It is close to impossible to read any security publication without seeing a phrase like, "The majority of successful hackers come from the insides of networks, not the Internet," and this book is no exception to this standard. Protecting internal networks is a very different task than that of protecting the perimeter. With our perimeter, we can define specific chokepoints and consolidate security measures; on an internal network, we are dealing with everything as a whole. There is no firewall that we can filter everyone through, and there is no IDS that will adequately monitor the average internal infrastructure. On top of it all, we have to grant much higher levels of access to internal systems and users than to external customers and vendors. Lucky for us, good internal defenses still conform to the rules of security.

Can it Really be Done?

Certainly, the answer to this question is, "Yes, it can be done." A highly secure internal network is achievable, and I have seen organizations accomplish this on a minimal budget. Again, the real key to securing an internal network is to focus on the virtues and rules in everything. Security at the perimeter is simply a warm-up; the internal network is where we really get our hands dirty with the concepts of the security mind. Let's face it: There is no technical solution for securing the inside of a network. Yes, there are thousands of products, each with their own little piece of the internal security pie, but securing an internal network is a prime example of where focusing on the details will cause failure. At least with the Internet, we had a firewall chokepoint, and those who focused purely on the technologies could remain somewhat in control. When we progress to the internal network, however, such methods simply do not work, and a great many organizations end up leaving the internal network vulnerable. Securing the internal network requires a much broader vision and the ability to see the rules of security in everything.

The Need for Internal Security

The need for internal security can be seen everywhere, and simply leaving the internal network vulnerable should never be considered. A bank does not just put guards at the front door and let all the money pile up behind the tellers. There are layers and layers of security between the lot where we park our cars and where we touch our first coin. If we choose to launch an attack from the outside, the hallway, the lobby, or from the vault itself, there will be security measures to stop us. In information security, we need to adopt similar practices. An attack could come from anywhere and under any set of circumstances. A hacker could find a hole in the perimeter defenses, in which case an attack will surely come from inside. Likewise, a hacking employee, consultant, or anyone to whom we extend a high level of trust will have direct access to the internal network. In these situations, we need to be prepared.

Employee Attacks

Employees within an organization are under constant temptation when it comes to internal access. Even employees without direct motivation often become curious and desire to perform some form of prohibited action. But it is when we have employees with some motivation and some technical abilities that we are really in trouble. I talked about employee hackers at some length in Chapter 7, Know Thy Enemy and Know Thyself. Here, I would make an educated guess and say that the average organization with five or more technical employees has probably employed at least one person who has attempted to gain unauthorized access to resources at some point in time. In general, when someone knows that they are NOT going to get caught, there is a much greater chance that they will perform illegal actions. The temptation to gain unauthorized access to resources within organizations that deploy no internal security is incredible for many employees. Internal security not only applies direct protection, but also keeps honest people honest and greatly reduces the temptation to take unauthorized action.

Successful External Attacks

Eventually, someone will break into the network. Eventually, there will be an unseen entry point opened into the network. Eventually, a worm will crawl through all defenses. Eventually, the perimeter security will fail. What happens next depends completely on the defenses we have deployed internally. A worm that finds its way through external defenses has not yet done any damage. If the worm, once inside the network, finds that all systems are patched, protected, and monitored, we will probably not suffer any damage. This is also the case with hackers who work themselves through a perimeter only to find themselves locked down in a secure environment. By applying internal defenses, we are essentially layering overall security. When an individual or group manages to penetrate the outer defenses, the amount of damage they can do directly corresponds to the degree of protection deployed on the inside of the network.

Internal Rules

The rules of security are going to be our best allies when working with internal defenses. There are no canned solutions for protecting an internal environment; protection can only come from layering different forms of security measures to comply with the corresponding rules. Every decision about the internal environment should reflect back on the practices already discussed. I have pulled from the following rules because they are often the most useful when securing an internal environment:

Put the Rules in Writing

Earlier in this book, I mentioned that our ability to enforce the rules is highly dependent on the rules being in writing.
Proper internal security requires rules to be written and formally accepted by everyone within the organization. The rules should be incorporated into internal security policies and acceptable use policies. Writing internal policies should be performed by policy experts with the guidance of information security staff, or drawn from a good working template. In particular, written rules should commonly include:
Authorized Use Banners

After policies have been established, it is important to create a short summary statement that refers back to the full security policy. This short statement should then be placed in as many locations as possible, including every system and device that allows for a display banner. Common areas where banners should be deployed include:

Rule of Least Privilege

Internal security practices should enforce the Rule of Least Privilege across the entire network. Since we are not dealing with specific chokepoints, the Rule of Least Privilege will need to be placed on individual systems, devices, and applications. These objects should be built and maintained with the idea that access will not be given unless required. Since there are literally hundreds of places where the Rule of Least Privilege should be practiced, it must be a part of our thought process in everything and dealt with through higher security practices. The following is a small set of examples of where the Rule of Least Privilege could be enforced:

It cannot be said enough that the Rule of Least Privilege is vital for maintaining proper security practices. The Rule of Least Privilege should be practiced in all aspects of internal security. If access is not required, do not grant it.

Rule of the Three-Fold Process

The Rule of the Three-Fold Process is not limited to specific devices or project implementations; the entire internal network and its security as a whole are subject to this rule as well. Many organizations create internal networks and never provide any form of maintenance or monitoring. The maintenance and monitoring tasks associated with the Rule of the Three-Fold Process are often pushed out to the perimeter, leaving the internal network vulnerable as time passes. Using the Rule of the Three-Fold Process for internal systems and devices has a dramatic effect on the security of an organization.

Internal Auditing

Some of the most powerful security tools available for internal security are the assessment, audit, and penetration testing processes. The goals of such measures are to:

Of course, performing a full risk assessment or hands-on analysis of each workstation would not be a practical solution. As such, an internal audit must balance effectiveness and practicality. I have already covered one such audit process in Chapter 8, Practical Security Assessments.

Internal Monitoring

Internal logging and monitoring are ways we can gain insight into what is going on within a network. Most modern devices and systems include logging capabilities that can be included in an organization-wide monitoring effort. More specifics on monitoring techniques are included in the later section titled Logging and Monitoring. Here, I will simply point out important areas for internal network monitoring:
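To make the monitoring idea concrete, here is an added example (not from the book) of the kind of check an internal monitoring effort runs over the authentication logs that internal systems already produce. The log lines, hostnames, users and addresses are constructed for this example, and the thresholds, the set of privileged accounts and the business-hours window are assumptions that would be tuned per organization. It flags three things a defender cares about on an internal network: a burst of failed logins to one system from one internal source, a successful login that immediately follows such a burst, and a privileged login outside normal hours.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a syslog-like layout (not real data; names and
# addresses are made up). Lines are deliberately not in time order.
SAMPLE_LOG = """\
2023-03-14T02:11:03 fileserver01 sshd: Failed password for jdoe from 10.20.30.41
2023-03-14T02:11:07 fileserver01 sshd: Failed password for jdoe from 10.20.30.41
2023-03-14T02:11:12 fileserver01 sshd: Failed password for jdoe from 10.20.30.41
2023-03-14T02:11:15 fileserver01 sshd: Failed password for jdoe from 10.20.30.41
2023-03-14T02:11:20 fileserver01 sshd: Failed password for jdoe from 10.20.30.41
2023-03-14T02:11:31 fileserver01 sshd: Accepted password for jdoe from 10.20.30.41
2023-03-14T09:15:44 fileserver01 sshd: Accepted publickey for backup from 10.20.30.5
2023-03-14T23:40:02 dbserver01 sshd: Accepted password for root from 10.20.31.77
2023-03-14T10:02:09 dbserver01 sshd: Failed password for admin from 10.20.30.90
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)$"
)

# Assumed tuning values for this example.
FAIL_THRESHOLD = 5                  # failures within WINDOW that count as a burst
WINDOW = timedelta(minutes=2)
PRIVILEGED_USERS = {"root", "admin"}
BUSINESS_HOURS = range(7, 19)       # 07:00-18:59 local time


def parse_log(text):
    """Parse each line into a dict; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    # Logs from several systems arrive out of order; detection needs time order.
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return a list of (alert_kind, src, host, user) tuples."""
    alerts = []
    failures = defaultdict(list)   # (src, host, user) -> timestamps of recent failures
    reported = set()               # keys already reported as a burst
    for ev in events:
        key = (ev["src"], ev["host"], ev["user"])
        # Drop failures that have aged out of the sliding window.
        failures[key] = [t for t in failures[key] if ev["ts"] - t <= WINDOW]
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            if len(failures[key]) >= FAIL_THRESHOLD and key not in reported:
                reported.add(key)
                alerts.append(("brute_force", *key))
        else:  # Accepted
            if len(failures[key]) >= FAIL_THRESHOLD:
                alerts.append(("success_after_failures", *key))
            failures[key] = []
            reported.discard(key)
            if ev["user"] in PRIVILEGED_USERS and ev["ts"].hour not in BUSINESS_HOURS:
                alerts.append(("off_hours_privileged_login", *key))
    return alerts


def run(text=SAMPLE_LOG):
    return detect(parse_log(text))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The sliding window and the per-(source, host, user) key are the important design choices: a burst is only meaningful when the failures are close together and aimed at one account on one system, and a success that lands inside that window is the event worth a page, not the failures alone.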
The Concept of Internal Zoning

Network-based zoning practices should not be thought of as belonging to the perimeter only. Creating a chokepoint and isolating devices in their own zone is a great way to enhance security for other critical services, especially those on the internal network. Devices on the internal network are directly exposed to all other systems on the network, which makes it more difficult to maintain network-based security. Organizations that host critical internal services should consider placing such services behind an internal firewall, helping to layer defenses, separate access, and otherwise protect them from internal hackers.
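The following added example (not from the book) ties the zoning idea above to the Rule of Least Privilege discussed earlier: it models an internal chokepoint between three constructed zones with an explicit allow list and a default deny, then uses the chokepoint's own deny decisions as a monitoring signal. The zone address ranges, the allow rules, the sample flows and the deny threshold are all assumptions made up for this illustration.

```python
import ipaddress
from collections import Counter

# Constructed internal zones (addresses are made up for this example).
ZONES = {
    "workstations": ipaddress.ip_network("10.20.0.0/16"),
    "servers":      ipaddress.ip_network("10.30.0.0/24"),
    "management":   ipaddress.ip_network("10.40.0.0/24"),
}

# Least privilege as an allow list: (src_zone, dst_zone, proto, dst_port).
# Anything not listed here is denied at the internal chokepoint.
ALLOW_RULES = [
    ("workstations", "servers",      "tcp", 443),   # web front-end
    ("workstations", "servers",      "tcp", 445),   # file shares
    ("management",   "servers",      "tcp", 22),    # admin SSH only from management
    ("management",   "workstations", "tcp", 3389),  # remote support
]


def zone_of(addr):
    """Map an address to its zone name, or 'unknown' if it is in none of them."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def evaluate(flow):
    """Decide 'allow' or 'deny' for one flow crossing the internal chokepoint."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    if "unknown" in (src_zone, dst_zone):
        return "deny"        # fail closed for addresses outside any defined zone
    if src_zone == dst_zone:
        return "allow"       # intra-zone traffic never reaches the zone firewall
    if (src_zone, dst_zone, flow["proto"], flow["dport"]) in ALLOW_RULES:
        return "allow"
    return "deny"            # default deny: access not required is not granted


# Constructed sample flows as an internal firewall might log them.
SAMPLE_FLOWS = [
    {"src": "10.20.5.17",  "dst": "10.30.0.10", "proto": "tcp", "dport": 443},
    {"src": "10.20.5.17",  "dst": "10.30.0.10", "proto": "tcp", "dport": 22},
    {"src": "10.20.5.17",  "dst": "10.30.0.11", "proto": "tcp", "dport": 22},
    {"src": "10.20.5.17",  "dst": "10.30.0.12", "proto": "tcp", "dport": 22},
    {"src": "10.40.0.3",   "dst": "10.30.0.10", "proto": "tcp", "dport": 22},
    {"src": "10.20.8.2",   "dst": "10.20.8.3",  "proto": "tcp", "dport": 445},
    {"src": "10.30.0.10",  "dst": "10.20.5.17", "proto": "tcp", "dport": 3389},
    {"src": "192.168.9.9", "dst": "10.30.0.10", "proto": "tcp", "dport": 443},
]


def audit(flows, deny_threshold=3):
    """Evaluate flows and list sources whose denied attempts reach the threshold.

    A workstation that is repeatedly denied SSH to several servers is exactly the
    internal activity the chokepoint exists to expose.
    """
    decisions = [(f, evaluate(f)) for f in flows]
    denied_by_src = Counter(f["src"] for f, d in decisions if d == "deny")
    suspicious = sorted(src for src, n in denied_by_src.items() if n >= deny_threshold)
    return decisions, suspicious


if __name__ == "__main__":
    decisions, suspicious = audit(SAMPLE_FLOWS)
    for flow, decision in decisions:
        print(f"{decision:5} {flow['src']:>12} -> {flow['dst']}:{flow['dport']}/{flow['proto']}")
    print("sources over deny threshold:", suspicious)
```

Two points are worth noticing. The rules name zones rather than hosts, so adding a server to the servers range needs no rule change, which is what keeps a least-privilege allow list maintainable. And the chokepoint doubles as a sensor: the denied flows are the internal equivalent of perimeter firewall logs, and counting them per source is a cheap first monitoring rule.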
Figure 11.1. Example of internal network zoning.

Rule of Change

Uncoordinated changes within the internal environment often lead to disastrous security issues. With all the potential variables that can lead to vulnerabilities, it is vital that changes be managed in accordance with the Rule of Change. Likewise, it is important to avoid the guinea pig effect and to work with a standard set of applications, tools, and devices.

Rule of Preventative Action

Practicing proactive security in the internal environment requires us to spend time each day researching new security issues. We must prepare ourselves for new worms, viruses, and new types of attacks by keeping up with security news. We must then look back at our own environment and evaluate it for these vulnerabilities and weak links. It is important to stay several steps ahead of hackers by performing vulnerability scans and other checks regularly.

Considering Desktop Management Practices

A great tool for enhancing internal security practices is a desktop management system. Many vendors have developed different types of desktop management products; many include security options that conform to the rules of security. In particular, a desktop management implementation can assist in: