Firewalls, segmentation and disposalWritten by Jens Brogaard
A common technique for improving the security of corporate networks is to break them down into smaller segments by department. The communication between these subnets is monitored, controlled and logged by firewall routers. Attackers and malware that manage to penetrate one of the subnets are prevented from spreading through packet filters. A goal of further enhancing security is the targeted isolation of individual systems and functional entities in their own network segment. This means that even the most vulnerable units can be effectively protected.
Segmentation: Subdivision In Secure Subnet
Internet Protocol IP makes it possible to exchange data across network boundaries. The information encapsulated in IP packets is routed across different routers to their destination.
This routing feature is used by network administrators to split corporate networks into interconnected subnets. The administration computers are assigned to the administration subnet, and also machines in the production get their own network segment as with computers in the department's research and development.
Each of these network segments is connected to the surrounding corporate network via a router. Any communication between the subnet is sent via the routers.
Package Filter For More Security
It is sensible to examine the bypassed data packets at the router and to forward only allowed data packets.
It could be something of interest to the corporate management that employees in the department are free to access websites on the Internet while at the same time, but if sensitive data such as pay or contracts remain inaccessible in the corporate network and the internet. These are available in Windows networks through File and Printer Sharing.
A package filter installed on the router is now examining whether the passing network traffic contains connections used for file and printer sharing. These are TCP connections to ports 139 and 445. If the packet filter detects IP packets containing TCP communication with these ports, they are not forwarded but discarded. While file and printer sharing within the subnet remains functional for administration, it cannot exceed the segment boundaries. Files such as payslips cannot be obtained from other network segments.
A router that filters the data stream in this way is called a card firewall or firewall.
Outline: Targeted Segmentation Of Individual Systems
Firewall rules for large subnets can quickly become confusing. If they are too generous, they can be exploited by the attackers. If they are too narrow, functional limitations may occur. Each terminal in a segment is also a potential source of unwanted access.
Especially units and systems with high protection requirements - eg. Machine tools, medical devices, but also older control computers or computers with obsolete software - sometimes have exploitable vulnerabilities that are no longer subject to the rules.
Dissection means identifying these vulnerable systems in the network and isolating them in a separate network segment - on a secure island - using small firewalls such as Microwall. The necessary connections between systems on the island and the surrounding network are captured in advance and described by a positive list of rules. Only explicitly approved data packets are forwarded, all others discarded and logged if necessary. Insured systems are thus effectively protected against hackers or malware attacks as well as against human error.
There are few systems in these safe islands. The fact that these are protected by a narrow set of rules tailored to the task at hand ensures significantly increased security.
Microwall milling is easy to implement and effectively enhances the security level of your corporate network. This especially benefits small businesses, because if a comprehensive segmentation by department is not worthwhile.
Latest from Jens Brogaard
Leave a comment
Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.