Enterprise Network Security & Compliance - A Vendor's Perspective

Page 1: Enterprise Network Security & Compliance - A Vendor's Perspective

ENTERPRISE NETWORK SECURITY & COMPLIANCE

A VENDOR’S PERSPECTIVE

Anusha Vaidyanathan, Product Management

Page 2

DISCLAIMER

The views expressed here are my own, though I may draw examples from my past and present professional experiences.

Page 3

AGENDA

Scope

B2B - Vendors selling to enterprises

"Devices in your network"

Not in scope

Not about specific security solutions

Devices in your Network

Page 4

COMPLIANCE ALPHABET SOUP

Product Security & Compliance: FIPS 140-2, Common Criteria, ICSA, NSS

IT Security & Compliance: PCI DSS, HIPAA, SOX, ISO 27002, FIPS 200, GLBA, FISMA, NERC

Hardware Security & Compliance: Homologation (FCC, UL, CB/CE), DVT, TCG – TPM, Export Compliance

Page 5

DEVICES IN YOUR ENTERPRISE NETWORK TODAY

Internet

Mobile

Branch

SaaS Applications

PaaS/IaaS Applications

White-box switches

Data Center

Courtesy: Palo Alto Networks Virtual Firewall

Page 6

A BRIEF HISTORY

Then: Tightly Coupled, Rigid, Monolithic, Custom hardware

Now: Centralized + Distributed, Programmable, VNFs / Service chaining, Network Virtualization

Page 7

A BRIEF HISTORY

Then: Physical

Now: Virtual (Hypervisor, IaaS Clouds), Orchestration

Courtesy: Juniper SRX 5600

Courtesy: Silver Peak Systems Inc.

Page 8

WHOSE ‘OS’ IS IT ANYWAY?

Applications: Management and Orchestration, Malware analysis, Analytics, SIEMs, Anti-Virus, DLP

Embedded Systems: SDN Controllers, Firewall, Routers, Switches, WAN optimization, Web Application Firewalls, Load balancers, Secure Web gateways, VPN devices, IPS

Embedded Systems → Cloud Apps (IaaS)

Applications → Cloud Apps (SaaS/PaaS)

Page 9

A BRIEF HISTORY

Then Now

Service Chaining SD-WAN and Firewall VNFs

Courtesy: Silver Peak Systems Inc.

Page 10

A BRIEF HISTORY

Then Now

Centralized Orchestrator, Distributed Devices

Courtesy: Silver Peak Systems Inc.

Page 11

A BRIEF HISTORY

Then Now

Courtesy: Silver Peak Systems Inc.

Page 12

Compliance Considerations

• FIPS boundaries – hardware vs. software only

• TPM for virtual

• Common Criteria – evolving from assurance levels (EALs) to Protection Profiles

• IPsec/SSL encryption – commodity hardware with AES-NI instructions

Page 13

New Threat Vectors

• Virtualization – Hypervisor, Containers

Courtesy: Docker

Page 14

New Threat Vectors & Considerations

• Programmability

  • DDoS on REST APIs

  • Authentication

  • Distributed Data Plane – Backward & Forward compatibility

• ‘Outside the Box’ – Secure communications

Page 15

RISING OPEN SOURCE USAGE

Copy-left vs. Permissive licenses

Vendors

Publish ALL third-party licenses

Publish source code for modified copy-left licensed components

Keep tabs on the Bill of Materials

Provide trickle-down SLAs for open source vulnerabilities

Courtesy: Blackduck Software
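The two vendor practices above that a tool can actually enforce are keeping the Bill of Materials current and turning "trickle-down SLAs" into concrete due dates per advisory. The following is an added example, not code from the slides, from Black Duck, or from any vendor's product: it matches a constructed BOM against constructed advisories, assigns a remediation due date from a hypothetical severity-to-days policy, and flags locally modified copy-left components whose source must be published. Component names, advisory identifiers, versions, dates and the SLA values are all made up for illustration.

```python
"""Added example (not from the slides): track an open source Bill of Materials
against vulnerability advisories and copy-left source-disclosure obligations.
Every identifier and value below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical remediation policy: severity -> days allowed to ship a fix.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Copy-left SPDX identifiers that trigger source publication when modified.
COPYLEFT = {"GPL-2.0", "GPL-3.0", "LGPL-2.1", "AGPL-3.0"}


@dataclass(frozen=True)
class Component:
    name: str
    version: tuple        # (major, minor, patch) so comparisons are numeric
    license: str          # SPDX-style identifier
    modified: bool        # True if the vendor ships local modifications


@dataclass(frozen=True)
class Advisory:
    id: str               # constructed advisory id, not a real CVE
    name: str             # affected component name
    fixed_in: tuple       # first version that is NOT vulnerable
    severity: str
    published: date


def parse_version(s):
    """Turn '1.2.10' into (1, 2, 10); tuples compare numerically, strings don't."""
    return tuple(int(p) for p in s.split("."))


def vulnerable(comp, adv):
    """A component is affected if it is the advisory's package and older than fixed_in."""
    return comp.name == adv.name and comp.version < adv.fixed_in


def sla_report(bom, advisories):
    """One row per (component, advisory) match, earliest due date first."""
    rows = []
    for comp in bom:
        for adv in advisories:
            if vulnerable(comp, adv):
                due = adv.published + timedelta(days=SLA_DAYS[adv.severity])
                rows.append({"component": comp.name, "version": comp.version,
                             "advisory": adv.id, "severity": adv.severity,
                             "due": due})
    return sorted(rows, key=lambda r: r["due"])


def source_disclosure_required(bom):
    """Modified components under a copy-left license: source must be published."""
    return sorted(c.name for c in bom if c.modified and c.license in COPYLEFT)


# Constructed BOM for a hypothetical appliance image.
BOM = [
    Component("tlslib", parse_version("1.0.1"), "Apache-2.0", False),
    Component("shellutils", parse_version("1.20.0"), "GPL-2.0", True),
    Component("compresslib", parse_version("1.2.8"), "Zlib", False),
    Component("httpclient", parse_version("7.40.0"), "MIT", True),
]

# Constructed advisories; ADV-0003 is already fixed in the shipped version.
ADVISORIES = [
    Advisory("ADV-0001", "tlslib", parse_version("1.0.2"), "critical", date(2016, 1, 10)),
    Advisory("ADV-0002", "shellutils", parse_version("1.21.0"), "medium", date(2016, 1, 5)),
    Advisory("ADV-0003", "compresslib", parse_version("1.2.8"), "high", date(2016, 1, 1)),
]


if __name__ == "__main__":
    for row in sla_report(BOM, ADVISORIES):
        print(f"{row['advisory']} {row['component']} {row['severity']:8} due {row['due']}")
    print("publish modified source for:", source_disclosure_required(BOM))
```

Versions are compared as integer tuples rather than strings so that 1.10.0 sorts after 1.9.5; the sorted report gives the enterprise customer the same SLA ordering the vendor commits to internally.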

Page 16

“SHARE MY PIE”

Vendors – Vulnerability Assessment

• OWASP top 10

• SANS 25

• TCP/IP attacks

Enterprises – Penetration Testing

• Privilege escalations

• Availability

• Security Posture

Page 17

DEVOPS AND HOSTED CLOUD APPLICATIONS

The release is dead, long live the release!

Network vendors with physical, virtual, IaaS products: follow (Agile) software release cycles

Enterprises with cloud or web services, SaaS/PaaS products: DevOps model

Risks: Availability, Stability, DDoS

Courtesy: http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr

Page 18

SUMMARY

Enterprise networks are adapting to network virtualization and cloud applications

Programmable, hardware agnostic products introduce new threat vectors

Vendor compliance standards help in enterprise IT security & compliance

Vendor best practices for open source usage & vulnerability assessment

Page 19

THANK YOU

Questions?