CIS 3500
Architecture Frameworks and Secure Network Architectures
Chapter #11: Architecture and Design
Chapter Objectives
- Explore use cases and purpose for frameworks
- Examine the best practices for system architectures
- Explain the use of secure configuration guides
- Given a scenario, implement secure network architecture concepts
Implementing Secure Protocols
Industry-Standard Frameworks and Reference Architectures
- Architecture determines which security controls are implemented and how they are configured
- Architectures are intended to be in place for a long term and are difficult to change
- Carefully choosing and implementing the correct architecture for an organization's computer systems up front makes them easier to maintain and more effective over time
- Generic blueprint
Regulatory
- Most industries in the United States are regulated in one manner or another
- When it comes to cybersecurity, more and more regulations are beginning to apply, from privacy, to breach notification, to due diligence and due care provisions
Non-regulatory
- Non-regulatory frameworks, such as those from the National Institute of Standards and Technology (NIST)
  - Special Publication 500 series – cloud
  - Special Publication 800 series – security controls (CSF)
- The NIST CSF is being mandated for government agencies, but is completely voluntary in the private sector
- This framework has been well received
National vs. International
- The U.S. federal government has its own cloud-based reference architecture called the Federal Risk and Authorization Management Program (FedRAMP)
- EU rules and regulations covering privacy issues and data protection are radically different from those in the U.S.
  - Safe Harbor Framework – no longer a valid mechanism
  - GDPR – May 25, 2018
Industry-Specific Frameworks
- There are several industry-specific frameworks
- NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection)
- HITRUST Common Security Framework (CSF) for use in the medical industry and enterprises that must address HIPAA/HITECH rules and regulations
Benchmarks/Secure Configuration Guides
- Benchmarks and secure configuration guides offer guidance for setting up and operating computer systems to a secure level
- Benchmark guides come from manufacturers of the software, from the government, and from the independent Center for Internet Security (CIS)
- Government resources come from NIST and DISA
Platform/Vendor-Specific Guides
- Setting up secure services is important to enterprises
- Some of the best guidance comes from the manufacturer in the form of platform/vendor-specific guides
- These guides include installation and configuration guidance, and in some cases operational guidance as well
Web Server
- Market leaders are Microsoft, Apache, and nginx
- Web server connections between users (clients) and web pages (the data being provided) are prone to attacks
- For Microsoft's IIS and SharePoint Server the company provides solid guidance on the proper configuration
- The Apache Software Foundation provides some information for its web server products as well
- Center for Internet Security – benchmarking guides
Operating System
- The operating system (OS) is a key component for the secure operation of a system
- Comprehensive, prescriptive configuration guides for all major operating systems are available from
  - manufacturers
  - Center for Internet Security, and
  - the DoD DISA STIGs program
Application Server
- Application servers handle specific tasks
- E.g. e-mail server, database server, messaging platform
- They require proper configuration
Network Infrastructure Devices
- Network infrastructure devices are the switches, routers, concentrators, firewalls, and other specialty devices
- Proper configuration can be challenging but is very important
- Failures at this level can adversely affect the security of the traffic being processed by them
General Purpose Guides
- CIS controls
Defense-in-Depth/Layered Security
- Defense-in-depth (layered security) is a security principle by which multiple, differing security elements are employed to increase the level of security
- Should an attacker bypass one security measure, one of the overlapping controls can still catch and block the intrusion
- E.g. in networking: access control lists, firewalls, intrusion detection systems, and network segregation can be employed in an overlapping fashion to achieve protection
Vendor Diversity
- Having multiple suppliers creates vendor diversity
  - Not only Cisco routers/switches
  - Multiple operating systems, such as both Linux and Windows
- Having multiple vendors adds to layered defense and removes a single-failure-mode scenario (e.g. a flaw in a firmware common to all devices)
Control Diversity
- Control diversity – both administrative and technical controls provide layered security
- Value of policies and procedures
- If there are technical controls backing up policies, then policy violations may still not create a complete vulnerability, as the technical control can stop a problem from occurring
- Total reliance on technical controls provides insufficient security
Administrative
- Administrative controls are those that operate on the management aspects of an organization
- They include controls such as policies, regulations, and laws
- Management activities such as planning and risk assessment are common examples
- Having multiple independent, overlapping administrative controls can act as a form of layered security
Technical
- Technical controls are those that operate through a technological intervention in the system
- They include user authentication (passwords), logical access controls, antivirus/anti-malware software, firewalls, and intrusion detection and prevention systems
- Overlapping technical controls, such as firewalls and access control lists to limit entry, are an example of layered security through technical controls
User Training
- The best defense is to implement a strong user training program that instructs users to recognize safe and unsafe computing behaviors (phishing, spear phishing, clickbaiting)
- User-specific training – related to the user's tasks
- Monitor users and mandate retraining (e.g. for clicking unverified links in e-mails)
- Problematic users may need additional layers of protection
Zones/Topologies
- Different zones/topologies are designed to provide layers of defense
- A constant issue is that accessibility is inversely related to the level of protection
- Trade-offs between access and security are handled through zones
DMZ
- A DMZ sits between the untrusted Internet and the trusted internal network
- It acts as a buffer zone – machines there should be assumed to be compromised
- A lock-down approach needs to be applied
- The user is separated from the request for data
- Having intermediaries allows significant security to be enforced
- Scalability is more easily realized
Extranet
- An extranet is an extension of a selected portion of a company's intranet to external partners
- This allows a business to share information
- Typically a VPN is used to secure this channel
- Extranet implies both privacy and security
  - privacy is required for many communications
  - security is needed to prevent unauthorized use
- Firewall management, remote access, encryption, authentication, and secure tunnels across public networks can be applied
Intranet
- An intranet describes a network that has the same functionality as the Internet but lies inside the trusted area
- Not available over the Internet to untrusted users
- To outside users:
  - duplication of information onto machines in the DMZ, or
  - extranets to trusted partners
- Users on the intranet can access information on the Internet through a proxy server – cached copy or masked request
Wireless
- Wireless networking does not use direct physical links
- Either hub and spoke or mesh
  - hub and spoke: the wireless access point is the hub and is connected to the wired network
  - mesh: wireless units talk directly to each other, without a central access point
- New wireless access points combine both of these characteristics: they talk to each other in a mesh and at least one station is connected to the wired network
Guest
- A guest zone is a network segment that is isolated from systems that guests should never have access to
- Administrators commonly configure multiple logical wireless networks on the same hardware
- Separate access to separate resources based on login credentials
Honeynets
- A honeynet is a network designed to look like a corporate network but made attractive to attackers
- A honeynet is a collection of honeypots that act like real network servers but possess only fake data
- All of the traffic is assumed to be illegitimate
- Analyze and learn from malicious activities
NAT
- Network Address Translation (NAT) translates private (non-routable) IP addresses into public (routable) IP addresses
[Figure: Network Address Translation. Internal network hosts 192.168.10.1 and 192.168.10.2 sit behind a firewall with public address 131.107.2.200, which connects to the Internet. Translation table (Source / Destination): the source 192.168.10.1 is rewritten to 131.107.2.200; the destination is 200.200.20.1.]
NAT
- Port mapping
[Figure: Port mapping. Internal network hosts 192.168.10.1, 192.168.10.2 and 192.168.10.3 sit behind a firewall with public address 131.107.2.200; the Internet host is 200.200.20.1. Mapping table (Source / Destination / Port): traffic between 200.200.20.1 and 131.107.2.200 on port 80 is mapped to internal host 192.168.10.3 on port 80.]
NAT
- Static NAT – maps an internal, private address to an external, public address
- Dynamic NAT – maps an internal, private IP address to a public IP address selected from a pool of registered addresses
- Port Address Translation (PAT) – allows many different internal, private addresses to share a single external IP address
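As an added worked example (not from the lecture slides), the following Python models the three NAT variants above as a translation table: a static one-to-one mapping, dynamic leases from a pool, and PAT on a single shared address, plus an inbound port forward of the kind shown in the port mapping figure. The private 192.168.10.0/24 hosts, the public address 131.107.2.200 and the Internet host 200.200.20.1 are taken from the slides; the pool addresses 131.107.2.201 and 131.107.2.202, the port numbers, the extra hosts and the NatDevice class itself are constructed for the example.

```python
"""Toy NAT/PAT translator.  Added illustration, not from the lecture slides.
Addresses 192.168.10.x, 131.107.2.200 and 200.200.20.1 come from the slides;
the pool addresses, port numbers and this class are constructed."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


Endpoint = Tuple[str, int]


class NatDevice:
    def __init__(self, static: Dict[str, str], pool: List[str], pat_ip: str,
                 port_forwards: Dict[Endpoint, Endpoint]):
        self.static = dict(static)          # private -> public, fixed 1:1 (static NAT)
        self.pool = list(pool)              # unused public addresses (dynamic NAT)
        self.leases: Dict[str, str] = {}    # private -> public leased from the pool
        self.pat_ip = pat_ip                # single shared public address (PAT)
        self.next_port = 40000              # next free public port for PAT
        # (public ip, public port) -> (private ip, private port); pre-seeded with
        # static port forwards such as 131.107.2.200:80 -> 192.168.10.3:80
        self.pat_in: Dict[Endpoint, Endpoint] = dict(port_forwards)
        self.pat_out: Dict[Endpoint, int] = {}   # (private ip, port) -> public port

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the private source as the packet leaves the network."""
        for table in (self.static, self.leases):
            if pkt.src_ip in table:
                return replace(pkt, src_ip=table[pkt.src_ip])
        if self.pool:                       # dynamic NAT: lease a pool address
            self.leases[pkt.src_ip] = self.pool.pop(0)
            return replace(pkt, src_ip=self.leases[pkt.src_ip])
        # Pool exhausted: overload the shared address, one public port per flow (PAT)
        inside: Endpoint = (pkt.src_ip, pkt.src_port)
        if inside not in self.pat_out:
            self.pat_out[inside] = self.next_port
            self.pat_in[(self.pat_ip, self.next_port)] = inside
            self.next_port += 1
        return replace(pkt, src_ip=self.pat_ip, src_port=self.pat_out[inside])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map an arriving packet back to the private host; None means no mapping."""
        for private, public in (*self.static.items(), *self.leases.items()):
            if pkt.dst_ip == public:
                return replace(pkt, dst_ip=private)
        inside = self.pat_in.get((pkt.dst_ip, pkt.dst_port))
        if inside is None:
            return None                     # unsolicited and unmapped: dropped
        return replace(pkt, dst_ip=inside[0], dst_port=inside[1])


def demo() -> NatDevice:
    """Translator with one static mapping, a one-address pool, PAT on the
    firewall address, and the figure's port 80 forward (all constructed)."""
    return NatDevice(
        static={"192.168.10.1": "131.107.2.201"},
        pool=["131.107.2.202"],
        pat_ip="131.107.2.200",
        port_forwards={("131.107.2.200", 80): ("192.168.10.3", 80)},
    )


if __name__ == "__main__":
    nat = demo()
    for host in ("192.168.10.1", "192.168.10.2", "192.168.10.5", "192.168.10.6"):
        print(host, "->", nat.outbound(Packet(host, 5555, "200.200.20.1", 80)))
    print(nat.inbound(Packet("200.200.20.1", 5000, "131.107.2.200", 80)))
```

Hosts beyond the static mapping and the single pool address fall through to PAT, which is why the two PAT clients keep their private ports distinct on the public side: the (public address, public port) pair is the only thing the firewall has to route a reply to the right inside host, and a reply to an unmapped port is dropped.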
Ad Hoc
- In an ad hoc network, packets are directed to and from their source and target locations without using a central router
- A common source of ad hoc networks is the wireless space
- Advantages: no need for access points; can be easy to configure and provide a simple way to communicate
- Disadvantages: management is difficult – there is no central device, traffic statistics, security implementation, or monitoring
Segregation/Segmentation/Isolation
- Networks have become more complex, exposing limitations in the Spanning Tree Protocol (STP) for managing Layer 2 traffic efficiently
- "Network fabric" as a term describes a flat, depthless network
- A DMZ-based architecture allows for differing levels of trust, the isolation of specific pieces, and the use of security rules
- "Enclaves" are sections of a network that are logically isolated – special protections can be employed
Physical
- Physical segregation is where you have separate equipment to handle different classes of traffic
- Most secure method but also the most expensive
- Contractual obligations sometimes require physical segregation of equipment
- Payment Card Industry Data Security Standard (PCI DSS) – so that segregated systems can be considered out of scope for the security audit
Logical (VLAN)
- A virtual LAN (VLAN) is a logical implementation of a LAN and allows computers connected to different physical networks to act and communicate as if they were on the same physical network
- Trunking is the process of spanning a single VLAN across multiple switches
Virtualization
- Virtualization offers isolation logically while still enabling physical hosting
- Virtual machines allow you to run multiple machines on a single piece of hardware, enabling higher rates of utilization
- If a single piece of hardware has multiple virtual machines running, they are isolated from each other by the hypervisor layer
Air Gaps
- Air gap is the term used to describe when no data path exists between two networks
- The goal is to prevent any possibility of unauthorized access
- Sooner or later some form of data transfer is needed (weakness) – e.g. transferring files via USB
- Measures fail because people can move files and information between the systems with external devices
- False sense of security – these transfers are not subject to serious security checks
Tunneling/VPN
- Tunneling/virtual private networking (VPN) – two networks connect securely across an unsecured network
- Protocols such as IPsec, L2TP, SSL/TLS, and SSH
- Used for site-to-site communications and remote access to a network
Site-to-Site
- Site-to-site: connect two or more networks across an intermediary network layer
- Internet or some other public network
- Encryption to make content unreadable
Remote Access
- Remote access: a user requires access to a network and its resources, but is not able to make a physical connection
- Remote access via a tunnel or VPN has the same effect as directly connecting the remote system to the network
Security Device/Technology Placement
- The placement is related to the purpose of the device and the environment that it requires
- These devices must be in the flow of the network traffic
- Placement needs are fairly specific and essential for the devices to function properly
CIS 3500 11
Sensors
- Sensors are devices that capture data and act upon it
- Sensors can be network- or host-based
- Network-based sensors can provide coverage across multiple machines, but they may have issues with encrypted traffic and have limited knowledge of what the hosts themselves are doing
- Host-based sensors provide more specific and accurate information about host machines
- Deployment strategy must consider network traffic engineering
Collectors
- Collectors are sensors, or concentrators that combine multiple sensors, which collect data for processing
- Collectors are subject to the same placement rules and limitations as sensors
Correlation Engines
- Correlation engines take sets of data and match the patterns against known patterns
- They are a crucial part of tools such as antivirus or intrusion detection devices
- Should incoming data match one of the stored profiles, the engine can alert or take other actions
- They are limited by the strength of the match
- Placement: the traffic you want to study must pass through
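As an added example (not from the slides), this Python sketch of a correlation engine ingests constructed log events and matches them against two kinds of stored profile: a fixed signature and a threshold rule over a sliding time window, alerting when a profile is matched. It also shows the "strength of the match" limitation from the last bullet: a URL-encoded variant of the signature's pattern goes unmatched. The event data, rule names, patterns and the CorrelationEngine class are all constructed for the example.

```python
"""Minimal correlation engine.  Added illustration, not from the lecture slides;
events, patterns and rule names are constructed for the example."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

Event = Tuple[int, str, str]          # (seconds, source ip, log message)

# Constructed sample events (documentation-range IP addresses)
SAMPLE_EVENTS: List[Event] = [
    (0,   "203.0.113.7",  "sshd: Failed password for root"),
    (5,   "203.0.113.7",  "sshd: Failed password for root"),
    (9,   "203.0.113.7",  "sshd: Failed password for admin"),
    (12,  "203.0.113.7",  "sshd: Failed password for admin"),
    (15,  "203.0.113.7",  "sshd: Failed password for admin"),
    (20,  "198.51.100.3", "httpd: GET /index.html 200"),
    (25,  "198.51.100.3", "httpd: GET /cgi-bin/../../etc/passwd 404"),
    # Same request URL-encoded: the literal signature below will NOT match it
    (30,  "198.51.100.3", "httpd: GET /cgi-bin/..%2f..%2fetc/passwd 404"),
    (400, "203.0.113.7",  "sshd: Failed password for root"),   # window has expired
]


@dataclass
class Signature:
    """A stored profile: one literal pattern the engine has been taught."""
    name: str
    pattern: re.Pattern


@dataclass
class ThresholdRule:
    """Fires when `count` matching events from one source fall within `window` seconds."""
    name: str
    pattern: re.Pattern
    count: int
    window: int


class CorrelationEngine:
    def __init__(self, signatures: List[Signature], thresholds: List[ThresholdRule]):
        self.signatures = signatures
        self.thresholds = thresholds
        # (rule name, source ip) -> timestamps still inside the window
        self.windows: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)

    def ingest(self, ts: int, src: str, msg: str) -> List[str]:
        """Match one event against every stored profile; return the alerts raised."""
        alerts: List[str] = []
        for sig in self.signatures:
            if sig.pattern.search(msg):
                alerts.append(f"{sig.name} from {src}")
        for rule in self.thresholds:
            if not rule.pattern.search(msg):
                continue
            win = self.windows[(rule.name, src)]
            win.append(ts)
            while win and ts - win[0] > rule.window:   # drop expired timestamps
                win.popleft()
            if len(win) == rule.count:                  # alert once, when crossed
                alerts.append(f"{rule.name} from {src} ({rule.count} in {rule.window}s)")
        return alerts


def correlate(events: List[Event]) -> List[str]:
    """Run the constructed profiles over a list of events; return all alerts."""
    engine = CorrelationEngine(
        signatures=[Signature("path-traversal", re.compile(r"\.\./"))],
        thresholds=[ThresholdRule("ssh-brute-force", re.compile(r"Failed password"),
                                  count=5, window=60)],
    )
    alerts: List[str] = []
    for ts, src, msg in events:
        alerts.extend(engine.ingest(ts, src, msg))
    return alerts


if __name__ == "__main__":
    for line in correlate(SAMPLE_EVENTS):
        print(line)
```

Run against the sample, the engine raises exactly two alerts: the brute-force threshold on the fifth failure inside the 60-second window (the sixth, at 400 s, starts a new window) and the literal traversal signature. The encoded request at 30 s produces nothing, which is the sense in which such an engine is only as good as its stored patterns.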
Filters
- Packet filters process packets based on source and destination addresses, ports, or protocols, and either allow passage or block them
- Often part of a firewall
- Filters are local to the traffic being passed, so they must be inline
- Spam filters act as a sorter — good e-mail to your inbox, spam to the trash
Proxies
- Proxies are servers that act as a go-between between clients and other systems
- They act on the clients' behalf
- They must be in the normal path of network traffic
Firewalls
Firewalls at their base level are policy enforcement engines that determine whether traffic can pass or not based on a set of rules. Regardless of the type of firewall, the placement is easy: firewalls must be inline with the traffic they are regulating. If there are two paths for data to get to a server farm, then either one firewall must have both paths go through it or two firewalls are necessary. Firewalls are commonly placed between network segments, enabling them to examine traffic that enters or leaves a segment. This gives them the ability to isolate a segment while avoiding the cost or overhead of doing this segregation on each and every system.
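The following Python is an added example (not from the slides) of the inline placement rule above and of the layered-security idea from the Defense-in-Depth and Filters slides: two packet filters, an edge firewall and a segment ACL, each an ordered rule list with an implicit default deny, and a path model in which a packet must pass every filter on its path. The addresses, the rules (including a deliberately over-broad edge rule) and the sample packets are constructed.

```python
"""Two inline packet filters in series.  Added illustration, not from the
lecture slides; addresses, rules and sample packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


class PacketFilter:
    """Ordered rule list: the first matching rule wins; nothing matching is denied."""

    def __init__(self, name: str, rules: List[Rule]):
        self.name, self.rules = name, rules

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "deny"


def traverse(path: List[PacketFilter], p: Packet) -> Tuple[str, Optional[str]]:
    """Run the packet through every inline filter on its path, in order.
    Returns ("allow", None) or ("deny", <name of the filter that blocked it>)."""
    for f in path:
        if f.decide(p) == "deny":
            return ("deny", f.name)
    return ("allow", None)


# Constructed topology: Internet -> edge firewall -> web tier 10.1.1.0/24,
# web tier -> database segment ACL -> database tier 10.1.2.0/24
EDGE = PacketFilter("edge-firewall", [
    Rule("allow", dst="10.1.1.0/24", proto="tcp", dport=443),
    Rule("allow", dst="10.1.1.0/24", proto="tcp", dport=80),
    # Over-broad rule (a realistic mistake): a partner range was opened to
    # the whole 10.1.0.0/16 instead of the web tier only
    Rule("allow", src="198.51.100.0/24", dst="10.1.0.0/16"),
])
DB_ACL = PacketFilter("db-segment-acl", [
    Rule("allow", src="10.1.1.0/24", dst="10.1.2.0/24", proto="tcp", dport=5432),
])

# Every path into the database segment crosses both devices; the edge alone
# fronts the web tier.  A second Internet uplink would either have to be
# routed through EDGE as well or get an edge filter of its own.
PATH_TO_WEB = [EDGE]
PATH_TO_DB = [EDGE, DB_ACL]
INTERNAL_TO_DB = [DB_ACL]

if __name__ == "__main__":
    print(traverse(PATH_TO_DB, Packet("198.51.100.9", "10.1.2.20", "tcp", 5432)))
```

The partner-range packet to the database is the layered-security case: the over-broad edge rule lets it through, and the segment ACL, which only knows the web tier as a legitimate client, is the overlapping control that stops it.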
VPN Concentrators
- A VPN concentrator takes multiple individual VPN connections and terminates them into a single network
- The VPN side of the concentrator is exposed to the Internet
- If you have multiple different types of VPN users with different security profiles and different connection needs, then you might have multiple concentrators
SSL Accelerators
- An SSL accelerator is used to provide SSL/TLS encryption/decryption at scale – removing the load from web servers
- It needs to be placed between the appropriate web servers and the clients they serve, typically Internet facing
Load Balancers
- Load balancers take incoming traffic and distribute it across multiple servers
- A load balancer must reside in the traffic path between the requestors and the servers that are providing the service
- For reasons of efficiency, load balancers are typically located close to the systems whose traffic they are managing
DDoS Mitigator
- DDoS mitigators act as an umbrella, shielding the network from unwanted DDoS packets
- A mitigator must reside in the network path of the traffic it is shielding
- It should be positioned at the very edge of the network, before other devices
Aggregation Switches
- An aggregation switch provides connectivity for several other switches
- It is placed upstream from the multitude of devices and takes the place of a router or a much larger switch
- These traffic management devices are located based on network layout topologies to limit unnecessary router usage
Taps and Port Mirror
- Most enterprise switches can copy the activity of one or more ports through a Switch Port Analyzer (SPAN) port, also known as a port mirror – used to send traffic for analysis
- They can have issues when traffic levels get heavy – aggregate SPAN traffic can exceed the port's throughput
- A Test Access Point (TAP) is a passive signal-copying mechanism installed between two points on the network
- Adds to costs but does not create a bottleneck
SDN
- Software-defined networking (SDN) enables network engineers to reconfigure the network by making changes via a software program, without the need for re-cabling
- SDN allows for network function deployment via software, e.g. create a firewall between two segments by telling the SDN controllers to make the change
- SDN is relatively new and just beginning to make inroads into local networks
Stay Alert!
There is no 100 percent secure system, and
there is nothing that is foolproof!