Turning the Network Inside Out

Joel Snyder, Ph.D.Senior PartnerOpus Onejms@opus1.com

Most networks focus on perimeter defense“[AT&T’s gateway creates] a sort of crunchy shell

around a soft, chewy center.” (Bill Cheswick, Design of a

Secure Internet Gateway, April, 1990)

Big Bad Internet

Perimeter defense has its flaws

“Protecting your network

with a perimeter firewall is

like putting a stake in the

middle of a field and

expecting the other team to

run into it.”

#include <statistic on insider

break-in percent>

“If your position is invisible,

the most carefully concealed

spies will not be able to get a

look at it.” (Sun-Tzu)

Big Bad Internet

Virus

Defense in Depth is the alternative

Make the network

“crunchy,” not soft and

chewy throughout.

Turn the network inside-

out: the security is on

the inside, not on the

outside

We don’t do defense-in-depth because...Cost

• The cost of adding firewall

“brains” has been

prohibitive

Performance

• Firewalls are slower than

Gigabit switches

Management

• Determining the “many-to-

many” relationships are

difficult

Cost

• The cost of adding firewall

“brains” has been

prohibitive

Performance

• Firewalls are slower than

Gigabit switches

Management

• Determining the “many-to-

many” relationships are

difficult

Authentication

• How do you know who

has that IP address

anyway? What about

NATed users?

Policy

• It’s hard to describe the

security policy for inside

users; it’s much easier

to describe the Internet-

oriented policy

Authentication

• How do you know who

has that IP address

anyway? What about

NATed users?

Policy

• It’s hard to describe the

security policy for inside

users; it’s much easier

to describe the Internet-

oriented policy

Whoops. I lied. My bad.

Cost• dropping

Performance• increasing

Management• getting better

Cost• dropping

Performance• increasing

Management• getting better

Authenticatio

n

• solved

Policy• OK, there had to be

something we

couldn’t solve with

technology

Authenticatio

n

• solved

Policy• OK, there had to be

something we

couldn’t solve with

technology

You can implement Defense-in-Depth

New and Exciting

802.1X Authentication

Digital Certificates

VLANs as Security Barriers

Multiple levels of ACLs

Firewall/VPN on the NIC

Network Intrusion

Detection/Prevention Systems

Not-so-bleeding-edge

MAC lock-down on ports

Authenticated routing updates

Rate-limiting (DoS resistance)

Host-based IDS

RADIUS-based authentication

SSH (Secure Shell) for management

SNMPv3 and not SNMPv2

“Access Ethernet” dedicated management network

802.1X is the new standard for layer 2 authentication

SupplicantEAP over WirelessEAP over LAN

Supplicant

Authenticators Authentication Server (e.g.,

RADIUS server)

EAP over RADIUS

The World

802.1X on every port adds security

In the wireless environment,

802.1X is absolutely required

• 802.11i and WPA (Wi-Fi

Protected Access) use

802.1X

• Pure 802.1X for

authentication solves

most WEP problems (if

implemented with mutual

authentication methods

TLS, TTLS or PEAP)

EAP over

RADIUS

“Put the user on VLAN x and here’s what he has access to...”

“Here’s your WEP key for the next 30 seconds...”

802.1X on every port adds security, II

In the wired environment, 802.1X adds security

• Microsoft gives it to you for free with W2K and XP

• Many wireless vendors too...

* 802.1X ties to RADIUS which means...

...you can use RADIUS to push authorization information to wired and wireless equipment* VLAN information* ACL (access control list) information

What are pitfalls and caveats with 802.1X?

802.1X does not mandate an authentication method

• So you have to pick one (TLS, TTLS, or PEAP)

• There are a bunch of choices and a bunch of interoperability problems

(TTLS vs. PEAP)

• Strategy: hold off until this battle is settled by the IETF

802.1X does not require you to swap out your RADIUS infrastructure

• You can get a new, small server which will proxy to your existing

RADIUS servers

802.1X will not immediately be “full featured”

• Authorization information, such as ACLs and VLANs, is still awaiting

“industry agreement”

n = p•q

d = e-1 mod((p-1)(q-1))

Public/Private Cryptography enables ...

Authentication

• Using public/private cryptography, I can strongly prove my

identity

Integrity Checking

• Using public/private cryptography, I can digitally sign documents

and ensure that they cannot be tampered with

• Digitally signed documents have “proof of sender” as well

Encryption

• Using public/private cryptography, I can encrypt short and long

strings of data effectively

Digital Certificates enable public/private cryptography

A Certificate can be many things and have many forms, but fundamentally is a binding of a public key to an identity

n = p•q

d = e-1 mod((p-1)(q-1))

Many existing IT applications can use certificates

Authentication

SSL-based Web servers

VPNs Remote User

Authentication

Windows 2K/XP Login

802.1X Network

Authentication

E-mail (Netscape, Outlook,

others supporting S/MIME)

Encryption

E-mail (S/MIME clients)

Certificate-based techniques can also be used to pass encryption keys for secret key encryption: disk partitions, for example

And they all can use the same certificate!

So, why isn’t everyone using them?

PKI manufacturers have made it more complex than it needs

to be

• “Solve all the problems up front, for country-wide

deployments” seems to be their strategy

And expensive!

Certificate Revocation List strategies have not been coherent

• Online Certificate Status Protocol may help

Certificate Enrollment is chaotic

• Four different protocols in common use

• Plus a few proprietary ones

VLANs aren’t just for breakfast anymore

802.1q (Virtual LANs) can be used to combine, yet not mix, traffic

from multiple networks

Originally: Management Domains

Now: Security Domains

“tagged” VLANs

Use VLANs to distribute protected and unprotected services

1st Floor 2nd Floor 3rd Floor 4th Floor

Using VLANs for security has its risks

If packets jump from one VLAN to the

other... the game is over

Management of switching infrastructure

is now as important as management of

firewalls

Your switches are your weak links

• Attacks

• Bugs

Switch vendors have a very bad

reputation in this area

Risk/Benefit Analysis

All Access Control Lists are not created equalSome are more equal than others

Static Packet

Filters

Typically look only

IP layer

Cannot be used for

port-based

controls

Are commonly

implemented

High performance

“Extended” Access

Lists

(Packet Filters)

Look at things within

IP and TCP or UDP

header (such as port

number and flags)

Can be used for

limited port-based

controls

Available on many,

but not all, platforms

High performance

Stateful

Packet Filters

Look at entire

datagram and try and

simulate higher layer

state machines

Considered very

secure at layer 3

(Check Point, Cisco

depend on them)

Slower and more

CPU/memory

intensive

ACLs can be spread throughout your network to increase security

Pre-filter protocols (such as SNMP) you never want to let in; block spoofed packets

Block SMTP not from Internet.

Allow traffic to HR server only from HR VLAN

User can get to departmental servers and Internet only

Kiosk PCs can’t get to inside net

ACLs everywhere is a tricky situationStatic ACLs on ports can be difficult to manage and maintain (at

this time)

802.1X-derived ACLs don’t have sufficient context to work at IP

layer (yet)

Not every device has the capability

Not every policy-based security server has the ability

“Put the user on VLAN x and here’s what he has access to...”

But this is a technology coming very soon to a theatre near you!

You can put a firewall on a NICTechnically, this is not making the

network itself crunchy and more secure

“Defense in Depth” isn’t too concerned

with labels

Policy Server

Policy

Policy

Vendors: 3COM, Snap, OmniCluster, NetMaster, Corrent

You can make a network which has deep defenses

TheNetwork

TheNetwork

IDS/IPSIntrusion Detection

and Preventionfor forensics and

prevention

IDS/IPSIntrusion Detection

and Preventionfor forensics and

prevention

PerimeterFirewallsand VPNs

Old Standbys still useful!

PerimeterFirewallsand VPNs

Old Standbys still useful!

PKI AuthenticationUniform approach toauthentication givesstrongest security

PKI AuthenticationUniform approach toauthentication givesstrongest security

Multi-Level SecurityPush ACLs everywhere

they can go,dynamic, too.

Multi-Level SecurityPush ACLs everywhere

they can go,dynamic, too.

Layer 2Authentication

802.1X Network Login authenticates

users

Layer 2Authentication

802.1X Network Login authenticates

users

Internal SecurityEmbedded Firewall secures desktops

and servers

Internal SecurityEmbedded Firewall secures desktops

and servers

WirelessSecure wireless LAN, using 802.1X and/or802.11i and/or IPsec

WirelessSecure wireless LAN, using 802.1X and/or802.11i and/or IPsec

SegmentationVLANs as management

and as securitydomains

SegmentationVLANs as management

and as securitydomains

Thank you.

Questions, comments?