
Architecture Frameworks and Secure Network Architectures
(rowdysites.msudenver.edu/~fustos/cis3500/pdf/chapter11.pdf)

CIS 3500

Chapter #11: Architecture and Design

Chapter Objectives

• Explore use cases and purpose for frameworks
• Examine the best practices for system architectures
• Explain the use of secure configuration guides
• Given a scenario, implement secure network architecture concepts

Implementing Secure Protocols2

Industry-Standard Frameworks and Reference Architectures

• Architecture determines which security controls are implemented and how they are configured
• Architectures are intended to be in place for a long term and are difficult to change
• Carefully choosing and implementing the correct architecture for an organization’s computer systems up front makes them easier to maintain and more effective over time
• Generic blueprint

Regulatory

• Most industries in the United States are regulated in one manner or another
• When it comes to cybersecurity, more and more regulations are beginning to apply, from privacy, to breach notification, to due diligence and due care provisions

Non-regulatory

• Non-regulatory, such as the National Institute of Standards and Technology (NIST)
  • Special Publication 500 series – cloud
  • Special Publication 800 series – security controls (CSF)
• The NIST CSF is being mandated for government agencies, but is completely voluntary in the private sector
• This framework has been well received

National vs. International

• U.S. federal government has its own cloud-based reference architecture called the Federal Risk and Authorization Management Program (FedRAMP)
• EU rules and regulations covering privacy issues and data protection are radically different from those in the U.S.
  • Safe Harbor Framework – not a valid mechanism any more
  • GDPR – May 25, 2018

Industry-Specific Frameworks

• There are several industry-specific frameworks
  • NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection)
  • HITRUST Common Security Framework (CSF) for use in the medical industry and enterprises that must address HIPAA/HITECH rules and regulations

Benchmarks/Secure Configuration Guides

• Benchmarks and secure configuration guides offer guidance for setting up and operating computer systems to a secure level
• Benchmark guides from manufacturers of the software, from the government, and from an independent Center for Internet Security (CIS)
• Government resources from NIST and DISA

Platform/Vendor-Specific Guides

• Setting up secure services is important to enterprises
• Some of the best guidance comes from the manufacturer in the form of platform/vendor-specific guides
• These guides include installation and configuration guidance, and in some cases operational guidance as well

Web Server

• Market leaders are Microsoft, Apache, and nginx
• Web server connections between users (clients) and web pages (the data being provided) are prone to attacks
• For Microsoft’s IIS and SharePoint Server the company provides solid guidance on the proper configuration
• The Apache Software Foundation provides some information for its web server products as well
• Center for Internet Security – benchmarking guides

Operating System

• The operating system (OS) is a key component for the secure operation of a system
• Comprehensive, prescriptive configuration guides for all major operating systems are available from
  • manufacturers
  • Center for Internet Security, and
  • DoD DISA STIGs program

Application Server

• Application servers handle specific tasks
• E.g. e-mail server, database server, messaging platform
• Require proper configuration

Network Infrastructure Devices

• Network infrastructure devices are the switches, routers, concentrators, firewalls, and other specialty devices
• Proper configuration can be challenging but is very important
• Failures at this level can adversely affect the security of traffic being processed by them

General Purpose Guides

• CIS controls

Defense-in-Depth/Layered Security

• Defense-in-depth (layered security) is a security principle by which multiple, differing security elements are employed to increase the level of security
• Should an attacker bypass one security measure, one of the overlapping controls can still catch and block the intrusion
• E.g. in networking: access control lists, firewalls, intrusion detection systems, and network segregation can be employed in an overlapping fashion to achieve protection

Vendor Diversity

• Having multiple suppliers creates vendor diversity
  • Not only Cisco routers/switches
  • Multiple operating systems, such as both Linux and Windows
• Having multiple vendors adds to layered defense and removes a single failure mode scenario (common firmware)

Control Diversity

• Control diversity – both administrative and technical controls provide layered security
• Value of policies and procedures
• If there are technical controls backing up policies, then policy violations may still not create a complete vulnerability, as the technical control can stop a problem from occurring
• Total reliance on technical controls provides insufficient security

Administrative

• Administrative controls are those that operate on the management aspects of an organization
• They include controls such as policies, regulations, and laws
• Management activities such as planning and risk assessment are common examples
• Having multiple independent, overlapping administrative controls can act as a form of layered security

Technical

• Technical controls are those that operate through a technological intervention in the system
• Include user authentication (passwords), logical access controls, antivirus/anti-malware software, firewalls, intrusion detection and prevention systems
• Overlapping technical controls, such as firewalls and access control lists to limit entry, are an example of layered security through technical controls

User Training

• The best defense is to implement a strong user training program that instructs users to recognize safe and unsafe computing behaviors (phishing, spear phishing, clickbaiting)
• User-specific training – related to the tasks
• Monitor users and mandate retraining (clicking unverified links in e-mails)
• For problematic users, additional layers of protection may need to be added

Zones/Topologies

• Different zones/topologies are designed to provide layers of defense
• A constant issue is that accessibility is inversely related to the level of protection
• Trade-offs between access and security are handled through zones

DMZ

• The DMZ is between the untrusted Internet and the trusted internal network
• It acts as a buffer zone – machines there should be considered as being compromised
• A lock-down approach needs to be applied
• The user is separated from the request for data
• Having intermediaries allows significant security to be enforced
• Scalability is more easily realized

Extranet

• An extranet is an extension of a selected portion of a company’s intranet to external partners
• This allows a business to share information
• Typically VPN is used to secure this channel
• Extranet implies both privacy and security
  • privacy is required for many communications
  • security is needed to prevent unauthorized use
• Firewall management, remote access, encryption, authentication, and secure tunnels across public networks can be applied

Intranet

• An intranet describes a network that has the same functionality as the Internet but lies inside the trusted area
• Not available over the Internet to untrusted users
• To outside users:
  • duplication of information onto machines in the DMZ, or
  • extranets to trusted partners
• Users on the intranet can access information on the Internet through a proxy server – cached copy or masked request

Wireless

• Wireless networking does not use direct physical links
• Either hub and spoke or mesh
  • hub and spoke: the wireless access point is the hub and is connected to the wired network
  • mesh: wireless units talk directly to each other, without a central access point
• New wireless access points combine both of these characteristics: they talk to each other in a mesh and at least one station is connected to the wired network

Guest

• A guest zone is a network segment that is isolated from systems that guests should never have access to
• Administrators commonly configure multiple logical wireless networks on the same hardware
• Separate access to separate resources based on login credentials

Honeynets

• A honeynet is a network designed to look like a corporate network, but is made attractive to attackers
• A honeynet is a collection of honeypots that act like real network servers but possess only fake data
• All of the traffic is assumed to be illegitimate
• Analyze and learn from malicious activities

NAT

• Network Address Translation (NAT) translates private (non-routable) IP addresses into public (routable) IP addresses

[Figure: Network Address Translation – an Internal Network (192.168.10.1, 192.168.10.2) sits behind a Firewall whose public address is 131.107.2.200, which connects to the Internet. Translation table (Source / Destination): the source 192.168.10.1 is rewritten to 131.107.2.200 for the destination 200.200.20.1]

• Port mapping

[Figure: Port Mapping – the Firewall (131.107.2.200) fronts an Internal Network (192.168.10.1, 192.168.10.2, 192.168.10.3); the Internet host is 200.200.20.1. Mapping table (Source / Destination / Port): traffic from 200.200.20.1 to 131.107.2.200 port 80 is mapped to 192.168.10.3 port 80]

NAT

• Static NAT – maps an internal, private address to an external, public address
• Dynamic NAT – maps an internal, private IP address to a public IP address selected from a pool of registered public addresses
• Port Address Translation (PAT) – allows many different internal, private addresses to share a single external IP address
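The port mapping figure and the PAT bullet above describe a translation table without showing how it behaves. The following is an added example, not from the CIS 3500 slides: a toy PAT engine that rewrites outbound flows to one public address with a unique public port, reverses the mapping only for genuine replies, and honours an administrator-defined static port mapping for a published service. The IP addresses reuse the slide figures (192.168.10.x inside, 131.107.2.200 on the firewall, 200.200.20.1 on the Internet); the port numbers, the class names and the 203.0.113.9 "spoofed" source are constructed for this illustration.

```python
# Added example, not from the CIS 3500 slides: a toy Port Address Translation
# (PAT) table. Addresses come from the slide figures; ports, class names and
# the spoofed source 203.0.113.9 are constructed here.
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional, Tuple

PUBLIC_IP = "131.107.2.200"  # firewall's external address (slide figure)


@dataclass(frozen=True)
class Flow:
    """One direction of a conversation: src_ip:src_port -> dst_ip:dst_port."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortAddressTranslator:
    """Hypothetical PAT engine: rewrites outbound sources to PUBLIC_IP with a
    unique public port, and reverses that mapping for replies."""

    def __init__(self, public_ip: str, first_dynamic_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = count(first_dynamic_port)
        # outbound 4-tuple -> public port assigned to it
        self._out: Dict[Tuple[str, int, str, int], int] = {}
        # public port -> (private ip, private port, remote ip, remote port)
        self._in: Dict[int, Tuple[str, int, str, int]] = {}
        # administrator-defined static mappings: public port -> (private ip, port)
        self._static: Dict[int, Tuple[str, int]] = {}

    def add_static(self, public_port: int, private_ip: str, private_port: int) -> None:
        """Publish an internal service (slide figure: 131.107.2.200:80 -> 192.168.10.3:80)."""
        self._static[public_port] = (private_ip, private_port)

    def outbound(self, f: Flow) -> Flow:
        """A private host sends a packet out: allocate (or reuse) a public port."""
        key = (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        if key not in self._out:
            pub_port = next(self._next_port)
            self._out[key] = pub_port
            self._in[pub_port] = key
        return Flow(self.public_ip, self._out[key], f.dst_ip, f.dst_port)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """A packet arrives from the Internet: translate it back, or None (drop)."""
        if f.dst_ip != self.public_ip:
            return None
        if f.dst_port in self._static:
            priv_ip, priv_port = self._static[f.dst_port]
            return Flow(f.src_ip, f.src_port, priv_ip, priv_port)
        entry = self._in.get(f.dst_port)
        # A dynamic entry only accepts replies from the remote endpoint the
        # private host originally contacted; anything else is unsolicited.
        if entry is None or (f.src_ip, f.src_port) != (entry[2], entry[3]):
            return None
        return Flow(f.src_ip, f.src_port, entry[0], entry[1])


def demo() -> dict:
    """Run the scenario from the slide figures and return every translation result."""
    nat = PortAddressTranslator(PUBLIC_IP)
    nat.add_static(80, "192.168.10.3", 80)  # static port mapping for the web server
    # Two private hosts happen to pick the same source port: PAT must disambiguate.
    a = nat.outbound(Flow("192.168.10.1", 51000, "200.200.20.1", 443))
    b = nat.outbound(Flow("192.168.10.2", 51000, "200.200.20.1", 443))
    return {
        "a_out": a,
        "b_out": b,
        "a_reply": nat.inbound(Flow("200.200.20.1", 443, PUBLIC_IP, a.src_port)),
        "spoofed_reply": nat.inbound(Flow("203.0.113.9", 443, PUBLIC_IP, a.src_port)),
        "web_request": nat.inbound(Flow("200.200.20.1", 34567, PUBLIC_IP, 80)),
        "unsolicited": nat.inbound(Flow("200.200.20.1", 34567, PUBLIC_IP, 22)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} {result}")
```

Running `demo()` shows the two private hosts leaving as 131.107.2.200:40000 and 131.107.2.200:40001, the reply to the first one landing back on 192.168.10.1:51000, the published web server reachable on port 80, and both the reply from a different source and the request to an unpublished port returning `None`. That last behaviour is why PAT is often mistaken for a firewall: unsolicited inbound traffic is dropped only because no table entry exists for it, not because any policy was evaluated.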

Ad Hoc

• In an ad hoc network, packets are directed to and from their source and target locations without using a central router
• A common source of ad hoc networks is in the wireless space
• Advantages: no need for access points, can be easy to configure and provide a simple way to communicate
• Disadvantages: management is difficult, as there is no central device, traffic statistics, security implementation, or monitoring

Segregation/Segmentation/Isolation

• Networks have become more complex, and the Spanning Tree Protocol (STP) has limitations in managing Layer 2 traffic efficiently
• Network fabric as a term describes a flat, depthless network
• DMZ-based architecture allows for differing levels of trust, the isolation of specific pieces, and using security rules
• “Enclaves” are sections of a network that are logically isolated – special protections can be employed

Physical

• Physical segregation is where you have separate equipment to handle different classes of traffic
• Most secure method but also the most expensive
• Contractual obligations sometimes require physical segregation of equipment
• Payment Card Industry Data Security Standards (PCI DSS) – to be considered out of scope for security audit

Logical (VLAN)

• A virtual LAN (VLAN) is a logical implementation of a LAN and allows computers connected to different physical networks to act and communicate as if they were on the same physical network
• Trunking is the process of spanning a single VLAN across multiple switches

Virtualization

• Virtualization offers isolation logically while still enabling physical hosting
• Virtual machines allow you to run multiple machines on a single piece of hardware, enabling higher rates of utilization
• If a single piece of hardware has multiple virtual machines running, they are isolated from each other by the hypervisor layer

Air Gaps

• Air gap is the term used to describe when no data path exists between two networks
• Goal is to prevent any possibility of unauthorized access
• Sooner or later some form of data transfer is needed (weakness) – transfer files via USB
• Measures fail because people can move files and information between the systems with external devices
• False sense of security – these transfers are not subject to serious security checks

Tunneling/VPN

• Tunneling/virtual private networking (VPN) – two networks connect securely across an unsecured network
• Protocols such as IPsec, L2TP, SSL/TLS, and SSH
• Site-to-site communications and remote access to a network

Site-to-Site

• Site-to-site: connect two or more networks across an intermediary network layer
• Internet or some other public network
• Encryption to make content unreadable

Remote Access

• Remote access: user requires access to a network and its resources, but is not able to make a physical connection
• Remote access via a tunnel or VPN has the same effect as directly connecting the remote system to the network

Security Device/Technology Placement

• The placement is related to the purpose of the device and the environment that it requires
• These devices must be in the flow of the network traffic
• Placement needs are fairly specific and essential for the devices to function properly

Sensors

• Sensors are devices that capture data and act upon it
• Sensors can be network or host based
• Network-based sensors can provide coverage across multiple machines, but they may have issues with encrypted traffic and have limited knowledge of what the hosts are doing
• Host-based sensors provide more specific and accurate information about host machines
• Deployment strategy must consider network traffic engineering

Collectors

• Collectors are sensors, or concentrators that combine multiple sensors, that collect data for processing
• Collectors are subject to the same placement rules and limitations as sensors

Correlation Engines

• Correlation engines take sets of data and match the patterns against known patterns
• They are a crucial part of tools such as antivirus or intrusion detection devices
• Should incoming data match one of the stored profiles, the engine can alert or take other actions
• They are limited by the strength of the match
• Placement: traffic you want to study must pass through
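The bullets above describe what a correlation engine does in the abstract. The following is an added example, not from the slides: a minimal engine that parses constructed SSH authentication log lines against a single-event signature, keeps a sliding window of failures per source, and raises an alert when the stored profile "N failed logins from one source within W seconds" is matched. The log lines, the threshold, the window, and all function names are invented for this illustration; one deliberately off-pattern line shows the "strength of the match" limitation in practice.

```python
# Added example, not from the slides: a small correlation engine over
# constructed SSH log lines. Threshold, window and data are invented here.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

LOG_LINES = [  # constructed sample data, not from any real system
    "2024-01-15T10:00:01 sshd: Failed password for root from 198.51.100.7",
    "2024-01-15T10:00:03 sshd: Failed password for admin from 198.51.100.7",
    "2024-01-15T10:00:05 sshd: Failed password for root from 198.51.100.7",
    "2024-01-15T10:00:09 sshd: Accepted password for alice from 10.1.2.3",
    "2024-01-15T10:00:20 sshd: Failed password for root from 198.51.100.7",
    "2024-01-15T10:00:21 sshd: Failed password for bob from 10.1.2.9",
    "2024-01-15T10:00:25 sshd: Invalid user guest from 198.51.100.7",
    "2024-01-15T10:00:30 sshd: Failed password for root from 198.51.100.7",
]

# The "known pattern" for one event. It is narrow on purpose: the "Invalid
# user" line is also a failed login, yet it does not match, so the engine never
# counts it. That is the "limited by the strength of the match" caveat.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse(line: str) -> Optional[dict]:
    """Turn one log line into a dict, or None when it fits no known pattern."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def unmatched(lines: List[str]) -> List[str]:
    """Lines the engine silently ignores; review these when tuning signatures."""
    return [ln for ln in lines if parse(ln) is None]


def correlate(lines: List[str], threshold: int = 4,
              window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, datetime, int]]:
    """Alert (source, time, count) when `threshold` failures from one source
    fall inside `window`; the window resets after an alert to avoid repeats."""
    history: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[str, datetime, int]] = []
    for line in lines:
        event = parse(line)
        if event is None or event["result"] != "Failed":
            continue
        recent = history[event["src"]]
        recent.append(event["ts"])
        while recent and event["ts"] - recent[0] > window:  # expire old failures
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((event["src"], event["ts"], len(recent)))
            recent.clear()
    return alerts


if __name__ == "__main__":
    for src, when, n in correlate(LOG_LINES):
        print(f"ALERT {when.isoformat()} {n} failed logins from {src}")
    for line in unmatched(LOG_LINES):
        print("unparsed:", line)
```

With the defaults, `correlate(LOG_LINES)` produces one alert for 198.51.100.7 at 10:00:20 (the fourth failure inside the 60-second window) and `unmatched(LOG_LINES)` returns the single "Invalid user" line. Lowering `threshold` to 2 produces two alerts for the same source, which is the usual tuning trade-off between early warning and alert volume. Note that the placement bullet still applies: the engine can only correlate lines it actually receives, so the log source has to be routed through it.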

Filters

• Packet filters process packets based on source and destination addresses, ports, or protocols, and either allow passage or block them
• Often part of a firewall
• Filters are local to the traffic being passed, so they must be inline
• Spam filters act as a sorter — good e-mail to your inbox, spam to the trash

Proxies

• Proxies are servers that act as a go-between between clients and other systems
• They act on the clients’ behalf
• They must be in the normal path of network traffic

Firewalls

• Firewalls at their base level are policy enforcement engines that determine whether traffic can pass or not based on a set of rules. Regardless of the type of firewall, the placement is easy: firewalls must be inline with the traffic they are regulating. If there are two paths for data to get to a server farm, then either one firewall must have both paths go through it or two firewalls are necessary. Firewalls are commonly placed between network segments, enabling them to examine traffic that enters or leaves a segment. This gives them the ability to isolate a segment while avoiding the cost or overhead of doing this segregation on each and every system.
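The Filters slide and the Firewalls slide above both describe a rule set that allows or blocks packets by source, destination, port and protocol. The following is an added example, not from the slides: a stateless packet filter with first-match rules and a default-deny policy, run over constructed sample packets for a firewall placed between the Internet, a DMZ and the internal network. The address ranges (172.16.1.0/24 as the DMZ, 10.0.0.0/8 as the internal network, 203.0.113.0/24 standing in for the Internet), the rule set and the function names are hypothetical.

```python
# Added example, not from the slides: a first-match, default-deny packet
# filter. Networks, rules and sample packets are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"           # "any" matches every protocol
    src: str = "0.0.0.0/0"       # CIDR; 0.0.0.0/0 matches every source
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, p: Packet) -> bool:
        """A rule matches only when every field it constrains agrees with the packet."""
        return (
            self.proto in ("any", p.proto)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
            and (self.dport is None or self.dport == p.dport)
        )


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """The first matching rule decides; a packet that matches nothing is dropped."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"  # default deny: the rule list must explicitly permit traffic


# Constructed policy for a firewall inline between the Internet, the DMZ
# (172.16.1.0/24, web server at 172.16.1.10) and the internal 10.0.0.0/8:
DMZ_RULES = [
    Rule("allow", "tcp", dst="172.16.1.10/32", dport=80),   # public web server
    Rule("allow", "tcp", dst="172.16.1.10/32", dport=443),
    Rule("deny", src="172.16.1.0/24", dst="10.0.0.0/8"),    # DMZ hosts are treated as compromised: no inward connections
    Rule("allow", "tcp", src="10.0.0.0/8", dst="172.16.1.0/24", dport=22),  # admins manage the DMZ over SSH
]

SAMPLE_PACKETS = [  # constructed traffic, one packet per case worth checking
    Packet("tcp", "203.0.113.5", "172.16.1.10", 80),   # Internet -> web server
    Packet("tcp", "203.0.113.5", "172.16.1.10", 22),   # Internet -> SSH on the web server
    Packet("tcp", "172.16.1.10", "10.1.2.3", 445),     # DMZ host -> internal file share
    Packet("tcp", "10.1.2.3", "172.16.1.10", 22),      # admin -> DMZ over SSH
    Packet("udp", "203.0.113.5", "172.16.1.10", 80),   # UDP to the web port
]


def evaluate_samples(rules: List[Rule] = DMZ_RULES) -> List[str]:
    """Return the allow/deny verdict for each sample packet, in order."""
    return [filter_packet(rules, p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for packet, verdict in zip(SAMPLE_PACKETS, evaluate_samples()):
        print(f"{verdict:5s} {packet}")
```

The verdicts come out as allow, deny, deny, allow, deny: only the two explicitly published web ports and the administrators' SSH path are permitted, and everything else, including UDP to port 80 and the DMZ host reaching inward, falls through to the default deny. Because evaluation is first-match, rule order is part of the policy; prepending a blanket `Rule("allow")` would let the DMZ-to-internal packet through even though the deny rule is still in the list, which is the kind of ordering mistake a rule review should look for.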

VPN Concentrators

• A VPN concentrator takes multiple individual VPN connections and terminates them into a single network
• The VPN side of the concentrator is exposed to the Internet
• If you have multiple different types of VPN users with different security profiles and different connection needs, then you might have multiple concentrators

SSL Accelerators

• An SSL accelerator is used to provide SSL/TLS encryption/decryption at scale – removing the load from web servers
• It needs to be placed between the appropriate web servers and the clients they serve, typically Internet facing

Load Balancers

• Load balancers take incoming traffic and distribute it across multiple network operations
• A load balancer must reside in the traffic path between the requestors and the servers that are providing the service
• For reasons of efficiency, load balancers are typically located close to the systems that they are managing the traffic for

DDoS Mitigator

• DDoS mitigators act as an umbrella, shielding away the unwanted DDoS packets
• A mitigator must reside in the network path of the traffic it is shielding
• It should be positioned at the very edge of the network, before other devices

Aggregation Switches

• An aggregation switch provides connectivity for several other switches
• It is placed upstream from the multitude of devices and takes the place of a router or a much larger switch
• These traffic management devices are located based on network layout topologies to limit unnecessary router usage

Taps and Port Mirror

• Most enterprise switches can copy the activity of one or more ports through a Switch Port Analyzer (SPAN) port, also known as a port mirror – send traffic for analysis
• They can have issues when traffic levels get heavy – aggregate SPAN traffic can exceed throughput
• A Test Access Point (TAP) is a passive signal-copying mechanism installed between two points on the network
• Adds to costs but does not create a bottleneck

SDN

• Software-defined networking (SDN) enables network engineers to reconfigure the network by making changes via a software program, without the need for re-cabling
• SDN allows for network function deployment via software, e.g. create a firewall between two segments by telling the SDN controllers to make the change
• SDN is relatively new and just beginning to make inroads into local networks

Stay Alert!

There is no 100 percent secure system, and there is nothing that is foolproof!