Tips on Network Segregation
In our first post, we discussed the big idea of Setting Up an Administrator Clean Room to separate all of your company’s security personnel and security-purposed devices from all of its non-security personnel and unsecured devices.
This post shows how you can additionally secure your environment with network segregation.
Most system admins understand the need for a Local Area Network (LAN) that is totally inaccessible from the Wide Area Network (WAN) or Internet. You also need a perimeter network, or Demilitarized Zone (DMZ), for a web server, for FTP servers and for any other service that has to be reachable from the WAN.
So, here are some tips on how to segregate your networks to prevent attacks:
- Separate systems into their own networks. Two different systems should never share the same LAN or DMZ network. Separation keeps a second system from being penetrated if the first system is breached.
- Don't allow LAN networks ANY Internet access whatsoever. You don't want to give a hacker who has breached the database server anywhere to go with stolen data. With Internet access denied, the hacker's only options are to find a path backwards through the entry point OR a path out through the web server, which makes exfiltration of data quite a bit more difficult. This is especially so if you maintain an Administrator Clean Room for all admin activities: since that room has no Internet access or email, there really is no way for a hacker to exfiltrate the data from that user's desktop.
- Do not allow any FTP, SFTP or SSH type of traffic on ANY network that holds your web server. Segregate that traffic into a separate DMZ network as well. It is amazing how much data exfiltration happens simply because the outbound traffic looks like legitimate FTP transfers. If you don't even allow FTP or SFTP traffic on those networks, it becomes much harder to get unauthorized data transfers done. Also, if you monitor your network for those protocols, you can raise alarms whenever anyone attempts such a transfer.
- Don't allow any UDP or connection protocol traffic out of your DMZ networks, and trigger alarms if you find any. Again, it will make the hacker's life much more difficult.
- Be sure to monitor the perimeter of the LAN using your Security Information and Event Management (SIEM) system, and raise alarms whenever you find ANY attempt to get traffic out. Monitor traffic leaving the web server cluster to catch outbound traffic that is not a direct response to a web request. Setting up a SIEM properly so that you get real alerts, and not a zillion alerts all day, is a black art. If you don't know how, find someone who does.
- If you're unlucky enough to have a Windows Server in your DMZ, be sure to put a Web Application Firewall (WAF) in front of it. Microsoft, in our long experience, is incapable of making a secure product. Simple as that. Leaving your Windows server on the WAN without a WAF is like securing it with a wing and a prayer.
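As an added example (not code from the original post), the script below turns the tips above into a small policy check that a SIEM rule or a cron job could run over perimeter firewall logs: it flags LAN hosts reaching the Internet, FTP/SFTP/SSH on the web server's network, UDP leaving a DMZ, and any connection a DMZ host initiates toward the Internet rather than answers. The zone layout (RFC 1918 and RFC 5737 ranges), the `src=... dst=... proto=... dport=...` log format and every sample line are constructed assumptions for illustration.

```python
"""Audit perimeter connection logs against a network-segregation policy.

Constructed example: the zone layout, the log format and every sample line
below are assumptions made for illustration, not a real deployment.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical zone layout (RFC 1918 / RFC 5737 ranges chosen for the example).
ZONES = {
    "LAN": ip_network("10.10.0.0/16"),          # databases, admin desktops
    "DMZ_WEB": ip_network("192.0.2.0/24"),      # web server cluster
    "DMZ_XFER": ip_network("198.51.100.0/24"),  # the separate FTP/SFTP DMZ
}
# Anything outside the defined zones is treated as the Internet (WAN).
FILE_TRANSFER_PORTS = {21: "FTP", 22: "SSH/SFTP"}

# Assumed log format: one line per NEW connection, where src is the initiator
# (the way a stateful firewall reports new sessions).
LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_line(line: str) -> Flow:
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return Flow(m["src"], m["dst"], m["proto"].lower(), int(m["dport"]))


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "INTERNET"


def evaluate(flow: Flow) -> list[str]:
    """Return the policy violations a single new connection represents."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    alerts = []
    # LAN hosts get no Internet access at all.
    if src_zone == "LAN" and dst_zone == "INTERNET":
        alerts.append("LAN host reached the Internet")
    # No FTP/SFTP/SSH on the web server's network, in either direction.
    if "DMZ_WEB" in (src_zone, dst_zone) and flow.proto == "tcp" \
            and flow.dport in FILE_TRANSFER_PORTS:
        alerts.append(f"{FILE_TRANSFER_PORTS[flow.dport]} on the web DMZ")
    # No UDP leaving any DMZ network.
    if src_zone.startswith("DMZ") and dst_zone != src_zone and flow.proto == "udp":
        alerts.append("UDP leaving a DMZ")
    # A DMZ host should only answer inbound requests; a connection it
    # initiates toward the Internet is not a response and is flagged.
    if src_zone.startswith("DMZ") and dst_zone == "INTERNET":
        alerts.append("connection initiated from a DMZ toward the Internet")
    return alerts


def audit(lines) -> list[tuple[int, str, list[str]]]:
    """Evaluate every log line; return (line number, line, alerts) for violations."""
    findings = []
    for n, line in enumerate(lines, start=1):
        alerts = evaluate(parse_line(line))
        if alerts:
            findings.append((n, line, alerts))
    return findings


# Constructed sample log: legitimate traffic mixed with policy violations.
SAMPLE_LOG = [
    "NEW src=203.0.113.50 dst=192.0.2.10 proto=tcp dport=443",   # client -> web: fine
    "NEW src=192.0.2.10 dst=10.10.4.7 proto=tcp dport=5432",     # web -> DB: fine
    "NEW src=10.10.4.7 dst=203.0.113.77 proto=tcp dport=443",    # DB host -> Internet
    "NEW src=192.0.2.10 dst=203.0.113.77 proto=tcp dport=22",    # web -> Internet SSH
    "NEW src=192.0.2.10 dst=203.0.113.77 proto=udp dport=53",    # web -> Internet UDP
    "NEW src=198.51.100.5 dst=203.0.113.80 proto=tcp dport=21",  # xfer DMZ -> Internet FTP
]

if __name__ == "__main__":
    for n, line, alerts in audit(SAMPLE_LOG):
        print(f"line {n}: {line}")
        for a in alerts:
            print(f"    ALERT: {a}")
```

Run stand-alone, the script reports lines 3 through 6 of the sample log; the first two lines (a client hitting the web server, and the web server talking back to the database) pass because the post's rules only forbid paths out, not the inbound-and-back path a web application legitimately needs. The point of encoding the rules this way is that each alert names the tip it enforces, so a SIEM analyst tuning thresholds can see which rule is noisy rather than drowning in a zillion undifferentiated alerts.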