Network segmentation and optimizing validation for PCI DSS

Yozer Garcia (published in stolabs)
Oct 28, 2020, 7 min read

A local network is defined as a set of computers belonging to the same organization, connected to each other over a network within a small geographical area. According to Forouzan (2008), devices interconnected in an office, building or campus form a local network in a very simple way: for example, two computers and a printer connected together, or a network extended to the entire company and including other devices.

The main purpose of a corporate network, then, is to provide connectivity between the company’s devices. These networks extend to wherever employees and data are located, so this kind of connectivity is generally implemented in a linear manner.

More and more devices are now being added to these networks: cell phones, tablets, and the devices adopted under IoT (Internet of Things) strategies. With them, however, comes a larger network surface and an enormous number of new security holes that must be analyzed correctly. The growth of the network and the number of devices quickly make it impossible to manage. They also make monitoring harder, since the amount of traffic makes it impossible to detect problems quickly. As a result, it becomes difficult to create access controls for resources.

An attacker who gains access to one device faces no major impediment to moving across the network, since they are able to map much of its resources. Consequently, they can go from device to device, reaching the company’s important information, systems and assets. Ransomware attacks in particular exploit the network’s linear characteristics very well, with their ability to spread to other machines (figure 1).

Figure 1: Spread of infection through the network.

Therefore, the segregation of computational resources can mean the difference between having all of the network’s assets compromised and being able to contain threats that could compromise business continuity.

What is segmentation?

Network segmentation consists of dividing a computer network into subnets, each one being a network segment. It is recommended to create groups with specific characteristics, for example, network segments for human resources, for the commercial area, and for web application servers, among others.

Basically, segmentation turns the phrase “divide and conquer” into “divide and defend”, because it is in fact more effective to manage assets and promote security when the network is divided into small segments that are easy to deal with in isolation.

For a better understanding, an analogy can be drawn with the operation of a large ship: network segmentation works the same way as its compartments. When there is a problem in one compartment, it is closed off to prevent the threat from spreading throughout the ship and compromising its operation.

However, segmentation is not just the subdivision of the network. There is no point in separating devices into areas with certain characteristics if elements of segment X can still communicate freely with elements of segment Y. Firewalls and security policies must be implemented to control the communications between the different devices (figure 2).

Figure 2: Segmented network.

It is therefore important that security and network analysts collaborate on implementing network segmentation, as well as on the management and monitoring of resources and on the actions to be taken to contain threats. These are essential mechanisms for maintaining the availability of and access to data while ensuring its integrity, for example by limiting the spread of malware over the network.

Benefits of segmentation

  • Improves performance: decreases local traffic. Each segment has few hosts, minimizing broadcast traffic;
  • Facilitates network management: enables more effective access controls; it is easier to manage which resources users can access;
  • Contains failures: the effects of problems and network failures only affect the segment where they occurred;
  • Improves security: enables easier monitoring. Network segments with anomalies in the logs can be identified easily, along with the affected machines;
  • Reduces the effort of security audits: it is easier to set audit schedules for certain segments of the network;
  • Decreases the area of contamination and the spread of malware: lateral attacks can be contained within the segment where they occurred without affecting others.

Considerations on the application of Segmentation

Business processes that require external individuals to access various resources on the internal network can complicate the segmentation of access.

Even with network segmentation in place, security controls such as anti-malware and intrusion prevention and detection systems must still be implemented within each segment, as considerable risks remain.

Companies that handle sensitive information such as credit card data must correctly map their systems and environments in order to properly apply the standards and controls required by the payment card industry, such as PCI DSS.

“If segmentation is used to reduce PCI DSS scope, perform penetration tests at least annually to verify the segmentation methods are operational and effective. Service providers using segmentation must confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after making changes to these controls.” (PCI DSS Quick Reference Guide 3.2.1)

Applying segmentation helps to define this scope, as it allows the environment to be separated into CDE (cardholder data environment) and No-CDE segments, thus reducing the PCI DSS scope and facilitating security management and audits in these environments. Without proper segmentation, hosts that have no contact with the card data flow may be mistakenly brought into scope, increasing the effort required to audit and check them against PCI DSS requirements.

To validate segmentation controls according to the PCI SSC recommendations, connectivity tests must be performed from the No-CDE systems to confirm that they cannot communicate improperly with the CDE systems, and thus that the segmentation controls are implemented correctly and effectively.

Given the need to validate segmentation controls, I created a tool that assists with this test and provides the security analyst with organized information to facilitate the analysis and understanding of communication in the segmented environment.

“El Segmentador” is a script written in bash. It is easy to use and provides direct information about the current state of communication in the segmented environment (figure 3).

Figure 3: “El Segmentador”.

“El Segmentador” needs three pieces of information to run: the directory in which to store the information generated during its execution, the network interface of the No-CDE environment that will be used to validate the segmentation, and the scope file containing the IP addresses or network ranges of the CDE environment to be validated (figure 4).

Figure 4: valid scopes.

The first step of “El Segmentador” is to validate connectivity to the supplied scope. The program performs different ping techniques using nmap, generating a separate report for each technique applied (figure 5). It also adds every IP detected as visible by any of the ping techniques to the “alivemachines” file.

Figure 5: Ping scan step reports.

The “alivemachines” file is then used for a deeper validation with the nmap TCP and UDP port scanners (figure 6), generating a separate report for each host. The security analyst must then analyze these reports to verify the current status of the segmentation and eliminate any false positives that appear.

Figure 6: TCP and UDP port scanner reports.

“El Segmentador” was implemented to scan several hosts at the same time, dividing the scope into several parts and running each one in the background, which decreases the total time required to validate the segmented environment. In addition, because it generates a separate report for each scanned host, it minimizes lost work and rework if the script’s execution is interrupted: you only need to check which hosts have already been processed, remove them from the scope, and run “El Segmentador” again.
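The workflow described above (ping sweeps from the No-CDE interface, an “alivemachines” file, background per-host TCP/UDP scans with resumable per-host reports), as an added example in POSIX sh. This is not the author’s “El Segmentador”; it assumes nmap is installed, root privileges for raw-socket probes, and the hypothetical script name segcheck.sh, and it treats a report without nmap’s closing “# Nmap done” footer as unfinished so an interrupted host is scanned again instead of being skipped.

```shell
#!/bin/sh
# Added example, not the author's "El Segmentador": the same workflow in POSIX sh
# (ping sweeps -> alivemachines -> per-host TCP/UDP scans). Assumes nmap is
# installed and the script runs as root on a No-CDE host.
# Usage: sh segcheck.sh <outdir> <nocde-iface> <scope-file>
set -eu
JOBS=${JOBS:-8}   # background scans started per batch
# Scope file: one IP or CIDR range per line; comments and blank lines are ignored.
read_scope() { grep -Ev '^[[:space:]]*(#|$)' "$1"; }

# Step 1: one discovery pass per probe type, each with its own grepable report.
# PE/PP = ICMP echo/timestamp, PS/PA = TCP SYN/ACK ping, PU = UDP ping.
discover() {  # discover <outdir> <iface> <scope-file>
  read_scope "$3" > "$1/scope.clean"
  for p in PE PP PS PA PU; do
    nmap -sn -n -e "$2" "-$p" -iL "$1/scope.clean" -oG "$1/ping/ping_$p.gnmap" >/dev/null
  done
}

# Merge every host reported "Status: Up" by any technique (field 2 of gnmap Host lines).
alive_from_gnmap() { awk '/^Host:/ && /Status: Up/ {print $2}' "$1"/*.gnmap | sort -u; }

# Hosts with no finished report ("# Nmap done" footer), so interrupted scans are redone.
pending_hosts() {  # pending_hosts <alivemachines> <hostsdir>
  while read -r ip; do
    grep -qs '^# Nmap done' "$2/$ip.txt" || echo "$ip"
  done < "$1"
}

# Step 2: TCP SYN + UDP scan of one host, written to its own report file.
scan_host() {  # scan_host <outdir> <iface> <ip>
  nmap -n -e "$2" -sS -sU --top-ports 100 "$3" -oN "$1/hosts/$3.txt" >/dev/null
}

main() {
  out=$1; iface=$2; scope=$3
  mkdir -p "$out/ping" "$out/hosts"
  discover "$out" "$iface" "$scope"
  alive_from_gnmap "$out/ping" > "$out/alivemachines"
  i=0
  for ip in $(pending_hosts "$out/alivemachines" "$out/hosts"); do
    scan_host "$out" "$iface" "$ip" &
    i=$((i + 1))
    [ $((i % JOBS)) -eq 0 ] && wait   # run the scope in batches of JOBS hosts
  done
  wait
  echo "hosts reachable from $iface: $(wc -l < "$out/alivemachines"); reports in $out/hosts"
}
# Run only when all three arguments are given, so the functions can also be sourced.
if [ $# -eq 3 ]; then main "$@"; fi
```

Any host that appears in “alivemachines” or has open ports in its report is a No-CDE to CDE path that the segmentation controls should have blocked and must be explained or fixed before the scope is signed off.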

The tool is simple, easy to use and very effective. It allows the verification of segmentation controls in the environment to be carried out correctly, providing the information needed to draw conclusions about the current state of the environment.

References: Marulanda, Yozer Esneider Garcia. Otimizando o teste de segmentação para auditoria de PCI DSS. Rio de Janeiro, 2020.
