SecureTrack. Supporting SANS 20 Critical Security Controls. March


Table of Contents

Introduction
Critical Control 4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
    Procedures and tools for implementing and automating this control
    How can this control be implemented, automated, and its effectiveness measured?
Critical Control 5: Boundary Defense
    Procedures and tools for implementing and automating this control
    How can this control be implemented, automated, and its effectiveness measured?
Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
    Procedures and tools for implementing and automating this control
    How can this control be implemented, automated, and its effectiveness measured?
Critical Control 13: Limitation and Control of Network Ports, Protocols and Services
    Procedures and tools for implementing and automating this control
    How can this control be implemented, automated, and its effectiveness measured?
Conclusion

Introduction

The SANS Twenty Critical Security Controls is an important initiative designed to consolidate a number of the most important security standards and initiatives into one clear set of guidelines. Using the Critical Controls, enterprises can define, monitor and measure their security initiatives more simply and effectively than before.

The Top 20 Controls were agreed upon by a powerful consortium brought together by John Gilligan (previously CIO of the US Department of Energy and the US Air Force) under the auspices of the Center for Strategic and International Studies. Members of the Consortium include NSA, US-CERT, DoD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, DoD Cyber Crime Center plus the top commercial forensics experts and pen testers that serve the banking and critical infrastructure communities.

The automation of these Top 20 Controls will radically lower the cost of security while improving its effectiveness. The US State Department, under CISO John Streufert, has already demonstrated more than 94% reduction in "measured" security risk through the rigorous automation and measurement of the Top 20 Controls. [1]

The most recent version of the Top 20 Critical Controls was released in August 2011 and includes the successful experience of both government agencies and private organizations. [2]

Firewalls and related network security devices including routers and switches are a significant part of the 20 Controls. Configuring, monitoring, and auditing these devices correctly is essential to assuring continuous network security. Tufin Security Suite SecureTrack and SecureChange are helping hundreds of organizations around the world to meet these challenges.

SecureTrack Firewall Operations Management

Tufin SecureTrack is the industry-leading Security Operations Management solution for network and next-generation firewalls as well as network infrastructure including routers, switches, load balancers and web proxies. SecureTrack features powerful tools that eliminate routine, manual tasks while assuring security and business continuity for large and small enterprises.

SecureTrack Auditing and Compliance

Tufin SecureTrack enables organizations to comply with regulatory standards and successfully pass security audits. SecureTrack combines triggered compliance alerts with built-in reports such as PCI DSS 2.0 to dramatically reduce audit preparation times.

SecureChange Security Change Automation

Tufin's pioneering SecureChange solution enables companies to automate security change management and risk analysis for the network. With SecureChange, companies can automate business processes to proactively enforce security policies and support governance initiatives.

In this paper, we examine the Critical Controls that relate to firewalls and network configuration management, and show you how Tufin enables security teams to fulfill the requirements described in each control. We will examine the essential role of automated change tracking and compliance monitoring in assuring continuous security, and look at the ways you can proactively analyze and recertify your security devices in order to eliminate potential threats.

[1] For the latest version of the 20 Critical Controls, see the SANS web site securitycontrols/. All quotes in this white paper can be found there.
[2] SANS press release for the new version: critical controls.php

Control / Solution

Control 4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Solution: Tufin enables you to maintain a tight configuration for all of the network devices that control access to your network.

Control 5: Boundary Defense
Solution: Tufin enables you to improve and verify your boundary defenses and to safely protect additional network segments.

Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
Solution: Tufin maintains a complete, segregated audit trail along with tools for monitoring and analysis.

Control 13: Limitation and Control of Network Ports, Protocols and Services
Solution: Tufin provides the tools to ensure that access is restricted and to verify business justification for all access.

Critical Control 4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

The 4th control covers the need to maintain a tight configuration for all of the network devices that control access. This consists of defining a coherent security policy and then ensuring that all devices continue to comply with this policy over time as changes are made. And since every access request is a potential security loophole, it is essential to verify the business justification for every exception, and to revalidate that need periodically.

Organizations that fail to manage their firewall, router and switch configurations are at risk. Attackers take advantage of the fact that network devices may become less securely configured over time as users demand exceptions for specific and temporary business needs, as the exceptions are deployed, and as those exceptions are not undone when the business need is no longer applicable. Making matters worse, in some cases, the security risk of the exception is neither properly analyzed nor measured against the associated business need. Attackers search for electronic holes in firewalls, routers, and switches and use those to penetrate defenses. [3]

Procedures and tools for implementing and automating this control

Some organizations use commercial tools that evaluate the rule set of network filtering devices to determine whether they are consistent or in conflict, providing an automated sanity check of network filters and search for errors in rule sets or access controls lists (ACLs) that may allow unintended services through the device. Such tools should be run each time significant changes are made to firewall rule sets, router ACLs, or other filtering technologies.

Tufin Security Suite offers a comprehensive, lifecycle approach to maintaining secure configuration of firewalls, routers and switches. It includes several key capabilities:

Corporate compliance policies: SecureTrack gives you a simple way to translate your corporate compliance strategy into a concrete policy that you can automatically monitor. Without coding, SecureTrack's Corporate Compliance Policy enables you to define traffic that should always be allowed, or always be blocked. You can also define a Risk Management Policy that specifies either blacklist or whitelist traffic, as well as permitted exceptions. This policy helps you to ensure that no changes are made that pose a threat to business continuity.

Compliance alerts: Any time a firewall or router configuration change violates the corporate policy, an alert is sent out so that you can maintain continuous compliance, without waiting for the next audit.

Compliance reports: You can manually run or schedule periodic compliance audit reports that show the current security policy configuration in comparison to the Corporate Compliance and Risk Management policies. Many other reports can be used to audit your security policy configuration, including the Software Version Compliance report, the Best Practices Report, and the Security Risk Report.

Policy analysis: Before implementing a change, you can use SecureTrack's Security Policy Analysis to identify possible conflicts or violations. This proactive risk analysis tool can save hours of painstaking, manual rule base review. Network topology discovery automatically identifies the relevant devices in a query and makes it easy to define zone-based queries.

Rule documentation and recertification: To keep your security policy up to date at all times, you can document an expiration date and a business owner for each rule. SecureTrack will automatically alert you to rules that are going to expire so that you can recertify them, or delete them. You can also schedule reports by expiration date or owner to help manage your access rules proactively.

How can this control be implemented, automated, and its effectiveness measured?

Quick Win, Metric or Sensor / Tufin Solution

Quick wins: Compare firewall, router, and switch configuration against standard secure configurations defined for each type of network device in use in the organization. The security configuration of such devices should be documented, reviewed, and approved by an organization change control board. Any deviations from the standard configuration or updates to the standard configuration should be documented and approved in a change control system.
Tufin Solution: Define a corporate compliance policy in SecureTrack that will automatically alert to any change that is not compliant. Periodically use the Software Version Compliance Report, the Corporate Compliance report, the Security Best Practices Audit, and the Cisco Device Configuration Report (DCR) to ensure that all device configurations comply with your policy.

Quick wins: At network interconnection points such as Internet gateways, inter-organization connections, and internal network segments with different security controls implement ingress and egress filtering to allow only those ports and protocols with an explicit and documented business need. All other ports and protocols should be blocked with default deny rules by firewalls, network-based IPS, and/or routers.
Tufin Solution: In SecureTrack, create a compliance policy for zone-to-zone communications and generate automatic alerts when administrators allow any unauthorized or unapproved traffic or zones. You can create custom compliance policies that define black list, white list and business continuity policies and SecureTrack will make sure that they are enforced continuously.

Configuration/Hygiene: All new configuration rules beyond a baseline hardened configuration that allow traffic to flow through network security devices, such as firewalls and network-based IPS, should be documented and recorded in a configuration management system, with a specific business reason for each change, a specific individual's name responsible for that business need, and an expected duration of the need. At least once per quarter, these rules should be reviewed to determine whether they are still required from a business perspective. Expired rules should be removed.
Tufin Solution: SecureTrack's Rule Documentation and Recertification enables you to assign a justification, a business and technical owner, and an expiration date to every access rule. You can schedule alerts and reports about expiring rules so that administrators can review their current business justification and either delete or recertify. You can also use the Rule and Object usage report to identify unused rules and objects on each device and remove them if they are no longer necessary.

Configuration/Hygiene: The latest stable version of a network device's inter-network operating system (IOS) or firmware must be installed within 30 days of the update being released from the device vendor.
Tufin Solution: Use the Software Version Compliance report to indicate the correct version that should be installed and check compliance on each of the devices on your network.

Advanced: The network infrastructure should be managed across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Tufin Solution: Use SecureTrack's Policy Analysis to simulate network traffic and verify separation of networks.

Sensor: File Integrity Software
Measurement: Standard images for the installation of systems have been created based on an accepted security standard published by organizations such as CIS, NSA, DISA, and others.
Score: Pass/Fail
Tufin Solution: Tufin's change monitoring automatically detects every change on every firewall, router and switch along with many additional devices including IPSs. Every change is saved and reported as part of a comprehensive audit trail with full accountability.

Sensor: Standard images
Measurement: Standard images for the installation of systems have been created based on an accepted security standard published by organizations such as CIS, NSA, DISA, and others.
Score: Pass/Fail
Tufin Solution: SecureTrack can be used to check all of the layers that comprise a standard image or configuration for a security device. First, the Software Version Compliance report checks that the correct updates are installed on every device. Second, the Best Practices Audit checks that every device is configured according to the leading security standards. For Cisco devices, there is also the Cisco Device Configuration report that checks for common errors and misconfigurations. On top of these norms, you can define your corporate compliance policy, and use automatic alerts as well as the Corporate Compliance report to ensure that devices are continuously in accordance with your policy.

Sensor: Packet generation tools
Measurement: Confirm that the network infrastructure properly handles, routes and filters IPv6 traffic.
Score: Pass or Fail.
Tufin Solution: Policy analysis enables you to simulate traffic and test your firewall and router configuration. It tests offline so you do not have to load your network with test traffic.

[3] SANS 20 Critical Security Controls, Control 4 securitycontrols/control.php?id=4 All quotes in this section are from this control.
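The Configuration/Hygiene requirement in Control 4 (a business reason, a named responsible individual and an expected duration for every rule, a quarterly review, removal of expired rules) and the default-deny Quick Win can be checked mechanically against an exported rule base. The following is an added example, not SecureTrack code or output; the `Rule` fields, the finding names, the 92-day review window and the sample rules are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# "At least once per quarter": treat a review older than 92 days as overdue
# (assumed threshold; adjust to the organization's own calendar).
REVIEW_INTERVAL = timedelta(days=92)


@dataclass
class Rule:
    """One access rule plus the documentation Control 4 asks for (hypothetical schema)."""
    rule_id: str
    action: str                           # "permit" or "deny"
    src: str
    dst: str
    service: str
    owner: Optional[str] = None           # individual responsible for the business need
    justification: Optional[str] = None   # specific business reason
    expires: Optional[date] = None        # expected duration of the need
    last_reviewed: Optional[date] = None


def audit_rule(rule: Rule, today: date) -> List[str]:
    """Return the hygiene findings for a single rule; deny rules need no justification."""
    if rule.action != "permit":
        return []
    findings = []
    if not rule.justification:
        findings.append("missing-justification")
    if not rule.owner:
        findings.append("missing-owner")
    if rule.expires is None:
        findings.append("missing-expiry")
    elif rule.expires < today:
        findings.append("expired")
    if rule.last_reviewed is None or today - rule.last_reviewed > REVIEW_INTERVAL:
        findings.append("review-overdue")
    return findings


def audit_rulebase(rules: List[Rule], today: date) -> Dict[str, List[str]]:
    """Audit every rule and confirm the rule base ends in an explicit default deny."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule, today)
        if findings:
            report[rule.rule_id] = findings
    last = rules[-1] if rules else None
    ends_in_deny = (
        last is not None
        and last.action == "deny"
        and (last.src, last.dst, last.service) == ("any", "any", "any")
    )
    if not ends_in_deny:
        report["<rulebase>"] = ["no-default-deny"]
    return report


# Constructed sample data, not taken from any real device.
TODAY = date(2025, 6, 15)
SAMPLE_RULES = [
    Rule("R1", "permit", "10.1.0.0/24", "10.2.0.10", "tcp/443",
         owner="j.doe", justification="Order portal to payment API",
         expires=date(2025, 12, 31), last_reviewed=date(2025, 5, 1)),
    Rule("R2", "permit", "any", "10.2.0.20", "tcp/22",
         justification="Temporary vendor access",
         expires=date(2025, 3, 31), last_reviewed=date(2024, 12, 1)),
    Rule("R3", "permit", "10.3.0.0/16", "any", "udp/53"),
    Rule("R4", "deny", "any", "any", "any"),
]

if __name__ == "__main__":
    for rule_id, findings in audit_rulebase(SAMPLE_RULES, TODAY).items():
        print(f"{rule_id}: {', '.join(findings)}")
```
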

Critical Control 5: Boundary Defense

The 5th control focuses on the importance of establishing secure boundaries at a time when clear physical perimeters no longer exist.

It should be noted that boundary lines between internal and external networks are diminishing as a result of increased interconnectivity within and between organizations as well as the rapid rise in deployment of wireless technologies. These blurring lines sometimes allow attackers to gain access inside networks while bypassing boundary systems. However, even with this blurring of boundaries, effective security deployments still rely on carefully configured boundary defenses that separate networks with different threat levels, sets of users, and levels of control. [4]

Procedures and tools for implementing and automating this control

The boundary defenses included in this control build on Critical Control 4. The additional recommendations here focus on improving the overall architecture and implementation of both Internet and internal network boundary points. Internal network segmentation is central to this control because once inside a network, many intruders attempt to target the most sensitive machines.

Tufin Security Suite can help organizations to comply with this control in two key ways:

Policy Analysis: SecureTrack's sophisticated policy analysis enables you to check network access between any source and destination. Using Network Topology Intelligence, it shows you all of the devices along the access path on a dynamic, visual map. With Policy Analysis you can ensure that there is no unjustified access to and from sensitive internal networks.

Automatic Policy Generator: Use SecureTrack's Automatic Policy Generator (APG) to quickly and safely deploy firewalls on additional internal network segments without threatening business continuity. APG analyzes network traffic logs and designs a firewall policy that allows only the traffic that is actually required.

How can this control be implemented, automated, and its effectiveness measured?

Quick Win, Metric or Sensor / Tufin Solution

Quick wins: Organizations should deny communications with (or limit data flow to) known malicious IP addresses (black lists) or limit access to trusted sites (white lists). Tests can be periodically carried out by sending packets from bogon source IP addresses into the network to verify that they are not transmitted through network perimeters. Lists of bogon addresses (unroutable or otherwise unused IP addresses) are publicly available on the Internet from various sources, and indicate a series of IP addresses that should not be used for legitimate traffic traversing the Internet.
Tufin Solution: Define a Compliance Policy in SecureTrack that includes black list and white list traffic. Use the compliance alerts to notify about any configuration change that could violate the policy. Schedule the Compliance Audit report to periodically run and verify that all firewalls and routers are configured correctly.

Visibility/Attribution: Define a network architecture that clearly separates internal systems from DMZ and extranet systems. DMZ systems are machines that need to communicate with the internal network as well as the Internet, while extranet systems are those whose primary communication is with other systems at a business partner. DMZ systems should never contain sensitive data and internal systems should never be directly accessible from the Internet.
Tufin Solution: Define a zone-based Compliance Policy that ensures that traffic from the internal network cannot pass to the internet. Use the automatic alerts and reports to verify the network design and ensure that configuration changes do not violate the design in real time.

Visibility/Attribution: Design and implement network perimeters so that all outgoing web, file transfer protocol (FTP), and secure shell traffic to the Internet must pass through at least one proxy on a DMZ network. The proxy should support logging individual TCP sessions; blocking specific URLs, domain names, and IP addresses to implement a black list; and applying white lists of allowed sites that can be accessed through the proxy while blocking all other sites. Organizations should force outbound traffic to the Internet through an authenticated proxy server on the enterprise perimeter. Proxies can also be used to encrypt all traffic leaving an organization.
Tufin Solution: With Policy Analysis, you can verify that no sensitive protocols go directly from the internal network to the internet, but pass through a proxy. Implement these tests as a compliance policy and use alerts and scheduled reports to enforce the policy and ensure continuous compliance.

Configuration/Hygiene: Organizations should periodically scan for back-channel connections to the Internet that bypass the DMZ, including unauthorized VPN connections and dual-homed hosts connected to the enterprise network and to other networks via wireless, dial-up modems, or other mechanisms.
Tufin Solution: Use Policy Analysis to verify that there are no back door connections to the firewalls.

Configuration/Hygiene: To limit access by an insider or malware spreading on an internal network, organizations should devise internal network segmentation schemes to limit traffic to only those services needed for business use across the internal network.
Tufin Solution: With the Automatic Policy Generator, you can implement firewalls on additional network segments that have a non-permissive policy yet do not threaten business continuity. Use Rule Documentation to add a business justification to every access rule and to trigger alerts for expiring rules that require recertification.

Configuration/Hygiene: Organizations should develop plans to rapidly deploy filters on internal networks to help stop the spread of malware or an intruder.
Tufin Solution: Using policy analysis can help you to plan where to install those changes, effectively assuring that when they are deployed, they are 100% effective.

Advanced: To minimize the impact of an attacker pivoting between compromised systems, only allow DMZ systems to communicate with private network systems via application proxies or application-aware firewalls over approved channels.
Tufin Solution: Use Policy Analysis and a Compliance Policy to ensure that the DMZ can only access proxy servers.

[4] SANS 20 Critical Security Controls, Control 5 securitycontrols/control.php?id=5 All quotes in this section are from this control.
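The bogon Quick Win in Control 5 can also be verified offline, in the spirit of the policy analysis described above, by evaluating a perimeter ingress ACL with first-match semantics and reporting any bogon source range that reaches a permit rule. This is an added example, not SecureTrack code; it assumes a simplified `action source` rule syntax matched on source address only, an implicit deny at the end of the ACL, and a short constructed list of IPv4 special-purpose ranges that stands in for a full published bogon list.

```python
import ipaddress

# Constructed subset of reserved/special-purpose IPv4 ranges; a real check
# would load a maintained bogon list instead.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def parse_acl(lines):
    """Parse 'permit|deny <cidr|any>' lines (hypothetical syntax) into ordered rules."""
    rules = []
    for line in lines:
        action, src = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in rule: {line!r}")
        rules.append((action, ipaddress.ip_network("0.0.0.0/0" if src == "any" else src)))
    return rules


def _subtract(remaining, net):
    """Remove the address space of `net` from a list of CIDR blocks."""
    out = []
    for block in remaining:
        if not block.overlaps(net):
            out.append(block)                        # untouched by this rule
        elif block.subnet_of(net):
            continue                                 # fully consumed by this rule
        else:
            out.extend(block.address_exclude(net))   # rule carves a hole in block
    return out


def bogon_leaks(rules, bogons=BOGONS):
    """Return (rule_number, prefix) for every bogon range a permit rule matches first."""
    leaks = []
    for bogon in bogons:
        remaining = [bogon]                          # space not yet matched by any rule
        for number, (action, src) in enumerate(rules, start=1):
            # Two CIDR blocks that overlap always nest, so the hit is the smaller one.
            hits = [b if b.subnet_of(src) else src for b in remaining if b.overlaps(src)]
            if action == "permit":
                leaks.extend((number, str(h)) for h in hits)
            remaining = _subtract(remaining, src)
            if not remaining:
                break                                # whole range decided
        # Anything still in `remaining` falls through to the implicit deny.
    return leaks


# Constructed sample ACLs.
WEAK_ACL = [
    "deny 10.0.0.0/8",
    "permit 192.168.10.0/24",    # exception placed above the covering deny
    "deny 192.168.0.0/16",
    "deny 172.16.0.0/12",
    "permit any",
]
HARDENED_ACL = [f"deny {net}" for net in BOGONS] + ["permit any"]

if __name__ == "__main__":
    for number, prefix in bogon_leaks(parse_acl(WEAK_ACL)):
        print(f"rule {number} permits bogon source range {prefix}")
```
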

Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs

This control focuses on the need for thorough, meticulous logging of security systems and the ability to analyze those logs to identify both threats and security events.

Deficiencies in security logging and analysis allow attackers to hide their location, malicious software used for remote control, and activities on victim machines. Even if the victims know that their systems have been compromised, without protected and complete logging records they are blind to the details of the attack and to subsequent actions taken by the attackers. Without solid audit logs, an attack may go unnoticed indefinitely and the particular damages done may be irreversible. [5]

Procedures and tools for implementing and automating this control

In the realm of firewalls and routers, Tufin SecureTrack maintains a complete audit trail of every configuration change that is made to every device configuration, rule base, or ACL through a read-only connection. SecureTrack's audit trail provides detailed information about every change including full accountability on the part of the administrator who made the change. This change record is stored in the SecureTrack database, separated from the device, maintaining an independent security audit trail along with the complete device configuration.

SecureTrack includes several reports, including the Best Practices report and the Cisco Device Configuration Report (DCR), that check that other devices are set to log correctly.

With the Automatic Policy Generator (APG), SecureTrack also analyzes firewall traffic logs to locate overly permissive rules that may be abused by hackers. It proposes new, tighter rules based on actual usage traffic that can permit network traffic without preventing access for justified business needs and eliminate unnecessary access that was granted by old access rules.

How can this control be implemented, automated, and its effectiveness measured?

Quick Win, Metric or Sensor / Tufin Solution

Visibility/Attribution: Each organization should include at least two synchronized time sources (i.e., Network Time Protocol, NTP) from which all servers and network equipment retrieve time information on a regular basis so that timestamps in logs are consistent.
Tufin Solution: The Cisco Device Configuration Report (DCR) checks to verify that your device is configured to the proper NTP servers.

Visibility/Attribution: Network boundary devices, including firewalls, network-based IPS, and inbound and outbound proxies, should be configured to verbosely log all traffic (both allowed and blocked) arriving at the device.
Tufin Solution: The Best Practice Report includes a check for rules with no log tracking across all firewall vendors.

[5] security controls/control.php?id=6

Critical Control 13: Limitation and Control of Network Ports, Protocols and Services

Control 13 addresses the need to protect remotely accessible services and applications.

Attackers search for remotely accessible network services that are vulnerable to exploitation. Common examples include poorly configured web servers, mail servers, file and print services, and domain name system (DNS) servers installed by default on a variety of different device types, often without a business need for the given service. Many software packages automatically install services and turn them on as part of the installation of the main software package without informing a user or administrator that the services have been enabled. Attackers scan for such issues and attempt to exploit these services, often attempting default user IDs and passwords or widely available exploitation code. [6]

Procedures and tools for implementing and automating this control

SecureTrack's sophisticated policy analysis enables you to check network access between any source and destination. Using Network Topology Intelligence, it shows you all of the devices along the access path on a dynamic, visual map. With Policy Analysis you can identify the services that can be accessed from untrusted networks as well as the presence of internal firewalls.

With Rule Documentation and Recertification, you can document the business owner and justification of each network access rule along with an expiration date. Alerts and reports will let you know when rules are expiring so that you can review business justification for access regularly.

How can this control be implemented, automated, and its effectiveness measured?

Quick Win, Metric or Sensor / Tufin Solution

Visibility/Attribution: Any server that is visible from the Internet or an untrusted network should be verified, and if it is not required for business purposes it should be moved to an internal VLAN and given a private address.
Tufin Solution: Use SecureTrack Policy Analysis to identify the servers that are visible from an untrusted network. To validate and maintain business justification for visible servers, use Rule Documentation and Recertification to identify the business owner, and Rule and Object Usage Analysis to make sure that the access is being used.

Configuration/Hygiene: Services needed for business use across the internal network should be reviewed quarterly via a change control group, and business units should re-justify the business use. Sometimes services are turned on for projects or limited engagements, and should be turned off when they are no longer needed.
Tufin Solution: See section above.

Configuration/Hygiene: Operate critical services on separate physical host machines, such as DNS, file, mail, web, and database servers.
Tufin Solution: Use SecureTrack Policy Analysis to check these services. This check is standard in the PCI DSS compliance report.

Advanced: Application firewalls should be placed in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized services or traffic should be blocked and an alert generated.
Tufin Solution: Use Policy Analysis to verify that critical services are all behind application firewalls. With Palo Alto Networks Next Generation firewalls, you can use Policy Analysis to verify that application filtering is in place for critical services.

[6] security controls/control.php?id=13

Conclusion

The SANS 20 Critical Controls are a valuable tool for evaluating the efficacy of your security operations and for defining a roadmap for ongoing improvement. A number of the controls are concerned with the configuration, monitoring and auditing of firewalls and other network security infrastructure.

Tufin Security Suite is an essential solution for organizations that need to assure security and compliance for networks. It includes automation capabilities that enable you to track and audit every network configuration change, with full personal accountability. It gives you the in-depth analysis tools that you need in order to proactively evaluate risks and eliminate potential security loopholes.

Given the complexity of today's networks (the number of devices, the size of rule bases and ACLs, and the assortment of vendors), it is virtually impossible for security teams to manage device configuration manually. Around the world, hundreds of customers are using Tufin Security Suite to improve security, streamline operations, and assure compliance with standards. Customers report that on average, Tufin cuts the time and cost of change management and auditing in half. It eliminates the routine, painstaking manual tasks that not only take up valuable time, but can lead to potentially dangerous errors. According to Frost & Sullivan, SecureTrack can reduce audit preparation time by as much as 75% and, just as important, can enable you to be continuously compliant.

For more information about Tufin and how it can help you to comply with the SANS 20 Critical Controls, visit us at

Copyright 2015 Tufin
Tufin, Unified Security Policy, Tufin Orchestration Suite and the Tufin logo are trademarks of Tufin. All other product names mentioned herein are trademarks or registered trademarks of their respective owners.


Security by Default: Enabling Transformation Through Cyber Resilience Security by Default: Enabling Transformation Through Cyber Resilience FIVE Steps TO Better Security Hygiene Solution Guide Introduction Government is undergoing a transformation. The global economic condition,

More information

CyberP3i Course Module Series

CyberP3i Course Module Series CyberP3i Course Module Series Spring 2017 Designer: Dr. Lixin Wang, Associate Professor Firewall Configuration Firewall Configuration Learning Objectives 1. Be familiar with firewalls and types of firewalls

More information

Complying with RBI Guidelines for Wi-Fi Vulnerabilities

Complying with RBI Guidelines for Wi-Fi Vulnerabilities A Whitepaper by AirTight Networks, Inc. 339 N. Bernardo Avenue, Mountain View, CA 94043 www.airtightnetworks.com 2013 AirTight Networks, Inc. All rights reserved. Reserve Bank of India (RBI) guidelines

More information

IBM Secure Proxy. Advanced edge security for your multienterprise. Secure your network at the edge. Highlights

IBM Secure Proxy. Advanced edge security for your multienterprise. Secure your network at the edge. Highlights IBM Secure Proxy Advanced edge security for your multienterprise data exchanges Highlights Enables trusted businessto-business transactions and data exchange Protects your brand reputation by reducing

More information

CIS TOP 20 CONTROLS with RedSeal

CIS TOP 20 CONTROLS with RedSeal CIS TOP 20 CONTROLS with RedSeal CYBERSECURITY BEST PRACTICES The Center for Internet Security s Critical Security Controls (CIS Controls) represent global industry best practices for cybersecurity. They

More information

Privileged Account Security: A Balanced Approach to Securing Unix Environments

Privileged Account Security: A Balanced Approach to Securing Unix Environments Privileged Account Security: A Balanced Approach to Securing Unix Environments Table of Contents Introduction 3 Every User is a Privileged User 3 Privileged Account Security: A Balanced Approach 3 Privileged

More information

AlgoSec. Managing Security at the Speed of Business. AlgoSec.com

AlgoSec. Managing Security at the Speed of Business. AlgoSec.com AlgoSec Managing Security at the Speed of Business AlgoSec.com The AlgoSec Security Policy Management Suite As your data centers, networks and the security infrastructure that protects them continue to

More information

FireMon Security manager

FireMon Security manager FireMon Security manager Regain control of firewalls with comprehensive firewall management The enterprise network is a complex machine. New network segments, new hosts and zero-day vulnerabilities are

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

LOGmanager and PCI Data Security Standard v3.2 compliance

LOGmanager and PCI Data Security Standard v3.2 compliance LOGmanager and PCI Data Security Standard v3.2 compliance Whitepaper how deploying LOGmanager helps to maintain PCI DSS regulation requirements Many organizations struggle to understand what and where

More information

Google Cloud Platform: Customer Responsibility Matrix. December 2018

Google Cloud Platform: Customer Responsibility Matrix. December 2018 Google Cloud Platform: Customer Responsibility Matrix December 2018 Introduction 3 Definitions 4 PCI DSS Responsibility Matrix 5 Requirement 1 : Install and Maintain a Firewall Configuration to Protect

More information

COMPUTER NETWORK SECURITY

COMPUTER NETWORK SECURITY COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (9 th Week) 9. Firewalls and Intrusion Prevention Systems 9.Outline The Need for Firewalls Firewall Characterictics and Access Policy Type of Firewalls

More information

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE s3security.com Security Professional Services S3 offers security services through its Security Professional Services (SPS) group, the security-consulting

More information

CoreMax Consulting s Cyber Security Roadmap

CoreMax Consulting s Cyber Security Roadmap CoreMax Consulting s Cyber Security Roadmap What is a Cyber Security Roadmap? The CoreMax consulting cyber security unit has created a simple process to access the unique needs of each client and allows

More information

Federal Agency Firewall Management with SolarWinds Network Configuration Manager & Firewall Security Manager. Follow SolarWinds:

Federal Agency Firewall Management with SolarWinds Network Configuration Manager & Firewall Security Manager. Follow SolarWinds: Federal Agency Firewall Management with SolarWinds Network Configuration Manager & Firewall Security Manager Introduction What s different about Federal Government Firewalls? The United States Federal

More information

Chapter 9. Firewalls

Chapter 9. Firewalls Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential Effective means of protecting LANs Inserted between the premises network and the Internet to establish a controlled link however

More information

AWS Reference Design Document

AWS Reference Design Document AWS Reference Design Document Contents Overview... 1 Amazon Web Services (AWS), Public Cloud and the New Security Challenges... 1 Security at the Speed of DevOps... 2 Securing East-West and North-South

More information

CIS Top 20 #12 Boundary Defense. Lisa Niles: CISSP, Director of Solutions Integration

CIS Top 20 #12 Boundary Defense. Lisa Niles: CISSP, Director of Solutions Integration CIS Top 20 #12 Boundary Defense Lisa Niles: CISSP, Director of Solutions Integration CSC # 12 - Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus

More information

Education Network Security

Education Network Security Education Network Security RECOMMENDATIONS CHECKLIST Learn INSTITUTE Education Network Security Recommendations Checklist This checklist is designed to assist in a quick review of your K-12 district or

More information

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions Meeting PCI DSS 3.2 Compliance with Solutions Platform the industry s most comprehensive, intelligent platform for managing cyber risk. 2018, Inc. What s Changing with PCI DSS? Summary of PCI Business

More information

Skybox Firewall Assurance

Skybox Firewall Assurance Skybox Firewall Assurance Getting Started Guide 8.5.600 Revision: 11 Proprietary and Confidential to Skybox Security. 2017 Skybox Security, Inc. All rights reserved. Due to continued product development,

More information

Office 365 Buyers Guide: Best Practices for Securing Office 365

Office 365 Buyers Guide: Best Practices for Securing Office 365 Office 365 Buyers Guide: Best Practices for Securing Office 365 Microsoft Office 365 has become the standard productivity platform for the majority of organizations, large and small, around the world.

More information

Google Cloud Platform: Customer Responsibility Matrix. April 2017

Google Cloud Platform: Customer Responsibility Matrix. April 2017 Google Cloud Platform: Customer Responsibility Matrix April 2017 Introduction 3 Definitions 4 PCI DSS Responsibility Matrix 5 Requirement 1 : Install and Maintain a Firewall Configuration to Protect Cardholder

More information

VANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER

VANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER Achieving PCI DSS Compliance with Vanguard Integrity Professionals Software & Professional Services Vanguard is the industry leader in z/os Mainframe Software to

More information

How Security Policy Orchestration Extends to Hybrid Cloud Platforms

How Security Policy Orchestration Extends to Hybrid Cloud Platforms How Security Policy Orchestration Extends to Hybrid Cloud Platforms Reducing complexity also improves visibility when managing multi vendor, multi technology heterogeneous IT environments www.tufin.com

More information

Information Technology Procedure IT 3.4 IT Configuration Management

Information Technology Procedure IT 3.4 IT Configuration Management Information Technology Procedure IT Configuration Management Contents Purpose and Scope... 1 Responsibilities... 1 Procedure... 1 Identify and Record Configuration... 2 Document Planned Changes... 3 Evaluating

More information

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways Firewalls 1 Overview In old days, brick walls (called firewalls ) built between buildings to prevent fire spreading from building to another Today, when private network (i.e., intranet) connected to public

More information

WHITE PAPERS. INSURANCE INDUSTRY (White Paper)

WHITE PAPERS. INSURANCE INDUSTRY (White Paper) (White Paper) Achieving PCI DSS Compliance with Vanguard Integrity Professionals Software & Professional Services Vanguard is the industry leader in z/os Mainframe Software to ensure enterprise compliance

More information

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045 Critical Security Control Solution Brief Version 6 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable,

More information

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle Data Security and Privacy : Compliance to Stewardship Jignesh Patel Solution Consultant,Oracle Agenda Connected Government Security Threats and Risks Defense In Depth Approach Summary Connected Government

More information

Carbon Black PCI Compliance Mapping Checklist

Carbon Black PCI Compliance Mapping Checklist Carbon Black PCI Compliance Mapping Checklist The following table identifies selected PCI 3.0 requirements, the test definition per the PCI validation plan and how Carbon Black Enterprise Protection and

More information

Firewall Configuration and Management Policy

Firewall Configuration and Management Policy Firewall Configuration and Management Policy Version Date Change/s Author/s Approver/s 1.0 01/01/2013 Initial written policy. Kyle Johnson Dean of Information Services Executive Director for Compliance

More information

AUTHORITY FOR ELECTRICITY REGULATION

AUTHORITY FOR ELECTRICITY REGULATION SULTANATE OF OMAN AUTHORITY FOR ELECTRICITY REGULATION SCADA AND DCS CYBER SECURITY STANDARD FIRST EDITION AUGUST 2015 i Contents 1. Introduction... 1 2. Definitions... 1 3. Baseline Mandatory Requirements...

More information

Comprehensive Database Security

Comprehensive Database Security Comprehensive Database Security Safeguard against internal and external threats In today s enterprises, databases house some of the most highly sensitive, tightly regulated data the very data that is sought

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Port Security Port Security helps to control access to logical and physical ports, protocols, and services. This

More information

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview STRATEGIC WHITE PAPER Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview Abstract Cloud architectures rely on Software-Defined Networking

More information

Segment Your Network for Stronger Security

Segment Your Network for Stronger Security Segment Your Network for Stronger Security Protecting Critical Assets with Cisco Security 2017 Cisco and/or its affiliates. All rights reserved. 2017 Cisco and/or its affiliates. All rights reserved. The

More information

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks. Presenter Jakob Drescher Industry Cyber Security 1 Cyber Security? Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks. Malware or network traffic

More information

CISNTWK-440. Chapter 5 Network Defenses

CISNTWK-440. Chapter 5 Network Defenses CISNTWK-440 Intro to Network Security Chapter 5 Network Defenses 1 Objectives Explain how to enhance security through network design Define network address translation and network access control List the

More information

Introduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview

Introduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview IBM Watson on the IBM Cloud Security Overview Introduction IBM Watson on the IBM Cloud helps to transform businesses, enhancing competitive advantage and disrupting industries by unlocking the potential

More information

Securing CS-MARS C H A P T E R

Securing CS-MARS C H A P T E R C H A P T E R 4 Securing CS-MARS A Security Information Management (SIM) system can contain a tremendous amount of sensitive information. This is because it receives event logs from security systems throughout

More information

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF) Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF) A Guide to Leveraging Privileged Account Security to Assist with SWIFT CSCF Compliance Table of Contents Executive Summary...

More information

The Need In today s fast-paced world, the growing demand to support a variety of applications across the data center and help ensure the compliance an

The Need In today s fast-paced world, the growing demand to support a variety of applications across the data center and help ensure the compliance an Solution Overview Cisco ACI and AlgoSec Solution: Enhanced Security Policy Visibility and Change, Risk, and Compliance Management With the integration of AlgoSec into the Cisco Application Centric Infrastructure

More information

VANGUARD WHITE PAPER VANGUARD GOVERNMENT INDUSTRY WHITEPAPER

VANGUARD WHITE PAPER VANGUARD GOVERNMENT INDUSTRY WHITEPAPER VANGUARD GOVERNMENT INDUSTRY WHITEPAPER Achieving PCI DSS Compliance with Vanguard Integrity Professionals Software & Professional Services Vanguard is the industry leader in z/os Mainframe Software to

More information

Security

Security Security +617 3222 2555 info@citec.com.au Security With enhanced intruder technologies, increasingly sophisticated attacks and advancing threats, your data has never been more susceptible to breaches from

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 20: Intrusion Prevention Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Firewalls purpose types locations Network perimeter

More information

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

Daxko s PCI DSS Responsibilities

Daxko s PCI DSS Responsibilities ! Daxko s PCI DSS Responsibilities According to PCI DSS requirement 12.9, Daxko will maintain all applicable PCI DSS requirements to the extent the service prov ider handles, has access to, or otherwise

More information

DECRYPT SSL AND SSH TRAFFIC TO DISRUPT ATTACKER COMMUNICATIONS AND THEFT

DECRYPT SSL AND SSH TRAFFIC TO DISRUPT ATTACKER COMMUNICATIONS AND THEFT DECRYPT SSL AND SSH TRAFFIC TO DISRUPT ATTACKER COMMUNICATIONS AND THEFT SUMMARY Industry Federal Government Use Case Prevent potentially obfuscated successful cyberattacks against federal agencies using

More information

Detecting Internal Malware Spread with the Cisco Cyber Threat Defense Solution 1.0

Detecting Internal Malware Spread with the Cisco Cyber Threat Defense Solution 1.0 Detecting Internal Malware Spread with the Cisco Cyber Threat Defense Solution 1.0 April 9, 2012 Comments and errata should be directed to: cyber- tm@cisco.com Introduction One of the most common network

More information

University of Sunderland Business Assurance PCI Security Policy

University of Sunderland Business Assurance PCI Security Policy University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Interim Director

More information

Insurance Industry - PCI DSS

Insurance Industry - PCI DSS Achieving PCI DSS Compliance with Vanguard Integrity Professionals Software & Professional Services. Vanguard is the industry leader in z/os Mainframe Software to ensure enterprise compliance with the

More information

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems ACS-3921/4921-001 Computer Security And Privacy Chapter 9 Firewalls and Intrusion Prevention Systems ACS-3921/4921-001 Slides Used In The Course A note on the use of these slides: These slides has been

More information

locuz.com SOC Services

locuz.com SOC Services locuz.com SOC Services 1 Locuz IT Security Lifecycle services combine people, processes and technologies to provide secure access to business applications, over any network and from any device. Our security

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Version 1.0 Release: December 2004 How to Complete the Questionnaire The questionnaire is divided into six sections. Each

More information

T22 - Industrial Control System Security

T22 - Industrial Control System Security T22 - Industrial Control System Security PUBLIC Copyright 2017 Rockwell Automation, Inc. All Rights Reserved. 1 Holistic Approach A secure application depends on multiple layers of protection and industrial

More information

The Common Controls Framework BY ADOBE

The Common Controls Framework BY ADOBE The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.

More information

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats. IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats. Enhancing cost to serve and pricing maturity Keeping up with quickly evolving ` Internet threats

More information

CSC - DRAFT - VER6c FOR PUBLIC COMMENT ONLY

CSC - DRAFT - VER6c FOR PUBLIC COMMENT ONLY The Center for Internet Security Critical Security Controls Version 6.1 Family Control Control Description SecureTheVillage Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

More information

SYMANTEC DATA CENTER SECURITY

SYMANTEC DATA CENTER SECURITY SYMANTEC DATA CENTER SECURITY SYMANTEC UNIFIED SECURITY STRATEGY Users Cyber Security Services Monitoring, Incident Response, Simulation, Adversary Threat Intelligence Data Threat Protection Information

More information

Top-Down Network Design

Top-Down Network Design Top-Down Network Design Chapter Eight Developing Network Security Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer 1 Network Security Design The steps for security design are: 1. Identify

More information

Zero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection

Zero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection Zero Trust on the Endpoint Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection March 2015 Executive Summary The Forrester Zero Trust Model (Zero Trust) of information

More information

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003 Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003 A system or combination of systems that enforces a boundary between two or more networks - NCSA

More information

INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.

INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3. INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS Protect Critical Enterprise Applications and Cardholder Information with Enterprise Application Access Scope and Audience This guide is for

More information

Critical Infrastructure Protection for the Energy Industries. Building Identity Into the Network

Critical Infrastructure Protection for the Energy Industries. Building Identity Into the Network Critical Infrastructure Protection for the Energy Industries Building Identity Into the Network Executive Summary Organizations in the oil, gas, and power industries are under increasing pressure to implement

More information

AAD - ASSET AND ANOMALY DETECTION DATASHEET

AAD - ASSET AND ANOMALY DETECTION DATASHEET 21 October 2018 AAD - ASSET AND ANOMALY DETECTION DATASHEET Meaningful Insights with Zero System Impact Classification: [Protected] 2018 Check Point Software Technologies Ltd. All rights reserved. This

More information

SECURITY PRACTICES OVERVIEW

SECURITY PRACTICES OVERVIEW SECURITY PRACTICES OVERVIEW 2018 Helcim Inc. Copyright 2006-2018 Helcim Inc. All Rights Reserved. The Helcim name and logo are trademarks of Helcim Inc. P a g e 1 Our Security at a Glance About Helcim

More information

IC32E - Pre-Instructional Survey

IC32E - Pre-Instructional Survey Name: Date: 1. What is the primary function of a firewall? a. Block all internet traffic b. Detect network intrusions c. Filter network traffic d. Authenticate users 2. A system that monitors traffic into

More information

SECURE INFORMATION EXCHANGE: REFERENCE ARCHITECTURE

SECURE INFORMATION EXCHANGE: REFERENCE ARCHITECTURE SECURE INFORMATION EXCHANGE: REFERENCE ARCHITECTURE MAY 2017 A NEXOR WHITE PAPER NEXOR 2017 ALL RIGHTS RESERVED CONTENTS 3 4 5 6 8 9 10 11 12 14 15 16 INTRODUCTION THREATS RISK MITIGATION REFERENCE ARCHITECTURE

More information

The New Security Heroes. Alan Paller

The New Security Heroes. Alan Paller The New Security Heroes Alan Paller apaller@sans.org How they attack Spam with infected attachments Web sites that have infected content The most dangerous: targeted attacks Fooling the victim into Installing

More information

Potential Mitigation Strategies for the Common Vulnerabilities of Control Systems Identified by the NERC Control Systems Security Working Group

Potential Mitigation Strategies for the Common Vulnerabilities of Control Systems Identified by the NERC Control Systems Security Working Group Potential Mitigation Strategies for the Common Vulnerabilities of Control Systems Identified by the NERC Control Systems Security Working Group Submitted on behalf of the U.S. Department of Energy National

More information

Help Your Security Team Sleep at Night

Help Your Security Team Sleep at Night White Paper Help Your Security Team Sleep at Night Chief Information Security Officers (CSOs) and their information security teams are paid to be suspicious of everything and everyone who might just might

More information

The Honest Advantage

The Honest Advantage The Honest Advantage READY TO CHALLENGE THE STATUS QUO GSA Security Policy and PCI Guidelines The GreenStar Alliance 2017 2017 GreenStar Alliance All Rights Reserved Table of Contents Table of Contents

More information

SECURE SYSTEMS, NETWORKS AND DEVICES SAFEGUARDING CRITICAL INFRASTRUCTURE OPERATIONS

SECURE SYSTEMS, NETWORKS AND DEVICES SAFEGUARDING CRITICAL INFRASTRUCTURE OPERATIONS SECURE SYSTEMS, NETWORKS AND DEVICES SAFEGUARDING CRITICAL INFRASTRUCTURE OPERATIONS PROTECT YOUR DAILY OPERATIONS FROM BEING COMPROMISED In today s data-driven society, connectivity comes with a cost.

More information

ClearPath OS 2200 System LAN Security Overview. White paper

ClearPath OS 2200 System LAN Security Overview. White paper ClearPath OS 2200 System LAN Security Overview White paper Table of Contents Introduction 3 Baseline Security 3 LAN Configurations 4 Security Protection Measures 4 Software and Security Updates 4 Security

More information

Simple and Powerful Security for PCI DSS

Simple and Powerful Security for PCI DSS Simple and Powerful Security for PCI DSS The regulations AccessEnforcer helps check off your list. Most merchants think they are too small to be targeted by hackers. In fact, their small size makes them

More information

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002 ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION

More information

Compare Security Analytics Solutions

Compare Security Analytics Solutions Compare Security Analytics Solutions Learn how Cisco Stealthwatch compares with other security analytics products. This solution scales easily, giving you visibility across the entire network. Stealthwatch

More information

W H IT E P A P E R. Salesforce Security for the IT Executive

W H IT E P A P E R. Salesforce Security for the IT Executive W HITEPAPER Salesforce Security for the IT Executive Contents Contents...1 Introduction...1 Background...1 Settings Related to Security and Compliance...1 Password Settings... 1 Session Settings... 2 Login

More information

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution Service SM Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution Product Protecting sensitive data is critical to being

More information

Secure Access & SWIFT Customer Security Controls Framework

Secure Access & SWIFT Customer Security Controls Framework Secure Access & SWIFT Customer Security Controls Framework SWIFT Financial Messaging Services SWIFT is the world s leading provider of secure financial messaging services. Their services are used and trusted

More information

DEVELOP YOUR TAILORED CYBERSECURITY ROADMAP

DEVELOP YOUR TAILORED CYBERSECURITY ROADMAP ARINC cybersecurity solutions DEVELOP YOUR TAILORED CYBERSECURITY ROADMAP Getting started is as simple as assessing your baseline THE RIGHT CYBERSECURITY SOLUTIONS FOR YOUR UNIQUE NEEDS Comprehensive threat

More information

CYBERSECURITY RISK LOWERING CHECKLIST

CYBERSECURITY RISK LOWERING CHECKLIST CYBERSECURITY RISK LOWERING CHECKLIST The risks from cybersecurity attacks, whether external or internal, continue to grow. Leaders must make thoughtful and informed decisions as to the level of risk they

More information

5. Execute the attack and obtain unauthorized access to the system.

5. Execute the attack and obtain unauthorized access to the system. Describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security. Before discussing the preventive, detective, and

More information

Networking and Operations Standard

Networking and Operations Standard Networking and Operations Standard Version: 1.7 Document ID: 3544 Copyright Notice Copyright 2017, ehealth Ontario All rights reserved No part of this document may be reproduced in any form, including

More information

Identity-Based Cyber Defense. March 2017

Identity-Based Cyber Defense. March 2017 Identity-Based Cyber Defense March 2017 Attackers Continue to Have Success Current security products are necessary but not sufficient Assumption is you are or will be breached Focus on monitoring, detecting

More information

Addressing PCI DSS 3.2

Addressing PCI DSS 3.2 Organizational Challenges Securing the evergrowing landscape of devices while keeping pace with regulations Enforcing appropriate access for compliant and non-compliant endpoints Requiring tools that provide

More information