Being a great fan of a wee analogy, it felt apt to start this post with one. Imagine, if you can, a large secure building filled with all your most critical items in the world; however, for your convenience, thousands of perimeter doors have been installed so you can get at your stuff with relative ease. The poor security guard must check every single door, making sure each is locked, every single night…inevitably a door gets missed and before you know it your prized possessions are available to all from the local Cash Converters, courtesy of dodgy Dave. It certainly would not be where I would choose to secure my items, and I am sure you, my glorious reader, would agree.
So, with that in mind, why do we have considerable numbers of alleged IT professionals who approach their network design in this manner? While most firewalls are relatively secure against inbound traffic from external sources, they are often wide-open playgrounds for anything inside the network going out…sure, this is convenient for the users, but it is horrendous for protecting the network and the company’s intellectual property.
One great example (and one of my biggest bugbears) is when I find client networks with outbound DNS fully open and no proxy for the internal network. The clients are configured to use the internal Active Directory DNS servers, but nothing stops them from querying any external DNS service should they desire. Certainly, most end users would have no idea how to do this, but that is not where the risk lies; the real risk comes from malicious applications leveraging this to get a foothold on your network…one which can be exceedingly hard to track down.
Consider that the most common attack vector used by malicious applications is email (attachments, links and so on): once that file or link has been clicked, the intrusion attempt begins. The malware quietly installs itself on the computer with no clue to the end user, then sets up its own DNS resolution to bypass the AD DNS and begins downloading its malevolent toolkit from the command and control servers. Next thing you know the old IT bat phone starts ringing and you are faced with a dreaded ransomware infection or similar.
By securing your internal network you gain considerably more control to prevent this form of attack. Restricting external DNS queries to a single server (ideally in the DMZ) forces any malicious application to go through the AD DNS service that remains in your control. By using a sinkhole approach on that DMZ server with a list of known command and control servers, you ensure the malware never reaches its intended destination; even better is to stand up an internal web server and have every attempt to connect to a known C&C server redirected to it…you now have a reporting solution that identifies the infected client computer.
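To make the sinkhole-and-report idea concrete, here is an added example of my own (not from the original post, and not any particular product’s code). It models the DMZ resolver: names on a C&C blocklist, including their subdomains, are answered with the internal web server’s address and the querying client is recorded, while everything else goes to a stand-in for normal recursive resolution. A second function models the perimeter egress rule that only lets the DMZ resolver talk to port 53 outside. All domain names, IP addresses and the blocklist are constructed placeholders.

```python
"""Added example: a toy DNS sinkhole with client reporting, plus the
matching port-53 egress rule. Names and addresses are constructed."""
import ipaddress
from collections import defaultdict

# Constructed: known command-and-control domains the DMZ resolver should sinkhole.
# A real deployment would load these from a threat-intelligence feed.
C2_BLOCKLIST = {
    "c2-example.invalid",
    "beacon.malware-example.test",
}

# Constructed: the internal web server that sinkholed names resolve to.
SINKHOLE_IP = "10.0.0.50"
# Constructed: the only host allowed to send DNS out of the network (in the DMZ).
DMZ_RESOLVER = "192.0.2.53"


def normalise(qname: str) -> str:
    """Lower-case the name and strip the trailing dot of wire-format names."""
    return qname.rstrip(".").lower()


def is_sinkholed(qname: str) -> bool:
    """True if the name or any parent domain is on the blocklist, so
    update.c2-example.invalid is caught as well as the apex domain."""
    labels = normalise(qname).split(".")
    return any(".".join(labels[i:]) in C2_BLOCKLIST for i in range(len(labels)))


class SinkholeResolver:
    """Models the DMZ resolver: answers blocklisted names with the internal
    web server's address and records which client asked for them."""

    def __init__(self, upstream_answers: dict):
        # upstream_answers stands in for real recursive resolution (constructed).
        self.upstream = {normalise(k): v for k, v in upstream_answers.items()}
        self.hits = defaultdict(set)  # client_ip -> set of sinkholed names

    def resolve(self, client_ip: str, qname: str) -> str:
        name = normalise(qname)
        if is_sinkholed(name):
            self.hits[client_ip].add(name)
            return SINKHOLE_IP
        return self.upstream.get(name, "NXDOMAIN")

    def report(self) -> dict:
        """Infected-client report: which hosts tried to reach a C&C name."""
        return {ip: sorted(names) for ip, names in self.hits.items()}


def dns_egress_allowed(src_ip: str, dst_port: int, allowed_resolver: str = DMZ_RESOLVER) -> bool:
    """Perimeter egress policy: port 53 may leave the network only from the
    DMZ resolver; any other internal host's direct DNS traffic is refused."""
    if dst_port != 53:
        return True
    return ipaddress.ip_address(src_ip) == ipaddress.ip_address(allowed_resolver)


if __name__ == "__main__":
    resolver = SinkholeResolver({"intranet.corp.example": "10.0.1.10"})
    # Constructed query stream: one clean lookup and one beaconing host.
    queries = [
        ("10.0.5.21", "intranet.corp.example"),
        ("10.0.5.88", "update.c2-example.invalid."),
        ("10.0.5.88", "beacon.malware-example.test"),
    ]
    for client, name in queries:
        print(f"{client} asked for {name} -> {resolver.resolve(client, name)}")
    print("infected clients:", resolver.report())
    print("workstation direct DNS out:", dns_egress_allowed("10.0.5.88", 53))
```

In practice the blocklist lives in a response policy zone or an equivalent feature of the DMZ resolver, the egress rule is a firewall policy rather than Python, and the web server’s access log becomes the report; the logic above is simply the decision each of those components makes.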
Please, please, please (yes, three pleases) give serious consideration to the security of your internal network. It is easy to say “we have antivirus and anti-malware software”, but as the endemic levels of ransomware demonstrably prove, there are still significant risks. Protect your clients, protect your intellectual property and protect your reputation…given the significant fines introduced by the GDPR, it is more critical than ever.