Secure Network Engineering is #16 of the Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines and the first of the five not directly supported by automated measurement and validation. Cymbel provides professional services in support of all five.
Secure Network Engineering as introduced by the SANS 20 Critical Security Controls:
Many controls in this document are effective but can be circumvented in networks that are poorly designed. Without a carefully planned and properly implemented network architecture, attackers can bypass security controls on certain systems, pivoting through the network to gain access to target machines. Attackers frequently map networks looking for unneeded connections between systems, weak filtering, and a lack of network separation. Therefore a robust, secure network engineering process must be employed to complement the detailed controls being measured in other sections of this document.
Cymbel can help you meet the specific measures the SANS 20 Critical Security Controls prescribe for this control:
- Standardize the DHCP lease information and time assigned to systems, and verbosely log all information about DHCP leases distributed in the organization. The lease log is what lets an IP address seen in a firewall or IDS alert be tied back to the MAC address and host that held it at that time.
- To support rapid response and shunning of detected attacks, the network architecture and the systems that make it up should be engineered for rapid deployment of new access control lists, rules, signatures, blocks, blackholes, and other defensive measures.
- DNS should be deployed in a hierarchical, structured fashion, with all internal network client machines configured to send requests to intranet DNS servers, not to DNS servers located on the Internet. These internal DNS servers should be configured to forward requests they cannot resolve to DNS servers located on a protected DMZ. These DMZ servers, in turn, should be the only DNS servers allowed to send requests to the Internet. At the perimeter this means permitting outbound port 53 only from the DMZ resolvers, so a host that has been pointed at an Internet DNS server is blocked rather than silently bypassing the hierarchy.
- Segment the enterprise network into multiple, separate trust zones to provide more granular control of system access and additional intranet boundary defenses.
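The DNS hierarchy and the trust zones above are only as real as the filtering that enforces them. As an added example (not from the SANS document and not part of Cymbel's services), the Python script below audits firewall log lines against the client -> internal resolver -> DMZ forwarder -> Internet chain: every port-53 flow that is not one of the three permitted zone-to-zone hops is reported, and those the firewall ACCEPTed are called out separately as enforcement gaps. The address plan, the log line format and the sample lines are constructed for the example; replace them with your own zones and your firewall's export format.

```python
"""Audit firewall logs against the DNS hierarchy CSC 16 prescribes:
clients -> internal resolvers -> DMZ forwarders -> Internet.
Added example; address plan, log format and sample lines are constructed."""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical address plan: replace with your own zones.
ZONES = {
    "clients":      [ipaddress.ip_network("10.10.0.0/16")],
    "internal_dns": [ipaddress.ip_network("10.0.53.0/29")],
    "dmz_dns":      [ipaddress.ip_network("192.0.2.0/29")],
}

# The only DNS flows the hierarchy permits (source zone, destination zone).
ALLOWED_DNS_FLOWS = {
    ("clients", "internal_dns"),
    ("internal_dns", "dmz_dns"),
    ("dmz_dns", "internet"),
}

# Assumed log line shape: "<ts> <ACCEPT|DROP> <udp|tcp> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+(?P<proto>udp|tcp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    src: str
    src_zone: str
    dst: str
    dst_zone: str
    action: str


def zone_of(ip: str) -> str:
    """Map an address to a zone. Unmapped RFC 1918 space gets its own bucket so a
    forgotten internal subnet is never mistaken for the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "unmapped_internal" if addr.is_private else "internet"


def dns_hierarchy_violations(log_lines):
    """Every port-53 flow that is not one of the permitted zone-to-zone hops."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m["dport"] != "53":
            continue  # not a DNS query; out of scope for this check
        src_zone, dst_zone = zone_of(m["src"]), zone_of(m["dst"])
        if (src_zone, dst_zone) not in ALLOWED_DNS_FLOWS:
            findings.append(Finding(m["src"], src_zone, m["dst"], dst_zone, m["action"]))
    return findings


def enforcement_gaps(findings):
    """Violations the firewall ACCEPTed: the hierarchy exists on paper only."""
    return [f for f in findings if f.action == "ACCEPT"]


SAMPLE_LOG = [  # constructed sample lines
    "2024-03-01T10:00:01Z ACCEPT udp 10.10.4.21:51234 -> 10.0.53.2:53",   # client -> internal resolver
    "2024-03-01T10:00:01Z ACCEPT udp 10.0.53.2:40001 -> 192.0.2.3:53",    # internal -> DMZ forwarder
    "2024-03-01T10:00:01Z ACCEPT tcp 192.0.2.3:40002 -> 1.1.1.1:53",      # DMZ -> Internet
    "2024-03-01T10:00:02Z ACCEPT udp 10.10.7.9:52000 -> 1.1.1.1:53",      # client bypassing the hierarchy, allowed
    "2024-03-01T10:00:03Z ACCEPT udp 10.0.53.2:40003 -> 9.9.9.9:53",      # internal resolver skipping the DMZ, allowed
    "2024-03-01T10:00:04Z DROP udp 10.200.1.1:53001 -> 1.1.1.1:53",       # unmapped host, correctly blocked
    "2024-03-01T10:00:05Z ACCEPT tcp 10.10.4.21:51300 -> 203.0.113.10:443",  # not DNS, ignored
]

if __name__ == "__main__":
    found = dns_hierarchy_violations(SAMPLE_LOG)
    for f in found:
        print(f"{f.action:6} {f.src} ({f.src_zone}) -> {f.dst} ({f.dst_zone})")
    print(f"{len(enforcement_gaps(found))} of {len(found)} violations were allowed through")
```

On the sample, three flows violate the hierarchy and two of them were ACCEPTed, which is the finding that matters: a DROP means a host is misconfigured, an ACCEPT means the perimeter rule that should restrict outbound port 53 to the DMZ resolvers is missing. The same zone map can be reused against DNS server query logs to confirm that the internal resolvers only see client sources.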
The SANS 20 Critical Security Controls goes on to say:
Organizations should prepare network diagrams for each of their networks that show network components such as routers, firewalls, and switches, along with significant servers and groups of client machines.
It is Cymbel’s experience that maintaining network diagrams manually is impossible. Therefore automated generation of network diagrams should be a feature of your discovery solution. Beyond basic network diagrams, you should be able to graphically represent Business Services and the devices associated with each one.
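As an added example of what such automated diagram generation looks like in practice (constructed here, not Cymbel's tooling and not part of the SANS text), the Python script below takes a discovery inventory of devices, their trust zones and their business services plus the flows observed between them, and emits a Graphviz DOT diagram: one cluster per trust zone, the devices behind a chosen business service filled in, and any cross-zone flow the intended design does not account for drawn in red. The hostnames, zones, services and expected zone adjacencies are all hypothetical.

```python
"""Build a Graphviz DOT diagram from discovery data, grouping devices by trust
zone and flagging cross-zone flows the design does not expect.
Added example with constructed inventory; not Cymbel's tooling or the SANS text."""
from collections import defaultdict

# Constructed discovery output (hypothetical hostnames, zones and services).
DEVICES = {
    "clients": {"type": "client-group", "zone": "users", "services": []},
    "web-01":  {"type": "server", "zone": "dmz",  "services": ["online-orders"]},
    "web-02":  {"type": "server", "zone": "dmz",  "services": ["online-orders"]},
    "app-01":  {"type": "server", "zone": "app",  "services": ["online-orders", "billing"]},
    "db-01":   {"type": "server", "zone": "data", "services": ["online-orders", "billing"]},
}

# Flows (source -> destination) observed during the discovery run.
FLOWS = [
    ("clients", "web-01"), ("clients", "web-02"),
    ("web-01", "app-01"), ("web-02", "app-01"),
    ("web-01", "web-02"),
    ("app-01", "db-01"),
    ("clients", "db-01"),   # not in the design: users reaching the data zone directly
]

# Zone adjacencies the architecture intends (hypothetical).
EXPECTED_ZONE_FLOWS = {("users", "dmz"), ("dmz", "app"), ("app", "data")}

SHAPES = {"client-group": "folder", "server": "ellipse"}


def devices_for_service(devices, service):
    """Devices a business service depends on (drives the per-service view)."""
    return sorted(n for n, d in devices.items() if service in d["services"])


def unexpected_zone_flows(devices, flows, expected):
    """Cross-zone flows absent from the intended design: candidates for removal
    or for an explicit boundary rule. Returns (src, dst, src_zone, dst_zone)."""
    out = []
    for src, dst in flows:
        sz, dz = devices[src]["zone"], devices[dst]["zone"]
        if sz != dz and (sz, dz) not in expected:
            out.append((src, dst, sz, dz))
    return out


def to_dot(devices, flows, expected, service=None):
    """Render DOT: one cluster per zone, unexpected flows in red, and the devices
    of `service` filled so the business-service view stands out."""
    bad = {(s, d) for s, d, _, _ in unexpected_zone_flows(devices, flows, expected)}
    in_service = set(devices_for_service(devices, service)) if service else set()
    by_zone = defaultdict(list)
    for name, d in devices.items():
        by_zone[d["zone"]].append(name)
    lines = ["digraph network {", "  rankdir=LR;"]
    for zone in sorted(by_zone):
        lines.append(f'  subgraph "cluster_{zone}" {{')
        lines.append(f'    label="{zone}";')
        for name in sorted(by_zone[zone]):
            shape = SHAPES.get(devices[name]["type"], "box")
            style = " style=filled fillcolor=lightblue" if name in in_service else ""
            lines.append(f'    "{name}" [shape={shape}{style}];')
        lines.append("  }")
    for src, dst in flows:
        attrs = " [color=red penwidth=2]" if (src, dst) in bad else ""
        lines.append(f'  "{src}" -> "{dst}"{attrs};')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, dst, sz, dz in unexpected_zone_flows(DEVICES, FLOWS, EXPECTED_ZONE_FLOWS):
        print(f"unexpected cross-zone flow: {src} ({sz}) -> {dst} ({dz})")
    print(to_dot(DEVICES, FLOWS, EXPECTED_ZONE_FLOWS, service="billing"))
```

Pipe the output through `dot -Tpng -o network.png` to render it. Regenerating the diagram from each discovery run is what keeps it honest: in the sample inventory the direct clients -> db-01 flow is exactly the kind of unneeded connection the SANS text says attackers look for, and it shows up in red the moment discovery observes it rather than whenever someone next redraws the picture by hand.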