PROTECTED ENCLAVES

The data exfiltration method used in the Target breach offers an excellent example of the value of establishing Protected Enclaves for internal network segments that contain confidential information. The Target attackers compromised an internal server to collect cardholder data from the compromised POS terminals. There was no legitimate reason for cardholder data to be moving from the POS terminals to this server. A good next generation firewall with granular policies that included zone, application, port, and protocol would have denied this traffic and prevented the cardholder data exfiltration. We recommend using next generation firewalls because they enable you to establish this whitelisting, Positive Control Model from the network layer up through the application layer.

The concept of Protected Enclaves is not new. The idea is to segment your internal network such that once someone is on the internal network, he/she does not have unlimited access to every resource. These Protected Enclaves could be within the corporate datacenter or in the cloud. This is analogous to submarines that are compartmentalized so that a breach in one compartment does not mean the sub will sink. Today, the best technology for establishing Protected Enclaves is next generation firewalls.

As more details of the Target breach are made available, we have learned that the attackers compromised an internal Target server as the central point to collect the compromised cardholder data from the POS terminals. The question is, why was this traffic not blocked? Obviously, Target has one or more servers in their data centers that collect transaction information from the POS terminals using a specific application on one or more specific ports. A firewall policy could have been implemented that “whitelists” the specific zones, ports, protocols, and applications that are allowed to communicate POS transaction data. Using a Positive Control Model means that any attempt by the POS terminals to communicate with a non-whitelisted server would have been denied, thus blocking the attackers’ exfiltration method.

Here is a diagram published by Brian Krebs in his blog post, New Clues in the Target Breach:

Relationships between compromised and attacker-controlled assets. Source: Dell Secureworks.

Previous approaches to Protected Enclaves include Router Access Control Lists and port-based stateful inspection firewalls. The problem with these is that they work at the network layer only.

Now, it’s true that many of the stateful inspection firewall manufacturers have added application awareness. However, for most of them, the application awareness functionality is not actually in the firewall, but is built as an add-on using an intrusion prevention system. The problem with this is that IPSs use a negative enforcement model. This means it will block apps that you define as bad. Unfortunately, the result is that you have to itemize every application you don’t want a user or user group to use. When application awareness is built into the firewall, you can establish a positive control model, i.e. a white list approach where you simply define the applications that are allowed and automatically block everything else. This way you don’t have to worry about every new application that your users might want to try. Those will be blocked.

There are other benefits to having application awareness built into the firewall. One is that you can build more granular policies that combine user or user group, zone, port, protocol, and application entities into a single policy. This is important because you want to make sure that each allowed application is running only on the port(s) you specify, and that no other application can run on those ports. For example, outgoing email. You normally have port 25 open for SMTP to allow email to be transmitted. However, you would not want any other applications to run on port 25. You can do this with a good next generation firewall.

A second benefit is that once the firewall detects a specific application running, it can notify the coresident IPS engine so the IPS engine can automatically bring to bear only the signatures related to that application. This means better performance and less work for your administrators.

As discussed above, retailers have a special situation with their POS terminals. These terminals need to be treated like users in the sense of defining which servers the POS terminals are allowed to talk to. I wrote a blog post about the Target cardholder data exfiltration could have been prevented.

In summary, the key to establishing Protected Enclaves is deploying next generation firewall technology between users and resources. The NGFW enables you to take a “white list” approach (Positive Control Model) from the network layer up through the application layer.