Changes to Network Architectures & The Security Tools required, Part 2

Part one in this two part series looked at the evolution of a network architecture and how it affects security. Here we will take a deeper look at the security tools needed to deal with these changes.

The Firewall is not enough

Firewalls in three-tier or leaf and spine designs are not lacking features; this is not the actual problem. They are fully-feature rich. The problem is with the management of Firewall policies that leave the door wide open. This might invite a bad actor to infiltrate the network and laterally move throughout searching to compromise valuable assets on a silver platter.

The central Firewall is often referred to as a “holy cow” as it contains so many unknown configured policies that no one knows what are they used for what. Have you ever heard of the 20-year-old computer that can be pingable but no one knows where it is or has there been any security patches in the last decade? Having a poorly configured Firewall, no matter how feature–rich it is, it poses the exact same threat as a 20-year-old unpatched computer. It is nothing less than a fly in the ointment.

Over the years, the physical Firewall will have had many different security administrators. The security professionals leave jobs every couple of years. And each year the number of configured policies on the Firewall increase. When the security administrator leaves his or her post, the Firewall policy stays configured but is often undocumented. Yet the rule may not even be active anymore. Therefore, we are left with central security devices with thousands of rules that no one fully understands but are still parked like dead wood.

A security administrator will always evade editing a rule he or she did not implement or a rule that is not backed up with solid “remarks” and accurate documentation. Do majority networks operate with fully documentable security policies? Not enough and this is a reality. It’s not a myth, the holy cow will continue to exist and we need to be armed with efficient security tools right at the web server application layer.

You pay oodles for the Firewall features set but you can only think you are secure. However, unknowingly you are not secure and have opened the gateway for the intruders to snake-in. The traditional physical Firewall with the most advanced features can have an old policy rule that no one might be aware of and one might be afraid to remove. This compromises the security and creates a fissure for the roaches to encroach.

Security Issues with East to West Traffic Flows

Leaf and Spine designs were introduced to support east to west traffic flow. The Layer 3 boundaries are properly designed and each service can be put into a module, known as a POD. This enables massively scalable network designs and the only way to scale a network is to modularize.

All security devices are no longer centrally located and are placed in PODs. POD 1 might group all the application servers, POD 2 contains databases, POD 3 might have all security devices and POD 4 embodies all load balancing nodes. We are able to isolate services into these PODs without increasing latency or degrading security as each node has equidistant (equal) endpoint reachability.

However, this does change security paradigms. You will now have a physical Firewall just doing the basic Layer 4 scrubbing, logically at the network perimeter but now we have mini Firewalls closer to the workloads. The security paradigm change causes team collaboration challenges. If you are ok with security paradigm changes and your team collaboration is fined tuned, then a leaf and spine and security POD architecture is a solid design choice. Traffic does not need to be filtered by a central holy cow Firewall.

The fact that triggers challenges is that to support east to west traffic patterns, not everyone can design and build and solid leaf and spine network architecture. To support the birth of east to west, you may have to stick with the traditional 3 tiered model with the incompetent central Firewall. Traffic that must stay within the network (known as east to west) has to either go up to the central Firewall for inspection which causes traffic trombones, increasing latency and degrading application performance.

Or simply, and more commonly, east to west traffic goes completely unfiltered and is not inspected by any security appliance. This is the reality, which is why beacheading; the art of an attacker moving laterally throughout the network, becomes like shooting fish in a barrel as it goes untraceable when east to west traffic is not inspected.

Data Exfiltration – Lateral Movements

Once the bad actor is inside the network and east to west traffic is not inspected, they can move laterally without any trace. A skilled attacker will know the traditional security defense mechanisms and will move silently around untraceable, hopping from one section of the network to another. To an attacker, launching an attack becomes as easy as stealing a candy from a baby. Once inside they can do anything, such as data exfiltration.

Many different techniques can be used to exfiltrate the data such as Domain Name System (DNS) tunneling, Internet Control Message Protocol (ICMP) or even more recently; the Twitter Accounts. The bad actor can encode the information into DNS or ICMP packets to extract the data to an external location. This is nothing less than allowing a bull in a China shop, which can result in enormous damage.

This often goes unnoticed by the traditional Firewall or IPS device and DNS or ICMP are not checked thoroughly as they are not used as a data transfer mechanism. Protocols such as NetFlow can weed out this type of traffic pattern and send alerts once an anomaly is detected outside the normal baseline. However, only a small number of I.T departments use NetFlow with this type of sophistication.

The Resolution?

One way to combat lateral movements in the network is by employing another human called a cyber hunter. A cyber hunter is more of a network cowboy.

With the expertise of separating wheat from the chaff, cyber hunters take on an entirely new approach to security. They fine-tooth-comb the network and search through all its dark network corners in an attempt to catch a bad actor that has gone unnoticed due to the unfiltering of the traffic.

The value of a group of cyber hunters is priceless and they are a valuable company asset. However, only certain types of I.T departments have them. They are a rare and pricey resource to have. With such a heavy price tag, it may be better to be girded with security products that are designed to scan and detect vulnerabilities or anything related to web applications.

Web Server & Applications are Designed Differently

Web servers are designed differently than most other server. For example, web servers are not like an FTP server. A FTP has configuration options but it doesn’t have the moving parts that a web server and its application can have. The configuration options for FTP server are limited, while a web application has a vast amount of configurations. For example, there are many different ways to configure the interaction between the web application and the database servers.

Each web application can be designed differently that also lays upon the infrastructure that is too designed differently. Web servers and web application are more complicated than any other protocol. It is compounded by the fact that the web application security level is left to the hands of the developer which can be secured by individual preference. How secure the web application is, depends on the developer’s configuration. The security of the web server is left to the faith of the gods.

How Acunetix can Secure your Web Applications

There are certain types of traffic that a Firewall cannot block such as Internet Control Message Protocol (ICMP), Simple Mail Transfer Protocol (SMTP), DNS and Hypertext Transfer Protocol ( HTTP). As a matter of policy, a Firewall cannot block HTTP/HTTPS traffic as it forms the foundation of many company services. Although this traffic can be monitored by Firewalls to an extent but it can never be blocked as it is required by the organisation. These holes need to be covered up somehow.

Acunetix security tools have two prime tasks. Firstly, they can identify all the links, including application programming interface (API) endpoints, inputs and forms that exist on the site. Secondly, they will litmus-test different types of vulnerabilities, over 3000 vulnerabilities at the drop of the hat.

Any issues you have on your website should be detected by you first rather than someone who has malicious intentions and detects them before you do.

Summary

Many of the Internet widely used protocols have not been upgraded, for example, ICMP and SMTP are more or less the same since inception. On the other hand HTTP has been remodeling since the exception of the Internet.

Initially, it started with text files, then to Hypertext Markup Language (HTML) and JAVAscript. Now, we have a range of new API with different frameworks. New frameworks add new values and features but on the other hand add to the complexity as well.

We have a long history of changes to network architectures, compounded by the changes in web protocols that corner your security teams if they are not armed with appropriate security tools.

---