) with restricted and mediated access to corporate systems.
The minimum necessary connectivity requirements for each third-party connection must be periodically validated. Restrictions should be enforced close to the connection termination point. In addition, regular third-party security assessments should be completed for those entrusted with direct access to the corporate network. “permit IP any any” is not your friend.
Network Design Must Assume Assets Are Compromised
When designing networks and their security controls, consider the blast radius of a compromise, or what else could be negatively impacted if a particular system is breached. Attackers rely on the ability to easily move unimpeded throughout the network environment. Implementing connectivity restrictions and security controls to limit such movement and contain the compromise can greatly reduce the impact of a breach.
To start, controls to limit lateral movement should be placed within DMZs and at WAN termination points. DMZ design should vertically isolate application tiers, horizontally protect applications from one another and minimize inbound connectivity to internal systems. Enforcement at WAN touch points can ensure connectivity between physical locations such as corporate offices, branches and data centers truly aligns with business requirements. Eventually, this concept can be extended to build a full network zoning model.
As more organizations implement network virtualization technologies, innovations such as the VMWare NSX Distributed Firewall can be used to provide flexible microsegmentation capabilities.
Clear Visibility Into Outbound Connections Is Vital for Detection
For an attacker, outbound communication from an organization’s network is necessary for the establishment of a persistent command-and-control channel and for the subsequent data exfiltration. Organizations must have the ability to quickly detect and respond to such communication attempts from all parts of the network.
Architectural decisions can be made to provide an opportunity to inspect outbound traffic without the noise of other network traffic. Connection metadata such as the number of connections, the longest connections and the volume of data transferred can be just as useful in identifying malicious traffic as traditional outbound controls such as Web filtering, intrusion prevention systems and data loss prevention.
Additionally, consider the consequences of network zoning to understand where along the data path a connection can potentially be blocked. A blocked outbound connection deep inside the network may not be configured to raise an alert, resulting in a lost opportunity for rapid detection.
Network Security Doesn’t Have to Be Fancy
All the above points seem like commonsense items that could typically be implemented with an organization’s existing technology and tools. But the first step in that process may consist of asking important questions about your security posture, possibly with the help of a third party. What network security basics work for you in your organization? What could be improved? What practices worked in the past and could help you plan for the future?