Enterprise Network Security & Compliance - A Vendor's Perspective
•
1 j'aime•231 vues
Presentation made at the Information Systems Audit and Control Association (ISACA) meetup, Oct 2016.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à Enterprise Network Security & Compliance - A Vendor's Perspective
Similaire à Enterprise Network Security & Compliance - A Vendor's Perspective (20)
Dernier
Dernier (20)
Enterprise Network Security & Compliance - A Vendor's Perspective
- 1. ENTERPRISE NETWORK SECURITY & COMPLIANCE A VENDOR’S PERSPECTIVE Anusha Vaidyanathan Product Management
- 2. DISCLAIMER The views expressed here are my own, though I may draw examples from my past and present professional experiences.
- 3. AGENDA Scope B2B - Vendors selling to enterprises "Devices in your network" Not in scope Not about specific security solutions Devices in your Network
- 4. COMPLIANCE ALPHABET SOUP FIPS 140-2 Common Criteria ICSA NSS PCI DSS HIPPA SOX ISO 27002 FIPS200 GLBA FISMA NERC IT Security & Compliance Product Security & Compliance Homologat ion FCC, UL, CB/CE DVTTCG – TPM Export Complian ce Hardware Security & Compliance
- 5. Internet Mobile Branch Saas Applications Paas/Iaas Applications White-box switches Data Center DEVICES IN YOUR ENTERPRISE NETWORK TODAY Courtesy: Palo Alto Networks Virtual Firewall
- 6. A BRIEF HISTORY Then Now Centralized+ Distributed Programmable VNFs /Service chaining Network Virtualization Tightly Coupled Rigid Monolithic Custom hardware
- 7. A BRIEF HISTORY Then Now Hypervisor IaaS Clouds Virtual Physical Orchestration Courtesy: Juniper SRX 5600 Courtesy: Silver Peak Systems Inc.
- 8. WHOSE ‘OS’ IS IT ANYWAY? Applications Management and Orchestration Malware analysis Analytics SIEMs Anti-Virus DLP Embedded Systems SDN Controllers Firewall Routers Switches WAN optimization Web Application Firewalls Load balancers Secure Web gateways VPN devices IPS Embedded Systems Cloud Apps (Iaas) Applications Cloud Apps (Saas/Paas)
- 9. A BRIEF HISTORY Then Now Service Chaining SD-WAN and Firewall VNFs Courtesy: Silver Peak Systems Inc.
- 10. A BRIEF HISTORY Then Now Centralized Orchestrator, Distributed Devices Courtesy: Silver Peak Systems Inc.
- 11. A BRIEF HISTORY Then Now Courtesy: Silver Peak Systems Inc.
- 12. • FIPS boundaries - hardware vs. software only • TPM for virtual • Common Criteria – Evolving => Assurance levels to Protection Profiles • IPSec/SSL encryption – commodity hardware, AES NI instructions Compliance Considerations
- 13. New Threat Vectors •Virtualization – Hypervisor, Containers Courtesy: Docker
- 14. New Threat Vectors & Considerations •Programmability • DDoS on REST APIs • Authentication • Distributed Data Plane – Backward & Forward compatibility •‘Outside the Box’ - Secure communications
- 15. RISING OPEN SOURCE USAGE Copy-left vs. Permissive licenses Vendors Publish ALL 3rd party licenses Publish source code for modified copy-left licenses Maintain tabs on Bill of Materials Provide trickle-down SLAs for open source vulnerabilities Courtesy: Blackduck Software
- 16. “SHARE MY PIE” Vendors Enterprises Vulnerability Assessment • OWASP top 10 • SANS 25 • TCP/IP attacks Penetration Testing • Privilege escalations • Availability • Security Posture
- 17. DEVOPS AND HOSTED CLOUD APPLICATIONS The release is dead, long live the release! Network vendors with physical, virtual, IaaS products Follow (Agile) software release cycles Enterprises with cloud or web services Saas/Paas products Devops model Risks Availability, Stability, DDoS Courtesy: http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr
- 18. SUMMARY Enterprise networks are adapting to network virtualization and cloud applications Programmable, hardware agnostic products introduce new threat vectors Vendor compliance standards help in enterprise IT security & compliance Vendor best practices for open source usage & vulnerability assessment
Notes de l'éditeur
- Alphabet soup of IT security What applies to vendors - FIPS, ICSA, Common Criteria, NSS FIPS - crypto implementation, key management, random bit generation, X.509 certificates =>no weak protocols, physical security in level 2 and above CC - secure Communication channel (data in transit), RBAC, Audit logs, System services, protect stored keys (data at rest), ICSA, and NSS are firewall, network security certifications ICSA – basic firewall, NSS – effectiveness, price, performance Common requirements Encrypt data at rest, in transit – make sure crypto is right, RBAC, Audit logs, change management, Business Continuity, disaster recovery , NTP time sync, Firewall/IPS implementation is right - ICSA Hardware CB - safety of electrical and electronic components, CE for EU UL – independent 3rd party testing FCC – radiation DVT – very product centric. Includes functional, performance, environmental, mechanical, MTBF, electro magnetic tests after prototyping TPM, export compliance What doesn't apply to us, but what we design for - Industry-level certifications - PCI, HIPPA, SOX, FedRAMP, FISMA, ISO2700x, NERC, GLBA SOX – publicly traded company GLBA – bank, insurance, fin serv FISMA – govt, govt contractors, PCI – credit card merchants NERC – electric generator, provider etc.tc.
- FIPS: Vendor dilemma, should I certify h/w or s/w – physical, virtual, cloud, should I pay my FIPS lab 3 times (expensive) TPM virtual – commodity h/w, not for virtual, how do I secure private keys in virtual? Encryption has changed – no h/w accelerators, though they are not going away. Intel processors have AES NI instructions. So AES encryption is now more popular than 3DES.
- Hypervisor security Ex: lockdown on host OS, ensures that you enforce guest OS user access Can I copy and paste between VM consoles CPU, memory, storage are shared. Can one VM over-ride the other – have to restrict Container – set of namespaces or resource groups, without the overhead of a virtual/guest OS Containers with root privileges – privilege escalation , unintended Most networking vendors have Containers in their roadmap Container – 2016 survey – 16% of orgs already using containers in production – mostly for development, testing, 30% have headaches about security, isolation (Cloud Foundry survey – Leading paas platform, pivotal built on top, GE Predix cloud is built over it) Answers: Right now, onus is on enterprises, not on vendors for IAAS, virtual products.
- “Many moving parts”- Centralized orchestrator, multiple devices in the network. TLS/Ipsec between each control/data connection ?
- A permissive licence is as it says, and allows the user to copy, repackage, sell, or change the code in any way the user likes, as long as some form of attribution is given. A copyleft licence, such as the GPL, gives similar rights but ensures reciprocity by obliging those who distribute the code to pass on the same rights to others How it affects end user organizations – Opensource is a product security issue – it affects IP rights, right to commercially buy and sell a product Google has aimed to remove all GPLed software from Android's userland, and Apple won't allow GPLed software to be sold through its App Store,
- Enterprise IT –” uncover all issues in my org, network and security posture” Vendors – “are all my products vul free, opensource components patched in a timely manner” Vendors leaning on vulnerability assessment vs. enterprises leaning towards pen test Vul assess frameworks OWASP top 10 – design for XSS, SQL inject, input-output vuln, session authentication, SANS 25 TCP/IP vulnerabilities – RFC compliance, FTP bounce attacks, IP smurf attacks, spoofed TCP resets
- Started in 2009 with flickr – 10 deploys per day, model is do away with releases always develop on trunk, head of your code, so number of revisions doesn’t matter Fix fast, deploying faster, one step build and deploy Most web services, cloud apps Network vendors still use release cycles- Agile, from waterfall, not entirely devops Cloud apps are devops style Fix fast, Patching quicker, Responsible software development – one step development, build and deploy