The Crumbling Perimeter
Modern Problems Securing Your Network
Douglas Orr
Vice President of Engineering
Proprietary and Company Confidential Information
Company Background
Based on 5 years of academic research at the University of Michigan funded by Cisco, Intel and DARPA.
Recognized as the leading supplier of Worm, DDoS and routing attack solutions in North America, Europe and Asia.
Rich development partnership with Michnet, CAEN, UMHS, MAIS
Arbor Networks provides Network Integrity Systems that protect organizations from zero-day security threats and operational vulnerabilities.
Fully funded. $33 million from investors including:
Perimeter vs. Internal
Perimeter:
•Well known egress/ingress to/from outside world
•Home of firewall/IDS
•Gateway to DMZ
Inner Network: what we think of as the “inner sanctum” (what therapists call a “safe place”). Home of:
•Unrestricted file shares
•Unexpected MSSQL servers
•Unsanctioned P2P servers
Internal Security Issues: Crumbling Perimeter
•Wireless access points
•Contractors
•VPN connections
•Internal threats
•Worms/viruses (careful what you track in on your boots…)
•Mergers, acquisitions
A Word about Worms
Worm hosts infected within the first week:
•Code Red, July 2001: about 500,000 hosts
•Nimda, September 2001: about 600,000 hosts
•SQL Slammer, January 2003: about 75,000 hosts
•Blaster, August 2003: about 300,000 hosts
•Witty, March 2004: about 12,000 hosts
•Sasser, May 2004: about 200,000 hosts
Sources: Arbor, CAIDA, CERT, Symantec.
Another reason to care: liability
So, let’s not forget the regulators…
Security-related Regulations
•Sarbanes-Oxley
•Gramm-Leach-Bliley
•Health Insurance Portability Accountability Act
•And, this is probably just the beginning…
Regulatory Environment: SOX
•Focused on financials, auditors
•Management responsible for confidentiality and integrity of financial info
•Security focus: authorization, accessibility, auditing
•Tools: 2-factor passwords, logging/audit trails
Regulatory Environment: GLBA
•Gramm-Leach-Bliley
•Privacy of financial information
•For: financial institutions, banks, …
•Not allowed to disclose without written consent
•Establishes a standard for safeguarding customer info
•Requires a written security policy
•Apple pie: training, design the network with security in mind, detect/prevent attacks
Regulatory Environment: HIPAA
•HIPAA: Health Insurance Portability and Accountability Act
•Privacy/security of medical information
•Primarily insurance-related
•Providers, plans, data warehouses
Regulatory Environment: HIPAA…
•Generally: identity kept separate from medical records
•Requires risk assessment and security measures to mitigate the risks identified
•All focused on Protected Health Information (PHI or ePHI)
•All related to Confidentiality, Integrity and Availability (CIA)
Regulatory Environment: HIPAA…
Required and addressable items… Examples:
•Unique user authentication
•Auto logout
•Encryption
•Audit
•Integrity checking
•Strong auth
•Transmission security
•Malicious code
•Identify and protect against incidents…
The Challenge
Securing the inside of your network is just as important as securing the perimeter.
It is also a lot harder…
The (Partial) Palette
Perimeter:
•Firewall
•DMZ
Internal:
•Anomaly detection
•IPS
•Application-level authentication
•Patch management
•AV
•Host IDS
•Network segmentation
Both:
•Network IDS
•Vulnerability assessment
•Security Information Management
Briefly: the perimeter
•Firewall: provides enforcement for the policy of what gets in and what gets out
•DMZ: reduces risk for resources that are shared between “inside” and “outside”
•Network IDS: alerts to known bad behaviors
Perimeter Issues
•Need a good policy, including “default deny”
•Port 80 and encryption reduce granularity and visibility
•Applications are more valuable if universally accessible
•Nobody likes limitations…
The Internal Security Environment
Perimeter Security vs. Internal Security

Network Environment
  Perimeter: 10’s of systems to protect; 10’s of Mbps of traffic to inspect and mediate
  Internal: 1,000’s of systems to protect; 100’s of Mbps of traffic to inspect and mediate

Application Environment
  Perimeter: 10’s of applications; <10 protocols; standard/well-defined apps; stricter adherence to protocols; client-server apps
  Internal: 1,000’s of applications; >100 protocols (and weaker ones); homegrown apps; loose adherence to protocols; peer-to-peer apps

Management Environment
  Perimeter: 10’s of user groups to distinguish in terms of policy; block that which is unknown; typically centrally coordinated
  Internal: 100’s of user roles/groups to distinguish; observe that which is unknown (don’t disrupt); typically locally coordinated
The Analysts
“Securing Internal Networks: The Final Frontier”
“The proliferation of alternate paths into the organization, application layer attacks and devastating worms, are all hammering home the conclusion that perimeter defenses must be complemented by a full range of internal security measures. Addressing this need will inevitably require implementing a combination of different types of security controls, though we expect products that are better tuned to the unique challenges of internal security will begin to emerge in 2004.”
“Internal Security is a Critical Business Problem”
“Safe Quarantine”
“Worms: A Service Level Threat”
IDS
•Generally signature based: watching for network or host misuse
•Host-based IDS is a newer variant
Issues:
•Chatty, false positives
•Fragile
•Monotonically increasing signature DB
Examples: Okena (host), Snort, RealSecure, etc.
Intrusion Prevention Systems
•Aim to make IDS-style signature information actionable
•Stop intrusions, misuse, abuse, rather than just reporting on them
Issues:
•Bump-in-the-line
•Share signature weaknesses with IDS
•More serious consequences for false positives
Intrusion Prevention Systems…
•Latest thing
•Some products are recycled DoS prevention, IDS, web firewall tech, etc.
•Claims range from viruses and intrusion signatures to SPAM and IIS attacks
•Very cool if it works…
Examples: ISS Proventia, Symantec ManHunt, TopLayer, Entercept, Sanctum
Network Segmentation
•Internal firewalls or switch ACLs
•Only permit explicitly sanctioned traffic between “zones”
•Limits exposure for hacking or internal threat
Issues:
•Big time
•Requires detailed application knowledge
•Requires hardware
•Requires policy
Anomaly Detection
•Model “what is normal”
•Alert or act on “abnormal” events
•Host/network
•Update of, and largely complementary to, IDS
•Optional enforcement tie-ins
•Relational/statistical AD
Relational Modeling
[Diagram: an enterprise network with Site 1, Site 2, Data Center and Extranet; hosts are labeled by learned behavior class A through I.]
Auto-learns host behaviors: who talks to who, and who talks to who – how, across your entire network.
Anomaly Detection…
Issues:
•Hard
•Scaling (detail, speed)
•Some network traffic patterns are difficult to interpret
•“What is normal” changes periodically and over time
•If there is enforcement, it carries a false positive penalty, like IPS
Examples: Peakflow/X, Mazu, Lancope, Q1
Case Study -- HIPAA
•Watch critical servers for anomalies
•https the only permitted protocol -- ensures encryption
•https only to known destinations -- transportational integrity
•https only in known bandwidth patterns -- also transportational integrity
•Alert on violation; provide an audit trail for investigation/prosecution
Case Study -- Network Segmentation
•Observe all behaviors (analyze, experience shock, repeat…)
•Group by known topologies
•Generate ACLs to correspond to known, sanctioned applications
•Default deny
•Apply to segmentation routers
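As an added example (not from these slides or from any Arbor product), the relational baseline behind both case studies above in working Python: learn who talks to whom and how from a constructed baseline, flag flows involving a watched server that break the https-only / known-peer / known-bandwidth policy of the HIPAA case study, and emit a default-deny ACL from the sanctioned relationships as in the segmentation case study. The server addresses, flow records and the bandwidth tolerance are all constructed assumptions.

```python
from collections import defaultdict
# Constructed sample flows, not real traffic: (src, dst, dport, bytes). BASELINE is the observation period; OBSERVED is later traffic to check.
CRITICAL = {"10.2.0.10"}  # hypothetical server holding PHI
BASELINE = [
    ("10.1.1.5", "10.2.0.10", 443, 4800),
    ("10.1.1.5", "10.2.0.10", 443, 5200),
    ("10.1.1.6", "10.2.0.10", 443, 5000),
    ("10.2.0.10", "10.2.0.20", 443, 12000),  # server to its sanctioned backup peer
]
OBSERVED = [
    ("10.1.1.5", "10.2.0.10", 443, 5000),     # within the learned pattern
    ("10.1.1.5", "10.2.0.10", 1433, 900),     # not https: encryption requirement broken
    ("10.9.9.9", "10.2.0.10", 443, 4900),     # peer never seen in the baseline
    ("10.2.0.10", "10.2.0.20", 443, 900000),  # far outside the learned volume
    ("10.1.1.5", "10.1.1.6", 445, 3000),      # no critical server involved: out of scope
]

def learn_baseline(flows):
    """Relational model: who talks to whom, how (port), and the byte range seen."""
    volumes = defaultdict(list)
    for src, dst, dport, nbytes in flows:
        volumes[(src, dst, dport)].append(nbytes)
    return {key: (min(v), max(v)) for key, v in volumes.items()}

def check_flow(flow, model, critical, allowed_port=443, slack=2.0):
    """Return the violated policy item, or None. slack is an assumed tolerance factor."""
    src, dst, dport, nbytes = flow
    if src not in critical and dst not in critical:
        return None                # only the watched servers are in scope
    if dport != allowed_port:
        return "protocol"          # https only: ensures encryption in transit
    if (src, dst, dport) not in model:
        return "destination"       # unknown peer: transportational integrity
    low, high = model[(src, dst, dport)]
    if nbytes < low / slack or nbytes > high * slack:
        return "bandwidth"         # outside the known bandwidth pattern
    return None

def audit(observed, baseline, critical):
    """Alert on violations; the returned list doubles as the audit trail."""
    model = learn_baseline(baseline)
    return [(r, f) for f in observed if (r := check_flow(f, model, critical))]

def generate_acls(baseline, critical):
    """Segmentation case study: permit learned relationships with a watched server, then default deny."""
    rules = [f"permit tcp host {s} host {d} eq {p}"
             for s, d, p in sorted(learn_baseline(baseline))
             if s in critical or d in critical]
    return rules + ["deny ip any any"]
```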
PKI, Strong Authentication
•Decrease risk of false authentication
•Can be application-level authentication
•Decreases risk of damage after break-in
•Decreases risk of internal threats
Issues:
•PITA… ideally requires application awareness
Security Integration Manager
•Combines and correlates security events
•Helps rationalize multiple security outputs (e.g., IDS + FW logs + scanners…)
•Correlations can be more reliable than individual signals
Issues:
•Big time
Examples: netForensics, Intellitactics, etc.
AntiVirus
Well understood and important… what can I say?
Issues:
•Polymorphic viruses may kick our ass
•The more popular the system, the bigger the problem
•Why *did* you click on that attachment?
•Wasn’t your spouse *listening* to you???
Internal Security Miscellanea
•All good security practices also apply
•Policy, policy, policy
•Default deny
•Audit trails
•Backup, catastrophe plans
•Vulnerability assessment
•Patch management