Security Proximity, Distance and Complexity
08/03/15 Category: Security
Here's a simple approach to security to consider: Keep your crown jewels close and your public data far away.
It may seem like a simple concept, but it works as a general guideline.
For instance, let's say you have a website that presents only public information and doesn't access any back end systems or databases. Do NOT house that on-site. Keep it far away. That's a great use of the cloud. Help protect it from DDoS attacks by using additional cloud services. Simple and effective. The idea is that there is no possibility of those public systems being used to breach internal systems: they are no different from any other system out on the internet.
Some people do self-host, put those web servers in their internal network, punch a hole to allow web traffic (HTTP and HTTPS, ports 80 and 443, perhaps ping too) through to the web server, and think it's just fine. WRONG, very, very wrong… If that web server sits in the internal corporate network and has even just ONE exploitable vulnerability, even in its handling of ping, then it's a breeze to skip on over to any other system on the same network and then jump elsewhere. It's a simple leapfrog attack. Do NOT assume that the firewall will secure the other systems; it will NOT protect them from an attack that now originates from your web server. This applies equally to mail servers, FTP servers, SharePoint, RAS servers, and the list goes on. Do not put publicly accessible servers in the internal network.
Alright, so let's say you've gone the extra single mile of creating a DMZ to separate the public servers from internal resources. Great, but what else is in the DMZ? Are there ANY rules from the DMZ to the internal trusted network? There should not be… What about an AD rule, a backup rule, etc.? After many reviews we continue to find problems with firewall rules granting temporary or long-forgotten access from the DMZ to internal trusted networks.
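A ruleset review of the kind just described, as an added example that is not from the original post: it flags every allow rule that could carry DMZ-sourced traffic into the internal zone, including rules whose destination is "any". The zone ranges and the sample rules are constructed for the example; rule ordering is ignored, so every hit is a candidate for review rather than a confirmed hole.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Zone layout is assumed for this example (documentation and private ranges), not from the post.
ZONES = {
    "DMZ": [ipaddress.ip_network("203.0.113.0/24")],
    "INTERNAL": [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")],
}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source CIDR ("0.0.0.0/0" for any)
    dst: str      # destination CIDR ("0.0.0.0/0" for any)
    port: str     # destination port, or "any"
    action: str   # "allow" or "deny"

def touches(cidr: str, zone: str) -> bool:
    """True if the CIDR overlaps any network of the zone, so an 'any' range counts."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.overlaps(z) for z in ZONES[zone])

def dmz_to_internal(rules: List[Rule]) -> List[str]:
    """Names of allow rules that could carry DMZ-originated traffic into INTERNAL.
    Ordering is ignored on purpose: each such allow is something to justify or remove."""
    return [r.name for r in rules
            if r.action == "allow" and touches(r.src, "DMZ") and touches(r.dst, "INTERNAL")]

# Constructed sample ruleset, modelled on the "AD rule, backup rule" cases in the post.
SAMPLE_RULES = [
    Rule("web-in",       "0.0.0.0/0",       "203.0.113.10/32", "443",   "allow"),
    Rule("dmz-ad-tmp",   "203.0.113.0/24",  "10.1.0.5/32",     "389",   "allow"),
    Rule("dmz-backup",   "203.0.113.20/32", "10.2.0.0/16",     "10000", "allow"),
    Rule("dmz-smtp-out", "203.0.113.25/32", "0.0.0.0/0",       "25",    "allow"),
    Rule("dmz-deny-all", "203.0.113.0/24",  "10.0.0.0/8",      "any",   "deny"),
]

if __name__ == "__main__":
    for name in dmz_to_internal(SAMPLE_RULES):
        print("review:", name)
```

Note that "dmz-smtp-out" is flagged even though it was written as outbound mail: a destination of "any" includes the internal ranges, which is exactly how forgotten access creeps in.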
Here's another thought: use multiple DMZs. Don't intermingle RAS, email and FTP servers. Segments are cheap, and firewalls have lots of ports; this isn't the challenge it once was. Add some more complexity in terms of different password domains, and use different authentication servers for different parts of the network. Basically, add complexity: you want multiple borders and, sometimes, multiple credential challenges.