Layered Access Control-Six Defenses That Work. Joel M Snyder Senior Partner Opus One, Inc.

Similar documents
Network Access Control: A Whirlwind Tour Through The Basics. Joel M Snyder Senior Partner Opus One

Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy

1. How will NAC deal with lying clients?

Attacking Networks. Joshua Wright LightReading LIVE! October 1, 2003

Security+ SY0-501 Study Guide Table of Contents

COPYRIGHTED MATERIAL. Contents

The following chart provides the breakdown of exam as to the weight of each section of the exam.

Wireless Network Security

Cisco Network Admission Control (NAC) Solution

Security Assessment Checklist

Exam : Title : Security Solutions for Systems Engineers. Version : Demo

Building a Secure Wireless Network. Use i and WPA to Protect the Channel and Authenticate Users. May, 2007

NETWORK THREATS DEMAN

Configuring WEP and WEP Features

All-in one security for large and medium-sized businesses.

"Charting the Course... MOC 6435 B Designing a Windows Server 2008 Network Infrastructure Course Summary

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Solution Architecture

Configuring the Client Adapter through Windows CE.NET

EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led

Securing the Converged Enterprise, Part I

Wireless Network Security Fundamentals and Technologies

Exam HP2-Z32 Implementing HP MSM Wireless Networks Version: 7.1 [ Total Questions: 115 ]

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

Securing Wireless LANs with Certificate Services

Cross-organisational roaming on wireless LANs based on the 802.1X framework Author:

Cisco Self Defending Network

Ken Agress, Senior Consultant PlanNet Consulting, LLC.

Question: 1 The NAC Agent uses which port and protocol to send discovery packets to an ISE Policy Service Node?

Wireless# Guide to Wireless Communications. Objectives

Passit4Sure (50Q) Cisco Advanced Security Architecture for System Engineers

Chapter 11: It s a Network. Introduction to Networking

Securing the Empowered Branch with Cisco Network Admission Control. September 2007

Securing BYOD with Cisco TrustSec Security Group Firewalling

Course overview. CompTIA Security+ Certification (Exam SY0-501) Study Guide (G635eng v107)

SYLLABUS. DIVISION: Business and Engineering Technology REVISED: FALL 2015 CREDIT HOURS: 4 HOURS/WK LEC: 4 HOURS/WK LAB: 0 LEC/LAB COMB: 4

Cisco Exam Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ]

Cisco NAC Network Module for Integrated Services Routers

Information Security in Corporation

Wireless LAN Security. Gabriel Clothier

Chapter 10: Security. 2. What are the two types of general threats to computer security? Give examples of each.

Exam Questions CWSP-205

Securing Your Most Sensitive Data

Your wireless network

Cloud-Enable Your District s Network For Digital Learning

Configuring Cipher Suites and WEP

Wireless and Network Security Integration Solution Overview

Exam Questions Demo Cisco. Exam Questions

Pulse Policy Secure X Network Access Control (NAC) White Paper

PROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL

Cisco Adaptive Wireless Intrusion Prevention System: Protecting Information in Motion

Designing Polycom SpectraLink VoWLAN Solutions to Comply with Payment Card Industry (PCI) Data Security Standard (DSS)

Cisco SA 500 Series Security Appliances

Networks with Cisco NAC Appliance primarily benefit from:

Interop Labs Network Access Control

802.1X: Port-Based Authentication Standard for Network Access Control (NAC)

Wednesday, May 16, 2018

Palo Alto Networks PCNSE7 Exam

Education Network Security

Integrating Riverbed SD-WAN with Palo Alto Networks GlobalProtect Cloud Service

Network Virtualization Business Case

BYOD: BRING YOUR OWN DEVICE.

Introduction to Information Security Dr. Rick Jerz

CSA for Mobile Client Security

Standard For IIUM Wireless Networking

Renovating our security management: New ways to protect your infrastructure

IEEE 802.1x, RADIUS AND DYNAMIC VLAN ASSIGNMENT

CTS2134 Introduction to Networking. Module 08: Network Security

Figure 5-25: Setup Wizard s Safe Surfing Screen

802.1X: Deployment Experiences and Obstacles to Widespread Adoption

SOLUTION OVERVIEW THE ARUBA MOBILE FIRST ARCHITECTURE

Add a Wireless Network to an Existing Wired Network using a Wireless Access Point (WAP)

MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER

Cisco Exam Securing Wireless Enterprise Networks Version: 7.0 [ Total Questions: 53 ]

Executive Summery. Siddharta Saha. Downloaded from

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

Cisco Exam Questions & Answers

ARUBA MULTIZONE DATA SHEET

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

NETWORKING 3.0. Network Only Provably Cryptographically Identifiable Devices INSTANT OVERLAY NETWORKING. Remarkably Simple

Cisco Exam Questions and Answers (PDF) Cisco Exam Questions BrainDumps

Merge physical security and cybersecurity for field operations.

Hacking Air Wireless State of the Nation. Presented By Adam Boileau

Network Configuration Example

Chapter 24 Wireless Network Security

2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1

TopGlobal MB8000 Hotspots Solution

Frequently Asked Questions WPA2 Vulnerability (KRACK)

Critical Infrastructure Protection for the Energy Industries. Building Identity Into the Network

Partner Webinar. AnyConnect 4.0. Rene Straube Cisco Germany. December 2014

WIRELESS AS A BUSINESS ENABLER. May 11, 2005 Presented by: Jim Soenksen and Ed Sale, Pivot Group

What is Eavedropping?

Network Security 1. Module 7 Configure Trust and Identity at Layer 2

Layer 2 authentication on VoIP phones (802.1x)

Secure Mobility. Klaus Lenssen Senior Business Development Manager Security

Klaudia Bakšová System Engineer Cisco Systems. Cisco Clean Access

Chapter 11: Networks

Campus Network Design

Wireless LAN, WLAN Security, and VPN

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture

Transcription:

Layered Access Control-Six Defenses That Work Joel M Snyder Senior Partner Opus One, Inc. jms@opus1.com

Perimeter defense has its flaws z Protecting your network with a perimeter firewall is like putting a stake in the middle of a field and expecting the other team to run into it. z #include <statistic on insider break-in percent> z If your position is invisible, the most carefully concealed spies will not be able to get a look at it. (Sun-Tzu) Virus Big Bad Interne t 2

Defense-in-Depth is the alternative z Make the network crunchy, not soft and chewy throughout z Turn the network inside-out: the security is on the inside, not on the outside 3

Here are Six Strategies you can use as guideposts for Defense in Depth Strategy 1: Authenticate and Authorize all Network Users Strategy 2: Deploy VLANs for traffic separation and coarsegrained security Strategy 3: Use stateful firewall technology at the port level for fine-grained security Strategy 4: Place encryption throughout the network to ensure privacy Strategy 5: Detect threats to the integrity of the network and remediate them Strategy 6: Include end-point security in policy-based enforcement 4

You are not being given the Holy Gospel These are strategies that you can mix and match as appropriate to your own network and your own requirements! How secure is this network? Is it more secure than it was? Is it secure enough for our business? Adding defense in depth to a network is as much policy and procedures as it is hardware and software 5

Strategy 1: Authenticate and Authorize all Network Users You need to know who is on the other end of the wire? Who are you? What is their role?? Once you know who you can define authorization 6

802.1X Provides a standards-based approach for authentication and authorization EAP over RADIUS Supplicant EAP over Wireless EAP over LAN Authenticators Authentication Server (e.g., RADIUS server) Supplicant Use the same RADIUS+LDAP infrastructure for your SSL and IPsec VPN users The World 7

802.1X on every port adds security In the wireless environment, 802.1X is absolutely required 802.11i and WPA (Wi-Fi Protected Access) use 802.1X Pure 802.1X for authentication solves most WEP problems In the wired environment, 802.1X adds security Microsoft and Apple give it to you for free Here s your WEP key for the next 30 seconds... 802.1X ties to RADIUS which means You can use RADIUS to push authorization information to wired and wireless equipment VLANs & Filters EAP over RADIUS Captive Portals are so very 20th century Put the user on VLAN x and here s what he has access to... 8

Strategy 2: Use VLANs for coarse-grained security 802.1q VLANs are present on all modern switches tagged VLANs 9

VLANs can be used as security barriers Coarse Grained means you don t want too many of them Using VLANs for security has its risks Enterprise VLAN If packets jump from one Assignments VLAN to the other... the game is over Outside the firewall Management of switching Trusted Internal User infrastructure is now as High Security Zone important as management of Remediation Zone firewalls Your switches are your weak VoIP Services links Attacks Bugs 10

Key to successful use of VLANs is dynamic assignment If you have authenticated your users you can have authorization information Which Tells You What VLAN They Go On! Other Strategies based on endpoint security status (see strategy 6) based on lack of authentication Put the user on VLAN x and here s what he has access to... 11

Strategy 3: Use firewalls for fine-grained security The network is such a critical resource, it needs to be protected down to the port level 12

Management and Economics challenge the use of Firewalls within the Network How are you going to define policy? How are you going to bind policy to an authenticating user? Answer: role-based management of users How can you afford to buy a thousand ports of firewall? How can we get firewalls with dozens and hundreds of ports in them? Answer: the price is coming down faster than you can imagine 13

The Key strategy for Internal Firewalls: Use Role-based and Resource-based Policy Define policy first Define policy first Define policy first Start with your wireless network as a test of the technology Authentication Roles Rsrcs Rule Use a combination of port-based firewalls and VLANs as appropriate If an intermediate solution is right for you, jump on it! 14

Strategy 4: Place encryption throughout the network Wireless Network? You should be encrypting! Remote Access Network? You should be encrypting! Graham- Leach NISPOM Ch.8 HIPAA Sarbarne s-oxley CA SB1386 Wired network in a building? You still might want to encrypt! ASPCA 15

Encrypt where needed and in the right way Environment Common Solutions All Wireless Server to Server Wired Client to Server Wired Client to Remote Access Server 802.11i combined with 802.1X using either TKIP or AES encryption; VPN protocol to VPN concentrator IPsec in transport or tunnel mode between servers or server farm subnets Application Layer Encryption (SSL); link-layer encryption in building VPN protocol such as IPsec or SSL to corporate VPN gateway 16

Strategy 5: Detect threats to the network and remediate The Holy Trinity of Security The Rodney Dangerfield Corollary: Integrity don t get no respect. Integrity Privacy Authentication and Authorization 17

Detecting threats seems to be on everyone s mind 18

Detection and remediation can ensure network integrity Key strategy: Identify greatest areas of risk and concentrate on those first Key strategy: Focus on technologies that have the lowest cost (capital and operations) Example: trojan horses, viruses, and malware Enormous risk Enormous potential for loss Risk of infection is high Example: firewalls with built-in IPS technology Low cost Moderate tuning Operationally easy 19

Strategy 6: Include end-point security in policy The hot topic for 2005 is End Point Security! This issue came to the front with SSL VPN and now everyone is on the bandwagon Vendor Cisco Check Point Microsoft Juniper Buzzword CSA + CCA + CTA + Network Admission Control Total Access Protection Network Access Protection Juniper End-Point Defense Initiative 20

End point security adds a column to the access control tuple Authentication Roles RsrcsEnv Rule Derived zone based on various attributes. Like groups, but based on security posture assessment. IP 21

Your guideposts for adding Defense-in- Depth Strategy Authenticate and Authorize everyone VLANs for traffic separation and coarse-grained security Stateful firewall for fine-grained security Encryption for privacy Detect Threats and Remediate to insure integrity Add end-point security to policy enforcement VLANs, 802.1X Technology 802.1X, RADIUS + LDAP High-density firewalls, 802.1X 802.11i (Wireless); IPsec/SSL/TLS (Wired/remote access); others IPS/IDS and derivations (IPSin-firewall, e.g.) In flux. Watch closely. 22

Audience response Questions? 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback