What is (not) Network Security


Upload: john-iliadis

Post on 28-Nov-2014


DESCRIPTION

Invited lecture, 2nd Annual Scientific Symposium of the Students of Information and Communication Systems Department, University of the Aegean, Samos, Greece, November 2007

TRANSCRIPT

Page 1: What is (not) Network Security

24/11/07

Network Security

What is (not) Network Security

John Iliadis, Network Security Administrator, TEIRESIAS S.A.

Page 2: What is (not) Network Security

Network Perimeter

• It is vital to guard our network perimeter, meaning…

• Access Control (in/out the perimeter borders)

• Confidentiality and integrity protection of information crossing network perimeters

• etc…

• Where is the network perimeter?

Page 3: What is (not) Network Security

What is (not) a network and its perimeter

[Diagram: the Internet and a single “Corporate Network” box with “perimeter” written along each of its edges; caption: No!]

Page 4: What is (not) Network Security

What is a network and its perimeter (1)

[Diagram: the Internet linking Associate’s Networks, a Remote Users’ network, an External Users’ network, the Corporate Main Site (a Trusted Internal Network containing a Management (Admin) Network and a User Subnetwork) and two Corporate Branch Networks (each a Trusted Internal Network with its own User Subnetwork and Management (Admin) Network); caption: Yes!]

Page 5: What is (not) Network Security

What is a network and its perimeter (2)

[Diagram: the Trusted Internal Network’s User Subnetwork divided into Users’ Subnets A, B, C and Services’ Subnets A, B, C]

Page 6: What is (not) Network Security

Some threats

• Lack of availability

• Breach of confidentiality

• Unauthorised access

Page 7: What is (not) Network Security

Lack/degradation of availability – 10 Countermeasures

• Good network planning

• Good network planning

• Good network planning

• Good network planning

• Good network planning

• Quality of Service

• Quality of Service

• Quality of Service

• Quality of Service

• Quality of Service

Page 8: What is (not) Network Security

Good network planning (1)

• Identify and document your network’s perimeter

• Subnet wisely
  • Meaningful subnets
  • Route summarisations
  • Documentation
  • Availability of address space per subnet

• Evaluate criticality of lines, based on business needs
  • Specific services’ unavailability
  • User dissatisfaction
  • Loss of income
  • Network security (e.g. unavailability of security updates)
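Two of the planning points above, address space per subnet and route summarisation, worked through in an added Python example that is not part of the lecture: it checks each planned subnet’s usable addresses against expected growth, collapses the plan into the summary routes a site router could advertise, and flags subnets carved outside the block reserved for the site. The subnet names follow the deck’s diagrams; the addresses, host counts and growth figures are constructed.

```python
import ipaddress

# Constructed subnet plan, not the lecturer's: (name, CIDR, hosts today,
# expected growth in percent). Names follow the deck's network diagrams.
PLAN = [
    ("Users' Subnet A", "10.1.0.0/24", 180, 150),
    ("Users' Subnet B", "10.1.1.0/24", 60, 150),
    ("Services' Subnet A", "10.1.2.0/26", 40, 120),
    ("Management (Admin) Network", "10.1.3.0/28", 10, 100),
    ("Branch User Subnetwork", "10.2.0.0/24", 90, 150),
]

def address_space_report(plan):
    """Per subnet: usable hosts, hosts needed after growth, and whether it fits.
    Usable excludes the network and broadcast addresses of an IPv4 subnet."""
    report = []
    for name, cidr, hosts, growth_pct in plan:
        usable = ipaddress.ip_network(cidr).num_addresses - 2
        needed = -(-hosts * growth_pct // 100)  # integer ceiling
        report.append((name, usable, needed, usable >= needed))
    return report

def undersized(plan):
    """Subnets that run out of addresses at the planned growth."""
    return [name for name, _, _, fits in address_space_report(plan) if not fits]

def summary_routes(plan):
    """Fewest aggregate prefixes covering every planned subnet: what the site
    router can advertise instead of one route per subnet."""
    nets = [ipaddress.ip_network(cidr) for _, cidr, _, _ in plan]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def outside_site_block(plan, site_block):
    """Subnets carved outside the block reserved for a site; they cannot be
    summarised with the rest and blur the documented perimeter."""
    site = ipaddress.ip_network(site_block)
    return [name for name, cidr, _, _ in plan
            if not ipaddress.ip_network(cidr).subnet_of(site)]

if __name__ == "__main__":
    for name, usable, needed, fits in address_space_report(PLAN):
        print(f"{name:28} usable={usable:4} needed={needed:4} {'ok' if fits else 'TOO SMALL'}")
    print("summary routes:", summary_routes(PLAN))
    print("outside 10.1.0.0/16:", outside_site_block(PLAN, "10.1.0.0/16"))
```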

Page 9: What is (not) Network Security

Good network planning (2)

• Redundant links
  • Auto/Manual
  • Bandwidth of redundant link depending on SLAs, estimated primary line downtime, cost

• Avoid Single Points of Failure (both primary and redundant link(s) going down)

Page 10: What is (not) Network Security

Good network planning (3) - Failover

[Diagram: Headquarters (Switch, Router) linked to the Branch (Router, Switch) over a Primary Line and a Backup Line that both run through Network Service Provider A]

Single Points of Failure:

• Switches
• Routers
• Internal building cabling
• External building cabling (e.g. construction work around the building)
• Network Service Provider’s network

Page 11: What is (not) Network Security

Good network planning (4) - Failover

[Diagram: Headquarters with Switch A/Router A and Switch B/Router B; the Primary Line runs via Network Service Provider A to the Branch’s Router A/Switch A, the Backup Line via Network Service Provider B to the Branch’s Router B/Switch B]
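The two failover designs on slides 10 and 11, modelled in an added Python example that is not part of the lecture: it lists every device or link whose loss alone disconnects Headquarters from the Branch, and shows that a backup line into the same router and provider leaves every other component a single point of failure, while the dual-provider design has none. Node and link names are constructed to follow the slide labels.

```python
# Constructed models of the two failover slides (not the lecturer's data):
# link name -> (endpoint, endpoint). HQ = Headquarters, NSP = Network Service
# Provider; cabling inside each building is modelled as a link as well.
ONE_PROVIDER = {  # slide "Good network planning (3)"
    "HQ cabling": ("HQ", "HQ Switch"),
    "HQ uplink": ("HQ Switch", "HQ Router"),
    "Primary Line": ("HQ Router", "NSP A"),
    "Backup Line": ("HQ Router", "NSP A"),  # same router, same provider
    "Branch downlink": ("NSP A", "Branch Router"),
    "Branch uplink": ("Branch Router", "Branch Switch"),
    "Branch cabling": ("Branch Switch", "Branch"),
}

def provider_path(tag, provider, line):
    """One fully separate path: its own switch, router, line and provider."""
    return {
        f"HQ cabling {tag}": ("HQ", f"HQ Switch {tag}"),
        f"HQ uplink {tag}": (f"HQ Switch {tag}", f"HQ Router {tag}"),
        line: (f"HQ Router {tag}", provider),
        f"Branch downlink {tag}": (provider, f"Branch Router {tag}"),
        f"Branch uplink {tag}": (f"Branch Router {tag}", f"Branch Switch {tag}"),
        f"Branch cabling {tag}": (f"Branch Switch {tag}", "Branch"),
    }

# slide "Good network planning (4)": Primary Line via NSP A, Backup Line via NSP B
TWO_PROVIDERS = {**provider_path("A", "NSP A", "Primary Line"),
                 **provider_path("B", "NSP B", "Backup Line")}

def reachable(links, start, goal, dead_nodes=(), dead_links=()):
    """Depth-first search over the links that survive the given failures."""
    live = [(a, b) for name, (a, b) in links.items()
            if name not in dead_links and a not in dead_nodes and b not in dead_nodes]
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node == goal:
            return True
        if node in seen:
            continue
        seen.add(node)
        stack.extend(b if a == node else a for a, b in live if node in (a, b))
    return False

def single_points_of_failure(links, start="HQ", goal="Branch"):
    """Nodes and links whose loss alone cuts start off from goal."""
    nodes = {n for pair in links.values() for n in pair} - {start, goal}
    cut = lambda **dead: not reachable(links, start, goal, **dead)
    return (sorted(n for n in nodes if cut(dead_nodes={n})),
            sorted(l for l in links if cut(dead_links={l})))
```

Note that neither line is a single point of failure in the first design, which is exactly what makes it look redundant on paper; the routers, switches, cabling and provider it still shares are.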

Page 12: What is (not) Network Security

Quality of Service (1)

All services are born equal. Some are more equal than others

• The need for QoS
  • Expected user experience (SLA or not)
  • Business traffic versus leisure traffic
  • Just won’t work without it (e.g. VoIP, some network management traffic)
  • Protect against malicious attempts (DoS, DDoS)

Page 13: What is (not) Network Security

Quality of Service (2)

• QoS – How To
  • Limit bandwidth
  • Limit packet rate
  • Guarantee bandwidth
  • Guarantee packet rate
  • Burst rates
  • Absolute values, fractions of total capacity, fractions of remaining capacity

• Best Effort: children of a lesser God

• Limitations imposed upon notification from IDS/IPS (fight DoS, DDoS)

• more…

Page 14: What is (not) Network Security

Breach of confidentiality (privacy?) - Countermeasures

• Encryption

  • SSL
  • IPsec
  • SSH tunnels
  • WEP?
  • Others…

Page 15: What is (not) Network Security

SSL – wrong implementations

InternetWeb ServerUser

HTTPS

IDS

HTTPS HTTPS

InternetWeb ServerUser

HTTP

IDS

HTTP HTTP

X

Before

After

Page 16: What is (not) Network Security

SSL – the proper way*

InternetWeb ServerUser

HTTPS

IDS

HTTPS

InternetWeb ServerUser

HTTP

IDS

HTTP HTTP

Before

After

Reverse Proxy or

SSL VPN

HTTP HTTP

*reduced privacy…

Page 17: What is (not) Network Security

IPsec – what is it not about

• Not about “securing communications”

• Not about “protecting confidentiality”

• Not about “preventing unauthorised access”

…then what?

Page 18: What is (not) Network Security

IPsec – what is it about

• It is about cryptography, and cryptography is about shifting the domain of a problem, i.e.

• Problem: “Protect confidentiality of communication”

• Solution: “Shift the problem’s domain from confidentiality protection to key management”

Page 19: What is (not) Network Security

Key Management – Symmetric Crypto

• Problem’s domain remains confidentiality protection, but
  • There is less data to be protected (the keys)
  • The data to be protected (the keys) is exchanged less frequently
  • The data to be protected (the keys) can be communicated out of band (more) easily

Page 20: What is (not) Network Security

Key Management – Asymmetric Crypto

• Problem’s domain changes to key material’s integrity protection

• Key material can (more) easily be communicated out of band

• Existing structures (e.g. PKI hierarchies, PGP web of trust, etc) to facilitate integrity protection, once the infrastructures have been jumpstarted

Page 21: What is (not) Network Security

WEP: Wireless Encryption Protocol (aka Where Everything is Permitted)

-“Good morning sir, we have a nice ADSL offering for you today. It is cheap and we can install it right away”

-“No, thanks. A company near my house is running WEP encryption for its 802.11 wireless network and they have a 20Mbps leased line to the Internet”

note1: if it’s broken, it’s broken

note2: for wireless networks, run a VPN over your WEP/WPA link

Page 22: What is (not) Network Security

Unauthorised Access - Countermeasures

• Before the fact
  • Strong authentication (e.g. two factor)
  • Isolation of services
  • Separation of duties
  • Eliminate covert channels

• After the fact
  • Audit
  • Audit more…
  • Audit: the proper way to do it, if it were not for privacy

Page 23: What is (not) Network Security

Strong Authentication

• What you know
  • Password
  • Passphrase

• What you have
  • Certificate on computer
  • Certificate on token (smart card, USB device)
  • Pseudorandom Number Generator device (time sync issues)

Page 24: What is (not) Network Security

Isolation of Services

• IPsec: Separate keying material per user groups and services they are authorised to access

• Subnets and packet filtering (firewalling)

• VLANs

• Few (one?) services per host

• Shutting down services that are not required on hosts

note: contrary to popular belief, virtual machines may not be the way to go

Page 25: What is (not) Network Security

Separation of duties

• System Administrators
• Network Administrators
• System Security Administrators
• Network Security Administrators
• Auditors
• Risk Analysts
• Security Officers

Page 26: What is (not) Network Security

Eliminate covert channels

• Well known ones
  • Port knocking
  • Tunneling (e.g. running another IP layer over an Application layer)
  • Steganographic

• Hard to detect

• Solutions:
  • Port knocking: allow only specific ports, limit packet rate
  • Tunneling: inspect application layer contents for syntax/format violations
  • Steganography: steganalysis, steganographic sanitisation

Page 27: What is (not) Network Security

Audit

[Diagram: Servers, Routers, Switches, Firewalls and IDS sensors, each producing its own Logs; caption: Inspecting log files]

Page 28: What is (not) Network Security

Audit more…

[Diagram: the same Servers, Routers, Switches, Firewalls and IDS sensors forward their Logs to a Log Consolidation and Correlation Server; caption: Inspect consolidated, correlated logs and alerts]
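The consolidation-and-correlation step from this slide, in an added Python example that is not part of the lecture: it normalises constructed firewall and IDS log lines into one schema and raises a finding only when an IDS alert is backed by firewall denies from the same source shortly before it, something neither device’s log shows on its own. The device names, IP addresses and both log formats are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, not real device output: one firewall (fw1) and one
# IDS (ids1) as they would arrive at the consolidation server.
RAW_LOGS = [
    "2007-11-24 10:00:01 fw1 DENY src=198.51.100.7 dst=192.0.2.10 dport=22",
    "2007-11-24 10:00:02 fw1 DENY src=198.51.100.7 dst=192.0.2.10 dport=23",
    "2007-11-24 10:00:03 fw1 DENY src=198.51.100.7 dst=192.0.2.10 dport=25",
    "2007-11-24 10:00:09 ids1 ALERT sig=portscan src=198.51.100.7 dst=192.0.2.10",
    "2007-11-24 10:05:00 fw1 DENY src=203.0.113.5 dst=192.0.2.10 dport=443",
    "2007-11-24 11:30:00 ids1 ALERT sig=portscan src=203.0.113.9 dst=192.0.2.11",
    "this line is not in any known format",
]

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<event>DENY|ALERT) (?P<kv>(?:\w+=\S+ ?)+)$")

def parse(line):
    """Normalise one firewall or IDS line into a common record; None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
           "host": m["host"], "event": m["event"]}
    rec.update(kv.split("=", 1) for kv in m["kv"].split())
    return rec

def consolidate(lines):
    """Parsed records from all devices in one time-ordered list."""
    return sorted((r for r in map(parse, lines) if r), key=lambda r: r["ts"])

def correlate(lines, window=timedelta(seconds=60), min_denies=3):
    """IDS alerts corroborated by at least min_denies firewall denies from the
    same source within `window` before the alert. Each log alone cannot tell
    these from the background: denies are routine, and both alerts look alike."""
    recs = consolidate(lines)
    denies = [r for r in recs if r["event"] == "DENY"]
    findings = []
    for alert in (r for r in recs if r["event"] == "ALERT"):
        n = sum(1 for d in denies if d["src"] == alert["src"]
                and timedelta(0) <= alert["ts"] - d["ts"] <= window)
        if n >= min_denies:
            findings.append({"ts": alert["ts"], "src": alert["src"],
                             "sig": alert["sig"], "denies": n})
    return findings
```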

Page 29: What is (not) Network Security

Audit properly (privacy issues…)

[Diagram: as on the previous slide, plus Traffic Capturing feeding the Log Consolidation and Correlation Server; caption: Inspect consolidated, correlated logs, alerts and captured traffic possibly related to the alerts]