Notes from the Field: Center for Internet Security Control 12 – Network Infrastructure Management

by Greg Halpin / November 17th, 2023

In our increasingly busy lives, we often find ourselves making promises we can’t keep. We promise to start our diet on Monday, but order in on Tuesday. We promise that this will be the year we take our dream trip, or finally learn French, or run a marathon. Maybe we promise that we’ll implement the perfect network infrastructure. But life, as it often does, gets in the way.

A company I audited last fall had an insecure design for its Amazon Web Services architecture, which hosted a financial web application. The web servers were public-facing PostgreSQL servers. Prime targets for attackers. In most information security audits I perform, companies usually protect their web servers with layers of protection that include DDoS protection, reverse proxy services, and AWS load balancers. The web servers and database servers are assigned private IP addresses and are not directly exposed to the internet and attackers.

The client agreed that their architecture was not ideal. They had been in a hurry to get the web application into production and they were new to AWS at the time. They promised themselves that they would fix it later, but they never did. There was always some new project or priority that caused them to delay the redesign. Sound familiar?

Unfortunately, this scenario is more common than you might expect. While most of the clients I work with have skilled and experienced network/cloud architects and systems administrators who have implemented secure infrastructures, many still don’t. They do what works and hope to secure it later, but that will eventually catch up with them. 

Implementing strong network controls, while perhaps intimidating or time consuming, really is a critical part of any information security program. In this blog, I’ll explore the controls your program needs to have and provide practical advice on how to best implement them.

What is Network Infrastructure Management?

The Center for Internet Security Critical Control 12 – Network Infrastructure Management defines the controls needed for protecting your network infrastructure. The Center for Internet Security Controls are 18 critical information security controls all organizations should implement and all information technology and security employees should be familiar with to protect their networks, systems, and data. 

The overview for Control 12 is: Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.

Control 12 includes 8 safeguards: 

12.1  Ensure Network Infrastructure is Up-to-Date
12.2  Establish and Maintain a Secure Network Architecture
12.3  Securely Manage Network Infrastructure
12.4  Establish and Maintain Architecture Diagram(s)
12.5  Centralize Network Authentication, Authorization, and Auditing (AAA)
12.6  Use of Secure Network Management and Communication Protocols
12.7  Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure
12.8  Establish and Maintain Dedicated Computing Resources for All Administrative Work

Why is this control critical? 

Secure network infrastructure is essential in defense against cyber attacks. Organizations must have an appropriate architecture that they can effectively secure.  Securing company and customer data should be the highest priority for information security and technology professionals. Data breaches can cost companies tens or hundreds of millions of dollars from lost business, fines, legal settlements, and reputational damage. The 2013 Target data breach cost the retail giant at least $200 million in legal and other fees. Equifax agreed to pay $575 million as a result of its 2017 data breach. Both companies paid out more to recover from the breaches.   

The good news is that by implementing the safeguards listed above, you can strengthen your network infrastructure. Let’s discuss a few of them.

Safeguard 12.1 – Ensure Network Infrastructure is Up-to-Date

Safeguard 12.1 overlaps with Control 07 – Vulnerability Management. It boils down to using supported network gear and services and installing the latest security patches and firmware updates. It may seem clear enough, but in on-premises environments, clients often have firewalls with firmware that has not been updated in years, leaving them vulnerable to attack. As important as firewalls are, people forget to maintain them. If you rely on a firewall to protect your perimeter, you must also be dedicated to properly managing the firewall.    

Safeguard 12.2 – Establish and Maintain a Secure Network Architecture

Recall the client from the opening of this post. How should companies design their AWS environments for their web application? Here’s a good document and diagram from AWS advising how to properly architect an environment. It includes additional services you can optionally use, such as a WAF, a Content Delivery Network (CDN), and an Elastic Load Balancer (ELB), to better protect your web, application, and database servers or RDS instances. It does a good job of visually demonstrating the levels of protection and the different subnets companies can use for the different types of systems and services.

Safeguard 12.4 – Establish and Maintain Architecture Diagram(s) 

Some industry professionals I’ve worked with believe architecture diagrams to be a waste of time. They either don’t have diagrams or they are outdated. Architecture diagrams are used to visually represent your network, systems, location of data, and the flow of data in and out of your environment. The diagrams often list which ports are open to which systems, both from the internet and internally. You can look at a diagram and generally understand what’s going on. You can then compare the diagram to your actual network, inventory, and firewall and security rules to determine if they align.

Do you know what happens when companies don’t have network diagrams? There are usually some forgotten firewall or security group rules allowing traffic in where it shouldn’t be permitted. Or there’s a server sitting in the DMZ that shouldn’t be there. But the infrastructure director didn’t know about it because they were told by staff that everything was set up right. Without a diagram, they have to get under the hood themselves to check things out. And they may never do that.  You must document your entire infrastructure in order to protect it properly.  

Safeguard 12.8 – Establish and Maintain Dedicated Computing Resources for All Administrative Work 

This is one of the controls that distinguishes secure and insecure environments. If this safeguard is in place, many of the others are as well. In secure environments, companies require VPN access to their backend on-premises or cloud environment. Administrators then connect to a jump box, a server used for administrative tasks for the company infrastructure. The jump box is on a separate subnet from the production systems. From the jump box, the sys admins can SSH or RDP to the server they need to administer. In less secure environments, administrators can SSH or RDP directly from the internet to the servers they need to administer, no VPN or jump box. This is a dangerous practice as attackers can attempt to SSH and RDP to those same servers if they are not protected by VPN and jump box layers.

Periodic Firewall and Security Group Rule Reviews

Companies should conduct monthly or quarterly reviews of firewall and security group rules to verify they are appropriate. Network staff often test different services and tools before implementing them. That usually requires a change in firewall rules, such as opening a port for a new service or testing remote administration. Unfortunately, companies don’t always disable or delete the rule after the testing is completed or when the technology is no longer used. The port that was opened for one technology is now open for a different server, leaving it vulnerable to attack.
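One way to automate the comparison of diagram to actual rules described under Safeguard 12.4, the direct SSH/RDP exposure check from Safeguard 12.8, and the periodic review above. This is an added example, not code from the original post, CIS, or AWS. It assumes rule data in the shape returned by the EC2 `describe-security-groups` API; the group IDs, sample rules, and the `DOCUMENTED` map of diagrammed ports are constructed for illustration.

```python
# Added example: flag security group rules open to the whole internet that are
# either sensitive (SSH/RDP/PostgreSQL) or missing from the architecture diagram.
SENSITIVE = {22: "SSH", 3389: "RDP", 5432: "PostgreSQL"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

def internet_open_ranges(group):
    """Yield (low, high) port ranges the group opens to any address."""
    for perm in group.get("IpPermissions", []):
        cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
        proto = perm.get("IpProtocol")
        if not (cidrs & ANYWHERE) or proto not in ("tcp", "udp", "-1"):
            continue
        if proto == "-1":  # "-1" means all protocols and all ports
            yield 0, 65535
        else:
            yield perm["FromPort"], perm["ToPort"]

def audit(groups, documented):
    """documented: GroupId -> set of ports the diagram shows open to the internet."""
    findings = []
    for g in groups:
        allowed = documented.get(g["GroupId"], set())
        for lo, hi in internet_open_ranges(g):
            hits = sorted(p for p in SENSITIVE if lo <= p <= hi)
            for p in hits:  # sensitive ports are flagged even if diagrammed
                findings.append((g["GroupId"], p, f"{SENSITIVE[p]} reachable from the internet"))
            if not hits and not all(p in allowed for p in range(lo, hi + 1)):
                findings.append((g["GroupId"], lo, "internet-open rule not in diagram"))
    return findings

def rule(port, cidr):
    """Build one constructed ingress rule in describe-security-groups shape."""
    key, field = ("Ipv6Ranges", "CidrIpv6") if ":" in cidr else ("IpRanges", "CidrIp")
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, key: [{field: cidr}]}

# Constructed sample data (hypothetical group IDs), not from any real account.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web-example", "IpPermissions": [rule(443, "0.0.0.0/0"), rule(8080, "0.0.0.0/0")]},
    {"GroupId": "sg-db-example", "IpPermissions": [rule(5432, "0.0.0.0/0")]},
    {"GroupId": "sg-admin-example", "IpPermissions": [rule(22, "10.0.5.0/24"), rule(3389, "::/0")]},
]
DOCUMENTED = {"sg-web-example": {443}}  # the diagram shows only HTTPS as public

if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS, DOCUMENTED):
        print(*finding, sep="  ")
```

The leftover port 8080 test rule, the public PostgreSQL listener, and RDP open over IPv6 are reported; SSH restricted to the jump box subnet and the documented HTTPS rule are not.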

Work with KirkpatrickPrice to Implement an Unstoppable Network Infrastructure

At KirkpatrickPrice, we understand that implementing these controls is a lot easier said than done. For more details on the safeguards to protect your network to prevent a data breach, see the Center for Internet Security Controls document.

For help implementing these safeguards into your own network, connect with one of our experts today.  We’re committed to making sure your organization feels ready to face today’s threats confidently.

About the Author

Greg Halpin

Greg Halpin has 25 years of experience in information technology and security. He has a Master’s in Information Sciences – Cybersecurity and Information Assurance from Penn State University, and he has earned the CISSP, CISA, and CCSP certifications. He has experience and additional certifications in Amazon Web Services, Azure Cloud Services, Linux and Windows systems administration, vulnerability scanning, intrusion detection/prevention, and project management. He enjoys working with people and organizations to help them secure their networks and systems.