Security Basics mailing list archives

Re: Network Segregation to prevent spread of malware


From: Alex Creek <acreek83 () yahoo com>
Date: Fri, 25 Jan 2013 07:43:09 -0800 (PST)

This is from a report published by Australia's DSD (Defence Signals Directorate) on strategies to mitigate targeted 
cyber intrusions.  This doesn't talk specifically about malware, but it does highlight the importance of network 
segregation.

Full article dsd.gov.au/publications/csocprotect/network_segmentation_segregation.htm

Why is network segmentation and segregation important?
    1. Once a malicious cyber adversary compromises your network, usually through the compromise of a system under the 
control of a legitimate user by means of social engineering, they will attempt to move around your network to locate 
and access the information they are targeting. This is known as propagation or lateral movement.
    2. In order to minimise the impact of such a compromise, it should be as hard as possible for the malicious cyber 
adversary to find and access the information they seek and move undetected around a system or network, and remove the 
information from the network once they locate it.
    3. The malicious cyber adversary may attempt to make connections directly from the compromised system(s) to the 
more sensitive system(s) using tools and techniques they have at their disposal. This is typically executed using their 
own or enhanced versions of legitimate network administration tools. For example, if the malicious cyber adversary has 
initially compromised a workstation, they may seek to create a remote connection to a sensitive server, map a network 
resource or use installed legitimate network administration tools in order to access information on that server, or 
execute software remotely on the server. This is particularly common when the adversary targets an organisation’s 
authentication server. Properly planned and implemented network segmentation and segregation is a key control to stop 
such activities from occurring. You may be able to explicitly disallow remote desktop connections or the use of common 
network administration tools from end-user workstations on sensitive servers (as most users do not require such functionality) and/or 
configure sensitive servers to prohibit the sharing of files and restrict their ability to communicate via remote 
connections.
    4. Network segmentation and segregation also assists an organisation to both detect and respond to an intrusion. 
The technologies implemented to enforce segmentation and separation will:
        1. contain audit and alerting capabilities that may prove critical in identifying an intrusion
        2. allow an organisation to better focus their auditing and alerting tools to a limited subset of attacks based on 
the approved access methods, and
        3. provide a ready way to isolate a compromised device from the rest of your network in the event of an intrusion.
    5. Network segmentation and segregation is a key enabler for the implementation of workforce mobility and a secure 
bring your own device (BYOD) strategy as it allows you to better isolate a compromised or potentially compromised 
device from the key information on your network.



Best practice in implementing network segmentation and segregation
    1. Regardless of the technology chosen to implement network segmentation and segregation, there are five common 
themes for good network segmentation and segregation, including:
    1. Apply technologies at more than just the network layer. Each system and network should be segmented and 
segregated, where possible, from the data link layer up to and including the application layer. It is not sufficient to 
implement a hardware-based firewall as the only protective security measure.
    2. Use the principles of least privilege and need-to-know. If a system doesn’t need to communicate with another 
system on the network, it should not be allowed to. If a system only needs to talk to another system on a specific port 
or protocol and nothing else, it should be restricted as such.
    3. Separate information and infrastructure based on your security requirements. This may include using different 
hardware or platforms based on security classifications or different threat and risk environments in which each system 
or network segment operates.
    4. Identify, authenticate and authorise access for entities based on your security requirements. This includes 
users, systems and services that should have their access restricted to that required to perform their intended 
function.
    5. Implement whitelisting instead of blacklisting. That is, grant access to the known good, rather than denying 
access to the known bad. This will also improve an organisation’s capacity to analyse log files.

Alex
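The least-privilege, allowlist and audit points in the quoted guidance, as an added example that is not part of the original post or the DSD report: a small default-deny segment policy evaluated over constructed flow records, where denied remote-administration traffic from workstations towards server segments is surfaced for alerting rather than silently dropped. Segment names, address ranges, ports and the flow record format are all assumptions.

```python
import ipaddress
# Constructed example modelled on the DSD guidance above; names, CIDRs and ports are assumptions.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "auth_servers": ipaddress.ip_network("10.20.1.0/24"),
    "file_servers": ipaddress.ip_network("10.20.2.0/24"),
    "admin_jump":   ipaddress.ip_network("10.30.0.0/24"),
}
# Allow rules as (src_segment, dst_segment, proto, dst_port); anything not listed is denied.
ALLOW = {
    ("workstations", "auth_servers", "tcp", 88),    # Kerberos logon traffic
    ("workstations", "file_servers", "tcp", 445),   # SMB to the file servers only
    ("admin_jump",   "auth_servers", "tcp", 3389),  # RDP to auth servers only from the jump host
}
# Remote-administration ports whose denied use from a workstation merits an alert.
ADMIN_PORTS = {22: "ssh", 445: "smb", 3389: "rdp", 5985: "winrm"}


def segment_of(ip):
    # Map an address to its segment name, or 'unknown' if it is in none of them.
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(flow):
    """Return (verdict, alert) for a flow dict {src, dst, proto, dport}."""
    src, dst = segment_of(flow["src"]), segment_of(flow["dst"])
    if (src, dst, flow["proto"], flow["dport"]) in ALLOW:
        return "allow", None
    # Denied admin-protocol use from a workstation towards a server segment is the
    # lateral-movement pattern the guidance describes, so it is surfaced for alerting.
    if src == "workstations" and dst.endswith("_servers") and flow["dport"] in ADMIN_PORTS:
        return "deny", f"{ADMIN_PORTS[flow['dport']]} from {flow['src']} to {dst} ({flow['dst']})"
    return "deny", None


def audit(flows):
    """Apply the policy to a batch of flows; return verdict counts and the alerts raised."""
    verdicts = [evaluate(f) for f in flows]
    return {"allow": sum(v == "allow" for v, _ in verdicts),
            "deny": sum(v == "deny" for v, _ in verdicts),
            "alerts": [a for _, a in verdicts if a]}


# Constructed sample flows, as a firewall log or NetFlow export might provide them.
SAMPLE_FLOWS = [
    {"src": "10.10.4.7",  "dst": "10.20.1.5", "proto": "tcp", "dport": 88},    # allowed logon
    {"src": "10.10.4.7",  "dst": "10.20.2.9", "proto": "tcp", "dport": 445},   # allowed file share
    {"src": "10.10.4.7",  "dst": "10.20.1.5", "proto": "tcp", "dport": 3389},  # RDP to auth server
    {"src": "10.10.4.7",  "dst": "10.20.1.5", "proto": "tcp", "dport": 445},   # SMB to auth server
    {"src": "10.30.0.12", "dst": "10.20.1.5", "proto": "tcp", "dport": 3389},  # RDP from jump host
]
```

Running `audit(SAMPLE_FLOWS)` allows the logon, the file-share access and the jump-host RDP session, and denies the two workstation-to-auth-server flows with an alert for each; the same SMB port is allowed or denied purely by which segment it is aimed at.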

________________________________
From: Sagar <sagarnseas () gmail com>
To: listbounce () securityfocus com; "tomright006 () gmail com" <tomright006 () gmail com> 
Cc: "security-basics () securityfocus com" <security-basics () securityfocus com> 
Sent: Thursday, January 24, 2013 9:48 AM
Subject: Re: Network Segregation to prevent spread of malware

Hi Tom,

In my experience and humble opinion, technology and architecture would just amount to about 30 percent of your attempt 
to secure systems and infrastructure; what you would be aiming at (of course once your network is set up) is not only 
perimeter security coupled with best practice architecture but detection of traffic flow. Pattern and pattern anomaly 
detection will play a vital role. 
IMHO a few critical aspects in this regard will be using SIEM technology, which is evolving by leaps and bounds. 
DETECTION is the keyword, though setting up an efficient SIEM and continuous monitoring will involve resources in terms 
of cost and human resources.
Of course nothing beats employees aware of safe internet practices so I would invest sufficiently in training them.
In a nutshell my two cents - SIEM monitoring (aggregation and correlation) and Employee awareness training.

Cheers,
Stay Info Safe :)
Sagar Narasimha
LA 27k,20k,9k
PMP,six sigma GB,ITIL
CCSA,NCSS,CCSP
Sent from my BlackBerry® on Reliance Mobile, India's No. 1 Network. Go for it!

-----Original Message-----
From: Jerry Bell <jerry () riskologist com>
Sender: listbounce () securityfocus com
Date: Wed, 23 Jan 2013 07:07:25 
To: tomright006 () gmail com<tomright006 () gmail com>
Cc: security-basics () securityfocus com<security-basics () securityfocus com>
Subject: Re: Network Segregation to prevent spread of malware

Hi Tom,

The answer is 'it depends', but probably no. If you are talking about a classic company network and dividing 
workstations into separate networks to prevent cross contamination, you have to consider the pivot points for most 
malware - email, file shares, etc, which can still allow malware to propagate between networks even if no traffic is 
allowed directly between them. Some kinds of malware, notably worms that propagate directly from one system to another 
via some kind of remotely exploitable vulnerability, would be contained by network segmentation, however those sorts of 
events are becoming increasingly rare (however when they do happen, they tend to be big events). 

Jerry

Sent from my iPhone

On Jan 22, 2013, at 5:33 PM, tomright006 () gmail com wrote:

Hello All,

I need a few tips on Network Segregation to prevent spread of Malware. Can I avoid Malware spreading from one network 
segment to another just by segregating network with access list or firewalls?


Thanks,

Tom

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
