4/15/02

Chapter 15. Security Architecture

1

Chapter 15: Security Architecture

Network Architecture

Design principles, physical configuration, functional organization, operational procedures, and data formats for design, construction, and operation of a network.

Security

The condition achieved when designated systems and information are protected from espionage, sabotage, subversion, and terrorism, as well as against loss or unauthorized use and/or disclosure.

The measures necessary to achieve this condition.

So…security architecture is the intersection of these definitions.


Security Architecture - An Unprotected Network

[Diagram: an unprotected network. Labels: Internal Network; Internet; Remote Office; Remote Office; Leased Line; Dial-Up Service; Remote Control; Voice Trunks; 1-800 Service; ISDN, DSL or Cable Modem; DSL or Cable Modem; Home User; ISP; Web & ftp Services; Physical Media (e.g., cd or floppy); Router; Physical Path; Wireless Network]

Security Architecture - An Unprotected Network

The only interface to the Internet is a simple router.

All IP addresses and services on the internal network are exposed to the Internet.

The network topology and services are easily mapped with any of the mapping tools readily available at both the IP (address mapping) and TCP (port mapping) layers.

There is no intrusion detection.

This was a common architecture through the late 1990s and is now beginning to change.

What then are the principles that should guide this change?


Security Architecture - high level principles

Principle - A consistent access architecture across all domains, wireless and wired, across the full range of staff mobility:

- Home or Small Office: VPN + SecurID, optional wireless LAN in home, 56k/DSL/ISDN/wireless to home
- Campus: VPN + SecurID, wireless LAN
- Travel: Dial-in modem or VPN + SecurID/LAN


Security Architecture - Core Principles

Protected network

1. Control external visibility of the network. Make only those resources visible that are necessary to conduct business.

2. Control access to all systems on the network (e.g., routers, switches, servers, and workstations).

3. Control transmission across all security boundaries, internal and external.

4. Monitor, detect, and act on all suspicious behavior within the network and at its boundaries.

All of this begins by clearly and completely understanding the network topology of the security domain that needs to be protected.


Security Architecture - Control External Visibility

1. Expose only that part of the DNS name/address space appropriate for external view (addresses that must be externally resolved).

2. Eliminate all unnecessary external services, enabling only those required to interact with external users.

3. Locate publicly accessible resources on a network that does not expose the internal network - has no visibility of the internal network and cannot be used as an entry point to the internal network.

For example, anonymous ftp and public web servers go here, with no ability for the ftp server to establish a 2-way connection with an internal device - all connections should be one-way, in-to-out (push).


Security Architecture - Control User Access to Systems

1. IP source routing is prohibited. This limits a user's ability to specify routes, which could be hazardous.

2. Each internal system should require positive authentication before a user is granted access - the only exception is anonymous access.

   - Passwords, 2-factor, or biometric authentication

3. Remote access services should impose security restrictions equivalent to those imposed on internal users.

4. Access authorizations should be based on “need-to-know”.


Security Architecture - Boundary Control

The entire network boundary needs to be identified and controlled:

- Internet
- Wireless networks
- Remote offices
- Dial-up access and ISDN
- Always-on access (dsl, cable modems)
- Carry-in access (media like CDs, floppies, zip cartridges)

Any external network attached behind the firewall (e.g., remote office) must comply with the same security policy as the internal network since that traffic does not go through the boundary control device (i.e., no unsecured back doors).


Security Architecture - Internet Access

Internet access is typically controlled by a filtering device:

- filtering router
- stateful inspection firewall
- proxy firewall

These devices operate in accordance with a set of security policy rules that are enforced by the router or firewall. Traffic crossing the boundary is allowed or denied in accordance with the rules.

Most of these devices can implement automatic alerts to notify a system administrator when an adverse event occurs - in many cases these alerts are turned off or ignored because of large event volume.

Logs are enabled on these devices and should be read regularly.
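As an added example that is not part of the lecture, the following log review turns a large volume of firewall deny events into a short per-source summary that can actually be read daily, and flags the IP (address) and TCP (port) mapping that the unprotected-network slide says is easy to carry out. The log line format, the sample records and the thresholds are constructed assumptions, not any real firewall's output.

```python
# Added example, not from the slides: a log-review pass over constructed
# firewall records that turns a large deny volume into a short per-source
# summary and flags the IP (address) and TCP (port) mapping the slides mention.
# The "time action src dst port" line format is an assumption, not a real product's.
from collections import defaultdict

SAMPLE_LOG = """\
08:00:01 DENY 203.0.113.7 192.0.2.10 21
08:00:02 DENY 203.0.113.7 192.0.2.10 22
08:00:02 DENY 203.0.113.7 192.0.2.10 23
08:00:03 DENY 203.0.113.7 192.0.2.10 25
08:00:03 DENY 203.0.113.7 192.0.2.10 80
08:00:04 DENY 203.0.113.7 192.0.2.10 110
08:00:04 DENY 203.0.113.7 192.0.2.10 139
08:00:05 DENY 203.0.113.7 192.0.2.10 443
08:01:10 ALLOW 198.51.100.4 192.0.2.10 80
08:02:15 DENY 198.51.100.4 192.0.2.10 22
08:03:00 DENY 203.0.113.7 192.0.2.11 80
08:03:01 DENY 203.0.113.7 192.0.2.12 80
08:03:02 DENY 203.0.113.7 192.0.2.13 80
08:03:03 DENY 203.0.113.7 192.0.2.14 80
"""

def parse(log):
    """Yield (action, src, dst, port); malformed lines are skipped, not guessed."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[4].isdigit():
            yield parts[1], parts[2], parts[3], int(parts[4])

def summarize(log, port_threshold=5, host_threshold=3):
    """Per source: count of denied flows, whether it probed many ports on one
    host (port mapping) and whether it probed one port on many hosts
    (address mapping). Thresholds are tuning knobs, chosen here arbitrarily."""
    seen = defaultdict(lambda: defaultdict(set))   # src -> dst -> denied ports
    denied = defaultdict(int)
    for action, src, dst, port in parse(log):
        if action != "DENY":
            continue                                # only denied flows are summarised
        denied[src] += 1
        seen[src][dst].add(port)
    return {
        src: {
            "denied": denied[src],
            "port_mapping": any(len(p) >= port_threshold for p in seen[src].values()),
            "address_mapping": len(seen[src]) >= host_threshold,
        }
        for src in denied
    }
```

On the sample, the single source that walked eight ports on one host and then one port across five hosts is flagged for both patterns, while the source with one stray denied connection is not.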


Security Architecture - Wireless Networks

Wireless networks represent a rapidly emerging set of technologies that will be widely deployed in the future. These networks bring with them a new set of vulnerabilities and security issues.

Three classes of networks are being developed:

- Wide Area Networks (worldwide in extent)
- Local Area Networks (restricted to a campus/building setting)
- Personal Area Networks (restricted to an office/person setting)

Wide area and local area networks are similar in extent and services to their wired counterparts.

The personal area network does not have a wired counterpart.


Security Architecture - Monitor, Detect, and Act

1. Logs should be turned on and reviewed.

2. Intrusion detection should be implemented (network and/or host).

3. Vulnerability scanning should be implemented.

4. Virus scanning at the firewall, mail server, and desktop should be implemented.

5. An incident response procedure should be implemented.


Security Architecture - A Protected Network

[Diagram: a protected network. Labels: Internal Network; Internet; Remote Office; Remote Office; Leased Line; Voice Trunks; 1-800 Service; DSL or Cable Modem; Home User; ISP; Public Services; Firewall; Physical Media (e.g., cd or floppy); Router; Remote Access Service; ISDN Dial-up; Wireless Network]

Security Architecture - The Demilitarized Zone (DMZ)

The public network attached to the firewall is often called the DMZ.

It is a public area: its addresses are externally advertised, and users can access servers here (e.g., web, ftp, external DNS) without authentication.

Consequently, these machines are 100% likely to be attacked. So…

- Keep them patched, scan them often, read logs daily.
- Do not allow them to see any traffic flowing through the firewall - use a separate Ethernet interface.
- Make their files read-only, remove other services.
- Do not allow them access to the internal network.
- Administrative access should be console only - not remote.


Security Architecture - With Intrusion Detection

[Diagram: the protected network with intrusion detection added. Labels: Internal Network; Internet; Remote Office; Remote Office; Leased Line; Voice Trunks; 1-800 Service; DSL or Cable Modem; Home User; ISP; Public Services; Firewall; Physical Media (e.g., cd or floppy); Net Switch; Remote Access Service; ISDN Dial-up; Router; Intrusion Detection]

Security Architecture - Intrusion Detection

Added a network switch with port mirroring (an interface for the ID system to be able to capture and observe all traffic).

The ID device is connected to an interface on a mirrored port.

The ID device has large storage capacity and signature capability.

It could be put behind the network router, but if router filtering is used, the ID device would not see all the traffic. Position depends on the extent of the traffic the device needs to see.

It could also be put on the internal network for internal ID (insider).

Most systems support multiple probes that can observe traffic at multiple locations. Each probe contains a unique signature capability.


Security Architecture - Internal Network

So far we have treated the internal network as a homogeneous security domain (i.e., same level of security everywhere). This means all segments must be equally secure - not always desirable (cost, ease of use).

Consider the concept of an enclave, where an enclave is a network or sub-net that has a consistent set of security requirements.

There may be multiple enclaves within an enterprise network (e.g., a student enclave with relatively low security requirements and an administrative enclave with more restrictions) - often done today by having a single network enclave and locking down certain hosts (e.g., ones containing student grades).

In a large environment, this becomes very difficult.





Security Architecture - Internal Network

Consider a network with four enclaves:

1. A public space (web, anonymous ftp) - open to anyone over the Internet.

2. A user facility that provides computing cycles to the international research community at large - must be capable of supporting remote and local access to researchers from all over the world.

3. The general Intranet for employees - provides in-house web, mail, and other network services - needs to support employees, but restrict access to outsiders (web may contain IP, product design, etc.).

4. A business computing environment containing the organization's official books (profit, loss, project, cost data) as well as the Human Resources system (payroll, salaries, etc.) - only accessible to a limited set of internal staff members.



Security Architecture - Internal Network

[Diagram: the internal network behind the Firewall and Router, divided into a Public Enclave, a Business Enclave, an Intranet Enclave and a User Facility Enclave; the connections between enclaves carry NO and YES labels.]


Security Architecture - Internal Network

The firewall is actually multiple firewalls, or may be a single firewall for the entire network with additional firewalls or filtering routers between internal enclaves.

An internal enclave might be an entire sub-net or a single system, depending on the number of systems being protected.

The point is, staff are not free to move around everywhere, but must pass through a protection zone (e.g., a firewall) before moving between internal enclaves.

The motivation here is that each enclave has different protection requirements.
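The allow/deny boundary rules from the Internet Access slide, the one-way in-to-out DMZ rule, and the inter-enclave protection zones just described, worked through as an added example that is not part of the lecture. The enclave names, ports and rules are constructed assumptions; a first-match, default-deny evaluator decides each flow once at the external firewall and again at the destination enclave's own firewall, so either protection zone can refuse it.

```python
# Added example, not from the slides: a first-match, default-deny model of the
# boundary firewall and the per-enclave protection zones. All names and rules
# here are constructed assumptions, not a real policy.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: str              # source enclave, "*" = any
    dst: str              # destination enclave, "*" = any
    port: Optional[int]   # destination TCP port, None = any port
    action: str           # "allow" or "deny"

def first_match(rules, src, dst, port):
    """First matching rule decides; no match is a deny, so a forgotten closing rule never opens a hole."""
    for r in rules:
        if r.src in ("*", src) and r.dst in ("*", dst) and r.port in (None, port):
            return r.action
    return "deny"

OUTSIDE = {"internet", "public"}   # networks on the external firewall's interfaces
# External firewall: expose only DMZ services, never let a DMZ host open a
# connection inward, and allow internal hosts only a one-way push into the DMZ.
EXTERNAL_FIREWALL = [
    Rule("internet", "public", 80, "allow"),      # public web server
    Rule("internet", "public", 21, "allow"),      # anonymous ftp
    Rule("internet", "public", 53, "allow"),      # externally resolvable DNS
    Rule("internet", "userfac", 22, "allow"),     # remote researchers log in
    Rule("public", "*", None, "deny"),            # DMZ initiates nothing inward
    Rule("intranet", "public", None, "allow"),    # in-to-out push of web/ftp content
    Rule("intranet", "internet", None, "allow"),  # employee outbound access
    Rule("*", "*", None, "deny"),                 # default deny
]
# Each internal enclave sits behind its own firewall or filtering router.
ENCLAVE_FIREWALL = {
    "business": [Rule("intranet", "business", 443, "allow"),  # limited staff portal
                 Rule("*", "business", None, "deny")],
    "intranet": [Rule("userfac", "intranet", None, "deny"),   # visiting researchers stay out
                 Rule("*", "intranet", None, "allow")],
    "userfac":  [Rule("*", "userfac", None, "allow")],        # open research facility
    "public":   [Rule("*", "public", None, "allow")],         # already filtered outside
}

def decide(src: str, dst: str, port: int) -> str:
    """A flow crossing the external boundary must pass the external firewall,
    and every flow must then pass the destination enclave's own protection zone."""
    if src in OUTSIDE or dst in OUTSIDE:
        verdict = first_match(EXTERNAL_FIREWALL, src, dst, port)
        if verdict == "deny" or dst == "internet":
            return verdict
    return first_match(ENCLAVE_FIREWALL.get(dst, []), src, dst, port)
```

Note that a DMZ host is denied any inward connection even to the wide-open user facility, because the external firewall's `public -> *` rule is consulted before any enclave policy.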