Enriching Symantec CCS with RedSeal's Network Security Architecture Analytics
Sean Finn Global Solutions Architect, RedSeal Networks
SymantecVision2013-Enriching CCS.pptx
SYMANTEC VISION 2013
Agenda Topics
• Fundamental Security Management Challenges
• RedSeal System Overview
• Device Configuration Hardening
• Evaluating Network Security Architectures
• Network-Aware Vulnerability Metrics: RedSeal Risk, and Downstream Risk
• RedSeal:CCS Integration
© 2013 RedSeal Networks, Inc. All rights reserved.
Fundamental Security Management Challenges
FCAPS: A Classic Network Management Taxonomy
• Fault Management
• Configuration Management
• Audit Management
• Performance Management
• Security
Today, we may find a lot more attention on (A)pplications, vs. (A)ccounting ...
* In the early 1980s the term FCAPS was introduced within the first Working Drafts (N1719) of ISO 10040, the Open Systems Interconnection (OSI) Systems Management Overview (SMO) standard.
FCAPS: A Network Management Taxonomy
(Diagram: the FCAPS areas F, C, A, P, S)
• The backbone for each of these aspects of network management is CONFIGURATION MANAGEMENT.
Real World Operations: Applied Change Management
(Diagram: the FCAPS areas F, C, A, P, S alongside the sources of real-world change: Organic Growth and Replacements, Application Management, Security Change Requests, and “Break/Fix” Changes)
• How are changes reviewed, and approved?
• How is system documentation updated?
• What feedback mechanisms exist to ensure accurate implementation of change?
RedSeal System Overview
RedSeal System Functional Overview
1. Automatically imports current router/firewall/load balancer (“device”) configuration files
2. Parses device configurations checking the use of best practices and your custom configuration standards
3. Builds a layer 3 (IP) topology map
4. Computes all possible access that the Network Security Architecture makes available, based on Access Lists, Firewall Rules, and NAT configuration
5. Compares available access to defined RedSeal Access Policies
6. Evaluates access to vulnerabilities from “untrusted” connections
7. Computes a set of “network aware” vulnerability metrics for each host
RedSeal Security Information Visualizations
RedSeal System Use Cases/Value Propositions
(Diagram: five use cases; process stages shown: Design, Data Collection, Model “Validation”, Security Change Process Integrations)
• Network Inventory & Topology
• Network Configuration Hardening
• Security Architecture Examination
• Security Architecture Compliance
• Attack Simulation for Prioritization
Feature Clusters
(Diagram: RedSeal Features grouped by use case, with their Ad Hoc Uses, Process Integration and CCS Integration outputs)
• Network Inventory & Topology
– Features: Config Management, Model Issues, Topo Layout, Custom Groups
– Ad hoc: Topo Query; process integration: Model Issue Export; to Symantec CCS: Model Issue Violations
• Network Configuration Hardening
– Features: Best Practice Checks, Custom BPCs, Device Cleanup
– Ad hoc: Device Cleanup Export; process integration: BPC Change Rpt; to Symantec CCS: Best Practice Check (BPC) Violations
• Security Architecture Examination
– Features: Explorer:Access, Detailed Path, SIC / SIM / Tracked Query
– Ad hoc: Explorer/SIC/Detailed Path Query (Forensic, Etc.); process integration: Review/Audit Changes, Eval Change Request
• Security Architecture Compliance
– Features: “What Is” Policy, PCI Policy Template, Compliance Custom Policy
– Process integration: Update Business Decision
• Network Access Assessment of Vulnerability Exposure
– Features: Risk and DSR Metrics, Explorer:Threat, Risk Map, Vuln Prioritization Rpt
– Ad hoc: Explorer:Threat Query, Risk Map Query; to Symantec CCS: Risk, DSR, ...
• Several of the process integrations feed a ticket system (TO: Ticket System) or pie chart reporting
Device Configuration Hardening
RedSeal Device Configuration “Best Practice Checks”
• About 150 pre-defined Best Practices Checks (BPCs)
• If a BPC doesn’t apply, you can suppress it
• Custom BPCs can be created
Best Practice Check Changes Report
• Report new or resolved BPC violations
• Report can be automatically published via email
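As an added illustration of the predefined, suppressible and custom Best Practice Checks described above and of the change report on this slide, the following Python runs a few illustrative checks over two constructed IOS-style configuration snippets and reports which violations are new and which were resolved. This is example code written for this page, not RedSeal's BPC engine; the check ids, the naming standard in the custom check and the configuration text are all constructed.

```python
"""Device configuration best-practice checks (BPCs) with suppression, custom
checks and a change report of new vs. resolved violations.

Added example, not RedSeal's BPC engine. The IOS-style configuration snippets
are constructed samples and the checks are illustrative; RedSeal's own
predefined checks are not reproduced here.
"""
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple


@dataclass(frozen=True)
class Check:
    check_id: str
    description: str
    violates: Callable[[str], bool]   # True when the config fails the check


@dataclass(frozen=True)
class Violation:
    device: str
    check_id: str
    description: str


def _has_line(config: str, pattern: str) -> bool:
    """True if any configuration line matches `pattern` (anchored per line)."""
    return re.search(pattern, config, flags=re.MULTILINE) is not None


# Illustrative predefined checks (constructed ids and descriptions).
PREDEFINED: List[Check] = [
    Check("BPC-001", "service password-encryption is not enabled",
          lambda c: not _has_line(c, r"^service password-encryption$")),
    Check("BPC-002", "a vty line accepts telnet",
          lambda c: _has_line(c, r"^ transport input .*\b(telnet|all)\b")),
    Check("BPC-003", "no remote syslog host configured",
          lambda c: not _has_line(c, r"^logging host \S+")),
]

# A custom check for a hypothetical site naming standard.
CUSTOM: List[Check] = [
    Check("CUST-001", "hostname does not match <site>-rtr-<n>",
          lambda c: not _has_line(c, r"^hostname [a-z]+-rtr-\d+$")),
]


def run_checks(device: str, config: str, checks: Iterable[Check],
               suppressed: Iterable[str] = ()) -> List[Violation]:
    """Evaluate `checks` against one device config; suppressed ids are skipped."""
    skip = set(suppressed)
    return [Violation(device, c.check_id, c.description)
            for c in checks if c.check_id not in skip and c.violates(config)]


def diff_violations(previous: Iterable[Violation],
                    current: Iterable[Violation]) -> Tuple[List[Violation], List[Violation]]:
    """(new, resolved) between two runs: the content of a BPC change report."""
    prev, cur = set(previous), set(current)
    key = lambda v: (v.device, v.check_id)
    return sorted(cur - prev, key=key), sorted(prev - cur, key=key)


# Constructed sample: the same router before and after a change window.
CONFIG_BEFORE = """\
hostname edge-rtr-1
service password-encryption
!
line vty 0 4
 transport input telnet ssh
!
"""

CONFIG_AFTER = """\
hostname edge-rtr-1
no service password-encryption
logging host 10.0.0.5
!
line vty 0 4
 transport input ssh
!
"""


if __name__ == "__main__":
    checks = PREDEFINED + CUSTOM
    before = run_checks("edge-rtr-1", CONFIG_BEFORE, checks)
    after = run_checks("edge-rtr-1", CONFIG_AFTER, checks)
    new, resolved = diff_violations(before, after)
    print("new:", [v.check_id for v in new])
    print("resolved:", [v.check_id for v in resolved])
```

Running the two snapshots through `diff_violations` shows the shape of the change report: the telnet and syslog findings are resolved, while the removal of `service password-encryption` surfaces as a new violation. Passing `suppressed={"BPC-003"}` to `run_checks` models suppressing a check that does not apply to a given device.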
Evaluating Network Security Architectures
What Happens When ...
• Effective Connectivity is a result of both the current routing state, and the configured Security Policy
• Relying on the state of Dynamic Routing to enforce Security Policy can lead to unpredictable results
(Diagram: router with interfaces E0/0 through E0/5 and a Dynamic Routing Table; packet Source A to Destination B; E0/1 is marked X with Filtered Connectivity, other paths are labelled Unfiltered Connectivity)
Network Security Architecture Analytics
(Diagram: router with interfaces E0/0 through E0/5; packet Source A to Destination B)
• Explicitly Evaluate All Components Of Your Network Security Architecture
RedSeal Explorer: Access Results
• RedSeal Explorer access queries report available connectivity between the specified source and destination
• Rendered as blue arrows in the topology, and in tabular format in the lower-right pane
Detailed Path Analysis
• Identifies devices in access path
• Pinpoints exact firewall rules/ACLs
Detailed Path window callouts:
– Access specification: SRC and DST addresses, protocols, ports
– Hop-by-hop path that provides connectivity; when a hop is selected (gray), it is used to populate the details on the right side of the window
– Inbound and outbound interfaces, NAT mapping
– Specific ACL and NAT rules that impact forwarding
Security Segmentation - Outside:Inside
• Exactly what traffic do you allow IN to your network?
• Exactly what traffic do you allow OUT from your network?
• How would you answer these questions to an auditor today?
• In real-world production networks, manually assessing and enumerating all of this traffic can be very time-consuming.
Internal Segmentation
• How are your internal security zones defined?
• How is intra-zone security implemented?
• How are these impacted by ongoing change management?
• How effective is your internal segmentation?
Security Architecture Query: From (A) .... To (B)
(Diagram: (A), a set of subnets and/or hosts, queried against (B), a set of subnets and/or hosts)
Available Connectivity Specifications:
- L3 Address
- IP Protocol
- L4 Ports
RedSeal Policy: Security Architecture Compliance
(Diagram: available connectivity from (A), a set of subnets and/or hosts, to (B), a set of subnets and/or hosts, compared against “Business Decisions”, the approval status of specific flow specifications)
• Approved Flow Specs
• Un-Approved
• Forbidden
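The comparison this slide describes (step 5 of the functional overview: available access checked against defined Access Policies) can be illustrated in code. The following Python is an added example written for this page, not RedSeal's implementation; the zones, the flow specs and the set of “available connectivity” flows are constructed, and the rule that a forbidden spec outranks an approval is an assumption of the example. It goes slightly beyond the slide in showing a flow that is only partly covered by an approval: a wider source range than was approved gets no full match and therefore lands in “unapproved”.

```python
"""Check available connectivity against RedSeal-style access policy decisions.

Added example, not RedSeal code. The zones, flow specs and the 'available
connectivity' set are constructed sample data; the decision rule that a
forbidden spec overrides an approved one is an assumption of this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Flow:
    """One available path found by an access query: L3 addresses, IP protocol, L4 port."""
    src: str             # CIDR of the source set (A)
    dst: str             # CIDR of the destination set (B)
    proto: str           # "tcp", "udp", "icmp", ...
    port: Optional[int]  # destination L4 port, None if the protocol has none


@dataclass(frozen=True)
class FlowSpec:
    """A business decision about a flow specification."""
    src: str
    dst: str
    proto: str                        # "any" matches every protocol
    ports: Optional[Tuple[int, int]]  # inclusive range, None for any/no port
    status: str                       # "approved" or "forbidden"


def _covers(spec_cidr: str, flow_cidr: str) -> bool:
    """True when the spec's address set fully contains the flow's address set."""
    return ipaddress.ip_network(flow_cidr, strict=False).subnet_of(
        ipaddress.ip_network(spec_cidr, strict=False))


def spec_matches(spec: FlowSpec, flow: Flow) -> bool:
    if spec.proto != "any" and spec.proto != flow.proto:
        return False
    if spec.ports is not None:
        if flow.port is None:
            return False
        lo, hi = spec.ports
        if not lo <= flow.port <= hi:
            return False
    return _covers(spec.src, flow.src) and _covers(spec.dst, flow.dst)


def classify(flow: Flow, policy) -> str:
    """Approved / forbidden / unapproved for one available flow.
    A flow only partly covered by an approval (e.g. a wider source range than
    was approved) has no full match and therefore lands in 'unapproved'."""
    statuses = {spec.status for spec in policy if spec_matches(spec, flow)}
    if "forbidden" in statuses:   # assumption: an explicit prohibition wins
        return "forbidden"
    if "approved" in statuses:
        return "approved"
    return "unapproved"


def evaluate(available, policy):
    """Map every available flow to its compliance status."""
    return {flow: classify(flow, policy) for flow in available}


def summarize(results):
    """Counts per status, the numbers a compliance report would carry."""
    counts = {"approved": 0, "unapproved": 0, "forbidden": 0}
    for status in results.values():
        counts[status] += 1
    return counts


# Constructed zones: (A) internal users 10.1.0.0/16, (B) cardholder data 10.2.0.0/24.
POLICY = [
    FlowSpec("10.1.0.0/16", "10.2.0.0/24", "tcp", (443, 443), "approved"),
    FlowSpec("10.1.5.0/24", "10.2.0.0/24", "tcp", (22, 22), "approved"),    # jump hosts only
    FlowSpec("0.0.0.0/0",   "10.2.0.0/24", "tcp", (23, 23), "forbidden"),   # no telnet into (B)
]

# Constructed result of an access query from (A) to (B).
AVAILABLE = [
    Flow("10.1.0.0/16", "10.2.0.10/32", "tcp", 443),
    Flow("10.1.5.0/24", "10.2.0.5/32",  "tcp", 22),
    Flow("10.1.0.0/16", "10.2.0.5/32",  "tcp", 22),    # wider source than the approval
    Flow("10.1.7.0/24", "10.2.0.0/24",  "tcp", 23),
    Flow("10.1.0.0/16", "10.2.0.0/24",  "tcp", 3389),
]


if __name__ == "__main__":
    results = evaluate(AVAILABLE, POLICY)
    for flow, status in results.items():
        print(f"{status:10} {flow.src} -> {flow.dst} {flow.proto}/{flow.port}")
    print(summarize(results))
```

The “unapproved” bucket is the one that needs a business decision (approve it, or fix the ACL that makes it available); “forbidden” entries are policy violations regardless of who asked for them.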
RedSeal “Zones & Policy” Tab
• PCI Policy is a standard, predefined policy template
• Custom Policies can be created to meet specific network security segmentation requirements
Network-Aware Vulnerability Metrics: RedSeal Risk, and Downstream Risk
RedSeal Network Vulnerability Metrics
• [Business] Value: An estimate of business value for the device, in the range of 0..100, based on services found on the host. The default value can be overridden by the user.
– Maximum default value: 75
• Exposure: A measure of the probability, in the range 0..1, of an attack being launched against the host by any one of the vulnerabilities that have been found on it.
– Primary factors for computing exposure:
• CVSS scores
• Attack depth
• RedSeal Risk: The product of [Business] Value times Exposure.
RedSeal Risk = (Business Value * Exposure)
Downstream Risk (DSR)
• Downstream risk: the sum of the risk scores of all hosts reachable, directly or indirectly, from this host; those hosts are therefore exposed to a pivot attack launched from it
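The metrics on the two slides above (RedSeal Risk = Business Value * Exposure, and Downstream Risk as the sum of risk over reachable hosts) worked through on a small constructed model. This is an added example, not RedSeal code: Exposure values are taken as given inputs rather than derived from CVSS and attack depth, the service-to-value table is hypothetical, and excluding the starting host from its own downstream set when a cycle leads back to it is an assumption of the example.

```python
"""RedSeal Risk and Downstream Risk (DSR) over a small reachability model.

Added example, not RedSeal code. The hosts, services, exposure values and the
reachability edges are constructed sample data. RedSeal derives Exposure from
CVSS scores and attack depth; this example takes Exposure as a given input
rather than reproducing that computation.
"""
from collections import deque

MAX_DEFAULT_VALUE = 75  # stated on the slide: highest Business Value assigned by default

# Hypothetical service-to-value table used to derive a default Business Value.
SERVICE_VALUES = {"https": 60, "mssql": 75, "ssh": 20, "smb": 40}


def business_value(services, override=None):
    """Business Value in 0..100: a user override wins, otherwise the highest
    per-service default, capped at MAX_DEFAULT_VALUE."""
    if override is not None:
        if not 0 <= override <= 100:
            raise ValueError("business value must be in 0..100")
        return override
    if not services:
        return 0
    return min(MAX_DEFAULT_VALUE, max(SERVICE_VALUES.get(s, 10) for s in services))


def redseal_risk(value, exposure):
    """RedSeal Risk = Business Value * Exposure, with Exposure in 0..1."""
    if not 0.0 <= exposure <= 1.0:
        raise ValueError("exposure must be a probability in 0..1")
    return round(value * exposure, 4)


def reachable_from(host, edges):
    """Hosts reachable directly or indirectly from `host` (breadth-first search).
    The starting host is excluded even when a cycle leads back to it (assumption)."""
    seen = set()
    queue = deque(edges.get(host, ()))
    while queue:
        h = queue.popleft()
        if h in seen:
            continue
        seen.add(h)
        queue.extend(edges.get(h, ()))
    seen.discard(host)
    return seen


def downstream_risk(host, risks, edges):
    """DSR: sum of RedSeal Risk over every host reachable from `host`."""
    return round(sum(risks[h] for h in reachable_from(host, edges)), 4)


# Constructed sample model: four hosts and the access computed between them.
HOSTS = {
    "web":  {"services": ["https"], "exposure": 0.8, "override": None},
    "app":  {"services": ["ssh"],   "exposure": 0.3, "override": None},
    "db":   {"services": ["mssql"], "exposure": 0.1, "override": 90},
    "file": {"services": ["smb"],   "exposure": 0.5, "override": None},
}
# Directed "can reach" edges; file -> app closes a cycle.
EDGES = {"web": ["app"], "app": ["db", "file"], "file": ["app"]}


def build_risks(hosts=HOSTS):
    """RedSeal Risk per host."""
    return {name: redseal_risk(business_value(h["services"], h["override"]), h["exposure"])
            for name, h in hosts.items()}


def build_dsr(hosts=HOSTS, edges=EDGES):
    """Downstream Risk per host."""
    risks = build_risks(hosts)
    return {name: downstream_risk(name, risks, edges) for name in hosts}


if __name__ == "__main__":
    risks = build_risks()
    for name, dsr in sorted(build_dsr().items(), key=lambda kv: -kv[1]):
        print(f"{name:5} risk={risks[name]:6.1f}  dsr={dsr:6.1f}")
```

In this model the web host carries the highest DSR even though its own risk is modest relative to the database: everything downstream of it is reachable once it is compromised, which is exactly the prioritisation signal DSR is meant to add on top of per-host risk.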
RedSeal Risk Map: Visualizing Vulnerability Metrics
Multiple, and Custom, Risk Maps are Available
Risk Map Controls tab provides access to how to ORGANIZE, COLOR, and SIZE the Host Risk icons
The FILTER section allows specific values ranges to be selected; and also provides Color Map controls
The RISK MAP itself provides multiple facets of drill-down capabilities
The DETAILS, HOSTS, and VULNERABILITIES Tabs provide detailed numerical information. Exportable.
RedSeal:CCS Integration
RedSeal:Symantec CCS System Integration Overview
(Diagram: the CCS:RedSeal Connector links RedSeal to CCS Vulnerability Manager, CCS Standards Manager, CCS Incident Manager and CCS Policy Manager. Also shown: Device Config Files and Network Vulnerability Scans as inputs to RedSeal; the RedSeal User Interface, Visual Queries, and Reports; a Trouble Ticket; and CCS Dashboard Reports)
Configuring the Connector: RedSeal
(Screenshot: map RedSeal Connector fields to the CCS Asset, Assessment and Status categories)
Executing and Monitoring Jobs: RedSeal
CCS Dashboard
Questions?
Thank you!
Copyright © 2013 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Sean Finn
408.641.2200