Subscribe Now

* You will receive the latest news and updates on the Canadian IT marketplace.

Trending News

Blog Post

In the zone

In the zone 

Another component of corporate security strategy is to enable in-line security products capable of automated risk mitigation. While concerns about false positives are understandable, those risks must be weighed against the risk of being unable to respond immediately to critical security alerts. While the media have pointed out that intruders in recent high profile cases generated thousands of alerts, it’s easy to understand how they could be lost in the background noise. Cutting edge developers are responding to this challenge; stay tuned.

Most organizations also need to make fundamental changes in the area of network architecture including the implementation of much stronger network security zoning to prevent and contain intrusions.

Media reports about compromises suggest that intruders have been able to perform tasks such as repeatedly loading malware onto point of sale systems and staging payment card information on internal servers prior to exfiltration. This type of connectivity should be blocked at the network level in addition to being detected by network and endpoint security software.

The practice of creating network security zones began with the DMZ. Internet-facing systems were placed on a separate network using firewalls to isolate them from both the Internet and the Internal network. Sadly, many organizations still operate today with this inadequate and outdated three zone model: Internet, DMZ, and internal network.

Users’ PCs may contain sensitive information, but they are usually not the primary target of criminals seeking intellectual property and payment card information. PCs are often the easiest computers to penetrate because of the sheer number of applications, especially email and web browsing. PCs in general have the largest attack surface of all corporate systems. Yet they are often located on an internal network segment with few, if any, limits placed on connectivity with corporate servers.

From a security architecture perspective, it is prudent to assume that internal systems will be attacked from user endpoints (PCs and mobile devices) as well as from the Internet. Determined attackers will steal credentials and malware will leverage the credentials of the currently logged in user to access other resources. As a result, from the perspective of internal servers, attacks by insiders and outsiders may look identical.

User zones should be designed similar to DMZs. Ingress and egress filtering should limit connectivity to that required to perform job functions and take into account that computers in user zones are more likely to suffer malware infections than those in other zones. For many organizations creating user zones also means new system administration practices. For example, direct file transfers and remote desktop sessions between an administrator’s regular PC and production servers should be blocked. Administrators should ideally use a dedicated PC connected to an administrative LAN that has no Internet connectivity. However, if connectivity from their corporate PC is a requirement, another option is to allow remote desktop from the administrator’s PC to a jump server located within the server subnet. In this case, it would be preferable to require two-factor authentication in case malware on an administrator’s PC is able to capture login credentials.

To detect and prevent attacks on internal systems, many organizations have deployed advanced firewalls, unified threat management devices, and advanced malware detection systems. These types of products are much more effective than traditional stateful packet inspection firewalls. However, they are typically deployed at the perimeter. They should also be deployed at zone interface points to restrict traffic flow and detect attacks emanating from user zones.

The use of desktop virtualization should also be considered, especially for administrators and users who must access highly sensitive information. For example, the user’s desktop PC (or thin client) can be connected to a high security zone that allows remote desktop connectivity to jump servers within the various server zones, and a virtual desktop for access to the Internet, email, and other general corporate applications. Users who must access systems with sensitive information, such as payment card data, could be required to connect to a different virtual desktop within a PCI zone. Virtualization can significantly reduce the attack surface of sensitive systems and contain data within the appropriate security zone.

Most organizations also require multiple server zones to help detect, prevent, and contain intrusions. For example, domain controllers, print servers, and general office file shares should be isolated from systems handling payment card information, sensitive intellectual property, and human resources databases. While this leads to more complex network topologies, it is not difficult to achieve using VLANs and modern advanced firewalls with multiple network interfaces.

Separate zones are also required for VoIP devices, physical security systems (access control, CCTV), SCADA systems, and control systems accessed by subcontractors. For example, it has been widely reported that the initial compromise at Target occurred via credentials assigned to an HVAC subcontractor. Controls should obviously have been in place to prevent an intrusion via this connection from impacting payment processing systems.

Implementing network security zones with appropriate controls at zone interface points goes a long way to prevent and contain internal and external attacks on sensitive systems. Zone interface points also provide an opportunity to monitor activity and identify security issues before sensitive data is stolen.


Related posts