Managing Network Security

1
Managing Network Security

• Assessment and policy
• Access control
• Encryption

2
Myths about Business Risks in the Information Age

• Security is only about protecting things
• We dont have any information anyone would want
• Security problems have never happened here.
• Firewalls provide enough security
• Technology will solve the security problem
• The enemy is outside
• Our people wont tolerate tight security
• My PC is secure, so Im secure
• The Internet cant be used for secure
  communications

3
Security Policy

• Defines what's important in your enterprise, how
  you are going to protect it, who's responsible
  for it and what happens when the inevitable
  attacker comes knocking.
• Give system and network administrators something
  to fall back on in a crisis, as well as guidance
  for the mundane but essential day-to-day
  decisions and actions
• Provide approaches to problems that have been
  well-thought-out and tested over time. And though
  there is no magic in them, these policies bring
  an organization closer to understanding its
  computer and network business requirements and
  risks.
• Provide a framework for re-evaluation as
  requirements and risks change.

4
Ground rules of Security

• 1. Security and complexity are often inversely
  proportional.
• 2. Security and usability are often inversely
  proportional.
• 3. Good security now is better than perfect
  security never.
• 4. A false sense of security is worse than a true
  sense of insecurity.
• 5. Your security is only as strong as your
  weakest link.
• 6. It is best to concentrate on known, probable
  threats.
• 7. Security is an investment, not an expense.

5
Developing the security management plan
6
Risk assessment

• This phase encompasses asset identification and
  evaluation postulation and analysis of threats
  vulnerability assessment appraisal of existing
  countermeasures, and cost/benefit analysis.
• Numerous factors are considered, including how
  information is used and managed, and how good and
  relevant existing security measures are. Assets
  (including information) as well as threats are
  classified. The goal is to consider the things
  indicated as business requirements.

7
Risk assessment

• Questions
• What are we trying to protect?
• Which attacks are possible? Which are probable?
• Where are we vulnerable?
• What are we concerned about keeping? What are
  these items worth? How much would it cost to
  replace them?
• How valuable would the following be to an
  attacker (possibly a competitor)
• How much would it cost an attacker to attack us?
• How much would it cost to counter?
• What security measures are in place? Are they
  working?

8
Risk areas

• Personnel Risk
• Background checks
• Segregation of duties
• Terminated employees
• Physical Access Risk
• Disaster Risk
• Disaster recovery
• Backup/ hot sites

9

• Integrity Risk Risks associated with the
  authorization, completeness and accuracy of
  transactions
• User interface
• Processing, error processing
• Interfaces with other systems/ databases
• Access Risk Risks associated with inappropriate
  access to systems or data
• Identification, authentication and nonrepudiation
• Firewalls and Guards
• Availability Risk
• Infrastructure capability
• Denial of service

10
Threats

• Disaster and breakdowns
• Access and disclosure
• Alteration or destruction
• Improper use

11
Business needs assessment

• The security planning team should include people
  involved in different aspects of IT from
  different areas of the enterprise.
• Once the team is created, the first step is an
  analysis of business requirements. What services
  are required for business, and how might those
  requirements be met securely? The hardest part is
  distinguishing wants from needs.
• The team, with all its members' viewpoints,
  determines the business needs for computer and
  network services.
• For every service, team should ask repeatedly,
• "Is there a business requirement?"

12
Root Security Policy

• This high-level document provides the framework
  upon which all required information and
  subpolicies hang. The root policy's top-down
  approach makes it possible to adhere to the
  guidelines and produce meaningful and useful
  work.
• The root security policy addresses how an
  organization handles information, who may access
  it and how. It also specifies allowed and denied
  behavior. And it lists controls that are in
  place.

13
Security Architecture Guidelines

• Specify countermeasures to the threats discovered
  in the risk assessment. This document dictates,
  for example, where to place firewalls, when to
  use encryption, where to place Web servers and
  how to allow communication with Business partners
  and customers. It may identify particular
  products and give instruction on how to deploy
  and manage them. The security architecture
  guidelines specify the assurances that are in
  place, the auditing and the controls.
• This part requires expertise, which you may
  acquire through the services of an outside
  consultant or in-house through education,
  including Web-based resources, books, technical
  papers and conferences.

14
Incident Response Procedure

• Defines What is considered an "incident" in the
  first place? What happens when a security
  incident is discovered? What is done when the
  attacker calls? Who gets called and when?
• It's useful to test the procedure with a sort of
  incident-response procedure drill. When you call
  them, and in what order, must be part of the
  procedure. Calling too many people too soon risks
  letting the cat out of the bag, so to speak, or a
  crying wolf scenario. Calling too few people, too
  late, risks lawsuits.
• Although this process does not require any
  particular technical expertise, it does require a
  lot of thought. Senior managers should carefully
  review this document, after receiving a briefing
  based on the vulnerability assessment. The goal
  is to scare them, but not too much

15
Acceptable Use Policies

• The root computer and network security policy
  will point to various acceptable use policies.
  The number and type of policies depend on the
  analysis of business requirements, risk
  assessment and corporate culture. The acceptable
  use policies are meant for end users. They
  explain which actions are permitted and which are
  prohibited. So there may be acceptable use
  policies for computers, transfer of data, e-mail
  communications, notebook PCs and Web access.

16
System Administration Procedures

• With a proper understanding of the business
  requirements and the risks, and with the security
  architecture guide in place, your organization
  can develop platform-specific policies and
  related procedures. These often lead to lock-down
  guides that address organization-specific steps
  for hardening vendor-supplied systems. Lock-down
  guides are usually products of the system
  administration staff, with information gleaned
  from experience, books and reference guides.
  Also, specified here is what software must and
  must not be in place, and how the systems are to
  be backed up and administered.

17
Do what's possible today?

• Address the known requirements and threats. This
  is one of the benefits of a root policy as a
  framework. It tells us what has to be done. Do
  what's possible today, tag residual risks and
  note tasks to be accomplished.
• Will you get perfect security?
• No. Rather, you'll achieve timely, usable and
  sufficient security in the midst of an
  increasingly dangerous, but exciting networked
  world.

18
Lucent Technologies
19
Corporate Computer and Network Security (CCANS)
Organization

• The preparation and dissemination of computer and
  network security policy and requirement
• Providing security consultation

20

• The investigation of computer and network
  information security violations
• Monitoring for compliance with Lucent Business
  Assurance Instruction (LBAI)
• Conducting risk assessments
• Reviewing non-administrator and remote access
  configurations
• Approving all Data Connection Agreements

21
Network Security Focus On

• Developers
• Resource (Data, System and Application) Owners
• Corporate Sponsors
• Supervisors
• System Administrators
• End Users

22
System Administrators

• Ensuring the modification of executable programs,
  network configuration data, application file
  systems, network data bases, etc. is authorized
• reviewing audit logs daily for evidence of
  unauthorized activity and taking appropriate
  action
• ensuring only authorized or licensed software is
  installed on their computers and servers

23
End Users

• Provide profile information, as required by the
  resource owner, for unique user identification
• Using company approved, licensed software on
  their computers

24

• Reporting all actual attempted and/or suspected
  misuse of computer
• Complying with the security policies and
  requirements identified in LBAI
• Reporting the loss of Proprietary information or
  similarly sensitive information to CCANS

25
Access Corporate Networking - Direct Access

• Unique user Ids/Passwords
• Unique ID/Password
• No shared ID
• Disable after a period of 90 days of inactivity
• Deleted after a period of 120 days of inactivity
• Password (minimum of 7 characters)

26

STOP
This system is restricted solely to Lucent
Technologies authorized users for
legitimate business purpose only. The actual or
attempted unauthorized access, use, or
modification of this system is strictly
prohibited by Lucent Technologies. Unauthorized
users are subject to company disciplinary
proceeding and/or criminal and civil penalties
under state, federal, r other applicable
domestic and foreign laws. The use of this system
may be monitored and recorded for administrative
and security reasons. Anyone accessing this
system expressly consents to such monitoring and
is advised that if monitoring reveals possible
evidence of criminal activity. Lucent
Technologies may provide the evidence of such
activity to law enforcement officials. All users
must comply with Lucent Technologies Corporate
Instructions regarding the protection of Lucent
Technologies information assets.
I Agree
27
Access Corporate Networking - Modem Pools

• No direct dial-up network connectivity to a
  server
• Dial up access to Lucent network must via the
  Lucent Remote Access (LRA)
• A ID/Passwords/Token PIN is required

28
Firewall Rules

• Based on the assumption that no external users
  can be trusted without strong authentication
• The firewall must deny all services that are not
  explicitly permitted
• The only services permitted through the firewall
  are those approved by CCANS
• The firewall must have the ability to generate
  audit logs
• Bell Lab Firewall

29
Abbreviated Proprietary Markings for Screens

• Screen displays containing proprietary
  information must include the appropriate
  proprietary marking

Lucent Technologies Proprietary Use Pursuant to
Company Instruction or Lucent Proprietary
Solely for auth persons having a need to know
30
Corporate E-mail

• Lucent personnel must not send or forward
  proprietary information to non-Lucent e-mail
  account unless the message is encrypted
• E-mail group distribution lists must not include
  non-Lucent e-mail accounts
• NJ E-mail security room

31
Corporate Security Audits - log file

• Login attempts (successful and unsuccessful)
• Logoff
• Attempts to access files/ resources outside their
  privilege level

32

• Attempts to access any files/ resources that have
  been identified by the owner as warranting
  logging
• Operating system configuration changes
• Operating system program changes
• All changes to system security, including adding
  users
• Failures for computer, program, communications
  and operations

33
Firewall

• Protect the confidential information.
• Maintain Internal network system integrity.

Firewall
34
(No Transcript)
35
Major Threats

• Network Packet Sniffers
• IP Spoofing
• Password Attacks
• Distribution of Sensitive Information
• Man-in-the-Middle Attacks

36
Network Packet Sniffers

• A software application that uses a network
  adapter card in promiscuous mode to capture all
  network packets that are sent across a LAN.
• Can provide meaningful and sensitive information

37
IP Spoofing

• Occurs when an attacker outside your network
  pretends to be a trusted computer .
• Use an IP address that is within the range of IP
  addresses for your network or by using an
  authorized IP address that you trust

38
Password Attacks

• Usually refer to repeated attempts to identify a
  user account and/or password.
• Often the attack is performed using a program
  that runs across the network and attempts to log
  into a shared resource, like a server.

39
Distribution of Sensitive Information

• An internal user can easily place sensitive
  information on an external computer or share a
  drive on the network with other users.
• A disgruntled present or former employee can
  distribute sensitive information to competitors .

40
Man-in-the-Middle Attacks

• This attack requires that the attackers have
  access to network packets that come across
  networks.
• Possible uses theft of information, denail of
  service, corruption of transmitted data, and etc.

41
Types of Firewalls

• IP Firewalls
• Application Firewalls
• Stateful Inspection Firewalls

42
IP Firewalls

• Works at the internet layer by examining the
  source and destination address of each incoming
  IP packet
• Can not prevent IP spoofing.

43
(No Transcript)
44
Application Firewalls

• Take into account of the behavior of application.
  
• Also called proxy firewalls.
• All input is not sent directly to the receiver
  but a different port, closing a straight path
  between two networks.

45
(No Transcript)
46
Stateful Inspection Firewalls

• Problem with proxy server formal proxy rules can
  be established for only some applications.
• Observe a series of transaction and keep track of
  states.
• Do not need distinct proxies to be created for
  each application.

47
Case Study

• FIREWALLS
• TicketExpress

48
Background Information

• Company TicketExpress
• Location Malaysia
• Product/Service Intranet and e-commerce
  solutions
• TicketExpress is the is the official Commonwealth
  Games Ticketing Office.
• Goal to change the way that the world
  buys tickets

49
Challenges

• Primary Challenge developing a secure and
  convenient method for people across the world to
  purchase tickets to the Commonwealth Games
• TicketExpress developed a partnership with
  Hypermedia Communications and, together, they
  used a WatchGuard Security System to address
  their problem.

50
Network Architecture

• Software was written in C and run on a UNIX
  Operating System
• Software was a multi-operator system that tracks
  multiple events , producers, and venues
• The UNIX Operating System, along with a database
  made by TicketExpress, helped to speed
  information retrieval

51
Network Architecture (2)

• Security is of extreme importance in this case
  because of the link that is established between
  all pertinent information about the patron and
  the activity.

52
The WatchGuard Firewall System

• Slogan You cant afford to work without it.
  Network security at an affordable price.
• Developed by Seattle Software Labs in response to
  the growing need for secure networking
• WatchGuard system components
• WatchGuard Firebox
• network security appliance featuring a Pentium
  Processor and WatchGuard Security Management
  System (SMS)
• Software that runs on Windows NT, Windows 95, and
  Linux

53
Advantages of the WatchGuard System

• Meets current network protection requirements
• Fits well with normal network management
  procedures
• Easy installation and configuration
• Automatic warning of security-related events
  occurring at the Firewall

54
Philosophy of WatchGuard

• WatchGuard is built on two premises
• The external user is denied an inbound
  connection, unless it has authorization for a
  specific activity
• An ability to enforce security, even if your
  network fails (ie, it shuts off access to its
  network if it thinks that its software has been
  tampered with)

55
The Firebox

• A hardware firewall platform
• Runs transparent proxies and dynamic stateful
  packet filter
• Does not allow user log-ins and only supports
  encrypted connections to the Firebox
• Resides between router and local trusted network
• Provides interface for an optional bastion
  network for FTP, WWW, etc.

56
Firebox Features

• Real-time firewall operating system
• Stream-lined firewall engine
• Camouflages internal addresses
• Tamper-proof operations
• Inspects and blocks unwanted traffic
• Rackmount option available
• Utilizes Secure Socket Layer (SSL) encryption,
  the highest level of security available on the
  Internet

57
Solution for TicketExpress

• Of primary importance is the feeling of security
  by the customer
• Watch Guard assisted Hypermedia Communications in
  installing and running the system

58
Results

• Creation of a secure website to allow patrons to
  see details of different tickets that were
  available.
• Ability to purchase tickets easily and safely
  from anywhere in the world, thanks to the Firebox.

59
Encryption

• Used when
• Data can be intercepted, read or modified
  illegally
• Function
• Encodes data to prevent tampering

60
Process of Encryption

• Cipher - set of rules to transform original
  information to the coded form.
• Both the sender and the receiver must know the
  cipher.
• Example
• Add an arbitrary number of characters to
• all characters in a message.

61
Encryption Components

• Algorithm
• Key
• Cryptographic Algorithm
• Is a mathematical function that combines plain
  text or other intelligible information with a
  string of digits, called a key, to produce cipher
  text.

62
Key

• Number of possible keys for an algorithm depends
  on the number of bits in the key. (256 possible
  combinations for an 8 bit key)
• The greater the number of possible keys, the more
  difficult it is to rack an encrypted message.

63
Types of Encryption

• Symmetric Encryption
• Both sender and receiver possess the same key to
  encrypt and decrypt a message.
• Asymmetric Encryption
• Public key

64
Public Key

• Based on the concept of key pair.
• One public key (associated with the owner)
• One private key (known only by designated
  owner)
• Messages encoded by either key can be decoded by
  the other.

65
Public Key
66
Digital Certificates

• Public keys are distributed by Certification
  Authority who issue a Digital Certificate which
  serves as a proof of Owners identity.
• Verisign, Cybertrust, Nortel, USPS

67

• Level of knowledge necessary
• Resources

68
(No Transcript)
69
Curriculum for Systems Administrators
Curriculum for Managers
70
(No Transcript)
71
Resources

• Government
• Advisors
• WWW, Documents, FAQ, etc

72
Government Impact

• Role of government agencies
• Set standards for the design, implementation, and
  certification of security technologies
• Control the export of technologies to companies
  international location

73
Government Agencies

• The Computer Security Resource Clearinghouse
  (CSRC)
• Raise awareness of all computer systems users
  about computer security
• The Computer Technology Center (CSTC)
• Operational Incident Response
• Advance Security Projects
• Secure Systems Services

74

• Awareness of National Security Issues and
  Response (ANSIR)
• Provide unclassified warning information and
  national security issues
• National Institute of Standards and Technology
  (NIST)
• Issues publications that deals with computer
  security standards and guidelines

75

• National Computer Security Center (NCSC)
• Provide guidelines to the industry designed to
  help them develop trusted systems
• Provide security certification programs called
  The Trusted Computer System Evaluation Criteria
  (TCSEC) commonly referred as
• The orange Book
• Computer Emergency Response Team (CERT)
• Started by the U.S. Department of Defense
• Originally work as incident response center
• Coordinate large-scales incidents, provide
  training and research causes
• Private Key http//www.cert.org/pgp/cert_pgp_ke
  y.asc

76
Advisors

• Independent groups
• Forum of Incident Response and Security Teams
• CIAC Security Bulletins
• From vendors
• Linux Security Alert
• Microsoft Security Advisor
• OpenBSD

77
(No Transcript)