Summary: Active security controls and a secure network architecture play a very important role in defending against internal and external attacks. According to data provided by the US Office of Logistics in the recent Verizon data breach investigation report, the number of insider attack incidents doubled in the past year, but external attacks remain the main source of attacks, which indicates that enterprises still have not adequately protected the security of their networks and data.
Active security controls and a secure network architecture play a very important role in defending against internal and external attacks. However, without proper network segmentation and access control, once attackers gain access to the victim's internal network, it is all over: the sensitive servers sit on the internal network, waiting to be plundered.
However, a breach does not have to end this way. "Network access control (NAC) is a philosophy, not a technology," according to Carolina Advanced Digital. Network segmentation and access control apply the defense-in-depth approach, which slows the spread of malware and keeps sensitive systems from being exposed.
Vulnerabilities in embedded operating systems (such as VxWorks and QNX) disclosed in the past few weeks highlight the importance of protecting these devices and isolating them as much as possible without affecting productivity. However, the way multifunction devices and similar systems are generally deployed shows a lack of awareness of the security impact of their abuse.
For example, a new module released for the Metasploit Framework allows memory to be dumped from a vulnerable VxWorks device. In the dumped memory you can find passwords and internal IP addresses that would let an attacker log on to network switches, change the VLAN a device sits in, or log on to servers through exposed service accounts.
Since printers and streaming-media devices are not simple appliances but full clients and servers, you must create a network segment that isolates them and grant only the access the business actually needs.
For example, a multifunction copier used to send scanned files by e-mail should be allowed to talk to port 25/tcp on the mail server, but not to telnet to the switches or to reach the Windows file-sharing ports on the file server. Similarly, embedded systems should not be given Internet access or broad access rights unless the business requires it, as with media-streaming devices such as Vbrick.
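The copier policy above can be written down and then checked against what the network actually carries. The following is an added example, not code from the original article: it encodes a per-segment, first-match, default-deny policy for a printer segment and audits constructed flow records against it, so that any observed flow the policy would deny shows up as a segmentation gap. All addresses, segment names and the flow-record format are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# Constructed addressing for the example (assumed; the article names no addresses).
SEGMENTS = {
    "printers": ip_network("10.10.50.0/24"),  # multifunction copiers / scanners
    "servers":  ip_network("10.10.10.0/24"),  # mail and file servers
    "switches": ip_network("10.10.1.0/24"),   # switch management addresses
}
MAIL_SERVER = ip_address("10.10.10.25")


@dataclass(frozen=True)
class Rule:
    dst: object          # an IPv4Address (single host) or an IPv4Network (segment)
    proto: str
    port: Optional[int]  # None matches any destination port
    action: str          # "allow" or "deny"


# Per-source-segment policy, first match wins, default deny. Mirrors the article:
# the copier may reach the mail server on 25/tcp only; telnet to switches and
# SMB to file servers are refused explicitly, everything else implicitly.
POLICY = {
    "printers": [
        Rule(MAIL_SERVER, "tcp", 25, "allow"),
        Rule(SEGMENTS["switches"], "tcp", 23, "deny"),
        Rule(SEGMENTS["servers"], "tcp", 445, "deny"),
    ],
}
DEFAULT_ACTION = "deny"


def _segment_of(ip):
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def _dst_matches(rule_dst, ip):
    if isinstance(rule_dst, IPv4Address):
        return ip == rule_dst
    return ip in rule_dst


def decide(src_ip, dst_ip, proto, dport):
    """Return 'allow', 'deny', or 'unpoliced' (source is outside any policed segment)."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    rules = POLICY.get(_segment_of(src))
    if rules is None:
        return "unpoliced"
    for r in rules:
        if _dst_matches(r.dst, dst) and r.proto == proto and r.port in (None, dport):
            return r.action
    return DEFAULT_ACTION


def parse_flow(line):
    """Constructed flow-record format: '<timestamp> <src> <dst> <proto> <dport> <bytes>'."""
    ts, src, dst, proto, dport, _nbytes = line.split()
    return ts, src, dst, proto, int(dport)


def audit(flow_lines):
    """Flows that were observed on the network although the policy says they should be
    denied. Any hit means the segmentation is not enforced the way the policy intends."""
    violations = []
    for line in flow_lines:
        ts, src, dst, proto, dport = parse_flow(line)
        if decide(src, dst, proto, dport) == "deny":
            violations.append((ts, src, dst, proto, dport))
    return violations


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "2010-08-17T09:00:01 10.10.50.12 10.10.10.25 tcp 25 51200",  # scan-to-email: allowed
    "2010-08-17T09:00:09 10.10.50.12 10.10.1.3 tcp 23 310",      # copier telnets to a switch
    "2010-08-17T09:01:22 10.10.50.30 10.10.10.40 tcp 445 9000",  # copier reaches SMB on a file server
    "2010-08-17T09:02:05 10.10.50.30 203.0.113.7 tcp 80 700",    # copier talks to the Internet
    "2010-08-17T09:03:40 10.10.10.40 10.10.10.25 tcp 25 2100",   # server to mail server: not policed here
]

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print("segmentation violation:", *v)
```

Run against the constructed records, the audit reports the telnet, SMB and Internet flows from the printer segment and ignores the server-to-server flow, which no rule in this policy covers. Feeding it real flow or firewall logs is the cheapest way to find out whether the VLAN for the copiers is actually filtered or merely separate.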
Another kind of embedded device is the one an employee attaches to the network without considering its impact on security. In vulnerability assessments of its customers, AirTight Networks found that one in four networks contained a rogue wireless network installed by employees.
Whether the motive is productivity or convenience, or the user actually has malicious intent, the result is the same: the internal enterprise network is exposed to anyone within range of the wireless access point. Policy should strictly prohibit any unauthorized change to the network, such as adding a wireless access point. However, you also need to deploy the technical controls that enforce such a prohibition and detect any abnormal behavior.
Basic technical controls (for example, limiting each switch port to a single MAC address) are a start, but a skilled employee can easily defeat them. Adding more advanced controls through a network access control solution helps identify wireless devices and keep them off the internal network, by disabling the switch port they are connected to or moving that port into an isolated VLAN.
From a defense-in-depth perspective, you can add a wireless intrusion detection system (WIDS) to provide an additional layer of protection against rogue wireless devices; because the WIDS covers the enterprise's premises, it also detects newly appearing wireless networks and alerts security staff.
The PCI Security Standards Council is aware of the impact of rogue wireless networks, and PCI DSS requires four wireless scans per year. However, four scans per year may not be sufficient: a rogue wireless device can escape detection for up to three months between scans.
Wireless vendors are addressing these issues by including WIDS functions in their enterprise management systems. For example, the Cisco Wireless Services Module (WiSM) can identify, locate, and contain rogue wireless devices on the enterprise network once they are discovered.
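The two detection layers described above, port security on the wired side and a WIDS on the wireless side, are combined in the following added example (not code from the article or from any vendor named in it). It parses a constructed switch MAC-address table, flags access ports that learned more than one MAC address and produces the quarantine-VLAN response, then classifies constructed wireless scan results against an authorized BSSID list. The "rogue-on-wire" step uses a heuristic that is an assumption of this example rather than a statement about any product: an access point's BSSID is often a small offset from its wired MAC address, so a BSSID whose neighbouring addresses appear in our own MAC table is very likely plugged into our network. All MAC addresses, port names, SSIDs and the VLAN number are constructed.

```python
import re
from collections import defaultdict

# Constructed 'show mac address-table'-style output (not from a real switch).
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0011.2233.4455    DYNAMIC     Gi1/0/5
  20    0011.2233.4466    DYNAMIC     Gi1/0/6
  20    00a1.b2c3.d4e5    DYNAMIC     Gi1/0/7
  20    8c16.45aa.bb01    DYNAMIC     Gi1/0/7
  20    8c16.45aa.bb09    DYNAMIC     Gi1/0/7
  20    0022.3344.5566    DYNAMIC     Gi1/0/24
  20    0022.3344.5577    DYNAMIC     Gi1/0/24
"""
UPLINK_PORTS = {"Gi1/0/24"}   # legitimately carries many MACs; excluded from the check
QUARANTINE_VLAN = 999         # assumed number of the isolated VLAN

# Constructed WIDS / wireless scan results: (ssid, bssid, channel, rssi).
WIFI_SCAN = [
    ("CORP-WLAN",  "00:1a:1e:10:20:30", 6, -48),
    ("CORP-WLAN",  "00:1a:1e:10:20:31", 11, -55),
    ("linksys",    "8c:16:45:aa:bb:00", 1, -40),   # employee-installed AP
    ("CoffeeShop", "f4:f5:d8:01:02:03", 6, -80),   # neighbour, not on our wire
]
AUTHORIZED_BSSIDS = {"00:1a:1e:10:20:30", "00:1a:1e:10:20:31"}


def normalize_mac(mac):
    """Return a MAC as 12 lowercase hex digits whatever notation it was printed in."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_mac_table(text):
    """Map switch port -> set of MACs learned on it (Cisco-style table, constructed here)."""
    port_macs = defaultdict(set)
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+([0-9a-fA-F.]+)\s+\w+\s+(\S+)", line)
        if m:
            port_macs[m.group(3)].add(normalize_mac(m.group(2)))
    return port_macs


def port_security_violations(port_macs, max_macs=1, uplinks=UPLINK_PORTS):
    """Access ports that learned more MACs than allowed: a sign of a hub, switch or
    rogue AP plugged in behind the port. Returns {port: sorted MAC list}."""
    return {p: sorted(macs) for p, macs in port_macs.items()
            if p not in uplinks and len(macs) > max_macs}


def quarantine_actions(violations, vlan=QUARANTINE_VLAN):
    """The NAC response from the article: move each offending port to the isolated VLAN.
    The command text is illustrative IOS syntax for the reader; nothing is sent anywhere."""
    return [(port, f"switchport access vlan {vlan}") for port in sorted(violations)]


def classify_wireless(scan, authorized, port_macs, offsets=range(-8, 9)):
    """Classify each observed AP as 'authorized', 'rogue-on-wire' (BSSID or a nearby
    address seen in our own MAC table, heuristic) or 'unknown' (probably a neighbour)."""
    auth = {normalize_mac(b) for b in authorized}
    wired_port = {m: p for p, macs in port_macs.items() for m in macs}
    report = []
    for ssid, bssid, channel, rssi in scan:
        norm = normalize_mac(bssid)
        status, port = "unknown", None
        if norm in auth:
            status = "authorized"
        else:
            base = int(norm, 16)
            for off in offsets:
                cand = format(base + off, "012x")
                if cand in wired_port:
                    status, port = "rogue-on-wire", wired_port[cand]
                    break
        report.append({"ssid": ssid, "bssid": bssid, "channel": channel,
                       "rssi": rssi, "status": status, "port": port})
    return report


if __name__ == "__main__":
    table = parse_mac_table(MAC_TABLE)
    bad = port_security_violations(table)
    for port, cmd in quarantine_actions(bad):
        print(f"{port}: {len(bad[port])} MACs learned -> {cmd}")
    for ap in classify_wireless(WIFI_SCAN, AUTHORIZED_BSSIDS, table):
        print(f"{ap['ssid']:<10} {ap['bssid']} {ap['status']}" + (f" on {ap['port']}" if ap["port"] else ""))
```

In the constructed data, port Gi1/0/7 has learned three addresses (the employee's desktop plus the access point and a client behind it), so it is selected for quarantine, and the "linksys" BSSID is tied back to that same port because its wired address sits one above the BSSID. The coffee-shop network is reported but not acted on, which is the distinction a WIDS has to make to avoid alerting on every neighbour. Running the wired check continuously, rather than at the quarterly interval PCI DSS mandates for wireless scans, closes the three-month gap the article points out.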
The ultimate goal of any network security solution is to prevent the leakage of important data while still allowing the enterprise to meet its business needs. Appropriate network segmentation, policies, and technical controls help enterprises achieve these goals.