Data Loss Prevention Step 4: Prevent Network Cross-Connect

Wednesday, January 11, 2012

Rafal Los


I'm writing a series of posts to follow up on my blog post titled "Data Loss Prevention - Without the New Blinky Boxes" which addressed some of the silliness that comes with believing that DLP comes in a box, or is a product you can buy to solve your DLP needs. Welcome to part 4 (part 1 here) (part 2 here) (part 3 here)...

Welcome to the 4th installment of the 7-part series on doing better, smarter, and more effective Data Loss Prevention without the typical "network appliance solution" approach.  I will start out by telling you there is no easy way to implement this recommendation.  There are no easy ways to implement the prevention of network cross-connect except for mainly vigilance... and perhaps a few suggestions here.

It's almost amusing that yesterday as I was sitting in the doctor's office waiting room, watching the news I hear some analyst talk about the Stratfor breach and the "evil hackers" and one of the biggest suggestions was - and I can't say this without laughing out loud - that the United States should build a separate Internet for itself to separate ourselves from the evil hackers from other countries like China... again I sat there with what I can only imagine was my jaw dropped to the floor in amazement as other patients probably looked at me funny. 

The truth is, there are (as my colleague Chris Hoff pointed out) many other "Internets" inside the US including Internet2, which are physically separate - but which all suffer from the same problem.  That problem is that people keep plugging devices into them that manage to bridge dirty and 'clean' networks together. 

The sad fact is that you can't patch human behavior - but you can make it difficult for packets to jump from one network into another.  Even if you manage to plug an infected USB drive into a top secret network, let's assume accidentally, and it infects the machines in that network - that infection should not be able to reach home base which is probably out there somewhere on the Internet.  Makes perfect sense... right?  If only it were that easy.

The reality is that network segmentation is rarely as easy as putting an air gap between two networks.  Imagine trying to do that at the office. Sure, you can put your corporate computer system inside your office on a totally separate network... but do realize that it would mean that you have to disconnect absolutely from the Internet and everything that is connected to it - even over private links.  Odds are your employees depend on the Internet or other network access to do their jobs not just surf their Facebook pages over lunch. 

So let's be realistic then... if the only practical application for a completely separate and air-gapped network is a private lab, or DoD type network then you're probably stuck with a limited-access-network connection as most of us are through the use of firewalls, proxies and other devices such as VPN, etc.  Worry not, you can still achieve a relatively good degree of segmentation and prevent network cross-connect even in this real-life scenario.

First, analyze your network traffic needs.  You'll probably need to use one of those firewall rules analysis tools (lest you go insane analyzing the 1,000+ firewall rules on each of your boxes) that I'm sure will be suggested to you.  You can get this as a service, or as a piece of software but I do suggest you have one of these things handy because they will be one of the best security tools you'll ever own. 

Analyze your traffic needs between all your networks - your applications, your corporate network, your partner links, your VPN endpoints.  A thorough analysis will usually yield what years of acquisitions, divestitures, rapid growth and contraction, new employees and satellite offices will yield - lots of dead endpoints and open pipes which should have long been closed. 

Take care to focus on the Internet as a target for exfiltration.  Think about how you can get to the Internet from any and all devices that you consider high value.  You'll likely find that there are ways out of your secured networks into the Internet you probably aren't comfortable with, everyone does.  Unless you have perfect change control odds are things have changed without your knowledge (or maybe before you were an employee, or at your current role, or...) and that often leads to confusion which leads to a state of insecurity. 

Draw yourself pictures, use detailed diagrams but simplify things as much as possible - I know that sounds mad but remember that complexity is harder to follow and thus easier to screw up.  Take your diagrams in steps, from simple blocks, to exploded views of each component down to the rule level but in steps so that someone who needs to see only the top-level can do so without getting all the confusing details.

Next, simplify.  Consolidate device, human, and application access.  While everything may need its own port and path at first glance, configurations can often change.  Let's be realistic though - you can't change the way an enterprise application accesses a 3rd party overnight so these changes take time... make sure you plan for that.  

Consolidate as much as you can into as few 'holes' as you can - this is the thing you learn in security 101 on day 1... but some of us still need an occasional reminder.  I recommend you put your hacker hat on and think about stepping stones and how systems or network segments can be used to traverse from a high security segment to a low security segment (or the Internet, the ultimate low security network). 

As you start to simplify you'll notice that those routes begin to fall away because the less complexity you have the less likely you are to have one-off or unaccounted routes allowed.  Preventing network cross-connect is less about physically separating networks and more about how to keep an attacker from traversing security zones.

Speaking of security zones - you should already have those clearly marked from your analyze step above, but in case you do not - go do so!  Things to keep in mind - you should restrict low security > high security traffic, but also high security > low security just as well. 

The days when we could trust the things coming out of our networks is over, because even if your network is impenetrable from the outside over the network, it's virtually trivial for an infected USB stick to make its way onto your hardware and to the phone home.  Make sure you're accounting for that sort of behavior either through IPS signatures (where possible), anomalous behavior detection, or some other method you've devised! 

It used to be that preventing network cross-connect was as simple as making sure your VPN client wasn't able to perform split-tunneling so malware on your work laptop (at home) couldn't bounce into your corporate office... but when your corporate office is virtual and on the web that all stopped mattering almost overnight. 

Now you're left worrying about data leakage and data loss prevention in a whole new way - and preventing network cross-connect has taken on a completely new dimension... luckily it's still possible.

Look for the last 3 installments of this realistic approach to data loss prevention series soon...

Cross-posted from Following the White Rabbit

Possibly Related Articles:
Enterprise Security
Information Security
Access Control Virtualization Data Loss Prevention internet VPN Network Security DLP Exfiltration Rafal Los split-tunneling
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.