Improving Your Network Defense -...
Transcript of Improving Your Network Defense -...
2
Agenda: Improving Your Network Defense
What's the Thesis?
Intrusion Detection
Collecting Information
Enabling Features
Vulnerability Analysis
Network Access Control
3
A Firewall Blocks Traffic, but…
A firewall cannot tell you how your network is operating
A firewall cannot tell you whether your network is secure
Some traffic gets through; some doesn't.
What do you know about the traffic that got through?
4
Improve Network Security with Visibility and with Control
Visibility means: knowing what is happening on the network from a SECURITY point of view
Also may mean: knowing what is happening on the network from a NETWORK point of view
(these "points of view" are not that far off)
Control means: enabling control points on your network to direct and manage traffic
Means: changing the network to be a secure asset rather than an anything-goes utility
5
Improve Network Security with Visibility and with Control (visibility examples)
What is this guy doing?
What is this server running?
Who is infected?
What is using all the bandwidth?
6
Improve Network Security with Visibility and with Control (control examples)
Who is this person?
Who/What can connect to this application?
Segment to control
Is this system OK?
7
Goal 1: Increase your ability to see security issues within the network
Strategy: Add NIDS (intrusion detection sensors) inside the core & DMZ networks
8
IDS is not really for detecting Intrusions
It is for detecting:
Security policy violations
Infected systems on your network
Mis-configured applications, firewalls, and systems
Information leakage
Unauthorized servers and clients
A properly configured firewall and patch discipline means that an IDS is unlikely to catch an "intrusion".
9
What's hard about IDS is Management
Decision flowchart:
Do I have IDS budget?
  Yes: Buy one, and don't forget the management console.
  No: Use Snort sensors.
Do I have SIM budget?
  Yes: Buy SIM as a management console. OK!
  No: Uh oh. Get some good training. Get some!
10
Most Common Errors in IDS Deployment and Operation
1) Putting Sensors in the Wrong Place
2) Not Customizing IDS for Your Environment
3) Not Linking IDS to Network, Application, and Security Knowledge
4) Not Listening to What the IDS Says
5) Mistaking IDS for IPS
On 4: No, really. If you aren't going to use the console at least once a week, you probably don't want to put this in place.
On 5: An IPS drops packets; it's a firewall with a default-allow policy. An IDS looks for anomalies, policy violations, malicious traffic, and funny packets.
12
Goal 2: Gain better insight into traffic and flows within the network
Strategy: Collect and analyze security and flow information from existing control points
13
You already have an abundance of instrumentation… use it!
Routers
Firewalls
Switches
Load Balancers
Systems/Servers
14
Who is Talking and How Much? You already know!
Routers:
  Generate flow records (NetFlow, sFlow, etc.)
  Generate ACL permit/deny
Firewalls:
  Generate Accept and Deny
  Generate traffic flow data in session end records
Switches:
  Generate Link Up/Down
  Have traffic flow data (SNMP)
  Have network topology info.
15
Once you have the data, you can answer important questions
What is this guy doing?
What is using all the bandwidth?
Who is running a rogue mail server?
What servers are being used the most?
How should I start optimizing the network?
When do I need to upgrade to faster pipes/systems?
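As an added example (not from the slides), two of the questions above, "what is using all the bandwidth?" and "who is running a rogue mail server?", answered from a small constructed NetFlow-style export. The 10.0.0.0/8 internal range and the authorized-relay list are assumptions made for the example.

```python
import csv
import io
from collections import Counter

# Constructed NetFlow-style export (made up for this example, not a real
# capture): src,dst,proto,sport,dport,bytes, one record per unidirectional flow.
SAMPLE_FLOWS = """\
src,dst,proto,sport,dport,bytes
10.1.1.50,203.0.113.10,6,51234,443,1200000
10.1.1.50,203.0.113.11,6,51235,443,800000
10.1.2.7,198.51.100.20,6,44000,25,4000
10.1.2.7,198.51.100.21,6,44001,25,3500
10.1.2.7,198.51.100.22,6,44002,25,3900
10.1.1.25,198.51.100.30,6,40000,25,60000
10.1.1.25,198.51.100.31,6,40001,25,70000
10.1.4.4,203.0.113.50,17,5000,5000,250000000
"""

# Assumed inventory: the only host that is allowed to send mail out.
AUTHORIZED_MAIL_RELAYS = {"10.1.1.25"}

def parse_flows(text):
    """Parse CSV flow records into dicts with integer proto/ports/bytes."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("proto", "sport", "dport", "bytes"):
            row[key] = int(row[key])
        flows.append(row)
    return flows

def top_talkers(flows, n=3):
    """'What is using all the bandwidth?': bytes sent per source, largest first."""
    total = Counter()
    for f in flows:
        total[f["src"]] += f["bytes"]
    return total.most_common(n)

def rogue_mail_servers(flows, authorized, min_peers=2):
    """'Who is running a rogue mail server?': internal hosts (assumed 10.0.0.0/8)
    that open SMTP (TCP/25) to at least min_peers distinct destinations but are
    not on the authorized relay list. A spam-bot infection looks exactly like this."""
    peers = {}
    for f in flows:
        if f["proto"] == 6 and f["dport"] == 25 and f["src"].startswith("10."):
            peers.setdefault(f["src"], set()).add(f["dst"])
    return sorted(h for h, d in peers.items()
                  if len(d) >= min_peers and h not in authorized)
```

Run over a real exporter's records, the same two functions flag the volume hogs and the hosts talking SMTP that the mail team never heard of.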
16
Of course, it's not as easy as turning on logging and flow data
Cisco platforms are optimized to route packets, not report on them
Gathering network flow data may have other costs
The data will be expressed in "network" terms (such as IP address)
You probably want different terms (such as username or NETBIOS name)
Understanding and analyzing the data requires additional tools
Asking for the data is pretty easy
17
Action Items: Network Visibility
Investigate SIM products or open source tools to collect and summarize flow and session information
Install open source tools or commercial products to monitor traffic counters at the switch port level and generate usage data
Begin archiving session data (hey, disk is cheap) for future long-term analysis projects
18
Goal 3: Gain greater and more granular control over all traffic
Strategy: Enable security on devices you already own such as switches, routers, and firewalls
20
Your external router is a good first cleaner for traffic
Anti-spoofing ACL starts here
Block access to control plane on external network
Block traffic you don't want to waste logging on (Slammer, etc.)
Alert on attempted control plane access
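Added example, not from the slides: the four rules above expressed as an ordered ingress filter, evaluated the way an ACL on the external interface would evaluate them, and run over constructed packet headers. The address blocks, router address and management ports are assumptions for the example; the rule order matters, since a packet matches the first rule only.

```python
import ipaddress

# Assumed addressing for this example (constructed, not from the slides).
OUR_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]      # our public block
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                   "127.0.0.0/8", "0.0.0.0/8")]
ROUTER_ADDRESSES = {ipaddress.ip_address("198.51.100.1")}     # router control plane
MANAGEMENT_PORTS = {22, 23, 161}                              # ssh, telnet, snmp
SILENT_DROPS = {(17, 1434)}   # (proto, dport): SQL Slammer noise, not worth logging

def classify_ingress(pkt):
    """Classify one packet arriving on the external interface.
    pkt is a dict: src, dst (strings), proto (6/17), dport (int).
    Returns (action, log): action is 'permit' or 'drop', log is None,
    'log' or 'alert'. First matching rule wins, exactly as in an ACL."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    # 1. Anti-spoofing: our own addresses or bogons can never arrive from outside.
    if any(src in n for n in OUR_PREFIXES + BOGON_PREFIXES):
        return "drop", "log"
    # 2. Control plane: nobody outside manages this router; alert on attempts.
    if dst in ROUTER_ADDRESSES and pkt["dport"] in MANAGEMENT_PORTS:
        return "drop", "alert"
    # 3. Known worm noise: drop without logging so the log stays useful.
    if (pkt["proto"], pkt["dport"]) in SILENT_DROPS:
        return "drop", None
    # 4. Everything else goes on to the firewall for the real policy decision.
    return "permit", None

def apply_acl(packets):
    """Run a batch of packets through the filter; return what passed and the alerts."""
    alerts, permitted = [], []
    for p in packets:
        action, log = classify_ingress(p)
        if log == "alert":
            alerts.append(f"control-plane attempt {p['src']} -> {p['dst']}:{p['dport']}")
        if action == "permit":
            permitted.append(p)
    return permitted, alerts

# Constructed packet headers as seen on the external interface.
SAMPLE_PACKETS = [
    {"src": "203.0.113.9", "dst": "198.51.100.80", "proto": 6, "dport": 443},
    {"src": "198.51.100.77", "dst": "198.51.100.80", "proto": 6, "dport": 80},   # spoofed
    {"src": "192.168.1.5", "dst": "198.51.100.80", "proto": 6, "dport": 80},     # bogon
    {"src": "203.0.113.9", "dst": "198.51.100.1", "proto": 6, "dport": 22},      # mgmt
    {"src": "203.0.113.40", "dst": "198.51.100.80", "proto": 17, "dport": 1434}, # Slammer
]
```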
22
Are you using all the features you paid for in your external firewall?
Most firewalls have rate-based DoS/IPS features… turn them on!
Do you have a "default pass all" for outbound traffic? If so, reconsider. SMTP? Non-Web?
Secure your control plane traffic and disable non-secure management
24
Control traffic TO and THRU each device in the network
Control plane management: either a separate management network (best) or ACLs (good)
Traffic management: block and alert on common errors and worms; install anti-spoofing ACLs
25
Action Items: Leverage Existing Points
Enable security features on security devices (such as firewalls) that you already have but are not using
• DoS protection most typical
• Limited IPS features common
Put coarse controls at external devices to protect control/management plane, anti-spoofing, and common worms
Secure internal control/management plane traffic using either a separate "access ether" or ACLs; configuration tools
26
Goal 4: Better understand the security posture of your own network
Strategy: Use active or passive vulnerability analysis and network discovery
27
Knowing what services are running on the network has great value
(Diagram: Network Team territory vs. Server Team territory)
The Server Team may think they know what's going on, but getting a second opinion is always useful.
29
Active scanning can tell you more than just services
Examples include: Nessus, Retina, Core Impact, ISS, SARA, Qualys, Saint, MS Baseline, nmap
30
Active Scanning has a huge political cost that may drive you to Passive
Active scanning will crash systems and applications
• It's a side-effect of how these things work
• Even the most gentle scan can crash applications
Active scanning is easily detectable and will set off alarms
Sometimes folks don't like being scanned, especially if you work for different bosses
32
Passive Scanning is more limited, but can give a lot of information still
Top examples: Sourcefire, Tenable (but many IDSes do this to a limited extent anyway)
33
Action Items: Network Scanning
Add regular nmap-style (service and O/S scan) services to your network
Research tradeoffs between active and passive scanners to see which might be right for you
Work with desktop/server team to determine areas where information sharing about services can help you both
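An added example (not from the slides) of the "second opinion" from slide 27, using the nmap-style scan of the first action item: parse nmap's XML output (-oX) and diff the open services against what the server team declares. The XML is constructed to follow nmap's schema and the inventory is assumed.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -sV -oX style output (made up here; element names follow nmap's real XML schema).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX - 10.1.1.0/24">
  <host><address addr="10.1.1.25" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="25"><state state="open"/><service name="smtp" product="Postfix smtpd"/></port>
  </ports></host>
  <host><address addr="10.1.1.80" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
    <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
  </ports></host>
  <host><address addr="10.1.1.99" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="25"><state state="open"/><service name="smtp"/></port>
  </ports></host>
</nmaprun>
"""

# What the server team says is running (assumed inventory): host -> {(proto, port)}.
SERVER_TEAM_INVENTORY = {"10.1.1.25": {("tcp", 25), ("tcp", 22)}, "10.1.1.80": {("tcp", 443)}}

def open_services(xml_text):
    """Return {host: {(proto, port, service_name)}} for every port nmap reports open."""
    found = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":   # skip closed/filtered
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            found.setdefault(addr, set()).add((port.get("protocol"), int(port.get("portid")), name))
    return found

def second_opinion(scan, inventory):
    """Diff the scan against the inventory. unexpected = listening but never declared
    (rogue or forgotten servers); missing = declared but not seen (host down, firewalled,
    or the inventory is stale). Both are {host: set of services}."""
    unexpected, missing = {}, {}
    for host, services in scan.items():
        extra = {s for s in services if s[:2] not in inventory.get(host, set())}
        if extra:
            unexpected[host] = extra
    for host, declared in inventory.items():
        gone = declared - {s[:2] for s in scan.get(host, set())}
        if gone:
            missing[host] = gone
    return unexpected, missing
```

Both result sets are worth a conversation with the server team: the unexpected ones are the rogue-server question from slide 15, the missing ones tell you the inventory is drifting.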
34
Goal 5: Ensure only authorized and "safe" users connect to the network
Strategy: Use Network Access Control (NAC) to authenticate, validate, and control all network usage
36
NAC Has Four Components
1. Authentication of the user
Authenticate: end users are authenticated before getting network access
37
Environmental Information Modifies Access or Causes Remediation
2. Use environmental information as part of policy decision making
Environment:
Where is the user coming from?
When is the access request occurring?
What is the End Point Security posture of the end point?
38
Access Controls Define Capabilities and Restrict the User
3. Control usage based on capabilities of hardware and security policy
Access Control:
Allow or deny access.
Put the user on a VLAN.
Send user to remediation.
Apply ACLs or firewall rules.
39
Management of Policy is the Weak Link in most NAC Solutions
4. Manage it all
Management: usable management and cross-platform NAC normalization
40
Action Items: Network Access Control
Roll out authentication using 802.1X (you can call it WPA2) on wireless networks
Meet with desktop team to discuss end-point security assessment and remediation strategies and how they would fit in NAC
Inventory network assets (embedded devices and network devices) to determine how NAC would affect the network