Even our terminology reflects what we think about security. Case in point: the very name of what we call the first line of perimeter defense, a firewall, shows our antiquated thinking about the defensive posture of the network. Somehow, we are still in the realm of thinking about moats and castle walls while we have people paratrooping from a jet.
Along the same lines, the way I like to design networks is to drop the idea of the network as a “building” and start thinking of it as a submarine. Submarines are designed to take a hit and withstand a certain amount of attack damage even in the deep sea, and their design takes into account the high likelihood of being breached. A sub may be breached by uncharted depths, or by being torpedoed or otherwise attacked, but it is designed so that not everything fails when a breach occurs.
Submarines are designed to acknowledge the fact that a breach may happen, and operate on the idea that the breach must be contained. A submarine crew understands, “this part of our environment is compromised. We have to sacrifice this part so that the submarine stays functional, so that it survives. We need to quarantine the area until we can make it habitable again.”
So why don’t we acknowledge that in InfoSec? For example, wouldn’t it make sense to have the accounting department compartmentalized from the rest of the company? Why not have certain channels with chokepoints? This is a practice savvy security folks have accomplished, but looking at it from the submarine perspective allows you to design a network with the same mentality.
Stop using firewalls as the external perimeter that “can’t be breached,” and start using airlock doors which can be sealed off within a submarine.
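To make the airlock idea concrete, here is an added example (my own illustration, not code from the original post or from Pwnie Express) of a default-deny policy between compartments. The address plan, segment names and the jump host are all constructed for the example. Every door between compartments is listed explicitly, the accounting database is reachable only through a chokepoint, and a compromised compartment can be sealed so that nothing passes in or out until it is habitable again:

```python
import ipaddress

# Hypothetical address plan: four compartments of the "boat" (constructed for this example).
SEGMENTS = {
    "internet":        ipaddress.ip_network("0.0.0.0/0"),
    "user_lan":        ipaddress.ip_network("10.10.0.0/16"),
    "accounting":      ipaddress.ip_network("10.20.0.0/24"),
    "accounting_jump": ipaddress.ip_network("10.20.1.5/32"),  # the chokepoint into accounting
}

# The only doors between compartments: (source segment, destination segment, destination port).
# Anything not listed is denied, so the finance database is reachable only via the jump host.
ALLOWED_FLOWS = {
    ("user_lan", "accounting_jump", 22),      # staff enter accounting through the airlock
    ("accounting_jump", "accounting", 1433),  # only the jump host talks to the finance DB
    ("user_lan", "internet", 443),            # general web access from the user LAN
}


class AirlockPolicy:
    """Default-deny policy between compartments, with the ability to seal one off."""

    def __init__(self, segments, allowed_flows):
        self.segments = segments
        self.allowed = set(allowed_flows)
        self.sealed = set()  # compartments currently quarantined

    def segment_of(self, ip):
        """Longest-prefix match of an address to its compartment name."""
        addr = ipaddress.ip_address(ip)
        best = None
        for name, net in self.segments.items():
            if addr in net and (best is None or net.prefixlen > self.segments[best].prefixlen):
                best = name
        return best

    def decide(self, src_ip, dst_ip, dst_port):
        src, dst = self.segment_of(src_ip), self.segment_of(dst_ip)
        if src == dst:
            return "allow"  # traffic inside one compartment never crosses an airlock
        if src in self.sealed or dst in self.sealed:
            return "deny"   # the door on a sealed compartment is shut in both directions
        return "allow" if (src, dst, dst_port) in self.allowed else "deny"

    def seal(self, segment):
        """Quarantine a compartment: cut every flow in or out until it is habitable again."""
        self.sealed.add(segment)

    def unseal(self, segment):
        self.sealed.discard(segment)


def walkthrough():
    """Decisions before and after the user LAN is found to be compromised."""
    policy = AirlockPolicy(SEGMENTS, ALLOWED_FLOWS)
    before = {
        "workstation -> finance DB directly": policy.decide("10.10.5.7", "10.20.0.10", 1433),
        "workstation -> jump host (ssh)":     policy.decide("10.10.5.7", "10.20.1.5", 22),
        "jump host -> finance DB":            policy.decide("10.20.1.5", "10.20.0.10", 1433),
        "finance DB -> internet":             policy.decide("10.20.0.10", "203.0.113.9", 443),
    }
    policy.seal("user_lan")  # the crew decides this compartment is flooded
    after = {
        "workstation -> jump host (ssh)":     policy.decide("10.10.5.7", "10.20.1.5", 22),
        "workstation -> internet":            policy.decide("10.10.5.7", "203.0.113.9", 443),
        "jump host -> finance DB":            policy.decide("10.20.1.5", "10.20.0.10", 1433),
    }
    return before, after


if __name__ == "__main__":
    for phase, decisions in zip(("before seal", "after seal"), walkthrough()):
        for label, verdict in decisions.items():
            print(f"{phase}: {label}: {verdict}")
```

The point of the walkthrough is the second half: once `user_lan` is sealed, the workstation can no longer reach even the jump host, while the jump host keeps serving the finance database, so the rest of the boat stays functional. In a real deployment the same allow list would be expressed as firewall or VLAN ACL rules at each chokepoint, and "seal" would be a pre-staged rule change rather than a method call.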
Implementing the Submarine Mentality
We have to start evolving – and understanding. I think people have really shied away from treating their networks as untrusted or potentially untrusted because human nature tells you to believe that bad things aren’t gonna happen to you. But we need to start looking within and thinking: what would happen if this part of the network was compromised or contaminated? How would I be able to stop them from getting the keys to the kingdom?
I’m not saying that I don’t trust my defenses – I just recognize that defenses get breached. Every network I’ve designed in the last decade is not just: how do I find the breach? It’s: how do I contain it?
There’s something great about this being on the Pwnie Express blog, because it’s absolutely vital to look at indicator warnings. A device detection technology like Pwn Pulse will help you detect when a breach is imminent, when something is off or might be faulty. Using your Intrusion Detection Systems or looking at the loads on your system can help with detection as well. You have to look not just at what is on your network or is coming onto your network – take more time to inspect what’s leaving your network. If you don’t know your submarine is leaking, how do you contain it? How do you stop it before you’ve sunk?
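As an added example of "inspect what's leaving your network" (again my own illustration, not code from the post or from Pwn Pulse), here is a small egress check run over a handful of constructed NetFlow-style records. The segments, the expected-egress table and the volume threshold are assumptions you would replace with your own baseline. It flags three kinds of leak: a compartment that should never talk out at all, an outbound connection on a port the compartment does not normally use, and an outbound volume that is out of proportion for one source/destination pair:

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed NetFlow-style records (fabricated for this example; the external
# addresses are documentation ranges, not real hosts).
FLOW_LOG = """\
ts,src,dst,dport,bytes
2024-01-01T09:00:01,10.10.5.7,203.0.113.20,443,18230
2024-01-01T09:00:05,10.10.5.7,203.0.113.20,443,22010
2024-01-01T09:01:10,10.20.0.10,203.0.113.9,443,1200
2024-01-01T09:02:00,10.10.8.3,198.51.100.12,8443,950000
2024-01-01T09:02:30,10.10.8.3,198.51.100.12,8443,870000
2024-01-01T09:03:00,10.10.5.9,10.10.5.10,445,4000
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # everything inside the hull
SEGMENTS = {
    "user_lan":   ipaddress.ip_network("10.10.0.0/16"),
    "accounting": ipaddress.ip_network("10.20.0.0/24"),
}
# What each compartment is expected to send out; accounting should never talk out directly.
EXPECTED_EGRESS_PORTS = {"user_lan": {80, 443}, "accounting": set()}
VOLUME_THRESHOLD = 1_000_000  # bytes per (src, dst) pair in the window; tune to your own baseline


def segment_of(addr):
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def parse_flows(text):
    rows = csv.DictReader(io.StringIO(text))
    return [{"ts": r["ts"], "src": r["src"], "dst": r["dst"],
             "dport": int(r["dport"]), "bytes": int(r["bytes"])} for r in rows]


def analyse_egress(flows):
    """Return (src, dst, reason) findings for traffic leaving the network."""
    findings = []
    volume = defaultdict(int)

    def note(src, dst, reason):
        if (src, dst, reason) not in findings:  # one finding per distinct condition
            findings.append((src, dst, reason))

    for f in flows:
        if ipaddress.ip_address(f["dst"]) in INTERNAL:
            continue  # lateral traffic is a separate check; this one is about what leaves
        seg = segment_of(ipaddress.ip_address(f["src"])) or "unknown"
        expected = EXPECTED_EGRESS_PORTS.get(seg, set())
        if not expected:
            note(f["src"], f["dst"], f"egress from compartment {seg} that should not talk out")
        elif f["dport"] not in expected:
            note(f["src"], f["dst"], f"egress on unexpected port {f['dport']}")
        volume[(f["src"], f["dst"])] += f["bytes"]

    for (src, dst), total in volume.items():
        if total > VOLUME_THRESHOLD:
            note(src, dst, f"outbound volume {total} bytes exceeds threshold {VOLUME_THRESHOLD}")
    return findings


if __name__ == "__main__":
    for src, dst, reason in analyse_egress(parse_flows(FLOW_LOG)):
        print(f"{src} -> {dst}: {reason}")
```

On the sample records the ordinary web traffic from 10.10.5.7 passes quietly, the accounting host is reported the moment it talks to the outside at all, and 10.10.8.3 is reported twice, once for the odd port and once for pushing about 1.8 MB to a single external host. The internal SMB flow is skipped because it never left the boat; that is the kind of thing the compartment policy, not the egress check, is there to catch.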
In addition, there are a lot of technologies out there (though I won’t get vendor specific); most application-level firewalls, I think, support domain user role-based access. Without that, your access is determined simply by how you’ve logged in to the network and to the domain, which gives you lots more access.
Granted, this is not a cheap solution, but it is a secure solution. It’s one of those things I recommend you use internally first for your biggest assets. In security, it’s vital to ask yourself: what do you need to protect the most? Once you’ve figured that out, you protect it not only from the outside world, but from your internal network as well.
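Here is an added example of what that role-aware, inside-facing check looks like in code (my own illustration; the asset names, tiers, roles and compartment names are constructed and are not from the post or any vendor product). The decision needs both a permitted role and a permitted source compartment, so a domain admin logging in from the general user LAN is turned away from a tier-0 asset and has to come through the admin chokepoint:

```python
# Crown-jewel access: role alone is not enough; the request must also arrive
# through the right compartment. Names and tiers are constructed for this example.
ASSETS = {
    # tier 0: the biggest assets, reachable only via a chokepoint
    "payroll_db": {"tier": 0, "roles": {"finance_admin"}, "from": {"accounting_jump"}},
    "dc01":       {"tier": 0, "roles": {"domain_admin"},  "from": {"admin_jump"}},
    # tier 2: ordinary shared resources
    "file_share": {"tier": 2, "roles": {"staff", "finance_admin", "domain_admin"},
                   "from": {"user_lan", "accounting"}},
}


def authorize(principal, asset_name):
    """Decide (verdict, reason) for a session described by its role and source compartment."""
    asset = ASSETS.get(asset_name)
    if asset is None:
        return "deny", "unknown asset"
    if principal["role"] not in asset["roles"]:
        return "deny", f"role {principal['role']} not entitled to {asset_name}"
    if principal["segment"] not in asset["from"]:
        return "deny", (f"tier {asset['tier']} asset {asset_name} is not reachable from "
                        f"{principal['segment']}; use {sorted(asset['from'])}")
    return "allow", f"{principal['role']} from {principal['segment']}"


def audit(requests):
    """Evaluate (principal, asset) requests; returns (name, asset, verdict, reason) per request."""
    return [(p["name"], a, *authorize(p, a)) for p, a in requests]


SAMPLE_REQUESTS = [  # constructed sessions
    ({"name": "alice", "role": "domain_admin",  "segment": "user_lan"},        "dc01"),
    ({"name": "alice", "role": "domain_admin",  "segment": "admin_jump"},      "dc01"),
    ({"name": "bob",   "role": "staff",         "segment": "user_lan"},        "payroll_db"),
    ({"name": "carol", "role": "finance_admin", "segment": "accounting"},      "payroll_db"),
    ({"name": "carol", "role": "finance_admin", "segment": "accounting_jump"}, "payroll_db"),
    ({"name": "bob",   "role": "staff",         "segment": "user_lan"},        "file_share"),
]

if __name__ == "__main__":
    for name, asset, verdict, reason in audit(SAMPLE_REQUESTS):
        print(f"{name:6} -> {asset:10} {verdict:5} ({reason})")
```

Note that carol is the right role for payroll and still gets denied from the accounting LAN itself; only the session that came through the jump host is allowed. That is the "protect it from your internal network as well" part: being on the inside, or even being an admin, does not by itself open the door to the biggest assets.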