Watch Your Backdoors: Evaluating Connections and Reducing Attack Surface


The Evolution of Business Connectivity and High-Speed Internet Access

Over the past several years, the nature of business connectivity has evolved. Due to the growth of cloud-based technologies and an increased reliance on remote or web-based resources, the availability of high-speed Internet access has become increasingly important. Historically, only a small subset of an organization had Internet access, namely those who required this access to do their job. Now, Internet access at work is no longer a luxury for employees but a necessity - everything from research and development, to sales and marketing efforts, rely on this vital connection.

The increasing demand for Internet connectivity has changed the face of corporate network design. Many networks initially provisioned a centralized Internet egress point for all company traffic, frequently through a main datacenter. Access at this egress point would (hopefully) be well controlled and monitored with a firewall and intrusion detection/prevention system. Any remote sites would connect through the main office using a dedicated circuit such as a point-to-point link, a T1, or an MPLS connection. Remote sites would not have a local Internet connection.

This centralized access model results in a limited number of vulnerable connection points to an organization – as long as the main Internet connections were well-protected and monitored, most external access (both incoming and outgoing) could be managed. The attack surface of an organization to the Internet was only as great as the number of connections that were available.

With Every New Connection Comes a New Potential Attack Vector

As Internet access has expanded, so too have the number of Internet connections that exist within an organization. With every new Internet connection, a new potential attack vector is introduced.

Where do these connections come from? I thought you'd never ask. I generally see three main factors that increase the number of connections an organization may have:

  1. Internet breakouts
  2. Circuit redundancy/resiliency
  3. Acquisitions

A Connection Added for Resiliency/Redundancy: Best Controlled and Least Risky

Out of these three, a connection added for resiliency, or redundancy, is most frequently the best controlled and least risky. These connections may serve as a backup connection for a point-to-point or MPLS connection, and may only carry a VPN or dynamic VPN connection when the primary link is down. If such a connection exists and is configured correctly (and any directly connected devices are appropriately locked down), adding this type of Internet circuit should not significantly increase the risk to an organization.

One of the most popular trends in corporate WAN design is the provisioning of Internet breakout sites, where a remote site will be able to leverage a commodity Internet connection to provide local access to Internet resources. Since this traffic must no longer traverse the corporate WAN, there can be a significant benefit in terms of increased throughput and reduced latency by moving to this model. However, adding these connections can introduce risk to your network.

A primary concern would be the traffic that is passing through this connection – what traffic is allowed outbound, and what traffic is allowed inbound. Generally, an Internet breakout is considered an outbound-only connection, whereby all incoming traffic sourced from the Internet is dropped by a firewall rule or router ACL (return traffic is allowed through stateful packet inspection/tracking). While this is the most common deployment standard, occasionally a breakout site will also offer limited incoming external access for resources such as a client VPN or public facing server. Any of these sites should be secured and evaluated using the same methods as your main datacenter Internet connections. Outbound access should be restricted to explicitly defined services, and not simply any service whatsoever.

Internet Breakout Sites: The Lack of Control Problem

Internet breakout sites also introduce a further risk that is not often explored – a lack of control. Many business connections are assigned a larger external subnet, which provides for additional public IP addresses for devices connected to the circuit to use.

An example of a connection with this configuration would be one where the external subnet mask is something other than a /30, or 255.255.255.252 – such as a /29 (255.255.255.248) or /28 (255.255.255.240) and so on. These circuits can become a problem due to the availability of unused public addresses in a relatively uncontrolled segment of your corporate network. I have seen several cases of local IT staff using otherwise unused public addresses for unapproved purposes, such as dual-homing a machine for remote access to corporate resources using Remote Desktop over the Internet. While such actions may be in violation of an organization's security policy, these are often not detected until after the unauthorized device is compromised and begins sending malicious traffic to the internal network or Internet.

The Scariness of "Wild West" Acquisitions: Common and Very Real

Acquisitions are even scarier – I like to consider these sites as the “wild west” of corporate networking. Many organizations grow through acquisitions, and there is a relentless push to bring newly acquired companies (and their associated networks) into the network of the parent company as soon as possible.

While network design and security standards vary quite significantly, I have not found many of these sites to be pillars of excellent network and security design (in other words, they are generally pretty awful). Care must be taken to ensure that integrating another network into yours does not also result in integrating all of that network's backdoors and compromised systems as well, and giving them complete and unrestricted access to all of your network's resources.

Unfortunately, these issues are all too common and very real. Organizations can be compromised for years, especially those relying on basic or nonexistent security controls. Many companies have seen breaches or attacks that did not stem from a compromise of their own systems, but from a compromise that already existed in a company they acquired.

So, What Can Be Done?

First and foremost, make an inventory of every external connection in your organization. This may not be an easy task, given that these may number in the hundreds or thousands and be managed on a site-by-site basis.

Once this inventory is created, establish what devices are connected to each external subnet and their purposes. Any unauthorized devices that are connected will need to be addressed, which may be a difficult process. While this may be as simple as removing the device, some of these systems may have evolved into quasi business-critical systems that cannot simply be decommissioned. The best way to handle this sort of situation may involve the addition of a firewall and a DMZ to better monitor and control any access between these systems, the Internet, and the corporate network.

Once the external address space is inventoried and baselined, regular scans should be performed to alert the security team of any changes or additions, so that appropriate action may be taken.
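As an added example (not code from the original article), the following Python script ties together the subnet-mask point above and the inventory/baseline/scan procedure: for each external connection it counts the spare public addresses in the subnet (a /30 leaves none, a /29 or /28 leaves several) and diffs a scan result against the authorized baseline to flag addresses that respond but were never approved. The inventory, site names and scan results are constructed for illustration using documentation address ranges.

```python
import ipaddress

# Constructed inventory: one entry per external connection (site, external subnet,
# and the public addresses that are authorized to be in use on it).
INVENTORY = [
    {"site": "HQ-DC", "subnet": "203.0.113.0/30", "authorized": {"203.0.113.1", "203.0.113.2"}},
    {"site": "Branch-A", "subnet": "198.51.100.8/29", "authorized": {"198.51.100.9", "198.51.100.14"}},
    {"site": "Acquired-B", "subnet": "192.0.2.16/28", "authorized": {"192.0.2.17"}},
]

# Constructed scan results: addresses in each external range that answered a scheduled scan.
SCAN = {
    "HQ-DC": {"203.0.113.1", "203.0.113.2"},
    "Branch-A": {"198.51.100.9", "198.51.100.14", "198.51.100.12"},   # .12 is not in the baseline
    "Acquired-B": {"192.0.2.17", "192.0.2.20", "192.0.2.21"},          # .20 and .21 are not
}


def spare_addresses(subnet, authorized):
    """Usable host addresses in the subnet that no authorized device occupies.

    A /30 has two usable hosts (provider router and your edge device), so it has no
    spare addresses; a /29 or /28 leaves unused public addresses that local staff could
    quietly assign to an unapproved device.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    return [str(h) for h in net.hosts() if str(h) not in authorized]


def diff_scan(entry, responding):
    """Compare one site's scan result with its authorized baseline."""
    net = ipaddress.ip_network(entry["subnet"])
    # Ignore anything outside the site's own external subnet (scan noise).
    responding = {ip for ip in responding if ipaddress.ip_address(ip) in net}
    return {
        "site": entry["site"],
        "unauthorized": sorted(responding - entry["authorized"], key=ipaddress.ip_address),
        "missing": sorted(entry["authorized"] - responding, key=ipaddress.ip_address),
    }


def report(inventory=INVENTORY, scan=SCAN):
    """Per-site findings: spare address count plus unauthorized and missing responders."""
    findings = []
    for entry in inventory:
        result = diff_scan(entry, scan.get(entry["site"], set()))
        result["spare"] = len(spare_addresses(entry["subnet"], entry["authorized"]))
        findings.append(result)
    return findings


if __name__ == "__main__":
    for f in report():
        print(f"{f['site']}: spare={f['spare']} unauthorized={f['unauthorized']} missing={f['missing']}")
```

In practice the SCAN dictionary would be populated from the output of a scheduled external scan, and any non-empty "unauthorized" list is the alert the security team should act on.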

By evaluating your Internet connections and ensuring that backdoor access is minimized, you can significantly reduce the attack surface that your organization faces.