testingnsa.blogg.se

Unified networking lab hook pc to router













With enough time and the right skills, it is only a matter of time before a targeted attack surface cracks.

Figure 5-1: Flat Network – Single Broadcast Domain

This provides potential access to every system attack surface. In other words, an attacker can see all servers in the data center.


Any device sending an ARP broadcast looking for an IP address in the data center will receive a reply if the address is assigned to an active server or other device. The assumption here is that perimeter controls prevent unauthorized access to system attack surfaces… a bad assumption. Finally, the flat data center network is one large broadcast domain. Locally connected devices have full access to the data center network once the user authenticates. A DMZ and SSL VPN appliance provide protection from unauthorized access, but they do little once a threat agent enters the data center network. In our example, the trust boundaries are located either on or external to the data center perimeter. No system attack surface defense is perfect; eliminating unwanted access significantly reduces the risk of a system breach. Once on the wire, an attacker has free access to system attack surfaces.
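The single-broadcast-domain point above can be made concrete with a small exposure model. This is an added example, not taken from the book or this page; the host names, roles and VLAN numbers are constructed, and it assumes each VLAN forms exactly one layer-2 broadcast domain.

```python
from collections import defaultdict

# Constructed inventory: (host, role, VLAN in flat design, VLAN in segmented design).
INVENTORY = [
    ("ws-01",  "workstation", 1, 10),
    ("ws-02",  "workstation", 1, 10),
    ("vpn-01", "vpn",         1, 20),
    ("web-01", "server",      1, 30),
    ("app-01", "server",      1, 40),
    ("db-01",  "server",      1, 50),
]

def broadcast_domains(inventory, design):
    """Group hosts by VLAN; each VLAN is treated as one broadcast domain."""
    col = {"flat": 2, "segmented": 3}[design]
    domains = defaultdict(set)
    for row in inventory:
        domains[row[col]].add(row[0])
    return dict(domains)

def arp_visible_servers(inventory, design, source):
    """Servers that would answer an ARP request broadcast by `source`."""
    roles = {row[0]: row[1] for row in inventory}
    for members in broadcast_domains(inventory, design).values():
        if source in members:
            return sorted(h for h in members
                          if h != source and roles[h] == "server")
    raise KeyError(source)

def exposure_report(inventory, design):
    """Map every non-server host to the servers sharing its broadcast domain."""
    return {row[0]: arp_visible_servers(inventory, design, row[0])
            for row in inventory if row[1] != "server"}

if __name__ == "__main__":
    # Compare how many servers each user-facing host can discover by ARP.
    for design in ("flat", "segmented"):
        print(design, exposure_report(INVENTORY, design))
```

ARP visibility is only the layer-2 part of the picture: traffic routed between VLANs still has to be filtered, which is where the "appropriate controls" mentioned in the chapter come in.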


Perimeter defenses protect the data center from external threats with little protection against internal threat agents. Traditional networks resemble Figure 5-1. I use the term packet instead of frame to refer to transmission entities at both the network and the data link layers. In this chapter, we step through a description of VLAN technology, how to secure it (including basic switch security), and how to control packets to increase the overall strength of attack surface defense. By segmenting a network, and applying appropriate controls, we can break a network into a multi-layer attack surface that hinders threat agents/actions from reaching our hardened systems.


Traditional flat networks present a single surface to the outside and almost nothing to internal threats. The next step is moving out from systems to the network attack surface. In Chapter 4, we examined system attack surface reduction.


This is Chapter 5 in Tom Olzak's book, "Enterprise Security: A practitioner's guide."

Chapter 4 is available here: Attack Surface Reduction – Chapter 4

Chapter 3 is available here: Building the Foundation: Architecture Design – Chapter 3

Chapter 2 is available here: Risk Management – Chapter 2

Chapter 1 is available here: Enterprise Security: A practitioner's guide – Chapter 1














