Tuesday, February 14, 2012

Building a Better Castle: Hardening the Squishy Center of your Network

by Rob Bathurst.

For several years, companies and consultants pushed very heavily on enhancing perimeter security through the use of firewalls and other network defense technologies intended to prevent unwanted traffic from entering the network. While this hardened outer wall is a great piece of the defense-in-depth model, it should not be considered the be-all-end-all in preventing malicious attackers from gaining access to your network.


When architecting your network security, ask yourself three questions:
  1. What does the company care about (what is my treasure)?
  2. Can a compromise be contained (how strong is my castle)?
  3. Who are the threats (identify the dragons and hordes)?

This post will focus on the first two of these questions. Dragons and Hordes will be covered in depth in a later posting. Keep in mind that the goal of this approach is to offer a new way of thinking about the complex problem of data-centric design and layered network defenses. Using this document as a blueprint- for actual castles, for company networks, or for repelling invading hordes- is not recommended.

Critical Assets: What is my treasure?

When attempting to protect your pile of gold from the hordes seeking to sack your keep it is important to first know what we need to put in the keep. A king would not store farm equipment, dirty clothes, and empty tankards with the Crown Jewels and nor should you. To figure out what are your Crown Jewels you need to ask yourself about your organization and what your organization does to make money. Even after characterizing the company’s business critical data, it’s important to realize that just as no two diamonds have the same value, no two documents do, either- even documents about the same subject.

A good example of identifying critical assets can be found in a post from earlier this month, “Just That Easy: Real World Pen Testing Attack Vectors [Part 2]:”

Sensitivity Matrix: Treasure Room, Strongbox, or Nightstand?

Establishing a matrix to determine the sensitivity of a business document is essential for data-centric security. The sample matrix below is simplistic, but shows the thought process you should use to determine the value of the diamond and where you should store that diamond (In a safe in the keep or on the night stand).

The document owner is responsible for using the data classification matrix to determine the sensitivity of their document, based upon the data it contains. The overall result of the document (a classification rating) places the document in a particular zone of the protected IT infrastructure (which room in the castle), and mandates certain controls (guards, patrols, locks, strongboxes).

Example: Mega Widgets, Ltd.

Mega Widgets Limited manufactures widgets in a very competitive widget market, and has determined they would like to classify their data to determine what level of protection to assign to a document.

Through a series of meetings with data stakeholders, Mega Widget Ltd. has determined that they will use three data classifications (Confidential, Restricted, and Mega Secret) based upon the content of the documents:

  • Confidential: Release of Confidential data may cause harm to the company. Confidential documents should be password-protected, but may remain on the creator’s or user’s system (the castle’s throne room).
  • Restricted: Release of Restricted data will cause harm to the company. Restricted documents must be password-protected; must be moved off the creator’s system to secured file storage; and the creator must delete the original copy from the creator’s system. Restricted documents can only be accessed by explicitly authorized users on the file server using a “special company document viewer widget” (the castle’s treasure room).
  • Mega Secret: Release of Mega Secret data may result in a substantial loss for the company. Mega Secret documents must be password-protected; must be moved off the creator’s system to secured file storage; the creator must delete the original copy from the creator’s system; and access to this document must be explicitly approved by management through a “special company document viewer widget” (the castle’s strongbox).

Mega Widgets Ltd.’s data architects, further, produced the following classification matrix to classify documents:

Business Critical Process Business Financial Data Competitive Edge Data
Business Critical Process Confidential Restricted Mega Secret
Business Financial Data Restricted Confidential Restricted
Competitive Edge Data Mega Secret Mega Secret Confidential

Mega Widget Limited’s classification matrix shows that, for example, they have determined any document containing a combination of Business Data and Competitive Edge Data results in a document of great importance to the company, worthy of the utmost protection (placed under guard in the Keep).

Identifying which data to protect and how much effort to put forward doing so is only the first step, however- Mega Widget Limited still needs to build their castle, reinforce the treasure room, and acquire the best strongbox they can to place in the Keep.

So how does the Mega Widget Limited protect their Mega Secrets? I’m glad you asked.

Secure Data Network: The Keep

In a data-centric security model, the greatest amount of effort, time, and money is focused on critical business assets. The first step is to gather the treasure and determine where it will need to be stored (see above), prior to attempting to protect it. This ensures that money is not wasted buying extra treasure chests for dirty clothes and farm equipment.

Once all of the treasure is classified, it comes time to build the Keep. The Keep is the last line of defense before the hordes and dragons can get to the jewels. This must be the most restrictive area of a company network, generally following at a minimum the guidelines below:

  • Not all business users should have access to the data in this area (I cannot overstate the importance of this principle)
  • User should be given access to the least amount of data needed to complete their job
  • User access should be closely monitored and logged
  • Servers within this secure zone should use multi-factor authentication with verbose logging.
  • Data transfer in and out of the Keep should be monitored at all times (Why is Bob moving a document at 2am?)
  • Data transfer should be encrypted end-to-end.
  • Network should be segmented via technological controls (ACL, Packet-Filtering firewalls, etc), not just policies and procedures.

Much like the castle (our perimeter firewall) is only a foundation; the Keep is only an intermediate step. Further defensive structures exist in and around the keep to contain perimeter breaches and further secure the treasure.

User LAN: The Killing Grounds

As bad as the name sounds, this area is the best for containing attackers who have made it past your front door, but have not yet advanced to the Keep. This part of the Castle is designed for damage control- and the same principle applies when designing a network.

The Killing Zone of a castle is design to be ceded to the besieging attackers, but only in such a way that the critical assets- the King and the crown jewels- remain defended, still secure within the Keep.

Maximizing security means working under the assumption that everything in the Killing Ground- the User LAN- will be compromised or has already been compromised. Accepting this as a working premise heightens awareness of suspicious activity and lessens the time between breach and response. When a user’s machine has been compromised via 0-day, social engineering, or simple bad luck, the security team must be able to detect this activity and dispatch guards to eject the usurpers.

  • Wanted Posters – These let your citizens know to watch out for the bad guys. This is your user awareness and security training programs. Social Engineering is a very popular attack vector and is almost always lethal with unaware users. A user spotting abnormal activity and notifying the proper personnel can save your business time, money, and headache.
  • Tower Guards – They watch over your whole castle and allow you to correlate your attack events. These represent edge sensors, event correlation databases, etc. They span the enterprise and are critical for monitoring the health of your Castle.
  • Castle Scouts – They let you know someone is inside your walls. These will be your IDS sensor monitoring for non-standard traffic such as, “Why is your user machine suddenly attempting to connect to multiple shares the user does not need.” Scouts rely on understanding their environment and must be trained to recognize “abnormal” traffic.
  • Castle Guards – They let you isolate your attacker preventing them from doing more damage. These will be your firewall isolating your network segments in critical places such as the DMZ, Server LAN, User LAN, accounting systems, etc. When your scouts notice a compromise your guards spring into action blocking network traffic from the compromised machine.
  • Executioners - They let you identify the threat signature and remove it from your Castle. These represent your enterprise security department and their tools, such as Enterprise AV, incident response tools, and training.

Perimeter Defense: The Walls

Walls are easy to conceive but hard to implement. The Wall is ironically the weakest part of the Castle, because it necessarily contains a gate. Perimeter protection devices are used to repel attackers- or at least force them into the open- acting as your first line of defense for attackers attempting to remove the castle’s treasure.

  • Archers and Border Guards – They stop the attackers before the reach the door. These are firewalls and intrusion prevention systems. By blocking known bad IP address, bad port numbers, and bogus addresses inbound from the internet you lessen the work on your guards inside. Archers and Guards require constant training to keep their skills honed just as your firewalls require constant attention and tuning to ensure you gain the most benefit from them.
  • Advanced Scouts – They are your eyes warning you of an inbound attack. This is your in-line or tapped IDS carefully inspecting packets coming into your Castle both before and after passing through the firewalls.
  • Chief Inspector Guy – While there is no direct analogy for this person in a castle, they are of utmost importance. This is your outbound proxy protecting your users and making sure no one is running off with the treasure. But what about encrypted streams you cannot inspect you say? Block them, institute a site white-listing policy and only allow encrypted connections to sites with a business need that have been approved by management.

Outside Resources: Allied Armies

What‘s a King without friends? In the case of a denial-of-service attack the traffic can be offloaded to another company to help filter the requests and provide bandwidth before the requests are passed to the web servers. In the case of a compromise, a company specializing in Incident Response ready to help clean up and prevent further damage. And an important point to remember, not all attackers are people; a service provider that provides secure offsite backup facilities to protect against natural or accidental destruction of data is a critical alliance.


So now we’ve built our Castle, but are we done? No, not at all. Bricks require mortar, people require training, and someone always is building a better mouse trap. Ensure you are constantly evaluating what is critical data and what isn’t and devote your efforts to protecting what your company values most.

1 comment: