This blog is a continuation of our blog series on the CIS Critical Controls.
Key Principle: Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.
What Is It?
Boundary defense is control 12 of the CIS Critical Controls and is part of the network family. There are ten subsections to this control that cover your DMZ, firewalls and proxies, IDS/IPS, NetFlow, and remote access.
Boundary defense is typically an organization’s first line of protection against outside threats. Today, many attackers focus on exploiting systems that they can reach across the internet; they are constantly probing perimeters for vulnerabilities and information needed to build their attack plan.
Your boundary defense strategy should not just be about keeping the attackers out, but also keeping sensitive information in. I am going to take you through how you can strengthen your perimeter and police the traffic flowing into and out of your network by implementing a comprehensive boundary defense strategy.
How to Implement CIS Control 12
Segment Network and Control Flow
The key to boundary defense is a multi-layered approach focused on efficiently segmenting your networks and controlling the flow of your data. Network segmentation can be strengthened by the use of firewalls and proxies.
A DMZ should be setup between your internal network and the internet. To minimize the impact of an attacker pivoting between systems, configure your DMZ systems to communicate with the internal network via application layer proxies. Configure outbound proxies to filter malicious websites from being visited by end-users. Apply blacklists to block traffic to known malicious IPs, or whitelists to ban access to everything not needed for approved business purposes. There is much debate on blacklisting vs. whitelisting – which is better? Blacklists are restricted to known variables (IP addresses, documented malware, viruses, etc). Blacklisting is simpler to implement, because it blocks the known bad and allows everything else. Blacklists can be automatically updated via scripting. Whitelisting, on the other hand, is fundamentally a better security solution, but it is also an exhaustive process that takes more time, tuning, and resources to monitor and update. Whitelisting can help block things like 0day threats, as these are not known.
Proxies should support the decryption of network traffic and logging of individual TCP sessions to ensure sensitive information is not being exfiltrated out of your network. At your firewall, block all outbound traffic except approved business applications you wish to permit. DO NOT Configure your firewall’s outbound services to allow ANY. It is important that ALL inbound AND outbound traffic is filtered and monitored.
Network-based Intrusion Detection and Intrusion Prevention tools are a great addition to your defense-in-depth strategy. A network-based Intrusion Detection System (IDS) should be setup to alert on attacks. IDSes sniff the traffic flowing through your network in what is called “out-of-band” or “promiscuous mode”. In promiscuous mode, the IDS receives a copy of the packets instead of sitting inline on the network. IDSes use signature-based detection to alert on potentially dangerous or malicious activity and are very helpful in providing visibility into the traffic flowing through your environment.
Where should you place IDS sensors? Consider asking yourself these three questions: What is my risk? What am I trying to monitor and protect? How does the traffic flow in my environment? Major areas include just inside the firewall, on servers at the DMZ, between business partner networks, between untrusted networks (remote access), at wireless access points and between different internal groups/VLANs inside the network.
A network-based Intrusion Prevention System (IPS) should be deployed to complement your IDS. Where IDS devices are “listen-only” passive solutions, an IPS actively defends and blocks unwanted or malicious communications from getting in. IPSes are typically placed “in-line” with your network. In-line mode positions the IPS in the packet flow and allows for real-time responses to stop attacks/violations. IPS devices can drop malicious packets, block traffic based on source address and reset connections. IPS solutions detect attacks based on signatures and anomaly-based behavior. IPSes typically sit directly behind the firewall. The main reason to have an IPS is to block known attacks and control traffic flow on your network.
To be effective, IDS/IPS devices must be tuned and monitored. As mentioned, finely tuned IDS/IPS systems will be a great addition to your defense-in-depth strategy. However, a poorly set-up IDS/IPS will be noisy and may be disruptive to users or degrade network performance. Some open source IDS solutions we recommend are Snort, Suricata, and BroIDS. Most commercial firewall tools offer a network-based IPS.
Collect, Analyze, Monitor
Tying in to CIS Control 6, logs from your firewalls, IPS/IDS, and DMZ should flow through your SIEM solution for correlation, monitoring, and analysis. At the DMZ, full packet headers of traffic flowing through the network border should be recorded, and NetFlow collection and analysis tools should be deployed. There are many uses of NetFlow including monitoring network bandwidth and traffic patterns, monitoring which applications and protocols are using the most bandwidth, detecting Denial-of-Service attacks, and so on. NetFlow is ideal for monitoring communication behaviors over time and detecting attacks without signatures.
Important things to look for when monitoring and analyzing logs from boundary defense tools include:
- Back-channel connections
- Unusually long TCP connections
- Unusual SSH activity
- Unusual RDP activity
- Connections to undefined ports
- Large transmissions over UDP
- Unauthorized VPN connections
- Network sweeps
- Systems interacting with known botnets or bad IPs
- Other network behavior anomalies
Remote Access Control
Another subsection of Boundary Defense is remote access. Remote access to the organization’s internal network should also be monitored and tracked. Devices configured for remote access to the internal network should be managed by the enterprise. When connecting to the internal network, the security profile (configuration policies) should be scanned to ensure security configurations and patch levels are up to date.
Additionally, all access allowing users to remotely log in to the internal network should require two-factor authentication. According to the 2017, Verizon Data Breach Report, 81% of security breaches involve weak or stolen credentials, which highlights why authentication is often the weak link in the security defenses of organizations. There are a number of security vendors offering Access Management and Multi-Factor Authentication solutions.
- SANS Whitepaper: Infrastructure Security Architecture for Effective Security Monitoring
- Read more on how to implement the rest of the CIS Critical Security Controls set here: https://blog.rapid7.com/2017/04/19/the-cis-critical-security-controls-series/