Critical Control 16: Secure Network Engineering
Last Updated: 2011-10-24 23:52:20 UTC
by Johannes Ullrich (Version: 1)
We are now down to the last 5 controls, which are also labeled "Additional Controls". The reason they are labeled "additional" is not because they are less important. However, these controls are more processes that are harder to measure and automate. Controls 1-15 focused on issues that may be automated.
Control #16 illustrates the automation problems pretty well. Secure Network Engineering is a process that relies on qualified humans designing and maintaining a network with security in mind.
Many issues we discussed before are easier if the network was designed securely. For example the last control, data leakage prevention, works best if egress points in your network are clearly defined and regulated. A good network design will also make it easier to block access to devices if they are found to be infected with malware, and it will make it harder for malware to spread internally.
Another problem that has come before: How do you apply secure network engineering to an existing network? I have run into this many times before. A network is supposed to be "re-designed" on the fly without interrupting current operations. Usually I have to say that this is just not possible without immense costs, and in some cases, it may be simpler and cheaper to build a new network from scratch.
There are some possibilities to automatically monitor at least part of this process. For example, if we receive an alert about a new server or a change to the network configuration, we may be able to automatically compare this to a change control system to ensure that the change was properly approved and went through a process reviewing out network design. In short: Make sure your actual network matched the network design and don't allow the actual network to deviate from the secure design.
Johannes B. Ullrich, Ph.D.
SANS Technology Institute