SANS Technology Institute - Candidate for Master of Science Degree

Implementing and Automating Critical Control 19: Secure Network Engineering for Next Generation Data Center Networks

Aron Warren, George Khalil, Michael Hoehl
February 2012

Objectives

• Introduction

• Secure Network Engineering

• Challenges for Next Generation Networks

• Functional Requirements

• Key Risk Considerations

• High-Level Design and Build Approach

• N-Tier Application and Infrastructure Control Checklist

• Lessons Learned

Introduction

• SANS 20 Critical Security Controls for Effective Cyber Defense

• Security Control 19 “Secure Network Engineering”

• Technical approaches to advance this control

• Scope is for Web/Mobile App and 40GbE

Secure Network Engineering

• Document Gathering is First Step

• Understand Data Flows

• Log Events and Correlate

• Apply Least Privileged Principles

• Divide and Secure

• Establish Trust and Validate Data Integrity

• Test and Validate Routinely

Challenges for Next Generation Networks

• 40GbE is still early in “hype” cycle for Enterprises

• Throughput speed ≠ Wire speed

• Uncertainty increases relative to speed

• Limited forensic team experience with 40 GbE

• Existing operations resource capacity

Functional Requirements

1. Documentation

2. Data Center Physical Controls

3. Enclaves

4. Firewalls and Security Apps

5. Internet Access

6. DNS

7. Hardening

8. Config and Change Mgt

9. Virtual and Blade Servers

10. Vulnerability and Threat Mgt

11. Log Mgt

12. Asset Mgt

13. Access Mgt

14. Performance Mgt

15. Forensic Mgt

16. Service Mgt

Key Risk Considerations

• Mixing assets of different value

• Integrating security and network controls

• High event volume and Impact of false negatives

• Understanding data flows and security policies

• Performance impact of inspection

• Protecting high authority access

• Configuration errors and product defects

High-level Design and Build Approach

N-Tier Application Control Checklist

• Enclave for each app function

• Dedicated Internet Access Firewall

• Security Fabric

• Separate Infrastructure Firewall

• SSL Accelerator and Proxies

• Tiered DNS

• Virtualization and Blade Servers

• Netflow

• Network Address Translation

• Network Monitoring Switch

• Load Balancers

Infrastructure Control Checklist

• Enclave for each function

• No direct Internet access

• Infrastructure Firewall

• Dedicated Enterprise Firewall

• Customer Authentication

• Admin Authentication

• Jump Boxes

• Network Access Control (NAC)

• Business-to-Business (B2B) VPN

• System and Security Event Mgt
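The "Understand Data Flows", "Apply Least Privileged Principles" and "Test and Validate Routinely" steps on the Secure Network Engineering slide, together with the enclave, Netflow and "No direct Internet access" items in the two checklists, can be exercised with a small audit: compare observed flow records against the allow-list that defines which enclaves may talk to which. The script below is an added example written for this page, not code from the deck or its authors. It assumes constructed enclave address ranges, a constructed allow-list of (source enclave, destination enclave, destination port) tuples, and flow records already exported from a collector to CSV with the assumed column names src, dst, dport, proto and bytes.

```python
"""Audit exported flow records against an enclave allow-list.

Two findings come out of one pass over the flows:
  * violations - flows crossing enclaves that the policy does not permit
    (the "Divide and Secure" and "No direct Internet access" checks);
  * unused rules - permitted flows that never occur, candidates for removal
    (the "Too many ACLs and Flows" pitfall).
All addresses, ranges and records here are constructed for illustration.
"""
import csv
import io
import ipaddress
from collections import Counter

# Constructed enclaves: one per application function plus a management enclave.
# Anything outside these ranges is classified as "internet".
ENCLAVES = {
    "web": ipaddress.ip_network("10.1.0.0/24"),
    "app": ipaddress.ip_network("10.2.0.0/24"),
    "db": ipaddress.ip_network("10.3.0.0/24"),
    "mgmt": ipaddress.ip_network("10.9.0.0/24"),
}

# Constructed least-privilege policy: (src enclave, dst enclave, dst port).
# Only the web tier is reachable from the Internet; admin access to every
# tier comes from the management enclave (the jump box range) on SSH.
POLICY = {
    ("internet", "web", 443),
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("mgmt", "web", 22),
    ("mgmt", "app", 22),
    ("mgmt", "db", 22),
}

# Constructed flow export; column names are assumed, not a collector's format.
SAMPLE_FLOWS = """\
src,dst,dport,proto,bytes
203.0.113.10,10.1.0.5,443,tcp,5200
10.1.0.5,10.2.0.7,8443,tcp,1800
10.2.0.7,10.3.0.9,5432,tcp,900
10.1.0.5,10.3.0.9,5432,tcp,400
10.9.0.2,10.3.0.9,22,tcp,3000
10.2.0.7,198.51.100.77,443,tcp,12000
"""


def enclave_of(ip):
    """Map an address to its enclave name; unmatched addresses are 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ENCLAVES.items():
        if addr in net:
            return name
    return "internet"


def audit_flows(flow_csv, policy=POLICY):
    """Return (violations, unused_rules) for a CSV of flow records.

    violations: list of flow dicts annotated with src/dst enclave.
    unused_rules: sorted list of policy tuples no flow exercised.
    """
    violations = []
    hits = Counter()
    for row in csv.DictReader(io.StringIO(flow_csv)):
        key = (enclave_of(row["src"]), enclave_of(row["dst"]), int(row["dport"]))
        if key in policy:
            hits[key] += 1
        else:
            violations.append({**row, "src_enclave": key[0], "dst_enclave": key[1]})
    unused = sorted(policy - set(hits))
    return violations, unused


if __name__ == "__main__":
    bad, stale = audit_flows(SAMPLE_FLOWS)
    for v in bad:
        print(f"VIOLATION {v['src_enclave']}->{v['dst_enclave']} "
              f"{v['src']} -> {v['dst']}:{v['dport']} ({v['bytes']} bytes)")
    for rule in stale:
        print(f"UNUSED RULE {rule}")
```

On the constructed sample the audit flags the web tier talking straight to the database (a tier bypass) and the app tier reaching the Internet directly, and reports the two SSH rules that no flow exercised. Run against a day of real flow exports, the second list is what keeps an enclave ACL set from growing without bound, and the first is the "test and validate routinely" check for the enclave design.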

Lessons Learned

Promising Solutions

• Security Fabric

• Firewall Policy Mgt

• Virtual Switch Replacement

• IEEE 802.1AE (MACsec)

Pitfalls

• Poor Documentation

• Too many ACLs and Flows

• Netflow “meltdown”

• 4 x 10 Port Aggregation

• Virtual Switch Overload

• Poorly designed QoS

• Forensic Teams

Benefits

• Improved Security

• Increased Design Credibility

• Better Manageability

• Lower Total Costs

• Faster Response to Threats

Ultimately, adopting these design recommendations will provide a solid foundation for safeguarding infrastructure and data at the highest speeds available today—and tomorrow.