Instrumenting Network Segmentation with Verodin SIP

One of the most foundational capabilities of Verodin SIP is measuring, managing, improving, and communicating the effectiveness of network segmentation. Many environments leverage network segmentation to improve security. Often, certain network segments are disallowed from communicating with certain other network segments. Communication may be unidirectional between network segments or may be limited to specific ports or protocols across segments.

While network segmentation is common across all industry verticals, for illustration let’s consider a critical infrastructure environment that consists of traditional IT Zones, a SCADA Zone, and an Industrial Control System (ICS) Zone.

In the image below there are various network zones including Internet, Partner, DMZ, IT/Desktop, and Server. There are also zones that are specific to industries like oil & gas, power & energy, pharmaceutical, and manufacturing, just to name a few. These industry-specific zones include SCADA and ICS but for simplicity, think of these individual zones as network segments. Of course, each zone can be further segmented within itself.

Networking tools and security tools are used to divide the network, which can be physical or virtual, into segments. Other security tools then layer capabilities such as incident prevention and incident detection for IT and OT on top of that segmentation, as shown below.

There are rules to these network segments. Perhaps the Internet Zone can only communicate with the DMZ Zone over HTTP (80) and HTTPS (443). Maybe the Partner Zone is limited to specific domains and IP addresses from the Internet. The Server Zone may only allow encrypted communication such as SSH (22) from the IT/Desktop Zone. From the IT/Desktop Zone to the SCADA Zone, and the SCADA Zone to the ICS Zone, there may only be a few assets that are allowed to communicate. Their communication has limited ports and protocols and some communication may only be unidirectional. It’s possible that the zones may even be totally air gapped.

Verodin SIP helps validate, illustrate, monitor, alert, report, and remediate network segmentation issues. Based on the examples above, perhaps:

  • A firewall misconfiguration now allows inbound telnet (23) from the Internet to the DMZ
  • The Partner Zone now has direct and full access to the ICS Zone because a patch applied to a proxy altered the configuration
  • Traffic inspection might illustrate that non-HTTP (80) traffic is actually flowing across HTTP ports
  • The fail-open design of a directional diode separating the SCADA and ICS Zones has resulted in unfettered, bidirectional communication
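
The rules and drift scenarios above can be written down as a directional allow-list and checked against observed flows. The following is an added example, not Verodin SIP code or output; the SCADA-to-ICS direction and port (502, Modbus/TCP) and every flow record are constructed assumptions.

```python
# Added example: segmentation policy as an allow-list, audited against flows.
# Zone names and the Internet/DMZ and IT/Desktop/Server rules follow the
# article; the SCADA->ICS rule and all flow records are constructed.
from typing import NamedTuple, Optional

class Flow(NamedTuple):
    src: str    # source zone
    dst: str    # destination zone
    port: int   # destination TCP port
    app: str    # protocol identified by traffic inspection

# (src zone, dst zone) -> {allowed port: expected application protocol}
# Rules are directional: the reverse direction is denied unless listed.
POLICY = {
    ("Internet", "DMZ"): {80: "http", 443: "tls"},
    ("IT/Desktop", "Server"): {22: "ssh"},
    ("SCADA", "ICS"): {502: "modbus"},  # assumed one-way rule
}

def check(flow: Flow) -> Optional[str]:
    """Return a violation reason, or None if the flow matches policy."""
    allowed = POLICY.get((flow.src, flow.dst))
    if allowed is None:
        if (flow.dst, flow.src) in POLICY:
            return "reverse direction of a one-way rule"
        return "zone pair not permitted"
    if flow.port not in allowed:
        return f"port {flow.port} not permitted"
    if flow.app != allowed[flow.port]:
        return f"{flow.app} seen on port {flow.port}, expected {allowed[flow.port]}"
    return None

def audit(flows):
    """Return (flow, reason) for every flow that violates the policy."""
    return [(f, r) for f in flows if (r := check(f)) is not None]

# Constructed observations mirroring the four drift scenarios listed above.
OBSERVED = [
    Flow("Internet", "DMZ", 443, "tls"),    # compliant
    Flow("Internet", "DMZ", 23, "telnet"),  # firewall misconfiguration
    Flow("Partner", "ICS", 502, "modbus"),  # proxy change opened a path
    Flow("Internet", "DMZ", 80, "ssh"),     # non-HTTP traffic on an HTTP port
    Flow("ICS", "SCADA", 502, "modbus"),    # diode failed open
]

if __name__ == "__main__":
    for flow, reason in audit(OBSERVED):
        print(f"{flow.src} -> {flow.dst}:{flow.port}  {reason}")
```

Checking the inspected application protocol as well as the port is what separates the third scenario from a flow that merely uses an allowed port.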

Validate and Illustrate

Let’s take a look at Verodin SIP to see how this plays out in the platform. Pictured below is the Verodin SIP Director; more specifically, you’re looking at the Map View. This view illustrates the various Verodin SIP Actors, shown on the map as black circles with the Verodin logo inside.

The white circles are discrete zones and the lines show connectivity while the arrows at the end of the lines show directionality. Auto discovery populates the map with security controls that might exist across endpoint, network, email, and cloud security tools. For illustration purposes, I’ve kept this network very simple and have only included a single Palo Alto Firewall and Snort IDS.  

The map is automatically drawn by Verodin SIP and is based on the actors communicating with each other via user-defined tests. In general, these tests can include behaviors like port scans, C2, beaconing, lateral movement, data exfiltration, malicious host activity, malware detonation, and everything in between.

Through the Actors, Verodin SIP identifies communication paths and directionality. Verodin SIP then leverages its Advanced Environmental Drift Analysis (AEDA) capability, which we’ll cover in more detail later in this piece, to ensure that what’s supposed to be segmented stays segmented. Ad-hoc testing and AEDA also leverage traffic inspection to validate that communication ports are operating as intended and HTTP (80) traffic, for example, isn’t flowing across HTTPS (443) ports.

We can see on the bottom right in the green circle that there is at least one network segment completely air gapped from the rest. In the red oval, the arrows show us communication connectivity and directionality between the DMZ Zone and the Desktop Users Zone. Because of environmental drift, it is very common to find communication paths that shouldn’t exist or paths previously in a known good state drifting because of physical network infrastructure changes or software configuration changes, updates, etc.

The Verodin SIP Map View helps validate and illustrate network segmentation; it shows how each exact segment is connected. Once you are in a known good state, you then need to concern yourself with environmental drift.

Monitor and Alert

Verodin SIP helps monitor and alert with the AEDA capability. The image below shows the AEDA Dashboard within Verodin SIP, which monitors your environment in perpetuity based on a user-defined schedule.

When something shifts from a known good state because of malicious behaviors being allowed, segmentation issues, lack of incident detection, traffic inspection anomalies, issues in the management stack when it comes to correlation, etc., an alert is created that basically says, “Hey, this thing was working and now it’s not. Let’s go fix it.”

In this case, we have nine alerts that are turning links red. In addition to illustrating the alerts within the AEDA Dashboard, SIP notifies security analysts through email or events sent to a SIEM, the ticketing system, incident response system, etc. Analysts can drill into these events on this dashboard to pull up the technical details.

Report and Remediate

Finally, Verodin SIP offers a number of integrated reporting capabilities. Below is the Verodin SIP Heat Map. In this example, we can see that the Verodin SIP Actors used some scanning behavior between the Internal Servers Zone and the Internet Zone. This activity shows that Web Attack Traffic was allowed, causing the test to fail because that type of activity should be prevented and/or detected.

While this is a high-level view, an analyst can drill into the supporting data, just like with AEDA, to find out exactly what is causing the issue, such as a problem with network segmentation. Based on the details, Verodin SIP also offers up prescriptive tests to amend the issue. Once amended, you can revalidate to make sure the fix worked. And once it’s working and you are in a known good state, you can add that test back into AEDA for automated testing so that should it ever stop working again, you’ll be alerted.  

Verodin SIP offers a number of capabilities that are well designed to help validate, illustrate, monitor, alert, report, and remediate network segmentation issues. To learn more about Verodin SIP, request a demo.

*** This is a Security Bloggers Network syndicated blog from Verodin Blog authored by Verodin Blog.