Information Security
Overview of Technologies & Solutions

Introduction
- The Enterprise Network
- Defense in Depth
- What to protect against?

Technologies & Solutions
- Perimeter Technologies
- Internal Technologies

Consulting
- Audit, Implementation & Support

Introduction

The security of your network is evaluated daily; the question is: “Are you the one doing it?”

Introduction

Good Information Security provides:
- Data confidentiality: ensure that no data is disclosed, intentionally or unintentionally.
- Data integrity: ensure that data is not modified by unauthorized personnel, that no unauthorized changes are made by authorized personnel, and that data remains consistent, both internally and externally.
- Data availability: provide reliable and timely access to data and resources.

The Enterprise Network

(Diagram: Branch Office, Telecommuter/SOHO and Wireless Access users reach the Corporate HQ over IP communication across the Public Internet. Security enforcement points are the ISP Router, the Firewall and the Secure Gateway; behind them are the LAN, Internal Servers, Corporate Data and the DMZ Services.)

Defense in Depth

How?
- Secure the perimeter
- Secure the internal network
- Account for the human factor

Using a layered approach:
- Increases an attacker’s risk of detection
- Reduces an attacker’s chance of success

Defense in Depth

Layer: example controls
- Policies, Procedures & Awareness: user education against social engineering
- Physical Security: guards, locks, tracking devices
- Perimeter: firewalls, VPN quarantine, …
- Internal Network: network segments, IPsec, NIDS
- Host: OS hardening, update management, authentication
- Application: application hardening, antivirus
- Data: ACL, encryption

Network Security

Network Security focuses on perimeter and internal network solutions:
- Internal Network: network segments (VLANs), IPsec, NIDS, Network Access Protection, …
- Perimeter: firewalls, VPN, NIDS, anti-spam, …

Why do we need Network Security?

First look at what you need to protect:
- Data (company resources)
- Services (applications or their individually accessible parts, and the people using them)

Protect against what?
- Malware (viruses, spyware, …)
- Spam (“steals” resources and productivity)
- Hackers (network penetration, defacements, DoS attacks, …)
- Internal users (unauthorized access, …)
- …

Common Threat Classification
- Network: threats against the network (spoofed packets, etc.)
- Host: threats against the host (buffer overflows, illicit paths, etc.)
- Application: threats against the application (SQL injection, XSS, input tampering, etc.)

Examples of Network Threats

Threat: examples
- Information gathering: port scanning; using trace routing to detect network topologies; using broadcast requests to enumerate subnet hosts
- Eavesdropping: using packet sniffers to steal passwords
- Denial of service (DoS): SYN floods; ICMP echo request floods; malformed packets
- Spoofing: packets with spoofed source addresses

Typical Pattern of an Attack
1. Enter the network through SQL injection, etc.
2. Install or use port proxy software to open inbound connections
3. Remotely control the host to mount further attacks from inside until a domain controller is accessible
4. Gain control of the desired resources
5. Erase traces of the attack and remove installed software

How to protect yourself?

Technologies & Solutions
- Secure the perimeter
- Secure the internal network

Perimeter Technologies
- Firewall (packet filter, stateful, proxy)
- Intrusion Detection System (IDS, IPS)
- Virtual Private Network (IPsec, SSL)
- Anti-Spam (mail relay, AV)
- Anti-Spyware (URL filtering, AV)
- Anti-Virus

Firewall – Static Packet Filter
- Every router is a static packet filter (including your ISP router)
- First incoming and last outgoing layer of your network security
- Faster at screening traffic than stateful or proxy firewalls
- But no knowledge of “state”, thus less secure than most common firewalls

Firewall – Stateful
- Most common type of firewall today
- Keeps track of “state”: blocks traffic that is not in its table of established connections
- Slower at screening traffic than a packet filter, but more secure

Firewall – Proxy
- Most advanced, least common type of firewall (it is also a stateful firewall)
- Higher degree of security because internal and external hosts never communicate directly
- Examines the entire packet to ensure compliance with the protocol indicated by the destination port number

Firewall – Basic theory of operation

(Diagram: the firewall sits between the External Network (Internet), the Intermediate Network (DMZ) and the Internal Network (LAN); some connections are allowed, others refused.)

The firewall divides your internal network from an external network (usually the Internet).
If an incoming connection is an “answer” to an outgoing connection, the connection is allowed; if not, the connection is dropped (stateful).
Most firewalls have DMZ functionality, allowing you to further divide your network in order to supply some “Internet-facing services” to your users.
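The stateful rule described above, as an added toy model (not vendor code and not part of the original slides): inbound packets pass only when they answer a connection the LAN opened or target a service published in the DMZ, and a packet with a LAN source address arriving from outside is treated as spoofed. Addresses, ports and the DMZ service are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

class StatefulFirewall:
    """Allows replies to LAN-initiated connections and published DMZ services only."""

    def __init__(self, lan_prefix, dmz_services):
        self.lan_prefix = lan_prefix           # constructed: "10.0.0." is the LAN
        self.dmz_services = set(dmz_services)  # {(dmz_ip, port)} reachable from the Internet
        self.state = set()                     # established connections as 5-tuples

    def _key(self, pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    def filter(self, pkt, iface):
        """Return 'ALLOW' or 'DROP' for a packet arriving on interface 'lan', 'dmz' or 'wan'."""
        if iface == "lan":
            self.state.add(self._key(pkt))     # remember the outbound connection
            return "ALLOW"
        if pkt.src.startswith(self.lan_prefix):
            return "DROP"                      # LAN source seen outside the LAN: spoofed
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.state:
            return "ALLOW"                     # answer to a connection already in the table
        if (pkt.dst, pkt.dport) in self.dmz_services:
            self.state.add(self._key(pkt))     # published service: track it so the reply passes
            return "ALLOW"
        return "DROP"                          # unsolicited inbound connection

def demo():
    fw = StatefulFirewall("10.0.0.", {("192.0.2.10", 80)})
    lan, web, outsider, dmz = "10.0.0.5", "203.0.113.7", "198.51.100.9", "192.0.2.10"
    return [
        fw.filter(Packet(lan, 51000, web, 443), "lan"),       # outbound request
        fw.filter(Packet(web, 443, lan, 51000), "wan"),       # its answer
        fw.filter(Packet(outsider, 40000, lan, 445), "wan"),  # unsolicited inbound
        fw.filter(Packet(outsider, 40001, dmz, 80), "wan"),   # published DMZ web server
        fw.filter(Packet(dmz, 80, outsider, 40001), "dmz"),   # DMZ server's reply
        fw.filter(Packet(web, 443, lan, 51001), "wan"),       # wrong client port: no state
        fw.filter(Packet(lan, 51002, web, 443), "wan"),       # LAN address arriving from outside
    ]
```
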
Firewall Solutions
- Juniper (formerly NetScreen)
- Check Point

Firewalls – Juniper

Integrated Firewall/IPsec VPN: NetScreen 500/200/50/25/XT/GT/HSC
Solution includes:
- Stateful Inspection (perimeter defense)
- Deep Inspection (application-level protection)
- Built-in Antivirus (protects remote locations)
- Web filtering (prevents inappropriate web usage)
- Secure Remote Access (IPsec VPN – Secure Client)

Firewalls – Check Point

Firewall: FireWall-1
Solution includes:
- Comprehensive application protection
- Industry-leading management
- High performance

Other Technologies

So if we buy a firewall we are safe?!

Why NOT? Weaknesses in the TCP/IP suite:
- IP address spoofing
- Covert channels
- IP fragment attacks
- TCP flags
- SYN flood
- Connection hijacking
- …

Intrusion Detection System

Gateway Intrusion Detection System
- A network intrusion detection system which acts as a network gateway
- Designed to stop malicious traffic and generate alerts on suspicious traffic
- An “ideal” gateway IDS is able to stop all known exploits

GIDS vs NIDS (Placement)

GIDS
- Acts as network gateway
- Stops suspect packets
- Prevents successful intrusions
- False positives are VERY bad

NIDS
- Only observes network traffic
- Logs suspect packets and generates alerts
- Cannot stop an intruder
- False positives are not as big of an issue

IDS – Basic theory of operation

(Diagram: IDS sensors placed between the Internet and the firewall, in the DMZ and on the LAN.)

Much like a bridging firewall, an IDS makes forward/drop decisions:
- This packet is always good, so pass it into my network.
- This packet is always bad, so drop it and tell me about it.
- This packet is sometimes bad, so tell me about it, but don't drop it.

IDS Solutions
- Juniper
- Check Point

IDS – Juniper

IDS – IPS: NetScreen-IDP 10/100/500/1000
Solution includes:
- Eight different detection methods are used to protect the network from network, application and hybrid attacks
- Understands state to pinpoint exactly where an attack can be perpetrated and only looks there
- Ability to define a response action in the rulebase for detected attacks
- Sub-second stateful failover between Juniper Networks devices without losing sessions
- Enables closed-loop investigation, linking directly from the log to the rule that triggered it and the session's packet capture

IDS – Check Point

IDS – IPS: IntruShield
Solution includes:
- Unprecedented flexibility of IDS deployment, including inline, tap, and span modes to suit any network security architecture
- Thorough analysis of traffic at multi-gigabit rates that builds and maintains traffic state information and performs comprehensive protocol analysis
- Intelligent detection of known, unknown, and DoS attacks using a combination of signature, anomaly and DoS detection techniques
- Proactive capability to stop in-progress attacks coupled with a rich set of alerting and response actions
- Powerful capability to set multiple, highly granular, custom intrusion policies within a single sensor

VPN

A Virtual Private Network is a service that offers a secure, reliable connection over a shared public infrastructure such as the Internet.

Two main types:
- Remote Access
- Site-to-site

Two main technologies:
- IPsec (and L2TP)
- SSL

VPN – Remote Access
- Secure remote access for mobile users and/or the home office
- Uses a secure software client or hardware device for IPsec, or a web browser for SSL-based VPN
- If you are able to connect to the Internet, you are able to connect to the corporate network

VPN – Site-to-Site
- Valid replacement for leased lines and Frame Relay connections to connect different sites
- Uses specialized VPN devices or is built into a firewall
- If both your sites have Internet connectivity, they can be connected using VPN

VPN – Basic theory of operation

(Diagram: a site-to-site VPN tunnel between two sites, and a remote access tunnel from a single client.)

A VPN tunnel is set up using a secure client or an SSL-capable web browser. All data sent through the tunnel is encrypted; the packets can still be captured, but if they are, they are encrypted.

VPN – IPsec
- Usually employs custom software at each of the endpoints: the device and the client
- Normally utilizes OSI Layer 3 protocols (AH, ESP)
- Authentication Header provides two-way device authentication (implemented in hardware or software)
- Encapsulating Security Payload protocol provides data encryption (3DES, AES)

VPN – SSL
- Employs a web browser at the client side and a device at the corporate side
- SSL is a network layer protocol
- SSL uses certificates to prove the identities of both endpoints
- All traffic is encrypted using a shared key and a negotiated encryption algorithm (3DES, AES)

VPN Solutions
- Juniper
- Check Point

VPN – Juniper

IPsec VPN: built into the firewall range of products
Solution includes:
- Secure client enables adherence to security policy

SSL VPN: NetScreen-RA 500, NetScreen-SA 1000/3000/5000
Solution includes:
- Secure access for remote/mobile employees, with no client software required
- Secure LAN, intranet, and extranet access for employees, business partners, and customers
- Hardware-based SSL acceleration
- Hardware-based HTTP compression
- Dynamic access privilege management, with three access methods

VPN – Check Point

IPsec VPN: VPN-1, VPN-1 Edge, VPN-1 VSX
Solution includes:
- Simple VPN deployment
- Highest level of security
- Easy-to-use centralized management
- Unparalleled performance
- High availability

SSL VPN: SSL Network Extender
Solution includes:
- Network-level connectivity over SSL VPN
- Support for all IP-based applications
- Combined IPsec and SSL VPN solution
- Integrated with Check Point VPN-1

Anti-Spam (Spam Firewall)
- Acts as a mail relay server: accepts incoming mail, scans the content and forwards the mail to the back-end mail server
- Usually in combination with an antivirus scanning engine to deliver spam- and virus-free e-mail
- Prevents direct access to your e-mail server

Anti-Spam (Spam Firewall)

(Diagram: the Anti-Spam Firewall sits in the DMZ between the Internet and the LAN; Web Mail and the E-Mail Server are behind it.)

Anti-Spam – Basic theory of operation
- E-mail is delivered to the Spam Firewall
- E-mail is checked against IP block lists, antivirus scanning is performed, user rules are applied, and spam fingerprint, intention analysis, Bayesian analysis and rule-based scoring checks are performed
- Clean e-mail is relayed to the internal mail server
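The processing order in that slide, as an added toy pipeline (not any vendor's engine and not part of the original deck): IP block list, then antivirus signature match, then a per-user allow rule, then rule-based scoring combined with a small naive-Bayes classifier. The block list entry, virus signature, allow rule, rules and training mails are all constructed here.

```python
import math
import re
from collections import Counter

# Everything below is constructed for the example: block list, signature,
# allow rule, scoring rules and the tiny training corpus.
BLOCKED_IPS = {"198.51.100.9"}
VIRUS_SIGNATURES = [b"X5O!P%@AP"]                              # byte pattern standing in for an AV signature
USER_ALLOW = {"alice@example.com": {"boss@partner.example"}}  # recipient -> trusted senders
RULES = [(r"free money", 3.0), (r"click here", 1.5), (r"unsubscribe", 0.5)]
SPAM_THRESHOLD = 5.0

def tokens(text):
    return re.findall(r"[a-z]+", text.lower())

class Bayes:
    """Naive Bayes over words with Laplace smoothing; returns P(spam | text)."""
    def __init__(self, spam, ham):
        self.spam = Counter(t for m in spam for t in tokens(m))
        self.ham = Counter(t for m in ham for t in tokens(m))
        self.vocab = len(set(self.spam) | set(self.ham))
        self.n_spam, self.n_ham = sum(self.spam.values()), sum(self.ham.values())

    def spam_probability(self, text):
        log_spam = log_ham = 0.0
        for t in tokens(text):
            log_spam += math.log((self.spam[t] + 1) / (self.n_spam + self.vocab))
            log_ham += math.log((self.ham[t] + 1) / (self.n_ham + self.vocab))
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

BAYES = Bayes(
    spam=["free money click here now", "win free prize money", "cheap meds click here"],
    ham=["meeting notes attached", "quarterly report review", "lunch tomorrow?"])

def score(body):
    """Rule-based points plus the Bayesian verdict weighted into the same score."""
    rule_points = sum(w for pattern, w in RULES if re.search(pattern, body, re.I))
    return rule_points + 4.0 * BAYES.spam_probability(body)

def filter_mail(client_ip, sender, rcpt, body, attachment=b""):
    """Stages in the slide's order; the first stage that decides wins."""
    if client_ip in BLOCKED_IPS:
        return "REJECT"                                   # IP block list
    if any(sig in attachment for sig in VIRUS_SIGNATURES):
        return "QUARANTINE"                               # antivirus scan
    if sender in USER_ALLOW.get(rcpt, set()):
        return "RELAY"                                    # user rule: trusted sender
    return "BLOCK" if score(body) >= SPAM_THRESHOLD else "RELAY"   # scoring
```
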

Anti-Spam Solutions
- Barracuda
- Trend Micro

Anti-Spam – Barracuda

Anti-Spam Firewall 200/300/400/600/800
Outbound Mode 200/300/400/600/800
Solution includes:
Spam Filter
- Content-based filtering
- Bayesian algorithms
- Denial of Service protection
- Anti-spoofing
- Anti-phishing
Virus Filter
- Dual-layer virus blocking
- Decompression of archives
- File type blocking

Anti-Spam – Trend Micro

Anti-Spam: Spam Prevention Solution (SPS 2.0)
Solution includes:
- Advanced filtering, analysis, and updating capabilities
- Comprehensive reporting and auditing
- Dynamic, flexible heuristic technology
- Ease of administration and configuration
- High performance and scalability
- Seamless integration with antivirus and content security offerings

Anti-Spyware (Gateway)
- Gateway device to stop spyware installations, block spyware sites and scan for spyware signatures
- Some solutions can detect spyware on user desktops and target them for cleaning
- Usually combined with antivirus solutions

Anti-Spyware – Basic theory of operation

(Diagram: clients on the LAN reach the Internet through the firewall and the Spyware & AV proxies.)

If a user requests access to a website, the device checks whether the site is listed in the known spyware sites list; if not, the request is proxied. The content of the requested site is then scanned for spyware (and viruses). If the content is spyware- and virus-free it is delivered to the client; if not, it is dropped.

Anti-Spyware Solutions
- BlueCoat
- Barracuda

Anti-Spyware – BlueCoat

Anti-Spyware: Spyware Interceptor; ProxySG + ProxyAV
Solution includes:
- Easy, affordable, and effective spyware prevention
- Automatically updates spyware profiles, policies, and prevention techniques
- Backed by world-leading experts in web proxy performance and security at Blue Coat Labs™

Anti-Spyware – Barracuda

Anti-Spyware: Spyware Firewall 210/310/410
Solution includes:
- Stops spyware downloads (including drive-by downloads)
- Stops virus downloads
- Blocks access to spyware websites
- Detects spyware access to the Internet
- Facilitates spyware removal
- Website category blocking
- Content inspection
- Flexible policy enforcement

Antivirus (Gateway)
- Provides Internet gateway protection against viruses (HTTP, FTP, SMTP traffic)
- If combined with an internal antivirus solution, provides dual-layer protection (different vendors)
- Usually a combination of anti-spyware, anti-virus and anti-spam on the gateway

Anti-Virus (Gateway) – Basic theory of operation

(Diagram: clients on the LAN reach the Internet through the firewall and the Spyware & AV proxies.)

Requested web content is scanned with the antivirus engine on the proxy server; clean content is delivered to the clients.

Anti-Virus (Gateway) – Solutions
- Trend Micro
- BlueCoat

Anti-Virus – Trend Micro

Anti-Virus: InterScan Web Security Suite
Solution includes:
- Comprehensive web security
- Leading virus protection
- Anti-phishing
- Anti-spyware
- URL filtering module
- Scalable and flexible
- Centralized management and coordination

Anti-Virus – BlueCoat

Anti-Virus: ProxySG with Web Virus Scanning
Solution includes:
- Visual Policy Manager
- Policy processing engine
- Custom splash pages
- Content stripping
- ProxyAV integration
- ICAP server integration
- Auto sense settings

Internal Technologies
- LAN security using “perimeter” devices
- Network Access Protection
- Network segmentation (VLANs)
- Strong Authentication
- Malware protection
- WLAN security

LAN Security using perimeter devices
- Ingress and egress filtering on every router
- Internal firewalls to segregate resources
- Proxies to enhance performance and security
- IDS sensors to function as “canaries in a coal mine” and monitor the internal network

Network Access Protection
- Provides endpoint security for access to your LAN
- Makes sure every device complies with your corporate access policy before LAN access is allowed
- Prevents “rogue” devices from accessing your network

Network Access Protection – Basic theory of operation
- The client device requests access to the network (the cable is plugged in)
- A policy compliance check is performed by a device/server to see if the client has the necessary access rights (802.1X) and the required anti-virus and operating system updates
- If the client complies with policy, access to the network is allowed
- If the client does not comply, the client is placed in a quarantine network section and updated to comply with the corporate policy

Network Access Protection – Solutions
- Check Point

Network Access Protection – Check Point

Network Access Protection: Total Access Protection
Solution includes:
- VPN Remote Access Policy Enforcement
- Web Remote Access Policy Enforcement
- Internal Policy Enforcement with 802.1X-compatible Gateways
- Rogue Access Prevention with 802.1X-compatible Gateways
- Internal Policy Enforcement with InterSpect
- Standalone Enforcement

Network Segmentation (VLANs)
- Divide your physical network into several logical entities (Virtual LANs) to prevent unauthorized access to certain parts of your LAN
- VLAN membership based on identity (802.1X)
- Increases security and traceability in your local network

VLANs – Basic theory of operation

(Diagram: an 802.1X and VLAN capable switch dividing the LAN into VLAN 1, VLAN 2 and VLAN 3.)

A VLAN capable switch only divides your LAN into segments; access rules define who can access which other segment of your network. Membership of a VLAN can be based on the identity of the device that requests access (802.1X).
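The port-admission decision behind both the Network Access Protection and the VLAN slides, as one added toy model (not a switch vendor's implementation and not part of the original deck): identity (the 802.1X step) selects the VLAN, and the posture check (antivirus age, OS updates) decides between that VLAN, the quarantine VLAN, or a closed port. VLAN numbers, groups, credentials and the posture limits are all constructed for the example.

```python
import hmac
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed policy data for the example: identity -> VLAN, credentials, posture limits.
GROUP_VLAN = {"finance": 10, "engineering": 20}
QUARANTINE_VLAN = 99                 # remediation segment: only update servers reachable
MAX_AV_AGE_DAYS = 3
CREDENTIALS = {"alice": ("s3cret", "finance"), "bob": ("hunter2", "engineering")}

@dataclass
class Posture:
    av_signature_date: date          # last antivirus signature update on the client
    os_patched: bool                 # required operating system updates installed

@dataclass
class Decision:
    vlan: Optional[int]              # None: the switch port stays closed
    reason: str

def authenticate(user, password):
    """802.1X stand-in: return the user's group on success, None on failure."""
    record = CREDENTIALS.get(user)
    if record is None or not hmac.compare_digest(record[0], password):
        return None
    return record[1]

def posture_problems(posture, today):
    problems = []
    if today - posture.av_signature_date > timedelta(days=MAX_AV_AGE_DAYS):
        problems.append("antivirus signatures outdated")
    if not posture.os_patched:
        problems.append("operating system updates missing")
    return problems

def admit(user, password, posture, today):
    """Identity first (rogue devices never get a VLAN), then posture decides which VLAN."""
    group = authenticate(user, password)
    if group is None:
        return Decision(None, "authentication failed: port closed")
    problems = posture_problems(posture, today)
    if problems:
        return Decision(QUARANTINE_VLAN, "quarantined: " + "; ".join(problems))
    return Decision(GROUP_VLAN[group], f"compliant: {group} VLAN")

def demo():
    today = date(2024, 1, 10)
    fresh, stale = Posture(date(2024, 1, 9), True), Posture(date(2024, 1, 1), True)
    unpatched = Posture(date(2024, 1, 9), False)
    return [admit("alice", "s3cret", fresh, today).vlan,     # 10: finance VLAN
            admit("bob", "hunter2", fresh, today).vlan,      # 20: engineering VLAN
            admit("alice", "s3cret", stale, today).vlan,     # 99: quarantine, old AV
            admit("bob", "hunter2", unpatched, today).vlan,  # 99: quarantine, unpatched
            admit("alice", "wrong", fresh, today).vlan,      # None: wrong password
            admit("mallory", "x", fresh, today).vlan]        # None: unknown device
```
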
Network Segmentation – Solutions
- HP ProCurve
- Nortel

Network Segmentation – ProCurve

Network Segmentation: identity-driven management; dynamic VLANs
Solution includes:
- Access Control: based on users’ business needs
- Access Rights: not only based on the individuals and their group associations, but also day, time and location
- Policy Enforcement: on a per-user, per-session basis

Network Segmentation – Nortel

Network Segmentation: dynamic VLAN assignment
Solution includes

Strong Authentication
- Traditional static passwords are insecure: if you can “guess” someone’s password you have access
- Strong Authentication requires you to both have something (token, fingerprint, etc.) and know something (PIN code, password)
- Information on the token is encrypted for added security
- Can be used for computer logon, single sign-on, secure remote access
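The “have something and know something” rule from the slide, as an added example (not any token vendor's code and not part of the original deck). The slides do not name a token algorithm, so HOTP (RFC 4226, HMAC-SHA1 with dynamic truncation) is assumed here and checked against that RFC's published test vectors; the PIN, look-ahead window and user record are constructed.

```python
import hmac
import hashlib
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for one counter step: HMAC-SHA1, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TokenRecord:
    """Server-side state for one user's token: shared secret, PIN hash, counter."""
    LOOK_AHEAD = 3        # tolerate a few token presses that never reached the server

    def __init__(self, secret, pin):
        self.secret = secret
        self.pin_hash = hashlib.sha256(pin.encode()).digest()   # never store the PIN itself
        self.counter = 0

    def verify(self, pin, otp):
        """Both factors must pass; a counter value that was used is never accepted again."""
        pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self.pin_hash)
        for step in range(self.counter, self.counter + self.LOOK_AHEAD + 1):
            if hmac.compare_digest(hotp(self.secret, step), otp):
                if pin_ok:
                    self.counter = step + 1      # resynchronise and burn this value
                    return True
                return False                     # right token, wrong PIN: one factor is not enough
        return False                             # no token match inside the window

def demo():
    secret = b"12345678901234567890"            # RFC 4226 test-vector secret
    rec = TokenRecord(secret, pin="4711")
    return [
        rec.verify("4711", hotp(secret, 0)),   # both factors correct
        rec.verify("4711", hotp(secret, 0)),   # replayed OTP
        rec.verify("0000", hotp(secret, 1)),   # right token, wrong PIN
        rec.verify("4711", hotp(secret, 3)),   # token pressed ahead, inside the window
        rec.verify("4711", hotp(secret, 9)),   # outside the look-ahead window
    ]
```
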
Strong Authentication – Solutions
- SafeWord
- Vasco
- ActivCard

Strong Authentication – SafeWord
Strong Authentication
Solution includes

Strong Authentication – Vasco
Strong Authentication
Solution includes

Strong Authentication – ActivCard
Strong Authentication
Solution includes

Malware protection
- Corporate managed antivirus and anti-spyware solutions

Malware Protection – Solutions
- Trend Micro

WLAN security
- Secure access to your corporate LAN
- Defend against “rogue” access points
- Identity-based wireless access
- Usage of strong encryption and key exchange protocols

WLAN Security
- Pre-802.11i security (WPA) as a replacement for the insecure WEP model
- Includes TKIP (Temporal Key Integrity Protocol) and 802.1X (identity) protocols

Security Consulting Services
- Audit, design, implementation and support of your secure networking infrastructure
- Customized training based on implemented solutions or at customer request
- Coaching of the IT division when selecting and implementing security solutions