
The Crumbling Perimeter

The Crumbling Perimeter. Modern Problems Securing Your Network Douglas Orr Vice President of Engineering. Company Background. Arbor Networks provides Network Integrity Systems that protect organizations from zero-day security threats and operational vulnerabilities.


Presentation Transcript


  1. The Crumbling Perimeter Modern Problems Securing Your Network Douglas Orr Vice President of Engineering

  2. Company Background Arbor Networks provides Network Integrity Systems that protect organizations from zero-day security threats and operational vulnerabilities. Fully funded. $33 million from investors including: Based on 5 years of academic research at the University of Michigan funded by Cisco, Intel and DARPA. Recognized as the leading supplier of Worm, DDoS and routing attack solutions in North America, Europe and Asia. Rich development partnership with Michnet, CAEN, UMHS, MAIS

  3. Perimeter Security … Internal Security

  4. Perimeter vs. Internal • Perimeter: • Well known egress/ingress to/from outside world • Home of firewall/IDS • Gateway to DMZ • Inner Network: • What we think of as: Inner Sanctum • What therapists call a “safe place” • Home of: • Unrestricted file shares • Unexpected mssql servers • Unsanctioned p2p servers

  5. Internal Security Issues: Crumbling Perimeter • Wireless access points • Contractors • VPN connections • Internal threats • Worms/viruses • (careful what you track in on your boots…) • Mergers, Acquisitions

  6. A Word about Worms • Worm hosts within the first week: • Witty, March 2004: about 12,000 hosts • Sasser, May 2004: about 200,000 hosts • SQLSlammer, January 2003: about 75,000 hosts • Blaster, August 2003: about 300,000 hosts • Nimda, September 2001: about 600,000 hosts • Code Red, July 2001: about 500,000 hosts • Sources: Arbor, CAIDA, CERT, Symantec

  7. Another reason to care: liability So, let’s not forget the regulators…

  8. Security-related Regulations • Sarbanes-Oxley • Gramm-Leach-Bliley • Health Insurance Portability Accountability Act • And, this is probably just the beginning…

  9. Regulatory Environment: SOX • Focused on financials, auditors • Mgmt responsible for confidentiality and integrity of financial info • Security focus: • Authorization • Accessibility • Auditing • Tools: • 2 factor passwords • Logging/audit trails

  10. Regulatory Environment: GLBA • Gramm-Leach-Bliley • Privacy of financial information • For: financial institutions, banks, … • Not allowed to disclose without written consent • Establish standard for safeguarding customer info • Requires written security policy • Apple pie: (training, design network w/security in mind, detect/prevent attacks)

  11. Regulatory Environment: HIPAA • HIPAA: Health Insurance Portability Accountability Act • Privacy/security of medical information • Primarily insurance-related • Providers, plans, data warehouses

  12. Regulatory Environment: HIPAA… • Generally: • Identity kept separate from medical records • Requires risk assessment and security measures to mitigate risks identified • All focused on Protected Health Information (PHI or ePHI) • All related to Confidentiality, Integrity and Availability (CIA)

  13. Regulatory Environment: HIPAA… Required and Addressable items… • Examples: • Unique user authentication • Auto logout • Encryption • Audit • Integrity checking • Strong Auth • Transmission security • Malicious code • Identify and protect against incidents…

  14. The Challenge Securing the inside of your network is just as important as securing the perimeter. It is also a lot harder…

  15. TOOLS

  16. The (Partial) Palette • Perimeter • Firewall • DMZ • Internal • Anomaly Detection • IPS • Application-level Authentication • Patch Management • AV • Host IDS • Network Segmentation • Both • Network IDS • Vulnerability assessment • Security Information Management

  17. Briefly: the perimeter • Firewall • Provides enforcement for policy of what gets in and what gets out • DMZ • Reduces risk for resources that are shared between “inside” and “outside” • Network IDS • Alerts to known bad behaviors

  18. Perimeter Issues • Need a good policy, including “default deny” • Port 80, encryption reduce granularity, visibility • Applications are more valuable if universally accessible • Nobody likes limitations…

  19. Internal Security

  20. The Internal Security Environment

  21. The Analysts • “Securing Internal Networks: The Final Frontier” • “The proliferation of alternate paths into the organization, application layer attacks and devastating worms, are all hammering home the conclusion that perimeter defenses must be complemented by a full range of internal security measures. Addressing this need will inevitably require implementing a combination of different types of security controls, though we expect products that are better tuned to the unique challenges of internal security will begin to emerge in 2004.” • Internal Security is a Critical Business Problem • Safe Quarantine • Worms: A Service Level Threat

  22. IDS

  23. IDS • Generally, signature based watching for network or host misuse • Host-based IDS new variant • Issues: • Chatty, false positives • Fragile • Monotonically increasing signature db • Examples: • Okena (host), snort, realsecure, etc.

  24. IPS

  25. Intrusion Prevention Systems • Aim to make IDS-style signature information actionable • Stop intrusions, misuse, abuse, rather than just reporting on them • Issues: • Bump-in-the-line • Share signature weaknesses with IDS • More serious consequences for false positives

  26. Intrusion Prevention Systems • Latest thing • Some products are recycled DoS prevention, IDS, web firewall tech, etc. • Claims range from viruses, intrusion signatures to SPAM, IIS attacks • Very cool if it works… • Examples • ISS proventia, Symantec Manhunt, Toplayer • Entercept, Sanctum

  27. Network Segmentation

  28. Network Segmentation • Internal firewalls or switch acls • Only permit explicitly sanctioned traffic between “zones” • Limits exposure for hacking or internal threat • Issues: • Big time • Requires detailed application knowledge • Requires hardware • Requires policy

  29. Anomaly Detection

  30. Anomaly Detection • Model “what is normal” • Alert or act on “abnormal” events • Host/Network • Update of and largely complementary to IDS • Optional enforcement tie-ins • Relational/Statistical AD

  31. Relational Modeling • Auto Learns Host Behaviors • Who talks to Who • Who talks to Who – HOW • Across Your Entire Network • [Diagram labels: Enterprise Network, Site 1, Data Center, Extranet, Site 2]

  32. Anomaly Detection • Issues: • Hard • Scaling (detail, speed) • Some network traffic patterns are difficult to interpret • “what is normal” changes periodically and over time • If there is enforcement, has false positive penalty, like IPS

  33. Anomaly Detection • Examples • Peakflow/X, Mazu, Lancope, Q1

  34. Case Study -- HIPAA • Watch critical servers for anomalies • https only permitted protocol -- ensures encryption • https only to known destinations -- transportational integrity • https only in known bw patterns -- also transportational integrity • Alert on violation; provide audit trail for investigation/prosecution
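The three checks in the HIPAA case study, run over flow records, as an added example that is not part of the original presentation. The server address, destination list, baseline figures and flow records are all constructed, and HTTPS is approximated as tcp/443 rather than verified by inspecting the session.

```python
from statistics import mean, stdev

# Constructed baseline: byte counts previously seen per flow from the server.
BASELINE_BYTES = [48_000, 52_000, 50_500, 49_000, 51_500, 47_500]

POLICY = {
    "server": "10.1.5.20",                   # hypothetical critical server
    "allowed_service": ("tcp", 443),         # assumption: HTTPS == tcp/443
    "known_destinations": {"10.1.9.10", "10.1.9.11"},
    "sigma": 3.0,                            # tolerated deviation from baseline
}

# Constructed flow records: (timestamp, src, dst, proto, dst_port, bytes)
FLOWS = [
    ("2004-06-01T10:00", "10.1.5.20", "10.1.9.10", "tcp", 443, 50_200),
    ("2004-06-01T11:00", "10.1.5.20", "10.1.9.11", "tcp", 1433, 4_100),
    ("2004-06-01T12:00", "10.1.5.20", "192.0.2.77", "tcp", 443, 49_800),
    ("2004-06-01T13:00", "10.1.5.20", "10.1.9.10", "tcp", 443, 910_000),
    ("2004-06-01T13:05", "10.1.7.3", "10.1.9.10", "tcp", 80, 1_000),
]

def check_flows(flows, policy, baseline):
    """Return an audit trail: one entry per flow that violates the policy."""
    # Upper bound only; a fuller model would also track time-of-day patterns.
    limit = mean(baseline) + policy["sigma"] * stdev(baseline)
    audit = []
    for ts, src, dst, proto, port, nbytes in flows:
        if src != policy["server"]:
            continue  # only the watched server is in scope
        reasons = []
        if (proto, port) != policy["allowed_service"]:
            reasons.append("protocol")
        if dst not in policy["known_destinations"]:
            reasons.append("destination")
        if nbytes > limit:
            reasons.append("bandwidth")
        if reasons:
            audit.append({"time": ts, "dst": dst, "port": port,
                          "bytes": nbytes, "violations": reasons})
    return audit

if __name__ == "__main__":
    for entry in check_flows(FLOWS, POLICY, BASELINE_BYTES):
        print(entry)
```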

  35. Case Study -- Network Segmentation • Observe all behaviors • (Analyze, experience shock, repeat…) • Group by known topologies • Generate ACLs to correspond to known, sanctioned applications • Default deny • Apply to segmentation routers
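The segmentation procedure above carried through on a small scale, as an added example that is not part of the original presentation. Zone names, subnets, the sanctioned-application list and the observed flows are constructed, and the rule text is a generic illustration, not any vendor's ACL syntax.

```python
import ipaddress

# Hypothetical zones standing in for the "known topologies".
ZONES = {
    "clients": ipaddress.ip_network("10.1.0.0/24"),
    "web": ipaddress.ip_network("10.2.0.0/24"),
    "db": ipaddress.ip_network("10.3.0.0/24"),
}
# Sanctioned applications as (source zone, destination zone, proto, port).
SANCTIONED = {
    ("clients", "web", "tcp", 443),
    ("web", "db", "tcp", 1433),
}
# Constructed observations: (src, dst, proto, dst_port)
OBSERVED = [
    ("10.1.0.15", "10.2.0.5", "tcp", 443),
    ("10.1.0.22", "10.2.0.5", "tcp", 443),
    ("10.2.0.5", "10.3.0.9", "tcp", 1433),
    ("10.1.0.15", "10.3.0.9", "tcp", 1433),   # client straight to database
    ("10.1.0.15", "10.1.0.22", "tcp", 6346),  # unsanctioned p2p
]

def zone_of(addr):
    """Map a host address to its zone name, or None if it is in no zone."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), None)

def build_acl(observed):
    """Collapse host-level observations into zone-level permits, then deny."""
    permits, review = set(), []
    for src, dst, proto, port in observed:
        key = (zone_of(src), zone_of(dst), proto, port)
        if key in SANCTIONED:
            permits.add(key)       # sanctioned and actually in use
        else:
            review.append((src, dst, proto, port))  # the "shock" list
    rules = [f"permit {proto} {ZONES[s]} {ZONES[d]} eq {port}"
             for s, d, proto, port in sorted(permits)]
    rules.append("deny ip any any")  # default deny closes the list
    return rules, review

if __name__ == "__main__":
    rules, review = build_acl(OBSERVED)
    print("\n".join(rules))
    print("needs review:", review)
```

Flows that land in the review list are either blocked by the final deny or need a policy decision before the rules go onto the segmentation routers.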

  36. PKI, Strong Authentication

  37. PKI, Strong Authentication • Decrease risk of false authentication • Can be application-level authentication • Decreases risks of damage after break-in • Decreases risks of internal threats • Issues: • PITA… ideally requires application awareness

  38. SIM

  39. Security Integration Manager • Combines and correlates security events • Helps rationalize multiple security outputs (e.g., IDS+FW logs+scanners…) • Correlations can be more reliable than individual signals • Issues: • Big time • Examples • Netforensics, Intellitactics, etc.

  40. AntiVirus

  41. AntiVirus • Well understood and important… what can I say? • Issues: • Polymorphic viruses may kick our ass • The more popular the system, the bigger the problem • Why *did* you click on that attachment? • Wasn’t your spouse *listening* to you???

  42. Misc.

  43. Internal Security Miscellanea • All good security practices also apply • Policy, policy, policy • Default deny • Audit trails • Backup, catastrophe plans • Vulnerability assessment • Patch management

  44. General Notes

  45. General • Treat internal hosts as though exposed to internet • Internal security requires significant insight to network operations • Network operations and security are Gemini twins of system operations
