Network consulting and deployment engineer at Purple Magpie by day, but when the time comes – instructor of Extreme Networks certified courses. Tomek Sroczynski, one of our Extreme Heroes, talks about opportunities and threats for modern networks.
Let’s start safe – with security, since this is what you do every day. Is full network protection possible at all?
Full network protection is not possible now and I think that it’s never going to be. ICT systems (understood as the network, computers, servers, databases, applications etc.) are too complex a stack of hardware and software. Simply imagine some super-efficient and expensive software, based on machine learning, for penetration testing of a given box or application before its market release. Even if technological progress lets us avoid the emergence of any “leaks” in all blocks, people and the unreliability of human thinking processes are still at the top of the stack. This results either from the wider spread of information or from attacks based on social engineering. For instance, phishing, resulting in distribution of ransomware or interception of bank account data, and recently also wiperware, is an increasingly frequent method for paving the “career” path among e-criminals. As a species, we are evolving much more slowly than the technology which we create. Therefore, some things are going to stay – on the scale of generations, centuries or even subsequent millennia – unchanged. You might even be tempted to reflect whether removing people from this jigsaw is possible and desirable, and whether transhumanism is the right direction for the development of our silo for example but, in my opinion, it’s a waste of time. 😉 We live here and now. Our businesses and our private lives are threatened by numerous traps in technology here and now.
Are systems ahead of problems or only respond to them? Do they prevent or cure?
I think that, contrary to interpersonal relations, prevention and anticipation of problems is possible and desirable as a direction of development. In the end, nobody connects their corporate network to the Internet without any firewall filter, assuming that only in case of attack will they look for its source and chase the evildoers. Their business may completely lose its rationale in the meantime. And so – it is possible to prevent the underlying threats and anticipate problems. I was very happy to see that there is a class of software for protecting endpoint devices (computers) which does not look at the signatures of known threats but detects and blocks the exploitation techniques. However, their increase is much smaller than the increase of every single programme making use of a given vulnerability. We can see detection of an action here at a stage when nothing has happened yet. Plenty of mechanisms focus on prevention if they are implemented properly. However, it is more difficult to act preventively in the case of APT attacks, for instance. So the existence of SOCs, constantly monitoring what is happening in the network and reacting when necessary, seems really justified. It’s good to remember one thing – we can have a whole bunch of software and hardware existing on the market for securing the network and connected components, but their suboptimal configuration and/or social engineering is enough to put us in a situation when we need to explain why we have purchased equipment that has not protected us…
According to you, what elements should form a textbook network protection system in organisations?
In my opinion, a firewall to protect the network against external threats, a network access control system protecting against internal threats (network edge, virtualised environments) and a privileged access control system to prevent abuse of privileges by IT staff or anyone impersonating them should be an absolute minimum. Of course, appropriate methodology in infrastructure design is essential. In bigger networks, it will definitely be justified to place some traffic in a DMZ and pass it through additional filtering systems, and to invest in SIEM-type systems, allowing for spotting any subtle signs of potential security incidents. I would consider an IPS-class system as the icing on the cake because of the expense and the complexity of implementation.
So it is probably worth considering both the technologies and also the aforementioned… human factor?
In the ecosystem of a secure network, we can’t do without a proper approach to the human factor, indeed. So I think that a transition to authenticated access is a must. The mechanism popularly called 802.1X is going to work well here – preferably using certificates, although domain authentication can do the job too. It’s worth noting that implementation of devices for this model can be troublesome, so it’s good to carry out your own risk analysis and choose more convenience (MAC authentication) or more security. However, please remember that authentication, even 802.1X, is not a universal remedy for everything. Some successful methods of MitM attack on a network based on this authentication model are described (the key: the process of authentication in the network itself – regardless of what the NAC system uses to decide on the assigned access profile, is based on MAC addresses). There are also methods for detecting such attacks, or an approach in terms of procedures and architecture (the design and its physical implementation) which allows for minimisation of the risk of their occurrence. However, better safe than sorry, so I would suggest the “least privilege” approach (in this case and in relation to the multitude of other potential problems) in granting network access to end devices, such as computers, cameras, access points, telephones, virtual machines, printers etc.
What does it mean?
By default, we block all network traffic at every access point of our network infrastructure, only allowing the protocols and target resources that are necessary for the organisation’s operation. Do users need the ports on which online games are based? Do they need SMB? Do they need SSH and Telnet? Should they communicate with each other at all at the data link layer or the network layer? Consideration and implementation of such a model will allow for significant narrowing of the range of potential attackers gaining access to the network and performing initial reconnaissance. Similarly, bearing in mind the stories of NotPetya and WannaCry (using a vulnerability patched a few months before!), blocking of unnecessary ports and network segmentation will also reduce the risk of malware propagation using vulnerabilities available on “exotic” ports, and those more well-known yet not necessarily needed on the connected devices. Implementation of the least privilege model was certainly less convenient at the time of access control lists only. Today, we know well that we can do this efficiently using elements from Extreme’s portfolio. I mean XMC and the Policy mechanism, along with Extreme Access Control.
Can proper education of users themselves also be the key?
Of course, just like off-network aspects of IT infrastructure security in the organisation. What’s the point of having a well-secured network when the employee uses his laptop to connect to a public Wi-Fi in a shopping mall and comes back with a “surprise”, or uses a stranger’s portable storage device? The network should minimise the range of impact of such an incident – so probable now that business laptops are always on the move and companies find it beneficial to offer work-life balance to their employees through the opportunity to work anywhere, anytime.
You probably often hear the question: A firewall or Network Access Control? What is your experience in the context of Extreme solutions?
If someone has to choose only one of these solutions, it should obviously be the firewall – unless the service provider guarantees secure contact with the Internet. But apart from hard choices, both systems complement each other because they serve different purposes. A firewall will filter everything that is entering our network (e.g. botnets, attempts to establish an RDP session to the domain controller, large amounts of YouTube videos and traffic from torrents etc.) and what comes out of it (e.g. P2P services, network games, cloud storage, botnets ( ͡° ͜ʖ ͡°) ). As a principle, it does not affect what is happening between the users and devices in the network. At one time, I discussed a NAC-class system in network infrastructures in schools at all levels of education. Because what will be the consequences (adding the GDPR to this now) when a student peeks at their teacher’s login details or obtains them some other way and then gets access to the e-diary to improve their grade average? The example is trivial but shows that bots, spies and petty “e-thieves” from distant countries are not the only ones who can target our network. The threat can also come from the inside. It doesn’t even need to be conscious and voluntary. Just like in the aforementioned WannaCry.
Is the need of traffic authentication and filtering, also in the network access layer, a strong argument for dividing infrastructure into VLANs?
Sure, even more than one per department, even in a small company. Is there a point in letting the computers of accountants communicate directly with each other? Previous possibilities in this area were pretty interesting. For instance, in the first generation of Extreme switches with the EXOS system, the authentication server, along with the decision to admit the device to the network, could send the name of a script to be called on the switch. So, theoretically, you could do anything – e.g. assign the VLAN, QoS and ACL to the port for the period of the authentication session. This approach, however, required the development of access control lists and scripts, and their propagation to all edge switches each time. It was also crucial to remember about it in the case of any modification of the script or ACL. A few years ago, following the acquisition of Enterasys, Extreme Networks worked intensely on implementing the acquired Policy model in purple silicon. It was successful and, in my opinion, the outcomes of integration of both solutions form a strong added value to the switching itself. Implementation of the security model based on Extreme Policy consists in defining the unique roles of devices and users in the organisation, and then determining the protocols and resources that are to be available to each of them. Everything is based on “clicking” in the graphical interface of the Extreme Management Center, which is much nicer and less prone to mistakes than writing ACLs and scripts. Another advantage is the simultaneous propagation of the entire policy domain to all assigned network devices, so synchronisation and updates are not a challenge and don’t take much time. Finally, policies in Extreme devices, depending on the device family, have many more easily implemented functions, e.g. redirecting specific packets to another VLAN, generating a syslog or SNMP trap message, mirroring packets, disabling the port or quarantine! And so we come to the point here.
Extreme Access Control, among the basic pillars of its operation, enables enforcing these policies and assigning a specific type of access on a given port or for a given device in our Wi-Fi network in a dynamic way. We don’t need a rigid plan for assigning ports on switches, configuring VLANs and ACLs, and we don’t need to create separate WLANs for each group in the organisation. The policy can also be different for the same person (the role in the policy domain) depending on the type of device or the place of connection to the network. Also, I really like the fact that it’s relatively easy to use Extreme Access Control in networks based on devices from other manufacturers.