Securing the Borderless Network
March 21, 2000
Ted Barlow
Copyright 2000, Deloitte Touche Tohmatsu

Page 2: Introduction

The Internet has fundamentally changed the way networks are designed and secured.

Page 3: Old Model

How things used to be . . .

• single host environment
• mainframe security systems
• hierarchical controls
• well-defined access paths
• dumb terminals
• centralized storage/processing of data

(Diagram: Mainframe, Controller, Dumb Terminals)

Page 4: “New” Old Model

“Fortress” Security Model

(Diagram: Internet, Firewall, Internal Network)

Protocols: SMTP, FTP, HTTP

Page 5: New Model

“Freeway” Security Model

(Diagram: Internet, Firewall, DMZ, Web Server, Application/Database, Internal Network, Vendor Extranet, Credit Validation Network)

Traffic crossing the perimeter: HTTP, SSL, Java, ActiveX, SMTP, S/MIME, VPN, H.323, viruses, Trojans

Page 6: Risks

What are the Risks?

• Denial of Service
  • DDOS (Distributed Denial of Service Attacks)
• Defacement
  • 3693 web server defacements in 1999 (www.attrition.org)
  • 130 government sites (.gov)
• Loss of private data
  • CD Universe (~350,000 credit card numbers)
• Breach of internal networks and systems

Page 7: Design and Build

How do you Build a Secure Internet Application Environment?

• Incorporate security reviews early in the design process
• Design with future strong authentication methods in mind
• Design for explosive growth
• Encrypt entire path from client to backup tapes for critical data
• Establish security baselines and perform security hardening before going live on the Internet

Page 8: Infrastructure

Key Components of the Secure Network

• Border routers
• DMZ
• Firewalls
• Encrypted data paths
• Intrusion Detection System (IDS)
• Content Security (CVP)

Page 9: Firewalls

The Firewall/DMZ Environment

• Begin with a secure screening router
• Choose a firewall that is extensible, scalable
• Packet filtering vs. application proxy firewalls
• Firewall appliances and next generation firewalls
• Network address translation (NAT) will improve DMZ security
• Build firewall redundancy

Page 10: Firewall Comparison

Choosing the Right Firewall Solution

Packet Filters
  Pros: Application Independent; High Performance; Scalable
  Cons: Low Security; No Protection Above Network Layer

Application-Proxy Gateways
  Pros: Good Security; Fully Aware of Application Layer
  Cons: Poor Performance; Limited Application Support; Poor Scalability

Stateful Inspection
  Pros: Good Security; High Performance; Scalable; Fully Aware of Application Layer; Extensible
  Cons: More Expensive
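The comparison above rates packet filters "Low Security" and stateful inspection "Good Security". The toy filter below, an added example that is not part of the slides, shows the difference that state makes: a stateless rule that admits inbound packets "looking like replies" has no way to know whether an inside host ever opened the connection, while a stateful engine admits only packets that match a connection it recorded. Every address, port and packet is constructed; the inside-network prefix test is deliberately simplistic.

```python
"""Added example (not from the slides): stateless packet filter versus
stateful inspection on the same three constructed packets."""
from dataclasses import dataclass

INSIDE_NET = "10.0.0."   # constructed internal network prefix (toy match)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def stateless_filter(pkt: Packet) -> bool:
    """Packet filter: judges each packet on its own header fields.
    Rule 1: inside hosts may open any outbound TCP connection.
    Rule 2: inbound packets pass only if they look like a web reply
    (ACK set, source port 80). Nothing records whether an inside host
    actually sent a SYN, so any outside packet shaped like a reply passes."""
    if pkt.src.startswith(INSIDE_NET):
        return True
    return pkt.ack and pkt.sport == 80


class StatefulFilter:
    """Stateful inspection: records outbound connection attempts and admits
    an inbound packet only if it belongs to one of them."""

    def __init__(self):
        # (inside ip, inside port, outside ip, outside port)
        self.table = set()

    def decide(self, pkt: Packet) -> bool:
        if pkt.src.startswith(INSIDE_NET):
            if pkt.syn and not pkt.ack:
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def run_scenario():
    """Three constructed packets: an outbound SYN, its legitimate SYN/ACK
    reply, and an unsolicited outside packet dressed up as a reply."""
    legit_syn = Packet("10.0.0.5", 40000, "203.0.113.10", 80, syn=True)
    legit_reply = Packet("203.0.113.10", 80, "10.0.0.5", 40000, syn=True, ack=True)
    unsolicited = Packet("198.51.100.7", 80, "10.0.0.9", 139, ack=True)
    packets = (legit_syn, legit_reply, unsolicited)
    sf = StatefulFilter()
    return {
        "stateless": [stateless_filter(p) for p in packets],
        "stateful": [sf.decide(p) for p in packets],
    }


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(name, verdicts)
```

The stateless filter passes all three packets; the stateful filter passes the first two and drops the third, because no inside host ever opened a connection to 198.51.100.7. Real stateful firewalls also time out entries and track sequence numbers, which this toy omits.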

Page 11: IDS

Is Intrusion Detection Necessary?

• Definition – the ability to detect and defend against defined attack patterns
• Host based & network based
• Network IDS can be integrated with firewalls to automatically respond to attacks
• Host based IDS can detect changes to operating system programs and configurations

Page 12: Design Case Study

(Diagram: Internet, External Router, DMZ, Internal Router, Internal Network, with zones labelled Outside and Inside; components shown: Internet Web Server, Intranet Web Server, Application/Database Server, Backup Server, Intrusion Detection System (IDS))

Page 13: Design Case Study

(Diagram: Internet, External Router, Internal Router, Internal Network, two DMZ segments each labelled NAT; components shown: Web Server, App Server, Backup Server, CVP Server, two IDS sensors and an IDS Console)

Page 14: Maintenance

How do you Maintain a Secure Internet Application Environment?

• Keeping ahead of security exploits is a full time job
• Actually review and report on firewall, IDS and system logs
• Develop incident response (IR) procedures and an IR team
• Periodically review and audit system and network security configurations
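"Actually review and report on firewall, IDS and system logs" is the bullet most often skipped. As an added example (not from the slides), the script below parses a small constructed firewall log, counts denied connections per source and flags any source that probed many distinct destination ports, which is the kind of summary a daily log review produces. The log format, host name and every line are invented for the example.

```python
"""Added example (not from the slides): a daily review of firewall deny logs.
Format and all log lines are constructed for the demonstration."""
import re
from collections import Counter, defaultdict

# constructed lines: "<timestamp> <firewall> <ACCEPT|DENY> <proto> src:port -> dst:port"
SAMPLE_LOG = """\
2000-03-21T02:14:05 fw1 DENY tcp 192.0.2.44:51021 -> 203.0.113.5:21
2000-03-21T02:14:05 fw1 DENY tcp 192.0.2.44:51022 -> 203.0.113.5:23
2000-03-21T02:14:06 fw1 DENY tcp 192.0.2.44:51023 -> 203.0.113.5:25
2000-03-21T02:14:06 fw1 DENY tcp 192.0.2.44:51024 -> 203.0.113.5:80
2000-03-21T02:14:07 fw1 DENY tcp 192.0.2.44:51025 -> 203.0.113.5:110
2000-03-21T02:14:07 fw1 DENY tcp 192.0.2.44:51026 -> 203.0.113.5:139
2000-03-21T03:01:12 fw1 DENY udp 198.51.100.9:137 -> 203.0.113.5:137
2000-03-21T03:01:13 fw1 DENY udp 198.51.100.9:137 -> 203.0.113.5:137
2000-03-21T04:45:00 fw1 ACCEPT tcp 10.0.0.5:40000 -> 203.0.113.10:80
2000-03-21T05:00:31 fw1 DENY tcp 198.51.100.22:3344 -> 203.0.113.6:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ACCEPT|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Return (events, unparsable_count). Lines that do not match the format
    are counted rather than silently dropped, so a format change is noticed."""
    events, bad = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            events.append(d)
        elif line.strip():
            bad += 1
    return events, bad


def summarize_denies(events, scan_threshold=5):
    """Per-source deny counts plus sources that touched >= scan_threshold
    distinct destination ports (a horizontal probe pattern worth a look)."""
    denies = [e for e in events if e["action"] == "DENY"]
    by_src = Counter(e["src"] for e in denies)
    ports_by_src = defaultdict(set)
    for e in denies:
        ports_by_src[e["src"]].add(e["dport"])
    probable_scans = sorted(
        src for src, ports in ports_by_src.items() if len(ports) >= scan_threshold
    )
    return {
        "total_denies": len(denies),
        "top_sources": by_src.most_common(3),
        "probable_scans": probable_scans,
    }


if __name__ == "__main__":
    events, bad = parse_log(SAMPLE_LOG)
    print(f"parsed {len(events)} events, {bad} unparsable")
    for k, v in summarize_denies(events).items():
        print(k, v)
```

The threshold is a tuning knob: too low and every misconfigured printer becomes a "scan", too high and a slow probe hides in the noise. The same parse/summarize split applies to IDS and system logs with a different regular expression.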

Page 15: Future Developments

What is coming in Network Security?

• Better, cheaper authentication mechanisms
• Open network security models
• System, application level “firewalls”
• Windows 2000

Page 16: Future Developments

Windows 2000 Security

• Kerberos Authentication Infrastructure
• Certificate Authority (CA)
• Security Configuration Editor
• IPSec Support
• Encrypting File System (EFS)

Page 17: Future Developments

Kerberos Authentication

Windows 2000 supports several authentication models: Kerberos for internal authentication and X.509 certificates for external authentication. Kerberos can be configured to use private or public key authentication. Keys are managed by the Domain Controller (DC) in the Key Distribution Center (KDC). A user is granted a ticket or certificate which permits a session between the user and the server. Important security considerations:

• The KDC MUST be physically secured
• Susceptible to password dictionary attacks
• Administrators still have complete access
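To make the ticket flow and the first two considerations concrete, here is an added example that is not part of the slides and is not Microsoft's implementation: a simplified Kerberos-style exchange in which a KDC holding every principal's long-term key issues a ticket and session key, the client decrypts the reply with a key derived from its password, and the service verifies the ticket with its own key. Assumptions: the user key is derived with PBKDF2 (a stand-in for the real string-to-key function) and "encryption" is a toy HMAC-based authenticated cipher standing in for Kerberos encryption types; principal names and the password are constructed.

```python
"""Added example (not from the slides): simplified Kerberos-style ticket
exchange with a toy cipher, to show where the slide's caveats come from."""
import hashlib
import hmac
import json
import os


def derive_user_key(password, principal):
    # The user's long-term key is derived from the password, salted with the
    # principal name. PBKDF2 is an assumption standing in for Kerberos' KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10000)


def _keystream(key, nonce, length):
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key, obj):
    """Toy encrypt-then-MAC: nonce || ciphertext || tag (not a real enctype)."""
    nonce = os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt.decode())


class KDC:
    """Key Distribution Center. It stores every principal's long-term key,
    which is exactly why the slide says the KDC MUST be physically secured:
    whoever reads this table can impersonate anyone in the realm."""

    def __init__(self):
        self.keys = {}

    def add_user(self, principal, password):
        self.keys[principal] = derive_user_key(password, principal)

    def add_service(self, principal):
        self.keys[principal] = os.urandom(32)

    def issue_ticket(self, user, service):
        session = os.urandom(32).hex()
        # ticket: readable only by the service; reply: readable only by the user
        ticket = seal(self.keys[service], {"user": user, "session": session})
        return seal(self.keys[user], {"service": service, "session": session,
                                      "ticket": ticket.hex()})


def client_obtain(kdc, user, password, service):
    """Client side. The reply is protected only by the password-derived key:
    anyone holding a captured reply can check password guesses against it
    offline, which is the slide's dictionary-attack caveat. Password quality
    is the control that limits it."""
    reply = unseal(derive_user_key(password, user), kdc.issue_ticket(user, service))
    return bytes.fromhex(reply["session"]), bytes.fromhex(reply["ticket"])


def client_authenticate(session, ticket, user):
    """Present the ticket plus an authenticator sealed under the session key."""
    return ticket, seal(session, {"user": user})


def service_verify(service_key, ticket, authenticator):
    """Service side: open the ticket with its own key, then confirm the
    authenticator was sealed with the session key found inside the ticket."""
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["session"]), authenticator)
    return a["user"] == t["user"]


def demo(password="correct horse battery staple"):
    kdc = KDC()
    kdc.add_user("alice@EXAMPLE", password)
    kdc.add_service("http/web1@EXAMPLE")
    session, ticket = client_obtain(kdc, "alice@EXAMPLE", password, "http/web1@EXAMPLE")
    ticket, auth = client_authenticate(session, ticket, "alice@EXAMPLE")
    # the service keeps a copy of its own key; here it is read from the KDC table
    return service_verify(kdc.keys["http/web1@EXAMPLE"], ticket, auth)


if __name__ == "__main__":
    print("service accepted ticket:", demo())
```

The third consideration, that administrators still have complete access, is visible in the KDC class: anyone who administers the host holding `keys` can read or replace any principal's key, so Kerberos does not reduce the trust placed in domain administrators.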

Page 18: Future Developments

Certificate Authority (CA)

This is a Public Key Certificate Server built into Windows 2000. The server manages the issuing, renewal, and cancellation of digital certificates. Digital certificates are used to initiate encrypted sessions such as Secure Sockets Layer (SSL) for secure web-based communications.

Page 19: Future Developments

Security Configuration Editor

This is a Microsoft Management Console (MMC) tool that eases security administration. It allows administrators to create security baselines by defining templates with global security parameters, and then to perform security analyses against the templates. It manages security policies, file system access control, and Registry permissions.
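The template-then-analyze workflow described here is the mechanism behind the design-and-build advice to "establish security baselines and perform security hardening before going live". The added example below (not from the slides and not Microsoft's tool) implements that workflow generically: a template states each required setting with a comparison operator, an analysis reports OK, MISMATCH or NOT CONFIGURED per setting, and a configure step hardens a settings snapshot to the template while keeping any existing setting that is already stricter. Setting names and values are constructed for the example and are not real Windows 2000 policy identifiers.

```python
"""Added example (not from the slides): baseline template analysis and
hardening in the style of a security configuration tool. Names are invented."""

# constructed template: setting -> (operator, required value)
TEMPLATE = {
    "MinimumPasswordLength": (">=", 8),
    "MaxPasswordAgeDays": ("<=", 90),
    "AuditLogonEvents": ("==", "Success,Failure"),
    "GuestAccountEnabled": ("==", False),
    "AnonymousShareEnumeration": ("==", False),
}

OPS = {
    ">=": lambda actual, required: actual >= required,
    "<=": lambda actual, required: actual <= required,
    "==": lambda actual, required: actual == required,
}


def analyze(actual, template=TEMPLATE):
    """Analysis step: list of (setting, status, actual value, required value).
    A setting missing from the host is reported, not treated as compliant."""
    report = []
    for name, (op, required) in template.items():
        if name not in actual:
            report.append((name, "NOT CONFIGURED", None, required))
            continue
        status = "OK" if OPS[op](actual[name], required) else "MISMATCH"
        report.append((name, status, actual[name], required))
    return report


def is_compliant(report):
    return all(status == "OK" for _, status, _, _ in report)


def apply_template(actual, template=TEMPLATE):
    """Configure step: return a hardened copy. A setting is only changed when
    it is absent or fails the check, so a host already stricter than the
    template (e.g. a shorter password age) keeps its stricter value."""
    hardened = dict(actual)
    for name, (op, required) in template.items():
        if name not in hardened or not OPS[op](hardened[name], required):
            hardened[name] = required
    return hardened


# constructed snapshot of a freshly installed host before hardening
HOST_SETTINGS = {
    "MinimumPasswordLength": 0,
    "MaxPasswordAgeDays": 42,
    "AuditLogonEvents": "None",
    "GuestAccountEnabled": True,
    # AnonymousShareEnumeration deliberately absent
}


if __name__ == "__main__":
    before = analyze(HOST_SETTINGS)
    for name, status, actual, required in before:
        print(f"{status:15} {name}: actual={actual!r} required={required!r}")
    print("compliant before hardening:", is_compliant(before))
    print("compliant after hardening:", is_compliant(analyze(apply_template(HOST_SETTINGS))))
```

Running the analysis again after hardening, and on a schedule afterwards, is the "periodically review and audit" step from the maintenance slide; drift from the template shows up as a MISMATCH.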

Page 20: Future Developments

Internet Protocol Security (IPSec)

Defines security policies at the lowest possible layer: the network communication layer. Enables encryption and decryption of network packets before they leave the network interface card (NIC). Supports the use of public keys (RSA) or private keys (DES).

Page 21: Future Developments

Encrypting File System (EFS)

Allows users to encrypt files and directories that only they (and administrators) can decrypt. EFS creates a separate 56-bit encryption key based on the Data Encryption Standard (DES) algorithm. The administrator’s key can unlock any encrypted file in the domain. This service is very fast and encryption/decryption occurs without the user noticing.

Page 22: Summary

Summary of Best Practices

• If possible, create a separate trusted network (DMZ)
• Choosing the right firewall solution is key
• Application security is only as strong as system and network security
• Design the infrastructure to facilitate monitoring and data backups
• Intrusion Detection Systems – you can’t defend what you don’t detect

Page 23: Questions?

Contact: Ted Barlow, [email protected] (domain dttus.com)

Thank You