150 likes | 285 Vues
Erfolgreiche Auswahl von Intrusion Prevention Systemen - IPS. Dimension Data Germany AG & Co. KG Steffen Göpel – Solution Architect. Überblick. Networks today – Security anywhere
E N D
Erfolgreiche Auswahl von Intrusion Prevention Systemen- IPS Dimension Data Germany AG & Co. KG Steffen Göpel – Solution Architect
Überblick • Networks today – Security anywhere • Selection of an Intrusion Prevention System (IPS) device, as with any technology investment, is never a simple exercise. • IPS solutions are designed to be implemented inline as opposed to passive monitoring devices -> increases the criticality of selection • Industry research and analysis organisations have their own criteria for recommendations. • valuable insight into the industry and raise awareness of the solutions available, • few of these papers assist an enterprise with their own selection of a service • What are the key selection criteria? • What questions should I be asking of the vendor? • What aspects of the technology may impact my business?
Key objectives • As an integrator, we integrate more and more non-traditional network components • Our strategy is to specialise in each of these integration points Networking Solutions – Security everywhere OperatingEnvironment VoiceIntegration Networking Security Security Datacenter Solutions CustomerInteractiveSolutions Security Security Security
The issue we face • Threats are becoming more sophisticated. • Networks are becoming more complex and integrated. • Increasing diversity in devices connecting. • Newer technologies such as Wireless. • Security can no longer be considered a Boolean function. “Through 2008, enterprise insiders, working alone or in conspiracy with outsiders, will account for a majority of financial losses resulting from unauthorised use of computers and networks” – Gartner, July 2003.
Security needs a new Perimeter definition • Modern networks defy standard perimeter definition. • Security controls would be spread too thinly. • Previous notions of “Internal” and “External” no longer apply. • The nature of network communications, applications, protocols and devices is such that there is no easy way to contain it all.
Already Available • Control • Firewall, Desktop Firewall • Network Antivirus • IPS • Well established authentication mechanisms • x509 certificates • RADIUS • SecurID • Private networking • Network access : 802.1x, 802.11q VLANs • VPNs / IPSec • VRF • Readily available credential stores • Active Directory
What is our PLAN • Convergence of Networking and Security • Covering all infrastructure technologies • Apply efficiently all Security Means • It is NOW time to prepare for the new technologiesand improve our security posture. BUILD A MODEL
Identify Computer User System
Classify Apply CLASS from Corporate Directory Computer User System
Infrastructure Isolate ONE infrastructure Multiple Isolated Traffic Flows Apply CLASS from Corporate Directory Computer User System Applicable on all Connectivity Technology
Infrastructure Control ONE infrastructure Multiple Isolated Traffic Flows Targeted Controls to obtain Adapted Security Response Apply CLASS from Corporate Directory Computer User System Applicable on all Connectivity Technology
Identify • Identification is the keystone of any security implementation • The identification phase confirms the identity and credentials of the individual and their environment. Entity • Based on the identity of the entity we are able to apply the corporate security policy in a manner specific to that “class” of entity. • Each category or class may be likened to a trust level, each may require definite controls and or restrictions as appropriate to that level. Classify Isolation Class Infrastructure • The purpose of the isolation phase is to guarantee that the network traffic flows of each distinct isolation class or trust level remains separated from all other classes or levels Isolate Logical Separation Control The ASI Model • As a result of the previous stages, each isolation class is forced through the appropriate security controls, as defined by the corporate standards. • This positioning makes the adoption, placement and use of security controls a far simpler and cost effective task. Targeted Enforcement
Infrastructure Credentials Check IPS Host Certificate RADIUS 802.1X IP IP How does it work? (802.1x example) Authentication Successful Active Directory RADIUS Server Isolation Criteria Based on predefined classification Isolated Traffic Flows Client Traffic flow 802.1x Auth Request Host Certificate Host connects on switch port Client Host Network Access Switch Targeted Security Controls
IPS - Key Selection Criteria • Selection criteria, with respect to IPS solutions, are wide and varied, encompassing deep technical aspects, financial and administrative as well as managerial points. • Based on the concentration of industry information + Dimension Data’s own experience 4 base criteria are used by Dimension Data’s Professional Services departments to evaluate IPS solutions • Security Accuracy • Reliability / Stability • Performance • Usability • Typically a sufficiently detailed understanding of the individual business processes and requirements of a particular enterprise is lacking
Summary • Enforcement of Security policies in the Infrastructure • New Network Paradigm to secure End points • Risk Analysis and Security-Assessment as first step of a holistic Security Strategy • A Must : Holisitic Security instead of point solutions and support of the management of Security Architectures • Positioning of IPS based on • Security Accuracy • Reliability / Stability • Performance • Usability