9.35 The Armored Network

1
9.35 The Armored Network

• I know of no undetected penetrations of the ATT
  network.
• Attributed to Bill Cheswick by Amoroso and Sharp

2
Presenters

• Dave Wordhouse
• VP Network Technologies
• dwordhouse_at_cuanswers.com
• Jim Lawrence
• Internal Network Manager
• jlawrence_at_cuanswers.com
• Tony Walliczek
• Internal Network Coordinator
• twalliczek_at_cuanswers.com
• Jim Vickers
• Internal Network Coordinator
• jvickers_at_cuanswers.com
• Fred Damstra
• Internal Network Coordinator
• fdamstra_at_cuanswers.com

3
Agenda

• Five Basic Levels of Information System Defense
• Applied Network Security at CUAnswers
• Components of the IT Administrators Toolbox
• Security Audit Checklist
• Additional Resources

4
Five Basic Levels of Information System Defense
5
Five Basic Levels of Information System Defense

• Perimeter Level
• Where your network interacts with untrusted
  networks
• Network Level
• Trusted network devices/systems interact
• Servers, clients, switches, hubs, printers
• Host Level
• Each individual device/system on your trusted
  network
• Operating System, physical access
• Application Level
• Programs running on the device/system
• Mail server, web server, database
• Data Level
• Data accessed by programs
• File permissions, encryption

6
Network Security at CUAnswers

• http//www.cuanswers.com/client_pm_bp_securprec.ph
  p
• http//www.wesconet.com
• Offers professional assistance with
• Independent Auditing
• Network Defense
• Training
• Data Archival
• High Availability

7
The IT Administrators Toolbox

• Blueprint (Security Policy)
• Physical security
• Firewall(s)
• Layered anti-virus protection
• Intrusion detection/prevention systems
• Hardened servers and hosts
• Vulnerability scanners to test/adjust your
  security
• Encryption to protect your data
• Data archive strategy
• Security audit checklist

8
The Security Blueprint (Security Policy)

• Security Policy should include
• Acceptable use policy
• Security incident handling procedures
• Incident escalation procedures
• Remote access policy
• Firewall management policy
• Disaster recovery policy
• Must be communicated to and understood by all
  staff
• Review and audit often.

9
Physical Security

• Physical access to your network devices and media
• Wiring closets
• Server rooms
• Unattended workstations
• Open wall jacks (data)
• Redundancy, high availability
• Multiple power supplies
• Multiple power sources
• Protection against natural disasters
• Power

10
Firewall(s)

• Firewall at the perimeter.
• Appliance
• (Sonicwall, etc.)
• Software based
• (Checkpoint, etc.)
• Firewall on the host(s).
• Centrally managed.
• Trend Micro Officescan
• Dont just set it and forget it.
• Periodic firewall policy review.
• Threats change, so must your protection.
• Log administration.
• Know whats being logged and whats not being
  logged.
• Penetration testing.
• - Nessus, Qualys, etc.

11
Anti-virus Protection

• Centralized deployment.
• Central download, deployment, logging, alerting.
• Quarantine infected workstation.
• At the gateway and on the hosts.
• Layered approach.
• Spyware protection.
• Most commercial packages protect against Spyware
• Trend Micro Officescan
• Educate users about attached and downloading
  files.
• Last layer of protection is the user at the
  keyboard/mouse.

12
Intrusion Detection and/or Prevention

• Intrusion Detection vs Intrusion Prevention.
• Pros and Cons of each.
• Now bundled as a feature of new generation
  firewalls.
• Sonicwall
• Host based vs Network based.
• Combination of both is preferred.
• Log administration.
• Its not just whats getting logged but also
  whats not getting logged.

13
Hardened Servers and Hosts

• New hardware checklist.
• www.microsoft.com/security for best practices.
• Keep systems patched.
• Operating Systems and Applications.
• Patch management software available.
• Shavlik Pro
• Microsoft SUS, WUS
• Implement proper ACLs.
• Remove any unnecessary services.
• Install anti-virus and host-based IDS.
• Microsoft Baseline Security Analyzer.
• Other tools available from Microsoft.
• Monitor System, Application, Event logs.

14
Vulnerability Scanners

• Scan your network for vulnerabilities that could
  be exploited by an attacker.
• Port scanner vs Application scanner.
• Three types of analysis
• Signature Intrusion Analysis
• Looks for specific attacks against known weak
  points of a system.
• Statistical Intrusion Analysis
• Based on observations of deviations from normal
  system usage patterns.
• Integrity Analysis
• Reveals whether a file or object has been
  modified

15
Data Encryption

• Protect your data while in transit and on the
  media.
• Encryption Technologies can solve these problems
• Prevent unauthorized access.
• Guarantee data integrity.
• Authenticate users.
• Provide non-repudiation of actors involved by
  using digital signatures.
• Secure Socket Layer (SSL) Encryption.

16
Data Archive Strategy

• The best backup strategy starts with the Restore!
• Determine what data needs to be archived.
• Create a plan.
• Base backup.
• Incremental backup
• Differential backup
• Frequency and speed of data restore.
• Consider your network environment.
• Operating systems (Windows, Unix, etc.)
• Firewalls (bandwidth, etc.)
• Switches, hubs.
• CUAnswers uses Syncsort Backup Express.
• Carefully consider the backup media.
• NAS (Network Attached Storage) devices offer
  speed at a cost.
• Tapes come in hundreds of types/speeds/storage
  capacities.

17
The promise of High Availability

• HA offers Application Resiliency.
• Critical Applications can remain active even when
  the primary hardware they rely on goes down.
• Applications can remain active through
  maintenance cycles and backups.
• HA offers the promise of minimal down time.
• Staff can remain working on HA equipment almost
  transparently.
• Customers can keep using services instead of
  receiving unavailable messages.
• Some disaster situations are eliminated
  completely.
• HA does require more administration.
• Configuration.
• Testing.
• Training.

18
CUAnswers High Availability Solution

• i-Tera Echo2
• Uses Remote Journaling to transmit data changes
  between the production and backup node at the
  operating system level over TCP/IP.
• Simplified roll-over process for testing and real
  emergencies.
• Roll-over process takes less than 30 minutes.

19
Security Audit Checklist

• Some questions you may be asked
• Are passwords difficult to crack?
• Are there access control lists (ACLs) in place on
  network devices to control who has access to
  shared data?
• Are there audit logs to record who accesses data?
  
• Are the audit logs reviewed?
• Are the security settings for operating systems
  in accordance with accepted industry security
  practices?
• Have all unnecessary applications and computer
  services been eliminated for each system?
• Are these operating systems and commercial
  applications patched to current levels?
• How is backup media stored?
• Who has access to it?
• Is it up-to-date?
• Is there a disaster recovery plan?
• Have the participants and stakeholders ever
  rehearsed the disaster recovery plan?

20
Additional Resources

• CUAnswers has two CISSP (Certified Information
  Systems Security Professional) on staff.
• Randy Brinks (rbrinks_at_wesconet.com)
• Joe Couture (jcouture_at_wesconet.com)
• CERT (www.cert.org)
• Home computer security document
• Home computer security checklist handout
• SANS (www.sans.org)
• Microsoft Product Security Notification
• http//www.microsoft.com/technet/treeview/?url/te
  chnet/security/bulletin/notify.asp
• (http//www.microsoft.com/security/)
• BugTraq (www.securityfocus.com)

21
Additional Resources

• Other SECURE-U courses
• 9.15 Security Essentials
• Essential security and privacy issues
• 9.35 The Armored Network
• Network security at CUAnswers
• 9.55 The Human Side of Security
• Social Engineering and other exploits
• 9.65 Disaster Recovery and Business
  Continuity
• The CUAnswers plan

22
Questions and Answers

• ???