Segmenting your Network for Security - The Good, the Bad and the Ugly


Hear expert penetration tester Mark Wolfgang and AlgoSec explain:
* Common network segmentation mistakes organizations make every day
* How to strategically segment your network for security
* How to enforce network segmentation using automated security policy management

  1. Segmenting your Network for Security: The Good, The Bad and the Ugly
  2. Our Speakers: Mark Wolfgang, President, Shorebreak Security; Nimmy Reichenberg, VP Strategy, AlgoSec
  3. seg·men·ta·tion
  4. "Getting from a procurement portal to a cardholder data environment is a long road" / "Only highly skilled hackers could find a way around such network segmentation" / "… If Target gave the vendor too much access to the network the blame lies firmly with Target…"
  5. Poll
  6. Mark Wolfgang, CISSP, RHCE • President/CEO, Shorebreak Security • 14+ years of experience in security testing • Co-author of two Information Security books, both on penetration testing • Author of other whitepapers and published articles on Information Security/pen testing • 8 years in the U.S. Navy
  7. About Shorebreak Security • Veteran-owned small business • Boutique firm specializing in Information Security Testing – Penetration Testing – Vulnerability Assessments – Risk Assessments • Based in Cocoa Beach, Florida • "We don't want to be the biggest, we just want to be the best"
  8. Our Security Engineers – Most have over 15 years of IT experience – With at least 8 years of Information Security experience, most of that doing penetration testing – Most have TS/SCI clearances – Most are CISSPs, with a host of other certifications – Many are published authors and experienced speakers
  9. What is Penetration Testing? • Security Testing • An accurate determination of the risk to your networks and systems, made by emulating various threat agents and testing people, processes, and technology • A methodology, not the use of one or two (or 10) security tools • Emulation of threats ranging from the script kiddie to more sophisticated and persistent attackers
  10. What is Network Segmentation? • Classifying and isolating – IT assets – Data – Personnel • Where's the money, Lebowski?
  11. We Understand Basic Segmentation
  12. How Attackers Work • Initial entry point (access) • Gather and analyze information • Leverage and expand access
  13. Example Attack: "Owned" a Large City • Conducted a full-scope assessment of a large U.S. municipality • Obtained access to and full control of the building access system, i.e. any door in the city with a prox card reader, including: – Police gun locker – Police evidence locker – Police narcotics vault – Police holding cell – Mayor's office – Server rooms, etc. • Obtained access to and full control of CCTV and guard workstations • Obtained access to and full control of a Windows DC • ALL FROM THE PUBLIC WIRELESS NETWORK!
  14. Example Attack: Large City • Initial entry point (access): null sa password • Gather and analyze information: dumped and cracked local Windows passwords; scanned the network and compiled a target list • Leverage and expand access: used the cracked password on ALL other Windows systems and gained access to hundreds • The same password was used on guard workstations, CCTV, the badge & building access control server, etc.
  15. Why? • Could I even see the critical computers? • Could I attempt to log on? • Weren't they invisible?
  16. Lack of proper network segmentation! Almost always a finding, and a root cause, on our pen tests.
  17. Common Segmentation Mistakes • Not segmenting at all • Not segmenting enough • Over-segmenting
  18. How to Segment for Security • Understand your business or organizational drivers • How does revenue enter the business stream? • Which IT assets, data, and personnel are critical to ensure continuity of business or mission?
  19. Planning for Segmentation • Group and inventory assets, personnel, data • Example for assets: – Windows servers – Infrastructure (routers, switches, VPNs, VoIP) – Security (IDS, firewalls, web filter, scanners) – Financial/HR servers (Oracle, SAP, PeopleSoft, SAS)
  20. Planning for Segmentation • Group and inventory assets, personnel, data • Example for personnel: – Windows server admins – Windows workstation admins – Unix admins – Security admins – Network admins – HR Dept – Executive management
  21. Determine level of access based on business need, e.g. who has a business need to: • Administer the routers, switches, VoIP phones, etc.? • Access the HR, Financials and other admin-related systems? • Access the security cameras? • Administer the *nix servers? No business need – no access!
  22. Implementing Segmentation • Start somewhere, maybe with a network admin segment • Set up VLANs named network-admins (for their workstations) and network-devices (for routers & switches) • Log all traffic between segments for traffic analysis • Start blocking, with the ultimate goal of default deny • Make sure you have the controls to ensure segmentation is enforced
  23. Successful Segmentation • Reduces risk and shuts down attackers • Is a part of defense-in-depth • Provides the foundation for a secure network • Is not easy, nor is it quick • Is as (or more) important than patching
  24. Defining and Enforcing Network Segmentation
  25. Poll
  26. Firewall Breaches: 5% vulnerabilities, 95% misconfiguration • The Security Management Balancing Act: Security (prevent cyber attacks) vs. Agility (enable business applications) • Data Center Automation, time to provision: Server – minutes; Storage – minutes; Security access – days/weeks
  27. Security Management Challenges • Complexity: 1000s of security access rules; highly-connected, business-critical applications • Change: data center consolidation, network re-architecting; application connectivity requirements; new security devices • Compliance: complex regulations, industry standards and internal mandates; time-consuming audits • Collaboration: business owners think in terms of applications; networking teams think in terms of IPs and servers; security teams think in terms of IT risk
  28. The AlgoSec Security Management Suite, spanning application owners, security and network operations: Firewall Analyzer (Security Policy Analysis & Audit) • FireFlow (Security Policy Change Automation) • BusinessFlow (Business Application Connectivity Management)
  29. Demonstration
  30. Q&A: Mark Wolfgang, Nimmy Reichenberg • Recommended Resources
  31. Connect with AlgoSec • Managing Security at the Speed of Business
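Slide 22's last three steps (log all traffic between segments, work toward default deny, have controls that prove segmentation is enforced) can be checked mechanically. The following is an added example, not code from the webinar, Shorebreak Security or AlgoSec: it audits flow records against an allow-list segmentation policy, and the segment names, subnets, rules, log format and log lines are all constructed assumptions for illustration.

```python
import ipaddress

# Constructed inventory: one VLAN/subnet per group (names and ranges assumed).
SEGMENTS = {
    "network-admins":  ipaddress.ip_network("10.10.0.0/24"),
    "network-devices": ipaddress.ip_network("10.20.0.0/24"),
    "building-access": ipaddress.ip_network("10.30.0.0/24"),
    "public-wifi":     ipaddress.ip_network("10.99.0.0/22"),
}

# Allow-list of (source segment, destination segment, destination port).
# Anything not listed is a violation: the "default deny" end state.
ALLOWED = {
    ("network-admins", "network-devices", 22),
    ("network-admins", "network-devices", 443),
}

def segment_of(ip: str) -> str:
    """Map an address to its segment, or 'unknown' if it is not inventoried."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def parse_flow(line: str) -> dict:
    """Parse one constructed 'key=value' flow record (the format is assumed)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {"src": fields["src"], "dst": fields["dst"], "dport": int(fields["dport"])}

def audit(lines):
    """Return (src_segment, dst_segment, port) for every cross-segment flow
    with no allow-list entry; intra-segment traffic is out of scope here."""
    violations = []
    for line in lines:
        f = parse_flow(line)
        src, dst = segment_of(f["src"]), segment_of(f["dst"])
        if src != dst and (src, dst, f["dport"]) not in ALLOWED:
            violations.append((src, dst, f["dport"]))
    return violations

# Constructed sample log. Line 2 mirrors the city example's "public wireless
# to badge server" path; line 4 is an unexpected device-to-device hop.
SAMPLE_LOG = [
    "src=10.10.0.5 dst=10.20.0.1 dport=22 proto=tcp action=allow",
    "src=10.99.1.7 dst=10.30.0.5 dport=1433 proto=tcp action=allow",
    "src=10.99.1.7 dst=10.99.2.9 dport=445 proto=tcp action=allow",
    "src=10.30.0.5 dst=10.20.0.1 dport=443 proto=tcp action=allow",
]
```

Calling `audit(SAMPLE_LOG)` reports the two flows that crossed a boundary without a rule; run against real inter-segment logs while still in "log only" mode, the same list is the backlog of paths to either approve or block on the way to default deny.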