Bashing Bash with Network Segmentation

In September, a critical bug in the open source Bourne-Again Shell (BASH) that’s ubiquitous in Unix-based systems, including Linux and Mac OS X, displaced Heartbleed as the top network security threat. Called Shellshock, the bug allows hackers to insert code into the shell and hijack an operating system through the internet. From there, they can access sensitive information—unless a strong defense is in place.

The major operating system vendors have issued patches, but they barely begin to solve the problem. In today’s Internet of Things environment, the risk extends to pretty much any embedded system – and patches for all those devices will need to be released by each manufacturer and could take months to get to users, if they are developed at all. In the meantime, hackers have jumped into action to take advantage of the bug while they can.

So install the patches as they come out, but don’t count on them to protect your system as even the first round of OS patches had significant vulnerabilities. In today’s environment where vulnerabilities such as Shellshock and Heartbleed are popping up like mushrooms (not to mention zero day vulnerabilities which we may not be aware of) it is far more effective to contain attacks than to try and completely prevent them. This involves keeping sensitive information behind firewalls and out of the hands of hacker—i.e.  network segmentation.

Good network segmentation makes it difficult for an attacker to move from the point of compromise, whether it’s that smart thermostat or a point of sale terminal, through to the treasure trove of passwords and black market valuables, like credit card numbers or personal identifiers. It’s not quick or easy to set up network segmentation, but it’s a strong defense and worth the effort.

Here are a few practical steps to get you started with network segmentation:

1. Start by identifying how revenue comes into your business, what the key components are that support the primary functions of your company and what assets, data and people are key to the business. Now you know what you must protect.
2. Next, figure out what the most logical groupings are for each class of data, device or personnel. You’ll probably want to put your Windows servers into one. Other asset groups might include infrastructure (routers, switches, VPNS and VOIP) in one segment and security assets (IDS, firewalls, web filters and scanners) in another. Financial data typically gets its own segment and hospitals would create a separate one for patient data. Separating different kinds of administrators into their own network segments also adds an important layer of protection, but other employees without special access rights can generally be lumped together.
3. Figure out who needs to access to what – As the joke goes, “Denial isn’t just a river in Africa.” It’s a powerful defensive strategy, so deny access as a default position for each segment. Unless there’s a clear business reason for someone to access a device or data, don’t let them. If you block someone who needs access, you’ll hear about it soon enough. If you let someone in who shouldn’t have access, you may find out on the morning news.
4. Start implementing. Full scale network segmentation of a good size organization is a long-term project, so begin with the most crucial data and devices and work down your list from there. To keep the hollering to a minimum, log all traffic in and out of your segments before setting up the firewalls. That way you don’t obstruct necessary access, but can safely block access to and from everywhere else.

Now comes the tricky part. As you continue to implement segments, you’ll likely need to make some changes in the security policies for the ones already established so that they work with new applications or respond better to new business imperatives. To keep those changes from unraveling all your work to date or causing inadvertent outages, you’ll need to have automated controls that will give you good visibility across your network to help you manage the hundreds of security rules you’ll have in place at the end of the segmentation process, and alert you if changes to one rule conflicts with another. Don’t try to do this manually; it just won’t work.

Network segmentation is a significant undertaking and it’s not something that just hums along in the background after it’s technically finished. Even with an automated solution, maintaining proper segmentation requires a significant ongoing management commitment, but it just may keep your organization from being bashed.