Security Boundary Defense Solutions
Security boundary defense solutions should be used to protect organizations from infiltration by bad actors and from the exfiltration of data. Keep in mind that bad actors can be either external or internal to the organization.
Security boundary defense controls should also be used to protect against sabotage, espionage, data leakage and other insider threats. These solutions and controls are the focus of pitfall #56 in my eBook, Security Program Pitfalls and Prescriptions to Avoid Them.
An up-to-date inventory of all network security boundaries should be maintained in accordance with the Asset Management Policy requirements for an effective asset inventory. Discovery scans should be performed on a regular basis from outside each trusted network boundary to detect any unauthorized services or connections that are reachable across the boundary.
Communications with known malicious or unused Internet IP addresses should be denied. At each network boundary, access should be limited to only the trusted and necessary IP address ranges, and communications over unauthorized TCP and UDP ports should be blocked, so that only authorized protocols can cross the boundary into or out of your organization's networks.
Monitoring systems should be configured to inspect the network packets passing through each network boundary. Network-based Intrusion Detection System (NIDS) sensors should be deployed to look for unusual attack patterns and to detect a compromise of information systems or assets. Network-based Intrusion Prevention Systems (NIPS) can be used to block malicious network traffic at each of the network boundaries.
NetFlow collection and logging should be enabled on all network boundary devices, and the records should be reviewed against the boundary policy rather than merely stored. Network traffic to or from the Internet should pass through an authenticated application layer proxy that is configured to filter unauthorized connections.
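The policy in the two paragraphs above (deny known malicious and unused address space, allow only trusted ranges and authorized ports, and force Internet-bound web traffic through the proxy) is easiest to understand as detection logic run over the NetFlow records that the boundary devices export. The following is an added example, not code from the book or from any product; the address ranges, ports, proxy host, deny list and sample flow records are all constructed for illustration (the deny list would normally come from a threat feed, and the "unused" ranges here are reserved/documentation blocks standing in for a real bogon list).

```python
"""Evaluate NetFlow-style boundary records against a deny/allow policy.

Added example: policy values and flow records are constructed, not real.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# --- Hypothetical policy for one Internet boundary (constructed) ---
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
PROXY_HOST = ipaddress.ip_address("10.0.0.5")            # authenticated web proxy
KNOWN_MALICIOUS = {ipaddress.ip_address("203.0.113.77")}  # deny list (e.g. threat feed)
# Address space that should never be a peer across the boundary; reserved and
# documentation ranges are used here as stand-ins for an unused/bogon list.
UNUSED_RANGES = [ipaddress.ip_network(n) for n in
                 ("0.0.0.0/8", "240.0.0.0/4", "192.0.2.0/24")]
TRUSTED_INBOUND_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]
ALLOWED_INBOUND = {("TCP", 443)}                         # (protocol, dst port)
ALLOWED_OUTBOUND = {("TCP", 80), ("TCP", 443), ("UDP", 53)}
PROXIED_PORTS = {80, 443}                                # must leave via PROXY_HOST


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    sport: int
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse 'src,dst,proto,sport,dport,bytes' (a simplified NetFlow export)."""
    src, dst, proto, sport, dport, nbytes = line.strip().split(",")
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.upper(), int(sport), int(dport), int(nbytes))


def direction(flow: Flow) -> Optional[str]:
    """'outbound', 'inbound', or None when the flow does not cross the boundary."""
    src_in, dst_in = flow.src in INTERNAL, flow.dst in INTERNAL
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return None


def evaluate(flow: Flow) -> list[str]:
    """Return the policy violations for one flow; [] means permitted."""
    reasons: list[str] = []
    d = direction(flow)
    if d is None:
        return reasons                      # internal-only traffic: out of scope here
    peer = flow.dst if d == "outbound" else flow.src
    if peer in KNOWN_MALICIOUS:
        reasons.append("known-malicious-peer")
    if any(peer in net for net in UNUSED_RANGES):
        reasons.append("unused-address-space")
    if d == "outbound":
        if (flow.proto, flow.dport) not in ALLOWED_OUTBOUND:
            reasons.append("unauthorized-outbound-port")
        elif flow.dport in PROXIED_PORTS and flow.src != PROXY_HOST:
            reasons.append("proxy-bypass")  # web traffic that did not go via the proxy
    else:
        if not any(peer in net for net in TRUSTED_INBOUND_SOURCES):
            reasons.append("untrusted-inbound-source")
        if (flow.proto, flow.dport) not in ALLOWED_INBOUND:
            reasons.append("unauthorized-inbound-port")
    return reasons


def audit(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Run every record through the policy and return only the violating ones."""
    findings = []
    for line in lines:
        reasons = evaluate(parse_flow(line))
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed sample export (one record per line); not real traffic.
SAMPLE_FLOWS = [
    "10.0.0.5,203.0.113.10,TCP,51000,443,2300",   # proxy -> web site: permitted
    "10.0.1.20,203.0.113.10,TCP,51001,443,900",   # client went around the proxy
    "10.0.0.5,203.0.113.77,TCP,51002,443,400",    # peer is on the deny list
    "10.0.1.21,203.0.113.50,TCP,51003,22,100",    # outbound SSH is not authorized
    "198.51.100.9,10.0.2.2,TCP,40000,443,5000",   # trusted partner inbound: permitted
    "203.0.113.200,10.0.2.2,TCP,40001,3389,200",  # untrusted source hitting RDP
    "10.0.1.22,192.0.2.9,UDP,5353,53,80",         # DNS to unused address space
    "10.0.1.23,10.0.1.24,TCP,5000,445,100",       # internal only: not a boundary flow
]

if __name__ == "__main__":
    for line, reasons in audit(SAMPLE_FLOWS):
        print(f"{line:45} {', '.join(reasons)}")
```

Two design points matter in practice. The "proxy-bypass" rule is what turns the proxy requirement into something you can verify: once every client is supposed to reach the Internet through the proxy, any direct outbound 80/443 flow from another internal host is either a misconfiguration or an attempt to evade inspection. And the deny-list and unused-range checks are applied to the external peer regardless of direction, so a compromised internal host beaconing out is caught by the same rule that blocks inbound scans from the same ranges.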
All encrypted network traffic should be decrypted at the boundary proxy before its content is analyzed. Where appropriate, a whitelist of allowed sites that may be accessed through the proxy without decryption can be used, for example for categories such as personal banking or healthcare, where inspecting the content raises privacy or legal concerns. Keep such exemptions narrow and reviewed, since every exempted destination is a channel the proxy cannot inspect.
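To apply a decryption exemption the proxy has to know which site the client is going to before it decides whether to intercept, and with TLS that information is the Server Name Indication (SNI) in the client's first handshake message. The following is an added example, not code from the book or from any proxy product: it parses the SNI out of a TLS ClientHello record and returns the decision the text describes (splice the connection untouched if the name is on the exemption list, otherwise decrypt). The `build_client_hello` helper, the exemption list and the host names are constructed for illustration, and treating a non-TLS first message as "block" is an assumption (fail closed) rather than something the text prescribes.

```python
"""Decide decrypt-versus-splice for a TLS connection from its ClientHello SNI.

Added example; the exemption list, host names and the ClientHello builder
used to produce test input are constructed for illustration.
"""
from typing import Optional

# Constructed exemption list: these names (and their subdomains) are not decrypted.
DECRYPT_EXEMPT = {"bank.example", "health.example"}


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed test input only)."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + len(host).to_bytes(2, "big") + host      # name_type 0 = host_name
        sni_list = len(entry).to_bytes(2, "big") + entry
        exts += b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list  # ext type 0
    body = (b"\x03\x03" + bytes(32)            # client_version + random
            + b"\x00"                          # empty session_id
            + b"\x00\x02" + b"\xc0\x2f"        # one cipher suite
            + b"\x01\x00"                      # null compression
            + len(exts).to_bytes(2, "big") + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # type 1 = ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def _parse_sni(record: bytes) -> Optional[str]:
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # skip client_version and random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos + 2 > len(body):
        return None                                # no extensions block at all
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if end > len(body):
        raise ValueError("extensions overrun ClientHello body")
    while pos + 4 <= end:
        etype = int.from_bytes(body[pos:pos + 2], "big")
        elen = int.from_bytes(body[pos + 2:pos + 4], "big")
        data = body[pos + 4:pos + 4 + elen]
        if len(data) != elen:
            raise ValueError("extension overrun")
        pos += 4 + elen
        if etype == 0x0000:                        # server_name extension
            q = 2                                  # skip server_name_list length
            while q + 3 <= len(data):
                ntype = data[q]
                nlen = int.from_bytes(data[q + 1:q + 3], "big")
                name = data[q + 3:q + 3 + nlen]
                if len(name) != nlen:
                    raise ValueError("SNI name overrun")
                if ntype == 0:
                    return name.decode("ascii")
                q += 3 + nlen
    return None


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host name from a ClientHello record, None if absent.

    Raises ValueError when the bytes are not a well-formed ClientHello.
    """
    try:
        return _parse_sni(record)
    except IndexError as exc:                      # ran off the end of a field
        raise ValueError("truncated ClientHello") from exc


def decrypt_decision(record: bytes) -> tuple[str, Optional[str]]:
    """Return ('splice' | 'decrypt' | 'block', host) for a client's first record."""
    try:
        sni = extract_sni(record)
    except ValueError:
        return ("block", None)       # assumption: not TLS we can classify, fail closed
    if sni is None:
        return ("decrypt", None)     # no SNI, so no exemption can match: inspect it
    host = sni.lower().rstrip(".")
    for exempt in DECRYPT_EXEMPT:
        if host == exempt or host.endswith("." + exempt):
            return ("splice", host)  # exempted site: pass through without decryption
    return ("decrypt", host)


if __name__ == "__main__":
    for name in ("www.bank.example", "evilbank.example", None):
        print(name, "->", decrypt_decision(build_client_hello(name)))
```

One caveat a practitioner should keep in mind: the SNI is asserted by the client, so a host that wants to evade inspection can send an exempted name while connecting to some other server. A proxy that splices on SNI alone therefore also needs to check that the server's certificate actually matches the exempted name before letting the rest of the session through uninspected; interception proxies that "peek" at the server hello before splicing do exactly that. The suffix match above (`.bank.example` but not `evilbank.example`) is deliberate for the same reason: a loose substring match is an easy way to widen an exemption by accident.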
To learn more about this pitfall, and 99 more, get my book: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon here). Or register for a demo of the ASCENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.