Transcript Network Policy - Andrew.cmu.edu

Network Policy
(slides by Jeremy, Brian, and
Daniel)
What Network Policy IS
• Includes a set of preconditions required for
network access and to maintain that
access (access policy)
• Some Examples:
– Must be running the organization’s specified
antivirus product with latest virus definitions
– Must have personal firewall enabled
• Egress/ingress, particular ports, protocols, etc.
– Must pass a scan for known vulnerabilities
(like CMU)
What Else Network Policy IS
• Specifies access controls for systems and
resources
• Examples:
– Bank teller can only connect to the bank
network during regular business hours
– Staff not employed by the payroll department
must not access payroll records.
Anything Else?
• What is allowed on the network
– Hotmail, Ebay, Ameritrade, Pornography?
• What is monitored
– How long do you keep the logs
– What do you do with them after that time
period
– Who handles these logs
– Who is responsible for auditing them
Network Policy is NOT
• A firewall, IDS,
IPS, etc
• A certification
• Something you
download and
print
• Something you
purchase
It is a custom tailored process!
The IKEA Analogy for Network
Policy
• No policy is like having no instructions for
securing the network
• Seems simple but actually a million complicated
pieces with complex interactions
• “Universal Tool” – Not the best solution
• It works great until it falls apart and needs to be
redone the right way
– Find out what those extra parts do after the fact
• Frustrating?
• Quality Issues?
But Policy is Just Paper
• True, policy needs to be enforced
– People are either ignorant of or don’t care what is on
the paper.
– Survey: Who has knows CMU’s Network Policy?
• How to enforce Network Policy?
– Technology: firewalls, ACLs, Nessus, card readers,
network monitors, encryption, active directory etc.
• Can’t effectively deploy these tools without
policy
– Can’t build sturdy furniture
(security) without directions
(policy)
– Policy = Directions
Designing Network Policy
• Very specific to the organization’s needs
• No “one size fits all”
• Try to follow best practices
– Least Privilege
– Defense in Depth
– ACTIVE MONITORING
• Build this into the policy!
• Threats constantly evolve, security must
do the same.
The Case: Issues to Consider
• Least Privilege
– Sponsors – “What do you mean I can’t do xyz, I paid
for this thing to happen!”
– Money Talks, but making exceptions can break down
security of entire system
• People want money spent on something visible
– Make case for security supporting visibility? Does it?
• People want invisible security
• If it is a hassle, they will circumvent it
– Media – use venue as backdoor
More Issues: Insiders
• Organizations implicitly trust them
• Intimate knowledge of system and its
weak points
• May be sympathetic to protesters
• Physical access to critical areas
– Easy to plug in a rogue WAP on the wired
network
• Many new temporary employees
– Where is their loyalty?
Showdown: Wireless Policy
VS
Wireless Policy Considerations
• Basic requirements for event
– Can enough cable be run at the venue to
support all wired connections?
– Do the participants need wireless? Why?
• Who is in charge?
– Delegate who is in charge and who takes
responsibility for problems
• Establishes accountability and point of contact
What is the Risk?
• Perform a Risk Assessment
– Potential Threats:
• DoS, Session hijacking, sniffing, MITM, ad-hoc connections
• Wardrive/Warwalk to determine physical exposure
– What is the wireless going to be used for?
• casual websurfing (low risk)
• Media/sponsor access (medium risk)
• Confidential scheduling and voting (high risk)
– How frequently to assess risk?
• Do the threats outweigh the benefits?
• See NIST 800-30 for more formal information
Consider Wireless Topology
• Network Topology
– Wireless as untrusted network
– Wired as trusted network
– Separate them with a gateway
– Install filter to control/monitor traffic at that
junction
• Active monitoring goes in the wireless policy!
Other Considerations
• How to Authenticate
– Cost, ease of implementation, ease of use
– PKI may be too much, Open may be too little
• Maintaining Confidentiality
– Encryption – WEP, WPA, IPSec
• Selection based on sensitivity of data
– Key management
• How to distribute
• Can we change it faster than it can be cracked?
• Availability
– Most noticeable
– Productivity losses
– Media backlash
No WiFi For You!
• Do we allow it or not?
• Is the threat greater than the benefit?
– Difficult to quantify
• Do we also allow limited wired access if wireless
goes down?
• What if wireless keys are shared with outsiders?
• Many other “what if’s”
• See NIST 800-48 for a wealth of information
This Can Be Really Tough!
• Difficulty will cause users
to circumvent security
measures
• Prepare for your first line
of defense to fail (D.I.D.)
• Perhaps we need
something more rigorous
• A formal framework with
better metrics for making
critical decisions
Conclusion
• Are Network Policies such as the ones
described tonight silver bullets??
• The answer is NO!!!!
Conclusion
• These are guidelines that need to be
enforced, understood, documented and
evaluated constantly because the
environmental variables (such as new
technology) change over time