Confidentiality level C1 | 8 August 2011
Architecting Security across global networks
Presented by Marco Ermini
8 August 2011
A huge topic: where to start?
• This will not be about how to architect a network, or about network security in general - it is about network visibility.
• You land in this complex company (or you acquire it) and you divide your tasks:
1. Identify the networks
2. Identify the challenges
3. Identify the alternatives
“Divide et impera”
Architecting Security across global networks
Identify the networks
Identify the challenges
Identify the alternatives
Identify the networks
• Network maps anyone?
Identify the networks
• Asset DB anyone?
• Examples of our Asset DB:
– “OS”, “OS version number”, “support group”, “IP address” and “DB version” are free text fields
– “OS”: circa 240 counted, without including the version number!
  Sample of the values found in the “OS” fields (cs_os_name / cs_os_versionnumber, as entered) with the number of entries carrying each:
  SOLARIS 10 IDM-AP3-P | SOLARIS 10 9/10   10 9/10 | 10 9/10
  SOLARIS 10                                                 177
  SOLARIS 10 1/06                                            820
  SOLARIS 10 10/08                                          1413
  SOLARIS 10 10/08 | SOLARIS 10 10/08                          1
  SOLARIS 10 10/09                                          1554
  SOLARIS 10 11/06                                          2164
  SOLARIS 10 3/05                                             35
  SOLARIS 10 5/08                                            259
  SOLARIS 10 5/08 | SOLARIS 10 5/08                            3
  SOLARIS 10 5/09                                            725
  SOLARIS 10 6/06                                            278
  SOLARIS 10 8/07                                            397
  SOLARIS 10 8/11                                              3
  SOLARIS 10 9/10                                           3442
  SOLARIS 10 IDM-AP3-P | SOLARIS 10 9/10                       1
  SOLARIS 10 X64                                              10
  SUN SOLARIS 10                                               4
– “DB” and “Computers” counted as different entities
– 80+ support groups (!!!), many of which are clearly legacy or duplicated
– No unique correspondence between an Asset DB entry and physical reality
– The IP address field has space for only one entry (!!!)
– No way to do an automatic import, therefore many departments don’t use it
– It relies on a special tool to fetch the data, but the tool is not ubiquitous
– Almost 35000 entries, but no one knows if the data is qualitatively relevant
– No one is accountable for the data, only for the Asset DB tool in itself
• There is a disconnection between who created and maintains the system, and its business objectives
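Added example, not from the deck: a data-quality audit of the free-text “OS” and “IP address” fields described above, run over constructed rows shaped like the ones in the table. The vendor prefixes it drops and the ip_address column name are assumptions; it counts distinct values before and after normalisation and flags pipe-joined, multi-IP and unparseable entries.

```python
import re
from collections import Counter

# Constructed sample rows (not real inventory data).  The cs_os_name column
# mirrors the deck; the messiness is deliberate.
SAMPLE_ROWS = [
    {"cs_os_name": "SOLARIS 10 9/10", "ip_address": "10.1.2.3"},
    {"cs_os_name": "Solaris 10 9/10 ", "ip_address": "10.1.2.4"},
    {"cs_os_name": "SUN SOLARIS 10", "ip_address": "10.1.2.5"},
    {"cs_os_name": "SOLARIS 10 IDM-AP3-P | SOLARIS 10 9/10", "ip_address": "10.1.2.6"},
    {"cs_os_name": "SOLARIS 10 10/08 | SOLARIS 10 10/08", "ip_address": "10.1.2.7"},
    {"cs_os_name": "solaris 10 x64", "ip_address": "10.1.2.8, 10.1.3.8"},
    {"cs_os_name": "Windows Server 2008 R2", "ip_address": "10.2.0.1"},
    {"cs_os_name": "WINDOWS SERVER 2008R2", "ip_address": "10.2.0.2"},
    {"cs_os_name": "", "ip_address": "not assigned"},
]

VENDOR_PREFIXES = ("SUN ", "ORACLE ")          # assumed vendor noise to drop
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def normalise_os(raw):
    """Reduce a free-text OS value to a canonical key.

    Pipe-joined values (two records merged into one field) are split; if the
    halves differ the key keeps both, so the row can be flagged as ambiguous.
    """
    keys = set()
    for part in raw.split("|"):
        key = re.sub(r"\s+", " ", part.upper()).strip()
        if not key:
            continue
        for prefix in VENDOR_PREFIXES:
            if key.startswith(prefix):
                key = key[len(prefix):]
        key = re.sub(r"(\d)R2\b", r"\1 R2", key)   # "2008R2" -> "2008 R2"
        keys.add(key)
    return " | ".join(sorted(keys))


def audit(rows):
    """Return data-quality findings for the free-text OS and IP fields."""
    raw = Counter(r["cs_os_name"] for r in rows)
    norm = Counter(normalise_os(r["cs_os_name"]) for r in rows)
    multi_valued, multi_ip, unparseable_ip = [], [], []
    for r in rows:
        if "|" in normalise_os(r["cs_os_name"]):
            multi_valued.append(r["cs_os_name"])
        ips = IPV4_RE.findall(r["ip_address"])
        if len(ips) > 1:            # two hosts squeezed into a one-entry field
            multi_ip.append(r["ip_address"])
        elif not ips:               # field holds no address at all
            unparseable_ip.append(r["ip_address"])
    return {
        "raw_distinct": len(raw),
        "normalised_distinct": len(norm),
        "empty_os": norm.get("", 0),
        "multi_valued_os": multi_valued,
        "multi_ip": multi_ip,
        "unparseable_ip": unparseable_ip,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```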
Identify the networks
• Which hosts are still used, and which ones are legacy?
• What are the hosts used for?
– Which ones need to stay on the same subnets/logical networks?
– Which ones need to be kept separate?
• Which vulnerabilities do the hosts have?
– Can you detect them?
– Can you patch them?
How is the network planned?
• Legacy lives not just in the hosts, but also in the networks
• Was there a policy when the network was planned?
– Was the policy actually usable?
– Did they use it?
• Firewall-based versus routing-based
Firewall-based network
• Pros (supposed…):
– Each application/network is “separate”
– Only allowed IP/port pairs can establish a session
– Possible to implement precise change management for firewall requests
– Possible to implement monitoring of connections
• Cons (certain!):
– Lots of firewalls are needed!
– Rules just accumulate, and possibly duplicate, overlap and shadow each other
– Lots of personnel/operational effort
– Difficult to implement security/monitoring/compliance tools
– Waste of IP addresses
– Projects get bored and just ask for “allow all”
– No real visibility!
– No real security!
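Added example, not from the deck: a small checker for the “rules accumulate, duplicate, overlap and shadow each other” problem. It walks a constructed first-match rule set (CIDR, protocol, port range, action), reports later rules that an earlier rule already fully covers (duplicate if the action is the same, shadowed if not) and later denies that an earlier allow partially overlaps; the rule format is an assumption, not any vendor's syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # source CIDR
    dst: str        # destination CIDR
    proto: str      # "tcp", "udp" or "any"
    ports: tuple    # inclusive destination port range; (0, 65535) means any
    action: str     # "allow" or "deny"


def _nets(rule):
    return ip_network(rule.src), ip_network(rule.dst)


def covers(outer, inner):
    """True when every packet matched by `inner` already matches `outer`."""
    o_src, o_dst = _nets(outer)
    i_src, i_dst = _nets(inner)
    if o_src.version != i_src.version or o_dst.version != i_dst.version:
        return False   # subnet_of() refuses to compare IPv4 with IPv6
    return (
        i_src.subnet_of(o_src)
        and i_dst.subnet_of(o_dst)
        and (outer.proto == "any" or outer.proto == inner.proto)
        and outer.ports[0] <= inner.ports[0] <= inner.ports[1] <= outer.ports[1]
    )


def intersects(a, b):
    """True when at least one packet matches both rules (partial overlap)."""
    a_src, a_dst = _nets(a)
    b_src, b_dst = _nets(b)
    return (
        a_src.overlaps(b_src)
        and a_dst.overlaps(b_dst)
        and (a.proto == "any" or b.proto == "any" or a.proto == b.proto)
        and a.ports[0] <= b.ports[1]
        and b.ports[0] <= a.ports[1]
    )


def analyse(rules):
    """Walk a first-match rule set and report (rule, problem, earlier rule).

    duplicate: an earlier rule with the same action already covers it.
    shadowed:  an earlier rule with the opposite action covers it, so it
               never fires.
    overlaps:  an earlier rule with the opposite action matches part of its
               traffic, so part of what it was meant to do is undone.
    """
    findings = []
    for i, rule in enumerate(rules):
        earlier = rules[:i]
        cover = next((e for e in earlier if covers(e, rule)), None)
        if cover is not None:
            kind = "duplicate" if cover.action == rule.action else "shadowed"
            findings.append((rule.name, kind, cover.name))
            continue
        for e in earlier:
            if e.action != rule.action and intersects(e, rule):
                findings.append((rule.name, "overlaps", e.name))
    return findings


# Constructed rule set (hypothetical addresses), in match order.
RULES = [
    Rule("r1-web-in", "0.0.0.0/0", "10.10.1.0/24", "tcp", (443, 443), "allow"),
    # The "allow all" a project asked for once the request process got too slow.
    Rule("r2-office-any", "10.20.0.0/16", "10.10.0.0/16", "any", (0, 65535), "allow"),
    Rule("r3-office-db", "10.20.5.0/24", "10.10.2.0/24", "tcp", (1521, 1521), "allow"),
    Rule("r4-block-guest", "10.20.9.0/24", "10.10.0.0/16", "any", (0, 65535), "deny"),
    Rule("r5-mgmt-ssh", "10.30.0.0/24", "10.10.0.0/16", "tcp", (22, 22), "allow"),
    Rule("r6-deny-ssh", "10.30.0.0/16", "10.10.2.0/24", "tcp", (22, 22), "deny"),
]

if __name__ == "__main__":
    for name, problem, other in analyse(RULES):
        print(f"{name}: {problem} by {other}")
```

The guest deny (r4) is the interesting finding: it sits after the blanket allow, so the “separate” network it was meant to enforce never existed.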
Architecting Security across global networks
Identify the networks
Identify the challenges
Identify the alternatives
No real visibility
• You cannot really enforce protocols on the firewalls
• You cannot possibly TAP all of these interfaces
• Even if you TAP them, they will bypass you
• Projects tend to skip the processes if they are too complex
• When NAT/NAPT is used, it becomes complex to understand the real sources and destinations
No real security
• You will have to choose what to protect and what not to protect
• Often reduced to “perimeter defence” only
• Projects will tend to bypass monitored points, seeking simplicity of deployment
• If you enable logging on big pipes, you will get a huge amount of data
• Firewalls tend to become congestion points
• Subject to DoS attacks
• Anti-spoofing checks are often disabled – the firewalls are used as routers
• They do not understand OSI Layer 4 and above
• End-to-end encryption takes away the usefulness of the firewall
• Network borders are blurred
• Lacking proper access control mechanisms
Architecting Security across global networks
Identify the networks
Identify the challenges
Identify the alternatives
Different security policy
• Divide the network into sensitivity zones
– Front ends, back ends, “crown jewels” area, office LAN access, guest access, etc.
• Simplify the requirements
– Identify what is really important and what can be “drawn together”
• Take responsibility and accountability for the simplification
• Secure the end point too!
• Employ better tools for network monitoring
– Database Activity Monitoring, Web Application Firewall, Network Forensics tools, etc.
– Application-aware tools – Next Generation Firewalls
– Select and slice the data that you want to analyse – in real time!
– Identify which user the traffic belongs to
– Deal with encryption
– Keep a forensic record of the traffic – you may need it!
– Produce NetFlow/PCAPs for SIEM tools
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
Confidentiality level C1 | 8 August 2011106
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
Confidentiality level C1 | 8 August 2011107
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
Confidentiality level C1 | 8 August 2011108
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
Confidentiality level C1 | 8 August 2011109
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
Confidentiality level C1 | 8 August 2011110
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
Confidentiality level C1 | 8 August 2011111
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
Confidentiality level C1 | 8 August 2011112
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
Confidentiality level C1 | 8 August 2011113
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
Confidentiality level C1 | 8 August 2011114
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
Confidentiality level C1 | 8 August 2011115
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
Confidentiality level C1 | 8 August 2011116
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
Confidentiality level C1 | 8 August 2011117
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
Confidentiality level C1 | 8 August 2011118
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
Confidentiality level C1 | 8 August 2011119
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
Confidentiality level C1 | 8 August 2011120
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
Confidentiality level C1 | 8 August 2011121
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
Confidentiality level C1 | 8 August 2011122
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
Confidentiality level C1 | 8 August 2011123
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
Confidentiality level C1 | 8 August 2011124
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
– NAC
Confidentiality level C1 | 8 August 2011125
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
– NAC
Confidentiality level C1 | 8 August 2011126
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
– NAC
– Database Activity Monitoring
Confidentiality level C1 | 8 August 2011127
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
– NAC
– Database Activity Monitoring
Confidentiality level C1 | 8 August 2011128
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
– NAC
– Database Activity Monitoring
– Vulnerability Scanners
Confidentiality level C1 | 8 August 2011129
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
– NAC
– Database Activity Monitoring
– Vulnerability Scanners
Confidentiality level C1 | 8 August 2011130
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
– NAC
– Database Activity Monitoring
– Vulnerability Scanners
– Two factors authentication
Confidentiality level C1 | 8 August 2011131
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
– NAC
– Database Activity Monitoring
– Vulnerability Scanners
– Two factors authentication
Confidentiality level C1 | 8 August 2011132
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
– NAC
– Database Activity Monitoring
– Vulnerability Scanners
– Two factors authentication
– Captive portal
Confidentiality level C1 | 8 August 2011133
Example of simplified network segregation
• Traffic flows for delivered applications
– Internet application to allow customers’ self-service provisioning
– Outsourced management of the office LAN to a third party
– Mobile customers with a dedicated APN, accessing a mobile management platform
• Security points of control
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS protection
– Session registration
– NAC
– Database Activity Monitoring
– Vulnerability scanners
– Two-factor authentication
– Captive portal
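The segregation above only works if every path a flow can take actually crosses the points of control meant for it; a forgotten legacy link turns the whole design into decoration. The following is an added example written for this page (not from the original deck): it models segments as a directed graph with the inline controls on each link, enumerates every loop-free path for each delivered flow, and reports paths that miss a required control. The topology, the control-to-flow mapping and the names are all assumptions chosen to mirror the three flows on the slide.

```python
"""Verify that every path a flow can take crosses the points of control the policy demands."""

# Assumed topology: directed links between segments and the inline controls on each link.
LINKS = {
    ("internet", "dmz_web"): {"ngfw", "waf_ddos"},
    ("dmz_web", "app_tier"): {"ngfw"},
    ("app_tier", "db_tier"): {"ngfw", "dam"},
    ("partner", "office_lan"): {"ngfw", "2fa", "session_registration"},
    ("office_lan", "app_tier"): {"ngfw", "nac"},
    ("office_lan", "db_tier"): {"ngfw"},              # legacy direct link: the bypass
    ("mobile_apn", "mobile_mgmt"): {"ngfw", "ips"},
}

# Assumed policy: the controls every path of the flow must traverse.
# An empty set means the flow is expected to be impossible, so any path is a finding.
FLOWS = [
    ("customer self-service", "internet", "dmz_web", {"ngfw", "waf_ddos"}),
    ("self-service to database", "internet", "db_tier", {"ngfw", "waf_ddos", "dam"}),
    ("outsourced LAN management", "partner", "office_lan", {"ngfw", "2fa", "session_registration"}),
    ("office LAN to database", "office_lan", "db_tier", {"ngfw", "nac", "dam"}),
    ("partner to database", "partner", "db_tier", {"ngfw", "2fa", "session_registration", "dam"}),
    ("APN to mobile management", "mobile_apn", "mobile_mgmt", {"ngfw", "ips"}),
    ("APN to database", "mobile_apn", "db_tier", set()),
]


def simple_paths(links, src, dst):
    """Enumerate every loop-free path from src to dst over the directed links (DFS)."""
    adjacency = {}
    for a, b in links:
        adjacency.setdefault(a, []).append(b)
    paths, stack = [], [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            paths.append(path)
            continue
        for nxt in adjacency.get(node, []):
            if nxt not in path:                  # no revisits keeps the search finite
                stack.append((nxt, path + [nxt]))
    return paths


def controls_on(links, path):
    """Union of the controls sitting on each hop of a path."""
    seen = set()
    for a, b in zip(path, path[1:]):
        seen |= links[(a, b)]
    return seen


def verify(links, flows):
    """Return {flow name: [(path, missing controls), ...]}; an empty list means compliant."""
    findings = {}
    for name, src, dst, required in flows:
        bad = []
        for path in simple_paths(links, src, dst):
            missing = required - controls_on(links, path)
            if missing or not required:
                bad.append((path, missing))
        findings[name] = bad
    return findings


if __name__ == "__main__":
    for name, bad in verify(LINKS, FLOWS).items():
        if not bad:
            print(f"{name:28s} OK")
        for path, missing in bad:
            what = f"missing {sorted(missing)}" if missing else "path should not exist"
            print(f"{name:28s} {'->'.join(path)}: {what}")
```

Run as is, the check flags the office LAN's direct link to the database tier (no NAC, no Database Activity Monitoring) and shows that the same link lets the outsourced partner reach the database without DAM. Delete that one link and both findings disappear, which is the kind of evidence worth attaching to a simplification decision.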
Multiple applications deployment – old approach (diagram only)
Multiple applications deployment – new policy (diagram only)
Security Monitoring with the new policy (diagram only)
Next evolution?
• Fabric path interception
• Packets are routed and switched only on the main switching/routing instance
• There is no switching or routing happening on the access switch
• Capacity can scale to 768 x 10 Gb/sec ports
• However, real throughput depends on the fabric connectors (generally 40 Gb/sec)
• Could we do that?
Next evolution?
• Interchangeable 1+10 Gb/sec ports
• 10 Gb/sec iBypass HD
• Chassis-based bypass/load balancer
• Programmable bypass or TAP
• Higher port density xBalancer
• Real application detection on the xBalancer/Director Pro
• “Passive checks” for tool failures
• Correlation of sources/destinations/NAC tokens with real users (AD accounts)
• Real distributed management common for bypasses, TAPs, etc.
• APIs and connections with SIEM tools
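Both the earlier monitoring bullet (identify which user a traffic flow belongs to) and the correlation bullet above come down to the same join: a flow record carries only an IP address, and the NAC accounting log says who held that address and when. The example below is added code for this page, not from the original deck or any NAC vendor; the syslog-style accounting format, the AD account names and the flows are all constructed. It folds start/stop events into sessions and attributes each flow by IP and time window, so an address reused by a second user after a re-authentication is credited correctly, and traffic seen outside any session is flagged rather than guessed.

```python
"""Attribute flow records to AD accounts from NAC session accounting, honouring time windows."""
import re
from datetime import datetime, timezone

# Constructed NAC accounting lines; the format is an assumption for this example.
NAC_LOG = """\
2011-08-08T08:55:00Z nac event=start ip=10.1.2.3 user=CORP\\mrossi token=8f1c
2011-08-08T09:40:00Z nac event=stop ip=10.1.2.3 user=CORP\\mrossi token=8f1c
2011-08-08T09:41:30Z nac event=start ip=10.1.2.3 user=CORP\\lbianchi token=a0d2
2011-08-08T08:00:00Z nac event=start ip=10.1.7.7 user=CORP\\svc-backup token=77e1
"""

LINE_RE = re.compile(r"^(\S+) nac event=(start|stop) ip=(\S+) user=(\S+) token=(\S+)$")


def parse_time(text):
    """ISO-8601 UTC timestamp to an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sessions_from_log(log):
    """Fold start/stop events into sessions keyed by (ip, token); open ones have stop=None."""
    open_sessions, sessions = {}, []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                   # tolerate unrelated syslog lines
        ts, event, ip, user, token = m.groups()
        when = parse_time(ts)
        if event == "start":
            open_sessions[(ip, token)] = {"ip": ip, "user": user, "token": token,
                                          "start": when, "stop": None}
        else:
            s = open_sessions.pop((ip, token), None)
            if s:
                s["stop"] = when
                sessions.append(s)
    sessions.extend(open_sessions.values())             # still logged in at end of log
    return sessions


def attribute(flow, sessions):
    """Return the session that owned flow['src_ip'] at flow['ts'], or None if none did."""
    for s in sessions:
        in_window = s["start"] <= flow["ts"] and (s["stop"] is None or flow["ts"] <= s["stop"])
        if s["ip"] == flow["src_ip"] and in_window:
            return s
    return None


def enrich(flows, sessions):
    """Attach user and NAC token to each flow, or mark it unattributed, for the SIEM."""
    out = []
    for f in flows:
        s = attribute(f, sessions)
        out.append({**f, "user": s["user"] if s else None,
                    "nac_token": s["token"] if s else None,
                    "unattributed": s is None})
    return out


# Constructed flow records (the shape a flow exporter would hand to the SIEM).
FLOWS = [
    {"ts": parse_time("2011-08-08T09:10:00Z"), "src_ip": "10.1.2.3", "dst_ip": "10.9.9.5", "dst_port": 3306},
    {"ts": parse_time("2011-08-08T09:50:00Z"), "src_ip": "10.1.2.3", "dst_ip": "10.9.9.5", "dst_port": 3306},
    {"ts": parse_time("2011-08-08T09:41:00Z"), "src_ip": "10.1.2.3", "dst_ip": "192.0.2.10", "dst_port": 443},
    {"ts": parse_time("2011-08-08T10:00:00Z"), "src_ip": "10.1.7.7", "dst_ip": "10.9.9.5", "dst_port": 3306},
]

if __name__ == "__main__":
    for e in enrich(FLOWS, sessions_from_log(NAC_LOG)):
        print(e["ts"].isoformat(), e["src_ip"], "->", e["dst_ip"], e["user"] or "UNATTRIBUTED")
```

The third flow is the interesting one: the same address talks to the web tier in the ninety seconds between one user's logout and the next user's login. Crediting it to either account would be wrong; leaving it unattributed surfaces a host that is on the wire without a NAC session, which is itself something the SIEM should alert on.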
Thank you

More Related Content

Similar to Architecting Security across global networks

Best Practices for Design Hardware APIs
Best Practices for Design Hardware APIsBest Practices for Design Hardware APIs
Best Practices for Design Hardware APIs
Matt Haines
 
Open Source Software, Distributed Systems, Database as a Cloud Service
Open Source Software, Distributed Systems, Database as a Cloud ServiceOpen Source Software, Distributed Systems, Database as a Cloud Service
Open Source Software, Distributed Systems, Database as a Cloud Service
SATOSHI TAGOMORI
 
DEFCON 23 - Ian Latter - remote access the apt
DEFCON 23 - Ian Latter - remote access the aptDEFCON 23 - Ian Latter - remote access the apt
DEFCON 23 - Ian Latter - remote access the apt
Felipe Prado
 
Building a lightweight discovery interface for Chinese patents
Building a lightweight discovery interface for Chinese patentsBuilding a lightweight discovery interface for Chinese patents
Building a lightweight discovery interface for Chinese patents
OpenSource Connections
 
DACS - The Internet of Things (IoT)
DACS - The Internet of Things (IoT)DACS - The Internet of Things (IoT)
DACS - The Internet of Things (IoT)
Steve Posick
 
Building a Lightweight Discovery Interface for China's Patents@NYC Solr/Lucen...
Building a Lightweight Discovery Interface for China's Patents@NYC Solr/Lucen...Building a Lightweight Discovery Interface for China's Patents@NYC Solr/Lucen...
Building a Lightweight Discovery Interface for China's Patents@NYC Solr/Lucen...
OpenSource Connections
 
Why don't we have REAL IP to the Edge in Buildings?
Why don't we have REAL IP to the Edge in Buildings?Why don't we have REAL IP to the Edge in Buildings?
Why don't we have REAL IP to the Edge in Buildings?
Memoori
 
Open Source IoT Building Blocks for Startups
Open Source IoT Building Blocks for StartupsOpen Source IoT Building Blocks for Startups
Open Source IoT Building Blocks for Startups
Charalampos Doukas
 
ARToolworks ARE2011: Building an Open-Source AR Business.
ARToolworks ARE2011: Building an Open-Source AR Business.ARToolworks ARE2011: Building an Open-Source AR Business.
ARToolworks ARE2011: Building an Open-Source AR Business.
philip_lamb
 
IoT Open Source Integration Comparison (Kura, Node-RED, Flogo, Apache Nifi, S...
IoT Open Source Integration Comparison (Kura, Node-RED, Flogo, Apache Nifi, S...IoT Open Source Integration Comparison (Kura, Node-RED, Flogo, Apache Nifi, S...
IoT Open Source Integration Comparison (Kura, Node-RED, Flogo, Apache Nifi, S...
Kai Wähner
 
Fine Grain Access Control for Big Data: ORC Column Encryption
Fine Grain Access Control for Big Data: ORC Column EncryptionFine Grain Access Control for Big Data: ORC Column Encryption
Fine Grain Access Control for Big Data: ORC Column Encryption
Owen O'Malley
 
Hacking with the Raspberry Pi and Windows 10 IoT Core
Hacking with the Raspberry Pi and Windows 10 IoT CoreHacking with the Raspberry Pi and Windows 10 IoT Core
Hacking with the Raspberry Pi and Windows 10 IoT Core
Nick Landry
 
Building a Lightweight Discovery Interface for Chinese Patents, Presented by ...
Building a Lightweight Discovery Interface for Chinese Patents, Presented by ...Building a Lightweight Discovery Interface for Chinese Patents, Presented by ...
Building a Lightweight Discovery Interface for Chinese Patents, Presented by ...
Lucidworks (Archived)
 
Logmatic at ElasticSearch November Paris meetup
Logmatic at ElasticSearch November Paris meetupLogmatic at ElasticSearch November Paris meetup
Logmatic at ElasticSearch November Paris meetup
logmatic.io
 
AWS Webcast - Splunk and Autodesk
AWS Webcast - Splunk and AutodeskAWS Webcast - Splunk and Autodesk
AWS Webcast - Splunk and Autodesk
Amazon Web Services
 
Using Enterprise Search at the city of Antibes
Using Enterprise Search at the city of AntibesUsing Enterprise Search at the city of Antibes
Using Enterprise Search at the city of Antibes
francelabs
 
TIBCO Advanced Analytics Meetup (TAAM) - June 2015
TIBCO Advanced Analytics Meetup (TAAM) - June 2015TIBCO Advanced Analytics Meetup (TAAM) - June 2015
TIBCO Advanced Analytics Meetup (TAAM) - June 2015
Bipin Singh
 
Continuum Analytics and Python
Continuum Analytics and PythonContinuum Analytics and Python
Continuum Analytics and Python
Travis Oliphant
 
Sharepoint 2013 applied architecture from the field (v2)
Sharepoint 2013 applied architecture from the field (v2)Sharepoint 2013 applied architecture from the field (v2)
Sharepoint 2013 applied architecture from the field (v2)
Tihomir Ignatov
 
Elements of Connected Products
Elements of Connected ProductsElements of Connected Products
Elements of Connected Products
Jordan Husney
 

Similar to Architecting Security across global networks (20)

Best Practices for Design Hardware APIs
Best Practices for Design Hardware APIsBest Practices for Design Hardware APIs
Best Practices for Design Hardware APIs
 
Open Source Software, Distributed Systems, Database as a Cloud Service
Open Source Software, Distributed Systems, Database as a Cloud ServiceOpen Source Software, Distributed Systems, Database as a Cloud Service
Open Source Software, Distributed Systems, Database as a Cloud Service
 
DEFCON 23 - Ian Latter - remote access the apt
DEFCON 23 - Ian Latter - remote access the aptDEFCON 23 - Ian Latter - remote access the apt
DEFCON 23 - Ian Latter - remote access the apt
 
Building a lightweight discovery interface for Chinese patents
Building a lightweight discovery interface for Chinese patentsBuilding a lightweight discovery interface for Chinese patents
Building a lightweight discovery interface for Chinese patents
 
DACS - The Internet of Things (IoT)
DACS - The Internet of Things (IoT)DACS - The Internet of Things (IoT)
DACS - The Internet of Things (IoT)
 
Building a Lightweight Discovery Interface for China's Patents@NYC Solr/Lucen...
Building a Lightweight Discovery Interface for China's Patents@NYC Solr/Lucen...Building a Lightweight Discovery Interface for China's Patents@NYC Solr/Lucen...
Building a Lightweight Discovery Interface for China's Patents@NYC Solr/Lucen...
 
Why don't we have REAL IP to the Edge in Buildings?
Why don't we have REAL IP to the Edge in Buildings?Why don't we have REAL IP to the Edge in Buildings?
Why don't we have REAL IP to the Edge in Buildings?
 
Open Source IoT Building Blocks for Startups
Open Source IoT Building Blocks for StartupsOpen Source IoT Building Blocks for Startups
Open Source IoT Building Blocks for Startups
 
ARToolworks ARE2011: Building an Open-Source AR Business.
ARToolworks ARE2011: Building an Open-Source AR Business.ARToolworks ARE2011: Building an Open-Source AR Business.
ARToolworks ARE2011: Building an Open-Source AR Business.
 
IoT Open Source Integration Comparison (Kura, Node-RED, Flogo, Apache Nifi, S...
IoT Open Source Integration Comparison (Kura, Node-RED, Flogo, Apache Nifi, S...IoT Open Source Integration Comparison (Kura, Node-RED, Flogo, Apache Nifi, S...
IoT Open Source Integration Comparison (Kura, Node-RED, Flogo, Apache Nifi, S...
 
Fine Grain Access Control for Big Data: ORC Column Encryption
Fine Grain Access Control for Big Data: ORC Column EncryptionFine Grain Access Control for Big Data: ORC Column Encryption
Fine Grain Access Control for Big Data: ORC Column Encryption
 
Hacking with the Raspberry Pi and Windows 10 IoT Core
Hacking with the Raspberry Pi and Windows 10 IoT CoreHacking with the Raspberry Pi and Windows 10 IoT Core
Hacking with the Raspberry Pi and Windows 10 IoT Core
 
Building a Lightweight Discovery Interface for Chinese Patents, Presented by ...
Building a Lightweight Discovery Interface for Chinese Patents, Presented by ...Building a Lightweight Discovery Interface for Chinese Patents, Presented by ...
Building a Lightweight Discovery Interface for Chinese Patents, Presented by ...
 
Logmatic at ElasticSearch November Paris meetup
Logmatic at ElasticSearch November Paris meetupLogmatic at ElasticSearch November Paris meetup
Logmatic at ElasticSearch November Paris meetup
 
AWS Webcast - Splunk and Autodesk
AWS Webcast - Splunk and AutodeskAWS Webcast - Splunk and Autodesk
AWS Webcast - Splunk and Autodesk
 
Using Enterprise Search at the city of Antibes
Using Enterprise Search at the city of AntibesUsing Enterprise Search at the city of Antibes
Using Enterprise Search at the city of Antibes
 
TIBCO Advanced Analytics Meetup (TAAM) - June 2015
TIBCO Advanced Analytics Meetup (TAAM) - June 2015TIBCO Advanced Analytics Meetup (TAAM) - June 2015
TIBCO Advanced Analytics Meetup (TAAM) - June 2015
 
Continuum Analytics and Python
Continuum Analytics and PythonContinuum Analytics and Python
Continuum Analytics and Python
 
Sharepoint 2013 applied architecture from the field (v2)
Sharepoint 2013 applied architecture from the field (v2)Sharepoint 2013 applied architecture from the field (v2)
Sharepoint 2013 applied architecture from the field (v2)
 
Elements of Connected Products
Elements of Connected ProductsElements of Connected Products
Elements of Connected Products
 

More from EQS Group

Blockchain: everyone wants to sell me that - but is that really right for my ...
Blockchain: everyone wants to sell me that - but is that really right for my ...Blockchain: everyone wants to sell me that - but is that really right for my ...
Blockchain: everyone wants to sell me that - but is that really right for my ...
EQS Group
 
Impact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A SecurityImpact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A Security
EQS Group
 
Mergers & Acquisitions security - (ISC)2 Secure Summit DACH
Mergers & Acquisitions security - (ISC)2 Secure Summit DACHMergers & Acquisitions security - (ISC)2 Secure Summit DACH
Mergers & Acquisitions security - (ISC)2 Secure Summit DACH
EQS Group
 
M&A security - E-crime Congress 2017
M&A security - E-crime Congress 2017M&A security - E-crime Congress 2017
M&A security - E-crime Congress 2017
EQS Group
 
313 – Security Challenges in Healthcare IoT - ME
313 – Security Challenges in Healthcare IoT - ME313 – Security Challenges in Healthcare IoT - ME
313 – Security Challenges in Healthcare IoT - ME
EQS Group
 
Achieving PCI-DSS compliance with network security implementations - April 2011
Architecting Security across global networks

  • 1. Confidentiality level C1 | 8 August 2011. Architecting Security across global networks. Presented by Marco Ermini, 8 August 2011
  • 2.–7. A huge topic: where to start? “Divide et impera”
      • This will not be about how to architect a network, or about network security in general - it is about network visibility.
      • You land in this complex company (or you acquire it) and you divide your tasks:
        1. Identify the networks
        2. Identify the challenges
        3. Identify the alternatives
  • 8. Architecting Security across global networks (agenda): Identify the networks; Identify the challenges; Identify the alternatives
  • 9.–13. Identify the networks
      • Network maps anyone?
  • 14.–29. Identify the networks
      • Asset DB anyone?
      • Examples of our Asset DB:
        – “OS”, “OS version number”, “support group”, “IP address” and “DB version” are free text fields
        – “OS”: circa 240 counted, without including the version number!
          Slide 18 shows the Solaris 10 entries alone: each distinct cs_os_name value with the count shown against it; the first entry also shows its cs_os_versionnumber value.
            SOLARIS 10 IDM-AP3-P | SOLARIS 10 9/10  (cs_os_versionnumber: 10 9/10 | 10 9/10)
            SOLARIS 10: 177
            SOLARIS 10 1/06: 820
            SOLARIS 10 10/08: 1413
            SOLARIS 10 10/08 | SOLARIS 10 10/08: 1
            SOLARIS 10 10/09: 1554
            SOLARIS 10 11/06: 2164
            SOLARIS 10 3/05: 35
            SOLARIS 10 5/08: 259
            SOLARIS 10 5/08 | SOLARIS 10 5/08: 3
            SOLARIS 10 5/09: 725
            SOLARIS 10 6/06: 278
            SOLARIS 10 8/07: 397
            SOLARIS 10 8/11: 3
            SOLARIS 10 9/10: 3442
            SOLARIS 10 IDM-AP3-P | SOLARIS 10 9/10: 1
            SOLARIS 10 X64: 10
            SUN SOLARIS 10: 4
        – “DB” and “Computers” counted as different entities
        – 80+ support groups (!!!) many of which clearly legacy or duplicated
        – No unique correspondence between Asset DB entry and physical reality
        – IP address field has space for only one entry (!!!)
        – No way to do an automatic import, therefore many departments don’t use it
        – It relies on a special tool to fetch the data, but the tool is not ubiquitous
        – Almost 35000 entries, but no one knows if the data is qualitatively relevant
        – No one is accountable for the data, only for the Asset DB tool in itself
      • There is a disconnection between who created and maintains the system, and the business objectives of it
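The slide-18 sample shows what free-text fields do to an inventory. As an added example (not from the presentation), the normaliser below takes those exact cs_os_name strings and the counts shown against them, collapses them onto (OS, major version, update release) keys and flags entries that carry pasted duplicates or a hostname typed into the OS field; the pattern covers only the Solaris spellings seen on the slide and reports anything else as unparsed.

```python
"""Normalise the free-text "OS" field of an asset database export.

Added example, not code from the presentation. The raw cs_os_name strings
and the figures against them are the Solaris 10 rows shown on slide 18;
the figures are read as the number of asset records carrying each string.
"""
import re
from collections import Counter

# Constructed from the slide-18 sample: (raw cs_os_name, record count).
RAW_OS_ROWS = [
    ("SOLARIS 10 IDM-AP3-P | SOLARIS 10 9/10", 1),
    ("SOLARIS 10", 177),
    ("SOLARIS 10 1/06", 820),
    ("SOLARIS 10 10/08", 1413),
    ("SOLARIS 10 10/08 | SOLARIS 10 10/08", 1),
    ("SOLARIS 10 10/09", 1554),
    ("SOLARIS 10 11/06", 2164),
    ("SOLARIS 10 3/05", 35),
    ("SOLARIS 10 5/08", 259),
    ("SOLARIS 10 5/08 | SOLARIS 10 5/08", 3),
    ("SOLARIS 10 5/09", 725),
    ("SOLARIS 10 6/06", 278),
    ("SOLARIS 10 8/07", 397),
    ("SOLARIS 10 8/11", 3),
    ("SOLARIS 10 9/10", 3442),
    ("SOLARIS 10 X64", 10),
    ("SUN SOLARIS 10", 4),
]

# One Solaris free-text variant: optional vendor, major version, optional
# "month/year" update release, optional architecture, then anything else
# (in practice junk such as a hostname typed into the OS field).
_SOLARIS_RE = re.compile(
    r"(?:SUN\s+)?SOLARIS\s+(?P<major>\d+)"
    r"(?:\s+(?P<release>\d{1,2}/\d{2}))?"
    r"(?:\s+(?P<arch>X64|X86|SPARC))?"
    r"(?:\s+(?P<junk>.+))?"
)


def parse_os(raw):
    """Map one free-text OS value to a normalised key plus quality flags.

    Returns {"key": (os, major, release), "flags": [...]}; release is None
    when the string names no update release.
    """
    flags = []
    # Operators sometimes paste two values separated by "|": split them.
    parts = [p.strip().upper() for p in raw.split("|") if p.strip()]
    if len(parts) > 1:
        flags.append("multi-value")
        if len(set(parts)) == 1:
            flags.append("duplicated-value")
    best = None  # the most specific (os, major, release) seen so far
    for part in dict.fromkeys(parts):  # dedupe, keep order
        m = _SOLARIS_RE.fullmatch(part)
        if not m:
            flags.append("unparsed:" + part)
            continue
        if m.group("junk"):
            flags.append("junk:" + m.group("junk"))
        key = ("Solaris", m.group("major"), m.group("release"))
        # Prefer a key that carries an update release over one that does not.
        if best is None or (best[2] is None and key[2] is not None):
            best = key
    if best is None:
        best = ("UNKNOWN", None, None)
    return {"key": best, "flags": flags}


def aggregate(rows):
    """Collapse (raw string, count) rows onto normalised keys."""
    totals = Counter()
    for raw, count in rows:
        totals[parse_os(raw)["key"]] += count
    return totals


def quality_report(rows):
    """Return the raw values that carry data-quality flags, with their flags."""
    report = []
    for raw, _ in rows:
        flags = parse_os(raw)["flags"]
        if flags:
            report.append((raw, flags))
    return report


if __name__ == "__main__":
    totals = aggregate(RAW_OS_ROWS)
    print(f"{len(RAW_OS_ROWS)} raw strings -> {len(totals)} normalised keys, "
          f"{sum(totals.values())} records")
    for key, n in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"  {key}: {n}")
    for raw, flags in quality_report(RAW_OS_ROWS):
        print(f"  FLAG {raw!r}: {', '.join(flags)}")
```

Running it shows 17 raw spellings collapsing to 12 release keys of a single OS, and the three rows that should never have passed input validation.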
  • 30.–33. Identify the networks
      • Which hosts are still used, which ones are legacy?
      • What is the usage of the hosts?
        – Which ones need to stay on the same subnets/logical networks?
        – Which ones need to be kept separated?
      • Which vulnerabilities do the hosts have?
        – Can you detect them?
        – Can you patch them?
  • 34.–40. How is the network planned?
      • Legacy not just in the hosts, also in the networks
      • Was there a policy when the network was planned?
        – Was the policy actually usable?
        – Did they use it?
      • Firewall based versus routing based
  • 41.–54. Firewall-based network
      • Pros (supposed…):
        – Each application/network is “separate”
        – Only allowed IP/port pairs can establish a session
        – Possible to implement precise change management for firewall requests
        – Possible to implement monitoring of connections
      • Cons (certain!):
        – Lots of firewalls are needed!
        – Rules just accumulate, and possibly duplicate, overlap and shadow each other
        – Lots of personnel/operational effort
        – Difficult to implement security/monitoring/compliance tools
        – Waste of IP addresses
        – Projects get bored and just ask for “allow all”
        – No real visibility!
        – No real security!
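To make the "rules accumulate, duplicate, overlap and shadow each other" point concrete, here is an added example (not the presentation's own material) that audits a small first-match rule base with Python's ipaddress module: it reports rules that can never match, rules made redundant by an earlier one, ordering-dependent overlaps, and the "allow all" a project asked for. Rule names, addresses and the rule set itself are constructed for illustration.

```python
"""Static check of an accumulated first-match firewall rule base.

Added example, not code from the presentation. The rule set is constructed
(private and RFC 5737 documentation ranges) to show how rules that pile up
end up duplicated, overlapping and shadowing each other, and how one
"allow all" defeats every rule placed below it.
"""
import ipaddress
from dataclasses import dataclass

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                  # "tcp", "udp", "icmp" or "any"
    ports: tuple                # inclusive (low, high) destination port range

    def covers(self, other):
        """Every packet matched by `other` is also matched by self."""
        return (other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.proto in ("any", other.proto)
                and self.ports[0] <= other.ports[0]
                and other.ports[1] <= self.ports[1])

    def intersects(self, other):
        """Some packet is matched by both rules."""
        return (self.src.overlaps(other.src)
                and self.dst.overlaps(other.dst)
                and ("any" in (self.proto, other.proto) or self.proto == other.proto)
                and self.ports[0] <= other.ports[1]
                and other.ports[0] <= self.ports[1])

    def is_allow_all(self):
        return (self.action == "allow" and self.src == ANY_NET
                and self.dst == ANY_NET and self.proto == "any"
                and self.ports == ANY_PORTS)


def rule(name, action, src, dst, proto="any", ports=ANY_PORTS):
    return Rule(name, action, ipaddress.ip_network(src),
                ipaddress.ip_network(dst), proto, ports)


def analyse(rules):
    """Return findings as (kind, rule, earlier rule or None), in rule order.

    shadowed  : covered by an earlier rule with the opposite action, so the
                intent is silently lost
    redundant : covered by an earlier rule with the same action (dead weight)
    conflict  : partial overlap with an earlier rule of the opposite action,
                so the outcome depends purely on ordering
    allow-all : any/any/any accept, which makes everything below it moot
    """
    findings = []
    for j, later in enumerate(rules):
        if later.is_allow_all():
            findings.append(("allow-all", later.name, None))
        covering = next((e for e in rules[:j] if e.covers(later)), None)
        if covering is not None:
            kind = "redundant" if covering.action == later.action else "shadowed"
            findings.append((kind, later.name, covering.name))
            continue  # never matches anything, so overlaps are irrelevant
        for earlier in rules[:j]:
            if earlier.action != later.action and earlier.intersects(later):
                findings.append(("conflict", later.name, earlier.name))
    return findings


# Constructed rule base, in the order the firewall evaluates it.
RULES = [
    rule("r1-web-in", "allow", "0.0.0.0/0", "10.10.1.0/24", "tcp", (443, 443)),
    rule("r2-mgmt-ssh", "allow", "10.0.0.0/8", "10.10.1.0/24", "tcp", (22, 22)),
    # Meant to keep a legacy site off SSH, but r2 already allows all of 10/8.
    rule("r3-block-legacy", "deny", "10.20.0.0/16", "10.10.1.0/24", "tcp", (22, 22)),
    # A second project asked for HTTPS that r1 already grants.
    rule("r4-web-dup", "allow", "192.0.2.0/24", "10.10.1.0/24", "tcp", (443, 443)),
    rule("r5-deny-lowports", "deny", "10.0.0.0/8", "10.10.2.0/24", "tcp", (1, 1024)),
    # Overlaps r5 on 10.10.2.0/24 ports 80-1024 with the opposite action.
    rule("r6-app-out", "allow", "10.30.0.0/16", "10.10.0.0/16", "tcp", (80, 8080)),
    # "Just make it work": the project that asked for allow all.
    rule("r7-project-x", "allow", "0.0.0.0/0", "0.0.0.0/0"),
    # Added after r7, so it can never take effect.
    rule("r8-db-deny", "deny", "10.10.1.0/24", "10.10.2.0/24", "tcp", (1521, 1521)),
]

if __name__ == "__main__":
    for kind, name, other in analyse(RULES):
        print(f"{kind:9} {name}" + (f"  (by {other})" if other else ""))
```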
  • 55. Confidentiality level C1 | 8 August 201155 Architecti ng Security across global networks Identify the networks Identify the challenges Identify the alternatives
  • 56. Confidentiality level C1 | 8 August 201156 No real visibility
  • 57. Confidentiality level C1 | 8 August 201157 No real visibility • You cannot really enforce protocols on the firewalls
  • 58. Confidentiality level C1 | 8 August 201158 No real visibility • You cannot really enforce protocols on the firewalls • You cannot possibly TAP all of these interfaces
  • 59. Confidentiality level C1 | 8 August 201159 No real visibility • You cannot really enforce protocols on the firewalls • You cannot possibly TAP all of these interfaces • Even if you TAP them, they will bypass you
  • 60. Confidentiality level C1 | 8 August 201160 No real visibility • You cannot really enforce protocols on the firewalls • You cannot possibly TAP all of these interfaces • Even if you TAP them, they will bypass you • Projects tend to skip the processes if they are too complex
  • 61. Confidentiality level C1 | 8 August 201161 No real visibility • You cannot really enforce protocols on the firewalls • You cannot possibly TAP all of these interfaces • Even if you TAP them, they will bypass you • Projects tend to skip the processes if they are too complex • When NAT/NATP is used, it becomes complex to understand real sources and destinations
  • 62. Confidentiality level C1 | 8 August 201162 No real security
  • 63. Confidentiality level C1 | 8 August 201163 No real security • You will have to choose what to protect and what not
  • 64. Confidentiality level C1 | 8 August 201164 No real security • You will have to choose what to protect and what not • Often reduced to only “perimeter defence”
  • 65. Confidentiality level C1 | 8 August 201165 No real security • You will have to choose what to protect and what not • Often reduced to only “perimeter defence” • Projects will tend to bypass monitored points seeking for simplicity in deployment
  • 66. Confidentiality level C1 | 8 August 201166 No real security • You will have to choose what to protect and what not • Often reduced to only “perimeter defence” • Projects will tend to bypass monitored points seeking for simplicity in deployment • If you enable logging on big pipes, you will get huge amount of data
  • 67. Confidentiality level C1 | 8 August 201167 No real security • You will have to choose what to protect and what not • Often reduced to only “perimeter defence” • Projects will tend to bypass monitored points seeking for simplicity in deployment • If you enable logging on big pipes, you will get huge amount of data • Firewalls tends to become congestion points
  • 68. Confidentiality level C1 | 8 August 201168 No real security • You will have to choose what to protect and what not • Often reduced to only “perimeter defence” • Projects will tend to bypass monitored points seeking for simplicity in deployment • If you enable logging on big pipes, you will get huge amount of data • Firewalls tends to become congestion points • Subject to DoS attacks
  • 69. Confidentiality level C1 | 8 August 201169 No real security • You will have to choose what to protect and what not • Often reduced to only “perimeter defence” • Projects will tend to bypass monitored points seeking for simplicity in deployment • If you enable logging on big pipes, you will get huge amount of data • Firewalls tends to become congestion points • Subject to DoS attacks • Often traffic spoofing is disabled – firewall used as routers
  • 70. Confidentiality level C1 | 8 August 201170 No real security • You will have to choose what to protect and what not • Often reduced to only “perimeter defence” • Projects will tend to bypass monitored points seeking for simplicity in deployment • If you enable logging on big pipes, you will get huge amount of data • Firewalls tends to become congestion points • Subject to DoS attacks • Often traffic spoofing is disabled – firewall used as routers • Does not understand OSI Layer 4 and above
  • 71. Confidentiality level C1 | 8 August 201171 No real security • You will have to choose what to protect and what not • Often reduced to only “perimeter defence” • Projects will tend to bypass monitored points seeking for simplicity in deployment • If you enable logging on big pipes, you will get huge amount of data • Firewalls tends to become congestion points • Subject to DoS attacks • Often traffic spoofing is disabled – firewall used as routers • Does not understand OSI Layer 4 and above • End to end encryption takes out the usefulness of the firewall
  • 72. Confidentiality level C1 | 8 August 201172 No real security • You will have to choose what to protect and what not • Often reduced to only “perimeter defence” • Projects will tend to bypass monitored points seeking for simplicity in deployment • If you enable logging on big pipes, you will get huge amount of data • Firewalls tends to become congestion points • Subject to DoS attacks • Often traffic spoofing is disabled – firewall used as routers • Does not understand OSI Layer 4 and above • End to end encryption takes out the usefulness of the firewall • Network borders are blurred
  • 73. Confidentiality level C1 | 8 August 201173 No real security • You will have to choose what to protect and what not • Often reduced to only “perimeter defence” • Projects will tend to bypass monitored points seeking for simplicity in deployment • If you enable logging on big pipes, you will get huge amount of data • Firewalls tends to become congestion points • Subject to DoS attacks • Often traffic spoofing is disabled – firewall used as routers • Does not understand OSI Layer 4 and above • End to end encryption takes out the usefulness of the firewall • Network borders are blurred • Lacking proper access control mechanisms
  • 74. Confidentiality level C1 | 8 August 201174 Architecti ng Security across global networks Identify the networks Identify the challenges Identify the alternatives
  • 75. Confidentiality level C1 | 8 August 201175 Different security policy
  • 76. Confidentiality level C1 | 8 August 201176 Different security policy • Divide the network into sensitivity zones
  • 77. Confidentiality level C1 | 8 August 201177 Different security policy • Divide the network into sensitivity zones – Front ends, back ends, “crown jewels” area, office LAN access, Guest access, etc.
  • 78. Confidentiality level C1 | 8 August 201178 Different security policy • Divide the network into sensitivity zones – Front ends, back ends, “crown jewels” area, office LAN access, Guest access, etc. • Simplify the requirements
  • 79. Confidentiality level C1 | 8 August 201179 Different security policy • Divide the network into sensitivity zones – Front ends, back ends, “crown jewels” area, office LAN access, Guest access, etc. • Simplify the requirements – Identify what is really important and what can be “drawn together”
  • 80. Confidentiality level C1 | 8 August 201180 Different security policy • Divide the network into sensitivity zones – Front ends, back ends, “crown jewels” area, office LAN access, Guest access, etc. • Simplify the requirements – Identify what is really important and what can be “drawn together” • Take the responsibility and accountability for simplification
  • 81. Confidentiality level C1 | 8 August 201181 Different security policy • Divide the network into sensitivity zones – Front ends, back ends, “crown jewels” area, office LAN access, Guest access, etc. • Simplify the requirements – Identify what is really important and what can be “drawn together” • Take the responsibility and accountability for simplification • Secure the end point too!
  • 82. Confidentiality level C1 | 8 August 201182 Different security policy • Divide the network into sensitivity zones – Front ends, back ends, “crown jewels” area, office LAN access, Guest access, etc. • Simplify the requirements – Identify what is really important and what can be “drawn together” • Take the responsibility and accountability for simplification • Secure the end point too! • Employ better tools for network monitoring
  • 83. Confidentiality level C1 | 8 August 201183 Different security policy • Divide the network into sensitivity zones – Front ends, back ends, “crown jewels” area, office LAN access, Guest access, etc. • Simplify the requirements – Identify what is really important and what can be “drawn together” • Take the responsibility and accountability for simplification • Secure the end point too! • Employ better tools for network monitoring – Database Activity Monitoring, Web Application Firewall, Network Forensics tools, etc.
  • 84. Confidentiality level C1 | 8 August 201184 Different security policy • Divide the network into sensitivity zones – Front ends, back ends, “crown jewels” area, office LAN access, Guest access, etc. • Simplify the requirements – Identify what is really important and what can be “drawn together” • Take the responsibility and accountability for simplification • Secure the end point too! • Employ better tools for network monitoring – Database Activity Monitoring, Web Application Firewall, Network Forensics tools, etc. – Application-aware tools – Next Generation Firewalls
  • 85. Confidentiality level C1 | 8 August 201185 Different security policy • Divide the network into sensitivity zones – Front ends, back ends, “crown jewels” area, office LAN access, Guest access, etc. • Simplify the requirements – Identify what is really important and what can be “drawn together” • Take the responsibility and accountability for simplification • Secure the end point too! • Employ better tools for network monitoring – Database Activity Monitoring, Web Application Firewall, Network Forensics tools, etc. – Application-aware tools – Next Generation Firewalls – Select and slice the data that you want to analyse – in real time!
  • 86. Confidentiality level C1 | 8 August 201186 Different security policy • Divide the network into sensitivity zones – Front ends, back ends, “crown jewels” area, office LAN access, Guest access, etc. • Simplify the requirements – Identify what is really important and what can be “drawn together” • Take the responsibility and accountability for simplification • Secure the end point too! • Employ better tools for network monitoring – Database Activity Monitoring, Web Application Firewall, Network Forensics tools, etc. – Application-aware tools – Next Generation Firewalls – Select and slice the data that you want to analyse – in real time! – Identify to which user a traffic belongs to
  • 87. Confidentiality level C1 | 8 August 201187 Different security policy • Divide the network into sensitivity zones – Front ends, back ends, “crown jewels” area, office LAN access, Guest access, etc. • Simplify the requirements – Identify what is really important and what can be “drawn together” • Take the responsibility and accountability for simplification • Secure the end point too! • Employ better tools for network monitoring – Database Activity Monitoring, Web Application Firewall, Network Forensics tools, etc. – Application-aware tools – Next Generation Firewalls – Select and slice the data that you want to analyse – in real time! – Identify to which user a traffic belongs to – Deal with encryption
  • 88. Confidentiality level C1 | 8 August 201188 Different security policy • Divide the network into sensitivity zones – Front ends, back ends, “crown jewels” area, office LAN access, Guest access, etc. • Simplify the requirements – Identify what is really important and what can be “drawn together” • Take the responsibility and accountability for simplification • Secure the end point too! • Employ better tools for network monitoring – Database Activity Monitoring, Web Application Firewall, Network Forensics tools, etc. – Application-aware tools – Next Generation Firewalls – Select and slice the data that you want to analyse – in real time! – Identify to which user a traffic belongs to – Deal with encryption – Keep a forensic registration of the traffic – you may need it!
  • 89. Confidentiality level C1 | 8 August 201189 Different security policy • Divide the network into sensitivity zones – Front ends, back ends, “crown jewels” area, office LAN access, Guest access, etc. • Simplify the requirements – Identify what is really important and what can be “drawn together” • Take the responsibility and accountability for simplification • Secure the end point too! • Employ better tools for network monitoring – Database Activity Monitoring, Web Application Firewall, Network Forensics tools, etc. – Application-aware tools – Next Generation Firewalls – Select and slice the data that you want to analyse – in real time! – Identify to which user a traffic belongs to – Deal with encryption – Keep a forensic registration of the traffic – you may need it! – Produce NetFlow/PCAPs for SIEM tools
• 90-133. Example of simplified network segregation (diagram built up across these slides)
  • Traffic flows for delivered applications
    – Internet application to allow customers’ self-service provisioning
    – Outsourced management of the office LAN to a third party
    – Mobile customers on a dedicated APN, accessing a mobile management platform
  • Security points of control
    – Next Generation Firewalls/IPSes
    – Web Application Firewalls/DoS protection
    – Session registration
    – NAC
    – Database Activity Monitoring
    – Vulnerability scanners
    – Two-factor authentication
    – Captive portal
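The slides above describe the policy as zones plus a short list of permitted flows, and earlier slides ask for NetFlow/PCAP to be fed to the SIEM. The following is an added example, not code from the deck or its author, showing what that looks like once the zone matrix is written down and checked against flow records: each flow is mapped to a source and destination zone by longest-prefix match and then compared with the allowed (zone, zone, port) combinations. All address ranges, ports, zone boundaries and the flow records are constructed for the example; only the zone names and the three application flows come from the slides.

```python
"""Zone-matrix check over NetFlow-style records (added example, not from the deck).

Everything here is constructed: zone names follow the slides, but the address
ranges, allowed flows, ports and flow records are hypothetical.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical sensitivity zones. "internet" is the /0 catch-all and loses to
# any more specific prefix in zone_of().
ZONES = {
    "internet":     ["0.0.0.0/0"],
    "frontend":     ["10.10.0.0/24"],    # customer-facing web tier
    "backend":      ["10.20.0.0/24"],    # application tier
    "crown_jewels": ["10.30.0.0/24"],    # databases, the DAM-watched area
    "office_lan":   ["10.40.0.0/16"],
    "guest":        ["10.50.0.0/24"],
    "third_party":  ["203.0.113.0/24"],  # outsourced LAN-management provider
    "apn":          ["10.60.0.0/16"],    # dedicated mobile APN
    "mobile_mgmt":  ["10.70.0.0/24"],    # mobile management platform
}
_NETS = [(name, ipaddress.ip_network(p)) for name, prefixes in ZONES.items() for p in prefixes]

# The simplified policy: which zone may talk to which, and on which ports.
# Anything not listed is a finding. Derived from the three flows on the slide.
ALLOWED = {
    ("internet", "frontend"):      {443},      # self-service provisioning portal
    ("frontend", "backend"):       {8443},
    ("backend", "crown_jewels"):   {1521},     # only the app tier reaches the DB
    ("third_party", "office_lan"): {22, 161},  # SSH and SNMP for the outsourcer
    ("apn", "mobile_mgmt"):        {443},
    ("office_lan", "frontend"):    {443},
    ("guest", "internet"):         {80, 443},
}

@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    octets: int

def parse_flow(line: str) -> Flow:
    """Hypothetical exporter format: ts,src_ip,dst_ip,proto,dst_port,bytes."""
    ts, src, dst, proto, dport, octets = [f.strip() for f in line.split(",")]
    return Flow(ts, src, dst, proto, int(dport), int(octets))

def zone_of(ip: str) -> str:
    """Longest-prefix match of an address onto the zone table."""
    addr = ipaddress.ip_address(ip)
    best, best_len = "unknown", -1
    for name, net in _NETS:
        if addr in net and net.prefixlen > best_len:
            best, best_len = name, net.prefixlen
    return best

def evaluate(flow: Flow) -> dict:
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    ports = ALLOWED.get((sz, dz))
    if sz == dz:
        verdict = "intra-zone"   # segregation says nothing here; host controls do
    elif ports and flow.dport in ports:
        verdict = "allowed"
    elif ports:
        verdict = "wrong-port"   # permitted path, unexpected service (RDP where SSH was agreed)
    else:
        verdict = "violation"    # a path the matrix never granted
    return {"src_zone": sz, "dst_zone": dz, "verdict": verdict, "flow": flow}

def audit(lines) -> list:
    """Return only the records an analyst (or the SIEM) needs to see."""
    flows = [parse_flow(l) for l in lines if l.strip() and not l.startswith("#")]
    return [r for r in map(evaluate, flows) if r["verdict"] not in ("allowed", "intra-zone")]

# Constructed flow records: the legitimate paths plus four flows a flat
# network would have let through silently.
SAMPLE_FLOWS = """\
# ts,src_ip,dst_ip,proto,dst_port,bytes
2011-08-08T09:00:01Z,198.51.100.7,10.10.0.5,tcp,443,5120
2011-08-08T09:00:02Z,10.10.0.5,10.20.0.9,tcp,8443,2048
2011-08-08T09:00:03Z,10.20.0.9,10.30.0.3,tcp,1521,8192
2011-08-08T09:00:04Z,198.51.100.7,10.20.0.9,tcp,8443,900
2011-08-08T09:00:05Z,10.50.0.21,10.30.0.3,tcp,1521,64
2011-08-08T09:00:06Z,203.0.113.10,10.40.12.7,tcp,3389,4096
2011-08-08T09:00:07Z,10.60.4.2,10.70.0.8,tcp,443,1200
2011-08-08T09:00:08Z,10.60.4.2,10.30.0.3,tcp,1521,300
""".splitlines()

if __name__ == "__main__":
    for r in audit(SAMPLE_FLOWS):
        f = r["flow"]
        print(f"{f.ts} {f.src:>14} -> {f.dst:<12}:{f.dport:<5} "
              f"{r['src_zone']}->{r['dst_zone']} {r['verdict']}")
```

The point of the three-way verdict is operational: a "violation" is a path the design never granted (the Internet reaching the back end directly, a guest or APN address touching the database) and is worth an alert on its own; a "wrong-port" is a sanctioned relationship being used for an unexpected service and usually means a change nobody wrote down. The same matrix can be rendered as firewall rules, so the check also tells you whether the firewalls actually enforce the policy you think they do.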
• 134-136. Multiple applications deployment – old approach (diagram only)
• 137-139. Multiple applications deployment – new policy (diagram only)
• 140-143. Security Monitoring with the new policy (diagram only)
• 144-151. Next evolution?
  • Fabric path interception
    – Packets are routed and switched only on the main switching/routing instance
    – There is no switching or routing happening on the access switch
    – Capacity can scale to 768 x 10 Gb/sec ports
    – However, real throughput depends on the fabric connectors (generally 40 Gb/sec)
  • Could we do that?
• 152-162. Next evolution?
  • Interchangeable 1 and 10 Gb/sec ports
  • 10 Gb/sec iBypass HD
  • Chassis-based bypass/load balancer
  • Programmable bypass or TAP
  • Higher port density xBalancer
  • Real application detection on the xBalancer/Director Pro
  • “Passive checks” for tool failures
  • Correlation of sources/destinations/NAC tokens with real users (AD accounts)
  • Common distributed management for bypasses, TAPs, etc.
  • APIs and connections with SIEM tools
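Two items in this deck depend on the same piece of plumbing: "session registration" as a point of control in the segregation example, and the correlation of sources/destinations/NAC tokens with real AD accounts listed above. The following is an added example, not code from the deck or from any NAC or SIEM vendor, showing the part that is easy to get wrong: attribution must be bounded in time, because addresses are recycled, and an address with two simultaneous owners must surface as a finding instead of being guessed. The export format, accounts, tokens and addresses are all constructed for the example.

```python
"""Time-aware attribution of a source address to an AD account (added example).

Constructed: the NAC export format, accounts, tokens and addresses are
hypothetical, not the output of any specific NAC or SIEM product.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

@dataclass(frozen=True)
class Session:
    start: datetime
    end: Optional[datetime]   # None: still open when the export was taken
    ip: str
    account: str              # AD account as recorded by the NAC at logon
    token: str                # NAC / 802.1X session identifier

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_sessions(lines) -> List[Session]:
    """Hypothetical export format: start,end,ip,account,token (end empty if open)."""
    out = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        start, end, ip, account, token = [f.strip() for f in line.split(",")]
        out.append(Session(_ts(start), _ts(end) if end else None, ip, account, token))
    return out

def owners(sessions, ip: str, at) -> List[Session]:
    """All sessions that held `ip` at instant `at` (normally zero or one)."""
    at = _ts(at) if isinstance(at, str) else at
    return [s for s in sessions
            if s.ip == ip and s.start <= at and (s.end is None or at < s.end)]

def attribute(sessions, ip: str, at) -> Optional[Session]:
    """The single owner of `ip` at `at`, or None if nobody was registered.

    Matching on IP alone is the classic mistake: DHCP and NAC recycle
    addresses, so yesterday's traffic would be pinned on today's user.
    Two simultaneous owners means a duplicate/spoofed address or a broken
    export, and is raised rather than guessed.
    """
    found = owners(sessions, ip, at)
    if len(found) > 1:
        raise ValueError(f"ambiguous owner of {ip}: " + ", ".join(s.token for s in found))
    return found[0] if found else None

def enrich(sessions, flows) -> list:
    """flows: (ts, src_ip, dst_ip, dst_port). Adds account/token to each flow;
    unattributed flows are kept and labelled so the SIEM can alert on them too."""
    rows = []
    for ts, src, dst, dport in flows:
        s = attribute(sessions, src, ts)
        rows.append({"ts": ts, "src": src, "dst": dst, "dport": dport,
                     "account": s.account if s else "UNATTRIBUTED",
                     "token": s.token if s else None})
    return rows

# Constructed NAC export: 10.40.12.7 is handed to a second user after a gap.
NAC_EXPORT = """\
# start,end,ip,account,token
2011-08-08T08:00:00Z,2011-08-08T09:30:00Z,10.40.12.7,jdoe,sess-0001
2011-08-08T09:45:00Z,,10.40.12.7,asmith,sess-0002
2011-08-08T08:10:00Z,2011-08-08T17:00:00Z,10.40.12.8,bwong,sess-0003
""".splitlines()

# Constructed flows towards the crown-jewels database, all from the office LAN.
FLOWS = [
    ("2011-08-08T09:00:00Z", "10.40.12.7", "10.30.0.3", 1521),  # inside jdoe's session
    ("2011-08-08T09:40:00Z", "10.40.12.7", "10.30.0.3", 1521),  # between the two sessions
    ("2011-08-08T10:00:00Z", "10.40.12.7", "10.30.0.3", 1521),  # asmith's still-open session
    ("2011-08-08T10:00:00Z", "10.40.99.9", "10.30.0.3", 1521),  # never registered at all
]

if __name__ == "__main__":
    for row in enrich(parse_sessions(NAC_EXPORT), FLOWS):
        print(f"{row['ts']} {row['src']:<12} -> {row['dst']}:{row['dport']}  {row['account']}")
```

Keeping the NAC session token on the enriched record, not just the account name, is what makes the forensic trail hold up later: the token ties the flow back to the specific authentication event, so a disputed attribution can be re-checked against the NAC's own logs rather than against a name that may have owned several addresses that day. The "UNATTRIBUTED" rows are deliberately not dropped; a host reaching the database from an address no NAC session ever registered is itself a segregation finding.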
• 164. Thank you