Designing a network is an iterative process between threat modeling and policy development. Network threat modeling is the part of that process that evaluates which threats your network may be facing, how your architectural mitigations deal with them, and whether your policy is sufficient. That means that you have to start with a security policy, and you must have an initial network design and a high-level threat model. If you do not have a policy, you will find yourself understanding a series of threats, but with no guidance for ranking those threats by importance and deciding which to mitigate. If you do not already have a security policy, you should consider reading Chapter 4, "Developing Security Policies," first, and develop one before you get deep into this chapter.
Threat modeling is commonly used in application design. For example, Howard and LeBlanc spend a chapter on threat modeling in Writing Secure Code, 2nd Ed. (Microsoft Press, 2003). In the summer of 2004, Swiderski and Snyder's book on threat modeling for applications was released (Microsoft Press, 2004). These tomes cover threat modeling from an application development perspective. Applications are subject to a set of threats all by themselves, and all those threats, obviously, also translate into threats to the networks where those applications are deployed. In an application threat model, the objective is to understand what a bad guy might want to do with a particular application and how that might be possible. It is focused on tracing data flow through an application and understanding where adversaries may inject problems in processing that data.
Although there are threats to an individual application exposed by an application threat model, there are also threats to the hosts on which the applications are deployed, and to the network in which those hosts reside. These threats often stem from how the networks are designed. They derive more from the operational practices in the networks than from the application vulnerabilities themselves. Furthermore, threats stemming from operational practices ultimately are caused by people not doing what they should (knowingly or not). Although a threat to an application can often be eliminated with a patch, it is considerably harder to patch people. Therefore, we must design the network to encourage sound operational practices and discourage dangerous ones.
Network threat modeling has three stages:
Document: Model the applications on the network, the systems they run on, and the services they provide.
Segment: Divide the applications into logical groups.
Restrict: Enforce the divisions defined in the segmentation stage.
In the rest of the chapter, we look at each of these in turn.
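The three stages can be captured in a small executable model, which is useful because it lets you check observed traffic against the design rather than against memory. The following is an added example written for this discussion, not code from the book or its authors. Every host name, segment name, service and observed flow in it is constructed sample data, and the allow-list is a hypothetical policy: the Document stage is the inventory, the Segment stage is the grouping of hosts by role, and the Restrict stage is a default-deny allow-list of segment-to-segment flows that is then used to audit a handful of observed connections and to find exposed services that no modeled consumer needs.

```python
"""Toy network threat model covering the three stages: document, segment,
restrict. Added example; the hosts, services and rules are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Service:
    name: str
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Host:
    name: str
    segment: str                  # logical group assigned in the Segment stage
    services: FrozenSet[Service]  # services this host exposes


# Stage 1, Document: inventory of hosts and the services they provide.
# All names are hypothetical sample data.
INVENTORY: List[Host] = [
    Host("web01", "dmz", frozenset({Service("https", 443)})),
    Host("app01", "app", frozenset({Service("app-api", 8080)})),
    Host("sql01", "data", frozenset({Service("mssql", 1433), Service("smb", 445)})),
    Host("dc01", "infra", frozenset({Service("ldap", 389), Service("kerberos", 88)})),
    Host("ws-finance", "clients", frozenset()),
]
HOSTS: Dict[str, Host] = {h.name: h for h in INVENTORY}


# Stage 2, Segment: group the documented hosts by logical role.
def segments(inventory: List[Host]) -> Dict[str, List[str]]:
    groups: Dict[str, List[str]] = {}
    for h in inventory:
        groups.setdefault(h.segment, []).append(h.name)
    return groups


# Stage 3, Restrict: allow-list of (source segment, destination segment,
# service). Anything not listed is denied, so the default is deny.
ALLOWED_FLOWS: Set[Tuple[str, str, str]] = {
    ("clients", "dmz", "https"),
    ("dmz", "app", "app-api"),
    ("app", "data", "mssql"),
    ("clients", "infra", "ldap"),
    ("clients", "infra", "kerberos"),
    ("app", "infra", "kerberos"),
}


def evaluate_flow(src: str, dst: str, port: int, proto: str = "tcp") -> Tuple[bool, str]:
    """Decide whether src -> dst:port is permitted by the model, and why."""
    s, d = HOSTS.get(src), HOSTS.get(dst)
    if s is None or d is None:
        return False, "undocumented host"        # gap in the Document stage
    svc = next((x for x in d.services if x.port == port and x.proto == proto), None)
    if svc is None:
        return False, "undocumented service"     # port in use that nobody modeled
    if (s.segment, d.segment, svc.name) in ALLOWED_FLOWS:
        return True, f"{s.segment}->{d.segment}:{svc.name} allowed"
    return False, f"{s.segment}->{d.segment}:{svc.name} denied by segmentation"


def audit_observed(flows: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int, str]]:
    """Run observed flows (for example, firewall log records) through the model
    and return those the Restrict stage should have blocked."""
    violations = []
    for src, dst, port in flows:
        ok, reason = evaluate_flow(src, dst, port)
        if not ok:
            violations.append((src, dst, port, reason))
    return violations


def unreachable_services(inventory: List[Host]) -> List[str]:
    """Documented services that no allow-list rule reaches: exposure with no
    modeled consumer, so candidates for being switched off."""
    reached = {(dst_seg, svc) for _, dst_seg, svc in ALLOWED_FLOWS}
    return [f"{h.name}:{s.name}"
            for h in inventory
            for s in sorted(h.services, key=lambda x: x.port)
            if (h.segment, s.name) not in reached]


# Constructed sample of observed flows, as a firewall log might yield them.
OBSERVED: List[Tuple[str, str, int]] = [
    ("ws-finance", "web01", 443),   # workstation to the web tier: allowed
    ("web01", "sql01", 1433),       # DMZ straight to the data tier: not modeled
    ("ws-finance", "sql01", 1433),  # workstation to the database: not modeled
    ("ws-finance", "dc01", 88),     # Kerberos to the DC: allowed
    ("app01", "dc01", 389),         # app tier LDAP: not in the allow-list
    ("laptop-x", "web01", 443),     # host nobody documented
]

if __name__ == "__main__":
    print(segments(INVENTORY))
    for v in audit_observed(OBSERVED):
        print("violation:", v)
    print("unreachable:", unreachable_services(INVENTORY))
```

Two design points are worth noting. The allow-list is keyed by segment rather than by host, so a new host gets a policy the moment it is placed in a segment, which is what the Segment stage buys you. The audit also distinguishes three different failures: a flow between documented hosts that the segmentation denies, a flow to a port the inventory never recorded, and a flow involving a host the inventory does not know about at all; the last two are gaps in the Document stage rather than enforcement problems, and they are usually the more interesting finding.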