Software-defined Protection - page 67

ENTERPRISE SECURITY BLUEPRINT: APPENDIX A

Special consideration should be given to domain name resolution (DNS), as maliciously crafted DNS responses can deceive internal assets into interacting with malicious entities on the Internet or allowing C&C interactions with compromised internal hosts. DNS tunneling is often used to bypass Access Controls.

Guest Wi-Fi networks will often be connected to the Internet Access segment to allow guests to connect to the Internet, but with no access to internal assets. Depending on the enterprise security policy, the introduction of an enforcement point between guests and the Internet may be appropriate for guest asset protection and security policy enforcement.

If a proxy server is used for caching or for other functions, it should be placed in a DMZ to protect the internal network against potential attacks from the Internet on the proxy server itself and to provide an enforcement point that sees network interactions as transmitted by the user before aggregation by the proxy.
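
To make the DNS tunneling concern above concrete, the following is an added example (not part of the original blueprint) of how an enforcement point's DNS query log could be screened for tunneling indicators. The log format, thresholds, function names and sample data are all assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict

# Thresholds are assumptions for this example; tune them against your own DNS baseline.
MAX_LABEL_LEN = 40          # a single DNS label may be at most 63 bytes
MIN_ENTROPY_BITS = 3.5      # bits per character in the longest label
MAX_UNIQUE_SUBDOMAINS = 20  # distinct names under one domain, per client

def shannon_entropy(s):
    """Bits per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_name(qname):
    """Naive split into (parent domain, subdomain labels) using the last two labels.
    Assumption: a real deployment would use the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]

def find_tunnel_suspects(log_lines):
    """Return {(client, domain): sorted reasons} for query patterns that resemble tunneling."""
    seen = defaultdict(set)     # (client, domain) -> distinct subdomain strings
    reasons = defaultdict(set)
    for line in log_lines:
        _ts, client, _qtype, qname = line.split()
        domain, sub = split_name(qname)
        if not sub:
            continue
        key = (client, domain)
        seen[key].add(".".join(sub))
        longest = max(sub, key=len)
        if len(longest) > MAX_LABEL_LEN and shannon_entropy(longest) > MIN_ENTROPY_BITS:
            reasons[key].add("long high-entropy label")
    for key, names in seen.items():
        if len(names) > MAX_UNIQUE_SUBDOMAINS:
            reasons[key].add("many unique subdomains")
    return {key: sorted(r) for key, r in reasons.items()}

# Constructed sample log (assumed format: timestamp client qtype qname).
HEX = "0123456789abcdef"
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 A www.example.com",
    "2024-01-01T10:00:01Z 10.0.0.5 MX mail.example.org",
    "2024-01-01T10:00:02Z 10.0.0.7 A cdn.assets.example.com",
] + [
    f"2024-01-01T10:01:{i:02d}Z 10.0.0.23 TXT {i:02d}{(HEX[i % 16:] + HEX[:i % 16]) * 3}.bad-tunnel.example"
    for i in range(25)
]

if __name__ == "__main__":
    for (client, domain), why in find_tunnel_suspects(SAMPLE_LOG).items():
        print(client, domain, why)
```

Both indicators are heuristics: content delivery networks and some security products also generate long or numerous subdomains, so flagged pairs are candidates for review rather than confirmed tunnels.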

Protections

The following security controls are typical for the Internet Access design pattern:

Inbound Access Control
- Firewall prevents attacks from the Internet.
- IPS enforces protocol and data compliance.

Outbound Access Control
- Firewall allows authorized outbound interactions. Application control prevents access to known malicious sites and use of applications associated with malware and data loss.
- Network Address Translation (NAT) provides information hiding.

Pre-infection Threat Prevention
- IPS blocks exploitation of known application vulnerabilities.
- Anti-malware blocks exploitation of data-driven application vulnerabilities. Threat emulation is used to emulate application behavior in order to identify and block malicious active content.
- DoS protection blocks attempts to overload system resources.

Post-infection Threat Prevention
- Interactions with bot C&C servers are blocked.

Data Protection
- Data loss prevention controls block leakage of classified data to destinations outside of the organization.