Firewalls, IDS and IPS
MIS 5214 Week 6
Agenda
Defense in Depth
Evolution of IT risk in automated control systems
Security Domains
Where to put firewalls in an N-Tier Architecture?
In-class exercise Part 1: Build an IT Architecture
In-class exercise Part 2: Add a security architecture
Next week: Midterm Exam
What is implied by this model of security?
What is implied by this architectural model?
Early computer architecture of automated control systems separated the Corporate and Control domains
Critical infrastructure systems supporting major industries (manufacturing, transportation, energy, water/wastewater) depend on information systems for command and control
These industries are highly dependent on disparate legacy proprietary control systems which, until recently, were isolated from corporate information systems
Control system security used to mean locating and identifying problems in a closed-loop system
Diagram: LAN 1 and LAN 2, each connected via a layer 2 switch, with a PBX at each site
HMI = Human Machine Interface
CS = Control System
PBX = Private Branch Exchange: a telephone system that switches calls between users on local lines while sharing a fixed number of external phone lines
RTU = Remote Terminal Unit: a computer-controlled device that connects physical equipment to a distributed control system
PLC = Programmable Logic Controller
IED = Intelligent Electronic Device
Security based on isolation from the Internet
Air gap between the control system LAN and the corporate LAN
Security by obscurity: few, if any, understood the architecture or operation of the resources on the control system Local Area Network (LAN)
Works well for environments that have no external connections
Allows the organization to focus on physical security
Total isolation from the untrusted external network reduced the need for communications security
The only threats to operations involved physical access to a facility or plant floor
Most data communication in the isolated information infrastructure required limited authorization and security oversight
Operational commands, instructions and data acquisition occurred in a closed environment where all communications were trusted
If a command or instruction was sent via the network it was expected to arrive and perform the authorized function, as only authorized operators had access to the system
Source: Control Systems Cyber Security: Defense in Depth Strategies, prepared by Idaho National Laboratory's Control Systems Security Center for the U.S. Department of Homeland Security, External Report INL/EXT-06-11478, May 2006
Around the year 2000, isolated control system networks began being interconnected to corporate networks with simple routers and switches
A router is a networking device that forwards data packets between computer networks; routers perform the traffic-directing functions on the Internet
A data packet is typically forwarded from one router to another through the networks that constitute the internetwork until it reaches its destination node
Many previously isolated control system networks have been interconnected as part of an IT modernization process of "web-ification"
Introducing IT components into the control system domain continues to result in security problems:
No business case for cyber security in control system environments
Increased dependency on automation of control systems
Use of technologies with known vulnerabilities
A considerable amount of open-source information is available on control system configurations and operations
Control system communication protocols lack security functionality
Control system technologies have limited security; where vendor-supplied security capabilities exist, they are often enabled only if the administrator is aware of them
Over the past two decades the IT architectures that separated corporate and control domains have been evolving
Legacy control systems are being replaced with modern open-architecture standards and common communication protocols
Positive impacts: efficient communications, robust data storage and exchange, increased interoperability and control of infrastructure systems, quicker time to market, predictive analytics
Negative impacts: the same technologies are exploited and compromised on the Internet and in IT networks
Diagram: example threat surface for database compromise via SQL injection
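The diagram above shows the threat surface; the code below shows the mechanism. It is an added example for this slide, not code from the lecture or the INL report: an "operators" table, its rows and the login function are constructed for the demonstration. The vulnerable form builds the statement by string concatenation, so a quote in the input changes the structure of the query; the hardened form binds the input as parameters, so it is only ever compared as data.

```python
"""Vulnerable vs. parameterized SQL, added example (not from the lecture).
The 'operators' schema and rows below are constructed for the demonstration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny operator table in an in-memory database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE operators (name TEXT, password TEXT, role TEXT)")
    con.executemany("INSERT INTO operators VALUES (?, ?, ?)", [
        ("alice", "s3cret", "engineer"),
        ("bob", "hunter2", "viewer"),
    ])
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, password: str):
    # User input is spliced straight into the statement text, so a quote in
    # either field ends the literal and the rest is parsed as SQL.
    sql = (f"SELECT role FROM operators WHERE name = '{name}' "
           f"AND password = '{password}'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con: sqlite3.Connection, name: str, password: str):
    # Bound parameters: the driver passes the values separately from the
    # statement, so they are compared as data and never parsed as SQL.
    sql = "SELECT role FROM operators WHERE name = ? AND password = ?"
    row = con.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Tautology in the password field: ... AND password = '' OR '1'='1'
    print(login_vulnerable(db, "alice", "' OR '1'='1"))   # role without the password
    # Comment injection in the name field removes the password check entirely
    print(login_vulnerable(db, "' OR 1=1 --", "anything"))
    print(login_safe(db, "alice", "' OR '1'='1"))          # None
```

Both payloads work against the concatenated query because SQLite, like most engines, honours `OR` precedence and `--` comments inside the spliced text; the parameterized version returns nothing for them because the whole string is compared against the stored value.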
Risk of multilayer protocols
Distributed Network Protocol 3 (DNP3) is a communications protocol for SCADA systems used by water and power utilities
Not all protocols fit neatly within the OSI model layers, especially in the case of devices on networks that were never intended to interoperate with the Internet
Such protocols likely lack robust security features for protecting the confidentiality, integrity and availability (CIA) of the data they communicate
Previously isolated devices and networks are increasingly connected to, and exposed to, threats they were never designed for
In December 2015 attackers used the compromised SCADA systems of Ukrainian electricity distribution utilities to open breakers, the first known cyberattack to cause a blackout; roughly 80,000 customers lost power
DNP3 was created before Internet networking was a consideration: instead of OSI's 7-layer model its developers used the IEC Enhanced Performance Architecture (EPA), a three-layer model approximating OSI layers 7 (application), 4 (transport) and 2 (data link), with no encryption or authentication (DNP3 Secure Authentication was only added later, in IEEE 1815-2012, and confidentiality still depends on wrapping the connection in TLS)
When DNP3 is carried over TCP/IP (commonly TCP port 20000) it is opaque payload to an ordinary firewall; traditional IDS and IPS products could not interpret DNP3 or relate it to the IP traffic carrying it, so they could not identify DNP3 attacks. DNP3 parsers have since been added to common IDS engines, but they help only where a sensor is deployed at the control-zone boundary with the parser enabled
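To make the "no authentication" point concrete, here is an added example (not from the lecture or the INL report) that builds and parses the DNP3 link-layer frame: two start octets, a length, a control octet, 16-bit destination and source link addresses and a CRC-16/DNP over those eight header octets, with user data following in 16-octet blocks that each carry their own CRC. The only integrity mechanism is the CRC, which anyone can compute, so a forged frame from an unknown source address is indistinguishable from a legitimate one at this layer. The last function shows the kind of DNP3-aware check an IDS can apply once it understands the framing; the link addresses and the "known master" set are constructed assumptions for the demonstration, not real plant values.

```python
"""DNP3 link-layer framing, CRC check and a minimal DNP3-aware policy check.
Added example; link addresses and KNOWN_MASTERS are constructed assumptions."""
import struct

START = b"\x05\x64"        # every DNP3 link-layer frame begins with 0x05 0x64
BROADCAST_MIN = 0xFFFD     # 0xFFFD-0xFFFF are the all-stations addresses
KNOWN_MASTERS = {1}        # assumption: only link address 1 may send requests


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (reflected form 0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(ctrl: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """8-octet header + CRC, then user data in 16-octet blocks, each with its own CRC."""
    if len(user_data) > 250:
        raise ValueError("LEN is one octet: at most 250 user-data octets per frame")
    # LEN counts CTRL + DEST + SRC (5 octets) plus the user data, excluding CRCs
    header = START + bytes([5 + len(user_data), ctrl]) + struct.pack("<HH", dest, src)
    frame = header + struct.pack("<H", crc16_dnp(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", crc16_dnp(block))
    return frame


def parse_header(frame: bytes) -> dict:
    """Decode the 10-octet link header. Note what is absent: any proof of who sent it."""
    if len(frame) < 10 or frame[:2] != START:
        raise ValueError("not a DNP3 link-layer frame")
    length, ctrl = frame[2], frame[3]
    dest, src, crc = struct.unpack("<HHH", frame[4:10])
    return {
        "length": length,
        "dir": (ctrl >> 7) & 1,      # 1 = frame sent by a master station
        "prm": (ctrl >> 6) & 1,      # 1 = primary (initiating) station
        "function": ctrl & 0x0F,     # link function code, e.g. 4 = unconfirmed user data
        "dest": dest,
        "src": src,
        "crc_ok": crc == crc16_dnp(frame[:8]),
    }


def check_frame(frame: bytes) -> list:
    """Link-layer policy an IDS can enforce only if it understands DNP3 framing."""
    h = parse_header(frame)
    alerts = []
    if not h["crc_ok"]:
        alerts.append("link CRC mismatch")
    if h["prm"] == 1 and h["src"] not in KNOWN_MASTERS:
        alerts.append(f"request frame from unexpected master address {h['src']}")
    if h["dest"] >= BROADCAST_MIN:
        alerts.append("all-stations broadcast destination")
    return alerts


if __name__ == "__main__":
    # 0xC4: DIR=1, PRM=1, function 4 (unconfirmed user data), master 1 -> outstation 10
    legit = build_frame(0xC4, dest=10, src=1, user_data=b"\xC0\x01")
    rogue = build_frame(0xC4, dest=10, src=200)   # valid CRC, unknown sender
    print(parse_header(legit))
    print(check_frame(legit), check_frame(rogue))
```

The rogue frame passes the CRC check: a CRC detects line noise, not adversaries. Without Secure Authentication the only place to reject it is a device or sensor that knows which link addresses are allowed to issue requests, which is exactly the protocol knowledge a generic IDS lacks.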
Defense in Depth through network segmentation to create security domains
IT network infrastructure domains are sets of logical (and physical) resources available to a subject; a subject can be a user, a process or an application
Security domains build on this concept and add the following requirement: resources within each domain operate under the same security policy and are managed by the same group
Different domains are separated by logical boundaries created by components that enforce the security policy for each domain, such as firewalls with ACLs and directory services making access decisions; objects also have their own ACLs indicating which individuals and groups can access them and run operations or processes on them
Zone 1: External connectivity to the Internet, peer locations and backup facilities
Zone 2: External connectivity for corporate communications
Zone 3: Control system communications from external services
Zone 4: Control system operations, process-based or SCADA
Studied attack scenarios suggest that an intrusion begins at some point outside the control zone and the attacker pries deeper and deeper into the architecture
Securing each core zone creates a defensive strategy with depth, offering administrators more opportunities for information about, and control over, their resources
It introduces cascading countermeasures that will not necessarily impede business functionality
Source: Control Systems Cyber Security: Defense in Depth Strategies, prepared by Idaho National Laboratory's Control Systems Security Center for the U.S. Department of Homeland Security, External Report INL/EXT-06-11478, May 2006
Firewalls: DMZ deployments
Source: Control Systems Cyber Security: Defense in Depth Strategies, prepared by Idaho National Laboratory's Control Systems Security Center for the U.S. Department of Homeland Security, External Report INL/EXT-06-11478, May 2006
Where to put firewalls in N-Tier systems
In-class exercise part 2
Break your team into smaller groups of 2 or 3. Using CSET's Diagram Tool, draw a logical network diagram that identifies the technical infrastructure needed by a 30-person consulting firm to provide services developing and maintaining mission-based and service delivery information systems for a government agency (see NIST Special Publication 800-60 Volume 1, Guide for Mapping Types of Information Systems to Security Categories)
Using appropriate network symbols and annotation in your architectural diagram, include:
Information system servers, e.g. web, application, database, file
Groups of desktop/laptop computers, illustrated as organized within the LANs of organizational units
Security domain areas (based in part on security categorizations; see NIST Special Publication 800-60 Volume 2, Guide for Mapping Types of Information Systems to Security Categories: Appendices)
Appropriately placed switches, routers, firewalls, Intrusion Detection System(s) and/or Intrusion Prevention System(s); label the firewalls and IDSs to indicate the type of firewall technology and the type of IDS technology you placed in each location of your diagram
Where the interconnection(s) to the Internet are, and to your clients, sub-contractors and remote staff accessing your organization's various IT system resources via the Internet
The level of detail in your diagram should be one at which you would feel comfortable explaining it to a group of high-level executives
There is no single right answer: the purpose of this exercise is to get you thinking about security architecture and to get you comfortable with documenting your ideas in diagrams
Preparation for the midterm
Emphasis on terminology and concepts
Study lecture slides and notes
Readings: textbook assigned chapters (look at the practice questions in the textbook); other readings (e.g. NIST and FIPS documents) as covered/discussed in class lectures
Practice quizzes
See additional material: MIS5214_StudyMaterials_Firewalls-IDS-IPS.pdf in the Wrap Up of this lecture
Subjects covered:
1. Threat environment
2. Planning and policy
3. Cryptography
4. Secure Networks (and Module A: Networking Concepts)
5. Firewalls