Nicholas Schmidt

Nicholas Schmidt

Dad, CTO, and lover of all things 1's and 0's.

Closed Network != Security

4 minute read

To this day I am flabbergasted by the assertion that because your network is not connected to the big “I” Internet you can practice lax security. Countless places I have walked in the door to find unencrypted email traffic, no antivirus, and zero firewalls. Like the Masons of the middle ages they draw the boundary around the castle/network and assume they are safe. As architects and security professionals it is up to us to remind the Castle Builders that the threat of today is not warded off with simple walls of rock…

  1. Unencrypted Emails – As I have shown in past posts it is possible to encrypt emails with your mobile phone, but in today’s world I still find IT and InfoSec companies unable to send encrypted mail. They freely pass contract negotiations and proprietary data among organizations with nothing more than worthless clause on the end of their signature block. It is seemingly worse in the closed-network space as companies believe that since the network is closed their susceptibility to such attacks are not an issue. I took the following packet capture using tcpdump and SMTP. If you click the link and squint your eyes a little bit (it isn’t a magic eye poster..sorry) you will see my Top Secret Message woven between the packets. This is the raw form, but other tools can simply parse out entire messages and then save them into a folder for later reading. This was in my lab before you get too excited to hit my domain: SMTP Capture In many cases if you are using Exchange it is simply a matter of enabling encrypted RPC between Outlook and Exchange. This will help cut down some of the MiTM attack vectors. Some possible solutions:
    1. Pretty Good Privacy
    2. GNU Privacy Guard -Free
    3. S/MIME if you are using AD Certificates – Free
    4. Enable Encrypted RPC from Outlook to Exchange – Free
  2. Antivirus/Malware/Patch Installs – The best part about a closed network for a pen-tester is knowing that all the patch levels will be way behind and the virus definitions either missing or the ones that came with the machine. The reason isn’t that administrators don’t want to update, but rather the policies needed to execute do not allow. The CONOPS should be the first thing you create before closing a network to the outside world, not the last. Ask yourself “Can I safely sneaker-net or otherwise download updates and virus definitions daily/weekly and distribute them to my machines?” If not then maybe you should keep the network on your main infrastructure. In security theater the mere act of closing a network off provides us a sense of comfort. In security reality it should scare you more than before. If you are moving a network to a closed enclave without patching, AV, or auditing I would argue you should just keep it on your enterprise architecture. The products below allow for offline sneaker-net transfer via USB drives or DVD-R.
    1. WSUS for Windows Patching – Free
    2. Monthly ISO of Microsoft Patches – Free
    3. YUM/APT Linux – Free
    4. McAfee EPO
    5. Symantec AMS
  3. Firewalls – But firewalls are to protect me from the internet?!?! No Firewalls are to control your boundaries. Why do we make the general assumption that the secretary needs access to the Citrix Farm? Why does the desktop user need access to the Tape Backup System? Why do you trust your users? John Donne had it incorrect in that “No Man is an Island.” We should strive to place every user on their own little island or at least small continent. In the Federal space there is the mantra of “Need to Know.” Do your users have any need to know where your admin servers are? What the DFS root is? etc? If you plan your enclaves from the initial design you can rely on central tools and policies to enforce what could end up a logistics nightmare. The pay-off being that even if your user’s machine is compromised they can only access those limited resources that you have allowed. Just make sure your admin workstations are locked in a vault :)

The days of hiding behind our moats and castle walls are over. As countless news articles and break-ins have shown us this past year we must treat everything as a threat. The kid sitting in his parents basement waiting to hack your extranet is not the commonplace it once was. In today’s world the hacker is the employee you just passed up for a raise, the employee you had to let go, or the VP soon to retire with some secrets. The things listed above are not difficult to install or create for your own networks. It is these first small steps that keep you off CNN or the SEC’s RADAR.

Update:

After posting this article on Reddit, I received some great feedback from vME2NRYup5 I should have made it more clear that this discussion centers around non-routable networks. These are not the machines that allow you to access google.com, but rather those that are segmented off for protection of the data. In addition the networks in question should ALWAYS be evaluated by their risk. In NIST 800-30 and DCID6/3 we focus on the CIA-Triad for protecting the data. It may be that your segmented networks are deemed low-risk and the practices above are not needed. If you are segmenting the network for security reasons though, you most certainly do need to evaluate the above against your own baseline.

Updated: