Co-authors: SureCloud’s Managing Cybersecurity Consultant Chris Hembrow and Senior Cybersecurity Consultant Nick Spencer.
Segmentation is the practice of dividing or separating something into different parts or sections. In the case of IT systems, this typically involves splitting a network into sub-networks, where each one is a separate network segment. Segmented networks can then be isolated from each other, increasing the security of the network. This series of blog posts will describe the different types of segmentation, the benefits of each, and applicable controls to maximize the security they provide.
In the previous article, we discussed protecting the corporate network from external parties. In this article, we will review the controls applicable to a geographically dispersed Wide Area Network (WAN), as used by many larger Organizations to join multiple offices.
A Wide Area Network (WAN) will often be used by an Organization to join geographically disparate offices and sites, connecting them to the main corporate network using an MPLS network, VPN, or similar method. In many cases these sites are connected directly to each other, with no security appliances in place to restrict traffic between these sites, relying on physical security controls in each location to protect the network. Due to this, a compromise at one site, whether achieved through an attacker gaining physical access to the local network or through remote compromise such as a malware infection against a connected device, could enable an attack to target systems in remote sites. This could include compromising remote systems which are affected by unpatched or “zero-day” vulnerabilities.
For example, an attacker who has gained access to the corporate network via a remote “satellite” office, potentially in a different country to the main corporate systems, may be able to identify and connect to vulnerable systems or services on other systems elsewhere on the corporate network. These could then be used to gain access to unauthorized information, to create a “back door” into the network to allow them to reconnect in the future, or to “pivot” further onto other vulnerable systems elsewhere on the network.
A lack of WAN segregation could also allow a malware infection to spread throughout the entire corporate network, rather than being isolated to a small network where it can more easily be contained. There were reports of networks still hosting the Conficker malware, due primarily to insufficient segregation, as recently as June 2016, more than seven years after its initial release. In 2017, Conficker was also found to be related to the delivery of the Wannacry ransomware. The APT1 report from Mandiant demonstrated that attackers might be able to remain inside networks without being detected for over 12 months. While segregation would not prevent this, it would reduce the scope to which an attacker could compromise the network.
“Big networks tend to become unmanageable in terms of security unless there is some form of separation between parts of the network. In a country-wide network that is internally completely open, a security incident such as a break-in in one office might require all hosts of the entire network to be reinstalled, to ensure that the attacker has not left some Trojan horses somewhere. An increasing number of companies are securing their internal networks additionally by, for example, separating offices with firewalls. This is, in general, a good security practice.”
Firewalls, or combined router/firewall devices, provisioned at the edge of office networks should be used to limit the inbound and outbound traffic between remote sites to only authorized sources and destinations, and only for the minimum number of authorized services. When this is in place, the connections between sites would be limited to the specific services or systems which are required by each site, and only from specific networks within each site. For example, the end-user network in a remote site may be allowed connection to the Intranet servers located at another site, and Domain Controllers would be allowed to replicate traffic to remote Domain Controllers, but the end-user network would only be able to access the local Domain Controllers. As well as restricting the source and destinations of traffic, the individual services should be restricted to only those necessary. For example, to connect to the aforementioned Intranet server, only HTTP ports such as 80 and 443 would typically be required.
“Network policy enforcement on the WAN edge can be extended to include the enforcement of different security policy domains through the integration of firewall functionality. A firewall provides additional protection from unauthorized access, as well as stateful, application and protocol inspection.”
SureCloud is a provider of cloud-based, Cybersecurity services and Integrated Risk Management products, which reinvent the way you manage risk.
SureCloud also offers a wide range of Cybersecurity testing and assurance services, where we stay with you throughout the entire test life-cycle from scoping through to vulnerability discovery and remediation. Certified by the National Cyber Security Centre (NCSC) & CREST and delivered using the innovative Pentest-as-a-Service (underpinned by a highly configurable technology platform), SureCloud acts as an extension of your in-house security team and ensures you have everything you need to improve your risk posture.