Turning the Network Inside Out - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Turning the Network Inside Out
  • Joel Snyder, Ph.D.
  • Senior Partner
  • Opus One
  • jms@opus1.com

2
Most networks focus on perimeter defense
  • "AT&T's gateway creates a sort of crunchy shell
    around a soft, chewy center." (Bill Cheswick,
    Design of a Secure Internet Gateway, April, 1990)

3
Perimeter defense has its flaws
  • Protecting your network with a perimeter
    firewall is like putting a stake in the middle of
    a field and expecting the other team to run into
    it.
  • include <statistic on insider break-in percent>
  • If your position is invisible, the most
    carefully concealed spies will not be able to get
    a look at it. (Sun-Tzu)

4
Defense in Depth is the alternative
  • Make the network crunchy, not soft and chewy
    throughout.
  • Turn the network inside-out: the security is on
    the inside, not on the outside

5
We don't do defense-in-depth because...
  • Cost
      • The cost of adding firewall "brains" has been
        prohibitive
  • Performance
      • Firewalls are slower than Gigabit switches
  • Management
      • Determining the many-to-many relationships is
        difficult
  • Authentication
      • How do you know who has that IP address anyway?
        What about NATed users?
  • Policy
      • It's hard to describe the security policy for
        inside users; it's much easier to describe the
        Internet-oriented policy

6
Whoops. I lied. My bad.
  • Cost
      • dropping
  • Performance
      • increasing
  • Management
      • getting better
  • Authentication
      • solved
  • Policy
      • OK, there had to be something we couldn't solve
        with technology

7
You can implement Defense-in-Depth
  • Not-so-bleeding-edge
      • MAC lock-down on ports
      • Authenticated routing updates
      • Rate-limiting (DoS resistance)
      • Host-based IDS
      • RADIUS-based authentication
      • SSH (Secure Shell) for management
      • SNMPv3 and not SNMPv2
      • Dedicated Ethernet management network
  • New and Exciting
      • 802.1X Authentication
      • Digital Certificates
      • VLANs as Security Barriers
      • Multiple levels of ACLs
      • Firewall/VPN on the NIC
      • Network Intrusion Detection/Prevention Systems

8
802.1X is the new standard for layer 2
authentication

[Figure: 802.1X roles. A Supplicant speaks EAP over LAN (wired) or EAP over Wireless to an Authenticator; the Authenticator relays EAP over RADIUS to the Authentication Server (e.g., RADIUS server) and only then opens the port toward The World.]
9
802.1X on every port adds security
  • In the wireless environment, 802.1X is absolutely
    required
  • 802.11i and WPA (Wi-Fi Protected Access) use
    802.1X
  • Pure 802.1X for authentication solves most WEP
    problems (if implemented with mutual-authentication
    methods: TLS, TTLS or PEAP)

10
802.1X on every port adds security, II
  • In the wired environment, 802.1X adds security
  • Microsoft gives it to you for free with W2K and
    XP
  • Many wireless vendors too...

802.1X ties to RADIUS, which means you can use
RADIUS to push authorization information to
wired and wireless equipment:
  • VLAN information
  • ACL (access control list) information
11
What are pitfalls and caveats with 802.1X?
  • 802.1X does not mandate an authentication method
      • So you have to pick one (TLS, TTLS, or PEAP)
      • There are a bunch of choices and a bunch of
        interoperability problems (TTLS vs. PEAP)
      • Strategy: hold off until this battle is settled
        by the IETF
  • 802.1X does not require you to swap out your
    RADIUS infrastructure
      • You can get a new, small server which will proxy
        to your existing RADIUS servers
  • 802.1X will not immediately be full featured
      • Authorization information, such as ACLs and
        VLANs, is still awaiting industry agreement
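Slides 8 through 11 describe 802.1X carrying EAP inside RADIUS, a small proxy sitting in front of the existing RADIUS servers, and RADIUS pushing a VLAN assignment back to the switch. The following is an added example, not taken from the presentation or from any vendor's product: with only the Python standard library it builds both messages of that exchange, protects them with the Message-Authenticator attribute that RFC 3579 requires on any Access-Request carrying EAP-Message, verifies them the way a RADIUS server or proxy must before trusting the EAP payload, and reads the VLAN out of the RFC 3580 Tunnel attributes. The shared secret, user name, packet identifier and VLAN number are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 2868, RFC 3579, RFC 3580).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE = 1, 64, 65
EAP_MESSAGE, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 79, 80, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def encode_attrs(attrs):
    """TLV-encode [(type, value_bytes), ...]; one octet each for type and length."""
    out = bytearray()
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += bytes([t, len(v) + 2]) + v
    return bytes(out)


def decode_attrs(data):
    """Walk the attribute area, returning (type, value, offset_of_value) triples."""
    i, out = 0, []
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        length = data[i + 1]
        out.append((data[i], data[i + 2:i + length], i + 2))
        i += length
    return out


def build_packet(code, ident, authenticator, attrs, secret):
    """Packet ending in a Message-Authenticator (RFC 3579 3.2): HMAC-MD5 keyed with
    the shared secret over the whole packet with the M-A value set to 16 zero octets."""
    body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # the zeroed M-A is the last 16 octets


def build_reply(code, request, attrs, secret):
    """Reply: M-A is computed with the Request Authenticator in the header, then the
    Response Authenticator = MD5(header + RequestAuth + attributes + secret)."""
    req_auth = request[4:20]
    pkt = build_packet(code, request[1], req_auth, attrs, secret)
    resp_auth = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]


def verify_message_authenticator(pkt, secret, request_authenticator=None):
    """True if the M-A checks out. A reply is checked against the Request
    Authenticator of the request it answers, which binds it to that request."""
    if len(pkt) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        return False
    mas = [(v, o) for t, v, o in decode_attrs(pkt[20:]) if t == MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0][0]) != 16:
        return False  # missing, duplicated or malformed M-A: discard the packet
    value, off = mas[0]
    auth = pkt[4:20] if code == ACCESS_REQUEST else request_authenticator
    if auth is None:
        return False
    zeroed = pkt[:4] + auth + pkt[20:20 + off] + bytes(16) + pkt[36 + off:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)


def verify_response_authenticator(reply, request, secret):
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def assigned_vlan(reply):
    """RFC 3580 3.31: the VLAN the switch should put the port in, or None."""
    attrs = {t: v for t, v, _ in decode_attrs(reply[20:])}
    ttype, tmed, tgid = (attrs.get(k) for k in
                         (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID))
    if not (ttype and tmed and tgid):
        return None
    # Tunnel-Type / Tunnel-Medium-Type: one tag octet then a 3-octet integer.
    if int.from_bytes(ttype[1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(tmed[1:], "big") != TUNNEL_MEDIUM_IEEE802:
        return None
    # Tunnel-Private-Group-ID: a leading octet 0x00..0x1F is a tag, else string data.
    vid = tgid[1:] if tgid[0] <= 0x1F else tgid
    return int(vid.decode("ascii"))


def demo():
    """Constructed exchange: switch -> RADIUS Access-Request carrying an
    EAP-Response/Identity, RADIUS -> switch Access-Accept with a VLAN assignment."""
    secret = b"constructed-shared-secret"  # constructed, not a real deployment value
    eap_identity = b"alice"
    # EAP packet: code 2 (Response), id 1, length, type 1 (Identity), identity.
    eap = struct.pack("!BBH", 2, 1, 5 + len(eap_identity)) + b"\x01" + eap_identity
    request = build_packet(ACCESS_REQUEST, 7, os.urandom(16),
                           [(USER_NAME, b"alice"), (EAP_MESSAGE, eap)], secret)
    accept = build_reply(ACCESS_ACCEPT, request, [
        (TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"20"),
    ], secret)
    # A same-length edit to User-Name and the EAP identity keeps every Length field
    # valid; only the Message-Authenticator catches it.
    tampered = request.replace(b"alice", b"admin")
    return {
        "request_ok": verify_message_authenticator(request, secret),
        "tampered_ok": verify_message_authenticator(tampered, secret),
        "accept_ok": verify_message_authenticator(accept, secret, request[4:20])
        and verify_response_authenticator(accept, request, secret),
        "vlan": assigned_vlan(accept),
    }
```

The integrity primitives are HMAC-MD5 and MD5 because that is what RADIUS specifies, not a recommendation for new protocols; what a proxy in front of the existing RADIUS servers adds is the discipline shown in `verify_message_authenticator`: check the Length field, reject a packet with zero or two Message-Authenticators, compare in constant time, and never act on an EAP-Message whose packet failed the check.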

12
Public/Private Cryptography enables ...
n = pq;  d = e^(-1) mod ((p-1)(q-1))    (RSA key setup)
  • Authentication
      • Using public/private cryptography, I can strongly
        prove my identity
  • Integrity Checking
      • Using public/private cryptography, I can
        digitally sign documents and ensure that any
        tampering with them is detected
      • Digitally signed documents have proof of sender
        as well
  • Encryption
      • Using public/private cryptography, I can encrypt
        short and long strings of data effectively

13
Digital Certificates enable public/private
cryptography

A Certificate can be many things and have many
forms, but fundamentally is a binding of a
public key to an identity
14
Many existing IT applications can use certificates
  • Encryption
      • E-mail (S/MIME clients)
  • Authentication
      • SSL-based Web servers
      • VPNs: Remote User Authentication
      • Windows 2K/XP Login
      • 802.1X Network Authentication
      • E-mail (Netscape, Outlook, others supporting
        S/MIME)

Certificate-based techniques can also be used to
pass encryption keys for secret-key encryption
(disk partitions, for example).
And they all can use the same certificate!
15
So, why isn't everyone using them?
  • PKI manufacturers have made it more complex than
    it needs to be
      • "Solve all the problems up front, for
        country-wide deployments" seems to be their
        strategy
      • And expensive!
  • Certificate Revocation List strategies have not
    been coherent
      • Online Certificate Status Protocol may help
  • Certificate Enrollment is chaotic
      • Four different protocols in common use
      • Plus a few proprietary ones

16
VLANs aren't just for breakfast anymore
  • 802.1Q (Virtual LANs) can be used to combine, yet
    not mix, traffic from multiple networks

[Figure: tagged VLANs. Originally: Management Domains. Now: Security Domains.]
17
Use VLANs to distribute protected and
unprotected services

[Figure: building with 1st through 4th floors; protected and unprotected services are delivered to each floor on separate VLANs.]
18
Using VLANs for security has its risks
  • If packets jump from one VLAN to the other... the
    game is over
  • Management of switching infrastructure is now as
    important as management of firewalls
  • Your switches are your weak links
      • Attacks
      • Bugs
      • Switch vendors have a very bad reputation in this
        area

Risk/Benefit Analysis
19
All Access Control Lists are not created equal
  • Some are more equal than others
  • Static Packet Filters
      • Typically look only at the IP layer
      • Cannot be used for port-based controls
      • Are commonly implemented
      • High performance
  • Extended Access Lists (Packet Filters)
      • Look at things within the IP and TCP or UDP
        headers (such as port number and flags)
      • Can be used for limited port-based controls
      • Available on many, but not all, platforms
      • High performance
  • Stateful Packet Filters
      • Look at the entire datagram and try to simulate
        higher-layer state machines
      • Considered very secure at layer 3 (Check Point,
        Cisco depend on them)
      • Slower and more CPU/memory intensive

20
ACLs can be spread throughout your network to
increase security

[Figure: network diagram with ACLs applied at several points:]
  • Allow traffic to HR server only from HR VLAN
  • Block SMTP not from Internet
  • Kiosk PCs can't get to inside net
  • Pre-filter protocols (such as SNMP) you never
    want to let in; block spoofed packets
  • User can get to departmental servers and Internet
    only
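Slides 19 and 20 distinguish three classes of access list and then list the policies one would spread through a network (anti-spoofing, pre-filtering SNMP, reaching a server only on its service port). As an added example, not from the presentation, the following Python models each class and runs the same constructed packets through all three so the difference in what each can see becomes concrete: the static filter cannot distinguish ports, the extended list's "established" keyword admits any TCP segment with ACK set whether or not a connection exists, and only the stateful filter ties return traffic to a connection it saw being opened. The addresses, rule sets and packets are constructed; the "established" semantics follow Cisco extended ACLs (ACK or RST set), and the connection table here has no timeouts.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress: str                     # interface it arrived on: "outside" or "inside"
    src: str
    dst: str
    proto: str                       # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN"} or {"ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    ingress: str = "any"
    src: str = "any"             # CIDR or "any"
    dst: str = "any"
    proto: str = "any"           # the next three fields exist only above layer 3
    dport: object = "any"
    established: bool = False    # TCP segment with ACK or RST set


def _ip_match(ip, net):
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def _l3_match(rule, pkt):
    return (rule.ingress in ("any", pkt.ingress)
            and _ip_match(pkt.src, rule.src) and _ip_match(pkt.dst, rule.dst))


class StaticFilter:
    """First class on slide 19: addresses only. A rule needing protocol, port or
    flags is refused outright rather than silently matched on addresses alone."""
    def __init__(self, rules):
        for r in rules:
            if r.proto != "any" or r.dport != "any" or r.established:
                raise ValueError("static filter cannot express layer-4 fields")
        self.rules = rules

    def decide(self, pkt):
        for r in self.rules:
            if _l3_match(r, pkt):
                return r.action
        return "deny"  # implicit deny at the end of every list


class ExtendedFilter:
    """Second class: adds protocol, destination port and 'established'."""
    def __init__(self, rules):
        self.rules = rules

    def decide(self, pkt):
        for r in self.rules:
            if not _l3_match(r, pkt):
                continue
            if r.proto not in ("any", pkt.proto) or r.dport not in ("any", pkt.dport):
                continue
            if r.established and not (pkt.proto == "tcp" and pkt.flags & {"ACK", "RST"}):
                continue
            return r.action
        return "deny"


class StatefulFilter:
    """Third class: rules decide only whether a flow may be opened; any other
    packet must belong to a flow already in the connection table."""
    def __init__(self, rules):
        self.inner = ExtendedFilter(rules)
        self.table = set()  # (src, sport, dst, dport, proto) of permitted flows

    def decide(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if fwd in self.table or rev in self.table:
            return "permit"
        if pkt.proto == "tcp" and pkt.flags != frozenset({"SYN"}):
            return "deny"  # not a connection opener and no state exists for it
        action = self.inner.decide(pkt)
        if action == "permit":
            self.table.add(fwd)
        return action


INSIDE, GATEWAY = "10.0.0.0/8", "10.1.1.25/32"  # constructed addressing
STATIC_RULES = [
    Rule("deny", ingress="outside", src=INSIDE),     # inside addresses never arrive from outside
    Rule("permit", ingress="outside", dst=GATEWAY),  # mail gateway reachable, on every port
    Rule("permit", ingress="inside", src=INSIDE),
]
RULES = [
    Rule("deny", ingress="outside", src=INSIDE),                          # anti-spoof
    Rule("deny", ingress="outside", proto="udp", dport=161),              # pre-filter SNMP
    Rule("permit", ingress="outside", dst=GATEWAY, proto="tcp", dport=25),
    Rule("permit", ingress="outside", dst=INSIDE, proto="tcp", established=True),
    Rule("permit", ingress="inside", src=INSIDE),
]


def demo():
    """Constructed packets at the perimeter; returns (static, extended, stateful)."""
    filters = (StaticFilter(STATIC_RULES), ExtendedFilter(RULES), StatefulFilter(RULES))
    SYN, ACK, SYNACK = frozenset({"SYN"}), frozenset({"ACK"}), frozenset({"SYN", "ACK"})
    packets = {
        "spoofed":   Packet("outside", "10.2.3.4", "10.1.1.25", "tcp", 40000, 25, SYN),
        "snmp":      Packet("outside", "198.51.100.7", "10.1.1.25", "udp", 40001, 161),
        "smtp":      Packet("outside", "198.51.100.7", "10.1.1.25", "tcp", 40002, 25, SYN),
        "ack_probe": Packet("outside", "198.51.100.7", "10.5.5.5", "tcp", 40003, 445, ACK),
        "web_syn":   Packet("inside", "10.5.5.5", "203.0.113.9", "tcp", 50000, 443, SYN),
        "web_reply": Packet("outside", "203.0.113.9", "10.5.5.5", "tcp", 443, 50000, SYNACK),
    }
    return {name: tuple(f.decide(p) for f in filters) for name, p in packets.items()}
```

The instructive rows are "snmp", which the static filter lets through because it cannot see port 161, "ack_probe", which the extended list admits on the strength of an ACK bit the sender simply set, and "web_reply", which the static filter can only admit by opening every inside host to the Internet. That gap between the second and third class is the reason the slide rates stateful filters as more secure and also slower.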
21
ACLs everywhere is a tricky situation
  • Static ACLs on ports can be difficult to manage
    and maintain (at this time)
  • 802.1X-derived ACLs don't have sufficient context
    to work at the IP layer (yet)
  • Not every device has the capability
  • Not every policy-based security server has the
    ability

But this is a technology coming very soon to a
theatre near you! "Put the user on VLAN x and here's
what he has access to..."
22
You can put a firewall on a NIC
  • Technically, this is not making the network
    itself crunchy and more secure
  • Defense in Depth isn't too concerned with labels

[Figure: Policy Server pushing policy to the firewall on each NIC.]
Vendors: 3COM, Snap, OmniCluster, NetMaster,
Corrent
23
You can make a network which has deep defenses

[Figure: The Network]
24
Thank you. Questions, comments?