Security is No Longer About the Perimeter
Years ago, cybersecurity practices emulated those of the medieval lord who relied on a fortified castle wall to protect his inner kingdom. Castle defenses were designed around an impermeable wall, while attackers relied on their ability to break through that wall, after which their soldiers would flood in through the breach. In similar fashion, enterprises have relied on a robust firewall appliance that established a perimeter to protect the network from the outside, countering external attackers who diligently probed the perimeter for exposed or neglected ports.
It is a different world today, however. Just as military defensive strategy has evolved to counter advanced offensive tactics driven by technological innovation, today’s enterprise can no longer rely on single-focus solutions to protect itself from all threats. Modern military defensive strategy no longer commits most of its resources to the front line, because attack mechanisms are now so mobile. Just as the French failed to stop the German Blitzkrieg, the antiquated model of perimeter security can no longer protect the expansive, fluid enterprises of today: once attackers are through the perimeter, they can roam unabated and cause damage at will. Instead, military strategists rely on what is referred to as defense in depth, where reserves are positioned behind the front lines in layers, allowing those forces to counterstrike and combat any enemy attackers that manage to breach the line.
Cybersecurity strategists now apply this philosophy of multiple defensive layers to combat emerging threats. Hackers continue to advance their attack methodologies and take advantage of users and their devices in the mobile, digitally connected world we live in today. IT security professionals need to think about network architecture in a way that incorporates multi-layer defensive strategies, creating a systematic approach in which each defense covers for the failings of the others. In order to combat the endless list of zero-day exploits, destructive malware strains and financially motivated attacks, enterprises must deploy multiple defenses to close off attack avenues that would otherwise serve as unabated highways into the heart of the data center. When these tools are implemented as part of a comprehensive strategy, the whole is greater than the sum of its parts. The idea is to incorporate information security at every level of your physical network and software landscape, a strategy recommended by the National Security Agency (NSA).
The role of internal IT today begins and ends with cybersecurity. In the following sections of this tutorial, we will look at the required security components that make up a typical multi-layer security model today and how they should be a natural part of your enterprise architecture. While the firewall appliance is still a paramount centerpiece of an enterprise security architecture, the subsequent components are equally necessary and serve a vital role in ensuring the security of users, devices, data and infrastructure.
Firewall Methodologies
Whether you are creating the architecture for a small business office of less than ten people or a global conglomerate composed of hundreds of thousands of employees, it all starts with the establishment of a perimeter, which constitutes some type of firewall. At the very least, a firewall appliance establishes a demarcation between your internal LAN and the external WAN. It then serves as the traffic cop that either allows or discards traffic flows attempting to pass between the internal and external zones. Many organizations have additional zones as well. One common example is the DMZ, which hosts internet-facing resources such as web, FTP or email servers. The DMZ is a less restrictive zone than the LAN, as anonymous external users must be able to reach these servers. While the firewall would reject HTTP/HTTPS traffic originating from outside the network and destined for the LAN, it would allow authorized web traffic into the DMZ. This obviously exposes the enterprise to potential vulnerabilities, which is why the firewall also restricts traffic between the DMZ and the LAN, containing malicious traffic within the DMZ and preventing it from reaching more valuable assets and resources.
An organization may have restricted zones housing business-critical systems and large repositories of sensitive information. Restricted zones usually include databases holding HR, financial or intellectual property data. These zones are far more restrictive in order to protect against any threats that could damage an organization’s competitive advantage or reputation. Controls should govern not only internet-facing traffic but also access from internal assets.
Firewalls have evolved over the years and now utilize a number of methodologies to examine network traffic and discern the intent of traffic flows. The main types are as follows:
- Packet Filtering – This traditional filtering methodology may be “old school” but is still utilized today. Also referred to as static packet filtering, it is based on an established rule set that is made up of objects and services. A rule states that traffic originating from point A flowing to point B that utilizes a stated protocol or port number is allowed to pass through. Any traffic that is not accommodated for on the list is rejected by default. Although most firewalls still utilize this practice, the modern-day firewall requires greater intelligence to secure today’s enterprises from an ever-expanding threat base.
- Stateful Inspection – While traditional packet filtering only examines the headers of a packet, stateful inspection analyzes the packets down to the application layer. It is an intelligence-based approach that analyzes traffic inflows and outflows over time in order to better discern which types of traffic are habitual on the network and which should be deemed suspicious.
- Next-Generation Firewall – This loosely coined phrase is used to summarize the purpose of these highly thorough, intelligent devices. Like stateful inspection, next-generation firewall (NGFW) appliances go beyond layers 3 and 4 of the OSI model to determine the appropriateness of a traffic flow. These systems offer far more granular application and traffic behavior inspection and can even analyze the contents of HTTPS and SSH traffic. They can also identify embedded malware or malicious code that is riding on the back of legitimate traffic. NGFW solutions include a variety of security tools to augment their protection abilities, such as intrusion detection systems (IDS) and intrusion prevention systems (IPS), as well as antivirus detection and application control. They also have the ability to perform quality-of-service tasks to throttle or prioritize different types of traffic and applications, as well as to combat denial-of-service attacks.
- Web Application Firewall – A WAF is a specialized firewall that is used to protect web-based applications. It is usually deployed as a proxy placed in front of one or more web applications. The WAF inspects incoming and outgoing packets, analyzes layer 7 traffic and uses intelligence to scrutinize traffic flows and patterns. WAFs are designed to combat zero-day exploits, cross-site scripting, SQL injection and other attacks defined by the Open Web Application Security Project (OWASP).
One mistake that some network administrators make is to only filter incoming traffic. While incoming traffic is the primary security concern, outgoing traffic must be scrutinized as well. It is not uncommon for internal users to download spambots or worms that immediately go about dispersing their malicious traffic to the outside world. Allowing these outgoing traffic patterns can result in your organization becoming blacklisted or worse.
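The zone model above (WAN, DMZ, LAN), the default-deny rule set of static packet filtering, the connection tracking that distinguishes stateful inspection from it, and egress filtering can all be seen in one small simulation. The following is an added example written for this tutorial, not code from the original article or from any firewall vendor: the zone ranges, rules, and sample packets are constructed, and the rule format is invented for illustration rather than taken from any product.

```python
"""Zone-based packet filter with connection tracking (constructed model).

Added example: zones, rules and sample packets are invented for
demonstration and follow no vendor's rule syntax.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zone map; any address outside these ranges is treated as WAN.
ZONES = {
    "LAN": ip_network("10.10.0.0/16"),
    "DMZ": ip_network("192.0.2.0/24"),   # documentation range (TEST-NET-1)
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = True   # True: new connection attempt; False: part of an existing flow


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"


# Constructed rule set. First match wins; anything unmatched is denied.
RULES = [
    Rule("WAN", "DMZ", "tcp", 443, "allow"),   # public web traffic reaches the DMZ only
    Rule("WAN", "DMZ", "tcp", 80, "allow"),
    Rule("DMZ", "LAN", "tcp", None, "deny"),   # contain a compromised DMZ host
    Rule("LAN", "WAN", "tcp", 25, "deny"),     # egress: clients never speak SMTP directly
    Rule("LAN", "WAN", "tcp", None, "allow"),  # general outbound from the LAN
    Rule("LAN", "DMZ", "tcp", 443, "allow"),
]


class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()   # 5-tuples of connections admitted by a rule

    def evaluate(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if not pkt.syn:
            # Stateful inspection: mid-connection packets pass only if the
            # connection was admitted earlier, in either direction.
            return "allow" if key in self.state or reverse in self.state else "deny"
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        for r in self.rules:   # static packet filtering on the connection attempt
            if (r.src_zone == src_zone and r.dst_zone == dst_zone
                    and r.proto == pkt.proto
                    and (r.dport is None or r.dport == pkt.dport)):
                if r.action == "allow":
                    self.state.add(key)
                return r.action
        return "deny"   # default deny


def run_demo() -> dict:
    """Evaluate constructed sample packets in order; returns name -> verdict."""
    fw = StatefulFilter(RULES)
    samples = {
        "wan_to_dmz_https": Packet("203.0.113.5", 51000, "192.0.2.10", 443),
        "wan_to_lan_smb": Packet("203.0.113.5", 51001, "10.10.1.20", 445),
        "dmz_to_lan_ssh": Packet("192.0.2.10", 4444, "10.10.1.20", 22),
        "lan_egress_smtp": Packet("10.10.1.20", 52000, "198.51.100.7", 25),
        "lan_egress_https": Packet("10.10.1.20", 52001, "198.51.100.7", 443),
        "reply_to_lan": Packet("198.51.100.7", 443, "10.10.1.20", 52001, syn=False),
        "unsolicited_to_lan": Packet("198.51.100.7", 443, "10.10.1.20", 52002, syn=False),
    }
    # Insertion order is preserved, so the reply is evaluated after its request.
    return {name: fw.evaluate(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:20s} {verdict}")
```

The reply packet is the instructive case: no static rule permits WAN-to-LAN traffic, yet the reply is allowed because the filter remembers the LAN-initiated connection, while the identically shaped "unsolicited" packet with no matching state is dropped. A purely static filter would have to open a broad WAN-to-LAN hole for high ports to let replies through, which is exactly the weakness stateful tracking removes. The SMTP egress rule shows the outbound filtering the paragraph above calls for.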
Network Segmentation and Segregation
Today’s enterprise networks have many facets and components, and a company’s overall network is only as secure as its weakest link. A hacker will always utilize the easiest attack avenue first, often using social engineering to infect the device of a user who has local admin rights, or seizing control of a company’s fleet of unprotected IoT devices that still use default credentials and original firmware. Once an attacker obtains some type of foothold within the targeted enterprise, they will attempt to move around the network in order to locate and access valuable information and hosts. A classic example was the Target breach back in 2014, in which hackers infiltrated the network of the retail conglomerate through its HVAC system before moving laterally to the payment network.
Network segmentation involves partitioning a network into smaller units. Each one is then segregated so that access among these units is governed by a strict rule set that limits communications and access between hosts and services. This is the same design strategy that shipbuilders use today: the hull of a large ship is divided into multiple compartments, so that in the event of a leak, water damage is contained within that compartment. Incorporating this practice into IT means creating separation layers between the servers that contain sensitive data and everything else. This strategy protects internal assets and data not only from external threats but from internally induced attacks as well. At the very least, this combination of segmentation and segregation will slow down an attack by forcing it to spend time breaking free of each segmented portion. This can buy valuable time for enterprise personnel to discover the attack and combat it. While virtually all IT professionals agree that network segmentation is an essential security measure, less than 25 percent of organizations actually implement this practice.
Most enterprises utilize multiple methods to segment and segregate their networks.
- Routers – You can separate your network into distinct physical segments with routers. This will limit the scope of malware broadcasts. You can also create access control lists (ACLs) to perform basic layer 3 and 4 firewall filtering according to port, protocol and IP address.
- VLANs – Enterprise switches are used to create virtual network segments, each one comprising a unique subnet. Each access port is assigned a VLAN. Any device plugged into that port is automatically assigned that particular VLAN. This is an easy but effective way to separate IoT devices or BYOD devices from the core network.
- Physical Security – While it is easy to overlook physical security in the digital world of today, it is still an effective way to place obstacles in the way of potential attackers. Such measures include locks, access control cards, mantraps and biometric control systems.
- Isolation – There are instances in which security is so paramount that it warrants the total isolation of a network segment or device. This is not uncommon for highly sensitive government agencies, where access to the internet or outside world is completely severed. There are other forms of isolation as well, though. Advanced virtualization techniques use virtual containers for websites or code. This is similar to sandboxing, in which a security appliance creates an isolated test environment that emulates a production environment so that suspicious files or URLs can be executed or detonated safely.
- IPsec – By implementing IPsec on your Windows servers and clients, you can encrypt the traffic flows between them by issuing policies. This is an effective way to allow only authorized machines to access the data hosted on a designated server.
The end goal of segmentation and segregation is to establish a zero-trust architectural model that restricts the maneuverability of hackers and malware by limiting the avenues they can traverse. Network admins then enforce this architecture by deploying granular security policies that are assigned to applications and users, all the way down to the workload level.
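The Target example above illustrates that lateral movement is rarely a single hop: a segment that cannot reach the restricted zone directly may still reach it through an intermediate segment that can. The following is an added example, not code from the article or any product, that audits a constructed inter-segment ACL for exactly this: it collapses the ACL to "segment A may initiate traffic into segment B" and searches for any multi-hop path from an untrusted segment to a restricted one. Segment names, the ACL entries, and the untrusted/restricted sets are all constructed for the demonstration.

```python
"""Segment reachability audit: can any untrusted segment reach a restricted one?

Added example: segment names, ACL entries and trust classes are constructed.
"""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

# Constructed inter-segment ACL. Each entry is an explicitly allowed flow
# (src_segment, dst_segment, proto, dst_port); anything not listed is denied.
Flow = Tuple[str, str, str, int]
ACL: List[Flow] = [
    ("CORP", "PAYMENT", "tcp", 443),   # POS management console from the corporate VLAN
    ("IOT", "CORP", "tcp", 8443),      # building-controls vendor console, reachable from IoT
    ("MGMT", "CORP", "tcp", 3389),
    ("MGMT", "IOT", "tcp", 22),
    ("GUEST", "WAN", "tcp", 443),
]
UNTRUSTED = {"GUEST", "IOT"}
RESTRICTED = {"PAYMENT"}


def adjacency(acl: List[Flow]) -> Dict[str, Set[str]]:
    """Collapse the ACL to 'segment A can initiate something into segment B'.

    Port and protocol are deliberately ignored: for a lateral-movement audit,
    any permitted flow is a potential hop until proven otherwise.
    """
    adj: Dict[str, Set[str]] = {}
    for src, dst, _proto, _port in acl:
        adj.setdefault(src, set()).add(dst)
    return adj


def shortest_path(adj: Dict[str, Set[str]], start: str, target: str) -> Optional[List[str]]:
    """Breadth-first search over segments; returns the hop list or None."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in sorted(adj.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def audit(acl: List[Flow]) -> List[Tuple[str, str, List[str]]]:
    """Every (untrusted, restricted, path) triple the ACL allows, including via hops."""
    adj = adjacency(acl)
    findings = []
    for src in sorted(UNTRUSTED):
        for dst in sorted(RESTRICTED):
            path = shortest_path(adj, src, dst)
            if path:
                findings.append((src, dst, path))
    return findings


def without(acl: List[Flow], src: str, dst: str) -> List[Flow]:
    """Return the ACL with every entry from src to dst removed."""
    return [f for f in acl if not (f[0] == src and f[1] == dst)]


if __name__ == "__main__":
    for src, dst, path in audit(ACL):
        print(f"{src} can reach {dst} via {' -> '.join(path)}")
    print("after removing IOT->CORP:", audit(without(ACL, "IOT", "CORP")))
```

On the constructed ACL the audit reports that IOT reaches PAYMENT via CORP, even though no rule mentions IOT and PAYMENT together; removing the IOT-to-CORP entry closes the path. The audit is intentionally coarse (every permitted port counts as a hop), so a clean result is evidence that the rule set blocks lateral paths, while a finding is a prompt to inspect the actual services on that hop.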
The Importance of Email and Web Security
So why is email and web filtering included in a topic about the security of network architecture? Well, according to a 2016 study, 91 percent of all cyberattacks start with a phishing email of some type. It is the primary delivery mechanism for ransomware and other malware attacks. Even the indictment of the 16 Russian nationals concerning the U.S. 2016 presidential elections began with a phishing email. Earlier this year, a survey of 600 business decision-makers across the U.S., U.K., Germany and Australia found that phishing emails are the biggest cyber threat to their businesses. While the notion of spam may have been a comical matter a decade ago, characterized by outlandish schemes of African rulers looking for someone to park their millions, phishing scams are no laughing matter today. In 2016, the Mattel Corporation lost $3 million after falling for a phishing scam that involved wiring the money to a Chinese bank account. You cannot think about network architecture without considering how to secure email and web attack avenues.
Just as the telephone became the mechanism to bypass the barrier of the front door and connect with a homeowner, email is the instrument that allows hackers to skirt the firewall perimeter and reach users directly. This is why a dedicated email security solution is paramount for any enterprise today. As mobile devices are commonplace now, many users check their email outside the protected confines of the on-premise LAN, making it the perfect mechanism to deploy malware on user devices. Once these devices return to the LAN, the malware can perform its nefarious deeds. While email security solutions have traditionally been deployed as gateway appliances, public and private cloud solutions are highly popular today. An effective email security solution today must do more than identify spam-based domains and phrases. It must be able to scan embedded links and attachments, perform multilayer analysis and verify recipients.
Until recently, web filtering primarily served as a means to block offensive or distasteful web content. It also served as a means to block or throttle media streaming or social media sites that consume the attention of employees and negatively affect productivity. Today web filtering serves as an important part of a layered security strategy. Solutions today are integrated with malware detection and can block malicious code that hackers have managed to deposit on legitimate websites. They can also block newly purchased or parked domains that often exist for malicious purposes. A web filtering system can serve as a backup to your email security solution in the event that a phishing email with an embedded link to a malware deployment site manages to get through.
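Scanning embedded links and attachments, as the two paragraphs above call for, reduces to a few concrete checks at the gateway: does a link's visible text name one site while its href points to another, does the link land on a blocked or newly registered domain, and does an attachment carry an executable extension hidden behind a document name. The following is an added example, not code from the article or from any email security product: it parses a constructed MIME message with Python's standard `email` library and applies those checks. The blocked-domain and newly-registered lists and the risky-extension list are constructed stand-ins for what a real gateway would draw from threat intelligence feeds.

```python
"""Email link and attachment scanner (constructed example).

Added example: the sample message, domain lists and extension list are
invented; a real gateway would source these from threat intelligence.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed reference data.
BLOCKED_DOMAINS = {"malware-drop.example"}
NEWLY_REGISTERED = {"secure-payroll-login.example"}
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".jar", ".bat", ".ps1")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
ANCHOR_RE = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")


def registered_domain(url: str) -> Optional[str]:
    """Crude last-two-labels extraction; a public-suffix list would do this properly."""
    host = urlparse(url).hostname
    if not host:
        return None
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def scan_links(text: str) -> List[str]:
    """Flag mismatched anchor text and links to blocked or newly registered domains."""
    findings = []
    for href, inner in ANCHOR_RE.findall(text):
        shown = URL_RE.findall(TAG_RE.sub("", inner))
        if shown and registered_domain(shown[0]) != registered_domain(href):
            findings.append(
                f"link text shows {registered_domain(shown[0])} "
                f"but points to {registered_domain(href)}")
    for url in URL_RE.findall(text):
        dom = registered_domain(url)
        if dom in BLOCKED_DOMAINS:
            findings.append(f"link to blocked domain {dom}")
        elif dom in NEWLY_REGISTERED:
            findings.append(f"link to newly registered domain {dom}")
    return findings


def scan_message(raw: str) -> Dict[str, object]:
    """Walk every MIME part; text parts get link checks, attachments get name checks."""
    msg = message_from_string(raw, policy=policy.default)
    findings: List[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            if name.lower().endswith(RISKY_EXTENSIONS):
                findings.append(f"risky attachment {name}")
            continue
        if part.get_content_maintype() == "text":
            findings.extend(scan_links(part.get_content()))
    return {"findings": findings, "verdict": "quarantine" if findings else "deliver"}


def build_sample(malicious: bool = True) -> str:
    """Constructed payroll-themed message; the malicious variant carries a
    look-alike login link and an executable disguised as a PDF."""
    msg = EmailMessage()
    msg["From"] = "payroll@corp.example"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Action required: payroll update"
    msg.set_content("Please sign in to confirm your details.")
    if malicious:
        msg.add_alternative(
            '<p>Sign in at <a href="https://secure-payroll-login.example/login">'
            'https://payroll.corp.example/</a></p>', subtype="html")
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename="invoice.pdf.exe")
    else:
        msg.add_alternative(
            '<p>Sign in at <a href="https://payroll.corp.example/">'
            'https://payroll.corp.example/</a></p>', subtype="html")
    return msg.as_string()


if __name__ == "__main__":
    for label, raw in (("malicious", build_sample(True)), ("benign", build_sample(False))):
        print(label, scan_message(raw))
```

The malicious sample produces three findings (text/href mismatch, newly registered domain, risky attachment) and is quarantined; the benign variant, which differs only in those details, is delivered. The domain extraction is deliberately simple, so in production it should be replaced by a public-suffix-aware library and the reference lists wired to live feeds.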
The Impact of Virtualization and the Cloud on Network Security
Enterprises began recognizing the value of virtualizing the compute component of the data center more than a decade ago, when VMware began promoting its ESX platform. Today, enterprises are virtualizing the storage and networking facets as well, culminating in a seamless platform. This provides companies with a highly flexible and adaptable infrastructure that can support the vast array of services needed to meet the needs of their customers. The software-defined data center unifies and simplifies these layers, providing unparalleled agility.
The concept of software-defined networking centers around the abstraction of the control plane from the data, or forwarding, plane. This means that network devices such as switches and routers are essentially dumb devices that are managed exclusively by a centralized controller. This allows network resources to be deployed or decommissioned quickly based on real-time demand and managed through deployed policies.
Software defining the network also means software defining your security. In traditional networking, security professionals are saddled with the task of plugging holes with firewalls and access control lists. In a software-defined network environment, nothing is open by default. Instead, a central authority dictates every move of the network. Security is handled network wide in automated fashion. Policies are created for new devices or application deployments, assuring that these resources are fully protected from their initial startup. As a result, security is built into the very fabric and architecture of the network, and like so many other facets of IT, delivered as a service.
While companies continue to migrate resources and services to the cloud, many applications and data types must remain on premise. The majority of applications remain incompatible with the cloud, many companies are reluctant to host high-value proprietary data in the cloud, and other companies must host personal records on premise to satisfy compliance regulations. This means that IT must contend with the challenge of protecting the enterprise on two fronts, managing differing levels of security mandates concerning company data. Meeting this challenge is one of the motivating factors in choosing hybrid IT as your enterprise platform.
The beauty of hybrid IT is that it offers the best of both worlds: the controllability and governance of on-premise along with the scalability of the public cloud. This approach gives IT the flexibility to manage different data types and sources by distinct security policies. Just as hybrid IT allows you to pair each workload with the optimum platform, it allows you to match data with the appropriate store location based on its security parameters and preferences.
The merging of virtualization technologies and the cloud gives enterprises the unrestricted ability to perform disaster recovery on a nearly on-demand basis. This provides quick recovery from attacks such as last year’s WannaCry and NotPetya, which crippled some of the largest corporate giants in the world for weeks. Today’s enterprise architectures must be designed for redundancy and backup from the ground up in order to prepare for the next set of destructive malware.
Security Embedded Architecture
Security is about reducing risk, and every organization must determine what its acceptable level of risk is. While no enterprise can protect itself from every threat, it can integrate a secure design, methodology and mindset into all facets of the enterprise. From the perimeter firewall that combats attacks head on to the host-based firewall and human firewalls that serve as the security of last resort, an enterprise’s architecture today must be designed around security first.
The primary goal for every cybersecurity professional is to reduce the attack surface of their enterprise, both at the perimeter and at the device level. No matter its design, IT departments must ensure that the entire technology stack is secure. This requires a layered security architecture that involves more than simply layering new security tools on top of existing infrastructure. Layered security is an architecture that requires a well-conceived blueprint. A piecemeal approach to the implementation of security tools can introduce inhibitive complexities into systems management. It is also important for IT not to silo its security functions, and for all personnel to work collaboratively with one another in establishing security practices, managing systems infrastructure, monitoring alerts and planning future purchases. In a sense, like your security architecture, your personnel must work in conjunction with one another.