Beware the Firewall, My Son! The Jaws That Bite, The Claws That Catch!* *With apologies to Lewis Carroll


Dec 05, 2014



Nothing strikes fear into the heart of an engineer more than the installation of a firewall to achieve the laudable goal of defense-in-depth through network segmentation. Security teams demand the implementation of firewalls telling everyone, “It’s for compliance!” But the addition of firewalls and other security appliances (aka chokepoints) into an infrastructure infuriates network engineers who design to optimize speed and minimize latency. Sysadmins and DBAs are equally frustrated, because of the increased complexity in building and troubleshooting applications. So it’s down the rabbit hole we go trying to achieve the unachievable with everyone waxing rhapsodic for those bygone days when the end-to-end principle ruled the Internet. Is it really possible to have security coexist with operational efficiency? Organizations seem happy to throw money at technology and operations, but when it comes to policies and procedures, they fail miserably. This is the biggest problem with building a layered design. As engineers, if we don’t have clear policies as a set of requirements, how will we determine the appropriate network segmentation and protections to put in place? The answer lies in aligning network segmentation with an organizational data classification matrix and understanding that while compliance and security often overlap, they’re not the same.
Page 1: Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!

Beware the Firewall, My Son! The Jaws That Bite, The Claws That Catch!*

*With apologies to Lewis Carroll

Page 2

Who Am I?

•  Michele Chubirka, aka Mrs. Y.
•  Senior security architect.
•  Blogs and hosts Healthy Paranoia, information security podcast channel of Packetpushers.
•  Researches and pontificates on topics such as security architecture and best practices.

Page 3

Discussion Points

•  Firewall State of the Union
•  Current Design Models
•  Challenges
•  Security Vs. Compliance
•  Recommendations

Page 4

Beware the proxy server, and shun
The frumious packet filter!

Page 5

Recent Findings

According to Trustwave’s 2012 Global Security Report:

•  Customer records make up 89% of breached data investigated.
•  The most common password used by organizations is “Password1” because it satisfies the default Microsoft Active Directory complexity setting.
•  Anti-virus detected less than 12% of malware samples collected during 2011 investigations.
•  SANS Institute declared the “death of AV.”

Page 6

Findings Con’t

Only 16% of compromises were self-detected, and attackers had an average of 173.5 days before detection.

Page 7

Verizon Data Breach Report 2013

“When you consider the methods used by attackers to gain a foothold in organizations—brute force, stolen creds, phishing, tampering—it’s really not all that surprising that none receive the highly difficult rating. Would you fire a guided missile at an unlocked screen door?”

“…three-quarters of breaches are of low or very low difficulty for initial compromise, and the rest land in the moderate category.”

Page 8

Verizon Data Breach Report 2013

[Figure 43: Percent of breaches discovered external to victim; bar chart by year, <2008 through 2012]

[Figure 42: Percent of breaches that remain undiscovered for months or more; bar chart by year, <2008 through 2012]

Page 9

Verizon Data Breach Report 2013

[Figure 41: Timespan of events; rows Compromise (n=180), Exfiltration (n=39), Discovery (n=221), Containment (n=49); columns Seconds, Minutes, Hours, Days, Weeks, Months, Years; series Overall, Financial, Espionage, Other]

Page 10

High Profile Attacks

•  Major news media organizations compromised.
•  DDoS attacks against financial institutions.
•  Breach of processor Global Payments went undetected for over a year with 7 million accounts compromised.
•  Prominent defense contractors penetrated via information stolen from RSA Security.

Do you think they had firewalls?

Page 11

Why Do We Use Firewalls?

•  Infosec design “best practice.”
•  Because compliance rules and auditors say so.
•  To protect applications, servers and user systems from attacks.
•  FUD

Page 12

Why Do We Still Use Firewalls?

•  According to Infoworld’s Roger Grimes, they “…need to go away.”
•  Most attacks are client-side (http and https) and can bypass the firewall rules.
•  Network choke-points.
•  Rules are a mess, often breaking access.
•  Management is difficult, at best.
•  More of a problem than a solution.

Page 13

April Fool’s RFC 3514

Firewalls [CBR03], packet filters, intrusion detection systems, and the like often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual. The problem is that making such determinations is hard. To solve this problem, we define a security flag, known as the "evil" bit, in the IPv4 [RFC791] header.

Page 14

April Fool’s RFC 3093

We propose the Firewall Enhancement Protocol (FEP). … Our methodology is to layer any application layer Transmission Control Protocol/User Datagram Protocol (TCP/UDP) packets over the HyperText Transfer Protocol (HTTP) protocol, since HTTP packets are typically able to transit Firewalls. … FEP allows the best of both worlds: the security of a firewall, and transparent tunneling through the firewall.

Page 15

She took her vorpal sword in hand:
  Long time the TCP flow she sought --

Page 16

Definitions

Defense-in-depth

According to the Committee on National Security Systems Instruction No. 4009, National Information Assurance Glossary, it is defined as: IA [information assurance] strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of networks.

Page 17

Defense-in-depth is comprised of multiple types of controls, not only multiples of the same controls.

Page 18

Definitions Con’t

Firewall

From The Oxford American Dictionary: A wall or partition designed to inhibit or prevent the spread of fire. Any barrier that is intended to thwart the spread of a destructive agent.

A firewall does not prevent a fire.

Page 19

So rested she by the DMZ,
  And stood awhile in thought.

Page 20

Current Model: The Sandwich

Page 21

Typical Network Security Segmentation

•  INET: Public facing, the internet.
•  CORP: Corporate network, aka the user community.
•  DATA: Database segment, might be subdivided into PCI and non-PCI.
•  APP: Application segment, might be subdivided into PCI and non-PCI.
•  DMZ: Anything requiring public access; web front-ends, mail, DNS, might be subdivided into PCI and non-PCI segments.
•  MGMT: Management segment providing access between user/corp and production segments.
•  BKUP: Backup network.

Page 22

Typical Data Classification

•  Routine: Information not presenting a risk to the business if it were compromised. The lowest degree of protection.
•  Confidential: Information not of value to an attacker, but it might provide information that could be useful in an attack.
•  Business-Critical: Data containing details about how the organization operates its business. Could affect the organization's competitive advantage or have a financial impact if it were compromised.
•  Private: Private data is information that the organization is required to keep secure, either by regulation or to maintain the confidence of its customers. This data is the most secure information on the network.

Page 23

What You Really End Up With

Page 24

And, as in uffish thought she stood,
The firewall, with eyes of flame,

Page 25

The Challenge

•  A Network Security team is responsible for managing the technical or logical controls for accessing data.
•  They are data custodians for the data owners.
•  The challenge is to ensure that they closely align the network security segmentation design with an information classification matrix.

Page 26

Came whiffling through the Ethernet,
And burbled as it came!

Page 27

Security Vs. Compliance

•  Adherence to PCI-DSS, SOX, HIPAA or any other compliance standard does not equate to organizational security.
•  Compliance is conformance to a standard dictated by a governing body.

Page 28

Definitions

•  Compliance - the act of conforming, acquiescing, or yielding. A tendency to yield readily to others, especially in a weak and subservient way. Conformity; accordance: in compliance with orders. Cooperation or obedience.
•  Security - freedom from danger, risk, etc.; safety. Freedom from care, anxiety, or doubt; well-founded confidence. Something that secures or makes safe; protection; defense. Precautions taken to guard against crime, attack, sabotage, espionage, etc.

From The American Heritage Dictionary

Page 29

Compliance or Security?

Page 30

Compliance != Security

Venn diagram courtesy of @grecs

Page 31

One, two! One, two! And through and through
  The vorpal blade went snicker-snack!

Page 32

Information Classification Best Practices

•  Data represents the digital assets of a company.
•  Different data has varying levels of value, organized according to sensitivity to loss, disclosure, or unavailability.
•  Data is segmented according to level, then security controls are applied.
•  An information classification matrix represents the foundation of a security design.

For additional information, see “Understanding Data Classification Based On Business and Security Requirements” by Rafael Etges and Karen McNeil.

Page 33

Implementing Good Network Segmentation: Phase One

1.  Establish a new network segmentation model, based upon some of the existing or implicit standards from your security team.
2.  Verify that this will meet current compliance needs, proactively.
3.  Document this fully and get sign off, so that there is an agreed upon model or standard for all divisions.
4.  Build new systems and networks on this design, migrating legacy systems where possible with minimal impact to customers and when required for compliance.

Page 34

Implementing Good Network Segmentation: Phase Two

1.  Build a business and service technical catalog, then a full data classification matrix.
2.  Develop the next generation of network segmentation based upon the data classification matrix.
3.  Document this fully, so that there is an agreed upon model or standard.

Implementation of phase one will make phase two feasible. The goal is a thoughtful design that meets the needs of all customers and divisions within an organization.
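To make step 2 of phase two concrete, here is an added example (not from the deck) that encodes the four classification levels and the seven segments from the earlier slides and audits a constructed firewall ruleset against them, the kind of periodic ruleset validation the later recommendations call for. The segment-to-classification mapping, the "one classification level per hop" policy and the sample rules are assumptions made for this example.

```python
from dataclasses import dataclass

# Classification levels from the deck, ranked from least to most sensitive.
CLASS_RANK = {"Routine": 0, "Confidential": 1, "Business-Critical": 2, "Private": 3}

# Highest classification each segment is permitted to hold. This mapping is an
# assumption constructed for the example; in practice it comes out of the data
# classification matrix agreed with the data owners.
SEGMENT_CLASS = {
    "INET": "Routine", "DMZ": "Confidential", "CORP": "Business-Critical",
    "APP": "Business-Critical", "MGMT": "Private", "DATA": "Private", "BKUP": "Private",
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # source segment, or "any"
    dst: str     # destination segment, or "any"
    port: str    # TCP/UDP port as a string, or "any"
    action: str  # "allow" or "deny"


def check_rule(rule, segment_class=SEGMENT_CLASS):
    """Return the findings for one rule; an empty list means it fits the model."""
    findings = []
    if rule.action != "allow":
        return findings  # explicit denies never widen access
    for side in (rule.src, rule.dst):
        if side != "any" and side not in segment_class:
            findings.append(f"{rule.name}: unknown segment '{side}'")
    if "any" in (rule.src, rule.dst):
        findings.append(f"{rule.name}: 'any' segment defeats the default-deny model")
    if rule.port == "any":
        findings.append(f"{rule.name}: 'any' port; enable specific ports only")
    if rule.src in segment_class and rule.dst in segment_class:
        # Assumed policy: traffic may only step up one classification level per
        # hop (INET -> DMZ -> APP -> DATA), so a larger jump skips a tier.
        gap = CLASS_RANK[segment_class[rule.dst]] - CLASS_RANK[segment_class[rule.src]]
        if gap > 1:
            findings.append(f"{rule.name}: {rule.src} reaches {rule.dst} directly, skipping a tier")
    return findings


def audit(rules, segment_class=SEGMENT_CLASS):
    """Run check_rule over a whole ruleset and return every finding."""
    return [f for rule in rules for f in check_rule(rule, segment_class)]


# Constructed sample ruleset, not taken from any real device.
SAMPLE_RULES = [
    Rule("web-in", "INET", "DMZ", "443", "allow"),
    Rule("app-tier", "DMZ", "APP", "8443", "allow"),
    Rule("db-tier", "APP", "DATA", "5432", "allow"),
    Rule("legacy-report", "DMZ", "DATA", "1433", "allow"),  # skips the APP tier
    Rule("temp-fix", "CORP", "any", "any", "allow"),  # the "just make it work" rule
    Rule("cleanup", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Running it reports three findings for the sample set: the tier skip in legacy-report and the two wildcards in temp-fix.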

Page 35

She left it dead, and with its NAT policy,
She went galumphing back.

Page 36

Operational Security To Do List

•  Focus on containment.
•  Improve standardization and documentation.
•  Gather metrics.
•  Event monitoring (and no, that doesn’t mean email alerts).
•  Consolidate when possible.
•  Consistently audit access.
•  Emphasize a proactive over reactive posture.

Page 37

The Goal: Enterprise Security Architecture

•  Integration of security into the enterprise architecture.
•  Design driven by business needs.
•  Built in, not bolted on.
•  Utilize frameworks or models such as:
   OSA (Open Security Architecture)
   SABSA (Sherwood Applied Business Security Architecture)

Page 38

OSA Design Principles

The design artifacts that describe how the security controls (= security countermeasures) are positioned, and how they relate to the overall IT Architecture.

Page 39

SABSA Framework

Page 40

A New and Improved DMZ Sandwich

[OSA DMZ module design pattern, shown as a diagram on the slide; recoverable content follows.]

Actor: Security Operations. Responsibilities: configuration of environment; monitoring and response to emerging threats.

Untrusted public network (e.g. Internet) → External Firewall: default rule DENY ALL; enable specific ports and IP addresses/ranges; stateful inspection.

DMZ: DNS, IDS/IPS, bastion host, proxy/gateway/web (minimal services, hardened configuration, management/monitoring by separate network interfaces/VLAN); external services.

Internal Firewall: default rule DENY ALL; enable specific ports and IP addresses; stateful inspection and DoS protection; load balance/high availability → Trusted network (e.g. CorpNet); internal services.

Controls referenced in the pattern: AC-04 Information Flow Enforcement; AC-06 Least Privilege; AC-07 Unsuccessful Login Attempts; AC-12 Session Termination; AU-02 Auditable Events; AU-03 Content Of Audit Records; AU-04 Audit Storage Capacity; AU-05 Response To Audit Processing Failures; AU-06 Audit Monitoring, Analysis, And Repor..; AU-07 Audit Reduction And Report Generation; AU-08 Time Stamps; AU-09 Protection Of Audit Information; AU-10 Non-Repudiation; AU-11 Audit Record Retention; CA-03 Information System Connections; CA-04 Security Certification; CA-05 Plan Of Action And Milestones; CM-07 Least Functionality; RA-05 Vulnerability Scanning; SC-05 Denial Of Service Protection; SC-07 Boundary Protection; SC-10 Network Disconnect; SC-20 Secure Name / Address Resolution ..; SC-21 Secure Name / Address Resolution ..; SC-22 Architecture And Provisioning For Na..; SC-23 Session Authenticity; SI-03 Malicious Code Protection; SI-04 Information System Monitoring Tools An..; SI-05 Security Alerts And Advisories; SI-06 Security Functionality Verif..; SI-07 Software And Information Integri..; SI-08 Spam Protection.

OSA is licensed according to Creative Commons Share-alike. Please see: http://www.opensecurityarchitecture.org/cms/about/license-terms.

http://www.opensecurityarchitecture.org/cms/en/library/patternlandscape/286-sp-016-dmz-module

Page 41

Tips To Improve a Network Security Architecture Or “Mandiant Said So”

•  Document and understand critical applications’ network data flows
•  Periodically validate network device rulesets
•  Implement network segmentation
•  Implement web application firewalls to reduce the risk of web application vulnerabilities
•  Implement web proxies for all users, restricting access to “uncategorized” web sites
•  Build restricted, high security zones for critical data and applications

From the Mandiant M-Trend 2012 Report

Page 42

And, hast thou slain the Firewall?
  Come to my arms, my beamish girl!
O stateful day! Callooh! Callay!
  She chortled in her joy.

Page 43

Where Am I?

Spending quality time in kernel mode practicing and refining my particular form of snark.

www.healthyparanoia.com
Twitter @MrsYisWhy
Google+ MrsYisWhy

Page 44

References

Covert, Edwin. Using Enterprise Security Architecture to Align Business Goals and IT Security within an Organization. Tech. Columbia: Applied Network Solutions, n.d. Print.

Grimes, Roger. "Why You Don't Need a Firewall." InfoWorld. N.p., 15 May 2012. Web. 15 May 2012. <http://www.infoworld.com/d/security/why-you-dont-need-firewall-193153?page=0,1>.

Krebs, Brian. "Krebs on Security." Krebs on Security RSS. N.p., 1 May 2012. Web. 16 Apr. 2013. <http://krebsonsecurity.com/2012/05/global-payments-breach-window-expands/>.

Krebs, Brian. "Krebs on Security." Krebs on Security RSS. N.p., 17 May 2012. Web. 16 Apr. 2013. <http://krebsonsecurity.com/2012/05/global-payments-breach-now-dates-back-to-jan-2011/>.

Lee, Rob. "Is Anti-Virus Really Dead? A Real-World Simulation Created for Forensic Data Yields Surprising Results." Blog. SANS, 9 Apr. 2012. Web. 16 Apr. 2013. <http://computer-forensics.sans.org/blog/2012/04/09/is-anti-virus-really-dead-a-real-world-simulation-created-for-forensic-data-yields-surprising-results>.

M-Trends 2012: An Evolving Threat. Rep. Alexandria: Mandiant, 2012. Print.

Page 45

References Con’t

"Open Security Architecture." Open Security Architecture. N.p., n.d. Web. 17 Apr. 2013.

Plato, Andrew. "Analysis of the Palo Alto Cache Poison Issue." Anitian Blog. Anitian Security, 3 Jan. 2013. Web. 16 Apr. 2013.

"SABSA." SABSA. N.p., n.d. Web. 17 Apr. 2013.

Trustwave 2012 Global Security Report. Rep. Trustwave, 2012. Web.

Verizon 2013 Data Breach Investigations Report. Rep. Verizon, 2013. Web.

Wan, William, and Ellen Nakashima. "Report Ties Cyberattacks on U.S. Computers to Chinese Military." Washington Post. The Washington Post, 19 Feb. 2013. Web. 16 Apr. 2013. <http://www.washingtonpost.com/world/report-ties-100-plus-cyber-attacks-on-us-computers-to-chinese-military/2013/02/19/2700228e-7a6a-11e2-9a75-dab0201670da_story.html>.

Zetter, Kim. "RSA Agrees to Replace Security Tokens After Admitting Compromise." Wired.com. Conde Nast Digital, 05 June 2011. Web. 16 Apr. 2013. <http://www.wired.com/threatlevel/2011/06/rsa-replaces-securid-tokens/>.