Securing the Borderless Network
March 21, 2000
Ted Barlow
Securing the Network
Copyright 2000, Deloitte Touche Tohmatsu
The Internet has fundamentally changed the way networks are designed and secured
Introduction
How things used to be . . .
• single host environment
• mainframe security systems
• hierarchical controls
• well-defined access paths
• dumb terminals
• centralized storage/processing of data
[Diagram labels: Mainframe, Controller, Dumb Terminals]
Old Model
“Fortress” Security Model
[Diagram labels: Internet, Firewall, Internal Network. Protocols: SMTP, FTP, HTTP]
“New” Old Model
“Freeway” Security Model
[Diagram labels: Internet, Firewall, DMZ, Web Server, Application/Database, Internal Network, Vendor Extranet, Credit Validation Network. Also shown: HTTP, SSL, Java, ActiveX, SMTP, S/MIME, VPN, Viruses, Trojans, H.323]
New Model
What are the Risks?
• Denial of Service
  • DDOS (Distributed Denial of Service Attacks)
• Defacement
  • 3693 web server defacements in 1999 (www.attrition.org)
  • 130 government sites (.gov)
• Loss of private data
  • CD Universe (~350,000 credit card numbers)
• Breach of internal networks and systems
Risks
How do you Build a Secure Internet Application Environment?
• Incorporate security reviews early in the design process
• Design with future strong authentication methods in mind
• Design for explosive growth
• Encrypt entire path from client to backup tapes for critical data
• Establish security baselines and perform security hardening before going live on the Internet
Design and Build
Key Components of the Secure Network
• Border routers
• DMZ
• Firewalls
• Encrypted data paths
• Intrusion Detection System (IDS)
• Content Security (CVP)
Infrastructure
The Firewall/DMZ Environment
• Begin with a secure screening router
• Choose a firewall that is extensible and scalable
• Packet filtering vs. application proxy firewalls
• Firewall appliances and next generation firewalls
• Network address translation (NAT) will improve DMZ security
• Build firewall redundancy
Firewalls
Choosing the Right Firewall Solution
Firewall Comparison

Packet Filters
  PROS: Application Independent; High Performance; Scalable
  CONS: Low Security; No Protection Above Network Layer

Application-Proxy Gateways
  PROS: Good Security; Fully Aware of Application Layer
  CONS: Poor Performance; Limited Application Support; Poor Scalability

Stateful Inspection
  PROS: Good Security; High Performance; Scalable; Fully Aware of Application Layer; Extensible
  CONS: More Expensive
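
The difference between the first and last rows of the comparison, as an added example that is not part of the original slides: a stateless packet filter judges each packet on its header alone, while stateful inspection admits inbound traffic only as a reply to a connection opened from inside. The rule set, the 10.0.0.x internal prefix and the sample packets are assumptions constructed for the illustration.

```python
# Added illustration; rules, addresses and packets are constructed.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")
INSIDE = "10.0.0."          # assumed internal address prefix


def is_inside(addr):
    return addr.startswith(INSIDE)


def packet_filter(pkt):
    """Stateless: each packet is judged on its header fields alone."""
    if is_inside(pkt.src) and pkt.dport == 80:
        return True                      # outbound web request
    # Replies must get back in, so any ACK from port 80 is accepted.
    if is_inside(pkt.dst) and pkt.sport == 80 and "ACK" in pkt.flags:
        return True
    return False


class StatefulFirewall:
    """Tracks connections opened from inside; admits only their replies."""

    def __init__(self):
        self.table = set()

    def inspect(self, pkt):
        if is_inside(pkt.src) and pkt.dport == 80:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: must be the exact reverse of a tracked connection.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def compare(packets):
    """Return one (packet_filter, stateful) verdict pair per packet."""
    fw = StatefulFirewall()
    return [(packet_filter(p), fw.inspect(p)) for p in packets]


SAMPLE = [
    Packet("10.0.0.5", 40000, "192.0.2.10", 80, "SYN"),      # inside client opens
    Packet("192.0.2.10", 80, "10.0.0.5", 40000, "SYN,ACK"),  # genuine reply
    Packet("198.51.100.7", 80, "10.0.0.9", 5000, "ACK"),     # unsolicited inbound
]
```

compare(SAMPLE) gives the same verdict for the first two packets and differs on the third: the packet filter passes it on header fields alone, and the stateful firewall drops it because no matching connection is in its table.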
Is Intrusion Detection Necessary?
• Definition – the ability to detect and defend against defined attack patterns
• Host based & network based
• Network IDS can be integrated with firewalls to automatically respond to attacks
• Host based IDS can detect changes to operating system programs and configurations
IDS
Design Case Study
[Diagram labels: Internet, External Router, Outside, DMZ, Internet Web Server, Intranet Web Server, Application/Database Server, Backup Server, Intrusion Detection System (IDS), Inside, Internal Router, Internal Network]
Design Case Study
[Diagram labels: Internet, External Router, Web Server, CVP Server, App Server, Backup Server, IDS (twice), IDS Console, DMZ (twice), NAT (twice), Internal Router, Internal Network]
How do you Maintain a Secure Internet Application Environment?
• Keeping ahead of security exploits is a full time job
• Actually review and report on firewall, IDS and system logs
• Develop incident response (IR) procedures and an IR team
• Periodically review and audit system and network security configurations
Maintenance
What is coming in Network Security?
• Better, cheaper authentication mechanisms
• Open network security models
• System, application level “firewalls”
• Windows 2000
Future Developments
Windows 2000 Security
• Kerberos Authentication Infrastructure
• Certificate Authority (CA)
• Security Configuration Editor
• IPSec Support
• Encrypting File System (EFS)
Future Developments
Kerberos Authentication
Windows 2000 supports several authentication models: Kerberos for internal authentication and X.509 certificates for external authentication. Kerberos can be configured to use private or public key authentication. Keys are managed by the Domain Controller (DC) in the Key Distribution Center (KDC). A user is granted a ticket or certificate which permits a session between the user and the server.
Important security considerations:
• The KDC MUST be physically secured
• Susceptible to password dictionary attacks
• Administrators still have complete access
Future Developments
Certificate Authority (CA)
This is a Public Key Certificate Server built into Windows 2000. The server manages the issuing, renewal, and cancellation of digital certificates. Digital certificates are used to initiate encrypted sessions such as Secure Sockets Layer (SSL) for secure web-based communications.
Future Developments
Security Configuration Editor
This is a Microsoft Management Console (MMC) tool that eases security administration. Allows administrators to create security baselines by defining templates with global security parameters, and then perform security analyses against the templates. Manages security policies, file system access control, and Registry permissions.
Future Developments
Internet Protocol Security (IPSec)
Defines security policies at the lowest possible layer: the network communication layer. Enables encryption and decryption of network packets before they leave the network interface card (NIC). Supports the use of public keys (RSA) or private keys (DES).
Future Developments
Encrypting File System (EFS)
Allows users to encrypt files and directories that only they (and administrators) can decrypt. EFS creates a separate 56-bit encryption key based on the Data Encryption Standard (DES) algorithm. The administrator’s key can unlock any encrypted file in the domain. This service is very fast and encryption/decryption occurs without the user noticing.
Future Developments
Summary of Best Practices
• If possible, create a separate trusted network (DMZ)
• Choosing the right firewall solution is key
• Application security is only as strong as system and network security
• Design the infrastructure to facilitate monitoring and data backups
• Intrusion Detection Systems – you can’t defend what you don’t detect
Summary
Questions?
Contact: Ted Barlow
[email protected]@dttus.com
Thank You