From Enterprise Perimeter to Distributed, Virtual ... · A/S PKI Enterprise Access to Mail...

From Enterprise Perimeter to Distributed, Virtual Enterprise Security

Ed Amoroso

SVP, CSO – AT&T

eamoroso@att.com

Sandbags Piled in Front of AT&T Building – 12/15/41

Enterprise Perimeter

Untrusted External

“Inside the Firewall”

“Outside the Firewall”

Original Perimeter Objective (Circa 1995)

Web (External)

Untrusted External

Enabling Browser Access to Enterprise Website

Web (External)

Untrusted External

Rule Added to Firewall to Allow Inbound Access

to TCP/Port 80 (http)

Packets from Browsers “Anywhere” Enter the

Perimeter

“Off the Shelf” Web Software and Tools with Potentially Exploitable Vulnerabilities

Proxy A/V

IPS DLP

UTM Firewall Router

Enterprise Access to

Web Server

Admin Access to

Web Server RBAC 2FA Log

“Allowed” A/S

PKI Scan

Perimeter Design

Web (External)

Enabling External VPN Access to Enterprise

Web (External)

Designed for VPN/RA

Client

Proxy A/V

IPS DLP

UTM Firewall Router

Web Server

Admin Access to

Web Server RBAC 2FA Log

“Allowed” A/S

PKI Scan

Proxy A/V

IPS DLP

PKI Scan

FW Admin

Access to VPN Server

RBAC 2FA Log

Firewall Router

VPN Server “Allowed”

Integrate into Common Physical

Perimeter

Perimeter Design

Web (External)

Third Party Gateway

Adding Third Party Gateway Access to Enterprise

Web (External)

VPN Designed

for Third Party Care, Contact, Support, etc.

Proxy A/V

IPS DLP

UTM Admin Access to

Third Party Gateways

PKI Scan

Proxy A/V

IPS DLP

PKI Scan

Proxy A/V

IPS DLP

PKI Scan

Typically Source IP-Based Authentication

Third Party Gateways

“Allowed”

Web (External)

Third Party Gateway

Integrate into Common Physical Perimeter

Perimeter

Perimeter Design

Enterprise Assets

Web (External)

Third Party Gateway

Enterprise Assets

Web (External)

Third Party Gateway

Adding Inbound Email to Enterprise

Proxy A/V

IPS DLP

PKI Scan

Proxy A/V

IPS DLP

PKI Scan

Perimeter

Proxy A/V

IPS DLP

PKI Scan

“Allowed”

Proxy A/V

IPS DLP

PKI Scan

Perimeter

Allow Exchange with any Sender or

Receiver

Integrate into Common Physical Perimeter

Web (External)

Third Party Gateway

Perimeter Design

Enterprise Assets

Web (External)

Third Party Gateway

Enterprise Assets Additional

Firewall Rule Exceptions

Additional Firewall Rule

Exceptions

Web (External)

Third Party Gateway

“Hundreds” to “Millions” of Rules (1995 – 2015)

Enterprise Assets

Web (External)

Third Party

Expanded Third Party Gateways

Exceptions

Additional Third Parties, Retail Dealers, Outsourcing,

Offshoring

Enterprise Assets

Additional Remote Access, Employee Telework,

Road Warriors

Web (External)

VPN Third Party

Expanded Employee Remote Access

Exceptions

Offshoring

Enterprise Assets

Unauthorized Network Connections

(Internet Exposing)

Network Misconfigurations (Internet Exposing)

Web (External)

VPN Third Party

Network Vulnerabilities

Exceptions

Road Warriors

Offshoring

Enterprise Assets

Enterprise Use of Mobility

Web (External)

VPN Third Party

Employee Use of Mobile

Exceptions

Road Warriors

Offshoring

(Internet Exposing)

Enterprise Assets

Web (External)

VPN Third Party

Typical State of the Practice Enterprise Design

Exceptions

(Internet Exposing)

Enterprise Use of Mobility

Road Warriors

Offshoring

Outside

Enterprise Perimeter Reality (Circa 2015)

North/South Exploit (Perimeter)

East/West Exploit (Enterprise)

Successfully attack this . . . and gain access to this . . .

Phishing Attack Data Exfiltration

Nation State Exfiltration Attacks

Inbound Filtering

Outbound Filtering

Many Solutions Exist to Reduce Risk

Inbound

Many Solutions Exist to Reduce Risk

Outbound

No Good Solutions Exist to Reduce Traversal Risk

Baseline Perimeter

Enabling Browser Access to Web Server

Virtual Micro Perimeter

Micro-Perimeter Design (Web Server)

Step 1: Provision Web Server into Integrated Cloud

Proxy A/V

IPS DLP

PKI Scan

Step 2: Provision Virtual Micro-Perimeter into Run Time System

Micro-Perimeter Provisioning to Cloud

Tenant

Security Orchestration

Hypervisor

FW Proxy A/S FW Web

Virtual Appliances

East-West Protection for Web

Virtual Perimeter

Sampling of Vendors with

Virtual Appliances

Security C&C

Adding Security Command & Control – Virtual

Step 1: Provision Security Cmd/Ctrl into Virtual Data Center

Step 2: Provision Virtual Micro-Perimeter into Run Time System

Proxy A/V

IPS DLP

PKI Scan

Proxy A/V

IPS DLP

PKI Scan

Integrate into Common Virtual

Perimeter

Security C&C

Micro-Perimeter Provisioning to Cloud

Tenant

Hypervisor

Web Server

Tenant

Security Alerting Security Reporting Risk Compliance

Virtual Appliances

Security APIs

Tenant

Hypervisor

Virtual Appliances

FW Proxy A/S FW

Security APIs

East-West Protection for Web and C&C

Enterprise Assets

Gateway

Adding Gateway – Virtual

Tenant

Hypervisor

Web Server

Tenant

Security Alerting Security Reporting Risk Compliance

Virtual Appliances

Security APIs

Tenant

Hypervisor

Virtual Appliances

FW Proxy A/S FW

Security APIs

Tenant

Hypervisor

Gate way

Virtual Appliances

FW Proxy A/S FW

East-West Protection for Web, C&C, and

Gateway

Enterprise Assets

Gateway

Successfully attack this . . . and gain NO access to this . . .

East-West Traversal Mitigated by Virtual Perimeter

Enterprise Assets

Gateway

Legacy Assets

Legacy Assets Dependent on Existing Perimeter

Gateway

Legacy

(Legacy Assets)

Legacy Assets Dependent on Existing Perimeter

Gateway

Legacy

Enterprise Perimeter Has Less to Defend

Gateway

Legacy

Gateway

Legacy

Web Back-End

Gateway

Legacy

Web Back-End

SOC (Primary)

SOC (Backup)

Gateway

Legacy

Web Back-End

SOC (Primary)

SOC (Backup)

Gateway

Legacy

Web Back-End

SOC (Primary)

SOC (Backup)

Gateway

Legacy Web

Back-End

SOC (Primary)

SOC (Backup)

Gateway Legacy

Web Back-End

SOC (Primary)

SOC (Backup)

Gateway Legacy

Web Back-End

SOC (Primary)

SOC (Backup)

Ring (Gateway)

Ring (Legacy)

Ring (Back-End)

Ring (Web Server)

SOC (Primary)

SOC (Backup)

SOC (Primary)

SOC (Backup)

Security Command and Control (C&C)

Micro-Domain Rings

Robust, Secure Communication

with Multiple C&C

Micro-Domain Rings

Security Software Drop Locations

Botnet Command and Control (C&C)

with Multiple C&C

Botnet Software Drop Locations

ZeroAccess Botnet (Click Fraud)

Massive Industry Botnet Takedown Effort

Resilient!!

Resilience of Botnets

Micro-Domain Rings

with Multiple C&C

Security Software Drop Locations

Micro-Domain Rings

Distributed, Virtual Enterprise Perimeter Design

From Enterprise Perimeter to Distributed, Virtual ... · A/S PKI Enterprise Access to Mail...

Documents

Reflection PKI Services Manager User Guide - …docs.attachmate.com/reflection/pki/1.3sp1/pki-manager-user-guide.pdfTest Certificate Dialog Box ... 8 Reflection PKI Services Manager

PrimeKey Enterprise Java Bean Certificate Authority (EJBCA) · fromJBossandunzipthedownloadedﬁletoadirectoryofyourchoice.Thepath/opt/pki/isourinstal- ... Using this you can place

1 © Cooley Godward 2001 PKI A SSESSMENT The process of evaluating, verifying, and certifying your PKI Presented by: Randy V. Sabett Vanguard Enterprise

PKI history 4 PKI – Public Key Infrastructure

Queensland Government Enterprise Architecture PKI Framework …pki.health.qld.gov.au/documents/T3C65_CPSv1.0.pdf · 2011. 2. 11. · Queensland Government Information Security Framework

EJBCA Enterprise PKI by PrimeKey

Digital Certificates Support from z/OS PKI Services and ... · GSE Enterprise Systems Security Working Group December 13th 2013 Wai Choi, CISSP IBM Corporation RACF/PKI Development

X.509 Certificate Policy For The U.S. Federal PKI … is the policy framework governing the public key infrastructure (PKI) component of the Federal Enterprise Architecture

Consumerization Security for the Changing Enterprise...changing enterprise environment. With hardware-enhanced security in place, you can gain layered protection for every perimeter

CS 5410 - Computer and Network Security: PKI · Southeastern Security for Enterprise and Infrastructure (SENSEI) Center CS 5410 - Computer and Network Security: PKI Professor Kevin

PKI Interoperability

PKI Setting

PKI Robin Burke ECT 582. Outline Discussion Review The need for PKI PKI hierarchical PKI networked PKI bridging Certificate policies rationale examples

Public Key Infrastructure (PKI) Trust Serviceshecker.org/mozilla/slalom-pki-fact-sheet.pdfyour PKI will be ready for global acceptance Public Key Infrastructure (PKI) Trust Services

Middleware Security - Nikhefdavidg/presentations/Middleware... · 2009-04-19 · > passwords, enterprise PKI, Kerberos > PKI with trusted third parties > Federated access > Controlled

Enterprise API Security Choices - Black Hat · Enterprise API Security Layers Enterprise DataDatacenter Enterprise Applications Perimeter Defense Trust and Control Assurance and Compliance

VoIP Administration Guide R76 - Check Point Software · Enterprise Deployment 1: Perimeter VoIP Gateway..... 7 Enterprise Deployment 2: LAN Segmentation ... Enabling Dynamic Opening

DoD Public Key Infrastructure (PKI) Partner PKI ...jitc.fhu.disa.mil/projects/pki/documents/DoD_PKI_Interoperability... · UNCLASSIFIED DoD Public Key Infrastructure (PKI) Partner

Cisco IOS PKI Overview Understanding and Planning a PKI · Cisco IOS PKI Overview Understanding and Planning a PKI CiscoIOSpublickeyinfrastructure(PKI)providescertificatemanagementtosupportsecurityprotocols

Identity as the New Perimeter - TechVision Research...enterprise security, risk mitigation, and has the potential of better positioning the ... is the new perimeter and that concept