Maksim Kabakou - Fotolia
Security Think Tank: How to realise the benefits of security zoning
What are the security benefits and challenges of segregating IT environments, and how best are these challenges overcome?
Flat, layer two switched networks are often preferred by network designers, as they require fewer routers and switches and are seen as easier to manage and more efficient.
However, from a security point of view, they provide a challenge because flat architectures make internal monitoring more difficult, attacker lateral movement and persistence easier, and hence detection and incident response slower and more costly.
I like to use the analogy of a bank. When you enter a bank, the tellers are behind a screen in a secure area and the money is stored in a secure vault well out of site. If you walked into a bank and the tellers were sat at desks in an open room with piles of money stacked beside them, would you use that bank? Probably not, so why build IT environments like that?
When your system is targeted, typically an attacker will use a phishing email or compromised website to get a foothold and then escalate privileges on the compromised machine. Their next step will be to scan the environment to identify servers and other user hosts that can be compromised to maintain persistence.
In a flat network, an attacker will be able to see everything on the network and there are no obvious points where monitoring could be deployed to detect this recognisance and lateral movement. The attacker can therefore easily identify target servers and establish persistence through compromise of other hosts without being detected.
Zoning in on security
segregation or zoning is often seen as simply allowing monitoring by creating layer 3 inter-networking points to limit lateral movement and increase visibility.
However, while simply creating zones can be valuable, it also allows other defensive measures to be implemented and should be seen as the first step in a strategy to make the environment hostile to the attacker. This is essentially achieved by limiting the functionality of the network so as to eliminate connectivity that can be exploited by an attacker without affecting legitimate use.
Zoning is typically achieved by creating different security zones within the environment based on subnets or IP address ranges, and implemented using virtual local area networks (VLANs) to reduce infrastructure cost. The mapping of IP address ranges to security zones then simplifies the rule sets needed at the interconnection points and simplifies maintenance.
Zoning allows user hosts to be grouped into one or more zones, while other zones containing externally facing services, internal servers, development team workstations and administrator workstations may also be created. This allows access between the different zones and to and from the internet to be controlled and monitored using Layer 3 routers, firewalls, or intrusion detection systems (IDSs).
For example, internal servers do not need direct access to the internet, only to an update server either in a DMZ or within another zone. Therefore, if an attacker could install malware from a user workstation onto a server, they could not establish a direct command and control channel to it.
This approach also enables other controls to be activated to disrupt an attacker. For example, user hosts will need to access internal servers and the internet, and administrators will need to access user hosts. User hosts however do not need to connect to other user hosts, and should not accept administration traffic (WMI and remote PowerShell commands, for example) other than from administrator workstations.
As there is no need for a host to communicate inside their own security zone, host firewalls can simply be configured to block any traffic from within their own security zone and any administrator traffic other than from known administrator workstations. There are many other examples where such measures can be taken and these are simple to implement and manage in a properly designed zoned network.
Costs and savings
Similar principles can be applied using software-defined networks (SDN) and in hybrid networks with both on premises and cloud services, where the concepts need to be extended to the cloud.
Measures of this kind severely restrict the ability of an attacker to establish persistence and make their activities much more visible, but in practice are rarely implemented to the full.
The objections raised to implementing such a strategy are normally the cost of extra routing and monitoring equipment, increased management overhead and impact on performance or functionality.
If implemented properly, there should be no loss of functionality, but performance may be an issue where cloud services are included, as there needs to be as little infrastructure as possible between the user and the cloud to maintain performance levels for users.
There will be a cost to add the routing and monitoring points, such strategies can be implemented using basic routers and firewalls and the security features built in to operating systems.
Zoning is therefore suitable for small and medium-sized enterprises (SMEs) and may allow larger enterprises to reduce their reliance on expensive endpoint and network detection capabilities.
Once in place, there should not be an increase in management workload if implemented correctly. However, the policies need to be clear and practical, as admins will have less opportunity to use workarounds.
However, there will be an ongoing saving in terms of incident response costs, which could be considerable, because any intrusion is likely to be detected earlier and there will be much less opportunity for the attacker to gain persistence. This and reductions of other costs attributable to countering and responding to an attack are likely to outweigh any extra costs.
Implementing zoning may have an effect on performance because of the extra routing between zones where users need to access large volumes of data. In these cases, careful network design will be required, but for most networks, users should not experience any additional delays or performance issues.
In practice, the main challenges to implementing zoning come from the need to re-architect existing IT infrastructures, together with the lack of a strategic approach targeting the clear benefits that can be gained.
While it can be difficult re-engineering an existing environment, it can be worthwhile and cost effective if done properly, and there is no question that when creating a new network infrastructure, a strategic approach to zoning should be developed and implemented and will reduce through life costs.
The strategy needs to be developed jointly by the relevant security, IT and business stakeholders so that there is buy-in to the value of the security benefits and consequential business benefits, as well as to ensure that the final solution has positive security and through life cost benefits, without affecting its purpose or the user experience.
