Mar 24 2022

NSA Urges Agencies to Diversify Vendors as They Segment Their Networks

The National Security Agency recently offered agencies guidance on enhancing the security of their networks.

The final federal strategy on zero-trust security endorses a shift by agencies to segment their networks. Although that strategy will be implemented in varying ways at agencies, the strategy notes that “agencies must move away from the practice of maintaining a broad enterprise-wide network that allows enhanced visibility or access to many distinct applications and enterprise functions.”

Network segmentation enhances agencies’ cybersecurity by preventing an attacker who compromises a system on one network segment from pivoting to other sections of the network, limiting the scope and damage of an initial compromise.

Now, as agencies move to implement zero-trust strategies, including network segmentation, the National Security Agency is advising agencies and other organizations to avoid relying on a single networking vendor. In a recently released technical guidance report, the NSA stresses the importance of vendor diversity in organizations’ networks as a way to bolster security.

“Implement multiple layers of next-generation firewalls throughout the network to restrict inbound traffic, restrict outbound traffic, and examine all internal activity between disparate network regions,” the report states. “Each layer should utilize different vendors to protect against an adversary exploiting the same unpatched vulnerability in an attempt to access the internal network.”   


How to Harden Networks Against Vulnerabilities

The NSA document notes that it's crucial for agencies to maintain up-to-date operating systems and stable software to protect themselves against “critical vulnerabilities and security issues that have been identified and fixed in newer releases.”

“Devices running outdated operating systems or vulnerable software are susceptible to a variety of published vulnerabilities, and exploiting these devices is a common technique used by adversaries to compromise a network,” the document adds.

The NSA recommends that organizations update the software on all network devices to the latest stable version available from vendor partners, which might require new hardware or memory upgrades. Additionally, getting the new software version might mean agencies need to strike a new maintenance or support contract with the vendor.

“Most network infrastructure devices do not support an auto-update feature, so it is necessary to implement a requisition and installation process for the latest software with the vendor,” the NSA notes.
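Because network devices rarely auto-update, the practical first step is knowing which devices are behind. The following script is an added example, not code from the NSA guidance or the article: it compares a device inventory against a hand-maintained table of latest stable versions and produces the list of hosts for which the vendor requisition-and-install process needs to start. The hostnames, vendor and model names, and version numbers are all constructed for illustration.

```python
"""Flag network devices running software behind the vendor's latest stable release.

Added example, not from the NSA guidance or the article: the device inventory,
model names and version numbers below are constructed for illustration, as is
the "latest stable" table an operations team would maintain from vendor release notes.
"""
import re

# Constructed inventory rows: (hostname, vendor, model, installed version)
INVENTORY = [
    ("core-fw-01", "VendorA", "FW-1000", "9.1.4"),
    ("core-fw-02", "VendorB", "NGFW-X", "7.0.2"),
    ("ot-fw-01",   "VendorA", "FW-1000", "8.4.9"),
    ("dmz-sw-01",  "VendorC", "SW-48",   "15.2.7"),
    ("dmz-sw-02",  "VendorC", "SW-48",   "15.2.7b"),
    ("lab-sw-01",  "VendorD", "Legacy",  "3.1"),
]

# Constructed baseline: latest stable version per (vendor, model), kept current by hand
# because, as the NSA notes, most network devices do not auto-update.
LATEST_STABLE = {
    ("VendorA", "FW-1000"): "9.1.4",
    ("VendorB", "NGFW-X"):  "7.0.3",
    ("VendorC", "SW-48"):   "15.2.7b",
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z])?$")


def parse_version(text):
    """Parse '15.2.7b' into ((15, 2, 7), 'b').

    Numeric components compare as integers so that 10.0.0 sorts above 9.1.4
    (a plain string comparison would get that wrong); a trailing letter marks
    a rebuild and sorts after the unsuffixed release.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, match.group(2) or ""


def assess(inventory, latest):
    """Return (hostname, installed, target, status) for every device.

    status is 'current', 'outdated', or 'no-baseline' when the model is
    missing from the baseline table (those need a baseline before they can
    be judged, so they are surfaced rather than silently treated as current).
    """
    report = []
    for host, vendor, model, installed in inventory:
        target = latest.get((vendor, model))
        if target is None:
            report.append((host, installed, None, "no-baseline"))
        elif parse_version(installed) < parse_version(target):
            report.append((host, installed, target, "outdated"))
        else:
            report.append((host, installed, target, "current"))
    return report


def requisition_list(report):
    """Hosts that need the vendor requisition-and-install process started."""
    return [host for host, _, _, status in report if status == "outdated"]


if __name__ == "__main__":
    report = assess(INVENTORY, LATEST_STABLE)
    for host, installed, target, status in report:
        print("{:<12} {:<8} -> {:<8} {}".format(host, installed, target or "?", status))
    print("requisition needed:", requisition_list(report))
```

Devices with no baseline entry are reported separately rather than treated as current, since an unknown model is exactly the kind of device that tends to go unpatched.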

As Nextgov reports, earlier this month the Cybersecurity and Infrastructure Security Agency’s national cyber awareness system promoted the NSA’s report alongside CISA’s recently released infographic on network segmentation.

“Creating boundaries between the operational technology (OT) and information technology (IT) networks reduces many risks associated with the IT network, such as threats caused by phishing attacks,” CISA’s document states. “Segmentation limits access to devices, data and applications, and restricts communications between networks. Segmentation also separates and protects OT network layers to ensure industrial and other critical processes function as intended.”

If agencies properly implement network segments and include both “demilitarized zones” and firewalls in between them, they can “prevent a malicious actor’s attempts to access high-value assets by shielding the network from unauthorized access,” according to CISA.

“Firewalls can be configured to block traffic from network addresses, applications, or ports while allowing necessary data through,” the infographic adds. “Policies and controls should also be used to monitor and regulate system access and the movement of traffic between zones.”
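The segmentation CISA describes comes down to a zone-to-zone policy with a default deny. The following evaluator is an added example, not code from the CISA infographic or the NSA report: it models a firewall sitting between an IT zone, a DMZ and an OT zone, applies a first-match rule list to sample flows, and returns the denied flows in the form a monitoring rule would alert on. The zone names, address ranges, rules and sample flows are constructed for illustration.

```python
"""Evaluate a default-deny, zone-based segmentation policy against sample flows.

Added example, not from the CISA infographic or the NSA report: the zone
names, address ranges, rules and sample flows are constructed to illustrate
how a firewall between IT, DMZ and OT zones blocks lateral movement while
letting the necessary traffic through.
"""
import ipaddress
from typing import NamedTuple, Optional

# Constructed zone map; a real deployment takes this from the firewall's interface/zone config.
ZONES = {
    "IT":  ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT":  ipaddress.ip_network("10.30.0.0/16"),
}


class Rule(NamedTuple):
    src_zone: str
    dst_zone: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


# First match wins; a flow that matches nothing is denied (default deny).
POLICY = [
    Rule("IT",  "DMZ", "tcp", 443, "allow"),   # IT users reach the DMZ historian web front end
    Rule("DMZ", "OT",  "tcp", 502, "allow"),   # historian polls PLCs over Modbus/TCP
    Rule("OT",  "DMZ", "tcp", 443, "allow"),   # OT hosts push telemetry to the DMZ only
    Rule("IT",  "OT",  "any", None, "deny"),   # explicit: no direct IT-to-OT path
    Rule("OT",  "IT",  "any", None, "deny"),   # and none back from OT into IT
]


def zone_of(ip):
    """Return the zone containing ip, or None if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, network in ZONES.items():
        if addr in network:
            return name
    return None


def evaluate(src_ip, dst_ip, proto, dport, policy=POLICY):
    """Decide a single inter-zone flow. Returns (action, reason)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return "deny", "unknown-zone"
    if src_zone == dst_zone:
        return "allow", "intra-zone"   # the zone firewall is not in that path
    for rule in policy:
        if rule.src_zone != src_zone or rule.dst_zone != dst_zone:
            continue
        if rule.proto != "any" and rule.proto != proto:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        port = "any" if rule.dport is None else rule.dport
        return rule.action, f"{rule.src_zone}->{rule.dst_zone} {rule.proto}/{port}"
    return "deny", "default-deny"


def denied_flows(flows, policy=POLICY):
    """The denied subset of flows, each paired with the reason, for monitoring."""
    out = []
    for flow in flows:
        action, reason = evaluate(*flow, policy=policy)
        if action == "deny":
            out.append((flow, reason))
    return out


# Constructed sample flows: (src_ip, dst_ip, proto, dport)
SAMPLE_FLOWS = [
    ("10.10.5.20",  "10.20.0.10", "tcp", 443),   # IT user to DMZ web front end
    ("10.20.0.10",  "10.30.1.5",  "tcp", 502),   # historian to PLC
    ("10.10.5.20",  "10.30.1.5",  "tcp", 502),   # compromised IT host reaching for a PLC
    ("10.10.5.20",  "10.20.0.10", "tcp", 22),    # IT user SSH to DMZ: not in policy
    ("10.30.1.5",   "10.10.5.20", "tcp", 445),   # OT host reaching back into IT
    ("192.168.1.9", "10.30.1.5",  "tcp", 502),   # address in no zone at all
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", evaluate(*flow))
    print("denied:", denied_flows(SAMPLE_FLOWS))
```

The third sample flow is the case the article's segmentation argument is about: a host in IT that has been compromised cannot reach a PLC directly, and the attempt shows up as a denied flow that the monitoring layer CISA mentions can alert on.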
