The document discusses identifying networks in a complex company. It describes challenges with the company's asset database, including many outdated or duplicate entries for operating systems and support groups. It also notes the network maps and asset database do not have a clear correspondence to the physical network. The document advocates identifying currently used versus legacy systems, their functions, vulnerabilities, and how they are arranged on the network. It contrasts firewall-based versus routing-based network planning and some pros and cons of the firewall approach.
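An added example, not part of the summarized document: the reconciliation it advocates, run in Python over a constructed asset-database export. The host names, IP addresses, OS strings, support-group spellings, the set of addresses seen on the live network and the end-of-life table are all assumptions made for the example. Each finding maps to one of the problems the document names: duplicate entries, obsolete OS versions, database records that no longer correspond to live hosts (and live hosts that are not in the database), and grouping of hosts by network segment.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed asset-database export with the kind of inconsistent OS and
# support-group spellings the document describes. Not real company data.
ASSET_DB = [
    {"host": "fs01",    "ip": "10.1.10.5",  "os": "Windows Server 2003",        "group": "Wintel Ops"},
    {"host": "FS01",    "ip": "10.1.10.5",  "os": "win2003 sp2",                "group": "wintel-ops"},
    {"host": "db07",    "ip": "10.1.20.17", "os": "RHEL 5.11",                  "group": "Unix Team"},
    {"host": "web03",   "ip": "10.1.30.8",  "os": "Windows Server 2019",        "group": "Wintel Ops"},
    {"host": "hr-app",  "ip": "10.1.30.9",  "os": "Red Hat Enterprise Linux 8", "group": "UNIX  team"},
    {"host": "old-ftp", "ip": "10.1.40.3",  "os": "Windows 2000 Server",        "group": "retired?"},
]

# Constructed observations from a live source (ARP/route tables, DHCP leases,
# a ping sweep). A database record with no live counterpart is a candidate
# for "legacy or decommissioned"; a live host with no record is unmanaged.
OBSERVED_IPS = {"10.1.10.5", "10.1.20.17", "10.1.30.8", "10.1.30.9", "10.1.50.21"}

# Assumed end-of-life table for the example; maintain your own from vendor data.
EOL_OS = {("windows-server", "2000"), ("windows-server", "2003"),
          ("windows-server", "2008"), ("rhel", "5"), ("rhel", "6")}

_OS_PATTERNS = [
    (re.compile(r"win(?:dows)?\s*(?:server\s*)?(20\d\d)", re.I), "windows-server"),
    (re.compile(r"(?:rhel|red\s*hat(?:\s*enterprise\s*linux)?)\s*(\d+)", re.I), "rhel"),
]


def normalize_os(raw):
    """Map free-text OS strings to a (family, major version) tuple."""
    for pattern, family in _OS_PATTERNS:
        m = pattern.search(raw)
        if m:
            return (family, m.group(1))
    return ("unknown", raw.strip().lower())


def normalize_group(raw):
    """Collapse case, punctuation and whitespace in support-group names."""
    return re.sub(r"[\s_\-]+", " ", raw.strip().lower())


def reconcile(assets, observed_ips, eol=EOL_OS):
    """Return the findings a network-identification pass should produce."""
    by_ip = defaultdict(list)
    for a in assets:
        by_ip[a["ip"]].append(a)
    # Same address recorded more than once: duplicate entries in the database.
    duplicates = {ip: sorted({r["host"].lower() for r in rows})
                  for ip, rows in by_ip.items() if len(rows) > 1}
    # Hosts whose normalized OS is past end of life.
    legacy = sorted({a["host"].lower() for a in assets if normalize_os(a["os"]) in eol})
    db_ips = set(by_ip)
    stale = sorted(db_ips - observed_ips, key=ipaddress.ip_address)
    unmanaged = sorted(observed_ips - db_ips, key=ipaddress.ip_address)
    groups = sorted({normalize_group(a["group"]) for a in assets})
    # Arrange hosts by /24 so the result can be compared with the network map.
    segments = defaultdict(set)
    for a in assets:
        net = ipaddress.ip_network(a["ip"] + "/24", strict=False)
        segments[str(net)].add(a["host"].lower())
    return {"duplicates": duplicates, "legacy": legacy, "stale": stale,
            "unmanaged": unmanaged, "groups": groups,
            "segments": {k: sorted(v) for k, v in segments.items()}}


if __name__ == "__main__":
    for finding, detail in reconcile(ASSET_DB, OBSERVED_IPS).items():
        print(f"{finding}: {detail}")
```

Run directly, it prints the findings for the constructed data. With a real CMDB export, replace ASSET_DB with the export rows and OBSERVED_IPS with addresses collected from the network itself; the /24 grouping is only a placeholder for whatever segmentation the routing or firewall design actually uses.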
The document discusses approaches for calculating confidence and prediction intervals in nonlinear mixed-effects models. It defines the nonlinear mixed-effects model and describes confidence interval approaches including bootstrap methods and non-bootstrap Wald and adjusted Wald intervals. It also evaluates the coverage rates of different interval approaches across a variety of nonlinear mixed-effects models. Prediction interval approaches for observed and unobserved groups are discussed as well.
This document contains information about language learning and communication. It discusses vocabulary learning strategies, linguistic terms, learning strategies like using dictionaries, ePortfolios, reading books, listening to conversations, writing introductions and essays, the evolution and influences on the English language from other languages, and recommended films and books to engage with to improve language skills. It provides topics, questions, and activities for learners to consider to help advance their language development.
BK 7210 Urban analysis and design principles – ir. Evelien Brandesjornvorn
The document discusses urban analysis and design principles through a case study of the Bovenkerk neighborhood design project. It begins with an overview of scales of urban analysis from the district to neighborhood level. Principles of road patterns, building typologies, and public space design are covered. The case study then examines the site context, conceptual plan, and final urban plan for Bovenkerk, which included considerations for traffic systems, green space, water management, and building typologies.
Best Practices for Design Hardware APIs – Matt Haines
The document describes a presentation about best practices for designing hardware APIs. It provides information about the presentation including the title "Best Practices for Designing Hardware APIs", a link to the slides, and details about the presenter including their name, company, and Twitter account.
Open Source Software, Distributed Systems, Database as a Cloud Service – SATOSHI TAGOMORI
- Treasure Data is a database as a cloud service company that collects and stores customer data beyond the cloud [1].
- It uses open source software like Fluentd and MessagePack to easily integrate and collect data from customers [2]. It also uses open source distributed systems software like Hadoop and Presto to store, process and query large amounts of customer data [3].
- As a database service, it needs to share computer resources securely for many customers. It contributes to open source to build and maintain the distributed systems software that powers its cloud database service [4].
DEFCON 23 - Ian Latter - Remote access, the APT – Felipe Prado
The document discusses a proof of concept for using a computer screen to extract and transmit data through encoding it in quick response (QR) codes displayed on the screen. It proposes a transport protocol called TGXf that could transmit binary data in a one-way flow between devices by encoding it using QR codes with error correction and embedding transport control frames and counters. The concept is presented as a potential security risk for unauthorized data extraction from remote access or offshore partners.
The United States Patent and Trademark Office wanted a simple, lightweight, yet modern and rich discovery interface for Chinese patent data. This is the story of the Global Patent Search Network, the next generation multilingual search platform for the USPTO. GPSN, http://gpsn.uspto.gov, was the first public application deployed in the cloud, and allowed a very small development team to build a discovery interface across millions of patents.
This case study will cover:
• How we leveraged Amazon Web Services platform for data ingestion, auto scaling, and deployment at a very low price compared to traditional data centers.
• We will cover some of the innovative methods for converting XML formatted data to usable information.
• Parsing through 5 TB of raw TIFF image data and converting it to a modern web-friendly format.
• Challenges in building a modern Single Page Application that provides a dynamic, rich user experience.
• How we built “data sharing” features into the application to allow third party systems to build additional functionality on top of GPSN.
The "Internet of Things" (IoT) refers to an Internet like structure consisting of uniquely identified objects that expose services. The IoT is a relatively new field with all more and more connected devices being developed monthly. This presentation discusses the current state of the IoT, what it is lacking and offers up some solutions to those problems.
Building a Lightweight Discovery Interface for China's Patents@NYC Solr/Lucen... – OpenSource Connections
The document discusses building a lightweight discovery interface for Chinese patents using Solr/Lucene. It describes parsing various patent file formats using Tika and building custom parsers. It also emphasizes the importance of making the search solution accessible by allowing users to export data and share results.
Why don't we have REAL IP to the Edge in Buildings? – Memoori
Slides from a Q&A webinar with Tony Marshallsay, CME at Omrania. We take a deep dive into how we can improve networking in Building Management Systems by taking IPv6 to the edge.
The document discusses open source IoT building blocks for startups including ServIoTicy Datastore, an open source IoT data cloud platform that allows storing and querying sensor data and defining actions. It also discusses App Hosting using Node-RED for creating IoT workflows and GlueThings, and Discovery by integrating the iServe registry to discover APIs and services. Security is addressed through data provenance logging and authentication.
ARToolworks ARE2011: Building an Open-Source AR Business – philip_lamb
ARToolworks is the oldest open-source augmented reality company, founded in 2000 as a spin-off from HIT Lab US. It provides ARToolkit, the most popular AR toolkit with over 450,000 downloads. ARToolworks has been profitable since 2001 and has experienced 100% revenue growth over the last three years. The company identifies real needs in AR, builds great technology through its team's complementary interests, and engages developers by releasing source code and providing support, which has helped it build a large community and sustainable open-source business model.
IoT and Edge Integration with Open Source Frameworks:
Internet of Things (IoT) and edge integration is getting more important than ever before due to the massively growing number of connected devices year by year.
This session shows open source frameworks built to develop very lightweight microservices, which can be deployed on small devices or in serverless architectures with very low resources and wire together all different kinds of hardware devices, APIs and online services.
The focus of this session lies on showing open source projects such as Eclipse Kura, Node-RED or Flogo, which offer a framework plus a zero-code environment with a web IDE for building and deploying integration and data processing directly onto connected devices, using IoT standards such as MQTT, WebSockets or CoAP, but also other interfaces such as Twitter feeds or REST services.
The end of the session discusses the relation to other components in an IoT architecture, including cloud IoT platforms and big data or streaming analytics solutions (such as Apache Storm, Flink, Spark Streaming, Samza, StreamBase, Apama).
Fine Grain Access Control for Big Data: ORC Column Encryption – Owen O'Malley
Fine-grained data protection at the column level in data lake environments has become a mandatory requirement to demonstrate compliance with multiple local and international regulations across many industries today. ORC is a self-describing, type-aware columnar file format designed for Hadoop workloads that provides optimized streaming reads, with integrated support for finding required rows quickly. In this talk, we will outline the progress made in the Apache community on adding fine-grained column-level encryption natively into the ORC format, which will also provide capabilities to mask or redact data on write while protecting sensitive column metadata such as statistics to avoid information leakage. The column encryption capabilities will be fully compatible with the Hadoop Key Management Server (KMS) and use the KMS to manage master keys, providing the additional flexibility to use and manage keys per column centrally.
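An added example, not code from ORC or from the talk: the envelope-encryption layout the abstract describes, written in Python with only the standard library. A stand-in KMS object holds one master key per column and wraps a per-file data key; the writer stores the real values and their statistics encrypted under that data key, and keeps a redacted copy, with statistics computed only from the redacted values, for readers without key access. ORC itself uses AES in CTR mode; the standard library has no AES, so the cipher here is a counter-mode keystream derived from HMAC-SHA256 plus an HMAC tag, a substitution made for the example only. The column name, the sample e-mail values and the redaction rule are assumptions.

```python
import hashlib
import hmac
import json
import os
import struct


# Stand-in authenticated encryption (ORC uses AES/CTR; see lead-in). The
# keystream is HMAC-SHA256 in counter mode; a second HMAC authenticates nonce
# and ciphertext (encrypt-then-MAC), so tampered column data is rejected.
def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    blocks = [hmac.new(enc_key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("column data failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class FakeKms:
    """Assumed stand-in for Hadoop KMS: one master key per encrypted column
    that never leaves this object; callers only receive wrapped data keys."""

    def __init__(self, columns):
        self._master = {c: os.urandom(32) for c in columns}

    def generate_data_key(self, column):
        dek = os.urandom(32)
        return dek, encrypt(self._master[column], dek)

    def unwrap(self, column, wrapped):
        return decrypt(self._master[column], wrapped)


def redact(value):
    """Assumed masking rule: keep shape and length, destroy the content."""
    return "".join("X" if c.isalpha() else "9" if c.isdigit() else c for c in value)


def column_stats(values):
    return {"count": len(values), "min": min(values), "max": max(values)}


def write_column(column, values, kms):
    """Produce one column chunk. Real values and their statistics are stored
    only under the data key; the clear copy is redacted and its statistics
    are computed from the redacted values, so min/max cannot leak."""
    dek, wrapped = kms.generate_data_key(column)
    masked = [redact(v) for v in values]
    return {
        "column": column,
        "wrapped_dek": wrapped.hex(),
        "data": encrypt(dek, json.dumps(values).encode()).hex(),
        "stats": encrypt(dek, json.dumps(column_stats(values)).encode()).hex(),
        "masked_data": masked,
        "masked_stats": column_stats(masked),
    }


def read_column(chunk, kms=None):
    """A reader without KMS access (kms=None) gets only the redacted view."""
    if kms is None:
        return chunk["masked_data"], chunk["masked_stats"]
    dek = kms.unwrap(chunk["column"], bytes.fromhex(chunk["wrapped_dek"]))
    values = json.loads(decrypt(dek, bytes.fromhex(chunk["data"])))
    stats = json.loads(decrypt(dek, bytes.fromhex(chunk["stats"])))
    return values, stats


def leaks_cleartext(chunk, needle):
    """True if a sensitive value is visible anywhere in the serialized chunk."""
    return needle in json.dumps(chunk)


def tamper_detected(chunk, kms):
    """Flip one ciphertext byte and report whether the reader rejects it."""
    data = bytearray.fromhex(chunk["data"])
    data[16] ^= 0x01
    try:
        read_column({**chunk, "data": data.hex()}, kms)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    kms = FakeKms(["email"])
    chunk = write_column("email", ["alice@example.com", "bob@example.org"], kms)
    print(read_column(chunk))        # redacted view, no key needed
    print(read_column(chunk, kms))   # authorized view via the KMS
```

The point to check in a real deployment is the last two helpers: nothing sensitive may appear in the clear part of the file, including the statistics, and a reader with the key must refuse modified data rather than silently decrypt garbage.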
Hacking with the Raspberry Pi and Windows 10 IoT Core – Nick Landry
Did you know that Windows 10 can run on a $35 Raspberry Pi 2 (or 3) single-board computer? Makers have taken the world by storm, creating countless gadgets and automated systems, connecting everything around them. This session is for makers – neophytes and veterans alike – who want to explore the capabilities of Windows 10 IoT Core to build hacks based on the Universal Windows Platform (UWP), basically attaching electronic sensors and outputs to their Windows 10 apps. We’ll learn about the tools, how to get started, what hardware you’ll need, and how to build your first Windows hardware project on the Raspberry Pi. Take your maker projects to the next level, and come learn valuable skills to prepare and extend your developer skills for the Internet of Things (IoT).
Building a Lightweight Discovery Interface for Chinese Patents, Presented by ... – Lucidworks (Archived)
This document discusses building a lightweight discovery interface for Chinese patents. It describes using parsers and the cloud to ingest various patent file formats and metadata in order to build a search interface. It emphasizes spending adequate time on user experience design and sharing data with users and other applications.
Logmatic at Elasticsearch November Paris meetup – logmatic.io
- The company started with a data analytics tool called ActivePivot but wanted to build a tool to analyze social media, starting with a NoSQL engine but having performance issues, leading them to Elasticsearch.
- While Elasticsearch had good performance, scalability, and analytics capabilities, it did not meet their requirements due to high memory usage and lack of multi-field and metric aggregations.
- They built their own analytics plugin for Elasticsearch to add these capabilities, using it to build their Focusmatic product for social media analysis and later their Logmatic product for log analysis.
Autodesk is strengthening its operations with Splunk and AWS by using CloudTrail to log API calls across its AWS accounts and sending the logs to Splunk. This provides Autodesk with a single view of activity across all accounts for security monitoring, compliance auditing, and troubleshooting. Specifically, Autodesk can search logs to investigate incidents, identify compromised hosts, and monitor sign-in locations for security. For compliance, Autodesk can set alerts on sensitive API calls and user creations. Using CloudTrail and Splunk provides Autodesk with a scalable, cost-effective logging solution.
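An added example, not Autodesk's or Splunk's code: the alert logic described above, applied in Python to a handful of constructed CloudTrail records (the field names are CloudTrail's; the account IDs, user names, addresses and timestamps are made up). It flags sensitive IAM and CloudTrail API calls, root-account activity, and console sign-ins from outside an allowed address range or without MFA, then summarizes the alerts per account, which is the cross-account view the summary mentions. The allowed range and the list of sensitive calls are assumptions to be tuned to your own environment.

```python
import ipaddress
import json

# Assumed list of API calls worth an alert: credential and policy changes in
# IAM, and anything that weakens the audit trail itself.
SENSITIVE_API_CALLS = {
    "iam.amazonaws.com": {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                          "AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy",
                          "UpdateAssumeRolePolicy"},
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
}

# Constructed CloudTrail records, one JSON object per line, as they would
# arrive in Splunk. Addresses are from documentation ranges (RFC 5737).
SAMPLE_EVENTS = [json.loads(line) for line in """
{"eventTime":"2024-05-01T09:12:01Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser","userIdentity":{"type":"IAMUser","userName":"deploy-bot"},"sourceIPAddress":"203.0.113.10","recipientAccountId":"111111111111","requestParameters":{"userName":"svc-backup"}}
{"eventTime":"2024-05-01T09:15:44Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"jsmith"},"sourceIPAddress":"198.51.100.77","recipientAccountId":"111111111111","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2024-05-01T09:20:03Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"akumar"},"sourceIPAddress":"203.0.113.5","recipientAccountId":"111111111111","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventTime":"2024-05-01T09:21:10Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::222222222222:assumed-role/ReadOnly/ci"},"sourceIPAddress":"203.0.113.8","recipientAccountId":"222222222222"}
{"eventTime":"2024-05-01T09:30:27Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"type":"Root","arn":"arn:aws:iam::222222222222:root"},"sourceIPAddress":"203.0.113.9","recipientAccountId":"222222222222"}
""".strip().splitlines()]


def principal_of(rec):
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def ip_allowed(ip, allowed_networks):
    """Service-originated events carry names like "AWS Internal" instead of
    an address; those are not location anomalies."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in allowed_networks)


def evaluate(records, allowed_cidrs):
    """Run every rule over every record and return the alerts in event order."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    alerts = []
    for rec in records:
        base = {"account": rec.get("recipientAccountId"), "principal": principal_of(rec),
                "event": rec.get("eventName"), "ip": rec.get("sourceIPAddress"),
                "time": rec.get("eventTime")}
        src, name = rec.get("eventSource"), rec.get("eventName")
        if rec.get("userIdentity", {}).get("type") == "Root":
            alerts.append({"rule": "root-account-activity", **base})
        if name in SENSITIVE_API_CALLS.get(src, set()):
            alerts.append({"rule": "sensitive-api-call", **base})
        if name == "ConsoleLogin":
            outcome = rec.get("responseElements", {}).get("ConsoleLogin")
            mfa = rec.get("additionalEventData", {}).get("MFAUsed")
            if outcome == "Success" and not ip_allowed(base["ip"], allowed):
                alerts.append({"rule": "console-login-unexpected-location", **base})
            if outcome == "Success" and mfa != "Yes":
                alerts.append({"rule": "console-login-without-mfa", **base})
            if outcome == "Failure":
                alerts.append({"rule": "console-login-failure", **base})
    return alerts


def by_account(alerts):
    """Single view across accounts: which rules fired where."""
    out = {}
    for a in alerts:
        out.setdefault(a["account"], []).append(a["rule"])
    return out


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS, ["203.0.113.0/24"]):
        print(json.dumps(alert))
```

The same conditions translate directly into scheduled searches once the records are indexed, but keeping the rules in code makes it easy to replay a day of exported events against a change before it goes live.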
Using Enterprise Search at the city of Antibes – francelabs
This is the presentation made by France Labs and the city of Antibes, about the implementation project of the open source Constellio solution. This presentation was given at the 2013 Enterprise Search Europe in London.
TIBCO Advanced Analytics Meetup (TAAM) - June 2015 – Bipin Singh
This document summarizes a TIBCO Advanced Analytics meetup. It includes an agenda for presentations on TIBCO Analytics and data science, predictive analytics using TERR expressions, real-time analytics, APIs, and a question/answer wrap-up session. It also provides overviews of the Spotfire platform for data visualization and analytics, Spotfire capabilities for accessing and preparing data from various sources, and supported data sources.
Sharepoint 2013 applied architecture from the field (v2) – Tihomir Ignatov
The document provides an overview of SharePoint 2013 architecture from a consultant's perspective. It discusses the role of the IT architect and considerations for SharePoint infrastructure decisions and application development. Key points covered include:
- The IT architect's responsibilities in requirements engineering, design, and solution governance.
- Factors for SharePoint infrastructure like servers, capacity planning, and skills.
- Options for developing SharePoint apps, whether cloud-hosted, on-premises, or a hybrid.
- Recommended SharePoint topologies based on availability, scalability and workload.
The document discusses the elements of connected products and platforms. It outlines five key elements: Purpose, People, Process, Product, and Platform. It then discusses local connectivity between devices, sensing and local intelligence, Internet connectivity, and management and application programming interfaces (APIs). The goal is to define an open IoT platform that connects many device types securely, enables remote upgrades, and provides data services through an open-source server.
Blockchain: everyone wants to sell me that - but is that really right for my ... – EQS Group
Another day, another article praising blockchain’s untapped potential: it will start a new era, revolutionize the financial system, disrupt every industry and change the world. Or will it not? And is that really what I need for my next project?
After this presentation, you will be able to:
- Understand the basics of blockchains as compared to other traditional (both centralized and distributed) technologies such as relational databases and identity management systems.
- Identify the characteristics of a potentially successful blockchain project, versus one that should be tackled with "traditional" technology.
- Recognize the main factors that tell whether an initiative is or is not a good candidate for a blockchain project, and find a topic within your organization that may be a good candidate.
- Answer the excessive counter-critiques, such as the claim that there is no good use for blockchains at all. This is obviously not true, and there are very good examples of successful projects from which we can learn the essentials.
Impact of GDPR on Third Party and M&A Security – EQS Group
The impact of GDPR has been dissected and examined to death; however, M&A activities, as well as third-party security posture, can be greatly affected as well, and this aspect has not often been pursued. This session hopes to be useful for that.
More Related Content
Similar to Architecting Security across global networks
Mergers & Acquisitions security - (ISC)2 Secure Summit DACH – EQS Group
It does not have an ISO standard. NIST barely mentions it. Despite hundreds of publications, no dedicated book is in sight. Enterprise Risk Management frameworks barely touch on it, if they do at all. A chapter in Tipton's book dating from 2007, proprietary solutions and sparse articles are all we have. In 2007 there was no Cloud yet, and the Cloud can be both a big help and a major issue in the process. Mergers & Acquisitions are a matter left to Business Administration professionals, who don't like thinking about Information Security risks anyway. Information Security for Mergers & Acquisitions is often an afterthought and rarely a deciding factor in due diligence exercises; but when your company acquires a new firm every quarter, you need to start thinking about something. This session will propose a simple framework, and you will walk away with actionable material you can start using tomorrow.
Learning Objectives:
- Understand information security risks and threats connected with merger and acquisition activities, which include months of often precarious IT migrations, a Cloud mess, and legacy services left exposed for months or years.
- Understand how Cloud Computing affects information security risks and threats during a merger and acquisition activities, as well as the positive opportunities they can offer.
- Why it is important that Information Security is involved in the early phases of due diligence, including during the phases in which the deal is structured and evaluated, and the acquisition model is defined.
- Walk home with a simple framework and actionable material you can start using the day after.
Information Security During Mergers & Acquisitions: Issues, Safety Measures, and Need-to-Know Solutions.
This session covers the information security risks and threats connected with mergers and acquisitions, which can include months of often precarious IT migrations and legacy services left exposed; how Cloud computing affects information security risks and threats during merger and acquisition activities, as well as the positive opportunities it can offer; why Information Security should be involved in the early phases of due diligence, including the phases during which the deal is structured and the acquisition model is defined; and a simple framework with actionable material.
313 – Security Challenges in Healthcare IoT - MEEQS Group
The document discusses security challenges for medical IoT devices. It begins with background on cyber-physical systems, Industry 4.0, and the context of IoT. It then presents a threat model for medical IoT devices, outlining risks across the device lifecycle from physical security to orchestration issues. Regulatory requirements for medical device cybersecurity from the FDA and EU are summarized. Suggestions for improvement include standardizing network communication, strengthening regulations, adopting a security-by-design approach, and supporting secure and agile software updates.
Achieving PCI-DSS compliance with network security implementations - April 2011EQS Group
This document summarizes Marco Ermini's presentation on achieving PCI-DSS compliance through network security implementations. The presentation discusses using network-based approaches to meet various PCI-DSS requirements, including using network security scanners to verify password security, patch management, and system hardening. It also addresses using intrusion detection/prevention systems, web application firewalls, and database activity monitors to help meet encryption, access control, and logging requirements.
Best practices in NIPS - IDC Sofia - March 2010EQS Group
They were called “Network Intrusion Detection Systems” first; today we call them “Network Intrusion Prevention Systems”. Those tools have been around for several years and are now experiencing a second youth, since they are part of new compliance requirements and help in meeting your mitigation measures and policies. But are those systems really useful, and do they provide an effective security tool? Many say that, if not implemented correctly, they can be easily bypassed. Is that true? And if so, how should I implement them? Is my current deployment really optimal? Are NIPS really worth their (high) cost? This presentation aims at shedding some light, or at least at giving some tools, to start looking at NIPS from a more realistic point of view, away from the vendors' hype.
Best practices in NIPS - Brighttalk - January 2010EQS Group
Marco Ermini, Network Security Manager, will discuss his best practices for Network Intrusion Detection and Prevention, the deployment of the overall NIDS/NIPS infrastructure, and network vulnerability.
3. Confidentiality level C1 | 8 August 2011
A huge topic: where to start?
• This will not be about how to architect a network, or about network security in general - it is about network visibility.
• You land in this complex company (or you acquire it) and you divide your tasks:
1. Identify the networks
2. Identify the challenges
3. Identify the alternatives
“Divide et impera”
8. Architecting Security across global networks
Identify the networks
Identify the challenges
Identify the alternatives
15. Identify the networks
• Asset DB anyone?
• Examples of our Asset DB:
– “OS”, “OS version number”, “support group”, “IP address” and “DB version” are free text fields
– “OS”: circa 240 distinct values counted, without even including the version number! A sample of the Solaris 10 values alone, with the number of Asset DB entries carrying each value (cs_os_name, cs_os_versionnumber, count):
  cs_os_name                                cs_os_versionnumber   count
  SOLARIS 10 IDM-AP3-P | SOLARIS 10 9/10    10 9/10 | 10 9/10
  SOLARIS 10                                                      177
  SOLARIS 10 1/06                                                 820
  SOLARIS 10 10/08                                                1413
  SOLARIS 10 10/08 | SOLARIS 10 10/08                             1
  SOLARIS 10 10/09                                                1554
  SOLARIS 10 11/06                                                2164
  SOLARIS 10 3/05                                                 35
  SOLARIS 10 5/08                                                 259
  SOLARIS 10 5/08 | SOLARIS 10 5/08                               3
  SOLARIS 10 5/09                                                 725
  SOLARIS 10 6/06                                                 278
  SOLARIS 10 8/07                                                 397
  SOLARIS 10 8/11                                                 3
  SOLARIS 10 9/10                                                 3442
  SOLARIS 10 IDM-AP3-P | SOLARIS 10 9/10                          1
  SOLARIS 10 X64                                                  10
  SUN SOLARIS 10                                                  4
– “DB” and “Computers” counted as different entities
– 80+ support groups (!!!), many of which are clearly legacy or duplicated
– No unique correspondence between an Asset DB entry and physical reality
– The IP address field has space for only one entry (!!!)
– No way to do an automatic import, therefore many departments don’t use it
– It relies on a special tool to fetch the data, but the tool is not ubiquitous
– Almost 35000 entries, but no one knows if the data is qualitatively relevant
– No one is accountable for the data, only for the Asset DB tool itself
• There is a disconnect between whoever created and maintains the system and the business objectives it is supposed to serve
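The Solaris rows above are the raw material; the first practical step is to get a free-text OS field down to something you can actually count. The Python below is an added example (it is not from the presentation) that parses the values shown on the slide into OS family, major version, update release and architecture, sums the entries per canonical OS and per release, and flags the records a human still has to look at: multi-valued fields, hostnames typed into the OS field, tokens nobody recognises. The vocabulary lists (vendor prefixes, OS families, architectures) are assumptions chosen to fit the sample; grow them from your own data.

```python
import re
from collections import Counter

# Constructed sample: the cs_os_name values from the slide, with the number of
# Asset DB entries carrying each value. Every one of them is really "Solaris 10".
SAMPLE_OS_VALUES = [
    ("SOLARIS 10", 177), ("SOLARIS 10 1/06", 820), ("SOLARIS 10 10/08", 1413),
    ("SOLARIS 10 10/08 | SOLARIS 10 10/08", 1), ("SOLARIS 10 10/09", 1554),
    ("SOLARIS 10 11/06", 2164), ("SOLARIS 10 3/05", 35), ("SOLARIS 10 5/08", 259),
    ("SOLARIS 10 5/08 | SOLARIS 10 5/08", 3), ("SOLARIS 10 5/09", 725),
    ("SOLARIS 10 6/06", 278), ("SOLARIS 10 8/07", 397), ("SOLARIS 10 8/11", 3),
    ("SOLARIS 10 9/10", 3442), ("SOLARIS 10 IDM-AP3-P | SOLARIS 10 9/10", 1),
    ("SOLARIS 10 X64", 10), ("SUN SOLARIS 10", 4),
]

# Parser vocabulary (assumption: extend these from what your own Asset DB contains).
VENDOR_PREFIXES = {"SUN", "ORACLE", "MICROSOFT", "IBM", "HP", "REDHAT"}
OS_FAMILIES = {"SOLARIS", "LINUX", "WINDOWS", "AIX", "HP-UX"}
ARCHITECTURES = {"X64", "X86", "SPARC", "AMD64", "I386"}
RELEASE_RE = re.compile(r"^\d{1,2}/\d{2}$")   # Solaris update releases look like 9/10


def parse_os(value):
    """Parse one free-text OS string into family, major, release, arch and the
    leftover tokens that fit none of those. Returns None if no OS family is found."""
    tokens = [t for t in value.upper().replace(",", " ").split() if t not in VENDOR_PREFIXES]
    if not tokens or tokens[0] not in OS_FAMILIES:
        return None
    rec = {"family": tokens[0], "major": None, "release": None, "arch": None, "unparsed": []}
    for tok in tokens[1:]:
        if rec["major"] is None and tok.isdigit():
            rec["major"] = tok
        elif RELEASE_RE.match(tok):
            rec["release"] = tok
        elif tok in ARCHITECTURES:
            rec["arch"] = tok
        else:
            rec["unparsed"].append(tok)   # e.g. a hostname pasted into the OS field
    return rec


def normalise_inventory(rows):
    """rows: iterable of (raw_os_value, entry_count). Returns (per_os, per_release, issues):
      per_os      - Counter of entries per canonical 'FAMILY MAJOR'
      per_release - Counter of entries per 'FAMILY MAJOR RELEASE' (the patch-level view)
      issues      - list of (raw_value, reason) that need manual cleanup"""
    per_os, per_release, issues = Counter(), Counter(), []
    for raw, count in rows:
        parts = [p.strip() for p in raw.split("|") if p.strip()]
        if len(parts) > 1:
            issues.append((raw, "multi-valued field (%d values)" % len(parts)))
        # dict.fromkeys de-duplicates the parts while keeping their order
        recs = [r for r in (parse_os(p) for p in dict.fromkeys(parts)) if r]
        if not recs:
            issues.append((raw, "no recognised OS family"))
            continue
        keys = sorted({(r["family"], r["major"]) for r in recs})
        if len(keys) > 1:
            issues.append((raw, "conflicting OS values %s" % keys))
        for r in recs:
            if r["unparsed"]:
                issues.append((raw, "unrecognised tokens %s" % r["unparsed"]))
        family, major = keys[0]
        canonical = "%s %s" % (family, major or "?")
        per_os[canonical] += count
        release = next((r["release"] for r in recs if r["release"]), None) or "unknown"
        per_release["%s %s" % (canonical, release)] += count
    return per_os, per_release, issues


def cardinality_report(rows):
    """Headline numbers: distinct raw values versus distinct canonical OS values."""
    per_os, per_release, issues = normalise_inventory(rows)
    return {"raw_values": len(rows), "canonical_os": len(per_os),
            "releases": len(per_release), "entries": sum(per_os.values()),
            "issues": len(issues)}


if __name__ == "__main__":
    per_os, per_release, issues = normalise_inventory(SAMPLE_OS_VALUES)
    print(cardinality_report(SAMPLE_OS_VALUES))
    for key, n in sorted(per_release.items()):
        print("%-24s %6d" % (key, n))
    for raw, reason in issues:
        print("CHECK: %r -> %s" % (raw, reason))
```

On the sample the 17 raw values collapse to one canonical OS across 11286 entries, spread over 12 release strings (191 entries with no release at all), and four rows are handed back for manual review. The release view is the one you need for patching: “Solaris 10” tells you nothing about which hosts are still on 3/05.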
31. Identify the networks
• Which hosts are still used, which ones are legacy?
• What is the usage of the hosts?
– Which ones need to stay on the same subnets/logical networks?
– Which ones need to be kept separated?
• Which vulnerabilities do the hosts have?
– Can you detect them?
– Can you patch them?
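“Which hosts are still used?” is answered by putting the Asset DB next to what the network actually shows. The Python below is an added example, not from the presentation: it pulls every IPv4 address out of the single free-text IP field (which, as noted above, only has room for one entry and gets abused accordingly), compares the registered addresses against a last-seen table of the kind a scanner or ARP/NetFlow export produces, and sorts hosts into active, legacy candidates (registered but silent for longer than a threshold), unknown (seen on the wire but never registered) and unresolvable (no usable address in the record). It also shows how far trivial normalisation collapses the duplicated support-group names. Hostnames, addresses, group names and dates are all constructed.

```python
import re
from datetime import date, timedelta

# Constructed Asset DB extract: (hostname, free-text "IP address" field, support group as typed).
ASSET_DB = [
    ("db-core-01",    "10.1.5.10",          "Unix Ops"),
    ("web-front-07",  "10.2.1.7, 10.2.1.8", "Web Team"),        # two addresses in a one-address field
    ("legacy-erp-02", "10.1.9.22",          "unix ops"),
    ("idm-ap3-p",     "10.1.5.44",          "UNIX-OPS"),
    ("print-srv-old", "10.3.0.5",           "Legacy Infrastructure"),
    ("broken-entry",  "n/a",                "Web Team"),
]

# Constructed observations: last day each address was seen on the network
# (scanner, ARP cache or NetFlow export), relative to TODAY.
TODAY = date(2011, 8, 8)
LAST_SEEN = {
    "10.1.5.10": date(2011, 8, 7),
    "10.2.1.7":  date(2011, 8, 8),
    "10.2.1.8":  date(2011, 8, 8),
    "10.1.9.22": date(2011, 3, 2),    # silent for months
    "10.1.5.44": date(2011, 8, 6),
    "10.7.7.7":  date(2011, 8, 8),    # nobody registered this one
}

IPV4_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")


def extract_ips(field):
    """All valid IPv4 addresses in a free-text field, in order, de-duplicated."""
    found = []
    for m in IPV4_RE.finditer(field):
        if all(int(octet) <= 255 for octet in m.groups()) and m.group(0) not in found:
            found.append(m.group(0))
    return found


def canonical_group(name):
    """Collapse case, punctuation and spacing so 'Unix Ops', 'unix ops' and 'UNIX-OPS' agree."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", name.lower()).split())


def reconcile(asset_db, last_seen, today, stale_days=90):
    """Classify every registered address and every observed address.
    Returns a dict with lists: active, legacy, unknown, unresolvable, multi_ip."""
    cutoff = today - timedelta(days=stale_days)
    result = {"active": [], "legacy": [], "unknown": [], "unresolvable": [], "multi_ip": []}
    registered = set()
    for host, ip_field, _group in asset_db:
        ips = extract_ips(ip_field)
        if not ips:
            result["unresolvable"].append(host)
            continue
        if len(ips) > 1:
            result["multi_ip"].append(host)
        for ip in ips:
            registered.add(ip)
            seen = last_seen.get(ip)
            if seen is not None and seen >= cutoff:
                result["active"].append((host, ip))
            else:
                result["legacy"].append((host, ip, seen))   # seen is None if never observed
    for ip in sorted(set(last_seen) - registered):
        result["unknown"].append(ip)
    return result


def group_duplicates(asset_db):
    """Map each canonical support group to the raw spellings that collapse into it."""
    groups = {}
    for _host, _ip, group in asset_db:
        groups.setdefault(canonical_group(group), set()).add(group)
    return groups


if __name__ == "__main__":
    r = reconcile(ASSET_DB, LAST_SEEN, TODAY)
    for key in ("active", "legacy", "unknown", "unresolvable", "multi_ip"):
        print("%-12s %s" % (key, r[key]))
    for canon, raw in group_duplicates(ASSET_DB).items():
        if len(raw) > 1:
            print("support group %r spelled %d ways: %s" % (canon, len(raw), sorted(raw)))
```

The three outputs that matter are the legacy list (candidates for decommissioning, or at least for isolation), the unknown list (hosts that exist on the network but not in anyone's accountability), and the spelling variants of one support group, which is where the “80+ support groups” come from. The 90-day threshold is a parameter, not a truth; pick it from your own change cadence.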
35. How is the network planned?
• Legacy is not just in the hosts, but also in the networks
• Was there a policy when the network was planned?
– Was the policy actually usable?
– Did they use it?
• Firewall based versus routing based
43. Firewall-based network
• Pros (supposed…):
– Each application/network is “separate”
– Only allowed IP/port pairs can establish a session
– Possible to implement precise change management for firewall requests
– Possible to implement monitoring of connections
• Cons (certain!):
– Lots of firewalls are needed!
– Rules just accumulate, and possibly duplicate, overlap and shadow each other
– Lots of personnel/operational effort
– Difficult to implement security/monitoring/compliance tools
– Waste of IP addresses
– Projects get bored and just ask for “allow all”
– No real visibility!
– No real security!
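“Rules just accumulate” is something you can measure rather than assert. The Python below is an added example (not from the presentation) that models a first-match ruleset in a generic 5-tuple form and reports every rule that can never fire because an earlier rule already covers all of its traffic: shadowed when the earlier rule has the opposite action (a policy contradiction), redundant when it has the same action (dead weight from a duplicate request). It also flags the “allow all” a bored project asked for, and shows what the policy really does to a given packet. The ruleset is constructed; vendor syntax differs between firewalls, but first-match semantics do not.

```python
import ipaddress
from dataclasses import dataclass

# Constructed ruleset: (name, action, source, destination, protocol, dport_low, dport_high),
# evaluated top to bottom, first match wins. Address ranges are examples.
RAW_RULES = [
    ("r1", "allow", "10.2.1.0/24",   "10.1.5.10/32", "tcp", 1521, 1521),   # web tier -> one DB host
    ("r2", "allow", "10.2.1.0/24",   "10.1.5.0/24",  "tcp", 1521, 1521),   # web tier -> whole DB subnet
    ("r3", "deny",  "10.2.1.0/24",   "10.1.5.10/32", "tcp", 1521, 1521),   # contradicts r1, never fires
    ("r4", "allow", "10.2.1.0/24",   "10.1.5.10/32", "tcp", 1521, 1521),   # copy of r1 from a later request
    ("r5", "allow", "10.2.1.128/25", "10.1.5.0/24",  "tcp", 1521, 1521),   # already inside r2
    ("r6", "allow", "0.0.0.0/0",     "0.0.0.0/0",    "any", 0, 65535),     # "just allow all"
    ("r7", "deny",  "10.9.0.0/16",   "10.1.5.0/24",  "tcp", 22, 22),       # dead: r6 allowed it already
]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str          # "tcp", "udp" or "any"
    dport: tuple        # inclusive (low, high)


def parse_rules(raw):
    return [Rule(n, a, ipaddress.ip_network(s), ipaddress.ip_network(d), p, (lo, hi))
            for n, a, s, d, p, lo, hi in raw]


def covers(a, b):
    """True if every packet that rule b matches is also matched by rule a."""
    return (b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and (a.proto == "any" or a.proto == b.proto)
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])


ANY_ANY = Rule("any", "allow", ipaddress.ip_network("0.0.0.0/0"),
               ipaddress.ip_network("0.0.0.0/0"), "any", (0, 65535))


def analyse(rules):
    """Findings as (rule, kind, earlier_rule); kind is 'shadowed', 'redundant' or 'allow-all'."""
    findings = []
    for j, later in enumerate(rules):
        if later.action == "allow" and covers(later, ANY_ANY):
            findings.append((later.name, "allow-all", None))
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, kind, earlier.name))
                break   # the first covering rule already decides every packet of 'later'
    return findings


def decide(rules, src_ip, dst_ip, proto, dport, default="deny"):
    """First-match evaluation of one packet: returns (action, rule_name)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src in r.src and dst in r.dst and r.proto in ("any", proto)
                and r.dport[0] <= dport <= r.dport[1]):
            return r.action, r.name
    return default, None


if __name__ == "__main__":
    rules = parse_rules(RAW_RULES)
    for name, kind, earlier in analyse(rules):
        print("%s: %s%s" % (name, kind, " by %s" % earlier if earlier else ""))
    # r7 was meant to block SSH from 10.9.0.0/16 into the DB subnet; what really happens:
    print(decide(rules, "10.9.1.1", "10.1.5.3", "tcp", 22))
```

On the sample, r3 is shadowed by r1, r4 and r5 are redundant, r6 is the allow-all, and r7, the one deny somebody actually cared about, is shadowed by r6: the packet it targets is allowed by r6. Real rulesets add object groups, zones and negations, and a production analysis needs to handle partial overlaps too, but full coverage by an earlier rule is the case that is both cheap to detect and always wrong.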
55. Architecting Security across global networks
Identify the networks
Identify the challenges
Identify the alternatives
57. No real visibility
• You cannot really enforce protocols on the firewalls: an open port says nothing about what actually runs over it
• You cannot possibly TAP all of these interfaces
• Even if you TAP them, they will bypass you
• Projects tend to skip the processes if they are too complex
• When NAT/NAPT is used, it becomes complex to understand the real sources and destinations
63. No real security
• You will have to choose what to protect and what not
• Often reduced to only “perimeter defence”
• Projects will tend to bypass monitored points, seeking simplicity in deployment
• If you enable logging on big pipes, you will get a huge amount of data
• Firewalls tend to become congestion points
• Subject to DoS attacks
• Anti-spoofing checks are often disabled – the firewall is used as a router
• Does not understand anything above OSI Layer 4: IP/port filtering only, no application awareness
• End-to-end encryption takes away most of the usefulness of the firewall
• Network borders are blurred
• Lacking proper access control mechanisms
74. Architecting Security across global networks
Identify the networks
Identify the challenges
Identify the alternatives
76. Different security policy
• Divide the network into sensitivity zones
– Front ends, back ends, “crown jewels” area, office LAN access, guest access, etc.
• Simplify the requirements
– Identify what is really important and what can be “drawn together”
• Take the responsibility and accountability for the simplification
• Secure the end point too!
• Employ better tools for network monitoring
– Database Activity Monitoring, Web Application Firewall, Network Forensics tools, etc.
– Application-aware tools – Next Generation Firewalls
– Select and slice the data that you want to analyse – in real time!
– Identify which user the traffic belongs to
– Deal with encryption
– Keep a forensic record of the traffic – you may need it!
– Produce NetFlow/PCAPs for SIEM tools
91. Confidentiality level C1 | 8 August 201191
Example of simplified network segregation
• Traffic flows for delivered applications
– Internet application to allow customers’ self-service provisioning
– Outsourced management of the office LAN to a third party
– Mobile customer with a dedicated APN, accessing a mobile management platform
• Security points of control
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS protection
– Session Registration
– NAC
– Database Activity Monitoring
– Vulnerability Scanners
– Two-factor authentication
– Captive portal
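Worked example (added here; it is not part of the original deck and not the code of any product the deck names): the segregation sketched above expressed as policy-as-code in Python. Zones are assigned by longest-prefix match on address ranges, each permitted inter-zone flow lists the security points of control it has to traverse, and any flow without an entry is denied by default, which is the "simplify the requirements" approach of the earlier "Different security policy" slide applied to the sensitivity zones it asks for. The zone names, the sample address ranges, the control labels and the functions zone_of, evaluate_flow and reachable_zones are all assumptions constructed for this example.

```python
"""Policy-as-code check for a zone-based network segregation design.

Added example, not from the original slides. Zones, permitted flows and the
controls attached to each flow are constructed to mirror the slide's example:
a customer-facing Internet application, an outsourced office LAN, and a mobile
APN reaching a management platform. All names and address ranges are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Sensitivity zones keyed to constructed sample address ranges.
ZONE_CIDRS = {
    "internet":         ["0.0.0.0/0"],      # catch-all; loses to any longer prefix
    "front_end":        ["10.1.0.0/24"],
    "back_end":         ["10.2.0.0/24"],
    "crown_jewels":     ["10.3.0.0/24"],
    "mobile_mgmt":      ["10.4.0.0/24"],
    "office_lan":       ["10.10.0.0/16"],
    "guest":            ["10.20.0.0/16"],
    "third_party_mgmt": ["192.0.2.0/24"],
    "mobile_apn":       ["100.64.0.0/10"],
}

# Permitted inter-zone flows and the points of control each must pass through.
# Any (src, dst) pair not listed here is denied: deny-all-else is the simplification.
REQUIRED_CONTROLS = {
    ("internet", "front_end"):          {"ngfw", "waf", "dos_protection"},
    ("front_end", "back_end"):          {"ngfw"},
    ("back_end", "crown_jewels"):       {"ngfw", "dam"},   # dam = database activity monitoring
    ("third_party_mgmt", "office_lan"): {"ngfw", "2fa", "session_registration"},
    ("office_lan", "front_end"):        {"ngfw", "nac"},
    ("guest", "internet"):              {"captive_portal", "ngfw"},
    ("mobile_apn", "mobile_mgmt"):      {"ngfw", "ips", "2fa"},
}


def zone_of(ip):
    """Longest-prefix match of an address against ZONE_CIDRS."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for zone, cidrs in ZONE_CIDRS.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if addr in net and net.prefixlen > best_len:
                best, best_len = zone, net.prefixlen
    return best


@dataclass(frozen=True)
class FlowRequest:
    src_ip: str
    dst_ip: str
    controls_on_path: frozenset  # controls the proposed path really traverses


def evaluate_flow(req):
    """Return (verdict, detail); verdict is 'allow', 'deny' or 'missing-controls'."""
    src_zone, dst_zone = zone_of(req.src_ip), zone_of(req.dst_ip)
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic inside {src_zone}"
    required = REQUIRED_CONTROLS.get((src_zone, dst_zone))
    if required is None:
        return "deny", f"no policy entry for {src_zone} -> {dst_zone}"
    missing = required - set(req.controls_on_path)
    if missing:
        return "missing-controls", f"{src_zone} -> {dst_zone} bypasses {sorted(missing)}"
    return "allow", f"{src_zone} -> {dst_zone} via {sorted(required)}"


def reachable_zones(target):
    """Zones with a direct permitted path into `target`: review the crown jewels' fan-in."""
    return sorted(src for (src, dst) in REQUIRED_CONTROLS if dst == target)


if __name__ == "__main__":
    samples = [
        FlowRequest("203.0.113.5", "10.1.0.10", frozenset({"ngfw", "waf", "dos_protection"})),
        FlowRequest("203.0.113.5", "10.1.0.10", frozenset({"ngfw"})),
        FlowRequest("203.0.113.5", "10.3.0.7", frozenset({"ngfw", "waf"})),
        FlowRequest("100.64.5.5", "10.4.0.2", frozenset({"ngfw", "ips", "2fa"})),
    ]
    for s in samples:
        print(s.src_ip, "->", s.dst_ip, *evaluate_flow(s))
    print("can reach crown_jewels:", reachable_zones("crown_jewels"))
```

Running the module lists the verdicts for four constructed flows: the Internet-to-front-end flow is allowed only when the path really passes the WAF and DoS protection, an Internet-to-crown-jewels flow is denied because no policy entry exists, and reachable_zones shows that only the back end has a direct path into the crown jewels, which is the question a reviewer of the design would ask first.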
145. Confidentiality level C1 | 8 August 2011145
Next evolution?
• Fabric path interception
• Packets are routed and switched only on the main switching/routing instance
• There is no switching or routing happening on the access switch
• Capacity can scale to 768 x 10 Gb/sec ports
• However, real throughput depends on the fabric connectors (generally 40 Gb/sec)
• Could we do that?
153. Confidentiality level C1 | 8 August 2011153
Next evolution?
• Interchangeable 1+10 Gb/sec ports
• 10 Gb/sec iBypass HD
• Chassis-based bypass/load balancer
• Programmable bypass or TAP
• Higher port density xBalancer
• Real application detection on the xBalancer/Director Pro
• “Passive checks” for tool failures
• Correlation of sources/destinations/NAC tokens with real users (AD accounts)
• Real distributed management common for bypasses, TAPs, etc.
• APIs and connections with SIEM tools
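Worked example (added here; not part of the original deck and not the code or schema of any product it names) for the correlation bullet above and for the monitoring advice on the earlier "Different security policy" slide: identify which user a flow belongs to, keep a forensic registration, and hand NetFlow-derived events to a SIEM. It joins NetFlow-style records with a NAC session table keyed by IP and time window, tags flows into the sensitive zone, and emits JSON lines a SIEM can ingest. The edge case it handles is an address reused by two users in sequence: a flow that falls in the gap between their sessions stays unattributed and is alerted on when it touches the sensitive zone, rather than being charged to the last known user. The flow records, session table, field names (nac_token, ad_account) and the functions attribute, enrich, bytes_to_sensitive_by_user and to_jsonl are constructed assumptions for this example.

```python
"""Attribute flow records to users via NAC/AD sessions and emit forensic events.

Added example, not from the original slides. Flow records, the NAC session table,
the sensitive range and every field name are constructed for this example; they
do not follow any vendor's export format.
"""
import ipaddress
import json
from datetime import datetime, timezone


def ts(s):
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed "crown jewels" range: the zone whose access must be attributable.
SENSITIVE_NETS = [ipaddress.ip_network("10.3.0.0/24")]


def is_sensitive(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SENSITIVE_NETS)


# Constructed NAC sessions: which AD account held which IP during which window.
# 10.10.1.20 is handed to two users in sequence (DHCP churn), with a gap between.
NAC_SESSIONS = [
    {"ip": "10.10.1.20", "ad_account": "CORP\\alice", "nac_token": "tok-a1",
     "start": ts("2011-08-08T08:00:00"), "end": ts("2011-08-08T12:00:00")},
    {"ip": "10.10.1.20", "ad_account": "CORP\\bob", "nac_token": "tok-b7",
     "start": ts("2011-08-08T12:30:00"), "end": ts("2011-08-08T18:00:00")},
    {"ip": "10.10.1.21", "ad_account": "CORP\\carol", "nac_token": "tok-c3",
     "start": ts("2011-08-08T07:30:00"), "end": None},  # session still open
]

# Constructed NetFlow-style records: flow start, source, destination, port, bytes.
FLOWS = [
    {"start": ts("2011-08-08T09:15:00"), "src": "10.10.1.20", "dst": "10.3.0.7", "dport": 1521, "bytes": 48_000_000},
    {"start": ts("2011-08-08T12:10:00"), "src": "10.10.1.20", "dst": "10.1.0.10", "dport": 443, "bytes": 1200},
    {"start": ts("2011-08-08T13:00:00"), "src": "10.10.1.20", "dst": "10.3.0.7", "dport": 1521, "bytes": 900},
    {"start": ts("2011-08-08T13:05:00"), "src": "10.10.1.99", "dst": "10.3.0.7", "dport": 1521, "bytes": 500},
    {"start": ts("2011-08-08T13:06:00"), "src": "10.10.1.21", "dst": "10.1.0.10", "dport": 443, "bytes": 2200},
]


def attribute(flow, sessions=NAC_SESSIONS):
    """Return the NAC session that held flow['src'] when the flow started, else None."""
    for s in sessions:
        if s["ip"] != flow["src"]:
            continue
        if s["start"] <= flow["start"] and (s["end"] is None or flow["start"] < s["end"]):
            return s
    return None  # no session covers this instant: keep it unattributed


def enrich(flows=FLOWS, sessions=NAC_SESSIONS):
    """Build one forensic event per flow, with user, NAC token and zone tagging."""
    events = []
    for f in flows:
        s = attribute(f, sessions)
        ev = {
            "ts": f["start"].isoformat(),
            "src": f["src"], "dst": f["dst"], "dport": f["dport"], "bytes": f["bytes"],
            "user": s["ad_account"] if s else None,
            "nac_token": s["nac_token"] if s else None,
            "dst_sensitive": is_sensitive(f["dst"]),
            "alert": None,
        }
        if ev["dst_sensitive"] and ev["user"] is None:
            ev["alert"] = "unattributed access to sensitive zone"
        events.append(ev)
    return events


def bytes_to_sensitive_by_user(events):
    """Slice the data: bytes sent into the sensitive zone, per attributed user."""
    totals = {}
    for e in events:
        if e["dst_sensitive"]:
            totals[e["user"]] = totals.get(e["user"], 0) + e["bytes"]
    return totals


def to_jsonl(events):
    """One JSON object per line, the usual shape for a SIEM ingestion API."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


if __name__ == "__main__":
    evs = enrich()
    print(to_jsonl(evs))
    print(bytes_to_sensitive_by_user(evs))
```

In the constructed data the 12:10 flow from 10.10.1.20 lands between alice's and bob's sessions and is left without a user; because its destination is not in the sensitive range it only stays unattributed, whereas the flow from 10.10.1.99, which never had a NAC session, raises an alert the moment it reaches the sensitive zone. The per-user byte totals are the kind of slice a SIEM query would run on these events.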