Network segmentation is vital in order to limit the risks for business data after a network intrusion. The goal is to make very difficult the movement of threat inside the network and to give to intruders not authorized the minimun privilege possible for avoiding the exploit of critical services for the business.
By phishing campaign it’s very easy to exploit a window client (see my article http://www.securityandit.com/security/exploit-an-active-directory-system/). What we can do is to imprison the hackers in a harmless network and a secure network segmentation can help.
In this context, I will show how is possible to have security benefits from a network segmentation that continues to have sense from logical point of view despite today the device mobility and the use of cloud services are very increased
In this context the logical network segmentation proposed and commented is the following:
Following the matrix traffic to adapt to the your business needs.
|Source Network||Destination Network||Protocol Permitted|
|Internet||DMZ||HTTP, HTTPS, SMTP, SSH, DNS|
|DMZ||Application Server||HTTP, HTTPS, SMTP|
|Security Gateway||Application Server||SSH, HTTP, HTTPS, SQL,SMTP|
|Inside||HTTP Proxy||HTTP, HTTPS|
|Inside||Security Gateway||SSH, HTTP, HTTPS, SQL|
|Inside||Management||Kerberos, Ldap, HTTPS, Radius|
|Inside||Intranet||HTTP, HTTPS, SMTP|
Let’s start to speak about the first segmentation network:
DMZ Segment Network
The DMZ segmentation is a very old concept still valid that hosts the front end software layer.
In this segment we find Reverse Proxy, MTA, DNS, Bastion Hosts: frontend web applications that don’t have any direct access to database or other important business data. The data access is permitted by the services offered by Web Applications hosted in the WebApp segmentation Network. If the hackers exploit DMZ, they will not could to reach directly the company database.
The access to internet must be limited only to protocol required. DNS, SMTP, NTP should be enough. If the web server is compromised, the hacker must not have the possibility to have a reverse shell or to download some php back-door file or a binary for some exploit like dirty cow vulnerability.
I suggest, if it’s possible, not to permit the using of the web services from inside network. This example can justify it: let’s suppose to suffer a XSS vulnerability. The hackers could use it for obtaining the session cookie stealing them to workers. If the workers connect to other web application server equal to that reachable from internet the sessions tokens stolen cannot be reused from external.
I suggest to use a IPS directly on Firewall and an Antivirus/Antispam for smtp traffic. It’s interesting my article about how to integrate a IPS like suricata with Pfsense and Kibana: http://www.securityandit.com/security/ids-with-pfsense-suricata-and-kibana/.
It’s best practice to install and configure in all the servers of this segment firewall suitably configured (shorewall, firewalld, iptables, etc) for reducing the effects of a DOS attack.
Let’s talk now about the next segment.
WebApp Segment Network
In this segment I suggest to put all the application web application hosted by application servers. We find Tomcat, Jboss, WebLogicServer, SpringBoot and others.
Only the services ports are exposed and opened to DMZ network. The management ports are opened only to Security Gateway.
The web application network must connect to database and for that they ports to database are opened fron this segment.
If possible I suggest for avoiding unnecessary overload to permit only http connection between reverse proxy and this network: the SSL protocol is run only behind the SSL offloading proxy. In this way it’s possible by another IPS makes http inspection of all the traffic and improve the service perfomance.
In this Network are hosted the http proxy and the Security Gateway.
Security Gateway is a simple linux or windows system with putty and other software installed like database client to use for management sessions: ssh, http, sql, snmp.
This system can make auditing of all connections and of all managements commands executed. The system is closed to internet: it permit to avoid the threat propagation due to client attacks versus the back end and front end servers.
I also suggest to browser the web critical services also exposed to internet from this gateway: attacks like clickjacking, main in the browser, session hijacking attack and others are not permitted.
The best way to authenticate to security gateway is to use a approach rsa token based with a centralized and secure identity management system. For that I suggest to use freeipa. Read please my article how to integrate freeipa with Active Directory for any help: http://www.securityandit.com/network/freeipa-active-directory-integration/.
The http proxy is also present in this network. I suggest to integrate it with an Antivirus and a web filter. A good antivirus proxy can be implemented using pfSense with HAVP. All the internet connections from inside are permitted only by http proxy. You can read this article for that: https://turbofuture.com/internet/How-to-Set-Up-an-HTTP-Anti-Virus-Proxy-Using-pfSense-and-HAVP.
In this network I also suggest to put a internal DNS configured in master-slave way with the principal DNS server rechable from internet.
Now the inside network: the most vulnerable network of any company.
Inside Network is the week point of the network of any company. The administrator systems are committed to making sure the company’s servers but they forget that the hosts become Trojan horse for attacking the internal systems.
I already explained how is possible to attack windows client for taking control of active directory server (http://www.securityandit.com/security/exploit-an-active-directory-system/). In the same way it’s possible to use the client as Trojan horse for attacking the internal services of company.
Let’s suppose to access to ssh server by single sign-one authentication. For hackers it’s possible to impersonate the kerberos ticket for login to ssh servers with the same credentials of the user hackered. If the user has sudo su – enabled, the hacker will become root in a simple way.
This teaches us to block the authentication traffic to critical systems from normal desktop device in the inside network. That why I suggest to use the security gateway for all the management jobs.
The system dba for example must use their sql client tool only from security gateway that is a system closed to internet and more protected that inside network.
This provides authentication, confidentiality and integrity. Authentication because only the right users can login to security gateway, confidentiality and integrity because by a simple ssh tunnel all the management traffic can be crypted versus back-end servers. Moreover all the actions can be logged and this allow us to configure and administer auditing of all commands executed.
The remote users connected by vpn belong to inside network. They must follow the rules below with more filters present in the firewall that give them the right permissions in function of the groups of membership. The integration of the FW with an external AAA servers must be present.
For all the devices of the company with wifi or cabled connection is best practice to have 802.1x (PEAP) authentication. This authentication is robust and simple to configure in the switches. The only requirement is to have a radius server integrated to Active Directory or freeipa.
Now the last segment: DB Network.
This network is business critical and then it goes protected carefully. Only the applications server must connect to databases and for management job the only network authorized is the security gateway.
For best security it’s best practice to configure in the databases a local firewall in order to block connections from the same network.
In this network are present the identity and accounting management like Active Directory, Freeipa, Radius Server and other management systems.
The protocol opened by inside to this network are that related to Indentity and Accouting Management: kerberos, Ldap, https, radius, microsoft-ds, etc.
This network is one of most attacked. The hackers try to use the device controlled by phishing campaign or other vector attacks for exploiting the active directory services. How to do this is explained in following my article:e http://www.securityandit.com/security/exploit-an-active-directory-system/.
I suggest not to use the kerberos authentication with users that have high privileges: it’s less cool to insert every time the password but more secure than Single Sign-on authentication.
Network segmentation makes difficult to malware to spread through the network company. This is fundamental because the malware is easily spreading by phishing and social attack.
Anyone in a weakness moment can click on the attach received by email or on link received by facebook or twitter and If the Antivirus doesn’t detect it the malware will be present in the network. A good network segmentation helps us to mitigate the effetcs of this attacks.
I hope you enjoyed the article. Don’t hesitate to contact me for any suggestions.