Pre-Conference Tutorial T-3: May 4, 2004
Making the Right Choices for Your Secure Network Infrastructure
George G. McBride
Senior Manager, Security Practice
Lucent Technologies Professional Consulting
Lucent Worldwide Services, Security Practice
Jan 11, 2016
Lucent Technologies – Copyright 2004
Secure Network Infrastructure: Making the Right Choices
What the Web-Site Says:
Firewalls, intrusion detection systems and other security devices play a vital role in securing networks against malicious traffic from untrusted networks. Nevertheless, most firewall systems contain inherent design flaws and limitations that hinder even the most diligent efforts of IT staffs. These weaknesses often exist because the firewall has been created by stretching the capabilities of another device that was not originally designed for network security. As a result, vulnerabilities remain that hackers can exploit as they continue to develop new techniques to cripple or break through networks. The limitations of these firewalls also add to capital and operating costs, as an IT staff puts in additional time and effort, and purchases additional equipment, to compensate for inherent flaws. What are the technical features you need to pay special attention to in order to ease security concerns and lower costs? How do you educate your IT staff to take advantage of the key next-generation firewall features available today? This session will include a review of some of the crucial features and capabilities: a centralized management platform, bridging instead of routing, powerful packet processing, high availability, robust security, Quality of Service (QoS), and full support for virtual firewalls. With these features in place, firewalls can reduce design and management time and minimize the total cost of ownership of a security infrastructure. It will also illustrate how governments and service providers can achieve savings from shorter installation time and fewer management hours to keep their networks protected at all times.
Secure Network Infrastructure
What we are going to cover this afternoon:
– What are the components of a “Secure Network Infrastructure”
• Policies, Awareness, People
• Network Components
• The key role of a Firewall and how our “Perimeter” continues to blend.
• Risk assessments and their value to your network
– And a lot more!
– Q&A / Discussion
Secure Network Infrastructures: Definition
The architecture and implementation of a design that balances business requirements with a holistic security program.
This includes:
– The concept of least privilege
– Segmented networks on the inside
– Addressing as many concerns as possible through technical controls with the remainder addressed through policy
– Authenticating requests and encrypting of all sensitive information
– Encompassing a strong perimeter security
The Holistic View
Security from the top-down and bottom-up:
– Formalized methodology to determine what assets you are trying to protect
– Formalized methodology to identify threats against those assets
– Formalized program to conduct pro-active and ad-hoc risk assessments to identify vulnerabilities and measure risk
– Formalized program to conduct penetration tests
– Security program including policies, awareness, and expectations of security staff communicated
– Monitoring of network traffic and events including a formalized and rehearsed Incident Response Plan
– An effective anti-virus infrastructure
– Program to regularly distribute application and operating system updates. This also implies an inventory exists!
Key ingredient to a “Secure Network”: People
You’ve got to have the best people available:
– Skilled
– Educated
– Happy
– Doing what they do best (in the right job!)
Need senior management approval and support for all activities
Asset Identification & Valuation
Types of Assets:
– People
– Buildings
– Systems
– Processes
– Applications
– Intellectual Property
– “Product”
Valuation Determination:
– Business Impact
– Replacement Cost
– Cost to re-train
– Downtime
– Cost to rebuild
– Value to your competitors
Cost to protect <= “Value”
Asset Determination
Asset determination is a “subjective” approach.
– “All of my systems are critical”
– Should include an enterprise-wide review
– Can be completed via surveys, interviews, previously conducted Business Impact Analysis studies
– Review of Business Continuity Plans / Disaster Recovery (BCP/DR) documentation
– Ranking and ordering
– Executive-level approval
Threats?
Categories of threats that can strike at an asset:
– Industry specific
– Human
• Intentional/Malicious vs. Accidental
– Environmental
– Physical
– Logical
– Mother Nature
Risk Assessment Program
Develop a Risk Assessment Program:
– Takes Assets and Threats as an input
• You need to know what you are protecting and “what” is trying to attack the assets
– Should allocate resources for assessments
• People
• Tools & Equipment
– Development or adoption of a methodology
– Include a mechanism to track findings and closure
Risk Assessment Methodologies
Provide an end-to-end process for conducting comprehensive technical and business risk assessments
– Information Security Forum
• FIRM, SARA, SPRINT
• FRAPP
• COBIT
• OCTAVE
• NSA
• Many others, including derivatives of those above
Securing the Network
A number of concepts introduced into the network design and operating philosophy will increase overall security
These concepts include:
– Network Segmentation
– Least Privileges
– Policy
– Authentication (Identity Management)
– Logging, Auditing, and Review
– Strong perimeter security
Network Segmentation
Segmentation here does not mean separating your Intranet from the Internet; it means logically segmenting the Intranet itself.
Often implemented through VLANs or through Firewall segmentation
Can be used to segment by location, by business unit, or most often, by critical asset
• Payroll
• Research and Development / Engineering
Restricts malicious activities by malicious users and applications such as worms.
Intrusion Detection Systems (IDS)
IDS Has Three Primary Functions:
– Monitor
– Detect
– React / Respond
An IDS can be based on the host or the network:
– Host Intrusion Detection System (HIDS)
– Network Intrusion Detection System (NIDS)
IDS Types
Intrusion Detection Systems can use two different mechanisms to “detect” malicious behavior:
– Anomaly Detection
• Uncovers abnormal patterns of behavior by establishing a baseline of normal usage patterns and noting any anomaly as a possible intrusion. What is considered to be an anomaly can vary, but any incident that occurs with a frequency greater than or less than two standard deviations from the statistical norm raises an eyebrow.
– Misuse Detection or Signature Detection
• Uses specifically known patterns of unauthorized behavior to detect malicious activity. These specific patterns are called signatures.
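The two detection mechanisms above, as an added worked example that is not part of the original tutorial: a constructed firewall-style log (format assumed for this example) is run through an anomaly detector that flags minutes more than two standard deviations from the baseline, and through a small signature set for misuse detection.

```python
import re
import statistics
from collections import Counter

# Log format assumed for this example (constructed, not from the deck):
# "HH:MM ACCEPT|DENY <src> -> <dst>:<port>"
LOG_RE = re.compile(r"^(?P<minute>\d\d:\d\d) (?P<action>ACCEPT|DENY) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+)$")

# Misuse/signature rules: known patterns of unwanted behaviour, as a NIDS signature set would hold.
SIGNATURES = {
    "smb-sweep": re.compile(r" DENY \S+ -> \S+:445$"),     # blocked hits on TCP/445
    "inbound-telnet": re.compile(r" ACCEPT \S+ -> \S+:23$"),
}

def make_sample_log():
    """Constructed sample: nine quiet minutes of 3-5 web connections, then one minute in
    which a single host sweeps port 445 across the segment (worm-like behaviour)."""
    lines = []
    for minute in range(9):
        for i in range(3 + minute % 3):
            lines.append(f"10:{minute:02d} ACCEPT 10.1.1.{i + 1} -> 10.2.0.7:80")
    for host in range(40):
        lines.append(f"10:09 DENY 10.1.1.9 -> 10.2.0.{host + 1}:445")
    return lines

def events_per_minute(lines):
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m:                       # lines that do not parse are ignored, not counted
            counts[m["minute"]] += 1
    return counts

def anomaly_detect(lines, baseline_minutes):
    """Anomaly detection as the slide describes: build a baseline of events per minute,
    then flag any minute more than two standard deviations from the baseline mean."""
    counts = events_per_minute(lines)
    baseline = [counts.get(m, 0) for m in baseline_minutes]
    mean, sd = statistics.mean(baseline), statistics.pstdev(baseline)
    return {m: c for m, c in sorted(counts.items()) if abs(c - mean) > 2 * sd}

def signature_detect(lines):
    """Misuse detection: count matches of each known signature."""
    hits = Counter({name: 0 for name in SIGNATURES})
    for line in lines:
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits[name] += 1
    return dict(hits)

if __name__ == "__main__":
    log = make_sample_log()
    print(anomaly_detect(log, [f"10:{m:02d}" for m in range(9)]))   # {'10:09': 40}
    print(signature_detect(log))                                    # {'smb-sweep': 40, 'inbound-telnet': 0}
```

Note that the baseline minutes are passed explicitly: if the burst minute were included in the baseline it would inflate the standard deviation and mask itself, which is why a baseline is established before anomalies are scored.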
Segment, Then Monitor!
Where to monitor?
– Each segment?
– Critical/Sensitive/High-Value segments?
– Inside the Firewall?
– Outside the Firewall?
– VPN and Remote Access Gateways?
– Partner connections?
– Wireless connectivity points?
– Areas with “transient” employees?
Intrusion Prevention Systems (IPS)
Can be host or network based, an IPS has the capability to stop malicious traffic before it is successful.
An IPS is usually installed “in-line” between two network segments and will:
– Monitor
– Detect
– Block
An IPS does more than just send a “RST” packet to a misbehaving host.
IPS and IDS Features
There are several “features” to look for with an IDS or IPS:
– IPS Operating “In-Line”
– High level of granular control
– High reliability and availability
– High performance
– Low Latency
– Accurate detection (low false-positive and false-negative rates)
– Advanced alerting and reaction mechanisms
The Least Privileged Concept
“Anything that is not expressly permitted is denied”.
Permitting individuals access only to required resources, when required.
– Do users need access to WWW resources? File Servers? Applications?
Unix ROOT level Example:
– Reviewing if ROOT level is truly required
– Only providing ROOT level access to persons who require it
– Providing those users with regular level access and only using ROOT level access as required
Technical Restrictions and Policy
A thorough computer and network security policy must be established and publicized through the company.
– Should provide specific requirements, guidelines, configurations, and expectations of users and administrators
– Should clearly indicate the consequences for non-compliance
– Should be authorized by the compliance officer or CEO/President
Whenever possible, technical controls must be enabled to ensure compliance with policies
Authentication and Identity Management
Essentially, “Are you who you claim to be?”
– The use of two factor authentication, such as having a PIN code and a hand held token
– Biometrics such as fingerprint, facial patterns, or retinal scans
– Secure enrollment process
– Use of Single Sign On (SSO), Lightweight Directory Access Protocol (LDAP), or Active Directory (AD)
– Automated (Cost Savings!) and secure password resets
– Takes the “Asset” into consideration:
• Biometric authentication may be excessive for authentication at the cafeteria, but not the ISP’s data center
Logging, Auditing, and Review
Develop a program to identify which needs to be logged
– Assets, Threats, Risks will determine what is logged and appropriate retention policies
– Logs are completely useless, take up space, and slow the systems down... when not reviewed
– Centralized monitoring provides a holistic view and provides vision into trends and attack patterns
– Provides additional forensics and incident response details
– Helps identify systems and processes that have gone haywire
– Provides accountability
Perimeter Security
Can it be strong enough?
– Corporate Remote Access
• Dial-Up (pcAnywhere!)
• VPN (PPTP, IPSec, and SSL) and SSH
– Wireless
– DMZ Connectivity
– Inbound Telnet?
– Dual-homed machines that straddle the network perimeter
And the Perimeter continues to get fuzzy…
Applications (usually in the DMZ) provide an entry point into the network.
– SQL Injection
– Bad Coding Logic
SSL VPNs are relatively new and have a variety of commercial and open-source solutions
– Client side security issues
– Server side security issues
The Firewall
So many vendors and different types, which one is the best?
– Software only solution or a packaged hardware and software solution
– Microsoft Windows or UNIX (including variants such as Solaris and Linux)
– Bridging versus routing connectivity
– Centralized management and monitoring solutions
– High availability and redundant solutions
– What functionality do you want in the FW?
Software vs Hardware Based Firewalls
A software based firewall is an application add-on that sits on top of the computer’s operating system.
– Installed as an aftermarket item or integrated into the OS
– Must update OS and FW software and ensure interoperability so nothing breaks
– Efficiency of the firewall will be dependent on the actual characteristics of the machine chosen
– May be able to purchase add-on functionality to increase performance or add features
– Priced from $0 and up
Software vs Hardware Based Firewalls
A hardware based firewall is a physical device that is plugged into the network.
– Usually pre-configured from the vendor
– May allow for the purchase of add-on hardware or software to increase performance or add features
– Usually look towards the vendor as a single point of contact for updates
– Hardware based appliances are optimized for speed by design as circuits, chips, logic, and processes are designed for a particular application.
– OS may be proprietary, but generally comes “hardened”
What OS To Choose?
Obviously, not a consideration on hardware based firewalls as they come pre-configured.
Software Firewalls:
– Do you have a choice?
– Is one OS inherently more “secure” than another?
– What OS are you familiar with?
– Is the FW Software optimized for a particular software platform?
Routing Firewalls
Routing Firewalls traditionally have the following characteristics:
– Acts as a router with filtering capability
– Has 2 or more interfaces that inspect and filter traffic prior to deciding whether to forward the packet to another interface or to drop it
– Each interface has an IP address, i.e. a layer 3 presence
– Forwarded packets have their TTL decremented, may have an IP address changed (NAT), and are then routed to the destination
Routing Firewalls
There are several “disadvantages” of the traditional routing firewall.
– It may not be easy to install a routing firewall between two networks, as you will need IP addresses for each interface and the hosts must be “aware” that the Firewall is the gateway
– While firewalls may be configured not to respond to certain types of “malicious” or “exploratory” traffic, it is often easy to not only detect that a firewall exists, but the type of firewall it is
– Has an IP address at its interface which could be addressable by a malicious person
– May require more processing power than a bridging firewall as it must bridge and route
Bridging Routers
Rather than “routing”, how about inspecting packets and then moving them to the proper interface?
– Works at the OSI model layer 2 – the Data Link Layer
– AKA: Transparent, In-Line, Shadow, or Stealth FW
– Data comes in one interface and out the other, after passing through any filtering
Bridging Routers
Bridging routers have several advantages:
– Zero Configuration: The bridging firewall can be placed in line with the network (or segment) that it is protecting. A bridging firewall can be placed:
• Between two routers
• Between a router and a switch (which may protect a group of sensitive machines)
– Because the bridging router operates on Layer 2, it has no IP address and becomes un-addressable and unreachable by IP address
– Bridging routers require less processing overhead and can be a simpler device or incorporate more functionality when compared to an equivalent firewall
Management And Monitoring
In the beginning, each Firewall had a console where the alerting, logging, and rules were managed.
– Firewalls were managed as individual entities
– Logs were kept separately and rules were managed individually
Then firewalls began logging to syslog, a way to centrally manage the logs and alerts.
And once the logs and alerts were centralized, the management of the firewalls was centralized as well
Management And Monitoring
Centralized Monitoring:
– Provides a holistic view of the corporate Firewall infrastructure
– Centrally manage logs
• Event Correlation
– Centrally administer systems
• One workstation to administer all Firewalls
• Easy to ensure consistency and uniformity
• Allows for FW policy and procedures verification
– Requires less hardware and software
• Cheaper!
Outsourced Management of Firewalls
Centralized firewall management has several key advantages:
– Generally not a company’s “core competency”
– Staffing levels
– Rule set Management
– 24x7 Support Requirements
– Generally requires a “formal” FW Change Policies and Requirements
– You pay for economies of scale.
What is QoS
QoS: Quality of Service is the prioritization of network traffic for certain applications and services.
Can be implemented through:
– MPLS: Multi-Protocol Label Switching
• Used to establish “fixed bandwidth pipes”. Packets are generally marked at certain ingress routers and un-marked at egress routers.
– DiffServ: Differentiated Services
• Utilizes the IPv4 Type of Service (ToS) field.
• Typically “applied” at border routers
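The routing-versus-bridging slides above and the DiffServ bullet here both come down to what a device does to the IPv4 header, so this added example (not from the original tutorial) builds a minimal header and shows each operation: a routing firewall decrements the TTL, may NAT the source, and must recompute the checksum; a bridging firewall passes or drops the packet byte-for-byte; a border router writes a DSCP into the ToS byte. Addresses and the "voice" payload are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

IPV4_FMT = "!BBHHHBBH4s4s"  # version/IHL, ToS, length, id, flags/frag, TTL, proto, checksum, src, dst

def checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement of the one's-complement sum of 16-bit words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def fix_checksum(hdr: bytearray) -> None:
    """Zero the checksum field, then write the freshly computed value."""
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))

def build_ipv4(src: str, dst: str, ttl: int = 64, tos: int = 0, proto: int = 17, payload: bytes = b"") -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = bytearray(struct.pack(IPV4_FMT, 0x45, tos, 20 + len(payload), 0, 0, ttl, proto, 0,
                                IPv4Address(src).packed, IPv4Address(dst).packed))
    fix_checksum(hdr)
    return bytes(hdr) + payload

def parse_ipv4(pkt: bytes) -> dict:
    _, tos, _, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    return {"tos": tos, "dscp": tos >> 2, "ttl": ttl, "proto": proto,
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "checksum_ok": checksum(pkt[:20]) == 0}  # a header with a valid checksum sums to zero

def routing_firewall_forward(pkt: bytes, nat_src=None):
    """Layer-3 (routing) firewall: TTL is decremented, the source may be rewritten by NAT,
    and the checksum is recomputed; a packet whose TTL has run out is dropped (None)."""
    hdr = bytearray(pkt[:20])
    if hdr[8] <= 1:
        return None
    hdr[8] -= 1
    if nat_src:
        hdr[12:16] = IPv4Address(nat_src).packed
    fix_checksum(hdr)
    return bytes(hdr) + pkt[20:]

def bridging_firewall_forward(pkt: bytes, allow):
    """Layer-2 (bridging/transparent) firewall: the packet is filtered but otherwise passes
    unchanged, so the firewall needs no IP address of its own on the segment."""
    return pkt if allow(parse_ipv4(pkt)) else None

def mark_dscp(pkt: bytes, dscp: int) -> bytes:
    """DiffServ marking at a border router: the 6-bit DSCP occupies the upper bits of the
    ToS byte (the low two bits are ECN); the checksum must be fixed afterwards."""
    hdr = bytearray(pkt[:20])
    hdr[1] = ((dscp & 0x3F) << 2) | (hdr[1] & 0x03)
    fix_checksum(hdr)
    return bytes(hdr) + pkt[20:]

if __name__ == "__main__":
    pkt = build_ipv4("10.1.1.5", "198.51.100.7", payload=b"voice")               # constructed sample
    print(parse_ipv4(routing_firewall_forward(pkt, nat_src="203.0.113.1")))     # ttl 63, NAT'd src
    print(bridging_firewall_forward(pkt, lambda h: h["dst"] == "198.51.100.7") == pkt)  # True
    print(parse_ipv4(mark_dscp(pkt, 46))["dscp"])                                # 46 (EF, used for VoIP)
```

The NAT case also illustrates the external QoS placement problem later in the deck: once the source has been rewritten, a device outside the firewall sees only the translated address and can no longer classify by internal host.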
Why is QoS Important?
QoS is a necessity for Voice Over IP (VoIP)
– Must have a “bandwidth pipe” available for VoIP traffic to help facilitate VoIP availability and PSTN quality calls
– QoS will help minimize:
• Packet Loss
• Latency
• Jitter
– And QoS can help increase security by throttling down worm, virus, and malware propagation
QoS And Firewalls
Where do you put the QoS management devices?
– Inside?
– Outside?
What do you look for in a QoS management system?
– QoS Assignment
• All types of traffic (Critical/NAT’d/Encrypted Traffic)
– Transparency & Ease of Use
QoS Device Placement: External
Consider a QoS Device on the Internet side of a Corporate Firewall.
[Diagram: Internet – QoS Device – Firewall – DMZ Machines – Intranet; the QoS device sits on the Internet side of the firewall]
QoS On the External Side: Issues
There are several issues with this solution:
– QoS Device cannot consistently classify or encode the information based on IP Header information as some of the data may be encrypted.
– When devices are NAT’d, setting the QoS based on IP Address is difficult.
• The QoS may see the “Intranet” as a single IP due to NAT’ing issues.
– QoS cannot classify traffic by groups or users
– QoS device is unprotected by the corporate firewall and is susceptible to attacks.
QoS Device Placement: Internal
[Diagram: Internet – Firewall – DMZ Machines – QoS Device – Intranet; the QoS device sits on the Intranet side of the firewall]
Consider a QoS Device on the Intranet side of a Corporate Firewall.
QoS On the Internal Side: Issues
There are several issues with this solution:
– QoS device does not know the level of traffic on the Internet link as it has no visibility to congestion levels between the QoS device and the gateway (such as a link-to-link VPN).
– As such, the QoS device cannot prevent unacceptable traffic levels from saturating the gateway.
Wrap-Up
Secure Network Infrastructure:
– More than just a firewall
– Requires a “Security Program” as a foundation and includes:
• Policies and awareness training
• Technical controls whenever possible
• Assessments, reviews, penetration testing
• Incident response plans and drills
– Requires continual vigilance
Contact Information
Please feel free to contact me with any questions or comments:
Lucent Technologies, Bell Labs Innovations
Lucent Technologies Inc.
Room 2N-611J
101 Crawfords Corner Road
Holmdel, NJ 07733
Phone: +1.732.949.3408
E-mail: [email protected]
George McBride, CISSP
Security Practice
Lucent Worldwide Services