Awareness – Boundary Security

Attackers will attempt to exploit systems that are reachable over the Internet, including DMZ systems, workstations, and laptops that cross network boundaries to view or gather web-based content.  Organized crime, hacking groups and nation states exploit system weaknesses to gain initial access to target organizations.  From that foothold, attackers often move deeper inside the network boundary to set up a persistent presence for later attacks, to alter or destroy information, or to steal intellectual property or cash.  Many attacks are found to come from trusted business partner networks, as attackers hop from one connected network to another, exploiting vulnerable systems.

  • Boundary defenses should be multi-layered to be effective, consisting of firewalls, proxies, DMZ networks, and IDS/IPS systems.  It is also critical to filter and monitor both inbound and outbound traffic.  It is wise to understand what traffic is coming into the network, and just as important, if not more so, what is leaving.
  • Require all remote login access to use two-factor authentication.
  • Deploy network-based sensors on Internet and DMZ systems and networks that look for unusual attack mechanisms and detect compromise of these systems.
  • Implement Sender Policy Framework (SPF) records in DNS and enable receiver-side verification in mail servers to reduce the likelihood of spoofed e-mail messages.
  • Deny communications with or limit data flow to known malicious IP addresses.  They are known malicious, so what do you expect to find there?  Better yet if you have the resources, limit access to trusted sites only.
  • Internal network segmentation is central to boundary security.  The more boundaries an attacker must cross to get to a high value target, the more likely they will “make some noise” and alert your defenses to their presence.  Protect each segment with a proxy and firewall to reduce an intruder’s access to other parts of the network, and don’t keep all of your high value targets in one subnet location.
  • Contain insider access abuse or malware spread on an internal network through network segmentation schemes that limit traffic to only necessary services.
  • On DMZ networks, monitoring systems should be used to record at least the packet header information of traffic destined for or passing through the network border.  Capture full packet headers and payloads if you have the capability.  This traffic should be sent to a Security Information and Event Management (SIEM) system for correlation with events detected and logged by other devices on the network.
  • Only allow DMZ systems to communicate with private network systems via proxies or application-aware firewalls over approved channels, to restrict an attacker's path into the internal network.
  • Watch for communication sessions that occur regularly, at specific predictable increments, send encrypted data, use odd ports/protocols, or just look unusual compared to other traffic.
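The last point, sessions that recur at predictable intervals, is one that can be checked mechanically against outbound flow logs. The following is an added example (not part of the original page) that groups a constructed sample of flow records by source, destination and port, measures the gaps between successive sessions, and reports pairs whose gaps are nearly constant; the log format, thresholds and IP addresses are assumptions for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample outbound flow log: "timestamp src dst dst_port bytes".
# 10.0.1.15 contacts 203.0.113.7 every ~300 s; 10.0.1.22 browses 198.51.100.9 at human pace.
SAMPLE_FLOWS = """\
2024-03-01T09:00:00 10.0.1.15 203.0.113.7 443 512
2024-03-01T09:05:02 10.0.1.15 203.0.113.7 443 510
2024-03-01T09:09:59 10.0.1.15 203.0.113.7 443 515
2024-03-01T09:15:01 10.0.1.15 203.0.113.7 443 509
2024-03-01T09:20:00 10.0.1.15 203.0.113.7 443 513
2024-03-01T09:00:10 10.0.1.22 198.51.100.9 443 4096
2024-03-01T09:00:45 10.0.1.22 198.51.100.9 443 18432
2024-03-01T09:07:30 10.0.1.22 198.51.100.9 443 2048
2024-03-01T09:31:12 10.0.1.22 198.51.100.9 443 9001
2024-03-01T10:15:40 10.0.1.22 198.51.100.9 443 3300
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into (timestamp, src, dst, port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return flows

def find_beacons(flows, min_sessions=5, max_cv=0.05):
    """Return {(src, dst, port): (mean_gap_s, cv)} for pairs whose session gaps are nearly constant."""
    sessions = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        sessions[(src, dst, port)].append(ts)
    beacons = {}
    for key, stamps in sessions.items():
        if len(stamps) < min_sessions:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: low values mean the host calls out on a fixed schedule.
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons[key] = (round(mean, 1), round(cv, 4))
    return beacons

if __name__ == "__main__":
    for key, (mean, cv) in find_beacons(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible beacon {key}: every ~{mean}s (cv={cv})")
```

Real tooling would also weigh the destination's reputation, the port/protocol in use and payload sizes, as the bullets above suggest; periodicity alone is a lead, not a verdict.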