Secure Network Infrastructure


Lucent Worldwide Services
Security Practice
Pre-Conference Tutorial T-3: May 4, 2004
Making the Right Choices for Your Secure
Network Infrastructure
George G. McBride
Senior Manager, Security Practice
Lucent Technologies Professional Consulting
Secure Network Infrastructure:
Making the Right Choices
What the Web-Site Says:
Firewalls, intrusion detection systems and other security devices play a vital role in
securing networks against malicious traffic from untrusted networks. Nevertheless,
most firewall systems contain inherent design flaws and limitations that hinder even
the most diligent efforts of IT staffs. These weaknesses often exist because the
firewall has been created by stretching the capabilities of another device, which was
not originally designed for network security. As a result, vulnerabilities remain, which
hackers can exploit as they continue to develop new techniques to cripple or break
through networks. The limitations of these firewalls also add to capital and operating
costs, as an IT staff puts in additional time and effort—and purchases additional
equipment—to compensate for inherent flaws. What are the technical features you
need to pay special attention to, in order to ease security concerns and lower
costs? How do you educate your IT staff to take advantage of key next-generation
firewall features available today? This session will include a review of some of the
crucial features and capabilities, which include: centralized management platform,
bridging instead of routing, powerful packet processing, high availability, robust
security, Quality of Service (QoS) and full support for virtual firewalls. With these
features in place, firewalls can reduce design and management time, and minimize
the total cost of ownership of a security infrastructure. It will also illustrate how
governments and service providers can achieve savings from shorter installation
time and fewer management hours while keeping their networks protected at all times.
Lucent Technologies – Copyright 2004
2
Secure Network Infrastructure
What we are going to cover this afternoon:
– What are the components of a “Secure Network
Infrastructure”
• Policies, Awareness, People
• Network Components
• The key role of a firewall, and how our "perimeter"
continues to blur.
• Risk assessments and their value to your network
– And a lot more!
– Q&A / Discussion
Secure Network Infrastructures: Definition
The architecture and implementation of a design that
balances business requirements with a holistic security
program.
This includes:
– The concept of least privilege
– Segmented networks on the inside
– Addressing as many concerns as possible through technical
controls with the remainder addressed through policy
– Authenticating requests and encrypting all sensitive
information
– Strong perimeter security
The Holistic View
Security from the top-down and bottom-up:
– Formalized methodology to determine what assets you are trying to protect
– Formalized methodology to identify threats against those assets
– Formalized program to conduct pro-active and ad-hoc risk assessments to identify vulnerabilities and measure risk
– Formalized program to conduct penetration tests
– Security program including policies, awareness, and expectations of security staff, communicated
– Monitoring of network traffic and events, including a formalized and rehearsed Incident Response Plan
– An effective anti-virus infrastructure
– Program to regularly distribute application and operating system updates. This also implies an inventory exists!
Key ingredient to a “Secure Network”: People
You’ve got to have the best people available:
– Skilled
– Educated
– Happy
– Doing what they do best (in the right job!)
Need senior management approval and support for all
activities
Asset Identification & Valuation
Types of Assets:
– People
– Buildings
– Systems
– Processes
– Applications
– Intellectual Property
– "Product"
Valuation Determination:
– Business Impact
– Replacement Cost
– Cost to re-train
– Downtime
– Cost to rebuild
– Value to your competitors
Cost to protect <= "Value"
Asset Determination
Asset determination is a “subjective” approach.
– “All of my systems are critical”
– Should include an enterprise-wide review
– Can be completed via surveys, interviews, previously
conducted Business Impact Analysis studies
– Review of Business Continuity Plans / Disaster Recovery
(BCP/DR) documentation
– Ranking and ordering
– Executive-level approval
Threats?
Categories of threats that can strike at an asset:
– Industry specific
– Human
• Intentional/Malicious vs. Accidental
– Environmental
– Physical
– Logical
– Mother Nature
Risk Assessment Program
Develop a Risk Assessment Program:
– Takes Assets and Threats as an input
• You need to know what you are protecting and “what” is
trying to attack the assets
– Should allocate resources for assessments
• People
• Tools & Equipment
– Development or adoption of a methodology
– Include a mechanism to track findings and closure
Risk Assessment Methodologies
Provide an end to end process for conducting
comprehensive technical and business risk assessments:
– Information Security Forum (ISF)
• FIRM, SARA, SPRINT
– FRAP (Facilitated Risk Analysis Process)
– COBIT
– OCTAVE
– NSA IAM (INFOSEC Assessment Methodology)
– Many others, including derivatives of those above
Securing the Network
A number of concepts introduced into the network design
and operating philosophy will increase overall security
These concepts include:
– Network Segmentation
– Least Privileges
– Policy
– Authentication (Identity Management)
– Logging, Auditing, and Review
– Strong perimeter security
Network Segmentation
This does not refer to segmenting your Intranet from the
Internet; it means logically segmenting the Intranet itself.
Often implemented through VLANs or through firewall
segmentation. Note that a VLAN alone only separates traffic at
Layer 2; a filtering device between the VLANs is what enforces
the policy.
Can be used to segment by location, by business unit, or,
most often, by critical asset:
• Payroll
• Research and Development / Engineering
Limits how far malicious users, and self-propagating code such
as worms, can reach once they are inside.
Intrusion Detection Systems (IDS)
IDS Has Three Primary Functions:
– Monitor
– Detect
– React / Respond
An IDS can be based on the host or the network:
– Host Intrusion Detection System (HIDS)
– Network Intrusion Detection System (NIDS)
IDS Types
Intrusion Detection Systems can use two different
mechanisms to “detect” malicious behavior:
– Anomaly Detection
• Uncovers abnormal patterns of behavior by establishing a
baseline of normal usage and treating any departure from it
as a possible intrusion. What counts as an anomaly varies,
but a common rule of thumb is that an event whose frequency
lies more than two standard deviations from the statistical
norm deserves a look.
– Misuse Detection or Signature Detection
• Uses specifically known patterns of unauthorized behavior
to detect malicious activity. These specific patterns are
called signatures.
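As an added example that is not part of the tutorial, the two-standard-deviation rule of thumb above applied to a constructed baseline of new outbound connections per minute from one host. The baseline numbers, the observed minutes, and the use of the population standard deviation are assumptions made here for illustration, not a vendor's algorithm.

```python
"""Statistical anomaly detection against a learned baseline (added example).

Baseline samples and observations are constructed for this example; the
2-sigma band is the rule of thumb from the slide, not a vendor algorithm.
"""
from statistics import mean, pstdev

# Constructed baseline: new outbound TCP connections per minute from one
# workstation during normal use (hypothetical numbers).
BASELINE = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13, 12, 15, 14, 13, 16, 12]


def build_baseline(samples, sigmas=2.0):
    """Return (mean, stdev, low, high): the band of 'normal' activity."""
    mu = mean(samples)
    sd = pstdev(samples)
    return mu, sd, mu - sigmas * sd, mu + sigmas * sd


def classify(observations, baseline=BASELINE, sigmas=2.0):
    """Flag every observation outside the band as a possible intrusion.

    Returns a list of (index, value, 'above' | 'below').
    """
    _, _, low, high = build_baseline(baseline, sigmas)
    alerts = []
    for i, value in enumerate(observations):
        if value > high:
            alerts.append((i, value, "above"))
        elif value < low:
            alerts.append((i, value, "below"))
    return alerts


if __name__ == "__main__":
    # Minute 2: a worm-infected host fanning out; minute 4: host nearly silent
    # (e.g. its agent was killed). Both sit outside the band.
    observed = [13, 14, 40, 12, 3, 15]
    mu, sd, low, high = build_baseline(BASELINE)
    print(f"normal band: {low:.1f} .. {high:.1f} (mean {mu:.2f}, sd {sd:.2f})")
    for idx, val, side in classify(observed):
        print(f"minute {idx}: {val} connections/min is {side} the band")
```

Two caveats a practitioner would add: a baseline learned while a host is already compromised makes the attack "normal", and an attacker who ramps up slowly can train the baseline upward, so baselines should be built per segment from known-clean periods and periodically re-validated. Legitimate bursts (a nightly backup, a patch push) will also trip a plain 2-sigma band, which is where tuning and the signature-based approach complement each other.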
Segment, Then Monitor!
Where to monitor?
– Each segment?
– Critical/Sensitive/High-Value segments?
– Inside the Firewall?
– Outside the Firewall?
– VPN and Remote Access Gateways?
– Partner connections?
– Wireless connectivity points?
– Areas with “transient” employees?
Intrusion Prevention Systems (IPS)
Whether host or network based, an IPS has the capability
to stop malicious traffic before it succeeds.
An IPS is usually installed “in-line” between two network
segments and will:
– Monitor
– Detect
– Block
An IPS does more than just send a “RST” packet to a
misbehaving host.
IPS and IDS Features
There are several “features” to look for with an IDS or IPS:
– IPS Operating “In-Line”
– High level of granular control
– High reliability and availability
– High performance
– Low Latency
– Accurate detection (low false-positive and false-negative rates)
– Advanced alerting and reaction mechanisms
The Least Privileged Concept
“Anything that is not expressly permitted is denied”.
Permitting individuals access only to required resources
when required.
– Do users need access to WWW resources? File Servers?
Applications?
Unix ROOT level Example:
– Reviewing if ROOT level is truly required
– Only providing ROOT level access to persons who require it
– Providing those users with regular level access and only using
ROOT level access as required
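The segmentation slide and the least-privilege slide describe the same enforcement model: traffic between internal segments is permitted only where a rule expressly allows it, and everything else falls through to a deny. The following added example (not code from the tutorial) models that as a first-match packet filter over three hypothetical segments; the addressing, the rule set, and the port choices are assumptions for illustration, and a real firewall adds state, direction, and logging on top of this.

```python
"""Segment-aware packet filter with an implicit default deny (added example).

Segment addressing and rules are constructed for illustration. The point is
the evaluation order: first match wins, and fall-through is denied.
"""
from ipaddress import ip_address, ip_network

# Hypothetical internal segments, one VLAN / firewall zone each.
SEGMENTS = {
    "payroll": ip_network("10.10.0.0/24"),
    "engineering": ip_network("10.20.0.0/24"),
    "users": ip_network("10.30.0.0/23"),
}

# Rules: (src segment, dst segment, protocol, dst port, action).
# Nothing permits users -> payroll except the HTTPS self-service front end,
# so SMB, RDP and everything else fall through to the implicit deny.
RULES = [
    ("users", "payroll", "tcp", 443, "allow"),
    ("users", "engineering", "tcp", 22, "allow"),
    ("engineering", "engineering", "any", None, "allow"),
    ("payroll", "payroll", "any", None, "allow"),
]


def segment_of(addr):
    """Map an address to its segment name, or None if it is unknown."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def evaluate(src, dst, proto, dport):
    """Return (action, matched rule index); index is None on implicit deny."""
    src_seg, dst_seg = segment_of(src), segment_of(dst)
    if src_seg is None or dst_seg is None:
        return "deny", None          # unknown addresses never match a rule
    for idx, (rs, rd, rp, rport, action) in enumerate(RULES):
        if (rs == src_seg and rd == dst_seg
                and rp in ("any", proto) and rport in (None, dport)):
            return action, idx
    return "deny", None              # not expressly permitted -> denied


if __name__ == "__main__":
    # Constructed flows: HR web access, an SMB probe at payroll, and an
    # engineer trying to reach payroll directly.
    for flow in [("10.30.1.7", "10.10.0.5", "tcp", 443),
                 ("10.30.1.7", "10.10.0.5", "tcp", 445),
                 ("10.20.0.9", "10.10.0.5", "tcp", 443),
                 ("192.168.1.1", "10.10.0.5", "tcp", 443)]:
        action, idx = evaluate(*flow)
        print(f"{flow[0]:>12} -> {flow[1]}:{flow[3]}/{flow[2]}  {action}"
              f"  (rule {idx if idx is not None else 'implicit'})")
```

The `(src, dst) -> segment` lookup is where the "by critical asset" segmentation shows up: a host that is not in any defined segment gets nothing, and a worm on the users segment can reach payroll only on the one port the business actually needs.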
Technical Restrictions and Policy
A thorough computer and network security policy must be
established and publicized throughout the company.
– Should provide specific requirements, guidelines,
configurations, and expectations of users and administrators
– Should clearly indicate the consequences for non-compliance
– Should be authorized by the compliance officer or
CEO/President
Whenever possible, technical controls must be enabled to
ensure compliance with policies
Authentication and Identity Management
Essentially, “Are you who you claim to be?”
– The use of two factor authentication, such as having a PIN code
and a hand held token
– Biometrics such as fingerprint, facial patterns, or retinal scans
– Secure enrollment process
– Use of Single Sign On (SSO), Lightweight Directory Access
Protocol (LDAP), or Active Directory (AD)
– Automated (Cost Savings!) and secure password resets
– Takes the “Asset” into consideration:
• Biometric authentication may be excessive for
authentication at the cafeteria, but not the ISP’s data center
Logging, Auditing, and Review
Develop a program to identify what needs to be logged
– Assets, threats, and risks will determine what is logged and the
appropriate retention policies
– Logs that are never reviewed are useless: they take up space
and slow the systems down
– Centralized monitoring provides a holistic view and provides
vision into trends and attack patterns
– Provides additional forensics and incident response details
– Helps identify systems and processes that have gone haywire
– Provides accountability
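To make the "centralized monitoring provides vision into attack patterns" point concrete, here is an added example (not from the tutorial) that parses deny/allow lines collected from two firewalls and flags sources that are being denied by more than one firewall or are probing several targets. The log lines and their format are constructed for this example and do not correspond to any vendor's syslog output.

```python
"""Correlating denied connections across centrally collected firewall logs.

Added example. The syslog lines below are constructed and the message
format is hypothetical; a real collector would parse each vendor's format.
"""
import re
from collections import defaultdict

LOG_LINES = """\
May  4 10:01:12 fw-dmz-1 fw: DENY TCP 203.0.113.7:41022 -> 198.51.100.10:22
May  4 10:01:13 fw-dmz-1 fw: DENY TCP 203.0.113.7:41023 -> 198.51.100.10:23
May  4 10:01:15 fw-core-2 fw: DENY TCP 203.0.113.7:41030 -> 10.10.0.5:445
May  4 10:02:01 fw-core-2 fw: ALLOW TCP 10.30.1.7:51000 -> 10.10.0.5:443
May  4 10:02:40 fw-dmz-1 fw: DENY UDP 192.0.2.9:5353 -> 198.51.100.10:161
May  4 10:03:05 fw-core-2 fw: DENY TCP 203.0.113.7:41031 -> 10.20.0.9:22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) fw: "
    r"(?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(lines):
    """Turn raw syslog text into a list of event dicts; skip unparseable lines."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:   # in production, count the misses too: a parser gap hides attacks
            events.append(m.groupdict())
    return events


def correlate_denies(events, min_firewalls=2, min_targets=3):
    """Sources denied by >= min_firewalls devices or hitting >= min_targets
    distinct (dst, port) pairs. Either is a pattern one firewall alone misses."""
    by_src = defaultdict(lambda: {"firewalls": set(), "targets": set(), "count": 0})
    for e in events:
        if e["action"] != "DENY":
            continue
        rec = by_src[e["src"]]
        rec["firewalls"].add(e["host"])
        rec["targets"].add((e["dst"], e["dport"]))
        rec["count"] += 1
    suspects = {}
    for src, rec in by_src.items():
        if len(rec["firewalls"]) >= min_firewalls or len(rec["targets"]) >= min_targets:
            suspects[src] = {"firewalls": sorted(rec["firewalls"]),
                             "targets": len(rec["targets"]),
                             "denies": rec["count"]}
    return suspects


if __name__ == "__main__":
    for src, info in correlate_denies(parse(LOG_LINES)).items():
        print(f"{src}: {info['denies']} denies across {info['firewalls']}, "
              f"{info['targets']} distinct targets")
```

Seen on `fw-dmz-1` alone, two denied connections from one address are noise; seen together with the core firewall's logs they are the same host walking from the DMZ into payroll and engineering, which is the trend view the slide is after. Retention and review cadence decide whether that pattern is ever noticed.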
Perimeter Security
Can it be strong enough?
– Corporate Remote Access
• Dial-Up (pcAnywhere!)
• VPN (PPTP, IPSec, and SSL) and SSH
– Wireless
– DMZ Connectivity
– Inbound Telnet?
– Dual-homed machines that straddle the network perimeter
And the Perimeter continues to get fuzzy…
Applications (usually in the DMZ) provide an entry point
into the network.
– SQL Injection
– Bad Coding Logic
SSL VPNs are relatively new, with a variety of commercial
and open-source solutions
– Client side security issues
– Server side security issues
The Firewall
So many vendors and different types, which one is the
best?
– Software only solution or a packaged hardware and software
solution
– Microsoft Windows or UNIX (including variants such as Solaris
and Linux)
– Bridging versus routing connectivity
– Centralized management and monitoring solutions
– High availability and redundant solutions
– What functionality do you want in the FW?
Software vs Hardware Based Firewalls
A software based firewall is an application add-on that sits
on top of the computer’s operating system.
– Installed as an aftermarket item or integrated into the OS
– Must update OS and FW software and ensure interoperability
so nothing breaks
– Efficiency of the firewall will be dependent on the actual
characteristics of the machine chosen
– May be able to purchase add-on functionality to increase
performance or add features
– Priced from $0 and up
Software vs Hardware Based Firewalls
A hardware based firewall is a physical device that is
plugged into the network.
– Usually pre-configured from the vendor
– May allow for the purchase of add-on hardware or software to
increase performance or add features
– Usually look towards the vendor as a single point of contact for
updates
– Hardware based appliances are optimized for speed by design
as circuits, chips, logic, and processes are designed for a
particular application.
– OS may be proprietary, but generally comes “hardened”
What OS To Choose?
Not a direct consideration for hardware based firewalls, which
come pre-configured, though the appliance OS still has to be
patched through the vendor.
Software Firewalls:
– Do you have a choice?
– Is one OS inherently more “secure” than another?
– What OS are you familiar with?
– Is the FW Software optimized for a particular software
platform?
Routing Firewalls
Routing Firewalls traditionally have the following
characteristics:
– Acts as a router with filtering capability
– Has 2 or more interfaces that inspect and filter traffic prior to
deciding whether to forward the packet to another interface or
to drop it
– Each interface has an IP address (a Layer 3 presence)
– Forwarded packets have their TTL decremented, may have addresses
rewritten (NAT), and are then routed to the destination
Routing Firewalls
There are several “disadvantages” of the traditional
routing firewall.
– It may not be easy to install a routing firewall between two
networks, as you will need IP addresses for each interface and
the hosts must know that the firewall is their gateway
– While firewalls may be configured not to respond to certain
types of "malicious" or "exploratory" traffic, it is often easy not
only to detect that a firewall exists (it appears as a hop, for
example in a traceroute), but also which type of firewall it is
– Has an IP address on its interface, which can be targeted
directly by a malicious person
– May require more processing power than a bridging firewall, as
it must handle both Layer 2 and Layer 3
Bridging Routers
Rather than "routing", how about inspecting the packet
and then moving it to the proper interface?
– Works at the OSI model layer 2 – the Data Link Layer
– AKA: Transparent, In-Line, Shadow, or Stealth FW
– Data comes in one interface and out the other, after passing
through any filtering
Bridging Routers
Bridging routers have several advantages:
– "Zero configuration": no re-addressing of the network it protects.
The bridging firewall can be placed in line with the network (or
segment) that it is protecting:
• Between two routers
• Between a router and a switch (which may protect a group
of sensitive machines)
– Because the bridging router operates at Layer 2, its forwarding
interfaces have no IP address and cannot be addressed or reached
by IP (a separate management interface, if present, still can and
must be protected accordingly)
– Bridging routers require less processing overhead and can be a
simpler device, or incorporate more functionality, when compared
to an equivalent routing firewall
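The difference between the two firewall types in the preceding slides comes down to what happens to a forwarded packet. The following added example (a toy model written for this page, not any vendor's implementation) shows a routing firewall decrementing TTL, rewriting the source address (NAT) and answering an expired probe from its own address, while a bridging firewall applies the same policy but passes permitted packets through untouched. The addresses and the one-rule policy are assumptions.

```python
"""Routing vs. bridging (transparent) firewall forwarding (added example).

Toy model, not a vendor implementation. All addresses are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ttl: int
    dport: int


def allow_https_only(pkt):
    """Sample policy shared by both devices: permit only TCP/443."""
    return pkt.dport == 443


class RoutingFirewall:
    """Layer-3 hop: owns addresses, decrements TTL, may rewrite source (NAT)."""

    def __init__(self, inside_addr, outside_addr, nat_to=None):
        self.inside_addr = inside_addr
        self.outside_addr = outside_addr
        self.nat_to = nat_to

    def forward(self, pkt, policy):
        if not policy(pkt):
            return None, "dropped"
        if pkt.ttl <= 1:
            # A traceroute probe expires here; the Time Exceeded reply carries
            # the firewall's own address, so the hop is visible to the sender.
            return None, f"icmp time-exceeded from {self.inside_addr}"
        out = replace(pkt, ttl=pkt.ttl - 1, src=self.nat_to or pkt.src)
        return out, "forwarded"


class BridgingFirewall:
    """Layer-2 device: no IP address on the data path. The packet is
    inspected and, if permitted, passed through unchanged (TTL included)."""

    def forward(self, pkt, policy):
        if not policy(pkt):
            return None, "dropped"
        return pkt, "forwarded"


def trace_hops(device, dst, max_ttl=3):
    """Emulate traceroute across one device: send TTL 1..max_ttl, collect what
    comes back. A routing firewall shows up; a bridge does not."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        out, verdict = device.forward(Packet("10.0.0.5", dst, ttl, 443),
                                      allow_https_only)
        hops.append(verdict if out is None else f"forwarded ttl={out.ttl}")
    return hops


if __name__ == "__main__":
    router = RoutingFirewall("10.0.0.1", "198.51.100.1", nat_to="198.51.100.1")
    bridge = BridgingFirewall()
    print("routing :", trace_hops(router, "203.0.113.10"))
    print("bridging:", trace_hops(bridge, "203.0.113.10"))
```

The bridge's invisibility holds only for the data path: the management interface most products add is an ordinary Layer 3 host and needs its own access controls.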
Management And Monitoring
In the beginning, each Firewall had a console where the
alerting, logging, and rules were managed.
– Firewalls were managed as individual entities
– Logs were kept separately. Rules managed individually
Then firewalls began to log via syslog, a way to centrally
collect the logs and alerts.
Once the logs and alerts were centralized, the management
of the firewalls was centralized as well.
Management And Monitoring
Centralized Monitoring:
– Provides a holistic view of the corporate Firewall infrastructure
– Centrally manage logs
• Event Correlation
– Centrally administer systems
• One workstation to administer all Firewalls
• Easy to ensure consistency and uniformity
• Allows for FW policy and procedures verification
– Requires less hardware and software
• Cheaper!
Outsourced Management of Firewalls
Outsourced firewall management is driven by several
factors:
– Firewall operation is generally not a company's "core competency"
– Staffing levels
– Rule set management
– 24x7 support requirements
– Generally requires "formal" firewall change policies and
requirements
– You buy into the provider's economies of scale.
What is QoS
QoS: Quality of Service is the prioritization of network
traffic for certain applications and services.
Can be implemented through:
– MPLS: Multi-Protocol Label Switching
• With traffic engineering, used to establish label-switched
paths with reserved bandwidth ("fixed bandwidth pipes").
Labels are generally pushed at the ingress edge router and
popped at the egress edge router.
– DiffServ: Differentiated Services
• Utilizes the IPv4 Type of Service (ToS) byte, redefined as a
6-bit Differentiated Services Code Point (DSCP) plus 2 ECN bits.
• Typically "applied" (classified and marked) at border routers
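As an added example (not from the tutorial), the following code builds a constructed IPv4 header, sets and reads the DSCP/ECN bits of the ToS byte, and re-marks a packet the way a border router does while keeping the header checksum valid. The addresses are assumptions; the code point values are the standard ones from RFC 2474, RFC 2597 and RFC 3246.

```python
"""DiffServ marking in the IPv4 ToS byte (added example).

Builds a constructed IPv4 header, sets/reads the 6-bit DSCP and 2-bit ECN
fields that replaced the old ToS bits (RFC 2474, RFC 3168), and keeps the
header checksum valid when a border router re-marks the packet.
"""
import socket
import struct

# Standard per-hop-behaviour code points (RFC 2474 / 2597 / 3246).
DSCP = {"BE": 0, "AF21": 18, "AF31": 26, "EF": 46}


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, dscp=0, ecn=0, ttl=64, proto=17, payload_len=0):
    """Minimal 20-byte IPv4 header with the DSCP/ECN byte filled in."""
    tos = ((dscp & 0x3F) << 2) | (ecn & 0x3)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, tos, 20 + payload_len,   # version/IHL, ToS, total length
                      0x1234, 0x4000,                # id, DF flag + fragment offset
                      ttl, proto, 0,                 # ttl, protocol, checksum placeholder
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def read_marking(hdr):
    """Return (dscp, ecn) from a raw IPv4 header."""
    tos = hdr[1]
    return tos >> 2, tos & 0x3


def remark(hdr, dscp):
    """Re-mark the packet (what a border router does at the trust boundary),
    preserving ECN, and recompute the header checksum so it stays valid."""
    tos = ((dscp & 0x3F) << 2) | (hdr[1] & 0x3)
    zeroed = hdr[:1] + bytes([tos]) + hdr[2:10] + b"\x00\x00" + hdr[12:]
    return zeroed[:10] + struct.pack("!H", checksum(zeroed)) + zeroed[12:]


def header_valid(hdr):
    """A header whose checksum field is correct sums to zero."""
    return checksum(hdr) == 0


if __name__ == "__main__":
    # Constructed packet: a host marks its own traffic EF (voice priority).
    pkt = build_ipv4_header("10.0.0.5", "10.0.0.9", dscp=DSCP["EF"])
    print("host marking:", read_marking(pkt), "valid:", header_valid(pkt))
    # The border router does not trust host markings and resets to BE.
    pkt = remark(pkt, DSCP["BE"])
    print("after border re-mark:", read_marking(pkt), "valid:", header_valid(pkt))
```

The security point behind "applied at border routers": the DSCP byte is not authenticated, so any host can mark its own traffic EF and starve real voice calls. The device at the trust boundary should classify and re-mark on ingress rather than honour whatever arrives, which is also why a QoS device placed where it cannot see the real addresses (behind NAT) or the payload (inside a tunnel) has so little to classify on.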
Why is QoS Important?
QoS is a necessity for Voice Over IP (VoIP)
– Must have a “bandwidth pipe” available for VoIP traffic to help
facilitate VoIP availability and PSTN quality calls
– QoS will help minimize:
• Packet Loss
• Latency
• Jitter
– And QoS can help increase security by rate-limiting the traffic
classes that worm, virus, and malware propagation generates
QoS And Firewalls
Where do you put the QoS management devices?
– Inside?
– Outside?
What do you look for in a QoS management system?
– QoS Assignment
• All types of traffic (Critical/NAT’d/Encrypted Traffic)
– Transparency & Ease of Use
QoS Device Placement: External
Consider a QoS Device on the Internet side of a Corporate
Firewall.
[Diagram: Internet -> QoS Device -> Firewall -> Intranet; two DMZ machines hang off the Firewall]
QoS On the External Side: Issues
There are several issues with this solution:
– QoS Device cannot consistently classify or encode the
information based on IP Header information as some of the
data may be encrypted.
– When devices are NAT’d, setting the QoS based on IP Address
is difficult.
• The QoS may see the “Intranet” as a single IP due to
NAT’ing issues.
– QoS cannot classify traffic by groups or users
– QoS device is unprotected by the corporate firewall and is
susceptible to attacks.
QoS Device Placement: Internal
Consider a QoS Device on the Intranet side of a Corporate
Firewall.
[Diagram: Internet -> Firewall -> QoS Device -> Intranet; two DMZ machines hang off the Firewall]
QoS On the Internal Side: Issues
There are several issues with this solution:
– The QoS device does not know the level of traffic on the Internet
link, as it has no visibility into congestion between itself and
the gateway (for example, on a site-to-site VPN).
– As such, the QoS device cannot prevent unacceptable traffic
levels from saturating the gateway.
Wrap-Up
Secure Network Infrastructure:
– More than just a firewall
– Requires a “Security Program” as a foundation and includes:
• Policies and awareness training
• Technical controls whenever possible
• Assessments, reviews, penetration testing
• Incident response plans and drills
– Requires continual vigilance
Contact Information
Please feel free to contact me with any questions or
comments:
Lucent Technologies
Bell Labs Innovations
George McBride, CISSP
Security Practice
Lucent Worldwide Services
Lucent Technologies Inc.
Room 2N-611J
101 Crawfords Corner Road
Holmdel, NJ 07733
Phone: +1.732.949.3408
E-mail: [email protected]