Page 1

A Layered Approach to Support Extranet Security

Ralph Santitoro
Director of Security Solutions - Nortel
EntNet @ SUPERCOMM 2005 Panel 2 Session - June 6, 2005
[email protected]
http://www.nortel.com/security

Page 2

© 2005 Nortel Networks. All Rights Reserved.

What are you trying to protect?

> Business Continuity
  • Protecting the network, hosts and applications from threats or vulnerabilities
  • Protecting outsourced services, e.g., Call Centers, Customer Service

> Information Security
  • Controlling the usage of information
  • Auditing the movement of information

[Diagram: two protection layers - "Information Privacy Layer" (labelled Information Security) above the "Network, Host, and Application Defense Layer" (labelled Business Continuity)]

Page 3

What’s Keeping the CxO Up at Night?
- Top 5 Security Concerns for 2005*

> Computer worms, viruses

> Regulatory compliance

> Online fraud

> Early warning of cyber attacks

> Data Privacy

80% of CSOs report that cyber attacks had a bottom-line financial impact on their organizations*

* Source: CSO Interchange New York December 2004

Page 4

Regulations will Drive Security Deployments
- Regulations will increase the focus on Security

> Sarbanes Oxley

> Health Insurance Portability and Accountability Act (HIPAA)

> Gramm-Leach-Bliley (GLB)

> California Database Breach Notification Act (SB1386)

> Data Protection and Misuse Act (UK)

> Personal Information Protection & Electronic Documents Act (Canada)

> Safe Harbor Act – EU Data Protection Act (Europe, U.S.)

Page 5

Business Continuity - Protecting the Network, Hosts and Applications - What are the Threats?

Page 6

Business Continuity - Must maintain reliable services

> Conduct business without outages of critical services

> Maintain communications
  • Internally and with customers, suppliers, partners

Page 7

What are the Threats? - Malicious Software (Malware): Viruses, Worms, Trojans

> Typically infect computers by exploiting “vulnerabilities” and social engineering
  • Steal passwords (e.g., cookies)
  • Destroy documents
  • Steal confidential data (e.g., Phishing, Scam)
  • Impede host or network device performance
  • Distribute SPAM

> Infected computers threaten the security of the network

> How to stop Malware
  • AntiVirus software
  • Intrusion Detection software or appliances
  • Traffic Management devices
  • Security policies

Page 8

Denial of Service and DDoS attacks

> Targets known “vulnerability” in devices

> Can cause devices to completely stop working

> Denial of Service
  • One hacker targeting one network device or host

> Distributed Denial of Service (DDoS)
  • One or several hackers taking over multiple hosts on the Internet
  • These machines then target a single network device or host
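The slide distinguishes a single-source Denial of Service from a DDoS in which many taken-over hosts converge on one target. As an added example (not part of the original presentation and not Nortel code), the following Python applies that distinction as detection logic over constructed flow records: it aggregates packets and distinct sources per target, flags targets whose rate exceeds a threshold, and labels them DoS or DDoS by source count. The sample flows, the addresses, the 2000 packets/second threshold and the 10-source cutoff are all assumptions; the response strings follow the deck's own list of actions (report, drop the traffic, reduce the bandwidth).

```python
from collections import defaultdict

# Constructed sample flow records (not from the slides): (second, src_ip, dst_ip, dst_port, packets).
# 192.0.2.10 is hammered by one host (single-source DoS), 192.0.2.20 by forty hosts
# (distributed attack from taken-over machines), and 192.0.2.30 sees ordinary mail traffic.
SAMPLE_FLOWS = (
    [(s, "203.0.113.7", "192.0.2.10", 80, 4000) for s in range(3)]
    + [(s, f"198.51.100.{i}", "192.0.2.20", 443, 150) for s in range(3) for i in range(1, 41)]
    + [(0, "10.0.0.5", "192.0.2.30", 25, 12), (1, "10.0.0.6", "192.0.2.30", 25, 9)]
)

WINDOW_SECONDS = 3            # length of the sample capture
PPS_THRESHOLD = 2000          # assumed per-target packets/second that counts as an attack
DISTRIBUTED_MIN_SOURCES = 10  # assumed number of sources that makes an attack "distributed"

# Responses modelled on the deck's list of actions: report, drop traffic, reduce bandwidth.
ACTION_BY_VERDICT = {
    "normal": "none",
    "dos": "drop traffic from the single source and report",
    "ddos": "rate-limit traffic to the target and report",
}


def summarize_by_target(flows):
    """Aggregate packet counts and the set of distinct sources for each destination host."""
    stats = defaultdict(lambda: {"packets": 0, "sources": set()})
    for _second, src, dst, _port, packets in flows:
        stats[dst]["packets"] += packets
        stats[dst]["sources"].add(src)
    return stats


def classify_targets(flows, window_seconds=WINDOW_SECONDS):
    """Return {dst: {"verdict", "pps", "sources", "action"}} for every destination seen."""
    verdicts = {}
    for dst, s in summarize_by_target(flows).items():
        pps = s["packets"] / window_seconds
        nsrc = len(s["sources"])
        if pps < PPS_THRESHOLD:
            verdict = "normal"
        elif nsrc >= DISTRIBUTED_MIN_SOURCES:
            verdict = "ddos"   # many hosts converging on one target
        else:
            verdict = "dos"    # one (or a few) hosts against one target
        verdicts[dst] = {
            "verdict": verdict,
            "pps": pps,
            "sources": nsrc,
            "action": ACTION_BY_VERDICT[verdict],
        }
    return verdicts


if __name__ == "__main__":
    for dst, v in sorted(classify_targets(SAMPLE_FLOWS).items()):
        print(f"{dst}: {v['verdict']:6} {v['pps']:8.1f} pps from {v['sources']:3} sources -> {v['action']}")
```

A real deployment would feed this from NetFlow or a packet capture over a sliding window and tune both thresholds to the target's normal load; the point of the source count is that blocking one address, the natural response to a DoS, does nothing against a DDoS.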

Page 9

Extranet Challenges - Threats from Encrypted Traffic

> Sensitive data, VPN traffic, secure multimedia and eCommerce rely on encryption for security
  • Encryption hides malicious code

> Threat prevention devices must:
  • Decrypt the traffic
  • Scan traffic for Malware
  • Report or take action on the traffic
    • E.g., report the threat, drop the traffic, reduce the bandwidth, etc.
  • Re-encrypt the traffic

Page 10

ANATOMY OF A REAL-WORLD ATTACK
A sophisticated attacker will leverage trust relationships to gain access to more valuable information assets.

[Diagram: external attacker’s system → “base camp” (a target server is attacked and compromised) → the acquired server is used as a vantage point to penetrate the corporate net → further attacks are performed as an internal user]

5 P’s
  • Probe
  • Penetrate
  • Persist
  • Propagate
  • Paralyze

Page 11

Threat Prevention

> Extranet Threats require similar protection to other internal or external threats

> Similar technologies and procedures used

> Intelligent traffic management is critical

[Diagram: threat prevention cycle - Monitor, Detect, Act, Mitigate - with the stage labels Configure, Capture, Analyze Signatures, Violations, Behavior Scan, Log, Alert, Block, Patch, Policy]

Page 12

Enterprise Security Challenge - A Dynamic Situation

[Diagram: attack sources and paths into the enterprise network]

> Infrastructure Attacks

> Unknown Connections
  • Wireless access points
  • Unused active ports
  • Unauthorized use

> Extranet
  • Compromised
  • Malicious
  • Unintentional

> Intranet
  • Compromised
  • Malicious
  • Unintentional

> Unknown attacks, Engineered attacks
  • Passwords compromised
  • Sessions intercepted

Understand the network. Detect the vulnerabilities. Protect the assets.

Page 13

Security Policy Layers - Why Deep Packet (L3-L7) Inspection and Intelligent Traffic Management are so important

[Diagram: example traffic flows passing through the security policy layers]

> IP Access Protection
  • Anti-Spoofing

> Denial of Service Attack Protection
  • Scan, Syn, Fin DoS Attack

> Application Inspection
  • Worms, Viruses, Trojans …

> Malware Inspection

> Apply Policies
  • VoIP (Guaranteed)
  • Peer-to-Peer, Instant Messaging (Limited)

> Reporting and Logging

Page 14

Remote End Point Compliance

> Remote end point devices (PCs, mobile devices, etc.) accessing the Extranet are assessed prior to network access
  • To determine if they are compliant with security policies

> Example policy compliance rules
  • AntiVirus installed, AntiSpyware installed, Operating System security patches and Application security patches must be installed

> Compliance Policy Choices
  • Block All, Quarantine, Allow Some, Allow All

End point devices accessing the network are made compliant with corporate security policies

Page 15

Remote End Point Security Challenges and Solutions for Extranets

> Masquerading: How do I know the user hasn’t stolen a user ID & password?
  • Use token-based or 2-factor authentication, e.g., RSA SecurID card or User ID / Password + VPN ID / Password

> Negligence: A user walks away from her desk leaving an open VPN session
  • Use an auto-logoff timer to terminate the VPN session after a period of inactivity

> Residual Data: A patient’s medical data is cached on a PC and becomes accessible to the next user
  • Use cache cleansing to clear browser history and cached data once the VPN session is terminated

> Trust: I don’t want sensitive applications accessed from any unknown PCs
  • Use dynamic access policies enabling varied access depending on configured parameters at login, e.g., allow Email, but no file access, or deny access completely
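As an added example, not part of the original presentation and not Nortel code, the following Python models the compliance choices from the previous slide (Block All, Quarantine, Allow Some, Allow All) together with two of the solutions above: a dynamic access policy chosen from the endpoint's state at login, and an auto-logoff timer with cache cleansing when the VPN session ends. The four check names, the service names ("email", "file_access", "sensitive_apps", "remediation_server"), the known_device flag, the tier rules and the 600-second idle timeout are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class EndpointPosture:
    """Result of assessing a remote endpoint before it is allowed on the Extranet."""
    antivirus_installed: bool
    antispyware_installed: bool
    os_patches_current: bool
    app_patches_current: bool
    known_device: bool  # assumption: a registered corporate PC rather than an unknown PC


# Assumed mapping from the deck's compliance choices to the services a session may reach.
ACCESS_BY_TIER = {
    "allow_all": frozenset({"email", "file_access", "sensitive_apps"}),
    "allow_some": frozenset({"email"}),               # e.g. allow Email, but no file access
    "quarantine": frozenset({"remediation_server"}),  # only the fix-up server is reachable
    "block_all": frozenset(),
}


def failed_checks(posture):
    """Names of the example policy rules the endpoint does not satisfy."""
    checks = {
        "antivirus": posture.antivirus_installed,
        "antispyware": posture.antispyware_installed,
        "os_patches": posture.os_patches_current,
        "app_patches": posture.app_patches_current,
    }
    return [name for name, ok in checks.items() if not ok]


def assess(posture):
    """Pick an access tier: block everything, quarantine for remediation, or allow by trust."""
    failed = failed_checks(posture)
    if len(failed) == 4:
        tier = "block_all"
    elif failed:
        tier = "quarantine"
    elif posture.known_device:
        tier = "allow_all"
    else:
        tier = "allow_some"  # unknown PC: sensitive applications stay out of reach
    return tier, ACCESS_BY_TIER[tier], failed


class VpnSession:
    """A VPN session with an inactivity auto-logoff and cache cleansing on termination."""

    def __init__(self, user, tier, started_at, idle_timeout=600):
        self.user = user
        self.allowed = ACCESS_BY_TIER[tier]
        self.last_activity = started_at
        self.idle_timeout = idle_timeout
        self.terminated = False
        self.cleanup_actions = []

    def can_access(self, service, now):
        """Authorize one request at time `now`; expire the session if it sat idle too long."""
        if self.terminated:
            return False
        if now - self.last_activity > self.idle_timeout:
            self.terminate()
            return False
        self.last_activity = now
        return service in self.allowed

    def terminate(self):
        """Close the session and record the cache-cleansing steps to run on the endpoint."""
        self.terminated = True
        self.cleanup_actions = ["clear_browser_history", "clear_cached_data"]
        return self.cleanup_actions


if __name__ == "__main__":
    # Constructed sample endpoints, one per tier
    for label, posture in [
        ("known, compliant", EndpointPosture(True, True, True, True, True)),
        ("unknown PC, compliant", EndpointPosture(True, True, True, True, False)),
        ("no antispyware", EndpointPosture(True, False, True, True, True)),
        ("nothing installed", EndpointPosture(False, False, False, False, True)),
    ]:
        tier, services, failed = assess(posture)
        print(f"{label:24} -> {tier:10} services={sorted(services)} failed={failed}")
```

The tier is decided once, at login, from the posture the endpoint reports; every later request is then checked against that tier and against the idle timer, so a session left open on an unattended desk closes itself and the cleanup list records what the endpoint must wipe.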

Page 16

Remote Endpoint Security Compliance and Remediation for Extranets

> Example Extranet end point security policy to access network:
  • AntiVirus must be installed
  • AntiSpyware must be installed

[Diagram: client-based and client-less Extranet access over an Extranet VPN connection; end point checks shown: Virus, IDS, AntiSpyware, PFW; non-compliant end points are directed to Quarantine / Remediation]

Page 17

Summary

> Extranets require multiple layers of protection to ensure business continuity and protect information privacy
  • Secure access (VPN) with user-based Security Policies
  • Threat Prevention at Layer 3-7
  • Deep Packet Inspection and Intelligent Traffic Management
  • End Point Security Compliance and Remediation