Source: rowdysites.msudenver.edu/~fustos/cis3500/pdf/chapter11.pdf
CIS 3500 1
Architecture Frameworks and Secure Network Architectures
Chapter #11:
Architecture and Design
Chapter Objectives
- Explore use cases and purpose for frameworks
- Examine the best practices for system architectures
- Explain the use of secure configuration guides
- Given a scenario, implement secure network architecture concepts

Implementing Secure Protocols2
Industry-Standard Frameworks and Reference Architectures
- Architecture determines which security controls are implemented and how they are configured
- Architectures are intended to be in place for a long term and are difficult to change
- Carefully choosing and implementing the correct architecture for an organization’s computer systems up front makes them easier to maintain and more effective over time
- Generic blueprint

Regulatory
- Most industries in the United States are regulated in one manner or another
- When it comes to cybersecurity, more and more regulations are beginning to apply, from privacy, to breach notification, to due diligence and due care provisions

Non-regulatory
- Non-regulatory, such as the National Institute of Standards and Technology (NIST)
  - Special Publication 500 series – cloud
  - Special Publication 800 series – security controls (CSF)
- The NIST CSF is being mandated for government agencies, but is completely voluntary in the private sector
- This framework has been well received

National vs. International
- U.S. federal government has its own cloud-based reference architecture called the Federal Risk and Authorization Management Program (FedRAMP)
- EU rules and regulations covering privacy issues and data protection are radically different from those in the U.S.
- Safe Harbor Framework – not a valid mechanism any more
- GDPR – May 25, 2018

Industry-Specific Frameworks
- There are several industry-specific frameworks
- NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection)
- HITRUST Common Security Framework (CSF) for use in the medical industry and enterprises that must address HIPAA/HITECH rules and regulations

Benchmarks/Secure Configuration Guides
- Benchmarks and secure configuration guides offer guidance for setting up and operating computer systems to a secure level
- Benchmark guides from manufacturers of the software, from the government, and from an independent Center for Internet Security (CIS)
- Government resources from NIST and DISA

Platform/Vendor-Specific Guides
- Setting up secure services is important to enterprises
- Some of the best guidance comes from the manufacturer in the form of platform/vendor-specific guides
- These guides include installation and configuration guidance, and in some cases operational guidance as well

Web Server
- Market leaders are Microsoft, Apache, and nginx
- Web server connections between users (clients) and web pages (data being provided) are prone to attacks
- For Microsoft’s IIS and SharePoint Server, the company provides solid guidance on the proper configuration
- The Apache Software Foundation provides some information for its web server products as well
- Center for Internet Security – benchmarking guides

Operating System
- The operating system (OS) is a key component for the secure operation of a system
- Comprehensive, prescriptive configuration guides for all major operating systems are available from
  - manufacturers
  - Center for Internet Security, and
  - DoD DISA STIGs program

Application Server
- Application servers handle specific tasks
- E.g. e-mail server, database server, messaging platform
- Require proper configuration

Network Infrastructure Devices
- Network infrastructure devices are the switches, routers, concentrators, firewalls, and other specialty devices
- Proper configuration can be challenging but is very important
- Failures at this level can adversely affect the security of traffic being processed by them

General Purpose Guides
- CIS controls

Defense-in-Depth/Layered Security
- Defense-in-depth (layered security) is a security principle by which multiple, differing security elements are employed to increase the level of security
- Should an attacker bypass one security measure, one of the overlapping controls can still catch and block the intrusion
- E.g. in networking: access control lists, firewalls, intrusion detection systems, and network segregation can be employed in an overlapping fashion to achieve protection

Vendor Diversity
- Having multiple suppliers creates vendor diversity
- Not only Cisco routers/switches
- Multiple operating systems, such as both Linux and Windows
- Having multiple vendors adds to layered defense and removes a single failure mode scenario (common firmware)

Control Diversity
- Control diversity – both administrative and technical controls provide layered security
- Value of policies and procedures
- If there are technical controls backing up policies, then policy violations may still not create a complete vulnerability, as the technical control can stop a problem from occurring
- Total reliance on technical controls provides insufficient security

Administrative
- Administrative controls are those that operate on the management aspects of an organization
- They include controls such as policies, regulations, and laws
- Management activities such as planning and risk assessment are common examples
- Having multiple independent, overlapping administrative controls can act as a form of layered security

Technical
- Technical controls are those that operate through a technological intervention in the system
- Include user authentication (passwords), logical access