by Perry Lynch
Defending network boundaries is an increasingly complicated and difficult task. Cloud services, remote access, and mobile devices make it hard to identify exactly where a network's boundary lies. CIS Control #12, which deals with the defense of network boundaries, is correspondingly complex. It pays to remember that boundary protection isn't just a matter of securing the front lines; it is also a major component of a layered defense strategy.
Managing the task
Securing the boundaries means paying attention to new threats and attack methods and evaluating them against the needs of the business. Achieving a balance between effective security and user needs requires frequent risk analysis and constant communication with upper management. That groundwork makes it possible to enforce an effective and realistic security plan that supports the business needs of your network.
A well-structured network architecture includes not just a DMZ for the limited number of Internet-facing systems, but also specific security zones for internal servers, systems management workstations, and other business-critical systems or applications.
Network scanning is necessary to make sure no one makes an end run around the proxy. Such attempts might come from malware or from impatient users trying to circumvent the rules. Unauthorized VPN connections can send encrypted traffic through the proxy and present a security risk even when their purpose is relatively innocent.
Decryption of network traffic should take place at the proxy level. That lets the proxy apply application-level security on top of IP and port filtering. The proxy will use whitelisting or blacklisting to prevent connections to malicious servers. Whitelisting is safer, but it's difficult to maintain a complete list of approved domains and IP addresses without constantly adding to it. Blacklisting requires constant updating from services that list rogue addresses.
Both inbound and outbound traffic need filtering. Only ports and protocols that are considered mission-critical should be permitted outbound through the firewall. Additionally, blocking access to known malicious domains will defeat many phishing attempts. If malware can't reach a command and control server, it becomes far less effective and easier to eliminate.
Intrusion prevention and detection
Preventing unauthorized activities and catching them as they happen are crucial to boundary protection. The Intrusion Detection/Prevention Systems (IDS/IPS) should be configured to alert on, and where possible stop, the majority of attempts by catching suspicious traffic. Signature-based detection is the traditional approach, but sandboxing and other methods can supplement it to detect zero-day attacks.
Monitoring should record the headers of any suspicious packets, if not the whole packet. This information is valuable for event monitoring, so that the source of the problem (external or internal) can be identified. Analytics run on this information can turn up patterns that are too subtle to detect from a small sample.
Malicious traffic can piggyback on all kinds of protocols to escape notice. For instance, if large numbers of senseless DNS requests are being sent out, they may cloak communication with a hostile server. For this reason, DNS queries should only be permitted to trusted external servers, many of which can provide filtering services that further limit the ability to introduce malware to the network.
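The "senseless DNS requests" pattern above is detectable from resolver logs: a single client issuing many queries to one zone where nearly every query carries a different, random-looking subdomain. The following is an added example, not code from the original post; the log line format ("client qname qtype"), the sample entries and the thresholds are assumptions to be tuned against your own resolver's output and baseline.

```python
import hashlib
import math
import re
from collections import defaultdict

# Constructed sample resolver log, one query per line: "<client_ip> <qname> <qtype>".
# The format is hypothetical; adjust LINE_RE to what your resolver actually emits.
NORMAL_LINES = [
    "10.0.0.5 www.example.com A", "10.0.0.5 mail.example.com MX",
    "10.0.0.5 cdn.example.org A", "10.0.0.7 www.example.com A",
]
# Positive case: one client sends 40 never-repeated, random-looking labels under one zone.
TUNNEL_LINES = [
    f"10.0.0.9 {hashlib.sha256(str(i).encode()).hexdigest()[:32]}.exfil.example TXT"
    for i in range(40)
]
SAMPLE_LOG = "\n".join(NORMAL_LINES + TUNNEL_LINES)
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+\S+$")

def registered_domain(qname):
    # Naive "last two labels" zone cut; use a public-suffix list in production.
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def shannon_entropy(text):
    # Bits per character: a hostname like "mail" scores 2.0, a 32-char hex label about 3.6.
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def flag_suspicious_zones(log_text, min_queries=20, min_unique_ratio=0.9, min_entropy=3.0):
    """Return {(client, zone): stats} for client/zone pairs with many queries, almost
    all carrying a distinct subdomain whose labels look random rather than like names."""
    per_pair = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip malformed lines rather than crash on them
            client, qname = m.group(1), m.group(2).lower().rstrip(".")
            per_pair[(client, registered_domain(qname))].append(qname)
    flagged = {}
    for (client, zone), names in per_pair.items():
        prefixes = [n[: -len(zone) - 1] for n in names if n != zone]
        if len(names) < min_queries or not prefixes:
            continue
        unique_ratio = len(set(prefixes)) / len(names)
        avg_entropy = sum(shannon_entropy(p) for p in prefixes) / len(prefixes)
        if unique_ratio >= min_unique_ratio and avg_entropy >= min_entropy:
            flagged[(client, zone)] = {"queries": len(names), "unique_ratio": unique_ratio,
                                       "avg_entropy": round(avg_entropy, 2)}
    return flagged
```

Legitimate services such as CDNs and anti-spam lookups can also produce many distinct subdomains, so treat a hit as a lead for the analyst rather than an automatic block, and allowlist known-good zones after review.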
Security would be simpler if the entire network were physically behind the router and firewall. However, most businesses find that allowing remote access increases productivity and improves employee satisfaction. IT management generally has less control over these remote devices.
The CIS control recommends requiring all remote access to use two-factor authentication for logins. If those devices fall into the wrong hands or if someone steals the password, an additional factor such as a token or a text message makes it harder for the thief to take advantage of the compromised credential.
If the business lends devices for use outside the office, it should set up remote device management for them. This will ensure they stay up to date on patches and have a secure configuration. In the case of cell phones and other smart devices, it should include remote wiping. BYOD devices should meet company-set security standards before getting access.
Business partners that connect to the network can be a serious risk if they don't observe high security standards. The business needs to specify security standards that connected partners have to meet, and then monitor their access.