Implementing and Automating Critical Control 19: Secure Network Engineering for Next Generation Data Center Networks

1. Aron Warren, George Khalil, Michael Hoehl February 2012 Implementing and AutomatingCritical Control 19: Secure Network EngineeringforNext Generation Data Center Networks SANS Technology Institute - Candidate for Master of Science Degree

2. Objectives • Introduction • Secure Network Engineering • Challenges for Next Generation Networks • Functional Requirements • Key Risk Considerations • High-Level Design and Build Approach • N-Tier Application and Infrastructure Control Checklist • Lessons Learned SANS Technology Institute - Candidate for Master of Science Degree

3. Introduction • SANS 20 Critical Security Controls for Effective Cyber Defense • Security Control 19 “Secure Network Engineering” • Technical approaches to advance this control • Scope is for Web/Mobile App and 40GbE SANS Technology Institute - Candidate for Master of Science Degree

4. Secure Network Engineering • Document Gatheringis First Step • Understand Data Flows • Log Events and Correlate • Apply Least Privileged Principles • Divide and Secure • Establish Trust and Validate Data Integrity • Test and Validate Routinely SANS Technology Institute - Candidate for Master of Science Degree

5. Challenges for Next Generation Networks • 40GbE is still early in “hype” cycle for Enterprises • Throughput speed ≠ Wire speed • Uncertainty increases relative to speed • Limited forensic team experience with 40 GbE • Existing operations resource capacity SANS Technology Institute - Candidate for Master of Science Degree

6. Functional Requirements Virtual and Blade Servers Vulnerability and Threat Mgt Log Mgt Asset Mgt Access Mgt Performance Mgt Forensic Mgt Service Mgt Documentation Data Center Physical Controls Enclaves Firewalls and Security Apps Internet Access DNS Hardening Config and Change Mgt SANS Technology Institute - Candidate for Master of Science Degree

7. Key Risk Considerations • Mixing assets of different value • Integrating security and network controls • High event volume and Impact of false negatives • Understanding data flows and security policies • Performance impact of inspection • Protecting high authority access • Configuration errors and product defects SANS Technology Institute - Candidate for Master of Science Degree

8. High-level Design and Build Approach SANS Technology Institute - Candidate for Master of Science Degree

9. N-Tier ApplicationControl Checklist • Enclave for each app function • Dedicated Internet Access Firewall • Security Fabric • Separate Infrastructure Firewall • SSL Accelerator and Proxies • Tiered DNS • Virtualization and Blade Servers • Netflow • Network Address Translation • Network Monitoring Switch • Load Balancers SANS Technology Institute - Candidate for Master of Science Degree

10. InfrastructureControl Checklist • Enclave for each function • No direct Internet access • Infrastructure Firewall • Dedicated Enterprise Firewall • Customer Authentication • Admin Authentication • Jump Boxes • Network Access Control (NAC) • Business-to-Business (B2B) • VPN • System and Security Event Mgt SANS Technology Institute - Candidate for Master of Science Degree

11. Lessons Learned • Pitfalls • Poor Documentation • Too many ACLs and Flows • Netflow “meltdown” • 4 x10 Port Aggregation • Virtual Switch Overload • Poorly designed QoS • Forensic Teams Promising Solutions • Security Fabric • Firewall Policy Mgt • Virtual Switch Replacement • IEEE 802.1AE (MACsec) SANS Technology Institute - Candidate for Master of Science Degree

12. Benefits • Improved Security • Increased Design Credibility • Better Manageability • Lower Total Costs • Faster Response to Threats Ultimately, adopting these design recommendations will provide a solid foundation for safeguarding infrastructure and data at the highest speeds available today—and tomorrow. SANS Technology Institute - Candidate for Master of Science Degree