The remaining controls apply both to connected devices and to the network as a whole. No network is secure if attention isn't paid to hardening the servers, desktops, laptops and other devices attached to it. These controls and their supporting activities fall into the following layers of a defense-in-depth security strategy:
- Host anti-virus and intrusion prevention
- Access control
- Secure configuration
- Monitoring, reporting and alerting
Network Segmentation
The concept of segmentation is simple: separate your critical infrastructure and sensitive data from the general-access areas of your network, then deploy stronger (and usually more expensive) controls to protect the segments you have created. This is easier than it sounds.
The most common method of network segmentation is the use of VLANs. VLANs (virtual local area networks) are logical network segments created in enterprise switch configuration. Hosts on different VLANs cannot exchange traffic unless a router or Layer 3 switch forwards it between them, and that forwarding point is where the access control is enforced. Refer to Figure 1.
Each VLAN is assigned a numeric identifier; in this example it is a single digit. Access control lists (ACLs) determine whether traffic is allowed to pass from one VLAN to another. (For more information about how to use VLANs for secure network segmentation, see Strengthen Data Protection with Network Access Controls.) Note that the application servers and the database servers they access are on separate VLANs. VLAN 4 contains no sensitive data, so no special controls are in place. All sensitive information in this example is stored on database servers on VLAN 3.
Individual user devices are blocked from VLAN 3 with an ACL, so the only way to reach the database servers is through an application server, and the application servers log into the databases with service accounts. These service accounts have 24-character random passwords known only to the security team. This makes the application servers the chokepoint an attacker must compromise, so they warrant the same hardening as the database tier.
Other "secure segment" controls you might consider include:
- A firewall used as a gateway, providing additional control over traffic entering the secure segment
- An IPS through which all traffic in and out of the secure segment passes, watching for unexpected data transfers/activity
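The ACL behaviour described above, as an added example (not code from the original article): a small evaluator that applies an ordered access list to candidate flows between the VLANs of Figure 1, and renders the same rules as Cisco IOS extended access-list lines. The subnets, the database port (1433) and the access-list number are assumptions; the article gives only the VLAN numbers. The evaluator also illustrates the default-deny stance that the secure-configuration list later recommends for firewalls: a flow that matches no rule is denied, so every permit has to be stated explicitly.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# Constructed addressing for the VLANs in the article's example. The article
# gives only VLAN numbers; the subnets and the database port are assumptions.
VLANS: Dict[int, IPv4Network] = {
    2: ip_network("10.0.2.0/24"),  # application servers
    3: ip_network("10.0.3.0/24"),  # database servers holding sensitive data
    4: ip_network("10.0.4.0/24"),  # user devices, no sensitive data
}
DB_PORT = 1433  # assumed: SQL Server
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None = any destination port
    log: bool = False


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def vlan_of(addr: str) -> Optional[int]:
    """Map an address to the VLAN whose subnet contains it (None if unknown)."""
    a = ip_address(addr)
    for vid, net in VLANS.items():
        if a in net:
            return vid
    return None


def evaluate(acl: List[Rule], flow: Flow) -> str:
    """First matching rule wins. A flow matching no rule is denied: this
    implicit deny at the end of the list is what makes an ACL default-deny."""
    s, d = ip_address(flow.src), ip_address(flow.dst)
    for r in acl:
        if r.proto != "ip" and r.proto != flow.proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action
    return "deny"


# ACL enforced on traffic entering VLAN 3: only application servers, and only
# to the database port. User devices on VLAN 4 match nothing but the final deny.
# Return traffic is assumed to be handled statefully by the gateway; a stateless
# router ACL would also need a rule permitting established replies back out.
VLAN3_INBOUND: List[Rule] = [
    Rule("permit", "tcp", VLANS[2], VLANS[3], DB_PORT),
    Rule("deny", "ip", ANY, VLANS[3], log=True),  # explicit, so denials are logged
]

# VLAN 4 has no ACL applied, so (as on a real switch) everything passes.
ACLS_BY_DEST_VLAN: Dict[int, List[Rule]] = {3: VLAN3_INBOUND}


def decide(flow: Flow) -> str:
    """Apply the ACL of the destination VLAN, if one is applied at all."""
    acl = ACLS_BY_DEST_VLAN.get(vlan_of(flow.dst))
    return evaluate(acl, flow) if acl is not None else "permit"


def _wild(net: IPv4Network) -> str:
    # IOS extended ACLs take a wildcard (inverted) mask, or the keyword "any".
    return "any" if net == ANY else f"{net.network_address} {net.hostmask}"


def to_ios(acl: List[Rule], number: int = 101) -> List[str]:
    """Render the same rules as Cisco IOS extended access-list lines."""
    lines = []
    for r in acl:
        line = f"access-list {number} {r.action} {r.proto} {_wild(r.src)} {_wild(r.dst)}"
        if r.dport is not None:
            line += f" eq {r.dport}"
        if r.log:
            line += " log"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for f in (Flow("tcp", "10.0.2.10", "10.0.3.5", DB_PORT),  # app server -> DB
              Flow("tcp", "10.0.4.23", "10.0.3.5", DB_PORT),  # user device -> DB
              Flow("tcp", "10.0.2.10", "10.0.3.5", 22),       # app server -> DB over SSH
              Flow("tcp", "10.0.4.23", "10.0.2.10", 443)):    # user device -> app server
        print(f"{f.proto} {f.src} -> {f.dst}:{f.dport}: {decide(f)}")
    print("\n".join(to_ios(VLAN3_INBOUND)))
```

The explicit final deny with `log` is deliberate: the implicit deny would block the same traffic, but it leaves no record, and the monitoring section below depends on those denials being logged.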
Host Anti-malware and Intrusion Prevention
Every device connected to the network should be "hardened." Hardening includes installing and maintaining anti-malware software on securely configured and patched systems. It also includes running host-based IPS software on servers and end-user devices. Placing IPS solutions, including software firewalls, on endpoint devices accomplishes two security objectives. First, it creates a final defensive line against malware or human activity that has made it through all the other layers. Second, it helps contain the damage if a connected device is compromised. For example, a worm that finds its way onto a desktop will have a hard time spreading to other computers if those computers are locked down and the infected desktop blocks questionable outbound connections, such as attempts to reach many neighbouring hosts on a file-sharing port.
Access Control
When most people think of access control, they picture logging into their computer in the morning. While this is indeed an example of access control, it is only a small part of an overall network access control strategy.
A comprehensive strategy includes:
- User logins.
- System-to-system authentication. When a computer contacts another computer, especially if sensitive data is involved, the two computers should authenticate each other. This is typically accomplished with certificates (for example, mutual TLS) or other controls that uniquely identify devices; a shared password on a service account identifies the account, not the machine using it.
- Control of network segment access. The best way to begin protecting your data is to allow only those computers with an absolute business need to even see the data repositories. As discussed earlier, this is accomplished with a combination of network segmentation, access control lists, and other controls deemed appropriate.
- Restricting physical access to critical infrastructure. Although this article focuses on technical controls, it's important to note the importance of physical security. No amount of technical security will protect your data if an attacker can gain physical access to your critical infrastructure.
Secure Configuration
Secure configuration, or hardening, of devices is probably the best way to protect your data. It includes:
- Disabling all ports and services that are not absolutely required
- Applying security patches as soon as is reasonable after release
- For firewalls and other network control devices, beginning by denying all traffic and opening only what is required for the business to operate
- As far as is reasonable and appropriate, following vendor recommendations for securing your operating systems, switches, routers, etc.
Monitoring, Alerting, and Reporting
Several years ago, my CIO at the time drilled into my sometimes hard head one very important principle: inspect what you expect. In other words, under no circumstances should you assume that what is supposed to be happening is actually happening. Although this was intended as a general management lesson, it is also an important element of enterprise security.
Your prevention and detection controls don't always work as designed, or as you think you designed them. So you must always include monitoring, alerting, and reporting as outcomes of every control implementation project. These outcomes include not only verifying that the controls are actually working; they should also help surface anomalous events that only human intuition and experience would recognize as a problem.
The best way to bring all this together is log management. A log management solution aggregates logs into a central repository from all security devices, LAN/WAN equipment, and other key systems. The aggregated data is then passed through a correlation engine whose rules look for combinations of events, often from different sources, that have a high probability of being a security incident.
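The correlation step described above, and the "inspect what you expect" principle, as an added example (not code from the original article): a minimal correlation engine run over constructed, already-normalized log lines from a switch ACL, a database server and several host firewalls. The log format, hostnames, addresses (10.0.2.0/24 application servers, 10.0.3.0/24 database servers, 10.0.4.0/24 user devices) and thresholds are all assumptions. Three rules are applied: repeated ACL denials from one source toward the database VLAN (the segmentation control working, and someone probing it), a successful database login from outside the application tier (the control not doing what we expect), and one host being blocked by many peers on the SMB port (the worm behaviour from the host-IPS section).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed log lines in a simple "timestamp host EVENT key=value ..." form.
# Real devices emit vendor-specific formats; a log manager normalizes them into
# fields like these before correlation. Addresses follow the assumed VLAN layout:
# 10.0.2.0/24 app servers, 10.0.3.0/24 database servers, 10.0.4.0/24 user devices.
SAMPLE_LOGS = """\
2024-05-01T08:00:01Z switch1 ACL-DENY src=10.0.4.23 dst=10.0.3.5 dport=1433
2024-05-01T08:00:04Z switch1 ACL-DENY src=10.0.4.23 dst=10.0.3.5 dport=1433
2024-05-01T08:00:09Z switch1 ACL-DENY src=10.0.4.23 dst=10.0.3.6 dport=1433
2024-05-01T08:00:15Z app1 APP-LOGIN user=jsmith src=10.0.4.23 result=success
2024-05-01T08:00:16Z db1 DB-LOGIN user=svc_app src=10.0.2.10 result=success
2024-05-01T08:03:40Z db1 DB-LOGIN user=svc_app src=10.0.4.23 result=success
2024-05-01T08:05:00Z ws31 HOSTFW-DENY src=10.0.4.23 dst=10.0.4.31 dport=445
2024-05-01T08:05:01Z ws32 HOSTFW-DENY src=10.0.4.23 dst=10.0.4.32 dport=445
2024-05-01T08:05:01Z ws33 HOSTFW-DENY src=10.0.4.23 dst=10.0.4.33 dport=445
2024-05-01T08:05:02Z ws34 HOSTFW-DENY src=10.0.4.23 dst=10.0.4.34 dport=445
2024-05-01T08:05:03Z ws35 HOSTFW-DENY src=10.0.4.23 dst=10.0.4.35 dport=445
2024-05-01T08:09:00Z ws40 HOSTFW-DENY src=10.0.4.50 dst=10.0.4.31 dport=445
"""

APP_SERVERS = ("10.0.2.",)  # assumed application-server subnet prefix
DB_SERVERS = ("10.0.3.",)   # assumed database-server subnet prefix
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")


def parse(line: str) -> Dict[str, object]:
    """Split one normalized line into timestamp, host, event name and fields."""
    ts, host, event, rest = LINE_RE.match(line).groups()
    ev: Dict[str, object] = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                             "host": host, "event": event}
    ev.update(kv.split("=", 1) for kv in rest.split())
    return ev


def correlate(lines: List[str], window: timedelta = timedelta(seconds=60),
              probe_threshold: int = 3, fanout_threshold: int = 5) -> List[Dict[str, str]]:
    """Apply three correlation rules to events in timestamp order.
    Returns one alert per finding; each rule fires at most once per source."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts: List[Dict[str, str]] = []
    acl_hits = defaultdict(list)  # src -> timestamps of ACL denials toward the DB VLAN
    fanout = defaultdict(list)    # src -> (ts, dst) of SMB attempts blocked by host firewalls
    fired = set()
    for e in events:
        if e["event"] == "ACL-DENY" and e["dst"].startswith(DB_SERVERS):
            hits = acl_hits[e["src"]]
            hits.append(e["ts"])
            hits[:] = [t for t in hits if e["ts"] - t <= window]  # sliding window
            if len(hits) >= probe_threshold and ("probe", e["src"]) not in fired:
                fired.add(("probe", e["src"]))
                alerts.append({"rule": "segment-probe", "src": e["src"],
                               "detail": f"{len(hits)} denied connections to the database VLAN in {window.seconds}s"})
        elif e["event"] == "DB-LOGIN" and e["result"] == "success" \
                and not e["src"].startswith(APP_SERVERS):
            # The VLAN 3 ACL should make this impossible. Seeing it means the
            # control is not doing what we expect, whatever the configuration says.
            alerts.append({"rule": "control-bypass", "src": e["src"],
                           "detail": f"database login as {e['user']} from outside the application tier"})
        elif e["event"] == "HOSTFW-DENY" and e["dport"] == "445":
            f = fanout[e["src"]]
            f.append((e["ts"], e["dst"]))
            f[:] = [(t, d) for t, d in f if e["ts"] - t <= window]
            targets = {d for _, d in f}
            if len(targets) >= fanout_threshold and ("fanout", e["src"]) not in fired:
                fired.add(("fanout", e["src"]))
                alerts.append({"rule": "smb-fanout", "src": e["src"],
                               "detail": f"blocked SMB to {len(targets)} distinct hosts in {window.seconds}s"})
    return alerts


def run_sample() -> List[Dict[str, str]]:
    return correlate(SAMPLE_LOGS.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a['rule']}] {a['src']}: {a['detail']}")
```

The second rule is the one the "inspect what you expect" lesson is about: it needs no threshold, because a single successful database login from a user device is proof that the segmentation control has failed, and it is only detectable because the database server's own logs are collected alongside the switch's.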
For more information about log management, see Use security log management to monitor network activity.