Subnetting != Segmentation
Here at LMG Security, we do a lot of pentesting. I have performed penetration tests on organizations of all sizes, including Fortune 500 companies.
“Black box” testing tends to be the preferred methodology of most clients. In this type of testing, the pentester goes in completely (or almost completely) uninformed. Occasionally, clients will provide the pentester with a list of subnets to define, or limit, the scope of testing. This may be done for a multitude of reasons including (but not limited to) preventing testing of fragile systems, limiting testing to non-production systems, or limiting testing to only a sampling of systems for budgetary reasons. Partially-informed testing is referred to as “grey box” testing. One issue that I see again and again, regardless of methodology, is a lack of true network segmentation.
When conducting a pentest, I always start with reconnaissance, which includes network discovery and port scanning using Nmap (https://nmap.org/). I then provide the output of these scans to the client for final approval, prior to performing any actual exploitation.
Unfortunately, it is common to get scan results back with open ports popping up throughout the full port range (see accompanying figure). Finding open ports in the registered and dynamic ranges is a telltale sign that a network is not adequately segmented. In a truly segmented network, I would only expect to see these types of results on the local network segment that my scanning box is attached to – before the traffic traverses a networking device, which leads me to ask the question, “Is your network segmented?”
A response that I have received too many times is, “Yes, we have everything subnetted.” I cringe when I hear this, because subnetting is simply the practice of logically dividing up a network using IP addresses and subnet masks. I am not going to dive into the specifics of how subnetting works or how to perform IP subnet calculations. Just know that subnetting is logical network division through addressing. Subnetting alone DOES NOT equal segmentation.
Network segmentation is the practice of dividing a network into individual network segments, generally through the use of Virtual Local Area Networks (VLANs). VLANs allow for geographically-dispersed systems to communicate with each other, as if they were connected to the same local network segment. VLANs also allow administrators to group systems by function (i.e.: file servers) or by “security zone,” such as those handling Payment Card Information (PCI) or electronic Protected Health Information (ePHI). This grouping is done at Layer 2 (the Data Link layer), which is the same layer at which switches operate, and is accomplished through 802.1Q tagging.
This is where I believe many organizations often stop with network segmentation. They get everything addressed, divided up, and traffic flowing between the segments – then they call it good, because “Hey, everything’s working!” However, for network segmentation to provide realistic security benefits, traffic should be filtered between segments. This means that from a conference room network port, I shouldn’t be able to reach the Microsoft SQL service running on TCP port 1433 of your production database server.
Traffic filtering should come down to a default “deny all” statement, where no traffic is permitted, unless a specific rule exists to allow that type of traffic. Network segmentation will help in facilitating effective network monitoring practices. One example is monitoring traffic between security zones; particularly traffic from a lower-trust security zone (i.e.: a normal employee-access network segment) to a higher-trust security zone (i.e.: a cardholder data environment or “CDE,” which involves credit card information). Another example is traffic from a high-trust security zone destined for the Internet, which could be a sign of sensitive data being exfiltrated
Network segmentation and the use of filtering add additional complexity to network administration. Speaking from experience, it is paramount that accurate and up-to-date documentation exists. Inadequate documentation will cause headaches down the road and will inevitably lead to certain levels of reverse-engineering, which administrators rarely have time for when troubleshooting network issues.
From a pentester’s perspective, we can only test what we can access. Effective network segmentation limits an organization’s internal attack surface by reducing the number of accessible systems and/or services. This could be key in preventing an attacker, malicious insider, or malware from compromising systems on the network.
Mitigate risks, counter threats, make nothing happen.
If you have any questions or comments about what you can do to strengthen your layered security approach, feel free to contact us at [email protected].