Improving Your Network Defense. Joel M Snyder Senior Partner Opus One

Similar documents
Network Access Control: A Whirlwind Tour Through The Basics. Joel M Snyder Senior Partner Opus One

1. How will NAC deal with lying clients?

Building a Secure Wireless Network. Use i and WPA to Protect the Channel and Authenticate Users. May, 2007

Vulnerability Management. If you only budget for one project this year...

Lessons from the Lab: NAC Framework Testing

SIEM FOR BEGINNERS Everything You Wanted to Know About

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

ProCurve Network Immunity

SIEM FOR BEGINNERS EVERYTHING YOU WANTED TO KNOW ABOUT LOG MANAGEMENT BUT WERE AFRAID TO ASK.

CISNTWK-440. Chapter 5 Network Defenses

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

OSSIM Fast Guide

Ipswitch: The New way of Network Monitoring and how to provide managed services to its customers

Securing CS-MARS C H A P T E R

Vulnerability Assessment. Detection. Aspects of Assessment. 1. Asset Identification. 1. Asset Identification. How Much Danger Am I In?

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Klaudia Bakšová System Engineer Cisco Systems. Cisco Clean Access

Network Security. Kitisak Jirawannakool Electronics Government Agency (public organisation)

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

Security Information Managers: State of the Art. Joel M Snyder Senior Partner Opus One

Scrutinizer Flow Analytics

align security instill confidence

Chapter 5: Vulnerability Analysis

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

ASA/PIX Security Appliance

Cisco Cyber Range. Paul Qiu Senior Solutions Architect

Device Discovery for Vulnerability Assessment: Automating the Handoff

Designing and Building a Cybersecurity Program

Chapter 4. Network Security. Part I

Sample Defense in Depth White Paper

Segmentation for Security

Mobile County Public School System Builds a More Secure Future with AMP for Endpoints

Bro: Actively defending so that you can do other stuff

Visibility: The Foundation of your Cybersecurity Infrastructure. Marlin McFate Federal CTO, Riverbed

Why we need Intelligent Security? Juha Launonen Sourcefire, Inc.

SECURITY AUTOMATION BEST PRACTICES. A Guide on Making Your Security Team Successful with Automation SECURITY AUTOMATION BEST PRACTICES - 1

Agile Security Solutions

Pass4sure q. Cisco Securing Cisco Networks with Sourcefire IPS

CND Exam Blueprint v2.0

AAD - ASSET AND ANOMALY DETECTION DATASHEET

August knac! 10 (or more) ways to bypass a NAC solution. Ofir Arkin, CTO

A Measurement Companion to the CIS Critical Security Controls (Version 6) October

CIS Controls Measures and Metrics for Version 7

Cisco Cyber Threat Defense Solution 1.0

CIS Controls Measures and Metrics for Version 7

Stop Threats Before They Stop You

Five Essential Capabilities for Airtight Cloud Security

Security Automation Best Practices

SECURITY AUTOMATION BEST PRACTICES. A Guide to Making Your Security Team Successful with Automation

Cisco Firepower NGIPS Tuning and Best Practices

Hackproof Your Cloud Responding to 2016 Threats

Spring 2010 CS419. Computer Security. Vinod Ganapathy Lecture 14. Chapters 6 and 9 Intrusion Detection and Prevention

ICS Security Monitoring

Portnox CORE. On-Premise. Technology Introduction AT A GLANCE. Solution Overview

Ken Agress, Senior Consultant PlanNet Consulting, LLC.

Cisco Self Defending Network

Un SOC avanzato per una efficace risposta al cybercrime

NETWORK THREATS DEMAN

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic

Reviewer s guide. PureMessage for Windows/Exchange Product tour

2013 InterWorks, Page 1

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Segment Your Network for Stronger Security

One Management Realized, with Cisco Prime Infrastructure Manage Complexity. Manage Effectively. Manage Intelligently. Closing

Compare Security Analytics Solutions

Help Your Security Team Sleep at Night

Ken Hines, Ph.D GraniteEdge Networks

2. INTRUDER DETECTION SYSTEMS

Layered Access Control-Six Defenses That Work. Joel M Snyder Senior Partner Opus One, Inc.

IBM Security QRadar Version Architecture and Deployment Guide IBM

PrecisionAccess Trusted Access Control

ARC VIEW. Critical Industries Need Continuous ICS Security Monitoring. Keywords. Summary. By Sid Snitkin

Snort: The World s Most Widely Deployed IPS Technology

Education Network Security

Network Security Terms. Based on slides from gursimrandhillon.files.wordpress.com

Configuring Anomaly Detection

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

AMP-Based Flow Collection. Greg Virgin - RedJack

Best Practices for PCI DSS Version 3.2 Network Security Compliance

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

Enterasys. Design Guide. Network Access Control P/N

Title: Episode 11 - Walking through the Rapid Business Warehouse at TOMS Shoes (Duration: 18:10)

ForeScout Agentless Visibility and Control

whitepaper: Whitelisting Without The Complexity

Introduction to Information Security Prof. V. Kamakoti Department of Computer Science and Engineering Indian Institute of Technology, Madras

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

During security audits, over 15,000 vulnerability assessments are made, scanning the network IP by IP.

ForeScout CounterACT. Configuration Guide. Version 1.2

Introduction to Network Discovery and Identity

CompTIA E2C Security+ (2008 Edition) Exam Exam.

Host Identity Sources

Copyright ECSC Group plc 2017 ECSC - UNRESTRICTED

Sourcefire Network Security Analytics: Finding the Needle in the Haystack

Network Security in the Patched Environment. Guy Helmer, Ph.D. Palisade Systems, Inc.

Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring

Cyber Criminal Methods & Prevention Techniques. By

Ethical Hacking and Prevention

NEXT GENERATION SOLUTION FOR NETWORK ACCESS MANAGEMNT & CONTROL

Cisco Network Admission Control (NAC) Solution

Transcription:

Improving Your Network Defense Joel M Snyder Senior Partner Opus One jms@opus1.com

Agenda: Improving Your Network Defense What s the Thesis? Intrusion Detection Collecting Information Enabling Features Vulnerability Analysis Network Access Control 2

A Firewall Blocks Traffic, but A firewall cannot tell you how your network is operating A firewall cannot tell you whether your network is secure Some traffic gets through; some doesn t. What do you know about the traffic that got through? 3

Improve Network Security with Visibility and with Control Visibility Means: Knowing what is happening on the network from a SECURITY point of view Also may mean: Knowing what is happening on the network from a NETWORK point of view (these points of view are not that far off) Control Means: Enabling control points on your network to direct and manage traffic Means: Changing the network to be a secure asset rather than an anything-goes utility 4

Improve Network Security with Visibility and with Control What is this server running? Visibility Means: Knowing what is happening on the network from a SECURITY point of view Also may mean: Knowing what is happening on the network from a NETWORK point of view (these points of view are not that far off) What is using all the bandwidth? Who is infected? What is this guy doing? 5

Improve Network Security with Visibility and with Control Who/What can connect to this application? Is this system OK? Segment to control Who is this person? Control Means: Enabling control points on your network to direct and manage traffic Means: Changing the network to be a secure asset rather than an anything-goes utility 6

Goal: 1 Increase your ability to see security issues within the network Strategy: Add NIDS Intrusion Detection Sensors inside the core & DMZ networks 7

IDS is not really for detecting Intrusions Security policy violations Infected systems on your network Mis-configured applications, firewalls, and systems Information leakage Unauthorized servers and clients A properly configured firewall and patch discipline means that an IDS is unlikely to catch an intrusion 8

What s hard about IDS is Management Do I no Use Snort sensors Do I have SIM budget? Uh oh no yes Get Some have IDS budget? Buy SIM as a management console yes Buy one, and don t forget the management console Get some good training OK! 9

Most Common Errors in IDS Deployment and Operation 1) Putting Sensors in the Wrong Place 2) Not Customizing IDS for Your Environment 3) Not Linking IDS to Network, Application, and Security Knowledge 4) Not Listening to What the IDS Says 5) Mistaking IDS for IPS No, really. If you aren t going to use the console at least once a week, you probably don t want to put this in place An IPS drops packets; it s a firewall with a default-allow policy. An IDS looks for anomalies, policy violations, malicious traffic, and funny packets. 10

We ll dive deep into IDS later today 11

Goal: 2 Gain better insight into traffic and flows within the network Strategy: Collect and Analyze security and flow information from existing control points 12

You already have an abundance of instrumentation use it! Routers Firewalls Switches Load Balancers Systems/Servers 13

Who is Talking and How Much? You already know! Switches: Generate Link Up/Down Have traffic flow data (SNMP) Have network topology info. Routers: Generate flow records (NetFlow, sflow, etc.) Generate ACL permit/deny Firewalls: Generate Accept and Deny Generate traffic flow data in session end records 14

Once you have the data, you can answer important questions What is using all the bandwidth? Who is running a rogue mail server? When do I need to upgrade to faster pipes/systems? What is this guy doing? What servers are being used the most? How should I start optimizing the network? 15

Of course, it s not as easy as turning on logging and flow data Asking for the data is pretty easy The data will be expressed in network terms (such as IP address) Gathering Network Flow data may have other costs Understanding and analyzing the data requires additional tools You probably want different terms (such as username or NETBIOS name) Cisco platforms are optimized to route packets, not report on them 16

Action Items: Network Visibility Investigate SIM products or open source tools to collect and summarize flow and session information Install open source tools or commercial products to monitor traffic counters at the switch port level and generate usage data Begin archiving session data (hey, disk is cheap) for future long-term analysis projects 17

Goal: 3 Gain greater and more granular control over all traffic Strategy: Enable security on devices you already own such as switches, routers, and firewalls 18

Your network already has lots of security control points use them! 19

Your external router is a good first cleaner for traffic Anti-spoofing ACL starts here Block access to control plane on external network Block traffic you don t want to waste logging on (Slammer, etc.) Alert on attempted control plane access 20

Don t let the title mislead you: this book tells you how to secure your infrastructure Cisco devices! 21

Are you using all the features you paid for in your external firewall? Most firewalls have ratebased DoS/IPS features turn them on! Do you have a default pass all for outbound traffic? If so, reconsider. SMTP? Non-Web? Secure your control plane traffic and disable non-secure management 22

Now is the time to explore all those little boxes 23

Control traffic TO and THRU each device in the network Control plane management: either a separate management network (best) or ACLs (good) Traffic management: block and alert on common errors and worms; install anti-spoofing ACLs 24

Action Items: Leverage Existing Points Enable security features on security devices (such as firewalls) that you already have but are not using DoS protection most typical Limited IPS features common Put coarse controls at external devices to protect control/management plane, anti-spoofing, and common worms Secure internal control/management plane traffic using either a separate access ether or ACLs; configuration tools 25

Goal: 4 Better understand the security posture of your own network Strategy: Use Active or Passive Vulnerability Analysis and Network Discovery 26

Knowing what services are running on the network has great value The Server Team may think they know what s going on, but getting a second opinion is always useful. Network Team Territory Server Team Territory 27

Active Scanning pounds systems looking for apps and vulnerabilities 28

Active scanning can tell you more than just services Examples include: Nessus Retina Core Impact ISS SARA Qualys Saint MS Baseline nmap 29

Active Scanning has a huge political cost that may drive you to Passive Active scanning will crash systems and applications It s a side-effect of how these things work Even the most gentle scan can crash applications Active scanning is easily detectable and will set off alarms Sometimes folks don t like being scanned, especially if you work for different bosses 30

Passive Scanning watches traffic looking for apps and vulnerabilities 010 1010 0101 010 31

Passive Scanning is more limited, but can give a lot of information still Top Examples: Sourcefire Tenable (But many IDSes do this to a limited extent anyway) 32

Action Items: Network Scanning Add regular nmap-style (service and O/S scan) services to your network Research tradeoffs between active and passive scanners to see which might be right for you Work with desktop/server team to determine areas where information sharing about services can help you both 33

Goal: 5 Ensure only Authorized and Safe Users Connect to the Network Strategy: Use Network Access Control (NAC) to Authenticate, Validate, and Control all network usage 34

The Marketing View of NAC The Internet Corporate Net 35

NAC Has Four Components 1. Authentication of the user Authenticate End users are authenticated before getting network access 36

Environmental Information Modifies Access or Causes Remediation 1. Authentication of the user 2. Use environmental information as part of policy decision making Authenticate Environment Where is the user coming from? When is the access request occurring? What is the End Point Security posture of the end point? 37

Access Controls Define Capabilities and Restrict the User 1. Authentication of the user Authenticate Access Control 3. Control usage based on capabilities of hardware and security policy 2. Use environmental information as part of policy decision making Environment Allow or deny access. Put the user on a VLAN. Send user to remediation. Apply ACLs or firewall rules. 38

Management of Policy is the Weak Link in most NAC Solutions 1. Authentication of the user Authenticate Access Control 3. Control usage based on capabilities of hardware and security policy 2. Use environmental information as part of policy decision making Environment Management 4. Manage it all Usable management and cross-platform NAC normalization 39

Action Items: Network Access Control Roll out authentication using 802.1X (you can call it WPA2) on wireless networks Meet with desktop team to discuss end-point security assessment and remediation strategies and how they would fit in NAC Inventory network assets (embedded devices and network devices) to determine how NAC would affect the network 40

Thanks! Joel Snyder Senior Partner Opus One jms@opus1.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback