Network Security Design is Critical to Eliminating Security Gaps and Reducing Costs
by Robert Bond
The 5 Pieces to the Cybersecurity Puzzle
Network security design and network architecture have often been pushed to a secondary role as organizations invest in technology to solve their security concerns, while migration to the cloud and the addition of countless IoT gadgets complicate matters. Network security architecture leverages the organization's resources, while network security design implements the concepts. A well planned and constructed network security design is critical to minimizing the gaps in the infrastructure that attackers often target, and essential to controlling access to critical data within the organization.
Organizations that are adding systems and other technology, housing sensitive data, and opening new points of access for their customers, employees and contractors face new elements of risk and additional pieces to the IT security puzzle, and optimizing their network security design has to account for all of them.
We want to take a step back and discuss what we feel are the 5 critical pieces to a robust security design.
We know that technology has become the core of our society and subsequently, the nucleus of your business. For all the added value that technology brings to your business, it also adds substantial risk to your business and its reputation.
Surely you're asking yourself: how do I design my business network to ensure security and reduce costs?
This is a great question and one that requires serious planning and review before you go out with your shopping cart and stock it with the best network security solutions money can buy. The core objective of your plan is to maximize your business' network performance, reliability, future modifiability, maintainability, scalability and, most importantly, security. Thus, the best approach to reducing capital expenditures and operating expense is to formulate a secure network design and then fill it with the technology that best fits your needs and budget.
With this in mind, let’s list and review the 5 core tenets of secure network design.
- High Value Systems and Assets
- Network Security Segmentation
- Monitoring and Prevention
- Security Event Logging
- Principle of Least Privilege (POLP)
Laying the Groundwork – Customer-Specific Design
Before we get started with the 5 core tenets, it is critical that partners invest time in understanding their customer's needs, business goals, compliance issues and other requirements. To be clear, in many of our customer engagements we find that customers (1) are not certain what they really want, or (2) are not able to articulate it.
It is like building your dream house: you can hire the best builder in town and he can purchase top-of-the-line materials, but if the architect does not design the house correctly, leaks, foundation problems and other structural problems will surface very quickly, and the investment in the builder and the quality materials is wasted.
When designing a network, the process must start with planning; that is, understanding the data the customer is trying to protect, on which systems that data is stored, the business impact if the data is compromised and of course the budget the customer has allocated for the project.
In addition, the legacy network, traffic and user population are variables that need to be included as the planning phase concludes with the delivery of (1) cost, (2) schedule and (3) performance requirements. The blueprint for the design must include sound design principles as well as planning requirements to build a secure, cost-efficient solution; however, customer needs and priorities should drive the vision and priorities of the project.
High Value Systems and Assets
The task of identifying high value systems and assets is easily the least glamorous aspect of secure network design. However, without going through the process of pinpointing those systems and assets, their locations and value, how are you going to decide the amount of time, effort and budgetary spend that you should allocate on securing your network?
High Value Systems & Assets can broadly be classified in the following categories:
- Information assets: Every piece of information about your business falls in this category. This information has been collected, classified, organized and stored in various forms.
  - Databases: Contain information critical to your business.
  - Data files: Information stored within files outside of a database.
  - Archived information: Storage of information required by law.
- Software assets
  - Application software: Implements business processes.
  - System software: Operating systems, mobile OSes, VOIP, etc.
- Physical assets
  - Computer equipment: desktops, laptops, phones, servers
  - Communication equipment: PBX, POP gateway, routers, switches
  - Storage media: off/on-site backup media, software inventory, etc.
  - Technical equipment: UPS, server racks, wiring closet(s), etc.
Understanding where your sensitive data lies, which systems house the data, and how to score the criticality of those systems often stops IT security teams in their tracks. This can be a daunting exercise; however, the initial assessment does not need to be perfect, and it can be refined in subsequent exercises.
After you categorize and rank your high value assets and systems, you can move to the next tenet of secure network design, proper network security segmentation.
High Value Systems and Assets Key Takeaway
Score your assets by criticality. While best practice is to use the three variables confidentiality, integrity and availability to assess value, a single criticality value is a viable place to start.
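The scoring the key takeaway describes, as an added example that is not part of the original article: each asset in a constructed inventory is rated 1 to 3 on confidentiality, integrity and availability, or, as a starting point, given the single criticality value the takeaway suggests; both land on the same 3 to 9 scale so the inventory can be ranked and bucketed into tiers. The asset names, ratings and tier thresholds are all assumptions for illustration.

```python
"""Rank a constructed asset inventory by criticality.

Added example (not from the article).  Each asset is scored either on the
three variables the article names (confidentiality, integrity, availability,
each 1 = low .. 3 = high) or, as the shortcut the article suggests, on a
single criticality value 1..3.  Names, ratings and tier cut-offs are
constructed for illustration.
"""
from dataclasses import dataclass

CATEGORIES = {"information", "software", "physical"}  # the article's three classes


@dataclass
class Asset:
    name: str
    category: str
    location: str             # segment or site that houses the asset
    confidentiality: int = 0  # 1..3; 0 means "not assessed yet"
    integrity: int = 0
    availability: int = 0
    criticality: int = 0      # single-value shortcut, 1..3

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"{self.name}: unknown category {self.category!r}")

    def score(self) -> int:
        """CIA sum (3..9) when all three are rated, else criticality scaled to 3..9."""
        cia = (self.confidentiality, self.integrity, self.availability)
        if all(1 <= v <= 3 for v in cia):
            return sum(cia)
        if 1 <= self.criticality <= 3:
            return self.criticality * 3
        raise ValueError(f"{self.name}: no rating supplied")


def tier(score: int) -> str:
    """Bucket a 3..9 score into the tiers later used for segmentation decisions."""
    if score >= 8:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def rank_assets(assets):
    """Return (name, score, tier) tuples, highest value first, ties broken by name."""
    rows = [(a.name, a.score(), tier(a.score())) for a in assets]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def high_value(assets):
    """Names of the assets that land in the 'high' tier."""
    return [name for name, _, t in rank_assets(assets) if t == "high"]


# Constructed inventory; the HVAC controller has only the single-value rating so far.
INVENTORY = [
    Asset("customer-db", "information", "internal-db", 3, 3, 3),
    Asset("payroll-files", "information", "file-server", 3, 2, 1),
    Asset("web-frontend", "software", "dmz", 1, 2, 3),
    Asset("hvac-controller", "physical", "building", criticality=1),
    Asset("pbx", "physical", "voice", 1, 1, 3),
]

if __name__ == "__main__":
    for name, score, t in rank_assets(INVENTORY):
        print(f"{name:16} score={score} tier={t}")
```

The output of `rank_assets` is the input to the segmentation tenet: the "high" tier is what must be isolated first, and the single-value assets are the ones to revisit with a full CIA rating in the next iteration.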
Network Security Segmentation
The segmentation of systems & assets based on their value to your business is a key tenet to ensure the security of your high value systems & assets. A common example of segmentation is placing your Internet-facing systems into a demilitarized zone (DMZ), which is physically and logically segmented by your point-of-presence (POP) firewall. This securely isolates those systems from your internal systems & assets so that a malicious actor who exploits a vulnerability and gains access to one of your DMZ systems will be unable to leverage that access to move laterally within your network to highly valued systems on your internal network. Sounds easy, right? Yes, but there's more to consider when designing your secure network.
Example of Poorly Designed Network
An example of a poorly designed network would be the following: using your POP firewall to segment your Internet-facing systems from your internal resources, but neglecting to segment the systems that directly interface with those DMZ systems, such as backend databases, from your DMZ and internal resources. A great example of what not to do was illustrated in the Target hack, which involved malicious actors exploiting HVAC systems, moving laterally to POS (Point of Sale) devices and gaining access to the financial information of ~40 million customers. With proper network segmentation of HVAC systems from sales systems & databases, Target would've avoided the damage to its business and brand.
Network segmentation can become tedious and time consuming because your business has many components to compartmentalize, but weigh that against the potential fallout to your business and the actual fallout for Target: the resignation of Target's CEO and legal settlements totaling over $300 million.
Network Security Segmentation Key Takeaway
One of the most common mistakes information technology teams make is arbitrarily adding technology to the corporate network. Without adding barriers to systems, attackers can move from one piece of technology to another searching for sensitive information or other targets on the corporate network.
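The two mistakes this section describes, a high-value zone sitting directly behind the DMZ and a chain of flat allow rules that lets facilities gear reach sales systems, can both be caught by checking the zone-level firewall policy before it is deployed. The following is an added example, not code from the article: zone names, trust levels and rules are constructed assumptions, and a rule is written as (source zone, destination zone, service) with "any" meaning every service.

```python
"""Check a zone-level firewall policy for the two segmentation mistakes the
article describes: a high-value zone directly adjacent to a low-trust zone,
and a chain of flat "allow any" rules that lets a low-trust zone move
laterally into a high-value zone (the HVAC -> corporate -> POS pattern).

Added example, not from the article.  Zone names, trust levels and rules are
constructed.  A rule is (src_zone, dst_zone, service); "any" means every
service is allowed.
"""
from collections import deque

# Constructed trust ranking: higher number = more sensitive.
TRUST = {"internet": 0, "dmz": 1, "building": 1, "corp": 2, "app": 2, "db": 3, "pos": 3}
LOW_TRUST = {z for z, t in TRUST.items() if t <= 1}
HIGH_VALUE = {z for z, t in TRUST.items() if t >= 3}

# Deliberately flawed policy: the database sits directly behind the DMZ, and
# the building (HVAC) zone has a flat allow into the corporate LAN, which in
# turn has a flat allow to POS.
FLAWED_POLICY = [
    ("internet", "dmz", "https"),
    ("dmz", "db", "any"),
    ("building", "corp", "any"),
    ("corp", "pos", "any"),
]

# Hardened policy: an application tier sits between DMZ and database, every
# rule names a service, and facilities gear gets no path into the LAN.
HARDENED_POLICY = [
    ("internet", "dmz", "https"),
    ("dmz", "app", "https"),
    ("app", "db", "mysql"),
    ("corp", "pos", "pos-mgmt"),
    ("corp", "db", "mysql"),
]


def direct_exposures(policy):
    """Rules that connect a low-trust zone straight to a high-value zone."""
    return [r for r in policy if r[0] in LOW_TRUST and r[1] in HIGH_VALUE]


def flat_adjacency(policy):
    """Zone graph built only from 'any'-service rules (the flat allows)."""
    adj = {}
    for src, dst, svc in policy:
        if svc == "any" and src != dst:
            adj.setdefault(src, set()).add(dst)
    return adj


def lateral_paths(policy):
    """(low_trust_zone, path) for every high-value zone reachable over flat allows."""
    adj = flat_adjacency(policy)
    results = []
    for start in sorted(LOW_TRUST):
        queue, seen = deque([[start]]), {start}
        while queue:
            path = queue.popleft()
            for nxt in sorted(adj.get(path[-1], ())):
                if nxt in seen:
                    continue
                seen.add(nxt)
                new_path = path + [nxt]
                if nxt in HIGH_VALUE:
                    results.append((start, new_path))
                queue.append(new_path)
    return results


def findings(policy):
    """Human-readable segmentation findings; an empty list means the checks pass."""
    out = [f"direct exposure: {s} -> {d} ({svc})" for s, d, svc in direct_exposures(policy)]
    out += [f"lateral path: {' -> '.join(p)}" for _, p in lateral_paths(policy)]
    return out


if __name__ == "__main__":
    for name, pol in (("flawed", FLAWED_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, findings(pol) or ["no findings"])
```

The lateral-path check deliberately follows only "any" rules: narrow, named services between zones are the legitimate paths an application needs, and they are where the next tenet, monitoring, applies rather than a blanket deny.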
Monitoring and Prevention
You’ve identified your high value systems & assets, categorized them accordingly and implemented network segmentation to isolate them from each other. Pat yourself on the back, but now it’s time to add another core tenet of secure network design: Monitoring and Prevention.
Using monitoring and prevention tools to defend your network is extremely important. Intrusion detection systems (IDS), intrusion prevention systems (IPS), data loss prevention systems (DLP) and database activity monitoring (DAM) are vital tools that help protect your network by preventing malicious actors from accessing the systems & assets vital to your business.
- IDS: passive monitoring tool strategically placed at the major intersections of your segmented network. Typically deployed with a network tap or a VLAN SPAN port to monitor traffic.
- IPS: similar to an IDS, but actively blocks malicious traffic. Deployed off a network tap to eliminate a single point of failure, or in-line within your network.
- DLP: monitors and controls endpoint activities to ensure that sensitive data is not lost, misused, or accessed by unauthorized users. Deployed on end user systems such as desktops, laptops, mobile devices, etc.
- DAM: monitors all activity on a database and provides alerts and reports on that activity. Deployed on a database, with the captured activity stored outside the database it is monitoring to avoid user/admin tampering.
Monitoring and Prevention Key Takeaway
IDS/IPS devices that have not been tuned properly can produce false negatives on true threats as well as thousands or millions of false-positive alerts each day. Make sure to tune the devices to streamline your SOC's workload and response.
Security Event Logging
You're almost there! Your network is segmented, monitoring and prevention tools are protecting your high value systems & assets, but your network design must also incorporate logging. There's a common adage: the more logs the better, and it's definitely true, because during an audit or breach it's always better to have more logs than fewer. Once you verify that the proper level of logging is turned on, however, the sheer volume of log data can quickly lead to log fatigue. A secure network design requires a tool that alleviates log fatigue and aggregates, correlates, identifies, mitigates, remediates and reports malicious activity.
Security event logging tooling is broken down into two major categories, with both offering a level of full packet capture:
- SIEM: aggregates logs from multiple sources, identifies anomalies and takes appropriate action through alerting or remediation. Typically deployed with a front end tied to an on-premise log data lake.
- Security Analytics: a "newer" version of SIEM that incorporates more than just system logs, such as UBA/UEBA (user and entity behavior analytics). Deployed on premise or in the cloud to enable higher efficacy from the collective intelligence of many deployments.
Security Event Logging Key Takeaway
Authorization and authentication events, system and data changes, network activity, resource access, malware activity, and failure and critical error reports are often cited as the most critical reports for security analysts.
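What the aggregate-correlate-report loop in this section and the IDS tuning in the previous key takeaway look like at the smallest scale, as an added example that is not part of the original article: two constructed log sources (sshd-style authentication lines and a generic key=value IDS alert feed) are normalized into events, scan alerts from an allowlisted internal scanner are suppressed and duplicates collapsed, and a correlation rule flags a success that follows a burst of failures from the same source. Hostnames, addresses, signature names, the allowlist and the thresholds are all assumptions.

```python
"""Aggregate two constructed log sources, tune noisy IDS alerts, and
correlate a burst of failed logins followed by a success.

Added example, not from the article.  The log lines, hostnames, addresses,
signature names, allowlist and thresholds are all constructed; the formats
imitate sshd syslog lines and a generic key=value IDS alert and are not any
product's real output.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

AUTH_LOG = """\
2024-03-01T10:00:01 bastion sshd[812]: Failed password for admin from 203.0.113.9 port 5111 ssh2
2024-03-01T10:00:04 bastion sshd[812]: Failed password for admin from 203.0.113.9 port 5112 ssh2
2024-03-01T10:00:07 bastion sshd[812]: Failed password for admin from 203.0.113.9 port 5113 ssh2
2024-03-01T10:00:20 bastion sshd[812]: Accepted password for admin from 203.0.113.9 port 5114 ssh2
2024-03-01T10:05:00 bastion sshd[900]: Failed password for alice from 192.0.2.50 port 6000 ssh2
2024-03-01T10:30:00 bastion sshd[901]: Accepted publickey for alice from 192.0.2.50 port 6001 ssh2
"""

IDS_LOG = """\
2024-03-01T10:00:05 ids01 alert sig="scan.portsweep" src=192.0.2.7 dst=10.0.1.20
2024-03-01T10:00:06 ids01 alert sig="scan.portsweep" src=192.0.2.7 dst=10.0.1.21
2024-03-01T10:00:09 ids01 alert sig="policy.suspicious-agent" src=203.0.113.9 dst=10.0.1.20
2024-03-01T10:00:10 ids01 alert sig="policy.suspicious-agent" src=203.0.113.9 dst=10.0.1.20
"""

# Tuning: the authorized internal vulnerability scanner trips scan.* signatures
# every night, so those alerts are suppressed instead of paged on.
SCANNER_ALLOWLIST = {"192.0.2.7"}

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"(?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+)"
)
IDS_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) alert sig="(?P<sig>[^"]+)" src=(?P<src>\S+) dst=(?P<dst>\S+)'
)


def parse_auth(text):
    """Normalize sshd lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "source": "auth",
                           "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]})
    return events


def parse_ids(text):
    """Normalize IDS alert lines into event dicts."""
    events = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "source": "ids",
                           "sig": m["sig"], "src": m["src"], "dst": m["dst"]})
    return events


def tune_ids(alerts, allowlist):
    """Drop scan alerts from allowlisted scanners and collapse duplicates into counts."""
    kept, suppressed = Counter(), 0
    for a in alerts:
        if a["src"] in allowlist and a["sig"].startswith("scan."):
            suppressed += 1
            continue
        kept[(a["sig"], a["src"], a["dst"])] += 1
    return kept, suppressed


def failed_then_success(auth_events, threshold=3, window_s=60):
    """(ip, user, failures) for each success preceded by >= threshold failures in window_s."""
    failures = defaultdict(list)
    hits = []
    for e in sorted(auth_events, key=lambda e: e["ts"]):
        key = (e["ip"], e["user"])
        if e["outcome"] == "Failed":
            failures[key].append(e["ts"])
        else:
            recent = [t for t in failures[key] if (e["ts"] - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                hits.append((e["ip"], e["user"], len(recent)))
    return hits


def summary():
    """One pass over both sources: the numbers a SOC dashboard would show."""
    auth, ids = parse_auth(AUTH_LOG), parse_ids(IDS_LOG)
    kept, suppressed = tune_ids(ids, SCANNER_ALLOWLIST)
    return {"auth_events": len(auth), "ids_raw": len(ids), "ids_suppressed": suppressed,
            "ids_after_dedup": len(kept), "correlated": failed_then_success(auth)}


if __name__ == "__main__":
    print(summary())
```

On the constructed input, four raw IDS alerts become one tuned alert, and the correlation rule surfaces the one login that matters: the same address that triggered the remaining IDS alert. Correlation across sources is exactly what a single device's log cannot give you.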
Principle of Least Privilege (POLP)
Last, but not least, is the most important tenet of secure network design. You can segment your network, monitor for and block malicious actors, and log and report anomalous activity within your network, but escalation of privileges remains the single most used method by malicious actors. Adhering to and implementing POLP is fundamental to your network design and reduces the risk of malicious actors gaining access to your high value systems & assets by compromising a low-level user account, device, or application.
POLP can be applied to end users, systems, processes, networks, databases, applications, and every other aspect of your business technology infrastructure.
Examples of POLP in Practice
- User Account with Least Privilege: An employee whose responsibilities include entering information into a database only needs the ability to add records to that database. If malware infects that employee’s computer, the malicious attack is limited to making database entries.
- MySQL Accounts with Least Privilege: Ideally, an online form that lets users sort records should use a MySQL account that only has sorting privileges. Thus, an attacker who exploits the form gains only the ability to sort records.
- Using Just in Time Least Privilege: A user who rarely needs root privileges should work with reduced privileges the rest of the time. To increase traceability, that user can retrieve root access credentials from a password vault as needed.
Principle of Least Privilege Key Takeaway
Applying the principle of least privilege to standard user accounts means granting a limited set of privileges — just enough privileges for users to get their jobs done, but no more than that.
Your network contains the most critical technology assets of your business organization. You should design your network in a secure manner that eliminates or minimizes single points of failure. The all-or-nothing approach to network security design has left many in IT security contemplating the dozens of variables that could be used to prioritize how to design the network. However, starting with the 5 pieces of the puzzle we discussed today will provide a more than substantial start toward a best-practice network security design.
July 16, 2019