Pub. 6 2016-2017 Issue 1
OVER A CENTURY: BUILDING BETTER BANKS - HELPING COLORADANS REALIZE DREAMS
July • August 2016

Implementing Segregation

Segmenting and then segregating a network is a challenging task. Good network-architecture design skills, alongside working with third-party vendors and application vendors, will be necessary. Extensive testing is also a must. However, there are several quick wins that can significantly improve overall network security and take away attack paths employed by attackers.

First, it is necessary to segment the network into categories by device. Some suggested categories are:

• Workstations
• Servers
• Printers
• VOIP Telephones
• Automated Teller Machines
• Auxiliary (all other devices)

Segmentation requires creating separate subnets for each category and moving devices to those subnets. For segregation to be complete, once the devices reside on the appropriate segment, access control rules must be applied. A basic set of access control rules that could be applied to workstations is:

• Deny all workstation-to-workstation traffic within the workstation subnet.
• Allow all traffic from the workstation subnet to the server subnet.
• Allow ports TCP 515, TCP 9100, UDP 161, and UDP 162 to the printer subnet.
• Allow all traffic from the server subnet to the workstation subnet.
• Rules for specific access to devices in the Auxiliary subnet.
• Deny all remaining traffic that has not been explicitly allowed (applied as the last rule).

Restricting access between workstations is critical, because it removes the ability of an attacker who has compromised one workstation to pivot to other workstations. Two of the rules allow all traffic from workstations to servers and from servers to workstations. These should be replaced with more granular rules after further analysis of the ports and protocols needed by applications is completed.
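The following PowerShell is an added example, not from the article or from CoNetrix, showing how the workstation rule set above maps onto the host-based firewall built into Windows (the NetSecurity cmdlets). The three subnet addresses are assumed placeholders; adjust them to your own addressing plan. The Windows firewall has no ordered rule list: Block rules win over Allow rules, and the profile default action covers anything no rule matches, so the article's "deny all remaining traffic" last rule becomes the profile default.

```powershell
# Added example (not the article's code): workstation host-firewall rules
# for the segregation policy described above. Run elevated on a workstation.

# Assumed subnets (placeholders): replace with the real segment addresses.
$WorkstationSubnet = '10.10.10.0/24'
$ServerSubnet      = '10.10.20.0/24'
$PrinterSubnet     = '10.10.30.0/24'

# Rule 1: deny all workstation-to-workstation traffic.
# Block rules are evaluated before Allow rules, so nothing below can re-open this.
New-NetFirewallRule -DisplayName 'Seg - Block workstation-to-workstation (in)' `
    -Direction Inbound -Action Block -RemoteAddress $WorkstationSubnet -Profile Domain
New-NetFirewallRule -DisplayName 'Seg - Block workstation-to-workstation (out)' `
    -Direction Outbound -Action Block -RemoteAddress $WorkstationSubnet -Profile Domain

# Rule 2: allow all traffic from the workstation to the server subnet
# (to be narrowed once the ports and protocols each application needs are known).
New-NetFirewallRule -DisplayName 'Seg - Allow to server subnet' `
    -Direction Outbound -Action Allow -RemoteAddress $ServerSubnet -Profile Domain

# Rule 3: allow only LPD (TCP 515), raw printing (TCP 9100) and SNMP (UDP 161/162)
# to the printer subnet.
New-NetFirewallRule -DisplayName 'Seg - Allow print ports to printer subnet' `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 515,9100 `
    -RemoteAddress $PrinterSubnet -Profile Domain
New-NetFirewallRule -DisplayName 'Seg - Allow SNMP to printer subnet' `
    -Direction Outbound -Action Allow -Protocol UDP -RemotePort 161,162 `
    -RemoteAddress $PrinterSubnet -Profile Domain

# Rule 4: allow all traffic from the server subnet to the workstation
# (also to be narrowed after the application analysis).
New-NetFirewallRule -DisplayName 'Seg - Allow from server subnet' `
    -Direction Inbound -Action Allow -RemoteAddress $ServerSubnet -Profile Domain

# Rule 5: Auxiliary-subnet access is site specific; add one Allow rule per
# device and port that workstations genuinely need, in the same pattern as Rule 3.

# Rule 6: deny everything not explicitly allowed. On this firewall the "last rule"
# is the profile default action rather than a trailing deny entry.
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block -DefaultOutboundAction Block

# Review what was created before relying on it.
Get-NetFirewallRule -DisplayName 'Seg - *' |
    Select-Object DisplayName, Direction, Action, Enabled
```

Because the outbound default becomes Block, the workstation can only reach what an Allow rule names; this example assumes the services a domain-joined workstation depends on (domain controllers, DNS, file and application servers) live in the server subnet, which Rule 2 covers. Before enforcing, run the same rules with `-Action Allow` replaced by nothing and the defaults left unchanged while firewall logging is enabled, then review the dropped-packet log for traffic the rule set would have broken. To push the rules through Group Policy instead of per host, the same `New-NetFirewallRule` calls accept a `-PolicyStore 'DOMAIN\GPO name'` parameter that writes the rules into that GPO.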
The rules above are implemented easily by utilizing the free host-based firewall built into Microsoft Windows operating systems, and it can also be managed by utilizing Group Policy Objects.

Network segregation is the separation of devices and control of the traffic between those devices. Just as firewalls became necessary to protect from malicious Internet activity, network segregation is now a necessary and critical part of a secure network architecture.

Ty Purcell is a Security and Compliance Consultant for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and tandem — a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. Visit our website at www.conetrix.com to learn how CoNetrix can improve your Cybersecurity maturity.