Network Policy (slides by Jeremy, Brian, and Daniel)
What Network Policy IS
• Includes a set of preconditions required for network access and to maintain that access (access policy)
• Some examples:
  • Must be running the organization’s specified antivirus product with latest virus definitions
  • Must have personal firewall enabled
    • Egress/ingress, particular ports, protocols, etc.
  • Must pass a scan for known vulnerabilities (like CMU)
What Else Network Policy IS
• Specifies access controls for systems and resources
• Examples:
  • Bank teller can only connect to the bank network during regular business hours
  • Staff not employed by the payroll department must not access payroll records
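The two slides above describe a policy as preconditions on the host (posture) plus access rules on the request (who, what, when). The following is an added example, not code from the slides: a small policy evaluator that encodes exactly those rules. Field names, the product name "CorpAV", the allowed port set and the 9–17 business window are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Constructed host posture record; field names are hypothetical, not from the slides.
@dataclass
class Host:
    av_product: str
    av_defs_age_days: int
    firewall_enabled: bool
    listening_ports: set = field(default_factory=set)
    open_vulns: int = 0          # findings from the known-vulnerability scan

# Constructed access request; hour is a 24h integer to keep the rule simple.
@dataclass
class Request:
    role: str
    department: str
    resource: str
    at_hour: int

REQUIRED_AV = "CorpAV"           # the organization's specified product (placeholder)
ALLOWED_INGRESS = {22, 443}      # ingress ports a host may expose (assumption)
BUSINESS_HOURS = (9, 17)         # regular business hours, [start, end)

def posture_checks(h: Host) -> list[str]:
    """Preconditions for getting and keeping access; returns the violated ones."""
    v = []
    if h.av_product != REQUIRED_AV or h.av_defs_age_days > 1:
        v.append("antivirus missing or definitions stale")
    if not h.firewall_enabled:
        v.append("personal firewall disabled")
    if extra := h.listening_ports - ALLOWED_INGRESS:
        v.append(f"unexpected ingress ports {sorted(extra)}")
    if h.open_vulns:
        v.append(f"{h.open_vulns} known vulnerabilities unpatched")
    return v

def access_checks(r: Request) -> list[str]:
    """Access-control rules from the slides: teller hours, payroll by department only."""
    v = []
    in_hours = BUSINESS_HOURS[0] <= r.at_hour < BUSINESS_HOURS[1]
    if r.role == "teller" and r.resource == "bank-network" and not in_hours:
        v.append("teller access outside business hours")
    if r.resource == "payroll-records" and r.department != "payroll":
        v.append("payroll records restricted to payroll department")
    return v

def decide(h: Host, r: Request) -> tuple[bool, list[str]]:
    """Deny on any violation; every reason is returned so the denial can be logged."""
    reasons = posture_checks(h) + access_checks(r)
    return (not reasons, reasons)
```

A real deployment would feed these decisions to the enforcement tools named later in the deck (NAC, ACLs, firewalls); the point here is that the rules are written down before the tools are configured.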
Anything Else?
• What is allowed on the network
  • Hotmail, eBay, Ameritrade, pornography?
• What is monitored
  • How long do you keep the logs
  • What do you do with them after that time period
  • Who handles these logs
  • Who is responsible for auditing them
Network Policy is NOT
• A firewall, IDS, IPS, etc.
• A certification
• Something you download and print
• Something you purchase
It is a custom-tailored process!
The IKEA Analogy for Network Policy
• No policy is like having no instructions for securing the network
  • Seems simple but actually a million complicated pieces with complex interactions
• “Universal Tool” – not the best solution
  • It works great until it falls apart and needs to be redone the right way
• Find out what those extra parts do after the fact
• Frustrating?
• Quality issues?
But Policy is Just Paper
• True, policy needs to be enforced
  • People are either ignorant of or don’t care about what is on the paper
  • Survey: who knows CMU’s Network Policy?
• How to enforce Network Policy?
  • Technology: firewalls, ACLs, Nessus, card readers, network monitors, encryption, Active Directory, etc.
  • Can’t effectively deploy these tools without policy
  • Can’t build sturdy furniture (security) without directions (policy)
• Policy = Directions
Designing Network Policy
• Very specific to the organization’s needs
  • No “one size fits all”
• Try to follow best practices
  • Least Privilege
  • Defense in Depth
  • ACTIVE MONITORING
    • Build this into the policy!
    • Threats constantly evolve; security must do the same
The Case: Issues to Consider
• Least Privilege
  • Sponsors – “What do you mean I can’t do xyz? I paid for this thing to happen!”
  • Money talks, but making exceptions can break down security of the entire system
• People want money spent on something visible
  • Make the case for security supporting visibility? Does it?
• People want invisible security
  • If it is a hassle, they will circumvent it
  • Media – use venue as backdoor
More Issues: Insiders
• Organizations implicitly trust them
• Intimate knowledge of the system and its weak points
• May be sympathetic to protesters
• Physical access to critical areas
  • Easy to plug in a rogue WAP on the wired network
• Many new temporary employees
  • Where is their loyalty?
Wireless Policy Considerations
• Basic requirements for the event
  • Can enough cable be run at the venue to support all wired connections?
  • Do the participants need wireless? Why?
• Who is in charge?
  • Delegate who is in charge and who takes responsibility for problems
  • Establishes accountability and a point of contact
What is the Risk?
• Perform a risk assessment
  • Potential threats:
    • DoS, session hijacking, sniffing, MITM, ad-hoc connections
  • Wardrive/warwalk to determine physical exposure
• What is the wireless going to be used for?
  • Casual web surfing (low risk)
  • Media/sponsor access (medium risk)
  • Confidential scheduling and voting (high risk)
• How frequently to assess risk?
• Do the threats outweigh the benefits?
• See NIST 800-30 for more formal information
Consider Wireless Topology
• Network topology
  • Wireless as untrusted network
  • Wired as trusted network
  • Separate them with a gateway
  • Install a filter to control/monitor traffic at that junction
• Active monitoring goes in the wireless policy!
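As an added example (not from the slides), here is a simplified model of the filter at the wireless/wired junction: untrusted wireless may only reach an explicit allow-list on the trusted side, denials are logged, and a monitoring hook surfaces wireless hosts that keep probing the wired zone. The address ranges, service list and threshold are constructed assumptions; the filter is stateless, so return traffic is not modelled.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones and services; addresses are placeholders, not from the slides.
WIRELESS = ip_network("10.20.0.0/16")   # untrusted side of the gateway
WIRED = ip_network("10.10.0.0/16")      # trusted side of the gateway
GATEWAY_SERVICES = {("10.10.0.5", 53), ("10.10.0.5", 443)}  # DNS and web proxy

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    if ip in WIRELESS:
        return "wireless"
    if ip in WIRED:
        return "wired"
    return "external"

class GatewayFilter:
    """Default deny from untrusted to trusted, allow-list for services, and
    counters plus a deny log that feed the active monitoring the policy requires."""
    def __init__(self):
        self.stats = Counter()
        self.log = []

    def decide(self, p: Packet) -> bool:
        src, dst = zone_of(p.src), zone_of(p.dst)
        if src == "wireless" and dst == "wired":
            allowed = (p.dst, p.dport) in GATEWAY_SERVICES
        elif src == "wireless" and dst == "external":
            allowed = p.dport in (80, 443)    # casual web surfing only
        elif src == "wired":
            allowed = True                    # trusted side initiates freely
        else:
            allowed = False                   # external-initiated: deny
        self.stats[(src, dst, allowed)] += 1
        if not allowed:
            self.log.append(f"DENY {p.proto} {p.src} -> {p.dst}:{p.dport} ({src}->{dst})")
        return allowed

    def suspicious_sources(self, threshold: int = 3) -> list[str]:
        """Monitoring hook: wireless hosts repeatedly denied at the wired boundary."""
        hits = Counter(l.split()[2] for l in self.log if l.endswith("(wireless->wired)"))
        return sorted(ip for ip, n in hits.items() if n >= threshold)
```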
Other Considerations
• How to authenticate
  • Cost, ease of implementation, ease of use
  • PKI may be too much, open may be too little
• Maintaining confidentiality
  • Encryption – WEP, WPA, IPsec
    • Selection based on sensitivity of data
  • Key management
    • How to distribute
    • Can we change it faster than it can be cracked?
• Availability
  • Most noticeable
  • Productivity losses
  • Media backlash
No WiFi For You!
• Do we allow it or not?
  • Is the threat greater than the benefit?
  • Difficult to quantify
• Do we also allow limited wired access if wireless goes down?
• What if wireless keys are shared with outsiders?
• Many other “what ifs”
• See NIST 800-48 for a wealth of information
This Can Be Really Tough!
• Difficulty will cause users to circumvent security measures
• Prepare for your first line of defense to fail (D.I.D.)
• Perhaps we need something more rigorous
  • A formal framework with better metrics for making critical decisions
Conclusion
• Are network policies such as the ones described tonight silver bullets??
• The answer is NO!!!!
Conclusion
• These are guidelines that need to be enforced, understood, documented and evaluated constantly, because the environmental variables (such as new technology) change over time