The Critical Role of Network Security in Zero Trust

/by

The National Security Agency’s (NSA) Cybersecurity Information Sheet (CIS) entitled “Advancing Zero Trust Maturity Throughout the Network and Environment Pillar” outlines how organizations can enhance their network security within the Zero Trust model. This involves leveraging advanced cybersecurity strategies to mitigate risks of lateral movement by malicious actors within networks.

In a recent SCmagazine article, the creator of the Zero Trust concept, John Kindervag, pointed out the industry’s current overemphasis on identity management, cautioning against neglecting network security’s critical role. This viewpoint complements the NSA’s guidance on implementing Zero Trust within the network and environment pillar, underscoring the need for a balanced approach that values both identity and network infrastructure. Kindervag’s insights advocate for not only recognizing the network as a foundational component of Zero Trust, but also actively engaging in strategies like data flow mapping, macro- and micro-segmentation, as well as leveraging software-defined networking (SDN) for enhanced security measures​​. This balanced focus ensures a comprehensive and resilient Zero Trust model, and RedSeal can address those network-related challenges effectively.

RedSeal can play a crucial role in implementing these strategies:

  • Data Flow Mapping: RedSeal’s capabilities in mapping the network and understanding how data moves across it align with the document’s emphasis on understanding data flow to identify and secure unprotected data flows. RedSeal can help organizations visualize their network paths and flows, which is foundational for recommended effective segmentation and isolation strategies.
  • Macro Segmentation: RedSeal’s Zones and Policies feature directly supports the concept of macro-segmentation, which is about segmenting the network into different security zones to control access and movement between them. By defining and enforcing network policies, RedSeal can help prevent unauthorized access between different parts of the network, such as between departments or between the IT environment and operational technology systems.
  • Micro Segmentation: While the document discusses micro-segmentation’s role in further reducing the attack surface within network segments, RedSeal’s detailed network models and policy management can assist in the detailed enforcement of policies that control access to resources within these segments. RedSeal’s analytical capabilities can help identify where micro-segmentation can be most effectively applied and help manage the policies that enforce this segmentation.
  • Software-Defined Networking (SDN): Although RedSeal itself is not an SDN solution, its network modeling and risk assessment capabilities are complementary to SDN’s dynamic and adaptable network management. RedSeal can enhance SDN implementations by providing a detailed understanding of the network structure and potential vulnerabilities, thereby aiding in the creation of more effective SDN policies.

RedSeal can significantly aid an organization’s efforts to advance its Zero Trust maturity, particularly within the network and environment pillar outlined in the NSA document. By providing detailed network visibility, facilitating effective macro- and micro-segmentation and complementing SDN strategies, RedSeal helps limit potential attack surfaces, enhances network security posture, and supports continuous verification of all elements within the network environment.

You can find out more by getting a demo of RedSeal and attend one of our monthly free Cyber Threat Hunt workshops.

Tales from the Trenches: Network Backdoors — Lions, and Tigers, and Bears…

/by

Today’s tale from the trench is brought to you by Brad Schwab, Senior Security Solutions Consultant.

One of the greatest concerns for professionals in Network and Security Operations is the potential existence of a backdoor in their network—let alone the presence of numerous backdoors! Identifying backdoors can be a daunting challenge, as they might exist beyond the confines of the configured routing table or take a longer path than the optimized routing path typically followed by traffic. Consequently, conventional traffic mapping tools seldom uncover the presence of a backdoor.

RedSeal is unique in its ability to identify and display all paths through a network, regardless of routing protocols and network address translation (NAT)—therefore exposing all potential backdoors.

While working with a power generation company that managed many extremely remote renewable energy sites, I performed RedSeal data collections on network device configurations across the organization, including company headquarters. From there, I began to perform RedSeal data collections on the power generation farms networks. With this data, I was able to model their network and gain visibility into all the access across their network fabric.

Once all data was collected, we initiated an examination of access vectors into the local generating networks. While engaged in this process, one individual began discussing how the heightened global threat levels had prompted the implementation of a company policy mandating a firewall at each site. This measure aims to safeguard Operational Technology (OT) devices and SCADA Systems. SCADA (Supervisory Control and Data Acquisition) is a software application used for controlling industrial processes by gathering real-time data from remote locations to control equipment and conditions.

As we began verifying that access controls were in place, we concluded there were indeed firewalls present with Access Control Lists (ACLs) blocking and filter inbound traffic. However, because RedSeal shows ALL access vectors, we also noticed that each generation site had two available paths to the internal network—one controlled and limited by the firewall and another that was wide open through the on-site router — a backdoor!

Through RedSeal’s security methodology of “Discover, Investigate, Act” we were able to uncover the backdoors and found that though we started with a small sample of sites, we now knew what to look for and each one had backdoors into the power generation network.

During our investigation we discovered that the secondary wide open access had been set in the case of a site lockout on the firewall. I have seen networks set up like this in the past, although not quite at this scale. It is not terribly uncommon in remote locations to set up a backdoor enabling remote access – however, we learned that with this set up even a firmware upgrade would cause problems. I explained how RedSeal could help verify changes before deployment and then verify implementation with ongoing monitoring for the entire generating network to ensure all sites were always in compliance and no backdoors were in place.  I like to think of it as an always on, always up-to-date audit.  Thus, avoiding any “negative compliance drift” between yearly scheduled audits.

In summary, RedSeal was able to show all the paths through the network—not just the ones that traffic is currently traveling on.  For each path of interest, in this case the backdoors, RedSeal shows every device along the path (hops), and all the ports and protocols that are available for traffic to transit.  Finally, such access can be monitored on an ongoing basis to ensure it does not stray from company policy.

At RedSeal, we’re committed to helping you fortify your digital infrastructure, for good. We proactively help visualize your network, identify attack paths, prioritize risk, and help you stay in compliance to ensure your business and customers stay secure.

Reach out to RedSeal or schedule a demo today.