Disclaimer: This post is for educational and defensive security purposes only. Never use the information and techniques shown here for anything illegal or on systems where you don't have explicit permission. Doing so could break the law and get you into serious trouble.
Summary
This blog post highlights essential security controls for the network layer in enterprise environments. The network layer plays a crucial role in preventing attackers from moving laterally and limiting the impact of breaches. In order to implement this SecCore Essential and protect against common attacks, the following settings should be enforced:
- At least the following VLANs should be implemented:
  - Office VLAN: Standard user endpoints (clients, workstations, laptops)
  - Untrusted Devices VLAN: Printers, IoT devices etc.
  - Server VLAN: Services such as file servers, application servers and databases
  - Management VLAN: Administrative systems such as monitoring platforms, jump hosts and management interfaces
  - DMZ VLAN (if applicable): Systems reachable from external networks (e.g., public web servers, mail gateways, VPN endpoints)
- At least the following stateful firewall Access Control Lists (ACLs) between these VLANs should be configured:
  - Server VLAN → Office VLAN: DENY all connections
    - Servers cannot initiate sessions toward clients
  - Untrusted Devices VLAN → Any VLAN: DENY all connections
    - Traffic must be restricted to explicitly approved services, such as print servers
  - Office VLAN → Management VLAN: DENY all connections
    - End-user systems cannot access management infrastructure
  - DMZ VLAN → Any VLAN: DENY all connections
    - DMZ systems cannot initiate traffic into internal networks
  - Office VLAN → Server VLAN: ALLOW only strictly necessary traffic
    - Only the application-specific ports and protocols required for business operations
- Network Access Control (NAC) based at least on MAC addresses should be implemented.
Introduction
The network layer connects all devices in an organization. Several important measures need to be implemented in order to stop attacks from reaching sensitive systems such as backup or financial servers.
Common Attack Vectors
The following sections describe common attack vectors on the network layer.
Missing Network Segmentation and ACLs
Without network segmentation and Access Control Lists, attackers can easily move between devices and systems within the network. This lack of separation allows threats such as ransomware to spread quickly, increasing the risk of data breaches and unauthorized access.
Sensitive resources are exposed to unnecessary risk and malicious actors can exploit vulnerabilities across multiple systems with minimal resistance. This is especially critical for devices that are accessible from outside the network, such as web servers, which are under constant attack from the internet and may be compromised by just a single successful exploit.
A sensible network segmentation approach could look like this:

Note: A general DENY rule is implied here, only connections that are allowed are in this diagram.
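As an added example (not code from the original post), the following Python check encodes the default-deny VLAN matrix above and flags session-start records that violate it; the subnets and the concrete allowed services are assumptions, since the post names the VLANs but not their addressing.

```python
import ipaddress

# Assumed VLAN subnets (hypothetical: the post names the VLANs but not their addressing)
ZONES = {
    "office": ipaddress.ip_network("10.10.0.0/16"),
    "untrusted": ipaddress.ip_network("10.20.0.0/16"),
    "server": ipaddress.ip_network("10.30.0.0/16"),
    "management": ipaddress.ip_network("10.40.0.0/16"),
    "dmz": ipaddress.ip_network("10.50.0.0/16"),
}

# Explicit ALLOW rules (src zone, dst zone, proto, dst port); anything not listed is denied.
ALLOW = {
    ("office", "server", "tcp", 445),     # file shares (assumed "strictly necessary" service)
    ("office", "server", "tcp", 443),     # internal web applications (assumed)
    ("untrusted", "server", "tcp", 445),  # e.g. printer scan-to-share, explicitly approved (assumed)
}

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def is_allowed(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> bool:
    """Judge only the initiating direction: a stateful firewall admits replies of an
    established session, so a server answering a client is fine, a server opening one is not."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True  # intra-VLAN traffic never crosses the inter-VLAN firewall
    return (src, dst, proto, dst_port) in ALLOW

def audit(flow_lines):
    """Return (src, dst, proto, port) for every session start that violates the policy."""
    violations = []
    for line in flow_lines:
        src, dst, proto, port = line.split()
        if not is_allowed(src, dst, proto, int(port)):
            violations.append((src, dst, proto, int(port)))
    return violations

# Constructed sample of session-start records, one per line: "src dst proto dst_port"
SAMPLE_FLOWS = [
    "10.10.5.23 10.30.1.10 tcp 445",   # office -> file server: allowed
    "10.30.1.10 10.10.5.23 tcp 3389",  # server -> client: violates Server -> Office DENY
    "10.10.5.23 10.40.1.2 tcp 22",     # office -> jump host: violates Office -> Management DENY
    "10.20.7.4 10.40.1.2 tcp 22",      # printer -> management: violates Untrusted -> Any DENY
    "10.50.1.5 10.30.1.10 tcp 1433",   # DMZ host -> internal DB: violates DMZ -> Any DENY
    "10.10.5.23 10.10.5.24 tcp 445",   # client -> client in the same VLAN: not firewalled
]
```

Running `audit(SAMPLE_FLOWS)` against real flow exports (NetFlow, firewall session logs) in the same four-field shape is a quick way to verify that the configured ACLs actually match the intended matrix.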
Missing Network Access Control
When no modern Network Access Control solution is implemented, attackers or even unwitting employees can easily connect malicious devices to the internal network. In environments where network ports are readily accessible, attackers can conduct attacks remotely by connecting a device that provides remote access to the network.
There are usually two possible methods of implementing NAC: by using MAC addresses or via certificates over 802.1X.
A MAC address based solution offers little protection against malicious attackers, but can help against employees trying to plug in their own routers or other devices. MAC addresses can easily be copied by a knowledgeable person, thereby bypassing this form of NAC.
A NAC implemented using certificates is a much stronger solution, since an attacker would first need to obtain a valid device certificate. While 802.1X is not completely secure, exploiting it requires significant preparation and cannot be done easily or 'on the fly', so it is considered secure for most scenarios.
Attack Scenario
This section demonstrates how attackers exploit missing network layer segmentation. The setup of this attack scenario is as follows:
- Network segmentation is not configured, every device is in the same VLAN
- Network Access Control with MAC address filtering is implemented
- The attacker has a foothold in the internal network without credentials
- The attacker has no OPSEC considerations; the most straightforward approach is used
The attacker has gained a foothold in the internal network via MAC address spoofing of a disconnected printer:

Since no network segmentation is in place, they now have access to the entire internal network, including sensitive servers and management systems. This access can be used to scan the network to identify other devices using Nmap:
This revealed other interesting devices, such as a system called openmediavault.lab.local. This is a NAS system running the open-source software OpenMediaVault. The attacker can now try to access this system using default credentials, which are publicly available on the internet:
After logging in to the NAS system, the configuration can be examined. This revealed an installed backup task which was configured with the domain administrator's credentials:
When opening the backup task, the domain administrator's password can be seen in cleartext:
These credentials can now be used with tools such as NetExec to gain access to the domain controller:

Mitigation
When the above-mentioned security controls are implemented, the attack would have been mitigated in the following ways:
- The attacker would not have been able to connect to the internal network without valid credentials, since a NAC solution with 802.1X would have been in place.
- Even if the attacker had managed to connect to the internal network, they would not have been able to access the NAS system, since network segmentation and ACLs would have prevented this.
- The attacker would not have been able to access the domain controller, since the NAS system would not have domain administrator credentials stored in its configuration.