Boundary defenses to stop these types of attack have multiple dimensions: all Internet and extranet traffic passes through managed, authenticated proxies, a DMZ is employed that is separated from internal systems either physically or through tightly monitored filtering, and securely configured firewalls and intrusion detection systems are deployed at each gateway.
How can this control be implemented, automated, and its effectiveness measured?
The boundary defenses included in this control build on the network element hardening described in Critical Control 4 above, with these additional recommendations focused on improving the overall architecture and implementation of both Internet and internal network boundary points. Internal network segmentation is central to this control because once inside a network, intruders target the most sensitive machines. Usually, internal network protections are not set up to defend against an internal attacker. Setting up even a basic level of security segmentation across the network and protecting each segment with a proxy and a firewall will greatly reduce the intruders’ access to the other parts of the network.
Enhance network access controls in conjunction with authentication controls to deter propagation through the network from business unit to business unit. Add layers of network protection to critical services on the network, creating a layered access path using application authentication and network segmentation. Implement internal ACLs, internal proxies and firewalls to limit access to these areas. This will deter the intruders from gaining unauthorized access to these areas and could limit their activity altogether.
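One way to make the segmentation described above checkable is to write the zone model and its allow list down as code, evaluate candidate flows against it, and render the same policy as a default-deny firewall ruleset. The following is an added example, not text or code from the control document: the zone names, the address ranges and the allowed flows are constructed assumptions, and the ruleset output uses nftables syntax, chosen here only as one concrete rendering.

```python
import ipaddress

# Constructed sample addressing for a segmented network (assumption, not from the document).
# "internet" is the catch-all; every other zone is a more specific prefix and wins the lookup.
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz":      ipaddress.ip_network("192.0.2.0/24"),
    "extranet": ipaddress.ip_network("198.51.100.0/24"),
    "finance":  ipaddress.ip_network("10.10.0.0/16"),   # one business unit
    "hr":       ipaddress.ip_network("10.20.0.0/16"),   # another business unit
    "proxy":    ipaddress.ip_network("10.0.0.0/24"),    # internal proxy segment
}

# Explicit allow list of (src_zone, dst_zone, proto, dst_port). Anything not listed is
# dropped, so business units cannot reach each other directly and outbound traffic
# must go through the proxy segment.
ALLOWED = [
    ("internet", "dmz", "tcp", 443),       # public web tier only
    ("extranet", "dmz", "tcp", 443),
    ("dmz", "finance", "tcp", 5432),       # web tier to its own database
    ("finance", "proxy", "tcp", 3128),     # all outbound via the internal proxy
    ("hr", "proxy", "tcp", 3128),
    ("proxy", "internet", "tcp", 443),
]


def zone_of(ip):
    """Return the most specific zone containing ip (longest prefix wins), or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


def is_allowed(src_ip, dst_ip, proto, dst_port):
    """Policy decision for a new connection: allowed only if its zone tuple is listed."""
    return (zone_of(src_ip), zone_of(dst_ip), proto, dst_port) in ALLOWED


def _match(field, zone):
    # The catch-all zone cannot be matched by its own prefix (0.0.0.0/0 matches every
    # address), so express it as "not any named segment".
    if zone == "internet":
        others = ", ".join(str(n) for z, n in ZONES.items() if z != "internet")
        return f"{field} != {{ {others} }}"
    return f"{field} {ZONES[zone]}"


def nft_ruleset():
    """Render the allow list as an nftables forward chain: default drop, denied flows logged."""
    lines = [
        "table inet boundary {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for src, dst, proto, port in ALLOWED:
        lines.append(f"    {_match('ip saddr', src)} {_match('ip daddr', dst)} "
                     f"{proto} dport {port} ct state new accept")
    lines.append('    log prefix "boundary-deny " counter drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nft_ruleset())
    print(is_allowed("10.20.3.4", "10.10.1.5", "tcp", 445))  # hr -> finance: denied
```

Keeping the evaluator and the rendered ruleset derived from one allow list means a change request can be reviewed as a diff to `ALLOWED`, and the logged `boundary-deny` entries give the IDS sensors on each gateway a direct signal that something tried to cross a segment it should not.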
QW: Deploy IDS sensors on Internet and extranet DMZ systems and networks that look for unusual attack mechanisms and detect compromise of these systems. These sensors should be configured to record at least packet header information, and preferably full packet header and payloads of the traffic passing through the network border.
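To show what "packet header information" versus "full header and payload" amounts to at a sensor, here is an added example (not from the control document) that decodes a minimal IPv4/TCP packet into a header record, optionally keeps the payload, and summarises SYN-only fan-out per source as one indicator of unusual activity. The packet builder exists only to construct sample input offline; real sensors read from a capture interface or pcap file, and checksums are zeroed here because nothing validates them.

```python
import ipaddress
import struct

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b""):
    """Constructed sample input: a bare IPv4+TCP packet with zeroed checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + tcp


def parse_ipv4_tcp(pkt):
    """Decode the IPv4 and TCP headers; the IHL and data-offset fields locate the payload."""
    ver_ihl, _tos, total_len, _id, _ffo, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != 6:
        raise ValueError("not TCP")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, seq, ack, off, flags, _win, _tcsum, _urg = struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
    doff = (off >> 4) * 4
    return {
        "src": str(ipaddress.ip_address(s)), "dst": str(ipaddress.ip_address(d)), "ttl": ttl,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in TCP_FLAGS.items() if flags & bit],
        "payload": pkt[ihl + doff:total_len],
    }


def sensor_record(pkt, full_capture=False):
    """Header-only record (the minimum the control asks for), or header plus payload."""
    hdr = parse_ipv4_tcp(pkt)
    rec = {k: v for k, v in hdr.items() if k != "payload"}
    rec["payload_len"] = len(hdr["payload"])      # always keep the size, even header-only
    if full_capture:
        rec["payload"] = hdr["payload"]
    return rec


def syn_fanout(records):
    """Distinct (dst, port) targets per source seen in SYN-only packets, a sweep indicator."""
    seen = {}
    for r in records:
        if r["flags"] == ["SYN"]:
            seen.setdefault(r["src"], set()).add((r["dst"], r["dport"]))
    return {src: len(targets) for src, targets in seen.items()}


if __name__ == "__main__":
    sample = build_ipv4_tcp("203.0.113.9", "192.0.2.10", 40000, 443, 0x02, b"hello")
    print(sensor_record(sample))
    print(sensor_record(sample, full_capture=True)["payload"])
```

Header-only retention already answers who talked to whom, on which port, with which flags, and how much data moved; full capture adds the payload needed to reconstruct what was actually sent, at a storage cost that usually decides which mode a given border segment gets.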
Vis/Attrib: Define a network architecture that clearly separates internal systems from DMZ systems and extranet systems. DMZ systems are machines that need to communicate with the internal network as well as the Internet, while extranet systems are systems whose primary communication is with other systems at a