A Layered Approach to Support Extranet Security
Ralph Santitoro, Director of Security Solutions, Nortel. EntNet @ SUPERCOMM 2005, Panel 2 Session, June 6. [email protected], http://www.nortel.com/security
© 2005 Nortel Networks. All Rights Reserved. -2-
What are you trying to protect?
> Business Continuity
• Protecting the network, hosts and applications from threats or vulnerabilities
• Protecting outsourced services, e.g., Call Centers, Customer Service
> Information Security
• Controlling the usage of information
• Auditing the movement of information
(Figure: Business Continuity and Information Security shown as two layers, an Information Privacy Layer and a Network, Host, and Application Defense Layer)
What’s Keeping the CxO Up at Night?
> Computer worms, viruses
> Regulatory compliance
> Online fraud
> Early warning of cyber attacks
> Data Privacy
- Top 5 Security Concerns for 2005*
80% of CSOs report that cyber attacks had a bottom-line financial impact on their organizations*
* Source: CSO Interchange New York December 2004
Regulations will Drive Security Deployments - Regulations will increase the focus on Security
> Sarbanes Oxley
> Health Insurance Portability and Accountability Act (HIPAA)
> Gramm-Leach-Bliley (GLB)
> California Database Breach Notification Act (SB1386)
> Data Protection and Misuse Act (UK)
> Personal Information Protection & Electronic Documents Act (Canada)
> Safe Harbor Act – EU Data Protection Act (Europe, U.S.)
Business Continuity - Protecting the Network, Hosts and Applications - What are the Threats?
Business Continuity - Must maintain reliable services
> Conduct business without outages of critical services
> Maintain communications
• Internally and with customers, suppliers, partners
What are the Threats? - Malicious Software (Malware): Viruses, Worms, Trojans
> Typically infect a computer by exploiting “vulnerabilities” and social engineering
• Steal passwords (e.g., cookies)
• Destroy documents
• Steal confidential data (e.g., Phishing, Scam)
• Impede host or network device performance
• Distribute SPAM
> Infected computers threaten the security of the network
> How to stop Malware
• AntiVirus software
• Intrusion Detection software or appliances
• Traffic Management devices
• Security policies
Denial of Service and DDoS attacks
> Targets known “vulnerability” in devices
> Can cause devices to completely stop working
> Denial of Service
• One hacker targeting one network device or host
> Distributed Denial of Service (DDoS)
• One or several hackers taking over multiple hosts on the Internet
• These machines then target a single network device or host
Extranet Challenges - Threats from Encrypted Traffic
> Sensitive data, VPN traffic, secure multimedia and eCommerce rely on encryption for security
• Encryption hides malicious code
> Threat prevention devices must:
• Decrypt the traffic
• Scan traffic for Malware
• Report or take action on the traffic
• E.g., report the threat, drop the traffic, reduce the bandwidth, etc.
• Re-encrypt the traffic
Anatomy of a Real-World Attack
A sophisticated attacker will leverage trust relationships to gain access to more valuable information assets.
(Figure: from the external attacker’s system, a target server is attacked and compromised and becomes the “base camp”; the acquired server is used as a vantage point to penetrate the corporate net; further attacks are performed as an internal user)
5 P’s: Probe, Penetrate, Persist, Propagate, Paralyze
Threat Prevention
> Extranet Threats require similar protection to other internal or external threats
> Similar technologies and procedures are used
> Intelligent traffic management is critical
(Figure: Monitor / Detect / Act / Mitigate cycle with the activities Configure, Capture, Analyze Signatures, Violations, Behavior Scan, Patch, Policy, Log, Alert, Block)
Enterprise Security Challenge - A Dynamic Situation
(Figure: Infrastructure Attacks; Unknown Connections: wireless access points, unused active ports, unauthorized use; Extranet: compromised, malicious, unintentional; Intranet: compromised, malicious, unintentional; Unknown attacks and Engineered attacks: passwords compromised, sessions intercepted)
Understand the network. Detect the vulnerabilities. Protect the assets.
Security Policy Layers - Why Deep Packet (L3-L7) Inspection and Intelligent Traffic Management are so important
(Figure: example traffic flows passing through the policy layers IP Access Protection (Anti-Spoofing); Denial of Service Attack Protection (Scan, SYN/FIN DoS Attack); Application Inspection (Worms, Viruses, Trojans …; Peer-to-Peer; Instant Messaging; VoIP); Malware Inspection; Apply Policies (Guaranteed / Limited); Reporting and Logging)
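To make the layering concrete, here is an added example (not Nortel’s code or the deck’s own) of an ordered L3-L7 policy pipeline over constructed flow records: an anti-spoofing check at the IP layer, a SYN/FIN anomaly check at the DoS layer, and per-application bandwidth policy at the application layer, with every verdict logged. The address plan, the `Flow` record and the assumption that L7 classification has already labelled the flow are all mine.

```python
# Added example (not from the deck): a toy ordered L3-L7 policy pipeline showing
# why each layer catches something the layers before it cannot.
from dataclasses import dataclass
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed internal address plan
# Application policy taken from the slide's examples: P2P blocked, IM limited, VoIP guaranteed.
APP_POLICY = {"p2p": "block", "im": "limited", "voip": "guaranteed"}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    tcp_flags: set
    app: str     # L7 classification result, assumed already known
    iface: str   # interface the flow arrived on: "external" or "internal"


def layer_ip_access(flow):
    # Anti-spoofing: an internal source address must never arrive on the external interface.
    if flow.iface == "external" and ipaddress.ip_address(flow.src) in INTERNAL_NET:
        return "block", "anti-spoofing: internal source on external interface"
    return None


def layer_dos(flow):
    # SYN and FIN set together never occurs in legitimate TCP; it is a classic scan signature.
    if {"SYN", "FIN"} <= flow.tcp_flags:
        return "block", "dos: SYN/FIN scan"
    return None


def layer_application(flow):
    # Application inspection: apply the per-application policy (block / limited / guaranteed).
    action = APP_POLICY.get(flow.app)
    if action == "block":
        return "block", f"app: {flow.app} not permitted"
    if action in ("limited", "guaranteed"):
        return action, f"app: {flow.app} bandwidth {action}"
    return None


LAYERS = [layer_ip_access, layer_dos, layer_application]


def evaluate(flow, log):
    """Run the layers in order; the first verdict wins and every verdict is logged."""
    for layer in LAYERS:
        verdict = layer(flow)
        if verdict:
            log.append((flow.src, flow.dst, *verdict))  # reporting and logging layer
            return verdict[0]
    log.append((flow.src, flow.dst, "allow", "default"))
    return "allow"
```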
Remote End Point Compliance
> Remote end point devices (PCs, mobile devices, etc.) accessing the Extranet are assessed prior to network access
• To determine if they are compliant with security policies
> Example policy compliance rules
• AntiVirus installed, AntiSpyware installed, Operating System security patches and Application security patches must be installed
> Compliance Policy Choices
• Block All, Quarantine, Allow Some, Allow All
End point devices accessing the network are made compliant with corporate security policies
Remote End Point Security Challenges and Solutions for Extranets
> Masquerading: How do I know the user hasn’t stolen a user ID & password?
• Use token-based or 2-factor authentication, e.g., RSA SecurID card or User ID / Password + VPN ID / Password
> Negligence: A user walks away from her desk leaving an open VPN session
• Use an auto-logoff timer to terminate the VPN session after a period of inactivity
> Residual Data: A patient’s medical data is cached on a PC and becomes accessible to the next user
• Use cache cleansing to clear browser history and cached data once the VPN session is terminated
> Trust: I don’t want sensitive applications accessed from any unknown PCs
• Use dynamic access policies enabling varied access depending on configured parameters at login, e.g., allow Email, but no file access, or deny access completely
Remote Endpoint Security Compliance and Remediation for Extranets
> Example Extranet end point security policy to access network:
• AntiVirus must be installed
• AntiSpyware must be installed
(Figure: client-based and client-less Extranet access over an Extranet VPN connection, with end point checks for Virus, IDS, AntiSpyware and PFW and a Quarantine / Remediation path)
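The compliance slides above (policy rules, the four policy choices, the auto-logoff timer and the dynamic access policy) are illustrated by this added example, which is my own code and not the logic of any Nortel product. The `Posture` record, the `two_factor` and `managed_device` attributes, the idle limit and the application names are assumptions made for the example.

```python
# Added example (not the deck's or Nortel's code): end point posture assessment at VPN
# login, mapped to the deck's policy choices and to a dynamic per-application access policy.
from dataclasses import dataclass

REQUIRED = ("antivirus", "antispyware", "os_patched", "apps_patched")  # slide's compliance rules
IDLE_LIMIT_SECONDS = 900  # assumed auto-logoff timer value


@dataclass
class Posture:
    antivirus: bool
    antispyware: bool
    os_patched: bool
    apps_patched: bool
    two_factor: bool      # token / 2-factor login completed (assumed attribute)
    managed_device: bool  # known corporate PC rather than an unknown PC (assumed attribute)


def failed_checks(p):
    """Names of the compliance rules this end point does not satisfy."""
    return [name for name in REQUIRED if not getattr(p, name)]


def access_decision(p, mode):
    """mode is one of the deck's choices: block_all, quarantine, allow_some, allow_all."""
    failures = failed_checks(p)
    if mode == "block_all":
        return "deny" if failures else "allow"
    if mode == "quarantine":
        return "quarantine" if failures else "allow"
    if mode == "allow_some":
        return "allow" if not failures else "limited"
    return "allow"  # allow_all: non-compliance is recorded but not enforced


def permitted_apps(p, decision):
    """Dynamic access policy: what the session may reach given posture and decision."""
    if decision == "deny":
        return set()
    if decision == "quarantine":
        return {"remediation"}  # only the remediation server is reachable
    if decision == "limited" or not p.two_factor or not p.managed_device:
        return {"email"}  # e.g., allow Email but no file access
    return {"email", "files", "sensitive_apps"}


def session_expired(last_activity, now):
    # Negligence control: the VPN session is terminated after a period of inactivity.
    return now - last_activity >= IDLE_LIMIT_SECONDS
```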
Summary
> Extranets require multiple layers of protection to ensure business continuity and protect information privacy
• Secure access (VPN) with user-based Security Policies
• Threat Prevention at Layer 3-7
• Deep Packet Inspection and Intelligent Traffic Management
• End Point Security Compliance and Remediation