information security

Upload: titus

Post on 04-Jan-2016


DESCRIPTION

Information Security. Overview of Technologies & Solutions. Information Security. Introduction The Enterprise Network Defense in Depth What to protect against? Technologies & Solutions Perimeter Technologies Internal Technologies Consulting Audit, Implementation & Support. Introduction. - PowerPoint PPT Presentation

TRANSCRIPT

  • Information Security

    Overview of Technologies & Solutions

  • Information Security

    Introduction

    The Enterprise Network

    Defense in Depth

    What to protect against?

    Technologies & Solutions

    Perimeter Technologies

    Internal Technologies

    Consulting

    Audit, Implementation & Support

  • Introduction

    The security of your network is evaluated daily; the question is:

    Are you the one doing it?

  • Introduction

    Good Information Security provides:

    Data confidentiality: ensure that no data is disclosed, intentionally or unintentionally.

    Data integrity: ensure that data is not modified by unauthorized personnel, that no unauthorized changes are made by authorized personnel, and that data remains consistent, both internally and externally.

    Data availability: provide reliable and timely access to data and resources.

  • The Enterprise Network

    Diagram labels: Branch Office, Telecommuter, Corporate HQ, Public Internet

  • Defense in Depth

    How?

    Secure the perimeter

    Secure the internal network

    Account for the human factor

    Using a layered approach:

    Increases an attacker's risk of detection

    Reduces an attacker's chance of success

  • Defense in Depth

    Policies, Procedures, & Awareness: user education against social engineering

    Physical Security: guards, locks, tracking devices

    Perimeter: firewalls, VPN quarantine

    Internal Network: network segments, IPSec, NIDS

    Host: OS hardening, update management, authentication

    Application: application hardening, antivirus

    Data: ACL, encryption

  • Network Security

    Network Security focuses on perimeter and internal network solutions

    Perimeter: Firewalls, VPN, NIDS, Anti-Spam

    Internal Network: Network segments (VLANs), IPSec, NIDS, Network Access Protection

  • Why do we need Network Security?

    First look at what you need to protect:

    Data (company resources)

    Services (applications or their individually accessible parts, and the people using them)

    Protect against what?

    Malware (viruses, spyware, ...)

    Spam (steals resources and productivity)

    Hackers (network penetration, defacements, DoS attacks, ...)

    Internal users (unauthorized access, ...)

  • Common Threat Classification

    Threats against the network: spoofed packets, etc.

    Threats against the host: buffer overflows, illicit paths, etc.

    Threats against the application: SQL injection, XSS, input tampering, etc.

  • Examples of Network Threats

  • Typical Pattern of an Attack

    Enter the network through SQL injection, etc.

    Install or use port proxy software to open inbound connections

    Remotely control the host to mount further attacks from inside until a domain controller is accessible

    Gain control of the desired resources

    Erase traces of the attack and remove installed software

  • How to protect yourself?

    Technologies & Solutions

    Secure the perimeter

    Secure the internal network

  • Perimeter Technologies

    Firewall (Packet Filter, Stateful, Proxy)

    Intrusion Detection System (IDS, IPS)

    Virtual Private Network (IPsec, SSL)

    Anti-Spam (Mail relay, AV)

    Anti-Spyware (URL filtering, AV)

    Anti-Virus

  • Firewall - Static Packet Filter

    Every router is a static packet filter (including your ISP router)

    First incoming and last outgoing layer of your network security

    Faster at screening traffic than stateful or proxy firewalls

    But it has no knowledge of state, and is thus less secure than most common firewalls

  • Firewall - Stateful

    Most common type of firewall today

    Keeps track of state; blocks traffic that is not in its table of established connections

    Slower at screening traffic than a packet filter, but more secure

  • Firewall - Proxy

    Most advanced, least common type of firewall (is also a stateful firewall)

    Higher degree of security because internal and external hosts never communicate directly

    Examines the entire packet to ensure compliance with the protocol that is indicated by the destination port number

  • Firewall - Basic theory of operation

    Diagram labels: External Network (Internet), Intermediate Network (DMZ), Internal Network (LAN), Connection allowed, Connection refused

    A firewall divides your internal network from an external network (usually the Internet).

    If the incoming connection is an answer to an outgoing connection, the connection is allowed; if not, the connection is dropped. (Stateful)

    Most firewalls have DMZ functionality, allowing you to further divide your network in order to supply some Internet-facing services to your users.
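The stateful rule on this slide, worked through in code as an added example (this is not code from the presentation or from any firewall vendor): outbound connections from the LAN populate a state table, inbound packets are allowed only when they match a table entry or an explicitly published DMZ service, and everything else from the outside is dropped. The LAN prefix, DMZ address and sample packets are constructed.

```python
"""Minimal stateful packet filter (added example, not from the presentation).
It implements the rule the slide states: inbound traffic is allowed only when
it answers a connection an internal host opened, or reaches a published DMZ
service; every other connection from the outside is dropped."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFirewall:
    def __init__(self, lan: str, dmz_services: set) -> None:
        self.lan = ipaddress.ip_network(lan)
        self.dmz_services = dmz_services   # (proto, dmz_ip, port) reachable from outside
        self.table: set = set()            # connections opened from the inside

    def _is_internal(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.lan

    def filter(self, pkt: Packet) -> str:
        """Return 'allow' or 'drop' for one packet and update the state table."""
        if self._is_internal(pkt.src):
            # Outbound: remember the 5-tuple so the reply is recognised later.
            self.table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound: reverse the tuple and look for the matching outbound entry.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "allow"
        if (pkt.proto, pkt.dst, pkt.dport) in self.dmz_services:
            return "allow"   # explicitly published Internet-facing service
        return "drop"        # unsolicited inbound connection attempt


def run_demo() -> list:
    """Constructed traffic: a LAN client browsing out, the reply, a request to
    the DMZ web server, and an unsolicited connection to an internal host."""
    fw = StatefulFirewall("10.0.0.0/8", {("tcp", "192.0.2.10", 80)})
    traffic = [
        Packet("10.0.0.5", 40000, "198.51.100.20", 443),   # LAN -> Internet
        Packet("198.51.100.20", 443, "10.0.0.5", 40000),   # reply to the above
        Packet("198.51.100.77", 51515, "192.0.2.10", 80),  # Internet -> DMZ web
        Packet("198.51.100.77", 51515, "10.0.0.5", 445),   # Internet -> LAN SMB
    ]
    return [fw.filter(p) for p in traffic]


if __name__ == "__main__":
    print(run_demo())  # ['allow', 'allow', 'allow', 'drop']
```

A static packet filter that only looks at addresses and ports cannot tell the second packet (a legitimate reply) from the fourth (an unsolicited connection); the state table is what makes that distinction possible.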

  • Firewall Solutions

    Juniper (formerly NetScreen)

    Check Point

  • Firewalls - Juniper

    Integrated Firewall/IPSec VPN

    NetScreen 500/200/50/25/XT/GT/HSC

    Solution includes:

    Stateful Inspection (perimeter defense)

    Deep Inspection (application-level protection)

    Built-in Antivirus (protects remote locations)

    Web filtering (prevents inappropriate web usage)

    Secure Remote Access (IPsec VPN Secure Client)

  • Firewalls - Check Point

    Firewall: FireWall-1

    Solution includes:

    Comprehensive application protection

    Industry-leading management

    High performance

  • Other Technologies

    So if we buy a firewall we are safe?!

    Why NOT? Weaknesses in the TCP/IP suite:

    IP Address Spoofing

    Covert Channels

    IP Fragment Attacks

    TCP Flags

    SYN Flood

    Connection Hijacking

  • Intrusion Detection System

    Gateway Intrusion Detection System

    A network intrusion detection system which acts as a network gateway

    Designed to stop malicious traffic and generate alerts on suspicious traffic

    An ideal gateway IDS is able to stop all known exploits

  • GIDS vs NIDS (Placement)

    GIDS:

    Acts as network gateway

    Stops suspect packets

    Prevents successful intrusions

    False positives are VERY bad

    NIDS:

    Only observes network traffic

    Logs suspect packets and generates alerts

    Cannot stop an intruder

    False positives are not as big of an issue

  • IDS - Basic theory of operation

    Much like a bridging firewall, an IDS makes forward/drop decisions:

    - This packet is always good, so pass it into my network.

    - This packet is always bad, so drop it and tell me about it.

    - This packet is sometimes bad, so tell me about it, but don't drop it.

  • IDS Solutions

    Juniper

    Check Point

  • IDS - Juniper

    IDS / IPS: NetScreen-IDP 10/100/500/1000

    Solution includes:

    Eight different detection methods are used to protect the network from network, application and hybrid attacks

    Understands state to pinpoint exactly where an attack can be perpetrated, and only looks there

    Ability to define a response action in the rulebase for detected attacks

    Sub-second stateful failover between Juniper Networks devices without losing sessions

    Enables closed-loop investigation, linking directly from the log to the rule that triggered it and the session's packet capture

  • IDS - Check Point

    IDS / IPS: IntruShield

    Solution includes:

    Unprecedented flexibility of IDS deployment, including in-line, tap, and span modes to suit any network security architecture

    Thorough analysis of traffic at multi-gigabit rates that builds and maintains traffic state information and performs comprehensive protocol analysis

    Intelligent detection of known, unknown, and DoS attacks using a combination of signature, anomaly and DoS detection techniques

    Proactive capability to stop in-progress attacks, coupled with a rich set of alerting and response actions

    Powerful capability to set multiple, highly granular, custom intrusion policies within a single sensor

  • VPN

    A Virtual Private Network is a service that offers a secure, reliable connection over a shared public infrastructure such as the Internet.

    Two main types: Remote Access; Site-to-site

    Two main technologies: IPsec (and L2TP); SSL

  • VPN - Remote Access

    Secure remote access for mobile users and/or home office.

    Using a secure software client or hardware device for IPsec, or a web browser for SSL-based VPN

    If you are able to connect to the Internet, you are able to connect to the corporate network

  • VPN - Site-to-Site

    Valid replacement for leased lines and Frame Relay connections to connect different sites.

    Using specialized VPN devices, or built into a firewall

    If both your sites have Internet connectivity, they can be connected using VPN

  • VPN - Basic theory of operation

    Diagram labels: Site-to-Site VPN, Remote Access

    A VPN tunnel is set up using a secure client or an SSL-capable web browser. All data sent through the tunnel is encrypted: the packets can still be captured, but if they are, they are encrypted.

  • VPN - IPsec

    Usually employs custom software at each of the endpoints (the device and the client)

    Normally utilizes OSI Layer 3 protocols (AH, ESP)

    Authentication Header provides two-way device authentication (implemented in hardware or software)

    Encapsulating Security Payload protocol provides data encryption (3DES, AES)

  • VPN - SSL

    Employs a web browser at the client side and a device at the corporate side

    SSL is a network layer protocol

    SSL uses certificates to prove the identities of both endpoints

    All traffic is encrypted using a shared key and a negotiated encryption algorithm (3DES, AES)

  • VPN Solutions

    Juniper

    Check Point

  • VPN - Juniper

    IPsec VPN: built into the firewall range of products

    Solution includes:

    Secure client enables adherence to security policy

    SSL VPN: NetScreen-RA 500, NetScreen-SA 1000/3000/5000

    Solution includes:

    Secure access for remote/mobile employees, with no client software required

    Secure LAN, intranet, and extranet access for employees, business partners, and customers

    Hardware-based SSL acceleration

    Hardware-based HTTP compression

    Dynamic access privilege management, with three access methods

  • VPN - Check Point

    IPsec VPN: VPN-1, VPN-1 Edge, VPN-1 VSX

    Solution includes:

    Simple VPN deployment

    Highest level of security

    Easy-to-use centralized management

    Unparalleled performance

    High availability

    SSL VPN: SSL Network Extender

    Solution includes:

    Network-level connectivity over SSL VPN

    Support for all IP-based applications

    Combined IPSec and SSL VPN solution

    Integrated with Check Point VPN-1

  • Anti-Spam (Spam Firewall)

    Acts as a mail relay server: accepts incoming mail, scans the content and forwards the mail to the back-end mail server.

    Usually in combination with an antivirus scanning engine, to deliver spam- and virus-free e-mail.

    Prevents direct access to your e-mail server

  • Anti-Spam (Spam Firewall)

    Diagram label: Anti-Spam Firewall

  • Anti-Spam - Basic theory of operation

    E-mail is delivered to the Spam Firewall

    E-mail is checked against IP block lists; antivirus scanning is performed; user rules are applied; spam fingerprint, intention analysis, Bayesian analysis and rule-based scoring checks are performed

    Clean e-mail is relayed to the internal mail server
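The check sequence on this slide, as an added example that is not code from the presentation or from any vendor product: a relay-side pipeline that runs the cheap, high-confidence checks (IP block list, virus signature, user rules, spam fingerprint) before the Bayesian and rule-based scoring, and only scores what survives. The block list, virus hash, token probabilities, rule weights and threshold are all constructed sample data.

```python
"""Staged spam-firewall pipeline in the order the slide lists (added example,
not from the presentation or any vendor product).  Cheap, high-confidence
checks run first, so listed senders and infected mail never reach scoring."""
import hashlib
import math
import re
from dataclasses import dataclass

@dataclass
class Message:
    sender_ip: str
    subject: str
    body: str
    attachment_sha256: str = ""   # empty when the mail carries no attachment

# Constructed feeds and weights standing in for what a real gateway downloads.
IP_BLOCK_LIST = {"203.0.113.9"}                        # DNSBL-style listing
VIRUS_HASHES = {"0" * 64}                               # placeholder signature hash
KNOWN_SPAM_FINGERPRINTS = {hashlib.sha256(b"claim your prize now").hexdigest()}
USER_ALLOW_TAGS = ("[ticket]",)                         # per-user allow rule
TOKEN_SPAM_PROB = {"free": 0.95, "winner": 0.90, "click": 0.85,
                   "meeting": 0.05, "invoice": 0.30}
SCORING_RULES = [("subject", re.compile(r"^[A-Z0-9 !]{12,}$"), 1.5, "shouting subject"),
                 ("body", re.compile(r"https?://", re.I), 0.5, "contains link")]
SPAM_THRESHOLD = 3.0

def fingerprint(body: str) -> str:
    """Hash of the whitespace-normalised body, matching near-identical bulk mail."""
    return hashlib.sha256(re.sub(r"\s+", " ", body.lower()).strip().encode()).hexdigest()

def bayes_probability(text: str) -> float:
    """Naive Bayes combination of the known per-token spam probabilities."""
    probs = [TOKEN_SPAM_PROB[t] for t in re.findall(r"[a-z]+", text.lower())
             if t in TOKEN_SPAM_PROB]
    if not probs:
        return 0.5                                      # no evidence either way
    spam, ham = math.prod(probs), math.prod(1 - p for p in probs)
    return spam / (spam + ham)

def classify(msg: Message) -> tuple:
    """Return (verdict, reason); verdict is 'reject', 'quarantine' or 'deliver'."""
    if msg.sender_ip in IP_BLOCK_LIST:
        return "reject", "sender IP on block list"
    if msg.attachment_sha256 in VIRUS_HASHES:
        return "quarantine", "attachment matches virus signature"
    if msg.subject.lower().startswith(USER_ALLOW_TAGS):
        return "deliver", "user allow rule"
    if fingerprint(msg.body) in KNOWN_SPAM_FINGERPRINTS:
        return "reject", "known spam fingerprint"
    score = 3.0 * bayes_probability(msg.subject + " " + msg.body)
    for field_name, rule, weight, _name in SCORING_RULES:
        if rule.search(getattr(msg, field_name)):
            score += weight                             # rule-based scoring
    verdict = "quarantine" if score >= SPAM_THRESHOLD else "deliver"
    return verdict, f"score {score:.2f}"
```

Only mail that passes every stage is relayed to the internal mail server, which is why the back-end server never has to talk to the sending host directly.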

  • Anti-Spam Solutions

    Barracuda

    Trend Micro

  • Anti-Spam - Barracuda

    Anti-Spam Firewall 200/300/400/600/800

    Outbound Mode 200/300/400/600/800

    Solution includes:

    Spam Filter: Content-Based Filtering; Bayesian Algorithms; Denial of Service Protection; Anti-Spoofing; Anti-Phishing

    Virus Filter: Dual-Layer Virus Blocking; Decompression of Archives; File Type Blocking

  • Anti-Spam - Trend Micro

    Anti-Spam: Spam Prevention Solution (SPS 2.0)

    Solution includes:

    Advanced Filtering, Analysis, and Updating Capabilities

    Comprehensive Reporting and Auditing

    Dynamic, Flexible Heuristic Technology

    Ease of Administration and Configuration

    High Performance and Scalability

    Seamless Integration with Antivirus and Content Security Offerings

  • Anti-Spyware (Gateway)

    Gateway device to stop spyware installations, block spyware sites and scan for spyware signatures

    Some solutions can detect spyware on user desktops and target them for cleaning

    Usually combined with antivirus solutions

  • Anti-Spyware - Basic theory of operation

    If a user requests access to a website, the device checks whether the site is listed in the known spyware sites list; if not, the request is proxied. The content of the requested site is then scanned for spyware (and viruses); if the content is spyware- and virus-free it is delivered to the client, if not it is dropped.

    Diagram label: Spyware & AV Proxies

  • Anti-Spyware Solutions

    BlueCoat

    Barracuda

  • Anti-Spyware - BlueCoat

    Anti-Spyware: Spyware Interceptor, ProxySG + ProxyAV

    Solution includes:

    Easy, affordable, and effective spyware prevention

    Automatically updates spyware profiles, policies, and prevention techniques

    Backed by world-leading experts in web proxy performance and security at Blue Coat Labs

  • Anti-Spyware - Barracuda

    Anti-Spyware: Spyware Firewall 210/310/410

    Solution includes:

    Stops spyware downloads (including drive-by downloads)

    Stops virus downloads

    Blocks access to spyware websites

    Detects spyware access to the Internet

    Facilitates spyware removal

    Website category blocking

    Content inspection

    Flexible policy enforcement

  • Antivirus (Gateway)

    Provides Internet gateway protection against viruses (HTTP, FTP, SMTP traffic)

    If combined with an internal antivirus solution, provides dual-layer protection (different vendors)

    Usually a combination of Anti-Spyware, Anti-Virus and Anti-Spam on the gateway

  • Anti-Virus (Gateway) - Basic theory of operation

    Requested web content is scanned with the antivirus engine on the proxy server

    Clean content is delivered to the clients.

    Diagram label: Spyware & AV Proxies

  • Anti-Virus (Gateway) Solutions

    Trend Micro

    BlueCoat

  • Anti-Virus - Trend Micro

    Anti-Virus: InterScan Web Security Suite

    Solution includes:

    Comprehensive Web Security

    Leading Virus Protection

    Anti-phishing

    Anti-spyware

    URL Filtering Module

    Scalable and Flexible

    Centralized Management and Coordination

  • Anti-Virus - BlueCoat

    Anti-Virus: ProxySG with Web Virus Scanning

    Solution includes:

    Visual Policy Manager

    Policy processing engine

    Custom splash pages

    Content stripping

    ProxyAV integration

    ICAP server integration

    Auto-sense settings

  • Internal Technologies

    LAN security using perimeter devices

    Network Access Protection

    Network segmentation (VLANs)

    Strong Authentication

    Malware protection

    WLAN security

  • LAN Security using perimeter devices

    Ingress and egress filtering on every router

    Internal firewalls to segregate resources

    Proxies to enhance performance and security

    IDS sensors to function as canaries in a coal mine and monitor the internal network

  • Network Access Protection

    Provides endpoint security for access to your LAN.

    Makes sure every device complies with your corporate access policy before LAN access is allowed

    Prevents rogue devices from accessing your network

  • Network Access Protection - Basic theory of operation

    Client device requests access to the network (cable is plugged in)

    A policy compliance check is performed by a device/server to see if the client has the necessary access rights (802.1X) and the required anti-virus and operating system updates.

    If the client complies with policy, access to the network is allowed

    If the client does not comply, the client is placed in a quarantine network section and updated to comply with the corporate policy
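The access decision described on this slide, as an added example that is not code from the presentation or from any vendor product: the 802.1X result gates everything, the health checks (anti-virus signature age, missing OS patches) decide between the production VLAN and the quarantine VLAN, and each failed check is recorded so the quarantined client can be brought back into compliance. The policy limits, VLAN numbers, MAC addresses and client states are constructed.

```python
"""Policy-compliance check for network access (added example, not from the
presentation or any vendor product).  It follows the sequence the slide gives:
802.1X identity first, then anti-virus and OS update state, with a quarantine
VLAN for clients that fail the health check."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

@dataclass
class Endpoint:
    mac: str
    authenticated: bool            # outcome of the 802.1X/EAP exchange (assumed input)
    av_signature_date: date        # last anti-virus signature update on the client
    missing_critical_patches: int  # as reported by the client's update agent

@dataclass
class AccessPolicy:
    max_signature_age_days: int = 3
    max_missing_patches: int = 0
    production_vlan: int = 10
    quarantine_vlan: int = 99

@dataclass
class Decision:
    action: str                    # "allow", "quarantine" or "deny"
    vlan: Optional[int]
    reasons: List[str] = field(default_factory=list)

def evaluate(ep: Endpoint, policy: AccessPolicy, today: date) -> Decision:
    # Step 1: no proven identity means no network at all, not even quarantine.
    if not ep.authenticated:
        return Decision("deny", None, ["802.1X authentication failed"])
    # Step 2: health checks; every failure is recorded so remediation is targeted.
    reasons = []
    age = (today - ep.av_signature_date).days
    if age > policy.max_signature_age_days:
        reasons.append(f"anti-virus signatures {age} days old")
    if ep.missing_critical_patches > policy.max_missing_patches:
        reasons.append(f"{ep.missing_critical_patches} critical OS patches missing")
    # Step 3: compliant clients join production; the rest go to the quarantine VLAN.
    if reasons:
        return Decision("quarantine", policy.quarantine_vlan, reasons)
    return Decision("allow", policy.production_vlan)

def run_demo() -> List[str]:
    """Constructed clients: one healthy, one out of date, one unauthenticated."""
    today, policy = date(2016, 1, 4), AccessPolicy()
    clients = [
        Endpoint("00:11:22:33:44:01", True, date(2016, 1, 3), 0),
        Endpoint("00:11:22:33:44:02", True, date(2015, 12, 1), 2),
        Endpoint("00:11:22:33:44:03", False, date(2016, 1, 4), 0),
    ]
    return [evaluate(c, policy, today).action for c in clients]
```

In a real deployment the VLAN number in the decision is what the switch applies to the port through 802.1X, so the quarantined client can reach only the update servers until it passes the check again.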

  • Network Access Protection - Solutions

    Check Point

  • Network Access Protection - Check Point

    Network Access Protection: Total Access Protection

    Solution includes:

    VPN Remote Access Policy Enforcement

    Web Remote Access Policy Enforcement

    Internal Policy Enforcement with 802.1X-compatible Gateways

    Rogue Access Prevention with 802.1x-compatible Gateways

    Internal Policy Enforcement with InterSpect

    Standalone Enforcement

  • Network Segmentation (VLANs)

    Divide your physical network into several logical entities (Virtual LANs) to prevent unauthorized access to certain parts of your LAN

    VLAN membership based on identity (802.1x)

    Increases security and traceability in your local network

  • VLANs - Basic theory of operation

    A VLAN-capable switch divides your LAN into segments only; access rules define who can access which other segment of your network.

    Membership of a VLAN can be based on the identity of the device that requests access (802.1x)

  • Network Segmentation Solutions

    HP ProCurve

    Nortel

  • Network Segmentation - ProCurve

    Network Segmentation: Identity driven management; Dynamic VLANs

    Solution includes:

    Access Control: based on users' business needs.

    Access Rights: not only based on the individuals and their group associations, but also day, time and location.

    Policy Enforcement: on a per-user, per-session basis.

  • Network Segmentation - Nortel

    Network Segmentation: Dynamic VLAN assignment

    Solution includes:

  • Strong Authentication

    Traditional static passwords are insecure: if you can guess someone's password, you have access.

    Strong Authentication requires you to both have something (token, fingerprint, etc.) and know something (PIN code, password)

    Information on the token is encrypted for added security

    Can be used for computer logon, single sign-on, secure remote access

  • Strong Authentication Solutions

    SafeWord

    Vasco

    ActivCard

  • Strong Authentication - SafeWord

    Strong Authentication

    Solution includes:

  • Strong Authentication - Vasco

    Strong Authentication

    Solution includes:

  • Strong Authentication - ActivCard

    Strong Authentication

    Solution includes:

  • Malware protection

    Corporate managed antivirus and anti-spyware solutions

  • Malware Protection Solutions

    Trend Micro

  • WLAN security

    Secure access to your corporate LAN

    Defend against rogue access points

    Identity-based wireless access

    Usage of strong encryption and key exchange protocols

  • WLAN Security

    Pre-802.11i security (WPA) as a replacement for the insecure WEP model

    Includes TKIP (Temporal Key Integrity Protocol) and 802.1x (identity) protocols

  • Security Consulting Services

    Audit, design, implementation and support of your secure networking infrastructure

    Customized training based on implemented solutions or at customer request

    Coaching of the IT division when selecting and implementing security solutions