Network Security

1
Network Security

• Protecting the pipeline.
• Presented by Marc Vael

15 May 1998 ISACA
2
Table of contents

• Introduction
• Network security challenges
• Network security solutions
• Network audit considerations
• Future of network security
• Conclusions

3
Table of contents

• Introduction
• New security threats
• Network security challenges
• Network security solutions
• Network audit considerations
• Future of network security
• Conclusions

4
Introduction

• Purpose
• Identifying major risks and challenges relating
  to security in networked systems.
• Introduce techniques which can help make networks
  more secure

5
Introduction

• Current Top 10 IT trends helping executing
  organisational mission
• Electronic Commerce Internet
• Groupware, Intranet Knowledge Mgt
• Business Intelligence Data warehousing
• Network computing
• Object Orientation
• IT asset management
• IT security management
• ERP Packages boom
• Telecommunication deregulations
• Outsourcing evolution

6
Introduction

• Current Telecommunication Trends
• Internet (I2, NGI)
• Decentralization of telecom hardware
• Centralization of telecom management
• Proliferation of network services
• Wide Area Networking
• Information Dependencies
• Third-Party Connectivity
• Socialization

7
Introduction

• Main management concerns
• Investment in Technology
• Information Accessibility
• Visibility
• Susceptible to Targeting
• Strategic Business Component
• Technology Dynamics

8
Introduction

• Main management concerns Investment in
  Technology
• Typical IT Expenditures Include
• Hardware
• Software
• Network
• Personnel

9
Introduction

• Main management concerns Information
  Accessibility
• Proprietary Data
• Customer Information
• Trade Secrets
• Sales, Pricing, Billings, Vendors, etc.
• Security Parameters
• RD Projects
• Network Configurations and Addresses
• Electronic Trading Partner Information

10
Introduction

• Main management concerns Visibility
• Failure of Systems May Cause External Impact
• Financial Loss
• Information Compromise
• Depletion of Market Share
• Regulatory Sanction

11
Introduction

• Main management concerns Susceptible to
  Targeting
• Information Vandalism, Compromise, Alteration
• Worms
• Viruses
• Sniffers
• Spoofing

12
Introduction

• Main management concerns Strategic Business
  Component
• Achieve Business Objectives
• Maintain Competitive Advantage
• New Products and Services
• Business Partnerships

13
Introduction

• Main management concerns Technology Dynamics
• Effective Support of User Needs
• Technology Changes
• User Requirement Changes

14
Introduction

• Main Network Objectives
• Message received as sent
• Delivery on time
• Message protected as needed

15
Table of contents

• Introduction
• New security threats
• Network security challenges
• Network security solutions
• Network audit considerations
• Future of network security
• Conclusions

16
New security threats

• What is wrong with Security in companies?

• Users do not change passwords frequently enough
• User access to information is too broad
• Inconsistent application of security rules for
  new users
• Passwords are easily guessed
• User identifications are inactive

90 40 35 20 15
Based on Intrusion Detection
17
New security threats

• Major Security Problems?
• Viruses 75
• In-advertant errors 70
• Non-disaster downtime 60
• Malicious acts by employees 40
• Natural disasters 30
• External malicious acts 20
• Industrial espionage 10

Based on Information Week
18
Network Security Challenges

• Due to C/S computing and focus on system
  security, security policies need to be extended
  beyond traditional computer access. PC security
  has become as important as network equipment.
• Network security tools and strategies do not
  eliminate the security management tasks and
  awareness / training programs.
• Damage control procedures in case of security
  breaches
• Change management control

19
Network Security Challenges

• No organisation is an island Third parties
  have access to business systems
• business partners
• vendors
• consultants
• customers
• off-site employees
• Information and knowledge on networks has become
  more and more valuable.

20
Network Security Challenges

• Networks are designed to maximize ease of
  connection and should be considered as completely
  open
• Due to the Internet (boom since 1992), specific
  business services have been and are still created
  / used every day
• E-mail is used by almost all companies
• More and more services of companies are
  outsourced. Also network management can be
  outsourced.

21
Network Security Challenges

• Location of insecurity
• 90 within the organization - unconscious
  / unknown - known (misusage, fraud)
• 10 outside the organization
• (mostly disgruntled or ex-employees)
• - eavesdropping and burglary - copying
  and theft of data - viruses and backdoors
• - modification and destruction

22
Network Security Challenges
Access paths
PREVIOUS
PRESENT
Access here!
Access here!
Network
Application System Software Access
Access here!
Access here!
Access here!
23
Network Security Challenges
Eavesdropping and/or manipulating of data during
the communication
Interception
Message sent
Message received
Transfer 10.000 to the account of Robert Y.
24
Network Security Challenges
Denial of service
When someone decides to make your environment
useless by - attacks - disrupting - crashing -
jamming - flooding Due to distributed nature of
the network gt very hard to prevent upstream
disruption of your network OR of the network your
network connects to. Solution Business
Continuity Planning
25
Network Security Challenges

• Major Network Security Problems
• Physical damage
• Unauthorized disclosure of confidential,
  proprietary or other sensitive information
• Fraud, account and access laundering.
• Computer viruses
• Repudiation of electronic transactions
• Loss of audit trails
• Storage and exchange of illegal material.
• Companies prefer to hide security failures
• Public embarrassment.

26
Network Security Challenges

• Operations risks
• Implementation costs
• Network may not meet expectations
• Unauthorized processing / access
• Excessive reliance on external parties
• Information compromise
• Service degradation

27
Network risks Risks due to external connectivity

• External users in-bound
• Masquerading (spoofing)
• Browsing (sniffing)
• Unauthorized Access
• Compromise
• Alteration
• Internal users out-bound
• Incidental Access
• Possible liability (to business partners)
• Unauthorized transactions

28
Network risks Risks due to external connectivity

• File Transfer
• Lost Data
• Mis-sent Data
• Viruses or Worms
• Non-Business Use
• Forged Mail

29
New security threats

• Major Security Trends?
• Comprehensive corporate security strategy
  including central security administration,
  records management, external access controls,
  information security awareness and personnel
  security agreements
• Business Continuity Planning
• Internet including monitoring of activities
• Strong PC controls including secure access,
  message authentication codes, single sign-on
  (SSO) software and PC hardware security devices
• Client/Server computing including monitoring of
  networks (LAN, MAN, WAN)
• IT Incident response strategy

30
Table of contents

• Introduction
• New security threats
• Network security challenges
• Network security solutions
• Network audit considerations
• Future of network security
• Conclusions

31
Main business security commandments

• Classify all security goals according to business
  risks
• Prevent damage or loss of business assets
• Plan security in all projects from the start
• Consider all factors (data/information/knowledge,
  people, hardware, software, facilities)
• Economic efficiency of security (TCO)
• Overall widespread measures
• Reduction of external dependency
• Synchronization of technical, organisational and
  personnel measures
• Training of users in security awareness and
  measures
• Anticipate evolution in IT environment

32
Network Security
A Structured Approach...
UNDERSTAND THE NETWORK SECURITY
ASSESS NETWORK RISK MANAGEMENT CONTROLS
DETERMINE RESIDUAL RISK
33
Network Security Elements
MAIN NETWORK RISK OBJECTIVES

• Integrity (accuracy and authenticity)
• Goal safeguard critical data from deliberate or
  accidental unauthorized modification or deletion
• risk associated with the authorization,
  completeness and accuracy of transactions as they
  are entered into, processed by, summarized by and
  reported on by the various application systems
  deployed by an organization.
• Solid identification between each party
• Non-repudiationundeniable determination to prove
  the origin or delivery of a message / data

34
Network Security Elements
MAIN NETWORK RISK OBJECTIVES

• Confidentiality / Access
• Goal shield personal and valuable data from
  deliberate or accidental unauthorized disclosure.
• risk that access to information will be
  inappropriately granted or refused. Inappropriate
  people may be able to access confidential
  information.
• Network access
• Application system access
• Functional access
• Processing environment access

35
Network Security Elements
MAIN NETWORK RISK OBJECTIVES

• Availability
• Goal prevent denial of service and unauthorized
  withholding to the IT system and data to bona
  fide users
• risk that information will not be available when
  needed
• Relevance
• risk that information is not relevant to the
  purpose for which it is collected, maintained or
  distributed.

36
Network Security Elements
MAIN NETWORK RISK OBJECTIVES

• Infrastructure
• risk that the organization does not have an
  effective IT infrastructure to effectively
  support the current and future needs of the
  business in an efficient, cost-effective and
  well-controlled fashion.
• Organizational planning
• Application system definition, deployment and
  change management
• Physical security
• Computer and network operations

37
Network Security Elements
MAIN CONTROL OBJECTIVES

• Protect our Turf protect the company, its
  information/knowledge and its reputation from
  inappropriate resource usage, security
  vulnerabilities/risks and legal liability
• Ensure that employees use the network efficiently
  and effectively to perform their tasks.

38
Network security strategy

• 1. Awareness and estimation of all the network
  risks
• 2. Development of a Network Security Policy

39
Network Security strategy
NETWORK SECURITY ELEMENTS
NetworkSecurity Policy Procedures
Network Security Detection
Network Security Implementation
Network Security
Network Incident Response
Network Security Education Change
40
Network security strategy

• Corporate security policy
• High level security blueprint with a clear
  business orientation on how the organization
  uses, enforces and manages security (services and
  mechanisms)
• Security types
• paranoid no external connections, everything is
  forbidden
• prudent everything is forbidden except what
  explicitly is allowed
• permissive allow everything except what
  explicitly is forbidden
• promiscuous everything is allowed

41
Network security strategy

• Network security management administration
• Network Organization
• Network Capacity Planning
• network budget
• network personnel
• network technology
• Network Security Administration
• Ethics of Computer Security
• Information classification
• Employee / Consultant disclosure form
• Risk acceptance
• Planning implementation

42
Network Security Strategy elements
NETWORK SECURITY CHECKLIST

• POLICY PROCEDURES
• Develop and implement a comprehensive network
  security policy based on risk assessment
• business critical processes
• identification of real issues
• business continuity processes
• Policies are short, general and difficult to
  change
• Procedures are long, easy to change and product
  related

43
Network security strategy

• Network security implementation
• network processes and devices to become secure
  including
• identification
• authentification
• encryption
• firewalls
• host based security
• outsourcing of security services
• network security audits
• network security policy and risk determination
• network implementation security monitoring
• network security forensics and recovery

44
Network Security Strategy elements
NETWORK SECURITY CHECKLIST

• IMPLEMENTATION
• Decide on budgets and responsibilities
• Inventory of existing security and gap analysis
• Plan and deploy specific security devices
• Test and ensure compliance with Network Security
  Policies and Procedures
• Security implementation verification by third
  party
• Develop checklists and detailed documentation
• Develop password or authentication system

45
Network security strategy

• Network security detection
• ability to see when intruders are hacking into
  the network (in real-time) via network scanning
  intrusion detection tools and techniques
• also used to test the strengths of
• OS and NOS
• servers and web servers
• network connections
• fixing vulnerabilities via patches, security
  products or turning off vulnerable processes

46
Network Security Strategy elements
NETWORK SECURITY CHECKLIST

• DETECTION
• Install real-time intrusion detection systems to
  alarm IT managers when attacks are started
• Establish counter attack and clean-up scenarios
• Testing and verification via penetration study
• Continuous monitoring and evaluation of (log)
  network information
• Update of network documentation

47
Network security strategy

• Network incident response
• cost reduction in the event of an incident or a
  successful attack
• most common prevention technique data backup
  to prevent data loss
• network incident security team emergency
  helpdesk action
• legal enforcement (law)
• external help for intrusion prevention
• communication strategy (internal external)

48
Network Security Strategy elements
NETWORK SECURITY CHECKLIST

• INCIDENT RESPONSE
• Back up systems regularly and store this data in
  a secure off-site location
• Establish the company reaction on intrusions or
  violations of security policy

49
Network security strategy

• Network security education and change
• feedback system for (network) security policy
  dynamic approach due to changes in
• technology
• business objectives
• IT structure
• attacker behaviour
• second best weapon trained personnel
• security awareness
• training on network security techniques
• regular updates on network security

50
Network Security Strategy elements
NETWORK SECURITY CHECKLIST

• EDUCATION CHANGE
• Evaluate weak points, threats and risks in
  network via security audits on a regular basis
• Upgrade security vulnerability areas in hosts,
  OS, applications, connected devices, programs,
  etc.
• Education of network security awareness
  expertise (on security techniques behavior) on
  a regular basis (just like any technology) for
• users
• IT systems network people
• IT management

51
Network Security Strategy elements
TYPICAL MISSING ELEMENTS

• Business Continuity Plans for Network
• Network Security Planning and Risk Management
• Internal traffic isolation
• Password protection for routers bridges
• Internal firewalls for data network segments
• Network management tools
• Network access logs and audit trails
• Network documentation (inventory,maps,etc.)
• Management support for security risk

52
Network Security Strategy elements
MAIN THINGS TO DO

• Sell network security internally
• Define the network security goals / plan
• Evaluate the current network security position
• Choose specific battles (added value)
• Project management of each battle

53
Network Security Elements

• PHYSICAL security PROCEDURAL
  securityTECHNICAL security

54
Network Security Elements Physical security

• Be cautious about the network connections
  shield the access to network server computers and
  applications
• Consider isolating sensitive systems (either
  partially or completely)

55
Network Security Elements Physical security

• Physical access to network equipment should be
  extremely limited
• front-ends and network servers
• wiring closets and patch panels
• encryption devices
• cabling
• PBX
• Access to network analysis tools should be
  carefully controlled
• Susceptibility of communications media being used
  to wiretapping should be considered
• For extremely sensitive networks eavesdropping
  risks using electronic emanations should be
  considered.

56
Network Security Elements Physical security

• Other vulnerable systems
• Modems
• Voice / PBX systems
• EFT / POS
• E-mail servers
• EDI servers
• Internet servers

57
Network Security Elements Access security
principles

• Something you know
• simplest, least expensive and weakest mean of
  user identification (passwords like PIN code,
  birth date)
• Something you own
• stronger mean of user identification any
  mechanism that must be in your possession to
  provide network access (smart card, ATM bank
  card, hard or soft token)
• Something you are
• mechanisms which rely on unique biological
  characteristics to provide network access
  (fingerprints, voice print or retinal scan)

58
Network Security Elements Procedural security

• Virus precautions
• - viruses are often introduced to the system
  accidentally and can spread rapidly to the high
  degree of interconnectivity in todays networks
• - Increasing movement towards open systems,
  Internet and common applications tends to make
  them more vulnerable to computer viruses

59
Network Security Elements Procedural security

• Most common virus types
• - macro virus VB applications to infect suite
  of products like Office 97
• - polymorphic virus changes when creating
  copies of itself. Clones are as functional or
  better
• than the original to defeat antivirus
  software (AVS).
• - stealth virus hide from system by keeping an
  eye on system resources and avoid detection
  by telling the system or AVS they dont exist
• - trojan horse program which pretends to be
  something it is not. Can create copies or
  reformat harddisk upon execution

60
Practical Virus Protection Measures
Network Security Elements Procedural security

• Educate users about virus risks and safe
  computing practices
• Use access control software to restrict access to
  the system and protect critical program data
  files
• Consider isolating critical systems as much as
  possible
• Use both virus scanners integrity shells to
  detect viruses before they can do significant
  damage
• Develop reasonable policies for downloading and
  testing media and software from outside sources
• Maintain proper backups of important program
  data files
• Develop a plan for isolating and eliminating
  viruses as soon as they are detected

61
Network Security Elements Procedural security

• Monitoring (controls on access and usage)
• Hardware controls monitor security on all host
  systems attached to the network
• Software controls carefully and continuously
  review new versions of Internet software,
  Operating Systems software
• Policy controls penalties for violations

62
Network Security Elements Technical security

• The technologies needed to provide the
  appropriate network protection and support
  critical processes.
• These include various security mechanisms, at
  various levels

• Network Infrastructure
• Access / Authentication
• Intrusion Detection
• Firewall
• Monitoring
• Dial Up
• Encryption

• End-User Computing
• Access
• Administration
• Monitoring

• Network Servers
• Data Access
• Firewall
• Monitoring
• Change Control

• Workstation
• Virus Control
• Physical Access
• Logical Access

• Network Applications
• Access
• Authorization
• Function Segregation
• Monitoring

• Network Database
• Access
• Fallback / Recovery
• Administration
• Monitoring

63
Network Security Elements Technical security

• Most important technical security features
• Encryption methods
• Message authentication codes (MACs)
• Digital (electronic) signatures
• Callback devices
• Firewalls
• Token devices
• Smart cards

64
Network Security Encryption techniques

• ENCRYPTION is the main protection technique
• UNENCRYPTED COMMUNICATION text on a postcard
• Encryption for user and data authentication
• Digital Signatures (eg. RSA)
• Trusted Third Party Certificates (eg. Kerberos,
  VeriSign, Belsign)
• Traditional problems connected with encryption
• Encryption and Key management uniform
  deployment, proprietary solutions, secure key
  exchange, certification process, key storage
• User transparancy complex manipulations in
  order to use encryption correctly
• National legislation issues from prohibited to
  allowed (especially when moving to Extranet usage)

65
Network Security Encryption techniques

• Private Key (Secret Key) the same key for
  encryption and decryption. Tends to be fast and
  is good for data encryption. However, the key
  management issues associated with private key can
  be significant.E.g. DES Data Encryption
  Standard (IBM) IDEA International Data
  Encryption Algorithm
• Public Key a publicly known key for encryption
  and a private key for decryption. The solution
  for secure distribution of the encryption key.
  Tends to be slow and is generally only useful for
  encrypting small amounts of data (such as
  passwords and PINs.) E.g. RSA Rivest, Shamir,
  Adleman PGP Pretty Good Privacy (Phil
  Zimmerman)

66
Network Security Private Key Encryption
User A
User B
Encrypted Message
Message
Message
Remark the secret key has to be known by the
sender and the recipient.
67
Network Security Public Key Encryption
User Bs Public Key
User Bs Private Key
User A
User B
Encrypted message
Message
Message
Remark high powered encryption techniques are
not everywhere legally allowed
68
Network Security Key management considerations

• Effective key management procedures are essential
  to an effective encryption scheme
• Often at least two sets of keys are used
• Terminal key
• remains the same over long time periods
• stored in Tamper Resistant Module (TRM) once it
  has been loaded into the terminal
• used to encrypt session key
• Session key
• changes each session

69
Network Security End-to-End (off-line)
encryption

• Using this method, the message is encrypted from
  point of origin to destination, but data link
  header is in clear text thus no protection
  against traffic analysis.
• Key management issues can be significant since it
  requires encoding decoding devices to be in
  synch, particular if you talk to a number of
  systems each with a different key

70
Network Security Link (on-line) encryption

• Applied independently per network link, it is the
  responsibility of the network provider.
• Simple to implement but potentially expensive
  since encryption devices are required for each
  link.
• Message is encrypted and decrypted in each node
  in the path but data is unprotected in
  intermediate node

71
Network Security Message Authentication Codes
(MAC)
Attach to Message
Generate Cryptographic Checksum (MAC)
Secret Key
Message Data
MAC

• MACs are a tool which can help ensure data
  integrity.

72
Network Security Message Authentication Codes
(MAC)

• Purpose ensure that a message supposedly sent
  by A to B did in fact come from A and was not
  altered by anyone else before it reached B
• Usually authentication is accomplished by
  applying some computation to the message
  (checksum) which only A and B know about
• MAC are obtained by encrypting significant fields
  of a message using the DES algorithm and
  transmitting the result along with the message.
  Since the sender and receiver share a common key,
  the receiver can decipher the MAC and
  authenticate the message.

73
Network Security Digital signatures
User As Private Key
User As Public Key
User A
User B
Digital Signature
Confirmedmessage or data
Message or data

• Used for the certification of messages.

74
Network Security Callback devices

• Easy to implement and relatively inexpensive.
• Provides good protection for network dialup
  ports.
• Does not provide any protection for other types
  of network access.
• Tends to be inflexible and slow.
• Can be fooled by a determined hacker if not
  configured properly.
• Can include supplemental password controls as
  well.

75
Network Security Firewalls

• Firewall
• any one of several ways of protecting one network
  from another untrusted network.
• For example, protecting the network ofMarketing
  towards the network of RD
• BASIC PRINCIPLES
• Keep everything outside from getting in.
• Permit users inside to get outside when allowed
  to.

76
Network Security Firewalls

• Firewall examples
• Checkpoint Firewall-1
• Network-1 Firewall/Plus
• Raptor Eagle
• TIS Gauntlet
• Digital AltaVista Firewall
• Technologic Interceptor

77
Network Security Token devices

• Offer vast improvements over traditional
  password controls through intelligence.
• Enables passwords to be changed with each use.
• Can be used in connection with Secure Gateways.
• Can be fairly expensive because of the management
  implications (two or more parties involved)
  depending upon the number of users.
• E.g. Vasco

Enter PIN

C
M
1
2
3
-
R
4
5
6
E N T E R
7
8
9
0

78
Network Security Smart Cards

• Include an embedded microprocessor and memory.
• Can serve as secure storage for lengthy sequences
  of digits (such as private keys used to generate
  a digital signature for example).
• Can process logic designed to validate a users
  PIN, etc.
• Can provide similar functions to a token device ,
  but a smart card reader is needed.
• Again management issues.
• E.g. Utimaco.

Smart Key
1045 2300 5698 3470
Embedded Microprocessor
79
Network Security Elements Technical security

• HPG (Handheld Password Generators)
• Generate a unique password for each access
  attempt
• Similar to handheld calculator in size and
  appearance
• Generally require the user to supply some secret
  information (such as a PIN)
• Designed to self-destruct if tampered with
• Provide much more effective access control than a
  password alone
• Can be fairly expensive and inconvenient
  depending on the user population

80
Conclusions
MAIN NETWORK SECURITY STEPS

• Network security policy to ensure information and
  knowledge protection
• Security implementation and analysis on
  firewalls, encryption, passwords, SSO and other
  security technologies
• Security detection program
• Network security education and awareness program
  around risks and precautions
• Network incident response team
• handle network intrusions, viruses, security
  breaches
• trace attack patterns to close security holes