Tips to Secure the LAN: A Look at the Application Layer
Now that we have the LAN locked down at the network layer, let’s try to get the application layer tied up a little bit. This is going to include apps that allow for tighter control over the workstations within our LAN. These apps can be either software installed on the user’s workstation or applications that sit between the workstations and the Internet and provide additional protection.
One thing that users hate in an organization is proxy/web filtering services. These are the systems that attempt to block all the “Cat Videos” that users are trying to click on repeatedly. This layer needs to be there to give Internet access some type of “cleansing” before the users attempt to reach the outside world. Once again, this isn’t bulletproof, but if it stops one incident from occurring it has paid for itself.
Patch, patch, patch, patch. I was going to leave it there, but maybe I need to explain a bit more. You need to patch everything, and you need to do it regularly on a repeatable basis. To be clear, I’m not talking about having all your workstations set to “Automatic Updates” either. If you’re patching your user workstations you need a process to deploy patches from a centralized console that allows for both scheduled and out-of-band patches. These aren’t just operating system patches either; this applies to all software. The biggest risk to your enterprise right now from a user’s perspective is third-party apps. You can have all the fancy firewalls in place, but if you have an old version of Java installed and a weaponized “Cat Video” link executes a payload through a Java vulnerability, you’re dead. Patch all workstations, patch all software on them, and patch often.
I’m going to make an assumption here and assume that you’re using a Windows-based system in a corporate network. I’m sure there’ll be many people upset that I didn’t bring in Linux or Apple (be quiet, fanboys), but I wanted to go with the most prevalent user workstation out there, Windows. If you’re running a Windows domain within your infrastructure you should be relying heavily on Group Policy (GPO) to harden the workstations that report to it. It’s here that you need to create policy for each system reporting to it: a password policy, enabling host firewalls, limiting administrator access, limiting the ability to insert USB drives, enabling UAC, etc. This is where the war is going to take place, so lock down those systems as best you can. Now, if you have Macs or Linux boxes on a Windows domain you can still push policy to them with third-party software. Something to take a look at.
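As an added example (not code from the original post), here is a PowerShell audit that checks a single workstation for the baseline settings the paragraph above says should be pushed by GPO: UAC, host firewall profiles, USB mass storage, local administrator membership and minimum password length. The allowed-admin list and the 12-character threshold are assumptions for the example; run it in an elevated PowerShell 5.1+ session on Windows 10/11.

```powershell
# Added example, not from the original post: report which GPO-driven
# hardening settings are missing on this workstation.
# Assumptions: allowed admin members and a 12-character minimum are placeholders.

function Get-WorkstationHardeningReport {
    $findings = @()

    # UAC: EnableLUA=1 means User Account Control is turned on.
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($uac.EnableLUA -ne 1) { $findings += 'UAC is disabled (EnableLUA != 1)' }

    # Host firewall: the Domain, Private and Public profiles should all be enabled.
    foreach ($p in Get-NetFirewallProfile) {
        if ("$($p.Enabled)" -ne 'True') {
            $findings += "Firewall profile '$($p.Name)' is not enabled"
        }
    }

    # Removable storage: Start=4 on the USBSTOR service disables the USB mass-storage driver.
    $usb = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start
    if ($usb.Start -ne 4) { $findings += 'USB mass storage driver is enabled (USBSTOR Start != 4)' }

    # Local admin access: flag any member of Administrators outside the assumed allow-list.
    $allowed = @('Administrator', 'Domain Admins')   # assumption for this example
    $unexpected = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { ($_.Name -split '\\')[-1] -notin $allowed }
    foreach ($m in $unexpected) { $findings += "Unexpected local administrator: $($m.Name)" }

    # Password policy: read the effective minimum length from 'net accounts'.
    $line   = (net accounts | Select-String 'Minimum password length').Line
    $minLen = [int](($line -replace '.*:\s*', '').Trim())
    if ($minLen -lt 12) { $findings += "Minimum password length is $minLen (assumed floor: 12)" }

    return $findings
}

$report = Get-WorkstationHardeningReport
if ($report.Count -eq 0) {
    Write-Output 'All checked hardening settings are in place.'
} else {
    Write-Output "Hardening gaps on $env:COMPUTERNAME:"
    $report | ForEach-Object { Write-Output "  - $_" }
}
```

Each finding maps back to a GPO setting you can push from the domain controller, so the output doubles as a checklist for verifying that policy actually applied.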
Centrally pushing our anti-malware agents to each workstation is something that’s becoming less effective against persistent attackers, but it’s still a layer (see the pattern here)!! The key is to find an anti-malware vendor that has a decent rating (so few do these days) and make sure you have it installed on all systems. This can include a NAC, HIPS, AV, etc. client installed on the user workstation.