Jun 2014

Fewer Doors and Windows


There are many analogies used in describing network defense. In this case, imagine that a large network is your house but in a less-than-stellar community. Before you go to bed, you have to check all the doors and windows and make sure the house is locked up and ready for the night. The larger the network or house, the more doors and windows there are, until the point that there are so many that by the time you get to the last few doors and windows, you can't remember if you checked the first, or what there status was.

How many windows were there? Did you remember them all? What if you forgot one? Some of the windows had better locks than others. Which ones were the weakest? will you remember to reinforce them later? Or replace them with better/newer locks?

The house analogy only goes so far because of the reality of the enormous complexity of even a small to mid-size network. Each door or window may have dozens of different "locks" (security controls) but it may be that only one needs to be defeated to open the window and gain access to the house.

Unlike most houses, most networks are in a constant state of fluctuation. HR needs a new web application installed and accessible to employees for timecards and payroll. The helpdesk needs a new ticketing solution available to customers. In most cases the old solutions are left online as well, during the transitions. Many times, those old systems are left online, abandoned, forgotten during the migration. Forgotten systems go unpatched and create greater vulnerability.

It is such an obvious point that it goes forgotten too often in day-to-day network operations, upgrades and re-engineering: the fewer entryways there are into the network, the harder it will be to gain access in the first place.

Obviously, this should be used in conjunction with zero-trust models, not a replacement, but removing access to unnecessary services enhances security posture in a number of ways:

  • Less exposure on the outside
    • sheer numbers
    • different vendors/different vulnerabilities
  • Less to maintain/patch/scan/test
  • Maybe even less hardware

Action List

  • Scan your external and internal address space for open services
  • Review whether each service is absolutely necessary with a valid business use case
  • Remove or block access to all other services
  • If a service does not need to be accessible to the entire public internet, add ACL controls to block access to all but known address space that users will originate from