I recently saw an episode from one of those “caught on camera” television series that featured a group of thieves attempting to rob a jewelry store. What intrigued me most about this particular footage was the layers of security deployed by this particular jewelry store. Once the store owners had perceived these individuals as a threat, they retreated to a safe room and activated an alarm. This in turn triggered bulletproof barriers to drop across several entrances, the front door to lock and an alarm to sound. The thieves made an attempt to break through the barriers and display cases only to find they too were made of bulletproof glass. They then smashed the cash register and grabbed what they could from the few cases they were able to finally access. They then focused their attention on escaping from the store which also proved to be very difficult given the locked door and bulletproof glass. Just as they were finally able to break through the glass of the door, police were waiting outside to apprehend them.
I’ve seen my share of these television series and in most episodes that featured jewelry theft, the thieves came through the front door and smashed through the display cases taking what they wanted before leaving the same way they came. What made this store different was the bulletproof glass and security doors inside the store and the fact that the thieves were caught prior to leaving the store.
How does this relate to network security? Actually, there are several similarities that can be made. The main entrance and bulletproof glass of the street facing windows could be compared to a border firewall. The motion sensors and glass break detectors we will call our Intrusion Detection System and the cameras in many ways serve as event logging. Unfortunately for many businesses, that’s where the similarities stop. Once an intruder is beyond the border firewall/IDS system, there are typically very few measures in place to restrict their movements within the internal network.
I believe the best defense against a potential attacker is to never allow the attacker to “touch” the device in the first place. We have seen time and time again how malware spreads between systems that never had a need to communicate with each other utilizing ports that were never really required. Does Sally’s PC in the finance department really need to communicate with Fred’s PC in marketing? Most organizations are shocked to learn what little network traffic is really required compared to all that is allowed.
Segmentation can reduce the scope of certain audit requirements which in turn can reduce costs for an assessment. For example, the PCI DSS standard dictates that all systems, applications and processes that have access to credit card information will be considered within the scope of an audit. A flat network topology by default can provide access to protected data from systems without any need to access it. Segmenting the cardholder data environment from the rest of the corporate network reduces the scope of the audit to only those devices within the cardholder environment.
Introducing segmentation within an internal network may seem like a daunting task but in reality it doesn’t have to be that difficult. Developing a data classification policy is the first step followed by an access policy that defines traffic flow between different classifications of data. The access policy will then determine what hardware components (if any) will be needed. Many organizations already have components in place to begin segmenting their network with only configuration changes. The key to success is understanding where data currently is within the network, developing clear and enforceable policies and creating a migration plan to the new segments.
Back to the jewelry store, those barriers did little to stop the thieves from smashing the display cases, kicking in doors and cracking the windows, but it contained them long enough to prevent the thieves from escaping with the jewelry. What are the “jewels” within your network and what barriers are in place once the thieves are beyond your front door?