The Hitlist: Perimeter Network Security Part 1

To “completely” secure an enterprise network is a very complex and often nearly impossible task.  There are several different factors that come into play and must be considered and weighed: business requirements, stakeholders, network configuration, compliance requirements, etc.  We have told a number of our clients that, in most situations, if someone really wants to get into a network, they will, and you can’t stop them.  However, you can prepare yourself to better recognize and respond to attacks.  This list is designed to offer the basic key points of entry into a network, both virtual and physical, that one should consider.

Virtual Considerations:

The virtual perimeter of an organization often requires the most regular attention.

1. Enterprise Firewall

You should use nothing less than an enterprise-class firewall.  There are a number of well-known vendors that you can consider, but any firewall securing a corporate environment should be enterprise class and not a small business or consumer class; you should not skimp on spending when it comes to your primary perimeter security device.  Enterprise-class devices cost what they do for a reason, and are built to protect more robust networks.  They offer the performance, the feature sets, and the configurability that an enterprise needs to secure its network.  The firewall acts as the front gate to your network.

2. IDS/IPS

An intrusion detection/prevention system (IDS/IPS) is a very important piece of network security, both internally and externally.  An intrusion detection system lets you know that something is happening, but can’t do anything about it.  An intrusion prevention system allows automatic prevention measures to be taken when a threat signature is detected.  These devices should be deployed behind the external firewall, in-line with network traffic, in a DMZ.  If the firewall is the front gate, an IDS/IPS acts as the security guards at the gate, who can detect malicious visitors and stop them from intruding on your network.

3. Close Unnecessary Ports

We assess many networks where there are many unused and unnecessary ports left open on the network.  A review of all externally open ports and services should be conducted, and only those necessary for business should be allowed to remain open.  If you have your gate, and guards at the gate, but leave unnecessary ports open on your external network, that is like having a side entrance to your guarded gate that you just leave unlocked.

4. Use Secure Protocols

Unsecured protocols such as FTP and HTTP should not be used unless there is no alternative.  All published web applications, with the exception of content-only websites, should be secured using HTTPS.  In general I would recommend hosting the company website outside of the corporate network, as hosting it inside often introduces unnecessary vulnerabilities.  Also, file transfers should only be made using secure methods such as SSH, FTPS or SFTP.  Insecure protocols could be thought of as weak locks on your door: even though there is a lock, it will not take much to bypass it.
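The two points above, closing ports that the business does not need and refusing plaintext protocols, reduce to a policy check over the results of an external scan. The following script is an added example, not code from the original post: it reads scan results in a constructed `host port/proto state service` format, compares each open port against a hypothetical allowlist of approved (port, service) pairs, and flags any service that is known to carry credentials or content in the clear. The addresses, the allowlist and the sample scan output are all constructed for the example.

```python
"""Audit externally reachable services against an allowlist of business-required
ports and flag plaintext protocols.  Added example (not from the post); the scan
output format, allowlist and addresses below are all constructed."""
from dataclasses import dataclass

# Hypothetical allowlist: the only (port, service) pairs the business has
# approved for exposure to the Internet.
ALLOWED_EXTERNAL = {(443, "https"), (22, "ssh"), (990, "ftps")}

# Services that carry credentials or content unencrypted.
PLAINTEXT_SERVICES = {"ftp", "http", "telnet", "pop3", "imap", "smtp"}

# Constructed scan results in a simple 'host port/proto state service' format.
SAMPLE_SCAN = """\
203.0.113.10 443/tcp open https
203.0.113.10 80/tcp open http
203.0.113.10 22/tcp closed ssh
203.0.113.11 21/tcp open ftp
203.0.113.11 990/tcp open ftps
203.0.113.12 3389/tcp open ms-wbt-server
"""


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    reason: str


def parse_scan(text):
    """Yield (host, port, state, service) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        host, port_proto, state, service = line.split()
        yield host, int(port_proto.split("/")[0]), state, service


def audit(text, allowed=ALLOWED_EXTERNAL):
    """Return one Finding per policy violation among the open ports.

    A single port can produce two findings: it may be missing from the
    allowlist and also expose a plaintext protocol."""
    findings = []
    for host, port, state, service in parse_scan(text):
        if state != "open":
            continue  # closed/filtered ports are not reachable, nothing to report
        if (port, service) not in allowed:
            findings.append(Finding(host, port, service, "not on external allowlist"))
        if service in PLAINTEXT_SERVICES:
            findings.append(Finding(host, port, service, "plaintext protocol exposed"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SCAN):
        print(f"{f.host}:{f.port} ({f.service}) - {f.reason}")
```

Run against the sample, the audit reports HTTP on port 80 and FTP on port 21 twice each (unlisted and plaintext) and the RDP service on 3389 once; the closed SSH port and the approved HTTPS and FTPS services produce nothing. The allowlist is keyed on the (port, service) pair rather than the port alone so that an unexpected service squatting on an approved port is still caught.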

5. Vulnerability Scanning

This is necessary to measure your efforts at protecting your network.  If you do not test your network for vulnerabilities, how will you know whether they exist?  Vulnerability assessments provide a way to scan all externally facing IPs and web applications in your network and measure the effectiveness of the defenses you have in place.

6. Logging

As we previously mentioned, if someone really wants to get into your network, and has the resources and motivation, they probably will.  Without logging, you may never know that it happened.  Centralized logging with an enterprise-class SIEM solution provides correlation between events across your logs.  This allows you to quickly and effectively review logs and determine if and when an attack has occurred.
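The value of correlation is that a pattern invisible in any one log becomes obvious when events from several sources are lined up by source address and time. The script below is an added example, not code from the post or from any SIEM product: it parses constructed firewall and VPN log lines in a simple `timestamp source event key=value...` format, groups them by source IP, and raises an alert when a source generates a burst of VPN authentication failures that is followed by a successful login within the same window, attaching the firewall denies seen from that address as context. The log format, addresses, usernames and thresholds are all constructed.

```python
"""Correlate constructed firewall and VPN log lines to spot a burst of failed
VPN logins that ended in a success.  Added example, not from the post; the log
format, sample lines, addresses and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: '<timestamp> <source> <event> key=value ...'
SAMPLE_LOGS = """\
2024-03-01T02:14:01Z firewall deny src=198.51.100.7 dst=203.0.113.10 dport=22
2024-03-01T02:14:03Z vpn auth-fail user=jsmith src=198.51.100.7
2024-03-01T02:14:09Z vpn auth-fail user=jsmith src=198.51.100.7
2024-03-01T02:14:15Z vpn auth-fail user=jsmith src=198.51.100.7
2024-03-01T02:14:40Z vpn auth-ok user=jsmith src=198.51.100.7
2024-03-01T02:15:02Z vpn auth-fail user=ajones src=192.0.2.33
2024-03-01T08:30:00Z vpn auth-ok user=ajones src=192.0.2.33
2024-03-01T08:31:11Z firewall deny src=192.0.2.99 dst=203.0.113.10 dport=3389
"""


def parse_line(line):
    """Turn one constructed log line into a dict of its fields."""
    ts_str, source, event, *kvs = line.split()
    record = {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "source": source,
        "event": event,
    }
    record.update(kv.split("=", 1) for kv in kvs)
    return record


def correlate(lines, threshold=3, window=timedelta(minutes=10)):
    """Return alerts for sources with >= threshold VPN auth failures inside
    `window` followed by an auth success within `window` of the last failure."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        if "src" in e:
            by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        fails = [e["ts"] for e in evs if e["source"] == "vpn" and e["event"] == "auth-fail"]
        successes = [e for e in evs if e["source"] == "vpn" and e["event"] == "auth-ok"]
        denies = sum(1 for e in evs if e["source"] == "firewall" and e["event"] == "deny")
        # Slide a window of `threshold` failures across the sorted timestamps.
        for i in range(len(fails) - threshold + 1):
            first, last = fails[i], fails[i + threshold - 1]
            if last - first > window:
                continue
            hit = next((s for s in successes if last <= s["ts"] <= last + window), None)
            if hit is not None:
                alerts.append({
                    "src": src,
                    "user": hit["user"],
                    "failures": len([t for t in fails if first <= t <= last]),
                    "first_failure": first,
                    "success_at": hit["ts"],
                    "firewall_denies": denies,
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS.splitlines()):
        print(f"{a['src']}: {a['failures']} failed VPN logins then success as "
              f"{a['user']} at {a['success_at']:%H:%M:%S} "
              f"({a['firewall_denies']} firewall denies from same source)")
```

On the sample, only 198.51.100.7 trips the rule: three failures in twelve seconds, then a successful login as the same user, with one earlier firewall deny from the same address. The single failure from 192.0.2.33 followed by a success six hours later and the lone firewall deny from 192.0.2.99 are below threshold and produce nothing, which is the kind of distinction a SIEM's correlation rules make and a manual read of any one log cannot.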

7. Social Engineering

This is an avenue that people often forget to consider when securing their network.  Even if you think you have done everything possible to button up your network by purchasing and implementing thousands of dollars of network security hardware/software, your users can still be the weakest point of failure.  Social engineering comes in many forms, including phishing emails, malware, phone calls, and more.  The types that we most commonly see are phishing and phone calls.  End users should be trained to spot phishing emails and recognize suspicious phone calls in order to reduce the amount of information that is freely given out to potential attackers.

8. Remote Access

Remote access is one of the easiest ways to breach a network if it is not properly secured.  Many home users do not have a firewall, and many don’t even have antivirus; if they are using their home computer to connect to your corporate network, their home devices can easily be compromised and provide direct access into your network.  Consider only allowing firm-owned or secured devices to connect to the corporate network remotely, and only with an enterprise-class VPN solution.  An alternative is to use a virtual desktop solution to provide remote access, which avoids opening any services to the outside except for HTTPS.

The virtual perimeter of a network is constantly changing on a number of fronts, often not in its attack surface but in the tactics used against it.  In Part 2 we cover the physical considerations for securing the perimeter of a corporate network.