The “Internet” attack vector is always relevant to take into consideration unless the architecture has no connection to the outside world what so ever, in essence, is protected by a so-called “air gap”. (Air gaps can be overcome by attackers as well, but we will look at that situation separately.)
In essence, we are looking at a situation where we assume that an attacker is present in a certain network zone like Internet or different kinds of guest and employees’ home network zones.
To start with, the simplest way to model a connection to the Internet network zone is as follows;
In the “Internet” attack vector example, we say that the attacker is starting from the “Internet” network zone, or actually the network zone where the outside interface of our firewall/router/gateway is connected. Attenuating this doesn’t make much sense since we can expect the attacker to be constantly present on the internet. We will discuss attacker attenuation in the coming examples instead.
In the above model, arrows are added to show how the attack is being carried out. The success rate of this attack is dependent on if the parameter KnownRuleSet on the firewall object is set to True or to a probability. If it is not entirely true (i.e. there are a certain probability that there might be firewall rules unknown to the system administrator), these unknown firewall rules may present an entrance opportunity to the attacker.
(A short note on the KnownRuleSet parameter is that sometimes firewall administrators say that “not even the admin interface of the firewall shows all firewall rules”.)
As mentioned earlier, the attack vector here is not only useful for analyzing attacks actually coming from the Internet, but is more often used to answer questions like “How vulnerable is this architecture to threats coming from a particular sub-zone of a network environment?” In such cases, simply connect the attacker to that zone and investigate the attack paths presented.
Updated 9 months ago