Twice in recent weeks, I've been onsite at a company where a sizable division of the organization has been hit by a fast-roving computer worm. All that prevented the worm from quickly spreading across the enterprise was the company's isolated security zones. These scenarios served only to strengthen my belief that establishing isolated security zones is among the few strategies that reap a return on the investment of planning, resources, and money.
In one of the instances, a foreign subsidiary of the company I was visiting had been infected with the Conficker worm. Nearly every computer at the particular location was compromised. Outside the location, however, only eight additional machines were infected.
At the other company, I discovered that the vast majority of the network traffic was malicious. If you're looking for malware to experiment with, this place was your dream. Still, even within the same VLAN segment, no one else was infected. Even though the company had hundreds of bug-spewing workstations, none of them could talk to anyone else or even to each other. While the network was the dirtiest I've ever come across, 99 percent of its production systems remained unaffected.
Isolating security zones (known as Server and Domain Isolation at Microsoft) isn't a new concept by any measure. Firewalls and the traditional three-legged domains (Internet, DMZ, and intranet) have been around at least since the 1970s, and I bet some readers can remember earlier instances.
Although not yet completely abandoned, the traditional firewall segmentation concept is quickly becoming an old way of thinking about network security. Most of these traditional boundaries have so many ingress exceptions -- VPNs, wireless networks, trusted partners, home users, open management ports -- that it's hard to say which is the rule: the firewall ACL or the exceptions.
More and more, companies are beginning to think of their networks as permeable. They assume their bastion network boundary is compromised and that the intruder is already inside -- because it's often true. But this doesn't mean that you should give up on the idea of security boundaries. Quite the opposite -- you should take the staid model of an N-legged firewall and extend it to your workstations.
In a nutshell, most workstations don't need to talk to most other workstations. Most servers don't need to talk to most other servers (although there are plenty of legitimate connections made server to server). Most workstations in your enterprise don't need to talk to every server in your enterprise, and vice versa -- so don't let them.
Figure out which hosts in your network and enterprise should talk to each other, and forbid the rest by default. If you can accomplish this type of security zone isolation, you can provide an incredible amount of bang-for-the-buck protection.
There are many ways to accomplish this, but each of them starts out by determining acceptable use policy and defaults, then mapping what should be allowed. You must create a reliable, fast way for people to request additional legitimate access when they need to expand past the current segmentation. Then use the different technologies available to you to separate security zones. As a general rule of thumb, I try to use the dumbest (and, therefore, often the fastest) technologies and devices first. For example, a packet router's ACL is normally far more efficient and faster at blocking and allowing traffic than a firewall -- which often has a lot more rules and is often involved in session-oriented, application-layer inspection.
Here are the devices and technologies I normally work with, in order of preference:
- Application proxy
- Application authentication
- Air gap
You can probably think of others that I missed, but you get the idea.
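As an added illustration (not the author's code or any vendor's product), here is the mapping and default-deny approach modelled in Python: a constructed zone inventory, an explicit allow-list compiled into a permit-then-deny-all ACL, and a reachability check showing how far something spreading over a single service port gets in a flat network versus isolated zones. The host names, zones and ports are invented for the example.

```python
# Constructed inventory for this example (not from the article): zone -> member hosts.
ZONES = {
    "workstations": ["ws-01", "ws-02", "ws-03", "ws-04"],
    "file-servers": ["fs-01"],
    "domain-controllers": ["dc-01"],
    "branch-office": ["br-01", "br-02"],
}

# The mapping step: explicit (source zone, destination zone, port) flows that are
# legitimately needed. Anything not listed here is denied by default.
ALLOWED = {
    ("workstations", "file-servers", 445),        # workstations read file shares
    ("workstations", "domain-controllers", 88),   # Kerberos to the domain controller
    ("branch-office", "domain-controllers", 88),
    ("file-servers", "domain-controllers", 88),
}

def zone_of(host):
    """Look up the security zone a host belongs to."""
    for zone, hosts in ZONES.items():
        if host in hosts:
            return zone
    raise KeyError(f"host {host} is not in any zone")

def permitted(src, dst, port):
    """Default deny: a flow passes only if its zone pair and port are explicitly allowed."""
    return (zone_of(src), zone_of(dst), port) in ALLOWED

def render_acl():
    """Compile the allow-list into an ordered, generic ACL: permits first, then deny-all."""
    rules = [f"permit {s} -> {d} port {p}" for s, d, p in sorted(ALLOWED)]
    return rules + ["deny any -> any"]

def reachable(start, port, isolated=True):
    """Blast radius: hosts that a process spreading over `port` from `start` could reach.
    With isolated=False every host can talk to every other host (a flat network)."""
    all_hosts = [h for hosts in ZONES.values() for h in hosts]
    seen, frontier = {start}, [start]
    while frontier:
        cur = frontier.pop()
        for nxt in all_hosts:
            if nxt not in seen and (not isolated or permitted(cur, nxt, port)):
                seen.add(nxt)
                frontier.append(nxt)
    return seen - {start}

if __name__ == "__main__":
    print("\n".join(render_acl()))
    print("flat network:", sorted(reachable("ws-01", 445, isolated=False)))
    print("isolated zones:", sorted(reachable("ws-01", 445)))
```

With the workstation-to-workstation pair absent from the allow-list, a compromised workstation reaches only the file server it legitimately uses, while the flat network exposes every other host.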
Security zone isolation is a lot of work, at least initially, but it can easily stop one bad end-user or a weak branch office from compromising the whole network.
This story, "Isolated security zones yield stronger network protection," was originally published at InfoWorld.com. Follow the latest developments in security and read more of Roger Grimes's Security Adviser blog at InfoWorld.com.