To properly secure a network and its assets, a layered approach is preferred. This method is more commonly known as defense-in-depth and it can be likened to the metaphor of a castle on a hill. The castle is set upon a promontory with the village spread out below.
To attack the castle invaders must fight their way through the village first then up the steep hill to the castle itself. The castle then has many fortifications: a moat with a drawbridge and the ramparts that are manned by skilled marksmen.
Additionally, the castle is built from stone and iron, materials impervious to assault by blunt force and fire. There are watchmen to look out for invaders who can see them coming for miles. The king does not rely on one barrier alone to protect his inner circle of priceless jewels and nobility.
A Layered Approach
Consider the elements of a network and their likeness to this metaphor. There is the DMZ that, like the village, is part of the outer perimeter and enjoys some protection from the king. If invaders take the village, though, they still do not have access to the castle and the crown jewels. Then there is the IPS/IDS like the watchmen on the ramparts and the firewall like the castle itself with a drawbridge, inspecting everything and everyone that comes into the inner circle. Any unused ports of entry or holes in the castle are fortified or barricaded for further protection. Pretty much every cybersecurity defense in this model has its real-world counterpart in the castle metaphor.
Many of the terms found in cybersecurity come from real-world applications, such as military strategies that have been tried and tested over time. Defense-in-depth is a military strategy designed to impede the progress of attackers rather than stop them entirely, thus buying the defensive position time to formulate a plan of attack. This also gave the front lines a fallback position where they could continue to fight from after the outer defensive line was breached. Defense-in-depth as a cybersecurity strategy takes a similar holistic approach to defense, rather than a specific one-to-one control vs. threat style.
Address the Obvious
The first part of this layered approach begins with the identification of critical assets. The value and worst-case scenarios for a breach of these assets should also be considered and compared to the business’ tolerance for risk. To determine the criticality of assets it is important to know what other processes or assets are dependent on that asset and what compensating controls are available if there is no technical solution for its protection. It is also important to know the precise function of critical assets and the resources they depend on. Inventorying all assets and documenting this information will guide the development of security architecture.
Physical security is layer 1 of the perimeter defense. Defensive protections in this layer include controlling access to actual physical assets, as well as locking down the assets themselves. Having a security guard check identification and sorting out the staff from the tailgaters and visitors who don’t need access to the heart of the operation is the outer bound. Using video cameras to survey the site and the entrance can allow remote observation of card reader activity. Placing physical locks on doors to server rooms and locks on laptops to thwart physical access should an intruder succeed in breaching the entrance security is an effective way to keep intruders out of critical systems. Once in the server rooms, console access should be locked down. Any unused physical ports around the facility should also be disabled as well as unused ports on switches.
The Demilitarized Zone
The demilitarized zone (DMZ) is also known as the outer perimeter network, and this is where public-facing servers such as the webserver, wireless access point, and remote systems reside. The DMZ provides both physical and logical separation from the internal networks. When configured properly, the DMZ never sends communications to the inner network. It can only receive communications from there. However, devices in the DMZ are able to send communications out to the Internet to serve up web pages and information required by users that aren’t deemed critical to operations. Should a device on the DMZ be compromised, that is as far as the intruder will get. The DMZ is a dead end in an attack because of its one-way communication configuration toward the Internet. All communications back to the internal network are blocked. A typical firewall can be placed outside the DMZ with public and private interfaces that connect to the insecure devices in the DMZ.
Some specific high-level considerations for developing a DMZ especially in an environment that contains industrial control systems include:
Need-to-Know Role-Based Communication
System administrators and other asset “owners” need to make sure that logical access to the DMZ is limited to only those users who need to have access. Additionally, only applications and services that need to communicate to the DMZ should be allowed. To protect the DMZ further, a heuristic evaluation may be necessary. Observation of typical traffic patterns to develop a baseline of behavior can be compared to events on a daily basis. In this way, the anomalous events are easily noticed. However, this takes constant monitoring, which is one of the main tenets of a secure system. It can never be a set-it-and-forget-it control, but must always be observed and improved where possible.
Data should only be pushed to the DMZ and never flow back into the more secure control or operations levels. Data is only made available to authorized users, and these users are only ever allowed to pull from a DMZ application server, for example. This type of DMZ exists deeper in the network structure and creates a logical separation to prevent intruders from exploiting the trust given to communications that make it through the firewall. This prevents threat actors from pivoting from a DMZ into the crown jewels, such as the control system in a network where IT and industrial control processes are intertwined.
System administrators who manage assets often use DMZs for remote access. It is known that remote access creates serious risks to any system. This risk should be defined and evaluated before even developing remote access policies and procedures. If a threat actor is able to gain access through the less secure environment of a user’s home or even the user’s work environment, they can use the captured credentials to connect to critical assets. A virtual private network (connection) can become a vector for an infected computer into deep enterprise or industrial control system networks. Access should be based on the need to know and hardened to mitigate risk to acceptable levels.
A best practice for remote connections to internal assets is for system administrators to limit the types of connections external users can make. Authorized external connections should only be made to intermediary authentication servers. Multi-factor authentication (MFA) should be required as well as the monitoring of defined rules and connection states. Access is role-based and need-to-know. The servers in the DMZ that allow remote access are called “jump boxes.” This is a slang term that alludes to the fact that the jump boxes allow connectivity to other remote machines less secure than themselves, thus allowing a threat actor to jump into the protected network from an insecure environment. Any applications or services not required for remote access need to be removed or disabled to harden the jump boxes.
Network firewalls are the gatekeepers of the castle. It is typical to have several firewalls within a network protecting each zone that requires controlled access. There may be one before the DMZ and after it. There may be one before an industrial control zone and one before an enterprise zone. It all depends on where the assets are and the degree to which they require communication with specified users. The basic rule of thumb with a firewall is to deny all traffic and then specify which ports, applications, and IP addresses are allowed through. So ultimately, after specifying all the specific allowed traffic, the final rule is to deny all.
A basic network firewall’s particular function is to inspect data at the packet level, monitoring and logging all traffic permitted in and out of the connection. This kind of firewall creates boundaries, segmenting the network into separate domains which also improves the efficiency of communication by decreasing the number of domain collisions. Firewalls can also stop users from accessing networks without proper authentication and more.
Host firewalls protect hosts as their name implies. Most operating systems come complete with their own firewalls, which can sort communications in and out of the host based on the same criteria of a basic network firewall — IP addresses, applications, and port numbers can all be screened at the host level. Other assets require hardware firewalls in line with the asset. Again, to lock down a host, everything that is not explicitly allowed and necessary for host functioning should be denied.
Firewalls can be of several different or combinations of many types. The first, which has already been mentioned, is the packet-filtering firewall. This type of firewall filters traffic based on configured rules and controls traffic at Levels 1-3 of the open systems interconnection (OSI) model. This article is not going to get into a discussion of the OSI model of communications, but for a quick refresher, Layer 1 is the physical layer, Layer 2 is the data link layer, and Layer 3 is the network layer. Layer 1 filters bits, Layer 2 filters frames, and Layer 3 filters packets. Layer 4, or the transport layer can also be employed, which filters by qualities of information segments. This is why these types of firewalls can filter by both media access code (MAC) addresses and IP addresses, as well as by logical port numbers. Though MAC addresses, IP addresses, and port numbers of a message’s origin can all be spoofed, this is still a good first-line defense.
Next are circuit-level gateway firewalls that filter at Layer 5, the session layer, and allow only specified sessions to communicate. They control session access by monitoring the TCP-IP handshake that must occur to establish a session. For a refresher, the TCP 3-way handshake involves SYN, SYN-ACK, ACK. That is, when a client wants to establish a session with a server, for example, the client initiates the communication with a synchronization segment and establishes the connection. This segment also helps synchronize sequence numbers between devices. The server sends its acknowledgment back, which is the client’s sequence number incremented by 1, plus the server’s sequence number. This effectively confirms transmission was received and specifies the sequence number the devices use to begin communicating. Finally, the client sends back its acknowledgment, which is the server’s sequence number incremented by 1.
Level 7, or application layer, firewalls are also known as an application or application-level proxy firewalls. This involves an application that runs on top of a firewall, which can be hardware or software, between two networks. For example, if a client makes a request to a server for a service that sits behind the proxy, it will not be allowed to communicate directly with the server. The proxy inspects all packets and handles the flow of information to and from the server. In this way, the client is never allowed to directly interact with the server. Thus it cannot even “see” the server. This kind of firewall is very costly in terms of processing power and memory, though. That is why even though it is a very secure type of firewall, it is less often used than its counterparts.
A stateful inspection firewall is commonly known as a stateful firewall. It is called stateful because it takes the context of the communications between clients and servers or services into account in deciding whether to permit communication to an asset, as well as by the rules that have been defined by the administrator. It does this by examining the types of packets and comparing them with the IP addresses, ports and sequence numbers of packets, etc., going over the connections. Because it operates by inspecting packets, it is a Layer 3 or network firewall. Records of these packets and their states are kept in a table, and once communication is established, there is no more need for the processor to expend itself comparing packets to the table. In this way, it’s less resource-intensive than a proxy-level gateway firewall.
Intrusion Detection Systems (IDS)
Network Intrusion Detection Systems (NIDS) are usually what is thought of when using the term Intrusion Detection Systems. Of course, there are host-based intrusion detection systems (HIDS), as well, but those should be considered when locking down individual assets. For now, NIDS and IDS will be used interchangeably. Also, an IDS should be placed inline with Firewalls.
So, an IDS works by analyzing the network traffic passing through it to determine anomalous behavior. The types of behavior monitored can include originating IP addresses, their destinations, certain protocols, and packet sizes, etc. The most well known and used is a signature-based IDS. The IDS monitors network traffic and can be used to determine a baseline that is then compared against data flows. The IDS can alert when it “thinks” an attack is happening or maybe about to happen, and it can provide records of what did happen during an attack.
What is really cool is that for an industrial control system, sometimes the engineer creators of hardware and software control systems already know what their instrument signature should look like. Loading these signatures into the IDS makes it easy to quickly detect and report anomalous behavior.
However, an IDS has its limitations. It cannot stop attacks from happening. It cannot tell you whether or not a system was exploited. It requires human analysis to determine what happened, and it does not monitor system console activity.
Intrusion Prevention Systems (IPS)
Intrusion prevention systems have the same operations, benefits and limitations of IDSs, but with the added ability to actually thwart what it thinks is an attack. The IPS stores data about the typical operation of a network or a control system and compares traffic to that data. If the traffic doesn’t match, the IPS can block it. As mentioned previously under IPSs, the IDS has the capability to exist in line with industrial controls and can be tuned to react only in extreme circumstances where the deviation from the baseline signature varies greatly, thus limiting the number of times a control system might stop unnecessarily due to a false positive.
This paper has only addressed top-level design considerations with the major types of equipment found at the perimeters of inner and outer networks. There are many and more detailed controls that exist within these networks and on the hosts and servers themselves that should be employed to create a secure architecture. For example, any secure machine should have all ports and services disabled that are not in use. Patches should be kept up-to-date, and anti-malware should be installed. Configure the host-based firewalls to block anything not explicitly permitted, and use host-based intrusion detection/prevention systems where possible or applicable considering the risk of the asset being protected. All policies and procedures should reflect the principles of least privilege and need to know access. ACLs should also reflect this. And so on.
For an in-depth comprehensive evaluation of your security architecture, it is important to turn to someone who has expertise in your particular industry who knows what specific controls should be part of your security posture. These controls are implemented on top of the existing network architecture and can be modified or added to meet various compliance framework requirements. Often, businesses do not have these experts in-house. But there is an easier way to get your business what it needs.
RSI Security has been helping companies large and small for over 10 years to achieve their desired security postures and gain compliance under multiple complex frameworks. These requirements are often dictated by the law, which means there are penalties for negligence and deficiencies that can lead to data breaches. Those breaches can also be very costly to both the brand reputation and the business coffers. To find out more about what your company should be doing to prevent a breach and stay compliant with laws and regulations, contact RSI Security for a FREE consultation today.