Secure Networks: Remember the DMZ in 2012

Tuesday, April 17, 2012

Brent Huston


Just a quick post to make sure that everyone (and I mean everyone) who reads this blog is using a DMZ, enclaved, network segmentation approach for any and all Internet-exposed systems today.

This has been true for several years, if not a decade. 

Recently, I have talked to two companies who have been hit by malicious activity that compromised a web application and gave the attacker complete control over a box sitting INSIDE their primary business network with essentially unfettered access to the environment.

Folks, within IT network design, DMZ architectures are not just a best practice or a regulatory requirement; they are an essential survival tool for IT systems. Punching a hole from the Internet straight into your primary IT environment is not smart, not safe, and in many cases not legal.

Today, enclaving the internal network itself is becoming best practice for securing networks. Enclaving/DMZ segmentation of Internet-exposed systems is simply assumed.

So, take an hour, review your perimeter, and if you find Internet-exposed systems sitting inside your internal network — make a plan and execute it.
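One way to do that perimeter review in a repeatable way, as an added example that is not part of the original post: a small zone-policy checker that flags accept rules letting the Internet reach the business network directly, or letting a DMZ host reach inward on any port. The zone CIDRs and the ruleset are constructed for the example; substitute your own exported firewall policy.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical zone layout, constructed for this example.
ZONES = {
    "internet": [ipaddress.ip_network("0.0.0.0/0")],
    "dmz": [ipaddress.ip_network("192.0.2.0/24")],
    "internal": [ipaddress.ip_network("10.0.0.0/8")],
}

@dataclass(frozen=True)
class Rule:
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    dport: str    # destination port or "any"
    action: str   # "accept" or "drop"

def zone_of(cidr):
    """Return the most specific zone containing the CIDR; 'any' and unknown space are Internet."""
    net = ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)
    best, best_len = "internet", -1
    for name, nets in ZONES.items():
        for zone_net in nets:
            if net.subnet_of(zone_net) and zone_net.prefixlen > best_len:
                best, best_len = name, zone_net.prefixlen
    return best

def review_perimeter(rules):
    """Return (rule, reason) pairs for rules that break the DMZ/enclave model."""
    findings = []
    for r in rules:
        if r.action != "accept":
            continue
        s, d = zone_of(r.src), zone_of(r.dst)
        if s == "internet" and d == "internal":
            findings.append((r, "Internet reaches the internal network directly; move this host into the DMZ"))
        elif s == "dmz" and d == "internal" and r.dport == "any":
            findings.append((r, "DMZ host has unrestricted access inward; limit it to the ports the application needs"))
    return findings

# Constructed sample ruleset (not taken from the original post).
SAMPLE_RULES = [
    Rule("any", "10.1.5.20/32", "443", "accept"),            # web app living inside the business LAN
    Rule("any", "192.0.2.10/32", "443", "accept"),           # web server correctly placed in the DMZ
    Rule("192.0.2.10/32", "10.1.8.5/32", "5432", "accept"),  # DMZ -> internal DB on one port only
    Rule("192.0.2.0/24", "10.0.0.0/8", "any", "accept"),     # DMZ -> whole LAN, any port
    Rule("any", "10.0.0.0/8", "any", "drop"),
]

if __name__ == "__main__":
    for rule, reason in review_perimeter(SAMPLE_RULES):
        print(f"{rule.src} -> {rule.dst}:{rule.dport}  {reason}")
```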

In the meantime, I’d investigate those systems as if they were compromised, regardless of what you have seen from them.

At least check them over with a cursory review and get them out of the business network ASAP.  

This should go without saying, but this especially applies to folks that have SCADA systems and critical infrastructure architectures.  

If you have any questions regarding how you can maintain secure networks with enclaving and network segmentation, let me know. I’d love to help!

Cross-posted from State of Security
