This document provides an overview of network security architectures and firewalls. It discusses challenges with current firewall models and compliance-focused approaches. Recommendations include establishing an information classification matrix to design network segmentation, focusing on containment and monitoring over rules, and integrating security into the overall enterprise architecture using frameworks like OSA and SABSA. References are provided for additional information on these topics.
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!
1. Beware the Firewall, My Son! The Jaws That Bite, The Claws That Catch!*
*With apologies to Lewis Carroll
2. Who Am I?
• Michele Chubirka, aka Mrs. Y.
• Senior security architect.
• Blogs and hosts Healthy Paranoia, information security podcast channel of Packetpushers.
• Researches and pontificates on topics such as security architecture and best practices.
3. Discussion Points
• Firewall State of the Union
• Current Design Models
• Challenges
• Security Vs. Compliance
• Recommendations
5. Recent Findings
According to Trustwave’s 2012 Global Security Report:
• Customer records make up 89% of breached data investigated.
• The most common password used by organizations is “Password1” because it satisfies the default Microsoft Active Directory complexity setting.
• Anti-virus detected less than 12% of malware samples collected during 2011 investigations.
• SANS Institute declared the “death of AV.”
6. Findings Con’t
Only 16% of compromises were self-detected and attackers had an average of 173.5 days before detection.
7. Verizon Data Breach Report 2013
“WHEN YOU CONSIDER THE METHODS USED BY ATTACKERS TO GAIN A FOOTHOLD IN ORGANIZATIONS—BRUTE FORCE, STOLEN CREDS, PHISHING, TAMPERING—IT’S REALLY NOT ALL THAT SURPRISING THAT NONE RECEIVE THE HIGHLY DIFFICULT RATING. WOULD YOU FIRE A GUIDED MISSILE AT AN UNLOCKED SCREEN DOOR?”
“…three-quarters of breaches are of low or very low difficulty for initial compromise, and the rest land in the moderate category.”
8. Verizon Data Breach Report 2013
Figure 43: Percent of breaches discovered external to victim
Year:     <2008   2008   2009   2010   2011   2012
Percent:    75%    69%    61%    86%    92%    69%
Figure 42: Percent of breaches that remain undiscovered for months or more
Year:     <2008   2008   2009   2010   2011   2012
Percent:    67%    55%    44%    41%    55%    66%
9. Verizon Data Breach Report 2013
[Figure 41: Timespan of events (Overall). Chart of the time from first action to Compromise (n=180), Exfiltration (n=39), Discovery (n=221) and Containment (n=49), bucketed as Seconds, Minutes, Hours, Days, Weeks, Months, Years; series: Financial, Espionage, Other. Per-bucket percentages not reproduced.]
10. High Profile Attacks
• Major news media organizations compromised.
• DDoS attacks against financial institutions.
• Breach of processor Global Payments went undetected for over a year with 7 million accounts compromised.
• Prominent defense contractors penetrated via information stolen from RSA Security.
Do you think they had firewalls?
11. Why Do We Use Firewalls?
• Infosec design “best practice.”
• Because compliance rules and auditors say so.
• To protect applications, servers and user systems from attacks.
• FUD
12. Why Do We Still Use Firewalls?
• According to Infoworld’s Roger Grimes, they “…need to go away.”
• Most attacks are client-side (http and https) and can bypass the firewall rules.
• Network choke-points.
• Rules are a mess, often breaking access.
• Management is difficult, at best.
• More of a problem than a solution.
13. April Fool’s RFC 3514
Firewalls [CBR03], packet filters, intrusion detection systems, and the like often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual. The problem is that making such determinations is hard. To solve this problem, we define a security flag, known as the "evil" bit, in the IPv4 [RFC791] header.
14. April Fool’s RFC 3093
We propose the Firewall Enhancement Protocol (FEP).… Our methodology is to layer any application layer Transmission Control Protocol/User Datagram Protocol (TCP/UDP) packets over the HyperText Transfer Protocol (HTTP) protocol, since HTTP packets are typically able to transit Firewalls. … FEP allows the best of both worlds: the security of a firewall, and transparent tunneling through the firewall.
16. Definitions
Defense-in-depth
According to the Committee on National Security Systems Instruction No. 4009, National Information Assurance Glossary, it is defined as:
IA [information assurance] strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of networks.
18. Definitions Con’t
Firewall
From The Oxford American Dictionary:
A wall or partition designed to inhibit or prevent the spread of fire. Any barrier that is intended to thwart the spread of a destructive agent.
A firewall does not prevent a fire.
19. So rested she by the DMZ, And stood awhile in thought.
21. Typical Network Security Segmentation
• INET : Public facing, the internet.
• CORP : Corporate network, aka the user community.
• DATA : Database segment, might be subdivided into PCI and non-PCI.
• APP : Application segment, might be subdivided into PCI and non-PCI.
• DMZ : Anything requiring public access; web front-ends, mail, DNS, might be subdivided into PCI and non-PCI segments.
• MGMT : Management segment providing access between user/corp and production segments.
• BKUP : Backup network.
22. Typical Data Classification
• Routine: Information not presenting a risk to the business if it were compromised. The lowest degree of protection.
• Confidential: Information not of value to an attacker, but it might provide information that could be useful in an attack.
• Business-Critical: Data containing details about how the organization operates its business. Could affect the organization's competitive advantage or have a financial impact if it were compromised.
• Private: Private data is information that the organization is required to keep secure, either by regulation or to maintain the confidence of its customers. This data is the most secure information on the network.
24. And, as in uffish thought she stood, The firewall, with eyes of flame,
25. The Challenge
• A Network Security team is responsible for managing the technical or logical controls for accessing data.
• They are data custodians for the data owners.
• The challenge is to ensure that they closely align the network security segmentation design with an information classification matrix.
27. Security Vs. Compliance
• Adherence to PCI-DSS, SOX, HIPAA or any other compliance standard does not equate to organizational security.
• Compliance is conformance to a standard dictated by a governing body.
28. Definitions
• Compliance - the act of conforming, acquiescing, or yielding. A tendency to yield readily to others, especially in a weak and subservient way. Conformity; accordance: in compliance with orders. Cooperation or obedience.
• Security - freedom from danger, risk, etc.; safety. Freedom from care, anxiety, or doubt; well-founded confidence. Something that secures or makes safe; protection; defense. Precautions taken to guard against crime, attack, sabotage, espionage, etc.
From The American Heritage Dictionary
31. One, two! One, two! And through and through
The vorpal blade went snicker-snack!
32. Information Classification Best Practices
• Data represents the digital assets of a company.
• Different data has varying levels of value, organized according to sensitivity to loss, disclosure, or unavailability.
• Data is segmented according to level, then security controls are applied.
• An information classification matrix represents the foundation of a security design.
For additional information, see “Understanding Data Classification Based On Business and Security Requirements” by Rafael Etges and Karen McNeil
33. Implementing Good Network Segmentation: Phase One
1. Establish a new network segmentation model, based upon some of the existing or implicit standards from your security team.
2. Verify that this will meet current compliance needs, proactively.
3. Document this fully and get sign off, so that there is an agreed upon model or standard for all divisions.
4. Build new systems and networks on this design, migrating legacy systems where possible with minimal impact to customers and when required for compliance.
34. Implementing Good Network Segmentation: Phase Two
1. Build a business and service technical catalog, then a full data classification matrix.
2. Develop the next generation of network segmentation based upon the data classification matrix.
3. Document this fully, so that there is an agreed upon model or standard.
Implementation of phase one will make phase two feasible.
The goal is a thoughtful design that meets the needs of all customers and divisions within an organization.
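Added worked example (not code from the deck): the two phases above come down to writing the classification matrix as data and checking every system's placement against it. The classification levels and segment names are the ones on slides 21 and 22; the trust ranking of the segments, the minimum-segment policy per level, and the asset inventory are assumptions constructed for this illustration.

```python
"""Check a network segmentation design against an information classification
matrix. Added illustration, not code from the presentation: the classification
levels and segment names are the ones on the slides; the trust ranking, the
minimum-segment policy and the asset inventory are constructed assumptions."""
from dataclasses import dataclass

# Classification levels from the deck, least to most sensitive.
LEVELS = ["Routine", "Confidential", "Business-Critical", "Private"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Segments from the deck with an assumed trust rank (0 = least trusted).
SEGMENT_TRUST = {
    "INET": 0, "DMZ": 1, "CORP": 2, "APP": 3, "MGMT": 3, "BKUP": 4, "DATA": 4,
}

# Assumed classification matrix: the minimum segment trust at which data of
# each level may be stored. Private data only lives in the most protected segments.
MIN_TRUST = {"Routine": 1, "Confidential": 2, "Business-Critical": 3, "Private": 4}


@dataclass(frozen=True)
class Asset:
    name: str
    segment: str
    data_levels: tuple  # classification levels of the data this asset holds


def highest_level(levels):
    """The most sensitive classification among the levels an asset holds."""
    return max(levels, key=RANK.__getitem__)


def allowed_segments(levels):
    """Segments in which an asset holding this data may be built, lowest trust first."""
    need = MIN_TRUST[highest_level(levels)]
    ordered = sorted(SEGMENT_TRUST.items(), key=lambda kv: (kv[1], kv[0]))
    return [seg for seg, trust in ordered if trust >= need]


def audit_placement(inventory):
    """Flag assets whose segment is too weakly trusted for the data they hold.

    Returns tuples of (asset name, highest level, current segment, allowed segments)."""
    findings = []
    for asset in inventory:
        level = highest_level(asset.data_levels)
        if SEGMENT_TRUST[asset.segment] < MIN_TRUST[level]:
            findings.append((asset.name, level, asset.segment,
                             allowed_segments(asset.data_levels)))
    return findings


# Constructed sample inventory (hypothetical systems, not from the deck).
INVENTORY = [
    Asset("www-front-end", "DMZ", ("Routine",)),
    Asset("mail-relay", "DMZ", ("Confidential",)),
    Asset("erp-app", "APP", ("Business-Critical",)),
    Asset("cardholder-db", "APP", ("Business-Critical", "Private")),
    Asset("hr-file-share", "CORP", ("Private",)),
]

if __name__ == "__main__":
    for name, level, segment, allowed in audit_placement(INVENTORY):
        print(f"{name}: holds {level} data in {segment}; "
              f"allowed segments: {', '.join(allowed)}")
```

Run as-is it reports three misplaced systems; the same `allowed_segments` lookup answers the phase-one question of where a new system belongs before it is built, and the matrix and trust ranking are the only two tables that need sign-off to make the check repeatable across divisions.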
35. She left it dead, and with its NAT
policy, she went galumphing back.
36. Operational Security To Do List
• Focus on containment.
• Improve standardization and documentation.
• Gather metrics.
• Event monitoring (and no, that doesn’t mean
email alerts).
• Consolidate when possible.
• Consistently audit access.
• Emphasize a proactive over reactive posture.
37. The Goal: Enterprise Security Architecture
• Integration of security into the enterprise architecture.
• Design driven by business needs.
• Built in, not bolted on.
• Utilize frameworks or models such as:
OSA (Open Security Architecture)
SABSA (Sherwood Applied Business Security Architecture)
38. OSA Design Principles
The design artifacts that describe how the security controls (= security countermeasures) are positioned, and how they relate to the overall IT Architecture.
40. A New and Improved DMZ Sandwich
[Diagram: OSA pattern SP-016 DMZ Module. Traffic from the untrusted public network (e.g. Internet) passes an External Firewall (default rule: DENY ALL; enable specific ports and IP addresses/ranges; stateful inspection) into the DMZ, which holds a Bastion Host, DNS, IDS/IPS and Proxy/Gateway/Web (minimal services, hardened configuration, management/monitoring by separate network interfaces/VLAN), split into External Services and Internal Services, then an Internal Firewall (default rule: DENY ALL; enable specific ports and IP addresses; stateful inspection and DoS protection; load balance/high availability) in front of the trusted network (e.g. CorpNet). Actor: Security Operations, responsible for configuration of the environment and for monitoring and response to emerging threats.]
Controls referenced in the pattern: AC-04 Information Flow Enforcement, AC-06 Least Privilege, AC-07 Unsuccessful Login Attempts, AC-12 Session Termination, AU-02 Auditable Events, AU-03 Content Of Audit Records, AU-04 Audit Storage Capacity, AU-05 Response To Audit Processing Failures, AU-06 Audit Monitoring, Analysis, And Repor.., AU-07 Audit Reduction And Report Generation, AU-08 Time Stamps, AU-09 Protection Of Audit Information, AU-10 Non-Repudiation, AU-11 Audit Record Retention, CA-03 Information System Connections, CA-04 Security Certification, CA-05 Plan Of Action And Milestones, CM-07 Least Functionality, RA-05 Vulnerability Scanning, SC-05 Denial Of Service Protection, SC-07 Boundary Protection, SC-10 Network Disconnect, SC-20 Secure Name / Address Resolution .., SC-21 Secure Name / Address Resolution .., SC-22 Architecture And Provisioning For Na.., SC-23 Session Authenticity, SI-03 Malicious Code Protection, SI-04 Information System Monitoring Tools An.., SI-05 Security Alerts And Advisories, SI-06 Security Functionality Verif.., SI-07 Software And Information Integri.., SI-08 Spam Protection.
OSA is licensed according to Creative Commons Share-alike. Please see: http://www.opensecurityarchitecture.org/cms/about/license-terms.
http://www.opensecurityarchitecture.org/cms/images/OSA_ima...
http://www.opensecurityarchitecture.org/cms/en/library/patternlandscape/286-sp-016-dmz-module
41. Tips To Improve a Network Security Architecture Or “Mandiant Said So”
• Document and understand critical applications’ network data flows
• Periodically validate network device rulesets
• Implement network segmentation
• Implement web application firewalls to reduce the risk of web application vulnerabilities
• Implement web proxies for all users, restricting access to “uncategorized” web sites
• Build restricted, high security zones for critical data and applications
From the Mandiant M-Trend 2012 Report
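Added worked example (not code from the deck or from Mandiant): the first two tips, documented data flows and periodic ruleset validation, only pay off when they are checked against each other, and the DMZ pattern's DENY ALL default is something a script can verify rather than a reviewer eyeballing. The zone names are the deck's segments; the rule format, the first-match semantics, the sample ruleset and the sample flow inventory are constructed for this illustration.

```python
"""Cross-check a firewall ruleset against documented application data flows.
Added illustration, not code from the presentation or Mandiant: the zone names
come from the deck's segmentation slide; the rule format, the sample ruleset
and the sample flow inventory are constructed for the example."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # source zone or "any"
    dst: str             # destination zone or "any"
    port: Optional[int]  # TCP/UDP destination port; None means any port
    action: str          # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    app: str   # the application that owns this documented flow
    src: str
    dst: str
    port: int


def rule_matches(rule, flow):
    return (rule.src in ("any", flow.src)
            and rule.dst in ("any", flow.dst)
            and rule.port in (None, flow.port))


def first_match(ruleset, flow):
    """First-match semantics: the first rule that matches decides the flow."""
    for rule in ruleset:
        if rule_matches(rule, flow):
            return rule
    return None


def is_deny_all(rule):
    return (rule.action == "deny" and rule.src == "any"
            and rule.dst == "any" and rule.port is None)


def audit_ruleset(ruleset, flows, high_security_zones=("DATA",)):
    """Return human-readable findings; an empty list means the ruleset is consistent."""
    findings = []
    # 1. The pattern's default rule is DENY ALL; it must be the last rule.
    if not ruleset or not is_deny_all(ruleset[-1]):
        findings.append("ruleset does not end with an explicit deny-all default rule")
    # 2. Every documented flow must reach an allow rule, otherwise access is broken.
    for f in flows:
        hit = first_match(ruleset, f)
        if hit is None or hit.action != "allow":
            findings.append(f"documented flow {f.app} {f.src}->{f.dst}:{f.port} is blocked")
    # 3. Every allow rule should be the deciding rule for at least one documented flow;
    #    anything else is an undocumented hole or a stale rule.
    for r in ruleset:
        if r.action == "allow" and not any(first_match(ruleset, f) is r for f in flows):
            findings.append(f"rule {r.name} ({r.src}->{r.dst}) permits no documented flow")
    # 4. Allows into restricted zones must name a source zone and a port.
    for r in ruleset:
        if r.action == "allow" and r.dst in high_security_zones:
            if r.src == "any" or r.port is None:
                findings.append(f"rule {r.name} is overly broad into {r.dst}")
            if r.src == "INET":
                findings.append(f"rule {r.name} exposes {r.dst} directly to INET")
    return findings


# Constructed sample ruleset (first match wins) and flow inventory.
RULESET = [
    Rule("R1", "INET", "DMZ", 443, "allow"),
    Rule("R2", "DMZ", "APP", 8443, "allow"),
    Rule("R3", "APP", "DATA", 5432, "allow"),
    Rule("R4", "CORP", "DATA", None, "allow"),   # a legacy "temporary" rule
    Rule("R5", "MGMT", "any", 22, "allow"),
    Rule("R6", "any", "any", None, "deny"),
]
FLOWS = [
    Flow("web-front-end", "INET", "DMZ", 443),
    Flow("web-front-end", "DMZ", "APP", 8443),
    Flow("erp-app", "APP", "DATA", 5432),
    Flow("db-backup", "DATA", "BKUP", 10000),
    Flow("ssh-admin", "MGMT", "APP", 22),
]

if __name__ == "__main__":
    for line in audit_ruleset(RULESET, FLOWS):
        print(line)
```

On the sample data the audit reports a documented backup flow that the ruleset silently blocks (the "rules breaking access" complaint from slide 12) and a legacy CORP-to-DATA rule that no application justifies and that allows every port into the database segment. Running this on each ruleset export turns "periodically validate rulesets" into a metric that can be tracked over time.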
42. And, hast thou slain the Firewall?
Come to my arms, my beamish girl!
O stateful day! Callooh! Callay!
She chortled in her joy.
43. Where Am I?
Spending quality time in kernel mode practicing
and refining my particular form of snark.
www.healthyparanoia.com
Twitter @MrsYisWhy
Google+ MrsYisWhy
networksecurityprincess@gmail.com
chubirka@packetpushers.net
44. References
Covert, Edwin. Using Enterprise Security Architectures to Align Business Goals and IT Security within an Organization. Tech. Columbia: Applied Network Solutions, n.d. Print.
Grimes, Roger. "Why You Don't Need a Firewall." InfoWorld. N.p., 15 May 2012. Web. 15 May 2012. <http://www.infoworld.com/d/security/why-you-dont-need-firewall-193153?page=0,1>.
Krebs, Brian. "Krebs on Security." Krebs on Security RSS. N.p., 1 May 2012. Web. 16 Apr. 2013. <http://krebsonsecurity.com/2012/05/global-payments-breach-window-expands/>.
Krebs, Brian. "Krebs on Security." Krebs on Security RSS. N.p., 17 May 2012. Web. 16 Apr. 2013. <http://krebsonsecurity.com/2012/05/global-payments-breach-now-dates-back-to-jan-2011/>.
Lee, Rob. "Blog." Is Anti-Virus Really Dead? A Real-World Simulation Created for Forensic Data Yields Surprising Results. SANS, 9 Apr. 2012. Web. 16 Apr. 2013. <http://computer-forensics.sans.org/blog/2012/04/09/is-anti-virus-really-dead-a-real-world-simulation-created-for-forensic-data-yields-surprising-results>.
M-Trends 2012: An Evolving Threat. Rep. Alexandria: Mandiant, 2012. Print.
45. References Con’t
"Open Security Architecture." Open Security Architecture. N.p., n.d. Web. 17 Apr. 2013.
Plato, Andrew. "Analysis of the Palo Alto Cache Poison Issue." Anitian Blog. Anitian Security, 3 Jan. 2013. Web. 16 Apr. 2013.
"SABSA." SABSA. N.p., n.d. Web. 17 Apr. 2013.
Trustwave 2012 Global Security Report. Rep. Trustwave, 2012. Web.
Verizon 2013 Data Breach Investigations Report. Rep. Verizon, 2013. Web.
Wan, William, and Ellen Nakashima. "Report Ties Cyberattacks on U.S. Computers to Chinese Military." Washington Post. The Washington Post, 19 Feb. 2013. Web. 16 Apr. 2013. <http://www.washingtonpost.com/world/report-ties-100-plus-cyber-attacks-on-us-computers-to-chinese-military/2013/02/19/2700228e-7a6a-11e2-9a75-dab0201670da_story.html>.
Zetter, Kim. "RSA Agrees to Replace Security Tokens After Admitting Compromise." Wired.com. Conde Nast Digital, 05 June 2011. Web. 16 Apr. 2013. <http://www.wired.com/threatlevel/2011/06/rsa-replaces-securid-tokens/>.