HFN Brown Bag

slurpslapout, Networks and Communications

20 Nov 2013


NPS CISR

HFN Brown Bag: Security for Hastily Formed Networks

1

HFN Brown Bag

Essential Security Practices for Hastily Formed Networks


Bill Murray is an executive consultant in the office of the CTO, Cybertrust Corporation, and an Associate Professor at the Naval Postgraduate School. He is a Certified Information Security Professional (CISSP) and serves as Secretary of (ISC)2, the certifying body. Bill is an advisor on the Board of Directors of the New York Metropolitan Chapter of ISSA.

He has more than fifty years' experience in information technology and more than forty years in security. During more than twenty-five years with IBM his management responsibilities included development of access control programs, advising IBM customers on security, and the articulation of the IBM security product plan. He is the author of the IBM publication "Information System Security Controls and Procedures."


Mr. Murray has made significant contributions to the literature and the practice of information security. He is a popular speaker on such topics as network security architecture, encryption, PKI, and Secure Electronic Commerce. He is a founding member of the International Committee to Establish the "Generally Accepted System Security Principles" (GSSP, now referred to as the GISSP) as called for in the National Research Council's report "Computers at Risk."


Bill remains an active member of this committee. He is a founder and board member of the Colloquium on Information System Security Education (CISSE).


He has been recognized as a founder of the systems audit field and by Information Security Magazine as a Pioneer in Computer Security. In 1987 he received the Fitzgerald Memorial Award for leadership in data security. In 1989 he received the Joseph J. Wasserman Award for contributions to security, audit and control.

In 1995 he received a Lifetime Achievement Award from the Computer Security Institute. In 1999 he was enrolled in the ISSA Hall of Fame in recognition of his outstanding contribution to the information security community.


He holds a Bachelor of Science degree in Business Administration from Louisiana State University. He is a graduate of the Jesuit Preparatory High School of New Orleans.

William Hugh Murray

Abstract

This presentation discusses Essential Security Policies, Practices, Measures, and Methods for Hastily Formed Networks.

While "hastily formed" is not the equivalent of ad hoc, "hasty" does suggest that traditional formal development methods may not apply. However, history suggests that the absence of any method is rarely hasty; that which is put together in haste and without method rarely performs at all, much less as intended.

This presentation will quickly revisit the concepts of security, network, "hastily formed," and "essential" to arrive at recommendations for meeting security requirements using:

- Generic policies suitable for most network applications in hostile environments
- Traditional and accepted strategies and tactics
- Commercial-off-the-shelf products and components, and
- Broadly applicable standards, guidelines, procedures, and controls


Essential Security Practices

- ~ 0.8 effective
- Can be done by anyone
- Using available resources
- Synergistic in layered defenses or defense in depth
- Sufficient to get one off the target-of-opportunity list ... and for emergency missions
- May not be sufficient for a hardened target

Examples of Essential Practices

- Wearing a helmet
- Digging a hole
- Wearing body armor
- Using anti-virus
- Personal firewalls
- Putting mission-critical data on a file server


Hastily formed...*

- Surprising precipitating event (e.g., 9/11, Katrina)
- Chaos
- Insufficient resources
- Multi-agency response
- Distributed response
- Insufficient (pre-existing) (broken or failing) infrastructure
- (Minimum of pre-arrangement)
- (Bound late)

* http://www.nps.edu/cebrowski/HFN.html


Network

- Collection of nodes and links
- Typically communicating nodes over communication links
- We speak of PANs, LANs, WANs (also MANs, SANs, NANs); also agencies, commands, enterprises, and other affinity groups
- Usually for the purpose of cooperation and collaboration, e.g., disaster response, war-fighting
- "A 'cloud' with routers at its boundaries"*

* Rex Buddenberg


Desiderata of HFNs

- Robustness (e.g., mesh topology)
- Open as to connection
- Ease of repair
- Inter-operability
- Cross-domain addressability
- Minimal required pre-arrangement
- Fail-soft under load
- Other

Network Security

- Network Integrity: getting traffic from any node to any other node with an acceptable signal-to-noise ratio (no interference or contamination).
- Network Confidentiality: getting traffic from any node only to a specified node (minimal leakage).
- Network Availability: getting traffic from any node to any other on a specified schedule, even in the presence of interference.

Said another way, a node must be able to protect itself from any traffic that it sees, nodes and links must not leak, and there must always be a path.

Policies

- Trust is essential to cooperation and coordination... but communication trumps security.
- Availability is necessary
- Signal-to-noise must be "good enough"
- Confidentiality is merely nice, but...

Examples of Essential Practices

- Restrictive policy (using, e.g., proxies and firewalls)
- Redundant capacity (links) (over-provisioned)
- Media diversity (e.g., radio and wire, Internet and PSTN)
- Path diversity (e.g., mesh routing across multiple media)
- Peer-to-peer (link) and end-to-end (layer 7) cryptography (e.g., SSH, SSL, other VPNs) (belt and suspenders)
- Layered defenses
- Peer-to-peer mutual authentication (e.g., 2-way SSL) (may imply a mutually trusted third party)
- COTS crypto
- Out-of-band (VPN) connection setup and control
- Physical security of nodes and links
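Media diversity and path diversity above, together with the availability requirement of the Network Security slide ("there must always be a path"), can be checked on a planned mesh before it is fielded. The following is an added example, not part of the original deck: it models an HFN as links tagged by medium and reports which single medium, or which single relay node, would cut a pair of nodes off if lost. The node names, links and media are constructed sample data, not a real deployment.

```python
from collections import deque

# Constructed sample HFN (not from the deck): each link is (node_a, node_b, medium).
# Field-Team hangs off two different relays (path diversity), but both links are radio.
SAMPLE_LINKS = [
    ("EOC", "Shelter-A", "radio"),
    ("EOC", "Shelter-A", "wire"),
    ("EOC", "Shelter-B", "internet"),
    ("Shelter-A", "Shelter-B", "radio"),
    ("Shelter-A", "Field-Team", "radio"),
    ("Shelter-B", "Field-Team", "radio"),
]


def reachable(links, src, dst, excluded_media=frozenset(), excluded_nodes=frozenset()):
    """BFS over the mesh, ignoring links on excluded media and links touching excluded nodes."""
    adjacency = {}
    for a, b, medium in links:
        if medium in excluded_media or a in excluded_nodes or b in excluded_nodes:
            continue
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adjacency.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def media_single_points_of_failure(links, src, dst):
    """Media whose total loss (jamming, a cut cable, a dead PSTN) disconnects src from dst."""
    media = {m for _, _, m in links}
    return sorted(m for m in media if not reachable(links, src, dst, excluded_media={m}))


def node_single_points_of_failure(links, src, dst):
    """Relay nodes whose loss disconnects src from dst, i.e. where path diversity is missing."""
    nodes = {n for a, b, _ in links for n in (a, b)} - {src, dst}
    return sorted(n for n in nodes if not reachable(links, src, dst, excluded_nodes={n}))


if __name__ == "__main__":
    for dst in ("Shelter-B", "Field-Team"):
        print(dst, "media SPOF:", media_single_points_of_failure(SAMPLE_LINKS, "EOC", dst),
              "node SPOF:", node_single_points_of_failure(SAMPLE_LINKS, "EOC", dst))
```

In the sample, Field-Team survives the loss of either shelter but not the loss of radio, which is exactly the gap media diversity is meant to close.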

Examples of 3rd Party Introducers


- AOL
- Yahoo!
- MSN
- ICQ servers
- Enterprise IM servers
- Skype
- WebEx