12
NPS CISR HFN Brown Bag: Security f or Hastily Formed Network s 1 HFN Brown Bag Essential Security Practices for Hastily Formed Networks

NPS CISRHFN Brown Bag: Security for Hastily Formed Networks 1 HFN Brown Bag Essential Security Practices for Hastily Formed Networks

Embed Size (px)

Citation preview

Page 1: NPS CISRHFN Brown Bag: Security for Hastily Formed Networks 1 HFN Brown Bag Essential Security Practices for Hastily Formed Networks

NPS CISR HFN Brown Bag: Security for Hastily Formed Networks

1

HFN Brown Bag

Essential Security Practices for Hastily Formed Networks

Page 2: NPS CISRHFN Brown Bag: Security for Hastily Formed Networks 1 HFN Brown Bag Essential Security Practices for Hastily Formed Networks

NPS CISR HFN Brown Bag: Security for Hastily Formed Networks

2

Bill Murray is an executive consultant in the office of the CTO, Cybertrust Corporation, and an Associate Professorat the Naval Postgraduate School. He is Certified Information Security Professional (CISSP) and serves as Secretary of (ISC)2, the certifying body, Bill is an advisor on the Board of Directors of the New York Metropolitan Chapter of ISSA.

He has more than fifty years experience in information technology and more than forty years in security. During more than twenty-five years with IBM his management responsibilities included development of access control programs, advising IBM customers on security, and the articulation of the IBM security product plan. He is the author of the IBM publication Information System Security Controls and Procedures.

Mr. Murray has made significant contributions to the literature and the practice of information security. He is a popular speaker on such topics as network security architecture, encryption, PKI, and Secure Electronic Commerce. He is a founding member of the International Committee to Establish the "Generally Accepted System Security Principles" (GSSP, now referred to as the GISSP) as called for in the National Research Council's Report: Computers at Risk.  Bill remains as an active member of this committee. He is a founder and board member of the Colloquium on Information System Security Education (CISSE).

He has been recognized as a founder of the systems audit field and by Information Security Magazine as a Pioneer in Computer Security. In 1987 he received the Fitzgerald Memorial Award for leadership in data security. In 1989 he received the Joseph J. Wasserman Award for contributions to security, audit and control. In 1995 he received a Lifetime Achievement Award from the Computer Security Institute. In 1999 he was enrolled in the ISSA Hall of Fame in recognition of his outstanding contribution to the information security community.

He holds a Bachelor Science Degree in Business Administration from Louisiana State University. He is a graduate of the Jesuit Preparatory High School of New Orleans.

William Hugh Murray

Page 3: NPS CISRHFN Brown Bag: Security for Hastily Formed Networks 1 HFN Brown Bag Essential Security Practices for Hastily Formed Networks

NPS CISR HFN Brown Bag: Security for Hastily Formed Networks

3

Abstract

This presentation discusses Essential Security Policies, Practices, Measures, and Methods for Hastily Formed Networks.  While "hastily formed" is not the equivalent of ad hoc, "hasty" does suggest that traditional formal development methods may not apply.  However, history suggests that the absence of any method is rarely hasty; that which is put together in haste and without method rarely performs at all, much less as intended.

This presentation will quickly revisit the concepts of security, network, "hastily formed," and "essential" to arrive at recommendations for meeting security requirements using:

 • Generic policies suitable for most network applications in hostile environments • Traditional and accepted strategies and tactics • Commercial-of-the-shelf products and components, and • Broadly applicable standards, guidelines, procedures, and controls

Page 4: NPS CISRHFN Brown Bag: Security for Hastily Formed Networks 1 HFN Brown Bag Essential Security Practices for Hastily Formed Networks

NPS CISR HFN Brown Bag: Security for Hastily Formed Networks

4

Essential Security Practices

• ~ 0.8 effective• Can be done by anyone• Using available resources• Synergistic in layered defenses or defense in

depth.• Sufficient to get one off the target of opportunity

list …..• ….and for emergency missions.• May not be sufficient for a hardened target

Page 5: NPS CISRHFN Brown Bag: Security for Hastily Formed Networks 1 HFN Brown Bag Essential Security Practices for Hastily Formed Networks

NPS CISR HFN Brown Bag: Security for Hastily Formed Networks

5

Examples of Essential Practices

• Wearing a helmet

• Digging a hole

• Wearing body armor

• Using Anti-virus

• Personal firewalls

• Putting mission critical data on a file server

Page 6: NPS CISRHFN Brown Bag: Security for Hastily Formed Networks 1 HFN Brown Bag Essential Security Practices for Hastily Formed Networks

NPS CISR HFN Brown Bag: Security for Hastily Formed Networks

6

Hastily formed…*

• Surprising precipitating event (e.g., 9/11, Katrina)• Chaos• Insufficient resources• Multi-agency response • Distributed response• Insufficient (pre-existing) (broken or failing) infrastructure • (Minimum of pre-arrangement)• (Bound late)* http://www.nps.edu/cebrowski/HFN.html

Page 7: NPS CISRHFN Brown Bag: Security for Hastily Formed Networks 1 HFN Brown Bag Essential Security Practices for Hastily Formed Networks

NPS CISR HFN Brown Bag: Security for Hastily Formed Networks

7

Network

• Collection of nodes and links• Typically communicating nodes over communication links• We speak of PANs, LANs, WANs (also MANs, SANs,

NANs); also agencies, commands, enterprises, and other affinity groups

• Usually for the purpose of cooperation and collaboration • e.g., disaster response, war-fighting• “A ‘cloud’ with routers at its boundaries”*

* Rex Buddenberg

Page 8: NPS CISRHFN Brown Bag: Security for Hastily Formed Networks 1 HFN Brown Bag Essential Security Practices for Hastily Formed Networks

NPS CISR HFN Brown Bag: Security for Hastily Formed Networks

8

Desiderata of HFNs

• Robustness (e.g., mesh topology)• Open as to connection• Ease of repair• Inter-operability• Cross-domain addressability• Minimal required pre-arrangement • Fail-soft under load• Other

Page 9: NPS CISRHFN Brown Bag: Security for Hastily Formed Networks 1 HFN Brown Bag Essential Security Practices for Hastily Formed Networks

NPS CISR HFN Brown Bag: Security for Hastily Formed Networks

9

Network Security

• Network Integrity: getting traffic from any node to any other node with an acceptable signal-to-noise ratio. (No interference or contamination)

• Network Confidentiality: getting traffic from any node only to a specified node. (minimal leakage).

• Network Availability: getting traffic from any node to any other on a specified schedule, even in the presence of interference.

Said another way, a node must be able to protect itself from any traffic that it sees, nodes and links must not leak, there must always be a path.

Page 10: NPS CISRHFN Brown Bag: Security for Hastily Formed Networks 1 HFN Brown Bag Essential Security Practices for Hastily Formed Networks

NPS CISR HFN Brown Bag: Security for Hastily Formed Networks

10

Policies

• Trust is essential to cooperation and coordination….

• …..but communication trumps security.

• Availability is necessary

• Signal-to-noise must be “good enough”

• Confidentiality is merely nice, but….

Page 11: NPS CISRHFN Brown Bag: Security for Hastily Formed Networks 1 HFN Brown Bag Essential Security Practices for Hastily Formed Networks

NPS CISR HFN Brown Bag: Security for Hastily Formed Networks

11

Examples of Essential Practices

• Restrictive policy (using e.g., proxies and f/ws)• Redundant capacity (links) (over-provisioned)• Media diversity (e.g. radio and wire, Internet and PSTN)• Path diversity (e.g., mesh routing across multiple media) • Peer-to-peer (link) and End-to-end (layer 7) cryptography (e.g., SSH,

SSL, other VPNs) (belt and suspenders) • Layered defenses• Peer-to-peer mutual authentication (e.g., 2-way SSL) (may imply

mutually trusted third-party)• COTS Crypto• Out-of-band (VPN) connection setup and control• Physical security of nodes and links

Page 12: NPS CISRHFN Brown Bag: Security for Hastily Formed Networks 1 HFN Brown Bag Essential Security Practices for Hastily Formed Networks

NPS CISR HFN Brown Bag: Security for Hastily Formed Networks

12

Examples of 3rd Party Introducers

• AOL

• Yahoo!

• MSN

• ICQ Servers

• Enterprise IM servers

• Skype

• WebEx