Securing the Borderless Network

grrrgrapeInternet and Web Development

Oct 31, 2013 (3 years and 7 months ago)

51 views

Securing the
Borderless Network



March 21, 2000

Ted Barlow

Securing the Network

Copyright 2000, Deloitte Touche Tohmatsu

The Internet has fundamentally
changed the way networks are

designed and secured

Introduction

Securing the Network

Copyright 2000, Deloitte Touche Tohmatsu

How things used to be . . .


single host environment


mainframe security
systems


hierarchical controls


well
-
defined access paths


dumb terminals


centralized
storage/processing of data

Old Model

Securing the Network

Copyright 2000, Deloitte Touche Tohmatsu

“Fortress” Security Model

Internet

Internal

Network

Firewall

Protocols:

SMTP

FTP

HTTP

“New” Old Model

Securing the Network

Copyright 2000, Deloitte Touche Tohmatsu

DMZ

“Freeway” Security Model

Internet

Internal

Network

Firewall

Web

Server

Application/

Database


Vendor

Extranet

HTTP

SSL

Java

ActiveX

SMTP

S/MIME

VPN

Viruses

Trojans

H.323

Credit

Validation

Network

New Model

Securing the Network

Copyright 2000, Deloitte Touche Tohmatsu

What are the Risks?


Denial of Service


DDOS (Distributed Denial of Service Attacks)


Defacement


3693 web server defacements in 1999
(www.attrition.org)


130 government sites (.gov)


Loss of private data


CD Universe (~350,000 credit card numbers)


Breach of internal networks and systems

Risks

Securing the Network

Copyright 2000, Deloitte Touche Tohmatsu

How do you Build a Secure

Internet Application Environment?


Incorporate security reviews early in the design process


Design with future strong authentication methods in mind


Design for
explosive

growth


Encrypt entire path from client to backup tapes for critical
data


Establish security baselines and perform security
hardening
before

going live on the Internet

Design and Build

Securing the Network

Copyright 2000, Deloitte Touche Tohmatsu

Key Components of the

Secure Network


Border routers


DMZ


Firewalls


Encrypted data paths


Intrusion Detection System (IDS)


Content Security (CVP)


Infrastructure

Securing the Network

Copyright 2000, Deloitte Touche Tohmatsu

The Firewall/DMZ Environment


Begin with a secure screening router


Choose a firewall that is extensible, scalable


Packet filtering vs. application proxy firewalls


Firewall appliances and next generation firewalls


Network address translation (NAT) will improve
DMZ security


Build firewall redundancy

Firewalls

Securing the Network

Copyright 2000, Deloitte Touche Tohmatsu

Choosing the Right Firewall Solution

Packet

Filters

Application
-
Proxy Gateways

Stateful
Inspection

Firewall Comparison

PROS

CONS



Application Independent



High Performance



Scalable



Good Security



Fully Aware of Application


Layer



Good Security



High Performance



Scalable



Fully Aware of Application


Layer



Extensible



Low Security



No Protection Above


Network Layer




Poor Performance



Limited Application Support



Poor Scalability



More Expensive

Securing the Network

Copyright 2000, Deloitte Touche Tohmatsu

Is Intrusion Detection Necessary?


Definition


the ability to detect and defend
against defined attack patterns


Host based & network based


Network IDS can be integrated with firewalls to
automatically respond to attacks


Host based IDS can detect changes to operating
system programs and configurations


IDS

Securing the Network

Copyright 2000, Deloitte Touche Tohmatsu

Internet Web Server

Internet

External
Router

Intranet Web
Server

Internal

Network

DMZ

Outside

Application/Database
Server

Backup
Server

Intrusion Detection
System (IDS)

Inside

Design Case Study

Internal
Router

Securing the Network

Copyright 2000, Deloitte Touche Tohmatsu

Web Server

Internet

External
Router

Internal
Router

IDS

App Server

Backup
Server

Internal

Network

IDS Console

IDS

CVP
Server

DMZ

NAT

DMZ

NAT

Design Case Study

Securing the Network

Copyright 2000, Deloitte Touche Tohmatsu

How do you Maintain a Secure

Internet Application Environment?


Keeping ahead of security exploits is a full time
job


Actually review and report on firewall, IDS and
system logs


Develop incidence response (IR) procedures and
IR team


Periodically review and audit system and network
security configurations

Maintenance

Securing the Network

Copyright 2000, Deloitte Touche Tohmatsu

What is coming in Network Security?


Better, cheaper authentication mechanisms


Open network security models


System, application level “firewalls”


Windows 2000

Future Developments

Securing the Network

Copyright 2000, Deloitte Touche Tohmatsu

Windows 2000 Security


Kerberos Authentication Infrastructure


Certificate Authority (CA)


Security Configuration Editor


IPSec Support


Encrypting File System (EFS)

Future Developments

Securing the Network

Copyright 2000, Deloitte Touche Tohmatsu

Kerberos Authentication

Windows 2000 supports several authentication
models: Kerberos for internal authentication and
X.509 certificates for external authentication.
Kerberos can be configured to use private or public
key authentication. Keys are managed by the
Domain Controller (DC) in the Key Distribution
Center (KDC). A User is granted a
ticket

or
certificate which permits a session between the user
and the server. Important security considerations:




The KDC
MUST

be physically secured



Susceptible to password dictionary attacks



Administrators still have complete access

Future Developments

Securing the Network

Copyright 2000, Deloitte Touche Tohmatsu

Certificate Authority (CA)

This is a Public Key Certificate Server built
into Windows 2000. The server manages the
issuing, renewal, and cancellation of digital
certificates. Digital certificates are used to
initiate encrypted sessions such as Secure
Sockets Layer (SSL) for secure web
-
based
communications.

Future Developments

Securing the Network

Copyright 2000, Deloitte Touche Tohmatsu

Security Configuration Editor

This is a Microsoft Management Console
(MMC) tool that eases security administration.
Allows administrators to create security
baselines by defining templates with global
security parameters, and then perform security
analyses against the templates. Manages
security policies, file system access control,
and Registry permissions.

Future Developments

Securing the Network

Copyright 2000, Deloitte Touche Tohmatsu

Internet Protocol Security (IPSec)

Defines security policies at the lowest
possible layer: the network communication
layer. Enables encryption and decryption of
network packets before they leave the
network interface card (NIC). Supports the
use of public keys (RSA) or private keys
(DES).


Future Developments

Securing the Network

Copyright 2000, Deloitte Touche Tohmatsu

Encrypting File System (EFS)

Allows users to encrypt files and directories
that only they (and administrators) can
decrypt. EFS creates a separate 56
-
bit
encryption key based on the Data Encryption
Standard (DES) algorithm. The
administrator’s key can unlock any encrypted
file in the domain. This service is very fast
and encryption/decryption occurs without the
user noticing.

Future Developments

Securing the Network

Copyright 2000, Deloitte Touche Tohmatsu

Summary of Best Practices


If possible, create a separate trusted network
(DMZ)


Choosing the right firewall solution is key


Application security is only as strong as system
and network security


Design the infrastructure to facilitate monitoring
and data backups


Intrusion Detection Systems


you can’t defend
what you don’t detect

Summary

Securing the Network

Copyright 2000, Deloitte Touche Tohmatsu

Questions?

Contact: Ted Barlow

tbarlow@dttus.com



Thank You