Securing Enterprise Network

Transcription

1 Securing Enterprise Network Indian Computer Emergency Response Team Department of Information Technology Ministry of Communications & Information Technology New Delhi

2 Expansion in Enterprise networks Network performance, high availability, and uptime are must for not only running the dayto-day operations of an enterprise, they are also critical for a successful business. Networks are expanding in one more sensethey are running myriad applications that in turn drive many of the businesses that these enterprises deal in.

3 Challenges of expanding enterprise network This growth and expansion of enterprise networks, and increasing reliance of businesses on them, has given rise to new challenges of securing these networks However securing a network and thereby However securing a network and thereby guaranteeing its high performance, availability, and uptime isn't a difficult task provided security managers do the right thing. The challenge is to know what those right things are.

4 So,what does Securing enterprise Network mean? Securing enterprise Networks means practising preventative and real-time defense methods to be implemented by an enterprise: to protect its bussiness network against to protect its bussiness network against potential threats that may impede or paralyze the system safeguards bussiness-sensitive information and applications from malicious sources through combined efforts of IT strategies,software and hardware.

5 Network & Security A Computer Network is an interconnected group of computing nodes, which use a welldefined, mutually agreed set of rules and conventions known as protocol, interact with each other meaningfully, and allow resource sharing preferably in a predictable and controlled manner. Network Security is the need to protect one or more aspects of network s operation and permitted use. Security requirements may be Local or Global in their scope, depending upon the network s or internetwork s purpose of design and deployment.

6 Aspects of A Computer Network Network Architecture Servers and Workstations LAN : Cabled and Wireless WAN ISP Link Perimeter Network Devices Network Security Appliances

7 Elements of Network Security Primary elements of security of any computer network include security provisioning at : - Sending Node Intermediated Forwarding Node Receiving Node Interconnection Links Mechanism of Transmission

8 Basic Secure Network Design 8

9 Major Network Security Equipment 1. Routers & Managed Switches 2. Link Load Balancer 3. Firewall (Universal Threat Management) 4. VPN 5. Intrusion Prevention System 6. Antivirus and Antimalware Solution 7. Antispam and Security 8. Web Security 9. Filters 10. Log Management & Analysis 11. Network Access Control 12. Management System 13. Patch Management 14. Backup Solutions 15. Endpoint Security 9

10 Firewall A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all (in and out) computer traffic between different security domains based upon a set of rules and other criteria. Products: Hardware Firewall Cisco PIX 515,520 and Cisco ASA 5500 Fortinet Fortigate ZyXEL ZyWALL UTM (Universal Threat Management) Check Point UTM These days most devices are supported by failover feature. This is required to keep the network active in case the master device (firewall) fails. 10

11 What about UTM? Unified Threat Manager All-in-one devices that can do: Firewall Antivirus IPS VPN Etc. This is being discussed because vendors very often push UTM devices when customers are looking for IPS solutions

12 UTM Products Fortinet Radware Cisco (ASA appliance) Juniper

13 UTM Pro s & Con s Pro s Cost effective for remote branch offices where other capabilities like Firewall are also needed Con s Usually a limited subset of IPS functionality and signatures as compared to stand alone IPS products

14 Intrusion Prevention Systems (IPS) IPSs are not a new technology, they are simply an evolved version of IDS. IDS have been one of the cornerstones of network security they are a passive component which only detects and reports without preventing. It is the intrusion prevention system (IPS) which, is to prevent attacks. Because IDS and IPS technologies offer many of the same capabilities, administrators can usually disable prevention features in IPS products, causing them to function as IDSs.

15 IPS (Intrusion Prevention System) An Intrusion Prevention System is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities. Network based IPS: Snort Sourcefire (Open Source) Winpooch (Windows Only) Cisco IPS 4200 series IBM Proventia GX Series Tipping point Cyberoam UTM McAfee M Series Juniper 15

16 Definition Intrusion Detection Intrusion detection is a technique of detecting unauthorized access to a computer system or a computer network. An intrusion into a system is an attempt by an outsider to the system to illegally gain access to the system. Intrusion prevention, on the other hand, is the art of preventing an unauthorized access of a system s resources. The two processes are related in a sense that while intrusion detection passively detects system intrusions, intrusion prevention actively filters network traffic to prevent intrusion attempts.

17 IPS (Intrusion Prevention System) Host Based IPS McAfee Kaspersky Panda CA 17

18 What can an IPS do? IPS can detect and block: OS, Web and database attacks Spyware / Malware Instant Messenger Peer to Peer (P2P) Worm propagation Critical outbound data loss (data leakage)

19 Antivirus Suites and Internet Security Antivirus Software is used to prevent, detect, and remove malware, including computer viruses, worms, and trojan horses. Such programs may also prevent and remove adware, spyware, and other forms of malware. Some examples are:- Bit Defender 2010 Suite McAfee Virus Scan Plus Symantec Corporate 11.0 Cyberoam UTM Panda Security Kaspersky Space Security Trend Micro Scan Suites Quickheal Total Security 19

20 Anti Spam and Security Spam is flooding the Internet with many copies of the same message, in an attempt to force the message on people who would not otherwise choose to receive it. Most spam is commercial advertising, often for dubious products, get-richquick schemes, or quasi-legal services. To get rid of these Spam one should use good Anti Spam and Security for Mail Server and Services. Few examples are:- Symantec mail security for Microsoft Exchange GFI mail security (scans with multiple antivirus engines) Cisco IronPort (c & x series) Cyberoam Checkpoint UTM AVG Server edition 8.5 for Linux Kaspersky Total Space Security for Linux 20

21 Web Security As more and more attacks are being carried out over the HTTP layer or protocol there is a growing need to push the envelope and bring Web security to new levels. Most existing tools work on the TCP/IP level, failing to use the specifics of the HTTP protocol in their operation. Few dedicated Web Security products are:- Cisco IronPort S series Microsoft ISA Enterprise 2006 Cyberoam UTM Sophos Web Gateway Fortinet UTM Barracuda Web Filter Trend Micro InterScan Web Security Virtual Appliance Alcatel Omniaccess

22 Auditing & Log Management It is in the best interest of organizations to have appropriate auditing policies in place that affectively and efficiently collect the information regarding events including critical events occurring in the network and systems in the form of logs and manage them appropriately. This has created the need for Computer Security Log Management, which is the process for generating, transmitting, storing, analyzing, and disposing of computer security log data. Log Management Should be centralized and Products should support Syslog, SNMP and Windows Logs. A few are:- -Manage Engine Event Log Analyzer -GFI Event Management -Linux (for syslog) -System Information and event management (SIEM)tools 22

23 System Information and event management (SIEM)tools Centralized Syslog Server : This facilitates record-keeping of all systems and network activity at a single locations, which offers advantages such as, it can be placed at different segments for secure storage, allows better corelation of attacks across different platforms, easier backup policies,real-time alert generation using tools like Swatch(simple watcher) and security benefit that at least with a central syslog server the entries associated with the attack itself can be obtained even if the original machine has got hacked and the traces being wiped off by intruder. 23

24 System Information and event management (SIEM)tools. 24

25 Patch Management Patch management tasks include: maintaining current knowledge of available patches, deciding what patches are appropriate for particular systems, create testing environment so that patches can be tested before deploying to the clients,ensuring that patches are installed properly, testing systems after installation, and documenting all associated procedures, such as specific configurations required. Manage Engine GFI Languard Security Manager Plus Novell ZENworks Patch Management. Available for Windows, NetWare, Macintosh, AIX, Solaris and HP-UX. Altiris client management suite 25

26 Backup Backup is the activity of copying files or databases so that they will be preserved in case of equipment failure or other catastrophe. Backup is usually a routine part of the operation of large businesses to the administrators of smaller business computers. Administrators must choose right type of hardware and software to be used for regular backup. Backup Devices: HP DAT 320, Iomega REV 120, LTO s For Large Data Centres: IBM System Storage Online Backup Solutions e.g. SugarSync, box.net S/W: Symantec Veritas, IBM Tivoli, Norton backup Disaster Recovery Servers 26

27 Testing of Patches 27

28 Endpoint Security Endpoint security is a strategy in which security software is distributed to end-user devices but centrally managed. A server or gateway hosts the centralized security program, which verifies logins and sends updates and patches when needed. This type of solution includes: Firewall IPSEC VPN IPS Web Security URL Filtering Antivirus & Anti-Malware Anti-Spam & Security Few Solutions are: Checkpoint Endpoint Security Symantec Endpoint Security Product 11.0 Trend Micro Endpoint Security 28

29 Building secure environment Defense in Depth: Using a layered Approach Increases an attacker s risk of detection Decreases an attacker s chances of success

30 Secure environment A secure environment is a combination of : Hardened hosts(nodes) Intrusion Detection System(IDS) Operating Processes Standard and Emergency Threat Modeling and Analysis Simple Security Risk Analysis Attack Vectors and threat modeling Dedicated Responsible Staff Chief Information Security Officer(CISO)responsible for all, should acquire coordination of sectoral and other CERTs as required. Continous Training Users and Security Staff-against social engineering

31 Host Hardening This process starts with an requirements evaluation to see what the server is for and to assess the risks involved The main stages of host hardening are as follows: Disabling unused services and user accounts Tightening the security settings of required services (Limiting access by host or IP block) Replacing insecure or vulnerable services with more secure alternatives Removing unused tools, libraries, and files (OS minimization) Tightening file system security settings (System ACLS) Installing host-based intruder detection systems (HIDS) Running high risk services in a tightly controlled environment (e.g. chroot jail)

32 Processes Operating Processes : Aim for compliance with an overall operational process framework Eg. Microsoft Operations Framework s SLAs, O LAs and UCs As a minimum define Operating Processes - Standard Operating Procedures: set of security policies used during normal conditions - Emergency Operating Procedures: Tighter policies used during high-risk or under-attack conditions - Include scheduled internal and external audits to verify security compliances practiced in the organisation

33 Education and Research As minimum, there is a need to subscribe to security advisories: Microsoft Security Notification service CERT-In SANS Institute Other Vendor specific CISCO,Oracle,IBM and so on Apart from notifications,study available operational security guidance

34 Recommendations: Summary Protect the infrastructure - Secure endpoints - Protect and Web - Defend critical internal servers - Backup and recover data Protect the information - Discover where sensitive information resides - Monitor how data is being used - Protect sensitive information from loss

35 Recommendations(contd.) Develop and enforce IT policies - Define risk and develop IT policies - Assess infrastructure and processes - Report, monitor and demonstrate due care - Remediate problems Manage systems - Implement secure operating environments - Distribute and enforce patch levels - Automate processes to streamline efficiency - Monitor and report on system status

36 Thank you