architecting security across global networks

Confidentiality level C1 | 8 August 20111

Architecting Security

across global networks

Presented by Marco Ermini8 August 2011


A huge topic: where to start?

“Divide et impera”



• This will not be about how to architect a network, or about network

security in general - it is about network visibility.






• You land in this complex company (or you acquire it) and you divide

your tasks:







your tasks:

1. Identify the networks







your tasks:


2. Identify the challenges







your tasks:


2. Identify the challenges

3. Identify the alternatives



Architecting Securityacross global networks

Identify the networks

Identify the challenges

Identify the alternatives



• Network maps anyone?



• Asset DB anyone?




• Examples of our Asset DB:





– “OS”, “OS version number”, “support group”, “IP address” and “DB version” are free

text fields






text fields

– “OS”: circa 240 counted, without including the version number!






text fields


cs_os_name cs_os_versionnumber

SOLARIS 10 IDM-AP3-P | SOLARIS 10 9/10 10 9/10 | 10 9/10

SOLARIS 10 177

SOLARIS 10 1/06 820

SOLARIS 10 10/08 1413

SOLARIS 10 10/08 | SOLARIS 10 10/08 1

SOLARIS 10 10/09 1554

SOLARIS 10 11/06 2164

SOLARIS 10 3/05 35

SOLARIS 10 5/08 259

SOLARIS 10 5/08 | SOLARIS 10 5/08 3

SOLARIS 10 5/09 725

SOLARIS 10 6/06 278

SOLARIS 10 8/07 397

SOLARIS 10 8/11 3

SOLARIS 10 9/10 3442

SOLARIS 10 IDM-AP3-P | SOLARIS 10 9/10 1

SOLARIS 10 X64 10

SUN SOLARIS 10 4






text fields







text fields


– “DB” and “Computers” counted as different entities






text fields



– 80+ support groups (!!!) many of which clearly legacy or duplicated






text fields




– No unique correspondence between Asset DB entry and physical reality






text fields





– IP address field has space for only one entry (!!!)






text fields






– No way to do an automatic import, therefore many departments don’t use it






text fields







– It relies on a special tool to fetch the data, but the tool is not ubiquitous






text fields








– Almost 35000 entries, but no one knows if the data is qualitatively relevant






text fields









– No one is accountable for the data, only for the Asset DB tool in itself






text fields










• There is a disconnection between who created and maintains the system,

and the business objectives of it



• Which hosts are still used, which ones are legacy?




• What is the usage of the hosts?

– Which one needs to stay on the same subnets/logical networks?

– Which one needs to be kept separated?




• What is the usage of the hosts?

– Which one needs to stay on the same subnets/logical networks?

– Which one needs to be kept separated?

• Which vulnerabilities have the hosts?

– Can you detect them?

– Can you patch them?


How is the network planned?



• Legacy not just in the hosts, also in the networks




• Was there a policy when the network was planned?

– Was the policy actually usable?

– Did they use it?







• Firewall based versus routing based


Firewall-based network



• Pros (supposed…):




– Each application/network is “separate”





– Only allowed IP/port pairs can establish a session






– Possible to implement a precise change management for firewall requests







– Possible to implement monitoring of connections








• Cons (certain!):









– Lots of firewalls are needed!










– Rules just accumulate, possibly duplicate and overlap and shadow each other











– Lots of personnel/operational efforts

– Difficult to implement security/monitoring/compliance tools













– Waste of IP addresses














– Projects get bored and just ask for “allow all”















– No real visibility!















– No real visibility!

– No real security!


No real visibility


No real visibility

• You cannot really enforce protocols on the firewalls


No real visibility


• You cannot possibly TAP all of these interfaces


No real visibility



• Even if you TAP them, they will bypass you


No real visibility




• Projects tend to skip the processes if they are too complex


No real visibility




• Projects tend to skip the processes if they are too complex

• When NAT/NATP is used, it becomes complex to understand real sources

and destinations


No real security


No real security

• You will have to choose what to protect and what not


No real security


• Often reduced to only “perimeter defence”


No real security



• Projects will tend to bypass monitored points seeking for simplicity in

deployment


No real security




deployment

• If you enable logging on big pipes, you will get huge amount of data


No real security




deployment


• Firewalls tends to become congestion points


No real security




deployment



• Subject to DoS attacks


No real security




deployment




• Often traffic spoofing is disabled – firewall used as routers


No real security




deployment





• Does not understand OSI Layer 4 and above


No real security




deployment






• End to end encryption takes out the usefulness of the firewall


No real security




deployment







• Network borders are blurred


No real security




deployment







• Network borders are blurred

• Lacking proper access control mechanisms


Different security policy



• Divide the network into sensitivity zones




– Front ends, back ends, “crown jewels” area, office LAN access, Guest access, etc.





• Simplify the requirements






– Identify what is really important and what can be “drawn together”







• Take the responsibility and accountability for simplification








• Secure the end point too!









• Employ better tools for network monitoring










– Database Activity Monitoring, Web Application Firewall, Network Forensics tools, etc.











– Application-aware tools – Next Generation Firewalls












– Select and slice the data that you want to analyse – in real time!













– Identify to which user a traffic belongs to














– Deal with encryption















– Keep a forensic registration of the traffic – you may need it!















– Keep a forensic registration of the traffic – you may need it!

– Produce NetFlow/PCAPs for SIEM tools


Example of simplified network segregation



• Traffic flows for delivered

applications




applications

– Internet application to allow

customers’ self service provisioning




applications






applications



– Outsourced management of the

office LAN to a third party




applications








applications





– Mobile customer with a dedicated

APN, accessing a mobile

management platform




applications







management platform




applications







management platform

• Security point of controls




applications







management platform


– Next Generation Firewalls/IPSes




applications







management platform






applications







management platform



– Web Application Firewalls/DoS

protection




applications







management platform




protection




applications







management platform




protection

– Session Registration




applications







management platform




protection





applications







management platform




protection


– NAC




applications







management platform




protection


– NAC

– Database Activity Monitoring




applications







management platform




protection


– NAC





applications







management platform




protection


– NAC


– Vulnerability Scanners




applications







management platform




protection


– NAC






applications







management platform




protection


– NAC



– Two factors authentication




applications







management platform




protection


– NAC







applications







management platform




protection


– NAC




– Captive portal


Multiple applications deployment – old approach


Multiple applications deployment – new policy


Security Monitoring with the new policy


Next evolution?


Next evolution?

• Fabric path interception

• Packets are routed and

switched only on the main

switching/routing instance

• There is no switching or routing

happening on the access switch


Next evolution?








Next evolution?







• Capacity can scale to 768 x 10

Gb/sec ports

• However, real throughput

depends on the fabric

connectors (generally 40

Gb/sec)


Next evolution?








Gb/sec ports




Gb/sec)


Next evolution?








Gb/sec ports




Gb/sec)

• Could we do that?


Next evolution?


Next evolution?

• Interchangeable 1+10 Gb/sec ports


Next evolution?


• 10 Gb/sec iBypass HD


Next evolution?



• Chassis-based bypass/load balancer


Next evolution?




• Programmable bypass or TAP


Next evolution?





• Higher ports density xBalancer


Next evolution?






• Real application detection on the xBalancer/Director Pro


Next evolution?







• “Passive checks” for tool failures


Next evolution?








• Correlation of sources/destinations/NAC tokens with real users (AD

accounts)


Next evolution?









accounts)

• Real distributed management common for bypasses, TAPs, etc.


Next evolution?









accounts)

• Real distributed management common for bypasses, TAPs, etc.

• APIs and connections with SIEM tools


Thank you

architecting security across global networks

Documents