DAVE TASKER
Senior Solutions Architect, addresses SANS Critical Control #13, Boundary Defense
Our team of security Solutions Architects continue to review each of the 20 SANS Critical Controls and provide advice for addressing each control in a typical enterprise organization.
Boundary Defense and its established tenets, like the use of firewalls to secure the perimeter, has evolved over the last decade. Today, attacks from outside the enterprise have a more communicative nature, usually spreading laterally once within an organization, and compromised or compromising devices often have direct access to the corporate network. A greater level of inspection and control needs to be applied to the boundaries that delineate areas of differing privilege.
While often misconstrued as Internet-to-DMZ-to-Internal access architecture, the application of Boundary Defense is much broader. The 13th SANS top critical control draws on the traditional principle of that DMZ, where access is controlled from untrusted to less trusted and less trusted to more trusted, then applies that across the enterprise on a least-privilege basis. When properly applied, Boundary Defense employs varying levels of restriction in a number of ways.
First, it addresses the network by firewalling off mission critical systems and limiting access from internal and external sources based upon function and requirement; policy should restrict both inbound and outbound sessions.
Second, it leverages proxies and inline sandboxing appliances to detect and restrict the access and deployment of malicious software located outside the enterprise, and to intercede when currently compromised devices try to reach back to malware control mechanisms. Entry points, like client VPN connections, should grant restricted levels of access based upon role and should be supplemented with two-factor authentication to limit exposure. In a security-minded architecture, inbound, DMZ-initiated traffic should pass through an application proxy/firewall to further inspect and restrict traffic. Intrusion Detection and Intrusion Prevention also play key roles in identifying and blocking attacks, and utilizing a security analytics tool that can capture and record traffic for subsequent inspection can provide invaluable visibility.
Ultimately, Boundary Defense’s goal is to determine and assign varying levels of trust and sensitivity to areas within an organization, and then safeguard the points at which those zones are traversed.