Protect Your Enterprise from Ransomware – Part II

Tips on Network Segregation

In our first post, we discussed the big idea of Setting Up an Administrator Clean Room to separate all of your company’s security personnel and security-purposed devices from all of its non-security personnel and unsecured devices.

This post shows how you can additionally secure your environment with network segregation.

Most System Admins understand the need for a Local Area Network (LAN) that’s totally inaccessible from the Wide Area Network (WAN) or Internet. You also need a perimeter network or Demilitarized Zone (DMZ) for a Web Server, FTP servers and any other service that needs to be reachable from the WAN.

So, here are some tips on how to segregate your networks to prevent attacks:

  • You should separate systems into their own networks. Two
    different systems should never share the same LAN or DMZ
    networks. Separation keeps a second system from getting
    penetrated if the first system is breached.
  • Don’t allow LAN networks to have ANY internet access
    whatsoever. You don’t want to give a hacker who has breached
    the database server anywhere to go with stolen data. With
    internet access denied, the hacker’s only option now is to
    find a path backwards from the entry point OR a path through
    the Web Server. This makes exfiltration of data quite a bit
    more difficult. This is especially so if you maintain an
    Administrator Clean Room for all admin activities. Since
    that room has no Internet access or email, there really is
    no way for a hacker to exfiltrate the data from that user’s
  • Do not allow any FTP, SFTP or SSH type of traffic on ANY
    network with your webserver. Segregate that traffic into a
    separate DMZ network as well. It is amazing how much data
    exfiltration happens simply because the outbound traffic
    looks like legitimate FTP transfers. If you don’t even allow
    FTP or SFTP traffic on those networks, it becomes much
    harder to get unauthorized data transfers done. Also, if you
    monitor your network for those protocols you can raise
    alarms if anyone attempts to make such transfers.
  • Don’t allow any UDP or connection protocol traffic out of
    your DMZ networks. Trigger alarms if you find any. Again, it
    will make the hacker’s life much more difficult.
  • Be sure to monitor the perimeter of the LAN using your
    Security Information and Event Management (SIEM) system. And
    be sure to raise alarms whenever you find ANY attempts to
    get traffic out. You should also monitor traffic from the
    Web Server cluster to confirm that whatever goes out is a
    direct response to a web request and nothing else. Setting
    up a SIEM properly so you get real alerts and not a zillion
    alerts all day is a black art. If you don’t know how to,
    find someone who does.
  • If you’re unlucky enough to have a Windows Server in your
    DMZ, be sure to put a Web Application Firewall (WAF) in
    front of it. Microsoft, in our long experience, is incapable
    of making a secure product. Simple as that. Leaving your
    Windows server on the WAN without a WAF is like securing it
    with a wing and a prayer.
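As an added example (not code from the original post), here is a small Python checker that applies the rules above to constructed flow records and reports which ones a SIEM should alert on. The segment addresses, the port sets, and the "proto src:sport > dst:dport" record format are assumptions made for this example.

```python
import ipaddress

# Segment addresses are placeholders assumed for this example (not from the post).
LAN_NET = ipaddress.ip_network("10.10.0.0/16")         # internal systems: no internet access at all
WEB_DMZ_NET = ipaddress.ip_network("192.0.2.0/24")     # web server cluster
FTP_DMZ_NET = ipaddress.ip_network("198.51.100.0/24")  # separate DMZ for FTP/SFTP/SSH services
INTERNAL_NETS = (LAN_NET, WEB_DMZ_NET, FTP_DMZ_NET)
FILE_TRANSFER_PORTS = {21, 22}  # FTP control, SSH/SFTP
WEB_PORTS = {80, 443}

# Constructed flow records in "proto src:sport > dst:dport" form (sample data, not real logs).
SAMPLE_FLOWS = """\
tcp 10.10.5.20:51000 > 203.0.113.9:443
tcp 192.0.2.10:443 > 203.0.113.77:50112
tcp 192.0.2.10:41234 > 203.0.113.9:22
udp 192.0.2.11:53321 > 203.0.113.53:53
tcp 198.51.100.5:22 > 203.0.113.40:60001
tcp 10.10.5.20:3306 > 10.10.7.8:49152
"""

def is_internal(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in INTERNAL_NETS)

def parse_flow(line: str):
    """Return (proto, src_ip, sport, dst_ip, dport) for one flow record."""
    proto, src, _, dst = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return proto, ipaddress.ip_address(src_ip), int(sport), ipaddress.ip_address(dst_ip), int(dport)

def classify(line: str) -> list[str]:
    """Apply the post's segregation rules to one flow; return the alerts it raises."""
    proto, src, sport, dst, dport = parse_flow(line)
    alerts = []
    # Rule: LAN networks get no internet access whatsoever.
    if src in LAN_NET and not is_internal(dst):
        alerts.append("LAN host reaching the internet")
    # Rule: no FTP/SFTP/SSH on any network that carries the web server.
    if (src in WEB_DMZ_NET or dst in WEB_DMZ_NET) and \
            (sport in FILE_TRANSFER_PORTS or dport in FILE_TRANSFER_PORTS):
        alerts.append("file-transfer protocol on web server network")
    # Rule: no UDP leaving the DMZ networks.
    if proto == "udp" and (src in WEB_DMZ_NET or src in FTP_DMZ_NET) and not is_internal(dst):
        alerts.append("UDP leaving DMZ")
    # Rule: outbound web-cluster traffic must be a response to a web request.
    # Heuristic: a response carries the web port as its *source* port; anything
    # sent from an ephemeral port is a connection the server itself initiated.
    if src in WEB_DMZ_NET and sport not in WEB_PORTS and not is_internal(dst):
        alerts.append("web server initiated an outbound connection")
    return alerts

def scan(flow_text: str) -> list[tuple[str, str]]:
    """Run every flow record through classify(); return (record, alert) pairs."""
    return [(ln, a) for ln in flow_text.splitlines() if ln.strip() for a in classify(ln)]

if __name__ == "__main__":
    for record, alert in scan(SAMPLE_FLOWS):
        print(f"ALERT: {alert:45} {record}")
```

The SFTP server answering from its own DMZ (fifth record) raises nothing, while the web server reaching out on port 22 raises two alerts: the protocol is on the wrong network and the connection was not a web response.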
