CyberSecurity Short Course - Week 3


Enterprise Cyber Security Fundamentals

Presented by Matt Constable


Module 3
Enterprise Cyber Security Short Course
Based on the subject:
ITI581: IT Security Fundamentals

Part of the:
Master of Networking and Systems Administration
Master of Management (IT)
Overview
• Secure Design
• Defense in Depth
• The Perimeter
• System Security
• Network Security
• Best Practice Design Principles
Security Implementation
Defense in Depth
• *Many* models
Defense in Depth
• An information assurance (IA) concept in which multiple, independent layers of
security controls (defenses) are placed throughout an information
technology (IT) system.
https://en.wikipedia.org/wiki/Defense_in_depth_(computing)

• The idea: an attacker who defeats one layer still faces the next, so the
failure of any single control is not fatal
• Layers should differ in kind (network filtering, host hardening, monitoring),
not be several copies of the same control


Perimeter
• Closely associated principle
• The concept has changed radically
• Wireless/mobile technologies
• Internetworking/VPNs
• Where does it lie today?
• You must know where it is in order to be able to defend it
Implementing System Security
• A chain is only as strong as its weakest link
• Secure all individual systems
• Desktops
• Servers
• Mobile devices
• Laptops
Implementing System Security
• Personal (host) firewalls
• Most useful for desktops/laptops
• Windows Firewall, Linux netfilter (iptables/nftables), TCP Wrappers
• Servers are often protected by the enterprise firewall instead
• Host IDS
• Can cause issues if tuned too tightly (false positives block legitimate activity)!
Implementing System Security
• Malware protection
• Patch management
• AV/anti-spam/anti-spyware/anti-adware
• Phish filters
• Popup Blockers
• Safe web surfing
Implementing System Security
• Device Security
• Mainly physical
• Prevent prying eyes
• Theft prevention
• Data Security
• Encryption
• Screen locks
• Password protection
• Biometrics
• File/Share permissions
Implementing Network Security
Firewalls
• Filters packets against a defined set of criteria (addresses, ports, protocols, connection state)

• Designed to stop malicious or unauthorized packets from entering (or leaving) the network

• A firewall can be software-based or hardware-based


Firewall Principles
• The basis of a firewall is its rule base
• Establishes how each class of traffic is treated

• Stateless packet filtering
• Each packet is judged on its own against the rules; no memory of earlier packets
• Return traffic must therefore be permitted explicitly (e.g., high ports inbound), which widens exposure

• Stateful packet filtering
• Keeps connection state information (e.g., TCP handshake seen, UDP pseudo-sessions)
• Access is based on the connection state and the rule base, so replies for established
sessions are allowed without separate inbound rules
Firewall Principles
• Application layer
• Able to decode and understand layer 7 protocols (HTTP, DNS, SMTP, ...)
• Cannot see inside encrypted sessions (TLS/HTTPS, SSH) unless the firewall terminates or intercepts the encryption
• UTM
• All-in-one "wonder box"
• Firewall, IDS/IDP, AV, web content filtering
• True layer 7, and often more (content, user identity)
Firewall Necessities
• At a minimum must be application aware
• Layers 3 to 7

• Application fingerprinting
• Must correctly identify the applications flowing through by traffic contents, not just by port number

• Granular application control
• Must identify and characterize application features in order to control those applications
strictly (e.g., allow a service's read functions but block its file uploads)

• QoS
Core Functions
• NAT
• Static, dynamic, PAT
• Often debated as a valid security measure (it hides addresses but filters nothing by itself)

• Audit and logging
• Preferably to a separate, secured logging/management system, so an attacker who
compromises the firewall cannot erase the trail
• Can consume vast quantities of disk space
What else can Firewalls do?
• Malware blocking
• Detection, stopping, logging
• AV
• Used as an additional layer of defense in conjunction with other technologies
• IDS/IDP
• Again, as an addition to dedicated IDS/IDP devices
• URL filtering/caching
• Being at the perimeter, firewalls are perfectly placed for this
• Many firewalls do this well, which saves you a separate appliance
What else can Firewalls do?
• Spam filtering
• Similar to web filtering

• Wire-speed throughput
• The extra inspection must not turn the firewall into a bottleneck

Secure Firewall Design
• Irrespective of the type of firewall used, location is the most important
design factor
• Poorly placed firewalls = false sense of security
• All communications in/out of protected networks should flow through a
firewall
• Only authorized traffic is permitted to pass
• Be explicit with permissions; everything else is blocked (default deny)!
• Must fail closed!
• Must be able to recognize, resist and log attacks on itself
Rule Base Practices
• Build rules from most to least specific
• Rules are generally processed top to bottom and stop once a match is found, so a
broad rule placed above a narrower one "shadows" it and the narrow rule never fires
• Place the most active rules near the top (where specificity allows)
• Saves CPU and memory
• Drop unroutable packets without question
• Packets arriving from outside with RFC 1918 source addresses, with your own internal
addresses as source, or with broadcast destinations
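The rule-base practices above are easy to state and easy to get wrong in a live configuration. The following simulator is an added example (not from the slides or any vendor's firewall) that models first-match, top-to-bottom processing with a default deny, drops bogons from the outside interface before consulting the rules, and includes a shadowed-rule check that flags a narrower rule placed below a broader one that covers it. The interface names, addresses (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges), the DMZ host and the rule set are all constructed for illustration; the last rule is a deliberate ordering mistake.

```python
"""First-match firewall rule-base simulator (added example, not from the slides)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing for the example: "outside" is the Internet-facing interface,
# "inside" is the protected 10.0.0.0/8, and one DMZ web server is exposed on HTTPS.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
DMZ_WEB = "10.1.1.10"


@dataclass(frozen=True)
class Packet:
    iface: str                    # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "accept" or "drop"
    iface: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None   # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.iface in ("any", pkt.iface)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def is_bogon_from_outside(pkt: Packet) -> bool:
    """Unroutable on the outside interface: spoofed private/internal source, or broadcast destination."""
    if pkt.iface != "outside":
        return False
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    spoofed_src = any(src in net for net in RFC1918 + INTERNAL_NETS)
    broadcast_dst = dst == ip_address("255.255.255.255") or any(
        dst == net.broadcast_address for net in INTERNAL_NETS)
    return spoofed_src or broadcast_dst


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, str]:
    """Return (action, reason): bogon check first, then the first matching rule, else default deny."""
    if is_bogon_from_outside(pkt):
        return "drop", "bogon"
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "drop", "default-deny"


def shadowed_rules(rules: list[Rule]) -> list[str]:
    """Names of rules that can never fire because an earlier rule matches everything they match.

    A broad rule placed above a narrower one is the classic ordering bug. The check is
    conservative: a rule is reported only when one earlier rule covers every field of it.
    """
    def covers(broad: Rule, narrow: Rule) -> bool:
        return (broad.iface in ("any", narrow.iface)
                and ip_network(narrow.src).subnet_of(ip_network(broad.src))
                and ip_network(narrow.dst).subnet_of(ip_network(broad.dst))
                and broad.proto in ("any", narrow.proto)
                and (broad.dport is None or broad.dport == narrow.dport))

    return [later.name for i, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:i])]


# Constructed rule base. The last rule is a deliberate ordering mistake: it sits below a
# broad accept for the same interface and source, so it never fires. shadowed_rules()
# reports exactly this.
RULES = [
    Rule("allow-https-to-dmz-web", "accept", iface="outside", dst=f"{DMZ_WEB}/32", proto="tcp", dport=443),
    Rule("drop-ssh-from-outside", "drop", iface="outside", proto="tcp", dport=22),
    Rule("allow-inside-to-anywhere", "accept", iface="inside", src="10.0.0.0/8"),
    Rule("block-inside-to-telnet", "drop", iface="inside", src="10.0.0.0/8", proto="tcp", dport=23),
]

if __name__ == "__main__":
    for pkt in (Packet("outside", "203.0.113.5", DMZ_WEB, "tcp", 443),
                Packet("outside", "10.2.3.4", DMZ_WEB, "tcp", 443),        # spoofed internal source
                Packet("inside", "10.5.5.5", "198.51.100.9", "tcp", 23)):  # telnet out: wrongly accepted
        print(pkt, "->", evaluate(RULES, pkt))
    print("shadowed:", shadowed_rules(RULES))
```

The telnet packet from the inside is accepted even though a rule exists to drop it; that is the shadowing problem in miniature, and `shadowed_rules()` names the dead rule. Real firewalls apply the same first-match logic, so run a shadowing check every time the rule base changes, not just when something breaks.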
Intrusion Detection (IDS)
• Monitors for and identifies malicious traffic and activity
• Anything anomalous relative to the baseline, for example:
• Traffic
• Access or attempted access
• Unauthorized changes
• Unusual log messages or events
• File manipulation
• Elevation of rights
• System changes
• This list is not exhaustive
Threats that IDS protects against
• Attacks
• Unauthorized activity with malicious intent
• Network protocol attacks
• TCP flag exploits (e.g., invalid flag combinations used in scans)
• Fragmentation and reassembly tricks
• Application attacks
• Content obfuscation (encoding tricks meant to slip past signatures)
• Countered by normalizing data before matching
Threats that IDS cannot detect
• Attacks that use encryption (the payload is opaque to the sensor)
• "Misuse" attacks by authorized users
• Copying documents
• Posting documents to portals
• Social engineering
Types of IDS & Detection Models
• Anomaly detection
• Looks at patterns of behavior and flags changes or abnormalities against a baseline;
can catch novel attacks but is prone to false positives
• Signature
• Matches traffic against known attack patterns (signatures); precise, but blind to attacks it has no signature for
• Active
• Triggers some configurable action (alert, block, reset)
• Passive
• Logs/alerts only
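The two detection models and the active/passive split are easiest to compare side by side on the same data. The following is an added example (not from the slides or any IDS product) that runs a small signature set and a volume-based anomaly model over constructed web-access records. The signature patterns, the "training" period used for the baseline, the source addresses and the request lines are all made up for illustration; real signature sets are far larger and normalize encodings before matching, as the previous slide notes.

```python
"""Signature-based versus anomaly-based detection over constructed web-access records
(added example, not from the slides)."""
import re
import statistics
from collections import Counter

# Known-bad patterns (signature model). Constructed for the example; production rule
# sets are much larger and normalize encodings before matching.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-union": re.compile(r"union\s+select", re.IGNORECASE),
    "sqli-tautology": re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.IGNORECASE),
}


def signature_alerts(records):
    """Return (src, signature_name, request) for each record matching a known-bad pattern."""
    alerts = []
    for src, request in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                alerts.append((src, name, request))
    return alerts


def build_baseline(training):
    """Anomaly model: per-source request volume from a known-good period -> (mean, stdev)."""
    per_source = Counter(src for src, _ in training)
    values = list(per_source.values())
    return statistics.mean(values), statistics.pstdev(values)


def anomaly_alerts(records, baseline, k=3.0):
    """Sources whose request count exceeds mean + k*stdev of the baseline (k tunes sensitivity)."""
    mean, stdev = baseline
    threshold = mean + k * stdev
    per_source = Counter(src for src, _ in records)
    return sorted(src for src, n in per_source.items() if n > threshold)


def respond(sig_alerts, anom_alerts, mode="passive"):
    """Passive sensor: log only. Active sensor (IPS-style): also return the sources to block."""
    log = [f"SIG  {src} {name}: {request}" for src, name, request in sig_alerts]
    log += [f"ANOM {src}: request volume above baseline" for src in anom_alerts]
    block = sorted({src for src, _, _ in sig_alerts} | set(anom_alerts)) if mode == "active" else []
    return log, block


def _reqs(src, request, n):
    return [(src, request)] * n


# Constructed data. TRAINING is a quiet, known-good period; OBSERVED contains one low-volume
# SQL injection attempt, one traversal attempt, and a fast scraper fetching innocent URLs.
TRAINING = (_reqs("10.0.0.11", "GET /index.html", 3) + _reqs("10.0.0.12", "GET /about.html", 4)
            + _reqs("10.0.0.13", "GET /news.html", 5) + _reqs("10.0.0.14", "GET /contact.html", 6))

OBSERVED = (_reqs("10.0.0.11", "GET /index.html", 4)
            + [("10.0.0.12", "GET /login.php?user=admin' OR '1'='1")]   # signature hit, normal volume
            + _reqs("203.0.113.7", "GET /products.html", 20)              # anomaly hit, no signature
            + [("198.51.100.9", "GET /../../etc/passwd")])               # signature hit

if __name__ == "__main__":
    sigs = signature_alerts(OBSERVED)
    anoms = anomaly_alerts(OBSERVED, build_baseline(TRAINING))
    for line in respond(sigs, anoms, mode="active")[0]:
        print(line)
```

Note what each model misses: the injection attempt is a single request, so the anomaly model never sees it, while the scraper's URLs are harmless-looking, so no signature fires. That is why the two are normally deployed together, and why the active mode (blocking) should only be switched on after the anomaly threshold `k` has been tuned against real traffic.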
HIDS
• Installed on a host device
• Server, workstation, router, printer, gateway etc.
• Installs as a service/agent
• Intercepts and scans traffic before any other process on the host
• Excels at examining application layer interactions (it sees data after decryption)
• Real-time
• Continuously looks for attacks and events
• Takes up a lot of system resources
• Snapshot
• Takes periodic snapshots and shows the differences between a known good state and the
current (possibly corrupted) state
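The snapshot model above is, in practice, file integrity monitoring: hash every file in a known good state, then diff later snapshots against it. The following is an added example (not from the slides or any HIDS product) that does exactly that over a miniature host tree built in a temporary directory, so it runs anywhere. The file names, contents and the "compromise" applied between the two snapshots are constructed for illustration.

```python
"""Snapshot-style host integrity check (added example, not from the slides)."""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Map each regular file under root (path relative to root) to (sha256, permission bits)."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue                      # skip symlinks, sockets, devices
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            result[os.path.relpath(full, root)] = (digest.hexdigest(), stat.S_IMODE(st.st_mode))
    return result


def diff_snapshots(baseline, current):
    """Compare two snapshots; report added, removed, content-modified and permission-changed paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified, mode_changed = [], []
    for path in sorted(set(baseline) & set(current)):
        (b_hash, b_mode), (c_hash, c_mode) = baseline[path], current[path]
        if b_hash != c_hash:
            modified.append(path)
        elif b_mode != c_mode:
            mode_changed.append(path)         # same bytes, different permissions (e.g. made world-writable)
    return {"added": added, "removed": removed, "modified": modified, "mode_changed": mode_changed}


def _write(root, rel, text, mode=None):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)
    if mode is not None:
        os.chmod(full, mode)


def demo():
    """Build a constructed miniature host tree, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\n", 0o644)
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin no\n", 0o644)
        _write(root, "usr/bin/ls", "original binary bytes\n", 0o755)
        _write(root, "var/log/auth.log", "Accepted publickey for alice\n", 0o640)
        baseline = snapshot(root)             # the "known good" state

        # Simulated compromise: config weakened, binary trojaned, backdoor dropped,
        # log removed to cover tracks, and passwd made world-writable (bytes unchanged).
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin yes\n")
        _write(root, "usr/bin/ls", "trojaned binary bytes\n")
        _write(root, "tmp/.backdoor", "payload\n", 0o700)
        os.remove(os.path.join(root, "var/log/auth.log"))
        os.chmod(os.path.join(root, "etc/passwd"), 0o666)
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:13s} {paths}")
```

Two design points matter more than the hashing itself: the baseline must be stored off the host (and ideally signed), because an attacker with root can rewrite a local baseline to match the tampered files, and permission bits are worth recording separately from content, since a world-writable `/etc/passwd` with unchanged bytes is still a finding.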
NIDS
• Protects networks
• Most popular form of IDS
• Captures and analyzes live traffic
• Designed to protect more than one host (cf. HIDS)
• Configuration required to ensure detection and analysis is turned on
• Requires port-based traffic mirroring (a switch SPAN/mirror port or VLAN mirroring) or a
network tap to see the traffic
IPS
• Along with detection and reporting, an IPS can stop attacks in real time
• Can sometimes overreact!
• False positives then block legitimate traffic, so tune before enabling blocking
Which should I use?
• It depends...
• What do you want to protect?
• Host, subnet, entire network?
• Do you provide network services to customers or are you an enterprise?
• What is your network topology?
• Anomaly detection or signature?
• There is rarely one solution to a problem, but there is often a best
solution
UTM
• Unified Threat Management
• All in one security appliance
• Firewall
• Gateway AV
• IDS/IDP
• SMTP filtering
• Web filtering
• VPN
• Good against blended attacks (one event correlated across all engines)
• Reduces the complexity of deploying security services
• Also a single point of failure; size it for throughput with every engine enabled
Other “Tools”
Subnetting
• Decreased network traffic
• Flexibility
• Ease of troubleshooting
• Utilization of available addresses
• Less impact on routers
• Actual reflection of network topology or function
Advantages of Subnetting
• Security is enhanced by subnetting a single network
• Multiple smaller subnets isolate groups of hosts
• Network administrators can apply network security tools (filtering, ACLs) at subnet
boundaries
• Subnets also allow network administrators to hide the internal
network layout
VLANs – Layer 2 “subnets”
• Virtual LAN (VLAN)
• Layer 2 construct analogous to subnets
• A VLAN allows scattered users to be logically grouped together even though
they may be attached to different switches
• Can reduce network traffic and provide a degree of security similar to
subnetting, provided inter-VLAN traffic is forced through a filtering device
VLAN Example
DMZ
• Demilitarized Zone (DMZ)
• Used extensively in the modern world
• A separate network that sits between the untrusted outside and the secure
internal network, outside the internal "perimeter"
• Outside users can reach services in the DMZ but should not be able to enter the secure
network; DMZ hosts themselves get only the minimum access inward that they need
DMZ Example
More IP Tools
• Network Address Translation (NAT)
• Hides the IP addresses of internal devices from outside observers (obscurity, not filtering)
• Private addresses (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
• Not assigned to any specific user or organization
• Function as regular IP addresses on an internal network
• Not routed on the public Internet
NAC
• Network Access/Admission Control
• Examines the posture of users/devices before admitting them (patch level, AV, configuration)
• Policy-based examination
• Uses remediation zones
• Non-"healthy" hosts are redirected there
• "Fixes" applied before full access is granted
NAC Example
Proxy Servers
• Proxy server
• A computer system (or application program) that intercepts internal user
requests and then processes those requests on behalf of the user
• Goal is to hide the IP addresses of client systems inside the secure network
• Reverse proxy
• Does not serve internal clients but instead accepts incoming requests and routes them to
the correct internal server, hiding that server's address
Proxy v Reverse Proxy
Honeypots
• A computer, typically located in a DMZ, that is loaded with software
and data files that appear to be authentic
• Three primary purposes of a honeypot:
• Deflect attention
• Early warning of new attacks
• Examine attacker techniques
Honeypots
• Production or research based
• Information gained from honeypots can be both useful and
alarming
• Information gained from studies using honeypots can be helpful in
identifying attacker behavior and crafting defenses
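To make the "early warning" and "examine attacker techniques" purposes concrete, here is an added example (not from the slides or any honeypot project) of a minimal low-interaction honeypot: it listens on a port, presents a plausible service banner, records who connected and what they sent first, and hangs up. No real service runs behind it, so there is nothing to exploit; its value is that no legitimate user has any reason to connect. The banner text, the bound address and port, and the `probe()` client that stands in for a scanner are constructed for illustration.

```python
"""Minimal low-interaction TCP honeypot (added example, not from the slides)."""
import socket
import threading
import time

# Constructed bait banner. Nothing behind it is real, so there is nothing to exploit;
# the value is that no legitimate user should ever connect here.
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"


class Honeypot:
    def __init__(self, host="127.0.0.1", port=0):
        self.events = []                       # one dict per connection: who, when, what they sent
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))          # port 0: let the OS pick a free port
        self._sock.listen(5)
        self._sock.settimeout(0.2)             # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=2)
        self._sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        with conn:
            conn.settimeout(2.0)
            try:
                conn.sendall(FAKE_BANNER)      # look like a real service
                data = conn.recv(1024)         # record the client's first move, then hang up
            except OSError:
                data = b""
        event = {"time": time.time(), "src": peer[0], "src_port": peer[1],
                 "first_bytes": data[:128].decode("latin-1", "replace")}
        with self._lock:
            self.events.append(event)


def probe(port, payload=b"SSH-2.0-scanner_1.0\r\n"):
    """Stand-in for a scanner: connect, read the banner, send a client identification string."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        banner = s.recv(1024)
        s.sendall(payload)
    return banner


def demo():
    """Start the honeypot, hit it once with probe(), and return (banner seen, events recorded)."""
    hp = Honeypot().start()
    try:
        banner = probe(hp.port)
        for _ in range(50):                    # give the handler thread a moment to log the event
            if hp.events:
                break
            time.sleep(0.05)
        return banner, list(hp.events)
    finally:
        hp.stop()


if __name__ == "__main__":
    banner, events = demo()
    print("attacker saw:", banner)
    for e in events:
        print(f"{e['time']:.0f} {e['src']}:{e['src_port']} sent {e['first_bytes']!r}")
```

Each recorded event is a high-signal alert precisely because the service is fake. Place such a listener in the DMZ alongside real servers, ship its events to the same logging system the firewall and IDS use, and keep it on an isolated segment so that a honeypot that is ever compromised cannot become a stepping stone into the secure network.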
Next Week
• Physical Security, DR & BCP
• Physical security principles & concepts
• Introduction to Risk Analysis
• Risk Mitigation
• Understanding DR & BCP
Questions?
