Co-authors: SureCloud’s Managing Cybersecurity Consultant Chris Hembrow and Senior Cybersecurity Consultant Nick Spencer.
Segmentation is the practice of dividing or separating something into different parts or sections. In the case of IT systems, this typically involves splitting a network into sub-networks, where each one is a separate network segment. Segmented networks can then be isolated from each other, increasing the security of the network. This series of blog posts will describe the different types of segmentation, the benefits of each, and applicable controls to maximize the security they provide.
In the previous article, we examined the threats and controls from an attacker across a disparate Wide Area Network (WAN). In this article, we will review the controls to protect against an attacker with direct access to an Organization’s local corporate network.
After an attacker gains access to a network, they will typically attempt to “pivot” from their initial foothold system into the wider network, looking for additional targets to compromise. This could be a compromise originating on an end user’s computer after they have been socially engineered into running a malicious file or clicking a malicious link in an email or on a web page. Alternatively, an attacker could gain access directly via a remote network exploit or through physical access to the network. By extending their access through the network, the attacker can gain more access to data and also further entrench themselves on the network, making it harder to locate and remove all their access. A low-privileged compromise originating at one system can escalate if an attacker can enumerate the wider network looking for vulnerable systems that can be used to escalate their access to higher-level privileges; these vulnerable systems could potentially be located in other offices or even countries. For example, from an initial exploit running as a standard user obtained through phishing, an attacker might be able to locate and exploit a system missing the MS17-010 EternalBlue update to obtain system-level access and extract other users’ credentials from memory. Likewise, malware that executes on a system will typically attempt to propagate throughout the network to infect further systems.
Often a corporate network is based on a flat network, where all systems can connect to all others with only system or application-level access control preventing connections. There may be some segmented elements, such as for PCI-DSS, but these are usually very limited in scope.
By running a flat network, the “attack surface” for an intruder is much larger than with a segmented network, and there is a greater chance that they will be able to locate a vulnerable system that they can exploit. A flat network could allow unauthorized and malicious access to systems from unintended locations, such as accessing a database system directly from a contact center workstation or permitting access to management protocols on Domain Controllers. Although these targets will likely have some authentication in place, any missing patches or “zero-day” vulnerabilities would allow a compromise; SureCloud often utilizes unpatched vulnerabilities such as MS17-010 EternalBlue to gain access to a system to provide an initial foothold on the network.
The principle of Least Privilege must apply to networks as well as to the applications on those networks so that only approved and authorized systems or devices can communicate with each other. This will help to minimize unauthorized access to systems, and to prevent attackers from “pivoting” across the network into other systems. It will also help to contain malware outbreaks.
“Proper network segmentation is a very effective security mechanism to prevent an intruder from propagating exploits or laterally moving around an internal network. On a poorly segmented network, intruders can extend their impact to control critical devices or gain access to sensitive data and intellectual property. Security architects must consider the overall infrastructure layout, segmentation, and segregation. Segregation separates network segments based on role and functionality. A securely segregated network can contain malicious occurrences, reducing the impact from intruders, if they have gained a foothold somewhere inside the network.”
To achieve ‘Least Privilege,’ the internal network should be broken down into “trust domains,” which are configured only to allow access from approved sources. Referring to the previous examples, access to the database systems should be controlled so that only the approved applications can connect to them over the network, rather than end-users being able to connect directly. Controlling this at the network layer and not just the application layer ensures that any weak authentication or system vulnerabilities cannot be exploited from the end-user networks.
Management and administration services which are used by system administrators, such as Remote Desktop Protocol (RDP) or Secure Shell (SSH), and which often permit highly elevated access, should be restricted to a limited occupancy network used exclusively for administrator workstations.
Allowing access to administrative services from general-purpose or unrestricted networks could provide an attacker the opportunity to compromise these sensitive services, thereby leading to a greater compromise. Without segregating access to these services, an attacker could access them from any compromised workstation or physically accessible network port on the corporate network, potentially even from remote offices. The attacker would then be able to focus their efforts on compromising these systems, providing them further access to other systems, giving them the ability to remove evidence of their presence, or allowing them to deploy a persistent, privileged “backdoor” from which to regain access to the network at a later date or remotely. These attacks would not necessarily require an attacker to have legitimate administrator credentials either, as they may be able to compromise unpatched systems or systems with “zero-day” vulnerabilities. Limiting access to these services to segregated and controlled networks, and then only for the necessary protocols, would significantly limit the scope of such attacks. It is also important to ensure that access to the administrator network itself is restricted. Without this restriction, although an attacker on a non-privileged network may not be able to target administrative services directly, they could attempt to compromise an administrator’s system and through that gain access to the sensitive systems. On penetration tests, SureCloud has exploited this weakness to gain access to production systems, systems that are sometimes even housed in remote locations and accessed via VPN. From the Cisco SAFE Reference Guide:
Use access-class ACLs to control the sources from which sessions are going to be permitted. The source is typically the subnet where administrators reside. Use extended ACLs when available and indicate the allowed protocols.
Although this is specific to network devices, the same principle should be applied to all administrative systems. At a minimum, server access should be segregated from user networks, and management traffic should be restricted to authorized management networks/devices.
Although VLANs provide a mechanism to segment “trust domains,” they are insufficient by themselves to prevent access, because routing devices are designed primarily to allow traffic to traverse between VLANs. They should be coupled with a mechanism designed explicitly to restrict the traffic that is permitted between the VLANs.
For best VLAN security, the segregation should be provided by firewalls rather than Access Control Lists (ACLs): because firewalls are stateful devices they are better able to permit only authorized traffic, and they can also perform packet inspection to examine the content of traffic for possible attacks. VLANs with ACLs should be used only where firewalls are not feasible, because ACLs act principally on the routing mechanism; firewalls are designed primarily to block traffic, whereas routers and switches are designed fundamentally to allow traffic to flow between systems. Without adequate VLAN security, techniques such as VLAN Hopping can give an attacker unauthorized access to VLANs; this can be achieved by leveraging poor configuration or misconfiguration, through techniques such as “Double-tagging” and using readily available tools such as “Frogger.” If VLANs are routable without any access restrictions, it may not even be necessary for an attacker to use such tools to gain access; modifying the standard routing configuration on the attack system might be enough to provide access to unintended network segments.
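To make the difference between a stateless ACL and a stateful firewall concrete, here is an added Python example (not from the article or SureCloud): it models the trust domains from the examples above as a default-deny allow list and runs the same packet sequence through a router-style ACL that uses the classic “established” test and through a connection-tracking filter. The domain names, ports and sample packets are constructed for this illustration.

```python
from dataclasses import dataclass

# Trust domains assumed for this example (not from the article): user, app, db,
# admin, dc. Default-deny allow list of (source, destination, server port).
ALLOWED = {("user", "app", 443), ("app", "db", 1433), ("admin", "dc", 3389)}

@dataclass(frozen=True)
class Packet:
    src: str    # source trust domain
    dst: str    # destination trust domain
    sport: int  # source port
    dport: int  # destination port
    syn: bool   # TCP SYN flag set
    ack: bool   # TCP ACK flag set

def acl_permits(p: Packet) -> bool:
    """Stateless router ACL: forward direction by the allow list, reverse direction
    by the 'established' test, which trusts any ACK-flagged packet as a reply."""
    if (p.src, p.dst, p.dport) in ALLOWED:
        return True
    return p.ack and (p.dst, p.src, p.sport) in ALLOWED

class StatefulFirewall:
    """Connection-tracking filter: replies pass only for sessions it saw open."""
    def __init__(self):
        self.sessions = set()  # (src, dst, sport, dport) of approved connections

    def permits(self, p: Packet) -> bool:
        key = (p.src, p.dst, p.sport, p.dport)
        reverse = (p.dst, p.src, p.dport, p.sport)
        if key in self.sessions or reverse in self.sessions:
            return True  # belongs to a tracked session, either direction
        if p.syn and not p.ack and (p.src, p.dst, p.dport) in ALLOWED:
            self.sessions.add(key)  # new connection in an approved direction
            return True
        return False

def compare(packets):
    """Run one packet sequence through both filters; returns two decision lists."""
    fw = StatefulFirewall()
    return [acl_permits(p) for p in packets], [fw.permits(p) for p in packets]

# Constructed sample: a legitimate app->db session, a workstation reaching for the
# database, and an ACK-flagged probe from the app tier towards a workstation.
SAMPLE = [
    Packet("app", "db", 50000, 1433, syn=True, ack=False),   # app opens DB session
    Packet("db", "app", 1433, 50000, syn=True, ack=True),    # genuine SYN/ACK reply
    Packet("user", "db", 50001, 1433, syn=True, ack=False),  # direct DB access
    Packet("app", "user", 443, 50002, syn=False, ack=True),  # no matching session
]
```

Running `compare(SAMPLE)` shows the ACL waving the last packet through on the strength of its ACK flag alone, while the stateful filter drops it because no session from the workstation was ever opened.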
Private VLANs are an extension of standard VLANs which place each system into its own isolated VLAN, which is only permitted to communicate with an approved set of services. This applies a level of segregation that should make it very difficult for either an attacker or malware to spread throughout a network, particularly for end-user networks. Ordinarily, a system on a given VLAN would have unrestricted communication to other systems on the same VLAN, which is prevented with Private VLANs.
Examples of different LAN trust domains and the suggested access groups which can connect to them can be seen in the table below. The Suggested Access Groups in the table should still be restricted to approved and necessary services and ports.
Network Access Control (NAC) is a technology designed to ensure that a defined security policy is applied to the devices connecting to the network. By restricting the availability of network resources to endpoint devices that do not comply with a defined security policy, the first layer of protection is applied at a network connection level. NAC systems are designed to operate at the point of connection and can be configured to protect both wired and wireless networks. In both cases, the NAC system applies port controls so that the only communication initially available to a connecting device is for the protocols required to communicate with the NAC service. Modern NAC systems attempt to unify authentication with endpoint security using the 802.1x standard. Authentication checks, such as the presence of a valid Active Directory domain-issued computer or user certificate, or user or computer Active Directory domain group membership, provide an initial level of assurance as to the identity of the connecting user and device. These can be combined with posture checking routines such as checking for up-to-date antivirus definitions and security patches, enabled firewalls, or the presence of host-based intrusion prevention services to ensure that devices meet a defined security threshold before being allowed access to the network. This posture checking service can also be used to ‘on-board’ devices, by placing non-compliant devices within a restricted ‘build’ DMZ network, with remediation services available to perform software updates, install or repair missing or broken anti-virus, or deploy domain certificates to managed devices using Group Policy, etc. Following this remediation, the posture checking service would be satisfied and the device automatically placed on the corporate network.
Unknown devices should be put in a completely isolated network with no corporate access, although Internet access could be provided via public resources (including external DNS servers) to allow guest access.
Some devices, such as older printers and telephone devices, may not be capable of 802.1x authentication and must, therefore, be exceptions to the NAC system; many newer printers and telephones do support 802.1x authentication, however, which should be used whenever possible. This is typically one of the most common routes to bypass a NAC implementation if the devices that cannot perform 802.1x are not properly catered for. As an example, the network port that a printer is plugged into may have a port exception from NAC policy; then an attacker simply needs to unplug the printer and use the network cable to gain access to the network. Another example would be where a network port that carries two VLANs (one for the phone and one for client devices) may have an exception for the telephone MAC address in the NAC system to allow it to connect without enforcing control. An attacker simply needs to assume the MAC address of the telephone device and would then be able to connect a rogue device to the network, bypassing the NAC system. If the two VLANs are routable, or if the DHCP system is not configured to detect the connected device type and issues an IP address on the end-user VLAN, the attacker would have full network access.
Devices that are unable to participate in the NAC implementation should be segregated into network segments that do not have wider access to the network. For example, a VLAN dedicated to telephone devices should be isolated from both client devices and the majority of servers. There will be some interaction required between the devices and other services on the network, such as to the telephony services and potentially Active Directory for integration, but access to the wider server and client networks should be restricted. This severely reduces the attack surface available to a rogue device that assumes the identity of a telephone or other device. Despite being relatively easy to bypass, MAC address filtering should still be enabled where possible, although this could be restricted to checking the Organizationally Unique Identifier (OUI) part of the MAC which identifies the vendor.
The recommended method to control network access for devices authenticating against the NAC is via dynamic VLANs, which ensures that devices and users are placed in an appropriate network VLAN when connecting. This removes the risk associated with NAC-disabled network ports, since all ports can be enabled for NAC and the connecting device is placed in an appropriate VLAN depending on the authentication, device type, and posture checking requirements. This could also allow administrative users to move around the network and maintain access to the administrative VLAN regardless of location, and potentially remove a ‘hot area’ where hardcoded administrative ports with access to administration networks are located. This also allows for validation that authorized administrative devices are appropriately configured and secured before allowing connection to the administration network. Finally, dynamic VLANs ensure that a rogue device masquerading as another device such as a telephone would be placed within an appropriately restricted VLAN with very little attack surface available. While there may be some additional management overhead, AD Group membership can be used to allocate VLANs to supported devices such as workstations and even users, and Organizationally Unique Identifiers (OUIs) can be used for MAC address exemptions for similar devices (e.g., Avaya or Cisco telephones).
Devices that fail the NAC policy, or fail the remediation process, should be placed in an isolated VLAN and investigated. It is highly recommended to set up alerting for NAC failures to ensure that unauthorized attempts to access the network are captured and can be investigated.
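The NAC decision flow described in this section, as an added Python example (not part of the article or any vendor’s product): it maps the 802.1x result, posture checks, AD group membership and the OUI exception for 802.1x-incapable phones to a dynamic VLAN, and flags the failures that should be alerted on. The VLAN names, the group name and the OUI prefix are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed placeholders for this example (not from the article or any NAC product):
# a vendor prefix for 802.1x-incapable phones and the AD group marking admin workstations.
PHONE_OUIS = {"aa:bb:cc"}
ADMIN_GROUP = "NAC-Admin-Workstations"
MAX_REMEDIATION_ATTEMPTS = 3

@dataclass
class Endpoint:
    mac: str
    dot1x_capable: bool
    valid_domain_cert: bool = False   # 802.1x with a domain-issued certificate
    ad_groups: frozenset = frozenset()
    av_current: bool = False          # posture checks
    patched: bool = False
    firewall_on: bool = False
    remediation_attempts: int = 0     # prior trips through the build DMZ

@dataclass(frozen=True)
class Decision:
    vlan: str
    alert: bool = False   # NAC failures should be alerted on and investigated
    reason: str = ""

def posture_ok(e: Endpoint) -> bool:
    return e.av_current and e.patched and e.firewall_on

def assign_vlan(e: Endpoint) -> Decision:
    """Map authentication, posture and device type to a dynamic VLAN."""
    if not e.dot1x_capable:
        # No 802.1x: only an OUI check, and at best a tightly scoped voice VLAN,
        # so a rogue device spoofing a phone MAC gains very little.
        if e.mac.lower()[:8] in PHONE_OUIS:
            return Decision("voice", reason="802.1x-incapable phone, OUI matched")
        return Decision("isolated", alert=True, reason="unknown non-802.1x device")
    if not e.valid_domain_cert:
        return Decision("isolated", alert=True, reason="802.1x authentication failed")
    if not posture_ok(e):
        if e.remediation_attempts >= MAX_REMEDIATION_ATTEMPTS:
            return Decision("isolated", alert=True, reason="remediation failed")
        return Decision("remediation", reason="posture failed, sent to build DMZ")
    if ADMIN_GROUP in e.ad_groups:
        return Decision("admin", reason="authorised administrator workstation")
    return Decision("corporate", reason="authenticated and compliant")
```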
SureCloud is a provider of Cybersecurity services, and cloud-based, Integrated Risk Management products which reinvent the way you manage risk.
SureCloud also offers a wide range of cybersecurity testing and assurance services, where we stay with you throughout the entire test life-cycle from scoping through to vulnerability discovery and remediation. Certified by the National Cyber Security Centre (NCSC) & CREST and delivered using the innovative Pentest-as-a-Service (underpinned by a highly configurable technology platform), SureCloud acts as an extension of your in-house security team and ensures you have everything you need to improve your risk posture.