Feb 13, 2016
Turning the Network Inside OutJoel Snyder, Ph.D.Senior PartnerOpus [email protected]
Most networks focus on perimeter defense“[AT&T’s gateway creates] a sort of crunchy shell around
a soft, chewy center.” (Bill Cheswick, Design of a Secure Internet Gateway, April, 1990)
Big Bad Internet
Perimeter defense has its flaws“Protecting your network
with a perimeter firewall is like putting a stake in the middle of a field and expecting the other team to run into it.”
#include <statistic on insider break-in percent>
“If your position is invisible, the most carefully concealed spies will not be able to get a look at it.” (Sun-Tzu)
Big Bad Internet
Virus
Defense in Depth is the alternative
Make the network “crunchy,” not soft and chewy throughout.
Turn the network inside-out: the security is on the inside, not on the outside
We don’t do defense-in-depth because...Cost
• The cost of adding firewall “brains” has been prohibitive
Performance• Firewalls are slower than
Gigabit switches
Management• Determining the “many-to-
many” relationships are difficult
Authentication• How do you know who
has that IP address anyway? What about NATed users?
Policy• It’s hard to describe the
security policy for inside users; it’s much easier to describe the Internet-oriented policy
Whoops. I lied. My bad.
Cost• dropping
Performance• increasing
Management• getting better
Authentication• solved
Policy• OK, there had to be
something we couldn’t solve with technology
You can implement Defense-in-DepthNew and Exciting
802.1X AuthenticationDigital CertificatesVLANs as Security BarriersMultiple levels of ACLsFirewall/VPN on the NICNetwork Intrusion
Detection/Prevention Systems
Not-so-bleeding-edge MAC lock-down on ports Authenticated routing updates Rate-limiting (DoS resistance) Host-based IDS RADIUS-based authentication SSH (Secure Shell) for
management SNMPv3 and not SNMPv2 “Access Ethernet” dedicated
management network
802.1X is the new standard for layer 2 authentication
Supplicant EAP over WirelessEAP over LAN
Supplicant
Authenticators Authentication Server (e.g.,
RADIUS server)
EAP over RADIUS
The World
802.1X on every port adds security
In the wireless environment, 802.1X is absolutely required• 802.11i and WPA (Wi-Fi
Protected Access) use 802.1X
• Pure 802.1X for authentication solves most WEP problems (if implemented with mutual authentication methods TLS, TTLS or PEAP)
EAP over
RADIUS
“Put the user on VLAN x and here’s what he has access to...”
“Here’s your WEP key for the next 30 seconds...”
802.1X on every port adds security, II
In the wired environment, 802.1X adds security• Microsoft gives it
to you for free with W2K and XP
• Many wireless vendors too...
* 802.1X ties to RADIUS which means...
...you can use RADIUS to push authorization information to wired and wireless equipment* VLAN information* ACL (access control list) information
What are pitfalls and caveats with 802.1X?802.1X does not mandate an authentication method
• So you have to pick one (TLS, TTLS, or PEAP)• There are a bunch of choices and a bunch of interoperability problems
(TTLS vs. PEAP)• Strategy: hold off until this battle is settled by the IETF
802.1X does not require you to swap out your RADIUS infrastructure• You can get a new, small server which will proxy to your existing
RADIUS servers802.1X will not immediately be “full featured”
• Authorization information, such as ACLs and VLANs, is still awaiting “industry agreement”
n = p•q
d = e-1 mod((p-1)(q-1))
Public/Private Cryptography enables ...
Authentication• Using public/private cryptography, I can strongly prove my identity
Integrity Checking• Using public/private cryptography, I can digitally sign documents
and ensure that they cannot be tampered with• Digitally signed documents have “proof of sender” as well
Encryption• Using public/private cryptography, I can encrypt short and long
strings of data effectively
Digital Certificates enable public/private cryptography
A Certificate can be many things and have many forms, but fundamentally is a binding of a public key to an identity
n = p•q
d = e-1 mod((p-1)(q-1))
Many existing IT applications can use certificates
AuthenticationSSL-based Web serversVPNs Remote User
AuthenticationWindows 2K/XP Login802.1X Network AuthenticationE-mail (Netscape, Outlook,
others supporting S/MIME)
EncryptionE-mail (S/MIME clients)
Certificate-based techniques can also be used to pass encryption keys for secret key encryption: disk partitions, for example
And they all can use the same certificate!
So, why isn’t everyone using them?PKI manufacturers have made it more complex than it needs to
be• “Solve all the problems up front, for country-wide
deployments” seems to be their strategyAnd expensive!Certificate Revocation List strategies have not been coherent
• Online Certificate Status Protocol may helpCertificate Enrollment is chaotic
• Four different protocols in common use• Plus a few proprietary ones
VLANs aren’t just for breakfast anymore
802.1q (Virtual LANs) can be used to combine, yet not mix, traffic from multiple networks
Originally: Management Domains
Now: Security Domains
“tagged” VLANs
Use VLANs to distribute protected and unprotected services1st Floor 2nd Floor 3rd Floor 4th Floor
Using VLANs for security has its risks
If packets jump from one VLAN to the other... the game is over
Management of switching infrastructure is now as important as management of firewalls
Your switches are your weak links • Attacks• Bugs
Switch vendors have a very bad reputation in this area
Risk/Benefit Analysis
All Access Control Lists are not created equalSome are more equal than others
Static Packet Filters
Typically look only IP layer
Cannot be used for port-based controls
Are commonly implemented
High performance
“Extended” Access Lists
(Packet Filters) Look at things within
IP and TCP or UDP header (such as port number and flags)
Can be used for limited port-based controls
Available on many, but not all, platforms
High performance
StatefulPacket Filters
Look at entire datagram and try and simulate higher layer state machines
Considered very secure at layer 3 (Check Point, Cisco depend on them)
Slower and more CPU/memory intensive
ACLs can be spread throughout your network to increase security
Pre-filter protocols (such as SNMP) you never want to let in; block spoofed packets
Block SMTP not from Internet.
Allow traffic to HR server only from HR VLAN
User can get to departmental servers and Internet only
Kiosk PCs can’t get to inside net
ACLs everywhere is a tricky situationStatic ACLs on ports can be difficult to manage and maintain (at
this time)
802.1X-derived ACLs don’t have sufficient context to work at IP layer (yet)
Not every device has the capabilityNot every policy-based security server has the ability
“Put the user on VLAN x and here’s what he has access to...”
But this is a technology coming very soon to a theatre near you!
You can put a firewall on a NICTechnically, this is not making the
network itself crunchy and more secure “Defense in Depth” isn’t too concerned
with labels
Policy Server
Policy
Policy
Vendors: 3COM, Snap, OmniCluster, NetMaster, Corrent
You can make a network which has deep defenses
TheNetwork
IDS/IPSIntrusion Detection
and Preventionfor forensics and
prevention
PerimeterFirewallsand VPNs
Old Standbys still useful!
PKI AuthenticationUniform approach toauthentication givesstrongest security
Multi-Level SecurityPush ACLs everywhere
they can go,dynamic, too.
Layer 2Authentication
802.1X Network Login authenticates
users
Internal SecurityEmbedded Firewall secures desktops
and servers
WirelessSecure wireless LAN, using 802.1X and/or802.11i and/or IPsec
SegmentationVLANs as management
and as securitydomains
Thank you.
Questions, comments?