If you want to take your cyber-security to the next level, consider network hardening and segmentation.
NIST security publications encourage ‘defense in depth’ as a best practice. They recommend creating multiple network segments with strong firewalls in between. The diagram above shows a cost effective segmentation design that is appropriate for small and medium businesses.
Deny-by-default DMZ Firewall
A secure DMZ is the first improvement you should consider. It is also an important step for PCI compliance. Your externally-facing servers are at high risk from Internet-based attacks. Once an internal server is penetrated and taken over by a hacker, they “pivot” to attack the rest of your network. Any penetration tester will tell you that once they are inside the network, the hard work is done.
Examples of servers that should be in a DMZ:
- Outlook Web Access and Outlook direct (Exchange Client Access Server)
- Remote access (Citrix terminal servers and Remote Desktop for users or IT staff)
- Application servers that transfer data to-or-from other companies
- Proxy servers
- Spam filters (Barracudas etc)
- Electronic faxing
- Any web server that can be reached from outside
- Servers that synchronize with “the cloud” or other businesses
How does a DMZ deny-by-default policy work?
The outside firewall (between your company and the Internet) should already be using deny-by-default policies, at least for traffic coming in from the Internet. We will review this to see if it is possible to tighten up any of the policies. For example, many companies allow remote access to a terminal server from anywhere on the Internet. This is extremely risky. We would recommend reducing this remote access to specific network addresses (such as vendor networks) and using VPNs for traveling employees.
Where it makes sense, we also want to restrict outbound communication through your firewall. Once a hacker has accessed your sensitive information, they generally want to make a personal copy of it. They do this by sending it through your firewall. Blocking unusual traffic makes it harder for the bad guys to perform a data breach.
Creating a DMZ adds a second firewall layer between your externally-facing servers and your internal network. This restricts the network traffic that moves between DMZ servers and the rest of your network.
How is a DMZ with strong firewall implemented?
Very carefully. This is not a fast process. The last time we created a DMZ for a medium sized business (500m/year revenue and 10 servers inside the DMZ), it took three weeks, about 100 billable hours, and a two-month on call period to complete. But we researched and tested everything thoroughly as we went, which minimized user impact. If anyone tells you that this is a fast or easy process, they are probably leaving allow-all rules between the segments, which defeats the entire purpose.
- Research and planning phase: Carefully review each server, and each server that they communicate with, to identify normal communication channels and port usage. Create written back-out plans so that if business is impacted, we can flip a switch and get the servers communicating until we find a solution.
- Establish DMZ network: Migrate server networking to the DMZ. Other servers will need to update their connection information for the migrated server. Test thoroughly.
- Enforce deny-by-default policies: Create a firewall policy set for each DMZ server which allows only necessary communication between the outside and the inside. Test thoroughly (this includes restarting services and servers to trigger startup communications).
- Monitoring and responsiveness: Engineer is on-call for at least a month to assist with infrequent situations such as month-end accounting jobs.
- Documentation and training: Provide configuration management information, firewall and switch configs, and train your staff to manage the new systems.
Sensitive systems internal layer
The next segmentation improvement is to set up a sensitive systems internal layer. This network layer is for the most critical systems: high value targets such as your customer database, proprietary designs, and backups. Core IT systems such as VMware, switch, and firewall management can also be protected here.
How is internal segmentation implemented?
The process is essentially the same as the DMZ, but for the most sensitive systems rather than the least sensitive systems. Servers are only good candidates for this if they have limited communications. For example, an ideal database server would only have one communication channel open – between it and an application server.
A server that is accessed on multiple ports by regular users (such as a file server or directory server) cannot be fully secured, so it should stay on the internal network.
Do I need to buy multiple firewalls or switches?
Most of the time, if you are working with business-quality firewalls and switches, we do not need to buy any new hardware. Most professional firewalls / routers such as Cisco, Sonicwall, FortiNet, and WatchGuard have built-in capability for multiple network segments. Most professional switches have VLAN capability, which we can configure for DMZ and sensitive network segments.
What is the next step?
Please consider Kieri Solutions for your network hardening and segmentation project. Our focus is on integrity, carefulness, and responsiveness. Our employees are trusted by the US military, universities, large, medium, and small corporations. We love after-hours work, change management, configuration management, and testing because they reduce risk and keep users working.
Kieri Solutions provides onsite cybersecurity services to businesses in Maryland and Northern DC. Silver Spring, Rockville, Gaithersburg, Frederick, Baltimore, Columbia and other nearby cities in MD. We provide remote cybersecurity and technical writing assistance to businesses throughout the United States.