architecting security across global networks
Post on 19-Jan-2017
Confidentiality level C1 | 8 August 2011
Architecting Security across global networks
Presented by Marco Ermini, 8 August 2011
A huge topic: where to start?
• This will not be about how to architect a network, or about network security in general - it is about network visibility.
• You land in this complex company (or you acquire it) and you divide your tasks:
1. Identify the networks
2. Identify the challenges
3. Identify the alternatives
“Divide et impera”
Architecting Security across global networks
Identify the networks
Identify the challenges
Identify the alternatives
Identify the networks
• Network maps anyone?
Identify the networks
• Asset DB anyone?
• Examples of our Asset DB:
– “OS”, “OS version number”, “support group”, “IP address” and “DB version” are free text fields
– “OS”: circa 240 counted, without including the version number!
   cs_os_name / cs_os_versionnumber (as entered)                 count
   SOLARIS 10 IDM-AP3-P | SOLARIS 10 9/10 10 9/10 | 10 9/10
   SOLARIS 10                                                      177
   SOLARIS 10 1/06                                                 820
   SOLARIS 10 10/08                                               1413
   SOLARIS 10 10/08 | SOLARIS 10 10/08                               1
   SOLARIS 10 10/09                                               1554
   SOLARIS 10 11/06                                               2164
   SOLARIS 10 3/05                                                  35
   SOLARIS 10 5/08                                                 259
   SOLARIS 10 5/08 | SOLARIS 10 5/08                                 3
   SOLARIS 10 5/09                                                 725
   SOLARIS 10 6/06                                                 278
   SOLARIS 10 8/07                                                 397
   SOLARIS 10 8/11                                                   3
   SOLARIS 10 9/10                                                3442
   SOLARIS 10 IDM-AP3-P | SOLARIS 10 9/10                            1
   SOLARIS 10 X64                                                   10
   SUN SOLARIS 10                                                    4
– “DB” and “Computers” counted as different entities
– 80+ support groups (!!!), many of which clearly legacy or duplicated
– No unique correspondence between Asset DB entry and physical reality
– IP address field has space for only one entry (!!!)
– No way to do an automatic import, therefore many departments don’t use it
– It relies on a special tool to fetch the data, but the tool is not ubiquitous
– Almost 35000 entries, but no one knows if the data is qualitatively relevant
– No one is accountable for the data, only for the Asset DB tool in itself
• There is a disconnection between who created and maintains the system, and the business objectives of it
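The free-text “OS” problem above is the kind of thing you can measure before you try to fix it. The following is an added example, not from the original slides: it parses the Solaris values from the excerpt into product, major version and update release and shows how many distinct raw strings collapse into how many real variants. The rows are constructed from the excerpt, and reading the trailing number as a record count is an assumption.

```python
"""Normalise free-text OS fields from an asset DB export and count what is left.

Added example, not from the original slides: it shows how free-text OS values
such as the Solaris excerpt on the slide collapse once product, major version
and update release are parsed into a canonical form. The rows below are
constructed from that excerpt; reading the trailing number as a record count
is an assumption.
"""
import re
from collections import Counter

# Constructed sample: (cs_os_name / cs_os_versionnumber as entered, record count).
SAMPLE_ROWS = [
    ("SOLARIS 10", 177),
    ("SOLARIS 10 1/06", 820),
    ("SOLARIS 10 10/08", 1413),
    ("SOLARIS 10 10/08 | SOLARIS 10 10/08", 1),
    ("SOLARIS 10 10/09", 1554),
    ("SOLARIS 10 11/06", 2164),
    ("SOLARIS 10 3/05", 35),
    ("SOLARIS 10 5/08", 259),
    ("SOLARIS 10 5/08 | SOLARIS 10 5/08", 3),
    ("SOLARIS 10 5/09", 725),
    ("SOLARIS 10 6/06", 278),
    ("SOLARIS 10 8/07", 397),
    ("SOLARIS 10 8/11", 3),
    ("SOLARIS 10 9/10", 3442),
    ("SOLARIS 10 IDM-AP3-P | SOLARIS 10 9/10", 1),
    ("SOLARIS 10 X64", 10),
    ("SUN SOLARIS 10", 4),
]

# Solaris 10 update releases are named month/year, e.g. "9/10" for September 2010.
_UPDATE_RE = re.compile(r"\b(\d{1,2})/(\d{2})\b")
_MAJOR_RE = re.compile(r"\bSOLARIS\s+(\d+)\b")


def normalise_os(raw):
    """Return (product, major, update) for one free-text value.

    Stray tokens (host names, architecture, a vendor prefix) are dropped. If
    the field was pasted twice, all copies must agree on the update release;
    otherwise the update is reported as "CONFLICT" so a human can look at it.
    """
    text = raw.upper()
    major = _MAJOR_RE.search(text)
    if not major:
        return ("UNKNOWN", None, None)
    updates = {f"{m}/{y}" for m, y in _UPDATE_RE.findall(text)}
    if len(updates) > 1:
        return ("SOLARIS", major.group(1), "CONFLICT")
    return ("SOLARIS", major.group(1), updates.pop() if updates else None)


def consolidate(rows):
    """Aggregate raw rows into canonical (product, major, update) -> record count."""
    totals = Counter()
    for raw, count in rows:
        totals[normalise_os(raw)] += count
    return totals


def quality_report(rows):
    """How many distinct raw values collapse into how many canonical ones."""
    totals = consolidate(rows)
    return {
        "raw_variants": len(rows),
        "canonical_variants": len(totals),
        "records": sum(count for _, count in rows),
        "records_without_update": totals.get(("SOLARIS", "10", None), 0),
        "conflicting_records": totals.get(("SOLARIS", "10", "CONFLICT"), 0),
    }


if __name__ == "__main__":
    for key, count in consolidate(SAMPLE_ROWS).most_common():
        print(f"{str(key):40} {count:6d}")
    print(quality_report(SAMPLE_ROWS))
```

On the excerpt, 17 raw strings become 12 canonical variants, and the 191 records with no update release at all are the ones nobody can patch-assess from the database alone.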
Identify the networks
Confidentiality level C1 | 8 August 201131
Identify the networks
• Which hosts are still used, which ones are legacy?
Confidentiality level C1 | 8 August 201132
Identify the networks
• Which hosts are still used, which ones are legacy?
• What is the usage of the hosts?
– Which one needs to stay on the same subnets/logical networks?
– Which one needs to be kept separated?
Confidentiality level C1 | 8 August 201133
Identify the networks
• Which hosts are still used, which ones are legacy?
• What is the usage of the hosts?
– Which one needs to stay on the same subnets/logical networks?
– Which one needs to be kept separated?
• Which vulnerabilities have the hosts?
– Can you detect them?
– Can you patch them?
Confidentiality level C1 | 8 August 201134
How is the network planned?
• Legacy not just in the hosts, also in the networks
• Was there a policy when the network was planned?
– Was the policy actually usable?
– Did they use it?
• Firewall based versus routing based
Firewall-based network
• Pros (supposed…):
– Each application/network is “separate”
– Only allowed IP/port pairs can establish a session
– Possible to implement a precise change management for firewall requests
– Possible to implement monitoring of connections
• Cons (certain!):
– Lots of firewalls are needed!
– Rules just accumulate, possibly duplicate and overlap and shadow each other
– Lots of personnel/operational effort
– Difficult to implement security/monitoring/compliance tools
– Waste of IP addresses
– Projects get bored and just ask for “allow all”
– No real visibility!
– No real security!
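The "rules accumulate, duplicate, overlap and shadow each other" problem is mechanical enough to check automatically. The following is an added example, not from the original slides: a small first-match rule-base analyser that reports redundant rules, rules shadowed by an earlier rule with the opposite action, and order-dependent partial overlaps. The Rule layout and SAMPLE_RULES are constructed for this example, including the “allow all” rule a bored project eventually asks for.

```python
"""Find redundant, shadowed and order-dependent rules in a first-match rule base.

Added example, not from the original slides: a minimal rule-base analyser of
the kind used to audit firewalls whose rules "just accumulate". The Rule
format and SAMPLE_RULES are constructed for this example and include the
"allow all" rule a bored project eventually asks for.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # source CIDR
    dst: str        # destination CIDR
    proto: str      # "tcp", "udp" or "any"
    ports: tuple    # inclusive destination port range (low, high)
    action: str     # "allow" or "deny"


def _proto_covers(outer, inner):
    return outer == "any" or outer == inner


def covers(outer, inner):
    """True when every packet matched by `inner` is also matched by `outer`."""
    return (_proto_covers(outer.proto, inner.proto)
            and outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]
            and ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst)))


def overlaps(a, b):
    """True when some packet is matched by both rules."""
    return ((a.proto == "any" or b.proto == "any" or a.proto == b.proto)
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1]
            and ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst)))


def analyse(rules):
    """Return [(rule, finding, earlier_rule)] under first-match semantics.

    redundant: an earlier rule with the same action already covers it.
    shadowed:  an earlier rule with the opposite action covers it, so it never
               fires and the policy does not do what its author believed.
    overlap:   partial overlap with an earlier rule of the opposite action; the
               result depends on rule order, so it deserves a second look.
    """
    findings = []
    for i, rule in enumerate(rules):
        covering = next((e for e in rules[:i] if covers(e, rule)), None)
        if covering is not None:
            kind = "redundant" if covering.action == rule.action else "shadowed"
            findings.append((rule.name, kind, covering.name))
            continue
        for earlier in rules[:i]:
            if earlier.action != rule.action and overlaps(earlier, rule):
                findings.append((rule.name, "overlap", earlier.name))
    return findings


def first_match(rules, proto, src, dst, port):
    """Simulate first-match evaluation of one flow; returns (rule, action) or None."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (_proto_covers(r.proto, proto) and r.ports[0] <= port <= r.ports[1]
                and s in ip_network(r.src) and d in ip_network(r.dst)):
            return (r.name, r.action)
    return None


# Constructed rule base, evaluated top to bottom.
SAMPLE_RULES = [
    Rule("R1", "10.1.0.0/24", "10.2.0.10/32", "tcp", (443, 443), "allow"),
    Rule("R2", "10.1.0.0/24", "10.2.0.10/32", "tcp", (443, 443), "allow"),   # copy of R1
    Rule("R3", "10.1.0.0/16", "10.2.0.0/24", "any", (1, 65535), "deny"),
    Rule("R4", "10.1.0.0/16", "0.0.0.0/0", "any", (1, 65535), "allow"),      # "allow all"
    Rule("R5", "10.1.5.0/24", "10.3.0.0/24", "tcp", (22, 22), "allow"),
    Rule("R6", "10.1.5.0/24", "10.3.0.0/24", "tcp", (22, 22), "deny"),
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_RULES):
        print(finding)
    print(first_match(SAMPLE_RULES, "tcp", "10.1.5.7", "10.3.0.9", 22))
```

The simulated flow at the end is the instructive one: R6 was written to deny it, but the earlier “allow all” R4 wins, which is exactly the “no real security” outcome the deck warns about.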
No real visibility
• You cannot really enforce protocols on the firewalls
• You cannot possibly TAP all of these interfaces
• Even if you TAP them, they will bypass you
• Projects tend to skip the processes if they are too complex
• When NAT/NAPT is used, it becomes complex to understand real sources and destinations
No real security
• You will have to choose what to protect and what not
• Often reduced to only “perimeter defence”
• Projects will tend to bypass monitored points, seeking simplicity in deployment
• If you enable logging on big pipes, you will get a huge amount of data
• Firewalls tend to become congestion points
• Subject to DoS attacks
• Often anti-spoofing is disabled – firewalls used as routers
• Do not understand OSI Layer 4 and above
• End-to-end encryption takes away the usefulness of the firewall
• Network borders are blurred
• Lacking proper access control mechanisms
Different security policy
• Divide the network into sensitivity zones
– Front ends, back ends, “crown jewels” area, office LAN access, guest access, etc.
• Simplify the requirements
– Identify what is really important and what can be “drawn together”
• Take the responsibility and accountability for simplification
• Secure the end point too!
• Employ better tools for network monitoring
– Database Activity Monitoring, Web Application Firewall, Network Forensics tools, etc.
– Application-aware tools – Next Generation Firewalls
– Select and slice the data that you want to analyse – in real time!
– Identify which user a traffic flow belongs to
– Deal with encryption
– Keep a forensic record of the traffic – you may need it!
– Produce NetFlow/PCAPs for SIEM tools
Example of simplified network segregation
• Traffic flows for delivered applications
– Internet application to allow customers’ self service provisioning
– Outsourced management of the office LAN to a third party
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
Confidentiality level C1 | 8 August 2011107
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
Confidentiality level C1 | 8 August 2011108
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
Confidentiality level C1 | 8 August 2011109
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
Confidentiality level C1 | 8 August 2011110
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
Confidentiality level C1 | 8 August 2011111
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
Confidentiality level C1 | 8 August 2011112
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
Confidentiality level C1 | 8 August 2011113
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
Confidentiality level C1 | 8 August 2011114
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
Confidentiality level C1 | 8 August 2011115
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
Confidentiality level C1 | 8 August 2011116
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
Confidentiality level C1 | 8 August 2011117
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
Confidentiality level C1 | 8 August 2011118
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
Confidentiality level C1 | 8 August 2011119
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
Confidentiality level C1 | 8 August 2011120
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
Confidentiality level C1 | 8 August 2011121
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
Confidentiality level C1 | 8 August 2011122
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
Confidentiality level C1 | 8 August 2011123
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
Confidentiality level C1 | 8 August 2011124
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
– NAC
Confidentiality level C1 | 8 August 2011125
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
– NAC
Confidentiality level C1 | 8 August 2011126
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
– NAC
– Database Activity Monitoring
Confidentiality level C1 | 8 August 2011127
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
– NAC
– Database Activity Monitoring
Confidentiality level C1 | 8 August 2011128
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
– NAC
– Database Activity Monitoring
– Vulnerability Scanners
Confidentiality level C1 | 8 August 2011129
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
– NAC
– Database Activity Monitoring
– Vulnerability Scanners
Confidentiality level C1 | 8 August 2011130
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
– NAC
– Database Activity Monitoring
– Vulnerability Scanners
– Two factors authentication
Confidentiality level C1 | 8 August 2011131
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
– NAC
– Database Activity Monitoring
– Vulnerability Scanners
– Two factors authentication
Confidentiality level C1 | 8 August 2011132
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
– NAC
– Database Activity Monitoring
– Vulnerability Scanners
– Two factors authentication
– Captive portal
Confidentiality level C1 | 8 August 2011133
Example of simplified network segregation
• Traffic flows for delivered applications
– Internet application to allow customers’ self-service provisioning
– Outsourced management of the office LAN to a third party
– Mobile customers with a dedicated APN, accessing a mobile management platform
• Security points of control
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS protection
– Session Registration
– NAC
– Database Activity Monitoring
– Vulnerability Scanners
– Two-factor authentication
– Captive portal
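The following is an added example, not code from the presentation or from any product it mentions. It ties together the earlier monitoring requirements (slice the traffic you want to analyse, identify which user a flow belongs to, produce NetFlow-style records for a SIEM) with the segregation plan above: each zone is a set of address ranges, each permitted zone-to-zone path is bound to the point of control that must sit on it, and every flow is attributed to an account through a NAC/AD session table before being emitted as a SIEM event. All CIDRs, hostnames, account names, the policy table and the flow records are constructed for the demo; a real deployment would feed the same logic from the NetFlow/NAC exports of the tools listed on the slides.

```python
import ipaddress
import json
from dataclasses import dataclass, asdict

# Hypothetical zone plan; every CIDR here is constructed for the example.
ZONES = {
    "front_end":    ["10.10.0.0/24"],
    "back_end":     ["10.20.0.0/24"],
    "crown_jewels": ["10.30.0.0/24"],
    "office_lan":   ["10.100.0.0/16"],
    "guest":        ["172.16.0.0/16"],
    "mobile_apn":   ["10.200.0.0/16"],
}
_NETS = {z: [ipaddress.ip_network(c) for c in cidrs] for z, cidrs in ZONES.items()}

# Permitted paths: (src zone, dst zone, dst port) -> point of control on that path.
# Anything not listed (and not intra-zone) is treated as a segregation violation.
POLICY = {
    ("internet",   "front_end",    443):  "WAF/DoS protection + NGFW",
    ("front_end",  "back_end",     8443): "NGFW/IPS",
    ("back_end",   "crown_jewels", 1521): "Database Activity Monitoring",
    ("office_lan", "front_end",    443):  "NAC + NGFW",
    ("mobile_apn", "back_end",     443):  "NGFW/IPS + session registration",
    ("guest",      "internet",     80):   "Captive portal",
    ("guest",      "internet",     443):  "Captive portal",
}

# Constructed NAC/AD session table: IP -> authenticated identity, i.e. the
# correlation of addresses and NAC tokens with real accounts.
SESSIONS = {
    "10.100.5.23": "CORP\\alice",
    "10.200.3.3":  "msisdn:+390000000001",
    "172.16.4.8":  "guest:visitor-042",
}

@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the plan is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in _NETS.items():
        if any(addr in n for n in nets):
            return zone
    return "internet"

def parse_flows(lines):
    """Parse minimal NetFlow-style CSV lines: ts,src,dst,dport,proto,bytes."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = line.split(",")
        flows.append(Flow(ts, src, dst, int(dport), proto, int(nbytes)))
    return flows

def evaluate(flow: Flow) -> dict:
    """Classify one flow against the zone policy and attribute it to a user."""
    szone, dzone = zone_of(flow.src), zone_of(flow.dst)
    if szone == dzone:
        verdict, control = "intra_zone", None
    else:
        control = POLICY.get((szone, dzone, flow.dport))
        verdict = "allowed" if control else "violation"
    user = SESSIONS.get(flow.src) or SESSIONS.get(flow.dst) or "unattributed"
    event = asdict(flow)
    event.update(src_zone=szone, dst_zone=dzone, user=user,
                 verdict=verdict, control=control)
    return event

def analyse(lines):
    return [evaluate(f) for f in parse_flows(lines)]

def violations(events):
    return [e for e in events if e["verdict"] == "violation"]

def to_siem_jsonl(events) -> str:
    """One JSON object per line, ready to ship to a SIEM collector."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)

# Constructed sample flows (not captured data).
SAMPLE_FLOWS = """\
# ts,src,dst,dport,proto,bytes
2011-08-08T10:00:01Z,203.0.113.45,10.10.0.12,443,tcp,5120
2011-08-08T10:00:02Z,10.10.0.12,10.20.0.7,8443,tcp,2048
2011-08-08T10:00:03Z,10.100.5.23,10.30.0.9,1521,tcp,90000
2011-08-08T10:00:04Z,172.16.4.8,198.51.100.20,443,tcp,1200
2011-08-08T10:00:05Z,10.200.3.3,10.20.0.7,22,tcp,300
""".splitlines()

if __name__ == "__main__":
    print(to_siem_jsonl(violations(analyse(SAMPLE_FLOWS))))
```

Run stand-alone it prints the two flows that break the plan: an office LAN workstation talking straight to the crown-jewels database (attributed to the NAC-authenticated account, which is what turns a source address into something an analyst can act on) and a mobile APN subscriber reaching the back end on a port the policy never opened. The allowed events still carry the name of the control that should have seen them, so a SIEM rule can cross-check that the WAF, DAM or captive portal actually logged the same session.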
Multiple applications deployment – old approach
Multiple applications deployment – new policy
Security Monitoring with the new policy
Next evolution?
• Fabric path interception
• Packets are routed and switched only on the main switching/routing instance
• There is no switching or routing happening on the access switch
• Capacity can scale to 768 x 10 Gb/sec ports
• However, real throughput depends on the fabric connectors (generally 40 Gb/sec)
• Could we do that?
Next evolution?
• Interchangeable 1+10 Gb/sec ports
• 10 Gb/sec iBypass HD
• Chassis-based bypass/load balancer
• Programmable bypass or TAP
• Higher port density xBalancer
• Real application detection on the xBalancer/Director Pro
• “Passive checks” for tool failures
• Correlation of sources/destinations/NAC tokens with real users (AD accounts)
• Truly distributed management, common to bypasses, TAPs, etc.
• APIs and connections with SIEM tools
Thank you