Top 10 Network Security Mistakes - #7: Permissive Access Controls
November 25, 2013
Life, in general, is a balancing act. How much of your income should you route to your retirement? How many cold, delicious beverages can you consume before waking up on time hurts too much? How much can you repress the commoners before they overthrow you? How much usability are you (or your users) willing to give up in order to secure your kingdom?
These questions in some form or another are persistent and eternal. And how people answer these questions is always a fascinating study in social psychology.
There are a lot of factors to consider. How much does it cost to secure something? Will users find a way to circumvent a solution they don’t like? What’s the total cost of a data ‘incident’, and is that more or less than the investment required to make an incident less likely?
All of these things must (or should) be taken into account when designing the processes and policies that govern access to resources and data in any organization. Some places have done a very good job of weaving a secure mindset into the fabric of the culture. Others have compliance or audit requirements that force them to use (or say they use) secure design and processes appropriately. But, more often than I’d like to admit, I’ve seen decisions made by following what I can only assume is the path of least resistance.
The great thing about paths of least resistance: you’ll never be alone. If you use them, others will follow.
Access controls break into two main components, physical and logical, and each has a number of sub-components. A complete study of all the possibilities is outside the scope, in time, value and interest, of this article. So let’s just shoot for a bowl of low-hanging fruit.
Take Olivia Newton John’s Advice – Get Physical
Physical security can cover buildings, rooms, devices and more. Most organizations these days have their critical infrastructure under lock and key. Most. Sadly, I still occasionally see switches, routers and even firewalls or servers just hanging out as if there is a little social mixer going on in the lobby:
IPS: “More bacon-wrapped scallops, Mr. Firewall?”
Firewall: “No thanks. Mrs. Firewall will be upset if I outgrow another pair of power cables.”
If you cannot prevent anyone from touching your firewall or critical network infrastructure, then you have very little assurance that it even belongs to you anymore. If you do not have a data center/room/closet/rack/box, then go MacGyver on it. Build a box. Knit a firewall cozy to hide it. Do something, anything! Improvise if you have to, but figure something out to protect your critical devices from visitors, consultants, the cleaning crew and perhaps even malevolent critters.
BTW, you cannot retrofit assurance. If your firewall has been your stalwart coffee caddy for the last three years, assume that it is compromised. Do this with your old firewalls, then start over from scratch.
That is Logical, Captain
Logical security is all over the place in networks. An exhaustive list would be…well, exhausting. So, let’s focus on a few key areas where some basic attention can pay big dividends.
Network Access Control (wired/wireless)
This is really the starting point for any discussion about perimeter network security (if you still happen to believe in that paradigm). This idea generally applies to machines connecting to the “trusted” side of the network, as controls are generally less rigid internally. This includes users, contractors, visitors, printers – anything that needs a network connection to function.
Controlling access to the network itself is a great way to avoid giving an attacker somewhere to set up camp and do further damage. There are numerous stories of compromised or malicious devices gaining access to the trusted network, where lax internal access controls allowed them to run rampant. Happy Birthday, Mr(s). Attacker!
Let’s cover our two main network access methods:
Wireless – Vendors and admins finally seem to be defaulting to encrypted wireless networks. Using any encryption is better than nothing, but remember: the legacy standard WEP is exceedingly easy to crack. WPA is preferred, and it is even better if you can use the enterprise version and secure it with strong authentication such as Multifactor Authentication or a certificate instead of a simple pre-shared key. Bonus points for hiding SSIDs and adding client supplicants or host scans before allowing access to secured networks. After all, you don’t want to have to explain how a coffee machine hacked into your network, do you?
Wired – Most modern switches are capable of enforcing 802.1X port security. This is a huge improvement over open ports to which anyone can connect. But of course, there are some caveats. Moving from implicit connectivity to explicit connectivity requires some consideration. How will you authenticate, and what will you use as a credential? What about ports where there is not a full-blown workstation, such as a printer or fax? Who will be responsible for turning up new ports and turning down old ports? You may require a MAC harvesting solution to help your authentication service identify static devices. A smooth deployment may require some consulting help, but the sleep you’ll gain at night knowing that the Jimmy John’s delivery guy isn’t plugging a Pwnie Express in while you’re eating lunch is totally worth it.
If you can’t control your network access for some reason, then you can help mitigate some of the risks by implementing default segmentation in your network.
Many legacy networks have a Castle & Moat design, where anyone on the inside has access to anything else on the inside. This is bad form on a number of levels, especially if you can’t validate the identity, actions and/or intentions of those on the inside. Verizon’s paper from 2009 says that 43% of malicious attacks came from insiders. So, don’t assume everyone you’re trying to protect has your best interests in mind.
To alleviate this issue, segment users from production resources and only open specific rules to allow certain IPs or Identities through on specific ports. If possible, segment users from each other as well. Users will do whatever works for them and allows them to overcome a challenge and sometimes that means creating network shares or turning off firewalls “temporarily.” Sometimes we have to save users from themselves, even if it means hearing complaints about how they cannot figure out how to move the picture of their niece’s dance recital off their computer.
Identification and Authentication
Many current-generation firewalls (or “next-generation,” according to the marketing material) have the ability to operate based on identity instead of source/destination IP. This is a massive improvement over using static IPs because we can avoid overly permissive rules on the firewall.
Workstation access can be tough to control. There are a handful of Multifactor Authentication solutions that work on the endpoint to help increase assurance that the correct user is the one granted access. These are great if you can find one that works for your environment. If not, then you’ll be relegated to doing your verification deeper in the network. Either way, require some level of complexity in passwords and educate users about safe password habits.
Services and Applications
Services and applications are generally where the good stuff is stashed. Many applications store or cache data on the workstation, underscoring the importance of the previous section, but the fact remains that the reason you have services and applications is to manage and grant access to data of value. So, protect it. Single factor passwords are a liability, so avoid them whenever possible. Use strong authentication to help increase assurance that the right person is getting access. If you have compliance concerns, make sure all access and validation activities are logged and stored for correlation and auditing purposes.
Many times, organizations overlook their remote access solution when considering network security. This is an area where Multifactor Authentication is very easy to implement, and the choices are many. If your remote solution allows non-managed devices to connect, this is even more important. Also, wherever possible, avoid using full network connectivity solutions. There is danger in allowing remote endpoints to traipse across the network unfettered via IPSEC or SSL VPN. Use a portal VPN solution and place a service wrapper around specific resources if you can. This is starting to become a common approach to BYOD implementations as well. I can recommend a reputable security company if you’d like to talk more about that.
The number of ways in which a firewall can be misconfigured is tragically infinite. We’ll focus on a couple of main points here:
Internal - We covered this above. Allowing everything behind your firewalls to talk to everything else is a mistake. Segment, identify and enforce wherever you can. Many organizations are moving towards using a firewall as the network core to ensure default segmentation. There are design and performance considerations to this approach, but it helps ensure your organization doesn’t have a soft, gooey inside. Otherwise, an Enclave approach may be appropriate.
Inbound - We covered DMZ design in a previous article, but that didn’t fully cover limiting access. Most admins know that inbound traffic needs to be tightly controlled, but to avoid assumptions, I’ll write it here in plain language:
Inbound traffic rules should allow only necessary traffic. You often cannot control the source, but you should heavily scrutinize the use of “ANY” in a firewall rule’s destination or service. Unnecessary destinations and services increase the possibility of an attacker finding an unintentionally unprotected host or service, leading to deeper and more damaging intrusions.
Outbound - Many organizations are getting better about this, but it is worth stating here clearly:
It is important to restrict outbound traffic. Allowing any and all traffic to go out is a great way to facilitate malware infection or become an accessory in the next botnet DDoS attack.
Limit outbound traffic to only necessary ports. If possible, use a web filter to help prevent access to known infected hosts, CNC servers, unknown destinations and otherwise suspicious content. If you can’t implement a proper proxy/web filter, consider OpenDNS.
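As an added example (not part of the original post), here is a small Python linter that checks a rule base for the permissive patterns called out in the inbound and outbound sections above: “ANY” in an inbound allow rule’s destination or service, and outbound allow rules that permit any service or any destination. The rule line format and the sample rule base are constructed for this example and are not any vendor’s syntax.

```python
"""Lint a simple firewall rule base for overly permissive allow rules.

Rule line format (constructed for this example, not a vendor format):
    name,direction,action,source,destination,service
"""
from typing import List, Tuple

# Constructed sample rule base; names and addresses are made up.
SAMPLE_RULES = """\
web-in,inbound,allow,any,10.0.1.10,tcp/443
mgmt-in,inbound,allow,any,any,tcp/22
legacy-in,inbound,allow,any,10.0.1.20,any
proxy-out,outbound,allow,10.0.2.0/24,10.0.1.50,tcp/3128
all-out,outbound,allow,10.0.2.0/24,any,any
default-deny,inbound,deny,any,any,any
"""


def parse_rules(text: str) -> List[dict]:
    """Parse the CSV-style rule base into dicts; skip blank and comment lines."""
    keys = ("name", "direction", "action", "src", "dst", "service")
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip().lower() for f in line.split(",")]
        if len(fields) != len(keys):
            raise ValueError(f"malformed rule line: {line!r}")
        rules.append(dict(zip(keys, fields)))
    return rules


def audit(rules: List[dict]) -> List[Tuple[str, str]]:
    """Return (rule name, finding) pairs for allow rules that use ANY where it matters."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue  # explicit denies, including a catch-all default deny, are fine
        if r["direction"] == "inbound":
            # The source is often uncontrollable; destination and service are not.
            if r["dst"] == "any":
                findings.append((r["name"], "inbound allow to ANY destination"))
            if r["service"] == "any":
                findings.append((r["name"], "inbound allow for ANY service"))
        elif r["direction"] == "outbound":
            if r["service"] == "any":
                findings.append((r["name"], "outbound allow for ANY service"))
            elif r["dst"] == "any":
                findings.append((r["name"], "outbound allow to ANY destination (use a proxy/web filter)"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_rules(SAMPLE_RULES)):
        print(f"{name}: {finding}")
```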
I’ll also mention Extrusion Detection/Prevention Systems here as well. This is an emergent technology that focuses on monitoring outbound traffic to look for backscatter signs of infection. So, where traditional antivirus solutions try to catch malware on the way into your hosts, EDP looks at the behavior of your traffic on the way out of your network to identify infected hosts.
Wrapping It Up
That’s about it for this installment. I know it’s daunting to consider exchanging connectivity and ease for security and hassle, but doing so can help you avoid hosting a raging kegger at 111 Path-of-Least-Resistance Lane. Just sayin’.