In our first blog on ideal network security perimeter design, we looked at how to harden and configure your network and at understanding what outsiders can see. In part 2 we'll examine the numerous layers in a sound network security perimeter design and how to enable access for authorized personnel.
No matter how hard you try to stop an adversary, one is going to slip by your well-planned network. Within the perimeter there are tools that can help us proactively block these threats if they’re found (this doesn’t mean they’ll catch all of them, but that’s why we have layers). Let’s take a look at these tools and where they are layered in:
A popular tool that’s making its way into the perimeter is cloud-based malware detection. These tools scan data as it passes through the firewall or routers and filter for suspicious traffic entering your network. Unlike appliance-based solutions, this sits outside your architecture and has traffic analyzed before it hits your network.
The traditional first line of defense against attacks is the firewall, which is configured to allow or deny traffic by source/destination IP, port or protocol. It’s very binary: based on these variables, traffic is either allowed or it’s blocked.
If an attack leverages one of these allowed firewall rules, then you had better have the next layer on the perimeter: a well-tuned and monitored IPS. Having the IPS well-tuned and watched by the security team is a way to catch those sneaky intruders that have slipped past the first castle wall and are now within the perimeter.
In some organizations these layers are merging with the advent of the NGFW, which gives you the ability to integrate layer 2 and layer 3 technologies if needed and review more traffic at the application layer.
Together these systems will help limit the risk and likelihood of an attacker walking through the front gate, but we can’t let our guard down just because we have them. Having these tools in place is one thing, but having the staff and policy to manage them is another. An important component of a truly secure architecture is having the right staff with the right expertise in place to manage it, from the personnel who configure the systems to those who monitor the systems’ output for security-related events. It’s a test of your architecture and team to tune everything if and when something gets through.
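To make the layering concrete, here is an added example (not code from the original post or from any vendor product) that models the perimeter described above as a pipeline: a default-deny firewall that decides purely on source/destination IP, protocol and port, followed by a small IPS check that only ever sees traffic the firewall admitted, with every verdict written to a log the security team can review and tune against. The ruleset, the IPS signatures, the addresses and the packets are all constructed for this example.

```python
"""Added example: a toy model of a layered perimeter (firewall -> IPS -> log).
Everything here (rules, signatures, addresses, packets) is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    payload: bytes = b""


@dataclass
class Rule:
    """One firewall rule: the binary allow/deny decision on IP, port, protocol."""
    action: str                    # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None    # None = any protocol
    dport: Optional[int] = None    # None = any port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


# Hypothetical ruleset: first match wins, implicit deny at the end.
FIREWALL_RULES = [
    Rule("deny", src="10.0.0.0/8"),                                  # anti-spoofing: internal range arriving from outside
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=443),    # public web server, HTTPS
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=80),     # public web server, HTTP
]


def firewall(p: Packet) -> str:
    """Layer 1: return 'allow' or 'deny' from the first matching rule."""
    for rule in FIREWALL_RULES:
        if rule.matches(p):
            return rule.action
    return "deny"   # default deny: anything not explicitly allowed is blocked


# Hypothetical IPS content signatures, applied only to traffic the firewall let in.
IPS_SIGNATURES = {
    "http-path-traversal": b"../",
    "http-null-byte": b"\x00",
}
MAX_REQUEST_LINE = 2048   # anomaly threshold for the first line of an HTTP request


def ips(p: Packet) -> Optional[str]:
    """Layer 2: return the name of the signature or anomaly that fired, or None."""
    for name, pattern in IPS_SIGNATURES.items():
        if pattern in p.payload:
            return name
    first_line = p.payload.split(b"\r\n", 1)[0]
    if len(first_line) > MAX_REQUEST_LINE:
        return "oversized-request-line"
    return None


def perimeter(p: Packet, log: List[str]) -> str:
    """Run a packet through both layers, recording each verdict for the monitoring team."""
    if firewall(p) == "deny":
        log.append(f"FW DENY {p.proto} {p.src} -> {p.dst}:{p.dport}")
        return "blocked-by-firewall"
    alert = ips(p)
    if alert:
        log.append(f"IPS DROP {alert} {p.src} -> {p.dst}:{p.dport}")
        return f"blocked-by-ips:{alert}"
    log.append(f"ALLOW {p.proto} {p.src} -> {p.dst}:{p.dport}")
    return "allowed"


if __name__ == "__main__":
    events: List[str] = []
    samples = [
        Packet("198.51.100.7", "203.0.113.10", "tcp", 443, b"GET / HTTP/1.1\r\n"),
        Packet("198.51.100.7", "203.0.113.10", "tcp", 22),
        Packet("10.1.2.3", "203.0.113.10", "tcp", 443),
        Packet("198.51.100.7", "203.0.113.10", "tcp", 80, b"GET /static/../../config HTTP/1.1\r\n"),
    ]
    for pkt in samples:
        print(perimeter(pkt, events))
    print("\n".join(events))
```

The point the model makes is the one the text makes: port 443 to the web server is "allowed" as far as the firewall is concerned, so a request carrying a traversal pattern on that port is only stopped because a second, payload-aware layer exists behind the first, and only noticed because that layer's decisions are logged somewhere a person looks.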
Designing the network security architecture is a task that will never truly be completed, because the network, the threats, and the security tools and processes all keep evolving.
In order to future-proof your design, though, you must set a baseline for what you want to protect and then ensure that the design can scale over time. A common failure in designing the network architecture is trying to find the silver bullet that covers everything. The problem here is that the threats you face today may not be the ones you face tomorrow, and your network today does not look the same as it will tomorrow.
Think of your network perimeter like a castle during medieval times. You allow people from the outside to see your outer walls, and you want to make sure you have multiple layers of defense set up behind them in case something fails. Like a medieval castle you have multiple layers of defense to stop an attacker and don’t rely on just walls to prevent attacks. That’s why castles had archers, high walls, big gates, people that dumped flaming hot tar on intruders below and my personal favorite, a moat filled with rabid alligators (if we could only find the cyber equivalent of a rabid alligator we’d all be safe on the internet). Even going back hundreds of years ago people understood the benefits of having security in layers, and it’s no different today in information security. Over the course of this blog series we'll examine some tips for improving the design of your network architecture for a more secure perimeter.
Hardening and Configuration
In this part of the architecture we need to concern ourselves with how we implement our network. It’s here that we start setting up our walls to prevent attackers from gaining access into our precious kingdom and pillaging our citizens (or users). One of the first areas we need to review is the front line – the systems that are actually in place to prevent unauthorized entry. These would be our routers, firewalls, load balancers, etc. Verify that these systems are running the latest and greatest updates and that the configuration on these devices is locked down to only the needed administrators. Since setting up a DMZ in your network is so important we’re going to dedicate an entire blog post just to that (so be patient).
Another thing that needs to be reviewed on these public-facing systems is whether they’re resilient enough under attack. Do you have these core, public-facing systems clustered so that an enemy cannot knock one down and leave you stranded? Just like our castle example, you never see a castle made of paper. They’re made of brick and stone to keep an enemy away, and we need to think the same way when it comes to routers and firewalls.
One way to limit risk on your perimeter-facing systems is to have a “golden image” of the systems already in place before they are sent out to the front line. If you’re using Apache as a web server there should be an image already created of this server that’s been vetted by your information security department. The same thing goes for networking equipment – does the router allow anyone to telnet to it from the outside (please say no)? Also, before putting a system out on the internet make sure that it’s running all the needed security patches and add these to your “golden image”. Simple things like these suggestions can stop you from being owned. Now that we’ve taken this step, it’s still possible we’ve missed something. Let’s see what others can make of our systems while they’re out on the perimeter trying to peer in.
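As an added example of turning the two checks above into a pre-flight step (this is not code from the original post), the script below compares the package versions on a system against a vetted golden-image manifest and audits a Cisco IOS-style `line vty` block for the telnet-from-outside problem. The manifest, the version numbers and the configuration fragments are all constructed for the example; the IOS commands `transport input`, `access-class` and `line vty` are real, but the treatment of a missing `transport input` line as a finding is this script's conservative assumption, not a statement about any particular platform's default.

```python
"""Added example: golden-image drift check plus a management-access audit for
a perimeter device. Manifest, versions and config text are constructed."""
import re
from typing import Dict, List

# Constructed golden-image manifest: package -> minimum vetted (patched) version.
GOLDEN_MANIFEST: Dict[str, str] = {
    "apache2": "2.4.58",
    "openssl": "3.0.13",
    "openssh-server": "9.6",
}


def parse_version(v: str) -> tuple:
    """'2.4.58' -> (2, 4, 58) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


def version_drift(installed: Dict[str, str]) -> List[str]:
    """Report packages that are missing or older than the golden image."""
    findings = []
    for pkg, want in GOLDEN_MANIFEST.items():
        have = installed.get(pkg)
        if have is None:
            findings.append(f"{pkg}: not installed (golden image has {want})")
        elif parse_version(have) < parse_version(want):
            findings.append(f"{pkg}: {have} is older than golden image {want}")
    return findings


def audit_vty(config: str) -> List[str]:
    """Flag remote-management settings on the 'line vty' block that would let
    anyone reach the device's CLI, telnet included, from anywhere."""
    findings = []
    # Capture the indented lines that follow 'line vty ...' (IOS-style nesting).
    m = re.search(r"^line vty[^\n]*\n((?:[ \t]+[^\n]*\n?)*)", config, re.M)
    if not m:
        return ["no 'line vty' block found; cannot verify remote management"]
    lines = [l.strip() for l in m.group(1).splitlines() if l.strip()]
    transport = [l for l in lines if l.startswith("transport input")]
    if not transport:
        findings.append("vty: no 'transport input' set; assumption: treat platform default as unverified")
    elif any(("telnet" in l) or l.endswith(" all") for l in transport):
        findings.append("vty: telnet management enabled (" + transport[0] + "); use 'transport input ssh'")
    if not any(l.startswith("access-class") for l in lines):
        findings.append("vty: no 'access-class' restricting which source addresses may manage the device")
    return findings


def preflight(installed: Dict[str, str], config: str) -> List[str]:
    """Everything that must be fixed before the device goes out to the front line."""
    return version_drift(installed) + audit_vty(config)


# Constructed sample inputs: one box that drifted from the image, one that matches it.
DRIFTED_PACKAGES = {"apache2": "2.4.52", "openssl": "3.0.13"}          # old apache, no openssh-server
DRIFTED_CONFIG = """hostname edge-rtr-1
line vty 0 4
 transport input telnet ssh
 login local
!
"""

CLEAN_PACKAGES = {"apache2": "2.4.58", "openssl": "3.0.13", "openssh-server": "9.6"}
CLEAN_CONFIG = """hostname edge-rtr-1
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
!
"""

if __name__ == "__main__":
    for label, pkgs, cfg in (("drifted", DRIFTED_PACKAGES, DRIFTED_CONFIG),
                             ("clean", CLEAN_PACKAGES, CLEAN_CONFIG)):
        issues = preflight(pkgs, cfg)
        print(f"{label}: {'READY' if not issues else 'NOT READY'}")
        for issue in issues:
            print("  -", issue)
```

Run against the drifted sample it reports four findings (old Apache, missing OpenSSH, telnet enabled, no access-class); the clean sample reports none. The same two functions are what you would re-run on a schedule, because a box that matched the golden image on the day it shipped does not stay that way on its own.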
Hello. My name is Ed Snowden. A little over one month ago, I had family, a home in paradise, and I lived in great comfort. I also had the capability without any warrant to search for, seize, and read your communications. Anyone’s communications at any time. That is the power to change people’s fates.
It is also a serious violation of the law. The 4th and 5th Amendments to the Constitution of my country, Article 12 of the Universal Declaration of Human Rights, and numerous statutes and treaties forbid such systems of massive, pervasive surveillance. While the US Constitution marks these programs as illegal, my government argues that secret court rulings, which the world is not permitted to see, somehow legitimize an illegal affair. These rulings simply corrupt the most basic notion of justice – that it must be seen to be done. The immoral cannot be made moral through the use of secret law.
I believe in the principle declared at Nuremberg in 1945: "Individuals have international duties which transcend the national obligations of obedience. Therefore individual citizens have the duty to violate domestic laws to prevent crimes against peace and humanity from occurring."
Accordingly, I did what I believed right and began a campaign to correct this wrongdoing. I did not seek to enrich myself. I did not seek to sell US secrets. I did not partner with any foreign government to guarantee my safety. Instead, I took what I knew to the public, so what affects all of us can be discussed by all of us in the light of day, and I asked the world for justice.
That moral decision to tell the public about spying that affects all of us has been costly, but it was the right thing to do and I have no regrets.
Since that time, the government and intelligence services of the United States of America have attempted to make an example of me, a warning to all others who might speak out as I have. I have been made stateless and hounded for my act of political expression. The United States Government has placed me on no-fly lists. It demanded Hong Kong return me outside of the framework of its laws, in direct violation of the principle of non-refoulement – the Law of Nations. It has threatened with sanctions countries who would stand up for my human rights and the UN asylum system. It has even taken the unprecedented step of ordering military allies to ground a Latin American president’s plane in search for a political refugee. These dangerous escalations represent a threat not just to the dignity of Latin America, but to the basic rights shared by every person, every nation, to live free from persecution, and to seek and enjoy asylum.
Yet even in the face of this historically disproportionate aggression, countries around the world have offered support and asylum. These nations, including Russia, Venezuela, Bolivia, Nicaragua, and Ecuador have my gratitude and respect for being the first to stand against human rights violations carried out by the powerful rather than the powerless. By refusing to compromise their principles in the face of intimidation, they have earned the respect of the world. It is my intention to travel to each of these countries to extend my personal thanks to their people and leaders.
I announce today my formal acceptance of all offers of support or asylum I have been extended and all others that may be offered in the future. With, for example, the grant of asylum provided by Venezuela’s President Maduro, my asylee status is now formal, and no state has a basis by which to limit or interfere with my right to enjoy that asylum. As we have seen, however, some governments in Western European and North American states have demonstrated a willingness to act outside the law, and this behavior persists today. This unlawful threat makes it impossible for me to travel to Latin America and enjoy the asylum granted there in accordance with our shared rights.
This willingness by powerful states to act extra-legally represents a threat to all of us, and must not be allowed to succeed. Accordingly, I ask for your assistance in requesting guarantees of safe passage from the relevant nations in securing my travel to Latin America, as well as requesting asylum in Russia until such time as these states accede to law and my legal travel is permitted. I will be submitting my request to Russia today, and hope it will be accepted favorably.
If you have any questions, I will answer what I can.