Title: Managing Network Security
Slide 1: Managing Network Security
- Assessment and policy
- Access control
- Encryption
Slide 2: Myths about Business Risks in the Information Age
- Security is only about protecting things
- We don't have any information anyone would want
- Security problems have never happened here
- Firewalls provide enough security
- Technology will solve the security problem
- The enemy is outside
- Our people won't tolerate tight security
- My PC is secure, so I'm secure
- The Internet can't be used for secure communications
Slide 3: Security Policy
- Defines what's important in your enterprise, how you are going to protect it, who's responsible for it and what happens when the inevitable attacker comes knocking.
- Gives system and network administrators something to fall back on in a crisis, as well as guidance for the mundane but essential day-to-day decisions and actions.
- Provides approaches to problems that have been well thought out and tested over time. Though there is no magic in them, these policies bring an organization closer to understanding its computer and network business requirements and risks.
- Provides a framework for re-evaluation as requirements and risks change.
Slide 4: Ground rules of Security
1. Security and complexity are often inversely proportional.
2. Security and usability are often inversely proportional.
3. Good security now is better than perfect security never.
4. A false sense of security is worse than a true sense of insecurity.
5. Your security is only as strong as your weakest link.
6. It is best to concentrate on known, probable threats.
7. Security is an investment, not an expense.
Slide 5: Developing the security management plan
Slide 6: Risk assessment
- This phase encompasses asset identification and evaluation, postulation and analysis of threats, vulnerability assessment, appraisal of existing countermeasures, and cost/benefit analysis.
- Numerous factors are considered, including how information is used and managed, and how good and relevant existing security measures are. Assets (including information) as well as threats are classified. The goal is to treat the items identified as business requirements.
Slide 7: Risk assessment
- Questions
  - What are we trying to protect?
  - Which attacks are possible? Which are probable?
  - Where are we vulnerable?
  - What are we concerned about keeping? What are these items worth? How much would it cost to replace them?
  - How valuable would these items be to an attacker (possibly a competitor)?
  - How much would it cost an attacker to attack us?
  - How much would it cost to counter?
  - What security measures are in place? Are they working?
Slide 8: Risk areas
- Personnel risk
  - Background checks
  - Segregation of duties
  - Terminated employees
- Physical access risk
- Disaster risk
  - Disaster recovery
  - Backup/hot sites
Slide 9: Risk areas (continued)
- Integrity risk: risks associated with the authorization, completeness and accuracy of transactions
  - User interface
  - Processing, error processing
  - Interfaces with other systems/databases
- Access risk: risks associated with inappropriate access to systems or data
  - Identification, authentication and non-repudiation
  - Firewalls and guards
- Availability risk
  - Infrastructure capability
  - Denial of service
Slide 10: Threats
- Disaster and breakdowns
- Access and disclosure
- Alteration or destruction
- Improper use
Slide 11: Business needs assessment
- The security planning team should include people involved in different aspects of IT from different areas of the enterprise.
- Once the team is created, the first step is an analysis of business requirements. What services are required for business, and how might those requirements be met securely? The hardest part is distinguishing wants from needs.
- The team, with all its members' viewpoints, determines the business needs for computer and network services.
- For every service, the team should ask repeatedly: "Is there a business requirement?"
Slide 12: Root Security Policy
- This high-level document provides the framework upon which all required information and sub-policies hang. The root policy's top-down approach makes it possible to adhere to the guidelines and produce meaningful and useful work.
- The root security policy addresses how an organization handles information, who may access it and how. It also specifies allowed and denied behavior, and it lists the controls that are in place.
Slide 13: Security Architecture Guidelines
- Specify countermeasures to the threats discovered in the risk assessment. This document dictates, for example, where to place firewalls, when to use encryption, where to place Web servers and how to allow communication with business partners and customers. It may identify particular products and give instructions on how to deploy and manage them. The security architecture guidelines specify the assurances that are in place, the auditing and the controls.
- This part requires expertise, which you may acquire through the services of an outside consultant or in-house through education, including Web-based resources, books, technical papers and conferences.
Slide 14: Incident Response Procedure
- Defines what is considered an "incident" in the first place, what happens when a security incident is discovered, what is done when the attacker calls, and who gets called and when.
- It's useful to test the procedure with an incident-response drill. Whom you call, and in what order, must be part of the procedure. Calling too many people too soon risks letting the cat out of the bag, or a crying-wolf scenario. Calling too few people, too late, risks lawsuits.
- Although this process does not require any particular technical expertise, it does require a lot of thought. Senior managers should carefully review this document after receiving a briefing based on the vulnerability assessment. The goal is to scare them, but not too much.
Slide 15: Acceptable Use Policies
- The root computer and network security policy will point to various acceptable use policies. The number and type of policies depend on the analysis of business requirements, the risk assessment and corporate culture. The acceptable use policies are meant for end users. They explain which actions are permitted and which are prohibited. So there may be acceptable use policies for computers, transfer of data, e-mail communications, notebook PCs and Web access.
Slide 16: System Administration Procedures
- With a proper understanding of the business requirements and the risks, and with the security architecture guide in place, your organization can develop platform-specific policies and related procedures. These often lead to lock-down guides that address organization-specific steps for hardening vendor-supplied systems. Lock-down guides are usually products of the system administration staff, with information gleaned from experience, books and reference guides. Also specified here is what software must and must not be in place, and how the systems are to be backed up and administered.
Slide 17: Do what's possible today?
- Address the known requirements and threats. This is one of the benefits of a root policy as a framework: it tells us what has to be done. Do what's possible today, tag residual risks and note tasks to be accomplished.
- Will you get perfect security?
  - No. Rather, you'll achieve timely, usable and sufficient security in the midst of an increasingly dangerous, but exciting, networked world.
Slide 18: Lucent Technologies
Slide 19: Corporate Computer and Network Security (CCANS) Organization
- The preparation and dissemination of computer and network security policy and requirements
- Providing security consultation
Slide 20: CCANS Organization (continued)
- The investigation of computer and network information security violations
- Monitoring for compliance with Lucent Business Assurance Instructions (LBAI)
- Conducting risk assessments
- Reviewing non-administrator and remote access configurations
- Approving all Data Connection Agreements
Slide 21: Network Security Focus On
- Developers
- Resource (Data, System and Application) Owners
- Corporate Sponsors
- Supervisors
- System Administrators
- End Users
Slide 22: System Administrators
- Ensuring that modification of executable programs, network configuration data, application file systems, network databases, etc. is authorized
- Reviewing audit logs daily for evidence of unauthorized activity and taking appropriate action
- Ensuring only authorized or licensed software is installed on their computers and servers
Slide 23: End Users
- Providing profile information, as required by the resource owner, for unique user identification
- Using company-approved, licensed software on their computers
Slide 24: End Users (continued)
- Reporting all actual, attempted and/or suspected misuse of computers
- Complying with the security policies and requirements identified in LBAI
- Reporting the loss of proprietary information or similarly sensitive information to CCANS
Slide 25: Access Corporate Networking - Direct Access
- Unique user IDs/passwords
  - One unique ID/password per person
  - No shared IDs
  - Disabled after 90 days of inactivity
  - Deleted after 120 days of inactivity
  - Password: minimum of 7 characters
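As an added example (not part of the original slides or of Lucent's own tooling), the account-lifecycle rules on this slide turned into a review script: it classifies each account from a directory export as active, to be disabled (90 days idle) or to be deleted (120 days idle), flags IDs that more than one person uses, and checks the 7-character minimum. The export format, the account and owner names, and the choice to measure a never-used account from its creation date are assumptions.

```python
from datetime import date

# Thresholds taken from the slide: disable at 90 idle days, delete at 120,
# passwords at least 7 characters.
DISABLE_AFTER_DAYS = 90
DELETE_AFTER_DAYS = 120
MIN_PASSWORD_LENGTH = 7


def days_idle(account, today):
    """Days since the account was last used, as of `today` (ISO date strings).

    An account that has never logged in is measured from its creation date
    (an assumption; the slide does not say how to treat such accounts).
    """
    reference = account["last_login"] or account["created"]
    return (date.fromisoformat(today) - date.fromisoformat(reference)).days


def classify_account(account, today):
    """Return 'active', 'disable' or 'delete' for one account."""
    idle = days_idle(account, today)
    if idle >= DELETE_AFTER_DAYS:   # 120 days or more: remove the account
        return "delete"
    if idle >= DISABLE_AFTER_DAYS:  # 90..119 days: lock it but keep it
        return "disable"
    return "active"


def password_meets_policy(password):
    """Length check only; the slide states no other complexity rule."""
    return len(password) >= MIN_PASSWORD_LENGTH


def review_accounts(accounts, today):
    """Group account names by required action; also list shared IDs.

    A shared ID (one login used by several people) violates the
    'no shared ID' rule regardless of how recently it was used.
    """
    report = {"active": [], "disable": [], "delete": [], "shared": []}
    for acct in accounts:
        report[classify_account(acct, today)].append(acct["user"])
        if len(acct["owners"]) > 1:
            report["shared"].append(acct["user"])
    return report


# Constructed sample: a hypothetical directory export reviewed on 2000-06-01.
TODAY = "2000-06-01"
SAMPLE_ACCOUNTS = [
    {"user": "jsmith", "owners": ["J. Smith"],
     "created": "1999-01-04", "last_login": "2000-05-30"},   # 2 days idle
    {"user": "rlee", "owners": ["R. Lee"],
     "created": "1999-01-04", "last_login": "2000-03-01"},   # 92 days idle
    {"user": "ops", "owners": ["A. Tan", "B. Wong"],
     "created": "1999-09-01", "last_login": "2000-01-15"},   # 138 days idle, shared
    {"user": "newhire", "owners": ["P. Chan"],
     "created": "2000-05-20", "last_login": None},           # never used, 12 days old
]

if __name__ == "__main__":
    for action, users in review_accounts(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{action:8s} {', '.join(users) or '-'}")
```

The boundaries are inclusive (day 90 disables, day 120 deletes), which is the reading a reviewer would want made explicit before the script is wired to a real directory.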
Slide 26: STOP (login banner)
This system is restricted solely to Lucent Technologies authorized users for legitimate business purposes only. The actual or attempted unauthorized access, use, or modification of this system is strictly prohibited by Lucent Technologies. Unauthorized users are subject to company disciplinary proceedings and/or criminal and civil penalties under state, federal, or other applicable domestic and foreign laws. The use of this system may be monitored and recorded for administrative and security reasons. Anyone accessing this system expressly consents to such monitoring and is advised that if monitoring reveals possible evidence of criminal activity, Lucent Technologies may provide the evidence of such activity to law enforcement officials. All users must comply with Lucent Technologies Corporate Instructions regarding the protection of Lucent Technologies information assets.
[I Agree]
Slide 27: Access Corporate Networking - Modem Pools
- No direct dial-up network connectivity to a server
- Dial-up access to the Lucent network must go via Lucent Remote Access (LRA)
- An ID, password and token PIN are required
Slide 28: Firewall Rules
- Based on the assumption that no external user can be trusted without strong authentication
- The firewall must deny all services that are not explicitly permitted
- The only services permitted through the firewall are those approved by CCANS
- The firewall must be able to generate audit logs
- Bell Labs firewall
Slide 29: Abbreviated Proprietary Markings for Screens
- Screen displays containing proprietary information must include the appropriate proprietary marking, for example:
  "Lucent Technologies Proprietary. Use pursuant to Company Instruction" or
  "Lucent Proprietary. Solely for authorized persons having a need to know"
Slide 30: Corporate E-mail
- Lucent personnel must not send or forward proprietary information to a non-Lucent e-mail account unless the message is encrypted
- E-mail group distribution lists must not include non-Lucent e-mail accounts
- NJ E-mail security room
Slide 31: Corporate Security Audits - log file
- Login attempts (successful and unsuccessful)
- Logoff
- Attempts to access files/resources outside the user's privilege level
Slide 32: Corporate Security Audits - log file (continued)
- Attempts to access any files/resources that the owner has identified as warranting logging
- Operating system configuration changes
- Operating system program changes
- All changes to system security, including adding users
- Failures of computers, programs, communications and operations
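As an added example (not from the slides or from Lucent), the log events of slides 31 and 32 turned into detection logic: a parser for a constructed, hypothetical audit-log format and four rules run over sample lines, flagging a burst of failed logins (the repeated-guess password attack described later in the deck), an access attempt outside a user's privilege level, a read of an owner-flagged sensitive path, and a user addition made by a non-administrator. The log format, host and user names, administrator list and watched paths are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Hypothetical log format (constructed for this example):
#   <date> <time> <host> <EVENT> user=<name> [key=value ...]
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<event>[A-Z_]+) user=(?P<user>\S+)(?: (?P<rest>.*))?$"
)

ADMINS = {"root", "sysadm"}                               # may add users / change config
WATCHED_PATHS = ("/data/payroll/", "/data/proprietary/")  # owner-flagged: log every access
FAIL_THRESHOLD = 5                                        # failed logins per user ...
FAIL_WINDOW = timedelta(minutes=10)                       # ... within this window


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    fields = {}
    for kv in (rec.pop("rest") or "").split():
        key, _, value = kv.partition("=")
        fields[key] = value
    rec["fields"] = fields
    return rec


def analyze(lines):
    """Run the detection rules over log lines; return (rule, user, detail) alerts."""
    alerts = []
    recent_failures = {}  # user -> timestamps of failures still inside the window
    for rec in filter(None, map(parse_line, lines)):
        event, user, ts, f = rec["event"], rec["user"], rec["ts"], rec["fields"]
        if event == "LOGIN_FAIL":
            window = [t for t in recent_failures.get(user, []) if ts - t <= FAIL_WINDOW]
            window.append(ts)
            recent_failures[user] = window
            if len(window) == FAIL_THRESHOLD:   # fire once, on the Nth failure
                alerts.append(("password_attack", user,
                               f"{FAIL_THRESHOLD} failures from {f.get('src', '?')}"))
        elif event == "ACCESS_DENIED":          # outside the user's privilege level
            alerts.append(("privilege_violation", user, f.get("path", "")))
        elif event == "FILE_READ" and f.get("path", "").startswith(WATCHED_PATHS):
            alerts.append(("sensitive_access", user, f["path"]))
        elif event in ("USER_ADD", "CONFIG_CHANGE") and user not in ADMINS:
            alerts.append(("unauthorized_change", user, f.get("target") or f.get("path", "")))
    return alerts


# Constructed sample log: one brute-force burst, one privilege violation,
# one sensitive read, one user added by a non-administrator, one garbage line.
SAMPLE_LOG = """\
2000-06-01 08:00:01 srv1 LOGIN_OK user=jsmith src=135.1.1.10
2000-06-01 08:01:10 srv1 LOGIN_FAIL user=root src=10.9.9.9
2000-06-01 08:01:12 srv1 LOGIN_FAIL user=root src=10.9.9.9
2000-06-01 08:01:14 srv1 LOGIN_FAIL user=root src=10.9.9.9
2000-06-01 08:01:16 srv1 LOGIN_FAIL user=root src=10.9.9.9
2000-06-01 08:01:18 srv1 LOGIN_FAIL user=root src=10.9.9.9
2000-06-01 08:01:20 srv1 LOGIN_FAIL user=root src=10.9.9.9
2000-06-01 08:05:00 srv1 ACCESS_DENIED user=jsmith path=/etc/shadow
2000-06-01 08:06:00 srv1 FILE_READ user=jsmith path=/data/payroll/q2.xls
2000-06-01 08:07:00 srv1 USER_ADD user=jsmith target=backdoor
2000-06-01 08:08:00 srv1 USER_ADD user=sysadm target=newhire
2000-06-01 08:09:00 srv1 LOGOUT user=jsmith
this line is not in the expected format
"""

if __name__ == "__main__":
    for rule, user, detail in analyze(SAMPLE_LOG.splitlines()):
        print(f"ALERT {rule:20s} user={user:8s} {detail}")
```

The failed-login rule alerts exactly once when the threshold is reached rather than on every subsequent failure, which keeps a long brute-force run from flooding the reviewer; the sixth failure in the sample produces no second alert.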
Slide 33: Firewall
- Protect confidential information.
- Maintain internal network system integrity.
(diagram: Firewall)
Slide 35: Major Threats
- Network Packet Sniffers
- IP Spoofing
- Password Attacks
- Distribution of Sensitive Information
- Man-in-the-Middle Attacks
Slide 36: Network Packet Sniffers
- A software application that uses a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN.
- Can provide meaningful and sensitive information (cleartext passwords, for example) to whoever runs it.
Slide 37: IP Spoofing
- Occurs when an attacker outside your network pretends to be a trusted computer.
- The attacker uses a source IP address that falls within your network's address range, or an external address that you trust.
Slide 38: Password Attacks
- Usually refers to repeated attempts to identify a user account and/or password.
- Often the attack is performed using a program that runs across the network and attempts to log into a shared resource, such as a server.
Slide 39: Distribution of Sensitive Information
- An internal user can easily place sensitive information on an external computer or share a drive on the network with other users.
- A disgruntled present or former employee can distribute sensitive information to competitors.
Slide 40: Man-in-the-Middle Attacks
- This attack requires that the attacker has access to the network packets passing between the two parties.
- Possible uses: theft of information, denial of service, corruption of transmitted data, etc.
Slide 41: Types of Firewalls
- IP Firewalls
- Application Firewalls
- Stateful Inspection Firewalls
Slide 42: IP Firewalls
- Work at the Internet (IP) layer by examining the source and destination address of each incoming IP packet.
- Cannot prevent IP spoofing, since they trust whatever source address is written in the packet.
Slide 44: Application Firewalls
- Take the behavior of the application into account.
- Also called proxy firewalls.
- Input is not sent directly to the receiver: the client's connection terminates at the proxy (on its own port), which opens a separate connection to the real server, so there is no straight path between the two networks.
Slide 46: Stateful Inspection Firewalls
- Problem with proxy servers: formal proxy rules can be established for only some applications.
- Observe a series of transactions and keep track of connection state.
- Do not need a distinct proxy to be created for each application.
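The following is an added example, not code from the slides or from any product mentioned in this deck: a small Python model of the firewall rules of slide 28 together with the IP-filter and stateful-inspection slides. It applies a "deny everything not explicitly permitted" rule list, drops packets that arrive on the external interface claiming an internal source address (the ingress check that a plain address-based IP filter lacks, which is why such a filter cannot stop spoofing on its own), admits inbound packets without an inbound rule only when they answer a connection the inside opened (the stateful part), and writes an audit entry for every verdict. The interface names, the 10.0.0.0/8 internal range, the rule set and the traffic are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# A packet as the firewall sees it. iface is "ext" (Internet side) or "int".
Packet = namedtuple("Packet", "iface src sport dst dport proto")

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range

# Explicit allow list: (direction, proto, destination port). Anything not
# listed is denied, which is the slide's "deny all not explicitly permitted".
ALLOW_RULES = {
    ("out", "tcp", 80), ("out", "tcp", 443), ("out", "udp", 53),
    ("in", "tcp", 25),   # inbound mail to the bastion relay only
}


def direction(pkt):
    return "in" if pkt.iface == "ext" else "out"


def stateless_ip_filter(pkt):
    """Address/port-only filter. It has no way to tell that a 10.x source
    address arriving from the Internet is forged, so it trusts it."""
    return "ACCEPT" if (direction(pkt), pkt.proto, pkt.dport) in ALLOW_RULES else "DROP"


class StatefulFirewall:
    """Default deny, anti-spoofing on the external interface, and a connection
    table so replies to outbound flows are admitted without an inbound rule."""

    def __init__(self):
        self.connections = set()   # (src, sport, dst, dport, proto) of outbound flows
        self.audit_log = []        # one entry per verdict, as slide 28 requires

    def _decide(self, pkt):
        d = direction(pkt)
        if d == "in" and ipaddress.ip_address(pkt.src) in INTERNAL_NET:
            return "DROP", "internal source address on external interface (spoofed)"
        reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if d == "in" and reply_key in self.connections:
            return "ACCEPT", "reply to established outbound connection"
        if (d, pkt.proto, pkt.dport) in ALLOW_RULES:
            if d == "out":
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "ACCEPT", f"explicit allow {d}/{pkt.proto}/{pkt.dport}"
        return "DROP", "default deny"

    def filter(self, pkt):
        verdict, reason = self._decide(pkt)
        self.audit_log.append(f"{verdict} {pkt.iface} {pkt.src}:{pkt.sport} -> "
                              f"{pkt.dst}:{pkt.dport}/{pkt.proto} ({reason})")
        return verdict


# Constructed traffic, in order. Comments give the expected verdicts.
SCENARIO = [
    Packet("int", "10.0.0.5", 40000, "203.0.113.7", 80, "tcp"),     # outbound web: ACCEPT
    Packet("ext", "203.0.113.7", 80, "10.0.0.5", 40000, "tcp"),     # its reply: ACCEPT (state)
    Packet("ext", "198.51.100.9", 80, "10.0.0.5", 40000, "tcp"),    # unsolicited: DROP
    Packet("ext", "10.0.0.1", 5555, "10.0.1.2", 25, "tcp"),         # spoofed 10.x source: DROP
    Packet("ext", "198.51.100.9", 5555, "10.0.1.2", 25, "tcp"),     # inbound mail: ACCEPT
    Packet("int", "10.0.0.5", 40001, "203.0.113.7", 23, "tcp"),     # outbound telnet: DROP
]


def run(packets=SCENARIO):
    """Push the scenario through a fresh firewall and return the verdicts."""
    fw = StatefulFirewall()
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    fw = StatefulFirewall()
    for p in SCENARIO:
        fw.filter(p)
    print("\n".join(fw.audit_log))
```

The spoofed packet in the scenario is the point of contrast: `stateless_ip_filter` accepts it because inbound tcp/25 is on the allow list, while the stateful firewall rejects it before consulting the rules at all. A real packet filter would also age connection entries out of the table; that is omitted here.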
Slide 47: Case Study
Slide 48: Background Information
- Company: TicketExpress
- Location: Malaysia
- Product/Service: Intranet and e-commerce solutions
- TicketExpress is the official Commonwealth Games Ticketing Office.
- Goal: to change the way that the world buys tickets
Slide 49: Challenges
- Primary challenge: developing a secure and convenient method for people across the world to purchase tickets to the Commonwealth Games
- TicketExpress developed a partnership with Hypermedia Communications and, together, they used a WatchGuard Security System to address their problem.
Slide 50: Network Architecture
- Software was written in C and run on a UNIX operating system
- Software was a multi-operator system that tracks multiple events, producers, and venues
- The UNIX operating system, along with a database made by TicketExpress, helped to speed information retrieval
Slide 51: Network Architecture (2)
- Security is of extreme importance in this case because of the link that is established between all pertinent information about the patron and the activity.
Slide 52: The WatchGuard Firewall System
- Slogan: "You can't afford to work without it. Network security at an affordable price."
- Developed by Seattle Software Labs in response to the growing need for secure networking
- WatchGuard system components
  - WatchGuard Firebox: network security appliance featuring a Pentium processor
  - WatchGuard Security Management System (SMS): software that runs on Windows NT, Windows 95, and Linux
Slide 53: Advantages of the WatchGuard System
- Meets current network protection requirements
- Fits well with normal network management procedures
- Easy installation and configuration
- Automatic warning of security-related events occurring at the firewall
Slide 54: Philosophy of WatchGuard
- WatchGuard is built on two premises
  - The external user is denied an inbound connection unless it has authorization for a specific activity
  - An ability to enforce security even if the network fails (i.e., it shuts off access to its network if it thinks that its software has been tampered with)
Slide 55: The Firebox
- A hardware firewall platform
- Runs transparent proxies and a dynamic stateful packet filter
- Does not allow user log-ins and only supports encrypted connections to the Firebox
- Resides between the router and the local trusted network
- Provides an interface for an optional bastion network for FTP, WWW, etc.
Slide 56: Firebox Features
- Real-time firewall operating system
- Streamlined firewall engine
- Camouflages internal addresses
- Tamper-proof operations
- Inspects and blocks unwanted traffic
- Rackmount option available
- Utilizes Secure Sockets Layer (SSL) encryption, which the vendor describes as the highest level of security available on the Internet
Slide 57: Solution for TicketExpress
- Of primary importance is the customer's feeling of security
- WatchGuard assisted Hypermedia Communications in installing and running the system
Slide 58: Results
- Creation of a secure website to allow patrons to see details of the different tickets available.
- Ability to purchase tickets easily and safely from anywhere in the world, thanks to the Firebox.
Slide 59: Encryption
- Used when
  - Data can be intercepted, read or modified illegally
- Function
  - Encodes data so that an interceptor cannot read it; combined with a digital signature or other integrity check, it also lets the receiver detect tampering.
Slide 60: Process of Encryption
- Cipher: a set of rules to transform the original information into the coded form.
- Both the sender and the receiver must know the cipher (and, in practice, the secret key that parameterizes it).
- Example
  - Shift every character in a message by the same fixed number of positions; the shift amount is the key.
Slide 61: Encryption Components
- Algorithm
- Key
- Cryptographic algorithm
  - A mathematical function that combines plain text or other intelligible information with a string of digits, called a key, to produce cipher text.
Slide 62: Key
- The number of possible keys for an algorithm depends on the number of bits in the key (256 possible combinations for an 8-bit key; 2^n in general).
- The greater the number of possible keys, the more difficult it is to crack an encrypted message by trying them all.
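An added example (not from the slides) that carries the shift-cipher example of slide 60 and the key-space point of this slide through in code: the cipher adds the same key to every byte, an 8-bit key gives exactly 256 possibilities, and a brute-force loop that scores each candidate plaintext recovers the key within 256 trials. The message, the key and the letter-counting plausibility score are constructed for the demonstration.

```python
# Shift ("add a number to every character") cipher over bytes, with an 8-bit key.
KEY_BITS = 8
KEY_SPACE = 2 ** KEY_BITS   # 256 keys, as on the slide


def shift_encrypt(plaintext: bytes, key: int) -> bytes:
    """Add the key to every byte, wrapping at 256."""
    return bytes((b + key) % 256 for b in plaintext)


def shift_decrypt(ciphertext: bytes, key: int) -> bytes:
    """Subtract the key from every byte; inverse of shift_encrypt."""
    return bytes((b - key) % 256 for b in ciphertext)


def plausibility(candidate: bytes) -> int:
    """Crude plaintext recogniser: count lowercase letters and spaces.
    Enough to single out the right key for short English text (assumption)."""
    return sum(1 for b in candidate if b == 0x20 or 0x61 <= b <= 0x7A)


def brute_force(ciphertext: bytes):
    """Try every key in the space; return (key, plaintext, keys_tried)
    for the best-scoring candidate. Cost grows with KEY_SPACE, i.e. 2^bits."""
    best_score, best_key, best_pt = -1, None, None
    tried = 0
    for key in range(KEY_SPACE):
        tried += 1
        pt = shift_decrypt(ciphertext, key)
        score = plausibility(pt)
        if score > best_score:
            best_score, best_key, best_pt = score, key, pt
    return best_key, best_pt, tried


# Constructed message and key for the demonstration.
SECRET_KEY = 173
MESSAGE = b"meet at the loading dock at nine"

if __name__ == "__main__":
    ct = shift_encrypt(MESSAGE, SECRET_KEY)
    key, pt, tried = brute_force(ct)
    print(f"recovered key {key} after {tried} of {KEY_SPACE} trials: {pt!r}")
```

Doubling the key length would double `KEY_SPACE` for each added bit, which is the whole content of the slide's "more keys, harder to crack" claim; for a shift cipher the key can never exceed 8 bits, which is why it is a teaching example and not a cipher.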
Slide 63: Types of Encryption
- Symmetric encryption
  - Both sender and receiver possess the same key to encrypt and decrypt a message.
- Asymmetric encryption
  - Public key
Slide 64: Public Key
- Based on the concept of a key pair.
  - One public key (associated with the owner; may be freely distributed)
  - One private key (known only to the designated owner)
- Messages encoded with either key can be decoded only with the other: encrypt with the recipient's public key for confidentiality, or encode with your own private key to produce a signature that anyone holding the public key can verify.
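The key-pair relationship on this slide, as an added example rather than anything from the original deck: textbook RSA on tiny primes in Python, which makes "encoded with either key, decoded with the other" concrete in both directions, encrypting with the public key and decrypting with the private one, then signing a digest with the private key and verifying with the public one. The primes 61 and 53, the per-byte encryption and the toy digest function are assumptions chosen for readability; real deployments use large keys, padding and a proper hash.

```python
# Textbook RSA with tiny primes, to show the key-pair relationship on the slide.
# NOT for real use: keys this small are factored instantly, and real RSA needs
# padding (OAEP/PSS) and is used to wrap a symmetric key, not to encrypt each byte.

def generate_keypair(p: int, q: int, e: int = 17):
    """Return ((e, n), (d, n)) for distinct primes p, q (assumed prime here)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse: e*d == 1 (mod phi); Python 3.8+
    return (e, n), (d, n)


def apply_key(values, key):
    """Raise every value to the key's exponent mod n. The same operation serves
    both directions: what one key of the pair does, the other undoes."""
    exponent, n = key
    return [pow(v, exponent, n) for v in values]


def encrypt(plaintext: bytes, public_key):
    # One RSA operation per byte (each byte < n). Fine for a demo, leaky in practice.
    return apply_key(list(plaintext), public_key)


def decrypt(cipher_ints, private_key) -> bytes:
    return bytes(apply_key(cipher_ints, private_key))


def toy_digest(data: bytes, n: int) -> int:
    """Stand-in for a real hash function (assumption for the demo): a
    position-weighted byte sum reduced mod n so it fits in one RSA block."""
    return sum((i + 1) * b for i, b in enumerate(data)) % n


def sign(data: bytes, private_key) -> int:
    """Signature = digest encoded with the PRIVATE key."""
    return apply_key([toy_digest(data, private_key[1])], private_key)[0]


def verify(data: bytes, signature: int, public_key) -> bool:
    """Anyone holding the PUBLIC key decodes the signature and compares digests."""
    return apply_key([signature], public_key)[0] == toy_digest(data, public_key[1])


if __name__ == "__main__":
    public, private = generate_keypair(61, 53)       # n = 3233, the usual textbook pair
    ct = encrypt(b"ticket 42", public)
    print("public", public, "private", private)
    print("ciphertext", ct)
    print("decrypted", decrypt(ct, private))
    sig = sign(b"order #1", private)
    print("signature", sig, "verifies:", verify(b"order #1", sig, public),
          "tampered verifies:", verify(b"order #2", sig, public))
```

Note what the two directions buy you: anyone can encrypt to the owner but only the owner can read, and only the owner can sign but anyone can check. The signature half is what the digital certificates on the next slides are built from, with the Certification Authority's private key doing the signing.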
Slide 65: Public Key (diagram)
Slide 66: Digital Certificates
- Public keys are distributed by a Certification Authority, which issues a digital certificate binding the public key to its owner's identity; checking the CA's signature on the certificate is what gives the relying party assurance of who holds the matching private key.
- Examples: VeriSign, CyberTrust, Nortel, USPS
Slide 67
- Level of knowledge necessary
- Resources
Slide 69: Curriculum for Systems Administrators; Curriculum for Managers
Slide 71: Resources
- Government
- Advisors
- WWW, documents, FAQs, etc.
Slide 72: Government Impact
- Role of government agencies
  - Set standards for the design, implementation, and certification of security technologies
  - Control the export of security technologies to companies' international locations
Slide 73: Government Agencies
- The Computer Security Resource Clearinghouse (CSRC)
  - Raises awareness among all computer system users about computer security
- The Computer Security Technology Center (CSTC)
  - Operational incident response
  - Advanced security projects
  - Secure systems services
Slide 74: Government Agencies (continued)
- Awareness of National Security Issues and Response (ANSIR)
  - Provides unclassified warning information on national security issues
- National Institute of Standards and Technology (NIST)
  - Issues publications that deal with computer security standards and guidelines
Slide 75: Government Agencies (continued)
- National Computer Security Center (NCSC)
  - Provides guidelines designed to help industry develop trusted systems
  - Provides a security certification program, the Trusted Computer System Evaluation Criteria (TCSEC), commonly referred to as the Orange Book
- Computer Emergency Response Team (CERT)
  - Started by the U.S. Department of Defense
  - Originally worked as an incident response center
  - Coordinates large-scale incidents, provides training and researches causes
  - PGP public key (for verifying CERT advisories and encrypting reports to CERT): http://www.cert.org/pgp/cert_pgp_key.asc
Slide 76: Advisors
- Independent groups
  - Forum of Incident Response and Security Teams (FIRST)
  - CIAC Security Bulletins
- From vendors
  - Linux Security Alert
  - Microsoft Security Advisor
  - OpenBSD