Network Access Control: Strengthening Your IT Infrastructure Security
by Wictor Olsson 2023-04-25
Our team routinely conducts offensive engagements and security assessments on the infrastructure of our clients as well as their suppliers. Additionally, we also evaluate the security of network-enabled products and systems that are designed for various industries and markets. Through this experience we have gained valuable insight into common issues that affect a wide range of targets.
A systematic issue - seemingly independently of what we are tasked to analyze - is networking and network-based access control.
This blog post aims to discuss a few statements, from a security perspective, that are probably relatable to organizations employing IT infrastructure either through suppliers or by themselves.
"Bob says our network is a fortress!"
Many of our clients often ask themselves before reaching out to us: "Has our supplier really fulfilled their responsibilities?" It's important to adopt a "healthy paranoia" mindset when it comes to IT security, especially if you've outsourced the maintenance and operations of your IT/OT/PROD environment to a third party. Trust is crucial, but it's also necessary to verify the work being done. Implementing a defense-in-depth strategy will offer a sense of security during those restless nights, especially in the event of an active attack.
"Where does this thing go?"
Whether it's your on-premise IT setup, your MSP/distributed IT, supplier VPN link, VPC, cloud instance, OT network, embedded/on-board system, shiny new Kubernetes cluster, ISP, switch stack, or even your firewall, the common issue that they all share is the likelihood of suffering from misconfigured network access control.
For example, your switches are probably exposing management interfaces, maybe even running SNMP with a default community name of "public". Possibly, the network enabled product you are shipping has a firewall with inadequate forwarding and input rules.
Networks which are not supposed to be connected often are; we often end up in strange places during an engagement while performing network archaeology. No fancy exploits or attacks required, just persistence and a little bit of know-how is needed to draw the map. Once the attacker knows your infrastructure better than you (or your supplier) things usually get interesting.
Client computers on the same network rarely need to talk directly with each other. Nor do they need to talk to that production database server where Bob put your backups in a publicly readable fileshare. A strict host-based firewall might save you from an attacker jumping through your client laptops dumping credentials using the same services that your admins regularly use.
"The cloud will save us!"
One might think that things would be different using the cloud or cloud-centric services. In some sense there's an improvement but generally when we're performing audits on cloud deployments we frequently find issues related to network access control which often result in exposing internal services directly on, you guessed it, the internet.
The traditional "internal" network perimeter is steadily disappearing through integration/dependance of cloud-based services creating hybrid environments where in some cases an entire company might have outsourced all its services and infrastructure, extending the potential attack surface and impact of not restricting and monitoring user resources.
"We'll see them coming from far away!"
Network monitoring is rarely implemented properly. Would your EDR/magic-box be able to detect if your switches and network infrastructure get compromised? What if an attacker starts to tunnel into your network through your own internal switches/routers?
Misconfigured traffic flows can result in both access control issues and lacking insight into the packets being flung through your network. Good thing you bought that expensive next-gen firewall, too bad you don't actually send traffic through it nor do you send the alerts anywhere 😕.
"I reconfigured the VPC so now we have a k8s cluster on the internet!"
Rogue IT is a common issue in where your users are starting to act as their own IT department, more of a rule than an exception in development organizations. No policing of this will inevitably result in an ever expanding attack surface; coupled with nonexistent monitoring it's bound to become a so called "target rich" environment. It's common that this kind of activity affects networking where people plug in "things" or reconfigure access control to their current needs.
The previously mentioned issues can be summarized into the short but non-trivial list of misconfigured or insufficent:
- Network access control
- Asset inventory/control
- Logical resource restriction
Help! What do I do?
Isolating computers/resources/assets/services from each other on a network level is often an effective way to reduce attack surface and making it harder for an attacker to move laterally through your environment (usually with the goal of escalating privileges or accessing resources). This, in turn, will aid any efforts of trying to detect an attacker moving about.
Consider the following questions:
- Protecting assets which you don't know you have is hard, where's your inventory?
- What is required and who/what should access it?
- Where are you sending your traffic? Can you see it?
- Forwarding/routing is a thing; maybe your switch/server/device actually is a router?
Additionally, these principles and strategies will help strenghten the security posture of your IT infrastructure:
- Restrict egress traffic
- Remove unused assets
- Trust, but verify (healthy paranoia)
- Defense in depth
- Principle of least privilege
Performing continuous asset inventory and segmenting your network-based on device types and business functions with access control rules that only allow relevant traffic to flow between each network or device might sound obvious. However, the reality is often more complicated, as maintaining a network of any kind requires much planning and a lot of work.
We hope this blog post has provided valuable insight into improving your IT infrastructure security. If you have any questions or need assistance in assessing the security of your on-premise or cloud-based infrastructure, please don't hesitate to contact us. Our team of experts is ready to help you navigate the complex world of securing network infrastructure and assure your organization's security. For more information check out our services and our areas of expertise.