Understanding network segmentation

runZero multi-homed asset detection

Network segmentation is a critical security control for many businesses, but verifying that segmentation is working correctly can be challenging, especially across large and complex environments. Common techniques to validate segmentation, such as reviewing firewall rules and spot testing from individual systems can only go so far, and comprehensive testing, such as running full network scans from every segment to every segment, can be time intensive and are hard to justify on a regular basis.

For businesses subject to the PCI DSS requirements, validating cardholder data environment (CDE) segmentation is an important part of the security audit process. The image below is from the PCI guidance on scoping and segmentation and demonstrates a common CDE administration model.

The network bridge detection in runZero is opportunistic and far from perfect, but it may highlight areas where segmentation is broken, and can cut down on the number of surprises encountered in a future security audit.

Using the bridge report

The bridge report shows external networks in red and internal networks in green. This view is not a typical network map, but instead shows possible paths that can be taken through the network by traversing multi-homed assets. Assets where runZero only detected a single IP address are not shown in order to keep the graph readable.

Zooming in will show asset and subnet details. Clicking a bridged node once will highlight the networks it is connected to, and clicking it a second time will either take you to the asset page. Clicking a network once will highlight the connections to bridged nodes, and clicking a second time will perform a CIDR-based inventory search.

Bridge detection is useful when validating network segmentation and ensuring that an attacker can’t reach a sensitive network from an untrusted network or asset. Examples of this include laptops plugged into the internal corporate network that are also connected to a guest wireless segment and systems connected to an untrusted network, such as a coffee shop’s wireless network that also have an active VPN connection to the corporate network.

runZero detects network bridges by looking for extra IP addresses in responses to common network probes (NetBIOS, SNMP, MDNS, UPnP, and others) and only reports bridges when there is at least one asset identified with multiple IP addresses. Typical hardening steps, such as desktop firewalls and disabled network services will usually prevent multi-homed assets from being detected by runZero. The screenshot below shows how to search for multi-homed assets in the runZero inventory.

Using the asset route pathing report

Enterprise

Network segmentation is a foundational security control that can be easily undermined by network misconfigurations and multi-homed machines. runZero Enterprise users can now visualize potential network paths between any two assets in an organization using the asset route pathing report.

This report generates a graph of multiple potential paths by analyzing IPv4 and IPv6 traceroute data in combination with subnet analysis of detected multi-homed assets–without requiring access to the hosts or network equipment. This unique methodology identifies surprising and unexpected paths between assets that may not be accounted for by existing security controls or reviews.

With a view of potential paths, security professionals can verify whether a low-trust asset, such as a machine on a wireless guest network, can reach a high-value target, such as a database server within a cardholder data environment (CDE). The new feature highlights potential network segmentation violations and opportunities for an attacker to move laterally from one segment to another.