information security overview of technologies & solutions
TRANSCRIPT
Information Security
Introduction
The Enterprise Network
Defense in Depth
What to protect against?
Technologies & Solutions
Perimeter Technologies
Internal Technologies
Consulting
Audit, Implementation & Support
Introduction
The security of your network is evaluated daily, the question is…
“Are you the one doing it?”
Introduction
Good Information Security provides:
Data confidentiality: ensure that no data is disclosed, intentionally or unintentionally
Data integrity: ensure that data is not modified by unauthorized personnel, that no unauthorized changes are made by authorized personnel, and that data remains consistent, both internally and externally
Data availability: provide reliable and timely access to data and resources
The Enterprise Network
[Diagram: Branch Office, Corporate HQ, SOHO and a Telecommuter connected over the Public Internet through ISP routers; at each site a Secure Gateway/Firewall performs security enforcement between the LAN, DMZ Services, Internal Servers, Wireless Access, Corporate Data and IP Communication.]
Defense in Depth
How? Secure the perimeter, secure the internal network, and account for the human factor.
Using a layered approach increases an attacker’s risk of detection and reduces an attacker’s chance of success.
Defense in Depth
Layer: example controls
Policies, Procedures, & Awareness: user education against social engineering
Physical Security: guards, locks, tracking devices
Perimeter: firewalls, VPN quarantine, …
Internal Network: network segments, IPSec, NIDS
Host: OS hardening, update management, authentication
Application: application hardening, antivirus
Data: ACL, encryption
Network Security
Network Security – focus on perimeter and Internal Network solutions
Perimeter: Firewalls, VPN, NIDS, Anti-Spam, …
Internal Network: Network segments (VLANs), IPSec, NIDS, Network Access Protection, …
Why do we need Network Security?
First look at what you need to protect:
Data (company resources)
Services (applications or their individually accessible parts, and the people using them)
Protect against what?
Malware (viruses, spyware, …)
Spam (“steals” resources and productivity)
Hackers (network penetration, defacements, DoS attacks, …)
Internal users (unauthorized access, …)
…
Common Threat Classification
Network: threats against the network, e.g. spoofed packets, etc.
Host: threats against the host, e.g. buffer overflows, illicit paths, etc.
Application: threats against the application, e.g. SQL injection, XSS, input tampering, etc.
Examples of Network Threats
Threat: Examples
Information gathering: port scanning; using trace routing to detect network topologies; using broadcast requests to enumerate subnet hosts
Eavesdropping: using packet sniffers to steal passwords
Denial of service (DoS): SYN floods; ICMP echo request floods; malformed packets
Spoofing: packets with spoofed source addresses
Typical Pattern of an Attack
Enter the network through SQL Injection etc.
Install or use port proxy software to open inbound connections
Remotely control the host to mount further attacks from inside until a domain controller is accessible
Gain control of the desired resources
Erase traces of the attack and remove installed software
Perimeter Technologies
Firewall (Packet Filter, Stateful, Proxy)
Intrusion Detection System (IDS, IPS)
Virtual Private Network (IPsec, SSL)
Anti-Spam (Mail relay, AV)
Anti-Spyware (URL filtering, AV)
Anti-Virus
Firewall – Static Packet Filter
Every router is a static packet filter (including your ISP router)
First incoming and last outgoing layer of your network security
Faster at screening traffic than stateful or proxy firewalls
But it has no knowledge of “state”, and is thus less secure than most common firewalls
Firewall – Stateful
Most common type of firewall today
Keeps track of “state” and blocks traffic that is not in its table of established connections
Slower at screening traffic than packet filter, but more secure
Firewall - Proxy
Most advanced, least common type of Firewall (is also a stateful firewall)
Higher degree of security because internal and external hosts never communicate directly
Examines the entire packet to ensure compliance with the protocol that is indicated by the destination port number
Firewall – Basic theory of operation
[Diagram: External Network (Internet), Intermediate Network (DMZ) and Internal Network (LAN) separated by the firewall; arrows marked “Connection allowed” and “Connection refused”.]
A firewall divides your internal network from an external network (usually the Internet).
If the incoming connection is an “answer” to an outgoing connection, the connection is allowed; if not, the connection is dropped. (Stateful)
Most firewalls have DMZ functionality, allowing you to further divide your network in order to supply some “Internet-facing services” to your users.
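The stateful rule above (allow an inbound packet only when it is the answer to a connection the inside opened) plus a DMZ that exposes one Internet-facing service, written out as an added illustration that is not part of the original slides. The zone addressing, the initiation rules and the sample packets are constructed for the example.

```python
# Added example: a minimal stateful packet filter with LAN, DMZ and Internet zones.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set, Tuple

ZONES = {                                       # constructed addressing for the example
    "lan": ip_network("10.0.0.0/24"),
    "dmz": ip_network("192.0.2.0/24"),
}                                               # anything else counts as "internet"

# Which zone may *initiate* a connection to which zone, optionally limited to a port.
INITIATE_RULES: Set[Tuple[str, str, Optional[int]]] = {
    ("lan", "internet", None),                  # LAN may open any outbound connection
    ("lan", "dmz", None),
    ("internet", "dmz", 80),                    # only the DMZ web service is reachable from outside
}

def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

class StatefulFirewall:
    def __init__(self) -> None:
        self.table = set()                      # established connections as 5-tuples

    def filter(self, pkt: Packet) -> str:
        """Return 'allow' or 'drop' and update the connection table."""
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return "allow"                      # an "answer" to, or continuation of, a known connection
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        for from_zone, to_zone, port in INITIATE_RULES:
            if (from_zone, to_zone) == (src_zone, dst_zone) and port in (None, pkt.dport):
                self.table.add(fwd)             # remember it so the reply is recognised later
                return "allow"
        return "drop"                           # unsolicited inbound or disallowed zone crossing
```

Note that the DMZ host cannot initiate a connection into the LAN: if it is compromised, the zone rules still confine it.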
Firewalls – Juniper
Integrated Firewall/IPSec VPN: NetScreen 500/200/50/25/XT/GT/HSC
Solution includes:
Stateful Inspection (perimeter defense)
Deep Inspection (application-level protection)
Built-in Antivirus (protects remote locations)
Web filtering (prevents inappropriate web usage)
Secure Remote Access (IPsec VPN – Secure Client)
Firewalls – Check Point
FireWall-1
Solution includes:
Comprehensive application protection
Industry-leading management
High performance
Other Technologies
So if we buy a firewall we are safe?!
Why not? Weaknesses in the TCP/IP suite:
IP address spoofing
Covert channels
IP fragment attacks
TCP flags
SYN flood
Connection hijacking
…
Intrusion Detection System
Gateway Intrusion Detection System
A network intrusion detection system which acts as a network gateway
Designed to stop malicious traffic and generate alerts on suspicious traffic
An “ideal” gateway IDS is able to stop all known exploits
GIDS vs NIDS (Placement)
GIDS: acts as network gateway; stops suspect packets; prevents successful intrusions; false positives are VERY bad
NIDS: only observes network traffic; logs suspect packets and generates alerts; cannot stop an intruder; false positives are not as big of an issue
IDS – Basic theory of operation
[Diagram: IDS sensors placed between the Internet and the firewall, in the DMZ, and on the LAN.]
Much like a bridging firewall, an IDS makes forward/drop decisions:
This packet is always good, so pass it into my network.
This packet is always bad, so drop it and tell me about it.
This packet is sometimes bad, so tell me about it, but don't drop it.
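The three decisions above, and the GIDS-versus-NIDS placement difference from the previous slide, as an added illustration that is not from the original deck: the same rule set is evaluated by an inline gateway sensor and by a passive sensor, and only the inline one can turn an "always bad" verdict into a drop. The rule set, packet fields and sample packets are constructed for the example.

```python
# Added example: a toy IDS rule engine with pass / drop / alert verdicts.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Packet:
    src: str
    dport: int
    payload: bytes = b""

@dataclass
class Rule:
    name: str
    action: str                       # "pass": always good, "drop": always bad, "alert": sometimes bad
    dport: Optional[int] = None
    pattern: Optional[bytes] = None

    def matches(self, pkt: Packet) -> bool:
        port_ok = self.dport is None or self.dport == pkt.dport
        payload_ok = self.pattern is None or self.pattern in pkt.payload
        return port_ok and payload_ok

# Constructed rule set; evaluated in order, first match wins.
RULES = [
    Rule("trusted-dns", "pass", dport=53),
    Rule("known-exploit-signature", "drop", dport=80, pattern=b"EXPLOIT-SIG"),
    Rule("suspicious-admin-path", "alert", dport=80, pattern=b"/admin"),
]

@dataclass
class IDS:
    mode: str                                   # "gateway" (inline GIDS) or "passive" (NIDS on a tap/span port)
    alerts: List[Tuple[str, str]] = field(default_factory=list)

    def decide(self, pkt: Packet) -> str:
        """Return 'forward' or 'drop' for one packet; alerts are recorded as a side effect."""
        for rule in RULES:
            if not rule.matches(pkt):
                continue
            if rule.action == "pass":
                return "forward"
            self.alerts.append((rule.name, pkt.src))
            if rule.action == "drop" and self.mode == "gateway":
                return "drop"                   # inline: the packet never reaches the LAN
            return "forward"                    # passive sensor cannot stop it; "alert" rules only report
        return "forward"                        # no rule matched
```

Because a gateway sensor drops on a "drop" match, a false positive there breaks legitimate traffic, which is why the slide rates false positives as "VERY bad" for a GIDS and merely noisy for a NIDS.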
IDS/IPS – Juniper
NetScreen-IDP 10/100/500/1000
Solution includes:
Eight different detection methods are used to protect the network from network, application and hybrid attacks
Understands state to pinpoint exactly where an attack can be perpetrated and only looks there
Ability to define a response action in the rulebase for detected attacks
Sub-second Stateful-failover between Juniper Networks devices without losing sessions
Enables closed loop investigation, linking directly from the log to the rule that triggered it and the session's packet capture
IDS/IPS – Check Point
IntruShield
Solution includes:
Unprecedented flexibility of IDS deployment, including in-line, tap, and span modes to suit any network security architecture
Thorough analysis of traffic at multi-gigabit rates that builds and maintains traffic state information and performs comprehensive protocol analysis.
Intelligent detection of known, unknown, and DoS attacks using a combination of signature, anomaly and DoS detection techniques.
Proactive capability to stop in-progress attacks coupled with a rich set of alerting and response actions.
Powerful capability to set multiple, highly granular, custom intrusion policies within a single sensor.
VPN
A Virtual Private Network is a service that offers a secure, reliable connection over a shared public infrastructure such as the Internet.
Two main types: Remote Access, Site-to-site
Two main technologies: IPsec (and L2TP), SSL
VPN – Remote Access
Secure Remote Access for mobile users and/or home office.
Using a secure software client or hardware device for IPsec, or a web browser for SSL-based VPN
If you are able to connect to the Internet, you are able to connect to the corporate network
VPN – Site-to-Site
Valid replacement for leased lines and Frame Relay connections to connect different sites.
Using specialized VPN devices or VPN functionality built into a firewall
If both your sites have Internet connectivity, they can be connected using VPN
VPN – Basic theory of operation
[Diagram: a Site-to-Site VPN tunnel between two sites and a Remote Access VPN tunnel from a client, both carried over the Internet.]
A VPN tunnel is set up using a secure client or an SSL-capable web browser. All data sent through the tunnel is encrypted; the packets can still be captured, but if they are, their content is encrypted.
VPN - IPsec
Usually employs custom software at each of the endpoints – the device and the client
Normally utilizes OSI Layer 3 Protocols (AH – ESP)
Authentication Header provides two-way device authentication (implemented in hard- or software)
Encapsulation Security Payload protocol provides data encryption (3DES, AES)
VPN – SSL
Employs a web browser at the client side and a device at the corporate side
SSL is a network layer protocol
SSL uses certificates to prove the identities of both endpoints
All traffic is encrypted using a shared key and a negotiated encryption algorithm (3DES, AES)
VPN – Juniper IPsec VPN
Built into the firewall range of products
Solution includes:
Secure client enables adherence to security policy
SSL VPN
NetScreen-RA 500, NetScreen-SA 1000/3000/5000
Solution includes:
Secure access for remote/mobile employees, with no client software required
Secure LAN, intranet, and extranet access for employees, business partners, and customers
Hardware-based SSL acceleration
Hardware-based HTTP compression
Dynamic access privilege management, with three access methods
VPN – Check Point IPsec VPN
VPN-1, VPN-1 Edge, VPN-1 VSX
Solution includes:
Simple VPN deployment
Highest level of security
Easy-to-use centralized management
Unparalleled performance
High availability
SSL VPN – SSL Network Extender
Solution includes:
Network-level connectivity over SSL VPN
Support for all IP-based applications
Combined IPSec and SSL VPN solution
Integrated with Check Point VPN-1
Anti-Spam (Spam Firewall)
Acts as a mail relay server – accepts incoming mail, scans the content and forwards the mail to the back-end mail server.
Usually in combination with an antivirus scanning engine to deliver spam- and virus-free e-mail.
Prevents direct access to your e-mail server
Anti-Spam – Basic theory of operation
E-mail is delivered to the Spam Firewall
E-mail is checked against IP block lists, antivirus scanning is performed, user rules are applied, and spam fingerprint, intention analysis, Bayesian analysis and rule-based scoring checks are performed
Clean e-mail is relayed to the internal mail server
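Three of the stages listed above (IP block list, rule-based scoring, Bayesian analysis), reduced to a runnable pipeline as an added illustration that is not from the original deck or any vendor product. The block-list entry, the rules and their weights, the tiny token probability table, the threshold and the sample messages are all constructed for the example.

```python
# Added example: a simplified spam-firewall scoring pipeline.
import math
import re
from typing import Tuple

BLOCKED_RELAYS = {"203.0.113.45"}                     # constructed IP block list
RULES = [                                             # (regex over subject+body, score added on match)
    (re.compile(r"(?i)\bfree money\b"), 3.0),
    (re.compile(r"(?i)\bclick here\b"), 1.5),
    (re.compile(r"[A-Z]{6,}"), 1.0),                  # long runs of capitals ("SHOUTING")
]
# Constructed (P(token | spam), P(token | ham)) for a few tokens; unknown tokens are neutral.
TOKEN_PROBS = {
    "viagra": (0.9, 0.01),
    "winner": (0.8, 0.05),
    "invoice": (0.3, 0.6),
    "meeting": (0.05, 0.7),
}
SPAM_THRESHOLD = 4.0

def bayes_score(text: str) -> float:
    """Naive-Bayes log-likelihood ratio: positive is spam-like, negative ham-like, 0 neutral."""
    llr = 0.0
    for tok in set(re.findall(r"[a-z]+", text.lower())):
        if tok in TOKEN_PROBS:
            p_spam, p_ham = TOKEN_PROBS[tok]
            llr += math.log(p_spam / p_ham)
    return llr

def classify(relay_ip: str, subject: str, body: str) -> Tuple[str, float]:
    """Return ('reject' | 'spam' | 'clean', score) for one message."""
    if relay_ip in BLOCKED_RELAYS:
        return "reject", float("inf")                 # refused at connection time, never scanned
    text = subject + "\n" + body
    score = sum(points for rx, points in RULES if rx.search(text))
    score += bayes_score(text)
    verdict = "spam" if score >= SPAM_THRESHOLD else "clean"
    return verdict, score
```

Block-list rejection happens before any content is accepted, which is what lets the relay shed bulk spam cheaply; the scoring stages only run on mail that was actually received.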
Anti-Spam – Barracuda Anti-Spam Firewall
Anti-Spam Firewall 200/300/400/600/800 (Outbound Mode: 200/300/400/600/800)
Solution includes:
Spam Filter: content-based filtering, Bayesian algorithms, denial of service protection, anti-spoofing, anti-phishing
Virus Filter: dual-layer virus blocking, decompression of archives, file type blocking
Anti-Spam – Trend Micro
Spam Prevention Solution (SPS 2.0)
Solution includes:
Advanced filtering, analysis, and updating capabilities
Comprehensive reporting and auditing
Dynamic, flexible heuristic technology
Ease of administration and configuration
High performance and scalability
Seamless integration with antivirus and content security offerings
Anti-Spyware (Gateway)
Gateway device to stop spyware installations, block spyware sites and scan for spyware signatures
Some solutions can detect spyware on user desktops and target them for cleaning
Usually combined with Antivirus solutions
Anti-Spyware – Basic theory of operation
If a user requests access to a website, the device checks if the site is listed in the known spyware sites list; if not, the request is proxied. The content of the requested site is then scanned for spyware (and viruses). If the content is spyware- and virus-free it is delivered to the client; if not, it is dropped.
[Diagram: Internet – Firewall – Spyware & AV Proxies – LAN – Clients.]
Anti-Spyware – BlueCoat
Spyware Interceptor, ProxySG + ProxyAV
Solution includes:
Easy, affordable, and effective spyware prevention
Automatically updates spyware profiles, policies, and prevention techniques
Backed by world-leading experts in web proxy performance and security at Blue Coat Labs™
Anti-Spyware – Barracuda
Spyware Firewall 210/310/410
Solution includes:
Stops spyware downloads (including drive-by downloads)
Stops virus downloads
Blocks access to spyware websites
Detects spyware access to the Internet
Facilitates spyware removal
Website category blocking
Content inspection
Flexible policy enforcement
Antivirus (Gateway)
Provides Internet gateway protection against viruses (http, ftp, smtp traffic)
If combined with an internal antivirus solution from a different vendor, it provides dual-layer protection
Usually a combination of Anti-Spyware, Anti-Virus and Anti-Spam on the gateway
Anti-Virus (Gateway) – Basic theory of operation
[Diagram: Internet – Firewall – Spyware & AV Proxies – LAN – Clients.]
Requested web content is scanned with the antivirus engine on the proxy server; clean content is delivered to the clients.
Anti-Virus – Trend Micro
InterScan Web Security Suite
Solution includes:
Comprehensive web security
Leading virus protection
Anti-phishing
Anti-spyware
URL filtering module
Scalable and flexible
Centralized management and coordination
Anti-Virus - BlueCoat
ProxySG with Web Virus Scanning
Solution includes:
Visual Policy Manager
Policy processing engine
Custom splash pages
Content stripping
ProxyAV integration
ICAP server integration
Auto sense settings
Internal Technologies
LAN security using “perimeter” devices
Network Access Protection
Network segmentation (VLANs)
Strong Authentication
Malware protection
WLAN security
LAN Security using perimeter devices
Ingress and egress filtering on every router
Internal firewalls to segregate resources
Proxies to enhance performance and security
IDS sensors to function as “canaries in a coal mine” and monitor the internal network
Network Access Protection
Provides endpoint security for access to your LAN.
Makes sure every device complies with your corporate access policy before LAN access is allowed
Prevents “rogue” devices from accessing your network
Network Access Protection – Basic theory of operation
A client device requests access to the network (cable is plugged in)
A policy compliance check is performed by a device/server to see if the client has the necessary access rights (802.1X) and the required anti-virus and operating system updates
If the client complies with policy, access to the network is allowed
If the client does not comply, the client is placed in a quarantine network section and updated to comply with the corporate policy
Network Access Protection – Check Point
Total Access Protection
Solution includes:
VPN Remote Access Policy Enforcement
Web Remote Access Policy Enforcement
Internal Policy Enforcement with 802.1X-compatible Gateways
Rogue Access Prevention with 802.1x-compatible Gateways
Internal Policy Enforcement with InterSpect
Standalone Enforcement
Network Segmentation (VLANs)
Divide your physical network into several logical entities (Virtual LANs) to prevent unauthorized access to certain parts of your LAN
VLAN membership based on identity (802.1x)
Increases security and traceability in your local network
VLANs – Basic theory of operation
[Diagram: an 802.1X & VLAN capable switch dividing the LAN into VLAN 1, VLAN 2 and VLAN 3.]
A VLAN capable switch only divides your LAN into segments; access rules define who can access which other segment of your network. Membership of a VLAN can be based on the identity of the device that requests access (802.1x).
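The Network Access Protection flow (identity check, then anti-virus and OS update compliance, then allow or quarantine) combined with the identity-based VLAN assignment described above, as an added illustration that is not from the original deck or any vendor product. The credential directory standing in for 802.1X, the policy limits, the VLAN numbers and the sample health reports are constructed for the example.

```python
# Added example: endpoint admission with a quarantine VLAN and identity-driven VLAN assignment.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

QUARANTINE_VLAN = 99                                  # remediation-only segment (constructed)
USER_VLANS = {"finance": 10, "engineering": 20}       # constructed group -> VLAN map
CREDENTIALS = {"alice": ("finance", "pw-alice"), "bob": ("engineering", "pw-bob")}

@dataclass
class HealthReport:
    username: str
    password: str
    av_signature_date: str        # ISO date of the last antivirus signature update
    missing_critical_patches: int

@dataclass
class AccessPolicy:
    max_signature_age_days: int = 7
    max_missing_patches: int = 0

def authenticate(username: str, password: str) -> Optional[str]:
    """Identity check standing in for 802.1X; returns the user's group or None."""
    entry = CREDENTIALS.get(username)
    if entry is None or entry[1] != password:
        return None
    return entry[0]

def admit(report: HealthReport, policy: AccessPolicy, today: str) -> Tuple[str, Optional[int], List[str]]:
    """Return (decision, vlan, reasons): 'deny' keeps the port closed, 'quarantine' puts the
    client on the remediation VLAN, 'allow' assigns the VLAN of the user's group."""
    group = authenticate(report.username, report.password)
    if group is None:
        return "deny", None, ["identity not verified"]        # unknown or rogue device
    reasons = []
    age = (date.fromisoformat(today) - date.fromisoformat(report.av_signature_date)).days
    if age > policy.max_signature_age_days:
        reasons.append("stale antivirus signatures")
    if report.missing_critical_patches > policy.max_missing_patches:
        reasons.append("missing OS updates")
    if reasons:
        return "quarantine", QUARANTINE_VLAN, reasons         # update there, then re-check
    return "allow", USER_VLANS[group], []
```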
Network Segmentation – ProCurve
Identity driven management, Dynamic VLANs
Solution includes:
Access Control – based on users’ business needs.
Access Rights – not only based on the individuals and their group associations, but also day, time and location.
Policy Enforcement – on a per-user, per-session basis.
Strong Authentication
Traditional static passwords are insecure: if you can “guess” someone’s password, you have access.
Strong Authentication requires you to both have something (token, fingerprint, etc.) and know something (PIN code, password)
Information on Token is encrypted for added security
Can be used for computer logon, single-sign-on, secure remote access
WLAN security
Secure access to your corporate LAN
Defend against “rogue” Access Points
Identity based Wireless Access
Usage of strong encryption and key exchange protocols
WLAN Security
Pre-802.11i security (WPA) as a replacement for the insecure WEP model
Includes TKIP (Temporal Key Integrity Protocol) and 802.1x (identity) protocols