For years now – decades, really – the idea of whitelisting, in one form or another, has pervaded the infosec community’s thinking as to what constitutes a
best practice. We use firewalls to allow only the ports and protocols we have approved. We use email whitelists to accept mail only from vetted sources. We deploy 802.1X so that only devices we have blessed can use an Ethernet port. We keep MAC address whitelists on wireless access points (trivially spoofed, but the intent is the same). We have even started to embrace application whitelisting and configuration management, limiting what may execute on a host to a pre-approved list of software.
Our approach to local area networking, on the other hand, is stuck in the Stone Age. When you connect to a network you become one of many hosts on that (perhaps virtual) LAN, and, broadcast traffic aside, you can almost always send traffic to any other device on the segment and receive traffic from it, whether or not you have any legitimate reason to do so. No policy enforcement point sits between two hosts on the same segment: the switch forwards the frame, and only the receiving host's own configuration decides whether to answer.
I’ve been toying with this idea now for a few weeks, and I think it has merit: each host on a local network should only be allowed to communicate with the other hosts it has a pre-approved need to talk to. There are a number of ways this could be accomplished: centrally managed host firewalls, private VLANs or port isolation on the switch, per-port ACLs pushed down alongside 802.1X authentication, or flow rules from an SDN controller. The point is not the method but the result: limiting inter-host communication to the flows that need to exist. If an endpoint is then infected, its only possible contagion vectors are the nexuses of the network, the machines it is approved to reach, which more than likely serve many other hosts as well. That in turn lets staff concentrate hardening effort on those nodes, since they would be the most exposed (and the highest-value targets) under such a policy.
What we’d get in return is a drastic reduction in the value of an endpoint compromise, and in the ability of a threat actor or his tooling to move laterally along paths of least resistance that we either did not know existed or had too many of to manage. The price is that every required flow must be discovered and approved before it is enforced, so in practice such a policy is built by observing traffic in a log-only mode first and switching on enforcement only once the legitimate flows are known.
We would instead be making conscious choices about every path on the network.
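As an added example that is not part of the original post, the Python script below models the per-host allowlist described above. The segment, host names, addresses and approved flows are all constructed for illustration. It compares how far an attacker on one compromised host can reach on a flat segment versus along approved flows only, ranks hosts by peer count to find the nexuses that deserve hardening first, flags observed flows the policy does not cover (the log-before-enforce step), and renders one host's policy as an nftables input chain, as text, so nothing here needs root or a real switch.

```python
"""Model a per-host communication allowlist on a small LAN.

Added example, not code from the original post. The segment, the host names,
the addresses and the approved flows below are constructed for illustration,
and the nftables policy is rendered as text so the script runs without root.
"""
from collections import defaultdict

# Constructed sample segment: every host sits in 10.0.1.0/24.
HOSTS = {
    "ws-01": "10.0.1.11",
    "ws-02": "10.0.1.12",
    "ws-03": "10.0.1.13",
    "print-01": "10.0.1.20",
    "file-01": "10.0.1.30",
    "dc-01": "10.0.1.40",
}

# Approved flows as (client, server, proto, port); anything else is denied.
# Each entry is a conscious choice about one path on the network.
APPROVED_FLOWS = [
    ("ws-01", "file-01", "tcp", 445),
    ("ws-02", "file-01", "tcp", 445),
    ("ws-03", "file-01", "tcp", 445),
    ("ws-01", "dc-01", "tcp", 88),
    ("ws-02", "dc-01", "tcp", 88),
    ("ws-03", "dc-01", "tcp", 88),
    ("file-01", "dc-01", "tcp", 88),
    ("ws-01", "print-01", "tcp", 9100),
    ("ws-02", "print-01", "tcp", 9100),
]


def flat_lan_reach(start):
    """On a flat segment every other host is directly reachable."""
    return set(HOSTS) - {start}


def policy_reach(start, flows=APPROVED_FLOWS):
    """Hosts an attacker on `start` can open new connections to, moving
    transitively along approved flows (a compromised server may in turn use
    its own approved outbound flows). Abuse of an already established
    session in the reverse direction is not modelled."""
    adj = defaultdict(set)
    for src, dst, _proto, _port in flows:
        adj[src].add(dst)
    seen, stack = set(), [start]
    while stack:
        for nxt in adj[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    seen.discard(start)
    return seen


def nexus_hosts(flows=APPROVED_FLOWS):
    """Rank hosts by number of distinct peers, highest first; the top entries
    are the nexuses that warrant the most hardening effort."""
    peers = defaultdict(set)
    for src, dst, _proto, _port in flows:
        peers[src].add(dst)
        peers[dst].add(src)
    return sorted(((len(p), h) for h, p in peers.items()), reverse=True)


def unapproved(observed, flows=APPROVED_FLOWS):
    """Flows seen while monitoring (e.g. from flow logs) that the policy does
    not cover; review these before switching from logging to enforcing."""
    allowed = set(flows)
    return [f for f in observed if f not in allowed]


def nft_ruleset(host, flows=APPROVED_FLOWS):
    """Render an nftables input chain for `host`: established traffic and the
    approved inbound flows are accepted, everything else is dropped."""
    lines = [
        "table inet lanpolicy {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        # Broadcast-based services are not matched by conntrack replies and
        # need explicit rules; DHCP offers are the usual example.
        "    udp sport 67 udp dport 68 accept",
    ]
    for src, dst, proto, port in flows:
        if dst == host:
            lines.append(f"    ip saddr {HOSTS[src]} {proto} dport {port} accept"
                         f"  # approved: {src} -> {dst}")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for h in ("ws-01", "print-01"):
        print(f"{h}: flat LAN reaches {len(flat_lan_reach(h))} hosts, "
              f"policy reaches {sorted(policy_reach(h))}")
    print("nexuses:", nexus_hosts()[:2])
    print(nft_ruleset("file-01"))
```

Feed `unapproved()` the flows exported from your switches or host firewalls while they still run in log-only mode; an empty result is the signal that enforcement can be switched on without breaking anything you know about.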