ENTERPRISE SECURITY BLUEPRINT
ENFORCEMENT LAYER
The following segment boundary protections could have disrupted the attack:
Access Control
1. The malware should have been blocked at the atomic segment boundary from entering the host via the USB interface. Endpoint host and LAN segment boundary controls could have prevented establishment of P2P connections between infected hosts. Once detected, the infected hosts could have been contained by limiting their outbound network connections to authorized network services only.
2. As mission-critical components, operator PCs should not have been accessible over the network. A segment boundary firewall could have prevented access to these PCs.
Threat Prevention
3. IPS at the LAN segments and WAN boundaries could have detected the infected hosts and prevented the malware from spreading to other segments via known vulnerabilities. Once the worm was detected and analyzed, the IPS could have applied dynamically distributed custom IPS signatures to fully contain the worm by preventing exploitation of previously unknown vulnerabilities.
4. Outbound access from the LAN to C&C servers on the Internet could have been detected and blocked at the site boundary and at the organizational perimeter.
The fact that the Stuxnet worm successfully infected a high number of targets demonstrates that there
were insufficient security control mechanisms between entities with varying security characteristics,
including mission-critical operator PCs with access to nuclear-control PLCs.
Enforcement Layer Summary
The SDP architecture Enforcement Layer consists of enforcement points that act as platforms
for executing software-defined protections. Enforcement points may be implemented as network
security gateways, host-based software, mobile device applications or virtual machines in the cloud.
The main principle behind the Enforcement Layer is segmentation. Segmentation is critical for the
survival of an organization under attack as it prevents threats from proliferating within the network.
Implementing segmentation starts with defining the “atomic” segments in the network. Enforcement
points are introduced at the boundaries of each atomic segment to enforce defined protection logic.
Atomic segments can be grouped to allow for modular protection. Finally, trusted channels are
established to protect interactions and data flow between various network segments.
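As an added illustration, not taken from the blueprint or from any vendor product, the following Python model puts the segmentation methodology above and the four Stuxnet-era boundary controls listed earlier on this page into one policy evaluator: atomic segments are CIDR ranges, an enforcement point applies default deny at every segment boundary, the operator-PC segment is never reachable from other segments, a known C&C destination is dropped at the perimeter, and quarantining an infected host limits it to remediation services so it can no longer reach its peers. All addresses, segment names, the allow-list entries (including the port 102 entry for S7comm/ISO-TSAP) and the C&C denylist entry are constructed placeholders.

```python
"""Segment-boundary policy evaluator (constructed example).

Models the SDP Enforcement Layer ideas: atomic segments, enforcement points
at segment boundaries, default deny between segments, and containment of
infected hosts.  Every address, segment and allow-list entry below is made up.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

# Atomic segments, most specific first; "internet" is the catch-all and must stay last.
SEGMENTS = {
    "operator_pcs": [ip_network("10.2.10.0/24")],   # mission-critical operator/HMI PCs
    "control_net":  [ip_network("10.3.0.0/24")],    # PLC network
    "office_lan":   [ip_network("10.1.0.0/16")],    # ordinary endpoints
    "internet":     [ip_network("0.0.0.0/0")],      # everything else
}

# Authorized cross-boundary services: (src_segment, dst_segment, dport, proto).
# Anything not listed is dropped at the boundary enforcement point.
ALLOWED = {
    ("office_lan",   "internet",    443, "tcp"),   # web egress
    ("operator_pcs", "control_net", 102, "tcp"),   # S7comm/ISO-TSAP to PLCs
}

# Services a quarantined host may still reach: (dst_ip, dport, proto). Constructed patch server.
REMEDIATION_SERVICES = {("10.1.0.10", 443, "tcp")}


def segment_of(ip: str) -> str:
    """Map an IPv4 address to the atomic segment it belongs to."""
    addr = ip_address(ip)
    for name, nets in SEGMENTS.items():
        if any(addr in net for net in nets):
            return name
    return "unknown"  # unreachable while the catch-all exists, kept for safety


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class EnforcementPoint:
    """One enforcement point evaluating flows against boundary and host policy."""
    quarantined: Set[str] = field(default_factory=set)   # hosts confirmed infected
    cnc_denylist: Set[str] = field(default_factory=set)  # known C&C destinations

    def quarantine(self, host: str) -> None:
        self.quarantined.add(host)

    def decide(self, f: Flow) -> Tuple[str, str]:
        src_seg, dst_seg = segment_of(f.src), segment_of(f.dst)
        # Perimeter control: known C&C destinations are dropped first (item 4).
        if f.dst in self.cnc_denylist:
            return "DROP", "destination on C&C denylist"
        # Host-level containment: an infected host reaches remediation services only (item 1).
        if f.src in self.quarantined:
            if (f.dst, f.dport, f.proto) in REMEDIATION_SERVICES:
                return "ALLOW", "quarantined host -> remediation service"
            return "DROP", "quarantined host: outbound limited to remediation"
        # Mission-critical segment is never reachable from other segments (item 2).
        if dst_seg == "operator_pcs" and src_seg != "operator_pcs":
            return "DROP", "operator PCs are not network-accessible"
        if src_seg == dst_seg:
            return "ALLOW", "intra-segment"
        if (src_seg, dst_seg, f.dport, f.proto) in ALLOWED:
            return "ALLOW", "authorized %s->%s service" % (src_seg, dst_seg)
        return "DROP", "default deny at %s->%s boundary" % (src_seg, dst_seg)


def verdicts(ep: EnforcementPoint, flows: List[Flow]) -> List[str]:
    """Return the verdict for each flow, in order."""
    return [ep.decide(f)[0] for f in flows]


# Constructed flows resembling the worm's behaviour on the page.
SAMPLE_FLOWS = [
    Flow("10.1.5.20", "10.1.5.21", 445),      # infected host probing a LAN peer (P2P)
    Flow("10.1.5.20", "10.2.10.5", 445),      # infected host reaching for an operator PC
    Flow("10.2.10.5", "10.3.0.7", 102),       # operator PC to PLC (legitimate)
    Flow("10.1.5.20", "203.0.113.10", 443),   # beacon to a listed C&C address (placeholder)
    Flow("10.1.5.20", "198.51.100.8", 443),   # ordinary web egress
    Flow("10.1.5.20", "10.1.0.10", 443),      # contact with the patch server
]

if __name__ == "__main__":
    ep = EnforcementPoint(cnc_denylist={"203.0.113.10"})
    for label in ("before quarantine", "after quarantine"):
        print("--", label)
        for f in SAMPLE_FLOWS:
            v, why = ep.decide(f)
            print("%-5s %s -> %s:%d  (%s)" % (v, f.src, f.dst, f.dport, why))
        ep.quarantine("10.1.5.20")
```

Before quarantine the evaluator already stops the operator-PC probe and the C&C beacon, but the LAN peer probe passes as intra-segment traffic; once the host is quarantined, that peer probe and its web egress are dropped while the patch-server connection remains allowed, which is the "authorized network services only" containment the page describes.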
This segmentation methodology facilitates gateway consolidation and can be applied to many network
infrastructure configurations, from traditional and physical configurations to modern and dynamic
configurations using network and security virtualization, Virtual LANs and SDN infrastructures.
The SDP Enforcement Layer relies on this segmentation approach as an effective defense
against network infection from the most complex Advanced Persistent Threats (APTs).