Mythbusting Network Security Architecture Best Practices

Yan Aksenfeld
June 25, 2020

Given the cyberattack surface area presented by networks, it’s little surprise that network security professionals try to adhere to network security architecture best practices. A network must have security embedded in its very design. However, while best practices like network segmentation and device hardening are wise and worth pursuing, they are becoming increasingly deficient. This article examines the strengths of network security architecture best practices while offering insights into how to remediate their emerging problems.

What is network security architecture?

Network security architecture borrows its metaphor from physical architecture. Just as a building needs a blueprint for its foundation, framing, walls and so forth, so too does a network need a design that allows for proper functioning and strong security. And, in the same way that a building’s architect places fire exits in his or her design, a network security architect designs security features into the structure of the network.

In practice, network security architecture is the end result of a systematic thought process. The architect thinks through the network’s security needs. He or she then designs in the various systems, processes and tools that will mitigate cyber risks. These elements of network security architecture might include firewalls, access control lists, monitoring software, intrusion detection systems and so forth. The network topology itself—where the network goes, who has access to it, and for what purpose—is also part of network security architecture.

What is the purpose of security architecture?

Network security design is intended to make the business of security easier and more effective. The goal is to design security countermeasures into the network, rather than have to rely on last-minute fixes to vulnerabilities. It’s like designing a fire escape into a building so people don’t have to run around looking for an escape ladder if there’s a fire.

For example, a consistent firewall policy provides a basic defense against intrusion. It’s present at all points of entry into the network. The policy is an architectural element. That doesn’t make it flawless, but its very existence and presumed enforcement adds to the baseline of security for the network.

How do you build a security architecture?

One does not have to invent a security architecture design from scratch. Rather, network security architects have their pick of frameworks. These frameworks provide a way to think through network security issues and organize the resulting architectural elements in a coherent and practical way.

The Sherwood Applied Business Security Architecture (SABSA) framework offers a good example. It consists of a matrix with two axes. The “X” axis asks the “five Ws” (who/what/when/where/why) and the “How” of network security architecture. The “Y” axis covers the context, concept, logical, physical, component and operational layers of the architecture.

SABSA requires the architect to answer questions like “What are we protecting, and why? How will we do it? Who will do it? Where will the work take place? When will it take place?” Then, for each answer, there will be six different sub-answers, dealing with the operational, the physical, the logical and so forth. A thorough working out of the SABSA framework will yield the essential elements of the network security architecture.

The Value of Network Security Architecture Best Practices

Network security architects realize their ideas through a combination of frameworks and best practices. In some cases, best practices and frameworks overlap. The following are some of the most commonly followed best practices.

  • Segment the network—Also known as network security segmentation, this practice involves creating privileged areas of the network for sensitive digital assets and administrative controls.
  • Build a secure network topology—The network topology comprises the physical and logical makeup of the network. Physically, network topology refers to where people are located and the correlated placement of network hardware. The logical aspects of network topology deal with access controls and rules for network segmentation.
  • Create and enforce Access Control Lists (ACLs)—An ACL is a database of users that determines who is allowed into each segment of the network. They are often supplemented by virtual routing rules that protect the network from malicious traffic.
  • Adopt Privileged Access Management (PAM)—PAM solutions create special controls to manage privileged users, the people who can set up or reconfigure the network.
  • Harden the network—In this context, hardening means removing possible entry points such as unused or neglected servers from the network. These might include networked printers, which are just servers hooked up to printing devices. This is sometimes known as endpoint architecture.
  • Deploy management Virtual Local Area Networks (VLANs)—These create separation between network users by grouping them into virtual local networks. It’s a virtualized form of network segmentation.
  • Lock down devices—This is the partner to network hardening. Devices connected to the network must be similarly hardened. This includes all patch management, installation of endpoint protection software and the like. It also means establishing rules for “least privilege” and minimum services available on firewalls. These steps reduce the network’s attack surface area.
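Several of the practices above (segmentation, ACLs, management VLANs, "minimum services" on firewalls) come down to one mechanism: a list of rules, evaluated in order, with an implicit deny for anything not explicitly permitted. The following is an added example, not code from the article or from Hysolate, that models such a segmented network in Python. The segment ranges, rule set and sample flows are constructed for illustration; the point it shows is how a default-deny ACL lets only the privileged admin range reach the management VLAN, and only on the one port it needs.

```python
"""Added example (not from the article): a minimal model of network
segmentation enforced by an ordered access control list.

Segments, rules and flows below are constructed. The ACL is evaluated
first-match, with an implicit default deny at the end, which is the
"least privilege / minimum services" posture the best practices call for.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed segments: an ordinary user VLAN, a server VLAN, a management
# VLAN holding switches and firewalls, and a small range for privileged
# admin workstations.
SEGMENTS = {
    "users":      ipaddress.ip_network("10.10.0.0/16"),
    "servers":    ipaddress.ip_network("10.20.0.0/16"),
    "mgmt":       ipaddress.ip_network("10.99.0.0/24"),
    "priv_admin": ipaddress.ip_network("10.50.1.0/28"),
}


@dataclass(frozen=True)
class Rule:
    src: str              # segment name or "any"
    dst: str              # segment name or "any"
    dport: Optional[int]  # None means any destination port
    action: str           # "permit" or "deny"


# Constructed ACL. Order matters: the first matching rule wins.
ACL = [
    Rule("priv_admin", "mgmt", 22, "permit"),   # admins may SSH to network gear
    Rule("users", "servers", 443, "permit"),    # users reach web applications
    Rule("users", "servers", 445, "permit"),    # and file shares
    Rule("any", "mgmt", None, "deny"),          # nothing else touches mgmt
    # an implicit default deny follows the last rule
]


def segment_of(ip: str) -> Optional[str]:
    """Map an address to the name of the segment containing it, if any."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """Return (action, reason) for one flow. Addresses outside every known
    segment, and flows matching no rule, fall through to the default deny."""
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    if src_seg is None or dst_seg is None:
        return "deny", "unclassified address"
    for rule in ACL:
        if rule.src not in ("any", src_seg):
            continue
        if rule.dst not in ("any", dst_seg):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, f"rule {rule}"
    return "deny", "default deny"


if __name__ == "__main__":
    flows = [
        ("10.50.1.5", "10.99.0.10", 22),   # admin workstation -> switch: permitted
        ("10.10.4.7", "10.99.0.10", 22),   # user workstation -> switch: denied
        ("10.10.4.7", "10.20.3.3", 443),   # user -> web server: permitted
        ("10.10.4.7", "10.20.3.3", 3389),  # user -> RDP on server: no rule, denied
    ]
    for src, dst, port in flows:
        action, why = evaluate(src, dst, port)
        print(f"{src} -> {dst}:{port}  {action:6} ({why})")
```

The explicit "deny any to mgmt" rule is redundant with the default deny, but it is the kind of guard rail practitioners keep in real ACLs so that a later, broader permit added to the list cannot silently expose the management segment.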

Deficiencies in the Best Practices

Each of these best practices has been proven over the years. However, they now find themselves weakened by unforeseen deficiencies. These are mostly due to the increasing sophistication of attackers, which makes some of the assumptions that undergirded the practices less reliable. For instance, best practices tend to presume a high level of security for the network user’s device. There can be less certainty about this now, compared to even a few years ago.

The risks arise due to a combination of inherent device insecurity and user behavior. Hackers who use Advanced Persistent Threats (APTs) and other advanced techniques can hijack devices that have access to the most sensitive network segments. Once attackers have compromised endpoints in this way, they can negate the purpose of most network security architecture best practices.

One countermeasure to this risk is to lock the endpoint so it cannot perform any tasks other than logging into the network. This is known as creating a “privileged device.” In many corporations, network administrators and other privileged users are issued a privileged device such as a laptop in addition to their regular corporate machine. They may only log into the network using this privileged device. The device is configured to prohibit the user from performing basic corporate work like checking emails, opening documents or browsing the web. Such activities expose the device to malicious actors and APTs.

The privileged device approach is effective when users adhere to the policy. However, reality tends to intrude on this scenario. People don’t want to lug two laptops around with them everywhere they go. Instead, privileged users may occasionally—or frequently—use a general corporate machine, or even a personal laptop, to access the most restricted network segments. This is very risky. An attacker that has taken up residence in the corporate machine can easily bypass best practices meant to keep them out of the network’s sensitive segments. They’ve obviated device hardening and network topology. They can cross over VLANs, outwit PAM solutions and more.
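The failure mode just described, an admin reaching the management segment from something other than the issued privileged device, is detectable if the gateway in front of that segment logs who connected from where. The following is an added example, not code from the article or from Hysolate, that runs such a check in Python over a few constructed gateway log lines. The log format, host names, user names and device inventory are all constructed; the logic flags logins by registered admins from an unregistered device, and logins by accounts that have no privileged device at all.

```python
"""Added example (not from the article): detecting management-segment access
that bypasses the "privileged device" policy.

Log format, host names and user names below are constructed. The policy
modelled is the one the article describes: admins may reach the management
segment only from the privileged workstation they were issued.
"""
import re
from collections import Counter

# Constructed inventory: the privileged device(s) issued to each admin.
PRIVILEGED_DEVICES = {
    "alice": {"paw-alice"},
    "bob": {"paw-bob"},
}
ADMINS = set(PRIVILEGED_DEVICES)

# Constructed syslog-style lines from a gateway guarding the management
# segment. Fields: timestamp, host, event, user, source hostname, destination.
SAMPLE_LOG = """\
2020-06-25T08:01:12Z mgmt-gw login user=alice src=paw-alice dst=core-sw-01
2020-06-25T08:15:44Z mgmt-gw login user=alice src=corp-lt-alice dst=core-sw-01
2020-06-25T09:02:03Z mgmt-gw login user=bob src=paw-bob dst=fw-edge-02
2020-06-25T09:30:51Z mgmt-gw login user=bob src=home-macbook dst=fw-edge-02
2020-06-25T10:11:09Z mgmt-gw login user=carol src=corp-lt-carol dst=core-sw-01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ login user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def parse(line):
    """Parse one log line into a dict, or return None if it is not a login event."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(event):
    """Return a finding label for one login event, or None if it complies."""
    user, src = event["user"], event["src"]
    if user not in ADMINS:
        # Either a gap in the inventory or an account that should never
        # reach the management segment; both deserve a look.
        return "unregistered_user"
    if src not in PRIVILEGED_DEVICES[user]:
        # The policy failure the article describes: an admin reaching the
        # management segment from a general corporate or personal machine.
        return "non_privileged_device"
    return None


def find_violations(log_text):
    """Return (timestamp, user, source, label) for every non-compliant login."""
    findings = []
    for line in log_text.splitlines():
        event = parse(line)
        if event is None:
            continue
        label = classify(event)
        if label:
            findings.append((event["ts"], event["user"], event["src"], label))
    return findings


def summarize(findings):
    """Count findings per label, as a daily policy-compliance report would."""
    return Counter(label for *_, label in findings)


if __name__ == "__main__":
    violations = find_violations(SAMPLE_LOG)
    for ts, user, src, label in violations:
        print(f"{ts} {user:6} from {src:14} -> {label}")
    print(summarize(violations))
```

On the constructed log this reports alice from her corporate laptop, bob from a personal machine, and carol with no privileged device on file. In practice the source field would be something the gateway can actually trust, such as a device certificate identity, rather than a self-reported hostname, since a compromised corporate machine can claim any name it likes.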

Strengthening Network Security Architecture Best Practices

It is possible to deploy a privileged workstation as part of the network security stack, but to do so in a way that’s reliably effective and aligned with human nature. The practice is known as operating system (OS) sandboxing. OS sandboxing technology runs on bare metal hardware. It sits below the device’s operating system.

A machine running OS sandboxing splits into multiple, local virtual machines (VMs). Each has its own operating system. One can be a general-purpose corporate machine. The other can be extensively hardened, just like a privileged workstation. There is full separation. The end user can switch back and forth, depending on the task at hand.

The corporate machine’s operating system does not “know” that there’s another VM running on the same hardware. If an attacker compromises the corporate VM, he or she cannot cross over and infect the privileged VM. Neither VM is able to access the corporate network directly. Rather, each connects through an invisible network virtualization layer. The sandboxed device applies the best practice of network segmentation on the endpoint. 
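The security property that makes this arrangement work is that segment membership is decided by the layer beneath the VMs, from an identity the hypervisor supplies, never from anything the guest writes into its own frames. The following is an added example, not code from the article, from Hysolate or from any product, that models that layer in Python. VM names, VLAN ids, addresses and the two-VM policy are constructed; it shows that a compromised corporate VM which tries to self-tag into the management VLAN, or to borrow the privileged VM's address, gets its traffic dropped at the host.

```python
"""Added example (not from the article or any vendor's product): a model of
the network virtualization layer that sits beneath two local VMs.

The property shown is that the layer decides segment membership from the
VM's identity, which the hypervisor knows, and treats everything in the
guest's frame as untrusted. VM names, VLAN ids and addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Frame:
    """What a guest hands to its virtual NIC. Every field is guest-controlled."""
    src_ip: str
    dst_ip: str
    claimed_vlan: Optional[int] = None   # a guest may try to tag its own traffic


@dataclass
class VmNetworkPolicy:
    assigned_ip: str
    vlan: int                  # segment the hypervisor places this VM in
    allowed_dst: List[str]     # destination prefixes this VM may reach


# Constructed policy for the article's two VMs: the corporate VM is confined
# to the user/server side, the privileged VM to the management segment.
POLICY: Dict[str, VmNetworkPolicy] = {
    "corp-vm": VmNetworkPolicy("10.10.4.7", 10, ["10.20."]),
    "priv-vm": VmNetworkPolicy("10.50.1.5", 99, ["10.99."]),
}


@dataclass
class VirtualizationLayer:
    policy: Dict[str, VmNetworkPolicy]
    dropped: List[str] = field(default_factory=list)

    def egress(self, vm_id: str, frame: Frame) -> Optional[dict]:
        """Return the frame as it would leave the host, or None if dropped.
        vm_id comes from the hypervisor, not from the guest."""
        p = self.policy.get(vm_id)
        if p is None:
            self.dropped.append(f"{vm_id}: unknown VM")
            return None
        # Anti-spoofing: the guest's source address must be the one assigned.
        if frame.src_ip != p.assigned_ip:
            self.dropped.append(f"{vm_id}: spoofed source {frame.src_ip}")
            return None
        # Destination must lie in a segment this VM is allowed to reach.
        if not any(frame.dst_ip.startswith(prefix) for prefix in p.allowed_dst):
            self.dropped.append(f"{vm_id}: {frame.dst_ip} outside allowed segments")
            return None
        # frame.claimed_vlan is deliberately never read: the layer always
        # applies the VLAN from policy, so a guest cannot pick its segment.
        return {"vlan": p.vlan, "src": frame.src_ip, "dst": frame.dst_ip}


def demo() -> dict:
    """Run four representative frames through the layer and collect results."""
    layer = VirtualizationLayer(POLICY)
    results = {
        # Normal corporate traffic to a server.
        "corp_ok": layer.egress("corp-vm", Frame("10.10.4.7", "10.20.3.3")),
        # Compromised corporate VM tries to self-tag into the management VLAN.
        "corp_tag": layer.egress("corp-vm", Frame("10.10.4.7", "10.99.0.10", claimed_vlan=99)),
        # Same VM tries to borrow the privileged VM's address.
        "corp_spoof": layer.egress("corp-vm", Frame("10.50.1.5", "10.99.0.10")),
        # Privileged VM doing its job.
        "priv_ok": layer.egress("priv-vm", Frame("10.50.1.5", "10.99.0.10")),
    }
    results["dropped"] = list(layer.dropped)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The same checks apply in reverse on ingress, and a real implementation would key on the VM's virtual NIC rather than a string name, but the structure is the one that matters: the guest never gets to assert which segment it belongs to.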

OS sandboxing does not solve every problem related to network security architecture best practices. But, it goes a long way to preserving the efficacy of best practices related to network segmentation, access control, VLANs and the like. Use of the technology is on its way to becoming a best practice in its own right.

Ready to level-up protection without impacting user productivity? Learn how Hysolate enables full OS sandboxing security. Request a demo to learn more.

Yan Aksenfeld

Yan is a Product Manager at Hysolate bringing more than a decade of experience in the software, IT and cyber security industries in both software and customer facing roles. He joined Hysolate in its first year as the first customer facing role as a senior sales engineer. Previously acting as a software engineer and customer success lead in the VMware end user computing business unit, Yan actually began his career in an IDF military intelligence unit where he was an architect and tech lead on large-scale virtualization and IT projects. He holds a BSc degree in Computer Science and an MBA.