Top 10 Network Security Mistakes - #5: Lack of Segmentation
February 11, 2014
The Yolk is on Who?
If your current network design hasn’t been revisited within the last 15 years, there is a chance you’ve got a dust bunny or two lurking somewhere. While dated equipment and old wiring plants pose their own set of problems, what we’ll be touching on today is what some like to refer to as an egg network. Why an egg, you ask? Because egg networks have a conspicuously strong perimeter surrounding their soft, gooey, defenseless (data) yolks.
This is not a bad design if you have a high level of assurance that nothing bad will ever get past your perimeter.
To secure a network like this, all you have to do is prevent users from getting email, visiting websites, sharing files, or really, just using the Internet at all. Once you’ve sealed off access to the outside world, you need to constantly monitor existing internal resources for suspicious behavior, and to be safe, you should also prohibit users from interacting with internal systems containing critical data. So, block access to network mount points, databases and application servers as well.
You can enhance this design by disconnecting all devices from the network as well. This is as close to 100% secure as we can get, but there are, of course, still ways to compromise offline hosts. So, you’ll also need a Faraday cage. Then disable all CDROM drives, USB ports and any other peripheral data channels. Finally, prohibit non-managed machines from touching your infrastructure, and you should have a pretty solid design!
Or, perhaps, take it to the next level and go back to analog. I’ve yet to hear about a compromised typewriter, though fridges and entertainment centers are apparently no longer beyond reproach.
If you happen to have one of those business models that require communication and interaction for some reason, fret not. Here are some ideas that might help prevent a parasitic wasp from landing on your network and embedding larvae that will eat you from the inside out.
If you caught #10 in our series here, you know that a DMZ should be used to house any resources that interact with the Internet. But, what if you have servers that are only intended for internal resources? Do they need to be protected too?
Here’s an example of what a wide open internal network might look like:
Figure 1: The Ted Nugent Free-For-All Network
Everybody can touch everybody else. Very friendly. Too friendly. That guy isn’t taking my daughter out friendly. Hey, IT User, keep your hands where I can see them, please!
Okay, maybe this is too cozy, right?
Gimme a Break
One effective way to prevent being ravaged completely by a single intruder is network segmentation. This means that specific Layer 2 and 3 boundaries help separate different types of hosts and users from one another. These are typically governed by at least a Firewall, but can also benefit from IPS, DLP and other mitigating solutions.
There are two main approaches to this sort of endeavor:
Explicit segmentation identifies, classifies and purposefully separates specific groups of resources. This is most commonly exemplified by putting a firewall between users and other resources:
Figure 2: The Offspring Keep-Em-Separated Network
Now, users can still see each other, and servers can still see each other, but a firewall policy must allow users access to the servers. This serves two purposes:
1. Limit Traffic
2. Generate Logs
You are certainly still susceptible to security events, but it will be much easier to manage and remediate if you can determine the source, destination and nature of the events.
Retrofitting a firewall is not for the faint of heart. It is hard work that is more likely to garner complaints and anger than trophies and appreciation. Can’t handle the heat? Try an Ove Glove! Or, get an executive sponsor for the effort, drive it from the top down and make sure you fasten your buckle before you begin. Also, having treats at your cube during transition may help mollify crabby coworkers or at least induce a post-sugar-fueled-rant stupor, which should let you get back to work. Just a thought.
Implicit segmentation identifies, classifies and separates all groups of resources by default. Implicit segmentation is easiest to implement at the start of a new design. Essentially, the firewall becomes your core, and new segments get a separate interface on the firewall. Now everyone has to go to ask the friendly police officer for directions. Nice!
What’s that, Mr. BotNet Agent? You say you are looking for unprotected servers to scan and report back to your C&C? Sure, just sit over here in the bit bucket waiting room, and I’ll notify the Music Factory that you are here.
Figure 3: The Georgia Satellites Keep-Your-Hands-To-Yourself Network
This is a significant improvement over the Ted Nugent network above, but it is not without drawbacks. Firewalls are not switches or routers, and they will almost certainly increase latency across your network. This probably will not be detected by the average user perusing Craigslist for a new sectional couch, but it might be an issue for internal applications with high demands.
Many applications are written by developers who know nothing about network efficiency. They might be fortunate enough to build their app in a network fairytale lab with direct 10G bonded fiber links between all their hosts.
Are those good expectations to have of the real world? No. That’s like taking driving lessons from Justin Bieber on GTAV. If you have one of these voracious resource hogs powering your revenue stream, then you may need to adjust your design accordingly.
If you wanted to secure your house, you’d probably start with the doors, right? Perhaps you get a solid-core front door with a reinforced steel jamb, add a heavy-duty deadbolt and a titanium chain. Man, no one is coming through that door, right? Not without a lot of effort, anyway.
But, what if you leave the back door wide open? Same result, less effort for the bad guys.
Layer 2/3 bypasses are logical bridges that obviate your security design, and they are used more often than you might expect.
These offenses often take the form of a multi-homed server or device that spans two network segments without discrete routing instances to force the traffic back to a firewall.
Figure 4: The House of Pain Jump-Around Network
This issue can also present with misconfigured infrastructure like firewalls, switches and routers. Generally speaking, it is ideal if all traffic returns to a firewall before going to another network segment. Otherwise, you are just making it easier for would-be ne’er-do-well hoodlums to wear you like a hat.
To help prevent this issue, develop and maintain an accurate network topology map and regularly monitor your Layer 2 device tables to ensure only the right devices are directly connected. Monitoring firewall logs for inappropriate packet states should help spot any asymmetric routing issues.
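As an added illustration (not code from the original post), here is a toy model of the two ideas above: the explicit-segmentation policy that limits traffic and logs every decision, and an inventory check that flags the multi-homed host bridging two segments. The segment names, addresses, rules and inventory are all constructed assumptions.

```python
# Added example, not from the original post; segments, rules and hosts are constructed.
from ipaddress import ip_address, ip_network

# Constructed segments, one per firewall interface.
SEGMENTS = {
    "users":   ip_network("10.10.0.0/16"),
    "servers": ip_network("10.20.0.0/16"),
    "dmz":     ip_network("192.0.2.0/24"),
}

# Explicit allow rules (src segment, dst segment, proto, dst port).
# Anything not matched is denied: "a firewall policy must allow" the access.
RULES = [
    ("users", "servers", "tcp", 443),
    ("users", "servers", "tcp", 445),
    ("dmz",   "servers", "tcp", 5432),
]

def segment_of(ip):
    """Map an address to its segment name, or None if it is in no known segment."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def evaluate(src, dst, proto, port):
    """Return (verdict, log_line) for one flow: purpose 1 limits traffic,
    purpose 2 produces a log record for every decision, allowed or denied."""
    s, d = segment_of(src), segment_of(dst)
    if s is None or d is None:
        verdict = "DENY"          # unknown address: default deny
    elif s == d:
        verdict = "ALLOW"         # same segment never crosses the firewall
    elif (s, d, proto, port) in RULES:
        verdict = "ALLOW"
    else:
        verdict = "DENY"
    return verdict, f"{verdict} {s}->{d} {src} -> {dst}:{port}/{proto}"

def find_bypasses(inventory):
    """Flag multi-homed hosts whose interfaces sit in more than one segment:
    the Layer 2/3 bridge that lets traffic skip the firewall entirely."""
    flagged = []
    for host, addrs in inventory.items():
        segs = {segment_of(a) for a in addrs} - {None}
        if len(segs) > 1:
            flagged.append((host, sorted(segs)))
    return flagged
```

Feeding `find_bypasses` a host with interfaces in both `users` and `servers` returns it as a bypass, while `evaluate` denies any user-to-server flow that has no matching rule and still emits a log line for it.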
That’s a Wrap
There you have it. Don’t put all your eggs in a basket. Put them in a nicely partitioned carton, and you’ll possess less mess on your desk. If you find yourself missing the mess, you can always turn your keyboard upside down and smack it a few times. Bon Appétit!