
Page 1: Enriching Symantec CCS with RedSeal's Network Security ...vox.veritas.com/legacyfs/online/veritasdata/IL B20.pdfSymantecVision2013-Enriching CCS.pptx SYMANTEC VISION 2013 26 •[Business]


Enriching Symantec CCS with RedSeal's Network Security Architecture Analytics

Sean Finn Global Solutions Architect, RedSeal Networks

SymantecVision2013-Enriching CCS.pptx


SYMANTEC VISION 2013

Agenda Topics

• Fundamental Security Management Challenges

• RedSeal System Overview

• Device Configuration Hardening

• Evaluating Network Security Architectures

• Network-Aware Vulnerability Metrics: RedSeal Risk, and Downstream Risk

• RedSeal:CCS Integration


© 2013 RedSeal Networks, Inc. All rights reserved.


Fundamental Security Management Challenges


FCAPS: A Classic Network Management Taxonomy

• Fault Management

• Configuration Management

• Audit Management

• Performance Management

• Security

Today, we may find a lot more attention on (A)pplications, vs. (A)ccounting ...

* - In the early 1980s the term FCAPS was introduced within the first Working Drafts (N1719) of ISO 10040, the Open Systems Interconnection (OSI) Systems Management Overview (SMO) standard.


FCAPS: A Network Management Taxonomy

[Figure: FCAPS diagram (F, C, A, P, S)]

• The backbone for each of these aspects of network management is CONFIGURATION MANAGEMENT:


Real World Operations: Applied Change Management

[Figure: FCAPS diagram (F, C, A, P, S) with sources of change: Organic Growth and Replacements; Application Management; Security Change Requests; “Break/Fix” Changes]

• How are changes reviewed, and approved?

• How is system documentation updated?

• What feedback mechanisms exist to ensure accurate implementation of change?


RedSeal System Overview


RedSeal System Functional Overview

1. Automatically imports current router/firewall/load balancer (“device”) configuration files

2. Parses device configurations checking the use of best practices and your custom configuration standards

3. Builds a layer 3 (IP) topology map

4. Computes all possible access that the Network Security Architecture makes available, based on Access Lists, Firewall Rules, and NAT configuration

5. Compares available access to defined RedSeal Access Policies

6. Evaluates access to vulnerabilities from “untrusted” connections

7. Computes a set of “network aware” vulnerability metrics for each host


RedSeal Security Information Visualizations


RedSeal System Use Cases/Value Propositions

[Figure labels: Attack Simulation for Prioritization; Security Architecture Compliance; Security Architecture Examination; Network Configuration Hardening; Network Inventory & Topology; Design; Data Collection; Model “Validation”; Security Change Process Integrations]


Feature Clusters / RedSeal Features / Ad Hoc Uses / Process Integration / CCS Integration

• Feature Clusters: Network Inventory & Topology; Network Configuration Hardening; Security Architecture Examination; Security Architecture Compliance; Network Access Assessment of Vulnerability Exposure

• RedSeal Features: Config Management; Model Issues; Topo Layout; Custom Groups; Best Practice Checks; Custom BPCs; Device Cleanup; Explorer:Access; Detailed Path; SIC / SIM / Tracked Query; “What Is” Policy; PCI Policy Template; Compliance Custom Policy; Risk and DSR Metrics; Explorer:Threat; Risk Map; Vuln Prioritization Rpt

• Ad Hoc Uses / Process Integration: Device Cleanup Export; BPC Change Rpt; Topo Query; Model Issue Export; Explorer/SIC/Detailed Path Query: Forensic, Etc.; Review/Audit Changes; Eval Change Request; TO: Ticket System; Update Business Decision; Explorer:Threat Query; Risk Map Query; Pie Chart, Reporting

• CCS Integration: To Symantec CCS: Risk, DSR, ...; To Symantec CCS: Model Issue Violations; To Symantec CCS: Best Practice Check (BPC) Violations


Device Configuration Hardening


RedSeal Device Configuration “Best Practice Checks”

• About 150 pre-defined Best Practices Checks (BPCs)

• If a BPC doesn’t apply, you can suppress it

• Custom BPCs can be created


Best Practice Check Changes Report

• Report new or resolved BPC violations

• Report can be automatically published via email


Evaluating Network Security Architectures


What Happens When ...

• Effective Connectivity is a result of both the current routing state, and the configured Security Policy

• Relying on the state of Dynamic Routing to enforce Security Policy can lead to unpredictable results

[Figure: a router with a Dynamic Routing Table and interfaces E0/0 through E0/5; Packet Source: A; Packet Destination: B; labels: X, Filtered Connectivity, Unfiltered Connectivity]
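The point of the "What Happens When ..." slide, as an added example (not code from the presentation or from RedSeal): an ACL applied on only one egress interface blocks a flow only while routing happens to select that interface, so an audit has to evaluate every candidate path. The router, prefixes, ACL entries and function names below are constructed for illustration; only the interface names come from the slide.

```python
import ipaddress

# Constructed sample data for a hypothetical router (not from the slides).
# Egress ACLs, first match wins, implicit deny at the end of a list.
# Only E0/1 carries a filter; E0/2 has no ACL and forwards everything.
ACLS = {
    "E0/1": [
        ("deny", "10.1.0.0/16", "10.2.0.0/16"),   # zone A -> zone B
        ("permit", "0.0.0.0/0", "0.0.0.0/0"),
    ],
}
# Every egress interface dynamic routing could choose per destination prefix.
CANDIDATE_EGRESS = {"10.2.0.0/16": ["E0/1", "E0/2"], "0.0.0.0/0": ["E0/0"]}


def acl_permits(interface, src, dst):
    """Apply the interface's ACL to one flow; no ACL means no filtering."""
    acl = ACLS.get(interface)
    if acl is None:
        return True
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False  # implicit deny


def longest_match(table, dst):
    """Return the table value for the most specific prefix containing dst."""
    d = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), v) for p, v in table.items()
            if d in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def allowed_now(routes, src, dst):
    """Effective connectivity under ONE routing state (prefix -> egress)."""
    egress = longest_match(routes, dst)
    return egress is not None and acl_permits(egress, src, dst)


def audit(src, dst):
    """Evaluate every candidate egress, independent of current routing."""
    candidates = longest_match(CANDIDATE_EGRESS, dst) or []
    verdicts = {i: acl_permits(i, src, dst) for i in candidates}
    return {"verdicts": verdicts,
            "routing_dependent": len(set(verdicts.values())) > 1}


if __name__ == "__main__":
    flow = ("10.1.5.5", "10.2.9.9")  # constructed: source in A, destination in B
    print(allowed_now({"10.2.0.0/16": "E0/1"}, *flow))  # primary path
    print(allowed_now({"10.2.0.0/16": "E0/2"}, *flow))  # after a reroute
    print(audit(*flow))
```

A flow flagged `routing_dependent` is one whose policy outcome changes with the routing table, which is the condition the slide warns about.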


Network Security Architecture Analytics

[Figure: a router with interfaces E0/0 through E0/5; Packet Source: A; Packet Destination: B]

• Explicitly Evaluate All Components Of Your Network Security Architecture


RedSeal Explorer: Access Results

• RedSeal Explorer access queries report available connectivity between the specified source and destination

• Rendered as blue arrows in the topology, and in tabular format in the lower-right pane


Detailed Path Analysis

• Identifies devices in access path

• Pinpoints exact firewall rules/ACLs

Access specification: SRC and DST addresses, protocols, ports

Hop-by-hop path that provides connectivity

When a hop is selected here (gray), it is used to populate details on the right side of the window.

Inbound and outbound interfaces, NAT mapping

Specific ACL and NAT rules that impact forwarding


Security Segmentation - Outside:Inside

• Exactly what traffic do you allow IN to your network?

• Exactly what traffic do you allow OUT from your network?

• How would you answer these questions to an auditor today?

• In real-world production networks, manually assessing and enumerating all of this traffic can be very time-consuming.


Internal Segmentation

• How are your internal security zones defined?

• How is intra-zone security implemented?

• How are these impacted by ongoing change management?

• How effective is your internal segmentation?


Security Architecture Query

From (A) .... To (B)

(A): Set of Subnets and/or Hosts

(B): Set of Subnets and/or Hosts

Available Connectivity Specifications:

- L3 Address

- IP Protocol

- L4 Ports


RedSeal Policy: Security Architecture Compliance

From (A) .... To (B)

(A): Set of Subnets and/or Hosts

(B): Set of Subnets and/or Hosts

Available Connectivity

“Business Decisions”: Approval Status of Specific Flow Specifications

- Approved Flow Specs

- Un-Approved

- Forbidden


RedSeal “Zones & Policy” Tab

• PCI Policy is a standard, predefined policy template

• Custom Policies can be created to meet specific network security segmentation requirements


Network-Aware Vulnerability Metrics: RedSeal Risk, and Downstream Risk


RedSeal Network Vulnerability Metrics

• [Business] Value: An estimate of business value for the device, in the range of 0..100, based on services found on the host. The default value can be overridden by the user.

  – Maximum default value: 75

• Exposure: A measure of the probability, in the range 0..1, of an attack being launched against the host through any one of the vulnerabilities that have been found on it.

  – Primary factors for computing exposure:

    • CVSS scores

    • Attack depth

• RedSeal Risk: The product of [Business] Value times Exposure.

RedSeal Risk = (Business Value * Exposure)


Downstream Risk (DSR)

• Downstream risk: Sum of the risk scores of all hosts reachable, either directly or indirectly, that would therefore be exposed to a pivot attack from this host
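The two metrics defined on these slides, worked through as an added example (not RedSeal's code). The slides name the factors behind Exposure (CVSS scores, attack depth) but not its formula, so Exposure is taken as an input; the hosts, values and reachability graph are constructed, and the function names are hypothetical.

```python
from collections import deque

# Constructed sample hosts. "value" is Business Value (0..100) and
# "exposure" is a probability (0..1), both taken as given inputs here.
HOSTS = {
    "web": {"value": 40, "exposure": 0.75},
    "app": {"value": 60, "exposure": 0.5},
    "db":  {"value": 72, "exposure": 0.25},
    "dev": {"value": 20, "exposure": 0.0},
}
# Constructed access graph: host -> hosts it can reach directly.
REACH = {"web": ["app"], "app": ["db", "web"], "db": [], "dev": ["db"]}


def risk(host):
    """RedSeal Risk = Business Value * Exposure, with range checks."""
    h = HOSTS[host]
    if not 0 <= h["value"] <= 100 or not 0.0 <= h["exposure"] <= 1.0:
        raise ValueError(f"{host}: value or exposure out of range")
    return h["value"] * h["exposure"]


def downstream_hosts(host):
    """Hosts reachable directly or indirectly from host, excluding itself."""
    seen, queue = {host}, deque([host])
    while queue:
        for nxt in REACH.get(queue.popleft(), []):
            if nxt not in seen:      # cycle-safe: each host is counted once
                seen.add(nxt)
                queue.append(nxt)
    return seen - {host}


def downstream_risk(host):
    """Downstream Risk: sum of the risk of every downstream host."""
    return sum(risk(h) for h in downstream_hosts(host))


def report():
    """Rows of (host, risk, downstream risk), highest downstream risk first."""
    rows = [(h, risk(h), downstream_risk(h)) for h in HOSTS]
    return sorted(rows, key=lambda r: (-r[2], -r[1], r[0]))


if __name__ == "__main__":
    for host, r, dsr in report():
        print(f"{host:4} risk={r:5.1f} downstream_risk={dsr:5.1f}")
```

In the sample data `dev` has a Risk of zero but a non-zero Downstream Risk because it can reach `db`, which is the case the per-host Risk score alone does not show.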


RedSeal Risk Map: Visualizing Vulnerability Metrics


Multiple, and Custom, Risk Maps are Available

The Risk Map Controls tab controls how to ORGANIZE, COLOR, and SIZE the Host Risk icons

The FILTER section allows specific value ranges to be selected, and also provides Color Map controls

The RISK MAP itself provides multiple facets of drill-down capabilities

The DETAILS, HOSTS, and VULNERABILITIES Tabs provide detailed numerical information. Exportable.


RedSeal:CCS Integration


RedSeal:Symantec CCS System Integration Overview

[Figure labels: CCS:RedSeal Connector; CCS Vulnerability Manager; CCS Standards Manager; CCS Incident Manager; CCS Policy Manager; Trouble Ticket; Device Config Files; RedSeal User Interface, Visual Queries, and Reports; Network Vulnerability Scans; CCS Dashboard Reports]


Configuring the Connector: RedSeal

Map RedSeal Connector Fields to Asset, Assessment, Status CCS Categories


Executing and Monitoring Jobs: RedSeal


CCS Dashboard


Questions?


Thank you!

Copyright © 2013 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.


Sean Finn


408.641.2200
