Werner Schmidt
Enterprise Networking and Security Expert

Corporate networks more vulnerable than the Titanic

During assessment reviews, one of the common architectural design flaws I still see quite a lot of is the absence of a network DMZ. The Titanic had 16 watertight compartments and it still sank. We wouldn’t even consider building something as important as a large cruise ship today with a single compartment, and yet I run into corporate networks that do exactly that: corporate networks with one security zone.

Whether it is a port-redirect NAT (a VIP in Juniper Networks ScreenOS terms) or a one-to-one address NAT (a MIP), the effect is the same: a single public port or a single public address is forwarded to a single target server in the internal network. At first glance this seems innocent; after all, access is only being explicitly given to a single resource, so what can be the harm in that? The problem is that a flow has been allowed from the Untrust (Internet) zone into the Trust (internal) zone. If that server can be breached, whether through a vulnerability, a brute-forced password or simple misconfiguration, it can be used as a beachhead to attack and gain access to other systems in the network.

This is referred to as a leapfrog (or pivot) attack: the attacker first gains access to an externally reachable system and then uses it to leapfrog to other systems that are not externally accessible but are reachable from the breached host. Because that host sits in the internal network and no firewall separates it from the other devices there, it can do this relatively unhindered; the only thing in the way is whatever endpoint protection happens to be in place on every single system in the network. Telnet, RDP, HTTP, SSH and other ordinary management protocols can be used to reach the other internal systems, and because that traffic never crosses the firewall, it never shows up in the firewall’s logs either.

DMZ design
Now let’s take a look at a better design using a DMZ (literally a demilitarized zone). In this case we place exposed public assets in a separate security zone from the internal network. Consider anything in the DMZ a sacrificial system. We then strictly control access with the following session flows, and nothing else:
  • Allow Untrust (Internet) to DMZ, and only to the published servers and services
  • Allow Trust (internal network) to Untrust (Internet)
  • Possibly allow Trust to DMZ (optional, for administration, restricted to the needed hosts and services)
Now a breached server in the DMZ can no longer reach the internal network. A leapfrog attack still works within a zone, but it cannot cross into a zone where no policy permits the flow: with no DMZ-to-Trust policy, the firewall’s implicit deny stops it. This is the fundamental benefit of compartmentalizing access with security zones and policies. Two cautions follow from the same logic. Every DMZ-to-Trust exception added later (a web front end that needs a database in Trust, for example) reopens exactly the path this design closed, so keep such exceptions to single hosts and single services. And a DMZ server with no outbound policy also cannot call home, so leave DMZ-to-Untrust denied unless a specific server needs it.
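To make the difference concrete, here is a small zone-based policy evaluator written for this post; it is an added example, not ScreenOS or PAN-OS code, and every address, zone name and policy in it is constructed. It models the two designs above and asks the question a pentester would ask after breaching the web server: which internal hosts and services can I open sessions to from here?

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    """One inter-zone rule: a simplified, hypothetical form of a ScreenOS/PAN-OS policy."""
    from_zone: str
    to_zone: str
    dst: str        # destination CIDR, or "any"
    service: str    # e.g. "tcp/443", or "any"
    action: str     # "permit" or "deny"


class ZoneFirewall:
    """Tiny zone-based policy evaluator (added example, not any vendor's engine)."""

    def __init__(self, zones, policies):
        # zones: {zone name: [CIDR, ...]}; an address belongs to its most specific match
        self.zones = {name: [ip_network(c) for c in cidrs] for name, cidrs in zones.items()}
        self.policies = list(policies)

    def zone_of(self, ip):
        addr = ip_address(ip)
        best = None
        for name, nets in self.zones.items():
            for net in nets:
                if addr in net and (best is None or net.prefixlen > best[1]):
                    best = (name, net.prefixlen)
        if best is None:
            raise ValueError(f"{ip} is not in any zone")
        return best[0]

    def allows(self, src_ip, dst_ip, service):
        src_zone, dst_zone = self.zone_of(src_ip), self.zone_of(dst_ip)
        if src_zone == dst_zone:
            # Hosts in one zone reach each other without ever crossing the firewall:
            # nothing polices the flow except whatever runs on the endpoints.
            return True
        for p in self.policies:            # first matching policy wins
            if p.from_zone != src_zone or p.to_zone != dst_zone:
                continue
            if p.dst != "any" and ip_address(dst_ip) not in ip_network(p.dst):
                continue
            if p.service not in ("any", service):
                continue
            return p.action == "permit"
        return False                       # no policy at all: implicit deny


def reachable_from(fw, breached_ip, targets, services):
    """Which (target, service) pairs can a breached host open sessions to?"""
    return sorted((t, s) for t in targets for s in services if fw.allows(breached_ip, t, s))


# Constructed addresses (RFC 5737 documentation range and RFC 1918), not from the post.
ATTACKER = "203.0.113.5"
INTERNAL_TARGETS = ["10.0.2.20", "10.0.3.30"]      # say, a file server and a domain controller
LATERAL = ["tcp/22", "tcp/23", "tcp/80", "tcp/3389"]   # ssh, telnet, http, RDP

# Design 1: one security zone; a MIP/VIP-style hole forwards 443 to an internal web server.
single_zone = ZoneFirewall(
    zones={"Untrust": ["0.0.0.0/0"], "Trust": ["10.0.0.0/8"]},
    policies=[
        Policy("Untrust", "Trust", "10.0.1.10/32", "tcp/443", "permit"),
        Policy("Trust", "Untrust", "any", "any", "permit"),
    ],
)

# Design 2: the same web server moved into a DMZ zone, with the three flows from the post.
dmz_design = ZoneFirewall(
    zones={"Untrust": ["0.0.0.0/0"], "DMZ": ["172.16.0.0/24"], "Trust": ["10.0.0.0/8"]},
    policies=[
        Policy("Untrust", "DMZ", "172.16.0.10/32", "tcp/443", "permit"),
        Policy("Trust", "Untrust", "any", "any", "permit"),
        Policy("Trust", "DMZ", "172.16.0.10/32", "tcp/22", "permit"),   # optional admin access
    ],
)


def pivot_surface(design, web_server):
    """Internal (target, service) pairs reachable from the breached web server."""
    return reachable_from(design, web_server, INTERNAL_TARGETS, LATERAL)


if __name__ == "__main__":
    print("single zone:", pivot_surface(single_zone, "10.0.1.10"))    # every target, every service
    print("dmz design: ", pivot_surface(dmz_design, "172.16.0.10"))   # []
```

In the single-zone design the breached web server sits in Trust, so `allows()` never consults a policy for its lateral traffic and all eight host/service combinations come back reachable. In the DMZ design the same host is in DMZ, no DMZ-to-Trust policy exists, and the implicit deny returns nothing. The model also shows where the risk comes back: Trust-to-DMZ sessions are still permitted, so the breached DMZ server can still answer (and abuse) whatever internal clients connect to it, and any DMZ-to-Trust policy you add later is the only thing that changes the empty result.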

With zone-based firewalls and multiple ports, this is a very easy and highly recommended design change. I recommend multiple DMZs and additional segmentation of the network among users and servers. The key concept is containment: limit the exposure from a cyber threat that enters your network by maximizing segmentation and zoning. Even the smallest Palo Alto Networks firewall (the PA-500) has 8 ports on it. When combined with threat inspection for detecting viruses, spyware and other malware on the flows that do cross zones, this becomes a very powerful security gateway.



SSL VPN or IPSec client?

Remote users are a real challenge to embrace and secure within a corporate network. Can we really extend the internal network into an untrusted or unknown personal residence? There are the details of managed or unmanaged devices on a managed or unmanaged network and what each combination means from a security perspective. Couple that with the concerns of lost devices and more and more PDAs and other devices like the Apple iPad, and things can be downright confusing and concerning.

Traditional IPSec clients were always the preference for dealing with remote endpoints that were either desktops or laptops. They were ideal for managed devices across unmanaged networks: the IPSec tunnel encrypts the traffic, so the untrusted network in between cannot read or alter it. For the most part we were used to having managed devices. IT would install the client, and an authorized, managed device would be given or sent to the end user.

As users changed, we got more laptops into the mix and access started happening from unmanaged devices and unmanaged networks. Deploying and provisioning IPSec clients became challenging, along with the need to restrict where these untrusted, unmanaged devices could go in our networks. SSL VPN became the solution for dealing with these problems: it needs little more than a browser on the endpoint, and the gateway can publish individual applications rather than a full network-level tunnel, so an unmanaged device can be limited to a few resources.

Now we have a world of personal devices, large amounts of sensitive data on devices that are prone to being stolen, and users who will not tolerate being limited to corporate-supported and approved devices. We need to support a wide variety of platforms so that they can connect to our corporate resources, while making sure these often unmanaged personal devices meet our security requirements.

We have to look at the provisioning problem separately from the access problem. The choice is no longer so clear. We need ubiquitous access and we need it to be secure. SSL VPN still offers a lot of choices with granular control, extensive logging and easy provisioning. IPSec clients have also come a long way, and we offer two worth considering. We offer Juniper Pulse for a variety of smart phones. It offers cloud-based provisioning and several enterprise features for managing the devices while allowing them to connect as secure VPN clients. We also offer an individual or enterprise IPSec client (more info soon on the web site, contact me) that works with laptops and phones. It can work with existing AD directory infrastructure, offers a centrally managed desktop firewall application to provide granular access control on the endpoint, and runs on corporate-managed devices (real or virtual).

The good news is that we’re finally seeing robust solutions to manage the unmanaged endpoints while giving the kind of security oversight that is required. Whether it’s SSL VPN or IPSec VPN clients, we have solutions available today to choose from.

5,000 Square Feet of Heaven

For those that have been reading my blog, you know that our youngest son joined the U.S. Marine Corps a while ago now and went into boot camp this past summer. Since then he graduated from that and went to Camp Pendleton for combat training. Every single Marine is trained as a rifleman. For those that feel the same way as an individual, you might want to check out the Appleseed project for your older kids or yourself. We got to see our son and a couple of other Marines during Thanksgiving and a couple of liberties (on base, off base and restricted to one portion of base). Camp Pendleton is huge! One of the most relaxing liberties was the one restricted to one area on the base; specifically, we spent it all around one cement picnic table. Of course the boys enjoyed the KFC chicken, donuts and drinks we brought. It was an outstanding day. As for our son, food, phone, newspaper and liberty, it doesn’t get much better than that, even while on base and especially away from the squad bay.

We were very blessed to be able to spend the time with him and his two other liberty buddies. In the midst of all that and his stay at Camp Pendleton, our son got rather sick and with much coercion (Marines and guy thing), we got him to see a doctor during his off base liberty. He was diagnosed with pneumonia, which put a damper on his activities during liberty. He was absolutely zonked and fatigued. He did have to travel to Pensacola, Florida out of San Diego in the wee hours while still being quite sick. In that process, he checked out the local USO at the San Diego Airport with some prodding. All I can say is that it was 5,000 square feet of heaven. We arrived later in the morning to see our son during his long airport wait. From the moment we pulled up to the curb to meet a spry, energetic, thankful senior volunteer with more life and zeal than most teenagers, it was an uplifting experience. The USO has been around for almost 70 years; perhaps you know of them from Bob Hope. Their goal, via thousands of volunteers, is to lift the spirits of America’s troops and their families. They did that and then some. Comfortable chairs, kitchen area, TV, children’s play area for the kids, Internet access and loving, caring people. It was quiet and relaxing. I can’t begin to describe the blessing of setting off our son in the right spirits even while being dismally sick. On the other end in Florida, it also meant a shuttle ride to the base. We’re members of the USO; it’s a non-profit and non-political organization. Please check them out. I know of at least one of our customers personally involved with this superb organization.