Transcript Turning the Network Inside Out Joel Snyder, Ph.D. Senior Partner Opus One [email protected] Most networks focus on perimeter defense  “[AT&T’s gateway creates] a sort of.

Turning the Network
Inside Out
Joel Snyder, Ph.D.
Senior Partner
Opus One
[email protected]
Most networks focus on perimeter defense
 “[AT&T’s gateway creates] a sort of crunchy shell
around a soft, chewy center.” (Bill Cheswick, Design
of a Secure Internet Gateway, April, 1990)
Big Bad
Internet
Perimeter defense has its flaws
 “Protecting your network
with a perimeter firewall is
like putting a stake in the
middle of a field and
expecting the other team to
run into it.”
 #include <statistic on insider
break-in percent>
 “If your position is invisible,
the most carefully concealed
spies will not be able to get a
look at it.” (Sun-Tzu)
Virus
Big Bad
Internet
Defense in Depth is the alternative
 Make the network
“crunchy,” not soft
and chewy
throughout.
 Turn the network
inside-out: the
security is on the
inside, not on the
outside
We don’t do defense-in-depth because...
 Cost
•
The cost of adding
firewall “brains” has
been prohibitive
 Authentication
•
 Performance
•
Firewalls are slower
than Gigabit switches
 Management
•
Determining the “manyto-many” relationships
are difficult
How do you know who
has that IP address
anyway? What about
NATed users?
 Policy
•
It’s hard to describe the
security policy for
inside users; it’s much
easier to describe the
Internet-oriented policy
Whoops. I lied. My bad.
Cost
•
dropping
Performance
•
increasing
Management
•
getting better
Authentication
•
solved
Policy
•
OK, there had to be
something we
couldn’t solve with
technology
You can implement Defense-in-Depth
New and Exciting
 802.1X Authentication
 Digital Certificates
Not-so-bleeding-edge
 MAC lock-down on ports
 Authenticated routing updates
 Rate-limiting (DoS resistance)
 VLANs as Security
Barriers
 Host-based IDS
 Multiple levels of ACLs
 SSH (Secure Shell) for
management
 Firewall/VPN on the NIC
 Network Intrusion
Detection/Prevention
Systems
 RADIUS-based authentication
 SNMPv3 and not SNMPv2
 “Access Ethernet” dedicated
management network
802.1X is the new standard for layer 2
authentication
EAP over RADIUS
Supplicant
EAP over Wireless
EAP over LAN
Authenticators
Authentication
Server (e.g.,
RADIUS server)
Supplicant
The World
802.1X on every port adds security
 In the wireless environment,
802.1X is absolutely required
•
802.11i and WPA (Wi-Fi
Protected Access) use
802.1X
•
Pure 802.1X for
authentication solves
“Here’s your
most WEP problems (if WEP key for
the next 30
implemented with mutual seconds...”
authentication methods
TLS, TTLS or PEAP)
EAP over
RADIUS
“Put the user on
VLAN x and
here’s what he
has access to...”
802.1X on every port adds security, II
 In the wired
environment,
802.1X adds
security
•
Microsoft gives it
to you for free
with W2K and XP
•
Many wireless
vendors too...
* 802.1X ties to
RADIUS which
means...
...you can use
RADIUS to push
authorization
information to wired
and wireless
equipment
* VLAN
information
* ACL (access
control list)
information
What are pitfalls and caveats with 802.1X?
 802.1X does not mandate an authentication method
•
•
So you have to pick one (TLS, TTLS, or PEAP)
•
Strategy: hold off until this battle is settled by the IETF
There are a bunch of choices and a bunch of interoperability
problems (TTLS vs. PEAP)
 802.1X does not require you to swap out your RADIUS
infrastructure
•
You can get a new, small server which will proxy to your existing
RADIUS servers
 802.1X will not immediately be “full featured”
•
Authorization information, such as ACLs and VLANs, is still
awaiting “industry agreement”
Public/Private Cryptography enables ...
n = p•q
 Authentication
•
d = e-1 mod((p-1)(q-1))
Using public/private cryptography, I can strongly prove my
identity
 Integrity Checking
•
Using public/private cryptography, I can digitally sign
documents and ensure that they cannot be tampered with
•
Digitally signed documents have “proof of sender” as well
 Encryption
•
Using public/private cryptography, I can encrypt short and
long strings of data effectively
Digital Certificates enable public/private cryptography
n = p•q
A Certificate
can be many
things and have
many forms, but
fundamentally
is a binding of
a public key to
an identity
d = e-1 mod((p-1)(q-1))
Many existing IT applications can use
Encryption
certificates
Authentication
 SSL-based Web servers
 VPNs Remote User
Authentication
 E-mail (S/MIME clients)
Certificate-based techniques
can also be used to pass
encryption keys for secret key
encryption: disk partitions, for
example
 Windows 2K/XP Login
 802.1X Network
Authentication
 E-mail (Netscape,
Outlook, others
supporting S/MIME)
And they all
can use the
same
certificate!
So, why isn’t everyone using them?
 PKI manufacturers have made it more complex than it needs
to be
•
“Solve all the problems up front, for country-wide
deployments” seems to be their strategy
 And expensive!
 Certificate Revocation List strategies have not been coherent
•
Online Certificate Status Protocol may help
 Certificate Enrollment is chaotic
•
•
Four different protocols in common use
Plus a few proprietary ones
VLANs aren’t just for breakfast anymore
 802.1q (Virtual LANs) can be used to combine, yet
not mix, traffic from multiple networks
Originally:
Now:
Management Domains
Security Domains
“tagged”
VLANs
Use VLANs to distribute protected and
unprotected services
1st Floor
2nd Floor
3rd Floor
4th Floor
Using VLANs for security has its risks
 If packets jump from one VLAN to the
other... the game is over
 Management of switching infrastructure
is now as important as management of
firewalls
 Your switches are your weak links
•
•
Attacks
Bugs
 Switch vendors have a very bad
reputation in this area
Risk/Benefit Analysis
All Access Control Lists are not created equal
Some are more equal than others
Static Packet
Filters
“Extended” Access
Lists
 Cannot be used
for port-based
controls
 Are commonly
implemented
 High performance
Packet Filters
(Packet Filters)
 Look at things within
 Typically look only
IP layer
Stateful
 Look at entire
IP and TCP or UDP
datagram and try and
header (such as port
simulate higher layer
number and flags)
state machines
 Can be used for
 Considered very
limited port-based
secure at layer 3
controls
(Check Point, Cisco
 Available on many,
but not all, platforms
 High performance
depend on them)
 Slower and more
CPU/memory
intensive
ACLs can be spread throughout
your network to increase security
Allow traffic to HR
server only from
HR VLAN
Block SMTP not
from Internet.
Kiosk PCs can’t
get to inside net
Pre-filter protocols
(such as SNMP)
you never want to
let in; block
spoofed packets
User can get to
departmental servers
and Internet only
ACLs everywhere is a tricky situation
 Static ACLs on ports can be difficult to manage and maintain
(at this time)
 802.1X-derived ACLs don’t have sufficient context to work at
IP layer (yet)
 Not every device has the capability
 Not every policy-based security server has the ability
But this is a technology
coming very soon to a
theatre near you!
“Put the user on
VLAN x and
here’s what he
has access to...”
You can put a firewall on a NIC
 Technically, this is not making
the network itself crunchy and
more secure
 “Defense in Depth” isn’t too
concerned with labels
Policy Server
Vendors: 3COM, Snap,
OmniCluster, NetMaster,
Corrent
You can make a network which has deep defenses
Segmentation
VLANs as management
and as security
domains
Wireless
Secure wireless LAN,
using 802.1X and/or
802.11i and/or IPsec
Multi-Level Security
Push ACLs everywhere
they can go,
dynamic, too.
The
Network
IDS/IPS
Intrusion Detection
and Prevention
for forensics and
prevention
Layer 2
Authentication
802.1X Network Login
authenticates
users
Internal Security
Embedded Firewall
secures desktops
and servers
Perimeter
Firewalls
and VPNs
Old Standbys
still useful!
PKI Authentication
Uniform approach to
authentication gives
strongest security
Thank you.
Questions, comments?