260 likes | 290 Views
Defense-in-Depth: Turning the Network Inside Out. Joel Snyder, Ph.D. Senior Partner Opus One jms@opus1.com. 2-Part Presentation. PART 1 (now): Building a “Crunchy” Network 802.1X, Digital Certificates, VLANs, Multiple levels of ACLs, Firewall/VPN on the NIC, NIDS/NIPS
E N D
Defense-in-Depth:Turning the Network Inside Out Joel Snyder, Ph.D. Senior Partner Opus One jms@opus1.com
2-Part Presentation • PART 1 (now): Building a “Crunchy” Network • 802.1X, Digital Certificates, VLANs, Multiple levels of ACLs, Firewall/VPN on the NIC, NIDS/NIPS • PART 2 (at 11:15 a.m.): Emerging Technologies • Application-aware firewalls, Rate/Content-based IPS, “target”-based IDS
Big Bad Internet Most networks focus on perimeter defense • “[AT&T’s gateway creates] a sort of crunchy shell around a soft, chewy center.” (Bill Cheswick, Design of a Secure Internet Gateway, April, 1990)
Big Bad Internet Perimeter defense has its flaws • “Protecting your network with a perimeter firewall is like putting a stake in the middle of a field and expecting the other team to run into it.” • #include <statistic on insider break-in percent> • “If your position is invisible, the most carefully concealed spies will not be able to get a look at it.” (Sun-Tzu) Virus
Defense-in-Depth is the alternative • Make the network “crunchy,” not soft and chewy throughout. • Turn the network inside-out: the security is on the inside, not on the outside
Cost The cost of adding firewall “brains” has been prohibitive Performance Firewalls are slower than Gigabit switches Management Determining the “many-to-many” relationships are difficult We don’t do defense-in-depth because... • Authentication • How do you know who has that IP address anyway? What about NATed users? • Policy • It’s hard to describe the security policy for inside users; it’s much easier to describe the Internet-oriented policy
Cost dropping Performance increasing Management getting better Whoops. I lied. My bad. • Authentication • solved • Policy • OK, there had to be something we couldn’t solve with technology
New and Exciting 802.1X Authentication Digital Certificates VLANs as Security Barriers Multiple levels of ACLs Firewall/VPN on the NIC Network Intrusion Detection/Prevention Systems Not-so-bleeding-edge MAC lock-down on ports Authenticated routing Rate-limiting (DoS resistance) Host-based IDS RADIUS authentication SSH for management SNMPv3 and not SNMPv2 “Access Ethernet” dedicated management network You can implement Defense-in-Depth
802.1X is the new standard for layer 2 authentication EAP over RADIUS Supplicant EAP over WirelessEAP over LAN Authentication Server (e.g., RADIUS server) Authenticators Supplicant The World
In the wireless environment, 802.1X is absolutely required 802.11i and WPA (Wi-Fi Protected Access) use 802.1X Pure 802.1X for authentication solves most WEP problems In the wired environment, 802.1X adds security Microsoft and Apple give it to you for free EAP over RADIUS “Here’s your WEP key for the next 30 seconds...” “Put the user on VLAN x and here’s what he has access to...” • 802.1X ties to RADIUS which means… • You can use RADIUS to push authorization information to wired and wireless equipment • VLANs & Filters 802.1X on every port adds security
What are pitfalls and caveats with 802.1X? • 802.1X does not mandate an authentication method • So you have to pick one (TLS, TTLS, or PEAP) • There are a bunch of choices and a bunch of interoperability problems (TTLS vs. PEAP) • Strategy: hold off until this battle is settled by the IETF • 802.1X does not require you to swap out your RADIUS infrastructure • You can get a new, small server which will proxy to your existing RADIUS servers • 802.1X will not immediately be “full featured” • Authorization information, such as ACLs and VLANs, is still awaiting “industry agreement”
Public/Private Cryptography enables ... n = p•q d = e-1 mod((p-1)(q-1)) • Authentication • Using public/private cryptography, I can strongly prove my identity • Integrity Checking • Using public/private cryptography, I can digitally sign documents and ensure that they cannot be tampered with • Digitally signed documents have “proof of sender” as well • Encryption • Using public/private cryptography, I can encrypt short and long strings of data effectively
n = p•q d = e-1 mod((p-1)(q-1)) Digital Certificates enable public/private cryptography A Certificate can be many things and have many forms, but fundamentally is a binding of a public keyto an identity
Authentication SSL-based web servers VPNs Remote User Authentication Windows 2K/XP Login 802.1X Network Authentication Email (Netscape, Outlook, others supporting S/MIME) Encryption Email (S/MIME clients) Many existing IT applications can use certificates Certificate-based techniques can also be used to pass encryption keys for secret key encryption: disk partitions, for example And they all can use the same certificate!
So why isn’t everyone using them? • PKI manufacturers have made it more complex than it needs to be • “Solve all the problems up front, for country-wise deployments” seems to be their strategy • And expensive! • Certificate Revocation List strategies have not been coherent • Online Certificate Status Protocol may help • Certificate Enrollment is chaotic • Four different protocols in common use • Plus a few proprietary ones
VLANs aren’t just for breakfast anymore Originally: Management Domains Now: Security Domains • 802.1q (Virtual LANs) can be used to combine, yet not mix, traffic from multiple networks “tagged” VLANs
3rd Floor 2nd Floor 1st Floor 4th Floor Use VLANs to distribute protected and unprotected services
Using VLANs for security has its risks • If packets jump from one VLAN to the other... the game is over • Management of switching infrastructure is now as important as management of firewalls • Your switches are your weak links • Attacks • Bugs • Switch vendors have a very bad reputation in this area Risk/Benefit Analysis
Some are more equal than others Static Packet Filters Typically look only IP layer Cannot be used for port-based controls Are commonly implemented High performance All Access Control Lists are not created equal “Extended” Access Lists (Packet Filters) • Look at things within IP and TCP or UDP header (such as port number and flags) • Can be used for limited port-based controls • Available on many, but not all, platforms • High performance StatefulPacket Filters • Look at entire datagram and try and simulate higher layer state machines • Considered very secure at layer 3 (Check Point, Cisco depend on them) • Slower and more CPU/memory intensive
ACLs can be spread throughout your network to increase security Allow traffic to HR server only from HR VLAN Block SMTP not from Internet. Kiosk PCs can’t get to inside net Pre-filter protocols (such as SNMP) you never want to let in; block spoofed packets User can get to departmental servers and Internet only
ACLs everywhere is a tricky situation • Static ACLs on ports can be difficult to manage and maintain (at this time) • 802.1X-derived ACLs don’t have sufficient context to work at IP layer (yet) • Not every device has the capability • Not every policy-based security server has the ability But this is a technology coming very soon to a theatre near you! “Put the user on VLAN x and here’s what he has access to...”
You can put a firewall on a NIC • Technically, this is not making the network itself crunchy and more secure • “Defense in Depth” isn’t too concerned with labels Policy Policy Policy Server Vendors: 3COM, Snap, OmniCluster, NetMaster, Corrent
Wireless Secure wireless LAN, using 802.1X and/or802.11i and/or IPsec Segmentation VLANs as managementand as securitydomains Multi-Level SecurityPush ACLs everywherethey can go,dynamic, too. Layer 2Authentication 802.1X Network Login authenticates users IDS/IPS Intrusion Detectionand Preventionfor forensics andprevention Internal Security Embedded Firewall secures desktops and servers PerimeterFirewallsand VPNs Old Standbys still useful! PKI AuthenticationUniform approach toauthentication givesstrongest security You can make a network which has deep defenses The Network
Questions, comments? Be sure to join me in 15 minutes for the second half of this presentation! Right here!
Featured Topic: Defense-in-depth Includes an on demand webcast with Joel titled Defense-in-Depth: Turning the Network Inside-Out, and resources from both Information Security and SearchSecurity. http://searchsecurity.com/FeaturedTopic/defenseindepth