Four Strategic Principles of Network Security Design
by Robert Bond
We recently looked at the CIS 20 – a list of 20 key controls that you should implement within your organization to maintain comprehensive cybersecurity. A recurring element in these controls is the importance of protecting your network: controls 9,11 and 12 look at controlling network ports, secure configuration of network devices, and boundary defense, respectively.
Today, we take the opportunity to delve into network security design: How do you set up a network security design strategy? While we have addressed tips for network security design before, the recent Twitter hack emphasizes that many organizations are still not doing enough to ensure their network is secure from outside interference.
Here we set out four key principles that should be covered in your Strategy for Network Security Design.
There are two key aspects to compartmentalization within a secure network.
The first is that within the organization, the network should be segmented. If an organization has a flat and open network, once that network is infiltrated, the attacker is able to establish a foothold to move across the network, potentially stealing data, and infecting key assets. Through network segmentation, the entire network is partitioned into smaller sub-networks. A related concept of segregation means applying a set of rules for communication between hosts and services.
The key step for segmentation is setting up ‘demilitarized zones’ (DMZs) between sub-networks: These are small networks located between the organization’s internal network and the public internet which can be used to prevent malicious actors from reaching the organization’s ‘inner sanctum’. Segregation can be put in place through firewall protocols which prohibit traffic from traveling from the public network to the inner private network, and from the DMZ to the inner network.
In addition to DMZs organizations should consider smaller sub-networks where there are different security requirements applying across the organization (for example, to ensure any card-handling complies with the Payment Card Industry Data Security Standard (PCI DSS)). As well as network firewalls, this can be achieved via routers or switches or setting up Virtual Local Area Networks (VLANs).
For more information on segregation see the Australian Cyber Security Centre’s Implementing Network Segmentation and Segregation.
The second aspect of compartmentalization is thinking carefully about user privileges. Users that have no need to access customer personal data, for example, should have their user access restricted from networks containing that data.
This is where the ‘Principle of Least Privilege’ or ‘PoLP’ comes in: Individuals within the organization should only have the privileges/access within the system that is necessary in order to perform their job. As we assess user privileges, this relates to network segmentation and segregation as well: If a particular sub-network has no need to communicate with another sub-network it should not be able to.
Compartmentalization Key Takeaway: Stop any intruders in their tracks by separating your organization’s network into sub-networks and ensuring that all employees and contractors have appropriate user privileges.
The Weakest Link
In every organization, there will be points of weakness for the network. The weakest link in the chain, so to speak. And sadly, for most organizations, this is their people. For example, no matter how robust your IT defense systems are, this can all fall apart if an employee falls for a phishing scam. Particular areas of risk here include:
- Use of personal devices to access workplace assets. If the employee or contractor does not have sufficient protection on their personal device, this can be a route into the organization’s network for intruders
- Bypassing password security. While we are still not sure exactly what happened, it looks as though the recent Twitter hack involved unauthorized users gaining access to employee accounts. Protocols should be in place to ensure that employees have passwords that are robust, required to be regularly changed, and subject to regular renewal
Organizations should ensure that they have the right training in place to verify that employees and contractors understand what they need to do to ensure network security.
Key takeaway: Often, the people within your organization are the biggest risk to network security that needs to be managed.
Once all the different aspects of your network security system are in place, you need to ensure that they are working to protect your organization’s assets. This is where vulnerability testing is essential; regularly testing the defenses that you have in place to see where the ‘holes’ are.
It is recommended that an organization use a mixed automated and manual approach. An automated vulnerability scanning tool will identify all the systems (e.g., servers, desktops, laptops) connected to the network. It will then use a checklist of known vulnerabilities and check if any of these are present.
This is distinct from penetration testing which looks at specific weaknesses in the network that could be exploited using an individual ‘impersonating’ an actual individual or attacker. To learn more about this see The Difference Between a Penetration Test and Vulnerability Assessment.
Key takeaway: Your network security needs to be regularly assessed for any potential gaps.
The Importance of Layering
Protecting a medieval castle meant establishing several different layers of security. First, the castle was located in a spot where the natural geography protected it from invasion: often next to cliffs, on hills, and adjacent to large bodies of water. Second, a series of man-made obstacles (moats, heavy gates, and traps) were put in place to prevent intruders advancing to the King’s Keep. Similarly, layering is a key aspect of secure network design. The idea, of course, is that if any intrusion or attack gets through one layer of defense, another layer of defense will catch the attack. Layering brings together all the prior elements of the network security design that we have discussed. Key layers for network security include:
- Perimeter and network controls. Firewalls need to be in place. This is the main barrier between your network and the public internet. Relatedly, the organization should employ segmentation to ensure that any attack can be localized within the organization
- Email protections. This includes setting up email filtering and encryption protocols
- Web filtering
- Data encryption of important financial and personal information
- Device management. Ensuring that all devices connected to the network meet organizational security requirements
Key takeaway: If any one protection fails, the other protections should act as a backup to stop any attack or intrusion doing any further damage.
Network security design may be the most important part of your cybersecurity strategy as it ‘brings everything together’. Implementing individual cybersecurity elements such as encryption and firewalls in an ad hoc manner will not be enough. They must be cohesively tied together. We recommend that your network security design be grounded in the strategic principles of compartmentalization, the weakest link, vulnerability testing, and layering.
To read more about network security design check out:
- As an example of a robust network security design standard, a recent document prepared by the United Kingdom Government;
- Technical advice on design considerations for network zones from the Canadian Centre for Cyber Security.
To Learn More About Network Security Design, Please Call Us – as Always, We Are Happy to Help – 1 (888) 982-0678.
You Can Also Fill Out Our Contact Us Form Here to Talk with a Security Specialist – https://www.secureops.com/contact-us/
October 15, 2020
September 22, 2020