Thangns
Agenda
• SECURITY OVERVIEW
• TYPES OF ATTACK
• SECURITY BLUEPRINT
• FIREWALL AND IDS
• ANTIVIRUS SYSTEM
• SECURITY SCANNER SYSTEM
• SECURITY CENTRAL MANAGEMENT SYSTEM
• IDENTITY
• SECURITY DESIGN SOLUTION FOR EXIMBANK
SECURITY OVERVIEW
What is Network Security?
• A process, not a product
• An integrated system
• Network security requires defense in depth, which includes:
  - Firewalls and router access control lists (ACLs)
  - Network- and host-based intrusion detection systems (NIDS and HIDS)
  - Scanners
  - Centralized security and policy management
  - Authentication, authorization, and accounting (AAA), access control servers, and certificate authorities
  - Encryption and virtual private networks (VPNs)
Why Integrated Network Security?
• Everything is a target
  - Routers, switches, hosts, networks, applications, information, management tools
• A new breed of network attacks has multiple vectors that cannot be blocked by one device
• Network security requires an integrated system
  - Layers of security are required
  - Embedded security throughout the network
  - Integrated security in network devices
  - Network management and reporting must be secure
Network Security Evolution—From Detection to Protection
[Figure: operational capability plotted against the move from applications to services and the growing complexity of network security, with the timeline marked 1985, 1995, Today and Future. Stages shown: block and hide (manual, "crypto solves all"); detection of threats (reactive point products, some automation); protection from threats (comprehensive, integrated solutions); adaptive networks (self-managing, self-healing, security-aware networks).]
Complete Content Protection: Network Security Must Evolve
[Figure: intelligence and threat coverage required over time, 1990 to 2005. Threats listed: simple intrusions, viruses, trojans, worms, email spam, denial of service attacks, sophisticated intrusions, inappropriate web content; inspection technology moves from stateful inspection to deep packet inspection.]
Security Threats—On the rise, more dangerous, easier to launch
[Figure: number of intrusions reported per year, 1988 to 2000 (scale 0 to 25,000), set against the rising sophistication of hacker tools and the falling technical knowledge required of the hacker. Source: CERT, Carnegie Mellon University. Tool categories named in the figure: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, sniffers, packet forging/spoofing, stealth diagnostics, sweepers, DDoS.]
| Service Name | Port Number | Explanation |
| --- | --- | --- |
| epmap | 135 | DCE endpoint resolution |
| nterm | 1026 | remote_login network_terminal |
| icq | 1027 | ICQ instant messenger |
| ms-sql-m | 1434 | Microsoft-SQL-Monitor |
| netbios-ns | 137 | NETBIOS Name Service |
| microsoft-ds | 445 | Win2k+ Server Message Block |
| dabber | 9898 | [trojan] Dabber Worm backdoor |
| sasser-ftp | 5554 | [trojan] Sasser Worm FTP Server |
| mydoom | 3127 | W32/MyDoom, W32.Novarg.A backdoor |
| netbios-ssn | 139 | NETBIOS Session Service |

(The "30 day history" column of the original table was a graph and is not reproduced.)
Source: The SANS Institute. Last update June 08, 2004 21:43 pm GMT
Microsoft Security Bulletins for June 2004
TYPES OF ATTACK
• Attack the listeners
  - Exploit bugs and misconfigurations
  - Buffer overflow
  - Spoof the client
• Attack the stack
  - Packet mangling
    • Oversize, fragmentation
  - Flooding
Who might attack you?
• Hackers
  - A few talented people provide tools for thousands of kids
  - rootshell.com, insecure.org contain hundreds of tools
  - Opportunity targets
• Customers
  - Themselves
  - Through stolen/guessed passwords
Who might attack you? (2)
• Insiders
  - Through malice
  - Carelessness
  - Overwork
• Competitors
  - “Denial of Service” attacks make you look bad
  - Customer lists for marketing
How Outsiders Attack
• Look for known weaknesses
  - Misconfigured software
    • Lots of software has a “more secure” configuration which is not turned on out of the box
  - Outdated software with known problems
  - Bad passwords
How outsiders attack (2)
• Scanning tools (SATAN, sscan)
  - Make finding problems easy
• Exploit tools
  - Make taking advantage of problems easy
• Stealth tools
  - Make erasing logs easy
How insiders attack
• Exactly the same as outsiders
  - Except that they are more effective
SECURITY BLUEPRINT
The Security Wheel
[Figure: a continuous cycle, run by network operations and security professionals, around the corporate security policy: Secure (firewall, encryption, authentication); Monitor and Respond (real-time intrusion detection); Audit/Test (proactive network vulnerability assessment); Manage and Improve.]
Deploy Security as an Integrated System
[Figure: physical security controls (secure transport, card readers, security room CCTV, secured doors and vaults, surveillance and alarms, patrolling security guard) set beside the network security layers: firewalls and router ACLs (extended perimeter security); network- and host-based intrusion detection and scanners (intrusion protection); centralized security and policy management (security management and policy); identity, AAA, access control servers, and certificate authorities (identity services); encryption and virtual private networks (VPNs) (secure connectivity).]
FIREWALL
The types of Firewall
• Dedicated firewall appliance
  - Cisco PIX Firewall
  - CrossBeam Security Service Switch
• Application firewall
  - CheckPoint Software
  - Microsoft ISA Server
The types of Firewall
• Stateless firewall
• Stateful firewall
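To make the stateless/stateful distinction concrete, here is an added Python example (not from the presentation or any vendor's code) that models both filters over constructed packets. It assumes a simplified TCP flag model and an "in"/"out" direction on each packet; the stateless filter uses a static "established" rule in the style of a router ACL, while the stateful filter admits inbound packets only when they belong to a connection an inside host opened.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset        # TCP flags, e.g. frozenset({"SYN", "ACK"})
    direction: str          # "out" = inside -> Internet, "in" = Internet -> inside


def _session_key(pkt):
    """Connection key written from the inside host's point of view, so an
    outbound packet and its reply map to the same key."""
    if pkt.direction == "out":
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    return (pkt.dst, pkt.dport, pkt.src, pkt.sport)


class StatelessFirewall:
    """Static ACL: no memory of connections, every packet judged alone."""
    def __init__(self, public_services):
        self.public_services = set(public_services)

    def allow(self, pkt):
        if pkt.direction == "out":
            return True
        if pkt.dport in self.public_services:
            return True
        # The classic "established" rule: trust the ACK/RST bits, because
        # nothing else is available to tell a reply from a forged packet.
        return "ACK" in pkt.flags or "RST" in pkt.flags


class StatefulFirewall:
    """Connection tracking: inbound traffic must match a tracked session."""
    def __init__(self, public_services):
        self.public_services = set(public_services)
        self.sessions = set()

    def allow(self, pkt):
        key = _session_key(pkt)
        if pkt.direction == "out":
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.sessions.add(key)      # inside host opened a connection
            elif "RST" in pkt.flags:
                self.sessions.discard(key)  # simplified teardown
            return True
        if pkt.dport in self.public_services:
            return True
        return key in self.sessions         # only replies to tracked sessions


# Constructed scenario: one legitimate web session, one published web server,
# and two unsolicited inbound packets aimed at SMB (port 445).
SCENARIO = [
    ("outbound-syn", Packet("10.0.0.5", 40000, "203.0.113.10", 80, frozenset({"SYN"}), "out")),
    ("reply-synack", Packet("203.0.113.10", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}), "in")),
    ("inbound-syn-public-web", Packet("198.51.100.9", 5555, "10.0.0.80", 80, frozenset({"SYN"}), "in")),
    ("inbound-syn-smb", Packet("198.51.100.9", 5556, "10.0.0.5", 445, frozenset({"SYN"}), "in")),
    ("forged-ack-to-smb", Packet("198.51.100.9", 1234, "10.0.0.5", 445, frozenset({"ACK"}), "in")),
]


def run_scenario():
    """Return {name: (stateless_decision, stateful_decision)} for the scenario."""
    stateless, stateful = StatelessFirewall({80}), StatefulFirewall({80})
    return {name: (stateless.allow(p), stateful.allow(p)) for name, p in SCENARIO}
```

The last packet is the one that matters: a stateless "established" rule passes any inbound packet carrying an ACK bit, while the stateful filter rejects it because no inside host ever opened that connection.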
PIX Firewall Topology
[Figure: perimeter network with the PIX Firewall between the outside network (Internet) and the inside network; labelled elements include WWW, DNS and email servers, an NT RAS server, Cisco Secure, a proxy server, and Java, ActiveX and URL blocking.]
Cisco PIX Firewall 525
• Supports up to eight 10/100 Fast Ethernet interfaces or three Gigabit Ethernet interfaces
• More than 330 Mbps of firewall throughput
• Handles more than 280,000 simultaneous sessions
• High-availability services
• Integrated hardware VPN acceleration
  - Up to 155 Mbps of Triple Data Encryption Standard (3DES) VPN throughput
  - 170 Mbps of Advanced Encryption Standard-256 (AES) VPN throughput
CheckPoint Express
SmartCenter SmartDashboard
Crossbeam Security Service Switch C30
• Supports 16 10/100 Ethernet interfaces and 2 fiber or copper Gigabit Ethernet interfaces
• High speed Ethernet backplane with stack ports to guarantee high bandwidth between the Network Interface Module and Application Module
• 2 Gbps of firewall throughput
• 2 10/100 management ports
• Broadcom BCM 1250 Network Processor and Pentium III 1.26 GHz
Accelerated, Integrated Depth-of-Defense
Intrusion Detection Systems
• Anomaly vs. signature detection
  - Anomaly detection: define normal, authorized activity, and consider everything else to be potentially malicious
  - Misuse/signature detection: explicitly define what activity should be considered malicious
  - Most commercial IDS products are signature-based
• Host vs. network-based
  - Host-based: “agent” software monitoring activity on hosts
  - Network-based: collects and analyzes data from the network
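An added Python example (not from the presentation or any IDS product) that runs a signature-based and an anomaly-based detector over constructed connection records, to show the trade-off the slide describes: signatures fire only on what they explicitly describe, while an anomaly profile learned from a constructed baseline flags everything unfamiliar, including a benign new internal service. The signatures, baseline traffic and event records are all constructed for this example.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed baseline of "normal, authorized activity": (src_ip, dst_port, request)
BASELINE = [
    ("10.0.0.5", 80, "/index.html"), ("10.0.0.5", 443, "/login"),
    ("10.0.0.6", 80, "/index.html"), ("10.0.0.6", 25, "MAIL FROM:<a@example.com>"),
    ("10.0.0.7", 80, "/images/logo.gif"), ("10.0.0.7", 443, "/account"),
    ("10.0.0.8", 80, "/index.html"), ("10.0.0.8", 80, "/about.html"),
]

# Constructed events to analyse.
EVENTS = [
    ("10.0.0.5", 80, "/index.html"),                     # benign
    ("198.51.100.9", 80, "/search?q=' OR 1=1 --"),       # matches a signature
    ("198.51.100.9", 80, "/../../etc/passwd"),           # matches a signature
    ("198.51.100.9", 1434, "(binary payload)"),          # no signature; unusual port
    ("10.0.0.6", 8080, "/new-intranet-app"),             # benign but new: anomaly false positive
] + [("198.51.100.9", 80, f"/page{i}") for i in range(40)]  # request flood

# Misuse signatures: each one explicitly describes a known-bad pattern.
SIGNATURES = {
    "sql-injection": re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I),
    "path-traversal": re.compile(r"\.\./"),
}


def signature_detect(events):
    """Signature/misuse detection: alert only on what a signature matches."""
    alerts = []
    for src, port, request in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                alerts.append((src, port, name))
    return alerts


class AnomalyProfile:
    """Anomaly detection: learn 'normal' from the baseline, flag everything else."""

    def __init__(self, baseline):
        self.ports = {port for _, port, _ in baseline}          # services seen in normal use
        per_source = Counter(src for src, _, _ in baseline)     # requests per source
        self.mu = mean(per_source.values())
        self.sigma = pstdev(per_source.values()) or 1.0         # avoid division by zero

    def detect(self, events, z=3.0):
        alerts = []
        for src, port, _ in events:
            if port not in self.ports:
                alerts.append((src, port, "unknown-service"))
        for src, n in Counter(src for src, _, _ in events).items():
            if (n - self.mu) / self.sigma > z:                  # far above the normal rate
                alerts.append((src, None, "rate-anomaly"))
        return alerts


def run_both(events=EVENTS, baseline=BASELINE):
    """Run both detectors so their different blind spots can be compared."""
    return {"signature": signature_detect(events),
            "anomaly": AnomalyProfile(baseline).detect(events)}
```

The signature detector misses the port 1434 probe and the flood entirely, while the anomaly detector catches both but also raises an alert on the new intranet service on port 8080, which is why tuning and a good baseline matter.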
IDS Sensor Placement
[Figure: four security sensors distributed across the corporate network (the Internet edge behind the PIX firewall and router, the web and email servers, and the engineering and finance segments) and at a remote office connected over an encrypted VPN through a service provider; the sensors raise alerts to the IDS Director in the network operation center. A hacker inside the network is shown as the threat.]
ANTIVIRUS SYSTEM
Annual Estimated Costs of Computer Virus Damage
[Figure: 1999 total $12.1 billion, of which Melissa $385m; 2000 total $17.5 billion, of which ILOVEYOU $6.7 billion.]
Sources: Total cost 1999: $12.1B, Computer Economics; Melissa: various sources. Total cost 2000: $1.5 T, Information Week Research fielded w/PricewaterhouseCoopers; 10 billion, Computer Economics.
Need an effective way to protect your corporate assets.
E-mail is now the biggest virus threat! 87% of viruses come from email!
*Source: ICSA (International Computer Security Association) Computer Virus Prevalence Survey 2000
Firewall’s functions
[Figure: the firewall stopping illegal entry: 1. Authentication, 2. Permission check]
What firewall can not do
• FireWall doesn’t check contents: “How can you find the bomb?”
Stop malicious code at the gateway
[Figure: the firewall combined with InterScan VirusWall stopping malicious code at the gateway]
SECURITY SCANNER SYSTEM
ISS Internet Scanner
• Automated network vulnerability assessment across servers, desktops, and infrastructure devices.
• Integration with Enterprise Protection Platform for distributed vulnerability assessment and IDS/IPS correlation.
• X-Force Security Intelligence
ISS Database Scanner
• Identifying security exposures in leading database applications.
• Runs independently of the database and quickly generates detailed reports with all the information needed to correctly configure and secure databases.
• Automated penetration testing
SECURITY CENTRAL MANAGEMENT SYSTEM
Solsoft Security Designer
• Security policy definition by drag-and-drop of rules and objects instead of manual, complex coding.
• Visual, object-oriented interface for creating firewall, firewall cluster, anti-spoofing, NAT, and VPN policies.
• Importing of existing maps, objects and policies
• Single security management application for all network security devices (switches, routers, firewalls, VPNs)
• Class and Meta Class definitions
• Security review on any network object
Solsoft Policy Server
• Policy Based Management
• Firewall and configuration including PKI and Pre-shared key support
• Support for cluster configurations
• Automatic validation and deployment of security rules
• Policy versioning
• Strong Auditing capabilities
• Simple import and migration between devices of different brands, including import from HP OpenView; NAT rules generation
• IPsec VPN
Solsoft Policy Server (Cont)
• Centralized repository
• User roles, privileges and workflow management
• Support for all major security device vendors including Cisco, Check Point Systems, NetScreen and Nortel Networks as well as a number of challengers
• Compatibility and interoperability with other network management systems
• IPsec VPN
Solsoft Policy Server (Cont)
Solsoft offers a true open platform for multi-vendor and multi-product support.
IDENTITY
The Expanding Access Environment
What is AAA?
• AUTHENTICATION – Who is allowed access?
• AUTHORIZATION – What are they allowed to do?
• ACCOUNTING – What did they do?
Cisco Access Control Server (ACS)
Cisco Secure ACS GUI
Putting All Together: THE SECURITY DESIGN SOLUTION FOR EXIMBANK
[Figure: network design. The head office (HỘI SỞ) is built around a Catalyst 4003 and 2 x Router 3640, protected by a PIX Firewall 525, a CrossBeam Firewall X45, an IDS 4235 and a security scanner, with a central management server. Servers shown: web server, mail relay, proxy, antivirus server, WebSense web cache, database server, server storage, CA server, application server and mail server, grouped into a DMZ module, a URL filter and antivirus module, an application server module, a database server & storage module and a management module. Branches at Chợ Lớn, Hà Nội, Đà Nẵng, Cần Thơ and Hòa Bình each connect over VPN through a Router 3620 with IOS Firewall.]
FUTURE PLAN
How Is TRUST Achieved?
A handshake meant trust. But now in an e-Business world... how do you build an infrastructure of trust?
Two-Factor Authentication Applications in Healthcare
[Figure: an RSA ACE/Server validating three access paths, each fronted by an RSA Agent: remote access (RAS), Internet access (through a VPN or firewall) and e-business / enterprise access, to intranet, mainframe, Unix and web server applications and resources.]
The Expanding RSA SecurID Family
• RSA SecurID hardware tokens
• RSA SecurID software tokens
• RSA SecurID smart cards
• RSA SecurID for the Palm Computing Platform
Intrusion Prevention System
• Assure the availability and security of desktops, application servers, and web service engines
• Real-time detection and prevention of network intrusions against networks
• Intelligent attack detection: identifying threats to business and blocking them
Network Activity Example
[Figure: overall activity of approximately 2.5 Gbytes/day, most of it noise “below the radar”; one effort is looking inside the noise.]
CiscoWorks Security Information Management Solution (CW SIMS)
Provides:
• Complete Event Monitoring for SAFE
• Real-time Event Correlation
• Advanced Visualization
• Integrated Threat Assessment
• Comprehensive Reporting & Forensics
• netForensics is a Primary Component of CW SIMS
netForensics SIM Technology
Powerful and flexible 3-tier architecture scales to any enterprise size
• All netForensics components are fully distributable from one server to many
• Console for centralized configuration, reporting & maintenance of software
• Agents perform event collection & normalization
• Engines aggregate & correlate events
• Integrated database facilitates reporting, auditing & analysis
• Master Engine supports visualization of correlated events
Eximbank security presentation
