240 likes | 342 Views
Turning the Network Inside Out. Joel Snyder, Ph.D. Senior Partner Opus One jms@opus1.com. Big Bad Internet. Most networks focus on perimeter defense.
E N D
Turning the Network Inside Out Joel Snyder, Ph.D. Senior Partner Opus One jms@opus1.com
Big Bad Internet Most networks focus on perimeter defense • “[AT&T’s gateway creates] a sort of crunchy shell around a soft, chewy center.” (Bill Cheswick, Design of a Secure Internet Gateway, April, 1990)
Big Bad Internet Perimeter defense has its flaws • “Protecting your network with a perimeter firewall is like putting a stake in the middle of a field and expecting the other team to run into it.” • #include <statistic on insider break-in percent> • “If your position is invisible, the most carefully concealed spies will not be able to get a look at it.” (Sun-Tzu) Virus
Defense in Depth is the alternative • Make the network “crunchy,” not soft and chewy throughout. • Turn the network inside-out: the security is on the inside, not on the outside
Cost The cost of adding firewall “brains” has been prohibitive Performance Firewalls are slower than Gigabit switches Management Determining the “many-to-many” relationships are difficult We don’t do defense-in-depth because... • Authentication • How do you know who has that IP address anyway? What about NATed users? • Policy • It’s hard to describe the security policy for inside users; it’s much easier to describe the Internet-oriented policy
Cost dropping Performance increasing Management getting better Whoops. I lied. My bad. • Authentication • solved • Policy • OK, there had to be something we couldn’t solve with technology
New and Exciting 802.1X Authentication Digital Certificates VLANs as Security Barriers Multiple levels of ACLs Firewall/VPN on the NIC Network Intrusion Detection/Prevention Systems Not-so-bleeding-edge MAC lock-down on ports Authenticated routing updates Rate-limiting (DoS resistance) Host-based IDS RADIUS-based authentication SSH (Secure Shell) for management SNMPv3 and not SNMPv2 “Access Ethernet” dedicated management network You can implement Defense-in-Depth
802.1X is the new standard for layer 2 authentication EAP over RADIUS Supplicant EAP over WirelessEAP over LAN Authentication Server (e.g., RADIUS server) Authenticators Supplicant The World
In the wireless environment, 802.1X is absolutely required 802.11i and WPA (Wi-Fi Protected Access) use 802.1X Pure 802.1X for authentication solves most WEP problems (if implemented with mutual authentication methods TLS, TTLS or PEAP) EAP over RADIUS “Here’s your WEP key for the next 30 seconds...” “Put the user on VLAN x and here’s what he has access to...” 802.1X on every port adds security
802.1X on every port adds security, II • In the wired environment, 802.1X adds security • Microsoft gives it to you for free with W2K and XP • Many wireless vendors too... • * 802.1X ties to RADIUS which means... • ...you can use RADIUS to push authorization information to wired and wireless equipment • * VLAN information • * ACL (access control list) information
What are pitfalls and caveats with 802.1X? • 802.1X does not mandate an authentication method • So you have to pick one (TLS, TTLS, or PEAP) • There are a bunch of choices and a bunch of interoperability problems (TTLS vs. PEAP) • Strategy: hold off until this battle is settled by the IETF • 802.1X does not require you to swap out your RADIUS infrastructure • You can get a new, small server which will proxy to your existing RADIUS servers • 802.1X will not immediately be “full featured” • Authorization information, such as ACLs and VLANs, is still awaiting “industry agreement”
Public/Private Cryptography enables ... n = p•q d = e-1 mod((p-1)(q-1)) • Authentication • Using public/private cryptography, I can strongly prove my identity • Integrity Checking • Using public/private cryptography, I can digitally sign documents and ensure that they cannot be tampered with • Digitally signed documents have “proof of sender” as well • Encryption • Using public/private cryptography, I can encrypt short and long strings of data effectively
n = p•q d = e-1 mod((p-1)(q-1)) Digital Certificates enable public/private cryptography A Certificate can be many things and have many forms, but fundamentally is a binding of a public keyto an identity
Authentication SSL-based Web servers VPNs Remote User Authentication Windows 2K/XP Login 802.1X Network Authentication E-mail (Netscape, Outlook, others supporting S/MIME) Encryption E-mail (S/MIME clients) Many existing IT applications can use certificates Certificate-based techniques can also be used to pass encryption keys for secret key encryption: disk partitions, for example And they all can use the same certificate!
So, why isn’t everyone using them? • PKI manufacturers have made it more complex than it needs to be • “Solve all the problems up front, for country-wide deployments” seems to be their strategy • And expensive! • Certificate Revocation List strategies have not been coherent • Online Certificate Status Protocol may help • Certificate Enrollment is chaotic • Four different protocols in common use • Plus a few proprietary ones
VLANs aren’t just for breakfast anymore Originally: Management Domains Now: Security Domains • 802.1q (Virtual LANs) can be used to combine, yet not mix, traffic from multiple networks “tagged” VLANs
3rd Floor 2nd Floor 1st Floor 4th Floor Use VLANs to distribute protected and unprotected services
Using VLANs for security has its risks • If packets jump from one VLAN to the other... the game is over • Management of switching infrastructure is now as important as management of firewalls • Your switches are your weak links • Attacks • Bugs • Switch vendors have a very bad reputation in this area Risk/Benefit Analysis
Some are more equal than others Static Packet Filters Typically look only IP layer Cannot be used for port-based controls Are commonly implemented High performance All Access Control Lists are not created equal “Extended” Access Lists (Packet Filters) • Look at things within IP and TCP or UDP header (such as port number and flags) • Can be used for limited port-based controls • Available on many, but not all, platforms • High performance StatefulPacket Filters • Look at entire datagram and try and simulate higher layer state machines • Considered very secure at layer 3 (Check Point, Cisco depend on them) • Slower and more CPU/memory intensive
ACLs can be spread throughout your network to increase security Allow traffic to HR server only from HR VLAN Block SMTP not from Internet. Kiosk PCs can’t get to inside net Pre-filter protocols (such as SNMP) you never want to let in; block spoofed packets User can get to departmental servers and Internet only
ACLs everywhere is a tricky situation • Static ACLs on ports can be difficult to manage and maintain (at this time) • 802.1X-derived ACLs don’t have sufficient context to work at IP layer (yet) • Not every device has the capability • Not every policy-based security server has the ability But this is a technology coming very soon to a theatre near you! “Put the user on VLAN x and here’s what he has access to...”
You can put a firewall on a NIC • Technically, this is not making the network itself crunchy and more secure • “Defense in Depth” isn’t too concerned with labels Policy Policy Policy Server Vendors: 3COM, Snap, OmniCluster, NetMaster, Corrent
Wireless Secure wireless LAN, using 802.1X and/or802.11i and/or IPsec Segmentation VLANs as managementand as securitydomains Multi-Level SecurityPush ACLs everywherethey can go,dynamic, too. Layer 2Authentication 802.1X Network Login authenticates users IDS/IPS Intrusion Detectionand Preventionfor forensics andprevention Internal Security Embedded Firewall secures desktops and servers PerimeterFirewallsand VPNs Old Standbys still useful! PKI AuthenticationUniform approach toauthentication givesstrongest security You can make a network which has deep defenses The Network