Critical control 13: Boundary defence
Control the flow of traffic through network borders, and police content by looking for attacks and evidence of compromised machines. Establish multilayered boundary defences by relying on firewalls, proxies, demilitarised zone (DMZ) perimeter networks, and other network-based tools. Filter inbound and outbound traffic, including through business partner networks (“extranets”).
How do attackers exploit the absence of this control?
Attackers focus on exploiting systems that they can reach across the Internet, including not only DMZ systems but also workstation and laptop computers that pull content from the Internet through network boundaries. Threats such as organised crime groups and nation-states use configuration and architectural weaknesses found on perimeter systems, network devices, and Internet-accessing client machines to gain initial access into an organisation. Then, with a base of operations on these machines, attackers often pivot to get deeper inside the boundary to steal or change information or to set up a persistent presence for later attacks against internal hosts. Additionally, many attacks occur between business partner networks, sometimes referred to as extranets, as attackers hop from one organisation’s network to another, exploiting vulnerable systems on extranet perimeters.
To control the flow of traffic through network borders and police content by looking for attacks and evidence of compromised machines, boundary defences should be multi-layered, relying on firewalls, proxies, DMZ perimeter networks, and network-based IPS and IDS. It is also critical to filter both inbound and outbound traffic.
Boundary lines between internal and external networks are diminishing as organisations become more densely interconnected, both within and between themselves, and as wireless technologies are deployed ever more widely. These blurred lines sometimes allow attackers to gain access inside networks while bypassing boundary systems altogether. Even so, effective security deployments still rely on carefully configured boundary defences that separate networks with different threat levels, sets of users, and levels of control. Multi-layered defences of perimeter networks lower the number of successful attacks, allowing security personnel to focus on the attackers who have devised ways to bypass boundary restrictions.
How to implement, automate and measure the effectiveness of this control using the sub-controls below
The boundary defences included in this control build on critical control 10. The additional recommendations here focus on improving the overall architecture and implementation of both Internet and internal network boundary points. Internal network segmentation is central to this control because once inside a network, many intruders attempt to target the most sensitive machines. Usually, internal network protections are not set up to defend against an internal attacker. Setting up even a basic level of security segmentation across the network and protecting each segment with a proxy and a firewall will greatly reduce an intruder’s access to the other parts of the network.
13.1 - Quick wins: Organisations should deny communications with (or limit data flow to) known malicious IP addresses (black lists) or limit access to trusted sites (white lists). Tests can be periodically carried out by sending packets from bogon source IP addresses into the network to verify that they are not transmitted through network perimeters. Lists of bogon addresses (unroutable or otherwise unused IP addresses) are publicly available on the Internet from various sources, and indicate a series of IP addresses that should not be used for legitimate traffic traversing the Internet.
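The following is an added illustration of the filtering and bogon test described in 13.1; it is example code written for this page, not CPNI's or any vendor's implementation. It models a perimeter filter in Python and then runs the periodic check: one packet sourced from each bogon range is injected at the Internet edge and any range the filter lets through is reported. The address plan (10.0.0.0/8 and 192.168.0.0/16 internal, 203.0.113.0/28 as the public DMZ), the deny-listed address and the partner allow list are all hypothetical, and the bogon list is a subset of the RFC 6890 special-purpose ranges rather than a maintained feed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List

# Constructed bogon list: a subset of the RFC 6890 special-purpose IPv4 ranges that
# must never be the source of a packet arriving from the Internet. A production
# filter should load a maintained list (for example Team Cymru's) and refresh it.
# The documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are
# bogons too; they are left out here so the example can use them as stand-in
# public addresses.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Hypothetical address plan for the organisation (assumptions for this example).
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
PUBLIC_DMZ = [ipaddress.ip_network("203.0.113.0/28")]
# Constructed deny list (a "known-bad" address) and allow list (trusted partner range).
DENY_LIST = {ipaddress.ip_address("198.51.100.66")}
ALLOW_LIST = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass
class Packet:
    direction: str  # "in": Internet -> enterprise, "out": enterprise -> Internet
    src: str
    dst: str


def in_any(addr, nets) -> bool:
    return any(addr in n for n in nets)


def decide(pkt: Packet, enforce_allow_list: bool = False) -> str:
    """Return the perimeter verdict for one packet: 'accept' or 'drop:<reason>'."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.direction == "in":
        # Anti-spoofing: bogon sources, and our own ranges, cannot legitimately
        # arrive from outside.
        if in_any(src, BOGONS) or in_any(src, INTERNAL) or in_any(src, PUBLIC_DMZ):
            return "drop:bogon-or-spoofed-source"
        if src in DENY_LIST:
            return "drop:deny-list"
        return "accept"
    if pkt.direction == "out":
        # Egress: only our own address space may leave; then apply the lists.
        if not (in_any(src, INTERNAL) or in_any(src, PUBLIC_DMZ)):
            return "drop:spoofed-egress-source"
        if dst in DENY_LIST:
            return "drop:deny-list"
        if enforce_allow_list and not in_any(dst, ALLOW_LIST):
            return "drop:not-on-allow-list"
        return "accept"
    raise ValueError(f"unknown direction {pkt.direction!r}")


def bogon_test(filter_fn: Callable[[Packet], str] = decide) -> List[str]:
    """The periodic check from 13.1: inject one packet sourced from each bogon
    range at the Internet edge and report every range the filter lets through."""
    leaked = []
    for net in BOGONS:
        probe = Packet("in", str(net.network_address + 1), "203.0.113.5")
        if filter_fn(probe) == "accept":
            leaked.append(str(net))
    return leaked


if __name__ == "__main__":
    for p in (Packet("in", "10.1.2.3", "203.0.113.5"),
              Packet("in", "198.51.100.7", "203.0.113.5"),
              Packet("out", "192.168.1.20", "198.51.100.66")):
        print(p, "->", decide(p))
    print("leaked bogon ranges:", bogon_test())
```

In practice the probe packets are sent from outside the perimeter and observed (or not) on the inside, and `decide` is whatever the firewall actually does; the point of keeping the test separate from the filter is that a misconfigured or bypassed filter is caught by the test rather than assumed correct because a rule exists.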
13.2 - Quick wins: Deploy network-based IDS sensors on Internet and extranet DMZ systems and networks that look for unusual attack mechanisms and detect compromise of these systems. These network-based IDS sensors may detect attacks through the use of signatures, network behaviour analysis, or other mechanisms to analyse traffic.
13.3 - Quick wins: Network-based IPS devices should be deployed to complement IDS by blocking known-bad attack signatures or behaviours. As attacks become automated, a detection-only approach such as IDS adds to the time it takes for someone to react to an attack. A properly configured network-based IPS can block bad traffic automatically, although its signatures and blocking rules must be tuned so that false positives do not disrupt legitimate business traffic.
13.4 - Quick wins: On DMZ networks, monitoring systems (which may be built in to the IDS sensors or deployed as a separate technology) should be configured to record at least packet headers, and preferably full packets (headers and payloads), for traffic destined for or passing through the network border. This traffic should be sent to a properly configured SIEM system so that events can be correlated across all devices on the network.
13.5 - Quick wins: To lower the chance of spoofed e-mail messages, implement the Sender Policy Framework (SPF) by publishing SPF records in DNS for the organisation's sending domains and enabling receiver-side verification in mail servers. SPF checks the envelope sender (MAIL FROM) domain against the connecting IP address, not the From: header displayed to the user, so it does not by itself stop display-name or header spoofing.
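As an added worked example for 13.5 (not CPNI's material, and not a complete SPF implementation), the block below shows what the receiver-side check actually does: fetch the sending domain's SPF record, walk its mechanisms in order, and return the RFC 7208 result for the connecting IP. DNS is replaced by an in-memory table of hypothetical domains and records so it runs offline; only the `ip4`, `ip6`, `include` and `all` mechanisms are implemented, the include lookup limit from RFC 7208 section 4.6.4 is enforced so that a self-referencing record cannot loop forever, and the mapping from SPF result to SMTP action is an assumed policy for the example.

```python
import ipaddress
from typing import Dict, Optional

# Constructed stand-in for DNS TXT lookups (domain -> SPF record). In a real
# receiver these come from DNS; the domains and addresses here are hypothetical.
TXT_RECORDS: Dict[str, str] = {
    "example.org": "v=spf1 ip4:203.0.113.0/28 include:_spf.partner.example -all",
    "_spf.partner.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # pathological: includes itself
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: limit on include/a/mx/... lookups


def lookup_spf(domain: str) -> Optional[str]:
    rec = TXT_RECORDS.get(domain)
    if rec and rec.lower().startswith("v=spf1 "):
        return rec
    return None


def check_host(ip: str, domain: str, _lookups=None) -> str:
    """Evaluate SPF for the connecting IP against the MAIL FROM domain.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    lookups = _lookups if _lookups is not None else [0]  # shared counter across includes
    addr = ipaddress.ip_address(ip)
    record = lookup_spf(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = check_host(ip, arg, lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("permerror", "none"):
                return "permerror"  # RFC 7208 section 5.2: none/permerror inside include
            # fail, softfail or neutral inside an include is simply "no match"
        else:
            # a, mx, exists, redirect and macros are not implemented in this example;
            # a real receiver must support them.
            return "permerror"
    return "neutral"  # record exhausted without a match and without an "all"


def receiver_action(result: str) -> str:
    """Assumed receiver policy for the example: reject hard fails, flag the
    ambiguous outcomes for filtering, accept everything else."""
    return {"fail": "reject", "softfail": "accept-and-flag",
            "permerror": "accept-and-flag"}.get(result, "accept")


if __name__ == "__main__":
    for ip, dom in (("203.0.113.5", "example.org"), ("198.51.100.99", "example.org"),
                    ("2001:db8::1", "example.org"), ("203.0.113.5", "loop.example")):
        r = check_host(ip, dom)
        print(f"{ip:>16} MAIL FROM @{dom}: {r} -> {receiver_action(r)}")
```

Note that "pass" means only that the connecting IP is authorised to send for the MAIL FROM domain; an attacker who controls a domain with a permissive record, or who uses a different envelope domain from the displayed From: address, still passes SPF.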
13.6 - Visibility/Attribution: Define a network architecture that clearly separates internal systems from DMZ and extranet systems. DMZ systems are machines that need to communicate with the internal network as well as the Internet, while extranet systems are those whose primary communication is with other systems at a business partner. DMZ systems should never contain sensitive data and internal systems should never be directly accessible from the Internet.
13.7 - Visibility/Attribution: Design and implement network perimeters so that all outgoing web, file transfer protocol (FTP), and secure shell traffic to the Internet must pass through at least one proxy on a DMZ network. The proxy should support logging individual TCP sessions; blocking specific URLs, domain names, and IP addresses to implement a black list; and applying white lists of allowed sites that can be accessed through the proxy while blocking all other sites. Organisations should force outbound traffic to the Internet through an authenticated proxy server on the enterprise perimeter. Proxies can also be used to encrypt all traffic leaving an organisation.
13.8 - Visibility/Attribution: Require all remote log-in access (including VPN, dial-up, and other forms of access that allow log-in to internal systems) to use two-factor authentication.
13.9 - Configuration/Hygiene: All devices remotely logging into the internal network should be managed by the enterprise, with remote control of their configuration, installed software, and patch levels.
13.10 - Configuration/Hygiene: Organisations should periodically scan for back-channel connections to the Internet that bypass the DMZ, including unauthorised VPN connections and dual-homed hosts connected to the enterprise network and to other networks via wireless, dial-up modems, or other mechanisms.
13.11 - Configuration/Hygiene: To limit access by an insider or malware spreading on an internal network, organisations should devise internal network segmentation schemes to limit traffic to only those services needed for business use across the internal network.
13.12 - Configuration/Hygiene: Organisations should develop plans to rapidly deploy filters on internal networks to help stop the spread of malware or an intruder.
13.13 - Advanced: To minimise the impact of an attacker pivoting between compromised systems, DMZ systems should only be allowed to communicate with private network systems via application proxies or application-aware firewalls over approved channels.
13.14 - Advanced: To help identify covert channels exfiltrating data through a firewall, configure the session-tracking mechanisms built into many commercial firewalls to identify TCP sessions that last unusually long for the given organisation and firewall device, and alert personnel to the source and destination addresses of those sessions. What counts as "unusually long" should be baselined from the organisation's own traffic rather than taken as a fixed figure, and alerts should be reviewed against known long-lived legitimate flows so that false positives stay manageable.
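Added example for 13.14 (written for this page; not CPNI's or any firewall vendor's code): the detection logic run over constructed session-end log lines. The log format (start time, end time, source, destination, destination port) is hypothetical, as are the addresses. The baseline is a robust one, median plus a multiple of the median absolute deviation, with an absolute floor so that a network whose sessions are uniformly short does not alert on every small outlier; both parameters are assumptions to be tuned per organisation.

```python
from datetime import datetime, timezone
from statistics import median
from typing import List, NamedTuple

# Constructed firewall session-end log (not real data), one session per line in the
# hypothetical format: start,end,src,dst,dport with ISO 8601 UTC timestamps.
SAMPLE_LOG = """\
2024-03-01T08:00:00Z,2024-03-01T08:00:12Z,10.0.1.5,198.51.100.20,443
2024-03-01T08:01:00Z,2024-03-01T08:01:45Z,10.0.1.7,198.51.100.21,443
2024-03-01T08:02:00Z,2024-03-01T08:02:08Z,10.0.1.5,198.51.100.22,80
2024-03-01T08:03:00Z,2024-03-01T08:04:30Z,10.0.2.9,198.51.100.20,443
2024-03-01T08:05:00Z,2024-03-01T08:05:20Z,10.0.1.7,198.51.100.23,443
2024-03-01T08:06:00Z,2024-03-01T08:07:00Z,10.0.3.2,198.51.100.24,22
2024-03-01T08:07:00Z,2024-03-01T08:07:30Z,10.0.1.5,198.51.100.20,443
2024-03-01T08:10:00Z,2024-03-01T15:40:00Z,10.0.4.11,203.0.113.77,443
2024-03-01T08:11:00Z,2024-03-01T08:11:05Z,10.0.1.9,198.51.100.25,80
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


class Session(NamedTuple):
    src: str
    dst: str
    dport: int
    duration_s: float


def parse_sessions(text: str) -> List[Session]:
    """Turn session-end log lines into Session records with a duration in seconds."""
    sessions = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        start, end, src, dst, dport = line.split(",")
        t0 = datetime.strptime(start, TS_FORMAT).replace(tzinfo=timezone.utc)
        t1 = datetime.strptime(end, TS_FORMAT).replace(tzinfo=timezone.utc)
        sessions.append(Session(src, dst, int(dport), (t1 - t0).total_seconds()))
    return sessions


def long_session_threshold(durations, k: float = 5.0, floor_s: float = 600.0) -> float:
    """Robust baseline: median + k * MAD (median absolute deviation), never below
    floor_s. Median/MAD are used rather than mean/stdev because one multi-hour
    session would otherwise drag the baseline up and hide itself."""
    med = median(durations)
    mad = median(abs(d - med) for d in durations)
    return max(med + k * mad, floor_s)


def find_long_sessions(sessions: List[Session], k: float = 5.0,
                       floor_s: float = 600.0) -> List[Session]:
    """Return the sessions whose duration exceeds the organisation's baseline; the
    src/dst in each record is what the alert to personnel should carry."""
    threshold = long_session_threshold([s.duration_s for s in sessions], k, floor_s)
    return [s for s in sessions if s.duration_s > threshold]


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for s in find_long_sessions(sessions):
        print(f"ALERT long session {s.src} -> {s.dst}:{s.dport} lasted {s.duration_s:.0f}s")
```

On a real firewall the same logic runs against the device's session table or its session-end syslog, and the baseline should be computed per destination port (or per application) and refreshed periodically, since what is normal for HTTPS differs from what is normal for SSH or a site-to-site tunnel.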
View CPNI advice and guidance on how to implement, automate and measure the effectiveness of this control.