Transcript IPS/IDS

Network Domain
Zach Curry, Nick Tsamis, Andrew Arvay
Network Administrator Levels
 Identifies Network Responsibilities
 Eliminates Excess Costs
 Over Training
 Training Consistency
 Divided Into:
 Network Administrator Level 1 (NAL1)
 Network Administrator Level 2 (NAL2)
 Network Administrator Level 3 (NAL3)
Network Administrator Levels
 Network Administrator Level 1
 End user devices
 Workstations
 Local Ethernet Cables
 VoIP Devices
 User Account Management
 New Users
 User Groups
 Removal of Users
 Setting File Sharing Permissions
 Group Based Permissions
Network Administrator Levels
 Network Administrator Level 2
 Network Infrastructure
 Switches/Routers
 Cat5E/Cat6 Cabling
 Network Backbone
 Servers
 Backups
 Firewall Administration
Network Administrator Levels
 Network Administrator Level 3
 Network Device Certification and Accreditation
 Network Documentation
 Network Topology
 Continuity Of Operations Plan (COOP)
Network Admin Certification
 Network Administrator Level 1 (NAL1)
 Network+ Certification
 Used to measure skill as a network technician







Hardware
Software
Installation
Troubleshooting
Connections
OSI Model
LAN/WAN Protocols
Network Admin Certification
 Network Administrator Level 2 (NAL2)
 Security+ Certification
 Computer Security









Cryptography
Access Control
Disaster Recovery
Risk Management
Network Security
Compliance and Operational Security
Threats and Vulnerabilities
Application, Data, and Host Security
Identity Management
Network Admin Certification
 Network Administrator Level 3 (NAL3)
 CISSP Certification
 Certified Information Systems Security Professional









Access Control Systems & Methodology
Applications & Systems Development
Business Continuity & Disaster Recovery Planning
Cryptography
Law, Investigation & Ethics
Operations Security (Computer)
Physical Security
Security Architecture, Models, & Management Practices
Telecommunications & Network Security
Continuity Of Operations Plan
(COOP)
 Backups
 Frequency
 Type
 Full
 Incremental
 Differential
 Retention
 Offsite Location
Continuity Of Operations Plan
(COOP)
 Redundancy
 Services
 Primary Domain Controller (PDC/BDC)
 DHCP/DNS
 Network
 Core Routers
 Switches
 Power
 UPS
 Circuits
Continuity Of Operations Plan
(COOP)
 Natural Disasters





Fire
Flooding
Tornadoes
Hurricane
Earthquake
 Power Loss
 Hot/Cold Alternate Backbone
Continuity Of Operations Plan
(COOP)
Device Certification and
Accreditation
 Due Diligence
 Network Devices Meet
 Security Requirements
 Policy Requirements
 Clearance Requirements
 Can affect security requirements
 Continuous Process
 Cradle to Grave
Network Defense Testing
 Practice As You Play




Password Cracking
Phishing Attempts
Blue Team
Red Team
 Detailed Reports
 Action Requirements
 Resolution Deadlines
Personnel Decertification
Procedures
 Notify Helpdesk/Security Manager
 Leaving
 Decertification
 Relocation
 Permissions Applied As Groups
 Group Y has write access to resource X
 Removal From Group = Removed Access
 Much more efficient vs. User-based permissions
Network Topology
 Physical – The way devices are laid out in a network
 Example: Ring, Star, Bus, etc
 Logical – How signals behave on the network
 Example: Ethernet
Network Segmentation
 Keep traffic separate
 Network load
 Load balancing
 VLANs
 Traffic types
IPS/IDS
 Intrusion Prevention/Detection System
 Log and alert on suspicious activity
 Firewalls
 DMZ
Hardening and Patching
 Keep security software and operating systems up to date
 Properly configure network devices to close security holes
 Only expose needed services on the network
IP Addressing
 Create subnets to segment traffic
 Private IP subnets:
 192.168.0.0/16
 172.16.0.0/12
 10.0.0.0/8
 Reserve IPs for critical devices
 IPv6 & IPv4
QoS Policy
 Quality of Service
 Deals with network contention
 Telephony
 Protocols
WAN Encryption Policy
 Depending on the sensitivity of the information, different
network requirements may exist for different hardware
 Classified information/hardware should always be encrypted and must stay on
classified networks
 Non-classified and classified networks should be physically separated
 Sensitive information that traverses a public network should be
encrypted BEFORE it leaves the private network
 Have no idea who’s snooping it once it leaves
 Classified and Non-classified networks must remain
independent
 Classified information should never be accessible from a nonclassified network; The network should enforce that
unauthorized hardware and software not run where prohibited
WAN Encryption - VPN
 Virtual Private Network
 Allows the extension of a private network across a public network (internet)
 Encryption should always be used when passing data across public networks
 A VPN creates an encrypted ‘tunnel’ through which a remote client can
connect to an enterprise network for instance – Host to Gateway
– Employees may be required to
use a server on the private
network. A VPN can allow that
employee to securely access
private resources remotely
– Gateway to Gateway
connections allow a regional
office’s network to connect to the
head office’s network
image credit:
wikipedia
Incident Response
 For the purposes of IT, incidents are observed when
normal network operation is disturbed; some level of
crisis may be observed.
 DOS (intentional or unintentional)
 Classified information leak
 Others (Power outage/flood/brownout/cable or router failure)
 The purpose of Incident Response is to minimize the
impact that the incident causes both immediately and
may potentially create in the future.
1.
2.
3.
Identify the incident.
Gather necessary resources for response.
Execute applicable incident response plan.
Incident Response Requirements
 Need to have response teams and plans in place
 Security team and plan should be updated to address specific
incident concerns
 Plan needs to be THOROUGH and COMPLETE. May have the need
for several different kinds of plans.
 ‘Big red button’ plans
 Minimize number and severity of security incidents
 Contain damage; minimize additional/ongoing, risks
 What actions are to be taken against discovered
attackers/offenders; lawsuit/Employee reprimand/etc
 Specify the appropriate personnel
 Avoid “Too many cooks in the kitchen”
Financial Responsibility
Distribution
 Insurance coverage may apply; must fulfill all insurance
requirements
 Federal implications, e.g. HIPAA/ICO/PCI-DSS
 Ensure compliance to auditing authorities:
 Information privacy - ICO (UK)
 HIPAA – department of HHS
 PlayStation Network data leak ended in ~$300k fines
 Credit card numbers remained encrypted
 Other personal information was not, however
 Attack was found to be ‘preventable’
(pwned)
Financial Responsibility
Distribution
 Who is responsible for paying for what resources in a given enterprise?
 Must have a plan in place to define who pays for what in order to avoid
finger pointing!
 Especially important to have this defined in critical situations (incident response)
 Example: data storage in an academic environment
 Professor may utilize computing resources more than others for research outside
of the institution’s scope
Network Authentication
 Used to verify identity
 User is who they say they are
 Multi-factor authentication: more than one factor
 Authentication factors:
1.
Knowledge: something user knows
2.
Possession: something user has
3.
Inherence : something user is
e.g.: password
e.g.: token
e.g.: retinal scan
Physical Security Policy
 Least Privilege - basic pillar of security
 Access rights are set at the minimum required level in order to perform job
duties
 Principle of effectiveness:
 Must be using security controls properly in order for them to be effective
(e.g.: Locks do no good if the key is in the lock)
 Separation of duty
`
Network Infrastructure Security
 Two levels of security:
1. Basic physical perimeter security on campus
 Shared facilities can create cause for concern
 Workstations should remain locked and protected by the main physical perimeter at least
2.
Controlled, monitored access around critical infrastructure devices (e.g.:
sever room, building network switch)
 All employees don’t need access to the server room
 Should employ a security mechanism independent of the campus security
All employee access
Restricted access
Building switch
Enterprise campus
Server room
Switch
Switch
Switch
Switch
Questions?
References













http://technet.microsoft.com
http://www.techsecuritytoday.com/index.php/entry/who-ultimately-pays-for-a-security-breach
http://www.bu.edu/tech/files/2010/01/sc02_enterasys.pdf
http://www.abetterkeywaylocksmith.com/images/content/cabinet-keyservices.jpg?nxg_versionuid=published
http://docs.oracle.com/cd/B10501_01/network.920/a96582/scn81082.gif
http://www.confidenttechnologies.com/files/Post%20it%20note%20password.jpg
http://img.tfd.com/cde/_SECURID.GIF
http://webdesignlists.com/wp-content/uploads/2012/09/retinal-scan.jpg
http://4.bp.blogspot.com/_2ZvV0BgOUE0/TGikpYJwKYI/AAAAAAAAA4Q/5RgEQ9TR1zg/s1600/shrug
.jpg
http://commons.wikimedia.org/wiki/File:Finger-pointing-icon.png
http://commons.wikimedia.org/wiki/File:DHS_Network_Topology.jpg
http://en.wikipedia.org/wiki/CompTIA
https://www.isc2.org/CISSP/Default.aspx