Co-authors: SureCloud’s Managing Cybersecurity Consultant Chris Hembrow and Senior Cybersecurity Consultant Nick Spencer.
As we discussed in Part 1 of our Network Segmentation Guide, segmentation within IT is the process of splitting a network into sub-networks. These sub-networks are isolated from each other, which increases the security of the overall network. In this instalment, we will explain how you can afford your network more protection against attackers with direct access to the network using segmentation and network management tools.
Segmentation of Local Area Networks (LAN)
In the previous article, we examined the threats and controls from an attacker across a disparate Wide Area Network (WAN). This article will review the controls to protect against an attacker with direct access to an Organization’s local corporate network.
After an attacker gains access to a network, they will typically attempt to “pivot” from their initial foothold system into the wider network, looking for additional targets to compromise. The original compromise could have entered the network from an end user’s computer after a social-engineering scam had convinced them to run a malicious file or click a malicious link in an email or web page. Alternatively, an attacker could gain access directly via a remote network exploit or through physical access to the network.
By extending their access through the network, the attacker can gain more access to data and further entrench themselves in the network, which makes it harder to locate and remove all their access. A low-privileged compromise originating with only one system can escalate if an attacker is able to seek out other vulnerable systems as a stepping stone to accessing higher-level privileges. These vulnerable systems could potentially be located in other offices or even countries.
For example, from an initial exploit running as a standard user obtained through phishing, an attacker might be able to locate and exploit a system missing the MS17-010 EternalBlue update to obtain system-level access and extract other users’ credentials from memory. Likewise, malware that executes on a system will typically attempt to propagate throughout the network to infect other systems.
Flat Network LAN Vulnerabilities
Often, corporate networks are based on flat networks, where all systems can connect to all others, with only system or application-level access control in place for security. There may be some segmented elements, such as for PCI-DSS, but these are usually very limited in scope.
By running a flat network, the “attack surface” for an intruder is much larger than with a segmented network, and there is a greater chance that they will be able to locate a vulnerable system that they can exploit.
A flat network could allow unauthorised and malicious access to systems from unintended locations, such as accessing a database system directly from a contact centre workstation or permitting access to management protocols on Domain Controllers. Although these targets will likely have some authentication in place, any missing patches or “zero-day” vulnerabilities would allow a compromise; SureCloud often utilises unpatched vulnerabilities such as MS17-010 EternalBlue to gain access to a system to provide an initial foothold on the network.
The Principle of Least Privilege
The principle of Least Privilege must apply to networks and the applications on those networks so that only approved and authorised systems or devices can communicate with each other. This will help to both minimise unauthorised access to systems and prevent attackers from “pivoting” across the network into other systems. It will also help to contain malware outbreaks.
“Proper network segmentation is a very effective security mechanism to prevent an intruder from propagating exploits or laterally moving around an internal network. On a poorly segmented network, intruders can extend their impact to control critical devices or gain access to sensitive data and intellectual property. Security architects must consider the overall infrastructure layout, segmentation, and segregation. Segregation separates network segments based on role and functionality. A securely segregated network can contain malicious occurrences, reducing the impact from intruders, if they have gained a foothold somewhere inside the network.”
To achieve Least Privilege, you need to break down the internal network into “trust domains,” configured only to allow access from approved sources. As is the case in our previous examples, access to the database systems should be controlled so that only the approved applications can connect to them over the network, rather than end-users being able to connect directly. Controlling this at the network layer and not just the application layer ensures that any weak authentication or system vulnerabilities cannot be exploited from the end-user networks.
Securing Access to Administrative and Management Services
Management and administration services used by system administrators, such as Remote Desktop Protocol (RDP) or Secure Shell (SSH), and those which often permit highly elevated access, should be restricted to a limited occupancy network used exclusively for administrator workstations.
Allowing access to administrative services from general-purpose or unrestricted networks could allow attackers to compromise these sensitive services, thereby leading to a more significant compromise.
Without segregating access to these services, an attacker could access them from any compromised workstation or physically accessible network port on the corporate network, potentially even from remote offices. The attacker would then be able to focus their efforts on compromising these systems and gaining further access to other systems. They could then remove evidence of their presence or deploy a persistent, privileged “backdoor” from which to regain access to the network later or remotely. These attacks would not necessarily require an attacker to have legitimate administrator credentials either, as they may be able to compromise unpatched systems or systems with “zero-day” vulnerabilities. Limiting access to these services to segregated and controlled networks, and then only for the necessary protocols, would significantly limit the scope of such attacks.
It is also vital to ensure that access to the administrator network is restricted. Without this restriction, although an attacker on a non-privileged network may not be able to target administrative services directly, they could attempt to compromise an administrator’s system and gain access to sensitive systems.
SureCloud Penetration Testing
During penetration testing, SureCloud has exploited weaknesses such as those mentioned above to gain access to production systems, which are sometimes even housed in remote locations and accessed via VPN.
From the Cisco SAFE Reference Guide:
“Use access-class ACLs to control the sources from which sessions are going to be permitted. The source is typically the subnet where administrators reside. Use extended ACLs when available and indicate the allowed protocols.
“Although this is specific to network devices, the same principle should be applied to all administrative systems. At a minimum, server access should be segregated from user networks, and management traffic should be restricted to authorized management networks/devices.
“Although VLANs provide a mechanism to segment “trust domains,” they are insufficient by themselves to prevent access, because routing devices are designed primarily to allow traffic to traverse between VLANs. They should be coupled with a mechanism designed explicitly to restrict the traffic that is permitted between the VLANs.
“For best VLAN security, the segregation should be provided by firewalls rather than using Access Control Lists (ACLs); because firewalls are stateful devices they are better able to permit only authorized traffic, and as such can perform packet inspection to inspect the content of traffic for possible attacks. VLANs with ACLs should be used only where firewalls are not feasible, as they act principally on the routing mechanism; firewalls are designed primarily to block traffic, whereas routers and switches are designed fundamentally to allow traffic to flow between systems. Without adequate VLAN security, techniques such as VLAN Hopping can provide an attacker unauthorized access to VLANs; this can be achieved by leveraging poor configuration or misconfiguration, through techniques such as “Double-tagging” and using readily available tools such as “Frogger.” If VLANs are routable, without any access restrictions, it may not even be necessary for an attacker to use such tools to gain access; modifying the standard routing configuration on the attack system might be enough to provide access to unintended network segments.
“Private VLANs are an extension of standard VLANs which place each system into its own isolated VLAN, which is only permitted to communicate with an approved set of services. This applies a level of segregation that should make it very difficult for either an attacker or malware to spread throughout a network, particularly for end-user networks. Ordinarily, a system on a given VLAN would have unrestricted communication to other systems on the same VLAN, which is prevented with Private VLANs.”
The table below illustrates examples of different LAN trust domains and the suggested access groups which can connect to them. The Suggested Access Groups should still be restricted to approved and necessary services and ports.
Table 1 – LAN Network Groups
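An added example (not from the article or SureCloud) of checking observed network flows against a trust-domain policy of the kind the table describes: each flow is mapped to a source and destination trust domain and flagged where the pair is not an approved access group. The subnets, trust-domain names, ports and the `src=... dst=...` record format are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed trust domains with illustrative RFC 1918 ranges (not from the article).
TRUST_DOMAINS: Dict[str, ipaddress.IPv4Network] = {
    "user_workstations": ipaddress.ip_network("10.10.0.0/16"),
    "contact_centre": ipaddress.ip_network("10.20.0.0/16"),
    "admin_workstations": ipaddress.ip_network("10.99.0.0/24"),
    "app_servers": ipaddress.ip_network("10.50.1.0/24"),
    "database_servers": ipaddress.ip_network("10.50.2.0/24"),
    "domain_controllers": ipaddress.ip_network("10.50.3.0/24"),
}
# Least-privilege policy as (source domain, destination domain, protocol, port).
# Anything not listed is a violation: databases are reachable only from the app
# tier and from admin hosts, and RDP to domain controllers only from admin hosts.
ALLOWED = {
    ("app_servers", "database_servers", "tcp", 1433),
    ("admin_workstations", "database_servers", "tcp", 22),
    ("admin_workstations", "domain_controllers", "tcp", 3389),
    ("user_workstations", "app_servers", "tcp", 443),
    ("contact_centre", "app_servers", "tcp", 443),
    ("user_workstations", "domain_controllers", "tcp", 389),
}

def domain_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in TRUST_DOMAINS.items():
        if addr in net:
            return name
    return "unknown"

def parse_flow(line: str) -> Tuple[str, str, str, int]:
    """Parse a 'src=IP dst=IP proto=tcp dport=N' record (constructed format)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], fields["proto"].lower(), int(fields["dport"])

def audit(flows: List[str]) -> List[Tuple[str, str, str, int, str]]:
    """Classify each flow as 'permitted' or 'violation' against the policy."""
    results = []
    for line in flows:
        src, dst, proto, port = parse_flow(line)
        key = (domain_of(src), domain_of(dst), proto, port)
        results.append(key + ("permitted" if key in ALLOWED else "violation",))
    return results

# Constructed sample flows, as exported from a firewall or NetFlow collector.
SAMPLE_FLOWS = [
    "src=10.50.1.10 dst=10.50.2.5 proto=tcp dport=1433",  # app tier -> DB: expected
    "src=10.20.4.77 dst=10.50.2.5 proto=tcp dport=1433",  # contact centre -> DB direct
    "src=10.10.8.3 dst=10.50.3.1 proto=tcp dport=3389",   # user -> DC RDP: admin-only
    "src=10.99.0.12 dst=10.50.3.1 proto=tcp dport=3389",  # admin -> DC RDP: expected
]
```

Each "violation" row is a flow that a flat network permits but a segmented one should block at the network layer, regardless of whether the destination's own authentication would have held.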
Network Access Control (NAC)
Network Access Control (NAC) is a technology designed to ensure a defined security policy is applied to the devices connecting to the network.
By restricting the availability of network resources to endpoint devices that do not comply with a defined security policy, the first layer of protection is applied at a network connection level. NAC systems are designed to operate at the point of connection and can be configured to protect both wired and wireless networks. In both cases, the NAC system applies port controls so that the only communication initially available to a connecting device is for the protocols required to communicate with the NAC service. Modern NAC systems attempt to unify authentication with endpoint security using the 802.1X standard.
Authentication checks, such as the presence of a valid computer or user certificate issued by the Active Directory domain, or computer or user membership of an Active Directory domain group, provide an initial level of assurance as to the identity of the connecting user and device. These can be combined with posture checking routines. Examples of these routines include checking for up-to-date antivirus definitions, security patches, enabled firewalls, or the presence of host-based intrusion prevention services. They ensure that devices meet a defined security threshold before being allowed access to the network. This posture checking service can also be used to ‘on-board’ devices, by placing non-compliant devices within a restricted ‘build’ DMZ network, with remediation services available to perform software updates, install or repair missing or broken antivirus, or deploy domain certificates to managed devices using Group Policy, etc. Following this remediation, the posture checking service would be satisfied, and the device automatically placed on the corporate network. Unknown devices should be put in a completely isolated network with no corporate access, although Internet access could be provided via public resources (including external DNS servers) to allow guest access.
Some devices, such as older printers and telephones, may not be capable of 802.1X authentication. They must, therefore, be considered exceptions to the NAC system. Many newer printers and telephones do support 802.1X authentication and are consequently preferable whenever possible.
If devices that cannot perform 802.1X are not correctly catered for and accounted for, the resulting exceptions are typically one of the most common routes to bypassing a NAC implementation.
For example, the network port that a printer is plugged into may have a port exception from NAC policy; then, an attacker simply needs to unplug the printer and use the network cable to gain access.
Another example would be a network port that carries two VLANs (one for the phone and one for client devices) and has an exception for the telephone MAC address in the NAC system to allow it to connect without enforcing control. An attacker simply needs to assume the MAC address of the telephone device to connect a rogue device to the network, bypassing the NAC system. If the two VLANs are routable, or if the DHCP system is not configured to detect the connected device type and issues an IP address on the end-user VLAN, the attacker would have full network access.
Devices unable to participate in the NAC implementation should be segregated into network segments that do not have wider access to the network. For example, a VLAN dedicated to telephone devices should be isolated from client devices and most servers. There will be some interaction required between the devices and other services on the network, such as the telephony services and potentially the Active Directory for integration, but access to the wider server and client networks should be restricted. This will significantly reduce the attack surface available to a rogue device that assumes the identity of a telephone or other device. Despite being relatively easy to bypass, MAC address filtering should still be enabled where possible. However, this could be restricted to checking the Organizationally Unique Identifier (OUI) part of the MAC, which identifies the vendor.
NAC and Dynamic VLANs
The recommended method to control network access for devices authenticating against the NAC is via dynamic VLANs, which ensures that devices and users are placed in an appropriate network VLAN when connecting. This removes the risk associated with NAC-disabled network ports, since all ports can be enabled for NAC. The connecting device is placed in an appropriate VLAN depending on the authentication, device type, and posture checking requirements. Administrative users would also be able to move around the network, maintain access to the administrative VLAN regardless of location, and potentially remove a ‘hot area’ where hardcoded administrative ports with access to administration networks are located. This also allows for validation that authorised administrative devices are appropriately configured and secured before connecting to the administration network.
Finally, dynamic VLANs ensure that a rogue device masquerading as another device, such as a telephone, would be placed within an appropriately restricted VLAN with minimal attack surface available.
While there may be some additional management overhead, AD Group membership can be used to allocate VLANs to supported devices such as workstations and even users, and Organizationally Unique Identifiers (OUIs) can be used for MAC address exemptions for similar devices (e.g., Avaya or Cisco telephones).
Devices that fail the NAC policy or the remediation process should be placed in an isolated VLAN and investigated. We recommend setting up alerts for NAC failures to ensure that all unauthorised attempts to access the network are dealt with in this way.
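An added example (not from the article or SureCloud) of the dynamic VLAN decision described in this section: a device that authenticates with a valid domain certificate and passes posture checking lands in the corporate or administrative VLAN according to its AD group, a posture failure goes to the remediation VLAN, an OUI-based exemption reaches only the voice VLAN (so a rogue host cloning a phone MAC gains no more than that), and anything unknown is isolated and alerted on. The VLAN numbers, the group name `Admin-Workstations`, the placeholder OUI and the `Endpoint` fields are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed VLAN numbering for the example; a real deployment uses its own.
VLAN_ADMIN, VLAN_CORP, VLAN_VOICE, VLAN_REMEDIATION, VLAN_ISOLATED = 99, 10, 20, 900, 999
# MAC exemptions keyed on the vendor OUI (first three octets), not full addresses.
# "aa:bb:cc" is a constructed placeholder, not a real vendor assignment.
PHONE_OUIS = {"aa:bb:cc"}

@dataclass
class Endpoint:
    mac: str
    dot1x: bool                      # completed 802.1X authentication
    cert_valid: bool = False         # domain-issued certificate validated
    ad_groups: Tuple[str, ...] = ()  # AD group membership seen by the NAC
    av_current: bool = False         # posture: antivirus definitions current
    patched: bool = False            # posture: security patches applied
    firewall_on: bool = False        # posture: host firewall enabled

def assign_vlan(ep: Endpoint) -> Tuple[int, str]:
    """Map one connecting device to a VLAN and give the reason for the decision."""
    if not ep.dot1x:
        # Exempted devices get only the restricted VLAN for their role, so a rogue
        # host cloning a phone MAC never reaches the corporate or server networks.
        if ep.mac.lower()[:8] in PHONE_OUIS:
            return VLAN_VOICE, "OUI exemption: voice VLAN only"
        return VLAN_ISOLATED, "unknown device: no corporate access"
    if not ep.cert_valid:
        return VLAN_ISOLATED, "802.1X without a valid domain certificate"
    if not (ep.av_current and ep.patched and ep.firewall_on):
        return VLAN_REMEDIATION, "posture check failed: build DMZ for remediation"
    if "Admin-Workstations" in ep.ad_groups:
        return VLAN_ADMIN, "authorised administrative device"
    return VLAN_CORP, "compliant domain device"

def evaluate(endpoints: List[Endpoint]) -> Tuple[List[int], List[str]]:
    """Return the VLAN per endpoint plus an alert line for every NAC failure."""
    vlans, alerts = [], []
    for ep in endpoints:
        vlan, reason = assign_vlan(ep)
        vlans.append(vlan)
        if vlan in (VLAN_ISOLATED, VLAN_REMEDIATION):
            alerts.append(f"{ep.mac}: {reason}")
    return vlans, alerts

# Constructed sample connections, including a rogue host cloning the phone OUI.
SAMPLE = [
    Endpoint("10:00:00:00:00:01", True, True, ("Admin-Workstations",), True, True, True),
    Endpoint("10:00:00:00:00:02", True, True, ("Domain Computers",), False, True, True),
    Endpoint("aa:bb:cc:00:00:03", False),  # phone with the exempted OUI
    Endpoint("aa:bb:cc:de:ad:01", False),  # rogue device cloning that OUI
    Endpoint("de:ad:be:ef:00:05", False),  # unknown device
]
```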
SureCloud is a provider of Cybersecurity services and cloud-based Integrated Risk Management products which reinvent the way you manage risk.
To help you combat vulnerabilities like those outlined above, SureCloud also offers a wide range of cybersecurity testing and assurance services. We stay with you throughout the entire test life-cycle, from scoping to vulnerability discovery and remediation.
We are certified by the National Cyber Security Centre (NCSC) and CREST, and our services are delivered using our innovative Pentest-as-a-Service model (underpinned by a highly configurable technology platform). SureCloud acts as an extension of your in-house security team and ensures you have everything you need to improve your risk posture.