Beware the Firewall, My Son! The Jaws That Bite, The Claws That Catch!*
*With apologies to Lewis Carroll
Who Am I?
•  Michele Chubirka, aka Mrs. Y.
•  Senior security architect.
•  Blogs and hosts Healthy Paranoia, information security podcast channel of Packetpushers.
•  Researches and pontificates on topics such as security architecture and best practices.
Discussion Points
•  Firewall State of the Union
•  Current Design Models
•  Challenges
•  Security Vs. Compliance
•  Recommendations
Beware the proxy server, and shun
The frumious packet filter!
Recent Findings
According to Trustwave’s 2012 Global Security Report:
•  Customer records make up 89% of breached data investigated.
•  The most common password used by organizations is “Password1” because it satisfies the default Microsoft Active Directory complexity setting.
•  Anti-virus detected less than 12% of malware samples collected during 2011 investigations.
•  SANS Institute declared the “death of AV.”
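To show why the “Password1” finding holds, here is an added example (not from the deck or from Trustwave): an approximation of the Windows “password must meet complexity requirements” rule with the Default Domain Policy minimum length of 7, followed by a base-word denylist that catches what the complexity rule waves through. The denylist and the leetspeak map are constructed for illustration.

```python
import re

# The five character categories counted by the Windows "Password must meet
# complexity requirements" setting; a password needs at least three of them.
CATEGORIES = (
    ("uppercase", str.isupper),
    ("lowercase", str.islower),
    ("digit", str.isdigit),
    ("special", lambda c: not c.isalnum() and not c.isspace()),
    ("other-alpha", lambda c: c.isalpha() and not c.isupper() and not c.islower()),
)

# Constructed denylist of base words that complexity rules let through.
DENYLIST = {"password", "welcome", "letmein", "qwerty", "changeme",
            "summer", "winter", "spring", "autumn", "admin", "acmecorp"}

# Common substitutions users make to satisfy the "special" and "digit" categories.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def meets_ad_complexity(password, account_name="", full_name="", min_length=7):
    """Approximation of the Default Domain Policy: minimum length 7 (assumed
    default) plus the complexity rule (3 of 5 categories, no account name, no
    full-name token longer than two characters). True when the password passes."""
    if len(password) < min_length:
        return False
    lowered = password.lower()
    if account_name and account_name.lower() in lowered:
        return False
    for token in re.split(r"[ ,.\-_#\t]+", full_name):
        if len(token) > 2 and token.lower() in lowered:
            return False
    categories_hit = sum(1 for _, test in CATEGORIES if any(test(c) for c in password))
    return categories_hit >= 3


def base_word(password):
    """Strip leading/trailing digits and symbols and undo leetspeak, so that
    Password1, P@ssw0rd! and Password2013 all reduce to 'password'."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.translate(LEET).lower()


def acceptable(password, account_name="", full_name=""):
    """Complexity is necessary but not sufficient: also reject denylisted base words.
    Returns (accepted, reason)."""
    if not meets_ad_complexity(password, account_name, full_name):
        return False, "fails complexity policy"
    word = base_word(password)
    if word in DENYLIST:
        return False, "denylisted base word: " + word
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Password1", "P@ssw0rd!", "Welcome2013", "Tr0ub4dor&3"):
        print(candidate, meets_ad_complexity(candidate), acceptable(candidate))
```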
Findings Con’t
Only 16% of compromises were self-detected and attackers had an average of 173.5 days before detection.
Verizon Data Breach Report 2013
“When you consider the methods used by attackers to gain a foothold in organizations—brute force, stolen creds, phishing, tampering—it’s really not all that surprising that none receive the highly difficult rating. Would you fire a guided missile at an unlocked screen door?”
“…three-quarters of breaches are of low or very low difficulty for initial compromise, and the rest land in the moderate category.”
Verizon Data Breach Report 2013
Figure 43: Percent of breaches discovered external to victim
<2008: 75%   2008: 69%   2009: 61%   2010: 86%   2011: 92%   2012: 69%
Figure 42: Percent of breaches that remain undiscovered for months or more
<2008: 67%   2008: 55%   2009: 44%   2010: 41%   2011: 55%   2012: 66%
Verizon Data Breach Report 2013
Figure 41: Timespan of events (Overall, broken out by Financial, Espionage and Other). Rows: Compromise (n=180), Exfiltration (n=39), Discovery (n=221), Containment (n=49). Columns: Seconds, Minutes, Hours, Days, Weeks, Months, Years.
High Profile Attacks
•  Major news media organizations compromised.
•  DDoS attacks against financial institutions.
•  Breach of processor Global Payments went undetected for over a year with 7 million accounts compromised.
•  Prominent defense contractors penetrated via information stolen from RSA Security.
Do you think they had firewalls?
Why Do We Use Firewalls?
•  Infosec design “best practice.”
•  Because compliance rules and auditors say so.
•  To protect applications, servers and user systems from attacks.
•  FUD
Why Do We Still Use Firewalls?
•  According to Infoworld’s Roger Grimes, they “…need to go away.”
•  Most attacks are client-side (http and https) and can bypass the firewall rules.
•  Network choke-points.
•  Rules are a mess, often breaking access.
•  Management is difficult, at best.
•  More of a problem than a solution.
April Fool’s RFC 3514
Firewalls [CBR03], packet filters, intrusion detection systems, and the like often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual. The problem is that making such determinations is hard. To solve this problem, we define a security flag, known as the "evil" bit, in the IPv4 [RFC791] header.
April Fool’s RFC 3093
We propose the Firewall Enhancement Protocol (FEP).… Our methodology is to layer any application layer Transmission Control Protocol/User Datagram Protocol (TCP/UDP) packets over the HyperText Transfer Protocol (HTTP) protocol, since HTTP packets are typically able to transit Firewalls. … FEP allows the best of both worlds: the security of a firewall, and transparent tunneling through the firewall.
She took her vorpal sword in hand:
Long time the TCP flow she sought --
Definitions
Defense-in-depth
According to the Committee on National Security Systems Instruction No. 4009, National Information Assurance Glossary, it is defined as:
IA [information assurance] strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of networks.
Defense-in-depth consists of multiple types of controls, not only multiples of the same control.
Definitions Con’t
Firewall
From The Oxford American Dictionary:
A wall or partition designed to inhibit or prevent the spread of fire. Any barrier that is intended to thwart the spread of a destructive agent.
A firewall does not prevent a fire.
So rested she by the DMZ,
And stood awhile in thought.
Current Model: The Sandwich
Typical Network Security Segmentation
•  INET: Public facing, the internet.
•  CORP: Corporate network, aka the user community.
•  DATA: Database segment, might be subdivided into PCI and non-PCI.
•  APP: Application segment, might be subdivided into PCI and non-PCI.
•  DMZ: Anything requiring public access (web front-ends, mail, DNS); might be subdivided into PCI and non-PCI segments.
•  MGMT: Management segment providing access between user/corp and production segments.
•  BKUP: Backup network.
Typical Data Classification
•  Routine: Information not presenting a risk to the business if it were compromised. The lowest degree of protection.
•  Confidential: Information not of value to an attacker, but it might provide information that could be useful in an attack.
•  Business-Critical: Data containing details about how the organization operates its business. Could affect the organization's competitive advantage or have a financial impact if it were compromised.
•  Private: Private data is information that the organization is required to keep secure, either by regulation or to maintain the confidence of its customers. This data is the most secure information on the network.
What You Really End Up With
And, as in uffish thought she stood,
The firewall, with eyes of flame,
The Challenge
•  A Network Security team is responsible for managing the technical or logical controls for accessing data.
•  They are data custodians for the data owners.
•  The challenge is to ensure that they closely align the network security segmentation design with an information classification matrix.
Came whiffling through the Ethernet,
And burbled as it came!
Security Vs. Compliance
•  Adherence to PCI-DSS, SOX, HIPAA or any other compliance standard does not equate to organizational security.
•  Compliance is conformance to a standard dictated by a governing body.
Definitions
•  Compliance - the act of conforming, acquiescing, or yielding. A tendency to yield readily to others, especially in a weak and subservient way. Conformity; accordance: in compliance with orders. Cooperation or obedience.
•  Security - freedom from danger, risk, etc.; safety. Freedom from care, anxiety, or doubt; well-founded confidence. Something that secures or makes safe; protection; defense. Precautions taken to guard against crime, attack, sabotage, espionage, etc.
From The American Heritage Dictionary
Compliance or Security?
Compliance != Security
Venn diagram courtesy of @grecs
One, two! One, two! And through and through
The vorpal blade went snicker-snack!
Information Classification Best Practices
•  Data represents the digital assets of a company.
•  Different data has varying levels of value, organized according to sensitivity to loss, disclosure, or unavailability.
•  Data is segmented according to level, then security controls are applied.
•  An information classification matrix represents the foundation of a security design.
For additional information, see “Understanding Data Classification Based On Business and Security Requirements” by Rafael Etges and Karen McNeil.
Implementing Good Network Segmentation: Phase One
1.  Establish a new network segmentation model, based upon some of the existing or implicit standards from your security team.
2.  Proactively verify that this will meet current compliance needs.
3.  Document this fully and get sign-off, so that there is an agreed-upon model or standard for all divisions.
4.  Build new systems and networks on this design, migrating legacy systems where possible with minimal impact to customers and when required for compliance.
Implementing Good Network Segmentation: Phase Two
1.  Build a business and service technical catalog, then a full data classification matrix.
2.  Develop the next generation of network segmentation based upon the data classification matrix.
3.  Document this fully, so that there is an agreed-upon model or standard.
Implementation of phase one will make phase two feasible. The goal is a thoughtful design that meets the needs of all customers and divisions within an organization.
She left it dead, and with its NAT policy,
She went galumphing back.
Operational Security To Do List
•  Focus on containment.
•  Improve standardization and documentation.
•  Gather metrics.
•  Event monitoring (and no, that doesn’t mean email alerts).
•  Consolidate when possible.
•  Consistently audit access.
•  Emphasize a proactive over reactive posture.
The Goal: Enterprise Security Architecture
•  Integration of security into the enterprise architecture.
•  Design driven by business needs.
•  Built in, not bolted on.
•  Utilize frameworks or models such as OSA (Open Security Architecture) and SABSA (Sherwood Applied Business Security Architecture).
OSA Design Principles
The design artifacts that describe how the security controls (= security countermeasures) are positioned, and how they relate to the overall IT Architecture.
SABSA Framework
A New and Improved DMZ Sandwich
OSA pattern SP-016 (DMZ module), rendered as text:
•  Actor: Security Operations - configuration of environment; monitoring and response to emerging threats.
•  Untrusted public network (e.g. Internet) - External Services.
•  External Firewall - default rule: DENY ALL; enable specific port and IP addresses/ranges; stateful inspection.
•  DMZ: DNS, IDS/IPS, Bastion Host, Proxy/Gateway/Web - minimal services, hardened configuration, management/monitoring by separate network interfaces/VLAN.
•  Internal Firewall - default rule: DENY ALL; enable specific port and IP addresses; stateful inspection and DOS protection; load balance/high availability.
•  Trusted network (e.g. CorpNet) - Internal Services.
Security controls referenced by the pattern (NIST SP 800-53 identifiers): AC-04 Information Flow Enforcement, AC-06 Least Privilege, AC-07 Unsuccessful Login Attempts, AC-12 Session Termination, AU-02 Auditable Events, AU-03 Content Of Audit Records, AU-04 Audit Storage Capacity, AU-05 Response To Audit Processing Failures, AU-06 Audit Monitoring, Analysis, And Repor.., AU-07 Audit Reduction And Report Generation, AU-08 Time Stamps, AU-09 Protection Of Audit Information, AU-10 Non-Repudiation, AU-11 Audit Record Retention, CA-03 Information System Connections, CA-04 Security Certification, CA-05 Plan Of Action And Milestones, CM-07 Least Functionality, RA-05 Vulnerability Scanning, SC-05 Denial Of Service Protection, SC-07 Boundary Protection, SC-10 Network Disconnect, SC-20 Secure Name / Address Resolution .., SC-21 Secure Name / Address Resolution .., SC-22 Architecture And Provisioning For Na.., SC-23 Session Authenticity, SI-03 Malicious Code Protection, SI-04 Information System Monitoring Tools An.., SI-05 Security Alerts And Advisories, SI-06 Security Functionality Verif.., SI-07 Software And Information Integri.., SI-08 Spam Protection.
OSA is licensed according to Creative Commons Share-alike.
Please see: http://www.opensecurityarchitecture.org/cms/about/license-terms.
http://www.opensecurityarchitecture.org/cms/images/OSA_ima...
http://www.opensecurityarchitecture.org/cms/en/library/patternlandscape/286-sp-016-dmz-module
Tips To Improve a Network Security Architecture Or “Mandiant Said So”
•  Document and understand critical applications’ network data flows
•  Periodically validate network device rulesets
•  Implement network segmentation
•  Implement web application firewalls to reduce the risk of web application vulnerabilities
•  Implement web proxies for all users, restricting access to “uncategorized” web sites
•  Build restricted, high security zones for critical data and applications
From the Mandiant M-Trend 2012 Report
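As an added example (not from the deck or from Mandiant), the check below ties “The Challenge” and the tips above together: a firewall ruleset is validated against the segmentation model and classification levels from the earlier slides, flagging undocumented flows into more sensitive segments, management protocols from outside MGMT, wildcard allows and a missing final deny-all. The per-segment classification tags, the documented flows, the management ports and the sample rules are constructed for illustration.

```python
from dataclasses import dataclass

# Classification levels from the "Typical Data Classification" slide, least to most sensitive.
LEVELS = {"routine": 0, "confidential": 1, "business-critical": 2, "private": 3}

# Segments from the "Typical Network Security Segmentation" slide, each tagged
# with the highest classification it hosts (the tags are constructed for this example).
SEGMENTS = {
    "INET": "routine",
    "CORP": "confidential",
    "DMZ": "confidential",
    "APP": "business-critical",
    "DATA": "private",
    "MGMT": "private",
    "BKUP": "private",
}

# Documented application data flows as (src, dst, proto, port); constructed.
DOCUMENTED_FLOWS = {
    ("INET", "DMZ", "tcp", 443),
    ("CORP", "DMZ", "tcp", 443),
    ("DMZ", "APP", "tcp", 8443),
    ("APP", "DATA", "tcp", 5432),
}

# Ports that only the management segment should be allowed to reach (constructed).
MGMT_PORTS = {22, 3389}


@dataclass(frozen=True)
class Rule:
    src: str      # segment name or "any"
    dst: str      # segment name or "any"
    proto: str    # "tcp", "udp" or "any"
    port: int     # destination port, 0 meaning any
    action: str   # "allow" or "deny"


def level(segment):
    return LEVELS[SEGMENTS[segment]]


def check_rule(index, rule):
    """Findings for a single rule as (index, message) tuples; deny rules pass."""
    findings = []
    if rule.action != "allow":
        return findings
    if "any" in (rule.src, rule.dst, rule.proto) or rule.port == 0:
        findings.append((index, "wildcard allow rule (any source, destination, protocol or port)"))
        return findings
    if rule.src not in SEGMENTS or rule.dst not in SEGMENTS:
        findings.append((index, "segment not in the documented segmentation model"))
        return findings
    if rule.port in MGMT_PORTS and rule.src != "MGMT":
        findings.append((index, "management protocol allowed from non-MGMT segment " + rule.src))
    flow = (rule.src, rule.dst, rule.proto, rule.port)
    if level(rule.dst) > level(rule.src) and flow not in DOCUMENTED_FLOWS:
        findings.append((index, "undocumented flow from %s (%s) into %s (%s)" % (
            rule.src, SEGMENTS[rule.src], rule.dst, SEGMENTS[rule.dst])))
    return findings


def validate(rules):
    """Run every rule through check_rule and require an explicit final deny-all."""
    findings = []
    for index, rule in enumerate(rules):
        findings.extend(check_rule(index, rule))
    deny_all = Rule("any", "any", "any", 0, "deny")
    if not rules or rules[-1] != deny_all:
        findings.append((len(rules), "ruleset does not end with an explicit deny-all"))
    return findings


# Constructed sample ruleset: three documented flows, then the usual accretions.
SAMPLE_RULES = [
    Rule("INET", "DMZ", "tcp", 443, "allow"),    # documented
    Rule("DMZ", "APP", "tcp", 8443, "allow"),    # documented
    Rule("APP", "DATA", "tcp", 5432, "allow"),   # documented
    Rule("CORP", "DATA", "tcp", 5432, "allow"),  # users straight to the database
    Rule("CORP", "APP", "tcp", 22, "allow"),     # SSH from the user segment
    Rule("DMZ", "any", "any", 0, "allow"),       # the "temporary" wildcard
    Rule("DATA", "BKUP", "tcp", 873, "allow"),   # same sensitivity level: fine
    Rule("any", "any", "any", 0, "deny"),
]

if __name__ == "__main__":
    for index, message in validate(SAMPLE_RULES):
        print("rule %d: %s" % (index, message))
```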
And, hast thou slain the Firewall?
Come to my arms, my beamish girl!
O stateful day! Callooh! Callay!
She chortled in her joy.
Where Am I?
Spending quality time in kernel mode practicing and refining my particular form of snark.
www.healthyparanoia.com
Twitter @MrsYisWhy
Google+ MrsYisWhy
networksecurityprincess@gmail.com
chubirka@packetpushers.net
References
Covert, Edwin. Using Enterprise Security Architectures to Align Business Goals and IT Security within an Organization. Tech. Columbia: Applied Network Solutions, n.d. Print.
Grimes, Roger. "Why You Don't Need a Firewall." InfoWorld. N.p., 15 May 2012. Web. 15 May 2012. <http://www.infoworld.com/d/security/why-you-dont-need-firewall-193153?page=0,1>.
Krebs, Brian. "Krebs on Security." Krebs on Security RSS. N.p., 1 May 2012. Web. 16 Apr. 2013. <http://krebsonsecurity.com/2012/05/global-payments-breach-window-expands/>.
Krebs, Brian. "Krebs on Security." Krebs on Security RSS. N.p., 17 May 2012. Web. 16 Apr. 2013. <http://krebsonsecurity.com/2012/05/global-payments-breach-now-dates-back-to-jan-2011/>.
Lee, Rob. "Blog." Is Anti-Virus Really Dead? A Real-World Simulation Created for Forensic Data Yields Surprising Results. SANS, 9 Apr. 2012. Web. 16 Apr. 2013. <http://computer-forensics.sans.org/blog/2012/04/09/is-anti-virus-really-dead-a-real-world-simulation-created-for-forensic-data-yields-surprising-results>.
M-Trends 2012: An Evolving Threat. Rep. Alexandria: Mandiant, 2012. Print.
"Open Security Architecture." Open Security Architecture. N.p., n.d. Web. 17 Apr. 2013.
Plato, Andrew. "Analysis of the Palo Alto Cache Poison Issue." Anitian Blog. Anitian Security, 3 Jan. 2013. Web. 16 Apr. 2013.
"SABSA." SABSA. N.p., n.d. Web. 17 Apr. 2013.
Trustwave 2012 Global Security Report. Rep. Trustwave, 2012. Web.
Verizon 2013 Data Breach Investigations Report. Rep. Verizon, 2013. Web.
Wan, William, and Ellen Nakashima. "Report Ties Cyberattacks on U.S. Computers to Chinese Military." Washington Post. The Washington Post, 19 Feb. 2013. Web. 16 Apr. 2013. <http://www.washingtonpost.com/world/report-ties-100-plus-cyber-attacks-on-us-computers-to-chinese-military/2013/02/19/2700228e-7a6a-11e2-9a75-dab0201670da_story.html>.
Zetter, Kim. "RSA Agrees to Replace Security Tokens After Admitting Compromise." Wired.com. Conde Nast Digital, 05 June 2011. Web. 16 Apr. 2013. <http://www.wired.com/threatlevel/2011/06/rsa-replaces-securid-tokens/>.

 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!

  • 1. Beware the Firewall, My Son! The Jaws That Bite, The Claws That Catch!* *With apologies to Lewis Carroll
  • 2. Who Am I? •  Michele Chubirka, aka Mrs. Y. •  Senior security architect. •  Blogs and hosts Healthy Paranoia, information security podcast channel of Packetpushers. •  Researches and pontificates on topics such as security architecture and best practices.
  • 3. Discussion Points •  Firewall State of the Union •  Current Design Models •  Challenges •  Security Vs. Compliance •  Recommendations
  • 4. Beware the proxy server, and shun The frumious packet filter!
  • 5. Recent Findings According to Trustwave’s 2012 Global Security Report: •  Customer records make up 89% of breached data investigated. •  The most common password used by organizations is “Password1” because it satisfies the default Microsoft Active Directory complexity setting. •  Anti-virus detected less than 12% of malware samples collected during 2011 investigations. •  SANS Institute declared the “death of AV.”
  • 6. Findings Con’t Only 16% of compromises were self- detected and attackers had an average of 173.5 days before detection.
  • 7. Verizon Data Breach Report 2013 “WHEN YOU CONSIDER THE METHODS USED BY ATTACKERS TO GAIN A FOOTHOLD IN ORGANIZATIONS—BRUTE FORCE, STOLEN CREDS, PHISHING, TAMPERING—IT’S REALLY NOT ALL THAT SURPRISING THAT NONE RECEIVE THE HIGHLY DIFFICULT RATING. WOULD YOU FIRE A GUIDED MISSILE AT AN UNLOCKED SCREEN DOOR?” “…three-quarters of breaches are of low or very low difficulty for initial compromise, and the rest land in the moderate category.”
  • 8. Verizon Data Breach Report 2013. Figure 43: Percent of breaches discovered external to victim, by year (<2008, 2008, 2009, 2010, 2011, 2012): 75%, 69%, 61%, 86%, 92%, 69%. Figure 42: Percent of breaches that remain undiscovered for months or more, same years: 67%, 55%, 44%, 41%, 55%, 66%.
  • 9. Verizon Data Breach Report 2013. Figure 41: Timespan of events (Overall) for Compromise (n=180), Exfiltration (n=39), Discovery (n=221) and Containment (n=49), bucketed as Seconds, Minutes, Hours, Days, Weeks, Months and Years, with a breakdown by Financial, Espionage and Other (chart values not recoverable from the transcript).
  • 10. High Profile Attacks •  Major news media organizations compromised. •  DDoS attacks against financial institutions. •  Breach of processor Global Payments went undetected for over a year with 7 million accounts compromised. •  Prominent defense contractors penetrated via information stolen from RSA Security. Do you think they had firewalls?
  • 11. Why Do We Use Firewalls? •  Infosec design “best practice.” •  Because compliance rules and auditors say so. •  To protect applications, servers and user systems from attacks. •  FUD
  • 12. Why Do We Still Use Firewalls? •  According to Infoworld’s Roger Grimes, they “…need to go away.” •  Most attacks are client-side (http and https) and can bypass the firewall rules. •  Network choke-points. •  Rules are a mess, often breaking access. •  Management is difficult, at best. •  More of a problem than a solution.
  • 13. April Fool’s RFC 3514 Firewalls [CBR03], packet filters, intrusion detection systems, and the like often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual. The problem is that making such determinations is hard. To solve this problem, we define a security flag, known as the "evil" bit, in the IPv4 [RFC791] header.
  • 14. April Fool’s RFC 3093 We propose the Firewall Enhancement Protocol (FEP).… Our methodology is to layer any application layer Transmission Control Protocol/ User Datagram Protocol (TCP/UDP) packets over the HyperText Transfer Protocol (HTTP) protocol, since HTTP packets are typically able to transit Firewalls. … FEP allows the best of both worlds: the security of a firewall, and transparent tunneling through the firewall.
  • 15. She took her vorpal sword in hand:   Long time the TCP flow she sought --
  • 16. Definitions Defense-in-depth According to the Committee on National Security Systems Instruction No. 4009, National Information Assurance Glossary, it is defined as: IA [information assurance] strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of networks.
  • 17. Defense-in-depth consists of multiple types of controls, not only multiple instances of the same control.
  • 18. Definitions Con’t Firewall From The Oxford American Dictionary: A wall or partition designed to inhibit or prevent the spread of fire. Any barrier that is intended to thwart the spread of a destructive agent. A firewall does not prevent a fire.
  • 19. So rested she by the DMZ,   And stood awhile in thought.
  • 20. Current Model: The Sandwich
  • 21. Typical Network Security Segmentation •  INET: Public facing, the internet. •  CORP: Corporate network, aka the user community. •  DATA: Database segment, might be subdivided into PCI and non-PCI. •  APP: Application segment, might be subdivided into PCI and non-PCI. •  DMZ: Anything requiring public access (web front-ends, mail, DNS), might be subdivided into PCI and non-PCI segments. •  MGMT: Management segment providing access between user/corp and production segments. •  BKUP: Backup network.
  • 22. Typical Data Classification •  Routine: Information not presenting a risk to the business if it were compromised. The lowest degree of protection. •  Confidential: Information of no value to an attacker on its own, but which might be useful in mounting an attack. •  Business-Critical: Data containing details about how the organization operates its business. Could affect the organization's competitive advantage or have a financial impact if it were compromised. •  Private: Information that the organization is required to keep secure, either by regulation or to maintain the confidence of its customers. This is the most tightly protected information on the network.
  • 23. What You Really End Up With
  • 24. And, as in uffish thought she stood, The firewall, with eyes of flame,
  • 25. The Challenge •  A Network Security team is responsible for managing the technical or logical controls for accessing data. •  They are data custodians for the data owners. •  The challenge is to ensure that they closely align the network security segmentation design with an information classification matrix.
  • 26. Came whiffling through the Ethernet, And burbled as it came!
  • 27. Security Vs. Compliance •  Adherence to PCI-DSS, SOX, HIPAA or any other compliance standard does not equate to organizational security. •  Compliance is conformance to a standard dictated by a governing body.
  • 28. Definitions •  Compliance - the act of conforming, acquiescing, or yielding. A tendency to yield readily to others, especially in a weak and subservient way. Conformity; accordance: in compliance with orders. Cooperation or obedience. •  Security - freedom from danger, risk, etc.; safety. Freedom from care, anxiety, or doubt; well-founded confidence. Something that secures or makes safe; protection; defense. Precautions taken to guard against crime, attack, sabotage, espionage, etc. From The American Heritage Dictionary
  • 30. Compliance != Security. Venn diagram courtesy of @grecs
  • 31. One, two! One, two! And through and through   The vorpal blade went snicker-snack!
  • 32. Information Classification Best Practices •  Data represents the digital assets of a company. •  Different data has varying levels of value, organized according to sensitivity to loss, disclosure, or unavailability. •  Data is segmented according to level, then security controls are applied. •  An information classification matrix represents the foundation of a security design. For additional information, see “Understanding Data Classification Based On Business and Security Requirements” by Rafael Etges and Karen McNeil
  • 33. Implementing Good Network Segmentation: Phase One 1.  Establish a new network segmentation model, based upon some of the existing or implicit standards from your security team. 2.  Proactively verify that this will meet current compliance needs. 3.  Document this fully and get sign-off, so that there is an agreed-upon model or standard for all divisions. 4.  Build new systems and networks on this design, migrating legacy systems where possible with minimal impact to customers and when required for compliance.
  • 34. Implementing Good Network Segmentation: Phase Two 1.  Build a business and service technical catalog, then a full data classification matrix. 2.  Develop the next generation of network segmentation based upon the data classification matrix. 3.  Document this fully, so that there is an agreed-upon model or standard. Implementation of phase one will make phase two feasible. The goal is a thoughtful design that meets the needs of all customers and divisions within an organization.
  • 35. She left it dead, and with its NAT policy, she went galumphing back.
  • 36. Operational Security To Do List •  Focus on containment. •  Improve standardization and documentation. •  Gather metrics. •  Event monitoring (and no, that doesn’t mean email alerts). •  Consolidate when possible. •  Consistently audit access. •  Emphasize a proactive over reactive posture.
  • 37. The Goal: Enterprise Security Architecture •  Integration of security into the enterprise architecture. •  Design driven by business needs. •  Built in, not bolted on. •  Utilize frameworks or models such as: OSA (Open Security Architecture) SABSA (Sherwood Applied Business Security Architecture)
  • 38. OSA Design Principles: The design artifacts that describe how the security controls (= security countermeasures) are positioned, and how they relate to the overall IT Architecture.
  • 40. A New and Improved DMZ Sandwich (OSA DMZ module pattern diagram) •  Untrusted public network e.g. Internet •  External Firewall: Default rule: DENY ALL; Enable specific port and IP addresses/ranges; Stateful inspection •  DMZ: DNS, IDS/IPS, Bastion Host, Proxy/Gateway/Web (minimal services, hardened configuration, management/monitoring by separate network interfaces/VLAN) •  Internal Firewall: Default rule: DENY ALL; Enable specific port and IP addresses; Stateful inspection and DOS protection; Load balance/High availability •  Trusted network e.g. CorpNet; Internal Services; External Services •  Actor: Security Operations: Configuration of environment; Monitoring and response to emerging threats •  Controls: AC-04 Information Flow Enforcement, AC-06 Least Privilege, AC-07 Unsuccessful Login Attempts, AC-12 Session Termination, AU-02 Auditable Events, AU-03 Content Of Audit Records, AU-04 Audit Storage Capacity, AU-05 Response To Audit Processing Failures, AU-06 Audit Monitoring, Analysis, And Repor.., AU-07 Audit Reduction And Report Generation, AU-08 Time Stamps, AU-09 Protection Of Audit Information, AU-10 Non-Repudiation, AU-11 Audit Record Retention, CA-03 Information System Connections, CA-04 Security Certification, CA-05 Plan Of Action And Milestones, CM-07 Least Functionality, RA-05 Vulnerability Scanning, SC-05 Denial Of Service Protection, SC-07 Boundary Protection, SC-10 Network Disconnect, SC-20 Secure Name / Address Resolution .., SC-21 Secure Name / Address Resolution .., SC-22 Architecture And Provisioning For Na.., SC-23 Session Authenticity, SI-03 Malicious Code Protection, SI-04 Information System Monitoring Tools An.., SI-05 Security Alerts And Advisories, SI-06 Security Functionality Verif.., SI-07 Software And Information Integri.., SI-08 Spam Protection •  OSA is licensed according to Creative Commons Share-alike. Please see: http://www.opensecurityarchitecture.org/cms/about/license-terms. Sources: http://www.opensecurityarchitecture.org/cms/images/OSA_ima... and http://www.opensecurityarchitecture.org/cms/en/library/patternlandscape/286-sp-016-dmz-module
  • 41. Tips To Improve a Network Security Architecture Or “Mandiant Said So” •  Document and understand critical applications’ network data flows •  Periodically validate network device rulesets •  Implement network segmentation •  Implement web application firewalls to reduce the risk of web application vulnerabilities •  Implement web proxies for all users, restricting access to “uncategorized” web sites •  Build restricted, high security zones for critical data and applications From the Mandiant M-Trend 2012 Report
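The following Python script is an added example, not code from the slides or from Mandiant or OSA. It turns slide 41's "periodically validate network device rulesets" and slide 25's "align the segmentation design with the classification matrix" into a repeatable check: the zones are the ones named on slide 21, the policy matrix is deny-by-default as on slide 40's DMZ sandwich, and the script reports every permit rule that opens a flow the matrix does not allow, every rule whose source or destination sprawls across more than one zone, and a ruleset that does not end in an explicit deny-all. The address ranges, the allowed-flow matrix, the rule format and the sample rules are all constructed assumptions for illustration.

```python
"""Audit a firewall ruleset against a network segmentation policy.

Added example (not from the original deck). Zone names follow slide 21; the
address ranges, the allowed-flow matrix and the sample rules are constructed.
"""
from dataclasses import dataclass
import ipaddress

ANY = "any"

# Segmentation zones (slide 21) mapped to constructed address ranges.
# INET is the catch-all: any address not in an assigned zone is "the internet".
ZONES = {
    "CORP": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ":  ipaddress.ip_network("10.20.0.0/16"),
    "APP":  ipaddress.ip_network("10.30.0.0/16"),
    "DATA": ipaddress.ip_network("10.40.0.0/16"),
    "MGMT": ipaddress.ip_network("10.50.0.0/16"),
    "BKUP": ipaddress.ip_network("10.60.0.0/16"),
}

# Constructed policy matrix: (src zone, dst zone) -> permitted destination
# ports. Any pair not listed is denied ("Default rule: DENY ALL", slide 40).
POLICY = {
    ("INET", "DMZ"):  {25, 53, 80, 443},
    ("CORP", "DMZ"):  {80, 443},
    ("DMZ",  "APP"):  {8443},
    ("APP",  "DATA"): {5432},
    ("DATA", "BKUP"): {10000},
    ("CORP", "MGMT"): {22},
    ("MGMT", "DMZ"):  {22, 161},
    ("MGMT", "APP"):  {22, 161},
    ("MGMT", "DATA"): {22, 161},
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # CIDR prefix or "any"
    dst: str       # CIDR prefix or "any"
    dport: object  # destination port (int) or "any"
    action: str    # "permit" or "deny"


@dataclass(frozen=True)
class Finding:
    rule: str
    kind: str      # "violation", "broad" or "no-default-deny"
    detail: str


def _net(cidr):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == ANY else cidr, strict=False)


def zones_covered(cidr):
    """Zones a prefix touches. CIDR prefixes either nest or are disjoint, so a
    prefix is either inside exactly one zone, or it contains whole zones (plus
    INET for whatever address space lies outside the assigned zones)."""
    net = _net(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return {name}
    inside = {name for name, zone in ZONES.items() if zone.subnet_of(net)}
    return inside | {"INET"}


def audit(rules):
    """Findings for permit rules wider than the policy, plus one finding if the
    ruleset does not end in an explicit deny any/any/any."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue  # deny rules cannot widen a deny-by-default policy
        src_zones, dst_zones = zones_covered(r.src), zones_covered(r.dst)
        if len(src_zones) > 1 or len(dst_zones) > 1:
            findings.append(Finding(r.name, "broad",
                f"spans {sorted(src_zones)} -> {sorted(dst_zones)}"))
        for s in src_zones:
            for d in dst_zones:
                if s == d:
                    continue  # intra-zone traffic is outside the matrix
                if r.dport == ANY or r.dport not in POLICY.get((s, d), set()):
                    findings.append(Finding(r.name, "violation",
                        f"{s}->{d} port {r.dport} is not an allowed flow"))
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == ANY
            and last.dst == ANY and last.dport == ANY):
        findings.append(Finding("<end>", "no-default-deny",
            "ruleset does not end with an explicit deny any any"))
    return findings


# Constructed sample ruleset: two clean rules, one legacy rule that opens the
# database segment to the whole user network, and a "temporary" any-source rule.
SAMPLE_RULES = [
    Rule("web-in",     "198.51.100.0/24", "10.20.0.0/16", 443,  "permit"),
    Rule("app-db",     "10.30.0.0/16",    "10.40.0.0/16", 5432, "permit"),
    Rule("legacy-any", "10.10.0.0/16",    "10.40.0.0/16", ANY,  "permit"),
    Rule("temp-rdp",   ANY,               "10.30.0.0/16", 3389, "permit"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"[{f.kind}] {f.rule}: {f.detail}")
```

Run against the sample ruleset, the two clean rules produce nothing, `legacy-any` is reported as a CORP->DATA flow the matrix never allowed, `temp-rdp` is reported once as spanning every zone and once per source zone whose path to APP does not include 3389, and the ruleset as a whole is flagged for lacking a closing deny-all. The matrix is the piece to derive from the data classification work of slides 22 and 34: a zone holding Private data should appear as a destination only for the few (source, port) pairs the application actually needs.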
  • 42. And, hast thou slain the Firewall? Come to my arms, my beamish girl! O stateful day! Callooh! Callay! She chortled in her joy.
  • 43. Where Am I? Spending quality time in kernel mode practicing and refining my particular form of snark. www.healthyparanoia.com Twitter @MrsYisWhy Google+ MrsYisWhy networksecurityprincess@gmail.com chubirka@packetpushers.net
  • 44. References •  Covert, Edwin. Using Enterprise Security Architectures to Align Business Goals and IT Security within an Organization. Tech. Columbia: Applied Network Solutions, n.d. Print. •  Grimes, Roger. "Why You Don't Need a Firewall." InfoWorld. N.p., 15 May 2012. Web. 15 May 2012. <http://www.infoworld.com/d/security/why-you-dont-need-firewall-193153?page=0,1>. •  Krebs, Brian. "Krebs on Security." Krebs on Security RSS. N.p., 1 May 2012. Web. 16 Apr. 2013. <http://krebsonsecurity.com/2012/05/global-payments-breach-window-expands/>. •  Krebs, Brian. "Krebs on Security." Krebs on Security RSS. N.p., 17 May 2012. Web. 16 Apr. 2013. <http://krebsonsecurity.com/2012/05/global-payments-breach-now-dates-back-to-jan-2011/>. •  Lee, Rob. "Blog." Is Anti-Virus Really Dead? A Real-World Simulation Created for Forensic Data Yields Surprising Results. SANS, 9 Apr. 2012. Web. 16 Apr. 2013. <http://computer-forensics.sans.org/blog/2012/04/09/is-anti-virus-really-dead-a-real-world-simulation-created-for-forensic-data-yields-surprising-results>. •  M-Trends 2012: An Evolving Threat. Rep. Alexandria: Mandiant, 2012. Print.
  • 45. References Con't •  "Open Security Architecture." Open Security Architecture. N.p., n.d. Web. 17 Apr. 2013. •  Plato, Andrew. "Analysis of the Palo Alto Cache Poison Issue." Anitian Blog. Anitian Security, 3 Jan. 2013. Web. 16 Apr. 2013. •  "SABSA." SABSA. N.p., n.d. Web. 17 Apr. 2013. •  Trustwave 2012 Global Security Report. Rep. Trustwave, 2012. Web. •  Verizon 2013 Data Breach Investigations Report. Rep. Verizon, 2013. Web. •  Wan, William, and Ellen Nakashima. "Report Ties Cyberattacks on U.S. Computers to Chinese Military." Washington Post. The Washington Post, 19 Feb. 2013. Web. 16 Apr. 2013. <http://www.washingtonpost.com/world/report-ties-100-plus-cyber-attacks-on-us-computers-to-chinese-military/2013/02/19/2700228e-7a6a-11e2-9a75-dab0201670da_story.html>. •  Zetter, Kim. "RSA Agrees to Replace Security Tokens After Admitting Compromise." Wired.com. Conde Nast Digital, 05 June 2011. Web. 16 Apr. 2013. <http://www.wired.com/threatlevel/2011/06/rsa-replaces-securid-tokens/>.