Protect Your Enterprise from Ransomware – Part II
In our first post, we discussed the big idea of Setting Up an Administrator Clean Room to separate all of your company’s security personnel and security-purposed devices from all of its non-security personnel and unsecured devices.
This post shows how you can additionally secure your environment with network segregation.
Most System Admins understand the need for a Local Area Network (LAN) that’s totally inaccessible from the Wide Area Network (WAN) or Internet. You also need a perimeter network or Demilitarized Zone (DMZ) for a web server, FTP servers and other types of service that need to be reachable from the WAN.
So, here are some tips on how to segregate your networks to prevent attacks:
- You should separate systems into their own networks. Two different systems should never share the same LAN or DMZ networks. Separation keeps a second system from getting penetrated if the first system is breached.
- Don’t allow LAN networks to have ANY internet access whatsoever. You don’t want to give a hacker who has breached the database server anywhere to go with stolen data. With internet access denied, the hacker’s only option now is to find a path backwards from the entry point OR a path through the Web Server. This makes exfiltration of data quite a bit more difficult. This is especially so if you maintain an Administrator Clean Room for all admin activities. Since that room has no Internet access or email, there really is no way for a hacker to exfiltrate the data from that user’s desktop.
- Do not allow any FTP, SFTP or SSH type of traffic on ANY network that contains your web server. Segregate that traffic into a separate DMZ network as well. It is amazing how much data exfiltration happens simply because the outbound traffic looks like legitimate FTP transfers. If you don’t even allow FTP or SFTP traffic on those networks, it becomes much harder to get unauthorized data transfers done. Also, if you monitor your network for those protocols you can raise alarms if anyone attempts to make such transfers.
- Don’t allow any UDP or other connectionless protocol traffic out of your DMZ networks. Trigger alarms if you find any. Again, it will make the hacker’s life much more difficult.
- Be sure to monitor the perimeter of the LAN using your Security Information and Event Management (SIEM) system, and raise alarms whenever you find ANY attempts to get traffic out. Monitor traffic from the Web Server cluster as well, to catch outbound connections that are not direct responses to web requests. Setting up a SIEM properly so you get real alerts and not a zillion alerts all day is a black art. If you don’t know how to, find someone who does.
- If you’re unlucky enough to have a Windows Server in your DMZ, be sure to put a Web Application Firewall (WAF) in front of it. Microsoft, in our long experience, is incapable of making a secure product. Simple as that. Leaving your Windows server on the WAN without a WAF is like securing it with a wing and a prayer.
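The rules above on LAN egress, file-transfer protocols, UDP leaving a DMZ, and web servers that initiate outbound connections can be expressed as a simple check over flow records. The following is an added example, not code from the original post; the network layout, CIDRs, port list and flow records are constructed assumptions for illustration.

```python
# Added example, not code from the original post. An egress-policy checker that
# applies the segregation rules above to flow records. Network names, CIDRs,
# ports and the flow records are constructed assumptions for illustration.
import ipaddress
from typing import Dict, List, Tuple

# Assumed layout: one LAN, a web-server DMZ, and a separate DMZ for file transfer.
NETWORKS = {
    "lan": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "transfer_dmz": ipaddress.ip_network("10.30.0.0/24"),
}
FILE_TRANSFER_PORTS = {21, 22, 990}  # FTP, SSH/SFTP, FTPS control
Flow = Tuple[str, str, str, int]  # (initiator, responder, proto, dest port)

def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in NETWORKS.items():
        if ip in net:
            return name
    return "internet"

def check_flow(src: str, dst: str, proto: str, dport: int) -> List[str]:
    """Return the names of the rules one connection-initiating flow violates."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    alerts = []
    if src_zone == "lan" and dst_zone == "internet":
        alerts.append("lan-internet-egress")  # LAN has no Internet access at all
    if (proto == "tcp" and dport in FILE_TRANSFER_PORTS
            and "transfer_dmz" not in (src_zone, dst_zone)):
        alerts.append("file-transfer-outside-transfer-dmz")  # FTP/SFTP/SSH only in its own DMZ
    if proto == "udp" and src_zone.endswith("dmz") and dst_zone != src_zone:
        alerts.append("dmz-udp-egress")  # no UDP leaving a DMZ
    if src_zone == "dmz" and dst_zone == "internet":
        alerts.append("dmz-initiated-egress")  # web servers should only answer requests
    return alerts

def audit(flows: List[Flow]) -> Dict[Flow, List[str]]:
    """Map each offending flow to its violated rules; compliant flows are omitted."""
    return {f: check_flow(*f) for f in flows if check_flow(*f)}

# Constructed sample flows (not real logs): the first is an inbound web request,
# the last is an admin SFTP session into the dedicated transfer DMZ.
SAMPLE_FLOWS: List[Flow] = [
    ("203.0.113.9", "10.20.0.5", "tcp", 443),
    ("10.10.4.2", "198.51.100.7", "tcp", 443),
    ("10.20.0.5", "198.51.100.7", "tcp", 22),
    ("10.20.0.5", "198.51.100.7", "udp", 53),
    ("10.10.4.2", "10.30.0.8", "tcp", 22),
]
```

Feed `audit()` flows from your firewall or NetFlow export and forward any non-empty result to the SIEM as an alert.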