Implementing and Automating
Critical Control 19: Secure Network Engineering
for
Next Generation Data Center Networks
Aron Warren, George Khalil, Michael Hoehl
February 2012
SANS Technology Institute - Candidate for Master of Science Degree
Objectives
• Introduction
• Secure Network Engineering
• Challenges for Next Generation Networks
• Functional Requirements
• Key Risk Considerations
• High-Level Design and Build Approach
• N-Tier Application and Infrastructure Control Checklist
• Lessons Learned
SANS Technology Institute - Candidate for Master of Science Degree
Introduction
• SANS 20 Critical Security Controls for Effective
Cyber Defense
• Security Control 19 “Secure Network Engineering”
• Technical approaches to advance this control
• Scope is for Web/Mobile App and 40GbE
SANS Technology Institute - Candidate for Master of Science Degree
Secure Network Engineering
• Document Gathering is First Step
• Understand Data Flows
• Log Events and Correlate
• Apply Least Privileged Principles
• Divide and Secure
• Establish Trust and Validate Data Integrity
• Test and Validate Routinely
SANS Technology Institute - Candidate for Master of Science Degree
Challenges
for Next Generation Networks
• 40GbE is still early in “hype” cycle for Enterprises
• Throughput speed ≠ Wire speed
• Uncertainty increases relative to speed
• Limited forensic team experience with 40 GbE
• Existing operations resource capacity
SANS Technology Institute - Candidate for Master of Science Degree
Functional Requirements
1. Documentation
9. Virtual and Blade Servers
2. Data Center Physical Controls 10. Vulnerability and Threat Mgt
3. Enclaves
11. Log Mgt
4. Firewalls and Security Apps
12. Asset Mgt
5. Internet Access
13. Access Mgt
6. DNS
14. Performance Mgt
7. Hardening
15. Forensic Mgt
8. Config and Change Mgt
16. Service Mgt
SANS Technology Institute - Candidate for Master of Science Degree
Key Risk Considerations
• Mixing assets of different value
• Integrating security and network controls
• High event volume and Impact of false negatives
• Understanding data flows and security policies
• Performance impact of inspection
• Protecting high authority access
• Configuration errors and product defects
SANS Technology Institute - Candidate for Master of Science Degree
High-level Design
and Build Approach
SANS Technology Institute - Candidate for Master of Science Degree
N-Tier Application
Control Checklist











Enclave for each app function
Dedicated Internet Access Firewall
Security Fabric
Separate Infrastructure Firewall
SSL Accelerator and Proxies
Tiered DNS
Virtualization and Blade Servers
Netflow
Network Address Translation
Network Monitoring Switch
Load Balancers
SANS Technology Institute - Candidate for Master of Science Degree
Infrastructure
Control Checklist











Enclave for each function
No direct Internet access
Infrastructure Firewall
Dedicated Enterprise Firewall
Customer Authentication
Admin Authentication
Jump Boxes
Network Access Control (NAC)
Business-to-Business (B2B)
VPN
System and Security Event Mgt
SANS Technology Institute - Candidate for Master of Science Degree
Lessons Learned
Pitfalls
Promising Solutions
•Poor Documentation
• Security Fabric
•Too many ACLs and Flows
• Firewall Policy Mgt
•Netflow “meltdown”
• Virtual Switch Replacement
•4 x10 Port Aggregation
• IEEE 802.1AE (MACsec)
•Virtual Switch Overload
•Poorly designed QoS
•Forensic Teams
SANS Technology Institute - Candidate for Master of Science Degree
Benefits
• Improved Security
• Increased Design Credibility
• Better Manageability
• Lower Total Costs
• Faster Response to Threats
Ultimately, adopting these design recommendations will provide a solid foundation for
safeguarding infrastructure and data at the highest speeds available today—and tomorrow.
SANS Technology Institute - Candidate for Master of Science Degree