In contrast to the delicious, soft center of a perfectly cooked chocolate chip cookie, having a soft-centered network is not a good thing. Many small to medium businesses employ network topologies with a “hard, crusty” exterior but a soft center or core. These networks employ firewalls and intrusion detection/prevention systems on the edge to keep out cybercriminals and script kiddies, who are seen as the most prominent threat from the outside. The “soft middle” is typically a large, flat network that is optimized for performance and simplicity. PCs assigned to departments reside on the open network with the servers and systems that they access for applications and databases. It is not uncommon to find sales, customer service and finance PCs and system administrators’ workstations all interspersed, without separation or access restrictions at the network layer.
The administrative interfaces on storage systems, domain controllers, business applications, databases, network switches and firewalls are open from any internal network IP address. Individual PCs may freely communicate with other PCs and typically are deployed in “default” configurations with unnecessary services exposed.
This soft-middle network topology plays right into the hands of current threat actors, who use phishing with malicious web links or weaponized attachments to gain a foothold within an enterprise network. Once inside, the attacker can reach any network or system in the “trusted” soft zone through lateral movement. This is an “insider threat” scenario that victimizes employees and uses their access privileges to obtain more privileged user credentials and to complete the attacker’s actions against the target(s).
In this blog, we will discuss a number of controls to help mitigate the risk and exposure to the insider threat through the use of network segmentation, based upon the FFIEC Examiner’s Handbook and the Center for Internet Security (CIS) controls.
Fair warning—this is no easy task! A firm understanding of your data and their classification, and a need-to-know approach to access control, are critical to success.
The FFIEC Examiner’s Handbook states that “management should develop data flow diagrams to supplement its understanding of information flow within and between network segments as well as across the institution’s perimeter to external parties.”
Data flow diagrams should identify:
- Data sets and subsets shared between systems;
- Applications sharing data; and
- Classification of data (public, private, confidential, or other) being transmitted.
What Can You Do?
Any network segmentation project should begin with mapping of critical data and documenting it in a data flow diagram, which should include user access controls based upon need to know. The data flow diagram need not be extensive or perfect at this point, but a baseline needs to be established as you classify and identify your critical data and where it is accessed on your networks or from your third-party providers. Like any risk management task, this is a continuous process improvement exercise that will be refined over time.
Once the data flow diagram is started, network segmentation work can begin.
Let’s look at the Center for Internet Security (CIS) controls relevant to this topic, CIS Control 14 – Controlled Access Based on the Need to Know.
“14.1 Segment the network based on the label or classification level of the information stored on the servers. Locate all sensitive information on separated VLANs with firewall filtering to ensure that only authorized individuals are only able to communicate with systems necessary to fulfill their specific responsibilities.”
The placement of a firewall, or similar network infrastructure with access control lists (ACLs), into the core of the network is critical to an effective segmentation project. These devices typically have good-quality logging capabilities and allow for instrumentation and alerting in the event that rules are violated or connections are blocked. If the firewall has built-in intrusion detection/prevention, those rule sets can be applied to internal traffic to detect or block insider indicators of attack, such as network reconnaissance or multiple Server Message Block (SMB) connections from a single host. Again, this is a continuous improvement process and will require careful design and implementation over time. Start with the most critical vulnerabilities and exposures, then move on to the next.
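As an added illustration (not code from the post, the FFIEC, or CIS), the following Python sketch turns a small data-flow inventory of the kind described above into a need-to-know allow-list and then audits a candidate core-firewall rule set against it, reporting permits that no documented flow justifies and documented flows that no permit covers. The VLAN names, hosts, ports and classifications are constructed assumptions.

```python
# Added example (not from the post): derive the need-to-know allow-list from a
# data-flow inventory and audit a candidate core-firewall rule set against it.
# Every VLAN, host, port and classification below is a constructed assumption.
from collections import namedtuple

Flow = namedtuple("Flow", "src_vlan dst_host port classification")
Rule = namedtuple("Rule", "src_vlan dst_host port action")

# Constructed data-flow diagram: which segment needs which server/port, and the
# classification of the data carried.  Admin interfaces appear only for vlan-admin.
DATA_FLOWS = [
    Flow("vlan-finance", "erp-db", 1433, "confidential"),
    Flow("vlan-sales", "crm-app", 443, "private"),
    Flow("vlan-customer-service", "crm-app", 443, "private"),
    Flow("vlan-admin", "erp-db", 22, "confidential"),
    Flow("vlan-admin", "core-switch", 22, "confidential"),
    Flow("vlan-admin", "san-mgmt", 443, "confidential"),
]

def required_allow_list(flows):
    """Need to know: only tuples present in the data-flow diagram may be permitted."""
    return {(f.src_vlan, f.dst_host, f.port) for f in flows}

def rule_matches(rule, flow):
    """A rule field of 'any' matches every value (rule ordering is ignored here)."""
    return all(r == "any" or r == f for r, f in
               zip(rule[:3], (flow.src_vlan, flow.dst_host, flow.port)))

def audit_rules(rules, flows):
    """Return (permit rules no documented flow justifies, documented flows no
    permit rule covers).  Wildcard permits are always reported as unjustified."""
    allowed = required_allow_list(flows)
    unjustified = [r for r in rules if r.action == "permit"
                   and (r.src_vlan, r.dst_host, r.port) not in allowed]
    uncovered = [f for f in flows if not any(
        r.action == "permit" and rule_matches(r, f) for r in rules)]
    return unjustified, uncovered

# The soft-middle state: one wildcard permit in the core.
SOFT_MIDDLE_RULES = [Rule("any", "any", "any", "permit")]
# A first segmentation attempt with one stray permit and two admin flows missing.
CANDIDATE_RULES = [
    Rule("vlan-finance", "erp-db", 1433, "permit"),
    Rule("vlan-sales", "crm-app", 443, "permit"),
    Rule("vlan-customer-service", "crm-app", 443, "permit"),
    Rule("vlan-admin", "erp-db", 22, "permit"),
    Rule("vlan-sales", "san-mgmt", 443, "permit"),  # not in the data-flow diagram
    Rule("any", "any", "any", "deny"),
]
```

Running `audit_rules(CANDIDATE_RULES, DATA_FLOWS)` flags the sales-to-SAN permit and the two uncovered admin flows, while the soft-middle rule set is reported as a single unjustified wildcard permit.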
Begin by looking at your network, server, printing and storage infrastructure for quick wins. All network devices, whether a router, switch, PC, server, storage system or printer/multi-function device, should be strictly controlled to allow only the ports, protocols and services that have a valid business need. Protocols that use clear-text authentication, such as FTP, TFTP, Telnet and SNMP (versions 1 and 2), should be deprecated in favor of SFTP (SSH File Transfer Protocol), Secure Shell (SSH) and SNMP version 3. Web administration interfaces should use HTTPS and require authentication for access. These quick wins will improve your security posture and are relatively easy to implement and test.
“14.3 All network switches will enable Private Virtual Local Area Networks (VLANs) for segmented workstation networks to limit the ability of devices on a network to directly communicate with other devices on the subnet and limit an attacker’s ability to laterally move to compromise neighboring systems.”
Specifically, for the Windows operating system—why do user PCs or laptops need to connect directly to other user PCs? Twenty years ago, when Windows for Workgroups was prevalent, sharing drives, databases and printers from a power user’s PC was fairly common. Today, not so much. Multifunction printers (MFPs) and network file-sharing appliances are typically centrally controlled and managed, and have protocol support for direct connection and use by the user community. Windows PCs should be locked down to allow remote connections only from system administrators, and only where necessary.
Finally, instrumentation of your infrastructure should be enabled and logged to a central syslog server or Security Information and Event Management (SIEM) system, to be reviewed by trained and qualified security experts. Windows devices should have Windows Audit Policy enabled and Microsoft’s Sysmon agent installed to detect indicators of compromise on endpoints and servers.
These steps and guidelines, while not always quickly accomplished, are well worth the investment of time and other resources to mitigate the risks that accompany soft-in-the-middle network topologies. More often than not it is the “old school” approaches to network security, as opposed to cutting-edge (not to mention budget-draining) solutions, that provide effective relief from contemporary network threats.
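The following Python script is an added example, not from the post: it runs over a few constructed core-firewall log lines of the kind a central syslog server or SIEM would collect and flags the two insider indicators mentioned above, SMB fan-out from one workstation to several hosts (lateral movement) and a sweep of many ports on one host (reconnaissance). The log format, addresses and thresholds are assumptions.

```python
# Added example (not from the post): flag SMB fan-out and port sweeps in
# constructed core-firewall logs.  Format, addresses and thresholds are assumed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a default-deny core firewall logs allows and denies alike.
SAMPLE_LOG = """\
2024-03-05T09:12:01 fw-core action=allow src=10.10.20.16 dst=10.10.30.5 dport=443 proto=tcp
2024-03-05T09:12:05 fw-core action=allow src=10.10.20.15 dst=10.10.30.7 dport=445 proto=tcp
2024-03-05T09:12:09 fw-core action=deny src=10.10.20.15 dst=10.10.30.7 dport=22 proto=tcp
2024-03-05T09:12:10 fw-core action=deny src=10.10.20.15 dst=10.10.30.7 dport=23 proto=tcp
2024-03-05T09:12:10 fw-core action=deny src=10.10.20.15 dst=10.10.30.7 dport=80 proto=tcp
2024-03-05T09:12:11 fw-core action=deny src=10.10.20.15 dst=10.10.30.7 dport=3389 proto=tcp
2024-03-05T09:12:40 fw-core action=allow src=10.10.20.15 dst=10.10.30.8 dport=445 proto=tcp
2024-03-05T09:13:02 fw-core action=allow src=10.10.20.15 dst=10.10.30.9 dport=445 proto=tcp
""".splitlines()

LOG_RE = re.compile(r"^(?P<ts>\S+) \S+ action=(?P<action>\w+) src=(?P<src>[\d.]+) "
                    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=\w+$")

def parse(lines):
    """Return (timestamp, action, src, dst, dport) tuples; other lines are skipped."""
    rows = [m.groupdict() for m in map(LOG_RE.match, lines) if m]
    return [(datetime.fromisoformat(d["ts"]), d["action"], d["src"], d["dst"],
             int(d["dport"])) for d in rows]

def smb_fanout(events, window=timedelta(minutes=5), threshold=3):
    """Sources whose permitted SMB sessions reached >= threshold hosts in one window."""
    by_src, hits = defaultdict(list), {}
    for ts, action, src, dst, port in events:
        if port == 445 and action == "allow":
            by_src[src].append((ts, dst))
    for src, conns in by_src.items():
        conns.sort()                      # sliding window over time-ordered sessions
        for i, (t0, _) in enumerate(conns):
            dsts = {d for t, d in conns[i:] if t - t0 <= window}
            if len(dsts) >= threshold:
                hits[src] = dsts
                break
    return hits

def port_sweep(events, threshold=5):
    """(src, dst) pairs touched on >= threshold distinct ports; denies count too."""
    ports = defaultdict(set)
    for _, _, src, dst, port in events:
        ports[(src, dst)].add(port)
    return {k: sorted(v) for k, v in ports.items() if len(v) >= threshold}
```

On the sample, `smb_fanout` reports only 10.10.20.15 and `port_sweep` reports the 10.10.20.15 to 10.10.30.7 pair; the denied probes are what make the sweep visible, which is why deny logging on the core firewall matters.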