Hey man you disrespecting me?
Take him out
You gotta keep ’em separated
– The Offspring, Come Out and Play
Whoda thunk it? Dexter Holland, network security evangelist. This morning’s musings were stimulated by this article in Computerworld, entitled “Target breach happened because of a basic network segmentation error”.
The title of this article is technically correct, but it makes the issue sound much more complicated than it actually is. Part of the problem is that, in the vernacular, we use the term “network” as a generic term for all of your computer stuff, while network has a very specific meaning within the TCP/IP protocol stack. For the nerd who has forgotten, a network (an IP subnet) is a set of devices that share a Layer 2 segment, meaning two devices on the same network talk to each other directly, with no router mediating the exchange. For the non-nerd, an example: the “acoustical network” of my house. When my son is in my house, he is in my acoustical network, so when I yell his name he should receive the message, if his aural firewall is not currently configured to drop the Dad protocol. When my son is not in my house, I require a separate device (e.g., a telephone) to mediate my communications to his cellphone.
According to the Computerworld article, the initial access vector in the late 2013 Target data breach was remote access using the credentials of an HVAC company that used that access to perform monitoring at several Target stores. Of course the attacker should not have had access to these credentials, and in principle shame on the partner for being compromised, but the fact is that credential compromises do happen, and the wise security professional plans for them.
Apparently the wisdom of Target’s security professionals is a bit suspect, because the HVAC credentials let the attackers work their way into the payment processing network. Is it fair to say those systems were “on the same network”? Not clear. People often assume that machines on separate networks are isolated from each other, but that is simply not so: routers exist precisely to connect networks. The internet is called the “INTERNET” because it “INTERconnects NETworks”…it’s not just a clever name Al Gore came up with. So if the HVAC systems and payment processing systems were on the same network, that’s really, obviously, shame-on-you bad. If these systems were on different networks but each was still reachable from the other, it’s a different, more subtle failure.
There are two main points I want to make here. When becoming a Certified SCADA Security Architect, the single most important lesson you learn is segmentation with firewalls, DMZs, and mediation servers. As an architect, you absolutely need to understand that putting systems on separate networks is not sufficient by itself, because routers will gleefully pass packets between networks. You have to put a firewall, and ideally more than one, between segments to keep unwanted actors out of the ones that matter. More importantly, these firewalls are not configured the way a gateway firewall typically is; for these dedicated functional networks, the architect needs to study the technology, learn exactly what traffic needs to enter and leave each network, whitelist that traffic (by source, destination, protocol and port), and block and log everything else. Though Target is not a power company, the principles are identical.
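To make the two failure modes above concrete, here is a small policy checker I added for this post; it is not code from the Computerworld article, from Target, or from any certification course. The segments, addresses, ports and whitelist rules are all constructed for illustration: a partner VPN landing zone, a DMZ jump host, an HVAC segment and a payment segment. It evaluates the same sample flows twice, once with a plain router between the segments and once with a default-deny whitelist firewall, and it also shows that two hosts on the same Layer 2 network never cross either device.

```python
"""Toy network-segmentation policy checker (added example, constructed topology)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed segments: one IP subnet per functional network. Not a real layout.
SEGMENTS = {
    "vendor_vpn": ip_network("10.0.0.0/24"),   # where partner VPN users land
    "dmz_jump":   ip_network("10.0.1.0/24"),   # mediation (jump) servers
    "hvac":       ip_network("10.0.2.0/24"),   # building controls
    "payment":    ip_network("10.0.3.0/24"),   # card-processing systems
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_seg: str
    dst_seg: str
    proto: str
    dport: int


# Inter-segment whitelist (constructed). Anything not listed is dropped.
ALLOW = (
    Rule("vendor_vpn", "dmz_jump", "tcp", 22),   # partner reaches the jump host only
    Rule("dmz_jump", "hvac", "udp", 47808),      # jump host to HVAC controllers (BACnet/IP)
    Rule("hvac", "dmz_jump", "udp", 514),        # HVAC controllers send syslog to the jump host
)


def segment_of(addr: str):
    """Name of the segment containing addr, or None if no segment is routed for it."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def reachable(flow: Flow, firewalled: bool = True) -> bool:
    """Does a packet get from flow.src to flow.dst?

    Same segment: no router is in the path, so neither segmentation nor the
    inter-segment firewall can stop it. Different segments: the router forwards
    it unless a whitelist firewall sits between the two segments.
    """
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg is None or dst_seg is None:
        return False            # no route at all
    if src_seg == dst_seg:
        return True             # same Layer 2 network: nothing mediates
    if not firewalled:
        return True             # router gleefully forwards between networks
    return Rule(src_seg, dst_seg, flow.proto, flow.dport) in ALLOW


# Constructed sample flows, including the lateral move the article describes:
# a foothold in the HVAC segment being used to reach payment systems.
SAMPLE_FLOWS = {
    "partner ssh to jump host":     Flow("10.0.0.5", "10.0.1.10", "tcp", 22),
    "partner straight to HVAC":     Flow("10.0.0.5", "10.0.2.20", "udp", 47808),
    "jump host to HVAC controller": Flow("10.0.1.10", "10.0.2.20", "udp", 47808),
    "HVAC host to payment server":  Flow("10.0.2.20", "10.0.3.30", "tcp", 445),
    "HVAC host to HVAC host":       Flow("10.0.2.20", "10.0.2.21", "tcp", 445),
}


def audit(flows=SAMPLE_FLOWS):
    """Return {label: (reachable with routing only, reachable with whitelist firewall)}."""
    return {label: (reachable(f, firewalled=False), reachable(f, firewalled=True))
            for label, f in flows.items()}


if __name__ == "__main__":
    for label, (routed, filtered) in audit().items():
        print(f"{label:30s} router-only={str(routed):5s} firewalled={filtered}")
```

The interesting rows are the last two. With routing alone, the HVAC-to-payment flow goes straight through, which is the subtle failure described above; the whitelist firewall drops it because no rule names that segment pair. The HVAC-to-HVAC flow gets through in both cases, which is the point about Layer 2: once an attacker is inside a segment, only host-level controls stand between the machines on it, so the segment boundary has to be drawn around the systems you actually need to protect.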
The second point I want to make is that this should serve as an object lesson to SDN evangelists. A true believer in SDN would look at this problem and think: this failure occurred because installing all of the firewalls and other filtering devices needed requires numerous costly hardware installations, which SDN could avoid by intelligently routing flows to centralized security devices. The skeptic’s view is different: Target’s lifeblood is payment processing, and for whatever reason they didn’t segment their network sufficiently to protect their most important systems. Why should anyone think that they would secure their network management traffic with any more care? Even the most dedicated SDN advocates admit that SDN management traffic needs to be secured to at least the same standard we discussed above, and a controller that can reprogram every flow in the building is a far juicier target than an HVAC login.
As details leak out, the posturing is already beginning, and I’m probably going to complain about that tomorrow. Nothing brings out the stupid like Congressional hearings.