Segmenting your Network for Security - The Good, the Bad and the Ugly


Published on

Hear expert penetration tester Mark Wolfgang and AlgoSec explain:
* Common network segmentation mistakes organizations make every day
* How to strategically segment your network for security
* How to enforce network segmentation using automated security policy management

Published in: Technology
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • DMZ example
  • DMZ example
  • DMZ example
  • More than ever, organizations today need to balance between security and business agility.
    The first reason we deploy security infrastructure such as firewalls, routers, secure web gateways etc. is to protect the business against cyber attacks. But with today’s complexity, advanced threats and new technologies, it is a real challenge to manage the security policy. According to Gartner 95% of firewall breaches are a result of misconfiguration, not firewall flaws.

    But firewalls have a second, and arguably more important objective – enabling connectivity for your business applications. (After all, most firewall are rules are not BLOCK rules, they are ALLOW rules). Modern datacenters are highly automated, and IT teams can provision a new server or database in minutes with just a few mouse clicks, sometimes this is a fully automated process which requires no human intervention.
    However, provisioning security for the application (I.e. ensuring all the ports and connectivity paths are enabled) is still a very manual and lengthy process that slows down the business. Security team often needs days and even weeks to identify what firewalls to change, and design and push-out the change in a secure and efficient manner.
  • Let us examine the 4 challenges that make security management so challenging (The 4 “C”s)
    Complexity – over time, firewalls accumulate thousands of rules and objects (many of which are poorly documented, go unused and/or risky). Today’s modern business applications are also complex, consisting of several servers (application servers, middleware, databases) and complex connectivity requirements. This complexity creates both business disruption and security implications.
    Change – the security policy is ever-changing: network changes are frequent, resulting for example from consolidating data centers or migrating applications to the cloud, all requiring changes in firewalls and routers which may impact application availability. Applications change frequently as well, and newer versions often need new connectivity. New security devices (E.g. next-gen firewalls) are being introduced which require even more changes)
    Communication – there are different teams that need collaborate to make security management work – risk teams, network teams and application owners. But these teams are usually siloed and don’t have good processes defined to work together. Furthermore, they speak in different languages, causing translation gaps. For example, the application team does not how to communicate requirements in terms the security team can implement, and the security team often defines a policy that the network team does not know how (or care) to enforce.
    Compliance – everything you do from a security perspective has to comply with external regulations and internal mandates. Frequent audits take a lot of time, leaving less time for strategic initiatives.
  • The AlgoSec Suite is made up of 3 separate yet tightly integrated products.
    BusinessFlow provides an application-centric approach to managing the security policy. It discovers and maintains visibility of application connectivity requirements so you can
    Process connectivity changes for applications faster and more accurately
    Securely remove access for decommissioned applications
    Understand the impact your network security infrastructure has on business applications, and vice-versa

    BusinessFlow automatically translates vague application connectivity needs into concrete firewall rules that the network teams can implement. Application owners can request connectivity in their language (E.g. connect the webserver to the database) and BusinessFlow discovers what (if any) devices and rules needs to change.

    Firewall Analyzer connects and understands your security infrastructure, including firewalls from all the leading vendors, routers, switches and web proxies. Firewall Analyzer pulls configurations from these devices and gives you complete visibility and control of your policy to automate and streamline daily firewall operations such as –
    Troubleshooting (E.g. Which firewall(s) and rule(s) are blocking traffic from point A to point B)
    Baseline configuration compliance
    Risky rule analysis and much more

    The third and final component of the suite is FireFlow, which automates the security change process. FireFlow adds network and firewall intelligence to the change process, and complements ticketing systems such as Remedy and ServiceNow, so you can process changes 2x-4x faster and with greater accuracy.
    Capabilities include automatically discovering devices and rules that need to change and automatically closing changes which “already work” – as many as 30% of requests!
    Optimal design of new rules and object minimize policy clutter, and automatic validation of correct implementation eliminates re-opening of tickets.
    FireFlow also guarantees continuous compliance by proactively simulating and checking every change before it is implements. With this approach, organizations ensure they are compliant at all times and do not have to resort to periodic “house cleaning” projects in time for an audit.
  • Segmenting your Network for Security - The Good, the Bad and the Ugly

    1. 1. Segmenting your Network for Security The Good, The Bad and the Ugly
    2. 2. Our Speakers 2 Mark Wolfgang President Shorebreak Security Nimmy Reichenberg VP Strategy AlgoSec
    3. 3. seg·men·ta·tion
    4. 4. "Getting from a procurement portal to a cardholder data environment is a long road" “Only highly skilled hackers could find a way around such network segmentation” “… If Target gave the vendor too much access to the network the blame lies firmly with Target…”
    5. 5. 5 Poll
    6. 6. Mark Wolfgang, CISSP, RHCE • President/CEO Shorebreak Security • 14+ years experience in security testing • Co-author of two Information Security books – both on penetration testing • Author of other whitepapers and published articles on Information Security/pen testing • 8 years in the U.S. Navy
    7. 7. About Shorebreak Security • Veteran-owned small business • Boutique firm, specializing in Information Security Testing – Penetration Testing – Vulnerability Assessments – Risk Assessments • Based in Cocoa Beach, Florida “We don’t want to be the biggest, we just want to be the best”
    8. 8. Our Security Engineers – Most have over 15 years of IT experience – With at least 8 years of Information Security experience, and most of that doing penetration testing – Most have TS/SCI clearances – Most are CISSPs, with a host of other certifications – Many are published authors and experienced speakers
    9. 9. What is Penetration Testing? • Security Testing • An accurate determination of risk to your networks and systems are by emulating various threat agents and testing people, processes, and technology • A methodology, not the use of one or two (or 10) security tools • Emulation of threats varying from the script kiddie to more sophisticated and persistent attackers
    10. 10. What is Network Segmentation? • Classifying and isolating – IT assets – Data – Personnel • Where’s the money Lebowski?
    11. 11. We Understand Basic Segmentation
    12. 12. How Attackers Work • Initial entry point (access) • Gather and analyze information • Leverage and expand access
    13. 13. Example Attack – “Owned” a Large City • Conducted a full-scope assessment of a large U.S. municipality • Obtained access and full control of the building access system – Any door in the city with a prox card reader, including: – Police gun locker – Police evidence locker – Police Narcotics vault – Police holding cell – Mayor’s office – Server rooms etc • Obtained access and full control of CCTV and guard workstations • Obtained access and full control of a Windows DC • ALL FROM THE PUBLIC WIRELESS NETWORK!
    14. 14. Example Attack – Large City • Initial entry point (access) – null sa password • Gather and analyze information – dumped and cracked local Windows passwords. Scanned network and compiled a target list. • Leverage and expand access – used cracked password on ALL other Windows systems. Gained access to hundreds. • Same password was used on guard workstations, CCTV, badge & building access control server etc
    15. 15. Why? • Could I even see the critical computers? • Could I attempt to logon? • Weren’t they invisible?
    16. 16. Lack of proper network segmentation! Almost always a finding and a root cause on our pen tests.
    17. 17. Common Segmentation Mistakes • Not segmenting at all • Not segmenting enough • Over-segmenting
    18. 18. How to Segment for Security • Understand your business or organizational drivers • How does revenue enter the business stream? • Which IT assets, data, and personnel are critical to ensure continuity of business or mission?
    19. 19. Planning for Segmentation • Group and inventory assets, personnel, data • Example for assets: – Windows servers – Infrastructure (routers, switches, VPNS, VOIP) – Security (IDS, firewalls, web filter, scanners) – Financial/HR servers (Oracle, SAP, Peoplesoft, SAS)
    20. 20. Planning for Segmentation • Group and inventory assets, personnel, data • Example for personnel: – Windows server admins – Windows workstation admins – Unix admins – Security admins – Network admins – HR Dept – Executive management
    21. 21. Determine level of access based on business need. E.g. Who has a business need to: • Administer the routers, switches, VOIP phones etc? • Access the HR, Financials and other admin-related systems? • Access the security cameras? • Administer the *nix servers No business need – No access!
    22. 22. Implementing Segmentation • Start somewhere – maybe with a network admin segment • Setup VLAN named, network-admins (for their workstations) and network-devices (for routers & switches) • Log all traffic between segments – traffic analysis • Start blocking with ultimate goal of default deny • Make sure you have the controls to make sure segmentation is enforced
    23. 23. Successful Segmentation • Reduces risk – shuts down attackers • Is a part of defense-in-depth • Provides the foundation for a secure network • Is not easy, nor is it quick • As (or more) important than patching
    24. 24. Defining and Enforcing Network Segmentation Confidentia l 28
    25. 25. 29 Poll
    26. 26. Firewall Breaches Data Center Automation 5% Vulnerabilities 95% Misconfiguration The Security Management Balancing Act Confidential 30 Security Agility Prevent Cyber Attacks Enable Business Applications Resource Time to Provision Server Minutes Storage Minutes Security Access Days/Weeks
    27. 27. Security Management Challenges Confidential 31 Complexity • 1000s of security access rules • Highly-connected business critical applications Change • Data center consolidation, network re-architecting • Application connectivity requirements • New security devices Compliance • Complex regulations, industry standards and internal mandates • Time-consuming audits Collaboration • Business owners think in terms of applications • Networking teams think in terms of IPs and servers • Security teams think in terms of IT Risk Challenges
    28. 28. Firewall Analyzer Security Policy Analysis & Audit FireFlow Security Policy Change Automation BusinessFlow Business Application Connectivity Mgmt Business Applications Security Infrastructure The AlgoSec Suite 32 Application Owners AlgoSec Security Management Suite SecurityNetwork Operations
    29. 29. Demonstration Confidentia l 33
    30. 30. Q&A 34 Mark Wolfgang Nimmy Reichenberg Recommended Resources on
    31. 31. Connect with AlgoSec on: Managing Security at the Speed of Business