The Myth of the "Trusted Network"
I was talking to a friend who uses a non-ISA Firewall to protect his network and he was talking about some of the configuration settings on his firewall. He said he was having problems with configuring traffic going through the "trusted" network interface. Just to confirm, I asked him what a "trusted network" was, and he said without hesitation that it was the internal network, in contrast to the Internet, which is an untrusted network.
This got me to thinking how slowly change comes in our business. In the 1990s, there was a concept of the untrusted Internet and the trusted internal network. You didn't trust the Internet because there were millions of people out there just waiting to hack into your network. In contrast, you could trust the internal network, because it was assumed that there weren't any malicious users or software running on your well-managed corporate network. In fact, many firewalls were designed with this concept in mind and didn't apply stateful packet and application layer inspection on the "trusted" interface.
With 20/20 hindsight, it's hard to explain why we were so naive about network security in the 1990s. Why would we believe that we could trust the users on our network? Why would we make the assumption that we could trust all the software running on our network? Was this a leftover from the days of non-Internet connected networks, where "sneaker net" and simple LAN-only networking was all that was available? Was it because viruses were rare, and network worms almost non-existent?
Whatever the reason, it's clear that in the 21st century, the concept of the trusted network needs to be disposed of. There are no trusted networks. There may be variable levels of distrust for one network compared to another, but no network can be trusted. There is too much connectivity between all networks, due to the Internet, to ever consider a network to be a trusted network.
Why is it important to do away with the concept of a trusted network? Because if you believe your network is trusted, you won't suspect that any potential attackers exist on that network. A good security posture to take is to assume that an attacker is already on your network, and work from there.
What's one of the most important things you can do in order to deal with the risks of your untrusted corporate network? Encryption. One of the most dangerous aspects of the belief in trusted networks is that data moving over the wire is secure from interception. If you believe that there are no trusted networks, you'll realize that the data moving over the wire can be intercepted, read, replayed and used against you in an attack.
So what can you do? The answer is actually quite simple. You can use IPsec with ESP AES encryption to secure all data moving over the network. Or, at least use IPsec with ESP AES encryption for all communications between clients and servers that contain sensitive information. It's quite easy to set up IPsec policies of this kind using Windows Vista and Windows Server 2008 - the nightmare of the Windows 2000/2003 IPsec policy wizard is (almost) gone and IPsec policies are no-brainers to set up now.
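As an added example (not from the original post), here is what such a policy looks like as a Windows Vista / Server 2008 connection security rule, with the weak "request" form shown beside the "require" form the post is describing. It assumes domain-joined machines (Kerberos computer authentication) and a constructed server subnet of 10.0.1.0/24.

```batch
rem Added example, not part of the original post. Assumptions: domain-joined
rem clients and servers (Kerberos computer auth) and a constructed server
rem subnet 10.0.1.0/24. Run from an elevated command prompt on each client
rem and server, or deliver the same rule through Group Policy.

rem Weak form: "request" negotiates IPsec when the peer can, but silently
rem falls back to cleartext when it cannot, so it guarantees nothing.
rem   netsh advfirewall consec add rule name="Servers (weak)" endpoint1=any endpoint2=10.0.1.0/24 action=requestinrequestout auth1=computerkerb

rem Corrected form: require IPsec in both directions and pin the quick-mode
rem method to ESP with AES-256 and SHA-1 integrity, so there is no fallback
rem to cleartext or to integrity-only ESP.
netsh advfirewall consec add rule name="Servers (require ESP AES)" ^
    description="Require ESP AES-256 for all traffic to the server subnet" ^
    endpoint1=any endpoint2=10.0.1.0/24 ^
    action=requireinrequireout ^
    auth1=computerkerb ^
    qmsecmethods=esp:sha1-aes256+60min+100000kb ^
    profile=domain enable=yes

rem Verify: confirm the rule is in place, then check that the quick-mode SAs
rem negotiated with the server peers actually list ESP with AES rather than
rem an integrity-only or null-encryption proposal.
netsh advfirewall consec show rule name="Servers (require ESP AES)"
netsh advfirewall monitor show qmsa
```

Until every peer in the subnet has a matching rule, the "require" form will refuse connections to hosts that cannot negotiate IPsec, so roll it out to the servers first and stage the clients behind it.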
IPsec is good for securing traffic that moves between clients and servers on your network, but what about protecting information that moves between your network and the Internet? In that case, you'll have to either secure the session stream using SSL/TLS technologies (such as HTTPS, SMTPS, POP3S, IMAP4S, etc), or encrypt the data in the application stream (S/MIME for email, encrypted archives, Rights Management, password-protected, encrypted office docs using AES256-bit encryption, etc).
Bottom line: Don't assume that you can trust your network. Assume that you can't trust your network, and take steps to encrypt as much of the data that runs over your network as possible.
For more information about IPSec, check out:
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
MVP - Microsoft Firewalls (ISA)