Mastering Whitelisting: Simplified Network Security Architecture Explained for Cybersecurity Instructors
For more than two decades, cybersecurity professionals have preached and promoted the concept of defense in depth, specifying the importance of having multiple devices that work in tandem to provide the best possible security. We promote firewalls, access control lists on routers, demilitarized zones (DMZ) for public-facing systems, role-based access control, and similar methods to lock down systems.
These have been, and continue to be, great ideas, but the complications involved in configuring a viable defense-in-depth strategy have left many networks in a vulnerable state. The reality is that, except for larger organizations, corporate budgets do not allow for the equipment and personnel necessary to establish a viable defensive posture. Just one missing security device can leave a network vulnerable. Even worse, having poorly configured devices or poorly trained personnel can create a false sense of security which does little to keep the hackers at bay.
This is why students of cybersecurity need to be aware of how to simplify network security without all the complications that require a well-trained team to manage. Read on to learn a four-step approach to teaching students about simplifying network security architecture.
Most Cybersecurity Professionals Will Need to Get Creative
It is likely that most cybersecurity professionals will start their careers in smaller organizations which will not be able to acquire the many different and expensive devices necessary for a more traditional security posture.
This will force them to either be creative with what is available or cross their fingers and hope an attack never comes their way.
The best thing to teach students to do in these situations is to simplify the security posture without sacrificing protection. We can do this by getting back to the basics of internet security.
The simple idea behind network security is to keep bad actors out while allowing normal and expected traffic to traverse across a network. This is a foundational concept every student should be aware of. It is the primary principle of network security. They should then be taught about the many different ways traffic can be blocked from traversing the network under their control.
Whitelisting…If It Ain’t Broke…
One of the simplest ways is to implement a whitelisting strategy that limits external inbound connections to a small list of IP addresses. When budgets are tight, the old method of allowing by default and denying by exception needs to be replaced with the opposite: deny by default and allow by exception, which is exactly what whitelisting provides.
Why does this matter? Major failures in implementing defense-in-depth strategies have resulted in successful hacking activity which has stolen countless amounts of personal private data from retail stores and government organizations. Either the methodology does not work, or people are not using it. The latter is most likely to be true.
This is where teaching about whitelisting comes into play. Whitelisting is an incredibly effective methodology that can block 99 percent of known and unknown threats because it inherently limits inbound connections to the locations on its pre-approved list.
For example, a company that does not do business with China does not need to allow connections from that nation. So, a hacker in China cannot hack a network if the entire nation of China is blocked from gaining access. This is the simplicity students should be aware of.
A Two-Pronged Approach to Simplifying Network Security Architecture
To this point, I have addressed the first part of a two-part approach.
Combining whitelisting with the outsourcing of common internet-facing services is the second piece. The two most common internet-facing services are public websites and email, both of which can easily be outsourced to a third-party organization.
Before the days of the DMZ, the web server was the most commonly targeted device because it often provided a great launching point to attack other devices on the network. Students should understand that moving these services off the network greatly reduces the number of necessary inbound connections. A small network with zero internet-facing services will likely not need to allow any inbound connections and this makes the security posture incredibly simple.
Of course, a poorly designed whitelisting strategy can also create problems, so students should be given opportunities to think through the addresses that should comprise one of these listings.
“Necessary” and “Morale-Based”
Two categories of addresses should be included on a whitelist: “necessary” and “morale-based.” The necessary addresses are those needed to conduct business operations. Blocking access to and from these locations will disable the capabilities of the organization. This category is a no-brainer. The morale category is where students will need to think a little deeper.
Employees are often afforded the opportunity to connect to websites from work that provide them with news, sports, social media, personal email, and similar services. These are not necessary, but companies often allow this activity because it can be a morale booster. A savvy student will recognize that it is highly unlikely any hacking activity will come from well-known websites that provide this common type of content. Those can be considered safe inclusions.
The challenge here is what to cut off. A good whitelist should be under 100 addresses to be the most effective and that may not include everything an employee may want to access.
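As an added example (not code from the article or its author), the policy described above expressed in Python: a default-deny inbound allowlist split into the article's "necessary" and "morale-based" categories, evaluated against constructed connection records, with the under-100-entries check and the equivalent nftables input chain. The addresses are documentation ranges and the log format is an assumption made for illustration.

```python
import ipaddress

MAX_ENTRIES = 100  # the article's guidance: a good whitelist stays under 100 addresses
# Constructed allowlist using documentation ranges; the categories follow the article.
ALLOWLIST = {
    "necessary": ["203.0.113.10/32", "198.51.100.0/24"],  # e.g. a partner host, a branch office
    "morale-based": ["192.0.2.0/24"],                     # e.g. a well-known news site's range
}
SAMPLE_LOG = [  # constructed inbound connection records, not real traffic
    "src=203.0.113.10 dst=10.0.0.5 dport=443",
    "src=198.51.100.77 dst=10.0.0.5 dport=22",
    "src=192.0.2.200 dst=10.0.0.5 dport=80",
    "src=100.64.1.9 dst=10.0.0.5 dport=3389",
]

def build_networks(allowlist):
    """Parse every entry once and refuse a list too large to stay effective."""
    nets = [(cat, ipaddress.ip_network(e, strict=True))
            for cat, entries in allowlist.items() for e in entries]
    if len(nets) >= MAX_ENTRIES:
        raise ValueError(f"allowlist has {len(nets)} entries; keep it under {MAX_ENTRIES}")
    return nets

def decide(src_ip, nets):
    """Default deny: only a source inside an allowlisted network is permitted."""
    addr = ipaddress.ip_address(src_ip)
    for category, net in nets:
        if addr in net:
            return ("allow", category)
    return ("deny", None)

def evaluate_log(lines, nets):
    """Apply the policy to 'src=... dst=... dport=...' records."""
    results = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        verdict, category = decide(fields["src"], nets)
        results.append((fields["src"], fields["dport"], verdict, category))
    return results

def to_nftables(nets):
    """Render the same policy as an nftables input chain whose default is drop."""
    rules = ["table inet filter {", "  chain input {",
             "    type filter hook input priority 0; policy drop;",
             "    ct state established,related accept", "    iif lo accept"]
    rules += [f'    ip saddr {net} accept comment "{cat}"' for cat, net in nets]
    rules += ["  }", "}"]
    return "\n".join(rules)
```

Every record whose source is not inside one of the listed networks is denied, which is the default-deny posture the article describes; the rendered chain is what that same list looks like on a Linux host.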
The beauty of whitelisting is that smaller networks rarely need all the bells and whistles to protect a few systems. It is often more efficient to implement a simpler strategy that accomplishes the goals of the more complex ones. When working on networks with large databases connected to web applications and user portals, the security footprint can become much more complex, and necessarily so.
However, the smaller networks used by so many small businesses around the world can be protected using this much more streamlined methodology. Students should be encouraged to think outside of the box when considering security solutions for different types of networks. Assignments that require security designs for different types of networks will stretch students and make them much more effective once they move beyond the classroom and into the corporate arena. Remember, cybersecurity is only as effective as the one managing the capabilities.
We need professionals who can practically apply what they learn in the classroom to a variety of networks and scenarios. Challenging students in this way will make them invaluable in the future.
About the Author:
Dr. Gene Lloyd is an adjunct professor at Liberty University. He teaches computer science and cyber security programs for undergraduate and graduate students with a focus on applied cryptography, digital forensics, ethics, legal issues and policies, web security, ethical hacking, security operations, risk management, network security, access control systems, and advanced topics in computer security.