Network Segmentation 201 - Indiana Bankers Association

Jason Mikolanis, Vice President of Security Services
Daniel Bruss, Senior Consultant
Virtual Innovation, Inc.
Network Segmentation 201
October 5, 2018

Transcript of Network Segmentation 201 - Indiana Bankers Association


Introduction
• Virtual Innovation, Inc.
  – Chesterton, Indiana
  – Information Technology & Security Consulting Firm
  – Serving Financial Institutions in Indiana since 2010
• Jason Mikolanis, CISSP
  – Senior Consultant and Information Security Specialist
  – Former CSO for First National Bank of La Grange
• Daniel Bruss
  – Senior Consultant and Networking Specialist
  – Former Network Administrator for Bank of Highland

Class is in Session!


Rules of the Class

• No playing on your cell phone

• No passing notes or texting

• No napping

• No tough questions to make me look bad

• Everyone will laugh at my stupid jokes

Syllabus / Agenda
• Network Segmentation 101
  – Prerequisites
  – What is network segmentation?
  – Why should we do it?
• Network Segmentation 201
  – Getting started
  – Types of connections – Logical vs. Physical
  – Open book test – Where to start in your network
  – Technical information – How do we do it?
• Next Semester 301 – Micro-segmentation
• Extra credit
• Final Project
• Cliff Notes

Network Segmentation 101 – Prerequisites

• Everyone knows the basics of a subnet – Logical subdivision of an IP network
• Everyone knows or has heard of the OSI model – “All People Seem To Need Data Processing”
  – Layer 2 (data link) is non-routable – typically switches
  – Layer 3 (network) is routable – Routers, Firewalls and Layer 3 switches

• Everyone has basic knowledge about routing

• Everyone understands the concept of a DMZ

• Everyone understands virtualization – at least conceptually

101 - Prerequisites
• Everyone understands the basics of a VLAN
• Everyone understands what we mean by the “Cloud”
• We are community bankers – we have limited resources
• Feeling lost or confused? Check out the vendor management speech!

101 – What is Network Segmentation?

• The physical or virtual separation of a network into sub-networks typically for security purposes

• Isolating or grouping systems with similar security or compliance requirements
  – Keeping the critical and non-critical systems separated

101 – Why Should We Segment?

• Defense in Depth
  – Another way to limit users’ access to only the systems or services they need.
• External vs. internal segmentation alone is flawed
  – The Internet is considered bad
  – Inside the network is considered safe
• Limits the exposure if a portion of the network becomes compromised.
  – Prevents attackers from hopping between servers or systems
• Lateral Movement in the Network
• Improves performance – Less broadcast traffic

101 – False Sense of Security

101 – Why Should We Do It?
• If an attacker were able to compromise an internal system, they could move system to system inside the network

101 – Why Should We Do It?
• Limit the damage!!

101 - Why Should We Do It?
• Traditional security does not always work
  – New attack vectors through Phishing and Social Engineering
• Security controls in the wrong place
  – Too much on the perimeter and not enough on the interior
• Weak systems put strong systems at risk
  – Compromise one weak system and conduct a man-in-the-middle attack.
  – Get credentials instead of cracking them
• Assume you will be breached!

R2-D2 Space Hacker

Downfall of the Empire
Lack of segmentation in the Empire’s network allowed the Rebels to “hack” the Death Star.

Episode 4 – Star Wars - A New Hope
• R2-D2 was able to interface with the Death Star network to:
  – Find out how/where to shut off the tractor beam
  – Learn that the princess was on the Death Star and was scheduled to be executed
  – Get details on which detention block she was being held in
  – Shut off the trash compactors to save the Rebels

Downfall of the Empire
Episode 5 – The Empire Strikes Back
• R2-D2 talks to the Cloud City network to find out the hyperdrive was disconnected on the Falcon
• R2-D2 opens up the security doors in Cloud City

Downfall of the Empire
• Episode 6 – Return of the Jedi
  – R2-D2 unlocked the doors to the power station for the shield generator on the forest moon
• Thankfully the Empire didn’t implement network segmentation!

Network Segmentation 201 – Getting Started

Examples of Segmentation
• Traditional network segmentation – Separated by routers or firewalls.
• Private, Semi-Private, Public
  – Strong controls on the Internet segment (Firewall)
• DMZ – Used to protect externally facing systems that need to access data inside the network (Horizon View Server for remote access, web servers, email)
• Wireless segmentation (Wi-Fi)
  – Public network
  – Private network
  – Shared with current ISP or separate segment
• Server drive mappings

201 – Where Do We Start
• Know your network
  – You can’t secure what you don’t know
  – Develop strong documentation
    • Server
    • Network (LAN/WAN)
    • Devices
• Data Flow Diagram
  – Know where your data is stored
  – Baseline requirement for the CAT (FFIEC Cybersecurity Assessment Tool)
• Data Classification
  – How valuable is the data?
  – Baseline requirement for the CAT

201 – Where Do We Start
• What are my high risk systems?
• Where are my high risk systems?
• What systems can logically be grouped together?
• What traffic is needed for least privilege access – What ports need to be opened?

201 – Where Do We Start
• Set the scope
  – Start small and build
• Develop Project Plan
• Set a manageable timeline
  – Be realistic
• Have the technical resources you need
  – Know what you are doing and test
• TEST! TEST! TEST! – Did I mention TEST?
• Engage auditors to validate security

201 – Type of Connections - Physical
• Separation of devices through physical connectivity
  – Cord connected to network device (switch, router, or firewall)
• Separation of devices from all other systems – Top secret
  – Typically has its own Internet access or is not connected at all

201 – Types Of Connections - Logical
• Using virtual LANs (VLANs) to create multiple network segments on one physical device.
• VLANs
  – Group network resources together logically
  – Operate at Layer 2 of the OSI model
  – Logically separate network segments
• Nodes in one VLAN cannot talk to nodes on another VLAN without going through a Layer 3 device such as a router

201 – Types Of Connections - Logical
• Because VLANs operate at Layer 2 of the OSI model, nodes on one VLAN cannot communicate directly with nodes on a different VLAN, so a Layer 3 device is required to route traffic between them.
• All VLANs on the Layer 2 switch are added to one interface using 802.1q encapsulation (VLAN “trunking”).
• On the Layer 3 device, the same VLANs are added to an interface using 802.1q encapsulation, and then the switch interface and the router interface are physically connected.
• As the switch sends data to the router, VLAN “tags” are added to the Ethernet header so that the router knows which VLAN the traffic came from.

201 – Types of Connections - Virtual
• Virtual software – Through the use of VMware, network admins can logically separate networks within the virtual infrastructure.
• Segments networks on the same hardware using virtual switches
• Virtual machines attached to the same vSwitch can communicate directly (in the diagram, ubuntu1 and ubuntu2 can talk to each other and to any physical nodes beyond the vmnic0 physical uplink).

201 – Types of Connections - Virtual
• Through the use of port groups, VMware vSwitches can be segmented just like a physical switch using VLANs. VMs attached to one port group can communicate with each other, but VMs in one port group cannot communicate with VMs in another port group without being routed.
• In the diagram, Win2003-1 and Win2003-2 can communicate directly (both are on VLAN100), but to reach Win2003-3 on VLAN200, traffic would need to be sent out the physical uplink vmnic1 to a router outside the VMware system.

201 – Types of Connections - Cloud
• Cloud computing – Hosting data or an application in the “cloud.”
• Information is segmented from the inside of your network.
• Only connects to the hosted site over specific protocols and applications

201 – Types of Connections - Cloud
[Diagram: PCs, a printer, a file server, a database and a web server on the internal network; Microsoft 365, the core processor, the loan application and the trust application hosted in the cloud]

201 – Open Book Test!
• Everyone loves when the answers are given to them
• Let’s get started on some quick and easy places to start

201 – ATMs
• The Bank should not have their ATM connected to the user network.
[Diagram: printers and servers on the Production VLAN and the ATM on its own ATM VLAN, joined through a Layer 2 switch and a Layer 3 router, with the ATM VLAN routed to the Bank’s core processor]

201 – Voice Over IP / Phone Network
• Can your data network access the voice network?
  – Is the phone system security > or = the data network?
[Diagram: data network separated from the phone network, with the phone server and voice mail server on the phone network]

201 – Cloud Computing
• You may be already doing this!
  – System and data are housed physically offsite and the only access is through the web or an application connected over specific ports.
• Managed services / Systems in the Bank
  – Email system
  – Loan systems
  – Trust systems
  – HR systems

201 – Non IT Systems
• Industrial Control Systems
  – Security systems – Third party security systems are insecure.
    • Security camera systems
  – Vendors historically do not have strong controls on legacy systems.
  – HVAC systems – Target
    • Hacker entered through HVAC and navigated to POS
  – Internet of things
    • Casino was hacked through a FISH TANK!

201 – DR / Test Environment
• Typically will use the virtual environment to segment production and test environments
• Allows testing of DR servers on the same devices as the production network
  – Bring up a collection of backup servers and test interconnectivity on an isolated network

201 - Printers
• Relatively insecure
• Large number of vulnerability findings
[Diagram: servers, workstations and printers on separate VLANs behind a Layer 2 switch, uplinked on GigE 0/0 to a Layer 3 router]

201 – Servers / Virtual Appliances
• The most difficult and time consuming.
• Need to determine least privilege specifications
• Separate or group systems based on criticality
  – Domain controllers
  – File servers
  – Management servers
  – Web servers
  – Database servers
  – Virtual appliances
    • RSA
    • Security systems (IDS/Log Management)

201 – Server / Virtual Appliances
[Diagram: application servers, DC / file servers and IT management servers grouped on separate VLANs behind a Layer 2 switch, uplinked on GigE 0/0 to a Layer 3 router]

201 – Technical Information
Technology Needed for Network Segmentation Assignment
• Routers
• Layer 3 switches
• Firewalls
• All of these devices operate at Layer 3 (or higher) of the OSI model and all of them facilitate communications between VLANs

201 – Routers
• Routers operate at Layer 3 of the OSI model and are sometimes referred to as “Layer 3 devices.”
• Routers are typically installed near the hub or the center of a network because they help connect network segments together. For this reason, they are sometimes called “core” networking devices.
• As indicated before, nodes on one VLAN cannot communicate directly with nodes on a different VLAN, and so routers act like traffic cops to get traffic from one VLAN to another.
• Routers are often called “gateway” devices because they are typically the default gateway device for a given network segment.

201 – Routers
• In more advanced configurations, routers can also be programmed with access control lists or ACLs. ACLs are responsible for allowing certain types of network communications and denying other types of communications.
• ACLs get applied to router interfaces in either an inbound or outbound direction.
• ATM example:
  – With an ATM isolated on its own VLAN, you would want to prevent that ATM from communicating with any of your internal segments or the Internet, but you would want to allow it to communicate with the host provider.
  – Conversely, you want to prevent your internal segments or the Internet from reaching the ATM, but you would want to allow traffic coming back from the host to reach the ATM.

201 – Layer 3 Switches
• Layer 3 switches are essentially multi-port routers. They combine the elements of a Layer 2 switch and a Layer 3 router.
• Layer 3 switches operate at (you guessed it) Layer 3 of the OSI model.
• Layer 3 switches, like routers, often get installed at the hub or the center of the network and therefore are often referred to as “core switches,” whereas Layer 2 switches, which typically get installed near end devices, are typically referred to as “access switches.”

201 – Layer 3 Switches
• Typically, a Layer 3 switch gets configured by defining all of the VLANs that will be used. Then, virtual VLAN interfaces are created and IP addresses are assigned to them. These interfaces are sometimes referred to as “switched virtual interfaces” or SVIs.
• In most cases, the SVIs will be the “default gateways” for each segment that is connected to the Layer 3 switch.
• Just like with routers, the Layer 3 switch acts like a traffic cop and gets traffic from one VLAN to another.
• And, also like routers, ACLs can be applied to the SVIs to filter network traffic.
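The 802.1q trunking, SVI and ATM ACL steps described in the slides above, pulled together as one Cisco IOS-style configuration. This is an added example, not from the presenters’ slides; VLAN numbers, interface names and the 10.10.0.0/24, 10.20.0.0/24 and 203.0.113.10 (host provider) addresses are constructed placeholders, and the ACLs assume a stateless router or Layer 3 switch, so return traffic from the host must be permitted explicitly in the outbound list.

```cisco
! ---- Layer 2 access switch (constructed example) ----
vlan 100
 name PRODUCTION
vlan 200
 name ATM
!
interface GigabitEthernet1/0/10
 description ATM port (untagged, VLAN 200 only)
 switchport mode access
 switchport access vlan 200
!
interface GigabitEthernet1/0/24
 description 802.1q trunk to the Layer 3 switch (frames carry VLAN tags)
 ! older switches that also support ISL need "switchport trunk encapsulation dot1q" first
 switchport mode trunk
 switchport trunk allowed vlan 100,200
!
! ---- Layer 3 switch at the core (constructed example) ----
ip routing
!
vlan 100
 name PRODUCTION
vlan 200
 name ATM
!
interface GigabitEthernet1/0/1
 description 802.1q trunk from the access switch
 switchport mode trunk
 switchport trunk allowed vlan 100,200
!
! SVIs: the default gateway for each segment
interface Vlan100
 description Production VLAN gateway
 ip address 10.10.0.1 255.255.255.0
!
interface Vlan200
 description ATM VLAN gateway, filtered in both directions
 ip address 10.20.0.1 255.255.255.0
 ip access-group ATM-IN in
 ip access-group ATM-OUT out
!
! Inbound on the SVI = traffic arriving from the ATM: host provider only,
! nothing to internal segments or the Internet (first match wins)
ip access-list extended ATM-IN
 permit ip 10.20.0.0 0.0.0.255 host 203.0.113.10
 deny   ip 10.20.0.0 0.0.0.255 any log
!
! Outbound on the SVI = traffic sent toward the ATM: only replies from
! the host provider; internal segments and the Internet cannot reach it
ip access-list extended ATM-OUT
 permit ip host 203.0.113.10 10.20.0.0 0.0.0.255
 deny   ip any 10.20.0.0 0.0.0.255 log
```

The `log` keyword on the deny entries records blocked attempts in the device log, which is the monitoring in the segmented areas that the Extra Credit slide asks for.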

201 - Firewalls
• Traditionally, firewalls are installed at the perimeter of the network and they separate the network into two (or sometimes three) segments: inside, outside, and (sometimes) DMZ.
• A traditional firewall is configured so that the inside networks are the most trusted, the DMZ networks are somewhat trusted, and the outside (typically Internet) networks are untrusted.
• The firewall is then configured with access rules to allow most traffic to flow from the trusted networks to the untrusted networks and to allow only select traffic to flow from the untrusted networks to the trusted networks.

201 - Firewalls
• Next-generation firewalls (NGFWs) have become very popular in recent years, and in certain cases these devices can be installed at the core of the network to replace a device like a router or a Layer 3 switch.
• NGFWs can be configured with “zones” so that trusted networks on the inside can be logically grouped together. The overall goal is to set up the network such that only VLANs that need to talk to each other can do so, and then only allow certain nodes on one VLAN to talk to certain nodes on the other VLAN.

201 - Firewalls
• A NGFW at the core of a network that is configured with zones is like a router or Layer 3 switch on steroids. Whereas a router or Layer 3 switch using ACLs can filter traffic based on source and destination IP addresses and ports, a NGFW can provide full scanning capabilities at the Layer 7 application level as that traffic passes from one VLAN to another.
• The downside to this approach is that the NGFW can quickly become overwhelmed, so the device needs to be configured with adequate resources in order to avoid creating a network bottleneck.

301 – Next Semester – Micro-segmentation
• Micro-segmentation is a method of creating secure zones in data centers and cloud deployments that allows companies to isolate workloads from one another and secure them individually. It is aimed at making network security more granular.
• Admins can define a security policy based on the type of workload (website, application or DB), where it might be used (development, staging, production) and what kind of data it will be accessing (financial, HR, etc.)

301 – Next Semester – Micro-segmentation
• Third party products:
  – VMware NSX
  – Cisco ACI
  – vArmour DSS
  – Illumio
• Network virtualization is the foundation on which these security measures can be implemented.

301 – Next Semester – Micro-segmentation
• In 2009 Forrester created the “Zero Trust” model of network security.
• Zero Trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeters and instead must verify anything and everything trying to connect to their systems before granting access.

Extra Credit
• Make sure to address monitoring and security in the segmented areas
• Have your auditors or a third party validate the security
• Review regularly to ensure security requirements haven’t changed
  – Check, check and recheck whenever anything changes
• Giving this talk a 5 star rating!

Final Class Project – Take Away
• Update your documentation
• Classify your data
• Identify critical systems – Risk Assessments
• Develop project plan
• Determine how you will route the traffic
• Make sure network / system security controls are updated
• Test – Test and then Re-test
• Follow up and evaluate whenever changes occur
• Engage with third parties (Auditors) to help validate security controls

Cliff Notes (Resources)
• Additional resources for further learning:
  – CISCO
    • https://www.cisco.com/c/en/us/about/security-center/framework-segmentation.html
  – US-CERT – Establishing Network Segmentation, Firewalls and DMZs
    • https://ics-cert.us-cert.gov/Standards-and-References
  – VMware
    • (PDF) https://www.vmware.com/techpapers/2008/network-segmentation-in-virtualized-environments-1052.html
    • Micro-segmentation – https://www.vmware.com/products/nsx/security.html

Cliff Notes (Resources)
• NIST
  – Virtual Network Configuration for VM Protection
    • https://csrc.nist.gov/publications/detail/sp/800-125b/final
  – Network Segmentation Techniques in Cloud Data Centers
    • https://www.nist.gov/publications/analysis-network-segmentation-techniques-cloud-data-centers
• FS-ISAC
  – Check the forums and talk to your peers!
• Call/Email Virtual Innovation!

Question & Answer

Thank you!

Virtual Innovation, Inc.
Contact – Jason Mikolanis
Email - [email protected]
219-793-6745