Ruslan Rakhmetov, Security Vision
The modern cyber landscape has undergone significant changes recently: the development of cloud infrastructures, the blurring of the perimeter, the transition to microservice architectures, a significantly expanded attack surface and the increased sophistication of cyber attacks, which have become extremely destructive, all influence the choice of relevant information protection measures, including network-based information protection systems. NIST SP 800-215, ‘Guide to a Secure Enterprise Network Landscape,’ which as of September 2022 is undergoing public comment and is being prepared for adoption, lists the major traditional classes of networking solutions with their inherent limitations and provides a list of modern network security solutions and approaches.
In summary, today's IT environment consists of subscriptions to multiple cloud services (including IaaS, PaaS, SaaS), enterprise business applications distributed across multiple offices and data centres and hosted on heterogeneous platforms, and often IoT devices. Such an infrastructure involves multiple interconnections between IT systems and resources, including data, cloud services and users connecting remotely. Consequently, the diversity of data and application sites, the heterogeneity of environments, and the speed of software development make it necessary to focus not on internal or external networks, but on users and devices: today, it is impossible to authenticate an entity based only on a single identifier or location (network segment). All access requests must be continuously validated beyond the start of a network session or the launch of a web application, and a decision must be made based on a context-aware approach.
NIST publication SP 800-215 describes the functionality of several current classes of network security solutions:
1. CASB (Cloud Access Security Broker) implements security policies for access to cloud data and applications by analysing where documents are stored, controlling access to them, detecting anomalies in user and entity behaviour, and identifying flaws in cloud infrastructure configurations. CASB solutions are placed between cloud service customers (CSC) and cloud service providers (CSP). Initially, CASB solutions were used to identify cloud resources and SaaS (software-as-a-service) applications, including to address the issue of ‘shadow IT’, i.e. the unauthorised use by users of IT solutions and software, such as file-sharing, VCS systems and collaboration tools, which have not been approved. CASB solutions then evolved into systems for enforcing information security (IS) policies in cloud infrastructures, including protecting corporate data in SaaS and IaaS (infrastructure-as-a-service) solutions, analysing behavioural anomalies and detecting malicious actions of users and entities, and identifying cloud configurations that do not meet the company's IS requirements and cybersecurity best practices.
2. WAF (Web Application Firewall) prevents web-based attacks by monitoring attempts to exploit web vulnerabilities (such as SQL injection, XSS, OS-level command injection, etc.) and by implementing virtual patching functions (blocking attempts to exploit vulnerabilities in unpatched web components).
3. Firewalls have not lost their relevance either; their functionality has expanded along roughly the following evolutionary path:
- packet filtering and network address translation (NAT) to monitor and control network packets, enforce network security rules, and hide internal addresses from the ‘outside world’;
- stateful inspection, also known as dynamic packet filtering, to monitor the state of network connections and make decisions based on the current state of each network connection;
- detection of and response to cyber threats such as malware, exploits and malformed packets, with reporting to SIEM systems and correlation with other IT/IS solutions in the infrastructure;
- capabilities for advanced logging and auditing of network connections, control of various types of network connections and traffic exchange points, use of Open API for integration with other network protection systems;
- UTM (Unified threat management) solutions that combine several security functions: firewall, IPS/IDS functionality to prevent/identify network intrusions, VPN gateway, antivirus, content filtering, load balancing;
- NGFW (Next-generation firewalls), which provide granular control of network activity at the application level (L7), internal segmentation, integration with sandboxes for inspection of suspicious objects, inspection of encrypted traffic (so-called SSL/TLS inspection), and also implement SD-WAN (Software-defined wide area networks);
- network filtering capabilities at the application level, which appeared in the WAF class of solutions, allowing URL analysis to detect malicious links and resources (including with the help of machine learning), maintaining an allow list of permitted network services, checking that web content conforms to the declared protocol, and filtering out unauthorised network protocols.
4. More advanced network security solutions include the following types of products:
- WAAP (Web Application and API Protection) solutions, which are an extension of WAF functionality to protect WebAPI interfaces and counter botnets and DDoS attacks;
- SWG (Secure Web Gateway) solutions, which protect enterprise users connecting from multiple locations from Web threats by analysing HTTP/HTTPS traffic.
NIST Publication SP 800-215 also focuses on a network micro-segmentation strategy to contain the spread of threats across the network and reduce the impact of attacks. The concept of micro-segmentation involves dividing an organisation's LAN into many small network segments, with traffic flow between them logged and controlled, and with rules, configured through network security policies, that permit only explicitly allowed network connections.
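As an added illustration (not code from the article or from NIST SP 800-215), a minimal Go policy evaluator for the explicit-allow, default-deny model described above: the segment names and addresses are constructed, and every inter-segment flow, permitted or not, yields an audit line.

```go
package main

import (
	"fmt"
	"net"
)

// Rule explicitly permits flows from one micro-segment to another on one
// port; a flow matched by no rule is denied (explicit allow, default deny).
type Rule struct {
	From, To string
	Port     int
}

// Policy maps segment names to their address prefixes and lists the rules.
type Policy struct {
	Segments map[string]*net.IPNet
	Rules    []Rule
}

// segmentOf returns the micro-segment an IP belongs to, or "unknown".
func (p Policy) segmentOf(ip string) string {
	for name, n := range p.Segments {
		if n.Contains(net.ParseIP(ip)) {
			return name
		}
	}
	return "unknown"
}

// Evaluate decides one flow (src IP, dst IP, dst port) and returns an audit
// line plus the verdict, so every inter-segment flow is logged either way.
func (p Policy) Evaluate(src, dst string, port int) (string, bool) {
	from, to := p.segmentOf(src), p.segmentOf(dst)
	verdict := "DENY"
	for _, r := range p.Rules {
		if r.From == from && r.To == to && r.Port == port {
			verdict = "ALLOW"
		}
	}
	line := fmt.Sprintf("%s %s(%s) -> %s(%s):%d", verdict, src, from, dst, to, port)
	return line, verdict == "ALLOW"
}

// SamplePolicy is a constructed three-tier policy with hypothetical addresses:
// only web -> app on 8443 and app -> db on 5432 are permitted.
func SamplePolicy() Policy {
	cidr := func(s string) *net.IPNet { _, n, _ := net.ParseCIDR(s); return n }
	segs := map[string]*net.IPNet{"web": cidr("10.1.0.0/24"), "app": cidr("10.2.0.0/24"), "db": cidr("10.3.0.0/24")}
	return Policy{Segments: segs, Rules: []Rule{{"web", "app", 8443}, {"app", "db", 5432}}}
}
```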
To practically implement micro-segmentation, you will first need to:
1. Create application identifiers: in today's world, identification based only on the mapping ‘IP address + port’ is no longer sufficient, as the vast majority of modern web applications run on the same TCP:443 port. Thus, for each network application, it is necessary to construct its unique fingerprint that will characterise only it.
2. The created identifier should be digitally signed by a trusted certificate authority to prevent attackers from tampering with the application identifier or forging a malicious application identifier of their own.
3. All resources that a particular web application uses, including services, applications, etc., should be identified to account for these relationships when profiling the application's behaviour.
4. It is recommended that similar and trusted applications be grouped together to reduce the burden on hardware resources and simplify administration.
5. It will then be necessary to map the created application groups to specific physical or virtual infrastructure elements, taking into account the network topology.
The following approaches can be used to implement micro-segmentation:
1. Segmentation-based approach: applications and resources with similar security requirements are grouped into separate segments, and firewall rules are applied to these segments. Network gateways installed at segment boundaries monitor and log traffic between segments, detect and prevent the spread of network threats.
2. Virtualisation-based segmentation: the hypervisor controls traffic flowing between virtual guest machines.
3. Host-based micro-segmentation: an agent is installed on devices that uses the built-in features of the host firewall to enforce granular network policies that are centrally set.
4. Identity-based micro-segmentation: all network applications exchange signed identifiers, mutually authenticate and authorise each other, and then determine whether they may connect each time a connection is established. With this approach, policies do not rely on IP addressing or subnets, so connections are independent of specific subnets and of the infrastructure, can be implemented as policies in CI/CD (Continuous Integration/Continuous Delivery) processes to accelerate software development and updates, and allow for the most accurate and granular networking policies possible.
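An added Go sketch (not code from the article or from NIST SP 800-215) of steps 1 to 3 of the procedure above and of the identity-based approach in item 4: an application identifier is a fingerprint over the application's name and resource set, signed by a trusted CA (Ed25519 stands in for a PKI here), and each connection is decided by verifying both identifiers and consulting an allow-list keyed by application name rather than by subnet. The application names and resources are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"sort"
	"strings"
)

// AppIdentity is an application identifier (name + resource fingerprint) signed by a CA.
type AppIdentity struct {
	Name, Fingerprint string
	Signature         []byte
}

// Fingerprint derives the identifier from the app name and its (sorted)
// resource set, so it characterises the application rather than an IP:port.
func Fingerprint(name string, resources []string) string {
	sorted := append([]string(nil), resources...)
	sort.Strings(sorted)
	sum := sha256.Sum256([]byte(name + "\n" + strings.Join(sorted, "\n")))
	return hex.EncodeToString(sum[:])
}

// CA is the trusted authority whose signature prevents identifiers from being
// modified or minted by anyone else. Ed25519 stands in for an X.509 CA here.
type CA struct{ pub ed25519.PublicKey; priv ed25519.PrivateKey }

func NewCA() CA {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return CA{pub, priv}
}

// Issue signs name|fingerprint so neither field can change without detection.
func (c CA) Issue(name string, resources []string) AppIdentity {
	fp := Fingerprint(name, resources)
	return AppIdentity{name, fp, ed25519.Sign(c.priv, []byte(name+"|"+fp))}
}

func (c CA) Verify(id AppIdentity) bool {
	return ed25519.Verify(c.pub, []byte(id.Name+"|"+id.Fingerprint), id.Signature)
}

// MayConnect is the per-connection check of identity-based micro-segmentation: both
// identifiers must verify, then the name-keyed allow-list must permit client -> server.
func MayConnect(ca CA, client, server AppIdentity, allow map[[2]string]bool) bool {
	return ca.Verify(client) && ca.Verify(server) && allow[[2]string{client.Name, server.Name}]
}
```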