There is no question that the uptake in cloud services and the influx of connected devices create a more complex environment for implementing security. CSO Online illustrates this with its estimate that a typical enterprise may have as many as 75 different security products that it is evaluating and/or deploying to cover the many different aspects of security.
With so much emphasis on the latest and greatest firewalls or threat detection systems, one often overlooked solution to improving a company’s security posture is the network itself. And what’s ironic is that with most breaches – it’s the network design that gets organizations into trouble.
Sadly, the designs of many networks remain flat. A hacker makes their way onto the network through an unsuspecting user or unattended IoT device, and once the hacker is in, they have an IP interface. Next, with relatively little effort, the attacker can discover the IP network topology, which ultimately allows the hacker to carefully navigate their way to the organization’s “crown jewels.”
This scenario was highlighted in a proof-of-concept hack in which, because of the hospital’s flat network, researchers discovered and then penetrated an ultrasound. From there, they were able to download and manipulate patient files, then execute ransomware.
Investing in the proper network infrastructure and a well-thought-out network design can prevent this type of dangerous occurrence and can enhance security by:
Businesses have transitioned to a global hybrid workforce that requires infinitely distributed connectivity and a consumer-centric experience. A modern-day Infinite Enterprise requires solutions that offer immense value in providing an inherently secure network. Furthermore, scalable cloud management of these solutions can make life easier for the average administrator. Allow me to detail how well-thought-out network design can help improve an organization's overall security posture.
According to Rob Joyce of the NSA, “A well-segmented network means that if a breach occurs, it can be contained… the difference between a contained and uncontained breach is the difference between an incident and a catastrophe.” I refer you back to the breached ultrasound. A segmented network would have contained the hacker to his/her point of entry. The attacker wouldn’t have had any visibility to the ultrasounds connected to the network.
Businesses deploy network segments on a massive scale to accommodate the needs of a distributed enterprise. An addressing hierarchy clearly separates user services, network segments, and the underlying network infrastructure. User traffic can be encapsulated at the edge with the right design, making the traffic completely invisible to the network core. Additionally, network services and segments should run as ships in the night, without any awareness of each other. They should be completely isolated from each other without allowing any access in or out, unless otherwise configured through strictly controlled access points. Isolation ensures that if there is a breach, that breach is contained to the segment where it occurred – minimizing potential damage.
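The containment argument above can be checked against a segment plan before it is deployed. The following is an added example, not code from the original article or any vendor: it compares how many hosts are reachable from each entry point on a flat design versus a segmented one, and all host names, segment names and access points are constructed for illustration.

```python
from collections import deque

# Constructed sample inventory: host -> segment (all names are hypothetical).
HOSTS = {
    "guest-laptop": "guest",
    "iot-camera": "iot",
    "ultrasound-1": "clinical",
    "pacs-server": "clinical",
    "ehr-db": "records",
    "hr-desktop": "corporate",
}

# Constructed policy: the only permitted inter-segment flows, each standing in
# for a strictly controlled access point (source segment -> destination host).
ACCESS_POINTS = {
    ("clinical", "ehr-db"),
    ("corporate", "ehr-db"),
}

def reachable(start, hosts, access_points, flat=False):
    """Hosts that become exposed if `start` is compromised, following allowed flows."""
    seen, queue = {start}, deque([start])
    while queue:
        current = queue.popleft()
        for target, target_segment in hosts.items():
            if target in seen:
                continue
            same_segment = hosts[current] == target_segment
            permitted = (hosts[current], target) in access_points
            if flat or same_segment or permitted:
                seen.add(target)
                queue.append(target)  # exposure is transitive through each hop
    return seen - {start}

def blast_radius_report(hosts, access_points):
    """Per entry point: (exposed hosts on a flat design, exposed hosts when segmented)."""
    return {
        host: (len(reachable(host, hosts, access_points, flat=True)),
               len(reachable(host, hosts, access_points)))
        for host in hosts
    }

if __name__ == "__main__":
    for host, (flat, segmented) in blast_radius_report(HOSTS, ACCESS_POINTS).items():
        print(f"{host:14} flat={flat} segmented={segmented}")
```

Every access point added to the policy widens the segmented figure, so the report is also a quick way to review which controlled crossings deserve the closest monitoring.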
A core design based on Ethernet Switched Paths (as opposed to IP) is impervious to the commonly used IP scanning and hacking tools that hackers rely on to discover the network topology. Anyone running an IP scan against this type of design would just get a list of IP subnets, each showing just a single hop to the egress of the network. Everything in between would be “dark.” This inability to discover the network’s topology makes it nearly impossible for hackers to move laterally to sensitive areas of the network. At the same time, however, network administrators require full visibility into and control over the functioning topology of the network.
Network admins are often overwhelmed by the amount of configuration required for segmentation in a large-scale distributed enterprise. Therefore, a network fabric that enables the dynamic establishment of secure segments at the network edge is critical. These segments can extend and retract as authenticated users and devices connect and disconnect from the network. When a user disconnects from a switch port and access to the segment is no longer required, the residual configuration is automatically deleted on the edge switches. This dynamic capability not only removes the delays and risks associated with manually configured conventional networks, it also eliminates the risk of a back-door entry point to the network.
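The extend-and-retract behaviour described above can be modelled to see where residual configuration comes from. This is an added example, not the article's or any fabric vendor's code: it replays a constructed edge event log and reports segments left provisioned on a switch with no live session behind them; the event names, identities and policy table are assumptions.

```python
# Constructed policy-server table: authenticated identity -> segment.
POLICY = {"dr-lee": "clinical", "ultrasound-1": "clinical", "hvac-ctl": "facilities"}

# Constructed edge event log: (time, switch, port, event, identity).
EVENTS = [
    (1, "edge-1", "1/1", "auth-ok", "dr-lee"),
    (2, "edge-1", "1/2", "auth-ok", "ultrasound-1"),
    (3, "edge-2", "1/1", "auth-ok", "hvac-ctl"),
    (4, "edge-1", "1/3", "auth-fail", "unknown-device"),
    (5, "edge-1", "1/1", "link-down", None),
    (6, "edge-2", "1/1", "link-down", None),
]

def residual_segments(events, policy, dynamic):
    """Return {switch: segments still provisioned with no live session using them}.

    dynamic=True  models a fabric that retracts a segment when its last session ends.
    dynamic=False models manual configuration that nobody removes afterwards.
    """
    bindings = {}     # (switch, port) -> segment held by a live session
    configured = {}   # switch -> segments currently provisioned on it
    for _time, switch, port, event, identity in sorted(events, key=lambda e: e[0]):
        if event == "auth-ok" and identity in policy:
            segment = policy[identity]
            bindings[(switch, port)] = segment               # extend to this port
            configured.setdefault(switch, set()).add(segment)
        elif event == "link-down":
            segment = bindings.pop((switch, port), None)
            still_used = {s for (sw, _), s in bindings.items() if sw == switch}
            if dynamic and segment is not None and segment not in still_used:
                configured[switch].discard(segment)          # retract: last user left
        # "auth-fail" extends nothing: no session, no segment on that port
    residual = {}
    for switch, segments in configured.items():
        live = {s for (sw, _), s in bindings.items() if sw == switch}
        if segments - live:
            residual[switch] = segments - live
    return residual

if __name__ == "__main__":
    print("dynamic fabric:", residual_segments(EVENTS, POLICY, dynamic=True))
    print("manual config :", residual_segments(EVENTS, POLICY, dynamic=False))
```

Note that on edge-1 the clinical segment correctly stays provisioned after port 1/1 drops, because port 1/2 still has a live session in it.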
The stealthiest network segment in an infinite enterprise network is a Layer 2 segment, where absolutely no IP interface is defined. IP can still run ‘inside’ the L2 segment, but the segment itself is a closed environment where nothing can enter or exit unless otherwise provisioned. This type of service is useful for protocols used for control and management of security-critical infrastructures such as power grids, subways, trains, and production and manufacturing floors, where providing a closed environment is crucial.
Some organizations rely on firewalls to perform the task of segmenting the network. Over time this approach can lead to high CAPEX and OPEX costs. If the automatic and dynamic segmentation mentioned above is deployed, a distributed enterprise network becomes simple to segment and easy to manage. And then, firewalls can be used much more efficiently at demarcation points. Threat protection agents can be strategically deployed at the ingress and egress of the network segments. They watch for abnormal data moving in and out of each segment. Policy servers should still be used to control access to network segments. This, of course, ensures users and devices are properly validated and have the necessary authentication credentials to gain access to a specific segment.
The bottom line is that a well-thought-out segmentation strategy and design is crucial. Your distributed enterprise network can be an active participant in protecting organizations from a catastrophic “headline making” attack. The time has come to start turning over a portion of that security budget to the network.