Security Manager's Journal: Taking steps to better lock down the network
Our manager decides that, like users, resources on the network should adhere to the rule of least privilege.
Computerworld - The resources on our network have been given too much access to the Internet, and we need to curb that.
One of my primary security philosophies is the rule of least privilege, which can be defined as the practice of granting only the minimum amount of access necessary to get work done. Typically, the rule is met by defining role-based access to applications or data, but I extend this philosophy to all areas of business. This week, I prepared to apply the rule to resources on our network.
Consider production Web servers. They serve up Web pages to the public, so you would expect them to accept requests from the Internet. But what access is needed in the other direction? Should an administrator conducting maintenance on the server be able to use it to access his Yahoo email, Facebook or (shudder) Dropbox? In fact, except for a very small portion pertaining to business-related activity, the vast majority of the Internet should be unavailable from that Web server.
I decided to have my security engineers work with the network team to explore this issue and start to prioritize the work we would need to do. I had them focus on four areas.
The first is the production server network, which includes our DMZ, production and test (preproduction) networks. When you get right down to it, those servers need very little access to the Internet. And many security breaches are successful because a server was able to initiate a connection to a command-and-control server or some other malicious location on the Internet. Our firewalls currently allow virtually any traffic originating from the production network to the Internet. That has to be curtailed.
The next area is our R&D network. Servers on that network also have little reason to initiate a connection to the Internet, but the engineers who work in R&D need to innovate, so I'm willing to be a bit more flexible. Those same engineers, however, constantly complain that patching and antivirus software cause performance to deteriorate, and they refuse to comply with our requirements. Because of this, we isolate the R&D network from the rest of our network.
The third area is our corporate network, or what some call the PC network, since it's reserved for all our PCs. We can't completely lock it down, since we give a good deal of latitude to employees when it comes to accessing the Internet. Nonetheless, we can put some things out of bounds, and so we reviewed our firewalls' ability to block certain categories of websites and applications that could lead to problems for legal, HR or security. We already block pornography, malware and spyware sites. We will be adding phishing sites, anonymizers (which employees use to bypass our filtering), peer-to-peer sites, remote control services (such as LogMeIn), parked domains (Internet domains with no services) and personal file storage.
Finally, there's our critical zone, the area of the production network that contains our most critical resources. Currently, we allow all corporate traffic to this area of our network, when in reality, employees mostly need merely to have Web access. Now that we've incorporated user identity into our firewalls, we can create rules based on who you are and restrict administrative access to our critical resources to those administrators who need it.
Simple, right? Just configure the firewalls and block traffic. Unfortunately, in order to implement all of the changes I've mentioned, we have to conduct a business impact analysis, since we can't afford to make changes that affect our ability to deliver products or services. Therefore, the next course of action is to study the current network traffic to understand any valid business requirements before executing the plan.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
Join in the discussions about security!
More by Mathias Thurman
- Security Manager's Journal: A ransomware flop, thanks to security awareness
- Security Manager's Journal: Taking steps to better lock down the network
- Security Manager's Journal: Dealing with the heartburn of Heartbleed
- Security Manager's Journal: A deal that's too good to be true
- Security Manager's Journal: Virtual machines, real mess
- Security Manager's Journal: Stopping vendors from making us a Target
- Security Manager's Journal: Thousands of dollars in phone calls? Management hates that.
- Security Manager's Journal: Another step toward eliminating data loss
- Security Manager's Journal: Siccing MDM on personal mobile devices
- Security Manager's Journal: An admin surfing on a server? That's a big no-no
Read more about Security in Computerworld's Security Topic Center.
- Troubleshooting Common Issues in VoIP Learn more about Voice over Internet Protocol (VoIP), including common VoIP metrics used, best practices in VoIP management and tips and tricks for...
- 2013 Network Management Software (NMS) Buyers Guide This white paper contains an independent comparison study of six different network management solutions and provides guidance on how you can choose the...
- Rightsizing Your Network Performance Management Solution: 4 Case Studies This white paper discusses challenges encountered as organizations search for the most cost-effective network performance management solution.
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!