Turning the Network Inside Out
Joel Snyder, Ph.D., Senior Partner, Opus One, [email protected]

Most networks focus on perimeter defense

"[AT&T's gateway creates] a sort of crunchy shell around a soft, chewy center." (Bill Cheswick, Design of a Secure Internet Gateway, April 1990)

[Diagram label: Big Bad Internet]
Perimeter defense has its flaws

"Protecting your network with a perimeter firewall is like putting a stake in the middle of a field and expecting the other team to run into it."

#include <statistic on insider break-in percent>

"If your position is invisible, the most carefully concealed spies will not be able to get a look at it." (Sun-Tzu)

[Diagram labels: Big Bad Internet, Virus]
Defense in Depth is the alternative

Make the network "crunchy" throughout, not soft and chewy once the shell is breached.
Turn the network inside-out: the security is on the inside, not just at the perimeter.
We don't do defense-in-depth because...

Cost
• The cost of adding firewall "brains" to every internal switch port has been prohibitive
Performance
• Firewalls are slower than Gigabit switches
Management
• Determining the "many-to-many" relationships between inside hosts and services is difficult
Authentication
• How do you know who has that IP address anyway? What about NATed users?
Policy
• It's hard to describe the security policy for inside users; it's much easier to describe the Internet-oriented policy
Whoops. I lied. My bad.

Cost
• dropping
Performance
• increasing
Management
• getting better
Authentication
• solved
Policy
• OK, there had to be something we couldn't solve with technology
You can implement Defense-in-Depth

New and exciting:
• 802.1X authentication
• Digital certificates
• VLANs as security barriers
• Multiple levels of ACLs
• Firewall/VPN on the NIC
• Network intrusion detection/prevention systems

Not-so-bleeding-edge:
• MAC lock-down on ports
• Authenticated routing updates
• Rate-limiting (DoS resistance)
• Host-based IDS
• RADIUS-based authentication
• SSH (Secure Shell) for management
• SNMPv3, not SNMPv2
• "Access Ethernet" dedicated management network
802.1X is the new standard for layer 2 authentication

[Diagram] Supplicant --(EAP over LAN, or EAP over Wireless)--> Authenticator --(EAP over RADIUS)--> Authentication Server (e.g., RADIUS server). The authenticator (switch or access point) opens the port to the world only after the authentication server says yes.
802.1X on every port adds security

In the wireless environment, 802.1X is absolutely required
• 802.11i and WPA (Wi-Fi Protected Access) use 802.1X
• Pure 802.1X for authentication solves most WEP problems, by handing each station its own short-lived keys (if implemented with mutual authentication methods: TLS, TTLS or PEAP)

[Diagram: EAP over RADIUS between the access point and the RADIUS server]
"Put the user on VLAN x and here's what he has access to..."
"Here's your WEP key for the next 30 seconds..."
802.1X on every port adds security, II

In the wired environment, 802.1X adds security
• Microsoft gives it to you for free with W2K and XP
• Many wireless vendors too...
• 802.1X ties to RADIUS, which means you can use RADIUS to push authorization information to wired and wireless equipment: VLAN information and ACL (access control list) information
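The "put the user on VLAN x" message in the diagram is, on the wire, a RADIUS Access-Accept carrying three tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN). The following is an added example, not code from the presentation: it builds that reply as a RADIUS server would and then performs the check the authenticator (switch) must do before trusting it, verifying the Response Authenticator against the shared secret and only then reading the VLAN. The shared secret, request authenticator and VLAN number are constructed values for the example.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute types (RFC 2865) plus the tunnel attributes
# (RFC 2868 format) that RFC 3580 uses to carry a VLAN assignment to a switch.
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value "IEEE-802"

# Constructed values for this example.  In real use the Request Authenticator is
# 16 random bytes the switch picks per request and the secret is per RADIUS client.
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))


def attr(atype, value):
    """Encode one RADIUS attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def tagged_int(tag, value):
    """Tunnel-Type / Tunnel-Medium-Type value: a 1-byte tag and a 3-byte integer."""
    return bytes([tag]) + value.to_bytes(3, "big")


def response_authenticator(code, ident, request_auth, attributes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_access_accept(ident, request_auth, secret, vlan_id, tag=1):
    """What the RADIUS server sends: 'put this user on VLAN <vlan_id>'."""
    attributes = (
        attr(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
        + attr(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
        + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    )
    auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, attributes, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attributes)) + auth + attributes


def parse_attributes(data):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs


def vlan_from_access_accept(packet, ident, request_auth, secret):
    """The authenticator's side: verify the Response Authenticator with the shared
    secret, then extract the VLAN from the tunnel attributes.  Returns the VLAN id,
    or None when the reply must be rejected."""
    if len(packet) < 20:
        return None
    code, pid, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or pid != ident or length != len(packet):
        return None
    received_auth, attributes = packet[4:20], packet[20:]
    expected = response_authenticator(code, pid, request_auth, attributes, secret)
    if not hmac.compare_digest(received_auth, expected):
        return None        # forged, tampered, or not the answer to our request
    try:
        parsed = parse_attributes(attributes)
    except ValueError:
        return None
    ttype = tmedium = group = None
    for atype, value in parsed:
        if atype == TUNNEL_TYPE and len(value) == 4:
            ttype = (value[0], int.from_bytes(value[1:], "big"))
        elif atype == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            tmedium = (value[0], int.from_bytes(value[1:], "big"))
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a leading octet of 0x00..0x1F is a tag, otherwise it is data.
            group = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
    if ttype is None or tmedium is None or group is None:
        return None
    if ttype[1] != TUNNEL_TYPE_VLAN or tmedium[1] != TUNNEL_MEDIUM_IEEE_802:
        return None
    if not (ttype[0] == tmedium[0] == group[0]):
        return None        # all three must belong to the same tag group
    try:
        vlan = int(group[1].decode("ascii"))
    except ValueError:
        return None
    return vlan if 1 <= vlan <= 4094 else None


if __name__ == "__main__":
    reply = build_access_accept(7, REQUEST_AUTHENTICATOR, SHARED_SECRET, 120)
    print("switch puts user on VLAN",
          vlan_from_access_accept(reply, 7, REQUEST_AUTHENTICATOR, SHARED_SECRET))
```

The only thing binding the VLAN assignment to the server is the Response Authenticator, an MD5 over the shared secret, so the assignment is exactly as strong as that secret and the path between switch and server. For EAP traffic RFC 3579 additionally requires a Message-Authenticator attribute (HMAC-MD5 over the packet), which this example does not show.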
What are pitfalls and caveats with 802.1X?

802.1X does not mandate an authentication method
• So you have to pick one (TLS, TTLS, or PEAP)
• There are a bunch of choices and a bunch of interoperability problems (TTLS vs. PEAP)
• Strategy: hold off until this battle is settled by the IETF
802.1X does not require you to swap out your RADIUS infrastructure
• You can get a new, small server which will proxy to your existing RADIUS servers
802.1X will not immediately be "full featured"
• Authorization information, such as ACLs and VLANs, is still awaiting "industry agreement"
n = p·q
d = e^(-1) mod ((p-1)(q-1))

Public/Private Cryptography enables...

Authentication
• Using public/private cryptography, I can strongly prove my identity
Integrity Checking
• Using public/private cryptography, I can digitally sign documents so that any tampering with them is detected
• Digitally signed documents have "proof of sender" as well
Encryption
• Using public/private cryptography, I can encrypt short strings directly, and long data by encrypting the secret key that protects it
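The two formulas at the top of the slide are RSA key generation: n = p·q is the public modulus and d = e^(-1) mod ((p-1)(q-1)) is the private exponent. The following is an added worked example, not code from the presentation, carrying those formulas through to the three uses the slide lists: a signature that proves the sender and detects tampering, and encryption of a short string (here, a secret key of the kind used for a disk partition). The primes are constructed demonstration values, and this is textbook RSA with no padding, which is enough to show the arithmetic but is not how a deployed system should use the keys (those use padded schemes such as OAEP and PSS).

```python
import hashlib
from math import gcd

# Constructed demonstration primes (the Mersenne primes 2^127-1 and 2^521-1).
# They make n large enough (648 bits) to hold a SHA-256 digest as an integer.
# Real keys use freshly generated random primes; well-known primes give no security.
P = 2**127 - 1
Q = 2**521 - 1
E = 65537


def keygen(p=P, q=Q, e=E):
    """The two formulas on the slide: n = p*q and d = e^-1 mod (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)        # public key, private key


def _digest(message, n):
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    assert h < n, "modulus too small to hold the digest"
    return h


def sign(message, private_key):
    """Integrity + proof of sender: s = H(m)^d mod n, computable only with d."""
    n, d = private_key
    return pow(_digest(message, n), d, n)


def verify(message, signature, public_key):
    """Anyone with the public key checks s^e mod n == H(m); any change to m fails."""
    n, e = public_key
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == _digest(message, n)


def encrypt(plaintext, public_key):
    """Encrypt a short string (as an integer smaller than n): c = m^e mod n."""
    n, e = public_key
    m = int.from_bytes(plaintext, "big")
    if not 0 < m < n:
        raise ValueError("message must be shorter than the modulus")
    return pow(m, e, n)


def decrypt(ciphertext, private_key, length):
    """m = c^d mod n; 'length' restores leading zero bytes lost in the integer form."""
    n, d = private_key
    return pow(ciphertext, d, n).to_bytes(length, "big")


if __name__ == "__main__":
    public, private = keygen()
    doc = b"Transfer 100 to Alice"
    s = sign(doc, private)
    print("valid:", verify(doc, s, public), "tampered:", verify(doc + b"0", s, public))
    key = bytes(range(32))                     # a secret key for a disk partition, say
    print("key round-trips:", decrypt(encrypt(key, public), private, 32) == key)
```

Note what the modulus size buys: the signature is computed over the SHA-256 digest, so the document itself can be any length, while encryption is limited to data shorter than n, which is why long data is protected by encrypting a symmetric key rather than the data.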
Digital Certificates enable public/private cryptography

A certificate can be many things and have many forms, but fundamentally it is a binding of a public key to an identity, signed by an issuer that the relying party trusts.
Many existing IT applications can use certificates

Authentication
• SSL-based Web servers
• VPNs: remote user authentication
• Windows 2K/XP login
• 802.1X network authentication
• E-mail (Netscape, Outlook, others supporting S/MIME)
Encryption
• E-mail (S/MIME clients)
• Certificate-based techniques can also be used to pass encryption keys for secret key encryption: disk partitions, for example

And they all can use the same certificate, provided its key usage extensions allow it!
So, why isn't everyone using them?

PKI manufacturers have made it more complex than it needs to be
• "Solve all the problems up front, for country-wide deployments" seems to be their strategy
• And expensive!
Certificate Revocation List strategies have not been coherent
• Online Certificate Status Protocol (OCSP) may help
Certificate enrollment is chaotic
• Four different protocols in common use
• Plus a few proprietary ones
VLANs aren't just for breakfast anymore

802.1Q (Virtual LANs) can be used to combine, yet not mix, traffic from multiple networks on the same switches and trunks
Originally: management domains
Now: security domains
"Tagged" VLANs: each frame on a trunk carries an 802.1Q header naming the VLAN it belongs to

Use VLANs to distribute protected and unprotected services
[Diagram: protected and unprotected VLANs spanning the 1st, 2nd, 3rd and 4th floors]
Using VLANs for security has its risks

If packets jump from one VLAN to the other, the game is over
Management of switching infrastructure is now as important as management of firewalls
Your switches are your weak links
• Attacks
• Bugs
Switch vendors have a very bad reputation in this area
Risk/benefit analysis
Not all Access Control Lists are created equal: some are more equal than others

Static Packet Filters
• Typically look only at the IP layer
• Cannot be used for port-based controls
• Are commonly implemented
• High performance

"Extended" Access Lists (Packet Filters)
• Look at things within the IP and TCP or UDP header (such as port number and flags)
• Can be used for limited port-based controls
• Available on many, but not all, platforms
• High performance

Stateful Packet Filters
• Look at the entire datagram and try to simulate higher-layer state machines
• Considered very secure at layer 3 (Check Point, Cisco depend on them)
• Slower and more CPU/memory intensive
ACLs can be spread throughout your network to increase security

• Pre-filter protocols (such as SNMP) you never want to let in; block spoofed packets
• Block SMTP not from the Internet
• Allow traffic to the HR server only from the HR VLAN
• Users can get to departmental servers and the Internet only
• Kiosk PCs can't get to the inside net
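To make the two preceding slides concrete (tagged VLANs as security domains, and ACLs of different capability placed inside the network), here is an added example that is not code from the presentation. It decodes the 802.1Q tag of a frame to learn which VLAN it came from, then runs it through a first-match ACL implementing four of the policies listed above: anti-spoofing and SNMP pre-filtering at the Internet edge, HR server reachable only from the HR VLAN, users limited to departmental servers and the Internet, kiosks kept off the inside net. The addressing plan, VLAN numbers and test frames are constructed for the example; an untagged frame is taken to have arrived on the Internet-facing port. The `extended` flag models the table's distinction: a static (IP-only) packet filter cannot even express the port-based SNMP rule.

```python
import ipaddress
import struct

# Constructed addressing plan for the example (not from the slides):
# user VLANs 10 (sales) and 20 (HR), kiosk VLAN 99, departmental servers in
# 10.0.100.0/24 with the HR server at 10.0.100.10.  vlan=None marks an untagged
# frame, which this example treats as arriving on the Internet-facing port.
INSIDE = "10.0.0.0/8"
HR_VLAN, KIOSK_VLAN, INTERNET = 20, 99, None
HR_SERVER = "10.0.100.10/32"
DEPT_SERVERS = "10.0.100.0/24"

ACL = [  # first match wins; implicit deny at the end, as on real gear
    # Pre-filter at the Internet edge: spoofed inside addresses and SNMP never come in.
    {"action": "deny", "vlan": INTERNET, "src": INSIDE},
    {"action": "deny", "vlan": INTERNET, "proto": 17, "dport": 161},
    # The HR server is reachable only from the HR VLAN.
    {"action": "permit", "vlan": HR_VLAN, "dst": HR_SERVER},
    {"action": "deny", "dst": HR_SERVER},
    # Kiosk PCs can't get to the inside net, but may reach the Internet.
    {"action": "deny", "vlan": KIOSK_VLAN, "dst": INSIDE},
    {"action": "permit", "vlan": KIOSK_VLAN},
    # Everyone else: departmental servers and the Internet only.
    {"action": "permit", "dst": DEPT_SERVERS},
    {"action": "deny", "dst": INSIDE},
    {"action": "permit"},
]


def parse_frame(frame):
    """Decode Ethernet, an optional 802.1Q tag, and IPv4 with TCP/UDP ports."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, offset = None, 14
    if ethertype == 0x8100:                       # 802.1Q TPID
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18           # low 12 bits of the TCI are the VID
    if ethertype != 0x0800:                       # not IPv4: nothing for an IP ACL to see
        return None
    ip = frame[offset:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    sport = dport = None
    if proto in (6, 17):                          # TCP or UDP: ports are the first 4 bytes
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return {"vlan": vlan, "proto": proto, "sport": sport, "dport": dport,
            "src": ipaddress.ip_address(ip[12:16]), "dst": ipaddress.ip_address(ip[16:20])}


def make_frame(src, dst, proto, sport=0, dport=0, vlan=None):
    """Build a constructed test frame; vlan=None means untagged (Internet port)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tag = struct.pack("!HH", 0x8100, vlan & 0x0FFF) if vlan is not None else b""
    l4 = struct.pack("!HH", sport, dport) if proto in (6, 17) else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return eth + tag + struct.pack("!H", 0x0800) + ip + l4


def rule_matches(rule, pkt):
    if "vlan" in rule and rule["vlan"] != pkt["vlan"]:
        return False
    if "src" in rule and pkt["src"] not in ipaddress.ip_network(rule["src"]):
        return False
    if "dst" in rule and pkt["dst"] not in ipaddress.ip_network(rule["dst"]):
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "dport" in rule and rule["dport"] != pkt["dport"]:
        return False
    return True


def decide(acl, frame, extended=True):
    """Return "permit" or "deny".  extended=False models a static packet filter,
    which sees only the IP layer and cannot express a port-based rule at all."""
    pkt = parse_frame(frame)
    if pkt is None:
        return "deny"
    for rule in acl:
        if not extended and ("proto" in rule or "dport" in rule):
            raise ValueError("static packet filter cannot express a port-based rule")
        if rule_matches(rule, pkt):
            return rule["action"]
    return "deny"
```

The VLAN field is the whole basis of the "HR VLAN only" rule, which is why the previous slide's warning matters: if a frame can arrive tagged with a VLAN it does not belong to, this ACL trusts the tag and the HR server is exposed.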
ACLs everywhere is a tricky situation

Static ACLs on ports can be difficult to manage and maintain (at this time)
802.1X-derived ACLs don't have sufficient context to work at the IP layer (yet)
Not every device has the capability
Not every policy-based security server has the ability
"Put the user on VLAN x and here's what he has access to..."
But this is a technology coming very soon to a theatre near you!
You can put a firewall on a NIC

Technically, this is not making the network itself crunchy and more secure, but "Defense in Depth" isn't too concerned with labels
[Diagram: a policy server pushing policy to the firewall NICs in each host]
Vendors: 3COM, Snap, OmniCluster, NetMaster, Corrent
You can make a network which has deep defenses

The Network:
• IDS/IPS: intrusion detection and prevention, for forensics and prevention
• Perimeter firewalls and VPNs: old standbys, still useful!
• PKI authentication: a uniform approach to authentication gives the strongest security
• Multi-level security: push ACLs everywhere they can go, dynamic, too
• Layer 2 authentication: 802.1X network login authenticates users
• Internal security: embedded firewall secures desktops and servers
• Wireless: secure wireless LAN, using 802.1X and/or 802.11i and/or IPsec
• Segmentation: VLANs as management and as security domains
Thank you.
Questions, comments?