Information Security Overview of Technologies & Solutions
Information Security • Introduction • The Enterprise Network • Defense in Depth • What to protect against? • Technologies & Solutions • Perimeter Technologies • Internal Technologies • Consulting • Audit, Implementation & Support
Introduction The security of your network is evaluated daily, the question is… “Are you the one doing it?”
Introduction • Good Information Security provides: • Data confidentiality • Ensure that no data is disclosed intentionally or unintentionally • Data integrity • Ensure that data is not modified by unauthorized personnel, that no unauthorized changes are made by authorized personnel, and that data remains consistent, both internally and externally • Data availability • Provide reliable and timely access to data and resources
Defense in Depth • How? • Secure the perimeter • Secure the internal network • Account for the human factor • Using a layered approach: • Increases an attacker’s risk of detection • Reduces an attacker’s chance of success
Defense in Depth (layers, innermost to outermost, with example controls) • Data: ACL, encryption • Application: Application hardening, antivirus • Host: OS hardening, update management, authentication • Internal Network: Network segments, IPSec, NIDS • Perimeter: Firewalls, VPN quarantine, … • Physical Security: Guards, locks, tracking devices • Policies, Procedures & Awareness: User education against social engineering
Network Security • Focus on perimeter and internal network solutions • Internal Network: Network segments (VLANs), IPSec, NIDS, Network Access Protection, … • Perimeter: Firewalls, VPN, NIDS, Anti-Spam, …
Why do we need Network Security? • First look at what you need to protect • Data (company resources) • Services (applications or their individually accessible parts and the people using them) • Protect against what? • Malware (Viruses, Spyware,…) • Spam (“Steals” resources and productivity) • Hackers (Network penetration, defacements, DoS Attacks,…) • Internal Users (Unauthorized access,…) • …
Common Threat Classification • Threats against the network: Spoofed packets, etc. • Threats against the host: Buffer overflows, illicit paths, etc. • Threats against the application: SQL injection, XSS, input tampering, etc.
Typical Pattern of an Attack • Enter the network through SQL Injection etc. • Install or use port proxy software to open inbound connections • Remotely control the host to mount further attacks from inside until a domain controller is accessible • Gain control of the desired resources • Erase traces of attack and remove installed software
How to protect yourself? • Technologies & Solutions • Secure the perimeter • Secure the internal network
Perimeter Technologies • Firewall (Packet Filter, Stateful, Proxy) • Intrusion Detection System (IDS, IPS) • Virtual Private Network (IPsec, SSL) • Anti-Spam (Mail relay, AV) • Anti-Spyware (URL filtering, AV) • Anti-Virus
Firewall – Static Packet Filter • Every router is a static packet filter (including your ISP router) • First incoming and last outgoing layer of your network security • Faster at screening traffic than stateful or proxy firewalls • But no knowledge of “state” thus less secure than most common firewalls
Firewall – Stateful • Most common type of Firewall today • Keeps track of “state”, blocks traffic that is not in its table of established connections • Slower at screening traffic than packet filter, but more secure
Firewall – Proxy • Most advanced, least common type of Firewall (is also a stateful firewall) • Higher degree of security because internal and external hosts never communicate directly • Examines the entire packet to ensure compliance with the protocol that is indicated by the destination port number
Firewall – Basic theory of operation • A firewall divides your internal network (LAN) from an external network (usually the Internet) • If an incoming connection is an “answer” to an outgoing connection, the connection is allowed; if not, the connection is dropped (stateful) • Most firewalls have DMZ functionality, allowing you to further divide your network with an intermediate network (DMZ) in order to offer some Internet-facing services to your users
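The allow/drop rule on this slide, worked through as an added example (not code from the slides or from any vendor): a toy stateful filter with a connection table, a LAN prefix and a set of published DMZ services. All addresses, ports and class names are constructed for the example.

```python
# Added example: a toy stateful packet filter modelling the slide's rule.
# Outbound LAN traffic is allowed and remembered; inbound traffic is allowed
# only as the "answer" to a tracked connection or to a published DMZ service.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFirewall:
    """Toy stateful filter; names and addresses are this example's own."""

    def __init__(self, lan_prefix: str, dmz_services: set[tuple[str, int]]) -> None:
        self.lan_prefix = lan_prefix        # addresses starting with this are "inside"
        self.dmz_services = dmz_services    # (dmz host, port) pairs offered to the Internet
        self.state: set[tuple] = set()      # table of established connections (5-tuples)

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def handle(self, p: Packet) -> str:
        if p.src.startswith(self.lan_prefix):
            # Outgoing from the LAN: allowed, and tracked so the answer can return.
            self.state.add(self._key(p))
            return "allow"
        if (p.dst, p.dport) in self.dmz_services:
            # Unsolicited inbound, but to a published DMZ service: allowed and tracked.
            self.state.add(self._key(p))
            return "allow"
        # Inbound "answer": the reverse 5-tuple of a tracked connection.
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "allow" if reverse in self.state else "drop"


def demo() -> list[str]:
    fw = StatefulFirewall("10.0.0.", {("192.0.2.10", 80)})   # constructed addresses
    packets = [
        Packet("10.0.0.5", 51000, "203.0.113.10", 443),      # LAN client -> Internet
        Packet("203.0.113.10", 443, "10.0.0.5", 51000),      # answer to that connection
        Packet("198.51.100.7", 4444, "10.0.0.5", 445),       # unsolicited -> LAN host
        Packet("198.51.100.7", 4444, "192.0.2.10", 80),      # Internet -> DMZ web server
        Packet("198.51.100.7", 4444, "192.0.2.10", 22),      # Internet -> unpublished DMZ port
    ]
    return [fw.handle(p) for p in packets]
```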
Firewall Solutions • Juniper (Formerly NetScreen) • Check Point
Firewalls – Juniper • Integrated Firewall/IPSec VPN • NetScreen 500/200/50/25/XT/GT/HSC • Solution includes • Stateful Inspection (Perimeter defense) • Deep Inspection (Application-Level Protection) • Built-In Antivirus (Protects remote locations) • Web filtering (Prevent inappropriate web usage) • Secure Remote Access (IPsec VPN – Secure Client)
Firewalls – Check Point • Firewall • FireWall-1 • Solution includes • Comprehensive application protection • Industry-leading management • High performance
Other Technologies • So if we buy a Firewall we are safe?! • Why NOT? • Weaknesses in TCP/IP suite • IP Address Spoofing • Covert Channels • IP Fragments Attacks • TCP Flags • SYN Flood • Connection Hijacking • …
Intrusion Detection System • Gateway Intrusion Detection System • A network intrusion detection system which acts as a network gateway • Designed to stop malicious traffic and generate alerts on suspicious traffic • An “ideal” gateway IDS is able to stop all known exploits
GIDS vs NIDS (Placement) GIDS • Acts as network gateway • Stops suspect packets • Prevents successful intrusions • False positives are VERY bad NIDS • Only observes network traffic • Logs suspect packets and generates alerts • Cannot stop an intruder • False positives are not as big of an issue
IDS – Basic theory of operation • Much like a bridging firewall, an IDS makes forward/drop decisions: • This packet is always good, so pass it into my network • This packet is always bad, so drop it and tell me about it • This packet is sometimes bad, so tell me about it, but don't drop it
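The three decisions above, together with the GIDS/NIDS placement difference from the previous slide, as an added example (not code from the slides or any vendor): one signature engine that runs inline as a gateway IDS (may drop) or passively as a NIDS (alert only). The rule names and byte patterns are constructed placeholders, not real signatures.

```python
# Added example: a minimal signature engine making the slide's forward/drop decisions.
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern   # searched in the packet payload
    always_bad: bool      # True: drop and alert; False: alert but still forward


@dataclass
class IDS:
    rules: list[Rule]
    inline: bool          # True = gateway IDS (can stop traffic), False = passive NIDS
    alerts: list[str] = field(default_factory=list)

    def inspect(self, payload: bytes) -> str:
        """Return 'forward' or 'drop' for one packet; alerts are appended as a side effect."""
        matched = [r for r in self.rules if r.pattern.search(payload)]
        for r in matched:
            action = "drop" if (r.always_bad and self.inline) else "alert"
            self.alerts.append(f"{r.name}:{action}")
        # Only an inline sensor can stop a packet; a passive sensor only observes.
        if self.inline and any(r.always_bad for r in matched):
            return "drop"
        return "forward"


# Constructed rules: the patterns are placeholders for illustration only.
RULES = [
    Rule("known-exploit-placeholder", re.compile(rb"EXPLOIT-SIG-001"), always_bad=True),
    Rule("possible-sql-keywords", re.compile(rb"(?i)union\s+select"), always_bad=False),
]


def run_demo() -> dict:
    gateway, sensor = IDS(RULES, inline=True), IDS(RULES, inline=False)
    packets = [  # constructed sample payloads
        b"GET /index.html HTTP/1.0",       # always good: forwarded silently
        b"EXPLOIT-SIG-001 payload",        # always bad: dropped inline, alerted passively
        b"q=1 UNION SELECT 2",             # sometimes bad: alerted, never dropped
    ]
    return {"gateway": [gateway.inspect(p) for p in packets],
            "nids": [sensor.inspect(p) for p in packets],
            "gateway_alerts": gateway.alerts, "nids_alerts": sensor.alerts}
```

The passive sensor produces the same alerts but never a drop, which is why a false positive costs far less there than on the gateway.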
IDS Solutions • Juniper • Check Point
IDS – Juniper • IDS – IPS • NetScreen-IDP 10/100/500/1000 • Solution includes • Eight different detection methods are used to protect the network from network, application and hybrid attacks • Understands state to pinpoint exactly where an attack can be perpetrated and looks only there • Ability to define a response action in the rulebase for detected attacks • Sub-second stateful failover between Juniper Networks devices without losing sessions • Enables closed-loop investigation, linking directly from the log to the rule that triggered it and the session's packet capture
IDS – Check Point • IDS – IPS • IntruShield • Solution includes • Unprecedented flexibility of IDS deployment, including in-line, tap, and span modes to suit any network security architecture • Thorough analysis of traffic at multi-gigabit rates that builds and maintains traffic state information and performs comprehensive protocol analysis • Intelligent detection of known, unknown, and DoS attacks using a combination of signature, anomaly and DoS detection techniques • Proactive capability to stop in-progress attacks coupled with a rich set of alerting and response actions • Powerful capability to set multiple, highly granular, custom intrusion policies within a single sensor
VPN • A Virtual Private Network is a service that offers a secure, reliable connection over a shared public infrastructure such as the Internet. • Two main types; • Remote Access • Site-to-site • Two main technologies; • IPsec (and L2TP) • SSL
VPN – Remote Access • Secure remote access for mobile users and/or home office • Using a secure software client or hardware device for IPsec, or a web browser for SSL-based VPN • If you are able to connect to the Internet, you are able to connect to the corporate network
VPN – Site-to-Site • Valid replacement for leased lines and Frame Relay connections to connect different sites • Using specialized VPN devices or a VPN built into a firewall • If both your sites have Internet connectivity, they can be connected using VPN
VPN – Basic theory of operation (site-to-site and remote access) • A VPN tunnel is set up using a secure client or an SSL-capable web browser • All data sent through the tunnel is encrypted; the packets can still be captured, but if they are, they are encrypted
VPN – IPsec • Usually employs custom software at each of the endpoints – the device and the client • Normally utilizes OSI Layer 3 protocols (AH – ESP) • Authentication Header provides two-way device authentication (implemented in hardware or software) • Encapsulating Security Payload protocol provides data encryption (3DES, AES)
VPN – SSL • Employs a web browser at the client side and a device at the corporate side • SSL is a network layer protocol • SSL uses certificates to prove the identities of both endpoints • All traffic is encrypted using a shared key and a negotiated encryption algorithm (3DES, AES)
VPN Solutions • Juniper • Check Point
VPN – Juniper • IPsec VPN • Built into the firewall range of products • Solution includes • Secure client enables adherence to security policy • SSL VPN • NetScreen-RA 500, NetScreen-SA 1000/3000/5000 • Solution includes • Secure access for remote/mobile employees, with no client software required • Secure LAN, intranet, and extranet access for employees, business partners, and customers • Hardware-based SSL acceleration • Hardware-based HTTP compression • Dynamic access privilege management, with three access methods
VPN – Check Point • IPsec VPN • VPN-1, VPN-1 Edge, VPN-1 VSX • Solution includes • Simple VPN deployment • Highest level of security • Easy-to-use centralized management • Unparalleled performance • High availability • SSL VPN • SSL Network Extender • Solution includes • Network-level connectivity over SSL VPN • Support for all IP-based applications • Combined IPSec and SSL VPN solution • Integrated with Check Point VPN-1
Anti-Spam (Spam Firewall) • Acts as a mail relay server – accepts incoming mail, scans the content and forwards the mail to the back-end mail server • Usually in combination with an antivirus scanning engine to deliver spam- and virus-free e-mail • Prevents direct access to your e-mail server
Anti-Spam – Basic theory of operation • E-mail is delivered to the Spam Firewall • E-mail is checked against IP block lists, antivirus scanning is performed, user rules are applied, and spam fingerprint, intention analysis, Bayesian analysis and rule-based scoring checks are performed • Clean e-mail is relayed to the internal mail server
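The staged pipeline above, as an added example (not code from the slides or from Barracuda or Trend Micro): an IP block list, a file-type virus filter and rule-based scoring applied in order to a constructed message. The block list, file types, rules, threshold and sample messages are all constructed for the example; Bayesian and fingerprint stages are omitted.

```python
# Added example: a toy spam-firewall pipeline (block list -> virus/file-type filter -> scoring).
from email import message_from_string
from email.message import Message

# Constructed configuration for illustration only.
IP_BLOCK_LIST = {"198.51.100.23"}
BLOCKED_FILE_TYPES = {"exe", "scr", "vbs"}     # stand-in for the virus filter's file type blocking
SCORE_RULES = [                                 # rule-based scoring: (name, predicate, points)
    ("shouting_subject", lambda s, b: s.isupper() and len(s) > 5, 2.0),
    ("money_bait", lambda s, b: any(w in b.lower() for w in ("lottery", "wire transfer")), 2.5),
    ("many_links", lambda s, b: b.lower().count("http://") >= 3, 1.5),
]
SPAM_THRESHOLD = 3.0


def _text_body(msg: Message) -> str:
    """Concatenate text/plain parts that are not attachments."""
    return "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain" and not p.get_filename())


def classify(raw: str, sender_ip: str) -> tuple[str, list[str]]:
    """Return (verdict, reasons); verdict is reject, quarantine, spam or clean."""
    if sender_ip in IP_BLOCK_LIST:             # stage 1: IP block list, cheapest check first
        return "reject", ["ip_block_list"]
    msg = message_from_string(raw)
    for part in msg.walk():                    # stage 2: attachment / file-type filter
        name = part.get_filename()
        if name and name.rsplit(".", 1)[-1].lower() in BLOCKED_FILE_TYPES:
            return "quarantine", [f"blocked_file_type:{name}"]
    subject, body = msg.get("Subject", ""), _text_body(msg)
    hits = [(n, pts) for n, pred, pts in SCORE_RULES if pred(subject, body)]
    score = sum(pts for _, pts in hits)        # stage 3: rule-based scoring against a threshold
    return ("spam" if score >= SPAM_THRESHOLD else "clean"), [n for n, _ in hits]


# Constructed sample messages.
SPAM = ("Subject: YOU WON THE LOTTERY\n\n"
        "Claim your lottery prize: http://a.example http://b.example http://c.example\n")
CLEAN = "Subject: Meeting notes\n\nAttached are the notes from today.\n"
WITH_EXE = ('Content-Type: application/octet-stream; name="invoice.exe"\n'
            'Content-Disposition: attachment; filename="invoice.exe"\n'
            "Subject: Invoice\n\nAAAA\n")
```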
Anti-Spam Solutions • Barracuda • Trend Micro
Anti-Spam – Barracuda • Anti-Spam Firewall • 200/300/400/600/800 • Outbound Mode • 200/300/400/600/800 • Solution includes • Spam Filter • Content-Based Filtering • Bayesian Algorithms • Denial of Service Protection • Anti-Spoofing • Anti-Phishing • Virus Filter • Dual-Layer Virus Blocking • Decompression of Archives • File Type Blocking
Anti-Spam – Trend Micro • Anti-Spam • Spam Prevention Solution (SPS 2.0) • Solution includes • Advanced Filtering, Analysis, and Updating Capabilities • Comprehensive Reporting and Auditing • Dynamic, Flexible Heuristic Technology • Ease of Administration and Configuration • High Performance and Scalability • Seamless Integration with Antivirus and Content Security Offerings
Anti-Spyware (Gateway) • Gateway device to stop spyware installations, block spyware sites and scan for spyware signatures • Some solutions can detect spyware on user desktops and target them for cleaning • Usually combined with Antivirus solutions
Anti-Spyware – Basic theory of operation • When a user requests a website, the device checks whether the site is in the known spyware sites list; if not, the request is proxied • The content of the requested site is then scanned for spyware (and viruses) • If the content is spyware- and virus-free it is delivered to the client; if not, it is dropped
Anti-Spyware Solutions • BlueCoat • Barracuda
Anti-Spyware – BlueCoat • Anti-Spyware • Spyware Interceptor • ProxySG + ProxyAV • Solution includes • Easy, affordable, and effective spyware prevention • Automatically updates spyware profiles, policies, and prevention techniques. • Backed by world-leading experts in web proxy performance and security at Blue Coat Labs™
Anti-Spyware – Barracuda • Anti-Spyware • Spyware Firewall 210/310/410 • Solution includes • Stops spyware downloads (including drive-by downloads) • Stops virus downloads • Blocks access to spyware websites • Detects spyware access to the Internet • Facilitates spyware removal • Website Category blocking • Content Inspection • Flexible Policy Enforcement
Antivirus (Gateway) • Provides Internet gateway protection against viruses (HTTP, FTP, SMTP traffic) • If combined with an internal antivirus solution from a different vendor, it provides dual-layer protection • Usually a combination of Anti-Spyware, Anti-Virus and Anti-Spam on the gateway
Anti-Virus (Gateway) – Basic theory of operation • Requested web content is scanned with the antivirus engine on the proxy server • Clean content is delivered to the clients