jwp whitepaper hoehl khalil
Post on 19-Feb-2018
7/23/2019 Jwp Whitepaper Hoehl Khalil
Implementing and Automating Critical Control 19: Secure Network Engineering for Next Generation Data Center Networks
STI Joint Written Project
Authors: Aron Warren, George Khalil, Michael Hoehl
Accepted:
Abstract
This document provides technical and best practice approaches to implement and automate safeguards consistent with control 19, "Secure Network Engineering", of the SANS Twenty Critical Security Controls for Effective Cyber Defense. The scope is the secure design of cutting-edge, high speed 40GbE networks designed to host Internet-facing web and mobile applications.
SANS JWP Implementing and Automating Critical Control 19: Secure Network Engineering for Next Generation Data Center Networks
1 Executive Summary
People seem to want to treat computer security like it's rocket science or black magic. In fact, computer security is nothing but attention to detail and good design.
Marcus J. Ranum
Next Generation networks will have to defend against many of the same threats targeting today's networks. Modern reconnaissance, discovery, and mapping approaches are versatile and just as effective at higher network speeds. The major difference is the speed of exploitation. Whereas today's network may require a few days to complete a multi-gigabyte data theft attack, poorly designed Next Generation 40 Gigabit Ethernet (40GbE) networks can facilitate this same exploit in just a few seconds. This condition makes the requirement for secure network engineering vital for Next Generation networks.
Network design is foundational to security controls. Incorporating safeguards at this level is essential to prevent the circumvention of higher level controls. The first and most fundamental requirement is to build a multi-tiered network architecture. To accomplish this, assets of similar value and function are segmented into enclaves. Chokepoints are then created between each enclave. This approach allows access, detective, and preventive controls to be implemented in a logical manner with rapid response to suspected threats. Further, proxies can be introduced at each chokepoint that further reduce the surface of attack.
The proposed N-Tier architecture has two silos. The first silo contains the segmented applications. Enclaves for Internet Access, SSL/Proxies, HTTP/API Servers, Web Applications, and Data are recommended. The second silo contains the infrastructure services. Enclaves for Customer Authentication, Network Applications, Management, and B2B connections are recommended in this silo.
Once the N-Tiered network architecture is in place, additional controls are implemented within each enclave. Controls include centralized authentication, IPS, NAC, malware scanning, data leakage prevention, vulnerability and patch management. These controls are tuned for each enclave to optimize performance and effectiveness.
STI Joint Written Project
Enclaves are interconnected using a security fabric. A security fabric is created by using a switching platform that provides multiple security services across the enclaves. The security fabric includes the familiar firewall capabilities. It is also expanded to provide other security services including network IPS/IDS, web application and database firewalling, in-line malware scanning, and load balancing. By combining all these services within the security fabric, packets can be exchanged beyond 40Gbps through backplane speeds of over 2.3 ... in June 2010. In 2012, only a few vendors are offering products that support 40GbE and adoption by enterprises has been slow. A solution based on functional requirements and product availability is provided in this paper. A Bill of Materials is included in Appendix B.
Technology is just one part of a triad of considerations. People and process are the other core considerations for this paper's proposed solution. Documentation and procedures are necessary to optimize the existing staff resources. Documentation is living, with regular updates expected from the requirements phase to asset retirement. Automation of processes is necessary at 40GbE. Several approaches are proposed, including engaging Managed Security Service Providers (MSSPs) who must be experienced in 40GbE or higher technologies.
There are several benefits associated with this secure network engineering of next generation networks. These include improved security, increased design credibility, better manageability, lower total costs, and faster response to threats. Ultimately,
adopting these design recommendations will provide a solid foundation for safeguarding infrastructure and data at the highest speeds available today, and tomorrow.
2 Problem Description
2.1 Introduction to SANS Critical Security Control 19
The SANS Institute, in collaboration with many other organizations, extracted twenty critical technical security controls (SANS, 2011) from Revision 3 of the NIST Special Publication 800-
Specifically mentioned in the control is the use of a layered DNS service. This is achieved by only allowing intranet DNS servers to forward unanswerable queries to DNS servers located in a DMZ. In turn, the DMZ DNS server is only allowed to forward requests to the Internet.
To measure the success of the design, port and vulnerability scanners are used to determine the visibility of systems. If unauthorized systems are found, or sensitive data machines, such as database servers, are located and publicly visible, then the scoring of the design takes a noticeable numerical hit.
2.2 Critical Security Control 19 Implementation Challenges
When designing a secure network, a balance of security, performance and accessibility must be achieved. A perfectly secure network would be air-gapped, with so many controls in place that the functionality would border on unusable. That design is not what this paper strives to achieve. When too many controls are put into place, the performance of the network begins to degrade. This paper's objective is to define a secure network approach that performs at 40 Gbps Ethernet (40GbE) throughput. This meant some of the security controls had to be shifted to specific individual devices in order to ensure the necessary throughput. When single points of failure create too high a risk for loss of availability, redundancy must then be considered. The design presented here does not detail all of the possible redundancy options that could or should be implemented but instead focuses on the theme of Critical Control 19: a design that prevents a hacker from pivoting through the network by minimizing attack points and creating data chokepoints for analysis. Network design must incorporate security controls early into the planning process rather than as an afterthought. By not building security into the project early, higher (and possibly unexpected) implementation costs might occur down the road.
2.3 Network Challenges for Next Generation Networks
40GbE and 100GbE, at the time of this writing, are still considered cutting edge technologies, with few vendors offering a product line specifically targeting 40GbE. To clarify, this paper focuses on 40GbE in a single pipe as opposed to aggregation of 4
separate 10GbE pipes. Even though switch vendors have been offering 40GbE backplane speeds for several years now, today the chokepoint or bottleneck impacting total throughput is not the switching fabric. The problem lies with the ability of the other technologies, such as firewall, IDS, IPS and applications, to keep up with the sheer volume of data being thrown at them.
The level of uncertainty increases relative to speed too. For example, in the past if 1% of traffic was missed on a 100Mbps pipe, this only resulted in an actual uncertainty of 1Mbps. However, this same 1% is equivalent to 100Mbps of unanalyzed traffic at 10GbE and 400Mbps at 40GbE. With an increase in speed, the scale of unanalyzed traffic (uncertainty) grows to an unacceptable level.
40GbE introduces human capital challenges as well. More traffic, and the associated monitoring, will require additional experienced staff to review the alerts and events that will be created. The 40GbE flows and technologies will also demand a higher skilled staff. Automation will be critical if adding staff is not in the budget.
Forensics analysis teams are only now beginning to ramp up for 40GbE. Organizations must be careful not to get too far ahead of incident handling teams, law enforcement, and assessment teams. In the event these teams are not prepared to work with the 40GbE infrastructure, the enterprise may find work being done on production systems, or even worse, the production systems may get confiscated to conduct investigations.
2.4 Organizational Challenges with 40GbE and Next Generation Networks
For this STI Joint Written Project, a fictitious organization was created and named GIAC Enterprises. GIAC Enterprises is a small to medium sized growing business with 1,000 employees, two data centers, 200 people in central business and IT, and is the largest supplier of fortune cookie sayings in the world. GIAC Enterprises has recently decided to implement a 40GbE network to meet the demands of mobile apps that deliver fortunes. The CIO has created a special tiger project team to handle this challenge. The recommendations and scope of this paper are associated with this type of organization
profile. Further, the business has asked that automation be considered wherever available so that additional staffing is minimized.
3 Functional Requirements
As with all projects and designs, a clear understanding of business and technical requirements is required. Based upon the fictitious company GIAC Enterprises' organization profile, the following requirements were used to develop this paper's recommendations.
With 40GbE networks, security cannot be bolted on as an afterthought. The network design will not be successful if security is not included early in the requirements and planning phases. Secure network engineering is only 1 of 20 critical security controls; however, it can be one of the most impactful. Further, there are no higher level controls that can overcome a serious deficiency with lower level network controls. Without proper network design and build practices, many of the other 19 critical security controls can be defeated or simply circumvented.
3.1 Documentation
Secure network engineering begins with gathering documentation, not creating documentation. Understanding the specific business purpose(s) of the new infrastructure, risk appetite of the organization, existing infrastructure, current data flows, planned interfaces, financial constraints, corporate security policies, and contractual (e.g., PCI) and regulatory (e.g., SOX) obligations are important first steps. Gaps are typically discovered during this first phase. A small investment of time here can result in big payoffs later in the project.
Creating an accurate map of the current and intended network is necessary early on in the project. A traditional network topology map is an excellent start; however, this does not provide the entire picture. Documentation should also include all protocols running through the network, data flows, chokepoints, asset lists (including value), access controls, and system administration methods. Inter-system dependencies should also be documented. For example, an IP host cannot talk to its peer over the network without name resolution. Several of these documents are living and change regularly. Establish
a change management procedure for documents, as well as a means to properly secure the documentation.
3.2 Data Center Physical Controls
Next, a data center site review is in order. Network engineers will commonly consider data center environmentals (e.g., cooling, power, cable distribution, and rack space). However, data center physical security controls must also be inspected and planned for. Secure network engineering includes implementing proper physical safeguards to protect the new infrastructure from unauthorized access, tampering, and theft. Ensure appropriate data center facility entry controls are implemented to limit and monitor physical access to systems and infrastructure. Visitors must be easily distinguished from authorized staff. Visitor logs, which include all staff and visitors, building card access systems, and surveillance equipment must be implemented. Physical security controls and logging are also required for any removable media.
3.3 Enclaves
Fast, fat, and flat may seem like an ideal mantra for next generation networks. However, this design approach leads to operational and security risks. Lack of segmentation makes it difficult for the NOC to monitor traffic flows for anomalies and routing failures. Congestion management and avoidance become challenging as well. Inspection and troubleshooting of Layer 4 through Layer 7 problems with conventional tools becomes almost impossible. High value assets become mixed with different assets that are not maintained, safeguarded, and monitored with the same level of rigor. The surface of attack then becomes large and these low value assets might become pivot points of attack.
Today's advanced web and mobile applications are tiered in architecture. This provides another credible argument for separation of hosts into communities or enclaves. An enclave allows for easy grouping of assets of similar functionality or value. Trust boundaries can be created, making it easier to assign responsibilities and establish accountabilities. Chokepoints can be introduced between the enclaves to prioritize network flows, inspect traffic, and perform forensics. The chokepoints can also be used
to limit access to the hosts and their associated applications. The use of enclaves is mandatory.
Additionally, enclaves make audit and compliance reporting easier for organizations. Not everything has to be in scope for inspection by an auditor or compliance assessor. If the infrastructure contains hosts of various data classifications, then separation can provide financial benefits as well. When all hosts are present on a flat network, security controls that are required for compliance (e.g., PCI DSS 2.0) may need to be applied to all hosts within the segment. This may end up being extremely costly.
As a minimum design standard, the following enclaves are required:
Figure 3.3: Enclave Overview
The silo of enclaves on the left of Figure 3.3 is for the N-Tier Applications. The Internet Access Enclave serves as the entry point into the infrastructure from the Internet. This enclave contains the Internet access provider equipment, including routers and switches. A dedicated, standalone firewall separates the untrusted Internet access
provider network from the trusted customer premises equipment. The SSL/Proxy Enclave serves as the peering point for SSL encryption of mobile and browser devices. Customers are challenged for authentication from this enclave. Additionally, proxies are to be hosted within this enclave. The HTTP/API Enclave, Web Application Enclave, and Data Enclave are required to host the equivalent N-Tier application function.
The silo of enclaves on the right of Figure 3.3 is for Infrastructure Applications. The Customer Auth Enclave contains the credential stores for customer authentication and authorization. The Network App Enclave contains services like DNS, NTP, RADIUS, SIEM, and tape back-up. The B2B Enclave is essentially a landing beach for business partners to securely communicate with systems within the other enclaves. The Management Enclave contains the jump boxes for remote administration and support. Further technical elaboration is provided in Section 4, Secure Network Engineering Practices for Next Generation Networks.
3.4 Firewalls and Security Applications
Firewalls are used to interconnect the enclaves. The firewalls must be configured to perform stateful inspection of network traffic. A standalone firewall is also required for the Internet Access Enclave. A separate standalone firewall is required to connect the N-Tier to the Enterprise Core. A security fabric is recommended to interconnect the N-Tier Application Enclaves. In addition to the conventional firewall functionality, the security fabric includes integrated security applications. These security applications are integrated into a high-speed
etc.) do not starve resources that are customer facing. For example, data that needs to be exported, transformed, and loaded routinely may create a sustained high utilization on the 40GbE network. This will consume switch, firewall, and network interface card capacity. A separate firewall for this purpose helps reduce the risk of appreciable performance impact on interactive customer transactions. A firewall policy manager is required to optimize policies and firewall rules. A tool for monitoring flows through the firewall is also required to ensure state table overflow does not occur. This last function might be available as part of the firewall element manager.
3.5 Internet Access
The network design must support multiple Internet Service Providers and diversity. The purpose of this requirement is primarily availability. Also, the design must incorporate integration between at least two data centers. The purpose of this requirement is to synchronize data between environments (PROD-PROD and PROD-UAT). Disaster recovery plans must be developed and scripted procedures implemented prior to the infrastructure being made generally available.
3.6 DNS
Internal DNS must be designed in a hierarchical manner. Secure DNS servers are required within the Network Application Enclave. These DNS servers are intended for hosts within the N-Tier Application and Infrastructure Enclaves only. These DNS servers must point to trusted DNS servers within the Enterprise Core. The Enterprise Core DNS servers then connect to authoritative servers on the Internet. DNS servers within the Network Application Enclave, as well as all DNS clients within the other enclaves, are not permitted direct Internet access for name resolution. For queries of external domains, the Network Application Enclave DNS servers must perform recursive lookups through the Enterprise Core DNS servers. Zone transfers in/out of the Network Application Enclave are not permitted. A managed service provider must host and protect the domain used by customers to access the services offered by GIAC Enterprises. Customer queries of the external domain are not to be resolved by the DNS servers within the Network App Enclave.
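The layered DNS described in Section 2.1 and the requirements above can be turned into a policy check over a resolver query log. The following is an added example, not part of the paper: the enclave address plan, server addresses and log format are constructed assumptions, and the checker flags clients that bypass the enclave resolvers, enclave resolvers that reach past the Enterprise Core, zone transfers crossing the Network App Enclave boundary, and external clients querying the enclave servers.

```python
import ipaddress
import re

# Constructed address plan for GIAC Enterprises' enclaves (assumption, not from the paper).
ENCLAVES = {
    "network_app": ipaddress.ip_network("10.30.0.0/24"),
    "enterprise_core": ipaddress.ip_network("10.100.0.0/16"),
    "ntier_web": ipaddress.ip_network("10.20.0.0/24"),
    "ntier_data": ipaddress.ip_network("10.21.0.0/24"),
    "management": ipaddress.ip_network("10.40.0.0/24"),
}
# Only these hosts are DNS servers; everything else is a client (constructed addresses).
NETWORK_APP_DNS = {"10.30.0.53", "10.30.0.54"}
CORE_DNS = {"10.100.0.53"}
ZONE_TRANSFER = {"AXFR", "IXFR"}

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) qtype=(\S+) qname=(\S+)")


def enclave_of(ip):
    """Map an address to its enclave; anything outside the plan is treated as Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ENCLAVES.items():
        if addr in net:
            return name
    return "internet"


def evaluate(line):
    """Return (verdict, reason) for one query-log line; verdict is allow, violation or ignore."""
    m = LOG_RE.search(line)
    if not m:
        return ("ignore", "unparsed line")
    src, dst, qtype = m.group(1), m.group(2), m.group(3).upper()
    src_enc, dst_enc = enclave_of(src), enclave_of(dst)
    # Zone transfers may never enter or leave the Network Application Enclave.
    if qtype in ZONE_TRANSFER and "network_app" in (src_enc, dst_enc) and src_enc != dst_enc:
        return ("violation", "zone transfer across the Network App Enclave boundary")
    # Enclave DNS servers forward only to the Enterprise Core (or talk among themselves).
    if src in NETWORK_APP_DNS:
        if dst in CORE_DNS or dst_enc == "network_app":
            return ("allow", "enclave DNS forwarding to Enterprise Core")
        return ("violation", "enclave DNS server resolving outside the Enterprise Core")
    # Enterprise Core servers are the only tier permitted to recurse to the Internet.
    if src in CORE_DNS:
        return ("allow", "Enterprise Core recursion")
    # Customers resolve the external domain at the MSP, never at the enclave servers.
    if src_enc == "internet" and dst in NETWORK_APP_DNS:
        return ("violation", "external client querying enclave DNS")
    # Every other enclave host must use the Network App Enclave servers, nothing else.
    if src_enc not in ("internet", "enterprise_core"):
        if dst in NETWORK_APP_DNS:
            return ("allow", f"{src_enc} client using enclave DNS")
        return ("violation", f"{src_enc} client bypassing enclave DNS (dst in {dst_enc})")
    return ("ignore", "out of scope for this policy")


def audit(lines):
    """Return [(line_number, reason)] for every violation in a list of log lines."""
    findings = []
    for number, line in enumerate(lines, 1):
        verdict, reason = evaluate(line)
        if verdict == "violation":
            findings.append((number, reason))
    return findings


SAMPLE_LOG = [  # constructed query log, not captured from any real network
    "t=1 src=10.20.0.15 dst=10.30.0.53 qtype=A qname=db01.ntier.internal",
    "t=2 src=10.20.0.15 dst=8.8.8.8 qtype=A qname=update.example.net",
    "t=3 src=10.30.0.53 dst=10.100.0.53 qtype=A qname=cdn.example.net",
    "t=4 src=10.30.0.53 dst=192.0.2.10 qtype=A qname=cdn.example.net",
    "t=5 src=10.100.0.53 dst=192.0.2.10 qtype=A qname=cdn.example.net",
    "t=6 src=10.100.0.53 dst=10.30.0.53 qtype=AXFR qname=ntier.internal",
    "t=7 src=198.51.100.7 dst=10.30.0.53 qtype=A qname=www.giac.example",
    "t=8 src=10.30.0.54 dst=10.30.0.53 qtype=IXFR qname=ntier.internal",
]

if __name__ == "__main__":
    for number, reason in audit(SAMPLE_LOG):
        print(f"line {number}: {reason}")
```

Lines 2, 4, 6 and 7 of the sample are reported; line 8 is a transfer between the two enclave servers and stays inside the boundary, so it passes.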
3.7 System and Infrastructure Hardening
System and infrastructure hardening is required. Benchmarks from SANS, CIS, or a similar authoritative source must be adopted as part of the standard system build process. Verification of build standards must be done prior to commissioning the system. Automation of security control verification and recurring configuration inspection must be implemented. Procedures should follow an authoritative standard (e.g., NIST Special Publication 800-128, Guide for Security-Focused Configuration Management of Information Systems). Lastly, formal certification and accreditation procedures for systems must be created and integrated into change management.
3.8 Configuration and Change Management
Automated file-integrity monitoring (also known as change-detection software) is required to track network and security component alterations. These tools must alert staff to unauthorized modification of critical system files, configuration files, or content files. Recurring configuration comparisons must be performed to ensure the integrity of applications, systems, and infrastructure. All detected configuration changes with material impact must be reconciled to Change Management tickets.
3.9 Virtual Server and Blade Server Management
Virtual switching is inherent to hypervisor platforms. Care must be taken when implementing Layer 3 virtual switch capabilities. Network based security controls (e.g., firewalls, NIPS, etc.) are not to be circumvented using these virtual switches. Flows associated with virtual servers and blade servers are to be inspected in the same manner physical hosts would be. Trunking is not permitted, to ensure 802.1q tagging exploits are not successful. Separate NICs on the hypervisor and blade server chassis must be used for each enclave. NetFlow or a similar technology must be included in the solution to baseline traffic patterns and to identify communication anomalies between virtual clients.
3.10 Vulnerability and Threat Management
Vulnerability scanning and penetration testing must be performed routinely. Scanning and testing must be performed using sources originating from the Internet as well as from within each enclave. This provides insight into the initial surface of attack as well as pivot weaknesses.
Once the vulnerabilities are identified through scanning or vendor notification, remediation is required. An operational framework is required that delivers patch and non-patch remediation in a timely manner. Consider an approach based on NIST Special Publication 800-40 Version 2.0, Creating a Patch and Vulnerability Management Program.
Real-time threat analysis must be performed using IPSs and in-line malware and spyware scanning. Host Intrusion Prevention Systems (HIPS) are highly recommended for seasonal companies that cannot patch systems promptly throughout the year. Seasonal freezes (e.g., Chinese New Year) may require systems to go unaltered for months, preventing implementation of patch and non-patch remediation within 30 days. A HIPS can help serve as a bridge during these freezes. Additional IPSs are recommended, including Web Application Firewalls (WAF) and Database Activity Monitoring (DAM). For 40GbE next generation networks, WAF and DAM services are becoming vital for detecting higher level attacks that may be diluted among the millions of events and alerts being reported by the systems.
3.11 Log Management
Threat monitoring with actionable intelligence is a prerequisite for rapid response. A Security Information and Event Management (SIEM) system is required to gather, process, correlate, alert on, and archive security events. Events from IDSs (e.g., replay attacks, fragmentation attacks, buffer overflow attacks, etc.), firewalls (e.g., DoS attacks, port errors, dropped packets), SSL (e.g., DoS attacks, certificate errors, session drops), reverse-proxies (e.g., dictionary logon attacks, cached content changes, etc.), and file integrity monitoring can collectively overwhelm the SOC staff without automation.
Resiliency depends on a clear understanding of operational and security threats. If the log sources are not properly configured, then the SIEM and SOC cannot be effective. Log and event sources for SIEM include operating systems, applications, databases,
network, and security components. Secure Network Engineering includes the proper configuration of these components to generate the necessary events that drive incident response. Further, the log sources and files must be safeguarded from unauthorized viewing and alteration while in transit, if possible, and while in storage. Logs must be sent to a centralized SIEM to protect the integrity of event data. A log source configuration standard based on PCI Requirement 10 or NIST Special Publication 800-92, Guide to Computer Security Log Management, is required.
3.12 Asset Management
An asset management system or CMDB is required to track assets and configuration information in a secure manner. This information should be verified routinely using automated tools that scan the network and fingerprint assets. Assets must be scanned for data classification as well. Scanners must incorporate algorithms to identify restricted data (e.g., the Luhn Mod-10 method for identifying and validating credit card primary account numbers).
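A restricted-data scanner of the kind the requirement calls for needs more than a digit pattern: the Luhn Mod-10 check is what separates a primary account number from a timestamp or session id of the same length. The following is an added example, not code from the paper; the candidate regex, the masking format and the sample file contents are constructed, and the card numbers are standard test numbers.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (constructed pattern, an assumption of this example).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn Mod-10: double every second digit from the right, fold >9 to a single digit,
    and accept when the sum is divisible by 10."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return normalized digit strings that look like PANs and pass the Luhn check."""
    found = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        # Length filter after normalization; reject degenerate runs of one digit.
        if 13 <= len(digits) <= 19 and len(set(digits)) > 1 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan):
    """Report only the first six and last four digits, as a scanner log should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def classify_assets(files):
    """files: {path: content}. Return {path: [masked PANs]} for files holding restricted data,
    so the asset record in the CMDB can be tagged with the data classification."""
    hits = {}
    for path, content in files.items():
        pans = find_pans(content)
        if pans:
            hits[path] = [mask(p) for p in pans]
    return hits


SAMPLE_FILES = {  # constructed file contents; 4111... and 5500... are standard test numbers
    "/srv/web/orders.log": "order 18842 card=4111 1111 1111 1111 ts=20120601103000",
    "/srv/web/config.ini": "session_id=1234567890123456\nhost=db01",
    "/srv/data/export.csv": "cust,pan\n4471,5500-0000-0000-0004\n",
}

if __name__ == "__main__":
    for path, pans in classify_assets(SAMPLE_FILES).items():
        print(path, pans)
```

The 14-digit timestamp and the 16-digit session id both match the candidate pattern but fail Luhn, so only the two real test PANs are reported.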
Rogue device detection must be performed routinely. Data center physical security controls should be the primary preventive control to stop unauthorized devices from connecting to the network. Rogue device detection should be used to verify that the physical controls are effective. The automation for asset discovery and restricted data scanning may be used for discovering rogue devices.
3.13 Access Management
Authentication, Authorization, and Auditing (AAA) systems for customers must be separate from those for system administrators. High Authority accounts used by DBAs, firewall administrators, network engineers, system administrators, and vendors must be located in a separate enclave from customer accounts. No trust is to be established between the Enterprise Core, High Authority, and Customer credential systems.
Remote administration is made available from the Management Enclave. Business partners, manufacturer support staff, outsourced staff, managed service providers, and the IT staff must all use jump boxes to gain access into the applications, systems, and infrastructure. Products that may be considered for the jump box function include
Microsoft Terminal Server, Citrix, and VMware. Multi-factor authentication is required for access onto these jump boxes. Further, remote administrators must have their computers scanned to verify basic security controls are in place and working properly. Network Access Control (NAC) products are to be implemented to check the status of malware prevention, personal firewall, patches, and vulnerabilities on administrator computers prior to revealing the jump boxes.
3.14 Performance Management
SNMP, RMON, and NetFlow are common tools for network engineers to perform performance monitoring and capacity planning. These protocols must be properly secured. Vendor defaults (e.g., the SNMP community string "public") are not permitted. SNMP v3 is required. When available, authentication and encryption controls must be incorporated into the performance management design.
3.15 Forensic Management
Support for out-of-band forensic analysis and network monitoring is required. Network taps or in-line OSI Layer 1 network monitoring devices are acceptable. These devices are to be transparently connected so that they do not introduce performance degradation. SPAN or similar technology features are not to be used on 40GbE components. In addition, the network monitoring devices must be integrated in a manner that does not allow circumvention of network based security controls (e.g., firewalls). Dedicated network monitoring systems for each enclave would provide the necessary boundary to prevent this exploit.
3.16 Service Management
Where there is a business advantage, consider the use of managed service providers as an alternative to additional staffing. Opportunities include domain hosting, managed PKI, firewall/IPS/IDS/AV management, security operations center services, computer security incident handling, vulnerability scanning and penetration testing. Some of these same services are available as a cloud computing offering. This option might be desirable for reducing capital and expense commitments. This allows the limited IT staff to focus on business communications and solutions by reducing the demands of daily
security operations. This also provides an elastic bench of resources for the busy seasons and rapid business growth.
4 Secure Network Engineering Practices for Next Generation Networks
Before authoring this paper, the STI team approached vendors, consultants, and early adopters of 40GbE to share their expertise and lessons learned. This research incorporates their feedback. Current benchmarks and standards were also reviewed for applicability to 40GbE. Section 4 presents risk considerations, remediation strategies, technical approaches, design recommendations, and references to best practices for secure network engineering of a 40GbE infrastructure intended to host web and mobile applications.
4.1 Design and Build Technical Approach for Next Generation Networks
Figure 4.1 visually depicts a high-level network architecture overview with multiple enclaves that host an Internet facing mobile or web application.
Figure 4.1: High-Level Network Architecture Overview
Two major groups of enclaves are recommended. The silo of enclaves on the left of Figure 4.1, labeled N-Tier App Enclaves, contains the web and mobile applications. Each function of the application is isolated into a separate enclave. This silo of enclaves is connected by a customer facing firewall (A) and an infrastructure firewall (B). Separate firewalls are used substantially for performance and capacity planning in a 40GbE network, not for security. As new 40GbE firewalls arrive on the market, a single multi-port firewall to interconnect all N-Tier Application Enclaves could be considered with proper capacity planning. Access is cascading between enclaves through the firewall so that any enclave can only connect to adjacent enclaves within the N-Tier Application Enclave silo. The Infrastructure Enclaves contain network applications and access controls necessary for all N-Tier Application Enclaves. This includes account authentication and authorization, in addition to common network applications (e.g., DNS, tape back-up, SNMP, patching, etc.). Administrators of the systems and applications within the N-Tier
"T/ 0oint Written ro5ect
Application Enclave must pass through the Management Enclave. The B2B Enclave is for EDI, ETL, and vendor partner connections (e.g., MSSP). The Enterprise Core access into this new infrastructure is restricted using a dedicated firewall(s) (D) and Internet access into the N-Tier Application Enclave is also restricted using a dedicated firewall(s) (C).
Once the network has incorporated proper security controls, the architect must consider the operational impact of 40GbE speed. Automation becomes a critical consideration as the velocity of data increases many orders of magnitude. With speed comes an increase in the number of flows, events, and triggers. Procedural controls that were successful with slower speed networks may get overrun at higher speeds. For example, swapping current firewalls with new firewalls containing faster 40GbE interfaces has a cascading effect. The firewall may be able to handle the new packet volume; however, the SOC, SIEM and associated firewall administration tools may go into a meltdown. Security controls, automation, and capacity planning must go hand-in-hand.
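As an added example (not from the paper), the cascading access rule of Section 4.1 expressed as a check over a proposed firewall rule set: the enclave names follow Figure 4.1, while the rule tuples and the purpose labels are constructed for illustration.

```python
from collections import deque

# Enclave order of the N-Tier Application silo described in Section 4.1,
# Internet facing on the left, data on the right.
TIERS = ["Internet Access", "SSL/Proxy", "HTTP/API", "Web Application", "Data"]
MANAGEMENT = "Management"


def is_adjacent(src, dst):
    """True when src and dst are neighbouring enclaves within the silo."""
    if src not in TIERS or dst not in TIERS:
        return False
    return abs(TIERS.index(src) - TIERS.index(dst)) == 1


def audit_rules(rules):
    """Return findings for proposed firewall rules given as (src, dst, purpose).

    Findings:
      non-adjacent : a rule that jumps over an enclave or leaves the silo
      direct-admin : administrative access that does not originate in the
                     Management Enclave (Section 4.1 requires proxying it)
    """
    findings = []
    for src, dst, purpose in rules:
        if purpose == "admin" and src != MANAGEMENT:
            findings.append(("direct-admin", src, dst))
        elif purpose != "admin" and not is_adjacent(src, dst):
            findings.append(("non-adjacent", src, dst))
    return findings


def hop_count(rules, start, goal):
    """Fewest permitted hops from start to goal, or None if unreachable.

    With cascading access Internet traffic must cross every tier; a rule that
    skips a tier shows up as a shorter path to the Data Enclave."""
    graph = {}
    for src, dst, _purpose in rules:
        graph.setdefault(src, set()).add(dst)
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, hops = queue.popleft()
        if node == goal:
            return hops
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return None


# Constructed rule set: the cascading chain, one correct management rule,
# and two policy violations (constructed, not from any real deployment).
PROPOSED_RULES = [
    ("Internet Access", "SSL/Proxy", "https"),
    ("SSL/Proxy", "HTTP/API", "http"),
    ("HTTP/API", "Web Application", "app"),
    ("Web Application", "Data", "sql"),
    ("Management", "Web Application", "admin"),  # correct: proxied via Management
    ("SSL/Proxy", "Data", "sql"),                 # violation: skips two tiers
    ("Enterprise Core", "Data", "admin"),         # violation: direct admin access
]

COMPLIANT_RULES = PROPOSED_RULES[:5]

if __name__ == "__main__":
    for finding in audit_rules(PROPOSED_RULES):
        print("finding:", finding)
    print("hops Internet Access -> Data, compliant rules:",
          hop_count(COMPLIANT_RULES, "Internet Access", "Data"))
    print("hops Internet Access -> Data, proposed rules:",
          hop_count(PROPOSED_RULES, "Internet Access", "Data"))
```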
4.2 Internet Access Enclave
This first enclave within the N-Tier Application silo is where the mobile and web applications are revealed to the Internet. Multiple Internet access providers may be terminated here to provide diversity and redundancy.
Figure 4.2 Internet Access Enclave
4.2.1 Risk Considerations and Remediation Strategies
This is the first location where customer and attacker are being identified and separated. This enclave contains the highest level of uncertainty because the untrusted network and trusted network are both present. Internet sourced mapping and scripted attacks use this as their primary point of entry. Intrusion detection and prevention devices are necessary to safeguard the infrastructure as well as to examine the evolving taxonomy of Internet based attacks. Probes and brute force authentication attacks targeting infrastructure devices at this layer are common. Poorly designed networks will unintentionally allow enumeration of network accounts in RADIUS/TACACS or AD/LDAP credential stores.
Ethernet switches in general are by design oversubscribed (sum of physical interface speed exceeds switch backplane speed) and can be overwhelmed by sustained traffic
volume from metro networks. A standalone firewall and switch are recommended for this enclave for the above mentioned performance reason as well as security benefits.
4.2.2 Technical Approach and Design Recommendations
The Internet Access Enclave is the first layer into the network. Redundancy, high availability and resource isolation are critical to maintain stable and secure access for customers. To offer redundancy, Internet access should be provided by multiple ISPs, for diversity, using different paths and peering partners. This approach will provide high availability in the event of an ISP outage, upstream provider failure, or network equipment failure. Multiple ISPs will allow traffic engineering, load balancing and provide an alternate connection in the event of a DoS attack.
Each connection from the Internet access providers should be terminated into a router supporting 40GbE interfaces running BGP using a private AS number. This provides IP mobility across separate ISPs and allows for future transitions between carriers. Internet facing interfaces must prevent any leakage of internal routes, topology broadcasts or redistribution, and explicitly prevent external management of the routers. For traffic engineering, multiple high availability instances can be created to allow a path across both ISPs concurrently.
Any peering relationship (e.g., routing protocols, VPN, RADIUS, etc.) must be mutually authenticated prior to making a trusted connection. This control will help defeat attack sources masquerading as a trusted peer. Integrity checking must also be in place to defeat man-in-the-middle attacks.
The Internet access routers connect into a high speed 40GbE switch which provides a common media for high availability and fail-over capabilities. Network taps provide inspection points for Internet traffic. Switch SPAN features are not recommended.
A firewall connects the aforementioned switch to the N-Tier Application silo. This perimeter firewall must be a standalone device with large processing power capable of handling legitimate traffic and potential attacks simultaneously. The standalone firewall is intended to serve as a buffer between the Internet Access Enclave and the remaining enclaves within the N-Tier Application silo. This approach prevents resource exhaustion attacks that target the Internet facing firewall. External management and non-public
information exposure must be disabled on the outside interfaces. The firewall should point to the High Availability IP address of the perimeter routers based on the traffic engineering designs. Access Control Lists (ACLs) should be created with permit statements that match security policy and align with business requirements. This approach applies to both inbound and outbound traffic. ACLs must end with an explicit deny with logging enabled for dropped connections. Logging of denied packets provides valuable insight including common attack vectors, taxonomy, and firewall administrator ACL change errors. This data is also valuable for effective data and event correlation across all network and security devices. Logging of the permitted traffic is a commonly accepted practice. Data leakage considerations should include network related information (e.g., internal IP addresses, routing tables, etc.). ICMP should be disabled to defeat reconnaissance efforts by attackers. Further, ICMP should be filtered to prevent smurf attacks and using the network as a reflection or amplification point.
Flow data should be enabled on all devices that support it (e.g., Cisco 12816 router). This network data is very useful to the security team with 40GbE networks to identify baseline changes, detect threats, and perform event correlation. This same data is valuable to an attacker when mapping the network. Safe network engineering practices must be considered early on so that flow data is not exfiltrated or altered.
There are multiple options to forward traffic on to the next enclave (SSL/API). The first option and most traditional is Network Address Translation (NAT). NAT is only recommended at the perimeter within the Internet Access enclave. This is required to translate from the ARIN IP address space to an RFC 1918 private IP address space. For the other enclaves, RFC 1918 addresses are used (e.g., 10.0.0.0/8, 192.168.0.0/16, and 172.16.0.0/12) and routing is performed. Routing is recommended because there is less queue delay associated with deep packet inspection and less chance of errors than with NAT traversal. The routing protocol must be secure, ensuring that routes cannot be maliciously manipulated or deleted. Recommended security controls include router authentication and integrity checking. Modern firewalls support routing protocols with associated security settings. The routing protocol should have established boundaries. Routing tables are not to be redistributed from Enterprise or Internet peers. Route summarization or static routes must be used.
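An added example, not part of the original paper, that applies the ACL requirements above to a constructed IOS-style extended ACL: an explicit final deny with logging, no entries shadowed by a catch-all deny, no blanket permit, and RFC 1918 sources dropped before any permit on the Internet-facing interface. The ACL text and the addresses in it (TEST-NET 203.0.113.0/24) are constructed.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 space must never appear as a source on the Internet-facing
# interface; an antispoofing deny for each block has to precede any permit.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    action: str                  # permit | deny
    proto: str                   # ip | tcp | udp | icmp ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    log: bool
    raw: str


def _addr(tokens, i):
    """Parse an IOS address clause at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # 'network wildcard' form: ipaddress accepts the wildcard as a host mask
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_ace(line):
    t = line.split()
    src, i = _addr(t, 2)
    dst, i = _addr(t, i)
    return Ace(t[0], t[1], src, dst, "log" in t[i:], line)


def _catch_all_deny(a):
    return a.action == "deny" and a.proto == "ip" and a.src == ANY and a.dst == ANY


def lint_acl(lines, internet_facing=True):
    """Return (code, ace_index, detail) findings for an ordered ACL."""
    aces = [parse_ace(l) for l in lines if l.strip() and not l.startswith("!")]
    findings = []
    last = aces[-1]
    if not _catch_all_deny(last):
        findings.append(("no-final-deny", len(aces) - 1, last.raw))
    for i, a in enumerate(aces):
        if _catch_all_deny(a):
            if not a.log:
                findings.append(("deny-without-log", i, a.raw))
            # nothing after a catch-all deny can ever match
            findings.extend(("unreachable", j, aces[j].raw)
                            for j in range(i + 1, len(aces)))
            break
    for i, a in enumerate(aces):
        if a.action == "permit" and a.proto == "ip" and a.src == ANY and a.dst == ANY:
            findings.append(("broad-permit", i, a.raw))
    if internet_facing:
        for net in RFC1918:
            for i, a in enumerate(aces):
                if a.action == "deny" and a.proto == "ip" and net.subnet_of(a.src):
                    break                      # spoofed source is dropped first
                if a.action == "permit" and a.src.overlaps(net):
                    findings.append(("antispoof-missing", i, str(net)))
                    break
            else:
                findings.append(("antispoof-missing", len(aces) - 1, str(net)))
    return findings


# Constructed ACLs (not from any real device).
GOOD_ACL = [
    "deny ip 10.0.0.0 0.255.255.255 any log",
    "deny ip 172.16.0.0 0.15.255.255 any log",
    "deny ip 192.168.0.0 0.0.255.255 any log",
    "permit tcp any host 203.0.113.10 eq 443",
    "permit tcp any host 203.0.113.10 eq 80",
    "deny ip any any log",
]
BAD_ACL = [
    "permit tcp any host 203.0.113.10 eq 443",
    "deny ip any any",
    "permit udp any host 203.0.113.53 eq 53",
]

if __name__ == "__main__":
    print("good:", lint_acl(GOOD_ACL))
    for f in lint_acl(BAD_ACL):
        print("bad:", f)
```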
All network devices must have a common authoritative time source (NTP). This provides credibility for logging and data correlation.
4.2.3 Industry Best Practices and Authoritative Sources for Security Controls
Dynamic routing protocols, such as BGP, are generally preferred on border and edge routers due to the ability of the router to propagate route changes more efficiently and rapidly than by an operator entering the routes statically. BGP has existed for a long time and been thoroughly tested throughout the world. One of the benefits of dynamic routing protocols is they offer route injection protection such as TTL verification and authentication of peers (see Appendix A.2). Having independent AS numbers on the border routers provides flexibility to advertise routes to different ISPs for failover or attack remediation strategies (see Appendix A.2).
Routing black holes should be implemented on the routers and firewall and automated where available. Routers must already have the ACLs or maps in place to perform this traffic filtering. This is needed to minimize the amount of time needed to create the black hole and apply it. Automation is achieved when a black hole route is injected on one router and via a dynamic routing protocol is distributed to the other routers (see Appendix A.9.3).
Black hole routes are used to prevent traffic from crossing network segments. For example, a black hole route implemented on the border router might be used to prevent a DoS attack. Another example might be to prevent the further exfiltration of data. If the destination network is known, implementing traffic drops across the entire network can be done quickly and efficiently.
Deployment of Infrastructure ACLs (iACLs) is expected on border routers (see Appendix A.3). iACLs permit management and control traffic to the infrastructure switches and routers while preventing attack traffic directed at the infrastructure devices. Typically iACLs focus on source and destination IP addresses as well as Layer 4 ports and protocols. Antispoofing ACLs explicitly permit traffic based on authorized source IP addresses only. Any traffic sourced from outside the explicitly permitted IP address range is dropped (Schudel & Smith, 2008, Interface ACL Techniques, para. 3) such as
private network address leakage, Martians and bogons. Transit ACLs (tACLs) explicitly permit only required and authorized traffic to transit the IP network (Schudel & Smith, 2008, Interface ACL Techniques, para. 3). These ACLs typically don't filter IP addresses but are used more on packet types such as IP header options, IP fragments or protocols such as routing protocols.
Many general router hardening practices such as IP Options selective dropping and disabling of IP Source Routing must be deployed on the router (see Appendix A.9.5 and A.9.7 respectively). Unused features or services must be turned off on routers and switches. Such services include dhcp, bootp and NTP timeserving (see Appendix A.8). The additional CPU availability, created by removal of unused services, allows more flexibility to avoid CPU resource exhaustion.
Login banners are to be implemented on every device in the network to provide a vetted legal notice to anyone using the device as to the level of privacy and the legal issues associated with accessing the devices. Neither physical location data nor network architecture information should be found on any switches, routers or firewalls (see Appendix A.9.1).
Implement ARP inspection on routers to prevent malicious frame redirection or MAC table poisoning. Another method available is to hard code static MAC addresses for the most critical devices (see Appendix A.3).
Disable, if possible, or do not use VLAN 1, the default VLAN for some vendors. VLAN 1 is not to be revealed to any of the enclaves. Further, the management VLAN must only be revealed to the Management enclave. This eliminates the switch interface from being a possible target of attack.
A firewall located after the border router provides the next depth and breadth layer of defense (Schudel & Smith, 2008, Principles of Defense in Depth and Breadth, para. 1). Where implementation of traffic controls might overwhelm the border router, those controls are transferred to the firewall. Not only are the same Antispoofing ACLs, iACLs and tACLs found on the border routers implemented here, but more fine grained ACLs are implemented on the firewall, too. Adoption of an explicit deny rule is preferred here to allow only authorized ports and protocols through as determined by the firewall security plan (see Appendix A.4).
Quality of Service (QoS) is used to ensure that control and management traffic are guaranteed passage when the routers and switches are overwhelmed with normal data traffic (see Appendix A.1
4.3 SSL/Proxy Enclave
SSL accelerators and reverse proxy servers are present in this enclave. These serve multiple purposes, the most common being to off-load encryption processing overhead from HTTP servers. If logon is required, customers are challenged at this enclave for a name and password.
Figure 4.3 SSL/Proxy Enclave
4.3.1 Risk Considerations and Remediation Strategies
Man-in-the-middle, session hijacking, Cross-site Scripting (XSS), and denial of service (DoS) attacks are quite prevalent today. In some cases these attacks are effective because of poor network design. In other cases these attacks are effective because too much surface is revealed to the Internet, leaving systems vulnerable to attack because of product defects and configuration errors. Secure network engineering must include an
approach that reduces the surface of attack and optimizes performance. Specialty products like proxies and SSL accelerators are hosted in this enclave to defeat brute force authentication attacks and resource exhaustion attacks targeting HTTP and API Servers.
If logon is required, challenging for customer account authentication is done from this enclave. Logon at this point within the infrastructure is necessary to disguise the complexity (and potential vulnerability) of authentication servers deeper within the infrastructure. The actual customer credential store (account name, passwords, passphrase, account number, attributes, etc.) is not to be hosted within this enclave. The SSL accelerator or proxy will reach out to the authentication servers for credential verification. This design approach is necessary to defeat direct attacks against the authentication server platform (e.g., DoS, buffer overflow, etc.) that could result in circumventing authentication controls.
If SSL is used for mobile device or browser access (which is recommended), this enclave reveals the Internet sourced data in the clear for the first time. Security controls that safeguard confidentiality must be balanced with controls to inspect for attacks and errors. Keep in mind that encryption without inspection may disguise exfiltration occurring within the N-Tier Application Enclaves. Further, throughput of a 40GbE network can quickly decline when traffic is repeatedly encrypted and unencrypted.
Proxy and reverse proxy servers can be used to cache content. These platforms might be used as a springboard of attack. Cached content that is not properly safeguarded can result in unintentional data leakage. Further, malicious alteration of cache content could allow client side attacks.
4.3.2 Technical Approach and Design Recommendations
The SSL/Proxy enclave consists of an SSL offloading engine that will accept inbound 40GbE SSL traffic from mobile app customers and decrypt it. SSL poses certain challenges for security device inspection as packets traverse the network in an encrypted form. Utilizing an SSL offloading appliance provides the enterprise with the following advantages:
Inspection of unencrypted traffic as it traverses other enclaves.
Elimination of SSL processing on servers.
Implementation of an application layer firewall. Several SSL accelerator products reviewed provide additional application firewall or Layer 7 inspection capability.
Traffic from the Internet Access Enclave must pass through a firewall before being passed into the SSL/API Enclave. Unlike the Internet facing firewall, this firewall that interconnects the Internet Access and SSL/Proxy Enclaves does not have to be a standalone appliance. A more sophisticated device can be considered that serves the secure interconnect needs between the remaining N-Tier Application Enclaves. The proposed device contains shared security services that are applied to the switching fabric.
A security fabric is created by using a shared platform that provides multiple security services across the enclaves. The security fabric must include firewall capabilities but also can be expanded to provide other security services including network IPS/IDS, web application and database firewalling, in-line malware scanning, and load balancing. By combining all these services within the security fabric, customers can take advantage of backplane speeds of over
The same VLAN protections mentioned in the Internet Access Enclave apply here as well with the addition of disabling trunking on access layer ports (see Appendix A.23).
This enclave continues the design practice of separation of services and classification. Each device or service in the enclave offers similar services or has data classified at the same level. This separation provides protection from the previous less trusted enclave while also allowing the uniform inspection of data between the enclaves. Since only one type of data is passing between the different enclaves the traffic inspection can be narrowed and made very specific. This also provides measurable optimization of performance for firewalls and IPSs at 40GbE speeds.
4.4 HTTP/API Enclave
This part of the N-Tier Application Enclaves contains the HTTP Servers and API Servers.
Figure 4.4 HTTP/API Enclave
4.4.1 Risk Considerations and Remediation Strategies
The aforementioned enclaves contain function specific devices (e.g., firewall, IPS, SSL Accelerator, etc.) that are in many cases appliances and proprietary. This enclave most likely will introduce multi-function capable hosts based on common enterprise operating systems (e.g., Red Hat Enterprise Linux, Microsoft Windows Server, IBM AIX, etc.). Hardening, configuration management and file integrity monitoring will be required. The network design must permit the associated automated tools into this enclave to routinely update, inspect and report. Release management and change management practices become vital as the hosts within this enclave will be updated frequently (e.g., code updates, software releases, content changes, etc.). Further, automated update of security controls must be incorporated (e.g., patching, web application firewalls and HIPS signature updates, malware detection databases, etc.).
Blade server and virtual server integration is now a major design consideration for this enclave. Port aggregation is commonly considered during the design phase. This provides higher bandwidth as well as fault tolerance between blade server chassis (or hypervisor) and ethernet switch. Careful consideration is required if cable taps, inspection devices (e.g., IPS/IDS) and forensic analysis devices are to be integrated. For example, if the blade server chassis and ethernet switch are interconnected using 4 x 10 Gbps to get an aggregate of 40 Gbps, there may not be a way to introduce a tap or IPS in-line.
Virtualization and blade servers may introduce new flows in which traffic never passes a physical switch. As an example, consider two Microsoft Windows Servers running IIS as guests on VMware ESX. If clustered, the Windows Servers would be able to intercommunicate without inspection by a network intrusion prevention system appliance. This would make detection of a pivot attack more difficult. Some switch vendors like Cisco and Extreme Networks are introducing virtual switches with features to overcome this issue. SPAN may help in some conditions, however this feature is typically the first sacrificed when the switch approaches maximum utilization.
Common IT service activities will result in large volumes of data movement even though HTTP Server content is static. Tape backup moves a substantial amount of data daily. Creating snapshots of VMs prior to software upgrades is a common practice. With SLAs of 99.
Anomaly detection at the HTTP layer is critical to monitor abnormal URL access, frequency and volume. From the 40GbE network perspective, NetFlow/sFlow data is crucial at all layers to monitor abnormal spikes between specific hosts and destinations. This provides non-signature based analysis in the event that our other layers of security fail, as well as providing us insight into attacks that do not fit our normal traffic behavior. A correlation engine is required to process the various sources of data to detect anomalies (e.g., HTTP server logs, IPS logs, NetFlow/sFlow logs, etc.).
Host based monitoring is another critical layer of protection to identify attacks and traffic from the host and application perspective. The network will see the traffic but might not have full understanding of how each application will handle the various types of anomalies that are being directed towards it. Layering security implementation is recommended as through the 20 critical controls and specifically critical control number 19.
With a limited number of systems, the understanding of data flow is the foundation to creating access lists limiting source and destination traffic between the SSL enclave and the HTTP enclave moving to the Web Applications Enclave. ACLs are applied on the firewall limiting communications to trusted hosts between the enclaves while dropping and logging any other non-authorized traffic.
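An added example, not from the paper, of the non-signature flow analysis described above: a median/MAD baseline per source-destination pair built from constructed NetFlow-style records, flagging both a volume spike between known hosts and a never-seen host pair that skips a tier. Host addresses, ports and byte counts are constructed.

```python
import statistics
from collections import defaultdict

# Constructed NetFlow-style records (not from any real collector):
# (interval, src, dst, dst_port, bytes). Intervals 0-9 are the learning
# window, interval 10 is the one being checked.
WEB, API, DB = "10.1.2.10", "10.1.3.20", "10.1.4.30"
HISTORY = []
for t, (web_api, api_db) in enumerate(zip(
        [50000, 51000, 49000, 50500, 49500, 50200, 49800, 50100, 49900, 50300],
        [20000, 21000, 19500, 20500, 20200, 19800, 20100, 19900, 20300, 19700])):
    HISTORY.append((t, WEB, API, 8080, web_api))
    HISTORY.append((t, API, DB, 1433, api_db))

CURRENT = [
    (10, WEB, API, 8080, 48000),   # normal volume
    (10, API, DB, 1433, 700000),   # ~35x the usual bulk: possible exfiltration
    (10, WEB, DB, 1433, 5000),     # never-seen pair skipping the HTTP/API tier
]


def bytes_per_pair_interval(flows):
    """Sum bytes per (src, dst) per interval; several flows may share a pair."""
    agg = defaultdict(lambda: defaultdict(int))
    for t, src, dst, _port, nbytes in flows:
        agg[(src, dst)][t] += nbytes
    return agg


def build_baseline(flows):
    """Median and median absolute deviation of per-interval bytes per pair."""
    baseline = {}
    for pair, per_t in bytes_per_pair_interval(flows).items():
        vols = list(per_t.values())
        med = statistics.median(vols)
        mad = statistics.median(abs(v - med) for v in vols)
        baseline[pair] = (med, mad)
    return baseline


def detect(baseline, flows, k=5.0, min_rel_mad=0.05):
    """Flag volume spikes against the baseline and pairs with no history.

    The floor on the MAD (a fraction of the median) keeps a perfectly flat
    learning window from turning ordinary jitter into alerts."""
    alerts = []
    for pair, per_t in bytes_per_pair_interval(flows).items():
        for t, vol in per_t.items():
            if pair not in baseline:
                alerts.append(("new-pair", pair, t, vol))
                continue
            med, mad = baseline[pair]
            threshold = med + k * max(mad, min_rel_mad * med)
            if vol > threshold:
                alerts.append(("volume-spike", pair, t, vol))
    return alerts


def run():
    return detect(build_baseline(HISTORY), CURRENT)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```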
4.4.3 Industry Best Practices and Authoritative Sources for Security Controls
Several of the security controls mentioned in 3.2.3 apply to this enclave as well. Specifically, the guidance provided with routing, hardening, QoS, ACLs, firewalls, AAA, patch and vulnerability management, and remote management apply to this enclave.
The network design makes use of virtualization and blade servers. VMs should be separated by different trust levels, asset values, or data classification. This would be achieved by running VMs of the same trust level on the same box and using a separate hypervisor on a separate machine to host VMs of a different trust level. VMs should also be prevented from accidentally being migrated from one trust level to another trust level. Securing the hypervisor is another hardening technique and can be implemented by using
multi-factor authentication, separation of roles and privileges, and disabling or removing unused services on the hypervisor (See Appendix A.27).
Hypervisors also introduce their own network switches. A thorough understanding of how the switch is implemented is required to prevent unintentional misconfigurations or breaches of trust levels. These virtual switches are also capable of using VLAN trunking and as such the same considerations presented above regarding trunking apply here as well (See Appendix A.27).
If VLAN trunking is used then usage of an authentication method is highly recommended. Ports should have a default configuration of not allowing trunking so that manual configuration is required as a safety precaution. Automatic VLAN propagation, if necessary, must also be contained to propagate VLANs within similar security zones (See Appendix A.22).
4.5 Web Application Enclave
This enclave contains the web application servers and API servers. In addition, load balancers, web application firewalls, and web application intrusion prevention systems may be present.
Figure 4.5 Web Application Enclave
4.5.1 Risk Considerations and Remediation Strategies
This enclave has many of the same risks as the aforementioned HTTP/API Server Enclave including multi-function hosts, virtualization, blade servers, common IT services, and Ethernet port requirements. Further, this enclave is a very dynamic environment operationally. It is also the most complex. The hosts within this enclave are a hub for combining content and data from a variety of sources. There are many leads and feeds to consider for this enclave including enterprise service buses, message services, databases, warehouses, SOA gateways, XML accelerators, and legacy gateways. Because of this, accurate documentation and comprehensive data mapping are critical for this enclave.
Managing this enclave's ACLs for firewalls, routers, and switches can be a daunting task for engineers. An unintended configuration error might reveal vulnerabilities and new targets of attack. In addition to the firewall administration tools provided by firewall
manufacturers, consider the use of firewall policy managers. These products integrate with multiple firewalls from multiple manufacturers. In addition to the routine policy updating, they also include policy optimization. A poorly written ACL has one of the biggest impacts on firewall performance.
Many different types of IT administrators must access this enclave including database administrators, system administrators, middleware administrators, application administrators and the occasional developer. Direct access into this enclave is a common request, however this is a poor approach. Access must be proxied through the Management Enclave to ensure access controls are enforced and activity can be tracked. Security integration into the SDLC is also vital. Early adoption of security best practices will reduce the likelihood of unplanned application problems that result in network security controls being temporarily relaxed to troubleshoot production problems.
4.5.2 Technical Approach and Design Recommendations
Many organizations must consider hosting multiple web application standards that reside within this enclave. As an example, the majority of new web applications may be built on IBM Websphere, however a legacy web application based on Microsoft Windows .Net may have to remain around for a few more years. A design decision is required to create duplicate web application enclaves or introduce further segmentation within the enclave.
For architects considering further security to isolate disparate standards within the enclave, there are a few options. A common option considered is to implement IPSec ESP on the hosts. This provides mutual authentication and encryption. However, legacy systems may not have a practical IPSec solution or the processing overhead is materially impactful to application performance. Some switch manufacturers offer Private VLANs in which the Ethernet switch limits inter-port conversation to within the same VLAN. This can be effective, however load balancing and clustering can be a challenge to integrate. A new standard, IEEE 802.1ae, is being adopted by some 40GbE switch manufacturers. In this case the switch itself performs the encryption of frames; there is no supplicant required on the host for authentication and no client needed for encryption. Kerberos snooping, LLDP, or DNS are used by the switch to determine the host type.
The switch can automatically assign the encryption and segmentation settings or the switch administrator can set this manually.
Application firewalls are common within this enclave. Also known as layer 7 firewalls or Web Application Firewalls (WAF), they safeguard web applications from the most common forms of attack. The difference between these firewalls and the traditional network firewall is they have context intelligence. A WAF can recognize attacks targeting web application weaknesses including configuration errors, parameter manipulation, coding errors, buffer overflows, and known web application defects in a way IPS and traditional firewalls cannot. For example, Imperva offers a product, SecureSphere, which provides protection against the OWASP Top Ten attacks, including SQL injection, XSS and CSRF. Several other commercial and open source solutions are available. XML firewalls, SOA firewalls, and HTTP firewalls may be of interest. These application firewalls can be installed as agents on the server, in-line Ethernet, SPAN, or in some cases as a cloud-based service. With 40GbE speed, any help applying intelligence to raw events must be considered.
4.5.3 Industry Best Practices and Authoritative Sources for Security Controls
Several of the security controls mentioned in 3.2.3 apply to this enclave as well. Specifically, the guidance provided with routing, hardening, QoS, ACLs, firewalls, AAA, patch and vulnerability management, and remote management apply to this enclave.
4.6 Data Enclave
This enclave may contain traditional databases (e.g., Microsoft SQL Server, Oracle, MySQL, etc.) as well as a number of other data sources including enterprise service buses, message services, databases, warehouses, SOA gateways, XML accelerators, and legacy gateways.
Figure 4.6 Data Enclave
4.5.1 Risk Considerations and Remediation Strategies
Enterprises might consider dissolving this enclave, opting to access data within the
Enterprise Core Enclave directly. Concerns about data synchronization and the cost of
redundant data stores may make this seem an attractive design approach. Expanding the
use of database technology already in place within the Enterprise Core might be tempting to
consider. Rapid growth in customer demand may accelerate capacity demands and
require an unplanned upgrade of existing enterprise data services, impacting internal and
external customers. Further, segmentation within the core may not be sufficient to create
boundaries for compliance and audit. This may draw the entire enterprise into scope for
compliance evaluation and control implementation.
Operationally, there are potential problems using data sources within the Enterprise
Core. For example, two-phase commit and record-level locks become difficult to execute.
There are many hidden costs and risks associated with using data resources residing within the
Enterprise Core. A thorough investigation into all design options is strongly
recommended. Creating this enclave is highly recommended.
As with the Web Application Enclave, documentation and data mapping are critical
for this enclave. Policies should also be documented, including data retention and data
destruction. These policies may drive archiving and transfers that impact network
capacity.
The pattern of traffic for this enclave will be high volume, large payload transfers.
Database ETL (Extract-Transform-Load) and EDI (Electronic Data Interchange) will
cause bulk transfers, possibly while customer transactions are occurring. The benefits
of a separate customer-facing firewall and infrastructure firewall are best demonstrated
with this enclave when running at 10GbE speeds.
There are a number of attacks targeting database servers that a conventional IDS
will not detect. Database intrusion prevention systems (also known as database activity
monitors) are becoming increasingly popular. They provide contextual knowledge of
database protocols and structures that is used to detect database attacks. These products
can be placed in-line, installed as an agent, assigned to a SPAN port, or connected to a
tap.
4.5.2 Technical Approach and Design Recommendations
There are a variety of data sources that might be placed within or revealed through
this enclave. Database servers are commonly staged within this part of the network. On day
one the database is empty. There must be an approach defined for getting data in and out
of the database server to ensure the data remains relevant. ETL is a common way to get
this data. However, this creates a challenge for real-time data. ETLs are typically done
once or twice a day, so customers that demand data with quick expiration will not be
satisfied. For example, if the web or mobile application is to provide logistics information
(e.g., Where is my shipment of fortune cookies and when will it arrive?), then ETL
simply won't work. In some cases the data may not be on-premise. A B2B connection or
EDI service is required. In some cases the data is not entirely from the enterprise, but
instead a collection of information from the enterprise, business partners and vendors. This
enclave is where these data feeds are intended to land before being revealed to the Web
Application Enclave.
Network engineering for this enclave must include the secure transport of data.
Confidentiality is important, but so are authentication and integrity checking. Garbage
traveling at 10 Gbps is still garbage.
If for some business reason the data cannot reside within the Data Enclave, then
consider alternatives like database gateways (e.g., SQL, XML, DB2, etc.), an enterprise
service bus (e.g., Tibco), or a message service (e.g., IBM MQ Series) for the enclave.
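The authentication and integrity check called for above, as an added example that is not code from the whitepaper: an ETL/EDI batch arrives with a small manifest (key id, monotonic sequence number, timestamp, SHA-256 of the batch) signed with HMAC-SHA256, and the Data Enclave verifies the tag, the payload digest, clock freshness and the sequence number before loading anything. The partner key, the manifest layout and the sample batch are assumptions made for illustration; transport encryption (TLS or an IPsec tunnel) is assumed to sit underneath this check.

```python
"""Authenticated, replay-resistant manifest for a bulk data feed (ETL/EDI batch)."""
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 300  # tolerated clock drift between sender and receiver


def canonical(fields):
    """Deterministic byte encoding of the manifest fields covered by the tag."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_batch(key_id, key, sequence, payload, now):
    """Sender side: build a manifest whose tag covers every other field."""
    fields = {
        "key_id": key_id,
        "sequence": sequence,
        "timestamp": now,
        "sha256": hashlib.sha256(payload).hexdigest(),
    }
    manifest = dict(fields)
    manifest["tag"] = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    return manifest


class FeedReceiver:
    """Data Enclave side: verifies manifests and remembers the last accepted sequence per key."""

    def __init__(self, keys, now=None):
        self.keys = keys                       # key_id -> shared secret (assumed, provisioned out of band)
        self.last_sequence = {}                # key_id -> highest accepted sequence number
        self.now = now or (lambda: int(time.time()))

    def verify(self, manifest, payload):
        """Return (accepted, reason). Authenticity is checked first, then freshness and replay."""
        key_id = manifest.get("key_id")
        key = self.keys.get(key_id)
        if key is None:
            return False, "unknown key id"
        fields = {k: v for k, v in manifest.items() if k != "tag"}
        expected = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
        # Constant-time comparison so the tag cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, str(manifest.get("tag", ""))):
            return False, "bad tag"
        if hashlib.sha256(payload).hexdigest() != fields["sha256"]:
            return False, "payload digest mismatch"
        if abs(self.now() - fields["timestamp"]) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"
        if fields["sequence"] <= self.last_sequence.get(key_id, 0):
            return False, "replayed sequence"
        self.last_sequence[key_id] = fields["sequence"]
        return True, "ok"


def demo():
    """Constructed scenario: a good batch, then a replay, a tampered payload, a forged manifest and a stale one."""
    key = bytes(range(32))                      # assumed shared secret for the partner feed
    receiver = FeedReceiver({"partner-logistics": key}, now=lambda: 1_700_000_000)
    batch = b"shipment_id,status\n4711,in transit\n"
    manifest = sign_batch("partner-logistics", key, 1, batch, 1_700_000_000)
    forged = dict(manifest, sequence=99)        # attacker bumps the sequence without the key
    stale = sign_batch("partner-logistics", key, 2, batch, 1_700_000_000 - 3600)
    return {
        "good": receiver.verify(manifest, batch),
        "replay": receiver.verify(manifest, batch),
        "tampered": receiver.verify(manifest, batch + b"4712,delivered\n"),
        "forged": receiver.verify(forged, batch),
        "stale": receiver.verify(stale, batch),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The order of the checks matters: the tag is verified before anything derived from the manifest is trusted, and the sequence counter is only advanced for a batch that passed every check, so a rejected batch cannot be used to push the window forward.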
4.5.3 Industry Best Practices and Authoritative Sources for Security
Controls
Specifically, the guidance provided for routing, hardening, QoS, ACLs, firewalls,
AAA, patch and vulnerability management, and remote management applies to this
enclave.
In this enclave, monitoring is scoped to continuous analysis of all database
traffic to detect unauthorized or anomalous activities. This can be done in-line on the
network, or a copy of the database transactions can be offloaded to another device for
analysis. Baselining is another important step that will assist in distinguishing
normal from malicious transactions (see Appendix A.28).
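Baselining as described above, as an added example that is not code from the whitepaper or from any database activity monitoring product: a baseline of normal (user, statement, object) patterns, typical result sizes, working hours and client addresses is learned from a training window of audit-log lines, and later lines are scored against it. The log format, the users and the sample lines are constructed for illustration.

```python
"""Baseline-driven database activity monitoring over audit-log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed audit line layout (constructed for this example).
LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) stmt=(?P<stmt>[A-Z]+) "
    r"obj=(?P<obj>\S+) rows=(?P<rows>\d+) src=(?P<src>\S+)"
)
PRIVILEGED_STATEMENTS = {"GRANT", "REVOKE", "ALTER", "DROP", "CREATE"}


def parse(line):
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("unparseable audit line: %r" % line)
    ev = m.groupdict()
    ev["rows"] = int(ev["rows"])
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


class Baseline:
    def __init__(self):
        self.max_rows = {}                 # (user, stmt, obj) -> largest row count seen
        self.hours = defaultdict(set)      # user -> hours of day seen
        self.sources = defaultdict(set)    # user -> client addresses seen

    def learn(self, lines):
        for ev in map(parse, lines):
            key = (ev["user"], ev["stmt"], ev["obj"])
            self.max_rows[key] = max(self.max_rows.get(key, 0), ev["rows"])
            self.hours[ev["user"]].add(ev["ts"].hour)
            self.sources[ev["user"]].add(ev["src"])

    def evaluate(self, line, bulk_factor=10):
        """Return the reasons a line deviates from the baseline (empty list = normal)."""
        ev = parse(line)
        key = (ev["user"], ev["stmt"], ev["obj"])
        reasons = []
        if ev["stmt"] in PRIVILEGED_STATEMENTS:
            reasons.append("privileged statement %s by %s" % (ev["stmt"], ev["user"]))
        if key not in self.max_rows:
            reasons.append("new access pattern %s: %s on %s" % key)
        elif ev["rows"] > bulk_factor * max(self.max_rows[key], 1):
            reasons.append("bulk result %d rows vs baseline %d" % (ev["rows"], self.max_rows[key]))
        if ev["user"] in self.hours and ev["ts"].hour not in self.hours[ev["user"]]:
            reasons.append("off-hours activity at %02d:00" % ev["ts"].hour)
        if ev["user"] in self.sources and ev["src"] not in self.sources[ev["user"]]:
            reasons.append("unexpected client %s" % ev["src"])
        return reasons


# Constructed training window: the application account and a nightly ETL account.
TRAINING = [
    "2019-07-22T09:12:01Z user=app_web db=orders stmt=SELECT obj=orders.order rows=3 src=10.20.0.15",
    "2019-07-22T10:30:45Z user=app_web db=orders stmt=INSERT obj=orders.order rows=1 src=10.20.0.15",
    "2019-07-22T11:05:09Z user=app_web db=orders stmt=SELECT obj=orders.customer rows=1 src=10.20.0.16",
    "2019-07-22T14:45:33Z user=app_web db=orders stmt=SELECT obj=orders.order rows=25 src=10.20.0.16",
    "2019-07-22T13:00:00Z user=etl_batch db=orders stmt=SELECT obj=orders.order rows=50000 src=10.50.0.8",
]


def demo():
    """Score four constructed lines: one normal, a table dump, a privilege grant and a moved ETL account."""
    baseline = Baseline()
    baseline.learn(TRAINING)
    return {
        "normal": baseline.evaluate(
            "2019-07-23T10:02:11Z user=app_web db=orders stmt=SELECT obj=orders.order rows=4 src=10.20.0.15"),
        "dump": baseline.evaluate(
            "2019-07-23T03:14:05Z user=app_web db=orders stmt=SELECT obj=orders.customer rows=120000 src=10.20.0.15"),
        "privilege": baseline.evaluate(
            "2019-07-23T11:20:00Z user=app_web db=orders stmt=GRANT obj=orders.customer rows=0 src=10.20.0.15"),
        "lateral": baseline.evaluate(
            "2019-07-23T14:10:00Z user=etl_batch db=orders stmt=SELECT obj=orders.order rows=40000 src=10.10.0.77"),
    }


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, reasons or "normal")
```

The row-count check is relative to the baseline for that exact (user, statement, object) triple rather than a global threshold, so a 40,000-row read by the ETL account is normal while a 120,000-row read of the customer table by the web account is not.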
4.6 Customer Authentication and Authorization Enclave
This enclave contains the credential store for customer accounts. Authentication,
authorization, and auditing of customer account activity are performed here. This
enclave does not contain the credential store for Enterprise Core accounts nor
infrastructure (i.e., firewalls, routers, switches, etc.) accounts. Customer data is not
stored here, just the account information necessary to access the applications revealed to
the Internet.
Figure 4.0 Customer Auth Enclave
4.6.1 Risk Considerations and Remediation Strategies
Requiring customer authentication provides several business opportunities for the
enterprise. Website personalization, order processing, fulfillment tracking, logistics,
loyalty programs, and promotions can all be integrated with the website customer
credentials. Internal business systems like ERP may have to integrate with this customer
credential store, too. The business may require many touch points to this credential store.
This might unintentionally create a large attack surface. Segmenting customer
authentication and authorization data is vital to protect confidentiality and integrity. This
enclave is intended to prevent customer account harvesting and pivot attacks deeper into
the enterprise infrastructure. Lastly, breach notification is expensive and can have a
material impact on enterprise reputation.
This enclave is generally revealed to all N-Tier Application Enclaves, so secure
network engineering is critical for this enclave. Once this enclave is compromised,
attackers will attempt to circumvent firewalls between the N-Tier Application Enclaves.
4.6.2 Technical Approach and Design Recommendations
This is not the location where system administrators, DBAs, and network engineers
store their accounts to manage the infrastructure. This enclave and associated services
are not intended for the Enterprise Core. There should be no trust established to
enterprise credential stores or directories.
A dedicated solution to host customer credentials is placed within this enclave.
Several options are available including RADIUS, LDAP, Microsoft AD, Tivoli Identity
and Access Manager, and others. Identity and Access Management (IAM) systems, federated
services, and single sign-on services may also reside within this enclave.
Automation for IAM will become critical as the number of customers increases.
Customer self-registration and self-service password reset should be considered. Tokens for
passing credentials to the HTTP, Web Application, and Data enclaves will also be created
here. Mutual authentication between hosts within this enclave and other enclaves is
required prior to customer credential or token exchange.
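The token issuance and the host-to-host mutual authentication described above, as an added example that is not code from the whitepaper or from any IAM product. Two pieces are shown: the Customer Auth enclave issues short-lived HMAC-SHA256 tokens bound to exactly one audience (the HTTP, Web Application or Data enclave), and the receiving enclave rejects tokens that are expired, tampered with, or meant for another enclave; and before any token is exchanged, two hosts run a nonce-based challenge-response in which both sides prove possession of a pre-provisioned link key. Key values, host and enclave names and the token layout are assumptions.

```python
"""Enclave-scoped credential tokens and mutual host authentication."""
import base64
import hashlib
import hmac
import json
import os


def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key, *parts):
    """HMAC-SHA256 over length-prefixed parts, so concatenation boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


def issue_token(key, subject, audience, issued_at, ttl_seconds=300):
    """Customer Auth enclave: sign claims for exactly one target enclave."""
    claims = {"sub": subject, "aud": audience, "iat": issued_at, "exp": issued_at + ttl_seconds}
    body = _b64u(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64u(_mac(key, body.encode()))


def verify_token(key, token, expected_audience, now):
    """Receiving enclave: authenticate first, then check audience and lifetime."""
    try:
        body, tag = token.split(".")
    except ValueError:
        return False, "malformed"
    if not hmac.compare_digest(_mac(key, body.encode()), _b64u_decode(tag)):
        return False, "bad signature"
    claims = json.loads(_b64u_decode(body))
    if claims["aud"] != expected_audience:
        return False, "wrong audience"
    if not claims["iat"] <= now < claims["exp"]:
        return False, "expired"
    return True, claims["sub"]


class Peer:
    """One host in a mutual challenge-response over a shared link key.

    The responder's role name is inside the MAC, which defeats a reflection
    attack where a host's own response is played back to it as the peer's.
    """

    def __init__(self, name, link_key):
        self.name = name
        self.key = link_key
        self.nonce = os.urandom(16)          # fresh challenge for this session

    def respond(self, peer_nonce):
        return _mac(self.key, self.name.encode(), peer_nonce, self.nonce)

    def check(self, peer_name, peer_nonce, peer_response):
        expected = _mac(self.key, peer_name.encode(), self.nonce, peer_nonce)
        return hmac.compare_digest(expected, peer_response)


def mutual_auth(a, b):
    """Three messages: A -> Na ; B -> Nb, MAC(B, Na, Nb) ; A -> MAC(A, Nb, Na)."""
    b_response = b.respond(a.nonce)          # B proves it holds the key for A's challenge
    a_ok = a.check(b.name, b.nonce, b_response)
    a_response = a.respond(b.nonce)          # A proves the same for B's challenge
    b_ok = b.check(a.name, a.nonce, a_response)
    return a_ok and b_ok


def demo():
    """Constructed scenario: one token checked by the right and wrong enclaves, a forgery, and two host pairings."""
    key = bytes(range(32))                   # assumed token signing key held by the Customer Auth enclave
    token = issue_token(key, "customer-4711", "web-app", issued_at=1_700_000_000)
    forged = issue_token(key, "admin", "web-app", 1_700_000_000).split(".")[0] + "." + token.split(".")[1]
    link = bytes(range(32, 64))              # assumed per-link key shared by auth-01 and web-01
    return {
        "accepted": verify_token(key, token, "web-app", 1_700_000_100),
        "wrong_enclave": verify_token(key, token, "data", 1_700_000_100),
        "expired": verify_token(key, token, "web-app", 1_700_000_300),
        "forged": verify_token(key, forged, "web-app", 1_700_000_100),
        "peers_ok": mutual_auth(Peer("auth-01", link), Peer("web-01", link)),
        "peers_wrong_key": mutual_auth(Peer("auth-01", link), Peer("web-01", bytes(32))),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Binding each token to one audience means a token stolen from the Web Application enclave is useless against the Data enclave, which is the pivot the text warns about; the short lifetime limits how long a harvested token stays valid.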
4.6.3 Industry Best Practices and Authoritative Sources for Security
Controls
Several of the security controls mentioned for the earlier enclaves apply to this enclave, too.
Specifically, the guidance provided for routing, hardening, QoS, ACLs, firewalls, AAA,
patch and vulnerability management, remote management, and NAT applies to this
enclave.
4.7 Network Application Enclave
Traditional network applications and services reside in (or are revealed by) this
enclave. This includes tape back-up, DNS, SIEM, NTP, File Integrity Monitoring,
RADIUS, TACACS, administrator authentication servers, MFT, release management,
application performance monitoring, network performance monitoring
(SNMP/RMON/NetFlow), transaction auditors, and forensic analysis tools.
Figure 4. Network App Enclave
4.7.1 Risk Considerations and Remediation Strategies
The largest fraction of firewall ACLs is associated with this enclave. This part of
the network offers the greatest opportunity for firewall policy and rule optimization, or
the greatest source of inefficiency and firewall performance hit. For example, 10
network services (DNS, NTP, RADIUS, etc.) presented from this enclave to the other
enclaves would result in at least 70 ACLs (7 enclaves x 10 network services = 70
ACLs). With redundancy of hosts and services, this could possibly translate into 1,000
Access Control Entries! As with the Web Application Enclave, consider Firewall Policy
Managers (FPM).
In addition to ACL optimization on the firewall, network engineers must consider
the number of flows passing through the firewall. Though a firewall may have a new
10GbE interface that is 10 times faster than a conventional 1GbE interface firewall, the
state table buffer may not be the same order of magnitude larger. With 10GbE, firewalls
might be overwhelmed with stateful flow management long before the physical Ethernet
interface is saturated. This may result in unexpected outcomes including session loss
through the firewall. Worse, this may result in a buffer overflow state in the firewall
resulting in a fail-open condition that passes traffic that should be denied. Verify the vendor's concurrent-session and new-connections-per-second limits, and the firewall's behavior when the state table is exhausted, rather than the interface rating alone.
System, database, application, middleware and firewall administrators all store their
accounts in RADIUS or a similar authentication system within this enclave. Centralized
authentication of high-authority accounts is required for this entire infrastructure.
Distributed account management is not practical (and in some cases not compliant). A
RADIUS or similar service for administrative accounts should be placed within this
enclave. This will also provide a convenient method of centralized management of
authentication controls (e.g., password complexity, rotation, etc.). Insider threats should
be strongly considered when designing this enclave.
The velocity of traffic for 10GbE networks is very high, making management a
challenge. This enclave creates even more complexity because of the high volume
combined with small packets. Security Information and Event Management (SIEM)
automation is critical for processing, and correlation is necessary. Events from IDS (e.g.,
replay attacks, fragmentation attacks, buffer overflow attacks, etc.), firewall (e.g., DoS
attacks, port errors, dropped packets), SSL (e.g., DoS attacks, certificate errors, session
drops), reverse-proxy (e.g., dictionary logon attacks, cached content change, etc.), and file
integrity monitoring can collectively overwhelm the SOC staff and SIEM platform
without proper planning.
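The cross-source correlation the text calls for, as an added example that is not code from the whitepaper or from any SIEM product: events from IDS, firewall, SSL accelerator and reverse-proxy are bucketed by source address inside a sliding window; one incident is raised when a source trips at least two distinct event sources, and that address is then suppressed for the rest of the window so repeated noise does not become repeated alerts. The event records are constructed for illustration.

```python
"""Cross-source correlation with suppression for high-volume event feeds."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60
MIN_DISTINCT_SOURCES = 2


class Correlator:
    def __init__(self, window=WINDOW_SECONDS, min_sources=MIN_DISTINCT_SOURCES):
        self.window = window
        self.min_sources = min_sources
        self.recent = defaultdict(deque)      # src ip -> deque of (time, event source, signature)
        self.suppressed_until = {}            # src ip -> time until which no new incident is raised
        self.incidents = []

    def ingest(self, event):
        """Return an incident dict if this event completes a correlation, else None."""
        ip, t = event["src"], event["time"]
        q = self.recent[ip]
        q.append((t, event["source"], event["sig"]))
        while q and q[0][0] < t - self.window:   # drop entries older than the window
            q.popleft()
        if self.suppressed_until.get(ip, -1) >= t:
            return None                            # already alerted on this source recently
        sources = {source for _, source, _ in q}
        if len(sources) < self.min_sources:
            return None
        incident = {
            "src": ip, "first": q[0][0], "last": t,
            "sources": sorted(sources),
            "signatures": sorted({sig for _, _, sig in q}),
        }
        self.incidents.append(incident)
        self.suppressed_until[ip] = t + self.window
        return incident


EVENTS = [  # constructed sample feed: time in seconds, originating system, signature
    {"time": 0, "src": "203.0.113.7", "source": "ids", "sig": "fragmentation attack"},
    {"time": 5, "src": "203.0.113.7", "source": "firewall", "sig": "dropped packets"},
    {"time": 6, "src": "203.0.113.7", "source": "reverse-proxy", "sig": "dictionary logon"},
    {"time": 7, "src": "198.51.100.9", "source": "firewall", "sig": "port error"},
    {"time": 40, "src": "203.0.113.7", "source": "ssl", "sig": "certificate error"},
    {"time": 130, "src": "203.0.113.7", "source": "ids", "sig": "replay attack"},
    {"time": 135, "src": "203.0.113.7", "source": "firewall", "sig": "dropped packets"},
]


def run(events=EVENTS):
    """Feed events in time order and return the incidents raised."""
    correlator = Correlator()
    for event in sorted(events, key=lambda e: e["time"]):
        correlator.ingest(event)
    return correlator.incidents


if __name__ == "__main__":
    for incident in run():
        print(incident)
```

Seven raw events become two incidents: the single firewall port error from the second address never correlates with anything, and the four events from the first address within the first window collapse into one alert rather than four.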
4.7.2 Technical Approach and Design Recommendations
All network application servers that serve the N-Tier Application enclave silo
reside within this enclave. Network applications serving the Enterprise Core do not
reside within this enclave. Network applications include DNS, logging, NTP,
management, monitoring, patch and release management, and SIEM. These services are
securely revealed into the remaining N-Tier Application enclaves using the
aforementioned iACLs.
Two Public Key Infrastructures (PKIs) are introduced within the enclave. The first
is for customer authentication of the services offered
(www.giacenterprisescooolmobileapp.com). The second is for non-console
administrative access to infrastructure components including SSL accelerators, firewalls,
IPS/IDS, reverse-proxies, and load balancers. PKI and certificate mismanagement at this
layer can impact customer trust (expiration and signing errors) and security control
integrity. In addition to PKI, DNS is offered from this enclave. This is necessary for
intersystem communication without embedding IP addresses (e.g., an SSL accelerator needs
DNS to find HTTP server IP addresses). Mobile device and web browser name
resolution of www.giacenterprisescoolmobileapp.com is provided separately from this
infrastructure. Managed security providers or cloud hosted services (e.g., Symantec,
Entrust, etc.) are recommended for automation and administration to minimize the need
for additional internal resources to maintain these services securely.
DNS servers within this enclave point to trusted DNS servers within the Enterprise
Core. For queries of external domains, the Network Application Enclave DNS servers
perform recursive lookups through the Enterprise Core DNS servers. Hosts within the N-
Tier Application Enclaves are not permitted to query untrusted, external DNS servers
directly. This restriction should be enforced with egress ACLs that permit TCP and UDP port 53 outbound only from the enclave DNS servers, so that a compromised host cannot exfiltrate data over DNS to a resolver the attacker controls.
Functional isolation will result in a large number of servers within this enclave.
Servers residing in the network applications enclave connect to a high port density switch
with a high speed backplane. In addition, port aggregation may be required to link
multiple chassis together. Capacity and performance monitoring are vital for this enclave,
as network application performance problems could manifest as application performance
problems. Through the security fabric, traffic is inspected and filtered in real time (e.g.,
firewall, IPS and inline AV, etc.) before going to its destination enclave and final system.
A network monitoring switch is required between the high speed Ethernet switch
and the security fabric. The network monitoring switch provides an inline tap to capture and
monitor traffic without affecting enterprise services or having to schedule downtime
when the need arises. The network monitoring switch can then forward frames to a variety of
devices including IDS, forensic analysis, and data leakage analysis.
For managing the virtual environment, networking becomes a challenge at 10GbE.
Managing virtual network switching (in addition to guest CPU and memory demands)
can have a material impact on performance of the host system. When the network is
virtualized at this speed, the host must allocate more resources to virtual switching and
starves guest resources. Several vendors are approaching this issue with very different
solutions. Some are offering virtual switching in which a separate host provides the
resources for switching. Others have taken the approach of eliminating virtual
switching with device drivers and redirecting virtual switching to actual switching on
external physical switches. This last approach presents a problem when there are only a
limited number of physical ports supporting 10GbE. As the cost per port drops, adoption
of the last approach may grow. Lastly, these new solutions provide SPAN ports, network
QoS and ACL control down to the VM level.
Visibility into network traffic flows in the virtual environment can be a challenge.
The monitoring controls (e.g., NetFlow/sFlow/jFlow) present in the physical switching
environment must be made available within the virtual environment. This is vital for
performance monitoring as well as security and anomaly detection. In some cases, the
switch vendor offers an option for virtual environments (e.g., Cisco Nexus 1000V). A
switch vendor agnostic alternative should also be considered (e.g., Lancope StealthWatch
FlowSensor VE).
NTP servers reside within this enclave. Time synchronization is necessary for
system clocks, session management, and key management. Host time settings must also
be safeguarded from unauthorized change. For credible security event management, an
authoritative clock source is required (e.g., PCI DSS Requirement 10).
All administrative non-console access to network applications must be encrypted.
SSL/TLS (current TLS versions, not legacy SSL) or SSH are to be used with ciphers of at least 128 bits. When available, mutual
authentication between jump boxes in the Management Enclave and hosts within this
enclave must be implemented.
Centralized infrastructure account management is performed within this enclave.
This service is not to be integrated with the customer or Enterprise Core authentication
solutions. A RADIUS or TACACS server is recommended. AD integration can be
considered; however, there may not be any integration with the Enterprise Core AD.
Key rotation between the authentication server and infrastructure components must be
performed at least yearly. Logging of authentication and access is required, and retention
policies apply.
Logging of events is required. These events must be reviewed daily, or automation
must be implemented. Several categories of events would be gathered, including
component failures, port errors, thresholds exceeded, and security controls defeated.
Centralized logging is necessary for IT administrators as well as for security staff, and
the solution would reside within this enclave. Logged events from the other
enclaves make their way here for centralized analysis. The approach and solutions
implemented here for data aggregation and analysis by the monitoring group are outside