August 22, 2019

 Perimeter Security Basics (Spoiler Alert: It doesn’t start with a firewall.) – WST

When thinking of perimeter security (the security controls that protect the points where your trusted network touches less-trusted networks), many of us start with the obvious controls: firewalls, routers, access rules, and so on.  But in many cases, we see organizations struggle with a more basic question: Where is my actual perimeter?

We are not talking about the often-repeated mantra of “There is no perimeter anymore” (a valid discussion, but not the goal today), but about the basic question of “Where does my network touch other networks?”  Here is a fun fact: Over half of the network diagrams we review are missing many of these basic intersection points.  Backup internet connections, secondary IP ranges, vendor VPN connections, MPLS endpoints, or even entire wireless deployments are simply not always documented or accounted for.

You can’t protect, or understand the risks from, connections you don’t know about, and you can’t say all the doors are locked if you haven’t walked around the building to see how many doors you actually have.  That is why it is essential that network documentation (including those pesky diagrams we all hate to update) is complete, accurate, and thorough.  This also ensures that when the time comes to perform security testing on all “high risk” interfaces, you know exactly what you need to test.

At a minimum, consider the following:

  • All interfaces or connections with other networks should be included in diagrams.  This includes backup internet connections, wireless networks, and connections to core vendors (even if trusted, they are “less trusted” than your own internal network).  Even that old wireless router that is only turned on for board meetings should be included, with appropriate footnotes.
  • All public-facing IP addresses should be inventoried and kept up to date, including both used and unused addresses.  Again, this needs to cover all connections, even branch offices with backup cable connections that aren’t normally utilized.
  • Keep an updated list of the Access Control List (ACL) entries that allow traffic between the internal network and any other network, in either direction.
  • They say most network diagrams are already out of date before you hit the save button.  Make sure that your change control process requires updating the applicable documentation as a final step of every change.
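The four items above are a reconciliation exercise: compare what the diagram and inventory claim against what the edge devices actually report.  As an added example (not code from the original post), the Python script below does exactly that.  The documented inventory, the interface table and the ACL listing are all constructed samples in RFC 5737 documentation address space; the parser assumes an IOS-style “show ip interface brief” layout and a numbered extended ACL, and the interface and range names are illustrative.

```python
"""Reconcile the documented perimeter (diagram + inventory) against device state.

Added example, not code from the original post.  Every value below is a
constructed sample in RFC 5737 documentation address space; the parser assumes
an IOS-style "show ip interface brief" table and a numbered extended ACL listing.
"""
import ipaddress
import re

# What the diagram and inventory claim (constructed).
DOCUMENTED_PUBLIC_RANGES = ["203.0.113.0/29", "198.51.100.64/29"]
DOCUMENTED_INTERFACES = {"GigabitEthernet0/0", "GigabitEthernet0/1", "GigabitEthernet0/2"}
DOCUMENTED_ACL = [
    "permit tcp any host 203.0.113.2 eq 443",
    "permit tcp any host 203.0.113.2 eq 25",
]

# What the edge router actually reports (constructed).  Note the administratively
# down cellular backup and the tunnel interface, neither of which is documented.
OBSERVED_INTERFACES = """\
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     203.0.113.2     YES NVRAM  up                    up
GigabitEthernet0/1     10.10.0.1       YES NVRAM  up                    up
GigabitEthernet0/2     198.51.100.66   YES manual up                    up
Cellular0/3/0          192.0.2.77      YES IPCP   administratively down down
Tunnel100              172.31.255.1    YES manual up                    up
Loopback0              unassigned      YES unset  up                    up
"""
OBSERVED_ACL = """\
 10 permit tcp any host 203.0.113.2 eq 443
 20 permit  tcp any host 203.0.113.2 eq 25
 30 permit ip 192.0.2.0 0.0.0.255 any
"""

_IFACE_LINE = re.compile(r"^(\S+)\s+(\S+)\s+YES\s+\S+\s+(.+?)\s+(up|down)\s*$")
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_interfaces(text):
    """Return [(name, ip_or_None, status)] for each data row of the interface table."""
    rows = []
    for line in text.splitlines():
        m = _IFACE_LINE.match(line)
        if not m:
            continue  # header line or a layout the regex does not recognise
        name, addr, status, _proto = m.groups()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:  # "unassigned"
            ip = None
        rows.append((name, ip, status))
    return rows


def is_public(ip):
    """Anything outside RFC 1918, loopback and link-local counts as public-facing.
    ipaddress.is_global is deliberately not used: it classifies the RFC 5737
    documentation ranges in this sample as private and would hide them."""
    return not (ip.is_loopback or ip.is_link_local or any(ip in n for n in _RFC1918))


def normalize_ace(line):
    """Drop the sequence number and collapse case/whitespace so entries compare as sets."""
    return " ".join(re.sub(r"^\s*\d+\s+", "", line).lower().split())


def reconcile(documented_ranges, documented_ifaces, documented_acl,
              observed_if_text, observed_acl_text):
    """Return the four gaps a perimeter review cares about."""
    nets = [ipaddress.ip_network(r) for r in documented_ranges]
    rows = [r for r in parse_interfaces(observed_if_text) if r[1] is not None]
    observed_ips = {ip for _, ip, _ in rows}

    # 1. Addressed interfaces the diagram does not know about.  Down interfaces are
    #    kept on purpose: a backup link is still a door even when unused today.
    undocumented_ifaces = sorted(n for n, _, _ in rows if n not in documented_ifaces)

    # 2. Public addresses in use that fall outside every documented public range.
    undocumented_public = sorted(
        (n, str(ip)) for n, ip, _ in rows
        if is_public(ip) and not any(ip in net for net in nets)
    )

    # 3. Documented addresses with no observed use: inventoried, but tagged unused.
    unused_documented = [str(h) for h in sorted(
        h for net in nets for h in net.hosts() if h not in observed_ips)]

    # 4. Access-list entries the documented allow-list does not account for.
    known = {normalize_ace(a) for a in documented_acl}
    undocumented_aces = sorted(
        normalize_ace(l) for l in observed_acl_text.splitlines()
        if l.strip() and normalize_ace(l) not in known
    )
    return {
        "undocumented_interfaces": undocumented_ifaces,
        "undocumented_public_ips": undocumented_public,
        "unused_documented_ips": unused_documented,
        "undocumented_acl_entries": undocumented_aces,
    }


def run_sample():
    """Reconcile the constructed sample above."""
    return reconcile(DOCUMENTED_PUBLIC_RANGES, DOCUMENTED_INTERFACES, DOCUMENTED_ACL,
                     OBSERVED_INTERFACES, OBSERVED_ACL)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On the sample, the script flags the cellular backup (down today, but still a door, and carrying an address outside every documented range), the vendor tunnel (private addressing, so it never shows up in a public IP inventory, but it is still a connection to someone else’s network), the documented addresses that nobody is using, and the one ACL entry nobody wrote down.  In practice the observed text would come from a scheduled config pull, and the documented side from whatever the change control process is supposed to keep current; if the report is not empty after a change closes, the documentation step was skipped.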
