Additional Gateways — Description

What I mean by “additional gateways” is when a host inside the architecture is opening an extra gateway to external networks like the Internet. Depending on the configuration of the work stations, this might be possible. Situations, when this might happen, is for instance when employees like office users or IT managers need to access external resources that are blocked by the ordinary gateway/router/firewall of the company (fetching external e-mail via IMAP if disabled, accessing repositories of updates, downloading non-company-standard software for testing and so on). Depending on the configuration of their hosts, it might be possible to connect the host to the Internet using a cell phone or a similar mobile broadband router.

Model

Created with foreseeti’s Threat Modeling tool securiCAD

Attack Vector Attenuation

Attenuating this attack vector is a bit tricky since it is representing a network- and firewall related attack path which means it is better to look at this scenario with an approach like “What would happen if an external communication path were to be opened by a host in this network zone?”.

Conclusions

When introducing an extra gateway like this, it is up to the configuration of the external gateway (the mobile broadband set-up of the work station) to take responsibility for the gateway protection parameters i.e. the “Enabled” and the “KnownRuleSet” parameters of the “Mobile GW FW” object. Actually, the user starting this external connection has more or less the same role as the IT staff running the main external gateway of the company.

Both the “Administration” and the “Communication” connections of the “Mobile GW” router shall be connected to the “Local WS Net” zone since the connection is managed by the work station.

In this attack scenario, the attacker is not gaining access to the “Internal Zone” network immediately/only by bypassing the “Mobile GW” protective mechanisms. Instead it will first arrive at the extra gateway (virtual) interface of the work station and then will have to continue the attack from there. This is not considered hard, but the attack needs to traverse the work station before reaching the other network zones it is connected to.