Firewall, My Son! The Jaws That Bite, The Claws That Catch!*
*With apologies to Lewis Carroll
Who Am I?
Michele Chubirka, aka Mrs. Y.
Senior security architect.
Blogs and hosts Healthy Paranoia, information security podcast channel of Packetpushers.
Researches and pontificates on topics such as security architecture and best practices.
Discussion Points
Beware the proxy server, and shun
The frumious packet filter!
Recent Findings
According to Trustwave's 2012 Global Security Report:
Customer records make up 89% of breached data investigated.
The most common password used by organizations is Password1 because it satisfies the default Microsoft Active Directory complexity setting.
Anti-virus detected less than 12% of malware samples collected during 2011 investigations.
SANS Institute declared the death of AV.
Findings Cont
Only 16% of compromises were self-detected and attackers had an average of 173.5 days before detection.
[Chart residue: two bar charts by year (<2008, 2008, 2009, 2010, 2011, 2012) with percentage values, and a timespan chart of Compromise (n=180) versus Exfiltration (n=39) in seconds, minutes, hours, days, weeks, months and years, with an Overall breakdown by Financial, Espionage and Other. The individual series values cannot be recovered from the extraction.]
Definitions
Defense-in-depth
According to the Committee on National Security Systems Instruction No. 4009, National Information Assurance Glossary, it is defined as:
IA [information assurance] strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of networks.
Defense-in-depth is comprised of multiple types of controls, not only multiples of the same controls.
Definitions Cont
Firewall
From The Oxford American Dictionary:
A wall or partition designed to inhibit or prevent the spread of fire. Any barrier that is intended to thwart the spread of a destructive agent.
A firewall does not prevent a fire.
So rested she by the DMZ,
And stood awhile in thought.
And, as in uffish thought she stood,
The firewall, with eyes of flame,
The Challenge
A Network Security team is responsible for managing the technical or logical controls for accessing data.
They are data custodians for the data owners.
The challenge is to ensure that they closely align the network security segmentation design with an information classification matrix.
Definitions
Compliance - the act of conforming, acquiescing, or yielding. A tendency to yield readily to others, especially in a weak and subservient way. Conformity; accordance: in compliance with orders. Cooperation or obedience.
Security - freedom from danger, risk, etc.; safety. Freedom from care, anxiety, or doubt; well-founded confidence. Something that secures or makes safe; protection; defense. Precautions taken to guard against crime, attack, sabotage, espionage, etc.
From The American Heritage Dictionary
Compliance or Security?
Compliance != Security
Focus on containment.
Improve standardization and documentation.
Gather metrics.
Event monitoring (and no, that doesn't mean email alerts).
Consolidate when possible.
Consistently audit access.
Emphasize a proactive over reactive posture.
SABSA Framework
http://www.opensecurityarchitecture.org/cms/images/OSA_ima...
[Diagram: OSA pattern SP-016, DMZ Module. Zones and components shown: External Services, External Firewall, Bastion Host, IDS/IPS, DNS, Internal Firewall, Internal Services, Trusted network (e.g. CorpNet). Controls annotated on the diagram: AC-04 Information Flow Enforcement; AC-07 Unsuccessful Login Attempts; AU-03 Content Of Audit Records; AU-04 Audit Storage Capacity; AU-05 Response To Audit Processing Failures; AU-06 Audit Monitoring, Analysis, And Repor..; AU-07 Audit Reduction And Report Generation; AU-10 Non-Repudiation; AU-11 Audit Record Retention; CA-03 Information System Connections; CA-04 Security Certification; CA-05 Plan Of Action And Milestones; RA-05 Vulnerability Scanning; SC-05 Denial Of Service Protection; SC-20 Secure Name / Address Resolution ..; SC-21 Secure Name / Address Resolution ..; SC-22 Architecture And Provisioning For Na..; SI-03 Malicious Code Protection; SI-04 Information System Monitoring Tools An..; SI-05 Security Alerts And Advisories; SI-06 Security Functionality Verif..; SI-07 Software And Information Integri..]
Proxy/Gateway/Web
- minimal services
- hardened configuration
- management/monitoring by separate network interfaces/VLAN
http://www.opensecurityarchitecture.org/cms/en/library/patternlandscape/286-sp-016-dmz-module
OSA is licensed according to Creative Commons Share-alike.
Please see: http://www.opensecurityarchitecture.org/cms/about/license-terms.
Where Am I?
Spending quality time in kernel mode practicing and refining my particular form of snark.
www.healthyparanoia.com
Twitter @MrsYisWhy
Google+ MrsYisWhy
networksecurityprincess@gmail.com
chubirka@packetpushers.net
References
Covert, Edwin. Using Enterprise Security Architecture S to Align Business Goals and IT Security within an Organization. Tech. Columbia: Applied Network Solutions, n.d. Print.
Grimes, Roger. "Why You Don't Need a Firewall." InfoWorld. N.p., 15 May 2012. Web. 15 May 2012. <http://www.infoworld.com/d/security/why-you-dont-need-firewall-193153?page=0,1>.
Krebs, Brian. "Krebs on Security." Krebs on Security RSS. N.p., 1 May 2012. Web. 16 Apr. 2013. <http://krebsonsecurity.com/2012/05/global-payments-breach-window-expands/>.
Krebs, Brian. "Krebs on Security." Krebs on Security RSS. N.p., 17 May 2012. Web. 16 Apr. 2013. <http://krebsonsecurity.com/2012/05/global-payments-breach-now-dates-back-to-jan-2011/>.
Lee, Rob. "Blog." Is Anti-Virus Really Dead? A Real-World Simulation Created for Forensic Data Yields Surprising Results. SANS, 9 Apr. 2012. Web. 16 Apr. 2013. <http://computer-forensics.sans.org/blog/2012/04/09/is-anti-virus-really-dead-a-real-world-simulation-created-for-forensic-data-yields-surprising-results>.
M-Trends 2012: An Evolving Threat. Rep. Alexandria: Mandiant, 2012. Print.
"Open Security Architecture." Open Security Architecture. N.p., n.d. Web. 17 Apr. 2013.
Plato, Andrew. "Analysis of the Palo Alto Cache Poison Issue." Anitian Blog. Anitian Security, 3 Jan. 2013. Web. 16 Apr. 2013.
"SABSA." SABSA. N.p., n.d. Web. 17 Apr. 2013.
Trustwave 2012 Global Security Report. Rep. Trustwave, 2012. Web.
Verizon 2013 Data Breach Investigations Report. Rep. Verizon, 2013. Web.
Wan, William, and Ellen Nakashima. "Report Ties Cyberattacks on U.S. Computers to Chinese Military." Washington Post. The Washington Post, 19 Feb. 2013. Web. 16 Apr. 2013. <http://www.washingtonpost.com/world/report-ties-100-plus-cyber-attacks-on-us-computers-to-chinese-military/2013/02/19/2700228e-7a6a-11e2-9a75-dab0201670da_story.html>.
Zetter, Kim. "RSA Agrees to Replace Security Tokens After Admitting Compromise." Wired.com. Conde Nast Digital, 05 June 2011. Web. 16 Apr. 2013. <http://www.wired.com/threatlevel/2011/06/rsa-replaces-securid-tokens/>.