Jason A. Wessel AVP Security Services Network Security: A Defense-in-Depth Approach.

Page 1

Jason A. Wessel, AVP Security Services

Network Security:

A Defense-in-Depth Approach

Page 2

Agenda

• Origin of Defense-in-Depth
• Defense-in-Depth: Information Security
– Strategies
– Security Models / Frameworks
• Attackers & the evolving threats on Information Security
• Network Defenses
• Additional Defenses
• Question & Answer

Page 3

Origin of Defense-in-Depth

“A military strategy sometimes called elastic defense. Defense in depth seeks to delay rather than prevent the advance of an attacker, buying time and causing additional casualties by yielding space.”

http://en.wikipedia.org/wiki/Defense_in_depth

Page 4

Defense-in-Depth: Information Security

“…the practice of layering defenses to provide added protection. Defense in depth increases security by raising the cost of an attack. This system places multiple barriers between an attacker and your business critical information resources: the deeper an attacker tries to go, the harder it gets.”

Brooke Paul, Jul 01, Security Workshop at Network Computing

Page 5

Defense-in-Depth Strategy

Information Assurance Strategy

Ensuring confidentiality, integrity, and availability of data

People - Hire talented people, train and reward them

Technology - Evaluate, Implement, Test and Assess

Operations - Maintain vigilance, respond to intrusions, and be prepared to restore critical services

IAS Thomas E. Anderson Briefing Slides

Page 6

Defense-in-Depth Security Model

(Figure: the layers of the model, listed in the order shown on the slide)

Perimeter
Internal
Hosts
Applications
Data

Page 7

Defense-in-Depth

• Framework for Information Security
– “Security is a process, not a product” (Bruce Schneier)
• Ongoing process
– Can’t be implemented over a weekend
• Assume control points will fail
– Architecture to protect from failures

Page 8

The Attackers

• The Script Kiddies
– Do not target specific information or companies
– Use a small number of exploits and search for victims to use those exploits against
• The Skilled Hacker
– Targets specific information and companies
– Performs comprehensive research on victims using multiple exploits and social engineering techniques
– Typically out for personal gain (money, glory, etc.)
• The Insider
– Trusted employee who knows where business critical information is located
– Typically out to harm business reputation, commit fraud, or achieve financial gain

Page 9

Attack Landscape is Evolving

• Viruses, Worms, Trojans, Root Kits
• Shift from “Glory-Motivated-Vandals” to “Financially-Politically-&-Fraud-Motivated-Cyber-Crime”
• “Designer Worms” and “Designer Trojans”
• Shift from Worms to Bot-Networks

From IBM Internet Security Systems

Page 10

Attack Evolution Example

• Welchia Worm
– Infected devices
– Sprayed 20K UDP packets per second
– Impacted services and network performance based on increased traffic volume
• Zotob/Esbot
– Owned devices, restricted range, local traffic
– Assess first, fire only when vulnerable

From IBM Internet Security Systems

Page 11

Network Defenses

• Network Segmentation
• Access Points
• Routers and Switches
• Firewalls
• Content Filtering
• IDS / IPS
• Remote Access
• Event Management
• Vulnerability Management

Page 12

Network Segmentation

• Create a logical security view of a network infrastructure

• Identify critical resources and information assets

• Apply security and business risk classifications

• Building block for the other network defenses
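The four bullets above describe a procedure: build a logical view of the network, classify the assets, and use that view as the foundation for the other defenses. The following Python is an added worked example of that procedure and is not material from the talk; the zone names, sensitivity tiers, address ranges, asset inventory and permitted flows are all constructed for illustration.

```python
"""Logical security view of a network: zones with a sensitivity tier, assets
carrying a business risk classification, and the default-deny inter-zone
flow policy that the other network defenses are built on.
Added illustration, not material from the talk; the zone names, segments,
asset inventory and allowed flows are all constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zones and a constructed sensitivity tier (higher = more sensitive).
ZONES = {"internet": 0, "dmz": 1, "user_lan": 2, "app_tier": 3, "data_tier": 4}

# Which address ranges belong to which zone (constructed).
SEGMENTS = [
    (ip_network("192.0.2.0/24"), "dmz"),
    (ip_network("10.10.10.0/24"), "user_lan"),
    (ip_network("10.10.20.0/24"), "app_tier"),
    (ip_network("10.10.30.0/24"), "data_tier"),
]

# Where each asset role is expected to live; used to catch misplaced assets.
EXPECTED_ZONE = {"web": "dmz", "workstation": "user_lan",
                 "app": "app_tier", "db": "data_tier"}

# Explicitly permitted cross-zone flows as (source zone, destination zone, port).
# Anything not listed is denied.
ALLOWED_FLOWS = {
    ("internet", "dmz", 443),
    ("dmz", "app_tier", 8443),
    ("app_tier", "data_tier", 5432),
    ("user_lan", "dmz", 443),
    ("user_lan", "app_tier", 8443),
}


@dataclass(frozen=True)
class Asset:
    name: str
    address: str
    role: str         # web | app | db | workstation
    criticality: str  # business risk classification: low | medium | high


# Constructed inventory; db-legacy is deliberately placed in the wrong zone.
ASSETS = [
    Asset("web01", "192.0.2.10", "web", "medium"),
    Asset("app01", "10.10.20.5", "app", "high"),
    Asset("db01", "10.10.30.7", "db", "high"),
    Asset("ws-042", "10.10.10.42", "workstation", "low"),
    Asset("db-legacy", "192.0.2.50", "db", "high"),
]


def zone_of(address: str) -> str:
    """Map an address to its zone; anything outside known segments is the internet."""
    addr = ip_address(address)
    for net, zone in SEGMENTS:
        if addr in net:
            return zone
    return "internet"


def flow_allowed(src: str, dst: str, port: int) -> bool:
    """Default-deny check of a cross-zone flow. Traffic that stays inside one
    zone is not a segmentation decision and passes here."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return True
    return (s, d, port) in ALLOWED_FLOWS


def placement_errors(assets) -> list:
    """Names of assets whose role does not match the zone their address is in,
    e.g. a database reachable in the DMZ."""
    return [a.name for a in assets if zone_of(a.address) != EXPECTED_ZONE[a.role]]


def inbound_boundaries() -> list:
    """Allowed flows that move from a less sensitive to a more sensitive zone:
    the boundaries that deserve a firewall rule review and an IDS sensor,
    since that is the direction an intrusion has to travel."""
    return sorted(f for f in ALLOWED_FLOWS if ZONES[f[0]] < ZONES[f[1]])


if __name__ == "__main__":
    print("misplaced assets:", placement_errors(ASSETS))
    for src, dst, port in inbound_boundaries():
        print(f"review boundary {src} -> {dst}:{port}")
```

The zone map is what turns the "logical security view" into something the later slides can consume: `flow_allowed` is the policy a firewall enforces, `inbound_boundaries` says where sensors and rule reviews pay off, and `placement_errors` catches the high-criticality asset sitting in the wrong segment that a classification exercise is meant to surface.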

Page 13

Network Segmentation

Page 14

Network Access / Entry Points

• Entry points into the network infrastructure
• Classify the access points
• Develop a security risk profile for each access point
• Each access point presents a threat for unauthorized and malicious access to the network infrastructure.

Page 15

Network Access Points

Page 16

Routers and Switches

• Typically responsible for transporting data to all areas of the network

• Sometimes overlooked as being able to provide a defense layer

• Capable of providing an efficient and effective security role in a Defense-in-Depth strategy

Page 17

Simple Router & Switch Network

Page 18

Firewalls

• First defenses thought of when working on a Defense-in-Depth strategy
• Provide granular access controls for a network infrastructure
• Firewall Types:
– Packet filtering
– Proxy based
– Stateful Inspection
• Continuing to increase their role by performing application layer defenses on the network
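The slide lists packet filtering and stateful inspection side by side without saying what separates them. The Python below is an added example, not from the talk, that runs the same four packets through a stateless filter and a stateful one; the addresses, the rule set and the packet sequence are constructed, and "internal" is assumed to mean the 10.0.0.0/8 range.

```python
"""Packet filtering versus stateful inspection, as a small simulation.
Added illustration, not from the talk; addresses, rules and packets are
constructed. Internal hosts are assumed to live in 10.0.0.0/8."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # first packet of a TCP connection
    ack: bool = False


def is_internal(addr: str) -> bool:
    return addr.startswith("10.")


def packet_filter(pkt: Packet) -> bool:
    """Stateless packet filter: every packet is judged on its own header.
    To let HTTPS replies back in, it has to accept any inbound packet whose
    source port is 443 and whose destination is a high port, with no memory
    of whether an internal host asked for it."""
    if is_internal(pkt.src) and pkt.dport == 443:
        return True  # outbound HTTPS
    if not is_internal(pkt.src) and pkt.sport == 443 and pkt.dport >= 1024:
        return True  # presumed replies: the gap a stateless filter leaves open
    return False


class StatefulFirewall:
    """Stateful inspection: an outbound connection is recorded when its
    handshake starts; later packets in either direction are accepted only
    if they belong to a recorded connection."""

    def __init__(self):
        # (internal addr, internal port, remote addr, remote port)
        self.table = set()

    def inspect(self, pkt: Packet) -> bool:
        if is_internal(pkt.src):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.dport == 443 and pkt.syn and not pkt.ack:
                self.table.add(key)  # new outbound HTTPS connection
                return True
            return key in self.table  # mid-stream outbound packet
        # inbound: accept only replies to a tracked connection
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


INTERNAL, EXTERNAL = "10.10.10.42", "203.0.113.9"

# Constructed scenario, in order:
SCENARIO = [
    Packet(INTERNAL, 51000, EXTERNAL, 443, syn=True),            # 1 client opens HTTPS
    Packet(EXTERNAL, 443, INTERNAL, 51000, syn=True, ack=True),  # 2 legitimate reply
    Packet(EXTERNAL, 443, INTERNAL, 3389, syn=True),             # 3 unsolicited inbound packet that merely carries source port 443
    Packet(INTERNAL, 51001, EXTERNAL, 443, ack=True),            # 4 outbound packet with no handshake behind it
]


def evaluate(packets=SCENARIO):
    """Return (stateless verdicts, stateful verdicts) for the scenario."""
    fw = StatefulFirewall()
    stateless = [packet_filter(p) for p in packets]
    stateful = [fw.inspect(p) for p in packets]
    return stateless, stateful


if __name__ == "__main__":
    for n, (p, a, b) in enumerate(zip(SCENARIO, *evaluate()), 1):
        print(f"{n}: {p.src}:{p.sport} -> {p.dst}:{p.dport}  stateless={a}  stateful={b}")
```

The stateless filter passes all four packets because it can only reason about one header at a time, so it must leave a standing allowance for "reply-looking" traffic. The stateful firewall passes only the two packets that belong to a connection an internal host actually opened; packets 3 and 4 are dropped because nothing in its connection table vouches for them, which is the granularity the slide attributes to stateful inspection.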

Page 19

Firewalls

Page 20

Content Filtering

• Protection of application and data content being delivered across the network
• Content filtering looks for:
– Virus
– File attachments
– SPAM
– Erroneous Web Surfing
– Proprietary / Intellectual Property
• Commonly used network protocols:
– SMTP, HTTP, FTP, and instant messaging

Page 21

Content Filtering

Page 22

IDS / IPS

• Detect malicious network traffic and unauthorized computer usage
• Detection Strategies
– Signature-based
– Anomaly-based
– Heuristic-based
– Behavioral-based
• View of traffic from a single point
• Similar technologies are applied at the host and network layers
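The detection strategies on the slide are only named. The Python below is an added example, not from the talk, that implements three of them (signature, anomaly and behavioral) over the same constructed per-second traffic summaries, including a rate spike of the kind the Welchia slide describes. The baseline records, the observed records and the signature pattern are all constructed placeholders.

```python
"""Three of the detection strategies named on the slide, each run over the
same constructed one-second traffic summaries: signature (pattern match on
payload), anomaly (statistical deviation from a host's baseline packet rate)
and behavioral (a host doing something outside its learned profile).
Added illustration, not from the talk; baseline, observations and the
signature are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Record:
    t: int        # second
    src: str
    dport: int
    proto: str
    pps: int      # packets per second sent by src in this second
    payload: str  # sample of payload seen (constructed)


# Constructed signature list: name -> pattern. The pattern is a placeholder.
SIGNATURES = {"TEST-SIG-1": re.compile(r"X-Constructed-Signature: example")}

# Five seconds of normal traffic from two hosts (constructed).
BASELINE = (
    [Record(t, "10.10.10.42", 443, "tcp", p, "") for t, p in enumerate([10, 12, 11, 13, 9])]
    + [Record(t, "10.10.10.7", 53, "udp", p, "") for t, p in enumerate([20, 22, 21, 19, 18])]
)

# The window under inspection (constructed).
OBSERVED = [
    Record(5, "10.10.10.42", 443, "tcp", 14, ""),
    Record(6, "10.10.10.42", 443, "tcp", 12, "X-Constructed-Signature: example"),
    Record(7, "10.10.10.7", 135, "udp", 20000, ""),   # rate spike on a port never used before
    Record(8, "10.10.10.7", 53, "udp", 21, ""),
    Record(9, "10.10.10.99", 443, "tcp", 30, ""),     # host absent from the baseline
]


def signature_detect(records):
    """Signature-based: fires only on content that matches a known pattern."""
    hits = []
    for r in records:
        for name, pat in SIGNATURES.items():
            if pat.search(r.payload):
                hits.append((r.t, r.src, name))
    return hits


def build_baseline(records):
    """Learn, per host, the packet-rate statistics and the set of
    (port, protocol) pairs it normally talks to."""
    rates = defaultdict(list)
    services = defaultdict(set)
    for r in records:
        rates[r.src].append(r.pps)
        services[r.src].add((r.dport, r.proto))
    stats = {h: (mean(v), pstdev(v)) for h, v in rates.items()}
    return {"rate": stats, "services": services}


def anomaly_detect(records, baseline, k=3.0):
    """Anomaly-based: flag a host whose rate exceeds mean + k*stddev of its
    own baseline (stddev floored at 1.0 so a flat baseline is not hair-trigger).
    Hosts with no baseline cannot be judged this way."""
    hits = []
    for r in records:
        if r.src not in baseline["rate"]:
            continue
        mu, sigma = baseline["rate"][r.src]
        if r.pps > mu + k * max(sigma, 1.0):
            hits.append((r.t, r.src, r.pps))
    return hits


def behavioral_detect(records, baseline):
    """Behavioral: flag a host using a (port, protocol) it never used during
    the baseline, and any host the baseline has never seen at all."""
    hits = []
    for r in records:
        known = baseline["services"].get(r.src)
        if known is None or (r.dport, r.proto) not in known:
            hits.append((r.t, r.src, r.dport, r.proto))
    return hits


if __name__ == "__main__":
    b = build_baseline(BASELINE)
    print("signature :", signature_detect(OBSERVED))
    print("anomaly   :", anomaly_detect(OBSERVED, b))
    print("behavioral:", behavioral_detect(OBSERVED, b))
```

Each strategy catches something the others miss: the signature matcher sees only the payload at second 6, the rate anomaly sees only the spike at second 7, and the behavioral profile flags both the new port at second 7 and the unknown host at second 9 that the anomaly detector had to skip for lack of a baseline. That complementarity is why the slide lists several strategies rather than one.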

Page 23

IDS/IPS

Page 24

Remote Access

• Identify all remote access points into the network infrastructure.

• Driven by the need to promote business productivity

• Expanding the perimeter

• Requires strict access controls and continuous activity monitoring

Page 25

Remote Access

Page 26

Security Event Management

• The collection and correlation of events from all devices attached to the network infrastructure.

• Provides insight into events which would go unnoticed at any single defense layer

• Provides automated alerts of suspicious activity
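The slide's claim is that correlation across devices surfaces activity no single layer would flag. The Python below is an added example, not from the talk, of that correlation: constructed log lines from a firewall, a VPN concentrator and an IDS sensor are parsed into one stream and joined on source address inside a sliding time window. The log format, device names, addresses and timestamps are all constructed.

```python
"""Cross-device event correlation: events from a firewall, a VPN
concentrator and an IDS sensor are collected in one place and joined on
source address within a time window. Each device's own view is routine;
the combined view is what raises the alert.
Added illustration, not from the talk; the log format, device names and
log lines are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "<timestamp> <device> <event> key=value ..."
LOGS = [
    "2006-03-01T10:00:01 fw01 DENY src=203.0.113.9 dst=10.10.30.7 dport=5432",
    "2006-03-01T10:00:03 fw01 DENY src=203.0.113.9 dst=10.10.30.7 dport=1433",
    "2006-03-01T10:01:10 vpn01 AUTH_FAIL user=jsmith src=203.0.113.9",
    "2006-03-01T10:02:30 ids01 ALERT sig=TEST-SIG-1 src=203.0.113.9 dst=192.0.2.10",
    "2006-03-01T10:03:00 fw01 DENY src=198.51.100.4 dst=10.10.20.5 dport=22",
    "2006-03-01T11:30:00 vpn01 AUTH_FAIL user=admin src=198.51.100.4",
    "this line is malformed and should be skipped",
]

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<device>\S+) (?P<event>\S+)(?P<rest>(?: \S+=\S+)*)$"
)


def parse_line(line):
    """Parse one line into a dict, or None when it does not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    return {"ts": datetime.fromisoformat(m.group("ts")),
            "device": m.group("device"), "event": m.group("event"), **fields}


def parse_logs(lines):
    """Collection step: normalise every device's lines into one event list."""
    return [e for e in map(parse_line, lines) if e is not None]


def single_layer_counts(events):
    """What each device sees on its own: counts of its own event types,
    none of which is alarming by itself."""
    return Counter((e["device"], e["event"]) for e in events)


def correlate(events, window=timedelta(minutes=5), min_devices=2):
    """Correlation step: one alert per source address that is reported by
    at least min_devices different devices inside a sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if "src" in e:
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            devices = sorted({e["device"] for e in in_window})
            if len(devices) >= min_devices:
                alerts.append({"src": src, "devices": devices, "count": len(in_window),
                               "start": first["ts"], "end": in_window[-1]["ts"]})
                break  # report each source once
    return alerts


if __name__ == "__main__":
    events = parse_logs(LOGS)
    print("per-device view:", dict(single_layer_counts(events)))
    for a in correlate(events):
        print(f"ALERT {a['src']} seen by {a['devices']} "
              f"({a['count']} events, {a['start']} .. {a['end']})")
```

Seen in isolation, `fw01` logged three denies, `vpn01` two failed logins and `ids01` one alert, which is the normal background on any busy network. Joined on source address, 203.0.113.9 shows up at all three layers within three minutes and gets an automated alert, while 198.51.100.4 does not, because its two events are 87 minutes apart and come from different layers only when the window is widened. The window and device threshold are the tuning knobs that decide how much noise the correlation tolerates.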

Page 27

Security Event Management

Page 28

Vulnerability Management

• Continuous process of assessing and evaluating the network infrastructure

• Multiple views / perspectives

• Integration with Patch Management and ticketing systems

• Configuration & maintenance validation

Page 29

Vulnerability Management

Page 30

Additional Defenses: Connecting the Hosts & Network

• Security Policies

• Network Admission Control (NAC)

• Authentication Services

• Data Encryption

• Patch Management

• Application Layer Gateway

Page 31

Network Security: A Defense-in-Depth Approach

Jason A. Wessel, AVP Security Services

CADRE – Information [email protected]

888-TO-CADRE