If one took a geographic look at many internal networks, they might see something that reminded them of the Great Plains: flat, open, and unregulated. They would find a terrain that allows someone to get from one place to another by traveling in a straight line. Those terms are fine when applied to the Great Plains; however, the time has come to fence in and segregate internal networks.
Segregation or Segmentation?
Many networks already have some form of segmentation in place. Network segmentation could take the form of different subnets for each location, floor, a specific switch, or a group of ports. Technologies like virtual local area networks (VLANS) can also help achieve segmentation. Network segregation goes a step further by restricting access to devices and services offered on each network segment and within network segments to only those devices that have been explicitly allowed. Network segregation defines what can communicate on the network and how that communication can occur. Technologies used to implement network segregation can include router, switch, and VLAN access control lists, and network, virtual, and host based firewalls.
Why Segregate?
Network compromises often originate from within a network. Attackers do not find much success by "hacking through the firewall." It is much easier to get access by tricking an internal user into clicking a link or attachment in a phishing email or website. The attacker then has gained a foothold on the internal network and will pivot mercilessly from machine to machine seeking the opportunity to elevate their level of privilege until control of the network is obtained.
An Important Principle
Many businesses, large and small, have an inherent trust in their employees. Duties within some business functions such as human resources or accounting may be separated so that no one employee has too much access. However, while operational job functions may have been addressed, the need to separate duties and restrict access to information, systems, and services is often not extended to the network level. The principle of least privilege must be applied. This principle gives an employee or system only the access needed to perform their job.
Implementing Segregation
Segmenting and then segregating a network is a challenging task. Good network architecture design skills, alongside working with third party vendors and application vendors will be necessary. Extensive testing is also a must. However, there are several quick wins that can significantly improve overall network security and take away attack paths employed by attackers. First, it is necessary to segment the network into categories by device. Some suggested categories are:
- Workstations
- Servers
- Printers
- VOIP Telephones
- Automated Teller Machines
- Auxiliary (all other devices)
Segmentation requires creating separate subnets for each category and moving devices to those subnets. For segregation to be complete, once the devices reside on the appropriate segment, access control rules must be applied. A basic set of access control rules that could be applied to workstations is:
- Deny all workstation-to-workstation traffic within the workstation subnet.
- Allow all traffic from the workstation subnet to the server subnet.
- Allow ports TCP 515, TCP 9100, UDP 161, UDP 162 to the printer subnet.
- Allow all traffic from the server subnet to the workstation subnet.
- Rules for specific access to devices in the Auxiliary subnet.
- Deny all remaining traffic that has not been explicitly allowed (applied as the last rule).
Restricting access between workstations is critical, because it removes the ability for an attacker who has compromised one workstation to pivot to other workstations. Two of the rules allow all traffic from workstations to servers and from servers to workstations. These should be replaced with more granular rules after further analysis of ports and protocols needed for applications is completed. The rules above are implemented easily by utilizing the free host-based firewall built-in to Microsoft Windows Operating systems and it can also be managed by utilizing Group Policy Objects.
Network segregation is the separation of devices and control of the traffic between those devices. Just as firewalls became necessary to protect from malicious Internet activity, network segregation is now a necessary and critical part of a secure network architecture.
Ty Purcell is a Security and Compliance Consultant for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and Tandem – a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. Visit our website at www.conetrix.com to learn how CoNetrix can improve your Cybersecurity maturity.