Just a quick post to make sure that everyone (and I mean everyone) who reads this blog is using a DMZ, enclaved, network-segmentation approach for any and all Internet-exposed systems today.
This has been true for several years, if not a decade.
Recently, I have talked to two companies that were hit by malicious activity that compromised a web application and gave the attacker complete control over a box sitting INSIDE their primary business network, with essentially unfettered access to the environment.
Folks, within IT network design, DMZ architectures are not just a best practice or a regulatory checkbox; they are an essential survival tool for IT systems. Punching a hole from the Internet straight into your primary IT environment is not smart, not safe and, in many cases, not legal.
Today, segmenting the internal network into enclaves is becoming best practice. Placing Internet-exposed systems in a DMZ or their own enclave, rather than on the business network, is simply assumed.
So, take an hour, review your perimeter (every NAT rule, port forward and published service), and if you find Internet-facing services that land on systems inside the business network, make a plan and execute it.
In the meantime, I’d investigate those systems as if they were compromised, regardless of what you have seen from them.
At least check them over with a cursory review and get them out of the business network ASAP.
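One way to do the perimeter review step mechanically. This is an added example, not code from the original post or from the author: it parses iptables-save style DNAT rules from the Internet-facing interface and checks where each forward terminates. The zone ranges (a DMZ enclave at 10.200.0.0/24, business network at 10.10.0.0/16, 10.20.0.0/16 and 192.168.0.0/16), the WAN interface name eth0, and the rule lines themselves are constructed assumptions; substitute your own address plan and firewall export. Anything that does not land in the DMZ is reported, since an unknown destination deserves the same look as a known-internal one.

```python
"""Flag Internet-exposed port forwards whose target sits in the business network.

Added example, not part of the original post. Address ranges, the WAN interface
name and the sample rules are constructed assumptions for illustration.
"""
import ipaddress
import re
from typing import Dict, List

# Assumed zone layout. DMZ and internal ranges must not overlap, otherwise
# classification would be ambiguous.
DMZ_NETS = [ipaddress.ip_network(n) for n in ("10.200.0.0/24",)]
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.10.0.0/16", "10.20.0.0/16", "192.168.0.0/16")
]

# Assumed name of the Internet-facing interface.
WAN_IFACE = "eth0"

# Matches iptables-save style DNAT rules in the nat table (IPv4 only).
DNAT_RE = re.compile(
    r"-A PREROUTING\s+-i\s+(?P<iface>\S+).*?-p\s+(?P<proto>\w+).*?"
    r"--dport\s+(?P<port>\d+).*?-j\s+DNAT\s+--to-destination\s+(?P<dest>\S+)"
)


def classify(addr: str) -> str:
    """Return 'dmz', 'internal' or 'unknown' for an IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in DMZ_NETS):
        return "dmz"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "unknown"


def parse_forwards(rules_text: str) -> List[Dict]:
    """Extract the DNAT forwards that arrive on the WAN interface."""
    forwards = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = DNAT_RE.search(line)
        if not m or m.group("iface") != WAN_IFACE:
            continue
        # --to-destination may carry ":port" or ":port-port"; keep the address.
        dest_ip = m.group("dest").split(":")[0]
        forwards.append({
            "proto": m.group("proto"),
            "port": int(m.group("port")),
            "dest": dest_ip,
            "zone": classify(dest_ip),
        })
    return forwards


def audit(rules_text: str) -> List[Dict]:
    """Return every WAN forward that does not terminate in the DMZ."""
    return [f for f in parse_forwards(rules_text) if f["zone"] != "dmz"]


# Constructed iptables-save excerpt (not real infrastructure). Two forwards land
# in the DMZ, two punch straight into the business network, one is on a LAN
# interface and is not Internet-exposed at all.
SAMPLE_RULES = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.200.0.10:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.10.5.20:80
-A PREROUTING -i eth0 -p udp -m udp --dport 1194 -j DNAT --to-destination 10.200.0.11:1194
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.50:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.10.1.5:22
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"WAN {f['proto']}/{f['port']} -> {f['dest']} ({f['zone']}): "
              "move this service into the DMZ and treat the host as suspect")
```

Run it against the output of `iptables-save -t nat` (or adapt `DNAT_RE` to your firewall's export format); each line it prints is a hole from the Internet into the business network and a host to investigate. The script deliberately ignores forwards on non-WAN interfaces so that internal-to-internal NAT does not drown out the findings.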
This should go without saying, but this especially applies to folks that have SCADA systems and critical infrastructure architectures.
If you have any questions regarding how you can maintain secure networks with enclaving and network segmentation, let me know. I’d love to help!
Cross-posted from State of Security