Securing your presence at the perimeter

622 views

Published on

Presentation: Securing your presence at the perimeter.

Given by: Ben Rothke

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
622
On SlideShare
0
From Embeds
0
Number of Embeds
13
Actions
Shares
0
Downloads
11
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Securing your presence at the perimeter

  1. 1. Securing your presence at the perimeter Ben Rothke, CISSP CISA BT Global Services Senior Security Consultant
  2. 2. About me….• Ben Rothke (too many certifications)• Senior Security Consultant – British Telecom• Frequent writer and speaker• Author - Computer Security: 20 Things Every Employee Should KnowBT Americas Inc. 2
  3. 3. The perimeter is not necessarily dead• Firewalls and border routers are still the cornerstone for perimeter security• Always will be a place for VPNs• Attacks occur at the application layer – So ensure app securityBT Professional Services 3
  4. 4. But the perimeter it is getting blurred…• VPNs• complicated network connections with multiple partners – contractors, consultants – 3rd party collaboration – vendors• wireless networks• laptops• malicious insiders – worms (compromised computers can be seen as malicious insiders)BT Professional Services 4
  5. 5. Ok, the perimeter is dead, the cloud proves itBT Professional Services 5
  6. 6. Perimeter challenges• Determining proper firewall design• access to resources for remote users• effective monitoring and reporting• need for enhanced packet inspection• security standards compliance• long-term maintenance• ensuring attackers don’t find that single vulnerability• data leakageBT Professional Services 6
  7. 7. Was your perimeter designed in 30 minutes?BT Professional Services 7
  8. 8. Key points• Perimeter security is popular – cheap, convenient, somewhat effective – firewalls and IDS most common tools for network security• Firewalls and IDS fighting an uphill battle – both attackers and legitimate users struggle to avoid/evade them• Security management is a key challengeBT Professional Services 8
  9. 9. Securing network perimeters• Goal is to provide adequate access without jeopardizing confidential or mission-critical areas• Elements: – firewalls, IDS, bastion host, Network Address Translation (NAT), proxy servers – combined with authentication mechanisms• Bastion host – provides Web, FTP, e-mail, or other services running on a specially secured serverBT Professional Services 9
  10. 10. But the firewall is not a panacea• Malicious traffic that is passed on open ports and not inspected by the firewall• any traffic that passes through an encrypted tunnel or session• attacks after a network has been penetrated• traffic that appears legitimate• users and administrators who intentionally or accidentally install viruses• administrators who use weak passwordsBT Professional Services 10
  11. 11. Policy is required to secure a perimeter• Firewall policies typically lists of allow or deny rules• what should the default rule be?• Default allow: – convenient since doesn’t interfere with legitimate activity• Default deny: – more secure, since every allowed use undergoes security review – if policy too restrictive, people complain and it gets fixed – if policy too permissive, only learn about it too late after an attackBT Professional Services 11
  12. 12. Other policy issues• Scale – Large organizations have thousands of rules – How do you process them efficiently? – How do you know they are correct?• Ingress vs. egress filtering – Ingress: filter packets from the Internet – Egress: filter traffic to the Internet (why?)BT Professional Services 12
  13. 13. Operational weaknessess• Technology – firewall rules not adequately maintained – system configurations and access not being monitored – passwords• Standards – unpatched software/firmware – no criteria for hiring outside auditors and IT pros – no consistent security assessments – production data being used for dev/QA appsBT Professional Services 13
  14. 14. Start thinking about DLP• Small data leaks lead to major damage – a minor water leak… – becomes major structural damageBT Professional Services 14
  15. 15. There is a lot DLP can do• Detect sensitive content in any combination of network traffic, data at rest or endpoint operations• Detect sensitive content using – sophisticated content-aware detection techniques, including partial/exact document matching, structured data fingerprinting, statistical analysis, extended regular expression matching, conceptual and lexicon analysis, and more• Support detection of sensitive data content in structured and unstructured data, using registered or described data definitions• Block email communication policy violationsBT Professional Services 15
  16. 16. Do you have authority over your data?• DLP enables you to finally control your data: – Identify: know where your data resides – Monitor: what is happening, who did it, when – Warning: user alerted when moving sensitive data – Prevention: unauthorized actions are thwarted – Control: only approved devices can be used – Reporting: compliance reports (SoX, PCI, HIPAA / HITECH, GLBA, Euro-SoX, and more)BT Professional Services 16
  17. 17. Testing• Publicly-accessible systems – IP-hosts – all web apps – web services• Web interfaces: – routers – firewalls – email• WirelessBT Professional Services 17
  18. 18. Ask lots of questions and fill up whiteboards1. What are we doing beyond vulnerability scans to find security flaws?2. Are we looking at all of our critical perimeter systems?3. When are we going to get to everything else?4. What are the results of our latest external security assessment?5. What’s being done to resolve these issues?6. Even if nothing is turned up, when’s our next round of testing scheduled for?7. Have we started thinking about the data?8. Should we consider DLP?BT Professional Services 18
  19. 19. Use tools• There are myriad tools, use them judiciously – QualysGuard – WebInspect – Acunetix WVS – CommView for WiFi – Web browsers – Google – other exploit tools – Make sure your staff reads Security Strategy: From Requirements to Reality – http://amzn.to/fT2yG6BT Professional Services 19
  20. 20. Creating and maintaining a strong perimeter• Good design• updated design• built and designed by engineers – with management oversight• risk-based• business needs understood• maintained – competent staff – maintained at an adequate levelBT Professional Services 20
  21. 21. Contact info…• Ben Rothke, CISSP CISA• Senior Security Consultant• BT Professional Services• www.linkedin.com/in/benrothke• www.twitter.com/benrothke• www.slideshare.net/benrothkeBT Professional Services 21

×