
Surviving in a hostile world

Surviving in a hostile world. The myth of fortress applications Tomas Olovsson CTO, Appgate Professor at Goteborg University, Sweden. The view of the 90’s. Modems are used for remote access The Internet is used primarily for email, news and later also world wide web (www)





Presentation Transcript


  1. Surviving in a hostile world
  • The myth of fortress applications
  • Tomas Olovsson, CTO, Appgate; Professor at Goteborg University, Sweden

  2. The view of the 90’s
  • Modems are used for remote access
  • The Internet is used primarily for email, news and later also world wide web (www)
    • 1994 there were 500 web servers
    • 1995 there were 10,000
    • 2000 there were 30,000,000
  • Security?
    • Private modem pools are managed and regarded as secure enough
    • A firewall is enough to protect the network from Internet threats
    • 1997: The question is what to buy: stateful inspection firewall or application level firewall [Rik Farrow]

  3. Around year 2000
  • Mobile devices are becoming increasingly popular
    • Mobility: Computers move between networks – virus problem
    • Software: New software follows the tracks of mobile computers
    • Information: Internal information can easily be transferred
    • Devices: USB disks and memories begin to see the world
  • Internal security is now being addressed
    • Not all devices are secure and trustworthy
    • Malicious software cannot be allowed to spread freely
    • Information cannot be trusted to all staff (“need to know”)
  • The firewall?
    • It is still probably doing its job as intended

  4. Traditional Internal Security
  [Diagram] Many networks lack internal protection; others are segmented with firewalls, switches, routers and other equipment. Labels: Firewalls, Users, Switches and Routers, Servers, IDS system, Personal FW, WLAN. Personal firewalls protect workstations; IDS systems monitor traffic.

  5. Large networks are beginning to be partitioned
  [Diagram] Segments: Customer support, Management, Accounting, Tech. department (one segment marked “!”)

  6. Today – Devices
  • Internal security is more important than ever
  • Mobile devices are in everyone’s possession
    • Devices will be moved to and from corporate networks: laptops, USB sticks, portable disks, phones, PDAs, …
    • We should be able to check them before granting access
    • Some devices should not be allowed
  • Better control over internal information (authorisation, access control)
  • WLAN access exists in many places
    • Networks are extended outside the firewall
    • Traffic from the outside may not even pass the firewall…
    • Our users communicate – risk of wiretapping
    • Other users use them without our authorisation
  • VoIP will be the next thing to integrate

  7. Internal segmentation is even more important
  [Diagram] Firewall; segments: Customer support, Management, WLAN, Accounting, Tech. department (two segments marked “!”)

  8. Today and communications
  • The Internet has replaced modems for remote access
    • All users have access to mail and www
    • Companies without web servers do not exist
    • Many threats to www (scripts, malicious software, etc.)
  • We need to access data from other organisations
    • Computers are used to connect to ext. systems and share data
    • Systems automatically connect to home servers
    • Software updates, anti-virus, etc. (“phone home”)
  • Users are located everywhere
    • At home, remote offices, partners, customers, etc.
    • Information must be shared – it’s a business enabler
  • Applications (e.g. p2p) can be disguised as p2p apps
    • They use port 80 for “firewall friendly” access – no control

  9. We can no longer hide behind a firewall
  [Diagram] THE COMPANY in the centre, surrounded by: Home workers, Remote office, WLAN Access, Suppliers, Consultants, Employees, Contractors, Outsourced resources, Product partners, Partners

  10. Many complex solutions exist…
  [Diagram] Users; Mobile users with VPN; Firewall with IPSec VPN; Push-email system; Management dep’t.; SSL VPN; Internet; IDS; Internal firewalls; Wireless Network; Product development; Servers

  11. The problem with a Firewall-centric view
  [Diagram] Firewall with openings for: Mail, VPN, Legacy, Proxies, Legacy VoIP, Web, IM. Over time, the firewall will have many holes.

  12. Remote access – a simple problem?
  [Diagram] Remote user → Internet → “VPN tunnel” → Firewall → Corporate network / Internal network with servers

  13. This is the same picture!
  [Diagram] Remote user → Internet → Firewall → Corporate network / Internal network with servers (same elements as slide 12)

  14. This is what the firewall implements…

  15. But once you are on the inside…
  • It used to be a modem…
  • Now we have:
    • Mobile computers
    • USB memories
    • PDAs
    • Software
    • Remote execution
    • Internet access
    • Remote access
    • WLAN, 3G access
    • www
    • p2p
    • VoIP
    • mail, viruses
    • hacking tools
    • personal firewalls
    • outsourced administration
    • etc.

  16. Protection must be where the assets are
  Protection at the source → It does not matter how you got to the inside!

  17. This would be easy to implement – provided...
  • Each application server and client can protect itself
  • There is a central authentication system for all users
    • Applications should not have to deal with authentication
  • And a distributed authorisation system
    • Each project (data owner) can decide who can do what
    • User roles must depend on authentication method, user’s role, type of device, client location, time of day, etc.
  • Applications are only visible to authorised users
  Then:
  • No perimeter firewall would be needed (we would still keep it)
  • No difference between local access and remote access!
  • It would not even be necessary to have an internal network!

  18. NAC – Network Access Control
  • Goal: check the connecting device before granting network access
  • Non-accepted devices can be connected to quarantine networks where they can update software, etc.
  • Some products may support identity-based access control to networks
  • Emerging technology initiated by many vendors:
    • But with different names (McAfee, Microsoft, Symantec, Cisco, …)

  19. NAC – Network Access Control
  • An interesting approach
    • Vendor approach to solve the problem with disappearing network boundaries
    • Means that the problems mentioned here are recognised
  • Requires an infrastructure on the network which implements the protection
    • Protection is enforced by the network, not the end devices
    • Does not enable secure end-to-end communication with mutual authentication
  • May mean we get more point products to manage…

  20. Network Access Control (NAC)
  • NAC is complicated:
    • Checks whether endpoints meet security policies and updates configurations
    • Checks for and isolates endpoints and users that have made it onto the network and seem to be breaching security policies
    • Management is done from different platforms depending on device and access type
      • RAS policies would be enforced by a VPN gateway
      • LAN user access enforced by switches and similar equipment
  • Does not offer mutual trust – just checking the connecting device

  21. Network Access Control (NAC)
  • Forrester believes NAC is not the future
  • Next version is PERM – proactive endpoint risk management
  • “Policy-based software technology that manages risk by integrating endpoint security, access control, identity and configuration management.”

  22. What is de-perimeterisation? (short version of the Jericho Forum approach)
  • Move security control closer to the source – to the end-points
  • Be in total control of all users’ access rights
  • Be in control of the connecting device
  • Add policies that dictate how and under what circumstances each user can access each service
  • Make access “seamless” and base it on cooperation between applications and users and the use of secure protocols

  23. Move protection closer to application servers

  24. The Jericho Forum Blueprint
  • In a de-perimeterised world companies will have more systems not connecting to “their” network, but transacting via inherently secure protocols
  • Tools: encryption, secure protocols, secure computer systems and data-level authentication
  • User access can be granted based on his/her identity, authentication strength, location, time, type of device, etc.
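Slides 17, 18 and 24 describe the same decision in words: check the connecting device first (NAC, with quarantine for devices that only need updating), then grant access to a service according to the user’s identity, authentication strength, device type, location and time of day. The following Python is an added example written for this transcript; it is not code from the talk, from Appgate or from the Jericho Forum. The authentication-strength ordering, the posture thresholds (7-day signature age), the “accounting” policy and the user scenarios are all constructed values chosen to exercise each condition once.

```python
from dataclasses import dataclass
from datetime import time
from typing import Dict, FrozenSet, Optional, Tuple

# Relative strength of each authentication method (constructed ordering).
AUTH_STRENGTH: Dict[str, int] = {"password": 1, "otp": 2, "certificate": 3}


@dataclass(frozen=True)
class DevicePosture:
    managed: bool                 # is the device enrolled and known to us?
    patches_current: bool
    av_signature_age_days: int


@dataclass(frozen=True)
class AccessContext:
    user: str
    roles: FrozenSet[str]
    auth_method: str              # key into AUTH_STRENGTH
    device_type: str              # "laptop", "phone", ...
    device: DevicePosture
    location: str                 # "office", "vpn", "internet"
    now: time                     # local time of day of the request


@dataclass(frozen=True)
class ServicePolicy:
    """Per-service policy: the data owner decides who can do what (slide 17)."""
    name: str
    allowed_roles: FrozenSet[str]
    min_auth_strength: int
    allowed_locations: FrozenSet[str]
    allowed_device_types: FrozenSet[str]
    hours: Optional[Tuple[time, time]] = None   # None = any time of day


def posture_decision(dev: DevicePosture) -> str:
    """NAC stage (slide 18): 'accept', 'quarantine' so the device can update, or 'deny'."""
    if not dev.managed:
        return "deny"
    if not dev.patches_current or dev.av_signature_age_days > 7:  # 7 days: constructed threshold
        return "quarantine"
    return "accept"


def authorise(ctx: AccessContext, policy: ServicePolicy) -> Tuple[str, str]:
    """Return (decision, reason). Device posture is checked first, then the
    user-context conditions of slides 17/24; the first failing condition decides."""
    nac = posture_decision(ctx.device)
    if nac != "accept":
        return nac, "device posture"
    if not ctx.roles & policy.allowed_roles:
        return "deny", "role"
    if AUTH_STRENGTH.get(ctx.auth_method, 0) < policy.min_auth_strength:
        return "step-up", "authentication strength"   # ask for a stronger method
    if ctx.location not in policy.allowed_locations:
        return "deny", "location"
    if ctx.device_type not in policy.allowed_device_types:
        return "deny", "device type"
    if policy.hours is not None:
        start, end = policy.hours
        if not start <= ctx.now <= end:
            return "deny", "time of day"
    return "allow", "all conditions satisfied"


# Constructed sample policy for an "accounting" service.
ACCOUNTING = ServicePolicy(
    name="accounting",
    allowed_roles=frozenset({"accounting"}),
    min_auth_strength=AUTH_STRENGTH["otp"],
    allowed_locations=frozenset({"office", "vpn"}),
    allowed_device_types=frozenset({"laptop"}),
    hours=(time(8, 0), time(18, 0)),
)

HEALTHY = DevicePosture(managed=True, patches_current=True, av_signature_age_days=1)
STALE = DevicePosture(managed=True, patches_current=True, av_signature_age_days=30)


def base_context(**overrides) -> AccessContext:
    """An accountant on a healthy laptop, OTP-authenticated, in the office at 10:00.
    Each scenario below overrides exactly one factor (constructed data)."""
    fields = dict(user="alice", roles=frozenset({"accounting"}), auth_method="otp",
                  device_type="laptop", device=HEALTHY, location="office", now=time(10, 0))
    fields.update(overrides)
    return AccessContext(**fields)


def evaluate_samples() -> Dict[str, Tuple[str, str]]:
    """Run the sample scenarios against the accounting policy."""
    scenarios = {
        "baseline": base_context(),
        "password_only": base_context(auth_method="password"),
        "stale_av": base_context(device=STALE),
        "wrong_role": base_context(user="bob", roles=frozenset({"tech"})),
        "phone": base_context(device_type="phone"),
        "from_internet": base_context(location="internet"),
        "after_hours": base_context(now=time(22, 0)),
    }
    return {name: authorise(ctx, ACCOUNTING) for name, ctx in scenarios.items()}


if __name__ == "__main__":
    for name, (decision, reason) in evaluate_samples().items():
        print(f"{name:15s} -> {decision:10s} ({reason})")
```

The order of the checks is the design point: posture is evaluated before identity, so an unhealthy device is sent to quarantine rather than told which role or location it was missing, and a weak authentication method produces a step-up request rather than a flat denial. Because the decision depends only on the request context and the service’s own policy, the same function gives the same answer for a local and a remote user, which is the “no difference between local access and remote access” goal of slide 17.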

  25. Connectivity
  [Diagram: timeline, connectivity plotted against Time, with the later stages labelled “Effective breakdown of perimeter”]
  • Stand-alone Computing [Mainframe, Mini, PC’s]
  • Local Area Networks – Islands by technology
  • Connected LANs – interoperating protocols
  • Connectivity for Internet e-Mail
  • Internet Connectivity – Web, e-Mail, Telnet, FTP
  • External collaboration [Private connections]
  • External Working – VPN based
  • Limited Internet-based Collaboration (Today) – Drivers: Outsourcing and off-shoring
  • Consumerisation [Cheap IP based devices] – Drivers: Low cost and feature rich devices
  • Full Internet-based Collaboration – Drivers: B2B & B2C integration, flexibility, M&A
  • Full de-perimeterised working – Drivers: Cost, flexibility, faster working
