Pre-Conference Tutorial T-3: May 4, 2004 Making the Right Choices for Your Secure Network Infrastructure George G. McBride Senior Manager, Security Practice.

Pre-Conference Tutorial T-3: May 4, 2004

Making the Right Choices for Your Secure Network InfrastructureGeorge G. McBrideSenior Manager, Security PracticeLucent Technologies Professional Consulting

Lucent Worldwide ServicesSecurity Practice

Lucent Technologies – Copyright 20042

Secure Network Infrastructure:Making the Right Choices

What the Web-Site Says: Firewalls, intrusion detection systems and other security devices play a vital role

in securing networks against malicious traffic from untrusted networks. Nevertheless, most firewall systems contain inherent design flaws and limitations that hinder even the most diligent efforts of IT staffs. These weaknesses often exist because the firewall has been created by stretching the capabilities of another device, which was not originally designed for network security. As a result, vulnerabilities remain, which hackers can exploit as they continue to develop new techniques to cripple or break through networks. The limitations of these firewalls also add to capital and operating costs, as an IT staff puts in additional time and effort—and purchases additional equipment—to compensate for inherent flaws. What are the technical features you need to pay special attention to, in order to ease security concerns and lower costs? How do you educate your IT staff to take advantage of key next-generation firewall features available today? This session will include a review of some of the crucial features and capabilities, which include: centralized management platform, bridging instead of routing, powerful packet processing, high availability, robust security, Quality of Service (QoS) and full support for virtual firewalls. With these features in place, firewalls can reduce design and management time, and minimize the total cost of ownership of a security infrastructure. It will also illustrate how governments and service providers, can achieve savings from shorter installation time and fewer management hours to keep their network protected at all times.


Secure Network Infrastructure

What we are going to cover this afternoon:

– What are the components of a “Secure Network Infrastructure”

• Policies, Awareness, People

• Network Components

• The key role of a Firewall and how our “Perimeter” continues to blend.

• Risk assessments and their value to your network

– And a lot more!

– Q&A / Discussion


Secure Network Infrastructures: Definition

The architecture and implementation of a design that balances business requirements with a holistic security program.

This includes:– The concept of least privilege

– Segmented networks on the inside

– Addressing as many concerns as possible through technical controls with the remainder addressed through policy

– Authenticating requests and encrypting of all sensitive information

– Encompassing a strong perimeter security


The Holistic View

Security from the top-down and bottom-up:– Formalized methodology to determine what assets you are

trying to protect

– Formalized methodology to identify threats against those assets

– Formalized program to conduct pro-active and ad-hoc risk assessments to identify vulnerabilities and measure risk

– Formalized program to conduct penetration tests

– Security program including policies, awareness, and expectations of security staff communicated

– Monitoring of network traffic and events including a formalized and rehearsed Incident Response Plan

– An effective anti-virus infrastructure

– Program to regularly distribute application and operating system updates. This also implies an inventory exists!


Key ingredient to a “Secure Network”: People

You’ve got to have the best people available:

– Skilled

– Educated

– Happy

– Doing what they do best (in the right job!)

Need senior management approval and support for all activities


Asset Identification & Valuation

Types of Assets:

– People

– Buildings

– Systems

– Processes

– Applications

– Intellectual Property

– “Product”

Valuation Determination:

– Business Impact

– Replacement Cost

– Cost to re-train

– Downtime

– Cost to rebuild

– Value to your competitors

Cost to protect <= “Value”


Asset Determination

Asset determination is a “subjective” approach.

– “All of my systems are critical”

– Should include an enterprise-wide review

– Can be completed via surveys, interviews, previously conducted Business Impact Analysis studies

– Review of Business Continuity Plans / Disaster Recovery (BCP/DR) documentation

– Ranking and ordering

– Executive-level approval


Threats?

Categories of threats that can strike at an asset:

– Industry specific

– Human

• Intentional/Malicious vs. Accidental

– Environmental

– Physical

– Logical

– Mother Nature


Risk Assessment Program

Develop a Risk Assessment Program:

– Takes Assets and Threats as an input

• You need to know what you are protecting and “what” is trying to attack the assets

– Should allocate resources for assessments

• People

• Tools & Equipment

– Development or adoption of a methodology

– Include a mechanism to track findings and closure


Risk Assessment Methodologies

Provide an end to end process for conducting comprehensive technical and business risk assessments

– Information Security Forum

• FIRM, SARA, SPRINT

• FRAPP

• COBIT

• OCTAVE

• NSA

• Many others, including derivatives of those above


Securing the Network

A number of concepts introduced into the network design and operating philosophy will increase overall security

These concepts include:

– Network Segmentation

– Least Privileges

– Policy

– Authentication (Identify Management)

– Logging, Auditing, and Review

– Strong perimeter security


Network Segmentation

It does not refer to segmenting your Intranet from the Internet. It is logically segmenting your Intranet

Often implemented through VLANs or through Firewall segmentation

Can be used to segment by location, by business unit, or most often, by critical asset

• Payroll

• Research and Development / Engineering

Restricts malicious activities by malicious users and applications such as worms.


Intrusion Detection Systems (IDS)

IDS Has Three Primary Functions:

– Monitor

– Detect

– React / Respond

An IDS can be based on the host or the network:

– Host Intrusion Detection System (HIDS)

– Network Intrusion Detection System (NIDS)


IDS Types

Intrusion Detection Systems can use two different mechanisms to “detect” malicious behavior:– Anomaly Detection

• Uncovers abnormal patterns of behavior by establishing a baseline of normal usage patterns and noting any anomaly as a possible intrusion. What is considered to be an anomaly can vary, but any incident that occurs with a frequency greater than or less than two standard deviations from the statistical norm raises an eyebrow.

– Misuse Detection or Signature Detection

• Uses specifically known patterns of unauthorized behavior to detect malicious activity. These specific patterns are called signatures.


Segment, Then Monitor!

Where to monitor?

– Each segment?

– Critical/Sensitive/High-Value segments?

– Inside the Firewall?

– Outside the Firewall?

– VPN and Remote Access Gateways?

– Partner connections?

– Wireless connectivity points?

– Areas with “transient” employees?


Intrusion Prevention Systems (IPS)

Can be host or network based, an IPS has the capability to stop malicious traffic before it is successful.

An IPS is usually installed “in-line” between two network segments and will:

– Monitor

– Detect

– Block

An IPS does more than just send a “RST” packet to a misbehaving host.


IPS and IDS Features

There are several “features” to look for with an IDS or IPS:

– IPS Operating “In-Line”

– High level of granular control

– High reliability and availability

– High performance

– Low Latency

– Accurate detection (low false-positive and false-negative rates)

– Advanced alerting and reaction mechanisms


The Least Privileged Concept

“Anything that is not expressly permitted is denied”.

Permitting individuals access only to required resources when required.– Do users need access to WWW resources? File Servers?

Applications?

Unix ROOT level Example:– Reviewing if ROOT level is truly required

– Only providing ROOT level access to persons who require it

– Providing those users with regular level access and only using ROOT level access as required


Technical Restrictions and Policy

A thorough computer and network security policy must be established and publicized through the company.

– Should provide specific requirements, guidelines, configurations, and expectations of users and administrators

– Should clearly indicate the consequences for non-compliance

– Should be authorized by the compliance officer or CEO/President

Whenever possible, technical controls must be enabled to ensure compliance with policies


Authentication and Identity Management

Essentially, “Are you who you claim to be?”

– The use of two factor authentication, such as having a PIN code and a hand held token

– Biometrics such as fingerprint, facial patterns, or retinal scans

– Secure enrollment process

– Use of Single Sign On (SSO), Lightweight Directory Access Protocol (LDAP), or Active Directory (AD)

– Automated (Cost Savings!) and secure password resets

– Takes the “Asset” into consideration:

• Biometric authentication may be excessive for authentication at the cafeteria, but not the ISP’s data center


Logging, Auditing, and Review

Develop a program to identify which needs to be logged

– Assets, Threats, Risks will determine what is logged and appropriate retention policies

– Logs are completely useless, tape up space, and slow the systems down …… When not reviewed

– Centralized monitoring provides a holistic view and provides vision into trends and attack patterns

– Provides additional forensics and incident response details

– Helps identify systems and processes that have gone haywire

– Provides accountability


Perimeter Security

Can it be strong enough?

– Corporate Remote Access

• Dial-Up (pcAnywhere!)

• VPN (PPTP, IPSec, and SSL) and SSH

– Wireless

– DMZ Connectivity

– Inbound Telnet?

– Dual-homed machines that straddle the network perimeter


And the Perimeter continues to get fuzzy…

Applications (usually in the DMZ) provide an entry point into the network.

– SQL Injection

– Bad Coding Logic

SSL VPN’s are relatively new and have a variety of commercial and open-sourced solutions

– Client side security issues

– Server side security issues


The Firewall

So many vendors and different types, which one is the best?

– Software only solution or a packaged hardware and software solution

– Microsoft Windows or UNIX (including variants such as Solaris and Linux)

– Bridging versus routing connectivity

– Centralized management and monitoring solutions

– High availability and redundant solutions

– What functionality do you want in the FW?


Software vs Hardware Based Firewalls

A software based firewall is an application add-on that sits on top of the computer’s operating system.

– Installed as an aftermarket item or integrated into the OS

– Must update OS and FW software and ensure interoperability so nothing breaks

– Efficiency of the firewall will be dependent on the actual characteristics of the machine chosen

– May be able to purchase add-on functionality to increase performance or add features

– Priced from $0 and up


Software vs Hardware Based Firewalls

A hardware based firewall is a physical device that is plugged into the network.

– Usually pre-configured from the vendor

– May allow for the purchase of add-on hardware or software to increase performance or add features

– Usually look towards the vendor as a single point of contact for updates

– Hardware based appliances are optimized for speed by design as circuits, chips, logic, and processes are designed for a particular application.

– OS may be proprietary, but generally comes “hardened”


What OS To Choose?

Obviously, not a consideration on hardware based firewalls as they come pre-configured.

Software Firewalls:

– Do you have a choice?

– Is one OS inherently more “secure” than another?

– What OS are you familiar with?

– Is the FW Software optimized for a particular software platform?


Routing Firewalls

Routing Firewalls traditionally have the following characteristics:

– Acts as a router with filtering capability

– Has 2 or more interfaces that inspect and filter traffic prior to deciding whether to forward the packet to another interface or to drop it

– Each interface has an IP address layer 3 presence

– Packets that are forwarded would decrement the TTL, have the IP address changed (NAT), and then routed to the destination


Routing Firewalls

There are several “disadvantages” of the traditional routing firewall.– It may not be easy to install a routing firewall between

two networks as you will need IP addresses for each interface and the “awareness” of hosts to know that the Firewall is the gateway

– While firewalls may be configured not to respond to certain types of “malicious” or “exploratory” traffic, it is often easy to not only detect that a firewall exists, but the type of firewall it is

– Has an IP address at it’s interface which could be addressable by a malicious person

– May require more processing power than a bridging firewall as it must bridge and route


Bridging Routers

Rather than “routing”, how about inspecting the packet and then moving them to the proper interface?

– Works at the OSI model layer 2 – the Data Link Layer

– AKA: Transparent, In-Line, Shadow, or Stealth FW

– Data comes in one interface and out the other, after passing through any filtering


Bridging Routers

Bridging routers have several advantages:– Zero Configuration: The bridging firewall can be placed

in line with the network (or segment) that it is protecting. A bridging firewall can be placed:

• Between two routers

• Between a router and a switch (which may protect a group of sensitive machines)

– Because the bridging router operates on Layer 2, it has no IP address and becomes un-addressable and unreachable by IP address

– Bridging routers require less processing overhead and can be a simpler device or incorporate more functionality when compared to an equivalent firewall


Management And Monitoring

In the beginning, each Firewall had a console where the alerting, logging, and rules were managed.

– Firewalls were managed as individual entities

– Logs were kept separately. Rules managed individually

And then firewalls began to log to the SYSLOG, a way to centrally manage the logs and alerts.

And then when the logs and alerts were centralized, then the management of the firewalls was also centralized


Management And Monitoring

Centralized Monitoring:

– Provides a holistic view of the corporate Firewall infrastructure

– Centrally manage logs

• Event Correlation

– Centrally administer systems

• One workstation to administer all Firewalls

• Easy to ensure consistency and uniformity

• Allows for FW policy and procedures verification

– Requires less hardware and software

• Cheaper!


Outsourced Management of Firewalls

Centralized firewall management has several key advantages:

– Generally not a company’s “core competency”

– Staffing levels

– Rule set Management

– 24x7 Support Requirements

– Generally requires a “formal” FW Change Policies and Requirements

– You pay for economies of scale.


What is QoS

QoS: Quality of Service is the prioritization of network traffic for certain applications and services.

Can be implemented through:– MPLS: Multi-Protocol Label Switching

• Used to establish “fixed bandwidth pipes”. Packets are generally market at certain ingress routers and un-marked at egress routers.

– DiffServ: Differentiated Services

• Utilizes the IPv4 Type of Service (ToS) field.

• Typically “applied” at border routers


Why is QoS Important?

QoS is a necessity for Voice Over IP (VoIP)

– Must have a “bandwidth pipe” available for VoIP traffic to help facilitate VoIP availability and PSTN quality calls

– QoS will help minimize:

• Packet Loss

• Latency

• Jitter

– And QoS can help increase security by throttling down worm, virus, and mal-ware propagation


QoS And Firewalls

Where do you put the QoS management devices?

– Inside?

– Outside?

What do you look for in a QoS management system?

– QoS Assignment

• All types of traffic (Critical/NAT’d/Encrypted Traffic)

– Transparency & Ease of Use


QoS Device Placement: External

Consider a QoS Device on the Internet side of a Corporate Firewall.

Internet

FirewallQoS Device

DMZ Machine DMZ Machine

Intranet


QoS On the External Side: Issues

There are several issues with this solution:

– QoS Device cannot consistently classify or encode the information based on IP Header information as some of the data may be encrypted.

– When devices are NAT’d, setting the QoS based on IP Address is difficult.

• The QoS may see the “Intranet” as a single IP due to NAT’ing issues.

– QoS cannot classify traffic by groups or users

– QoS device is unprotected by the corporate firewall and is susceptible to attacks.


QoS Device Placement: Internal

Internet

Firewall

DMZ Machine DMZ Machine

IntranetQoS Device

Consider a QoS Device on the Intranet side of a Corporate Firewall.


QoS On the Internal Side: Issues

There are several issues with this solution:

– QoS device does not know the level of traffic on the Internet link as it has no visibility to congestion levels between the QoS device and the gateway (such as a link-to-link VPN).

– As such, the QoS gateway cannot prevent unacceptable traffic levels from saturating the gateway.


Wrap-Up

Secure Network Infrastructure:

– More than just a firewall

– Requires a “Security Program” as a foundation and includes:

• Policies and awareness training

• Technical controls whenever possible

• Assessments, reviews, penetration testing

• Incident response plans and drills

– Requires continual vigilance


Contact Information

Please feel free to contact me with any questions or comments:

Lucent TechnologiesBell Labs Innovations

Lucent Technologies Inc.Room 2N-611J101 Crawfords Corner RoadHolmdel, NJ 07733Phone: +1.732.949.3408E-mail: [email protected]

George McBride, CISSPSecurity Practice

Lucent Worldwide Services

Pre-Conference Tutorial T-3: May 4, 2004 Making the Right Choices for Your Secure Network Infrastructure George G. McBride Senior Manager, Security Practice.

Documents

network security

security infrastructure

security concerns

robust security

security devices

holistic security program

secure network infrastructures

strong perimeter security