By: Brad MacKenzie, vCISO to Secured Managed Services at CISO Global
In Part III of this series, Brad MacKenzie describes two different network configurations and contrasts the disadvantages of the open network with the advantages of the compartmentalized network. He describes how the open network is an attacker’s paradise, whereas the compartmentalized network follows the Principle of Least Privilege and can limit a compromise from spreading through and infecting the whole environment.
7. Network Segmentation and Isolation: Contrasting Extremes
Imagine an unfortunately common network configuration in which every single device sits on one large internal network, with a firewall protecting it from direct inbound attacks from the Internet but allowing any traffic outbound. On this network every system can reach the management ports of the firewall, printers whose firmware hasn’t been updated in a decade, servers, and a myriad of other devices: IoT gear like cameras and thermostats, embedded systems, and lab machines that can’t be patched on any regular schedule. On top of that, every user’s desktop can talk to every other desktop and server in the organization, whether on-site or remotely connected over a VPN. A hack or infection in this environment gives an attacker a myriad of attack paths across the entire environment, plus unfettered Internet access for reporting back to “Command and Control” (C2) servers. This is literally an attacker’s paradise.
Conversely, imagine the opposite extreme, a “compartmentalized” network, which is a good standard to strive for in the future. This network would look something like this:
- Devices with management ports are put on an isolated management network that can only be contacted by people that manage the devices
- Embedded devices like cameras and thermostats are separated onto their own network with strict rules that allow management and software updates only. They are not trusted and, therefore, have no need to communicate with any business resources.
- Servers have no outbound access to the Internet except to the specific sites needed for updates, and user systems can connect to them only in the manner needed for business. If users need to access a web application, then all other access is blocked except to that specific web service. Access to other ports, such as the Remote Desktop Protocol (RDP) port, is unnecessary for normal users and is blocked.
- User systems can browse the Internet but cannot contact any other internal systems apart from the specific servers and services needed for that job role. Access to services and servers is limited as much as possible; e.g., a finance user doesn’t have access to Engineering data.
- The firewall filters all traffic, brokers all inbound and outbound traffic, and blocks communications to known bad sites and countries where business is not conducted.
- A VPN user only gets access to the specific resources needed for the role, not every system on the network.
In the above scenario, which is essentially based on the “Principle of Least Privilege”, an infection on a user’s system has limited ability to spread within the organization, has no easy targets, and any “phone home” communications will hopefully be blocked at the firewall. It is possible the entire attack is essentially stifled before it escalates. Proper logging and SIEM configuration would be sending many serious alerts very early on!
Unfortunately, the second ‘compartmentalized’ scenario is rare, because network architecture evolves, or devolves, over time until it is simply an inherited system that is too difficult, or too costly, to change while it’s working well enough. If your network looks more like the first ‘open’ scenario, please consider steps to move towards the second. Quick wins can be made by creating a management network and isolating vulnerable management interfaces, and by isolating embedded systems and systems that can’t be patched, protecting them with strict firewall rules. The next step is to create functional subnets for servers and users. These networks can be subdivided by role: Finance and HR are separated from IT and Development. Similarly, firewalls on endpoints can be programmatically configured, e.g. via a GPO, to allow endpoint traffic only to required servers and not to every other system in the environment. Server networks can be divided into web/application servers, API services, data warehouses, and backend services. This model prevents a compromise at one layer from spreading to the whole environment.
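To make the contrast between the two extremes concrete, the following added example (written for this page, not code from the original article or from the author) models both the ‘open’ network and the ‘compartmentalized’ network above as zone-to-zone allowlists with a default deny, then measures what a compromised finance desktop could still reach under each policy. The address plan, zone names, the approved update host and the probe ports are all constructed assumptions for the illustration.

```python
"""Zone-based segmentation policy model: open vs compartmentalized.

Added illustration; the address plan, zone names and ports are constructed
sample values, not taken from any real environment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan (assumption for the example).
ZONES = {
    "users_finance": ip_network("10.10.1.0/24"),
    "users_eng":     ip_network("10.10.2.0/24"),
    "vpn_users":     ip_network("10.10.9.0/24"),
    "admin_ws":      ip_network("10.15.0.0/24"),     # workstations of device admins
    "mgmt":          ip_network("10.20.0.0/24"),     # firewall/printer/switch mgmt ports
    "iot":           ip_network("10.30.0.0/24"),     # cameras, thermostats, lab gear
    "web_app":       ip_network("10.40.1.0/24"),
    "finance_srv":   ip_network("10.40.2.0/24"),
    "eng_srv":       ip_network("10.40.3.0/24"),
    "update_site":   ip_network("203.0.113.10/32"),  # approved vendor update host
    "internet":      ip_network("0.0.0.0/0"),        # catch-all for everything else
}
INTERNAL = [z for z in ZONES if z not in ("internet", "update_site")]
PROBE_PORTS = (22, 80, 443, 3389, 9100)  # SSH, HTTP, HTTPS, RDP, raw printer port


@dataclass(frozen=True)
class Rule:
    """An allow rule between two zones; ports=None means any port."""
    src: str
    dst: str
    ports: Optional[frozenset] = None


def zone_of(ip: str) -> str:
    """Classify an address by longest matching prefix (0.0.0.0/0 is last resort)."""
    addr = ip_address(ip)
    name, _ = max(ZONES.items(),
                  key=lambda kv: kv[1].prefixlen if addr in kv[1] else -1)
    return name


def is_allowed(policy, src_ip: str, dst_ip: str, port: int) -> bool:
    """Default deny: a flow passes only if some allow rule matches it."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    return any(r.src == s and r.dst == d and (r.ports is None or port in r.ports)
               for r in policy)


def open_policy():
    """The flat network: every internal host reaches every zone on any port
    (including the Internet); only inbound from the Internet is blocked."""
    return [Rule(s, d) for s in INTERNAL for d in ZONES]


WEB = frozenset({443})
ADMIN = frozenset({22, 443})
BROWSE = frozenset({80, 443})

# The compartmentalized network: each zone gets only what its role needs.
COMPARTMENTALIZED_POLICY = [
    Rule("admin_ws", "mgmt", ADMIN),          # only device admins reach mgmt ports
    Rule("admin_ws", "iot", ADMIN),           # IoT is managed but never trusted
    Rule("iot", "update_site", WEB),          # IoT may only fetch firmware updates
    Rule("web_app", "update_site", WEB),      # servers: no Internet except updates
    Rule("finance_srv", "update_site", WEB),
    Rule("eng_srv", "update_site", WEB),
    Rule("web_app", "finance_srv", WEB),      # app tier to back end, one port only
    Rule("users_finance", "web_app", WEB),    # users reach the web service, not RDP
    Rule("users_finance", "finance_srv", WEB),
    Rule("users_eng", "web_app", WEB),
    Rule("users_eng", "eng_srv", ADMIN),      # engineers, not finance, reach eng data
    Rule("users_finance", "internet", BROWSE),
    Rule("users_eng", "internet", BROWSE),
    Rule("vpn_users", "web_app", WEB),        # remote users: one app, not the LAN
]


def reachable_from(policy, src_ip: str, probe_ports=PROBE_PORTS):
    """(zone, port) pairs a compromised host at src_ip could still talk to:
    the attacker's lateral-movement surface under this policy."""
    found = set()
    for zone, net in ZONES.items():
        # One representative target per zone; 198.51.100.7 stands in for "somewhere
        # on the Internet" (constructed documentation address).
        target = "198.51.100.7" if zone == "internet" else str(
            net[1] if net.num_addresses > 1 else net[0])
        for port in probe_ports:
            if is_allowed(policy, src_ip, target, port):
                found.add((zone, port))
    return sorted(found)


def blast_radius(policy, src_ip: str) -> int:
    """Size of the reachable surface; smaller means less room to spread."""
    return len(reachable_from(policy, src_ip))


if __name__ == "__main__":
    victim = "10.10.1.25"  # constructed: an infected finance desktop
    for name, pol in (("open", open_policy()),
                      ("compartmentalized", COMPARTMENTALIZED_POLICY)):
        print(f"{name:18s} {blast_radius(pol, victim):3d} reachable (zone, port) pairs")
    print("compartmentalized surface:", reachable_from(COMPARTMENTALIZED_POLICY, victim))
```

Run as a script, the same infected finance desktop can reach every zone on every probed port under the open policy, but only the finance web application, the finance back end and web browsing under the compartmentalized one; management ports, IoT devices, engineering servers and RDP are all unreachable, and servers themselves cannot reach anything on the Internet except the approved update host. The same allowlist structure is what an endpoint firewall policy pushed by GPO, or a zone-based firewall rule set, expresses in its own syntax.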
As this contrast shows, moving from an open to a compartmentalized configuration is not without its challenges, but it’s well worth it for network managers to take steps to implement these best practices and make their environments more resilient to the devastating effects of cyberattacks. In Part IV of this series, we examine proactive steps IT managers can take to harden their systems by conducting threat hunts, establishing security awareness training, and creating an effective incident response plan.
Brad MacKenzie is a highly experienced cybersecurity practitioner who serves as vCISO to Secured Management Services at Cerberus Sentinel, a rapidly growing, global cybersecurity and compliance provider.