In our first blog on ideal network security perimeter design, we looked at how to harden and configure your network as well as understanding what outsiders can see. In part 2 we'll examine the numerous layers in a sound network security perimeter design and how to enable access for authorized personnel.
No matter how hard you try to stop an adversary, one is going to slip by your well-planned network. Within the perimeter there are tools that can help us proactively block these threats if they’re found (this doesn’t mean they’ll catch all of them, but that’s why we have layers). Let’s take a look at these tools and where they are layered in:
A popular tool that’s making its way into the perimeter is cloud-based malware detection. These tools scan data as it goes through the firewall or routers and filter for suspicious traffic entering your network. Unlike appliance-based solutions, this sits outside your architecture, so traffic is analyzed before it hits your network.
The traditional first line of defense against attacks is the firewall, which is configured to allow/deny traffic by source/destination IP, port or protocol. It’s very binary: either traffic is allowed or it’s blocked based on these variables.
If an attack is leveraging one of these allowed firewall rules, then you better have the next layer on the perimeter, a well-tuned and monitored IPS. Having the IPS well-tuned and being viewed by security is a way to watch for those sneaky intruders that have slipped past the first castle wall and are now within the perimeter.
In some organizations these layers are merging with the advent of the NGFW, which gives you the ability to integrate layer 2 and layer 3 technologies if needed and review more traffic at the application layer.
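To make the layering concrete, here is an added example (not from the original post) of the two checks in sequence: a firewall that decides purely on source, destination, port and protocol, and an IPS that inspects the payload of only what the firewall let through. The addresses, rules and signatures are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes = b""

# Constructed firewall policy (hypothetical addresses): first match wins,
# anything that matches no rule is denied.
FIREWALL_RULES = [
    ("allow", "0.0.0.0/0", "203.0.113.10/32", 443, "tcp"),      # public HTTPS
    ("allow", "198.51.100.0/24", "203.0.113.20/32", 22, "tcp"),  # admin SSH only
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None, None),              # default deny
]

# Constructed IPS content signatures: they look at payload, not addresses.
IPS_SIGNATURES = {
    "path-traversal": b"../../",
    "script-injection": b"<script>",
}

def firewall_decision(flow, rules=FIREWALL_RULES):
    """Binary allow/deny on source, destination, port and protocol only."""
    for action, src_net, dst_net, dport, proto in rules:
        if ip_address(flow.src) not in ip_network(src_net):
            continue
        if ip_address(flow.dst) not in ip_network(dst_net):
            continue
        if dport is not None and dport != flow.dport:
            continue
        if proto is not None and proto != flow.proto:
            continue
        return action
    return "deny"

def ips_decision(flow, signatures=IPS_SIGNATURES):
    """Inspect the payload of a flow the firewall already allowed."""
    hits = [name for name, pat in signatures.items() if pat in flow.payload]
    return ("alert", hits) if hits else ("pass", [])

def perimeter_verdict(flow):
    """Layered evaluation: firewall first, then IPS on what got through."""
    if firewall_decision(flow) == "deny":
        return {"firewall": "deny", "ips": None, "hits": [], "final": "blocked"}
    state, hits = ips_decision(flow)
    final = "blocked" if state == "alert" else "allowed"
    return {"firewall": "allow", "ips": state, "hits": hits, "final": final}
```

A request to the public HTTPS rule passes the firewall regardless of its content; only the IPS layer distinguishes a benign request from one carrying a signature hit.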
Together these systems will help limit the risk and likelihood of an attacker walking through the front gate, but we can’t let our guard down just because we have them. Having these tools in place is one thing, but having the staff and policy to manage them is another. An important component of a truly secure architecture is having the right staff with the right expertise in place to manage it, from the personnel who configure the systems to those who monitor the systems’ output for security-related events. It’s a test of your architecture and team to tune everything if/when something gets through.
Designing the network security architecture is a task that will never truly be completed, because the network, the threats, and the security tools and processes all keep evolving.
In order to future-proof your design though, you must set a baseline for what you want to protect and then ensure that the design can scale over time. A common failure in designing the network architecture is trying to find the silver bullet that covers everything. The problem here is that the threats you face today may not be the ones you face tomorrow and your network today does not look the same as it will tomorrow.
Think of your network perimeter like a castle during medieval times. You allow people from the outside to see the walls, and you want to make sure you have multiple layers of defense set up behind them in case something fails. Like a medieval castle you have multiple layers of defense to stop an attacker and don’t rely on just walls to prevent attacks. That’s why castles had archers, high walls, big gates, people that dumped flaming hot tar on intruders below and my personal favorite, a moat filled with rabid alligators (if we could only find the cyber equivalent of a rabid alligator we’d all be safe on the internet). Even hundreds of years ago people understood the benefits of having security in layers, and it’s no different today in information security. Over the course of this blog series we'll examine some tips for improving the design of your network architecture for a more secure perimeter.
Hardening and Configuration
In this part of the architecture we need to concern ourselves with how we implement our network. It’s here that we start setting up our walls to prevent attackers from gaining access to our precious kingdom and pillaging our citizens (or users). One of the first areas we need to review is the front line – the systems that are actually in place to prevent unauthorized entry. These would be our routers, firewalls, load balancers, etc. Verify that these systems are running the latest and greatest updates and that the configuration on these devices is locked down to only the needed administrators. Since setting up a DMZ in your network is so important we’re going to dedicate an entire blog post just to that (so be patient).
Another thing that needs to be reviewed on these public-facing systems is whether they’re resilient enough under attack. Do you have these core, public-facing systems clustered so that an enemy can’t knock one down and leave you stranded? Just like our castle example, you never see a castle made of paper. They’re made of brick and stone to keep an enemy away, and we need to think of routers and firewalls the same way.
One way to limit risk on your perimeter-facing systems is to have a “golden image” of the systems already in place before they are sent out to the front line. If you’re using Apache as a web server there should be an image already created of this server that’s been vetted by your information security department. The same thing goes for networking equipment – does the router allow anyone to telnet to it from the outside (please say no)? Also, before putting a system out on the internet make sure that it’s running all the needed security patches, and add these to your “golden image”. Simple things like these suggestions can stop you from being owned. Now that we’ve taken this step, it’s still possible we’ve missed something. Let’s see what others can make of our systems while they’re out on the perimeter trying to peer in.