Tech Notes

Segregate Network Shares to Reduce Vulnerabilities

Summary
Placing all your high-risk network shares on a separate subnet reduces your vulnerability to malware attacks that target shares.

Background
A common propagation method for malicious software is to copy itself to open network shares. Enterprises are particularly vulnerable to this propagation vector: often (and mistakenly), network administrators view the network "within the perimeter" as trustworthy. In practice, they protect against threats from outside the network, but not from inside. This is, of course, dangerous. If malicious software does enter the network, it can then spread unchecked across the open shares.

In addition to the standard ways to protect against malware attacks (endpoint firewalls, antivirus, et cetera), you can also reduce your risk by rearchitecting your internal network. Put all your similar shares on the same subnet, and set access rules accordingly. For example, because shared printers aren't generally vulnerable to these malware attacks, put all your printers on one subnet, and make that subnet "trusted" to all users. Using Check Point Integrity, you would set that subnet as part of the "Trusted Zone" for all users. In the case of endpoint PCs with shared drives, put all of them on a subnet, and make that subnet "untrusted". With Integrity, you would set that subnet as an untrusted "Internet Zone" for all users.

If a malware outbreak does occur, at least the damage will be minimized.
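
The following is an added example, not part of the original note and not Check Point Integrity configuration: a small audit that checks an inventory of share hosts against the subnet plan described above. The subnet addresses, host names and share-kind labels are constructed for illustration.

```python
import ipaddress

# Constructed zone plan (assumed addresses): one subnet per kind of share.
ZONE_PLAN = {
    "printer": (ipaddress.ip_network("10.10.20.0/24"), "Trusted Zone"),
    "pc_share": (ipaddress.ip_network("10.10.30.0/24"), "Internet Zone"),
}

# Constructed inventory of hosts that expose shares: (name, ip, share kind).
INVENTORY = [
    ("prn-floor1", "10.10.20.11", "printer"),
    ("prn-floor2", "10.10.30.40", "printer"),   # printer on the PC-share subnet
    ("pc-alice", "10.10.30.17", "pc_share"),
    ("pc-bob", "10.10.20.52", "pc_share"),      # shared drive inside the trusted subnet
    ("pc-carol", "10.10.99.8", "pc_share"),     # outside every planned subnet
]


def zone_of(ip):
    """Return the zone label of the planned subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONE_PLAN.values():
        if addr in net:
            return zone
    return None


def audit(inventory):
    """Return (name, ip, problem) for each host not on the subnet planned for its share kind."""
    findings = []
    for name, ip, kind in inventory:
        expected_net, expected_zone = ZONE_PLAN[kind]
        if ipaddress.ip_address(ip) in expected_net:
            continue  # host is where the plan says it should be
        actual_zone = zone_of(ip)
        if actual_zone is None:
            problem = f"not in any planned subnet; expected {expected_net} ({expected_zone})"
        else:
            problem = f"sits in {actual_zone}; expected {expected_net} ({expected_zone})"
        findings.append((name, ip, problem))
    return findings


if __name__ == "__main__":
    for name, ip, problem in audit(INVENTORY):
        print(f"{name} ({ip}): {problem}")
```

A PC with a shared drive that sits in the trusted subnet (like the constructed `pc-bob` entry) is the finding to fix first, because every user's endpoint policy would treat it as trusted.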

Date Published
July 6, 2003
