1. Securing your presence at the perimeter
Ben Rothke, CISSP CISA
BT Global Services
Senior Security Consultant
2. About me…
• Ben Rothke (too many certifications)
• Senior Security Consultant – British Telecom
• Frequent writer and speaker
• Author - Computer Security: 20 Things Every Employee Should Know
BT Americas Inc.
2
3. The perimeter is not necessarily dead
• Firewalls and border routers are still the cornerstone for perimeter security
• Always will be a place for VPNs
• Attacks occur at the application layer
– So ensure app security
BT Professional Services
3
4. But the perimeter is getting blurred…
• VPNs
• complicated network connections with multiple partners
– contractors, consultants
– 3rd party collaboration
– vendors
• wireless networks
• laptops
• malicious insiders
– worms (compromised computers can be seen as malicious insiders)
5. Ok, the perimeter is dead, the cloud proves it
6. Perimeter challenges
• Determining proper firewall design
• access to resources for remote users
• effective monitoring and reporting
• need for enhanced packet inspection
• security standards compliance
• long-term maintenance
• ensuring attackers don’t find that single vulnerability
• data leakage
8. Key points
• Perimeter security is popular
– cheap, convenient, somewhat effective
– firewalls and IDS most common tools for network security
• Firewalls and IDS fighting an uphill battle
– both attackers and legitimate users struggle to avoid/evade them
• Security management is a key challenge
9. Securing network perimeters
• Goal is to provide adequate access without jeopardizing confidential or mission-critical areas
• Elements:
– firewalls, IDS, bastion host, Network Address Translation (NAT), proxy servers
– combined with authentication mechanisms
• Bastion host
– provides Web, FTP, e-mail, or other services running on a specially secured server
10. But the firewall is not a panacea
• Malicious traffic that is passed on open ports and not inspected by the firewall
• any traffic that passes through an encrypted tunnel or session
• attacks after a network has been penetrated
• traffic that appears legitimate
• users and administrators who intentionally or accidentally install viruses
• administrators who use weak passwords
11. Policy is required to secure a perimeter
• Firewall policies are typically lists of allow or deny rules
• what should the default rule be?
• Default allow:
– convenient since it doesn’t interfere with legitimate activity
• Default deny:
– more secure, since every allowed use undergoes security review
– if policy too restrictive, people complain and it gets fixed
– if policy too permissive, you only learn about it too late, after an attack
12. Other policy issues
• Scale
– Large organizations have thousands of rules
– How do you process them efficiently?
– How do you know they are correct?
• Ingress vs. egress filtering
– Ingress: filter packets from the Internet
– Egress: filter traffic to the Internet (why?)
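A worked illustration of the policy points on slides 11 and 12 (default deny, ingress vs. egress, and "how do you know thousands of rules are correct?"). This is an added example, not the speaker's or BT's code; the rule set and addresses are constructed samples, and the first-match evaluator and the shadowed-rule check are simplified models of what a firewall and a rule-base audit do.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str          # "ingress" (from the Internet) or "egress" (to it)
    src: str                # source CIDR
    dst: str                # destination CIDR
    dport: tuple[int, int]  # inclusive destination port range
    action: str             # "allow" or "deny"

    def matches(self, direction: str, src_ip: str, dst_ip: str, port: int) -> bool:
        return (self.direction == direction
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.dport[0] <= port <= self.dport[1])


def evaluate(rules, direction, src_ip, dst_ip, port, default="deny"):
    """First-match evaluation; traffic no rule mentions gets the default action."""
    for r in rules:
        if r.matches(direction, src_ip, dst_ip, port):
            return r.action, r.name
    return default, "default"


def covers(a: Rule, b: Rule) -> bool:
    """True if rule a matches every packet that rule b matches (same direction)."""
    return (a.direction == b.direction
            and ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
            and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])


def shadowed(rules) -> list[str]:
    """Names of rules that can never fire because an earlier rule already covers them."""
    return [r.name for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]


# Constructed sample policy (not from the slides): default deny in both directions.
RULES = [
    Rule("web-in", "ingress", "0.0.0.0/0", "203.0.113.10/32", (443, 443), "allow"),
    Rule("ssh-from-office", "ingress", "198.51.100.0/24", "203.0.113.0/24", (22, 22), "allow"),
    # Fully covered by the rule above: a typical leftover in a large, unreviewed rule base.
    Rule("old-ssh-rule", "ingress", "198.51.100.0/24", "203.0.113.5/32", (22, 22), "allow"),
    Rule("dns-out", "egress", "10.0.0.0/8", "0.0.0.0/0", (53, 53), "allow"),
    Rule("web-out", "egress", "10.0.0.0/8", "0.0.0.0/0", (80, 443), "allow"),
]
```

With default deny, an internal host trying to send mail directly to the Internet on port 25 (the "why?" of egress filtering: compromised machines exfiltrating or spamming) is dropped without any explicit rule, and `shadowed(RULES)` flags the dead rule that a manual review of thousands of lines would miss.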
13. Operational weaknesses
• Technology
– firewall rules not adequately maintained
– system configurations and access not being monitored
– passwords
• Standards
– unpatched software/firmware
– no criteria for hiring outside auditors and IT pros
– no consistent security assessments
– production data being used for dev/QA apps
14. Start thinking about DLP
• Small data leaks lead to major damage
– a minor water leak…
– becomes major structural damage
15. There is a lot DLP can do
• Detect sensitive content in any combination of network traffic, data at rest or endpoint operations
• Detect sensitive content using
– sophisticated content-aware detection techniques, including partial/exact document matching, structured data fingerprinting, statistical analysis, extended regular expression matching, conceptual and lexicon analysis, and more
• Support detection of sensitive data content in structured and unstructured data, using registered or described data definitions
• Block email communication policy violations
16. Do you have authority over your data?
• DLP enables you to finally control your data:
– Identify: know where your data resides
– Monitor: what is happening, who did it, when
– Warning: user alerted when moving sensitive data
– Prevention: unauthorized actions are thwarted
– Control: only approved devices can be used
– Reporting: compliance reports (SoX, PCI, HIPAA / HITECH, GLBA, Euro-SoX, and more)
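Two of the detection techniques listed on slide 15, shown in working form for the "Identify" and "Monitor" steps on slide 16: regular-expression matching for card numbers (a PCI "described" definition) tightened with a Luhn check, and partial document matching against a "registered" document using hashed word shingles. This is an added example, not the speaker's or any DLP vendor's code; the registered document and the messages are constructed samples.

```python
from __future__ import annotations
import hashlib
import re

# Candidate card numbers: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Regex candidates filtered by Luhn, so ticket numbers and IDs don't raise alerts."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def fingerprint(text: str, k: int = 5) -> set[str]:
    """Hash every k-word shingle; the DLP system registers only these hashes, not the text."""
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(len(words) - k + 1)}


def partial_match(registered: set[str], text: str, k: int = 5, threshold: float = 0.3):
    """Share of the text's shingles that appear in a registered document (partial matching)."""
    fp = fingerprint(text, k)
    if not fp:
        return 0.0, False
    overlap = len(fp & registered) / len(fp)
    return overlap, overlap >= threshold


# Constructed sample: a registered confidential document (hypothetical, not from the slides).
REGISTERED = fingerprint(
    "Project Bluefin acquisition terms are confidential until the board votes in March")
```

A message that paraphrases around a copied sentence still scores well above the threshold, while an unrelated message scores zero, which is the difference between exact and partial document matching on slide 15.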
17. Testing
• Publicly-accessible systems
– IP-hosts
– all web apps
– web services
• Web interfaces:
– routers
– firewalls
– email
• Wireless
18. Ask lots of questions and fill up whiteboards
1. What are we doing beyond vulnerability scans to find security flaws?
2. Are we looking at all of our critical perimeter systems?
3. When are we going to get to everything else?
4. What are the results of our latest external security assessment?
5. What’s being done to resolve these issues?
6. Even if nothing is turned up, when’s our next round of testing scheduled for?
7. Have we started thinking about the data?
8. Should we consider DLP?
19. Use tools
• There are myriad tools, use them judiciously
– QualysGuard
– WebInspect
– Acunetix WVS
– CommView for WiFi
– Web browsers
– Google
– other exploit tools
– Make sure your staff reads Security Strategy: From Requirements to Reality
– http://amzn.to/fT2yG6
20. Creating and maintaining a strong perimeter
• Good design
• updated design
• built and designed by engineers
– with management oversight
• risk-based
• business needs understood
• maintained
– competent staff
– maintained at an adequate level