I have had a couple of discussions recently regarding what constitutes good network segmentation. Apparently, my original post was just too cryptic, so I’m going to use some examples in this post to hopefully clarify where people are going wrong.
The PCI DSS gives very little guidance on network segmentation. In fact, the only statement that comes close to a definition says: “Network segmentation can be achieved through internal network firewalls, routers with strong access control lists or other technology that restricts access to a particular segment of a network.” But those are the mechanics of network segmentation. This definition does not specify or illuminate the additional controls required to ensure segmentation, which is why I wrote the original post.
In my first example, the network in question is segmented by VLANs. The cardholder data environment (CDE) is contained in one VLAN and there are another eight VLANs defined. All VLANs are internal and none face the Internet. Access control lists (ACLs) have been implemented to control the communications between the various VLANs and the CDE VLAN. Monitoring of all of the VLANs has been implemented through a variety of methods, including network monitors, host monitors and system/event log monitoring and analysis. Network administrators watch consoles that bring up any critical alerts that could indicate a potential attack or compromise. This description sounds pretty good, does it not? The problem is that it is all in the details, and the details tell a different story.
In reviewing the VLANs’ ACLs we determined that two of the VLANs have TCP and UDP ports 1 through 65535 open to the CDE VLAN. Whoa! Every port is open to the CDE VLAN from these two VLANs? Yes, that is correct. This is not what the PCI SSC thought was “strong access control lists.” In digging further, we inquired as to why this condition exists. We were told, “We were unable to determine what the applications needed to have open between these VLANs, so rather than break anything, we just opened everything to be safe.” To be safe? Safe is a term that means something different to each person who uses it. In this case, because the two VLANs were internal, apparently the other VLANs were also considered ‘safe’.
But a lot of network administrators would point to the monitoring as the way they control things. Are you serious? I do not care how much monitoring you do. With every port open, that monitoring is likely to generate enough false positives that identifying the real threats is like finding a needle in a haystack. And this was confirmed later on when we observed the network administrators who monitor the network. They were ignoring almost everything that came up on their screens. When we questioned them about this, they said, “We have tried to tune the alerts, but have not been able to significantly reduce the false positives. We get around 10,000 to 25,000 alerts a day. So we do the best we can to find the real threats.” The best we can? Security is not forgiving, least of all for people who are doing ‘the best they can’.
The moral of this example is that if you have every port, or close to every port, open, you cannot consider your network properly segmented. I do not care what other controls you believe are in place. You have to be realistic. And the justification for having all of those ports open has to be more than an admission that you were too lazy to make the effort to find the real answers.
My other example involves a network that does have a limited number of ports open between the CDE VLAN and the other VLANs, albeit still quite a few. They also have monitoring in place, and their network administrators are very diligent in ensuring that alerts are addressed as quickly as possible. Unlike my first example, these folks are seeing around 300 to 500 alerts, of which 10% to 15% are false positives. The problem is with their documentation. In reviewing the firewall rules that segment the VLANs, we documented all of the ports open to/from the CDE VLAN to the other VLANs. We interviewed the Manager of their network management and administration department and inquired as to the business reason for each of the open ports. Of the 100 or so ports defined in the ACLs, they could only give us business reasons for about 20% of them. Heaven forbid they should document the reason in the configuration file, but there is no other documentation available either. The Manager even tried to find documentation in the help desk system where they log all of their changes, but even after refining the search criteria, there were just too many records to sift through in our one-hour meeting to find what we needed. There is not even proof that management knows these ports are open, understands the risks involved with these ports being open, or approved that these ports be opened.
The moral here is that documentation is the foundation from which you build. If you have a shaky foundation, you will have shaky security and are likely a candidate for a compromise and breach. This is why documentation is important. If you cannot remember why ports were opened, why users were allowed access to data, and the answers to other security-relevant questions, how can you even think you are secure? The answer is that you cannot be secure if you cannot answer basic questions.
But it gets better. Earlier in our meeting, this same individual had confirmed that they were the one who reviewed the firewall rules quarterly and showed us emails to prove that fact. Then, as we are going through the CDE ACLs, they say, “Oh, that rule should be removed. It was for a business partner that we have not done business with in more than four years.” Now, do you think I seriously believe that you are really reviewing these firewall rules quarterly when you admit that a given rule should have been removed four years ago? We documented four more firewall rules that should have been changed or removed. It is situations like this that cause a QSA to shudder and then wonder what other ugly things are under the rocks, and just how far you need or want to dig to find them.
The moral here: do not tell the QSA what they want to hear when you know you will have to contradict yourself later on. All it does is make you look incompetent. But this situation also illustrates a good point regarding the duties of a QSA in conducting an assessment. QSAs not only rely on interviews and documentation, they also rely on observation to ensure that organizations not only talk the talk but also walk the walk.
So what then is proper network segmentation? A properly segmented network is much more than just technology.
The foundation of a properly segmented network starts with the control triad of preventative, detective and corrective controls. Preventative network controls are going to be firewall rules, VLAN ACLs and any other controls that prevent or control access. Detective network controls are going to be related to the monitoring you implement. Monitoring can be real time and/or log analysis after the fact, but it should not be limited to just access to/from the CDE. Monitoring also needs to cover the network traffic itself, looking for anomalous traffic. Finally, you need corrective controls to ensure that any issues discovered by the preventative and detective controls are addressed as soon as possible. Corrective controls are usually generated as action items created from such things as the lessons learned from an incident response or the findings from an audit.
Once you have decided on the controls you will implement, you then need to create documentation that supports those controls. For networks, the key documentation is a record of every port that is open inbound to or outbound from the CDE. Each of those ports will have been formally approved by management, along with the risk presented by having the port open. And that risk analysis needs to include not just the port in question but any other relevant ports, if necessary, as certain combinations of ports may increase or decrease the risk. This risk analysis is important for a number of reasons. First, it documents the basic analysis of risk and provides the rationale for the decision made at that time. That documentation can also save you if a breach occurs, as you can understand what people were thinking when they originally opened the port and also understand the potential methods that might have been used to cause the breach. This documentation is also important for the quarterly reviews, as you can use it to refresh your memory as well as to assist you in making changes to the rules if business conditions change. Yes, I know firsthand that documentation is the last thing anyone wants to do. But without it, I guarantee you will not remember six months or more down the road why you did what you did and for whom. And in the security business, it is that sort of knowledge that can mean the difference between being secure and being a target.
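As an added illustration (my own example, not part of the original post), here is what checking a CDE ACL rule set against such a port register looks like in practice. Each rule to or from the CDE VLAN must match a register entry carrying the business reason, the approving manager and the date of the last quarterly review; the checks flag the three failures from the examples above, namely a rule that opens nearly every port, a rule with no business reason on file, and a rule a quarterly review should have retired. The VLAN names, port numbers, threshold and dates are all constructed.

```python
# Added example, not from the original post: check each ACL rule touching the CDE
# VLAN against a justification register; names, thresholds and data are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class AclRule:
    src_vlan: str
    dst_vlan: str
    proto: str
    first_port: int
    last_port: int

@dataclass
class Justification:
    reason: str
    approved_by: str            # the manager who accepted the risk
    last_reviewed: date         # date of the last quarterly rule review
    valid_until: Optional[date] = None  # e.g. end of a partner contract

WIDE_OPEN_PORTS = 1024  # constructed threshold: wider ranges are "everything open"
REVIEW_PERIOD = timedelta(days=92)  # quarterly review, with a few days' slack
TODAY = date(2024, 3, 1)  # constructed assessment date

def audit(rules, register, today=TODAY):
    """Return (finding, rule) pairs; an empty list means every rule is justified."""
    findings = []
    for rule in rules:
        if rule.last_port - rule.first_port + 1 > WIDE_OPEN_PORTS:
            findings.append(("wide-open", rule))  # the "1 through 65535" case
        entry = register.get(rule)
        if entry is None or not entry.reason.strip():
            findings.append(("undocumented", rule))  # no business reason on file
            continue
        if today - entry.last_reviewed > REVIEW_PERIOD:
            findings.append(("review-overdue", rule))  # quarterly review missed
        if entry.valid_until is not None and entry.valid_until < today:
            findings.append(("expired", rule))  # should already have been removed
    return findings

# Constructed sample: four rules into the CDE VLAN and a register covering two of them.
RULES = [
    AclRule("VLAN20", "CDE", "tcp", 1, 65535),    # "we just opened everything"
    AclRule("VLAN30", "CDE", "tcp", 1433, 1433),  # documented database access
    AclRule("VLAN40", "CDE", "tcp", 22, 22),      # partner feed, contract long over
    AclRule("VLAN50", "CDE", "udp", 514, 514),    # nobody remembers why
]
REGISTER = {RULES[1]: Justification("POS app to card DB", "J. Smith", date(2024, 1, 10)),
            RULES[2]: Justification("Partner SFTP feed", "J. Smith", date(2019, 9, 1), date(2020, 6, 30))}
```

Run `audit(RULES, REGISTER)` and only the documented, current database rule comes back clean; everything else is exactly the kind of finding a QSA will write up.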
The next item that needs to be documented is the users, programs, services and organizations that have access to the CDE. In the case of programs and services, this should be tied to the aforementioned list of open ports. In a breach, this documentation will reduce the number of likely suspects for where the breach came from. As a result, you can see why it is important to limit the number of people, programs and organizations that have access to the CDE.
The final piece of documentation that needs to exist is what should be done in the event a problem or an alert is generated. If people do not know what their responsibilities are in regard to providing feedback, then alerts will be missed or ignored and problems may not be addressed as quickly as they should be. Responses to problems or alerts should include detail regarding the conditions that created the problem or alert, the steps taken to address it and any issues that may have resulted from addressing it. If the problem or alert is not addressed in the required timeframe, there needs to be an escalation process so that it receives the necessary visibility from management should it go unaddressed.
I hope these additional examples clarify what proper network segmentation requires.