security frameworks - ccc

Security Frameworks

An Enterprise Approachto Security

Robert “Belka” Frazier, CISSP

[email protected]

Security

Security is recognized as essential to protectvital processes and the systems that providethose processes

Security is not something you buy, it issomething you do

What is Security?

Security is no longer just controlling theperimeter or layered

Transactions use all of the network, fromDMZ to Database

ALL of the network and resident systemshave to be secured

What Securing All of the EnterpriseReally Means…..

– Firewalls, routers, applications, passwords

– Intrusion detection – NIDS and HIDS

– Proactive scanning, pen testing

– System Configuration Monitoring – “Health Checking”

– VoiP, Wireless, Embedded Systems

– 24x7 Monitoring

– Analytical review and correlation

– Policies, Procedures, Personnel

What Is Effective Security

– Combination of appliances, software, alarms, andvulnerability scans working together in a well-thought out architecture

– Extends to policies, procedures, and people

– Monitored 24x7

– Designed to support the security goals of theEnterprise

The Security Framework

– The Security Framework is a coordinated systemof security tools

– Similar to the Enterprise management framework

– Extends end to end of the customer enterprisearchitecture

– Security data centrally monitored 24x7 in aSecurity Operations Center

– Data analyzed using correlation tools

Security Framework Considerations

– Mapped to the customer’s architecture to provideend to end security

– Uses existing commercial and open source tools

– Leverages existing security infrastructure toquickly build out the security framework

Benefits of a Security Framework

Provides Enterprise security that is :– Consistent– Constant– Covers everything

Characteristics of Good Enterprise Securityare:– Reliable– Robust– Repeatable

Benefits of a Security Framework(continued)

An Effective Security Framework is:– Monitored

– Managed

– Maintained

This is the “raison d’être” for a SecurityFramework

Security Frameworks

Using the FrameworkApproach

Map Security Framework toEnterprise Architecture

The Security framework follows structure ofOpen Systems Interconnect (OSI) 7-LayerNetwork Reference Model

1. Physical

2. Data Link

3. Network

4. Transport

5. Session

6. Presentation

7. Application

Additional Layers of the SecurityFramework

– The security framework adds the financialand “political” layer (8 & 9)

The Security Framework --Physical Layer

Physically secure and mange the cable plant

– Wiring closets

– WAN connections

– CSU/DSU

Physically secure and control access to networking equipment

– Routers

– Hubs

– Switches

Physically secure and control access to servers, mainframes

Provide redundant power and WAN connections

The Security Framework-- DataLink and Network Layers

VPNs protecting the links between networks

Network Intrusion Detection Systems (NIDS) watching traffic forattacks

Host Intrusion Detection Systems (HIDS) protectingconnections to critical servers/hosts

Virus scanning taking place on traffic coming in from outsidethe customer’s network.

The Security Framework-- Networkand Transport Layer

Firewall performing stateful inspection of incoming andoutgoing packets

Router Access Control Lists (ACLs) filtering packets boundbetween networks

Virus scanning of attachments at the e-mail gateways

The Security Framework-- Session,Presentation and Application Layers

OS and application hardening at the system level

Conduct security health checking to determine if securitypolices for types of applications allowed to run, passwordcomposition and length, services allowed on hosts, etc. arebeing followed

Provide vulnerability scanning to test the configuration ofapplications and systems, looking for vulnerabilities, missingpatches, etc.

Conduct penetration tests to determine if machines can beexploited and privileged access gained

The Security Framework-- Presentationand Application Layers

User account management on the network

User account management on individual systems

User account management for specific applications, RDBMS,etc.

Virus scanning and updates on individual machines and userdesktops

Role & Rules Based Access Control (RBAC)

PKI and digital certificates

The Security Framework--Financial Layer

Leverages existing security infrastructure to reduce costs

Provides an operational framework for conducting regularsecurity checks

Lends itself to outsourcing to a managed security serviceprovider

New technologies can be incorporated into the securityframework

Security costs are easier to identify, budget, and control.

Security Framework– the “Political”Layer

Provides a platform to align security with business goals just asenterprise system management normalizes the enterprise

Framework is extensible to and modular, flexible to meetchanging business objectives.

Security Frameworks

A More DetailedTechnical Look

Mapping Security FrameworkComponents to the Architecture

Monitor network traffic and system logs to comparewhat's happening in real-time to known methods ofhackers. When a suspicious event is detected, an alarmis kicked off. In addition the Intrusion Detection systemmay suspend or drop the offending connection, all whilerecording as much information as possible

Layer 2/3 – Data Link andNetwork LayersNetwork Intrusion

Detection (NIDS)

HIDS Sensor scans bit streams as they reach the hostsystem to match patterns and signatures that areindicative of an attack against the host or its applications.When a malicious pattern is detected the HID sends outan alert.

Layer 2/3 – Data Link andNetwork LayersHost Intrusion Detection

VPN tunnels encrypt data flowing over the data link toprotect it from outside scrutiny. Bit stream is encrypted,sent over the wire, and unencrypted at the far end.

Layer 2/3 – Data Link andNetwork LayersVirtual Private Networks

(VPN)

The Data Center controls physical cable pant connectingarchitecture together in a network. Provides physicalsecurity to networking components and hardware.Provides physical security to server hardware.Redundant power and WAN connections.

Layer 1 - Physical LayerService Delivery Center(SDC)

Architecture Component DescriptionArchitecture LayerSecurityComponent


Use Cisco IOS to create access control lists (ACLs) to filterIP packets. ACLs on routers can shape traffic and restricttraffic flow between network segments. IP addressschemes can segment the architecture by network, makingACLS and firewalls rules easier to manage.

Layer 3 & 4 – Network andTransport LayersRouters

Virus scanning software opens attachments entering andleaving the network to check for patterns and signatures thewould indicate malicious code.

Layer 3 & 4 – Network andTransport LayersVirus scanning of

attachments

A device or software that blocks Internet communicationsaccess to a private resource. The resource can be anetwork server running a firewall as an application or anappliance with firewall application running as firmware.

Layer 3 & 4 – Network andTransport Layers

Firewalls and firewallappliances

Virus canning software looks at bit streams flowing acrossdata link to match signature patterns that indicate maliciouscode and viruses.

Layer 2 & 3 – Data Link andNetwork Layers

Virus Scanning

Architecture Component DescriptionArchitecture Layer SecurityComponent


Team of trained ethical hackers attempt to gain access totarget machine, simulating a real world attack as amalicious intruder would to test the security architecture.

Layer 5, 6, 7 – Session,Presentation, ApplicationLayers

Vulnerability Assessment

Tool to scan for vulnerabilities, missing patches, new knownvulnerabilities and exploits. Tools are updated regularlyfrom CERT advisories, bug lists, and new exploit notices.


Vulnerability Scanning

Process of ensuring OS patches are up to date,unnecessary services are turned off, unneeded applicationsand tools are removed, and applications are patched.


OS & system Hardening

Mechanisms used by legacy systems to control access tosecure resources. These can include RACF, Top Secret,ACF2 and NT Domain Security. Legacy access controlscan also be used as part of credential synchronization(single sign-on) systems.

Layer 5 – Session Layer forLegacy systems

Legacy Access Control



Updates to anti-virus applications, scan engines, virussignatures, etc.

Layers 6 & 7, Presentation andApplication LayersVirus scan engine and

signature updates

Manage access to software and applications such asRDBMS, etc.

Layers 6 & 7, Presentation andApplication Layers

User accountmanagement onapplications

User account management on individual system.Management of privileged accounts, separation of dutiesbetween administrators

Layers 6 & 7, Presentation andApplication LayersUser account

management on systems

Managing user accounts on and access to the network.Uses Network NOS, Active Directory, LDAP, etc. toauthenticate.

Layers 6 & 7, Presentation andApplication Layers

User accountmanagement on thenetwork



24 x 7 security management using SOC to manage andmonitor security architecture. Ensures real time monitoringof the security of the network.

Layer 8 - Financial LayerSecurity OperationsCenter (SOC)

The security engine responsible for definition and decisionmaking around all security policies. Applications delegatesecurity decision making to the security engine. Thisdelegation occurs through existing security extension pointswithin the application domain. Security is seamless andnon-intrusive from the application's point of view

Layer 6 & 7 – Presentation andApplication Layers

Role Based AccessControl (RBAC)

Provides capabilities for the management of user credentialinformation. This information can be a user id, password,PKI, digital certificate or biometric information.

Layer 6 & 7 – Presentation andApplication Layers

PKI & CredentialManagement



A security framework can be implemented by usingmanaged security services that build, monitor, andmanage security across the enterprise.

Layer 8 – Financial LayerLends itself tooutsourced managedsecurity services

Security becomes part of the enterprise operations,providing consistent security management in the samefashion as enterprise system management. In the sameway, the security framework reduces the total cost ofsecurity.

Layer 8 – Financial LayerProvides an operationalframework for regularsecurity checks

Security tools, connections, trained personnel areleveraged to provide security services and build a securityframework for less than the cost to duplicate the sameservices as point security solutions

Layer 8 – Financial LayerUsing Existing SecurityInfrastructure



The cost of providing security becomes more predictableand manageable. Security costs are consolidated into theframework, facilitating budget and planning.

Layer 8 – Financial LayerSecurity cost are morepredictable

If new technology such as wireless networks are adopted,security controls can be added to the framework to managethe new initiatives. Networks added through acquisitionscan be quickly added to the security framework.

Layer 9 – Political LayerSecurity Framework ismodular, quicklyextensible

Security framework can be used to manage securityconsistently to meet business goals just as the enterprisesystem management manages the IT infrastructure to meetthe company objectives.

Layer 9 – Political LayerProvides a platform toalign security withbusiness goals

As network grow and merge, the framework can extendinto these new segments. New technologies such aswireless, VoIP, smart HVAC systems can also be managedand monitored by the security framework.

Layer 8 – Financial LayerExtensible to newnetworks andtechnologies


Security Framework by Services

Physical

Data Link

Network

Transport

Session

Presentation

Application

Wiring closets,cable plant, buildingaccess control,power, HVAC


Physical

Data Link

Network

Transport

Session

Presentation

Application

NIDS, HIDS

Virus Scanning


Physical

Data Link

Network

Transport

Session

Presentation

Application

Firewall, Routers, AccessControl Lists (ACLs), IPschemes, E-Mail AttachmentScanning


Physical

Data Link

Network

Transport

Session

Presentation

Application OS Hardening, Security HealthChecking, VulnerabilityScanning, Pen-Testing,


Physical

Data Link

Network

Transport

Session

Presentation

Application User Account Management on Systems,Role/Rule Bases Access Control, ApplicationSecurity, Virus Updates, Virus Signatures

Security Frameworks - Summary

To sum it all up

– Security Frameworks provide end to end security – from theDMZ to the Database

– Security is managed and monitored consistently andcontinually

– The security framework becomes the technology that turnssecurity policies into practice

– New technologies and new networks can plug into thesecurity framework

– Security costs become more predictable and manageable

Security Frameworks – More Q/A

Questions?

security frameworks - ccc

Documents