So why is it that most organizations struggle when it comes to defining, implementing and enforcing effective network segmentation?
In this webcast, AlgoSec and expert penetration tester Mark Wolfgang examine common segmentation mistakes and review best practices for defining and enforcing effective network segmentation.
hello everyone and welcome to the alga SEC webcast on segmenting your network for security the good the bad and the ugly segmenting your network is one of the foundations of the sound securities that strategy but very few organizations get it right today we are going to uncover some common segmentation mistakes and provide actionable insight to define an enforce effective network segmentation my name is Joanne Godfrey and with me today are mark wolfgang president at shore break security and expert penetration tester and nimmy Reichenberg VP of strategy at alga sec gentlemen thanks for joining us today before we get started I'd like to run through a couple of housekeeping items if you have any questions please submit them through the Q&A box in the GoToWebinar panel we will try to answer as many questions as we can during the hour but any that we cannot respond to on this call we will follow up with you afterwards via email additionally we are recording this session and it will be made available to you after the event so let's get started Nimmi would you like to kick off yes thank you Joanne thank you everybody for joining us at admit that the response for this webinar pleasantly surprised us it's obviously a very pertinent topic that's on everybody's plate I also want to thank Mark for joining us thank you and as you know the topic today is segmentation which is I think a very important topic and one that I classify together with the very basic things that we must execute as part of a sound security strategy but like so many of those basic things like patching like removing excess rights it's something that organizations know they should do it certainly common knowledge but it's not common practice or very very few organizations are doing it well and if you've been following us on our blog and I and other bloggers have blogged a lot about security basics and how to get the basics right and how the impact of doing getting the basics right can really advance your 
security strategy and your security posture sometimes more than those latest and greatest shiny toys that everybody's rushing out to to deploy and really one of the recent case in points is is the target breach that I'm sure everybody is aware of that happened recently and here's just some things I picked up from the you know numerous articles that were written about the target breach and analyzing it and and as if you don't know then you know the target breach most likely started by by discovering a vulnerability and basically taking over the credentials of an HVAC render right a heating ventilation and cooling vendor who was able to get some access to the network but we were able to get from that procurement portal to car total data to the court mobile data environment and that is a very long road but a properly segmented network should have made it very very difficult to compromise the credentials of the HVAC vendor and get to call cardholder data from there and I think about if memory serves me right about 80 million credit cards were compromised as part of that breach and of course had that network been properly segmented it would take a really highly skilled hacker to find their way around this segmentation and Mark is going to get know who basically now plays a white hat hacker for a living is going to share some of his experience from how network segmentation could make or break the difference when you're trying to penetrate a network and here's one final quote from from some of the coverage around the target breach if target gave the vendor too much access to the network then the blame lies firmly within target so it's just one breach and I'm not necessarily picking on on target so to speak their many well-publicized breaches recently but i think this does go to show that just basic security practices around segmentation in this case can really go a long way you might not you may not be able to completely prevent the attack but certainly going to be able 
to contain it and limit the damage and with that in mind maybe join we can now launch our first poll of the day you here you go can everybody see it I hope you can I'm just going to read out the questions so how would you describe your network segmentation so my network what we mostly set it and forget it we periodically revisit segmentation usually around audit time and we strategically segment on my network around business drivers or the latest threats okay so I see many of you are answering maybe we'll give it a few more seconds as votes are still coming in and all right maybe we'll close the poll throw in and share some of the results okay okay we able to i'll close it and share okay so while you're waiting for the results six percent have been honest enough to say my network what and i think between the other three options about set it and forget it periodically revisited and strategically cementing around another business requirements in the latest slits about equally split between the other three mark any commentary on what you expected to find in this ball um no not really no it's that's informative alright so with that mind lets up hand it over to you alright thank you and me appreciate it i'm waiting for the slide to pop up on my screen that sells there's tied to pull and we should here we go it's FR three afternoon and thanks for joining us everyone i really appreciate the opportunity to talk to you about network segmentation which is a topic that is near and dear to my heart believe it or not I feel like I've been preaching the virtues of a properly segmented network now for well over a decade pretty much every security engagement we do whether it's a vulnerability assessment a penetration test or social engineering engagement network segmentation comes up it's always an issue a little bit about myself founded short break security with a purpose of providing very high quality security testing services I've got spent the vast majority of my IT career in 
information security and specializing in security testing that's really all it focused on it's such a deep field it requires a lot of time to gain expertise in it and I've just kind of specialized in so short break security is a small boutique consulting company and we specialize in really just that this one a field within in information security and that's testing so our job is to conduct penetration tests vulnerability assessments risk assessments pretty much anything that an attacker does to test your network we want to also do the same thing our security engineers our team are very experienced individuals that have also specialized in security testing most of them have top-secret SDI clearances cissp bunch of other certifications and are pretty impressive this pretty impressive individuals so what is penetration testing I'll just kind of give a brief overview of penetration testing at is hard it is a form of security testing where we emulate a variety of different threats to determine the risk to your networks and systems but really we want to determine the risk to your business or organization that's what really matters not necessarily the risk to an IT asset but how does that translate into your business or your organization's mission pentesting is not just the use of one or two tools like vulnerability scanners or exploit frameworks it's really a methodology we really follow as closely as possible the same methodology that a hacker would because we want to be as realistic as possible obviously we can't break into college systems or other businesses and then launch our attacks from those systems but we try to emulate the threats as closely as possible so we look at threats it's originating from within your organization but we call those internal tests which could emulate a visitor or a contractor or malicious employee and then the largest threat source obviously would be the internet or an attacker so we enjoy testing from those various different perspectives 
at different skill levels once again the objective is to give to provide a very realistic picture of IT risk and how that translates into business or organizational risk so let's going to wait to the slide catches up it's taking a little bit longer than I expected there you go so what is network segmentation now this is this is my very simplistic view of network segmentation so it may not be tech the textbook answer but essentially it's classifying and isolating or protecting different categories of of of things so for example IT assets whether they be servers or workstations or network infrastructure it's classifying data such as PII or cardholder information or medical records it's classifying the personnel who holds the keys to the kingdom who are the network administrators who are the system administrators etc I think it's helpful if we sorry the next slide is title we understand basic segmentation and most organizations do understand segmentation to some degree we know that we shouldn't allow internet hack excuse me we know that we shouldn't allow the Internet community to come directly into our internal networks years ago before the concept of a DMZ we did we kind of just opened up a whole and surprisingly now some organizations still do this that their web server might be in that internal corporate network cloud I have seen that actually not too long ago but the vast majority of organizations do have a special network segment called a DMZ and that's where they stick all their internet accessible servers like their web servers and the mail servers in their other web caching servers and so forth and then once they have those systems in that DNZ they protect them differently they don't allow their they don't allow random people on the internet to be able to connect to remote desktop or SSH or what have you hopefully they have a default than I firewall policy that says you know the essentially block all access but permits very very few levels of access excuse me 
I think it's helpful if we think about in terms of network segmentation think about it in terms of the real world I always try to think about banks and how they protect money how they protect valuables they don't just erect the wall to the bank and stick the big pile of cash or valuables in the middle it's very segmented you could say there's different rooms involves and they employ a defense-in-depth strategy on the slide that's coming up is a room of safety deposit boxes and the safety deposit box isn't on the street it's within a big vault and the vault is within the bank doors and I'm pretty sure from my experience that most of the time you can't just walk in off the street and walk in right to the vault and access the safety deposit boxes you probably need to be on an access control list of some sort that says yes mark Wolfgang has the authority to go inside the vault where the safety deposit boxes are and those are the terms the same kind of terms that we need to think about when we're talking about network security because you really can't implement a defense-in-depth strategy unless you have these different rooms established all right so with that said it's really helpful if you're going to defend a network it's really kind of prudent that you understand how attackers work and we security testers and penetration testers we function pretty much the same way that attackers work we work the same way so it all starts with the initial chink in the armor the initial vulnerability like Nimmi said with with the target breach it all started off with one initial vulnerability and it starts there the attackers they find the chink in the armor that they Jam their crowbar and they start prying away essentially that's what we do in the IT world as well we gain an initial foothold and then most of the time austin's attackers we know very little about the system that we got into we have no idea what it does who uses it what data is contained on it and we kind of have to 
figure all that out we gather and analyze information do things like dumping the password files cracking passwords and then we we try to expand and leverage and move laterally throughout the network use what we have to gain access to other systems sometimes we totally hit a dead end we just end up getting into a system and we really can't use it for anything it doesn't further our attack whatsoever that's pretty rare however more often than not the case is that we can use something that we learn from this one system to gain access to others so let me walk through an example of a real assessment that we did a year or two ago maybe a little bit longer so you can kind of see how this plays out we conducted a full scope assessment of a large city in the United States this city was probably it's probably within the top ten as far as population size so there's if you think about all the functions of city does fire police emergency operation center red light cameras City Council the mayor all the city services it's pretty important this city had multiple buildings spread out over several miles in the end we were able to obtain full control and access of the building access and control system the computer that controlled the badging system so for anybody that had a proximity card that that allowed them to enter and enter different buildings and rooms and buildings we were able to control resulting in you know access to the police gun locker the police evidence Locker the narcotics fault the holding cell the mayor's office is the server rooms literally any door any building excuse me any door in the entire city complex that had a proximity card reader we could simply disable it we also obtained access and control of the guard workstations every building has a guard by the front desk and they sit sit there and they monitor the CCTV systems and do whatever else they do and we were able to identify those guard workstations and completely control them so you think about some 
kind of Mission Impossible kind of attack where you can disable the video cameras which we could have done disabled the guard workstations you know computers crash all the time and then radio our buddies and say okay the lock is disabled on the narcotics vault in you go so it was really I kid you not just like that we also we actually didn't end up getting a domain administrator privileges on this particular engagement well that's usually the goal the bigger goal is what can we do how can we impact this organization so the most scary thing was is that all this was possible from the public wireless network in the library that really kind of scared us and in the link between the public wireless network and the internal network you know that's that's a segmentation issue for sure so a couple more details about this particular assessment just kind of crystallized it a little bit better the initial entry point was there actually two of them Microsoft's equal servers running with no password on the essay account this is a vulnerability that's been around since about two thousand two I believe so it's an ancient vulnerability really hate to even see it out there on the network anymore but it still exists unfortunately so we were able to so we initially got access became a local administrator on the windows windows systems and then we started doing the gathering and analyzing determining what is a system who uses it how can we leverage access so we don't the passwords and cracked all the crack the windows local passwords we then you know did some port scanning and found all the other windows hosts on the network it's pretty simple to do as an attacker you just have to say you just have to tell your port scanner to show me the systems on the network that are that have you know TCP port 445 open 135 139 they're obviously windows systems or have some aura running samba whichever systems I can identify and touch that have those ports and protocols then I'm going to try to log 
on using these practice words so we did in fact gain access to a couple hundred different systems on the network and like I said us an attacker we really don't know what we have it's then a process of logging on manually looking at the hostname looking at the network configuration determining what it is every organization uses unique naming conventions so their host names might be kind of a bit of a puzzle to figure out sometimes it's pretty easy people use names like win seven dash Wolfgang to indicate somebody's workstation sometimes a little bit more obscure anyhow this same password was used on the guard workstations the CCTV systems and computer that controls the badge of the building access among you know a bunch of other ones so I always I always ask once I you know gain this level of access we always kind of ask ourselves you know how and why I think to myself how is this surfer guy from Cocoa Beach Florida able to break into a city's Network and obtain this level of access it really shouldn't be possible you know what about a really formidable adversary such as a nation state what could they do so I asked myself you know why could I even identify these critical components of this of the city's Network why could I number one identify which server well which workstation out of thousands of computers on the network was the badging workstation it's probably because I had a pretty unique excuse me pretty obvious hostname and then okay I could identify why could i touch it why could I even see it why wasn't it completely invisible from the network at layer three how is it that i was able to log on and do what i did i really shouldn't have been able to do that but you know come to find out when we when we kind of ran this down and talk to the administrators we saw this computer this computer was sitting in a locked room and only two people on the entire two people in the entire city had the key to this room that controlled the badging server yet everybody 
literally everybody on the internal network could access it in a different way they could attempt to log on if they knew the password this network was not segmented at all it was just very open the security cameras yes their IP based but that doesn't mean everybody should be able to pull up the browser and try to log on or view the cameras same thing with the dispatching server so almost always the case is the lack of proper network segmentation it's almost always a finding in our penetration test reports so I'm waiting for the next slide hopefully I was kind of informative view of how attackers work how we take advantage of segmentation errors really I shouldn't have been able to see those cameras I shouldn't available see those I should have been able to identify them but I definitely shouldn't have been able to log on remotely at the network layer so some common network segmentation mistakes the first one would be not segmenting at all I've seen this several times the city is definitely not alone I've visited I use the word visited loosely but I've conducted an audit of you know the vast majority of organizations do not segment too much they in fact don't segment at all surprised sometimes to see it a for example a 100-plus year old manufacturing global manufacturing a leader surprised to see their HVAC systems accessible surprised to see their badging systems their video cameras their control systems their process control systems computers that control manufacturing processes just sitting out there on the open internal network accessible and available for any number of attackers not segmented not segmenting enough kind of goes with the first one it's pretty self-explanatory and I have actually seen a case or two of over segmenting which you might think how can you over segments network but I once did an assessment on a network that had a hundred and thirty two different vlans or network segments and they only had 110 hosts on the entire network some vlans had 
no hosts and others had just one and it was an extreme pain to do an assessment because I literally had to plug in to every single VLAN 132 of them and then do the full discovery scan and network port scans and vulnerability scans you know as we all know security is a balancing act security slows things down just as the lock on the door to your house slows you down entering it's always a balance so you can get a little bit two segments to segmented but I don't think this is really a huge risk and I think mark I think you hit the nail right on the head with the balancing act you know we're at algo psych here we always start a balance between security and agility and I think part of the reason why organizations don't segments are under segment is because they're afraid of this additional complexity that if not handled correctly can slow you down can lead to outages and can even potentially make you more secure let's re less secure than you intended to be because if you now can't manage all those segmentation points and firewalls that segment between the networks in a proper way you may be opening up the network to access that you didn't even intend so I think a lot of it is the need to balance the additional potential complexity and due to balance on security and agility and just one other mistake that I've seen with some customers is submitting for compliance um that you've seen that so those who have to comply with PCI typically have to submit off the PCI zone so they do what the regulation asked them to do and they fall into the same on a mistake that security and compliance are two very different things you know passing the audit and making it difficult for an attacker are two very different things so if you have to submit for compliance obviously need to do it but just keep in mind that compliance is not security you also have to think about how to submit securely which may require you to do different or additional things and what a specific regulation requires 
you to do yep good good additional points or enemy so let's get into some basics about how to segment for security it is a pretty complicated process and it's it's not a short process it's a lengthy longer term project that you need to undertake first of all you really do need to have a good grasp of your business that you work at or the organization that you work why does it exist what you know why is it around what are we trying to do here so for a for-profit business how does revenue enter the business stream what are the key components of that perhaps you sell car insurance over the web that's pretty easy to figure out probably which are the critical components and which are the pennant components to back in databases and other type of systems that interrelate if it does take some work so which IT assets data and personnel are critical to ensure the continuity of the business or the mission once you kind of have a decent understanding of that you can start to do some planning and essentially we want to group an inventory three different things that's assets personnel and data so for an example for assets and you can get as granular as as you like here you could have a network segment just for Windows Microsoft Windows sequel servers but here's some examples for assets windows servers infrastructure could be grouped into one network segment or one group security appliances and devices financial HR other other types of assets that we're talking about here in groups a large enterprise organization may have a hundred different asset groups next we're going to a group and inventory personnel so once again you can go as fine-grained as you like here but you can definitely start at some broader groupings I'm looking for the slide to catch up it should be any second now okay so for example this is grouping personnel so we've grouped our assets and with with our first asset group was Windows servers so it kind of makes sense to group our personnel maybe you could have a 
windows server admins maybe they could be owed you admins or or ad admins workstation admins are frequently different than server admins and larger organizations unix administer their security administrators network admins maybe you want to have a separate group of personnel for your executive management team another one for our d depending on you know your organizational type so we've got our assets grouped now we have our personnel Group and you can do the same thing with your data grouping these systems contain HIPAA information these systems contain pci that's one of the good one of the good things that pci does a lot of the times force some segmentation because if your card holder that cardholder data systems are not in their own network segment then you have to do the assessment on your entire network so it definitely does help alright so once we've determined our groupings that's our assets our personnel and our data then we need to determine who can access one and this should all be based on business need I first heard this kind of firewall rule set translation to business need not probably back in 2002 I was at a large independent system operator which is a entity that controls a power berry for a very large region and I was reviewing their father all sets and we noticed that they would just wholesale bloc countries and regions so for example act apneic was blocked the entire IP address space lack Nick afrinic so we asked them you know why are you guys blocking this entire region and they said they have no business need to ever talk to our systems so they're blocked and kind of lightbulb moment went off in my head and said that's absolutely brilliant everybody should block if your business never ever ever does business with China perhaps you should just block them at the IP layer layer so we want to determine the level of access based on business need so it's as you ask a bunch of questions who has a business need to administer the routers and switches 
perhaps you know in some organizations I'm kind of sounded perhaps going back to the city example in the CCTV systems perhaps only three people in the entire organization had a business need to be able to go to any specific video camera on this web server on port 80 yet the entire internal network was permitted by default to do this so who needs access to the cameras who needs access to the UNIX servers and to start locking start walking it down so we determine who needs access to what based on the business need and if there is no business need you simply don't get access the goal here is to have a default deny policy for each network segment ideally it would be a default than I inbound and a default than I outbound but obviously the default that I outbound would be very advanced egress filtering most organizations still struggle with implementing egress filtering in general but / network segments that would probably be a heck of all the work alright so implementing visits he's been implementing segmentation like I said before it's a big it's a big task it's a long term project but you've got you can start somewhere I suggest you not start with your executives or your administrative personnel or anybody that is going to kind of make some noise if they all of a sudden can access something which inadvertently does happen so I suggest starting with network administrators perhaps or even windows servers just pick pick some acid group say it's the windows servers or let's go with my example in the slide say it's the network administrators and the network devices so we've got our two different VLANs all the network administrators work stations along in a VLAN called network admins all the management interfaces for the routers and switches sit in a VLAN called network devices begin by logging all traffic to try to determine you know what traffic is normal what traffic is needed okay so maybe you didn't realize that they use SNMP still so so so the whole idea here is don't 
just shut down access right away begin to log and determine what's necessary the goal obviously is default and I so that only the network administrators can access the network devices everybody else is shut out so then you want to make sure you have the controls to ensure that segmentation is actually enforced successful segmentation really does shut down attackers in our paths why should say they're past but i kind of consider myself an attacker for our engagements it really does completely shut us down imagine you were you know you are trying to penetrate the bank you breach the outer wall you got into the lobby and then next thing you know there's this massive fault that you have to somehow penetrate and then behind that involved is the safety deposit boxes it significantly raises the bar and really slows attackers or completely shuts us them successful segmentation is successful segmentation really enables defense in depth you really can't have an effective defense in depth program unless you have segmentation it will be kind of like the bank without walls or the bank without rooms you can't isolate things if they're not in their own little segments it really does provide a foundation for a secure Network it's not easy nor is it quick and I I really think that you know successfully segment segmenting your network is as important if not more important than you know patching your systems years ago it was pretty common in the SCADA dcs process control system world to have network of systems that never got patched these were ancient computers running antiquated software and very custom software and they never got patched and the big thing was they never connected the internet number one and that we're not connected to any other networks so you can really mitigate and reduce the risk by properly segmenting printers I see this printers I see this is someone has issues printers printers are notoriously difficult here you may have a hundred fifty words on your network 
each of those has you know five or six different services that are kind of insecure by default they have guessable passwords guess bull SNMP community strings the web interface is kind of guessable you know the answer to that a lot of in a lot of cases is set up a printer VLAN and only allow the printer ports inbound nobody else can access any other ports all right so this diagram popped up on the screen that shows kind of an example of a well segmented internal corporate network basically you just have a bunch of different clouds with smaller subnets or vlans and we're just restricting access so that the only person the only groups of people like an access EHR servers are you know the those that administer the servers in the HR department everybody else sorry you have no business need you're not accessing the network I know it Markov in a we you and I talked about this now you mentioned printers and the potentials of attack vector and with this internet of things that everybody is talking about we're not that far from the day that every every thermostat is going to be IP address of all right I don't know about your coffee machine being IP address of all anybody's talking about that for years but certainly more and more IP address herbal things are going to find their way onto your network and if you don't segment those you know that can be impossible to manage because yeah you may have a hundred fifty printers but in a large building you may have no a thousand thermostats and if you took each of those r.i.p addressable they're not properly cemented off the network that's a whole new attack vector that you may be opening out yeah that's a really good point and it's been a very valid there's there's some even owner hvac systems that have IP addresses and communicate but yeah you throw in everything else and you're you could be in real trouble five years down the road when those businesses go out of business and they're not updating the software and next thing you 
know you've got a bunch of vulnerable systems just lumped in with everything else. Right.

Okay, so thank you very much, Mark, for this. I want to talk a little bit about defining and enforcing network segmentation and show you how you can actually do that, because at the end of the day, you sit down, you have a great blueprint of how your network is segmented, but it's got to be enforced, right? And the devices that enforce it are typically your firewalls and the policies that you configure on these firewalls, and at the end of the day your network segmentation is only going to be as good as the firewalls and their policies. All it takes is one ill-considered any/any/any rule and there goes your blueprint, right? I meant for these two subnets to be segmented, but I just put in a wrong firewall rule and now everything's accessible, and I didn't need it to be. Obviously these are some of the challenges that we help our customers deal with every day, and I want to throw in this one last poll before I show you how this is achievable. So we can launch this poll, Joanne. Yeah, I think it's launched. So you guys are seeing this? Yes? You see the poll? Yes. Okay, I take it yes, I believe you can see it. And, you know, as an honor process: has a firewall rule gone wrong ever in your network? Did it create an outage, maybe a security breach, maybe an audit violation, maybe more than one of the above? And, scout's honor, hold up your fingers when you say none of the above has ever happened in my network. So I see people are filling this in, and let's see what you answered. I'm going to go ahead and close the poll and share the results. So first of all, eleven percent of you are holding up their fingers as in none of this has ever happened to them, so congratulations, you may step off the webcast now. But the vast majority, this is what we see, and an outage certainly is something that's very noticeable, so it's not surprising that a lot of people know that an
outage was caused. A security breach, you know, maybe you are causing security holes or implications and not knowing about it; that's the nature of security, you don't always know that you have a security breach, you don't always know if you've been breached. Outages and audits are certainly easier to detect and to know that you've experienced. But basically almost ninety percent of you have experienced at least one of the following issues: an outage, a security breach, or an audit violation, which kind of leads me to this demonstration of showing you how the AlgoSec Security Management Suite can help you not only define your network segmentation but also enforce it. For those of you who are not familiar with AlgoSec, we're basically set up at this intersection that Mark talked about, the intersection between security and agility. On the one hand we help you make sure that the firewall policy, the network security policy, is properly configured, because, as you can see, it's a very known fact that ninety-five percent of the firewall breaches out there are the result of misconfiguration. They're not a result of some vulnerability; somebody simply did not configure the device properly and somebody was able to get in. On the other hand, the process of making changes and configuring the security policy is a very manual, time-consuming and very error-prone process, unlike the rest of the data center and IT, where a lot of disciplines are very automated now. You can spin up a new server in about a minute using tools like VMware and others, but configuring the security policy is still very manual, takes a long time, can take days and sometimes even weeks in an organization to figure out what they need to do to deploy a new application, for example. Right, so this is the type of challenge that at AlgoSec we help customers with every day. We basically help you solve the following challenges, and I'll go over these fairly quickly.
One is the complexity, of course: in a large organization you've got dozens, maybe hundreds of firewalls, thousands of access rules, the different applications need to communicate and are connected in ways that are hard to track and manage. There's a lot of change in the devices, in the network, and new applications being spun out. It's not easy to collaborate between the different stakeholders: you've got your business owners that are not always very good at communicating what they need in ways that you can go ahead and implement on the network; you've got the networking team that is very good about thinking about IPs and services, but, as Mark mentioned, very few actually know how to tie those back into the business requirements; and then you've got security teams which want to make sure that everything is implemented in a secure way, in accordance with the security policy and in accordance with any compliance regulations that you need to comply with. So with all of these multiple stakeholders, it's very difficult to get them all to the same table for an agile security process. And finally compliance: we all know that we need to comply with a lot of regulations; internal and external audits are very time-consuming. So how do we manage all of this? The AlgoSec Security Management Suite, for those who are not familiar with it, is comprised of three components, starting with BusinessFlow on the left-hand side, which can really take your security policy and tie it back into the applications, the business applications that it supports, and can help you with provisioning the connectivity for those applications and also securely decommissioning that connectivity when an application is removed from the network, which is something very few organizations are able to do; you kind of leave all those access rules and firewall rules in place because you don't know what you're going to break, right? On the right-hand side we have Firewall Analyzer, which
connects to your security policy and your devices, like firewalls and routers and load balancers, and really gives you this visibility on what the policy is doing, analyzes it, audits it, simplifies audits, automates a lot of the ongoing operations. And in the middle you see FireFlow, which is really our change workflow solution that helps automate the entire process end-to-end, from understanding when a change is required, to making sure it doesn't add any risk and doesn't violate segmentation, and helping you design it in the optimal way and push it out. So it really saves you a ton of time when you're trying to implement firewall changes and also increases the rate of accuracy; this automation prevents a lot of the manual mistakes that happen every day in organizations. So let's look at a quick demonstration. First of all I want to show you how we think about network segmentation here at AlgoSec, and I've got a very simple spreadsheet here that defines a very crude, obviously, network segmentation. For our purposes we'll call them net1, net2, net3, but of course you can give them meaningful names like Mark suggested, and you can see this very simple matrix decides what you allow on the network. So for example, from the partner network I can only connect using something called partner services to these subnets, and I can only connect using secure services to the PCI zone, right? If you want to know what partner net is, it's defined in this tab, so obviously for each network you can specify the range and IPs that make up that network, and if you're wondering what partner services or secure services are, these are also defined in this next tab. So here are secure services, these are partner services; obviously I'm using just one example, and you can make this as customized as you'd like. Okay, so this is how you think about network segmentation: you basically define your segments, just like Mark said, and then you upload it into the tool,
into the AlgoSec suite, and what happens then? Okay, what you see happen then. Now, this is the AlgoSec suite, if you're not familiar with it. We can obviously model and understand your network; we actually connect to all the firewalls and routers, and you can actually build this nice model of your network, and we understand how traffic traverses the network. So if you're on this side of the network and you want to understand if you can FTP into this side, we will allow you this visibility, and you can actually query anything on the network. In terms of segmentation, what I want to show you is a risk report for this Check Point firewall here, and you can see there's a lot of risks in the policy that we've uncovered. Some of those are kind of best practices that you shouldn't be violating, such as any service can enter your network; that's probably not a good idea. You know, any day of the week, people seem to write a firewall policy that allows any service down to your network. But you can see that some of these risks over here are specific to the network segmentation that you've defined, so for example, here is unauthorized traffic between "other" and the net1, net2, partners and PCI zones, right? So something in this firewall policy breaks the segmentation that I defined. If I click on details, I can see all the rules that have violated my network segmentation policy, okay, and of course I can drill down to each rule and understand what it is about this traffic that violates the policy. Okay, now I want to show you one other thing, which is our BusinessFlow product. As I mentioned, we are very good at tying the security policy and traffic flows, as we call them, to the security, sorry, to the business applications that require them. So in this case you can see that this helpdesk application requires all of this connectivity from the network, right? It requires, for example, HTTPS between these two sources and these destinations, and not only do we know what's required, we also know if the security policy,
the underlying security policy, is enabling the required connectivity. In this case you can see that this HTTP access between the helpdesk portal and the SMS server is actually blocked, and you can very quickly see why this required connectivity is blocked. In my example you can see that I want to get from this point, I go through the router here, and you see all the VLANs around it, but this evil, evil Cisco ASA firewall is actually preventing traffic that is required for a business service to run from getting to the required destination. Okay, so once you have this visibility you can start making changes, and you can also ensure that these changes are not violating the security policies. So I'm going to open up this payroll application, which is all green, everything's up and running, and I'm going to request a new change. I'm actually going to request FTP access to a new server, and we're going to clone this one, and I'm going to request FTP access to this new server, and I'm going to save the changes and apply this draft. So what happens now behind the scenes is that AlgoSec is going to automatically compute any changes that are required to the security policy and open up a change request. You can see here I've actually opened up this change request that was opened automatically; I can see again what is missing for this traffic to work. You can see I'm trying to get from here, I'm going through different areas of the network, and I'm actually going to have to make changes to two devices, both this Check Point firewall here and this Juniper firewall here. Okay, so I can actually see that I'm going to have to make changes to two devices, but what AlgoSec is going to do, I hope I did not time out here, is also analyze the risk levels in making that change. So we do a proactive risk analysis to make sure that this change is not going to introduce any unwanted risk, and I hope that I haven't timed out of the software while we were
waiting. We're having fun talking network segmentation on the webcast, but if all goes well here we should be able to see that the change that was requested is actually going to break my network segmentation. Give it just a second, it's going to calculate the risk, and that's really the key to keeping not just your network segmentation intact, because you get visibility of every rule and the impact of every proposed change, but you also get compliance visibility. I can guarantee that this is not going to break PCI compliance, I can guarantee that it's not going to break my security policy, and if we give it probably another 10 to 15 seconds it's going to finish crunching all the numbers and let you know that this rule will violate my network segmentation. So let's give it another few seconds, and now, by the way, is a very good time to submit any questions that you have, which we will take up until the end of the hour. This is the beauty of doing live demos. We'll try to give it another second or two; I'll review some of the questions. Okay, here we go. So you can see that this access that was required, first of all it's a bad idea because FTP can get into your network, but it also violated my segmentation: traffic not allowed by PCI can reach the PCI zone. You can see that there's unauthorized traffic from "other" to net1, net2, partners and the PCI zone, so this is again a very bad idea and violates my segmentation, and of course I can go ahead and reject this change, send it back to the owner, etc., etc. So that was a very, very short demonstration. I'm going to return to the presentation. So before we take any questions, the first thing: this is how you can reach Mark if you want to risk the chance of him telling you how you can hack into your network and where your vulnerabilities are. Mark can be reached at mark at Shorebreak Security; you can also see my email here, and if you go to algosec.com there's a lot of useful resources that we have to help you better manage
the security policy in general. You can see, for example, our Security Policy Management in the Data Center for Dummies book, the tips for how to manage next-generation firewall policies; these are all tips by fellow security practitioners. So there's also loads of other useful resources that you can check out. So with that in mind, let's try to take some questions. I think the first question is for Mark. There was a question about how can I encourage management to put money into a segmentation project.

That's a really good question, and let me change the question a little bit and say, how can I convince management to put money into any security project? Because it's a hard thing to do, and you must justify it, and I can't tell you how many times I've gone into an organization and made a recommendation to the security manager, and the security manager says, yep, I made the same recommendation a year ago or six months ago. It often just takes an independent third party to come in and say the same thing that you've been saying to be effective, which is unfortunately just the way things are. So one of the things that a penetration, okay, so there's two ways you can really convince management to spend money. Number one, get hacked. If you get hacked, they will be forced to spend money to recover and to put up defenses to prevent the next attack. The second way is to undergo a really good penetration test, because ideally a really good penetration test will produce similar results, will come up with the same kind of outcome as an attacker would, although of course we won't be destructive. Then you can go in and say, this is what's possible, and that's why a penetration test is very useful, because we don't just say there's a vulnerability in your web server; we're able to translate that to business risk, do what an attacker would do, and instead tell management that we could shut down your business, or we could ruin your reputation, or your intellectual
property is now gone. Hopefully I answered the question.

Yeah, so by the way, we've got loads and loads of interesting questions. We won't be able to get to them all, so we'll try to pick a few more and we'll do our best to just answer you after the webinar over email. So let's take maybe a couple of easy ones and then maybe a little bit more difficult ones. A few questions about the AlgoSec suite: is it platform-independent? The answer is yes; it doesn't depend on any firewall vendor. We support Cisco, Juniper, Check Point, Palo Alto, Fortinet, McAfee, I hope I didn't forget anything, so we support all the major firewall vendors. Also, somebody noticed that the risk check is slow. I am running a local VM on my little Dell PC here, so please excuse the time this took; obviously when you're running this off a powerful server or an AlgoSec appliance the results will be different. So again, all I did is run a VM off a laptop in kind of an emulated environment, so it's not the type of computation that a laptop is geared up to handle, so please excuse that. And one other question about AlgoSec, and then I'll shoot another one to Mark: do you need to register the routers in Firewall Analyzer and FireFlow, or does it detect all the routers? So the short answer is, if it's a router that you would like routing information from, and you need that for the accuracy of the query, then the answer is yes. It depends on your network, but of course the more routers you register, if we need that routing information to give you a correct response regarding the devices that you need to change, then the answer is yes. And by the way, we can also recommend, or realize, that you need to change router ACLs or change routing tables; it's not just limited to the firewall rules in the firewall policy. So there's more questions about AlgoSec which I'll try to answer over email. Maybe some questions to Mark. So what about segmentation in
virtualization? Do you want to talk about how you should or should not segment in virtualized environments?

Sure. And really, when we talk about network segmentation we're really talking about layer 3 networking, so virtualization really lives above that, so segmenting in the cloud could be a little bit different of a topic, but the basics are all the same: knowing what you have, knowing who has authorized or business need to access them, and implementing access controls. So virtualized or non-virtualized, there's not a huge difference.

All right, and then there's some talk, if you listen to VMware and other vendors, about micro-segmentation. I absolutely agree with Mark that the concepts for blueprinting a good segmentation policy are the same: you need to classify, you need to make sure that somebody has a business need to access whatever it is they want to access. Some of the underlying technology may change, though; it may not be a big box that's a firewall, it may be something at the hypervisor level, there are some tools out there, and if you're going into the cloud it may be something like an Amazon security group. But again, the enforcement technology may change, and obviously here at AlgoSec we will keep up with everything that you may need now or in the future, but the methodology for segmentation is not going to change. It sits still; it's basics, it hasn't changed for years, right? Just the complexity may have increased, the tools may have been different, etc., but giving somebody with no business reason access to a system was never a good idea, nor will it be a good idea in the future. I see, let me, maybe we'll take one more question. I see we're just over the hour and I want to be respectful of everybody's time, so maybe we'll take one more question for Mark. Okay, give us one second. Okay, so Mark, maybe one last question for you: how should I prioritize segmentation, by network or by identities, taking into account that
there are many mobile users as well? By network or identity; I think the general question is about mobile users, right? How do mobile users fit into segmentation with all the bring-your-own-device trend that's there?

Well, that's a whole different asset category that probably, most definitely, should be grouped into their own network segments, at least one network segment that maybe is mobile devices. And what I would probably recommend there for that specific group of assets, I would definitely look at outbound firewall rule sets. So more than likely those devices, iPads, phones, what have you, only need to speak a few different protocols outbound. You could definitely reduce a lot of risk, if malware gets on those devices, when they don't have access outbound or inbound to all 65535 TCP/UDP ports. So it can definitely help to reduce the risk of those types of devices on the network.

Okay, before we conclude, there is a