Planning for
Network Security
Security Planning
Susan Lincke
Security Planning: An Applied Approach | 6/21/2016 | 2

Objectives
The student should be able to:
Define attacks: script kiddy, social engineering, logic bomb, Trojan horse, phishing, pharming, war driving, war dialing, man-in-the-middle attack, SQL injection, virus, worm, rootkit, dictionary attack, brute force attack, DoS, DDoS, botnet, spoofing, packet replay.
Describe defenses: defense in depth, bastion host, content filter, packet filter, stateful inspection, circuit-level firewall, application-level firewall, de-militarized zone, multi-homed firewall, IDS, IPS, NIDS, HIDS, signature-based IDS, statistical-based IDS, neural network, VPN, network access server (RADIUS/TACACS), honeypot, honeynet, hash, secret key encryption, public key encryption, digital signature, PKI, vulnerability assessment.
Identify techniques (what they do): SHA1/SHA2, MD2/MD4/MD5, DES, AES, RSA, ECC.
Describe and define security goals: confidentiality, authenticity, integrity, non-repudiation.
Place each service's and server's data in the correct sensitivity class, with the roles that have access.
Define the services that can enter and leave the network.
Draw a network diagram with proper zones and security equipment.

The Problem of Network Security
The Internet allows an attacker to attack from anywhere in the world, from their home desk.
The attacker needs to find just one vulnerability; the security analyst needs to close every vulnerability.
Solution: Layered defense

Stages of a Cyber-Operation
Target Identification
• Opportunistic Attack: focuses on any easy-to-break-into site
• Targeted Attack: specific victim in mind
Reconnaissance
• Searches for a vulnerability that will work.
Gaining Access
Hiding Presence
Establish Persistence
Execution
Assessment

Hacking Networks: Reconnaissance Stage
Physical Break-In
Dumpster Diving
Google, Newsgroups, Web sites
Social Engineering
• Phishing: fake email
• Pharming: fake web pages
WhoIs Database & arin.net
Domain Name Server Interrogations

Example WhoIs record shown on the slide:
Registrant:
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
US
Domain name: MICROSOFT.COM
Administrative Contact:
Administrator, Domain domains@microsoft.com
One Microsoft Way
Redmond, WA 98052
US
+1.4258828080
Technical Contact:
Hostmaster, MSN msnhst@microsoft.com
One Microsoft Way
Redmond, WA 98052 US
+1.4258828080
Registration Service Provider:
DBMS VeriSign, dbms-support@verisign.com
800-579-2848 x4
Please contact DBMS VeriSign for domain updates, DNS/Name
changes, and general domain support questions.
Registrar of Record: TUCOWS, INC.

Hacking Networks: Reconnaissance Stage
War Driving: Can I find a wireless network?
War Dialing: Can I find a modem to connect to?
Network Scanning: What IP addresses, open ports, and applications exist?
Protocol Sniffing: What is being sent over communications lines?

Passive Attacks
Eavesdropping: Listen to packets from other parties = Sniffing
Traffic Analysis: Learn about the network from observing traffic patterns
Footprinting: Test to determine software installed on a system = Network Mapping
[Figure: Jennie, Carl and Bob on a shared network; a login "Login: Ginger Password: Snap" passes in the clear and can be read by a third party listening on the line]

Hacking Networks: Gaining Access Stage
Network Attacks:
IP Address Spoofing
Man-in-the-Middle
System Attacks:
Buffer Overflow
Password Cracking
SQL Injection
Web Protocol Abuse
Watering Hole Attack
Trap Door
Virus, Worm, Trojan horse
[Figure: brute-force password guessing enumerates every string in order: a, aa, ab, ac, ..., ba, bb, ..., aaa, aab, aac, ...]

Some Active Attacks
Denial of Service: Message did not make it; or service could not run
Masquerading or Spoofing: The actual sender is not the claimed sender
Message Modification: The message was modified in transmission
Packet Replay: A past packet is transmitted again in order to gain access or otherwise cause damage
[Figure: four panels (Denial of Service, Spoofing, Message Modification, Packet Replay) with Joe sending to Ann and Bill as the attacker; in the Spoofing panel the sender appears as "Joe (Actually Bill)"]

Man-in-the-Middle Attack
[Figure: hosts 10.1.1.1 and 10.1.1.3 with 10.1.1.2 between them. (1) Login, (2) Login relayed; (3) Password, (4) Password relayed: each message passes through the host in the middle, which sees it and forwards it]

SQL Injection
Java Original:
"SELECT * FROM users_table WHERE username=" + "'" + username + "'" + " AND password = " + "'" + password + "'";

Inserted Password: Aa' OR ''='
Java Result:
SELECT * FROM users_table WHERE username='anyname' AND password = 'Aa' OR ''='';

Inserted Password: foo';DELETE FROM users_table WHERE username LIKE '%
Java Result:
SELECT * FROM users_table WHERE username='anyname' AND password = 'foo'; DELETE FROM users_table WHERE username LIKE '%'

Inserted entry: '|shell("cmd /c echo " & char(124) & "format c:")|'

[Figure: login form "Welcome to My System" with Login and Password fields]
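To make the slide's first payload concrete, the following is an added Python example (not code from the slides or the author) that runs `Aa' OR ''='` against the concatenated query and against a parameterised one. It uses an in-memory SQLite table constructed for the demo; the table name users_table and the account name anyname follow the slide, while the stored password, the function names and the use of SQLite are assumptions.

```python
import sqlite3

PAYLOAD = "Aa' OR ''='"          # the first injected password from the slide

def make_db() -> sqlite3.Connection:
    """Constructed sample data: one account in an in-memory users_table.
    Passwords are kept in clear text only to mirror the slide's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users_table VALUES ('anyname', 'correct horse')")
    return conn

def build_query(username: str, password: str) -> str:
    """The slide's concatenation, character for character."""
    return ("SELECT * FROM users_table WHERE username=" + "'" + username + "'"
            + " AND password = " + "'" + password + "'")

def login_vulnerable(conn, username: str, password: str) -> bool:
    """Accepts the login when the concatenated query returns any row."""
    rows = conn.execute(build_query(username, password)).fetchall()
    return len(rows) > 0

def login_safe(conn, username: str, password: str) -> bool:
    """Parameterised query: the values travel separately from the SQL text,
    so a quote inside them is data, never syntax."""
    rows = conn.execute(
        "SELECT * FROM users_table WHERE username=? AND password = ?",
        (username, password)).fetchall()
    return len(rows) > 0

def demo() -> dict:
    conn = make_db()
    return {
        "query_seen_by_database": build_query("anyname", PAYLOAD),
        "vulnerable_accepts_payload": login_vulnerable(conn, "anyname", PAYLOAD),
        "vulnerable_rejects_wrong_password": not login_vulnerable(conn, "anyname", "wrong"),
        "safe_rejects_payload": not login_safe(conn, "anyname", PAYLOAD),
        "safe_accepts_real_password": login_safe(conn, "anyname", "correct horse"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The tautology `''=''` makes the WHERE clause true for every row, so the concatenated query logs the attacker in as anyname without the password; the parameterised version compares the literal string `Aa' OR ''='` with the stored password and rejects it.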

Review: Password Cracking: Dictionary Attack & Brute Force
Pattern | Calculation | Result | Time to Guess (2.6x10^18/month)
Personal Info: interests, relatives | | 20 | Manual 5 minutes
Social Engineering | | 1 | Manual 2 minutes
American Dictionary | | 80,000 | < 1 second
4 chars: lower case alpha | 26^4 | 5x10^5 |
8 chars: lower case alpha | 26^8 | 2x10^11 |
8 chars: alpha | 52^8 | 5x10^13 |
8 chars: alphanumeric | 62^8 | 2x10^14 | 3.4 min.
8 chars: alphanumeric + 10 | 72^8 | 7x10^14 | 12 min.
8 chars: all keyboard | 95^8 | 7x10^15 | 2 hours
12 chars: alphanumeric | 62^12 | 3x10^21 | 96 years
12 chars: alphanumeric + 10 | 72^12 | 2x10^22 | 500 years
12 chars: all keyboard | 95^12 | 5x10^23 |
16 chars: alphanumeric | 62^16 | 5x10^28 |
Source: NIST SP 800-118 Draft
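The table's arithmetic is worth being able to reproduce when a password policy is argued over. The following added Python example (not from the slides) recomputes the keyspace and worst-case search time for the table's character sets at the table's rate of 2.6x10^18 guesses per month, and adds the entropy in bits so a dictionary of 80,000 words can be compared with random strings. The month length, the describe() thresholds and all function names are assumptions.

```python
import math

GUESSES_PER_MONTH = 2.6e18              # rate assumed by the table above
HOURS_PER_MONTH = 365.25 * 24 / 12      # assumption: average calendar month

CHARSETS = {                            # pattern name -> alphabet size, as in the table
    "lower case alpha": 26,
    "alpha": 52,
    "alphanumeric": 62,
    "alphanumeric + 10": 72,
    "all keyboard": 95,
}

def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates a brute-force search must cover: alphabet_size ** length."""
    return alphabet_size ** length

def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace; lets a word list be compared with random strings."""
    return length * math.log2(alphabet_size)

def hours_to_exhaust(alphabet_size: int, length: int, rate: float = GUESSES_PER_MONTH) -> float:
    """Worst-case time to try every candidate at `rate` guesses per month."""
    return keyspace(alphabet_size, length) / rate * HOURS_PER_MONTH

def describe(hours: float) -> str:
    """Human-readable duration for a table cell."""
    if hours < 1 / 3600:
        return "< 1 second"
    if hours < 1 / 60:
        return f"{hours * 3600:.0f} seconds"
    if hours < 1:
        return f"{hours * 60:.1f} min."
    if hours < 24:
        return f"{hours:.1f} hours"
    if hours < 24 * 365.25:
        return f"{hours / 24:.0f} days"
    return f"{hours / (24 * 365.25):.0f} years"

def table(lengths=(4, 8, 12, 16)):
    """Recompute the slide's rows: (pattern, keyspace, hours) for each length and charset."""
    rows = []
    for length in lengths:
        for name, size in CHARSETS.items():
            rows.append((f"{length} chars: {name}", keyspace(size, length),
                         hours_to_exhaust(size, length)))
    return rows

if __name__ == "__main__":
    print(f"80,000-word dictionary: {math.log2(80000):.1f} bits")
    for pattern, space, hours in table():
        print(f"{pattern:28} {space:10.1e} {describe(hours)}")
```

A dictionary of 80,000 words carries about 16.3 bits, less than four random lowercase letters (18.8 bits); the times the table prints grow by a factor of the alphabet size for every extra character, which is why length does more than symbol variety.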

Hacking Networks: Hiding Presence; Establishing Persistence
Backdoor: Control system: system commands, log keystrokes, passwords
Trojan Horse: Useful utility actually creates a backdoor.
User-Level Rootkit: Replaces system executables: e.g. login, ls, du
Kernel-Level Rootkit: Replaces OS kernel: e.g. process or file control to hide
Bot: Command & Control; slave forwards/performs commands; spread & infect, list email addresses, DDoS attacks
Spyware/Adware: Spyware: Keystroke logger collects info: passwords, credit card numbers. Adware: insert ads, filter search results

Bots & Distributed Denial of Service
[Figure: an Attacker controls a Handler, which commands Zombies in Russia, Bulgaria and the United States; the zombies all flood the Victim]
Zombies can barrage a victim server with requests, causing the network to fail to respond to anyone.

Question
An attack where multiple computers send connection packets to a server simultaneously to slow the firewall is known as:
1. Spoofing
2. DDOS
3. Worm
4. Rootkit

Question
A man in the middle attack is implementing which additional type of attack:
1. Spoofing
2. DoS
3. Phishing
4. Pharming

NETWORK SECURITY
Network Defense
Encryption

Security: Defense in Depth
Border Router
Perimeter firewall
Internal firewall
Intrusion Detection System
Policies & Procedures & Audits
Authentication
Access Controls

Bastion Host
Computer fortified against attackers:
Applications turned off
Operating system patched
Security configuration tightened

Attacking the Network
What ways do you see of getting in?
[Figure: The Internet connects through a Border Router/Firewall to a De-Militarized Zone and a Commercial Network; a WLAN and an Internal Firewall lead to the Private Network]

Filters: Firewalls & Routers
[Figure: "The good, the bad & the ugly...": a Filter passes The Good and stops The bad & the ugly]
Route Filter: Verifies source/destination IP addresses
Packet Filter: Scans headers of packets
Content Filter: Scans contents of packet (e.g., IPS)
Default Deny: Any packet not explicitly permitted is rejected
Fail Safe or Fail Secure: If the router fails, it fails shut

Packet Filter Firewall
[Figure: sample packets arriving at a packet filter firewall, some passed and some dropped on header inspection: Web Request, Web Response, Email Connect Request, Email Response, DNS Request, SSH Connect Request, Telnet Request, FTP request, Ping Request, Microsoft NetBIOS Name Service, Illegal Source IP Address, Illegal Dest IP Address]

Informal Path of Logical Access
[Figure: who reaches which service. Students & Instructors log in to Desire2Learn; the Public (potential students, graduates) use the Public Web; Advisors & Registrars and Students & Instructors use Register; Staff and Nurses use Health Services; a Lab, the Campus Library and PoS are also shown. Legend: Public, Private, Confidential]

Step 1: Determine Services: Who, What, Where?
Workbook
Service (e.g., web, sales database) | Source (e.g., home, world, local computer) | Destination (local server, home, world, etc.)
Registration, Desire2Learn | Students and Instructors: Anywhere in the World | Computer Service Servers
Registration | Registrars and Advisers: On campus | Computer Service Servers
Health Services | On campus: nurses office | Computer Service Servers
External (Internet) web services | On campus: Campus labs, dorms, faculty offices | Anywhere in the world
Library databases | On campus students and staff. Off-campus requires login | Specific off-site library facilities

Step 2: Determine Sensitivity of Services
Workbook
Service Name (E.g., web, email) | Sensitivity Class (E.g., Confidential) | Roles (E.g., sales, engineering) | Server (*=Virtual)
Desire2-Learn | Private | Current Students, Instructors | Student_Scholastic
Registration | Confidential | Current Students, Registration, Accounting, Advising, Instructors | Student_Register
Health Service | Confidential | Nurses | Health_Services
Web Pages: activities, news, departments, ... | Public | Students, Employees, Public | Web_Services*

Isolation & Compartmentalization
Compartmentalize network
• by Sensitivity Class & Role
Segment Network into Regions = Zones
• E.g., DMZ, wireless, Payment Card
Isolate Apps on Servers:
• physical vs. virtual (e.g. VMware)
• Virtual Servers combine onto one Physical server. Each virtual server has its own OS and a limited section of disk.
• Hypervisor software is the interface between the virtual system's OS and the real computer's OS.

Multi-Homed Firewall: Separate Zones
[Figure: the Internet enters through a Screening Device (Router) to a Screened Host firewall with IPS. Separate firewall interfaces lead to the Demilitarized Zone (External DNS, Web Server, Email Server), a Private Payment Card Zone (ECommerce), and a Protected Internal Network Zone (Database/File Servers, watched by an IDS)]
The router serves as a screen for the Firewall, preventing Denial of Service attacks to the Firewall.

Step 3: Allocate Network Zones
Workbook (You may delete or add rows as necessary)
Zone | Services | Zone Description
Internet | | This zone is external to the organization.
De-Militarized Zone | Web, Email, DNS | This zone houses services the public are allowed to access in our network.
Wireless Network | Wireless local employees | This zone connects wireless/laptop employees/students (and crackers) to our internal network. They have wide access.
Private Server Zone | Databases | This zone hosts our student learning databases, faculty servers, and student servers.
Confidential Zone | Payment card, health, grades info | This highly-secure zone hosts databases with payment and other confidential (protected by law) information.
Private User Zone | Wired staff/students | This zone hosts our wired/fixed employee/classroom computer terminals. They have wide univ. & external access.
Student Lab Zone | Student labs | This zone hosts our student lab computers, which are highly vulnerable to malware. They have wide access.

Step 4: Define Controls
Workbook
Zone | Server (*=Virtual) | Service | Required Controls (Conf., Integrity, Auth., Nonrepud., with tools: e.g., Encryption/VPN, hashing, IPS)
DeMilitarized Zone | Web_Services*, Email_Server, DNS_Server | Web, Email, DNS | Hacking: Intrusion Prevention System, Monitor alarm logs, Anti-virus software within Email package.
Wireless Network | | Wireless local users | Confidentiality: WPA2 Encryption. Authentication: WPA2 Authentication
Private Server Zone | StudentScholastic, Student_Files, Faculty_Files | Classroom software, Faculty & student storage. | Confidentiality: Secure Web (HTTPS), Secure Protocols (SSH, SFTP). Authentication: Single Sign-on through TACACS. Hacking: Monitor logs
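Steps 1 to 4 produce tables that a reviewer has to cross-check by hand: is every confidential service in the confidential zone, and is anything reachable from the Internet without a login other than the DMZ? The following added Python example (not part of the workbook or the slides) encodes a few of the workbook rows and runs those checks, then derives the zone-to-zone flows a default-deny firewall would have to permit. The zone names follow Step 3; the requires_login flags, the set of untrusted zones and the function names are assumptions made for the example.

```python
from dataclasses import dataclass

# Zones whose Step 3 descriptions mention crackers, malware or "wide access" (assumption).
UNTRUSTED_ZONES = {"Internet", "Wireless Network", "Student Lab Zone"}

@dataclass(frozen=True)
class Service:
    name: str
    sensitivity: str               # Public / Private / Confidential (Step 2)
    zone: str                      # zone hosting the server (Step 3)
    sources: frozenset             # zones that may reach it (Step 1)
    requires_login: bool = False   # authentication precedes access (Step 4); assumed values

CAMPUS = {"Private User Zone", "Student Lab Zone", "Wireless Network"}

# Constructed from the workbook rows above.
WORKBOOK = [
    Service("Web Pages", "Public", "De-Militarized Zone", frozenset(CAMPUS | {"Internet"})),
    Service("Desire2Learn", "Private", "Private Server Zone", frozenset(CAMPUS | {"Internet"}), requires_login=True),
    Service("Registration", "Confidential", "Confidential Zone",
            frozenset({"Internet", "Private User Zone", "Student Lab Zone"}), requires_login=True),
    Service("Health Services", "Confidential", "Confidential Zone", frozenset({"Private User Zone"}), requires_login=True),
]

def check_workbook(services) -> list:
    """Findings a reviewer would raise about zone placement and exposure."""
    findings = []
    for s in services:
        if s.sensitivity == "Confidential" and s.zone != "Confidential Zone":
            findings.append(f"{s.name}: confidential data hosted outside the Confidential Zone")
        if s.sensitivity == "Public" and s.zone == "Confidential Zone":
            findings.append(f"{s.name}: public service placed in the Confidential Zone")
        if "Internet" in s.sources and s.zone != "De-Militarized Zone" and not s.requires_login:
            findings.append(f"{s.name}: reachable from the Internet without login outside the DMZ")
        if s.sensitivity == "Confidential" and (s.sources & UNTRUSTED_ZONES) and not s.requires_login:
            findings.append(f"{s.name}: confidential service open to untrusted zones without login")
    return findings

def allowed_flows(services) -> list:
    """(source zone, destination zone, service) triples the firewall must permit;
    every flow not listed here falls to default deny."""
    return sorted({(src, s.zone, s.name) for s in services for src in s.sources if src != s.zone})

if __name__ == "__main__":
    print("findings:", check_workbook(WORKBOOK) or "none")
    for flow in allowed_flows(WORKBOOK):
        print("permit", *flow)
```

Adding a row such as a payment-card database placed in the DMZ and open to the Internet produces two findings, which is the point of writing the checks down rather than eyeballing the table.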

Data Privacy
Confidentiality: Unauthorized parties cannot access information (-> Secret Key Encryption)
Authenticity: Ensures claimed sender = actual sender. (-> Public Key Encryption)
Integrity: Ensures the message is not modified in transmission. (-> Hashing)
Nonrepudiation: Ensures sender cannot later deny sending message. (-> Digital Signature)
[Figure: four panels (Confidentiality, Authenticity, Integrity, Non-Repudiation) with Joe sending to Ann and Bill as the attacker; in the Authenticity panel the sender appears as "Joe (Actually Bill)"]

Confidentiality: Encryption – Secret Key
Examples: DES, AES
[Figure: plaintext -> Encrypt (Ksecret) -> ciphertext -> Decrypt (Ksecret) -> plaintext]
Sender, Receiver have IDENTICAL keys
Plaintext = Decrypt(Ksecret, Encrypt(Ksecret, Plaintext))
NIST Recommended: 3DES w. CBC; AES 128 Bit

Confidentiality, Authentication, Non-Repudiation: Public Key Encryption
Examples: RSA, ECC, Quantum
Sender, Receiver have Complementary Keys
Encryption (e.g., RSA): Joe encrypts the message with the key owner's Kpublic; the key owner decrypts with Kprivate.
Plaintext = Decrypt(kPRIV, Encrypt(kPUB, Plaintext))
Authentication, Non-repudiation (Digital Signature): the key owner encrypts with Kprivate; Joe decrypts with Kpublic.
Plaintext = Decrypt(kPUB, Encrypt(kPRIV, Plaintext))
NIST Recommended (2011): RSA 2048 bit

Confidentiality: Remote Access Security
[Figure: a remote user reaches the Firewall and VPN Concentrator across the Internet; the encrypted tunnel is drawn as the red line]
Virtual Private Network (VPN) often implemented with IPSec
Can authenticate and encrypt data through the Internet (red line)
Easy to use and inexpensive
Difficult to troubleshoot
Susceptible to malicious software and unauthorized actions
Often the router or firewall is the VPN endpoint

Integrity: Secure Hash Functions
Examples: HMAC, SHA-2, SHA-3
Ensures the message was not modified during transmission
[Figure, Secure Hash: the sender computes H over the Message and sends Message + H; the receiver recomputes H over the received Message and compares it with the Transmitted Hash.
Figure, HMAC: the sender computes H over K + Message and sends Message + H; the receiver recomputes H over K + received Message and compares.]
H = Hash Algorithm; K = Encryption Key; H = Hashed Value
NIST Recommended: SHA-2, SHA-3
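The two panels differ in one thing, the key K, and the following added Python example (not code from the slides) shows why that matters: both detect a message changed in transit, but only the keyed hash resists an attacker who changes the message and recomputes the hash to match. It uses the standard library's hashlib and hmac with SHA-256; the key, the messages and the function names are constructed for the example.

```python
import hashlib
import hmac

def plain_hash(message: bytes) -> str:
    """Secure Hash panel: H = Hash(Message), sent alongside the message."""
    return hashlib.sha256(message).hexdigest()

def verify_plain_hash(message: bytes, transmitted_hash: str) -> bool:
    # compare_digest avoids leaking where the comparison failed through timing.
    return hmac.compare_digest(plain_hash(message), transmitted_hash)

def keyed_hash(key: bytes, message: bytes) -> str:
    """HMAC panel: H = Hash(K, Message); only a holder of K can produce it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_keyed_hash(key: bytes, message: bytes, transmitted_hash: str) -> bool:
    return hmac.compare_digest(keyed_hash(key, message), transmitted_hash)

def demo() -> dict:
    key = b"constructed shared secret"       # K, known to sender and receiver only
    sent = b"Transfer 100 to account 42"     # constructed message as sent
    altered = b"Transfer 900 to account 42"  # the same message modified in transit
    h = plain_hash(sent)
    tag = keyed_hash(key, sent)
    return {
        # Both constructions catch a modification when the transmitted hash is left alone...
        "hash_catches_modification": not verify_plain_hash(altered, h),
        "hmac_catches_modification": not verify_keyed_hash(key, altered, tag),
        # ...but whoever can alter the message can also replace a plain hash,
        "plain_hash_replaced_by_attacker_verifies": verify_plain_hash(altered, plain_hash(altered)),
        # while a replacement HMAC computed without K does not verify.
        "hmac_forged_without_key_verifies": verify_keyed_hash(key, altered, keyed_hash(b"guess", altered)),
        "hmac_genuine_verifies": verify_keyed_hash(key, sent, tag),
    }

if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

A plain hash therefore protects against accidental corruption and against an attacker who cannot reach the hash; protecting against an active attacker on the line needs the key (HMAC) or, as the next slides show, a digital signature.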

Non-Repudiation: Digital Signature
Electronic Signature
Uses public key algorithm
Verifies integrity of data
Verifies identity of sender: non-repudiation
[Figure: Message -> Msg Digest -> Encrypted with K(Sender's Private) = the digital signature]

Authentication: Public Key Infrastructure (PKI)
1. Sue registers with the CA through the RA: Register(Owner, Public Key)
2. Registration Authority (RA) verifies owners
3. Certificate Authority (CA) sends approved Digital Certificates (Digital Certificate: User: Sue, Public Key: 2456)
4. Sue sends Tom a message signed with her Digital Signature
5. Tom requests Sue's DC
6. CA sends Sue's DC
7. Tom confirms Sue's DS
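The three preceding slides (Public Key Encryption, Digital Signature, PKI) describe one mechanism from three angles, and the following added Python example (not code from the slides) walks through all seven PKI steps with it: the CA signs a certificate binding Sue's name to her public key, Sue signs a message digest with her private key, and Tom checks the certificate before trusting the key to check the signature. The RSA here is textbook RSA on small primes, constructed so the arithmetic is visible; it is an illustration of the key relationships, not a usable implementation (no padding, tiny modulus). The primes, the names and the message are constructed; the slide cites NIST's RSA 2048 bit for real use.

```python
import hashlib
from math import gcd

def make_keypair(p: int, q: int, e: int = 65537):
    """Toy RSA keypair from two primes (constructed). Returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)              # private exponent; modular inverse needs Python 3.8+
    return (e, n), (d, n)

def apply_key(key, value: int) -> int:
    """RSA is the same operation with either key: value ** exponent mod n.
    Encrypt(kPUB, .) and Decrypt(kPRIV, .) on the slide are both this function."""
    exponent, n = key
    return pow(value, exponent, n)

def digest(message: bytes, n: int) -> int:
    """Message digest, reduced into the toy modulus so it can be signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key, message: bytes) -> int:
    """Digital signature: the digest 'encrypted' with the sender's private key."""
    return apply_key(private_key, digest(message, private_key[1]))

def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone holding the public key recovers the digest and compares it."""
    return apply_key(public_key, signature) == digest(message, public_key[1])

def certificate_body(owner: str, public_key) -> bytes:
    return f"{owner}:{public_key[0]}:{public_key[1]}".encode()

def issue_certificate(ca_private, owner: str, owner_public) -> dict:
    """Step 3: the CA signs the (owner, public key) binding."""
    return {"owner": owner, "public_key": owner_public,
            "ca_signature": sign(ca_private, certificate_body(owner, owner_public))}

def verify_certificate(ca_public, cert: dict) -> bool:
    """Step 7, first half: Tom checks the CA's signature on Sue's DC."""
    return verify(ca_public, certificate_body(cert["owner"], cert["public_key"]), cert["ca_signature"])

def demo() -> dict:
    ca_pub, ca_priv = make_keypair(1000037, 1000039)    # constructed CA key
    sue_pub, sue_priv = make_keypair(1000003, 1000033)  # constructed owner key
    sue_cert = issue_certificate(ca_priv, "Sue", sue_pub)            # steps 1-3
    message = b"Meet at noon"
    signature = sign(sue_priv, message)                              # step 4
    cert_ok = verify_certificate(ca_pub, sue_cert)                   # steps 5-7
    sig_ok = cert_ok and verify(sue_cert["public_key"], message, signature)
    tampered_ok = verify(sue_cert["public_key"], b"Meet at one", signature)
    # Certificate from an impostor CA (constructed key) must not verify against the real CA key.
    _, impostor_priv = make_keypair(1000081, 1000099)
    fake_cert_ok = verify_certificate(ca_pub, issue_certificate(impostor_priv, "Sue", sue_pub))
    # Confidentiality direction from the Public Key slide: Plaintext = Decrypt(kPRIV, Encrypt(kPUB, Plaintext))
    roundtrip = apply_key(sue_priv, apply_key(sue_pub, 424242))
    return {"cert_ok": cert_ok, "sig_ok": sig_ok, "tampered_ok": tampered_ok,
            "fake_cert_ok": fake_cert_ok, "roundtrip": roundtrip}

if __name__ == "__main__":
    print(demo())
```

The order matters: Tom verifies the certificate with the CA's key first, and only then uses the public key inside it, because a public key that arrives unsigned could have been substituted by anyone in the path.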

Hacking Defense: Intrusion Detection/Prevention Systems (IDS or IPS)
[Figure: Router -> IDS -> Firewall]
Network IDS = NIDS
Examines packets for attacks
Can find worms, viruses, or defined attacks
Warns administrator of attack
IPS = Packets are routed through the IPS
Host IDS = HIDS
Examines actions or resources for attacks
Recognizes unusual or inappropriate behavior
E.g., Detect modification or deletion of special files

IDS/IPS Intelligence Systems
[Figure: a NIDS raises "ALARM!!!" on NastyVirus; known attacks: NastyVirus, BlastWorm. A chart of Normal traffic volume (0-90) for Sales, Personnel and Factory across Mon., Tues., Wed., Thurs.]
Signature-Based: Specific patterns are recognized as attacks
Statistical-Based: The expected behavior of the system is understood; if variations occur, they may be attacks (or maybe not)
Neural Networks: Statistical-Based with self-learning (or artificial intelligence); recognizes patterns
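The following added Python example (not code from the slides) runs both detection styles from this slide over constructed traffic: a signature scan for the figure's NastyVirus and BlastWorm, and a statistical check that compares each department's connection count with its Mon. to Thurs. baseline. The byte patterns, the baseline numbers, the 3-sigma threshold and the function names are all constructed for the example and are not real malware signatures.

```python
import statistics

# Constructed signatures: byte patterns the NIDS matches (placeholders, not real malware strings).
SIGNATURES = {"NastyVirus": b"NASTY-VIRUS-MARKER", "BlastWorm": b"BLAST-WORM-HDR"}

# Constructed baseline: connections per hour for Mon., Tues., Wed., Thurs. per department.
BASELINE = {"Sales": [40, 42, 38, 41], "Personnel": [20, 22, 19, 21], "Factory": [60, 58, 62, 61]}

def signature_scan(payload: bytes) -> list:
    """Signature-based: every known pattern present in the payload. A pattern
    not in SIGNATURES (a new worm) is invisible to this check."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]

def statistical_threshold(history: list, k: float = 3.0) -> float:
    """Statistical-based: 'normal' is mean + k standard deviations of the baseline.
    The floor of 1.0 keeps a perfectly flat baseline from alarming on any change."""
    mean = statistics.mean(history)
    spread = max(statistics.pstdev(history), 1.0)
    return mean + k * spread

def statistical_check(history: list, observed: float, k: float = 3.0) -> bool:
    """True when the observation is outside expected behaviour. It may be an attack,
    or a legitimate surge (the slide's 'or maybe not'); an analyst decides."""
    return observed > statistical_threshold(history, k)

def analyze(events: list) -> list:
    """events: dicts with dept, connections (this hour) and a payload sample."""
    alerts = []
    for ev in events:
        for sig in signature_scan(ev["payload"]):
            alerts.append(("signature", ev["dept"], sig))
        if statistical_check(BASELINE[ev["dept"]], ev["connections"]):
            alerts.append(("statistical", ev["dept"], f"{ev['connections']} connections"))
    return alerts

# Constructed observation window.
SAMPLE_EVENTS = [
    {"dept": "Sales", "connections": 41, "payload": b"GET /index.html"},
    {"dept": "Personnel", "connections": 20, "payload": b"...NASTY-VIRUS-MARKER..."},
    {"dept": "Factory", "connections": 190, "payload": b"no known pattern in this worm yet"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print("ALARM:", *alert)
```

The Factory event is the instructive one: the signature engine sees nothing because the pattern is unknown, while the statistical engine flags the tripled connection count; the two approaches are complementary, which is why products combine them.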

Hacking Defense: Evaluating Applications
Unified Threat Management = SuperFirewall = firewall + IPS + anti-virus + VPN capabilities
• Concerns are redundancy and bandwidth.
Blacklist = restrict access to particular web sites, e.g., social, email sites
Whitelist = permit access to only a limited set of web sites.

Hacking Defense: Honeypot & Honeynet
Honeypot: A system with a special software application which appears easy to break into
Honeynet: A network which appears easy to break into
Purpose: Catch attackers
All traffic going to the honeypot/net is suspicious
If successfully penetrated, it can be used to launch further attacks
Must be carefully monitored
[Figure: behind the Firewall, a zone containing the Honey Pot, External DNS, IDS, Web Server, E-Commerce and VPN Server]

Hacking Defense: Vulnerability Assessment
Scan servers, workstations, and control devices for vulnerabilities
Open services, patching, configuration weaknesses
Testing controls for effectiveness
Adherence to policy & standards
Penetration testing

Step 5: Draw Network Diagram
Workbook
[Figure: Internet -> Router -> Demilitarized Zone (External DNS, Email, Public Web Server, E-Commerce) -> Firewall -> internal zones. Zone 1: Student Labs & Files (Student Scholastic). Zone 2: Faculty Labs & Files. Zone 3: Confidential Data (Student Records, Student Billing, Student History, Transcripts)]

Path of Logical Access
How would access control be improved?
[Figure: The Internet -> Border Router/Firewall -> De-Militarized Zone; a WLAN and a Router/Firewall lead to the Private Network]

Protecting the Network
[Figure: The Internet -> Border Router: Packet Filter -> De-Militarized Zone with Bastion Hosts -> Proxy server firewall -> Private Network; the WLAN is attached as well]

University Scenario: Dual in-line Firewalls

Writing Rules
[Figure: a cycle around the Protected Network: Policies -> Network Filter Capabilities -> Write Rules -> Audit Failures -> Corrections]
Fail-Safe: If the filter fails, it fails closed
Default Deny: If no specific rule applies, the packet is dropped.

Firewall Configurations
[Figure: terminal -> firewall -> host. Packet filtering and stateful inspection pass packet A through unchanged (A in, A out); circuit-level and application-level firewalls terminate session A at the proxy and open a new session B to the host (A in, B out)]
Router Packet Filtering:
Packet header is inspected
Single packet attacks caught
Very little overhead in firewall: very quick
High volume filter
Stateful Inspection:
State retained in firewall memory
Most multi-packet attacks caught
More fields in packet header inspected
Little overhead in firewall: quick
Circuit-Level Firewall:
Packet session terminated and recreated via a Proxy Server
All multi-packet attacks caught
Packet header completely inspected
High overhead in firewall: slow
Application-Level Firewall:
Packet session terminated and recreated via a Proxy Server
Packet header completely inspected
Most or all of application inspected
Highest overhead: slow & low volume
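The Packet Filter Firewall figure, the Default Deny rule from Writing Rules, and the first two configurations above can be tied together in code. The following added Python example (not from the slides) is a minimal rule engine: a stateless filter that judges each packet on its header alone with default deny, and a stateful filter that additionally remembers connections opened from inside so that a Web Response is admitted only when the matching Web Request was seen. The addresses, ports, rule set and the outbound policy are constructed; the sample packets are named after those in the figure.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    sport: int = 0    # 0 for icmp
    dport: int = 0

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "any"
    src_prefix: str = ""         # "" matches any source; "192.168.1." matches that /24
    dport: Optional[int] = None  # None matches any destination port

INSIDE = "192.168.1."            # constructed: our internal address block
SERVER = "192.168.1.10"          # constructed: the public web/mail/DNS host

# Inbound rules (Internet -> us); first match wins, anything unmatched is dropped.
INBOUND_RULES = [
    Rule("deny", src_prefix=INSIDE),     # Illegal Source IP: an outside packet claiming an inside address
    Rule("permit", "tcp", dport=80),     # Web Request
    Rule("permit", "tcp", dport=25),     # Email Connect Request
    Rule("permit", "udp", dport=53),     # DNS Request
    # No rule for ftp/21, ssh/22, telnet/23, NetBIOS/137 or ping: default deny covers them.
]

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and pkt.src.startswith(rule.src_prefix)
            and (rule.dport is None or rule.dport ==  pkt.dport))

def packet_filter(pkt: Packet, rules=INBOUND_RULES) -> str:
    """Router packet filtering: the decision uses this packet's header alone."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"                        # default deny

class StatefulFirewall:
    """Stateful inspection: remembers connections opened from inside so their
    replies are let back in without a standing 'permit source port 80' rule."""

    def __init__(self, rules=INBOUND_RULES):
        self.rules = rules
        self.sessions = set()   # (inside ip, inside port, outside ip, outside port, proto)
        # Real firewalls age these entries out; this demo keeps them for its lifetime.

    def outbound(self, pkt: Packet) -> str:
        # Constructed policy: inside hosts may open any tcp/udp connection.
        if pkt.proto in ("tcp", "udp"):
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "permit"
        return "deny"

    def inbound(self, pkt: Packet) -> str:
        # A reply to a connection we opened is permitted although no static rule says so.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.sessions:
            return "permit"
        return packet_filter(pkt, self.rules)

# Constructed sample traffic named after the packets in the figure.
SAMPLES = {
    "Web Request":           Packet("203.0.113.5", SERVER, "tcp", 40001, 80),
    "Email Connect Request": Packet("203.0.113.5", SERVER, "tcp", 40002, 25),
    "DNS Request":           Packet("203.0.113.5", SERVER, "udp", 40003, 53),
    "SSH Connect Request":   Packet("203.0.113.5", SERVER, "tcp", 40004, 22),
    "Telnet Request":        Packet("203.0.113.5", SERVER, "tcp", 40005, 23),
    "FTP request":           Packet("203.0.113.5", SERVER, "tcp", 40006, 21),
    "NetBIOS Name Service":  Packet("203.0.113.5", SERVER, "udp", 40007, 137),
    "Ping Request":          Packet("203.0.113.5", SERVER, "icmp"),
    "Illegal Source IP":     Packet("192.168.1.77", SERVER, "tcp", 40008, 80),
}

def stateless_decisions() -> dict:
    return {name: packet_filter(pkt) for name, pkt in SAMPLES.items()}

def reply_demo():
    """An inbound Web Response is dropped until the inside host has sent the request."""
    fw = StatefulFirewall()
    response = Packet("198.51.100.9", "192.168.1.20", "tcp", 80, 51515)
    before = fw.inbound(response)
    fw.outbound(Packet("192.168.1.20", "198.51.100.9", "tcp", 51515, 80))
    after = fw.inbound(response)
    return before, after

if __name__ == "__main__":
    for name, decision in stateless_decisions().items():
        print(f"{name:24} {decision}")
    print("Web Response before/after the request:", reply_demo())
```

The spoofed packet shows why rule order is part of the policy: the deny on inside source addresses sits above the permit for port 80, otherwise the Web Request rule would let it through. The stateless filter has no way to admit the Web Response except a blanket rule on source port 80, which any outside host could satisfy; the session table replaces that hole.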

Summary of Controls
Goals marked in the table: Confidentiality, Integrity, Authentication, Non-repudiation, AntiHack (x = serves that goal, ? as in the original; marks are listed in the order they appear in each row)
Encryption Protocols: S-HTTP, HTTPS, SSL, SSH2, PGP, S/MIME: x ? ?
Virtual Private Network (VPN): IPsec: x x x
Wireless: WPA2, TKIP, IEEE 802.11i: x x x
Hashing: HMAC, SHA, MD5: x
Digital Signature: x x x x
Public Key Infrastructure: x
Centralized Access Control: RADIUS, TACACS, Kerberos
Authentication: biometric, flash drive, token: x x x x
AntiHack controls:
Firewall, App. or web firewall: x
Mobile device mgmt: x
Antivirus, Endpoint Security: x
Event Logs/SIEM: x
Intrusion Detection/Prevention Systems: x
Unified Threat Mgmt: x
Vulnerability Assessment: x
Risk, Policy Mgmt: x
Honeypot/Honeynet: x
Email security mgmt
Bastion host: x x x

Question
A map of the network that shows where service requests enter and are processed:
1. Is called the Path of Physical Access
2. Is primarily used in developing security policies
3. Can be used to determine whether sufficient Defense in Depth is implemented
4. Helps to determine where antivirus software should be installed

Question
The filter with the most extensive filtering capability is the:
1. Packet filter
2. Application-level firewall
3. Circuit-level firewall
4. State Inspection

Question
The technique which implements non-repudiation is:
1. Hash
2. Secret Key Encryption
3. Digital Signature
4. IDS

Question
Anti-virus software typically implements which type of defensive software:
1. Neural Network
2. Statistical-based
3. Signature-based
4. Packet filter

Question
MD5 is an example of what type of software:
1. Public Key Encryption
2. Secret Key Encryption
3. Message Authentication
4. PKI

Question
A personal firewall implemented as part of the OS or antivirus software qualifies as a:
1. Dual-homed firewall
2. Packet filter
3. Screened host
4. Bastion host

Summary
Step 1: Determine Services: What, Who, Where?
• Who accesses which services from where?
Step 2: Determine Sensitivity of Services
• Compartmentalization or Separation partitions services across physical or virtual servers to provide protection between them
Step 3: Allocate Network Zones
• Compartmentalization partitions a network to provide protection
Step 4: Define Controls
• Confidentiality, authenticity, integrity, non-repudiation controls
• Anti-hacker controls
Step 5: Draw the Network Diagram

HEALTH FIRST CASE STUDY: Designing Network Security
Jamie Ramon MD, Doctor
Chris Ramon RD, Dietician
Terry, Licensed Practicing Nurse
Pat, Software Consultant

Defining Services which can Enter and Leave the Network
Service | Source (e.g., home, world, local computer) | Destination (local server, home, world, etc.)

Defining Services and Servers
Workbook
Service (e.g., web, sales database) | Source (e.g., home, world, local computer) | Destination (local server, home, world, etc.)
Registration, Desire2Learn | Students and Instructors: Anywhere in the World | Computer Service Servers
Registration | Registrars and Advisers: On campus | Computer Service Servers
Health Services | On campus: nurses office | Computer Service Servers
External (Internet) web services | On campus: Campus labs, dorms, faculty offices | Anywhere in the world
Library databases | On campus students and staff. Off-campus requires login | Specific off-site library facilities

Define Services & Servers
Which data can be grouped together by role and sensitivity/criticality?
Service Name | Sensitivity Class. | Roles with Access | Server Name
Example sensitivity classes: Confidential – Management; Privileged – Contracts; Public – Web Pages

Evaluating Service Classes & Roles
Workbook
Service Name (E.g., web, email) | Sensitivity Class (E.g., Confidential) | Roles (E.g., sales, engineering) | Server (*=Virtual)
Desire2-Learn | Private | Current Students, Instructors | Student_Scholastic
Registration | Confidential | Current Students, Registration, Accounting, Advising, Instructors | Student_Register
Health Service | Confidential | Nurses | Health_Services
Web Pages: activities, news, departments, ... | Public | Students, Employees, Public | Web_Services*

Defining Zones and Controls
Compartmentalization:
Zone = Region (E.g., DMZ, wireless, internet)
Servers can be physical or virtual
Zone | Service | Server | Required Controls (Conf., Integrity, Auth., Nonrepud., with tools: e.g., Encryption/VPN)

Defining Zones
Workbook (You may delete or add rows as necessary)
Zone | Services | Zone Description
Internet | | This zone is external to the organization.
De-Militarized Zone | Web, Email, DNS | This zone houses services the public are allowed to access in our network.
Wireless Network | Wireless local employees | This zone connects wireless/laptop employees/students (and crackers) to our internal network. They have wide access.
Private Server Zone | Databases | This zone hosts our student learning databases, faculty servers, and student servers.
Confidential Zone | Payment card, health, grades info | This highly-secure zone hosts databases with payment and other confidential (protected by law) information.
Private User Zone | Wired staff/students | This zone hosts our wired/fixed employee/classroom computer terminals. They have wide univ. & external access.
Student Lab Zone | Student labs | This zone hosts our student lab computers, which are highly vulnerable to malware. They have wide access.

Defining Controls for Services
Workbook
Zone | Server (*=Virtual) | Service | Required Controls (Conf., Integrity, Auth., Nonrepud., with tools: e.g., Encryption/VPN, hashing, IPS)
DeMilitarized Zone | Web_Services*, Email_Server, DNS_Server | Web, Email, DNS | Hacking: Intrusion Prevention System, Monitor alarm logs, Anti-virus software within Email package.
Wireless Network | | Wireless local users | Confidentiality: WPA2 Encryption. Authentication: WPA2 Authentication
Private Server Zone | StudentScholastic, Student_Files, Faculty_Files | Classroom software, Faculty & student storage. | Confidentiality: Secure Web (HTTPS), Secure Protocols (SSH, SFTP). Authentication: Single Sign-on through TACACS. Hacking: Monitor logs

Draw the Network Diagram
[Figure: Internet -> Router -> Demilitarized Zone (External DNS, Email, Public Web Server, E-Commerce) -> Firewall -> internal zones. Zone 1: Student Labs & Files (Student Scholastic). Zone 2: Faculty Labs & Files. Zone 3: Student Data (Student Records, Student Billing, Student History, Transcripts)]

MS Visio Diagram Download