Hear expert penetration tester Mark Wolfgang and AlgoSec explain:
* Common network segmentation mistakes organizations make every day
* How to strategically segment your network for security
* How to enforce network segmentation using automated security policy management
4. "Getting from a procurement portal to a
cardholder data environment is a long road"
“Only highly skilled hackers could find a way
around such network segmentation”
“… If Target gave the vendor too much access
to the network the blame lies firmly with
Target…”
6. Mark Wolfgang, CISSP, RHCE
• President/CEO Shorebreak Security
• 14+ years experience in security testing
• Co-author of two Information Security books –
both on penetration testing
• Author of other whitepapers and published articles
on Information Security/pen testing
• 8 years in the U.S. Navy
7. About Shorebreak Security
• Veteran-owned small business
• Boutique firm, specializing in Information Security Testing
– Penetration Testing
– Vulnerability Assessments
– Risk Assessments
• Based in Cocoa Beach, Florida
“We don’t want to be the biggest, we just want to be the best”
8. Our Security Engineers
– Most have over 15 years of IT experience
– With at least 8 years of Information Security
experience, and most of that doing penetration
testing
– Most have TS/SCI clearances
– Most are CISSPs, with a host of other certifications
– Many are published authors and experienced
speakers
9. What is Penetration Testing?
• Security Testing
• An accurate determination of risk to your networks and
systems are by emulating various threat agents and
testing people, processes, and technology
• A methodology, not the use of one or two (or 10)
security tools
• Emulation of threats varying from the script kiddie to
more sophisticated and persistent attackers
10. What is Network Segmentation?
• Classifying and isolating
– IT assets
– Data
– Personnel
• Where’s the money Lebowski?
15. How Attackers Work
• Initial entry point (access)
• Gather and analyze information
• Leverage and expand access
16. Example Attack – “Owned” a Large City
• Conducted a full-scope assessment of a large U.S. municipality
• Obtained access and full control of the building access system
– Any door in the city with a prox card reader, including:
– Police gun locker
– Police evidence locker
– Police Narcotics vault
– Police holding cell
– Mayor’s office
– Server rooms etc
• Obtained access and full control of CCTV and guard workstations
• Obtained access and full control of a Windows DC
• ALL FROM THE PUBLIC WIRELESS NETWORK!
17. Example Attack – Large City
• Initial entry point (access) – null sa password
• Gather and analyze information – dumped and cracked
local Windows passwords. Scanned network and
compiled a target list.
• Leverage and expand access – used cracked password
on ALL other Windows systems. Gained access to
hundreds.
• Same password was used on guard workstations, CCTV,
badge & building access control server etc
18. Why?
• Could I even see the critical computers?
• Could I attempt to logon?
• Weren’t they invisible?
19. Lack of proper network
segmentation!
Almost always a finding and a root cause on
our pen tests.
21. How to Segment for Security
• Understand your business or organizational drivers
• How does revenue enter the business stream?
• Which IT assets, data, and personnel are critical to
ensure continuity of business or mission?
22. Planning for Segmentation
• Group and inventory assets, personnel, data
• Example for assets:
– Windows servers
– Infrastructure (routers, switches, VPNS, VOIP)
– Security (IDS, firewalls, web filter, scanners)
– Financial/HR servers (Oracle, SAP, Peoplesoft, SAS)
23. Planning for Segmentation
• Group and inventory assets, personnel, data
• Example for personnel:
– Windows server admins
– Windows workstation admins
– Unix admins
– Security admins
– Network admins
– HR Dept
– Executive management
24. Determine level of access based on business
need.
E.g. Who has a business need to:
• Administer the routers, switches, VOIP phones etc?
• Access the HR, Financials and other admin-related systems?
• Access the security cameras?
• Administer the *nix servers
No business need – No access!
25. Implementing Segmentation
• Start somewhere – maybe with a network admin
segment
• Setup VLAN named, network-admins (for their
workstations) and network-devices (for routers &
switches)
• Log all traffic between segments – traffic analysis
• Start blocking with ultimate goal of default deny
• Make sure you have the controls to make sure
segmentation is enforced
26. Successful Segmentation
• Reduces risk – shuts down attackers
• Is a part of defense-in-depth
• Provides the foundation for a secure network
• Is not easy, nor is it quick
• As (or more) important than patching
30. Firewall Breaches Data Center Automation
5% Vulnerabilities
95% Misconfiguration
The Security Management Balancing Act
Confidential 30
Security
Agility
Prevent Cyber
Attacks
Enable Business
Applications
Resource Time to
Provision
Server Minutes
Storage Minutes
Security
Access Days/Weeks
31. Security Management Challenges
Confidential 31
Complexity
• 1000s of security access rules
• Highly-connected business
critical applications
Change
• Data center consolidation,
network re-architecting
• Application connectivity
requirements
• New security devices
Compliance
• Complex regulations, industry
standards and internal
mandates
• Time-consuming audits
Collaboration
• Business owners think in
terms of applications
• Networking teams think in
terms of IPs and servers
• Security teams think in terms
of IT Risk
Challenges
32. Firewall
Analyzer
Security Policy
Analysis & Audit
FireFlow
Security Policy
Change Automation
BusinessFlow
Business Application
Connectivity Mgmt
Business
Applications
Security
Infrastructure
The AlgoSec Suite
32
Application Owners
AlgoSec Security Management Suite
SecurityNetwork Operations
35. Connect with AlgoSec on:
www.AlgoSec.com
Managing Security at the Speed of Business
Editor's Notes
DMZ example
DMZ example
DMZ example
More than ever, organizations today need to balance between security and business agility.
The first reason we deploy security infrastructure such as firewalls, routers, secure web gateways etc. is to protect the business against cyber attacks. But with today’s complexity, advanced threats and new technologies, it is a real challenge to manage the security policy. According to Gartner 95% of firewall breaches are a result of misconfiguration, not firewall flaws.
But firewalls have a second, and arguably more important objective – enabling connectivity for your business applications. (After all, most firewall are rules are not BLOCK rules, they are ALLOW rules). Modern datacenters are highly automated, and IT teams can provision a new server or database in minutes with just a few mouse clicks, sometimes this is a fully automated process which requires no human intervention.
However, provisioning security for the application (I.e. ensuring all the ports and connectivity paths are enabled) is still a very manual and lengthy process that slows down the business. Security team often needs days and even weeks to identify what firewalls to change, and design and push-out the change in a secure and efficient manner.
Let us examine the 4 challenges that make security management so challenging (The 4 “C”s)
Complexity – over time, firewalls accumulate thousands of rules and objects (many of which are poorly documented, go unused and/or risky). Today’s modern business applications are also complex, consisting of several servers (application servers, middleware, databases) and complex connectivity requirements. This complexity creates both business disruption and security implications.
Change – the security policy is ever-changing: network changes are frequent, resulting for example from consolidating data centers or migrating applications to the cloud, all requiring changes in firewalls and routers which may impact application availability. Applications change frequently as well, and newer versions often need new connectivity. New security devices (E.g. next-gen firewalls) are being introduced which require even more changes)
Communication – there are different teams that need collaborate to make security management work – risk teams, network teams and application owners. But these teams are usually siloed and don’t have good processes defined to work together. Furthermore, they speak in different languages, causing translation gaps. For example, the application team does not how to communicate requirements in terms the security team can implement, and the security team often defines a policy that the network team does not know how (or care) to enforce.
Compliance – everything you do from a security perspective has to comply with external regulations and internal mandates. Frequent audits take a lot of time, leaving less time for strategic initiatives.
The AlgoSec Suite is made up of 3 separate yet tightly integrated products.
BusinessFlow provides an application-centric approach to managing the security policy. It discovers and maintains visibility of application connectivity requirements so you can
Process connectivity changes for applications faster and more accurately
Securely remove access for decommissioned applications
Understand the impact your network security infrastructure has on business applications, and vice-versa
BusinessFlow automatically translates vague application connectivity needs into concrete firewall rules that the network teams can implement. Application owners can request connectivity in their language (E.g. connect the webserver to the database) and BusinessFlow discovers what (if any) devices and rules needs to change.
Firewall Analyzer connects and understands your security infrastructure, including firewalls from all the leading vendors, routers, switches and web proxies. Firewall Analyzer pulls configurations from these devices and gives you complete visibility and control of your policy to automate and streamline daily firewall operations such as –
Troubleshooting (E.g. Which firewall(s) and rule(s) are blocking traffic from point A to point B)
Auditing
Baseline configuration compliance
Risky rule analysis and much more
The third and final component of the suite is FireFlow, which automates the security change process. FireFlow adds network and firewall intelligence to the change process, and complements ticketing systems such as Remedy and ServiceNow, so you can process changes 2x-4x faster and with greater accuracy.
Capabilities include automatically discovering devices and rules that need to change and automatically closing changes which “already work” – as many as 30% of requests!
Optimal design of new rules and object minimize policy clutter, and automatic validation of correct implementation eliminates re-opening of tickets.
FireFlow also guarantees continuous compliance by proactively simulating and checking every change before it is implements. With this approach, organizations ensure they are compliant at all times and do not have to resort to periodic “house cleaning” projects in time for an audit.