
CIPS-2011-0035

Securing Enterprise Network
Indian Computer Emergency Response Team
Department of Information Technology
Ministry of Communications & Information Technology
New Delhi
Expansion in Enterprise Networks
Network performance, high availability and uptime are a must, not only for running the day-to-day operations of an enterprise but also for the success of the business itself.
Networks are expanding in one more sense: they run a myriad of applications that in turn drive many of the businesses these enterprises are engaged in.
Challenges of an expanding enterprise network
• This growth and expansion of enterprise networks, and the increasing reliance of businesses on them, has given rise to new challenges in securing these networks.
• However, securing a network, and thereby guaranteeing its performance, availability and uptime, is not a difficult task provided security managers do the right things. The challenge is knowing what those right things are.
So, what does Securing an Enterprise Network mean?
Securing an enterprise network means practising preventive and real-time defence methods, implemented by the enterprise:
• to protect its business network against potential threats that may impede or paralyse its systems
• to safeguard business-sensitive information and applications from malicious sources through the combined efforts of IT strategies, software and hardware.
Network & Security
• A Computer Network is an interconnected group of computing nodes which use a well-defined, mutually agreed set of rules and conventions, known as a protocol, to interact with each other meaningfully and to allow resource sharing, preferably in a predictable and controlled manner.
• Network Security is the need to protect one or more aspects of a network's operation and permitted use. Security requirements may be local or global in scope, depending on the purpose for which the network or internetwork was designed and deployed.
Aspects of A Computer Network
• Network Architecture
• Servers and Workstations
• LAN: Cabled and Wireless
• WAN
• ISP Link
• Perimeter Network Devices
• Network Security Appliances
Elements of Network Security
• Primary elements of security of any computer network include security provisioning at:
– Sending Node
– Intermediate Forwarding Node
– Receiving Node
– Interconnection Links
– Mechanism of Transmission
Basic Secure Network Design (diagram)
Major Network Security Equipment
1. Routers & Managed Switches
2. Link Load Balancer
3. Firewall (Unified Threat Management)
4. VPN
5. Intrusion Prevention System
6. Antivirus and Antimalware Solution
7. Antispam and email Security
8. Web Security
9. Filters
10. Log Management & Analysis
11. Network Access Control
12. Management System
13. Patch Management
14. Backup Solutions
15. Endpoint Security
Firewall
A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device, or set of devices, configured to permit, deny, encrypt, decrypt or proxy all traffic (inbound and outbound) between different security domains, based on a set of rules and other criteria.
Products: Hardware Firewall
Cisco PIX 515, 520 and Cisco ASA 5500
Fortinet FortiGate
ZyXEL ZyWALL UTM (Unified Threat Management)
Check Point UTM
These days most devices support a failover feature. This is required to keep the network active in case the master device (firewall) fails.
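The slide says a firewall permits or denies traffic "based upon a set of rules". The example below is added here to show how such a rule base is actually evaluated; it is not vendor code and not part of the original presentation. It implements a first-match packet filter with a default-deny policy, using a constructed rule base for a site with an internal LAN (10.0.0.0/8), a DMZ web server (192.0.2.10, a documentation address) and "inside"/"outside" interfaces. All addresses, interface names and rules are assumptions chosen for illustration.

```python
"""First-match packet filter illustrating firewall rule evaluation.
Added example with constructed addresses and rules; not vendor code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port; None means any port
    iface: str = "any"     # ingress interface; "any" means unrestricted
    comment: str = ""


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int]
    iface: str             # interface the packet arrived on


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    return (
        (rule.iface == "any" or rule.iface == pkt.iface)
        and (rule.proto == "any" or rule.proto == pkt.proto)
        and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the rule base top-down; the first matching rule decides.
    A packet that no rule matches is denied (default deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "deny", "default deny (no rule matched)"


# Constructed site layout (assumption): LAN on 10/8, one DMZ web server.
INTERNAL = "10.0.0.0/8"
DMZ_WEB = "192.0.2.10/32"
ANY = "0.0.0.0/0"

RULES = [
    # Anti-spoofing: a packet claiming an internal source must never enter on the outside interface.
    Rule("deny", "any", INTERNAL, ANY, None, iface="outside", comment="anti-spoofing"),
    Rule("permit", "tcp", ANY, DMZ_WEB, 443, comment="public HTTPS to DMZ web server"),
    Rule("permit", "tcp", ANY, DMZ_WEB, 80, comment="public HTTP to DMZ web server"),
    Rule("permit", "tcp", INTERNAL, ANY, 443, iface="inside", comment="LAN users browsing out"),
    Rule("deny", "any", ANY, INTERNAL, None, comment="nothing from outside reaches the LAN"),
]


if __name__ == "__main__":
    samples = [
        Packet("tcp", "198.51.100.7", "192.0.2.10", 443, "outside"),   # visitor to web server
        Packet("tcp", "10.1.1.1", "192.0.2.10", 443, "outside"),       # spoofed internal source
        Packet("tcp", "198.51.100.7", "10.2.3.4", 445, "outside"),     # SMB into the LAN
        Packet("tcp", "10.1.1.5", "203.0.113.9", 443, "inside"),       # LAN user browsing
        Packet("udp", "10.1.1.5", "203.0.113.9", 53, "inside"),        # no rule: default deny
    ]
    for p in samples:
        print(f"{p.iface:7} {p.proto} {p.src} -> {p.dst}:{p.dport}  => {evaluate(RULES, p)}")
```

Because the first match wins, rule order is part of the policy: moving the anti-spoofing rule below the "permit HTTPS to DMZ" rule lets the spoofed packet through, which is the kind of mistake a rule-base review should look for.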
What about UTM?
Unified Threat Management
All-in-one devices that can do:
Firewall
Antivirus
IPS
VPN
Etc.
This is being discussed because vendors very often push UTM devices when customers are looking for IPS solutions.
UTM Products
• Fortinet
• Radware
• Cisco (ASA appliance)
• Juniper
UTM Pros & Cons
• Pros
– Cost effective for remote branch offices where other capabilities, such as a firewall, are also needed
• Cons
– Usually a limited subset of IPS functionality and signatures compared to stand-alone IPS products
Intrusion Prevention Systems (IPS)
• IPSs are not a new technology; they are simply an evolved version of IDS.
• IDS have been one of the cornerstones of network security, but they are a passive component which only detects and reports without preventing. It is the intrusion prevention system (IPS) whose job is to prevent attacks.
• Because IDS and IPS technologies offer many of the same capabilities, administrators can usually disable the prevention features in IPS products, causing them to function as IDSs.
IPS (Intrusion Prevention System)
An Intrusion Prevention System is a network security device that monitors network and/or system activities for malicious or unwanted behaviour and can react, in real time, to block or prevent those activities.
– Network-based IPS:
Snort (Sourcefire, open source)
Winpooch (Windows only)
Cisco IPS 4200 series
IBM Proventia GX series
TippingPoint
Cyberoam UTM
McAfee M series
Juniper
Definition
Intrusion Detection
• Intrusion detection is a technique for detecting unauthorized access to a computer system or a computer network.
• An intrusion into a system is an attempt, typically by an outsider, to illegally gain access to the system. Intrusion prevention, on the other hand, is the art of preventing unauthorized access to a system's resources.
• The two processes are related in the sense that while intrusion detection passively detects system intrusions, intrusion prevention actively filters network traffic to stop intrusion attempts.
IPS (Intrusion Prevention System)
Host-based IPS:
McAfee
Kaspersky
Panda
CA
What can an IPS do?
• IPS can detect and block:
– OS, Web and database attacks
– Spyware / Malware
– Instant Messenger
– Peer to Peer (P2P)
– Worm propagation
– Critical outbound data loss (data leakage)
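Two points from the IPS slides above are worth seeing in code: that an IPS with prevention disabled behaves as an IDS (same detection, alerts only, nothing blocked), and that detection combines content signatures (for web and database attacks) with behavioural rules (for worm propagation). The sensor below is an added example written for this page, not Snort or any product listed above. Its signatures, its fan-out threshold of five SMB targets, and the sample traffic are all constructed assumptions; a real signature set is far larger and is evaluated on reassembled streams rather than single packets.

```python
"""Toy inline sensor: content signatures plus one behavioural rule, switchable
between IDS mode (alert only) and IPS mode (alert and drop).
Added example; signatures, threshold and traffic are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Signature:
    sid: int
    name: str
    dport: Optional[int]   # None = match on any port
    pattern: bytes         # regular expression applied to the payload


# Content signatures (constructed for this example, not a vendor feed).
SIGNATURES = [
    Signature(1001, "HTTP directory traversal", 80, rb"(\.\./){2,}"),
    Signature(1002, "SQL injection tautology", 80, rb"(?i)'\s*or\s+'?1'?\s*=\s*'?1"),
]
# Behavioural rule: one host opening SMB (445) to many distinct hosts looks like a worm spreading.
WORM_SIG = Signature(2001, "possible worm propagation (SMB fan-out)", 445, b"")
WORM_FANOUT_THRESHOLD = 5   # assumption: tune for the site


class Sensor:
    def __init__(self, mode: str = "ids"):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.alerts: List[Tuple[int, str, str, str]] = []   # (sid, name, src, dst)
        self._smb_targets = defaultdict(set)                 # src -> set of SMB destinations

    def inspect(self, pkt: Packet) -> str:
        """Return 'pass' or 'drop'. In IDS mode everything passes; only alerts are recorded."""
        hits = [s for s in SIGNATURES
                if (s.dport is None or s.dport == pkt.dport)
                and re.search(s.pattern, pkt.payload)]
        if pkt.dport == 445:
            self._smb_targets[pkt.src].add(pkt.dst)
            if len(self._smb_targets[pkt.src]) >= WORM_FANOUT_THRESHOLD:
                hits.append(WORM_SIG)
        for s in hits:
            self.alerts.append((s.sid, s.name, pkt.src, pkt.dst))
        return "drop" if hits and self.mode == "ips" else "pass"


def run(mode: str, packets: List[Packet]):
    """Feed packets through a fresh sensor; return (verdicts, alerts)."""
    sensor = Sensor(mode)
    verdicts = [sensor.inspect(p) for p in packets]
    return verdicts, sensor.alerts


# Constructed traffic: a benign request, two web attacks, then an internal host
# sweeping six neighbours on SMB.
TRAFFIC = [
    Packet("198.51.100.7", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("198.51.100.7", "192.0.2.10", 80, b"GET /cgi-bin/../../../../etc/passwd HTTP/1.1\r\n"),
    Packet("198.51.100.9", "192.0.2.10", 80, b"POST /login HTTP/1.1\r\n\r\nuser=admin' OR '1'='1&pass=x"),
] + [Packet("10.0.0.7", f"10.0.0.{n}", 445, b"\x00\x00\x00\x85\xffSMB") for n in range(21, 27)]


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        verdicts, alerts = run(mode, TRAFFIC)
        print(mode.upper(), "verdicts:", verdicts)
        for sid, name, src, dst in alerts:
            print(f"  [{sid}] {name}: {src} -> {dst}")
```

The same sensor class produces the same alerts in both modes; only the verdict changes. That is the trade-off behind the "disable prevention features" remark above: IDS mode cannot stop the attack, but it also cannot drop legitimate traffic on a false positive, so new or untuned signatures are usually run in alert-only mode first.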
Antivirus Suites and Internet Security
Antivirus software is used to prevent, detect, and remove malware, including computer viruses, worms, and trojan horses. Such programs may also prevent and remove adware, spyware, and other forms of malware. Some examples are:
– BitDefender 2010 Suite
– McAfee VirusScan Plus
– Symantec Corporate 11.0
– Cyberoam UTM
– Panda Security
– Kaspersky Space Security
– Trend Micro Scan Suites
– Quick Heal Total Security
Anti-Spam and Email Security
Spam is flooding the Internet with many copies of the same message, in an attempt to force the message on people who would not otherwise choose to receive it. Most spam is commercial advertising, often for dubious products, get-rich-quick schemes, or quasi-legal services. To get rid of this spam one should use good anti-spam and email security for mail servers and services. A few examples are:
– Symantec Mail Security for Microsoft Exchange
– GFI MailSecurity (scans with multiple antivirus engines)
– Cisco IronPort (C and X series)
– Cyberoam
– Check Point UTM
– AVG Server Edition 8.5 for Linux
– Kaspersky Total Space Security for Linux
Web Security
As more and more attacks are being carried out at the HTTP layer, there is a growing need to push the envelope and bring web security to new levels. Most existing tools work at the TCP/IP level, failing to use the specifics of the HTTP protocol in their operation. A few dedicated web security products are:
– Cisco IronPort S series
– Microsoft ISA Server 2006 Enterprise
– Cyberoam UTM
– Sophos Web Gateway
– Fortinet UTM
– Barracuda Web Filter
– Trend Micro InterScan Web Security Virtual Appliance
– Alcatel OmniAccess 8500
Auditing & Log Management
It is in the best interest of organizations to have appropriate auditing policies in place that effectively and efficiently collect information about events, including critical events, occurring in the network and systems in the form of logs, and manage those logs appropriately. This has created the need for Computer Security Log Management, which is the process of generating, transmitting, storing, analyzing, and disposing of computer security log data. Log management should be centralized, and products should support Syslog, SNMP and Windows event logs. A few are:
– ManageEngine EventLog Analyzer
– GFI EventsManager
– Linux (as a syslog server)
– Security Information and Event Management (SIEM) tools
Security Information and Event Management (SIEM) tools
Centralized Syslog Server: this facilitates record-keeping of all system and network activity at a single location, which offers several advantages: it can be placed on a separate segment for secure storage; it allows better correlation of attacks across different platforms; it makes backup policies easier; it supports real-time alert generation using tools like Swatch (Simple Watcher); and it has the security benefit that, with a central syslog server, the entries associated with an attack can still be obtained even if the original machine has been compromised and its local traces wiped by the intruder.
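The two log slides above argue for centralizing syslog so that attacks can be correlated across platforms and alerts raised in real time. The script below is an added example of what that correlation looks like once the lines have arrived at a central server; it is not Swatch, EventLog Analyzer or any other product named above. It parses BSD-style syslog lines (a constructed sample, including one line that is not syslog at all), decodes the PRI field into facility and severity, and raises an alert when one source address fails SSH logins three or more times within ten minutes across any combination of hosts. The threshold, window, hostnames and addresses are assumptions chosen for the demonstration.

```python
"""Central syslog correlation: parse lines from several hosts and detect a
password-guessing source that no single host's log would reveal.
Added example; all log lines are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# <PRI>Mmm dd hh:mm:ss host prog[pid]: message   (BSD syslog / RFC 3164 layout)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")


def parse(line: str, year: int = 2011) -> Optional[Dict]:
    """Return a structured event, or None for a line that is not syslog.
    BSD syslog timestamps carry no year, so the caller supplies one."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {
        "facility": pri // 8,          # PRI = facility * 8 + severity
        "severity": pri % 8,
        "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "host": m["host"],
        "prog": m["prog"],
        "msg": m["msg"],
    }


def ingest(lines: List[str]) -> List[Dict]:
    """Parse everything the central server received, dropping unparseable lines."""
    return [ev for ev in (parse(l) for l in lines) if ev is not None]


def correlate_failed_logins(events: List[Dict], threshold: int = 3, window_seconds: int = 600) -> List[Dict]:
    """Group sshd failures by source address regardless of target host and
    alert on any source with >= threshold failures inside a sliding window."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["prog"] != "sshd":
            continue
        m = FAILED_RE.search(ev["msg"])
        if m:
            by_src[m["ip"]].append((ev["ts"], ev["host"]))
    alerts = []
    for ip, hits in by_src.items():
        hits.sort()
        for i in range(len(hits)):
            j = i
            while j < len(hits) and (hits[j][0] - hits[i][0]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                alerts.append({"src": ip, "count": j - i,
                               "hosts": sorted({h for _, h in hits[i:j]})})
                break
    return alerts


# Constructed sample: the attacker fails twice on web01 and once on db01,
# below the threshold on each host individually.
LINES = [
    "<38>Mar 12 10:01:02 web01 sshd[1234]: Failed password for root from 203.0.113.5 port 5222 ssh2",
    "<38>Mar 12 10:02:10 web01 sshd[1240]: Failed password for invalid user admin from 203.0.113.5 port 5230 ssh2",
    "<38>Mar 12 10:03:44 db01 sshd[877]: Failed password for root from 203.0.113.5 port 5301 ssh2",
    "<38>Mar 12 10:04:00 db01 sshd[880]: Failed password for oracle from 198.51.100.20 port 40022 ssh2",
    "<6>Mar 12 10:04:30 fw01 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=23",
    "this line is not syslog and is ignored",
]


if __name__ == "__main__":
    events = ingest(LINES)
    print(f"parsed {len(events)} of {len(LINES)} lines")
    for alert in correlate_failed_logins(events):
        print("ALERT", alert)
```

Filtered to web01's own events the same function returns nothing, which is the page's point: the attack is only visible when every host's log lands in one place, and it stays visible there even if the attacker later cleans up on web01.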
Patch Management
Patch management tasks include: maintaining current knowledge of available patches; deciding which patches are appropriate for particular systems; creating a test environment so that patches can be tested before being deployed to clients; ensuring that patches are installed properly; testing systems after installation; and documenting all associated procedures, such as specific configurations required.
ManageEngine Security Manager Plus
GFI LANguard
Novell ZENworks Patch Management (available for Windows, NetWare, Macintosh, AIX, Solaris and HP-UX)
Altiris Client Management Suite
Backup
• Backup is the activity of copying files or databases so that they will be preserved in case of equipment failure or other catastrophe. Backup is a routine part of operations for everyone from large businesses to the administrators of smaller business computers. Administrators must choose the right type of hardware and software to use for regular backups.
– Backup devices: HP DAT 320, Iomega REV 120, LTO tape drives
– For large data centres: IBM System Storage
– Online backup solutions, e.g. SugarSync, box.net
– Software: Symantec Veritas, IBM Tivoli, Norton Backup
– Disaster recovery servers
Testing of Patches (diagram)
Endpoint Security
Endpoint security is a strategy in which security software is distributed to end-user devices but centrally managed. A server or gateway hosts the centralized security program, which verifies logins and sends updates and patches when needed. This type of solution includes:
– Firewall
– IPsec VPN
– IPS
– Web Security
– URL Filtering
– Antivirus & Anti-Malware
– Anti-Spam & Email Security
A few solutions are:
– Check Point Endpoint Security
– Symantec Endpoint Protection 11.0
– Trend Micro Endpoint Security
Building a secure environment
Defense in Depth:
• Using a layered approach
• Increases an attacker's risk of detection
• Decreases an attacker's chances of success
Secure environment
A secure environment is a combination of:
• Hardened hosts (nodes)
• Intrusion Detection System (IDS)
• Operating Processes: standard and emergency
• Threat Modeling and Analysis: simple security risk analysis, attack vectors and threat modeling
• Dedicated Responsible Staff: a Chief Information Security Officer (CISO), responsible for all of the above, who should coordinate with sectoral and other CERTs as required
• Continuous Training: users and security staff, against "social engineering"
Host Hardening
This process starts with a requirements evaluation to see what the server is for and to assess the risks involved.
The main stages of host hardening are as follows:
• Disabling unused services and user accounts
• Tightening the security settings of required services (limiting access by host or IP block)
• Replacing insecure or vulnerable services with more secure alternatives
• Removing unused tools, libraries, and files (OS minimization)
• Tightening file system security settings (system ACLs)
• Installing host-based intrusion detection systems (HIDS)
• Running high-risk services in a tightly controlled environment (e.g. a chroot jail)
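As an added example of the "tightening the security settings of required services" and "limiting access by host or IP block" stages, the script below audits an OpenSSH sshd_config. It is not part of the original presentation and is not an OpenSSH tool. The weak and hardened configurations are constructed for the demonstration, and the check list (root login, password authentication, empty passwords, X11 forwarding, MaxAuthTries, an AllowUsers/AllowGroups restriction) is an assumption about what a baseline should require; it deliberately ignores conditional Match blocks. The parser reproduces one sshd_config behaviour that often defeats hardening: for each keyword, sshd uses the first value it finds in the file, so a correction appended at the bottom has no effect if the keyword already appears above it.

```python
"""Audit an sshd_config against a small hardening baseline.
Added example; both configurations are constructed, not taken from a real host."""
from typing import Callable, Dict, List, Tuple

# (keyword, test on the lower-cased value, description of expected value, reason)
Check = Tuple[str, Callable[[str], bool], str, str]

CHECKS: List[Check] = [
    ("permitrootlogin", lambda v: v == "no", "no",
     "administrators log in as named users and escalate with sudo"),
    ("passwordauthentication", lambda v: v == "no", "no",
     "public-key only; removes password guessing"),
    ("permitemptypasswords", lambda v: v == "no", "no",
     "never accept blank passwords"),
    ("x11forwarding", lambda v: v == "no", "no",
     "unneeded feature on a server"),
    ("maxauthtries", lambda v: v.isdigit() and int(v) <= 4, "4 or fewer",
     "limit guesses per connection"),
]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return {keyword (lower-cased): value}.
    Comments and blank lines are ignored. For each keyword the FIRST value
    in the file wins, as in sshd itself. Parsing stops at the first
    'Match' block, whose settings are conditional and not audited here."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match "):
            break
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        cfg.setdefault(parts[0].lower(), parts[1].strip())
    return cfg


def audit(cfg: Dict[str, str]) -> List[str]:
    """Return one finding per baseline item that is missing or wrong."""
    findings: List[str] = []
    for key, ok, want, why in CHECKS:
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key}: not set explicitly, want {want} ({why})")
        elif not ok(got.lower()):
            findings.append(f"{key}: is {got!r}, want {want} ({why})")
    # Limit access by host / IP block: require an explicit allow list.
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("allowusers/allowgroups: not set (anyone with an account may try to log in)")
    return findings


WEAK_CONFIG = """\
# constructed sshd_config, as often found on a freshly installed server
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
# appended later by an administrator; has no effect, because sshd already
# took the first PermitRootLogin value above
PermitRootLogin no
"""

HARDENED_CONFIG = """\
# constructed hardened sshd_config
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
AllowUsers ops@10.0.5.0/24
"""


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(parse_sshd_config(text))
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run against a real host, the parser would read /etc/ssh/sshd_config; the audit itself stays the same. A finding about the weak file's PermitRootLogin shows as "is 'yes'" even though the file ends with "PermitRootLogin no", which is exactly the trap the first-value rule creates. The AllowUsers line with a user@CIDR pattern is the place where "limiting access by host or IP block" is expressed for SSH.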
Processes
Operating Processes:
• Aim for compliance with an overall operational process framework, e.g. the Microsoft Operations Framework's SLAs, OLAs and UCs
• As a minimum, define Operating Processes:
– Standard Operating Procedures: the set of security policies used during normal conditions
– Emergency Operating Procedures: tighter policies used during "high-risk" or "under-attack" conditions
– Include scheduled internal and external audits to verify that security compliance is practised in the organisation
Education and Research
• As a minimum, there is a need to subscribe to security advisories:
Microsoft Security Notification Service
www.microsoft.com/security
CERT-In
www.cert-in.org.in
SANS Institute
www.sans.org
Other vendor-specific advisories: Cisco, Oracle, IBM and so on, e.g.
http://www.oracle.com/technology/deploy/security/alerts.htm
https://lists.ubuntu.com/archives/ubuntu-security-announce/
www.redhat.com/security/
• Apart from notifications, study the available operational security guidance:
www.microsoft.com/tecnical/security
Recommendations: Summary
•Protect the infrastructure
- Secure endpoints
- Protect email and Web
- Defend critical internal servers
- Backup and recover data
•Protect the information
- Discover where sensitive information resides
- Monitor how data is being used
- Protect sensitive information from loss
Recommendations (contd.)
•Develop and enforce IT policies
- Define risk and develop IT policies
- Assess infrastructure and processes
- Report, monitor and demonstrate due care
- Remediate problems
•Manage systems
- Implement secure operating environments
- Distribute and enforce patch levels
- Automate processes to streamline efficiency
- Monitor and report on system status
Thank you