Leverage network segmentation and access control to protect against attacks

Source: Internet
Author: User

The number of insider attacks doubled in the past year, according to the recently released Verizon data breach report produced with the US Secret Service, but external attacks remain the main source of attacks, indicating that businesses are still not adequately securing their networks and data.

Active security monitoring and a secure network architecture play a very important role in resisting internal and external attacks. Without proper network segmentation and access control, however, once an attacker gains access to the victim's internal network it is over: the sensitive servers sit on the internal network, waiting to be plundered by the attacker.

However, the outcome of a security breach need not always be this bad. "Network access control (NAC) is a philosophical category, not a technical one," said the chief information security officer of Advanced Digital in Carolina, USA. "A defense-in-depth approach to network segmentation and access control can slow down the spread of malware and prevent sensitive systems from leaking."

Vulnerabilities in embedded operating systems (such as VxWorks and QNX) found over the past few weeks underscore the importance of protecting these devices and isolating them as much as possible without impacting productivity. However, judging from the widespread deployment of multifunction devices and similar systems, there is little awareness of how misuse of these systems affects security.

For example, new modules released for the Metasploit framework allow memory to be dumped from vulnerable VxWorks devices. In such a memory dump, an attacker can locate passwords and internal IP addresses that allow logging on to a network switch and reconfiguring its VLANs, or logging on to a server through an exposed service account.

Because printers and streaming media devices are not just dumb devices but act as both client and server, you must create a network segment that isolates these devices while providing only the access your business needs.

For example, a multifunction copier used to e-mail scanned files should be allowed to communicate with the mail server on port 25/tcp, not to log in remotely to the switch or reach the Windows Server ports on the file server. Similarly, an embedded system should not be allowed to access the Internet or hold other access rights unless it needs them, as a VBrick media streaming device does.
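To make the copier rule above concrete, here is an added example (not code from the original article) of that segment policy written as a first-match ACL and evaluated in Python; all addresses, host names and the 10.50.0.0/24 embedded-device VLAN are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source host or segment, in CIDR notation
    dst: str      # destination host or segment; "0.0.0.0/0" means anywhere
    proto: str    # "tcp", "udp" or "any"
    ports: tuple  # inclusive destination port range; (0, 65535) means any

    def matches(self, src_ip, dst_ip, proto, dport):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.ports[0] <= dport <= self.ports[1])

# Constructed addressing for the example: 10.50.0.0/24 is the embedded-device VLAN.
EMBEDDED_VLAN = "10.50.0.0/24"
COPIER = "10.50.0.10"      # multifunction copier that e-mails scans
VBRICK = "10.50.0.20"      # streaming appliance with a legitimate Internet need
MAIL = "10.1.0.25"
FILESRV = "10.1.0.30"
SWITCH_MGMT = "10.0.0.0/24"
ANY = (0, 65535)

# First match wins; anything not explicitly allowed falls through to deny.
POLICY = [
    Rule("allow", COPIER + "/32", MAIL + "/32", "tcp", (25, 25)),  # scan-to-email only
    Rule("deny",  EMBEDDED_VLAN, SWITCH_MGMT, "any", ANY),         # no switch logins
    Rule("deny",  EMBEDDED_VLAN, "10.0.0.0/8", "any", ANY),        # no other internal hosts
    Rule("allow", VBRICK + "/32", "0.0.0.0/0", "any", ANY),        # streaming device only
    Rule("deny",  EMBEDDED_VLAN, "0.0.0.0/0", "any", ANY),         # no Internet for the rest
]

def decide(src_ip, dst_ip, proto, dport, policy=POLICY):
    """Return the action of the first matching rule, or 'deny' if none match."""
    for rule in policy:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return "deny"

if __name__ == "__main__":
    for flow in [(COPIER, MAIL, "tcp", 25), (COPIER, "10.0.0.1", "tcp", 22),
                 (COPIER, FILESRV, "tcp", 445), (VBRICK, "203.0.113.5", "udp", 5000)]:
        print(flow, "->", decide(*flow))
```

The same rule list translates one-for-one into a firewall or router ACL between the embedded VLAN and the rest of the network.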

Embedded devices are not the only devices that employees put on the network without considering the security impact. In customer vulnerability assessments, AirTight Networks found that one-fourth of networks had a rogue wireless network installed by employees.

Whether it is done for productivity or convenience, or because the user has malicious intent, the result is the same: the internal corporate network is exposed to anyone within range of the wireless access point. A policy stating that unauthorized changes to the network, such as adding wireless access points, are strictly prohibited is a start, but the necessary technical controls must be deployed to enforce the prohibition and detect any unusual behavior.

Basic technical controls (for example, tying each switch port to a known MAC address) are a start, but they are easily circumvented by skilled employees. More advanced controls, such as a network access control solution, should be added to authenticate devices and keep rogue wireless devices off the internal network by shutting down the connected switch port or moving it to an isolated VLAN.

From a defense-in-depth standpoint, a wireless intrusion detection system (WIDS) adds another layer of protection against rogue wireless devices: because its sensors sit inside the corporate office, new wireless networks can be detected and security personnel alerted.
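As an added example (not part of the original article) of the WIDS-plus-NAC response described in the last two paragraphs: constructed scan sightings are classified against an authorized-AP inventory, and a rogue that can be tied to a wired switch port is moved to an isolated VLAN. The inventory, MAC table, the -60 dBm "indoors" threshold and the simplifying assumption that an AP's wired MAC equals its BSSID are all constructed for the example.

```python
from dataclasses import dataclass

CORPORATE_SSIDS = {"corp-wifi"}
# Authorized APs from the wireless controller inventory (constructed): BSSID -> SSID.
AUTHORIZED_APS = {"00:11:22:aa:bb:01": "corp-wifi", "00:11:22:aa:bb:02": "corp-wifi"}
# Wired-side MAC table (constructed): MAC learned on a port -> (switch, port).
# Assumption for the example: an AP's wired MAC equals its BSSID.
MAC_TABLE = {"00:11:22:aa:bb:01": ("sw-floor1", "Gi1/0/7"),
             "de:ad:be:ef:00:01": ("sw-floor2", "Gi1/0/19")}
QUARANTINE_VLAN = 999
INDOOR_RSSI_DBM = -60   # assumed threshold: stronger than this means inside the office

@dataclass
class Sighting:
    bssid: str
    ssid: str
    rssi: int   # dBm as seen by a WIDS sensor

def classify(s):
    """Return 'authorized', 'evil-twin', 'rogue' or 'neighbor' for one sighting."""
    bssid = s.bssid.lower()
    if bssid in AUTHORIZED_APS:
        return "authorized"
    if s.ssid in CORPORATE_SSIDS:
        return "evil-twin"      # corporate SSID from a radio we do not own
    if bssid in MAC_TABLE or s.rssi > INDOOR_RSSI_DBM:
        return "rogue"          # plugged into our switches, or clearly indoors
    return "neighbor"           # weak and unknown: most likely the office next door

def quarantine(s):
    """NAC response: find the rogue's switch port and return the VLAN move to apply."""
    sw_port = MAC_TABLE.get(s.bssid.lower())
    if sw_port is None:
        return None             # not on our wire; left to WIDS containment and a walk-around
    return {"switch": sw_port[0], "port": sw_port[1], "vlan": QUARANTINE_VLAN}

def triage(sightings):
    """Run one scan's sightings through classify() and quarantine(); return the actions."""
    actions = []
    for s in sightings:
        verdict = classify(s)
        if verdict in ("rogue", "evil-twin"):
            actions.append((s.bssid.lower(), verdict, quarantine(s)))
    return actions

if __name__ == "__main__":
    scan = [Sighting("00:11:22:AA:BB:01", "corp-wifi", -40),
            Sighting("de:ad:be:ef:00:01", "linksys", -75),
            Sighting("aa:aa:aa:aa:aa:aa", "corp-wifi", -70),
            Sighting("cc:cc:cc:cc:cc:cc", "cafe", -85)]
    for action in triage(scan):
        print(action)
```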

The PCI Security Standards Council is aware of the impact of rogue wireless networks and calls for four wireless scans per year under PCI DSS. But four scans a year may not be enough: a rogue wireless device could escape detection for the three months between scans.

Wireless vendors are addressing these issues by including WIDS functionality in their enterprise management systems. For example, the Cisco Wireless Services Module (WiSM) can identify, locate, and contain rogue wireless devices on the corporate network once one is found.

The ultimate goal of any network security solution is to prevent critical data from leaking while still letting the enterprise meet its business needs. Appropriate network segmentation, backed by policy and technical controls, helps enterprises achieve both goals.
