IT infrastructure defense in depth part 3

 
In the previous two articles about IT infrastructure defense in depth:

we talked about IT infrastructure security concerning physical security and network perimeter security. This time we are going to peel another layer of our cybersecurity onion and talk about internal network and host security.

Internal Network Security

 

Internal network security is as crucial to your company’s overall data security as the security of the public-facing services discussed in the previous article. Many IT departments neglect it, assuming that once the perimeter is protected there is no need to worry about what happens inside. In reality the internal network is just another layer of the cybersecurity onion, and it deserves the same attention as the others.

Your perimeter can be breached; once it is, only proper internal network security measures can effectively halt the attacker’s lateral movement. Lateral movement means moving from the initially compromised host to other systems in the environment, usually combined with privilege escalation, until the attacker reaches sensitive data and other high-value assets.

Internal network security has a physical side, such as controlling which devices may connect to the RJ45 ports and Wi-Fi networks inside your building. Access can be gated by MAC address, user account, certificate, or another form of authentication (typically enforced with 802.1X on the switch or access point). Keep in mind that a MAC address is trivial to spoof, so MAC filtering on its own only stops accidental connections; certificate- or account-based authentication is what keeps out a determined attacker.

It also has a logical side, such as VLAN (virtual LAN) segmentation, which separates the networks or subnets used by guests and ordinary internal users from those used by your infrastructure servers, to which only IT staff should have access. Segmentation only helps if traffic between VLANs is filtered by a firewall or ACLs; a VLAN that is freely routable to every other VLAN is little more than a naming convention.

Another important topic is encryption of network traffic. Services running inside the LAN often use unencrypted protocols, which lets an attacker who gets inside the network capture packets and extract credentials or other sensitive information from them. Treat LAN traffic the same way you would treat traffic on the public Internet: use encryption (HTTPS, TLS certificates, and secure protocols such as SSH instead of Telnet or SFTP instead of FTP) wherever possible.
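To make the risk concrete, here is an added example (not code from the original article) that does what an attacker with a sniffer on an unencrypted segment would do: pull credentials straight out of captured HTTP Basic and FTP payloads. The two payloads are constructed for the example, not real captures; the host name and credentials in them are made up.

```python
import base64
import re

# Constructed sample payloads, standing in for what a sniffer on an unencrypted
# LAN segment would capture. They are made up for this example, not real traffic.
HTTP_REQUEST = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: intranet.example.local\r\n"
    b"Authorization: Basic YWRtaW46U3VwZXJTZWNyZXQxMjM=\r\n"
    b"User-Agent: curl/7.88.1\r\n"
    b"\r\n"
)

FTP_SESSION = (
    b"USER backup\r\n"
    b"PASS Winter2023!\r\n"
    b"SYST\r\n"
)


def extract_http_basic(payload: bytes):
    """Return (user, password) from an HTTP Basic Authorization header, else None."""
    m = re.search(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$",
                  payload, re.MULTILINE | re.IGNORECASE)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # header present but not valid Basic auth
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def extract_ftp_login(payload: bytes):
    """Return (user, password) from cleartext FTP USER/PASS commands, else None."""
    user = re.search(rb"^USER\s+(\S+)\s*$", payload, re.MULTILINE | re.IGNORECASE)
    password = re.search(rb"^PASS\s+(\S+)\s*$", payload, re.MULTILINE | re.IGNORECASE)
    if not (user and password):
        return None
    return (user.group(1).decode("utf-8", "replace"),
            password.group(1).decode("utf-8", "replace"))


def harvest_credentials(payloads):
    """Run every extractor over every captured payload and collect what falls out."""
    found = []
    for payload in payloads:
        for proto, extractor in (("http-basic", extract_http_basic), ("ftp", extract_ftp_login)):
            creds = extractor(payload)
            if creds:
                found.append((proto, *creds))
    return found


if __name__ == "__main__":
    for proto, user, password in harvest_credentials([HTTP_REQUEST, FTP_SESSION]):
        print(f"{proto}: {user} / {password}")
```

Basic authentication is only base64, not encryption, so the "admin" credentials fall out with one decode call. Run the same functions against the same services over HTTPS or SFTP and the captured payload is opaque TLS or SSH records; both extractors return None, which is exactly the point of encrypting LAN traffic.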

You can also use specialized network auditing and monitoring tools to keep an eye on your network traffic and networking devices. One such tool is Splunk, a SIEM (Security Information and Event Management) system: it collects logs and events from various points in your internal network (network devices, IDS/IPS systems, firewalls, servers, etc.), correlates them, and can alert you when suspicious activity is detected.

SIEM systems are often fed by NIDS (Network Intrusion Detection Systems), which provide continuous network monitoring across your IT infrastructure and can help detect malicious activity, policy violations, lateral movement, and data exfiltration.

All those tools and techniques help protect your internal network not only against attacks from the outside but also against threats from the inside, such as MAC address spoofing, rogue access points, rogue DNS servers, and rogue DHCP servers.
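Rogue DHCP servers are a good illustration of an inside threat a NIDS or monitoring script can catch: a box that answers DHCPDISCOVER faster than the real server can hand clients its own gateway and DNS. The following added example (not code from the original article) parses raw DHCP messages and flags any DHCPOFFER whose server identifier is not on an allowlist. The authorized server address 10.0.0.1, the rogue 10.0.0.77 and the sample packets are all constructed for the example; the packet builder exists only so the parser has something to chew on offline.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that follows the 236-byte BOOTP header
DHCP_OFFER = 2                      # DHCP message type (option 53) for an OFFER
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255

# Assumption for the example: the only DHCP server that should exist on this LAN.
AUTHORIZED_DHCP_SERVERS = {ipaddress.ip_address("10.0.0.1")}


def parse_dhcp(packet: bytes) -> dict:
    """Parse the UDP payload of a BOOTP/DHCP message into header fields and options."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", packet[:12])
    ciaddr, yiaddr, siaddr, giaddr = (
        ipaddress.ip_address(packet[i:i + 4]) for i in (12, 16, 20, 24))
    chaddr = packet[28:28 + hlen]
    options = {}
    i = 240
    while i < len(packet):                    # options are TLV-encoded up to OPT_END
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "siaddr": siaddr,
            "chaddr": chaddr, "options": options}


def classify_offer(packet: bytes, authorized=AUTHORIZED_DHCP_SERVERS):
    """Return ("authorized"|"rogue", server_ip) for a DHCPOFFER, or ("ignored", None)."""
    msg = parse_dhcp(packet)
    opts = msg["options"]
    if opts.get(OPT_MSG_TYPE) != bytes([DHCP_OFFER]):
        return ("ignored", None)
    # Option 54 (server identifier) names the offering server; fall back to siaddr if absent.
    server = (ipaddress.ip_address(opts[OPT_SERVER_ID])
              if len(opts.get(OPT_SERVER_ID, b"")) == 4 else msg["siaddr"])
    return ("authorized" if server in authorized else "rogue", str(server))


def build_offer(server_ip: str, offered_ip: str, client_mac: bytes, xid: int) -> bytes:
    """Construct a minimal DHCPOFFER so the example runs offline (sample data, not a capture)."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)   # op=2 BOOTREPLY, htype=1 Ethernet, hlen=6
    header += ipaddress.ip_address("0.0.0.0").packed           # ciaddr
    header += ipaddress.ip_address(offered_ip).packed          # yiaddr: address being offered
    header += ipaddress.ip_address(server_ip).packed           # siaddr
    header += ipaddress.ip_address("0.0.0.0").packed           # giaddr
    header += client_mac.ljust(16, b"\x00")                    # chaddr
    header += b"\x00" * (64 + 128)                             # sname, file
    options = bytes([OPT_MSG_TYPE, 1, DHCP_OFFER])
    options += bytes([OPT_SERVER_ID, 4]) + ipaddress.ip_address(server_ip).packed
    return header + DHCP_MAGIC + options + bytes([OPT_END])


# Constructed samples: one OFFER from the real server, one from a rogue box on the LAN.
CLIENT_MAC = bytes.fromhex("001122334455")
LEGIT_OFFER = build_offer("10.0.0.1", "10.0.0.50", CLIENT_MAC, 0x3903F326)
ROGUE_OFFER = build_offer("10.0.0.77", "10.0.0.50", CLIENT_MAC, 0x3903F326)

if __name__ == "__main__":
    for pkt in (LEGIT_OFFER, ROGUE_OFFER):
        verdict, server = classify_offer(pkt)
        print(f"DHCPOFFER from {server}: {verdict}")
```

In a real deployment the packets would come from a sniffer bound to UDP port 68 on a monitoring host, and a "rogue" verdict would be shipped to the SIEM. The allowlist check is deliberately based on option 54 rather than the source IP of the UDP datagram, because a relay agent changes the latter.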

Host Security

 

Host security covers the security of your servers and your end users’ devices.

Properly securing hosts in your internal network is crucial for stopping any unauthorized access or lateral movement done by attackers.

All hosts in your network should be accessible only to authorized users, whether via remote or physical access. Additionally, ensure that every host has its firewall enabled and configured to allow only the network traffic it actually needs (deny inbound by default, explicitly allow the required services). It is also crucial to keep hosts up to date with security updates for both the operating system and applications.

All servers should be kept in a locked room that only authorized employees can access, and users’ computers should never be left unlocked and unattended. It is also a good idea to disable USB ports (or at least USB storage) on all devices, both servers and user computers, using local configuration or a GPO (Group Policy Object) if you run an Active Directory domain.
This protects them against malware delivered on a preconfigured USB stick, which can infect a host in seconds.

Speaking of domains, your domain controllers (or other identity providers) deserve the greatest care, because if they are hijacked the attacker gains access to your entire infrastructure (for example, after taking over a domain admin or global admin account).

All of your infrastructure should also be monitored. Even simple real-time resource utilization alerts can reveal unusual behaviour inside your network (such as sustained high CPU utilization on a server that should not be doing any CPU-intensive work). Historical data from IT monitoring solutions is also valuable in forensic analysis after a breach has occurred.

Most IT monitoring systems can be tailored and extended to do much more than resource utilization monitoring, so it is worth reading the solution’s documentation (and community forums). The most notable monitoring solutions are:

Another class of systems that protects your hosts is HIDS (Host-Based Intrusion Detection Systems). These require an agent running on each host that sends real-time data (log events, file integrity changes, and similar telemetry) to a central server, which analyses it and reports unusual behaviour to the IT administrators or the security team. There are many such products on the market, varying in toolset and capabilities; a good open-source solution that can be recommended is OSSEC.
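What the central server of a HIDS, or a SIEM fed by one, actually does with those events is correlation: a single failed SSH login is noise, five from the same source inside two minutes is a brute-force attempt, and a successful login from that same source afterwards is a likely compromise and a starting point for lateral movement. The following added example (not code from the original article, and not OSSEC’s rule engine) implements that sliding-window correlation over constructed sshd log lines; the host name web01, the addresses and the usernames are made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog-style sshd lines of the kind a HIDS agent ships to its server.
# Constructed for this example, not taken from a real host.
SAMPLE_LOG = """\
Mar  3 10:15:01 web01 sshd[2211]: Failed password for invalid user admin from 10.0.5.23 port 51822 ssh2
Mar  3 10:15:03 web01 sshd[2213]: Failed password for root from 10.0.5.23 port 51830 ssh2
Mar  3 10:15:05 web01 sshd[2215]: Failed password for invalid user test from 10.0.5.23 port 51834 ssh2
Mar  3 10:15:08 web01 sshd[2218]: Accepted publickey for deploy from 10.0.1.10 port 40011 ssh2
Mar  3 10:15:09 web01 sshd[2219]: Failed password for root from 10.0.5.23 port 51840 ssh2
Mar  3 10:15:12 web01 sshd[2221]: Failed password for root from 10.0.5.23 port 51844 ssh2
Mar  3 10:15:14 web01 sshd[2223]: Failed password for root from 10.0.5.23 port 51848 ssh2
Mar  3 10:16:02 web01 sshd[2240]: Accepted password for root from 10.0.5.23 port 51902 ssh2
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line: str):
    """Parse one sshd auth line; return a dict, or None for lines we do not care about."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas.
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def correlate_ssh(lines, threshold=5, window_seconds=120):
    """Sliding-window correlation: flag a source after `threshold` failures within
    `window_seconds`, then flag any later successful login from that same source."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "Failed":
            q = failures[src]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()             # drop failures that fell out of the window
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, ev["host"], len(q)))
        elif src in flagged:            # Accepted login from a source we already flagged
            alerts.append(("possible-compromise", src, ev["host"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate_ssh(SAMPLE_LOG):
        print(alert)
```

On the sample data the first alert fires on the fifth failure from 10.0.5.23 and the second when root logs in successfully from that address a minute later, while the legitimate key-based login from 10.0.1.10 produces nothing. The same two-stage logic (count within a window, then watch the flagged source) is what a HIDS rule with a frequency and timeframe expresses declaratively.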

Performing a periodic vulnerability assessment of your IT infrastructure is also a good idea.
A vulnerability assessment is a systematic review of security weaknesses in your IT systems. The scanning tool probes your servers externally (or internally, if you provide credentials or install a local agent), compares what it finds against databases of known vulnerabilities and exploits, assigns a severity level to each finding, and recommends remediation or mitigation where needed.

Reports like these help a great deal when securing your servers, and it is a good idea to scan not only the publicly reachable systems but also those in the internal network, so that everything stays properly defended. A good VA tool that I can recommend is Greenbone OpenVAS (Greenbone www, Greenbone GitHub).

Summing up:

 

I hope that this article helped you understand the importance of internal network and host security, and that you have discovered a new tool or solution to assist you in achieving it.

Jędrzej Boguszyński
Macrix IT Systems Administrator