In-Depth

Compartmentalize Your Network to Improve Security

An often-overlooked layer of defense can provide last-ditch protection against malicious software threats.

• By Frederick Felman
• 03/03/2004

Malware is on its way toward "zero-day" threats—the time between the announcement of a vulnerability and the implementation of its exploit is shrinking to mere days, even hours. For example, in the case of SQL Slammer, the time from published vulnerability to exploit was half a year; but for MS-Blast, that period was a single month. With dwindling timeframes, there's less chance of a patch being released or deployed before the exploit appears.

As if that weren’t alarming enough, recent threats have shown an unprecedented compression of transmission time. Recently, MyDoom became the fastest-spreading malware threat ever—possibly accounting for as much as 30 percent of all e-mail traffic at its peak. Couple the shrinking vulnerability-to-exploit period with lightning-fast transmission, and you have the greatest worry for many of us in IT: an immensely destructive threat that spreads unchecked, and for which there are no fixes—until it's too late.

Against these zero-day threats, reactive security is helpless. Reactive security solutions such as anti-virus patterns and patches can be created only after a threat strikes. This vulnerability gap is unavoidable with reactive security solutions. Unfortunately, it means that there are always victims to every threat. You could say that the very model of reactive security allows a certain amount of "acceptable losses." If it's your network that's lost, that's hardly acceptable.

But there is a solution: a proactive approach to security.

The Proactive Approach

Unlike anti-virus, IDS, and after-the-fact patches, a proactive approach to security protects your assets against even unknown threats. Case in point: the Sobig.F worm caused the greatest damage at the start of its outbreak, before corporate IT departments could test and deploy the patches and AV patterns that were issued in response. In contrast, companies that had the foresight to employ proactive solutions like endpoint firewalls and well-planned network architecture were much less vulnerable to Sobig.F, even during the height of the epidemic.

Let’s examine Sobig.F's propagation vectors. It traveled via infected e-mail and proliferated within networks by copying itself to open network shares. From there, the threat often spread unchecked across the entire network. Infection via shares is rapidly becoming the most predictable feature in worms and viruses, and obviously, enterprises are particularly vulnerable to it. It strikes right at the heart of the difficult balance we attempt to strike between keeping our users protected and productive. No one actually assumes their internal network is 100 percent trustworthy any more, but many of us still don't take the steps we should to protect the network—from itself.

In addition to the standard layers of protection against malware attacks—for example, firewalls and anti-virus software—you should also reduce your vulnerability by compartmentalizing your network. In essence, segregate your higher-risk network endpoints—put all your similar shares onto the same subnet, and set appropriate access rules. For example, put all PCs with shared drives on a separate subnet (or subnets), and set that subnet as "untrusted" for all users. Depending on your security tools, you can do this either by restricting outbound access from the high-risk subnet or by restricting other subnets in the connections they can accept from the high-risk subnet. Another example: because very few worms target shared printers, you should be able to safely place all printers on one subnet and make that subnet "trusted" to all users.

If you happen to be planning your network now, it will be easy for you to implement these suggestions. If you've already built your network, the last thing you want to hear is the dreaded "R" word: rearchitect. But not to worry—even at this stage, segregating your shares is not a huge amount of work. If it's not feasible to engage in actually changing your subnets, you can still get some protection by compartmentalizing your network with VLANs. Placing all your high-risk endpoints onto a VLAN is a relatively quick process, and applying the access rules described above to a VLAN should also be fairly painless. Plus, you can use VLANs to compartmentalize your network along other useful lines, such as keeping valuable servers separate from often-infected PCs.

Segregating network shares is certainly not your first line of defense. The idea of using VLANs for security is controversial; after all, it's not too difficult to make them fail open. But security is, after all, about layers. No single solution stops all threats. Considering the minimal investment required to move your shares onto a different subnet or VLAN, it's a good investment if it turns out to be the tactic that prevents the next MS-Blast, Sobig, or MyDoom from rampaging through your network. To that end, don't forget these additional sometimes-overlooked proactive layers of protection:

• If you have to share drives, share with read-only access whenever possible. Don't forget to password-protect your shared drives to keep them safe from automated threats.

• Restrict access to sensitive network resources and bandwidth on a user- and group-specific basis.

• Constrain network rights according to access location and method. For example, remote and mobile users, whose PCs are more likely to be compromised, should generally have access to fewer resources than users who reside "permanently" inside the perimeter.

• Prevent your employees from introducing rogue, unauthorized wireless access points into your network environment.

• Track network usage by individual. Spikes in traffic from users can reveal initial virus outbreaks.

Reactive security solutions are essential in preventing "flare-ups" of viruses and worms, so you should certainly deploy them. Just don't let them lull you into a false sense of security. Invest in proactive defenses now, before you have to spend ten times the money and time cleaning up after a security incident.