What type of device would be the most convenient for interconnecting two or more physically separated network segments?

Learn how LANs, connected by intermediate network devices, work like large networks.

"Network interconnection device" is a widely used term for any hardware that connects separate network resources. The key devices that make up a network are switches, routers, bridges, repeaters, and gateways.

Each device suits a different scope, depending on the network requirements and the scenario. The following are the interconnection scenarios:

  • Single LAN
  • Two LANs connected to each other (LAN-LAN)
  • A LAN connected to a WAN (LAN-WAN)
  • Two LANs connected via a WAN (LAN-WAN-LAN)

To understand the various devices for network interconnection, we created the following glossary.

Repeaters

Repeaters are used to extend the length of a network: they regenerate weak signals so that the signal can travel farther. The basic function of a repeater is to restore the data signal to its original level.

The important features of these devices are the following:

  1. They connect different network segments of a LAN
  2. They resend every packet they receive
  3. A repeater is a regenerator, not an amplifier
  4. Repeaters operate at the physical layer of the OSI model

Hubs

A hub is basically a multiport repeater: it acts as a multiplexer and connects multiple cables coming from different connections. Hubs cannot filter data, so packets are sent to all connected devices, and all hosts connected through the hub remain in a single collision domain.

Hubs lack the intelligence to find the best path for data packets, which results in inefficiency and waste.

Bridge

A bridge operates at the data link layer. It is a repeater with additional filtering functionality based on reading the source and destination MAC addresses. It is also used to interconnect two LANs that operate under the same protocol. It has a single input port and a single output port, making it a 2-port device.

Switch

A switch is a multiport bridge operating at the data link layer. The switch is very efficient; it performs error checking before forwarding packets. Like a bridge, the switch divides the collision domain of the hosts, but the broadcast domain remains the same.
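The difference between a hub and a switch described above is easiest to see by replaying the same frames through a model of each device. The following is an added example, not code from the original page; the three hosts, their MAC addresses and the frame sequence are constructed for illustration. The hub copies every frame to every other port, while the switch learns which port each source MAC lives on and, once it knows the destination, forwards a unicast frame to that single port; broadcasts still reach every port, which is why the broadcast domain is unchanged.

```python
"""Hub versus learning switch: which ports receive each frame.

Added example, not code from the original page. The three hosts, their
MAC addresses and the frame sequence are constructed for illustration.
"""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str   # source MAC
    dst: str   # destination MAC


class Hub:
    """Physical-layer device: repeats every frame out of every other port.
    Every attached host shares one collision domain and one broadcast domain."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, ingress, frame):
        return sorted(p for p in self.ports if p != ingress)


class Switch:
    """Data-link device (multiport bridge): learns which port each source
    MAC lives on and forwards known unicast frames to that port only.
    Unknown unicast and broadcast frames are still flooded, so the
    collision domain shrinks to one port but the broadcast domain does not."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}   # MAC address -> port

    def forward(self, ingress, frame):
        self.mac_table[frame.src] = ingress          # learn on every frame
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            return sorted(p for p in self.ports if p != ingress)   # flood
        out = self.mac_table[frame.dst]
        return [] if out == ingress else [out]       # filter or forward


# Constructed topology: host A on port 1, B on port 2, C on port 3.
MAC_A, MAC_B, MAC_C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
TRACE = [
    (1, Frame(MAC_A, MAC_B)),      # A -> B, B not yet learned
    (2, Frame(MAC_B, MAC_A)),      # B replies; A is already learned
    (1, Frame(MAC_A, MAC_B)),      # A -> B again; B now learned
    (1, Frame(MAC_A, BROADCAST)),  # ARP-style broadcast from A
]


def replay(device, trace):
    """Return, for each frame in the trace, the list of egress ports."""
    return [device.forward(ingress, frame) for ingress, frame in trace]


def egress_counts(device_cls, trace=TRACE):
    """Number of ports each frame was copied to on a fresh device."""
    return [len(ports) for ports in replay(device_cls([1, 2, 3]), trace)]


if __name__ == "__main__":
    print("hub:   ", replay(Hub([1, 2, 3]), TRACE))
    print("switch:", replay(Switch([1, 2, 3]), TRACE))
```

Host C on port 3 sees every frame on the hub, including the unicast conversation between A and B; on the switch it sees only the first (unknown-destination) frame and the broadcast.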

Router

Routers link two or more different networks; these can consist of various types of LAN network segments. A router receives packets and selects the optimal route to forward the packet across the network.

Routers maintain a table of known destination addresses, called a routing table. With it, the router sends a transmission from the source to the destination using the best path. Routers work at the network layer of the OSI model.

Gateway

Gateways are multipurpose connection devices for creating junctions between different networks. They are capable of converting the format of packets from one environment to match the format of another. They function as messaging agents that take data from one system, interpret the data and transfer it to another system.

Remember that having a technology partner with the necessary experience and knowledge will help you achieve your business goals. We invite you to visit https://www.kionetworks.com/es-mx/


Protect the Data

Jason Andress CISSP, ISSAP, CISM, GPEN, Mark Leary CISSP, CISM, CGIET, PMP, in Building a Practical Information Security Program, 2017

Network Segmentation

Network segmentation can go a long way toward reducing the impact of attacks. When we segment a network, we divide it into multiple smaller networks, each acting as its own small network called a subnet. We can control the flow of traffic between subnets, allowing or disallowing traffic based on a variety of factors, or even blocking the entire flow of traffic if necessary. Segmented networks can boost network performance by containing certain traffic only to the portions of the network needing to see it, and can help to localize technical network issues. In addition, network segmentation can prevent unauthorized network traffic or attacks from reaching portions of the network to which we would prefer to prevent access, as well as making the job of monitoring network traffic much easier.

Another design factor of assistance in the name of securing our networks is to funnel network traffic through certain points where we can inspect, filter, and control the traffic, often referred to as choke points. The choke points might be the routers moving traffic from one subnet to another; the firewalls or proxies controlling traffic moving within, into, or out of our networks or portions of our networks; or the application proxies filtering the traffic for particular applications such as Web or email traffic.


URL: https://www.sciencedirect.com/science/article/pii/B978012802042500007X

Protecting Virtual Infrastructure

Edward G. Amoroso, in Computer and Information Security Handbook (Third Edition), 2017

4 Enterprise Segmentation

One of the most exciting trends in cybersecurity is the notion of virtualized containment to protect workloads from attacks. Each virtual container thus becomes a so-called microsegment and offers a useful alternative to the types of network segmentation that enterprise security teams are most likely trying to implement. The motivation for such segmentation is the risk of east–west enterprise traversal by malicious actors.

A network segmentation approach will generally involve the establishment of different enterprise network domains within a perimeter-defined infrastructure (Fig. 67.3). Each domain will be separated by a physical demilitarized zone (DMZ) segment, which will include the usual list of hardware-based protections such as firewalls and intrusion prevention appliances. Operating many different network segments reduces the east–west traversal threat but is not convenient to manage, administer, or support. In stark contrast, by creating enterprise segmentation using virtualization, the advantages of east–west attack prevention can be obtained without the commensurate management, administration, and support challenges.

Figure 67.3. Network versus virtual enterprise segmentation. API, application program interface; DMZ, demilitarized zone.

An Agenda for Action for Implementing Security Recommendations for the Hypervisor

The security recommendations for the hypervisor itself include the following key activities (check all tasks completed):

_____1. Install all updates to the hypervisor as they are released by the vendor.

_____2. Restrict administrative access to the management interfaces of the hypervisor.

_____3. Protect all management communication channels using a dedicated management network, or make sure the management network communications are authenticated and encrypted using validated cryptographic modules.

_____4. Synchronize the virtualized infrastructure to a trusted authoritative time server.

_____5. Disconnect unused physical hardware from the host system.

_____6. Disconnect unused network interface controllers from any network.

_____7. Disable all hypervisor services such as clipboard or file sharing between the guest OS and the host OS unless they are needed.

_____8. Consider using introspection capabilities to monitor the security of each guest OS.

_____9. Consider using introspection capabilities to monitor the security of activity occurring between guest OSs.

_____10. Carefully monitor the hypervisor itself for signs of compromise.

Implementing virtual segmentation on an enterprise network requires design decisions regarding the scale and size of the segments. On one end of the spectrum, the segmentation could be dynamic and fine-grained, in which segments are small and created on-demand, and could be physically scattered across disparate underlying hypervisor support. On the other end of the spectrum, the virtual segments could be more substantial and more stable, perhaps supporting a complex cloud workload over a sustained period.

Regardless of the size and scale decision, advantages of using virtualization to segment a network are substantial, including the ability to change components quickly in the virtual DMZ, the ability to gain immediate telemetry from multiple devices, and the ability to quickly patch and restore components that are vulnerable. In virtual environments operating SDN technology, the SDN controller can provide holistic oversight of these maintenance activities.


URL: https://www.sciencedirect.com/science/article/pii/B9780128038437000673

Industrial Network Design and Architecture

Eric D. Knapp, Joel Thomas Langill, in Industrial Network Security (Second Edition), 2015

Higher layer segmentation

While network segmentation is traditionally enforced at Layer 2 (VLANs) or Layer 3 (subnets), the concepts of segmentation—the containment of certain network activities—can be implemented at essentially any layer of the OSI model, often to great effect. For example, by limiting sessions and applications at OSI Layers 4–7 instead of Layers 2–3, it becomes possible to isolate certain communications between carefully defined groups of devices, while allowing other communications to operate more freely. This is defined in Table 5.3.

Table 5.3. Types of Segmentation

Columns: Method | Description | Security Considerations (each row below gives the method name, followed by its description and then its security considerations)
Physical Layer Segmentation Refers to separation of two networks at the physical layer, meaning that there is a change or disruption in the physical transmission medium that prevents data from traversing from one network to another. An example could be as simple as a disconnected phone cable to a modem or a data diode to block wired transmission, a faraday cage or jammer to isolate wireless signals, etc. The mythical “air gap” is a physical layer segmentation method. Note that the term “physical layer segmentation” should not be confused with “physical segmentation,” as defined below under “Physical vs. Logical Segmentation.” Can be physically bypassed, via “sneaker net” attacks. In many cases, the excessively restrictive nature of the control motivates end users to bypass security by carrying data on thumb drives or other portable removable media, introducing new attack vectors that may not have controls in place.
Data Link Layer Segmentation Occurs at Layer 2, and as discussed earlier, it is typically performed using Virtual Local Area Networks, or VLANs. Network switches are used to separate systems, and VLANs are used to limit their broadcast domains. VLANs therefore cannot communicate with other VLANs without traversing at least one Layer 3 hop to do so (when trunks are used), or by physically connecting VLAN access ports (when untagged access ports are used). The use of VLANs provides easy and efficient segmentation. If inter-VLAN communication is only allowed via a Layer 3 device, VLANs can also enforce some security by implementing segregation via Access Control Lists (ACLs) on the intermediary router(s). Newer Layer 2 switches provide the capability to implement ACLs at the port level as traffic enters the switch, allowing options to help improve VLAN security since this ACL is applied to all VLANs on a given port. Because VLANs are easy to implement, they are commonly used for network segmentation, which in turn will minimize the impact of many Ethernet issues and attacks, such as floods and storms. However, VLANs are also the least secure method of segmentation. Improperly configured networks are susceptible to VLAN Hopping attacks, easily allowing an attacker to move between VLANs. See “VLAN Vulnerabilities,” in this chapter.
Network Layer Segmentation Occurs at Layer 3, and is performed by a network router, a network switch with Layer 3 capabilities, or a firewall. For any protocols utilizing the Internet Protocol (IP)—including industrial protocols that are encapsulated over TCP/IP or UDP/IP—routing provides good network layer segmentation as well as strong security through the use of router ACLs, IGMP for multicast control, etc. However, IP routing requires careful IP addressing. The network must be appropriately separated into address subnets, with each device and gateway interface appropriately configured. Network firewalls can also filter traffic at the network layer to enforce network segregation. Most Layer 3 switches and routers support access control lists (ACLs) that can further strengthen access controls between networks. Layer 3 network segmentation will help to minimize the attack surface of network-layer attacks. In order to protect against higher-layer attacks such as session hijacking, application attacks, etc. “extended” ACLs must be deployed that can restrict on communication port and IP addresses. This reduces the attack surface to only those allowed applications when configured using a “least privilege” philosophy.
Layer 4–7 Segmentation Occurs at Layers 4–7, and includes means of controlling network traffic carried over IP (i.e. above the network layer). This is important because most industrial protocols have evolved for use over IP, but are often still largely self-contained—meaning that functions such as device identity and session validation occur within the IP packet payload. For example, two devices with the IP addresses of 10.1.1.10/24 and 10.1.1.20/24 are in the same network, and should be able to communicate over that network according to the rules of TCP/IP. However, if both are slave or client devices in an ICS, they should never communicate directly to each other. By “segregating” the network based on information contained within the application payload rather than solely on the IP headers, these two devices can be prevented from communicating. This can be performed using variable-length subnet masking (VLSM) or “classless” addressing techniques. This is a powerful method of segmentation because it offers granular control over network traffic. In the context of industrial network security, application layer “content filtering” is able to enforce segregation based upon specific industrial protocol use cases. Application layer segregation is typically performed by a “next generation firewall” or “application aware IPS,” both of which are terms for a device that performs deep packet inspection (DPI) to examine and filter upon the full contents of a packet’s application payload. Filtering can be very broad, limiting certain protocol traffic from one IP address to another over a given port, or very granular, limiting certain protocols to performing specific functions between pre-defined devices—for example, only allowing a specific controller to write values that are within a certain range to specific, explicitly defined outputs.

Note

This concept is often referred to as “protocol filtering” or “network whitelisting” because it defines the network behaviors that are allowed, and filters the rest—essentially limiting the network to specific protocol, session, and application use. This can be enforced generally (only PROFINET is allowed) or very granular (PROFINET is allowed, only between these specific devices, using only explicitly defined commands). This level of control usually requires the use of a network-based IPS or a “next-generation” firewall (NGFW) that is able to inspect and filter traffic up to the application layer.
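The Network Layer row of Table 5.3 and the Note above make the same point from two directions: a standard ACL that decides on addresses alone admits every service between two subnets, whereas an extended ACL written with a least-privilege (whitelist) philosophy admits only the listed protocol and port pairs and filters the rest. The same evaluation also models the choke points described in the "Protect the Data" excerpt earlier on this page. The following is an added example, not code from the page or from any vendor; the subnets, hosts, flows and first-match semantics with a trailing implicit deny are constructed for illustration.

```python
"""Choke-point ACL evaluation: standard (address-only) versus extended
(address + protocol + port) rules under a least-privilege policy.

Added example, not code from the original page. The subnets, hosts and
flows below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str            # source IP
    dst: str            # destination IP
    proto: str          # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port (None for icmp)


@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    src: str            # source prefix (CIDR)
    dst: str            # destination prefix (CIDR)
    proto: str = "ip"   # "ip" matches any protocol
    dport: Optional[int] = None   # None matches any port

    def matches(self, flow):
        return (ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst)
                and self.proto in ("ip", flow.proto)
                and self.dport in (None, flow.dport))


def evaluate(acl, flow):
    """First matching rule wins; no match means the implicit deny at the end."""
    for index, rule in enumerate(acl):
        if rule.matches(flow):
            return rule.action, index
    return "deny", None


# Constructed segments: user VLAN 10.10.20.0/24, server VLAN 10.10.30.0/24,
# with a web server at .30.5 and a DNS resolver at .30.53.
USERS, SERVERS = "10.10.20.0/24", "10.10.30.0/24"

# Standard ACL: decides on addresses only, so every service on the server
# VLAN is reachable once the subnet pair is permitted.
STANDARD_ACL = [Rule("permit", USERS, SERVERS)]

# Extended ACL written least-privilege: only the two services users need,
# then an explicit deny so the drops can be logged, then the implicit deny.
EXTENDED_ACL = [
    Rule("permit", USERS, "10.10.30.5/32", "tcp", 443),
    Rule("permit", USERS, "10.10.30.53/32", "udp", 53),
    Rule("deny", USERS, SERVERS),
]

FLOWS = {
    "https": Flow("10.10.20.17", "10.10.30.5", "tcp", 443),
    "dns": Flow("10.10.20.17", "10.10.30.53", "udp", 53),
    "ssh_to_web": Flow("10.10.20.17", "10.10.30.5", "tcp", 22),
    "rdp_to_other": Flow("10.10.20.17", "10.10.30.88", "tcp", 3389),
}


def decisions(acl, flows=FLOWS):
    """Map each named flow to permit/deny under the given ACL."""
    return {name: evaluate(acl, flow)[0] for name, flow in flows.items()}


if __name__ == "__main__":
    print("standard:", decisions(STANDARD_ACL))
    print("extended:", decisions(EXTENDED_ACL))
```

The explicit deny before the implicit one is a deliberate design choice: real routers and firewalls only log what a rule matches, so a trailing deny rule is what makes the rejected flows visible to monitoring at the choke point.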

One point worth mentioning is that the more security that you can deploy at the various layers of the OSI model, the more resilient your architecture will be to attack. The attack surface within the communication stack typically decreases as you move “down” the stack. This is one reason why data diodes and unidirectional gateways provide one of the highest levels of segregation control because they are implemented at the Physical layer. Another example is that by implementing static MAC address tables within the Layer 2 switches, communication between devices can be restricted irrespective of any IP addressing (Layer 3) or application (Layers 4–7) vulnerabilities that may compromise the network. MAC addresses and IP addresses can both be discovered and spoofed, and application traffic can be captured, altered and replayed. So at what layer should security be implemented? Risk and vulnerability assessments should help answer this dilemma. The first step is to focus on protecting areas that represent the greatest risk first, which is usually determined by those areas that possess the greatest impact and not necessarily those that contain the most vulnerabilities. Subsequent assessments will then indicate if additional layers of security are required to provide additional layers of protection and offer greater resilience to other cyber weaknesses.

VLAN segmentation is common on networks where performance is critical as it imposes minimal performance overhead and is relatively easy to manage. It should be noted that VLANs are not a security control. VLANs can be circumvented, and can allow an attacker to pivot between network segments (see “VLAN Vulnerabilities,” in this chapter). More sophisticated controls should be considered in areas where security is more important than network performance.

The relative benefits of various network segmentation methods are summarized in Table 5.4.

Table 5.4. Characteristics of Segmentation

Segmentation/Segregation | Provided By | Management | Performance | Network Security | ICS Protocol Support | OT Applicability
Physical Layer | Air Gap; Data Diode | None | Good | Absolute | N/A | High
Data Link Layer | VLAN | Moderate | Good | Very Broad | High | High
Network Layer | Layer 2 Switch (via VLAN interfaces only); Layer 3 Switch; Router | Low | Moderate | Broad | High | High
Session Layer | Firewall; IPS; Protocol Anomaly Detection | Moderate | Low | Specific | Moderate | Moderate
Application Layer | Application Proxy/IPS; “Next Generation” Firewall/IPS; Content Filter | High | Poor | Very Specific | Low | Low

In order to realize the benefits of security from an application layer solution shown in Table 5.4, it must be able to recognize and support those applications and protocols used with ICS architectures. At the time of publishing, there are still relatively few devices that provide this support, and the number of applications and protocols included is very small in relation to that observed in a variety of ICS installations. Consideration must always be given to any restrictions in place regarding the installation of third-party or “unqualified” software and controls on ICS components by the ICS vendors. ICS components are subjected to rigorous stability and regression testing to help ensure high levels of performance and availability, and for this reason, ICS vendor recommendations and guidelines should always be given due consideration.

VLAN Vulnerabilities

VLANs are susceptible to a variety of Layer 2 attacks. This includes flood attacks, which are designed to cripple Ethernet switches by filling up their MAC address table, Spanning Tree attacks, ARP Poisoning, and many more.

Some attacks are specific to VLANs, such as VLAN Hopping, which works by sending and receiving traffic to and from different VLANs. This can be very dangerous if VLAN switches are trunked to a Layer 3 router or other device in order to establish inter-VLAN access controls, as it essentially invalidates the benefits of the VLAN. VLAN Hopping can be performed by spoofing a switch, or by the manipulation of the 802.1Q header.

Switch spoofing occurs when an attacker configures a system to imitate a switch by mimicking certain aspects of 802.1Q. VLAN trunks allow all traffic from VLANs to flow, so that by exploiting the Dynamic Trunking Protocol (DTP), the attacker has access to all VLANs.

Manipulation of the VLAN headers provides a more direct approach to communicating between VLANs. It is normal behavior for a VLAN trunk to strip the tag of its native VLAN. This behavior can be exploited by double tagging an Ethernet frame with both the trunk’s native VLAN and that target network’s VLAN. The result is that the trunk accepts the frame and strips the first header (the trunk’s native VLAN ID), leaving the frame tagged with the target network VLAN.

VLAN Hopping can be countered by restricting the available VLANs that are allowed on the trunk or, when possible, disabling VLAN trunking on certain links. VLAN trunks allow multiple VLANs to be aggregated into a single physical communication interface (i.e. switch port) for distribution to another switch or router via an uplink. Without VLAN trunking, each VLAN resident in a switch that needs to be distributed would require a separate uplink.
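The countermeasures in the paragraph above (restricting the VLANs allowed on a trunk, and more generally not letting the native VLAN be stripped in a way that exposes a second tag) can be checked against a trunk configuration with a small model of the tag processing the text describes. The following is an added example, not code from the page or from any switch vendor; switch behaviour is simplified to the native-VLAN stripping and allowed-VLAN filtering discussed above, and the VLAN numbers and trunk settings are constructed for illustration. It returns the VLAN in which the far-side switch delivers a frame, so a defender can see which setting closes the path: an unused native VLAN, tagging the native VLAN, or pruning the target VLAN from the trunk.

```python
"""Model of 802.1Q trunk tag processing, used to check whether a trunk
configuration lets a frame carrying a second tag cross from one VLAN to
another, and which settings close that path.

Added example, not code from the original page. Switch behaviour is
simplified to the tag handling the text describes; VLAN numbers are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Trunk:
    native_vlan: int            # VLAN sent untagged on the trunk
    allowed: frozenset          # VLANs permitted on the trunk
    tag_native: bool = False    # True: native VLAN frames are sent tagged too


def deliver(trunk, access_vlan, tags):
    """A host on an access port in `access_vlan` sends a frame whose 802.1Q
    tags (outermost first) are `tags`. Return the VLAN in which the switch
    on the far end of the trunk delivers the frame, or None if dropped."""
    # Near switch, access port: the port's VLAN is authoritative. A tag equal
    # to the port VLAN is accepted; anything beyond it is opaque payload.
    if tags and tags[0] != access_vlan:
        return None                      # tagged for another VLAN: dropped
    payload_tags = tags[1:] if tags else []
    vlan = access_vlan
    if vlan not in trunk.allowed:
        return None                      # VLAN pruned from the trunk
    # Near switch, trunk egress: the native VLAN goes out untagged unless
    # native tagging is enabled; sending it untagged exposes any payload
    # tag as the frame's tag on the wire.
    if vlan == trunk.native_vlan and not trunk.tag_native:
        wire_tags = payload_tags
    else:
        wire_tags = [vlan] + payload_tags
    # Far switch, trunk ingress: a tagged frame is placed in its tag's VLAN,
    # an untagged frame in the native VLAN; VLANs not allowed are dropped.
    rx_vlan = wire_tags[0] if wire_tags else trunk.native_vlan
    return rx_vlan if rx_vlan in trunk.allowed else None


# Constructed trunk settings: the exposed default and three hardened variants.
DEFAULT = Trunk(native_vlan=1, allowed=frozenset({1, 10, 20}))
UNUSED_NATIVE = Trunk(native_vlan=999, allowed=frozenset({1, 10, 20, 999}))
TAGGED_NATIVE = Trunk(native_vlan=1, allowed=frozenset({1, 10, 20}), tag_native=True)
PRUNED = Trunk(native_vlan=1, allowed=frozenset({1, 10}))   # VLAN 20 not carried


def hop_possible(trunk, access_vlan, target_vlan):
    """True if a double-tagged frame from `access_vlan` lands in `target_vlan`."""
    return deliver(trunk, access_vlan, [access_vlan, target_vlan]) == target_vlan


if __name__ == "__main__":
    for name, t in [("default", DEFAULT), ("unused native", UNUSED_NATIVE),
                    ("tagged native", TAGGED_NATIVE), ("pruned", PRUNED)]:
        print(f"{name:14s} hop 1->20: {hop_possible(t, 1, 20)}  "
              f"normal frame lands in VLAN {deliver(t, 1, [])}")
```

Note that only a host whose access VLAN equals the trunk's native VLAN can trigger the stripping, which is why assigning an otherwise unused VLAN as the native VLAN is the usual first fix; the pruned variant shows why the paragraph's advice to restrict allowed VLANs also works on its own.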

Application Layer Firewalls

Firewalls can operate at many layers, and have evolved considerably over the years. As the firewall is able to inspect traffic “higher up” in the layers of the OSI model, they are also able to make filtering and forwarding decisions with greater precision. For example, session-aware firewalls are able to consider the validity of a session, and can therefore protect against more sophisticated attacks. Application layer firewalls are application-aware, meaning that they can inspect traffic to the application layers (OSI Layers 5–7), examining and making decisions on the application’s contents. For example, a firewall may allow traffic through to “read” values from a PLC, while blocking all traffic that wants to “write” values back to the PLC.

Similarly, the degree to which a network should be segmented requires both consideration and compromise. A highly segmented network (one with more explicitly defined networks and fewer nodes per network) will benefit in terms of performance and manageability.

Tip

Implementing IP address changes to accommodate routing or address translation may be difficult or even impossible in many existing industrial control environments. While many firewalls provide routing and/or network address translation features, firewalls that can operate in “transparent mode” or “bridge mode” are often easier to deploy.


URL: https://www.sciencedirect.com/science/article/pii/B9780124201149000058

Cloud Infrastructure as a Service

Stephen R. Smoot, Nam K. Tan, in Private Cloud Computing, 2012

Virtual DMZ

Concisely, a virtual DMZ solution requires the use of:

Physical network segmentation with firewalls to maintain stateful traffic inspection of production and nonproduction traffic (for more information, see the Firewall Virtualization section in Chapter 3)

Port profiles to maintain separation of duties (between server and network administrators) and policy enforcement (for more information, see the Whose Turn, Server or Network Administrator? section in Chapter 2)

Authentication, authorization, and accounting (i.e., AAA) model to define access rights and maintain accurate logs

VLANs and PVLANs for isolation of VMs and applications (for details see the VLANs and Private VLANs sections)

ACLs to limit access between DMZ VMs, production networks, and management networks (for details see the Access-Control Lists section)

ERSPAN and NetFlow to increase operational visibility in the virtual DMZ environment (for details see the Port Mirroring and NetFlow sections)

Rate limiting to reduce the effect of malicious traffic generated by denial-of-service (DoS) attacks mounted from compromised VMs or hosts elsewhere

In addition, some general rules-of-thumb to bear in mind are as follows:

Maintain security (e.g., intrusion detection and prevention, firewalling to prevent unwanted traffic, DoS prevention, and so on) as in a physical nonvirtualized environment.

Maintain detailed documentation for virtual and physical network interconnections

Enforce clearly defined change management controls

Enforce a clear separation of roles and responsibilities

Perform ongoing auditing (i.e., logging and audit trails) and monitoring


URL: https://www.sciencedirect.com/science/article/pii/B9780123849199000088

Domain adaptation and continual learning in semantic segmentation

Umberto Michieli, ... Pietro Zanuttigh, in Advanced Methods and Deep Learning in Computer Vision, 2022

8.2.2.1 Input level adaptation

A first strategy is to perform adaptation at the input level, directly on images before they are fed to the segmentation network (as shown in the leftmost part of Fig. 8.2). The idea is to force data samples from either domain to reach a uniform visual appearance, meaning that they not only have to carry high-level semantic similarity, but their low-level statistical discrepancy should be matched as well. This is because low-level domain-dependent attributes, even though they do not define the semantic content of the input image, can still be captured by the prediction model, thus leading to incorrect predictions when a domain change alters them. A clear example of this is synthetic-to-real adaptation: although it may be quite realistic, synthetic data can mimic real-world properties only up to a certain extent. Thus, it is usually possible to find peculiar synthetic traits, however small, which can undermine the efficacy of a model trained on synthetic data in a real-world environment.

The common approach to address domain adaptation at the input level is to map the data to a new image space, where the projected source (or target) samples carry an enhanced perceptual resemblance to target (or source) ones. This is normally achieved with the help of style-transfer techniques, whose objective is turned into matching source and target marginal distributions in the image space. By feeding supervised data from the new domain-invariant space to the segmentation network, the predictor should now be able to retain consistent results across domains.

An upside of this approach is its complete independence from the segmentation network currently in use, which does not require any modification. This, however, comes at a cost: in its vanilla scheme, without any extra regularizing factors, marginal alignment may be performed without the class-conditional distributions being simultaneously matched. In other words, it is possible to end up with domain-invariant representations that nonetheless lack the semantic coherence with the original data that is crucial to solving the segmentation task. To get past this problem, multiple solutions have been proposed to achieve semantically consistent image translations, for example through image reconstruction constraints or additional loss components enforcing the coherence of segmentation predictions.


URL: https://www.sciencedirect.com/science/article/pii/B9780128221099000175

Multimodal medical volumes translation and segmentation with generative adversarial network

Zizhao Zhang, ... Yefeng Zheng, in Handbook of Medical Image Computing and Computer Assisted Intervention, 2020

8.4.3 Multimodal volume segmentation

The second parallel task we address in our method is to make use of synthetic data for improving the generalization of the segmentation network, which is trained together with the generators. From the segmentor view (Fig. 8.2) of SA and SB, the synthetic volumes {GB(xA), yA} and {GA(xB), yB} provide extra training data to help improve the segmentors in an online manner. During training, SA and SB take both real data and synthetic data that are generated by the generators online (see Fig. 8.2). To maximize the usage of synthetic data, we also use reconstructed synthetic data, {GA(GB(xA)), yA} and {GB(GA(xB)), yB}, as inputs of the segmentors.

Note that the most straightforward way to use synthetic data is to fuse it with real data and then train a segmentation CNN. We denote this as an ad hoc offline data augmentation approach. In comparison, our method implicitly performs data augmentation in an online manner. Formulated in our optimization objective, our method can use synthetic data more adaptively, which offers more stable training and thereby better performance than the offline approach. We will demonstrate this in experiments.


URL: https://www.sciencedirect.com/science/article/pii/B9780128161760000132

Connectivity and Networking Technologies

Kenneth Tam, ... Josh More, in UTM Security with Fortinet, 2013

Static Routing

When the FortiGate is deployed as a perimeter device, static routing is the most common routing implementation. This is particularly true when there is limited internal L3 network segmentation. Typically, one default route points toward the Internet and any other routes exist to route internal traffic toward the internal routers.

When running in Transparent mode, this is the only method of routing supported. In some situations, particularly when there are internal routers, you will need to be careful about how you define the static routes. If you use a single default route pointing toward an Internet router, it may become possible for the FortiGate’s firewall engine to view the data path as asymmetric. This will result in dropped packets. To avoid this, it is wise to always configure an internal static route that uses the correct internal interface of the FortiGate and a default route that directs Internet traffic to the external interface. The default route toward the Internet is also required for the FortiGate to be able to retrieve service updates from the FortiGuard network (see Figures 4.1 and 4.2).

Figure 4.1. Two Different TP Mode Scenarios where a Single Default Route will Result in Traffic Problems

Figure 4.2. Two Different TP Mode Scenarios where a Single Default Route will Result in Traffic Problems

When you initially change a FortiGate to operate in TP mode, you will be prompted to enter a default gateway. When using the CLI, adding additional static routes as required is no different than when routing in NAT/Route mode. However, when running in TP mode, you must add the required static routes under System → Network → Routing Table (see Figure 4.3).

Figure 4.3. Both Solutions can be Solved by Specifying both a Default Route to the Internet and Specific Routes for the Internal Networks that are behind the Internal Router
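The asymmetric-path problem described in this Static Routing section, and the longest-prefix lookup that the routing-table paragraph in the glossary at the top of this page refers to, can both be seen in a small model of the firewall's route lookup. The following is an added example, not code from the page or from Fortinet; the interface names, prefixes and next hops are constructed for illustration, and the session check is a simplified model of a stateful firewall expecting reply traffic to leave through the interface the request arrived on, not Fortinet's implementation. With only a default route, the reverse lookup for a host behind the internal router points at the external interface, which is the asymmetry that leads to dropped packets; adding the internal static route makes both lookups agree.

```python
"""Longest-prefix routing lookup, and the symmetric-path check a stateful
firewall in transparent mode needs, with only a default route versus with
an added internal route.

Added example, not code from the page or from Fortinet. Interface names,
prefixes and next hops are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Route entries: (prefix, next hop or None if directly connected, egress interface)
DEFAULT_ONLY = [
    ("0.0.0.0/0", "203.0.113.1", "wan"),       # default route toward the Internet router
    ("10.10.0.0/24", None, "lan"),             # directly connected internal segment
]

WITH_INTERNAL = DEFAULT_ONLY + [
    ("10.20.0.0/16", "10.10.0.254", "lan"),    # networks behind the internal router
]


def lookup(routes, dst):
    """Return (next_hop, interface) for the most specific matching prefix."""
    best = None
    for prefix, next_hop, iface in routes:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[1], best[2])


def session_is_symmetric(routes, ingress_iface, src, dst):
    """A stateful firewall tracks a session by the interface its first packet
    entered on and expects the reply (addressed to `src`) to leave through
    that same interface. Returns False when the reverse lookup disagrees,
    which is the case in which the firewall drops the session's packets."""
    forward = lookup(routes, dst)
    reverse = lookup(routes, src)
    return (forward is not None and reverse is not None
            and reverse[1] == ingress_iface)


if __name__ == "__main__":
    # Host 10.20.5.7 sits behind the internal router and browses to 198.51.100.9.
    for name, routes in [("default only", DEFAULT_ONLY), ("with internal route", WITH_INTERNAL)]:
        print(name, "-> reply leaves via", lookup(routes, "10.20.5.7")[1],
              "| symmetric:", session_is_symmetric(routes, "lan", "10.20.5.7", "198.51.100.9"))
```

The lookup itself is the standard longest-prefix match: the /16 internal route wins over the /0 default for any 10.20.x.x address, which is all the fix in Figure 4.3 relies on.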


URL: https://www.sciencedirect.com/science/article/pii/B9781597497473000041

UNIX and Linux Security

Gerald Beuchelt, in Computer and Information Security Handbook (Third Edition), 2017

Dedicated Administrative Networks

Similarly, interactive access can be restricted to a small number of workstations and access points through the following technologies:

Dedicated physical interface or virtual local area network (VLAN) segmentation: If any interactive or administrative access is limited to separate networks, preferably disconnected from operational networks, the potential attack surface is significantly reduced.

Logical interface: If no physical or VLAN infrastructure is available, UNIX networking stacks typically allow the assignment of additional IP addresses to a single physical networking interface. Although it is more susceptible to lower-level attacks, this approach may be sufficient for the effective separation of networks.

Routing and firewall table design: As a fairly high-level approach, administrators may limit access to specific services from preconfigured IP addresses or networks through careful design of the host-based firewall and the routing tables of the IP stack.

Yale University has an old but useful UNIX networking checklist at http://security.yale.edu/network/unix.html that describes a number of general security settings for UNIX systems in general, and Solaris specifically. A similar, older checklist is available from the CERT Coordination Center (CERT/CC) at Carnegie Mellon University's Software Engineering Institute at https://www.cert.org/tech_tips/unix_configuration_guidelines.html.

Special topics in system administration that also address security issues such as auditing, configuration management, and recovery can be found on the Usenix website at https://www.usenix.org/lisa/books.

Apple provides a detailed document on locking down Mac OS X 10.6 Server: http://images.apple.com/support/security/guides/docs/SnowLeopard_Server_Security_Config_v10.6.pdf.

The US Federal Government operates US-CERT at https://www.us-cert.gov, targeted at technical and nontechnical users in both the government and the private sector. In addition to general information, US-CERT provides information from the National Vulnerability Database, security bulletins, and current threat information.

Finally, let us briefly look at how to improve the security of Linux and UNIX systems. The following part of the chapter describes how to modify Linux and UNIX systems and fix their potential security weaknesses.


URL: https://www.sciencedirect.com/science/article/pii/B9780128038437000119

Scaling Packet Ethernet Services Using Seamless MPLS

Vinod Joseph, Srinivas Mulugu, in Network Convergence, 2014

Flat LDP Core and Aggregation

The flat LDP core and aggregation architecture model applies to small geographies where the core and aggregation networks may not have distinct physical topologies. They are integrated under common operations, and network segmentation is not required for availability reasons. This type of architecture assumes non-MPLS IP/Ethernet or TDM access being aggregated in a small-scale network.

The small-scale aggregation network is assumed to be composed of core and aggregation nodes integrated in a single IGP/LDP domain of fewer than 1000 nodes. Since no segmentation between network layers exists, a flat LDP LSP provides end-to-end reachability across the network. All mobile (and wireline) services are enabled by the aggregation nodes. The mobile access is based on TDM and packet microwave links aggregated in aggregation nodes that provide TDM/ATM/Ethernet VPWS and MPLS VPN transport. This architecture is presented in Figure 4.4.


Figure 4.4. Flat LDP core and aggregation architecture


URL: https://www.sciencedirect.com/science/article/pii/B9780123978776000047

Vulnerabilities to Address

Ira Winkler, Araceli Treu Gomes, in Advanced Persistent Security, 2017

Network Configurations

The design and implementation of a network can create vulnerabilities that should not exist. Even if an attacker manages to find one access point into a network, that should not give the attacker access to every system on the network.

The term flat network means that there is no network segmentation or hierarchy: if you can access one system on the network, you can access all of them. The absence of access controls, network segmentation, and similar configuration principles leaves a network much more vulnerable than it needs to be.

Additionally, it is not uncommon to lose track of a network design and for individual departments to add devices to a network. Some locations acquire their own Internet connections, without the knowledge or approval of the appropriate IT staff. This is known as Shadow IT.

Shadow IT systems are not only unknown, but also frequently poorly maintained and are therefore extremely vulnerable.

Sometimes IT organizations lose control of their network configuration during mergers and acquisitions. When an organization acquires another entity, it traditionally connects the new organization's network directly to its own. Unless there is a knowledgeable IT staff with the authority to isolate the new network until it can be brought up to security standards, the IT department loses control of the network configuration by default.


URL: https://www.sciencedirect.com/science/article/pii/B9780128093160000099

Which networking device used for interconnecting two or more devices?

Routers are general-purpose devices that interconnect two or more heterogeneous networks. They are usually dedicated special-purpose computers, with a separate network interface for each connected network.

Which device is used for interconnecting the networks?

Routers link two or more different networks; these can consist of various types of LAN network segments. A router receives packets and selects the best route on which to forward each packet towards its destination. To do so, routers maintain a table of network prefixes and the next hop or interface for each; this is called a routing table.

Which device is used to communicate with two different networks?

A router is a networking device that forwards data packets between computer networks. Routers perform the traffic-directing functions on the Internet.
A gateway is used to connect two systems, especially when the systems use different protocols.
Unlike less advanced network hubs, a network switch forwards data only to the one or more devices that need to receive it, rather than broadcasting the same data out of each of its ports.
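As an added example (not from either book excerpt) that serves both the FortiGate TP-mode routing discussion around Figures 4.2 and 4.3 and the router questions above, the following code implements the longest-prefix-match lookup a router performs on its routing table. It reproduces the Figure 4.2 problem, in which a table holding only the default route sends traffic for internal networks behind an internal router towards the Internet gateway, and the Figure 4.3 fix of adding specific routes for those networks. The prefixes, next hops and interface names are constructed for the example.

```python
"""Longest-prefix-match forwarding with a default route plus specific routes.

Added example for this page, not from either book: the lookup a router (or a
FortiGate's own routing table in TP mode) performs, showing why a single
default route misdirects traffic for networks behind an internal router and
how specific routes correct it. All prefixes and next hops are constructed.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

Route = Tuple[IPv4Network, IPv4Address, str]  # (prefix, next hop, egress interface)


class RoutingTable:
    """Minimal IPv4 forwarding table with longest-prefix-match lookup."""

    def __init__(self) -> None:
        self._routes: List[Route] = []

    def add(self, prefix: str, next_hop: str, interface: str) -> None:
        self._routes.append((ip_network(prefix), ip_address(next_hop), interface))

    def lookup(self, dst: str) -> Optional[Tuple[str, str, str]]:
        """Return (prefix, next_hop, interface) of the most specific route
        covering dst, or None when no route (not even a default) matches."""
        d = ip_address(dst)
        best: Optional[Route] = None
        for route in self._routes:
            prefix = route[0]
            # A longer prefix is more specific and therefore preferred over
            # a shorter one; 0.0.0.0/0 (the default route) is least specific.
            if d in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = route
        if best is None:
            return None
        return str(best[0]), str(best[1]), best[2]


# Constructed topology: an Internet gateway on wan1, and an internal router on
# the internal segment fronting two further internal networks.
INTERNET_GW = "203.0.113.1"
INTERNAL_ROUTER = "10.10.0.2"


def single_default_route() -> RoutingTable:
    """The Figure 4.2 situation: only the default gateway entered at mode change."""
    rt = RoutingTable()
    rt.add("0.0.0.0/0", INTERNET_GW, "wan1")
    return rt


def default_plus_specific() -> RoutingTable:
    """The Figure 4.3 fix: default route plus routes for the networks behind the internal router."""
    rt = single_default_route()
    rt.add("10.20.0.0/16", INTERNAL_ROUTER, "internal")
    rt.add("10.30.0.0/16", INTERNAL_ROUTER, "internal")
    return rt


if __name__ == "__main__":
    tables = (("default only", single_default_route()),
              ("default + specific", default_plus_specific()))
    for name, rt in tables:
        for dst in ("198.51.100.20", "10.20.5.9"):
            print(f"{name:19s} {dst:15s} -> {rt.lookup(dst)}")
```

With only the default route, a packet for 10.20.5.9 is handed to the Internet gateway on wan1, where it is either discarded or leaks the internal destination outside; with the specific /16 routes added, the same lookup returns the internal router as next hop, while Internet destinations still fall through to the default route. A real table would also contain connected routes for the directly attached segments, which the same longest-prefix rule handles.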