Architecting Security across global networks


Post on 19-Jan-2017


  • Confidentiality level C1 | 8 August 2011

    Architecting Security across global networks

    Presented by Marco Ermini, 8 August 2011

  • A huge topic: where to start?

    This will not be about how to architect a network, or about network
    security in general - it is about network visibility.

    You land in this complex company (or you acquire it) and you divide
    your tasks:

    1. Identify the networks
    2. Identify the challenges
    3. Identify the alternatives

    Divide et impera

  • Architecting Security across global networks

    Identify the networks
    Identify the challenges
    Identify the alternatives

  • Identify the networks

    Network maps anyone?

  • Identify the networks

    Asset DB anyone?

    Examples of our Asset DB:

    OS, OS version number, support group, IP address and DB version are free
    text fields

    OS: circa 240 counted, without including the version number!

    cs_os_name cs_os_versionnumber
    SOLARIS 10 IDM-AP3-P | SOLARIS 10 9/10 10 9/10 | 10 9/10
    SOLARIS 10 177
    SOLARIS 10 1/06 820
    SOLARIS 10 10/08 1413
    SOLARIS 10 10/08 | SOLARIS 10 10/08 1
    SOLARIS 10 10/09 1554
    SOLARIS 10 11/06 2164
    SOLARIS 10 3/05 35
    SOLARIS 10 5/08 259
    SOLARIS 10 5/08 | SOLARIS 10 5/08 3
    SOLARIS 10 5/09 725
    SOLARIS 10 6/06 278
    SOLARIS 10 8/07 397
    SOLARIS 10 8/11 3
    SOLARIS 10 9/10 3442
    SOLARIS 10 IDM-AP3-P | SOLARIS 10 9/10 1
    SOLARIS 10 X64 10
    SUN SOLARIS 10 4

    DB and Computers counted as different entities
    80+ support groups (!!!), many of which are clearly legacy or duplicated
    No unique correspondence between Asset DB entry and physical reality
    IP address field has space for only one entry (!!!)
    No way to do an automatic import, therefore many departments don't use it
    It relies on a special tool to fetch the data, but the tool is not ubiquitous
    Almost 35000 entries, but no one knows if the data is qualitatively relevant
    No one is accountable for the data, only for the Asset DB tool in itself
    There is a disconnection between who created and maintains the system,
    and the business objectives of it
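    Cleaning free-text OS fields like the ones above is mostly mechanical once the noise patterns are known. The following added example (not from the presentation) normalises constructed rows shaped like the Solaris excerpt into a canonical (family, major, release) key, sums the entry counts per key, and flags rows that need manual cleanup; the row layout, the count column and the sample values are assumptions.

```python
import re
from collections import Counter

# Constructed sample rows shaped like the slide's Solaris excerpt from the Asset DB:
# (cs_os_name, cs_os_versionnumber, number of entries). Both text fields are free text.
SAMPLE_ROWS = [
    ("SOLARIS 10", "", 177),
    ("SOLARIS 10", "1/06", 820),
    ("SOLARIS 10", "10/08", 1413),
    ("SOLARIS 10 10/08 | SOLARIS 10 10/08", "", 1),     # value pasted twice
    ("SOLARIS 10", "9/10", 3442),
    ("SOLARIS 10 IDM-AP3-P | SOLARIS 10 9/10", "", 1),  # host name leaked into the OS field
    ("SOLARIS 10 X64", "", 10),
    ("SUN SOLARIS 10", "", 4),
    ("solaris 10 ", "5/08", 259),                        # case and whitespace noise
]

MAJOR_RE = re.compile(r"SOLARIS\s+(\d+)")
RELEASE_RE = re.compile(r"\b(\d{1,2}/\d{2})\b")  # Solaris update releases such as 10/08
KNOWN_TOKENS = {"SUN", "SOLARIS", "X64"}         # vendor, product, architecture words

def normalize_os(name: str, version: str) -> tuple[str, str, str]:
    """Collapse the two free-text fields into a canonical (family, major, release)."""
    text = f"{name} {version}".upper()
    family = "SOLARIS" if "SOLARIS" in text else "UNKNOWN"
    major = MAJOR_RE.search(text)
    release = RELEASE_RE.search(text)
    return (family, major.group(1) if major else "", release.group(1) if release else "")

def is_dirty(name: str, version: str) -> bool:
    """Flag rows with pasted duplicates ('|') or stray tokens such as host names."""
    text = f"{name} {version}".upper()
    if "|" in text:
        return True
    return any(tok not in KNOWN_TOKENS and not tok.isdigit()
               and not RELEASE_RE.fullmatch(tok) for tok in text.split())

def consolidate(rows):
    """Sum entries per canonical OS and collect raw rows that need manual cleanup."""
    counts: Counter = Counter()
    dirty = []
    for name, version, n in rows:
        counts[normalize_os(name, version)] += n
        if is_dirty(name, version):
            dirty.append((name, version))
    return counts, dirty

if __name__ == "__main__":
    counts, dirty = consolidate(SAMPLE_ROWS)
    print(f"{len(SAMPLE_ROWS)} raw rows -> {len(counts)} canonical OS values; cleanup: {dirty}")
```

    The same two-step approach (canonicalise, then quarantine what does not parse) applies to the support-group and DB-version fields, which the slide names as free text as well.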

  • Identify the networks

    Which hosts are still used, which ones are legacy?
    What is the usage of the hosts?
    Which ones need to stay on the same subnets/logical networks?
    Which ones need to be kept separated?
    Which vulnerabilities do the hosts have?
    Can you detect them?
    Can you patch them?

  • How is the network planned?

    Legacy not just in the hosts, also in the networks

    Was there a policy when the network was planned?
    Was the policy actually usable?
    Did they use it?

    Firewall based versus routing based

  • Firewall-based network

    Pros (supposed):
    Each application/network is separate
    Only allowed IP/port pairs can establish a session
    Possible to implement a precise change management for firewall requests
    Possible to implement monitoring of connections

    Cons (certain!):
    Lots of firewalls are needed!
    Rules just accumulate, possibly duplicate and overlap and shadow each other
    ...
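    The rule accumulation named in the cons can be checked mechanically rather than by eye. This added example (not part of the presentation) audits a constructed first-match rule base for rules an earlier rule fully covers (redundant when the action is the same, shadowed when it differs) and for partial overlaps with conflicting actions; the one-line rule format and the sample rules are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network

@dataclass(frozen=True)
class Rule:
    rid: str
    src: IPv4Network
    dst: IPv4Network
    ports: tuple          # inclusive destination port range (lo, hi)
    action: str           # "allow" or "deny"

def parse_rule(line: str) -> Rule:
    """Parse the constructed one-line format: id src dst ports action (ports as 22 or 22-1024)."""
    rid, src, dst, ports, action = line.split()
    lo, _, hi = ports.partition("-")
    return Rule(rid, ip_network(src), ip_network(dst), (int(lo), int(hi or lo)), action)

def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by inner is also matched by outer."""
    return (inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)
            and outer.ports[0] <= inner.ports[0] <= inner.ports[1] <= outer.ports[1])

def overlaps(a: Rule, b: Rule) -> bool:
    return (a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])

def audit(rules):
    """First-match semantics: compare each rule with the rules ahead of it.
    redundant: an earlier same-action rule covers it (never reached, harmless)
    shadowed:  an earlier opposite-action rule covers it (never reached, intent lost)
    overlaps:  partial overlap with a conflicting action (order decides what passes)"""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.rid, kind, earlier.rid))
                break  # the first covering rule already decides this traffic
            if earlier.action != later.action and overlaps(earlier, later):
                findings.append((later.rid, "overlaps", earlier.rid))
    return findings

# Constructed sample rule base (not from the presentation), evaluated top to bottom.
SAMPLE_RULES = [parse_rule(l) for l in """
R1 10.0.0.0/8   10.20.0.0/16  443        allow
R2 10.1.0.0/16  10.20.5.0/24  443        allow
R3 0.0.0.0/0    10.20.5.10/32 22         deny
R4 10.1.2.0/24  10.20.5.10/32 22         allow
R5 10.1.0.0/16  10.20.0.0/16  1024-65535 deny
R6 10.9.0.0/16  10.20.5.0/24  22-1024    allow
""".strip().splitlines()]

print(*audit(SAMPLE_RULES), sep="\n")
```

    Running it on the sample reports R2 as redundant with R1, R4 as shadowed by R3, and R6 as partially overlapping R3; only the shadowed case silently defeats a change request, which is why it deserves the first look in a rule review.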
