blueprint for security chapter 6
TRANSCRIPT
12/06/56
1
Chapter 6 Blueprint for Security
and Network Defenses
Dr.Sukchatri PRASOMSUK
School of Information Technology and Communication,
University of Phayao
IS and Network Security
Resources from:
• Chapter 5, Principles of Information Security, Michael E. Whitman, 2009
• Chapter 5, Security+ Guide to Network Security Fundamentals, Third Edition, Mark Ciampa
Upon completion of this chapter you should be able to:
• Understand management's responsibilities and role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines
• Understand the differences between the organization's general information security policy and the requirements and objectives of the various issue-specific and system-specific policies
• Know what an information security blueprint is and what its major components are
• Understand how an organization institutionalizes its policies, standards, and practices using education, training, and awareness programs
• Become familiar with what a viable information security architecture is, what it includes, and how it is used
Slide 2
Management from all communities of interest must consider policies as the basis for all information security efforts
Policies direct how issues should be addressed and how technologies are used
Policies are the least expensive control to put in place, but often the most difficult to implement properly
Shaping policy is difficult because a policy must:
• Never conflict with laws
• Stand up in court, if challenged
• Be properly administered through dissemination and documented acceptance
Slide 3
A policy is a plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions, and other matters
Policies are organizational laws
Standards, on the other hand, are more detailed statements of what must be done to comply with policy
Practices, procedures, and guidelines effectively explain how to comply with policy
For a policy to be effective it must be properly disseminated, read, understood, and agreed to by all members of the organization
Slide 4
Management defines three types of security policy:
General or security program policy
Issue-specific security policies
Systems-specific security policies
Slide 5
Figure 6-1 – Policies Standards & Practices
Slide 6
A security program policy (SPP) is also known as:
• A general security policy
• IT security policy
• Information security policy
It sets the strategic direction, scope, and tone for all security efforts within the organization
It is an executive-level document, usually drafted by or with the CIO of the organization, and is usually 2 to 10 pages long
Slide 7
As various technologies and processes are implemented, certain guidelines are needed to use them properly
The issue-specific security policy (ISSP):
• addresses specific areas of technology
• requires frequent updates
• contains an issue statement on the organization's position on an issue
Three approaches to creating ISSPs:
• Create a number of independent ISSP documents
• Create a single comprehensive ISSP document
• Create a modular ISSP document
Slide 8
Typical components of an ISSP:
• Statement of Policy
• Authorized Access and Usage of Equipment
• Prohibited Usage of Equipment
• Systems Management
• Violations of Policy
• Policy Review and Modification
• Limitations of Liability
Slide 9
While issue-specific policies are formalized as written documents, distributed to users, and agreed to in writing, systems-specific policies (SysSPs) are frequently codified as standards and procedures used when configuring or maintaining systems
Systems-specific policies fall into two groups:
• Access control lists (ACLs) consist of the access control lists, matrices, and capability tables governing the rights and privileges of a particular user to a particular system
• Configuration rules comprise the specific configuration codes entered into security systems to guide the execution of the system
Slide 11
Both the Microsoft Windows NT/2000 and Novell NetWare 5.x/6.x families of systems translate ACLs into sets of configurations that administrators use to control access to their respective systems
ACLs allow access to be restricted by identity, location, and time, so that not just anyone, from anywhere, can reach a system
ACLs regulate:
• Who can use the system
• What authorized users can access
• When authorized users can access the system
• Where authorized users can access the system from
• How authorized users can access the system
Slide 12
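As an added example (not from the slides or either textbook), the five questions above can be answered by a small access control matrix evaluated in code. Every entry must match the subject, the object, the requested right, the time of day and the source network, and a request that matches no entry is denied by default. The users, group, resource name and addresses below are constructed for illustration.

```python
# Added example: an access-control matrix that answers who / what / when /
# where / how for each request. All names and addresses are constructed.
from dataclasses import dataclass
from datetime import time
import ipaddress


@dataclass
class AclEntry:
    subject: str                     # who: user or group name
    resource: str                    # what: the protected object
    rights: frozenset                # how: set of permitted operations
    start: time = time(0, 0)         # when: earliest permitted time of day
    end: time = time(23, 59, 59)     # when: latest permitted time of day
    from_net: str = "0.0.0.0/0"      # where: permitted source network


@dataclass
class Request:
    subject: str
    resource: str
    right: str
    at: time
    source_ip: str


def is_permitted(acl, req, groups=None):
    """True only if some entry grants every dimension of the request.
    Default deny: a request matching no entry is refused."""
    groups = groups or {}
    subjects = {req.subject} | set(groups.get(req.subject, ()))
    src = ipaddress.ip_address(req.source_ip)
    for e in acl:
        if e.subject not in subjects or e.resource != req.resource:
            continue                                   # wrong who / what
        if req.right not in e.rights:
            continue                                   # wrong how
        if not (e.start <= req.at <= e.end):
            continue                                   # wrong when
        if src not in ipaddress.ip_network(e.from_net):
            continue                                   # wrong where
        return True
    return False


# Constructed policy: the accounting group may read payroll data during
# business hours from the accounting subnet; one administrator may read and
# write it from anywhere at any time.
ACL = [
    AclEntry("accounting", "payroll.db", frozenset({"read"}),
             time(8, 0), time(18, 0), "192.168.1.0/24"),
    AclEntry("alice", "payroll.db", frozenset({"read", "write"})),
]
GROUPS = {"bob": ("accounting",)}


def check(subject, resource, right, hour, minute, source_ip):
    """Evaluate one request against the constructed ACL and group table."""
    req = Request(subject, resource, right, time(hour, minute), source_ip)
    return is_permitted(ACL, req, GROUPS)


if __name__ == "__main__":
    print(check("bob", "payroll.db", "read", 10, 0, "192.168.1.50"))   # allowed
    print(check("bob", "payroll.db", "read", 22, 0, "192.168.1.50"))   # wrong time
    print(check("bob", "payroll.db", "read", 10, 0, "10.0.0.5"))       # wrong network
```

Each `continue` branch corresponds to one of the five questions, which makes it easy to log why a request was refused; a real system would also record the decision for the audit trail the technical controls slide lists later.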
Rule policies are more specific to the operation of a system than ACLs
Many security systems require specific configuration scripts telling the systems what actions to perform on each set of information they process
Slide 13
Policies are living documents that must be managed and nurtured, and are constantly changing and growing
Documents must be properly managed
Special considerations should be made for organizations undergoing mergers, takeovers, and partnerships
In order to remain viable, policies must have:
• an individual responsible for reviews
• a schedule of reviews
• a method for making recommendations for reviews
• a specific effective and revision date
Slide 15
The classification of information is an important aspect of policy
The same protection scheme created to prevent production data from accidental release to the wrong party should be applied to policies in order to keep them freely available, but only within the organization
In today’s open office environments, it may be beneficial to implement a clean desk policy
A clean desk policy stipulates that at the end of the business day, all classified information must be properly stored and secured
Slide 16
At this point in the Security SDLC, the analysis phase is complete and the design phase begins – many work products have been created
Designing a plan for security begins by creating or validating a security blueprint
Then use the blueprint to plan the tasks to be accomplished and the order in which to proceed
Setting priorities can follow the recommendations of published sources, or from published standards provided by government agencies, or private consultants
Slide 17
One approach is to adapt or adopt a published model or framework for information security
A framework is the basic skeletal structure within which additional detailed planning of the blueprint can be placed as it is developed or refined
Experience teaches us that what works well for one organization may not precisely fit another
Slide 19
Another approach is described in the many documents available from the Computer Security Resource Center of the National Institute of Standards and Technology (csrc.nist.gov), including:
NIST SP 800-12 - An Introduction to Computer Security: The NIST Handbook
NIST SP 800-14 - Generally Accepted Principles and Practices for Securing Information Technology Systems
NIST SP 800-18 - Guide for Developing Security Plans for Information Technology Systems
Slide 21
VISA International promotes strong security measures and has security guidelines
It developed two important documents that improve and regulate its information systems: "Security Assessment Process" and "Agreed Upon Procedures"
Using the two documents, a security team can develop a sound strategy for the design of good security architecture
The only downside to this approach is its very specific focus on systems that can or do integrate with VISA's systems
Slide 22
Figure 6-16 – Spheres of Security
Slide 23
Generally speaking, the concept of the sphere is to represent the 360 degrees of security necessary to protect information at all times
The first component is the "sphere of use"
Information, at the core of the sphere, is available for access by members of the organization and other computer-based systems:
• To gain access to the computer systems, one must either directly access the computer systems or go through a network connection
• To gain access to the network, one must either directly access the network or go through an Internet connection
Slide 24
The "sphere of protection" overlays each of the levels of the "sphere of use" with a layer of security, protecting that layer from direct or indirect use through the next layer
The people must become a layer of security, a human firewall that protects the information from unauthorized access and use
Information security is therefore designed and implemented in three layers:
• policies
• people (education, training, and awareness programs)
• technology
Slide 25
Management Controls
• Program Management
• System Security Plan
• Life Cycle Maintenance
• Risk Management
• Review of Security Controls
• Legal Compliance
Operational Controls
• Contingency Planning
• Security ETA (education, training, and awareness)
• Personnel Security
• Physical Security
• Production Inputs and Outputs
• Hardware and Software Systems Maintenance
• Data Integrity
Technical Controls
• Logical Access Controls
• Identification, Authentication, Authorization, and Accountability
• Audit Trails
• Asset Classification and Control
• Cryptography
Slide 26
Other key technology components
A firewall is a device that selectively discriminates against information flowing into or out of the organization
The DMZ (demilitarized zone) is a no-man’s land, between the inside and outside networks, where some organizations place Web servers
In an effort to detect unauthorized activity within the inner network, or on individual machines, an organization may wish to implement Intrusion Detection Systems or IDS
Slide 31
Resource from: Chapter 5, Network Defenses, Security+ Guide to Network Security Fundamentals, Third Edition (Mark Ciampa)
Network Defenses
Slide 34
Explain how to enhance security through network design
Define network address translation and network access control
List the different types of network security devices and explain how they can be used
Slide 35
Crafting a Secure Network
Slide 36
Subnetting
IP addresses are actually two addresses: one part is a network address and one part is a host address
Subnetting or subnet addressing
Splits a large block of IP addresses into smaller groups
Slide 37
Image from Cisco CCNA Class 1
Slide 38
Image from Cisco CCNA class 1, modified. Figure: subnetting the college address block
• Whole College: 147.144.0.0/16, hosts 147.144.0.1 through 147.144.255.254
• CNIT Dept: 147.144.20.0/24, hosts 147.144.20.1 through 147.144.20.254
• Eng Dept: 147.144.51.0/24, hosts 147.144.51.1 through 147.144.51.254
Slide 39
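The figure's numbers can be reproduced with a few lines of code. This is an added example, not part of the slides or the CCNA material, and it uses only Python's standard-library `ipaddress` module: it splits an address into its network and host parts under a given prefix length, finds which department /24 a host belongs to, and lists the usable host range of a subnet (network and broadcast addresses excluded).

```python
# Added example: subnet arithmetic for the 147.144.0.0/16 block in the figure.
import ipaddress

COLLEGE = ipaddress.ip_network("147.144.0.0/16")


def split_network_host(addr, prefixlen):
    """Return (network in CIDR form, host number) of addr under prefixlen.
    The host number is the offset from the network address."""
    net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
    host = int(ipaddress.ip_address(addr)) - int(net.network_address)
    return str(net), host


def department_subnet(addr):
    """The /24 inside COLLEGE that contains addr, or None if addr is outside it."""
    ip = ipaddress.ip_address(addr)
    if ip not in COLLEGE:
        return None
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def host_range(subnet):
    """(first usable host, last usable host, count) for a subnet."""
    hosts = list(ipaddress.ip_network(subnet).hosts())
    return str(hosts[0]), str(hosts[-1]), len(hosts)


def same_subnet(a, b, prefixlen=24):
    """True if two hosts share a network under the given prefix length."""
    return split_network_host(a, prefixlen)[0] == split_network_host(b, prefixlen)[0]


def count_subnets(parent, new_prefix):
    """How many subnets of the given size fit in the parent block."""
    return sum(1 for _ in ipaddress.ip_network(parent).subnets(new_prefix=new_prefix))


if __name__ == "__main__":
    print(split_network_host("147.144.20.37", 24))   # ('147.144.20.0/24', 37)
    print(host_range("147.144.20.0/24"))             # ('147.144.20.1', '147.144.20.254', 254)
    print(same_subnet("147.144.20.5", "147.144.51.7"))  # False: CNIT vs Eng
```

`same_subnet` is the test a router (or a host's own routing table) effectively performs to decide whether a packet can be delivered directly or has to cross a router, which is where the monitoring and filtering between subnets described on the next slide happens.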
Each subnet can be isolated from the rest of the network
Traffic between subnets can be monitored and restricted at the routers
Subnets also allow network administrators to hide the internal network layout
Outsiders only see your public servers, not your private subnets
Slide 41
VLANs segment a network with switches, not routers
A VLAN allows scattered users to be logically grouped together even though they may be attached to different switches
VLANs can reduce network traffic and provide a degree of security similar to subnetting: VLANs can be isolated so that sensitive data is transmitted only to members of the VLAN
Slide 42
Figure: Accounting machines are on their own VLAN
Slide 44
VLAN communication can take place in two ways:
• All devices are connected to the same switch: traffic is handled by the switch itself
• Devices are connected to different switches: a special "tagging" protocol must be used, such as IEEE 802.1Q-2005
A VLAN is heavily dependent upon the switch for correctly directing packets
• Attackers could take control of the switch itself, if it has a default or weak password
• Specially crafted traffic can also "hop" from one VLAN to another
Slide 45
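The tagging protocol is simple enough to parse by hand, and doing so shows what "specially crafted traffic" means. An 802.1Q tag is four bytes inserted after the source MAC: a 2-byte TPID (0x8100) and a 2-byte TCI whose low 12 bits are the VLAN ID. The widely documented double-tagging form of VLAN hopping stacks two tags; a switch that strips the outer tag (because it matches the trunk's native VLAN) then forwards the frame into the VLAN named by the inner tag. The parser below is an added example, not from the slides or the textbook; the frames it decodes are constructed inline.

```python
# Added example: decode the IEEE 802.1Q tag stack on an Ethernet frame and
# flag double-tagged frames. Frames here are built by hand for illustration.
import struct

TPID_8021Q = 0x8100   # IEEE 802.1Q customer tag
TPID_QINQ = 0x88A8    # IEEE 802.1ad service tag (outer tag in provider bridging)


def parse_vlan_tags(frame):
    """Return (VLAN IDs outermost first, final EtherType, payload bytes).
    Each tag: 2-byte TPID, then a 2-byte TCI = 3-bit priority, 1-bit DEI,
    12-bit VLAN ID."""
    offset = 12                       # skip destination and source MAC
    vids = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_QINQ):
            break                     # not a tag: this is the real EtherType
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)     # mask off priority and DEI bits
        offset += 4
    return vids, ethertype, frame[offset + 2:]


def is_double_tagged(frame):
    """True for a frame carrying two or more stacked VLAN tags."""
    return len(parse_vlan_tags(frame)[0]) > 1


def build_frame(vids, pcp=0, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19):
    """Build a test frame with the given stack of VLAN IDs (outermost first).
    MAC addresses and payload are placeholders."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    print(parse_vlan_tags(build_frame([10]))[0])      # [10]
    print(is_double_tagged(build_frame([1, 20])))      # True: outer 1, inner 20
```

On a real switch the usual mitigations are to keep the native VLAN of every trunk unused by hosts and to disable automatic trunk negotiation on access ports, so that a double-tagged frame from an access port has no native VLAN to shed its outer tag into.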
Network convergence: telephone, data, and video all using the same IP network (Voice over IP, Video over IP)
Advantages:
• Cost savings
• Management
• Application development
• Infrastructure requirements
• Reduced regulatory requirements
• Increased user productivity
Slide 46
A demilitarized zone (DMZ) is a separate network that sits outside the secure network perimeter
Outside users can access the DMZ but cannot enter the secure network
Slide 48
Network address translation (NAT) hides the IP addresses of network devices from attackers
Private addresses are IP addresses not assigned to any specific user or organization
• They function as regular IP addresses on an internal network
• They are non-routable on the public Internet: traffic addressed to private addresses is discarded by Internet routers
Slide 51
NAT removes the private IP address from the sender’s packet
And replaces it with an alias IP address
When a packet is returned to NAT, the process is reversed
An attacker who captures the packet on the Internet cannot determine the actual IP address of the sender
Slide 52
Figure: NAT example
Private IP addresses: 192.168.1.101, 192.168.1.102, 192.168.1.103, 192.168.1.51 (NAT device at 192.168.1.1)
Address Translation (private address -> public IP address):
192.168.1.101 -> 147.144.1.101
192.168.1.102 -> 147.144.1.102
192.168.1.103 -> 147.144.1.103
192.168.1.151 -> 147.144.1.104
Slide 53
Port address translation (PAT) is normally performed along with NAT
Each packet is given the same public IP address but a different TCP port number
This allows many machines to share the same public IP address
Slide 54
Figure: PAT example
Internal hosts 192.168.1.101, 192.168.1.102, 192.168.1.103 and 192.168.1.51 sit behind a NAT device at 192.168.1.1 whose public address is 147.144.1.1
• Web browser: 192.168.1.101 Port 1100
• Email: 192.168.1.101 Port 1102
• Web browser: 192.168.1.103 Port 1100
Address Translation:
192.168.1.101 Port 1100 -> 147.144.1.1 Port 2100
192.168.1.101 Port 1102 -> 147.144.1.1 Port 2101
192.168.1.103 Port 1100 -> 147.144.1.1 Port 2102
Slide 55
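The translation table in the figure is all a PAT device really maintains. The following added example (not from the slides or the textbook) models it: outbound packets get the public address and a fresh port, replies are mapped back, and an inbound packet with no matching entry is dropped, which is the reason an outside attacker sees only 147.144.1.1 and cannot reach a private host unsolicited. The table is keyed on the full flow, so a reply is only accepted from the host the internal machine actually contacted; some NATs are more permissive, and that is a design choice of this example. The external addresses are documentation addresses chosen for the example.

```python
# Added example: a minimal PAT (NAT overload) table matching the figure's
# addresses. Packets and remote addresses are constructed for illustration.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Pat:
    def __init__(self, public_ip, first_port=2100):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (priv ip, priv port, remote ip, remote port) -> public port
        self.back = {}   # public port -> that same flow tuple

    def outbound(self, pkt):
        """Rewrite a packet leaving the private network; reuse the mapping
        if this flow has been seen before."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow not in self.out:
            port = self.next_port
            self.next_port += 1
            self.out[flow] = port
            self.back[port] = flow
        return replace(pkt, src_ip=self.public_ip, src_port=self.out[flow])

    def inbound(self, pkt):
        """Reverse the mapping for a reply. Returns None (drop) when no entry
        exists or when the sender is not the host the flow was opened to."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.back:
            return None
        priv_ip, priv_port, remote_ip, remote_port = self.back[pkt.dst_port]
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)


if __name__ == "__main__":
    pat = Pat("147.144.1.1")
    web = pat.outbound(Packet("192.168.1.101", 1100, "203.0.113.10", 80))
    print(web)                                   # src 147.144.1.1:2100
    print(pat.inbound(Packet("203.0.113.10", 80, "147.144.1.1", 2100)))
    print(pat.inbound(Packet("198.51.100.7", 4444, "147.144.1.1", 22)))  # None
```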
Network access control (NAC) examines a computer before it is allowed to connect to the network
Each computer must meet the security policy first, such as:
• Windows patches up to date
• Antivirus software installed
• Antispyware software installed
• Etc.
Any device that does not meet the policy is only allowed to connect to a "quarantine" network where the security deficiencies are corrected
Slide 56
Applying Network Security Devices
Slide 58
Firewalls
Proxy servers
Honeypots
Network intrusion detection systems
Host and network intrusion prevention systems
Protocol analyzers
Internet content filters
Integrated network security hardware
Slide 59
A firewall is typically used to filter packets, and is sometimes called a packet filter
It is designed to prevent malicious packets from entering the network
A firewall can be software-based or hardware-based
Hardware firewalls are usually located outside the network security perimeter, as the first line of defense
Slide 60
The basis of a firewall is a rule base, which establishes what action the firewall should take when it receives a packet (allow, block, or prompt)
Stateless packet filtering looks at the incoming packet and permits or denies it based strictly on the rule base
Stateful packet filtering keeps a record of the state of a connection between an internal computer and an external server, then makes decisions based on the connection as well as the rule base
Slide 62
Note: error in the textbook figure, left column, 3rd row: State = Established
Slide 64
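The difference between the two filtering modes, and what the "configuration rules" of a systems-specific policy look like once entered into a device, is easiest to see in code. This added example (not from the slides or the textbook) evaluates a constructed rule base statelessly and then wraps it in a connection-state table: the reply to an allowed outbound web connection is accepted by the stateful filter even though no rule permits traffic from the outside, while a packet that belongs to no known connection is dropped unless it is a new TCP SYN that the rule base allows. Addresses, rules and packets are constructed for illustration.

```python
# Added example: a rule base evaluated statelessly, and the same rule base
# combined with a connection-state table. Everything below is constructed.
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    syn: bool = False          # True on the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "block"
    src_net: str
    dst_net: str
    dst_port: Optional[int]    # None matches any destination port
    proto: str = "tcp"


def rule_matches(rule, pkt):
    return (pkt.proto == rule.proto
            and ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.src_net)
            and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(rule.dst_net)
            and rule.dst_port in (None, pkt.dst_port))


def stateless_decide(rules, pkt):
    """First matching rule wins; no match falls through to an implicit block."""
    for r in rules:
        if rule_matches(r, pkt):
            return r.action
    return "block"


class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()     # established flows as (src, sport, dst, dport)

    def decide(self, pkt):
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        # Packets of a connection already admitted pass in either direction
        # without consulting the rule base again.
        if flow in self.state or reverse in self.state:
            return "allow"
        # A TCP packet that is not a SYN and matches no connection is
        # mid-stream traffic we never saw the start of: drop it.
        if pkt.proto == "tcp" and not pkt.syn:
            return "block"
        action = stateless_decide(self.rules, pkt)
        if action == "allow":
            self.state.add(flow)
        return action


INTERNAL = "192.168.1.0/24"
# Constructed rule base: internal hosts may open web connections anywhere;
# everything else hits the implicit final block.
RULES = [Rule("allow", INTERNAL, "0.0.0.0/0", 80)]


if __name__ == "__main__":
    fw = StatefulFilter(RULES)
    print(fw.decide(Packet("192.168.1.101", 1100, "203.0.113.10", 80, syn=True)))  # allow
    reply = Packet("203.0.113.10", 80, "192.168.1.101", 1100)
    print(stateless_decide(RULES, reply), fw.decide(reply))   # block allow
```

A purely stateless filter would need an extra rule admitting inbound traffic from any address with source port 80, which is exactly the kind of hole attackers probe by sending packets from port 80 themselves; the state table removes the need for that rule.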
Most personal software firewalls today also filter outbound traffic as well as inbound traffic
Filtering outbound traffic protects users by preventing malware from connecting to other computers and spreading
But it can annoy users with frequent alerts asking whether a program may connect
Slide 65
Figure: a proxy server between a client and the Internet
• Client to proxy: "I want to see yahoo.com"
• Proxy: "I will get yahoo.com and save a copy" (fetches the page from the Internet)
• Proxy to client: "Here is my copy of yahoo.com"
Slide 66
With a proxy server, clients never directly connect to the Internet
This saves bandwidth, because one copy of a popular Web page can be used many times
It allows a company to block forbidden Web sites
It also prevents many attacks the same way NAT does, by hiding the clients' internal addresses
A reverse proxy does not serve clients but instead routes incoming requests to the correct server
Slide 67
Figure (reverse proxy): "Connect to Web server 1"
Slide 68
A honeypot is intended to trap or trick attackers
It is a computer typically located in a DMZ that is loaded with software and data files that appear to be authentic, yet are actually imitations of real data files
Three primary purposes of a honeypot:
• Deflect attention
• Early warnings of new attacks
• Examine attacker techniques
Slide 69
Network intrusion detection system (NIDS)
Watches for attempts to penetrate a network
NIDS work on the principle of comparing new behavior against normal or acceptable behavior
A NIDS looks for suspicious patterns
Passive intrusion detection just logs the traffic and sends alerts
Slide 70
An intrusion prevention system (IPS) finds malicious traffic and deals with it immediately
Also called active intrusion detection
A typical IPS response may be to block all incoming traffic on a specific port
Slide 72
Host intrusion prevention systems (HIPS) are installed on each system that needs to be protected
They rely on agents installed directly on the system being protected
They work closely with the operating system, monitoring and intercepting requests in order to prevent attacks
Slide 73
Most HIPS monitor the following desktop functions:
System calls
File system access
System Registry settings
Host input/output
HIPS are designed to integrate with existing antivirus, anti-spyware, and firewalls
HIPS provide an additional level of security that is proactive instead of reactive
Slide 74
Network intrusion prevention systems (NIPS) work to protect the entire network and all devices that are connected to it
By monitoring network traffic, a NIPS can immediately react to block a malicious attack
NIPS are special-purpose hardware platforms that analyze, detect, and react to security-related events
They can drop malicious traffic based on their configuration or security policy
Slide 75
Three ways of detecting a potential intrusion:
• Detecting statistical anomalies (unusual traffic)
• Examining network traffic for well-known patterns of attack (signatures)
• Using protocol analyzer technology
Protocol analyzers can fully decode application-layer network protocols
Parts of the protocol can then be analyzed for any suspicious behavior, such as an overly long User-Agent field in an HTTP GET request
Slide 76
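All three detection methods can be run over the same traffic, and a small HTTP decoder shows why protocol analysis catches things a raw signature scan misses. In this added example (not from the slides or the textbook) the request target is percent-decoded before signature matching, the User-Agent length limit is checked as a protocol sanity rule, and a per-source request count is treated as a statistical anomaly. The signatures, the 256-byte limit, the rate threshold and the sample requests are all constructed for the example; production sensors tune these per environment.

```python
# Added example: signature, protocol-analysis and statistical detection over
# constructed HTTP requests. Thresholds and sample traffic are illustrative.
import re
from collections import Counter
from urllib.parse import unquote

SIGNATURES = [
    ("sqli-union-select", re.compile(r"union\s+select", re.IGNORECASE)),
    ("path-traversal", re.compile(r"\.\./")),
]
MAX_USER_AGENT = 256     # protocol sanity limit chosen for this example
RATE_THRESHOLD = 5       # requests per source per window above which we alert
KNOWN_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS")


def parse_request(raw):
    """Minimal HTTP/1.x decoder: returns (method, target, headers dict with
    lower-cased names)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def signature_alerts(target):
    """Pattern matching on the decoded target, so %20 or %2f cannot hide a match."""
    decoded = unquote(target)
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def protocol_alerts(method, headers):
    """Checks that need the protocol decoded: field lengths and legal methods."""
    alerts = []
    if len(headers.get("user-agent", "")) > MAX_USER_AGENT:
        alerts.append("oversized-user-agent")
    if method not in KNOWN_METHODS:
        alerts.append("unknown-method")
    return alerts


def anomaly_alerts(events):
    """Sources whose request count in this window exceeds the threshold."""
    counts = Counter(src for src, _ in events)
    return {src for src, n in counts.items() if n > RATE_THRESHOLD}


def inspect_traffic(events):
    """events: list of (source_ip, raw_request). Returns (source, alert) pairs."""
    findings = []
    for src, raw in events:
        method, target, headers = parse_request(raw)
        for alert in signature_alerts(target) + protocol_alerts(method, headers):
            findings.append((src, alert))
    for src in anomaly_alerts(events):
        findings.append((src, "request-rate-anomaly"))
    return findings


def _req(target, ua="Mozilla/5.0"):
    return f"GET {target} HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: {ua}\r\n\r\n"


# Constructed sample window: one benign request, two signature hits, one
# oversized User-Agent, and one source sending six requests.
SAMPLE = [
    ("192.0.2.10", _req("/index.html")),
    ("192.0.2.20", _req("/search?q=1%20union%20select%20password")),
    ("192.0.2.21", _req("/static/..%2f..%2fetc/passwd")),
    ("192.0.2.40", _req("/", ua="A" * 300)),
] + [("192.0.2.30", _req(f"/page{i}")) for i in range(6)]


if __name__ == "__main__":
    for src, alert in inspect_traffic(SAMPLE):
        print(src, alert)
```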
Internet content filters
Monitor Internet traffic and block access to preselected Web sites and files
A requested Web page is only displayed if it complies with the specified filters
Unapproved Web sites can be restricted based on the Uniform Resource Locator (URL) or by matching keywords
Slide 77
Types of hardware security appliances:
• Dedicated security appliances provide a single security service
• Multipurpose security appliances provide multiple security functions
• Integrated network security hardware combines or integrates multipurpose security appliances with a traditional network device such as a switch or router
Integrated network security hardware is particularly attractive for networks that use IDS
Slide 79