
12/06/56

1

Chapter 6 Blueprint for Security and Network Defenses

Dr.Sukchatri PRASOMSUK

School of Information Technology and Communication, University of Phayao

Slide 1

IS and Network Security

Resource from:

• Chapter 5, Principle of Information Security, Michael E. Whitman, 2009

• Chapter 5, Security+ Guide to Network Security Fundamentals, Third Edition, Darril Gibson

Upon completion of this chapter you should be able to:

• Understand management’s responsibilities and role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines

• Understand the differences between the organization’s general information security policy and the requirements and objectives of the various issue-specific and system-specific policies

• Know what an information security blueprint is and what its major components are

• Understand how an organization institutionalizes its policies, standards, and practices using education, training, and awareness programs

• Become familiar with what viable information security architecture is, what it includes, and how it is used

Slide 2

Management from all communities of interest must consider policies as the basis for all information security efforts

Policies direct how issues should be addressed and technologies used

Security policies are the least expensive control to execute, but the most difficult to implement

Shaping policy is difficult because a policy must:

• Never conflict with laws

• Stand up in court, if challenged

• Be properly administered

Slide 3

A policy is a plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions, and other matters

Policies are organizational laws

Standards, on the other hand, are more detailed statements of what must be done to comply with policy

Practices, procedures, and guidelines effectively explain how to comply with policy

For a policy to be effective it must be properly disseminated, read, understood and agreed to by all members of the organization

Slide 4

Management defines three types of security policy:

• General or security program policy

• Issue-specific security policies

• Systems-specific security policies

Slide 5

Figure 6-1 – Policies Standards & Practices

Slide 6

A security program policy (SPP) is also known as:

• A general security policy

• IT security policy

• Information security policy

Sets the strategic direction, scope, and tone for all security efforts within the organization

An executive-level document, usually drafted by, or with, the CIO of the organization, and usually 2 to 10 pages long

Slide 7

As various technologies and processes are implemented, certain guidelines are needed to use them properly

The ISSP:

• addresses specific areas of technology

• requires frequent updates

• contains an issue statement on the organization’s position on an issue

Three approaches:

• Create a number of independent ISSP documents

• Create a single comprehensive ISSP document

• Create a modular ISSP document

Slide 8

Statement of Policy

Authorized Access and Usage of Equipment

Prohibited Usage of Equipment

Systems Management

Violations of Policy

Policy Review and Modification

Limitations of Liability

Slide 9

Slide 10

While issue-specific policies are formalized as written documents, distributed to users, and agreed to in writing, SysSPs are frequently codified as standards and procedures used when configuring or maintaining systems

Systems-specific policies fall into two groups:

• Access control lists (ACLs) consist of the access control lists, matrices, and capability tables governing the rights and privileges of a particular user to a particular system

• Configuration rules comprise the specific configuration codes entered into security systems to guide the execution of the system

Slide 11

Both Microsoft Windows NT/2000 and Novell Netware 5.x/6.x families of systems translate ACLs into sets of configurations that administrators use to control access to their respective systems

ACLs allow configuration to restrict access from anyone and anywhere

ACLs regulate:

• Who can use the system

• What authorized users can access

• When authorized users can access the system

• Where authorized users can access the system from

• How authorized users can access the system

Slide 12
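The five questions an ACL answers (who, what, when, where, how) can be checked mechanically. The following is an added example, not code from the slides or from the Whitman textbook; the rule format, the subject names, the payroll.db object and the sample addresses are all constructed for illustration. It evaluates an access request against a small ACL with a default-deny outcome and returns the reason, which is what an audit trail would record.

```python
"""Added example (not from the slides or the textbook): evaluating an access
request against a systems-specific ACL that encodes the slide's five questions
(who, what, when, where, how). Rule format, names and sample data are assumptions."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AclRule:
    subject: str                           # who may use the system
    objects: frozenset                     # what the subject may access
    rights: frozenset                      # how: read / write / execute
    hours: tuple = ("00:00", "23:59")      # when: permitted local-time window
    from_networks: tuple = ("0.0.0.0/0",)  # where the request may come from


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    obj: str
    right: str
    at: str      # "HH:MM" local time
    src_ip: str


def evaluate(acl, req):
    """Default deny: allow only if some rule for the subject matches on every
    dimension. Returns (allowed, reason) so the decision can be logged."""
    reason = "no rule for subject"
    for rule in acl:
        if rule.subject != req.subject:
            continue
        if req.obj not in rule.objects:
            reason = "object not permitted"
            continue
        if req.right not in rule.rights:
            reason = "right not granted"
            continue
        start, end = (time.fromisoformat(t) for t in rule.hours)
        if not start <= time.fromisoformat(req.at) <= end:
            reason = "outside permitted hours"
            continue
        if not any(ip_address(req.src_ip) in ip_network(n) for n in rule.from_networks):
            reason = "source address not permitted"
            continue
        return True, "permitted by rule for %s" % rule.subject
    return False, reason


# Constructed sample ACL: a payroll clerk limited to office hours and the office
# subnet, and a read-only auditor who may also connect from the 10.0.0.0/8 range.
SAMPLE_ACL = [
    AclRule("alice", frozenset({"payroll.db"}), frozenset({"read", "write"}),
            hours=("08:00", "18:00"), from_networks=("192.168.1.0/24",)),
    AclRule("bob", frozenset({"payroll.db"}), frozenset({"read"}),
            from_networks=("192.168.1.0/24", "10.0.0.0/8")),
]

if __name__ == "__main__":
    req = AccessRequest("alice", "payroll.db", "write", "20:30", "192.168.1.10")
    print(evaluate(SAMPLE_ACL, req))   # denied: outside permitted hours
```

The order of the checks matters only for the reason string; any failing dimension denies the request, and a subject with no rule at all is denied by default rather than falling through to an allow.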

Rule policies are more specific to the operation of a system than ACLs

Many security systems require specific configuration scripts telling the systems what actions to perform on each set of information they process

Slide 13

Slide 14

Policies are living documents that must be managed and nurtured, and are constantly changing and growing

Documents must be properly managed

Special considerations should be made for organizations undergoing mergers, takeovers, and partnerships

In order to remain viable, policies must have:

• an individual responsible for reviews

• a schedule of reviews

• a method for making recommendations for reviews

• a specific effective and revision date

Slide 15

The classification of information is an important aspect of policy

The same protection scheme created to prevent production data from accidental release to the wrong party should be applied to policies in order to keep them freely available, but only within the organization

In today’s open office environments, it may be beneficial to implement a clean desk policy

A clean desk policy stipulates that at the end of the business day, all classified information must be properly stored and secured

Slide 16

At this point in the Security SDLC, the analysis phase is complete and the design phase begins – many work products have been created

Designing a plan for security begins by creating or validating a security blueprint

Then use the blueprint to plan the tasks to be accomplished and the order in which to proceed

Setting priorities can follow the recommendations of published sources, published standards provided by government agencies, or private consultants

Slide 17

Slide 18

12/06/56

10

One approach is to adapt or adopt a published model or framework for information security

A framework is the basic skeletal structure within which additional detailed planning of the blueprint can be placed as it is developed or refined

Experience teaches us that what works well for one organization may not precisely fit another

Slide 19

Slide 20

Another approach available is described in the many documents available from the Computer Security Resource Center of the National Institute for Standards and Technology (csrc.nist.gov), including:

• NIST SP 800-12 - The Computer Security Handbook

• NIST SP 800-14 - Generally Accepted Principles and Practices for Securing IT Systems

• NIST SP 800-18 - The Guide for Developing Security Plans for IT Systems

Slide 21

VISA International promotes strong security measures and has security guidelines

Developed two important documents that improve and regulate its information systems: “Security Assessment Process” and “Agreed Upon Procedures”

Using the two documents, a security team can develop a sound strategy for the design of good security architecture

The only downside to this approach is the very specific focus on systems that can or do integrate with VISA’s systems

Slide 22

Figure 6-16 – Spheres of Security

Slide 23

Generally speaking, the concept of the sphere is to represent the 360 degrees of security necessary to protect information at all times

The first component is the “sphere of use”

Information, at the core of the sphere, is available for access by members of the organization and other computer-based systems:

• To gain access to the computer systems, one must either directly access the computer systems or go through a network connection

• To gain access to the network, one must either directly access the network or go through an Internet connection

Slide 24

The “sphere of protection” overlays each of the levels of the “sphere of use” with a layer of security, protecting that layer from direct or indirect use through the next layer

The people must become a layer of security, a human firewall that protects the information from unauthorized access and use

Information security is therefore designed and implemented in three layers:

• policies

• people (education, training, and awareness programs)

• technology

Slide 25

Management Controls:

• Program Management

• System Security Plan

• Life Cycle Maintenance

• Risk Management

• Review of Security Controls

• Legal Compliance

Operational Controls:

• Contingency Planning

• Security ETA

• Personnel Security

• Physical Security

• Production Inputs and Outputs

• Hardware & Software Systems Maintenance

• Data Integrity

Technical Controls:

• Logical Access Controls

• Identification, Authentication, Authorization, and Accountability

• Audit Trails

• Asset Classification and Control

• Cryptography

Slide 26

Slide 27

Slide 28

Slide 29

Slide 30

Other key technology components

A firewall is a device that selectively discriminates against information flowing into or out of the organization

The DMZ (demilitarized zone) is a no-man’s land, between the inside and outside networks, where some organizations place Web servers

In an effort to detect unauthorized activity within the inner network, or on individual machines, an organization may wish to implement Intrusion Detection Systems or IDS

Slide 31

Slide 32

Slide 33

Resource from: Chapter 5 Network Defenses, Security+ Guide to Network Security Fundamentals, Third Edition

Network Defenses

Slide 34

• Explain how to enhance security through network design

• Define network address translation and network access control

• List the different types of network security devices and explain how they can be used

Slide 35

Crafting a Secure Network

Slide 36

Subnetting

IP addresses are actually two addresses: one part is a network address and one part is a host address

Subnetting or subnet addressing splits a large block of IP addresses into smaller groups

Slide 37

Image from Cisco CCNA Class 1

Slide 38

Image from Cisco CCNA class 1, modified

Whole College: 147.144.0.0/16 (hosts 147.144.0.1 through 147.144.255.254)

CNIT Dept: 147.144.20.0/24 (hosts 147.144.20.1 through 147.144.20.254)

Eng Dept: 147.144.51.0/24 (hosts 147.144.51.1 through 147.144.51.254)

Slide 39

Slide 40

Each subnet can be isolated from the rest of the network

Traffic between subnets can be monitored and restricted at the routers

Subnets also allow network administrators to hide the internal network layout

Outsiders only see your public servers, not your private subnets

Slide 41
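The subnet arithmetic behind the college example (147.144.0.0/16 carved into /24 department blocks) and the isolation point on the last slide can be worked through with the standard library. This is an added example, not code from the slides or the Cisco material; the department names and the 147.144.x.x blocks are taken from the slide, and the idea that two hosts on different department subnets must cross a router (where traffic can be filtered) is the slide's own point.

```python
"""Added example (not from the slides): network/host split, usable host range,
subnet membership and "does this traffic cross a router" for the college
addressing plan on the slide (147.144.0.0/16 with /24 department subnets)."""
from ipaddress import ip_address, ip_network

COLLEGE = ip_network("147.144.0.0/16")
DEPARTMENTS = {                      # the two department subnets on the slide
    "CNIT": ip_network("147.144.20.0/24"),
    "Eng": ip_network("147.144.51.0/24"),
}


def split_address(addr, net):
    """Return (network part, host number) of addr under net's mask: the
    'two addresses in one' idea from the subnetting slide."""
    a = int(ip_address(addr))
    mask = int(net.netmask)
    return str(ip_address(a & mask)), a & (0xFFFFFFFF ^ mask)


def host_range(net):
    """First and last usable host address (network and broadcast excluded)."""
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def department_of(addr):
    """Which department subnet an address falls in, or None if unassigned."""
    ip = ip_address(addr)
    for name, net in DEPARTMENTS.items():
        if ip in net:
            return name
    return None


def crosses_router(a, b):
    """True when a packet between the two hosts leaves its subnet and therefore
    passes a router, where it can be monitored and restricted."""
    da, db = department_of(a), department_of(b)
    return da is None or db is None or da != db


def available_subnets(parent, prefix):
    """How many subnets of the given prefix length a parent block yields."""
    return 2 ** (prefix - parent.prefixlen)


if __name__ == "__main__":
    print(host_range(COLLEGE))                         # ('147.144.0.1', '147.144.255.254')
    print(split_address("147.144.20.37", DEPARTMENTS["CNIT"]))
    print(crosses_router("147.144.20.5", "147.144.51.9"))   # True: CNIT -> Eng
```

The `/16` block can hold 256 `/24` subnets, so the slide's two departments use only a small part of the college address space; the remaining blocks can be assigned later without renumbering.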

VLANs segment a network with switches, not routers

A VLAN allows scattered users to be logically grouped together even though they may be attached to different switches

Can reduce network traffic and provide a degree of security similar to subnetting: VLANs can be isolated so that sensitive data is transmitted only to members of the VLAN

Slide 42

Slide 43

Accounting machines are on their own VLAN

Slide 44

VLAN communication can take place in two ways:

• All devices are connected to the same switch: traffic is handled by the switch itself

• Devices are connected to different switches: a special “tagging” protocol must be used, such as IEEE 802.1Q-2005

A VLAN is heavily dependent upon the switch for correctly directing packets:

• Attackers could take control of the switch itself, if it has a default or weak password

• Specially crafted traffic can also "hop" from one VLAN to another

Slide 45
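Because VLAN membership between switches is carried in the 802.1Q tag, a monitoring tool or an access port needs to parse that tag and reject what it should not see. The following is an added example, not code from the slides or the Security+ text: a parser for the 802.1Q header (TPID 0x8100, then PCP, DEI and the 12-bit VLAN ID) plus the check an access port would apply. Frames carrying more than one tag are flagged, since a frame that arrives with an extra tag is the shape of traffic behind the slide's "hop from one VLAN to another" warning. The sample frames are constructed inline.

```python
"""Added example (not from the slides): parse the IEEE 802.1Q tag on an Ethernet
frame and flag frames that carry more than one tag. Sample frames are constructed."""
import struct

TPID_CTAG = 0x8100   # 802.1Q customer VLAN tag
TPID_STAG = 0x88A8   # 802.1ad service tag (provider bridging)


def parse_vlan_tags(frame):
    """Return (tags, inner_ethertype, payload_offset), where each tag is
    (tpid, pcp, dei, vid). Raises ValueError on a truncated header."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12                      # skip destination and source MAC addresses
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_CTAG, TPID_STAG):
            return tags, ethertype, offset + 2
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)   # tag control information
        tags.append((ethertype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4


def classify(frame, access_vlan=None):
    """Checks an access port would apply: untagged frames pass, a single tag
    passes only if it matches the port's VLAN, and a second tag is flagged."""
    tags, _, _ = parse_vlan_tags(frame)
    if len(tags) > 1:
        return "suspicious: double-tagged frame"
    if len(tags) == 1 and access_vlan is not None and tags[0][3] != access_vlan:
        return "drop: tag %d not allowed on access VLAN %d" % (tags[0][3], access_vlan)
    return "ok"


# Constructed sample frames: dst 00:11:22:33:44:55, src 66:77:88:99:aa:bb,
# followed by an IPv4 EtherType and a zeroed payload stub.
_MACS = bytes.fromhex("001122334455" "66778899aabb")
_IPV4 = bytes.fromhex("0800") + bytes(20)
UNTAGGED = _MACS + _IPV4
SINGLE_TAGGED = _MACS + bytes.fromhex("8100" "000a") + _IPV4                # VLAN 10
DOUBLE_TAGGED = _MACS + bytes.fromhex("8100" "000a" "8100" "0014") + _IPV4  # VLAN 10 over VLAN 20

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("single", SINGLE_TAGGED), ("double", DOUBLE_TAGGED)):
        print(name, parse_vlan_tags(frame)[0], classify(frame, access_vlan=10))
```

On a real switch the equivalent controls are configuration, not code: access ports should not accept tagged frames, the native VLAN of trunk ports should be one that carries no user traffic, and the switch's own management credentials are what the slide's first bullet is about.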

Telephone, data, and video all using the same IP network (Voice over IP, Video over IP)

Advantages:

• Cost savings

• Management

• Application development

• Infrastructure requirements

• Reduced regulatory requirements

• Increased user productivity

Slide 46

Slide 47

A separate network that sits outside the secure network perimeter

Outside users can access the DMZ but cannot enter the secure network

Slide 48

Slide 49

Slide 50

Hides the IP addresses of network devices from attackers

Private addresses: IP addresses not assigned to any specific user or organization

Function as regular IP addresses on an internal network

Non-routable addresses: traffic addressed to private addresses is discarded by Internet routers

Slide 51

NAT removes the private IP address from the sender’s packet

And replaces it with an alias IP address

When a packet is returned to NAT, the process is reversed

An attacker who captures the packet on the Internet cannot determine the actual IP address of the sender

Slide 52

NAT address translation diagram:

Private IP Addresses (inside): 192.168.1.101, 192.168.1.102, 192.168.1.103, 192.168.1.51, 192.168.1.1

Address Translation:

192.168.1.101 -> 147.144.1.101

192.168.1.102 -> 147.144.1.102

192.168.1.103 -> 147.144.1.103

192.168.1.151 -> 147.144.1.104

Public IP Addresses (outside)

Slide 53

Normally performed along with NAT

Each packet is given the same IP address but a different TCP port number

Allows many machines to share the same public IP address

Slide 54

Port address translation diagram (addresses shown: private 192.168.1.101, 192.168.1.102, 192.168.1.103, 192.168.1.51, 192.168.1.1; public 147.144.1.1):

Web browser: 192.168.1.101 Port 1100

Email: 192.168.1.101 Port 1102

Web browser: 192.168.1.103 Port 1100

Address Translation:

192.168.1.101 Port 1100 -> 147.144.1.1 Port 2100

192.168.1.101 Port 1102 -> 147.144.1.1 Port 2101

192.168.1.103 Port 1100 -> 147.144.1.1 Port 2102

Slide 55
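The translation table on the slide (three inside sockets sharing public address 147.144.1.1 on ports 2100 to 2102) can be modelled in a few lines. This is an added example, not code from the slides: it implements port address translation as a pair of mappings, rewrites outbound packets, reverses the rewrite for replies, and discards an inbound packet for which no inside host opened a mapping, which is the sense in which NAT "prevents many attacks" later in the deck. The addresses and starting port are taken from the slide; the remote addresses are constructed.

```python
"""Added example (not from the slides): a minimal port address translation
(PAT) table for the inside hosts behind public address 147.144.1.1."""
from itertools import count


class Pat:
    """One public address, many inside sockets, distinguished by public port."""

    def __init__(self, public_ip, first_port=2100):
        self.public_ip = public_ip
        self._ports = count(first_port)     # next free public port (assumed allocation order)
        self.out = {}    # (private ip, private port) -> public port
        self.back = {}   # public port -> (private ip, private port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of an outgoing packet; reuse an existing mapping
        so a flow keeps the same public port. Returns the translated 4-tuple."""
        key = (src_ip, src_port)
        if key not in self.out:
            port = next(self._ports)
            self.out[key] = port
            self.back[port] = key
        return self.public_ip, self.out[key], dst_ip, dst_port

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Reverse translation for a reply. Returns None (packet discarded)
        when the destination port has no mapping, i.e. nobody inside asked."""
        if dst_ip != self.public_ip or dst_port not in self.back:
            return None
        priv_ip, priv_port = self.back[dst_port]
        return src_ip, src_port, priv_ip, priv_port


if __name__ == "__main__":
    pat = Pat("147.144.1.1")
    print(pat.outbound("192.168.1.101", 1100, "203.0.113.10", 80))   # -> port 2100
    print(pat.outbound("192.168.1.101", 1102, "203.0.113.20", 25))   # -> port 2101
    print(pat.outbound("192.168.1.103", 1100, "203.0.113.10", 80))   # -> port 2102
    print(pat.inbound("203.0.113.20", 25, "147.144.1.1", 2101))      # reply reaches .101:1102
    print(pat.inbound("198.51.100.7", 4444, "147.144.1.1", 9999))    # None: unsolicited
```

The one-to-one NAT on the previous slide is the same mechanism with a whole public address per inside host instead of a port; PAT is what lets many machines share one public address.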

Examines a computer before it is allowed to connect to the network

Each computer must meet security policy first, such as:

• Windows patches up to date

• Antivirus software

• Antispyware software

• Etc.

Any device that does not meet the policy is only allowed to connect to a “quarantine” network where the security deficiencies are corrected

Slide 56

Slide 57

Applying Network Security Devices

Slide 58

• Firewalls

• Proxy servers

• Honeypots

• Network intrusion detection systems

• Host and network intrusion prevention systems

• Protocol analyzers

• Internet content filters

• Integrated network security hardware

Slide 59

Typically used to filter packets

Sometimes called a packet filter

Designed to prevent malicious packets from entering the network

A firewall can be software-based or hardware-based

Hardware firewalls usually are located outside the network security perimeter, as the first line of defense

Slide 60

Slide 61

The basis of a firewall is a rule base: establishes what action the firewall should take when it receives a packet (allow, block, and prompt)

Stateless packet filtering: looks at the incoming packet and permits or denies it based strictly on the rule base

Stateful packet filtering: keeps a record of the state of a connection between an internal computer and an external server, then makes decisions based on the connection as well as the rule base

Slide 62

Slide 63
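The difference between the two filtering modes shows up on the reply to an outbound connection. Below is an added example, not code from the slides or the textbook: a three-rule rule base (first match wins, implicit final block), a stateless evaluator that consults only the rule base, and a stateful evaluator that also keeps a connection table. The packets and the rule base are constructed; the rule base lets a web server accept port 80 and lets inside hosts open outbound TCP, and nothing else.

```python
"""Added example (not from the slides): stateless versus stateful packet
filtering over the same rule base. Packets and rules are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the Internet) or "out"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK: a new connection being opened


# Rule base: first matching rule decides; anything unmatched is blocked.
# (The slide's third action, "prompt", is what a personal firewall does interactively.)
RULES = [
    {"direction": "in", "proto": "tcp", "dport": 80, "action": "allow"},   # public web server
    {"direction": "out", "proto": "tcp", "action": "allow"},               # inside hosts may open TCP
    {"direction": "in", "proto": "tcp", "action": "block"},                # everything else inbound
]


def matches(rule, pkt):
    return all(getattr(pkt, field) == value for field, value in rule.items() if field != "action")


def stateless_filter(pkt, rules=RULES):
    """Decide on the packet alone, strictly from the rule base."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "block"


class StatefulFilter:
    """Remembers connections opened from inside and lets their replies back in."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.connections = set()   # (inside ip, inside port, outside ip, outside port)

    def decide(self, pkt):
        if pkt.direction == "out":
            action = stateless_filter(pkt, self.rules)
            if action == "allow":
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return action
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.connections and not pkt.syn:   # a reply on a tracked connection
            return "allow"
        return stateless_filter(pkt, self.rules)      # otherwise the rule base decides


if __name__ == "__main__":
    request = Packet("out", "tcp", "192.168.1.101", 1100, "203.0.113.10", 80, syn=True)
    reply = Packet("in", "tcp", "203.0.113.10", 80, "192.168.1.101", 1100)
    print("stateless:", stateless_filter(request), stateless_filter(reply))   # allow block
    fw = StatefulFilter()
    print("stateful:", fw.decide(request), fw.decide(reply))                  # allow allow
```

The stateless filter has no way to admit the reply on port 1100 without a rule that would also admit any inbound packet to that port; the stateful filter admits it only because the inside host opened the connection, and still blocks an inbound SYN arriving on the same 4-tuple.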

Note error in textbook in left column, 3rd row: State = Established

Slide 64

Most personal software firewalls today also filter outbound traffic as well as inbound traffic

Filtering outbound traffic protects users by preventing malware from connecting to other computers and spreading

But it annoys them with these alerts

Slide 65

Proxy server diagram: client to proxy: “I want to see yahoo.com”; proxy: “I will get yahoo.com and save a copy” (fetches it from the Internet); proxy to client: “Here is my copy of yahoo.com”

Slide 66

Clients never directly connect to the Internet

This saves bandwidth, because one copy of a popular Web page can be used many times

Allows a company to block forbidden Web sites

It also prevents many attacks the same way NAT does

Reverse proxy: does not serve clients but instead routes incoming requests to the correct server

Slide 67

Diagram: “Connect to Web server 1”

Slide 68

Intended to trap or trick attackers

A computer typically located in a DMZ that is loaded with software and data files that appear to be authentic, yet they are actually imitations of real data files

Three primary purposes of a honeypot:

• Deflect attention

• Early warnings of new attacks

• Examine attacker techniques

Slide 69

Network intrusion detection system (NIDS)

Watches for attempts to penetrate a network

NIDS work on the principle of comparing new behavior against normal or acceptable behavior

A NIDS looks for suspicious patterns

Passive intrusion detection just logs the traffic and sends alerts

Slide 70

Slide 71

Finds malicious traffic and deals with it immediately

Also called Active Intrusion Detection

A typical IPS response may be to block all incoming traffic on a specific port

Slide 72

Installed on each system that needs to be protected

Rely on agents installed directly on the system being protected

Work closely with the operating system, monitoring and intercepting requests in order to prevent attacks

Slide 73

Most HIPS monitor the following desktop functions:

• System calls

• File system access

• System Registry settings

• Host input/output

HIPS are designed to integrate with existing antivirus, anti-spyware, and firewalls

HIPS provide an additional level of security that is proactive instead of reactive

Slide 74

Work to protect the entire network and all devices that are connected to it

By monitoring network traffic NIPS can immediately react to block a malicious attack

NIPS are special-purpose hardware platforms that analyze, detect, and react to security-related events

Can drop malicious traffic based on their configuration or security policy

Slide 75

Three ways for detecting a potential intrusion:

• Detecting statistical anomalies (unusual traffic)

• Examine network traffic and look for well-known patterns of attack

• Use protocol analyzer technology

Protocol analyzers can fully decode application-layer network protocols

Parts of the protocol can be analyzed for any suspicious behavior, such as an overly long User-Agent field in an HTTP GET request

Slide 76
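The three detection approaches on the slide are easiest to compare when run over the same input. The following is an added example, not code from the slides or from any NIDS product: it takes a handful of constructed HTTP request records and applies a signature check (a known pattern in the request line), a protocol-analysis check (the slide's overly long User-Agent) and a statistical check (a source sending far more requests than the baseline). The signature, the 256-byte User-Agent limit and the 10-request baseline are assumptions chosen for the sample data.

```python
"""Added example (not from the slides): signature, protocol-analysis and
statistical-anomaly detection over constructed HTTP request records."""
import re
from collections import Counter

# Constructed sample: (source ip, request line, User-Agent header value).
# One source sends a suspicious path, one an oversized User-Agent, one floods.
SAMPLE = [
    ("10.0.0.5", "GET /index.html HTTP/1.1", "Mozilla/5.0"),
    ("10.0.0.5", "GET /about.html HTTP/1.1", "Mozilla/5.0"),
    ("10.0.0.9", "GET /../../etc/passwd HTTP/1.1", "curl/7.0"),
    ("10.0.0.7", "GET / HTTP/1.1", "A" * 600),
] + [("10.0.0.12", "GET /login HTTP/1.1", "Mozilla/5.0")] * 40

# Assumed signatures: well-known request patterns an IDS rule set would carry.
SIGNATURES = [re.compile(r"\.\./"), re.compile(r"(?i)union\s+select")]
MAX_USER_AGENT = 256      # assumed protocol-analysis limit for the header length
BASELINE_REQUESTS = 10    # assumed normal request count per source in the window


def signature_alerts(records):
    """Pattern matching: request line contains a known attack signature."""
    return [src for src, req, _ in records if any(s.search(req) for s in SIGNATURES)]


def protocol_alerts(records):
    """Protocol analysis: a decoded header field outside its expected shape."""
    return [src for src, _, ua in records if len(ua) > MAX_USER_AGENT]


def anomaly_alerts(records, baseline=BASELINE_REQUESTS):
    """Statistical anomaly: a source whose volume exceeds the baseline."""
    counts = Counter(src for src, _, _ in records)
    return [src for src, n in counts.items() if n > baseline]


def analyze(records):
    """Passive IDS output: one alert list per detection method."""
    return {
        "signature": signature_alerts(records),
        "protocol": protocol_alerts(records),
        "anomaly": anomaly_alerts(records),
    }


def block_list(report):
    """What an IPS would act on: the distinct sources behind any alert."""
    return sorted({src for sources in report.values() for src in sources})


if __name__ == "__main__":
    report = analyze(SAMPLE)
    print(report)
    print("IPS would block:", block_list(report))
```

A passive NIDS stops at `analyze` (log and alert); the `block_list` step is the point at which the same logic becomes an IPS, and the thresholds are where false positives are tuned: lowering `BASELINE_REQUESTS` would flag ordinary busy clients as well.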

Internet content filters

Monitor Internet traffic and block access to preselected Web sites and files

A requested Web page is only displayed if it complies with the specified filters

Unapproved Web sites can be restricted based on the Uniform Resource Locator (URL) or by matching keywords

Slide 77

Slide 78
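The proxy slides and the content filter slide describe the same decision point: a request passes through one device that can cache it, block it by URL, or block it by keyword. The following is an added example, not code from the slides or the textbook: a filtering proxy that rejects URLs by host (suffix match, so subdomains are covered) or by keyword in the path, rejects a fetched page whose body contains a blocked keyword, and serves repeat requests for an allowed page from its cache. The blocked host, the keywords, the `.test` host names and the page bodies are all constructed.

```python
"""Added example (not from the slides): a content-filtering, caching proxy
decision function. Block lists, host names and page contents are constructed."""
from urllib.parse import urlsplit

BLOCKED_HOSTS = {"example-gambling.test"}          # assumed URL block list
BLOCKED_KEYWORDS = {"casino", "warez"}              # assumed keyword list

# Constructed stand-in for the Internet: URL -> page body.
PAGES = {
    "http://news.example.test/": "<html>Campus news</html>",
    "http://files.example.test/downloads": "<html>get warez here</html>",
}


def fake_fetch(url):
    return PAGES.get(url, "")


class FilteringProxy:
    def __init__(self, fetch):
        self.fetch = fetch          # function url -> body; the only path to the Internet
        self.cache = {}
        self.fetch_count = 0        # how often the proxy actually went out

    def check_url(self, url):
        """URL-based filtering: blocked host (or subdomain) or keyword in path/query."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in BLOCKED_HOSTS):
            return "blocked host"
        text = (parts.path + "?" + parts.query).lower()
        if any(k in text for k in BLOCKED_KEYWORDS):
            return "blocked keyword in URL"
        return None

    def request(self, url):
        """Return ("blocked", reason) or ("allowed", body). Clients never
        fetch directly; an allowed page is fetched once and then cached."""
        reason = self.check_url(url)
        if reason:
            return "blocked", reason
        if url not in self.cache:
            body = self.fetch(url)
            self.fetch_count += 1
            if any(k in body.lower() for k in BLOCKED_KEYWORDS):
                return "blocked", "blocked keyword in page"
            self.cache[url] = body
        return "allowed", self.cache[url]


if __name__ == "__main__":
    proxy = FilteringProxy(fake_fetch)
    for url in ("http://www.example-gambling.test/", "http://news.example.test/casino-report",
                "http://news.example.test/", "http://news.example.test/",
                "http://files.example.test/downloads"):
        print(url, "->", proxy.request(url)[0])
    print("fetches:", proxy.fetch_count)   # 2: news page once, downloads page once
```

Keyword filtering of page bodies is deliberately not cached here: a page that is blocked today should be re-examined rather than remembered as blocked, since its content, unlike its URL, changes between requests.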

Types of hardware security appliances:

• Dedicated security appliances provide a single security service

• Multipurpose security appliances that provide multiple security functions

Integrated network security hardware: combines or integrates multipurpose security appliances with a traditional network device such as a switch or router

Particularly attractive for networks that use IDS

Slide 79

Slide 80