In my last blog I discussed how to create and implement a security policy to reduce steps and lower the cost of securing your business. Now I’m tackling Step 2.
Step 2: Divide and Conquer
Local area networks should not be wide open spaces. Managing networks is, in fact, much easier when they are composed of a number of smaller, logically defined subnets. Implementing defensive network segregation serves two valuable purposes with regard to security. First, it simplifies access control and access monitoring by creating natural boundaries at which to add controls. Second, it limits the scope of any incident, which can contain some of the effects of a potential breach. Combined with the fact that segmentation also helps mitigate other management and congestion issues, this is a valuable step in minimizing the time and cost of protecting your network, and it can be implemented without any significant effect on usability.
There are a few side notes here that are worth mentioning that can go a long way toward helping secure the network while saving costs:
- Maintain good network switching security best practices. Most security professionals have lost count of the number of times an incident or outage was traced back to someone connecting a wireless router or a personal device (PC, game console, Raspberry Pi) to a secure network in order to increase efficiency or pass the time. Disabling unused ports, adding MAC security features, and implementing some sort of routing loop mitigation will go a long way toward simplifying management and security.
- Move any guest access, including employee devices such as phones and tablets, to a separate guest LAN. These devices are often exposed to public wifi, random package installs, and prying hands. Do you really want them on your secure network?
- Minimize the use of DHCP for static resources, or implement static leases wherever possible. This one is more of a suggestion than a security best practice, but it will benefit you in the long run. Many security processes rely on tracking a baseline for devices, and that gets much easier for device logs and network traffic when your addresses do not change over time.
- Move printers, appliances, and consumer devices to severely restricted LANs, preferably with all outbound access blocked. Printers are a perennial source of security discussions due to their notorious susceptibility and/or sensitivity to bad traffic. Of course, this pales in comparison to recent news about consumer devices recording conversations and sending them over the internet in an insecure manner. The best way to mitigate risk from unmanaged appliance-type devices is to remove their network access, blocking all outbound traffic to other subnets by ACL.
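As an added illustration of the segmentation and ACL advice above (example code, not from the original post), here is a small first-match ACL evaluator that models three hypothetical subnets and checks which flows between them are permitted. The subnet addresses, the rule set and the sample flows are assumptions chosen for the example.

```python
"""
Hypothetical segmented network (addresses are constructed for this example):
  10.0.10.0/24  secure LAN     (workstations, servers)
  10.0.20.0/24  guest LAN      (phones, tablets, visitors)
  10.0.30.0/24  appliance LAN  (printers, consumer devices)
Rules are evaluated first-match; anything that matches no rule is denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SECURE = ipaddress.ip_network("10.0.10.0/24")
GUEST = ipaddress.ip_network("10.0.20.0/24")
APPLIANCE = ipaddress.ip_network("10.0.30.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


# Inter-VLAN ACL modelled on the post's advice. Order matters: the specific
# print-port allow must precede the broader secure->appliance deny, and the
# guest denies must precede the guest "internet only" allow.
ACL = [
    Rule(SECURE, APPLIANCE, 9100, "allow"),  # workstations may print (TCP 9100)
    Rule(SECURE, APPLIANCE, None, "deny"),   # ...but nothing else on that LAN
    Rule(SECURE, ANY, None, "allow"),        # secure LAN otherwise unrestricted
    Rule(APPLIANCE, ANY, None, "deny"),      # appliances: no outbound at all
    Rule(GUEST, SECURE, None, "deny"),       # guests must not touch the secure LAN
    Rule(GUEST, APPLIANCE, None, "deny"),    # nor the appliance LAN
    Rule(GUEST, ANY, None, "allow"),         # guests: internet only
]


def evaluate(src_ip: str, dst_ip: str, dport: int) -> str:
    """Return the action of the first matching rule, or 'deny' (default deny)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in ACL:
        if src in rule.src and dst in rule.dst and rule.dport in (None, dport):
            return rule.action
    return "deny"


def audit(flows: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int]]:
    """Return the subset of (src, dst, dport) flows the ACL would block."""
    return [f for f in flows if evaluate(*f) == "deny"]
```

The audit helper is useful for checking a proposed rule set against a list of flows taken from your own traffic baseline before deploying it to the router or firewall.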
Remove the Patchwork from Patch Management
A striking number of network intrusions and exploits that do not involve social engineering are the result of a leveraged vulnerability for which a patch already exists. This is in spite of the fact that patch management is a core part of every stage of the product lifecycle. It is probably the most prominent example of the importance of proactive management as opposed to a reactive method. Patch management, however, is often dismissed or not even considered, yet it is one of the most important steps to maintaining a stable and secure environment. It is also among the most cost-effective steps that can be taken to secure the network. The SANS Institute has published a well-written paper on developing a patch management strategy which is worth reviewing.
I’ll be back with another installment in the series in a couple of weeks.