Network Access Errors of Titanic Proportions

July 1, 2015

Restricting network access to only those applications or resources necessary for someone to do their job makes sense. It’s similar to restricting water from entering an entire hull so that the ship doesn’t sink. It’s easy, if you’ve ever been on a boat of any size, to think of water racing through the hull as a very bad thing. Kind of like a fraudster who has easy access to the far reaches of your network.

The question is, “is your ship unsinkable?” Are your network assets so well guarded that a single point of failure cannot cause catastrophic harm?

If you’ll buy my notion that it’s comparable to ship construction, the concept behind network segmentation is pretty old. The Titanic was by no means the first ship to feature supposedly watertight compartments. Chinese ships from the Eastern Jin Dynasty featured bulkheads, and that was around 410 AD. By the time the Titanic and her sister ship the Olympic were built, they were outfitted with a fairly sophisticated system to keep them afloat: 16 major watertight compartments and 15 transverse watertight bulkheads that ran clear across the ships. These boats could remain afloat with any two adjacent watertight compartments completely open to the sea without impacting the safety of the ship. Because no one considered anything worse than a collision near the juncture of two of the compartments, they were considered “practically unsinkable.”

Image: “Titanic side plan annotated English” by Anonymous – Engineering journal: ‘The White Star liner Titanic’, vol.91
What type of access control measures would make your network “practically unsinkable?”

What type of access control measures would make your network “practically unsinkable?” One would think that access control to networks should have evolved to a point where catastrophic failures are rare, just as hull construction not only specifies proper plate thickness and appropriate fasteners but also segments the hull in case of a breach.

Most identity and access management (IAM) and network access control (NAC) solutions function well and you’re well advised to consider adding them to your security arsenal. In addition, you may want to consider next-gen firewalls, intrusion protection/prevention, SSL VPNs, IPSec VPNs, and monitoring behavior patterns of all users.

Why are boats still sinking?

Why was 2014 the year of the breach? Rather than think about what current security measures do, let’s think for a minute about key gaps. What don’t they do? Most solutions are designed to restrict access to the perimeter or analyze behavior over a period of time to identify and then stop fraudulent activities. Once credentials have been used to access a jump host to slip through network defenses, attackers access unsecured ports or management tools, gaining a foothold in otherwise secure environments. Using traditional methods, attackers gain access and then over a period of several months become trusted users who steadily gain access to more and more resources.

Given this new attack paradigm, how can you protect your network? What’s been missing (up until now) are access controls that take the user, the role, and attributes (device, location, time) into consideration and limit network access and visibility to only those services required by that specific user, before any access to precious resources occurs.

In a sense, what you need to do is assume that your hull is going to leak, and then restrict access once inside to only those resources that users are entitled to (while making all other resources invisible and inaccessible) so that your network assets are safe.
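To make the preceding two paragraphs concrete, here is an added example of the kind of attribute-based policy evaluation they describe. It is illustration written for this page, not Cryptzone or AppGate code, and every service name, role, CIDR, time window and user below is constructed. Each rule states the conditions (role, managed device, source network, time of day) under which one service is exposed; a service with no matching rule is neither listed nor reachable, so a user who slips past the perimeter sees only what they are entitled to. The per-service denial reasons are kept so the same evaluation can feed an audit log.

```python
"""Attribute-based segmentation policy: visibility follows entitlement.

Added example, not vendor code. Every service, rule, user, address and
time here is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import time
from typing import Dict, FrozenSet, List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Request:
    """Who is asking, from what device, from where, and when."""
    user: str
    role: str
    device_managed: bool   # e.g. enrolled in MDM / passes a posture check
    source_ip: str
    local_time: time


def make_request(user: str, role: str, device_managed: bool,
                 source_ip: str, hhmm: str) -> Request:
    """Convenience constructor taking the time of day as 'HH:MM'."""
    return Request(user, role, device_managed, source_ip, time.fromisoformat(hhmm))


@dataclass(frozen=True)
class Rule:
    """One entitlement: the conditions under which a service is exposed."""
    service: str
    roles: FrozenSet[str]
    require_managed_device: bool = False
    allowed_networks: Tuple[str, ...] = ()          # CIDRs; empty = any source
    window: Optional[Tuple[time, time]] = None      # (start, end), inclusive

    def denials(self, req: Request) -> List[str]:
        """Return the unmet conditions; an empty list means the rule matches."""
        reasons: List[str] = []
        if req.role not in self.roles:
            reasons.append(f"role {req.role!r} not entitled")
        if self.require_managed_device and not req.device_managed:
            reasons.append("device not managed")
        if self.allowed_networks:
            ip = ipaddress.ip_address(req.source_ip)
            if not any(ip in ipaddress.ip_network(n) for n in self.allowed_networks):
                reasons.append(f"source {req.source_ip} outside allowed networks")
        if self.window is not None:
            start, end = self.window
            if not start <= req.local_time <= end:
                reasons.append(f"outside access window {start}-{end}")
        return reasons


# Constructed sample policy. Anything not listed here does not exist as far
# as the user is concerned: no rule grants it, so it is neither visible nor
# reachable (default deny).
POLICY: List[Rule] = [
    Rule("wiki", frozenset({"finance", "engineering", "contractor"})),
    Rule("git-server", frozenset({"engineering"}), require_managed_device=True),
    Rule("payroll-app", frozenset({"finance"}), require_managed_device=True,
         allowed_networks=("10.0.0.0/8",), window=(time(8, 0), time(18, 0))),
    Rule("db-admin-console", frozenset({"dba"}), require_managed_device=True,
         allowed_networks=("10.20.0.0/16",)),
]


def evaluate(req: Request, policy: List[Rule] = POLICY) -> Dict[str, List[str]]:
    """Map every service in the policy to its denial reasons for this request."""
    return {rule.service: rule.denials(req) for rule in policy}


def visible_services(req: Request, policy: List[Rule] = POLICY) -> List[str]:
    """Services the user may see and connect to; everything else stays dark."""
    return sorted(s for s, reasons in evaluate(req, policy).items() if not reasons)


def is_allowed(req: Request, service: str, policy: List[Rule] = POLICY) -> bool:
    """Connection-time check: an unknown service and an unmet condition both deny."""
    return service in visible_services(req, policy)


if __name__ == "__main__":
    # The same finance user, once from the office network and once from a
    # public address: payroll disappears from view in the second case.
    office = make_request("alice", "finance", True, "10.1.2.3", "10:30")
    cafe = make_request("alice", "finance", True, "203.0.113.5", "10:30")
    for req in (office, cafe):
        print(req.user, "from", req.source_ip, "->", visible_services(req))
        for service, reasons in evaluate(req).items():
            if reasons:
                print("  hidden:", service, "|", "; ".join(reasons))
```

The point of returning reasons rather than a bare boolean is operational: a sudden run of "device not managed" or "outside allowed networks" denials for one account is exactly the behavioural signal the earlier paragraph says perimeter-only controls miss.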

Learn more about how segmenting your network with AppGate can help you guard your network assets.


Philip Marshall

As Cryptzone’s Director of Product Marketing, Phil Marshall brings over 14 years of experience in both product and services marketing as well as 10 + years experience in the high-tech publishing space with publications including Dr. Dobb’s Journal and Byte magazine. Prior to joining Cryptzone, Phil worked at security firms Rapid7, Positive Technologies and RSA. He also was a Senior Product Marketing Manager at Black Duck, the leading open source governance and management firm.

A speaker at recent (ISC)2 conferences and ISACA, he’s participated in numerous webinars, in panel discussions and presented on topics including Identity Security, Application Security and Open Source Governance and Management.

Marshall earned a BA at Bates College and an MBA, cum laude, at the F.W. Olin Graduate School of Business at Babson College.
