
Turning the Network Inside Out

Feb 13, 2016

Transcript
Page 1: Turning the Network Inside Out

Turning the Network Inside Out
Joel Snyder, Ph.D.
Senior Partner
Opus One
[email protected]

Page 2: Turning the Network Inside Out

Most networks focus on perimeter defense

“[AT&T’s gateway creates] a sort of crunchy shell around a soft, chewy center.” (Bill Cheswick, Design of a Secure Internet Gateway, April, 1990)

(Diagram label: Big Bad Internet)

Page 3: Turning the Network Inside Out

Perimeter defense has its flaws

“Protecting your network with a perimeter firewall is like putting a stake in the middle of a field and expecting the other team to run into it.”

#include <statistic on insider break-in percent>

“If your position is invisible, the most carefully concealed spies will not be able to get a look at it.” (Sun-Tzu)

(Diagram labels: Big Bad Internet; Virus)

Page 4: Turning the Network Inside Out

Defense in Depth is the alternative

Make the network “crunchy,” not soft and chewy throughout.

Turn the network inside-out: the security is on the inside, not on the outside

Page 5: Turning the Network Inside Out

We don’t do defense-in-depth because...

Cost
• The cost of adding firewall “brains” has been prohibitive

Performance
• Firewalls are slower than Gigabit switches

Management
• Determining the “many-to-many” relationships is difficult

Authentication
• How do you know who has that IP address anyway? What about NATed users?

Policy
• It’s hard to describe the security policy for inside users; it’s much easier to describe the Internet-oriented policy

Page 6: Turning the Network Inside Out

Whoops. I lied. My bad.

Cost
• dropping

Performance
• increasing

Management
• getting better

Authentication
• solved

Policy
• OK, there had to be something we couldn’t solve with technology

Page 7: Turning the Network Inside Out

You can implement Defense-in-Depth

New and Exciting
• 802.1X Authentication
• Digital Certificates
• VLANs as Security Barriers
• Multiple levels of ACLs
• Firewall/VPN on the NIC
• Network Intrusion Detection/Prevention Systems

Not-so-bleeding-edge
• MAC lock-down on ports
• Authenticated routing updates
• Rate-limiting (DoS resistance)
• Host-based IDS
• RADIUS-based authentication
• SSH (Secure Shell) for management
• SNMPv3 and not SNMPv2
• “Access Ethernet” dedicated management network

Page 8: Turning the Network Inside Out

802.1X is the new standard for layer 2 authentication

(Diagram: Supplicants talk to the Authenticators using EAP over Wireless or EAP over LAN; the Authenticators relay the exchange to the Authentication Server (e.g., RADIUS server) using EAP over RADIUS; beyond the Authentication Server is “The World”.)

Page 9: Turning the Network Inside Out

802.1X on every port adds security

In the wireless environment, 802.1X is absolutely required
• 802.11i and WPA (Wi-Fi Protected Access) use 802.1X
• Pure 802.1X for authentication solves most WEP problems (if implemented with mutual authentication methods TLS, TTLS or PEAP)

(Diagram label: EAP over RADIUS. Callouts from the RADIUS server: “Put the user on VLAN x and here’s what he has access to...” and “Here’s your WEP key for the next 30 seconds...”)

Page 10: Turning the Network Inside Out

802.1X on every port adds security, II

In the wired environment, 802.1X adds security
• Microsoft gives it to you for free with W2K and XP
• Many wireless vendors too...
• 802.1X ties to RADIUS which means... you can use RADIUS to push authorization information to wired and wireless equipment
  • VLAN information
  • ACL (access control list) information
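Slides 8 and 10 describe the RADIUS side of 802.1X: the authentication server answers the authenticator with an Access-Accept that carries the VLAN and ACL the switch or access point should apply. The following added example (not from the deck, and not any vendor's code) builds and parses such a reply using the standard attribute numbers from RFC 2865/2868/3580: Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81 for the VLAN, and Filter-Id 11 for the ACL name. The shared secret, request authenticator, VLAN id and ACL name are constructed sample values; the Response Authenticator check shows why the switch can only trust a reply from a server that knows the secret.

```python
import hashlib
import struct

# Attribute numbers and values fixed by RFC 2865 / RFC 2868 / RFC 3580
ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11                 # name of an ACL to apply to the session
ATTR_TUNNEL_TYPE = 64               # tagged; 13 = VLAN
ATTR_TUNNEL_MEDIUM_TYPE = 65        # tagged; 6 = IEEE-802
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81   # tagged; the VLAN id as a string
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (Length counts the 2-byte header)."""
    assert len(value) <= 253, "RADIUS attribute values are at most 253 bytes"
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes,
                        vlan_id: int, acl_name: str, tag: int = 1) -> bytes:
    """Access-Accept telling the authenticator which VLAN and ACL to apply."""
    attrs = (
        _attr(ATTR_TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + _attr(ATTR_TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
        + _attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode())
        + _attr(ATTR_FILTER_ID, acl_name.encode())
    )
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def parse_authorization(packet: bytes, request_auth: bytes, secret: bytes) -> dict:
    """Verify the Response Authenticator, then pull VLAN and ACL out of the attributes."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if len(packet) != length:
        raise ValueError("length field does not match packet size")
    response_auth, attrs = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if response_auth != expected:
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    result = {"code": code, "identifier": identifier, "vlan": None, "acl": None}
    tunnel_type = medium = group = None
    pos = 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[pos + 2:pos + alen]
        pos += alen
        if atype == ATTR_TUNNEL_TYPE:
            tunnel_type = int.from_bytes(value[1:], "big")   # value[0] is the tag byte
        elif atype == ATTR_TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(value[1:], "big")
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            group = value[1:].decode()
        elif atype == ATTR_FILTER_ID:
            result["acl"] = value.decode()
    # Only honour the group id when the tunnel attributes really describe an 802 VLAN
    if tunnel_type == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_802 and group:
        result["vlan"] = int(group)
    return result


def demo() -> dict:
    # Constructed values: the authenticator normally comes from the Access-Request,
    # and the secret is the one configured on both the switch and the RADIUS server.
    request_auth = bytes(range(16))
    secret = b"example-shared-secret"
    packet = build_access_accept(42, request_auth, secret, vlan_id=10, acl_name="HR-only")
    ok = parse_authorization(packet, request_auth, secret)
    try:
        parse_authorization(packet, request_auth, b"wrong-secret")
        forged_accepted = True
    except ValueError:
        forged_accepted = False
    return {"vlan": ok["vlan"], "acl": ok["acl"], "forged_accepted": forged_accepted}


if __name__ == "__main__":
    print(demo())
```

In an EAP exchange a real server also carries EAP-Message and Message-Authenticator attributes (RFC 2869); they are omitted here so that the VLAN/ACL push itself stays visible.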

Page 11: Turning the Network Inside Out

What are pitfalls and caveats with 802.1X?

802.1X does not mandate an authentication method
• So you have to pick one (TLS, TTLS, or PEAP)
• There are a bunch of choices and a bunch of interoperability problems (TTLS vs. PEAP)
• Strategy: hold off until this battle is settled by the IETF

802.1X does not require you to swap out your RADIUS infrastructure
• You can get a new, small server which will proxy to your existing RADIUS servers

802.1X will not immediately be “full featured”
• Authorization information, such as ACLs and VLANs, is still awaiting “industry agreement”

Page 12: Turning the Network Inside Out

n = p·q
d = e^-1 mod ((p-1)(q-1))

Public/Private Cryptography enables ...

Authentication
• Using public/private cryptography, I can strongly prove my identity

Integrity Checking
• Using public/private cryptography, I can digitally sign documents and ensure that they cannot be tampered with
• Digitally signed documents have “proof of sender” as well

Encryption
• Using public/private cryptography, I can encrypt short and long strings of data effectively

Page 13: Turning the Network Inside Out

Digital Certificates enable public/private cryptography

A Certificate can be many things and have many forms, but fundamentally is a binding of a public key to an identity

n = p·q
d = e^-1 mod ((p-1)(q-1))
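Slides 12 and 13 give the two RSA formulas, n = p·q and d = e^-1 mod ((p-1)(q-1)), and then define a certificate as a binding of a public key to an identity. The added example below (not part of the deck) works both through in textbook form: key generation from the slide's formulas, the three uses the slide lists (authentication/signing, integrity checking, encryption), and a toy certificate where a CA signs the pair (identity, public key) so that re-binding the key to another identity is detectable. The primes are fixed Mersenne primes chosen so the arithmetic is checkable, which is an assumption of the example; real keys use random primes of 1024 bits and more, plus padding (PKCS#1, OAEP, PSS), none of which is shown here.

```python
import hashlib
import math

PUBLIC_EXPONENT = 65537


def make_keypair(p: int, q: int, e: int = PUBLIC_EXPONENT):
    """The slide's formulas: n = p·q and d = e^-1 mod ((p-1)(q-1))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1, "e must be invertible modulo (p-1)(q-1)"
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)        # (public key, private key)


def encrypt(public_key, data: bytes) -> int:
    """Encryption: anyone holding the public key can encrypt one block with m < n."""
    n, e = public_key
    m = int.from_bytes(data, "big")
    assert 0 < m < n, "textbook RSA encrypts a single block shorter than n"
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(data: bytes, n: int) -> int:
    # Hash-then-sign; reduced mod n only because the toy moduli are shorter than 256 bits
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data: bytes) -> int:
    """Integrity checking and proof of sender: only the private-key holder can produce this."""
    n, d = private_key
    return pow(_digest(data, n), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest(data, n)


def issue_certificate(ca_private_key, subject: str, subject_public_key) -> dict:
    """A certificate binds a public key to an identity; the CA's signature seals the binding."""
    n, e = subject_public_key
    to_be_signed = f"{subject}|{n}|{e}".encode()
    return {"subject": subject, "n": n, "e": e,
            "signature": sign(ca_private_key, to_be_signed)}


def verify_certificate(ca_public_key, cert: dict) -> bool:
    to_be_signed = f"{cert['subject']}|{cert['n']}|{cert['e']}".encode()
    return verify(ca_public_key, to_be_signed, cert["signature"])


def demo() -> dict:
    # Constructed toy keys: Mersenne primes 2^31-1, 2^61-1 (user) and 2^89-1, 2^107-1 (CA)
    user_pub, user_priv = make_keypair(2**31 - 1, 2**61 - 1)
    ca_pub, ca_priv = make_keypair(2**89 - 1, 2**107 - 1)
    message = b"hello"
    signature = sign(user_priv, message)
    cert = issue_certificate(ca_priv, "alice@example.com", user_pub)
    rebound = dict(cert, subject="mallory@example.com")   # same key, different identity
    return {
        "roundtrip": decrypt(user_priv, encrypt(user_pub, message)) == message,
        "signature_ok": verify(user_pub, message, signature),
        "tampered_doc_rejected": not verify(user_pub, b"hellO", signature),
        "certificate_ok": verify_certificate(ca_pub, cert),
        "rebound_cert_rejected": not verify_certificate(ca_pub, rebound),
    }


if __name__ == "__main__":
    print(demo())
```

The certificate here is just a signed string; X.509 adds validity dates, serial numbers, extensions and revocation pointers around the same core binding, and it is exactly that extra machinery that slide 15 complains about.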

Page 14: Turning the Network Inside Out

Many existing IT applications can use certificates

Authentication
• SSL-based Web servers
• VPNs
• Remote User Authentication
• Windows 2K/XP Login
• 802.1X Network Authentication
• E-mail (Netscape, Outlook, others supporting S/MIME)

Encryption
• E-mail (S/MIME clients)
• Certificate-based techniques can also be used to pass encryption keys for secret key encryption: disk partitions, for example

And they all can use the same certificate!

Page 15: Turning the Network Inside Out

So, why isn’t everyone using them?

PKI manufacturers have made it more complex than it needs to be
• “Solve all the problems up front, for country-wide deployments” seems to be their strategy
• And expensive!

Certificate Revocation List strategies have not been coherent
• Online Certificate Status Protocol may help

Certificate Enrollment is chaotic
• Four different protocols in common use
• Plus a few proprietary ones

Page 16: Turning the Network Inside Out

VLANs aren’t just for breakfast anymore

802.1q (Virtual LANs) can be used to combine, yet not mix, traffic from multiple networks

Originally: Management Domains

Now: Security Domains

(Diagram label: “tagged” VLANs)
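Slide 16 says 802.1q lets you combine, yet not mix, traffic from several networks on one wire by tagging frames. The added example below (not from the deck) shows what the tag actually is: a parser that pulls the 4-byte 802.1Q tag (TPID 0x8100, then PCP/DEI/VID) out of an Ethernet frame, and a small ingress rule that decides which VLAN a frame lands in on an access port or a trunk. The port model (access ports accept only untagged frames; trunks accept tagged frames on an allowed list and untagged frames on the native VLAN) is a simplification assumed for this example, and the frames are constructed inline.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into addresses, optional 802.1Q tag, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "vid": None, "pcp": None, "dei": None}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]   # Tag Control Information
        info["pcp"] = tci >> 13                       # 3-bit priority code point
        info["dei"] = (tci >> 12) & 1                 # drop eligible indicator
        info["vid"] = tci & 0x0FFF                    # 12-bit VLAN identifier
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def ingress_vlan(info: dict, port: dict):
    """Which VLAN does an arriving frame belong to? None means the switch drops it.

    port is {"mode": "access", "pvid": N} or
            {"mode": "trunk", "allowed": {...}, "native": N}
    Simplified model assumed by this example; real switches vary in the details.
    """
    vid = info["vid"]
    if port["mode"] == "access":
        return port["pvid"] if vid is None else None       # tagged frames don't belong here
    if vid is None:
        return port["native"] if port["native"] in port["allowed"] else None
    return vid if vid in port["allowed"] else None


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: int = None, pcp: int = 0) -> bytes:
    """Constructed test frames: the inverse of parse_frame."""
    head = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)
        head += struct.pack("!HH", TPID_8021Q, tci)
    return head + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    tagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0800, b"\x45" * 20,
                         vid=100, pcp=3)
    print(parse_frame(tagged))
    print(ingress_vlan(parse_frame(tagged), {"mode": "trunk", "allowed": {100, 200}, "native": 1}))
```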

Page 17: Turning the Network Inside Out

Use VLANs to distribute protected and unprotected services

(Diagram labels: 1st Floor; 2nd Floor; 3rd Floor; 4th Floor)

Page 18: Turning the Network Inside Out

Using VLANs for security has its risks

If packets jump from one VLAN to the other... the game is over

Management of switching infrastructure is now as important as management of firewalls

Your switches are your weak links
• Attacks
• Bugs

Switch vendors have a very bad reputation in this area

(Diagram label: Risk/Benefit Analysis)

Page 19: Turning the Network Inside Out

All Access Control Lists are not created equal
Some are more equal than others

Static Packet Filters
• Typically look only at the IP layer
• Cannot be used for port-based controls
• Are commonly implemented
• High performance

“Extended” Access Lists (Packet Filters)
• Look at things within the IP and TCP or UDP header (such as port number and flags)
• Can be used for limited port-based controls
• Available on many, but not all, platforms
• High performance

Stateful Packet Filters
• Look at the entire datagram and try to simulate higher-layer state machines
• Considered very secure at layer 3 (Check Point, Cisco depend on them)
• Slower and more CPU/memory intensive

Page 20: Turning the Network Inside Out

ACLs can be spread throughout your network to increase security

• Pre-filter protocols (such as SNMP) you never want to let in; block spoofed packets
• Block SMTP not from Internet.
• Allow traffic to HR server only from HR VLAN
• User can get to departmental servers and Internet only
• Kiosk PCs can’t get to inside net
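Slide 19 contrasts three kinds of ACL, and slide 20 lists the kinds of rule you would spread around the network. The added example below (not from the deck, and not any vendor's ACL syntax) runs one rule set from slide 20 through all three kinds of filter on constructed packets, so that the differences become concrete: the static filter cannot express the port-based rules at all, the extended filter can but has no memory of flows, and the stateful filter remembers flows, which is what lets it admit replies to an allowed connection without a standing hole. The address ranges for the HR VLAN, HR server, kiosk VLAN and inside network are assumptions of the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the slide's scenario (assumptions of this example)
HR_VLAN = ip_network("10.1.0.0/24")
KIOSK_VLAN = ip_network("10.5.0.0/24")
INSIDE = ip_network("10.0.0.0/8")
HR_SERVER = ip_network("10.9.0.10/32")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 40000
    dport: int = 443
    syn: bool = True      # a fresh TCP connection has SYN set and ACK clear
    ack: bool = False


# Rule = (action, src_net, dst_net, proto, dport); "*" means any. First match wins.
RULES = [
    ("deny",  ANY,        INSIDE,    "udp", 161),   # pre-filter SNMP you never want to let in
    ("deny",  KIOSK_VLAN, INSIDE,    "*",   "*"),   # kiosk PCs can't get to inside net
    ("allow", HR_VLAN,    HR_SERVER, "tcp", 443),   # HR server only from HR VLAN
    ("deny",  ANY,        HR_SERVER, "*",   "*"),
    ("allow", INSIDE,     ANY,       "*",   "*"),   # users reach departmental servers and Internet
    ("deny",  ANY,        ANY,       "*",   "*"),
]


def _matches(pkt: Packet, rule, use_l4: bool) -> bool:
    _, src, dst, proto, dport = rule
    if ip_address(pkt.src) not in src or ip_address(pkt.dst) not in dst:
        return False
    if not use_l4:
        return True
    return proto in ("*", pkt.proto) and dport in ("*", pkt.dport)


def static_filter(pkt: Packet) -> str:
    """Static packet filter: IP layer only. Rules needing a protocol or port
    cannot be expressed, so they simply do not exist in this filter."""
    for rule in RULES:
        if rule[3] == "*" and rule[4] == "*" and _matches(pkt, rule, use_l4=False):
            return rule[0]
    return "deny"


def extended_filter(pkt: Packet) -> str:
    """Extended ACL: also looks at protocol and port, but has no memory of flows."""
    for rule in RULES:
        if _matches(pkt, rule, use_l4=True):
            return rule[0]
    return "deny"


class StatefulFilter:
    """Stateful filter: extended rules for new flows plus a connection table, so
    replies to an allowed flow pass and unsolicited mid-stream packets do not."""

    def __init__(self):
        self.flows = set()

    def check(self, pkt: Packet) -> str:
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.flows:
            return "allow"                       # reply belonging to a known flow
        if pkt.proto == "tcp" and (not pkt.syn or pkt.ack):
            return "deny"                        # not a connection opener and no flow known
        action = extended_filter(pkt)
        if action == "allow":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return action


def demo() -> dict:
    hr_to_hr_server = Packet("10.1.0.5", "10.9.0.10", dport=443)
    inside_snmp = Packet("10.2.0.9", "10.3.0.4", proto="udp", sport=161, dport=161)
    user_out = Packet("10.2.0.9", "93.184.216.34", sport=40000, dport=443)
    reply_in = Packet("93.184.216.34", "10.2.0.9", sport=443, dport=40000, syn=True, ack=True)
    stray_ack = Packet("203.0.113.7", "10.2.0.9", sport=443, dport=40000, syn=False, ack=True)
    sf = StatefulFilter()
    results = {
        "static_hr_to_hr_server": static_filter(hr_to_hr_server),     # can't express the port rule
        "extended_hr_to_hr_server": extended_filter(hr_to_hr_server),
        "static_inside_snmp": static_filter(inside_snmp),             # SNMP slips through
        "extended_inside_snmp": extended_filter(inside_snmp),
        "extended_reply": extended_filter(reply_in),                  # no hole, so reply is lost
        "stateful_outbound": sf.check(user_out),
    }
    results["stateful_reply"] = sf.check(reply_in)                    # now permitted by the table
    results["stateful_stray_ack"] = sf.check(stray_ack)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28s} {v}")
```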

Page 21: Turning the Network Inside Out

ACLs everywhere is a tricky situation

Static ACLs on ports can be difficult to manage and maintain (at this time)

802.1X-derived ACLs don’t have sufficient context to work at IP layer (yet)

Not every device has the capability

Not every policy-based security server has the ability

(Diagram callout: “Put the user on VLAN x and here’s what he has access to...”)

But this is a technology coming very soon to a theatre near you!

Page 22: Turning the Network Inside Out

You can put a firewall on a NIC

Technically, this is not making the network itself crunchy and more secure

“Defense in Depth” isn’t too concerned with labels

(Diagram labels: Policy Server; Policy; Policy)

Vendors: 3COM, Snap, OmniCluster, NetMaster, Corrent

Page 23: Turning the Network Inside Out

You can make a network which has deep defenses

(Diagram: “The Network” in the centre, surrounded by the following defenses)

IDS/IPS
• Intrusion Detection and Prevention for forensics and prevention

Perimeter Firewalls and VPNs
• Old Standbys still useful!

PKI Authentication
• Uniform approach to authentication gives strongest security

Multi-Level Security
• Push ACLs everywhere they can go, dynamic, too.

Layer 2 Authentication
• 802.1X Network Login authenticates users

Internal Security
• Embedded Firewall secures desktops and servers

Wireless
• Secure wireless LAN, using 802.1X and/or 802.11i and/or IPsec

Segmentation
• VLANs as management and as security domains

Page 24: Turning the Network Inside Out

Thank you.

Questions, comments?