Network Security: Putting Theory into Practice, the Wrong Way

John Iliadis
Network Security Admin
TEIRESIAS S.A.
Understand the theory
…sometimes even Engineers have to go back and
(re)comprehend the theory, to get things done

Understand the problem
Actually listen to the problem before providing a
solution.

Provide an integrated solution
A security mechanism per se is not a solution; it is
merely a tool (more about that later)
Problem: I want to protect confidentiality of data exchanged between network A and network B

[Diagram: Network A <-> Network Service Provider <-> Network B]
Problem: I want to protect confidentiality of data exchanged between network A and network B

Solution: OK, we'll implement an IPSec VPN, using preshared keys

[Diagram: Network A <-> Network Service Provider <-> Network B, with the VPN tunnel running across the service provider]
Problem: I want to protect confidentiality of data exchanged between network A and network B

Solution: I trade your problem with another: that of managing symmetric encryption keys

Problem: How does it sound if I send a sealed envelope with the new symmetric key every week by courier to the network admin of network B?

Solution: OK! I'll implement the IPSec VPN and you are done!

…exchanging one problem for another, easier problem to solve
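What the traded-in problem looks like in practice, as an added example that is not part of the original deck: once the tunnel uses preshared keys, somebody has to know whether every key was actually rotated on schedule, is long enough, and is not the same key quietly copied onto several tunnels. The inventory below is constructed (tunnel names, keys and dates are made up); the weekly interval follows the courier arrangement on the slide.

```python
"""Audit an IPsec pre-shared key (PSK) inventory against a weekly rotation policy.

Added example, not part of the original deck: once the VPN is chosen, the
confidentiality problem becomes a key-management problem, and this is the kind
of check that problem needs. Peer names, keys and dates below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Peer:
    name: str           # constructed tunnel name, e.g. "netA-to-netB"
    psk: str            # constructed sample key, not a real secret
    last_rotated: date  # date the key was last replaced on both ends


# Constructed inventory: one compliant tunnel, one stale tunnel that reuses the
# first tunnel's key, and one tunnel with a short, guessable key.
INVENTORY = [
    Peer("netA-to-netB", "7q!Vb2#Lm9$Xc4&Zp8^Ht1", date(2024, 6, 3)),
    Peer("netA-to-branch1", "7q!Vb2#Lm9$Xc4&Zp8^Ht1", date(2024, 5, 20)),
    Peer("netA-to-partner", "cisco123", date(2024, 6, 4)),
]

AUDIT_DATE = date(2024, 6, 5)  # constructed date on which the audit runs


def next_rotation_due(peer, max_age_days=7):
    """Date by which the courier (or whatever channel) must deliver a new key."""
    return peer.last_rotated + timedelta(days=max_age_days)


def audit_psks(peers, today, max_age_days=7, min_length=20):
    """Return {peer name: [issue codes]} for peers that violate the policy.

    Issue codes: "stale" (older than the rotation interval), "too-short"
    (below the minimum length) and "reused" (same key on more than one tunnel,
    so a compromise of one peer exposes the traffic of the others).
    """
    findings = defaultdict(list)
    peers_by_key = defaultdict(list)

    for p in peers:
        peers_by_key[p.psk].append(p.name)
        if (today - p.last_rotated).days > max_age_days:
            findings[p.name].append("stale")
        if len(p.psk) < min_length:
            findings[p.name].append("too-short")

    for names in peers_by_key.values():
        if len(names) > 1:
            for name in names:
                findings[name].append("reused")

    return dict(findings)


if __name__ == "__main__":
    for name, issues in audit_psks(INVENTORY, AUDIT_DATE).items():
        print(f"{name}: {', '.join(issues)}")
    for p in INVENTORY:
        print(f"{p.name}: next rotation due {next_rotation_due(p)}")
```

The reuse check is the one that tends to get forgotten: a weekly courier run keeps each key fresh, but does nothing if the same envelope content is used for every peer.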

"

#% '
$&

Problem
I want a HIGHLY
AVAILABLE network in
order to access Service
X over the Internet
(assuming Service X is
highly available)

Internet
Internet
!

"
Problem
I want a HIGHLY
AVAILABLE network in
order to access Service
X over the Internet
(assuming Service X is
highly available)

Solution
…just another day at
the office…

Switch A
Switch B
Router B
Router A

#% '
$&

Internet
Internet
ISP B
ISP B
ISP A
ISP A
!

"

#% '
&&

Switch B

Switch A

ISP B
ISP B
Router B
Router A

ISP A
ISP A
!

"

#% '
&&

Both lines follow
the same route to
the Computer
Room (same
building shaft)
Switch B

Switch A

ISP B
ISP B
Router B
Router A

ISP A
ISP A
!

"

#% '
&&

Switch B

Switch A

ISP B
ISP B
Router B
Router A

Single point of entry
Into the building

ISP A
ISP A
(

"

• User workstations should be equipped with
centrally managed software:
Antivirus
Antispyware
Firewall
Intrusion detection
Log consolidation
SW/HW Inventory
etc…

Switch
"

"

• No Layer 2 authentication
• The user brings his own, personal laptop
• to work without being “disrupted” by all this
annoying software
• to try some things he couldn’t do on the network
due to this annoying software

Switch
"

"

• Enforce 802.1x authentication
• Implement Port Security
• Trendy add-on: Network Admission
Control

Switch

X
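Whether the two controls above are actually enforced is something a config audit can answer. The following is an added example, not from the original deck: it parses a constructed IOS-style running-config (the command names are the ones Cisco IOS uses for 802.1x and port security; interface names, descriptions and VLAN numbers are made up) and lists every access port where either control is absent, which is exactly where an unmanaged personal laptop would simply get a link.

```python
"""Find access ports missing the controls the slide asks for: 802.1x and port security.

Added example, not from the original deck. RUNNING_CONFIG is a constructed
IOS-style fragment (interface names, descriptions and VLANs are made up). The
check lists each access port on which either control is absent.
"""

RUNNING_CONFIG = """\
!
interface GigabitEthernet0/1
 description Managed desktop
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 switchport port-security
 switchport port-security maximum 1
!
interface GigabitEthernet0/2
 description Meeting room wall port
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/3
 description Printer
 switchport mode access
 switchport port-security
!
interface GigabitEthernet0/24
 description Uplink to core
 switchport mode trunk
!
"""

# Control name -> command prefixes that count as enabling it on a port.
REQUIRED_CONTROLS = {
    "802.1x": ("authentication port-control auto", "dot1x port-control auto"),
    "port-security": ("switchport port-security",),
}


def parse_interfaces(config_text):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or another top-level command ends the block
    return interfaces


def audit_access_ports(config_text, required=REQUIRED_CONTROLS):
    """Return {port: [missing controls]} for access ports; trunks are out of scope."""
    findings = {}
    for name, commands in parse_interfaces(config_text).items():
        if "switchport mode access" not in commands:
            continue
        missing = [
            control for control, prefixes in required.items()
            if not any(cmd.startswith(p) for cmd in commands for p in prefixes)
        ]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for port, missing in audit_access_ports(RUNNING_CONFIG).items():
        print(f"{port}: missing {', '.join(missing)}")
```

Run against a real export the same way, but treat the result as a starting list: a printer port with port security but no 802.1x may be a deliberate exception (MAC authentication bypass, or a dedicated VLAN), and the audit should record why rather than silently accept it.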
1. A turnkey security solution
2. Automatic identification/notification of attacks
3. THE new security panacea (UTMs)

Being given a chance to:
1. identify potential attacks in traffic
2. review related host logs
3. decide if this is indeed a security issue
4. take action

• IDSs give us a chance to identify attacks and react
• Not much use if
  network traffic is not captured
  there is no experienced security personnel
  security personnel is not reviewing IDS logs

not much of a turnkey solution…
No Encryption: HTTP -> HTTP -> HTTP

Way too much encryption: HTTPS -> HTTPS -> HTTPS

Encryption/IDS Balance: HTTPS -> HTTPS -> HTTP
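The four steps listed above (identify in traffic, review host logs, decide, act) are a workflow, not a product feature, and they only work on the segments the IDS can actually read. As an added example that is not part of the original deck, the script below walks constructed IDS alerts through that workflow against constructed host authentication logs: the alert and log line formats are made up (timestamp first, then key=value fields), the addresses are documentation ranges, and the recommended actions are the author's own defender-side suggestions, not the deck's.

```python
"""Walk an IDS alert through the four steps on the slide: identify it in
traffic, review the related host logs, decide, take action.

Added example, not from the original deck. Both the IDS alert lines and the
host authentication lines are constructed samples in a simple made-up format;
addresses are from documentation ranges.
"""
import re
from datetime import datetime, timedelta

IDS_ALERTS = [
    '2024-06-05T10:00:05Z ALERT sid=1001 msg="SSH brute force" src=203.0.113.7 dst=10.0.0.5 dport=22',
    '2024-06-05T10:05:00Z ALERT sid=1001 msg="SSH brute force" src=198.51.100.23 dst=10.0.0.6 dport=22',
    '2024-06-05T10:07:30Z ALERT sid=2002 msg="Web shell upload" src=203.0.113.7 dst=10.0.0.9 dport=443',
]

# Consolidated host logs exist for 10.0.0.5 and 10.0.0.6 only; 10.0.0.9 ships nothing.
HOST_LOGS = [
    "2024-06-05T10:00:40Z host=10.0.0.5 sshd: Failed password for root from 203.0.113.7",
    "2024-06-05T10:01:02Z host=10.0.0.5 sshd: Accepted password for admin from 203.0.113.7",
    "2024-06-05T10:05:20Z host=10.0.0.6 sshd: Failed password for root from 198.51.100.23",
    "2024-06-05T10:05:25Z host=10.0.0.6 sshd: Failed password for admin from 198.51.100.23",
]

IDS_RE = re.compile(r'^(\S+) ALERT sid=(\d+) msg="([^"]*)" src=(\S+) dst=(\S+) dport=\d+$')
HOST_RE = re.compile(r"^(\S+) host=(\S+) sshd: (Accepted|Failed) \w+ for (\S+) from (\S+)$")

# Step 4 of the slide, spelled out per verdict (constructed defender's actions).
ACTIONS = {
    "confirmed": "isolate host, reset the accepted account, preserve logs for forensics",
    "attempted": "block source at the perimeter, confirm lockout/rate limiting on the host",
    "unverified": "check whether this host's logs are collected at all before closing",
}


def parse_time(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_alerts(lines):
    alerts = []
    for line in lines:
        m = IDS_RE.match(line)
        if m:  # malformed lines are dropped, never guessed at
            ts, sid, msg, src, dst = m.groups()
            alerts.append({"ts": parse_time(ts), "sid": sid, "msg": msg, "src": src, "dst": dst})
    return alerts


def parse_host_events(lines):
    events = []
    for line in lines:
        m = HOST_RE.match(line)
        if m:
            ts, host, outcome, user, src = m.groups()
            events.append({"ts": parse_time(ts), "host": host, "outcome": outcome,
                           "user": user, "src": src})
    return events


def triage(alert_lines, host_lines, window=timedelta(seconds=120)):
    """Return (sid, dst, verdict, evidence count) per alert.

    Evidence is any host event on the alert's destination, from the alert's
    source, within `window` after the alert. An accepted login makes the alert
    'confirmed'; only failures make it 'attempted'; no host evidence at all is
    'unverified', which is the situation the slide warns about.
    """
    events = parse_host_events(host_lines)
    results = []
    for a in parse_alerts(alert_lines):
        related = [e for e in events
                   if e["host"] == a["dst"] and e["src"] == a["src"]
                   and a["ts"] <= e["ts"] <= a["ts"] + window]
        if any(e["outcome"] == "Accepted" for e in related):
            verdict = "confirmed"
        elif related:
            verdict = "attempted"
        else:
            verdict = "unverified"
        results.append((a["sid"], a["dst"], verdict, len(related)))
    return results


if __name__ == "__main__":
    for sid, dst, verdict, n in triage(IDS_ALERTS, HOST_LOGS):
        print(f"sid {sid} on {dst}: {verdict} ({n} host events) -> {ACTIONS[verdict]}")
```

The third alert is the instructive one: the sensor fired, but with no host logs for that server the analyst cannot decide anything, which is the "not much use if" list on the slide turned into a concrete ticket.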
Problem: Alice needs to send a HIGHLY confidential mail to Bob once a month

Solution: PKI!
Neo takes the blue pill

[Diagram: Organisation with an Internal Zone (Good Guys) and an External Zone (Bad Guys)]

Neo takes the red pill
All services & users are born equal. Some are more equal than others
  Expected user experience
  Prerequisite (e.g. VoIP, NMS)
  QoS as a security mechanism (DoS, packet filtering alternative, …)
[Diagram: one Single Sign-On Island containing Services A, B, C, D, E, F, G, H, I, K]

[Diagram: Single Sign-On Island #1 and Single Sign-On Island #2, the same services split between the two]

Threat: unauthorised access
• Impact factor: 1/5
• Impact factor: 3/5
• Impact factor: 5/5
• Effect: Managers taking the wrong (security-wise) strategic decisions
• (Probable) Cause: YOU did not educate them regarding security matters

• Effect: Users not being security-conscious enough
• (Probable) Cause: YOU did not educate them in security matters and the HIGHER MANAGEMENT did not provide incentives and show commitment

• Effect: Stakeholders perceive Security as an obstacle to business
• (Probable) Cause: Security is not a goal in itself. YOU must treat it as a business enabler, before anyone else can
