Balancing functionality with security to ensure the business booms without compromise is half the fun and all the challenge of network security. The easiest and most effective security means? Wire cutters! Of course, business operations and cutters don't make good bedfellows. Yet, businesses often need a virtual wire cutter: a closed network (think air gapping). The focus here will be introducing and securing it.

If you're unfamiliar with the concept of closed networks and their challenges, I suggest reading Cliff Varnadoe's excellent solution brief, How Secure is Your Closed Network? This blog won't duplicate Cliff's fine work but augment it by introducing additional challenges and methodologies for implementing his recommendations. But, first, a closed-networks refresher.

Closed Networks Refresher

Networked systems and their infrastructures often need to be isolated from others for security assurance. I don't mean layer-2 or virtual instance separation-I'm talking downright wire-cutter-like, more-or-less physical separation! Who does this, and why? The Department of Defense (DoD) first comes to mind. You'll find closed networks throughout the DoD to protect sensitive or classified information. Other advantages besides data isolation and protection include limiting or eliminating the risk of data leakage, malware, intrusion attempts and denial-of-service attacks. Removing connectivity to other systems or entities inside an enclave or between gateways (e.g., for internet access) introduces challenges.

Closed Networks Challenges

Cutting a network connection to the outside world, physically or virtually, doesn't guarantee cybersecurity nirvana! You still need to implement controls and best practices south of the gateways. And your people remain a viable inside threat as they creatively find ways to infect your systems, probably unaware of what they're doing.

How? They were lucky to find it in the parking lot by clicking on an irresistible email link or plugging in that USB drive. Unpatched systems are another vector for cybersecurity breaches. People and patching problems can be mitigated through training programs, least-privileged access and effective patch management. There are other possible non-cybersecurity-related challenges or considerations with closed networks.

• Backend Communications: Closed networks must not communicate with backend servers (e.g., for signature updates or license information). This can be a problem for systems expecting connectivity by default. An explicit configuration to turn this function off may be required. SonicWall firewalls make this easy by presenting administrators with a unique 'diag' page for exceptions like turning off backend communications.
• Registration: Automatic device registration won't happen in a closed network. Therefore, an administrator may need to download or copy a registration keyset or license file from a backend service such as MySonicWall.com and paste it into an appropriate window during the initial registration process.
• Licensing Updates: A network or security device will likely regularly check a backend service such as MySonicWall.com for license updates. However, this isn't possible in a closed network, so licenses must be manually updated by exporting and importing a license file. Find out whether the individual owning the account must be the person who exports/imports the license file. Closed network SonicWall administrators recently discovered this requirement.

• Signature Updates: Like licensing, signature updates for an antivirus gateway or botnet filter must be downloaded and imported into the security device. SonicWall administrators retrieve these from their MySonicWall.com account.

Read Cliff's paper on securing closed networks (linked in the first paragraph) - you'll find additional challenges and strategies. SonicWall firewalls can mitigate many of them.

Securing Closed Networks with SonicWall

First, strong multifactor authentication (MFA) will help secure your closed network by ensuring that only proper individuals access the correct data. To that end, SonicWall firewalls offer Multifactor Authentication (MFA) through One-Time Passwords (OTPs) and smart cards.

Second, least-privileged access is critical to protecting resources inside a closed network. SonicWall firewalls offer various administrative postures, ensuring that only the least privileged access is granted. Additionally, resource access for remote users is explicitly and easily granted.

Third, SonicWall firewalls offer many options for strong encryption of data and communications sessions, which can be via IPsec (Internet Protocol Security) or TLS (Transport Layer Security).

Fourth, SonicWall firewalls contain a robust intrusion detection and prevention (IDS/IPS) engine that detects malicious behavior by signature or behavior and stops it dead in its tracks.

Fifth, even within a closed network, network micro-segmentation is a breeze with a SonicWall next-generation firewall solution because all interfaces (real or virtual), security services, and traffic flows are tied to discrete security zones that are easy to configure and manage.

Sixth, SonicWall firewalls can export logs and real-time event information in several formats, such as SYSLOG and IPFIX. Additionally, they integrate with security information and event management (SIEM) solutions like Splunk to aggregate and analyze activity flowing through the firewall.

Finally, SonicWall's Network Security Manager (NSM) on-premises offering allows an organization to centrally manage many firewalls in a closed network through a single pane of glass. NSM handles certificate, patch, and license management without contacting services outside the closed network.

Closed networks may be needed to isolate or secure infrastructures, systems, and data. Although you may be tempted to use wire cutters to do the job, a network device or virtual disconnection may be better! Nevertheless, closed networks must be secured to protect against DoS attacks, malware, or intrusion attempts. SonicWall can help through easy-to-configure security services, robust encryption, micro-segmentation, and SIEM integration.

Contact us for additional information about our solutions.