perimeter security and network segmentation
TRANSCRIPT
1
IN3210/4210 Network and Communications Security
Perimeter security and network segmentation
Nils NordbottenSeptember 2020
IN3210/4210 2
2
IN3210/4210
Background: Saltzer and Schroeder (1975) identified eight design principles for security mechanisms
● Economy of mechanism (minimalism)● Fail-safe defaults● Complete mediation● Open design (Kerckhoff 1883, Shannon 1948)
● Separation of privilege● Least privilege● Least common mechanism● Psychological acceptability (Kerckhoff 1883)
Much has changed since 1975, but the principles are generally still valid
3
IN3210/4210
Background: Defense in depth may provide stronger security than would be obtained by any of the security measures alone● True defense in depth requires that the security measures provide overlapping (i.e., redundant security) and
that the breach of one is independent from breaching the others- E.g., antivirus scanning and firewall both in gateway and on host machines, potentially using products
from different vendors? - The use of the same libraries, hardware, etc. may result in common vulnerabilities
● One way to look at it when designing a system is to assume that the other defensive layers (e.g., firewall) have been breached
4Also known as the Swiss cheese model
3
IN3210/4210 5
IN3210/4210
Internal network
Network segmentation
● Segment network using, e.g.:- Firewalls- Virtual Local Area Networks (VLANs)- Virtual Private Networks (VPN)- Software-/policy-defined approaches
● May use Private VLAN (port isolation) to prevent hosts from communicating with other hosts within the same Private VLAN
6
External network (e.g., Internet)
DMZ
4
IN3210/4210
The Zero Trust Model (J. Kindervag, “No more chewy centers: The zero trust model of information security,” Forrester Research, 2016)
Main concepts:
1. Ensure all resources are accessed securely regardless of location
2. Adopt a least privilege strategy and strictly enforce access control
3. Inspect and log all traffic
Zero trust: no trusted or untrusted interfaces, networks, users, network traffic, etc.
7
IN3210/4210
The zero trust network architecture (J. Kindervag, “Build security into your network’s DNA: the zero trust network architecture,” Forrester Research, 2010)
Segmentation gateway provides (micro-) segmentation● Firewall, crypto, activity monitoring, content
filtering, intrusion prevention system, access control
MCAP: Microcore and perimeterNAV: Networks analytics and visibilitySIM: Security information management
8
5
IN3210/4210
Firewalls are an important part of perimeter security
● All traffic from inside to outside, and vice versa, must pass through ● The security policy defines what traffic can pass● The firewall itself should be immune to compromise
9
External network (e.g., Internet)
Internal network
IN3210/4210
The requirements for a reference monitor identified in “the Anderson report” (1972) are also more generally applicable to other security mechanisms - in principle firewalls included
The reference validation mechanism:
1. must be tamper proof.
2. must always be invoked.
3. must be small enough to be subject to analysis and tests to assure that it is correct.
James P. Anderson, “Computer Security Technology Planning Study,” 1972
10
6
IN3210/4210
Firewalls - some advantages and limitations
Advantages:● May mitigate the consequences of configuration errors, user mistakes, etc.● Provides some protection against vulnerabilities being exploited before being patched/fixed● Provides protection against network enumeration (e.g., port scanning) etc.● Facilitates network monitoring and intrusion detection (by “reducing noise” on the internal
network)Limitations:● Provides limited protection against many threats (e.g., inside threats, malicious content,
phishing,…) ● Do not protect against attacks circumventing or bypassing the firewall filter (e.g., through external
WLAN, cellular network, SSH/VPN tunnel,….)● Widely used protocols such as HTTPS (on port 443) can be used to carry other traffic
11
IN3210/4210
Firewall policy default action
● Allow biased / default permit: all packets except those meeting specified criteria are allowed to pass (that which is not expressly prohibited is permitted)
● Deny biased / default deny: only packets meeting specified criteria are allowed to pass (that which is not expressly permitted is prohibited)
The latter is generally the more secure approach.
12
7
IN3210/4210
Packet filtering firewall
Filters packets based on information contained in the packet:● Source and destination IP address● Transport protocol● Source and destination port number● TCP flags (ACK, SYN?)● Network interface● …
Simple and fast13
PhysicalData LinkNetworkTransportApplication
IN3210/4210
Packet-filtering rules example – allowing incoming/outgoing SMTP traffic
14
Protocol Src address Src port Destaddress
Destport
Flags Action
TCP External >1023 Internal 25 Permit
TCP Internal 25 External >1023 ACK Permit
TCP Internal >1023 External 25 Permit
TCP External 25 Internal >1023 ACK Permit
Any Any Any Any Any Deny
The first matching
rule is applied
The internal src/dest address should typically be set to the address(es) of the internal SMTP server(s)
8
IN3210/4210
A stateless packet filter makes its decision based on the current packet only. With stateful packet inspection (SPI), decisions are based on the current packet and state
● Maintains state about established TCP/UDP connections (possibly also FTP etc.)
● More powerful than stateless inspection
15
IN3210/4210
Application-level gateway (application proxy)
16
Circuit-level gateway/proxy is similar but at the transport layer
PhysicalData LinkNetworkTransportApplication
PhysicalData LinkNetworkTransportApplication
Application proxy
9
IN3210/4210
Next Generation Firewall (NGFW)
A term used to describe products combining a traditional packet filter firewall with additional functionality such as:● Intrusion prevention and/or security monitoring● Malware protection / anti-virus● Application level firewall● Content filtering● …
Unified Threat Management (UTM) is another term used in a similar way
17
IN3210/4210
Network Address (Port) Translation
● Public address (and port) ↔ private address (and port)
● Conceals details of the internal network
● Restricts incoming traffic
18
10
IN3210/4210
Information flow control
● Diode – provides one-way information flow only- Network pump – similar to a diode but providing TCP acknowledgements in reverse direction
● Security filter – filtering of structured packets/data based on allowed field values
● Guard – may provide functionality similar to an application level gateway/proxy, but typically also makes use of security labels for release decisions- Security label: a set of metadata providing information on the security handling of a data object (e.g., a
documents classification). The security label, the data object to which it applies, and their association may be protected , e.g., by a digital signature.
19