We will discuss the importance of network infrastructure and how we can minimize the risk of attacks on our IT by segregating and segmenting our network infrastructure.
Main points covered:
• Why the network is always a primary target for attacks
• What segmented networks are
• How they can be used
Presenter:
Our presenter for this webinar is Mohamed Tawfik, a qualified technocrat and a seasoned IT/Telecom professional with over 20 years of solid experience in multi-national corporate organizations planning, deploying, governing, auditing and enforcing policy on information security practice, with in-depth knowledge of IT/Telecom infrastructure and a proven record of customer satisfaction.
Link to the recorded session published on YouTube: https://youtu.be/sKhihzgElH8
Mohamed M. Tawfik
Contact Information
+201223189496
mohamed.tawfik1974@gmail.com
www.globalknowledge.com
https://sa.linkedin.com/in/mohamed-m-tawfik-a300211b
Introduction
Network infrastructure is the most critical backbone of a business.
The greater diversity and complexity of the enterprise IT infrastructure creates corresponding challenges to the enterprise's ability to maintain a balance between functionality, performance and security.
Usage!
Corporate end-users increasingly depend heavily on network resources for:
• access to enterprise email, calendar and contacts
• instant messaging and VoIP
• access to enterprise web-based apps
• access to the corporate network or Wi-Fi internet access
• a growing number of personal devices (BYOD)
A common target
The network is usually the primary target for attacks, because all the traffic it carries holds a huge amount of information that is useful to an attacker.
Some attackers are satisfied with sniffing packets and getting their hands on any information that can be used to achieve further control.
Others simply aim for denial of service (DoS).
Let’s make it harder for the attacker
Once an attacker gains unauthorized access, network segmentation can provide effective controls to mitigate the next step of a network intrusion and to limit further movement across the network or propagation of a threat.
By properly segregating the network, you essentially minimize access to sensitive information or applications for the servers and people who don’t need it, while enabling access for those that do.
Segmented Networks
By segmenting a network and applying appropriate controls, we break one large attack surface into multiple smaller ones, which prevents threat agents from reaching our critical network resources.
What is the difference between network segmentation and segregation?
Network segmentation: partitioning the network into smaller networks.
Network segregation: developing and enforcing a ruleset controlling which computing devices are permitted to communicate with which other computing devices.
Network segmentation and segregation
Benefits
When we implement network segmentation and segregation we minimize the level of access to sensitive corporate information, whilst not stopping our business from operating effectively.
Examples of multiple networks
Many different networks can co-exist in a corporate environment that requires multiple networks, for example:
• Datacenter
• VoIP
• R&D / LAB / Test environment
• Users LAN
• Technical Management Network
• DMZ
• Dedicated networks (handling secret / confidential information / special purposes)
• WLAN
• Territory / site LANs
What’s the Risk?
Enterprise risks include:
• Loss or exposure of sensitive information
• Huge availability concerns
• Introduction of malware and exploitation of resources
• Leakage of sensitive data, including the inadvertent, the well-intentioned and the malicious
• Unauthorized access to resources
• Increased pressure on existing resources by business processes (e.g., backups, increasing volumes of traffic, managing non-business related traffic, provisioning of access to supported applications, help desk support) to support a highly diverse population of resources
• Additional requirements for audit, reporting, e-discovery and forensics
How to mitigate it?
Some of the common technologies and methods used include:
i. Implementing demilitarized zones (DMZ)
ii. Implementing server and domain isolation
iii. Implementing storage based segmentation
Implementing demilitarized zones (DMZ)
Implementing demilitarized zones (DMZ) to segregate different security domains, utilizing technologies such as:
i. Separate physical links and systems;
ii. Traffic flow filters;
iii. Virtual Local Area Networks (VLANs);
iv. Network and host-based firewalls;
v. Application firewalls, proxies;
vi. Content-based filtering;
vii. AAA services;
viii. Network Access Control.
Drawbacks
Security comes with a price!
Having multiple networks means extra overheads for:
i. Provisioning access
ii. Administration
iii. Configuration management
iv. Support and implementation costs
v. Additional hardware costs
What can we do to overcome the drawbacks?
i. Maintain up-to-date architecture diagrams of your network, and make sure they always reflect critical changes
ii. Implement an AAA solution, so you can reduce some of the administration overheads
iii. Implement a Network Access Control solution
What is NAC?
i. Network Access Control (NAC), also called network admission control, is a method of bolstering the security of a proprietary network by restricting the availability of network resources to endpoint devices that comply with a defined security policy.
ii. NAC restricts the data that each particular user can access.
iii. NAC can regulate and restrict what individual subscribers can do once they are connected.
What are the benefits?
i. Keeps rogue devices off our network
ii. Ensures 100% of endpoints on your network are compliant, or quarantined until they are remediated
iii. Prevents vulnerabilities: security software (anti-virus, personal firewall, etc.) is compliant and up to date, and the OS and patches are current
iv. Lowers support costs: automatic remediation of non-compliant machines
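The NAC behaviour described above (rogue devices kept off, non-compliant endpoints quarantined until remediated, compliant ones admitted) as an added example; it is not code from the webinar or from any NAC product. The posture fields, the patch-age threshold and the VLAN ids are constructed assumptions.

```python
# Added example (not from the webinar): a toy NAC admission decision.
# Unregistered (rogue) devices are denied, non-compliant endpoints go to a
# quarantine VLAN for remediation, compliant ones are admitted. Posture
# fields, thresholds and VLAN ids are constructed assumptions.
from dataclasses import dataclass
from datetime import date

ADMIT_VLAN = 100         # assumed production user VLAN
QUARANTINE_VLAN = 999    # assumed remediation-only VLAN
MAX_PATCH_AGE_DAYS = 30  # assumed policy threshold for OS patch age

@dataclass
class Endpoint:
    mac: str
    registered: bool             # known in inventory; otherwise rogue
    antivirus_running: bool
    av_signatures_current: bool
    firewall_enabled: bool
    last_patched: date

def posture_failures(ep: Endpoint, today: date) -> list:
    """List every security-policy requirement the endpoint fails."""
    failures = []
    if not ep.antivirus_running:
        failures.append("antivirus not running")
    if not ep.av_signatures_current:
        failures.append("antivirus signatures out of date")
    if not ep.firewall_enabled:
        failures.append("personal firewall disabled")
    if (today - ep.last_patched).days > MAX_PATCH_AGE_DAYS:
        failures.append("OS patches older than policy allows")
    return failures

def admission_decision(ep: Endpoint, today: date) -> tuple:
    """Return (decision, vlan, reasons) for the connecting endpoint."""
    if not ep.registered:
        return ("deny", None, ["unregistered device"])
    failures = posture_failures(ep, today)
    if failures:
        return ("quarantine", QUARANTINE_VLAN, failures)
    return ("admit", ADMIT_VLAN, [])

TODAY = date(2024, 1, 31)  # constructed reference date
SAMPLE_ENDPOINTS = [        # constructed endpoints
    Endpoint("aa:bb:cc:00:00:01", True, True, True, True, date(2024, 1, 20)),
    Endpoint("aa:bb:cc:00:00:02", True, True, False, True, date(2023, 11, 1)),
    Endpoint("aa:bb:cc:00:00:03", False, True, True, True, date(2024, 1, 30)),
]
```

Calling `admission_decision(ep, TODAY)` for each sample endpoint yields admit, quarantine (two failures) and deny respectively.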
How is this addressed in ISO 27001:2013?
Introduction
ISO/IEC 27002 defines 12 security domains, namely: security policy, asset management, organizing information security, human resources, physical and environment, communication and operations management, access control, information system acquisition, development and maintenance, information security incident management, business continuity management and compliance.
Out of the 12 security domains, Communication Security is of great importance in order to protect critical network information.
How is this addressed in ISO 27001?
ISO 27002
13 Communications security
13.1 Network security management
Objective: To ensure the protection of information in networks and its supporting information processing facilities.
27001:2013 Annex A
A.13 Communications Security
A.13.1 Network Security Management
Objective: To ensure the protection of information in networks and its supporting information processing facilities.
A.13.1.1 Network controls: Networks shall be managed and controlled to protect information in systems and applications.
A.13.1.2 Security of network services: Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.
A.13.1.3 Segregation in networks: Groups of information services, users and information systems shall be segregated on networks.
How is this addressed in ISO 27002?
A.13.1.3 Segregation in networks
Control
Groups of information services, users and information systems should be segregated on networks.
Implementation guidance
One method of managing the security of large networks is to divide them into separate network domains. The domains can be chosen based on trust levels (e.g. public access domain, desktop domain, server domain), along organizational units (e.g. human resources, finance, marketing) or some combination (e.g. server domain connecting to multiple organizational units). The segregation can be done using either physically different networks or by using different logical networks (e.g. virtual private networking).
The perimeter of each domain should be well defined. Access between network domains is allowed, but should be controlled at the perimeter using a gateway (e.g. firewall, filtering router). The criteria for segregation of networks into domains, and the access allowed through the gateways, should be based on an assessment of the security requirements of each domain. The assessment should be in accordance with the access control policy (see 9.1.1), access requirements, value and classification of information processed, and also take account of the relative cost and performance impact of incorporating suitable gateway technology.
Wireless networks require special treatment due to the poorly defined network perimeter. For sensitive environments, consideration should be made to treat all wireless access as external connections and to segregate this access from internal networks until the access has passed through a gateway in accordance with network controls policy (see 13.1.1) before granting access to internal systems. The authentication, encryption and user level network access control technologies of modern, standards based wireless networks may be sufficient for direct connection to the organization’s internal network when properly implemented.
Other information
Networks often extend beyond organizational boundaries, as business partnerships are formed that require the interconnection or sharing of information processing and networking facilities. Such extensions can increase the risk of unauthorized access to the organization’s information systems that use the network, some of which require protection from other network users because of their sensitivity or criticality.
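Both the earlier definition of network segregation (a ruleset saying which devices may talk to which) and the ISO/IEC 27002 guidance above (well-defined domain perimeters, access between domains only through a gateway, wireless treated as external) can be modelled as a default-deny allow-list. The following is an added example, not code from the webinar or the standard; the domain names follow the slide's list of example networks, while the allowed flows, service names and sample traffic are constructed assumptions.

```python
# Added example (not from the webinar or ISO/IEC 27002): a default-deny
# segregation ruleset between network domains. Domain names follow the
# slide's example networks; the allowed flows and sample traffic are
# constructed assumptions for illustration.
from dataclasses import dataclass

# Allow-list of (source domain, destination domain, service) that the
# gateway between the two domains permits. Anything else is denied.
ALLOWED_FLOWS = {
    ("users_lan", "dmz", "https"),
    ("users_lan", "datacenter", "https"),
    ("dmz", "datacenter", "sql"),
    ("management", "datacenter", "ssh"),
    ("management", "dmz", "ssh"),
    # Wireless is treated as external (ISO 27002 guidance): it may only
    # reach the DMZ, never an internal domain directly.
    ("wlan", "dmz", "https"),
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    service: str

def is_permitted(flow: Flow) -> bool:
    """True if the flow stays inside one domain (no perimeter crossed)
    or is explicitly allowed through the gateway between its domains."""
    if flow.src == flow.dst:
        return True
    return (flow.src, flow.dst, flow.service) in ALLOWED_FLOWS

def audit_flows(observed: list) -> list:
    """Return the observed flows that violate the ruleset; each one is
    either a missing gateway rule or a misconfigured segment to check."""
    return [f for f in observed if not is_permitted(f)]

# Constructed sample of observed flows, as flow logs might report them.
SAMPLE_FLOWS = [
    Flow("users_lan", "dmz", "https"),
    Flow("wlan", "datacenter", "smb"),       # wireless reaching servers
    Flow("users_lan", "management", "ssh"),  # users reaching management
    Flow("voip", "voip", "sip"),             # intra-domain, not gateway-controlled
]

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"VIOLATION: {f.src} -> {f.dst} ({f.service})")
```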
ISO 27001 Training Courses
• ISO/IEC 27001 Introduction: 1-day course
• ISO/IEC 27001 Foundation: 2-day course
• ISO/IEC 27001 Lead Implementer: 5-day course
• ISO/IEC 27001 Lead Auditor: 5-day course
Exam and certification fees are included in the training price.
https://www.pecb.com/iso-iec-27001-training-courses | www.pecb.com/events