Building and Managing Secure Networks
An exercise in security best practices and an examination of the recent Code Red outbreak
How to design secure networks
• Planning vs. Implementation
• Understanding user and access needs
• Building a security policy
• Executing a design based on the security policy
Agenda
• We will cover the two aspects of designing secure and manageable networks
  • Creating a Security Policy
  • Implementing the Security Design
The Security Policy
• Comprised of 3 components
  • Preparation
  • Prevention
  • Response
Preparation
• Create usage policies
  • What is the acceptable use by the users and the administrators
  • Prepare and publish usage guidelines and statements
  • Define how administration will be performed
Preparation
• Conduct a Risk Analysis
  • Identify the network resources and the attacks that are possible for each resource
  • Define levels of risk to network resources
    • Low Risk – Minimum impact, can’t be leveraged for greater access
    • Medium Risk – Moderate disruption to services, could have legal ramifications
    • High Risk – Major disruption of services, significant revenue loss
Preparation
• Conduct a Risk Analysis
  • Define the types of users
    • Administrators – Trusted users
    • Privileged Internal Users – Need greater access, for example help desk and technicians
    • Users – Standard users who generally need the same access to “normal” resources
    • Partners – External users that need access to resources via extranet, etc.
    • Others – Everyone else
Preparation
• Conduct a risk analysis
  • Assign risk levels to resources and users
  • Define the risk for each resource, then define the access each group of users requires
  • Grant only the access required, and only to the users who require it
Preparation
• Establish a Security Team Structure and define 3 areas of responsibility
  • Policy Development – The team needs to establish and review the security policies
  • Practice – Start practicing the policies that have been defined. Identify responsibilities
  • Response – Even the best networks get breached; the team needs to define how to react to a security threat
Prevention
• There are 2 main categories of prevention
  • Approving Security Changes
  • Monitoring Security of your network
Prevention
• Approving Security Changes
  • Implement a strict change control process
    • Review firewall changes
    • Review ACL changes
    • Review SNMP and RMON changes
    • Review software and hardware changes and updates
  • Implement password policies
    • Change them frequently
    • Use passwords that mix upper- and lower-case letters and other characters
Prevention
• Restrict device access to only those who need it
  • Don’t use the “Everyone” group – it’s lazy
  • Don’t use “community” passwords
• Audit your network
  • Don’t just create logs, *read* the logs on a routine basis
Prevention
• Monitoring Security of your Network
  • Create a monitoring policy for each device in the network
  • Define what needs to be monitored and how often. Low-risk devices might only need weekly monitoring; high-risk devices might need daily, hourly or even real-time monitoring
  • Implement firewalls, ACLs and policies
    • Cisco PIX Firewall
    • Checkpoint Firewall-1
    • Symantec Enterprise Firewall
    • Microsoft ISA Server
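The risk analysis from the Preparation slides (risk levels per resource, user types, access granted only where required) and the risk-driven monitoring cadence from the slide above, worked through as a small policy model. This is an added illustration, not material from the original deck; the resource names, the "read"/"admin" permission names and the risk assignments are constructed assumptions.

```python
# Added illustration of the risk analysis: resources get a risk level, user
# groups get only the access they require, and everything else is denied.
from enum import IntEnum

class Risk(IntEnum):
    LOW = 1      # minimal impact, can't be leveraged for greater access
    MEDIUM = 2   # moderate disruption, possible legal ramifications
    HIGH = 3     # major disruption, significant revenue loss

# Constructed sample inventory (assumed resource names and risk levels).
RESOURCES = {
    "intranet-web": Risk.LOW,
    "help-desk-tools": Risk.MEDIUM,
    "core-router": Risk.HIGH,
    "finance-db": Risk.HIGH,
}

# Access each user group from the slides requires; "read" and "admin" are
# constructed permission names. Absence from the map means no access.
POLICY = {
    "administrators": {r: "admin" for r in RESOURCES},
    "privileged":     {"intranet-web": "read", "help-desk-tools": "admin",
                       "core-router": "admin"},   # deliberately excessive
    "users":          {"intranet-web": "read"},
    "partners":       {"intranet-web": "read"},   # extranet access only
    "others":         {},
}
LEVEL = {"none": 0, "read": 1, "admin": 2}  # "admin" implies "read"

def check_access(group, resource, wanted):
    """Default deny: unknown groups, unknown resources and ungranted
    permissions all return False."""
    if resource not in RESOURCES or wanted not in LEVEL:
        return False
    granted = POLICY.get(group, {}).get(resource, "none")
    return LEVEL[granted] >= LEVEL[wanted]

def monitoring_cadence(resource):
    """Monitoring interval derived from the resource's risk level, following
    the Prevention slide (weekly / daily / real-time)."""
    return {Risk.LOW: "weekly", Risk.MEDIUM: "daily",
            Risk.HIGH: "real-time"}[RESOURCES[resource]]

def audit_least_privilege():
    """Policy-review check: any non-administrator group holding admin on a
    HIGH-risk resource is flagged as excessive access."""
    return sorted((g, r) for g, grants in POLICY.items()
                  if g != "administrators"
                  for r, p in grants.items()
                  if RESOURCES[r] == Risk.HIGH and p == "admin")
```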
Prevention
• Monitoring Security of your Network
  • Utilize third-party monitoring and management tools and resources
    • BMC Software PATROL 2000, PATROL for Firewalls, Visualis, DashBoard and INCONTROL
    • HP OpenView
    • NetIQ End2End Performance Suite and WebTrends Firewall Suite
    • Micromuse NetCool
    • NetScout nGenius
    • CA Unicenter
    • Tivoli NetView and SecureWay
Prevention
• Monitoring Security of your Network
  • Utilize an IDS for automated monitoring and response
    • Cisco Secure IDS
    • ISS RealSecure and BlackICE Defender
    • Symantec NetProwler
    • eEye SecureIIS
  • Test with port and vulnerability scanners
    • Nmap for Windows and Unix
    • Nessus (Unix only)
    • eEye Retina and Iris
    • ISS Internet Scanner
Response
• Define the response for the 3 types of scenarios
  • Security Violations – What to do when a system is being compromised
  • Restoration – How to fix the system that was compromised
  • Review – How did the compromise happen, and how can you stop it from occurring again
Response
• Security Violations – Plan the appropriate reaction to a violation
  • Perform drills to ensure everyone knows their responsibilities
  • Notify the security team
  • Identify what leeway the team has to address the issue
  • Identify corrective actions
  • Implement changes to prevent further access
    • Isolating/disconnecting the compromised system
    • Contacting the provider to begin tracing the attack
    • Using recording devices, logs and sniffers to gather evidence
    • Contacting authorities
    • Restoring systems according to a prioritized list
    • Notifying management and legal personnel
Response
• Forensic Tasks
  • Collect the data related to the attack for future learning and legal use
  • Record the event using sniffers, copies of log files and tools like PATROL Visualis to play back the network traffic
  • Disable any accounts used, disconnect compromised equipment and, if need be, disconnect from the Internet
  • Back up the compromised system to provide a long-term record
  • Look for other signs of compromise. Remember that if a system has been compromised once that you know of, it may have been compromised again in ways you didn’t notice
  • Maintain and review security and device logs to use as a reference on the nature of the attack
Response
• Restoration
  • Define and provide the restoration procedures that will be used
  • Establish a good backup policy
  • Utilize TFTP for network device imaging
  • Define what will and will not be restored
Response
• Review – Security is a living process that requires constant scrutiny
  • Policy Review – Ensure that your policies are both functional and protective
  • Posture Review – Check your security posture against the expected posture your policies defined. Have outside auditors check your network
  • Practice Review – Test your policies by practicing
    • Use drills to test response
    • Test with scanners and vulnerability tools
The Secure Design
• A good network design takes into consideration
  • The Enemies – you have to know what you are defending against to know how to defend against it
  • The Risk – you need to understand the risks your network is under to properly mitigate those risks
  • The Fixes – Once you understand the enemies and the risk, you can focus on how to address them
The Enemies!!
• Hackers
  • The majority are simply looking for “something to do” and are not malicious in any way
• Unaware Staff
  • These are the “unwitting victims” that hackers love to take advantage of via techniques like Social Engineering
• Disgruntled Employees
  • This is potentially the largest risk to your systems. These people may well have been “trusted” and now that they are upset, they have the knowledge to really take apart the networks they once used
• Snoops
  • This is your classic “curious” user. The junior tech who is taking a class and wants to put some knowledge to work, or the accountant who is bored and decides to go looking around the network “to see what is out there”
The Risks
• Viruses
  • The single most prevalent threat today
• Trojan Horse Programs
  • Performing tasks from data destruction to remote control
• Vandalism
  • The cyber equivalent of graffiti
• Attacks
  • Reconnaissance attacks aimed at information gathering
  • Access attacks aimed at gaining access to the system
  • DoS attacks aimed at preventing legitimate access to all or part of a system
The Risks
• Data Interception
  • Attempting to capture data via methods like TCP hijacking, IP spoofing and sniffing the network
• Social Engineering
  • One of the most successful methods of attack, social engineering preys on the users of the network: the hacker acts as if he is a legitimate user and attempts to gain information from the real users
• Spam
  • While Spam may go well with eggs, bacon, spam and spam, it goes poorly with everything else. While not malicious in its intent, Spam has the ability to congest systems and servers, as well as inviting retribution if you are the unknowing spammer
The Fixes
• Anti-Virus Software
  • Keep it up to date and have routine scans performed
• Access Control
  • Require authentication for access to systems, both servers and network equipment
  • Similar to handing out badges to your people
• Firewalls
  • While not a panacea, they are the single biggest step you can take to mitigate outside risk
  • Similar to a locked door
The Fixes
• Encryption
  • Ensuring that private data stays just that. Great for VPNs
  • Similar to armored cars delivering the data
• Intrusion Detection
  • Looks at the traffic passing through the system to test the validity of the traffic
  • Similar to a surveillance camera
The Fixes
• Network Scanning
  • Simply checking your systems and running port scans and penetration and vulnerability tests
  • Similar to checking to make sure all the doors are locked
• Updates
  • Ensure that you are staying on top of the updates that are released by the vendors
• Expertise
  • Both internal and external
  • Bring in external consultants to perform audits
Summary
• Security is not a device, it’s a policy and a philosophy
• Plan for security before you implement
• Implement firewalls and an IDS
• Run virus protection software
• Apply updates in a timely fashion
• Read. Read. Read. RFCs and whitepapers, while the most boring things ever written, are invaluable in maintaining the expertise to build secure and manageable networks