Transcript Document
A 24x7x365
Secure Government
Internet Portal
by Gavin Longmuir
[email protected]
1
5 November 2001
What are the objectives of Information Security?
Availability
Confidentiality
Integrity
A Secure AND Available Portal?
A secure, highly available Government Internet portal must not only ensure the availability of its resources but also ensure the integrity of those resources and prevent opportunities for malicious misuse of the resource.
Guidelines that must be followed
National Office for the Information Economy (NOIE) – Online Security Requirements for Commonwealth Agencies
Commonwealth Privacy Act (Public Sector) 1998
Guidelines …
Protective Security Manual (PSM)
Part C: Information Security
Part E: Physical Security
Defence Signals Directorate (DSD)’s ACSI 33
HB 2: Evaluated Products
HB 3: Risk Management
HB 4: Security Management
HB 8: Network Security
HB 10: Web Security
HB 13: Intrusion Detection and Audit Analysis
HB 14: Physical Security
Guidelines …
DSD’s Gateway Certification Guide
DSD/NOIE Commonwealth Agency Online Security Checklist
Industry guidelines
ISO 17799:2001 – Code of practice for Information Security Management
Formerly AS/NZS 4444.1 or BS 7799.1
AS/NZS 4360:1999 – Risk Management
Building a Secure High Availability Environment
Physical Security – Computer Rooms
Firewalls
Intrusion and Misuse Detection
Security Awareness and Training
Building It Secure – Evaluated Products
Availability
Denial of Service Attacks
Incident Handling
Physical Security – Computer Rooms
Standards developed by DSD and ASIO T4 Group
Access Control/All physical access secured (including ducts and wall/roof tiles)
Alarm Systems (certification to be undertaken by ASIO T4 Group)
Secure Containers/Racks
Extensive UPS Systems (including testing)
Firewalls
Implemented as security enforcing points of the network
Filtering device
Application Filtering
Stateful Inspection
IP Header Restriction (e.g. source IP address)
Application Restriction (e.g. only FTP get/recv)
Content
To have verbose logging and reporting apparatus
Intrusion and Misuse Detection
Intrusion Detection Systems (IDS)
Network (promiscuous) tap – NIDS
Host based, with additional system activity as inputs – HIDS
Based on expert ‘pattern’ matching – not 100%
Placement is vital – the event could occur in a non-monitored environment
Monitoring and correlation with other logs (routers/firewalls) can give essential foresight
Logs provide legal forensic evidence for any possible prosecution
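The correlation point on this slide, shown as an added example that is not part of the original presentation: a NIDS alert on its own says that a pattern was seen, while the firewall log says whether that source's traffic was actually accepted into the portal around the same time. The two log formats, the addresses and the signature names below are constructed for the illustration; a real NIDS or firewall needs a parser for its own format.

```python
"""Correlating NIDS alerts with firewall log entries by source address and time.

Added example, not from the original presentation. The two log formats,
the addresses and the signature names are constructed for this
illustration; a real NIDS or firewall needs its own parser.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed NIDS alert lines: date, time, source, destination, signature.
NIDS_ALERTS = """\
2001-11-05 09:14:02 192.0.2.44 198.51.100.10 HTTP directory traversal attempt
2001-11-05 09:14:05 192.0.2.44 198.51.100.10 HTTP suspicious URI
2001-11-05 09:30:11 203.0.113.7 198.51.100.10 ICMP oversized packet
"""

# Constructed firewall log lines: date, time, action, source, destination, port.
FIREWALL_LOG = """\
2001-11-05 09:13:58 ACCEPT 192.0.2.44 198.51.100.10 80
2001-11-05 09:14:01 ACCEPT 192.0.2.44 198.51.100.10 80
2001-11-05 09:14:07 DENY 192.0.2.44 198.51.100.10 445
2001-11-05 09:29:40 DENY 203.0.113.7 198.51.100.10 0
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_nids(text):
    """Parse the constructed NIDS alert lines into dicts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, src, dst, signature = line.split(maxsplit=4)
        alerts.append({"ts": datetime.strptime(f"{date} {time}", TS_FMT),
                       "src": src, "dst": dst, "signature": signature})
    return alerts


def parse_firewall(text):
    """Parse the constructed firewall log lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, action, src, dst, port = line.split()
        events.append({"ts": datetime.strptime(f"{date} {time}", TS_FMT),
                       "action": action, "src": src, "dst": dst, "port": int(port)})
    return events


def correlate(alerts, fw_events, window_seconds=30):
    """For each alert, gather firewall events from the same source address
    within +/- window_seconds and summarise what the firewall let through."""
    by_src = defaultdict(list)
    for ev in fw_events:
        by_src[ev["src"]].append(ev)
    window = timedelta(seconds=window_seconds)
    results = []
    for alert in alerts:
        related = [ev for ev in by_src[alert["src"]]
                   if abs(ev["ts"] - alert["ts"]) <= window]
        results.append({
            "alert": alert,
            "accepted": sum(1 for ev in related if ev["action"] == "ACCEPT"),
            "denied": sum(1 for ev in related if ev["action"] == "DENY"),
            "ports": sorted({ev["port"] for ev in related}),
        })
    return results


def reached_target(result):
    """True when the firewall accepted traffic from the alert's source around
    the alert time, i.e. the event was not stopped at the perimeter."""
    return result["accepted"] > 0


if __name__ == "__main__":
    for r in correlate(parse_nids(NIDS_ALERTS), parse_firewall(FIREWALL_LOG)):
        a = r["alert"]
        status = "reached target" if reached_target(r) else "no accepted traffic"
        print(f"{a['ts']} {a['src']} {a['signature']}: {r['accepted']} accepted, "
              f"{r['denied']} denied, ports {r['ports']} -> {status}")
```

The third alert shows why the window matters: its only firewall entry is 31 seconds earlier, so with the default 30 second window it has no corroborating perimeter record, while a 60 second window picks up the earlier DENY. Clock skew between the sensor and the firewall has to be measured and allowed for in the window, or events will be missed in exactly this way.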
SSL and Intrusion Detection
Encryption protocols are blind spots for any NIDS – they are tunnels
HIDS can be used at the end points instead
Typical encryption technologies are SSL, IPSec, and VPNs
Other protocols such as SNA may not be understood by the IDS
Vulnerability Monitoring
Vulnerability testing of the security enforcing functions of the environment must be done to ensure correct configuration
Automatic scanning, plus manual invocation after every major configuration change
Host based integrity checking is also to be undertaken
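The host based integrity checking named on this slide, as an added example that is not part of the original presentation: a baseline of file hashes is taken after an approved change, the host is re-scanned later, and anything modified, added or removed is reported. The web-root layout and file contents are constructed and written to a temporary directory so the example runs stand-alone; a production tool would keep the baseline off the host and protect it from the same intruder it is meant to detect.

```python
"""Host-based file integrity checking: baseline, re-scan, report differences.

Added example, not from the original presentation. The web-root layout
and file contents are constructed and created in a temporary directory;
a production tool would store the baseline off-host and protect it.
"""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map every file under root (by relative path) to its hash."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = hash_file(full)
    return result


def compare(baseline, current):
    """Differences between a stored baseline and a fresh snapshot."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo_run():
    """Constructed scenario: baseline a small web root, then simulate a
    modified page, a dropped file and a deleted file, and re-scan."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.html", b"<h1>Portal</h1>\n")
        _write(root, os.path.join("cgi-bin", "search.pl"), b"#!/usr/bin/perl\n")
        _write(root, "robots.txt", b"User-agent: *\n")
        baseline = snapshot(root)  # taken after each approved configuration change

        _write(root, "index.html", b"<h1>Portal</h1><!-- changed -->\n")
        _write(root, os.path.join("cgi-bin", "uploaded.pl"), b"#!/usr/bin/perl\n")
        os.remove(os.path.join(root, "robots.txt"))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo_run().items():
        print(f"{kind}: {paths}")
```

The scan is only as trustworthy as the baseline: it must be re-taken after every approved change (which is where the change control on the Quality Management slide ties in) and never after an unexplained one.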
Security Awareness and Training
Staff must understand their responsibilities for security and why it is enforced
Operations staff are to have a full understanding of the security enforcing functions of the environment along with the functionality of the enforcing devices
Building It Secure – Evaluated Products
Building a secure environment requires the use of an evaluated or trusted system
Evaluated systems have been evaluated against a number of criteria to test the functionality of the system
Criteria describe the strength of the security system, the security features provided, confidence in the system’s design, and confidence in the system’s implementation
DSD’s Evaluated Product List (EPL)
The use of Evaluated Firewalls is mandated
Avoiding Single Points of Failure
Multiple geographically separate sites
Multiple broadband carriers
Traffic load-balancing or management tools
Clustering – horizontal (parallel) scaling
Increases availability
Increases bandwidth
Decreases integrity? – content replication
Failover/High-Availability of ALL networking devices
Calculating Availability
Replication of any component within the environment increases availability
Most manufacturers provide availability information with devices, such as mean time to failure
Serial Availability – the product of component reliability for all devices between two locations in a network
Parallel Availability – the complement of the product of component unreliability (one minus that product) for all mirrored devices in a network
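The two rules on this slide carried through in code, as an added example that is not part of the original presentation. Components in series multiply their availabilities; mirrored components multiply their unavailabilities and the product is taken away from one. The path (carrier, firewall, web server) and its availability figures are constructed, not vendor data, and the MTBF/MTTR conversion is the standard steady-state formula rather than anything the slide states.

```python
"""Serial and parallel availability of a portal path.

Added example, not from the original presentation. Applies the two rules
on the slide: components in series multiply their availabilities;
mirrored (parallel) components multiply their unavailabilities and the
product is subtracted from one. The component figures in the demo are
constructed, not vendor data.
"""
from math import prod


def _check(availabilities):
    for a in availabilities:
        if not 0.0 <= a <= 1.0:
            raise ValueError(f"availability must be in [0, 1], got {a}")


def serial_availability(availabilities):
    """All components on the path must be up: A = a1 * a2 * ... * an."""
    availabilities = list(availabilities)
    _check(availabilities)
    return prod(availabilities)


def parallel_availability(availabilities):
    """Any one mirrored component being up suffices:
    A = 1 - (1 - a1) * (1 - a2) * ... * (1 - an)."""
    availabilities = list(availabilities)
    _check(availabilities)
    return 1.0 - prod(1.0 - a for a in availabilities)


def availability_from_mtbf(mtbf_hours, mttr_hours):
    """Steady-state availability from the mean time between failures and
    mean time to repair that vendors quote: MTBF / (MTBF + MTTR).
    (Standard formula, assumed here; not stated on the slide.)"""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def downtime_minutes_per_year(availability):
    """Expected unavailable minutes in a 365-day year."""
    return (1.0 - availability) * 365 * 24 * 60


def mirrored_path_availability(components, copies):
    """A path of serial stages where each stage is `copies` identical mirrored
    devices: parallel availability per stage, then serial across stages."""
    return serial_availability(parallel_availability([a] * copies) for a in components)


if __name__ == "__main__":
    # Constructed path: carrier -> firewall -> web server, one of each.
    path = [0.99, 0.995, 0.99]
    single = serial_availability(path)
    mirrored = mirrored_path_availability(path, copies=2)
    print(f"single path: {single:.6f} "
          f"({downtime_minutes_per_year(single):.0f} min/year down)")
    print(f"mirrored x2: {mirrored:.6f} "
          f"({downtime_minutes_per_year(mirrored):.0f} min/year down)")
```

With the constructed figures the single path is about 97.5% available (around 13,000 minutes a year down) and mirroring every stage lifts it to about 99.98% (around 118 minutes), which is the arithmetic behind the slide's statement that replication of any component increases availability. The replicated content's integrity is a separate question, as the previous slide notes.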
Load-Balancing Firewalls
Firewalls are traditionally seen as traffic bottlenecks
Newer Firewalls now come with load-balancing features
Software implementations pass state information between ‘nodes’ – but don’t scale
Hardware implementations pass state but not information like CPU load or memory utilisation
Highly Protected information must be protected by multiple serially implemented Firewalls (of different manufacture)
Placement of smart load-balancing traffic management devices ‘in front’ of these serial-paired Firewalls
Denial of Service Attacks
Use modern and patched networking devices
Data Flood Attacks
Infrastructure Attacks
Distributed Denial of Service Attacks
Logical access filtering
SYN flood throttling
Connection rate throttling
Data rate throttling
Still need multiple sites and defence in depth – the greatest defence is redundancy
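The three throttles on this slide in one small model, as an added example that is not part of the original presentation: a per-source token bucket for connection rate, a per-source token bucket (in bytes) for data rate, and a cap on half-open connections for SYN floods. The limits, addresses and event stream are constructed; a real device would also expire half-open entries on a timer and apply limits per interface. The last two events show the slide's closing point: once the half-open cap is full, a legitimate client is refused too, so throttling limits damage but does not replace redundant sites.

```python
"""Connection-rate, SYN (half-open) and data-rate throttling per source.

Added example, not from the original presentation. The limits, addresses
and event stream are constructed; a real device would also expire
half-open entries on a timer and apply limits per interface.
"""
from collections import Counter, defaultdict


class TokenBucket:
    """Allows `burst` units immediately, then refills at `rate` units/second."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = None  # time of the previous call; set on first use

    def allow(self, now, cost=1.0):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class Throttle:
    def __init__(self, conn_rate=5.0, conn_burst=10,
                 byte_rate=10_000.0, byte_burst=20_000, half_open_max=12):
        # Connection rate throttling: one bucket of SYN tokens per source.
        self.conn = defaultdict(lambda: TokenBucket(conn_rate, conn_burst))
        # Data rate throttling: one bucket of byte tokens per source.
        self.data = defaultdict(lambda: TokenBucket(byte_rate, byte_burst))
        # SYN flood throttling: cap on half-open (SYN seen, no ACK yet) connections.
        self.half_open_max = half_open_max
        self.pending = Counter()

    def _result(self, event, ok, reason):
        return {"kind": event["kind"], "src": event["src"], "t": event["t"],
                "ok": ok, "reason": reason}

    def handle(self, event):
        kind, src, now = event["kind"], event["src"], event["t"]
        if kind == "syn":
            if sum(self.pending.values()) >= self.half_open_max:
                return self._result(event, False, "half-open limit")
            if not self.conn[src].allow(now):
                return self._result(event, False, "connection rate")
            self.pending[src] += 1
            return self._result(event, True, "new connection")
        if kind == "ack":
            if self.pending[src] > 0:
                self.pending[src] -= 1
            return self._result(event, True, "handshake complete")
        if kind == "data":
            if not self.data[src].allow(now, cost=event["bytes"]):
                return self._result(event, False, "data rate")
            return self._result(event, True, "data")
        raise ValueError(f"unknown event kind: {kind}")


def demo_run():
    """Constructed event stream: a legitimate client, a SYN flood from one
    source, a second flooding source, then the legitimate client again."""
    legit, flood1, flood2 = "192.0.2.44", "203.0.113.9", "203.0.113.10"
    events = [
        {"kind": "syn", "src": legit, "t": 0.0},
        {"kind": "ack", "src": legit, "t": 0.1},
        {"kind": "data", "src": legit, "t": 0.2, "bytes": 1500},
    ]
    events += [{"kind": "syn", "src": flood1, "t": 1.0} for _ in range(30)]  # no ACKs follow
    events += [{"kind": "syn", "src": flood2, "t": 1.0} for _ in range(3)]
    events += [
        {"kind": "syn", "src": legit, "t": 2.0},                    # refused: cap is full
        {"kind": "data", "src": legit, "t": 3.0, "bytes": 25_000},  # exceeds byte burst
    ]
    throttle = Throttle()
    return [throttle.handle(e) for e in events]


if __name__ == "__main__":
    for r in demo_run():
        flag = "ok  " if r["ok"] else "DROP"
        print(f"t={r['t']:.1f} {r['kind']:4} {r['src']:14} {flag} {r['reason']}")
```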
Incident Handling
Part of the Business Continuity Plan
Identification and Analysis of the event
Reporting Procedures and resultant actions documented in detail
Confirmation of system(s) and data/information integrity
Collection and integrity of audit logs and other evidence used for forensics
Ensuring Integrity of the Resource
How to tell a Fake?
Quality Management
How to tell a Fake?
An intruder (possibly only claiming to) accesses restricted components of the environment
Has the data/information been tampered with?
Has malicious code been placed?
Have to prove it – otherwise treat as if it has
Malicious network traffic redirection
Digital signatures – verification of content
SSL certificates – verification of destination
Quality Management
Mandated change control, peer review and testing procedures
Information/data protection from newly developed rogue application functionality
Including reassessment of threats and risk
Development and testing to occur in a non-production environment
Backups of non-replicated/non-redundant data
Threat and Risk Assessment
DSD’s Risk Assessment Methodology
Based on AS/NZS 4360:1999
Risk Assessment Methodology
Asset Identification
(Estimated) Threat to Asset
(Estimated) Threat Likelihood
(Estimated) Harm, if Realised
(Resultant) Risk Assessment
(Estimated) Required Risk
(Resultant) Counter-measure Priority Rating
Counter-measures (Policy, Procedures, Design)
Identification (and Acceptance) of Residual Risk
Example TRA Entry
Asset – Loss or Corruption of Government data/information Resources and supporting systems
Threat to the Asset – Unavailable or bogus service from IP service hijacking or infiltration
Example TRA …
Threat Likelihood – High
Harm, if Threat is Realised – Serious
Resultant Risk – Critical (4)
Required Risk – Nil (0)
Counter-measure Priority Rating - 4
Example TRA …
Counter-measures
Deployment of NIDS and HIDS
Controlled and ‘hardened’ system OS
Ensure that security enforcing devices deny all that is not specifically allowed
TCP/IP Ingress and Egress filtering
Residual Risk
New attack mechanism which is not picked up by IDS
In-band attack via permitted communication paths enforced by security enforcing mechanisms
Standard Operating Procedures are not followed – patches not applied
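The two counter-measures above (deny all that is not specifically allowed, and ingress/egress filtering) together with the filtering functions listed on the earlier Firewalls slide (stateful inspection, IP header restriction, application restriction, verbose logging), in one small model. This is an added example, not part of the original presentation and not any product's rule language: the address range, the allow rules and the packets are constructed, and a real firewall's state table, timeouts and content inspection are considerably more involved.

```python
"""Default-deny packet filter with ingress/egress address filtering,
simple stateful reply tracking and verbose logging.

Added example, not from the original presentation. The address range,
allow rules and packets are constructed; a real firewall's rule language,
state table and timeouts are considerably more involved.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("198.51.100.0/24")  # constructed portal network

# Explicit allow rules as (direction, protocol, destination port).
# Anything a packet does not match is dropped: deny all that is not
# specifically allowed.
ALLOW_RULES = {
    ("in", "tcp", 80),    # public web
    ("in", "tcp", 443),   # public web over SSL
    ("out", "udp", 53),   # DNS lookups from the portal hosts
}


@dataclass(frozen=True)
class Packet:
    iface: str    # "ext" (arrived from the Internet) or "int" (from the portal)
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True  # TCP: True for a new connection attempt, False otherwise


class Firewall:
    def __init__(self, rules=ALLOW_RULES, internal=INTERNAL):
        self.rules = set(rules)
        self.internal = internal
        self.state = set()  # (proto, client_ip, client_port, server_ip, server_port)
        self.log = []       # verbose log: one line per decision

    def _decide(self, verdict, pkt, reason):
        self.log.append(f"{verdict} {pkt.iface} {pkt.proto} "
                        f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} ({reason})")
        return verdict == "ACCEPT"

    def filter(self, pkt):
        src = ip_address(pkt.src)
        # Ingress filter: a packet from the Internet must never carry one of
        # our own addresses as its source.
        if pkt.iface == "ext" and src in self.internal:
            return self._decide("DROP", pkt, "ingress: spoofed internal source")
        # Egress filter: only our own addresses may leave, so a compromised
        # host cannot be used to spoof a third party from inside the portal.
        if pkt.iface == "int" and src not in self.internal:
            return self._decide("DROP", pkt, "egress: source not in internal range")
        # Stateful inspection: a reply to a tracked connection is accepted.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return self._decide("ACCEPT", pkt, "established")
        # A TCP packet that is not a connection attempt and matches no state
        # is unsolicited.
        if pkt.proto == "tcp" and not pkt.syn:
            return self._decide("DROP", pkt, "no matching state")
        # New connection: must match an explicit allow rule.
        direction = "in" if pkt.iface == "ext" else "out"
        if (direction, pkt.proto, pkt.dport) in self.rules:
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return self._decide("ACCEPT", pkt, f"rule {direction} {pkt.proto}/{pkt.dport}")
        return self._decide("DROP", pkt, "default deny")


def demo_run():
    """Constructed traffic sample; returns the verdicts and the log."""
    fw = Firewall()
    packets = [
        Packet("ext", "tcp", "192.0.2.44", 40000, "198.51.100.10", 80),            # client to web
        Packet("int", "tcp", "198.51.100.10", 80, "192.0.2.44", 40000, syn=False),  # web reply
        Packet("ext", "tcp", "192.0.2.44", 40001, "198.51.100.10", 23),            # telnet: no rule
        Packet("ext", "tcp", "198.51.100.5", 1234, "198.51.100.10", 80),           # spoofed source
        Packet("int", "udp", "198.51.100.10", 5353, "203.0.113.53", 53),           # DNS query out
        Packet("ext", "udp", "203.0.113.53", 53, "198.51.100.10", 5353),           # DNS answer back
        Packet("int", "tcp", "10.0.0.9", 5555, "192.0.2.1", 80),                   # bad egress source
        Packet("ext", "tcp", "192.0.2.44", 40002, "198.51.100.10", 443, syn=False), # unsolicited non-SYN
    ]
    verdicts = [fw.filter(p) for p in packets]
    return {"verdicts": verdicts, "log": fw.log}


if __name__ == "__main__":
    for line in demo_run()["log"]:
        print(line)
```

Every decision, accepted or dropped, is written to the log with its reason; that is the verbose logging the Firewalls slide asks for and the raw material the IDS correlation and the incident handling evidence both depend on.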
To recap
The infrastructure outlined is for supporting Government customers with secure and highly available application hosting. Topics covered included:
Portal Integrity
Portal Availability
Guidelines and Monitoring requirements
Analysis of Threats and Risks
And proposed counter-measures
Recommendation
A suitable architecture can be shaped that can not only provide the capacity and scalability required but also the security needed for mission critical systems
Creation of a project team to finalise design, select products and create/document procedures is required as the next step in this project