Co-authors: SureCloud’s Managing Cybersecurity Consultant Chris Hembrow and Senior Cybersecurity Consultant Nick Spencer.
Segmentation is the practice of dividing or separating something into different parts or sections. In the case of IT systems, this typically involves splitting a network into sub-networks, where each one is a separate network segment. Segmented networks can then be isolated from each other, increasing the security of the network. This series of blog posts will describe the different types of segmentation, the benefits of each, and applicable controls to maximize the security they provide.
So far in this series, we have reviewed controls to protect against attacks from outside the corporate network, or from attackers with direct access to corporate networks. This final article reviews controls aimed at protecting against threats from wirelessly connected devices.
Wireless networks provide a convenient method of allowing computers to connect to a network, but unfortunately, this very convenience makes it easier for unauthorized or inappropriate devices to connect unless suitable controls are implemented. The very nature of wireless technologies also means that an attacker might not need physical access to an office or other environment, and potentially might not even need to be in close proximity, to be able to connect to the network. This article discusses controls for three common categories of wireless devices: corporate devices, employee-owned (BYOD) devices, and guest devices.
Corporate devices are those provided by an organization, and are usually configured with appropriate security and management tools. Because of this, they are the most trusted devices, and as such are often allowed to make the same connections via the wireless network as when physically connected to the network. As a result, steps should be taken to ensure that only approved and trusted corporate devices can connect via any high-access wireless network. The connection should identify the connecting device, ideally using a centrally managed and controlled mechanism such as a domain-issued computer certificate, to prevent unknown or unapproved devices from connecting. Optionally, the connection authentication could also confirm the user of the device, to ensure that they are an approved organization user and not an attacker using a stolen or otherwise compromised device. Once connected to the wireless network, devices should be isolated from each other to prevent cross-device exposure or compromise, and all connections should use the strongest encryption available to prevent eavesdropping.
Allowing uncontrolled and unmanaged devices to have full access to the corporate network, without any restrictions or without verifying the state of the device, could lead to a malware infection being introduced onto the network, or provide an attacker with access to the network through a compromised device. Bring Your Own Device (BYOD) provides a particular challenge, namely, how to allow unknown and untrusted devices to connect to the corporate network without impacting the security of that network. These types of devices typically belong to an organization’s employees, who are subject to corporate policy and standards, and where there is a level of trust in place. This trust does not, however, signify that their devices are sufficiently secured to be permitted to join the network; it only suggests that the intent of the user is known and non-malicious.
All BYOD devices which connect to a corporate network should do so via a dedicated, segregated, and authenticated connection. The authentication should occur at the network layer during the initial connection, not after connection; this will permit the use of encrypted connections and help to prevent eavesdropping. Protocols such as WPA2-Enterprise can be configured to require users to authenticate using RADIUS or equivalent, rather than via an unencrypted, open connection and web form authentication, or a shared password or key. To further enhance the authentication, Multi-Factor Authentication could be used to mitigate against attacks from compromised user credentials.
Devices such as smartphones and tablets should be placed in a further restricted network which permits access to only the services which are appropriate to these devices. This might allow access to an Intranet and proxied Internet access, but not to systems which would not typically be used by these types of devices such as file servers.
Employee-owned laptops, if permitted, should only be allowed to connect after the IT and/or IT Security department confirms that appropriate protections such as anti-virus are present, and that devices are patched and updated to a suitable level. This could alternatively be managed as part of the connection itself with systems such as Network Access Control which can interrogate the devices; this could place the devices in a restricted network if the security level is not appropriate, allowing them to be remediated before allowing a full connection.
As with corporate wireless, devices connecting to the BYOD wireless network should be isolated from each other to prevent cross-device issues.
As discussed in the first article, unknown or untrusted “guest” wireless devices should be isolated completely from the corporate network. This could provide guests with access to external systems such as the Internet, or allow them to connect to their own VPN, while protecting the corporate network from possible compromise by these devices. The difference between a “guest” or unknown device and a BYOD device is that the owner or user of a guest device is typically unknown to the organization; there would be no contractual or other obligations in place governing their conduct on any organization network. The Cisco BYOD Design Guide states:
“Guest wireless traffic from the campus or a branch location is configured to be auto-anchored (tunneled via Ethernet-over-IP or CAPWAP) from the internal wireless controllers to the guest wireless controller. This may provide a somewhat higher level of security, in that guest wireless devices are not terminated on the “inside” of the corporate network. This is often desirable from a customer perspective because the security posture of guest devices cannot be determined.”
To achieve this, a dedicated Wireless LAN Controller or similar can be placed inside a dedicated, isolated DMZ segment. Traffic would be tunneled from the wireless access points through internal Wireless LAN Controllers, and on to the Guest controller before finally exiting the network. This efficiently segregates the traffic from the corporate network as it transitions to the exit point, without requiring additional access points.
Guest access should also require users to authenticate, either during the connection itself or after connection via a web form. This could be using temporary credentials provided to the guest on request, which would provide a level of accountability to any actions conducted by connected devices, and also discourage potential misuse by guests.
Once again, devices connecting to the Guest wireless network should be isolated from each other, to prevent cross-device issues.
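The three tiers described above (corporate devices identified by a domain-issued certificate, BYOD devices authenticated with user credentials plus MFA and sorted by device type and posture, and guests admitted on a temporary voucher into an isolated segment) can be expressed as a single authorization policy. The following is an added example, not SureCloud's code or any vendor's product logic: it models the decision a RADIUS server makes after 802.1X/EAP authentication succeeds, mapping what is known about the client to a VLAN and returning the RFC 3580 tunnel attributes a wireless controller uses for dynamic VLAN assignment. The SSID names, VLAN numbers, issuer name, patch-age threshold and request fields are all assumptions chosen for illustration.

```python
"""Authorization policy for the corporate / BYOD / guest wireless tiers.

Added example (not SureCloud's or any vendor's code). It models the step a
RADIUS server performs once EAP authentication has succeeded: decide which
segment a client belongs in and emit the RFC 3580 attributes for dynamic
VLAN assignment. All VLAN IDs, names and thresholds below are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed segment layout (illustrative VLAN IDs).
VLAN_CORPORATE = 100     # same access as the wired corporate LAN
VLAN_BYOD_LAPTOP = 200   # employee laptops that passed posture checks
VLAN_BYOD_MOBILE = 210   # phones/tablets: intranet and proxied Internet only
VLAN_REMEDIATION = 290   # laptops that failed posture: patch/AV sources only
VLAN_GUEST = 900         # anchored in the DMZ, Internet/VPN egress only

DOMAIN_CA = "CN=Example Corp Issuing CA"  # assumed issuer of computer certs
MAX_PATCH_AGE = timedelta(days=30)         # assumed patch-currency threshold


@dataclass
class AccessRequest:
    """What the authenticator learns about a connecting client (assumed fields)."""
    ssid: str                                  # "corp", "byod" or "guest"
    device_cert_issuer: Optional[str] = None   # issuer of the EAP-TLS client cert
    device_cert_expires: Optional[date] = None
    user_authenticated: bool = False           # RADIUS user credential accepted
    mfa_passed: bool = False
    device_type: str = "unknown"               # "laptop", "phone", "tablet", ...
    posture_av_running: Optional[bool] = None  # NAC posture result, if collected
    posture_last_patch: Optional[date] = None
    guest_voucher_valid: bool = False          # temporary credential issued to guest


@dataclass
class Decision:
    accept: bool
    vlan: Optional[int] = None
    reason: str = ""

    def radius_attributes(self) -> dict:
        """RFC 3580 dynamic-VLAN attributes: Tunnel-Type 13 = VLAN,
        Tunnel-Medium-Type 6 = IEEE 802. Empty on reject (Access-Reject)."""
        if not self.accept:
            return {}
        return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
                "Tunnel-Private-Group-ID": str(self.vlan)}


def _has_valid_domain_cert(req: AccessRequest, today: date) -> bool:
    # Only a certificate from the organisation's own CA identifies a corporate device.
    return (req.device_cert_issuer == DOMAIN_CA
            and req.device_cert_expires is not None
            and req.device_cert_expires >= today)


def _posture_ok(req: AccessRequest, today: date) -> bool:
    # Posture is only trusted when the NAC agent actually reported it.
    return (req.posture_av_running is True
            and req.posture_last_patch is not None
            and today - req.posture_last_patch <= MAX_PATCH_AGE)


def authorize(req: AccessRequest, today: Optional[date] = None) -> Decision:
    """Map a request to a segment; every tier is fail-closed."""
    today = today or date.today()
    if req.ssid == "corp":
        if not _has_valid_domain_cert(req, today):
            return Decision(False, reason="corporate SSID requires a valid domain-issued device certificate")
        # Confirming the user as well blocks use of a stolen but enrolled device.
        if not req.user_authenticated:
            return Decision(False, reason="user identity not confirmed")
        return Decision(True, VLAN_CORPORATE, "trusted corporate device")
    if req.ssid == "byod":
        if not (req.user_authenticated and req.mfa_passed):
            return Decision(False, reason="BYOD requires user credentials plus MFA")
        if req.device_type in ("phone", "tablet"):
            return Decision(True, VLAN_BYOD_MOBILE, "mobile device: restricted services only")
        if req.device_type == "laptop":
            if _posture_ok(req, today):
                return Decision(True, VLAN_BYOD_LAPTOP, "laptop passed posture check")
            return Decision(True, VLAN_REMEDIATION, "laptop failed posture: remediation network")
        return Decision(False, reason="device type not permitted on BYOD network")
    if req.ssid == "guest":
        if not req.guest_voucher_valid:
            return Decision(False, reason="guest access requires a temporary voucher")
        return Decision(True, VLAN_GUEST, "guest: isolated DMZ egress only")
    return Decision(False, reason=f"unknown SSID {req.ssid!r}")
```

Two design points carry over from the article: a laptop that fails posture is not rejected but steered into a remediation segment so it can be patched before full access, and a certificate from any issuer other than the domain CA is treated as no certificate at all, so a device that merely presents some client certificate cannot reach the corporate segment. Per-client isolation within each segment is a controller setting rather than a RADIUS attribute, so it is not modelled here.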
I will be hosting a webinar about network segmentation, where I will cover some of the key topics in the blog series as well as engaging with some interactive poll questions. This webcast is coming soon; enter your details into the pop-up form and I will email the details when they are available.
SureCloud is a provider of cloud-based cybersecurity services and Integrated Risk Management products, which reinvent the way you manage risk.
SureCloud also offers a wide range of Cybersecurity testing and assurance services, where we stay with you throughout the entire test life-cycle from scoping through to vulnerability discovery and remediation. Certified by the National Cyber Security Centre (NCSC) & CREST and delivered using the innovative Pentest-as-a-Service (underpinned by a highly configurable technology platform), SureCloud acts as an extension of your in-house security team and ensures you have everything you need to improve your risk posture.