NCSAM Day 2: Network Isolation

There is a nearly endless list of ways that an adversary can compromise an organization’s workstation, from USB drives in the parking lot to malware-laden email attachments.  We should design our environments to account for the eventuality that one or more workstations will be compromised by an aggressive adversary.

Enabling port isolation on your wired networks and client isolation on your wireless networks limits opportunities for lateral movement between workstations.  Isolation, of course, will not prevent all lateral movement, but if implemented properly it can significantly limit an adversary’s ability to hop from workstation to workstation across a local subnet collecting credentials, and it will force the use of potentially noisier, easier-to-detect techniques.  The name of the game is making adversaries’ lives more difficult: making their objectives take longer to accomplish and making them generate more noise in the process.

I once had a discussion with an unnamed person from an unnamed agency who told me that part of the agency’s penetration testing regimen includes connecting a drop box of the pen tester’s choosing to the agency’s wireless or wired networks (including an LTE modem for out-of-band access), to simulate a workstation being compromised and needing to rely on other aspects of the infrastructure to protect systems and data from further compromise.  Port isolation was part of the strategy for that agency.

The downside of implementing isolation is that it requires much more deliberate design of common services, like the placement of printers and scanners.  Coincidentally, one of the other upsides of implementing isolation is that it also requires much more deliberate design of common services, like the placement of printers and scanners.

Limiting Lateral Movement Options With Port Isolation

I had a meeting with some network team members from a government entity recently.  They described a configuration where all of the network ports that workstations connect to are configured with port isolation, which prevents workstations, even on the same VLAN, from communicating with each other over the network.  This feature is available on most network switches.

There are not many use cases I am aware of where workstations need to connect directly to each other, at least not many that we want to encourage.  Isolating systems in this way seems like a good way to limit lateral movement.  Lateral movement is then limited to systems that are “upstream” of the workstation, which creates a convenient choke point at which to monitor for and detect such attacks.
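A configuration like the one described above only works if it is applied to every workstation port, and the most common failure is a port that was added later without the isolation keyword.  The following audit script is an added example, not code from the original post or from the agency described.  It assumes a Cisco IOS-style running configuration in which isolated edge ports carry the `switchport protected` keyword (the switch’s “protected port” feature, under which protected ports cannot exchange frames with each other but can still reach unprotected ports such as the uplink or a deliberately placed printer).  The sample configuration embedded in the script is constructed for illustration; the interface names and descriptions are not from any real network.

```python
"""Audit a switch running-config for access ports that are missing port isolation.

Added example, not part of the original post. Assumes a Cisco IOS-style
configuration where isolated workstation ports carry 'switchport protected'.
Trunk ports are skipped on purpose: protected ports must still be able to
reach an unprotected uplink, or nothing on the switch could talk to anything.
"""

# Constructed sample configuration (not from a real switch).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Workstation - Finance
 switchport mode access
 switchport access vlan 10
 switchport protected
!
interface GigabitEthernet1/0/2
 description Workstation - HR
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 description Printer - 2nd floor
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/24
 description Uplink to core
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} for every 'interface' stanza.

    Stanzas are terminated by a line containing only '!', as IOS prints them.
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line == "!":
            current = None
        elif current is not None:
            interfaces[current].append(line.strip())
    return interfaces


def interface_description(lines):
    """Return the 'description' text of an interface stanza, or '' if absent."""
    for line in lines:
        if line.startswith("description "):
            return line[len("description "):]
    return ""


def find_unprotected_access_ports(config):
    """Return {name: description} for access ports lacking 'switchport protected'.

    Every unprotected access port is reported, including ports for shared
    services such as printers. A reviewer must confirm that each one is an
    intentional exception rather than a workstation port that was missed.
    """
    offenders = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks/uplinks are expected to be unprotected
        if "switchport protected" not in lines:
            offenders[name] = interface_description(lines)
    return offenders


if __name__ == "__main__":
    for name, desc in find_unprotected_access_ports(SAMPLE_CONFIG).items():
        print(f"{name}: no port isolation ({desc or 'no description'})")
```

Run against a real `show running-config` export, the script lists every access port that would allow direct workstation-to-workstation traffic.  Reviewing that list is how the “deliberate design of common services” mentioned above becomes a repeatable check rather than a one-time effort: a printer port may legitimately stay unprotected, but a second workstation port appearing in the output is a gap in the isolation strategy.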

I was initially thinking about this in the context of mitigating impact of network worms in the wake of WannaCry.  However, it seems like the utility in this extends far beyond just worms.