EN Spring 2016 Lecture Notes FUNDAMENTALS OF SECURE DESIGN (NETWORK TOPOLOGY)

DESIGNING A SECURE NETWORK Later lectures are going to deal with protecting channels of communication However, the channels are supported by a network topology (architecture) Properly designed topology reduces the burden on the protected channels Today’s focus is the following principles and their contemporary implementations: Separation Isolation Encapsulation and Modularity Layering Minimized Exposure

SEPARATION: THE IDEA Humans have a tendency to “homogenize” and “consolidate” This is especially true when the complexities of an idea are not well understood Some make arguments for efficiency in planning (e.g., Governments) From a security perspective, “separation” is often superior: Separation of duties Separation of users Separation of networks Separation of responsibilities and operations

SEE ALSO: Simplicity of Design Implementation Minimization Failing Safely Least Privilege Minimizing attack surface

SEPARATION OF DUTIES Require more than one person to complete a task In military, for example, requiring two keys to fire a weapon Reduces how much TRUST must be put into a single individual Note: can use crypto to require two keys (e.g., Shamir Sharing)

SEPARATION OF USERS Separating users from data: Users access data via enforced policy Separating user populations: Users interact with each via enforced policy Policy enforcement mechanisms: ACLs Segmented networks/devices Device file-system and memory-system protections

SEPARATION OF NETWORKS Logical separation Physical separation For example, in separate rooms Separated into high/low risk (REDUCING TRUST) DMZ’s are a good example Mechanisms for Logical Separation: VLANs – Layer 2 separation Routers – Layer 3+ separation VPNs – Remote computing separation

VLAN VISUALIZATION VLAN 1VLAN 2VLAN 1VLAN 2 LAN Switch

ROUTER VISUALIZATION LAN LAN LAN LAN Router IP RangeEgress *Port *.*Port 2 InternetPort 3 Internet

VPN VISUALIZATION LAN LAN LAN Router Secure Channel Virtual Adapter (Over Secure Channel)

DMZ VISUALIZATION Internet Router (Firewall) #1 Web Server Server Router (Firewall) #2 Internal LAN DMZ

SEPARATION OF RESPONSIBILITIES A server hosting both the web server and the server is inherently less secure Now, both systems are compromised by vulnerabilities in either In general systems at risk should be have that risk minimized by hosting one thing (LEAST PRIVILEGE) (MINIMIZING ATTACK SURFACE)

ISOLATION Isolation restricts movement into and out of a separated entity If you separate but do not isolate, your separation has less impact Resource isolation separates resources from each other Allows resources to have different access levels Isolation also enables auditing and other control mechanisms Political Analogy: Separation = Borders Isolation = Border Enforcement

ENCAPSULATION AND MODULARITY Consider what happens when a computer visits Does the result depend on the OS running on the server? Does the result depend on whether or not “the server” is one machine or 100? Does the result depend on the network topology (e.g., server is in DMZ)? Like OO programming, network arch. depends on encapsulation and modularity In addition to the efficiency of design, it also supports security: Easier to reason (formally or informally) about security of the interface Easier to hide weak components behind secure façade Easier to swap in and out security components (3 rd party competition) Separation and Isolation depend on this principle

ENCAPSULATION AND PSYCHOLOGY Encapsulation also improves separating the crypto mechanism from the UI The two elements can evolve independently The two elements can be researched by different specialists

LAYERED SECURITY Multiple layers of security, each focused on a different threat Similar, from a certain point of view, to a network stack NOTE: not multiple layers focused on the SAME threat (e.g., two AV software) Sometimes sold by a single company as a “suite” of security applications Generally, for a network, good “layered security” is beyond a single vendor Firewall Anti-virus IDS Host-based protections

RETURN OF THE CONTEXT Getting layered security right really depends on the context Requirements Engineering: Figure out what attacks require protection Implementation: Create a “layer” that protects against each attack Focus that layer on solely that attack (Modularity!) Some professionals prefer “Defense in Depth” Broadest possible view… no “one true philosophy” Really, this is just another way of getting Anderson’s approach DON’T GET STUCK IN CHECK BOXES

MINIMIZING EXPOSURE The number one goal of all network design is minimizing exposure to protected elements BUT REMEMBER: The hardest part is figuring out what needs protected Once you have the requirements figured out, you can use the other principles: Separation Isolation Encapsulation and Modularity Layered Security ALL FOCUSED ON MINIMIZING EXPOSURE OF THE PROTECTED ELEMENTS (Don’t design in stuff just because it’s “cool” or you’ve done it before)

PLAYGROUND: TRY IT OUT! Begin thinking about how you might apply these principles in Playground How can you apply them? For example, how about a PLAYGROUND firewall? You could put your computing node up behind a firewall node. How would a firewall node work? It would take the request, analyze it, and pass it on to the real node You could do purely “network” security and limit the sources and destinations You could try to do application security by examining the data in the packets. Not required, but this is an example of something for the Advanced Features Lab

FIREWALL EXAMPLE IN MORE DETAIL What type of routing will you support? Will you have devices behind the firewall have private PLAYGROUND addresses? If so, you’re going to need to do NAT (Network Address Translation) outbound If so, you’ll need port forwarding inbound

PORT FORWARDING Firewall (public) Outsider Insider (private) Local PortForward To 100Insider at port 1001 Outsider connects to FW on port 100 Firewall connects to Insider on Port 1001 FW session w/ Outsider on port 100 FW session w/ Insider on port SourceForwarding connection Outsider/

NAT Firewall (public) Outsider Insider (private) Firewall connects on Insider’s behalf Insider “connects” to Outsider on port 100, src port FW session w/ Outsider on local port FW records Insider src/dst port Source DataForwarding connection Insider/11111/

OTHER PLAYGROUND OPTIONS Separate remote computation from security systems Separate remote computation from other remote computation based on privilege level Multiple remote computation (load balancing) Separate accounting system from remote computation Separate “networks” for computing and providing computation If providing advanced features, separating them out: File storage (store once, compute many) Computation services (e.g., providing support for graphing)

CITATIONS While not used word-for-word, these two sources assisted me with these slides: defense-in-depth/ defense-in-depth/ Security_Architecture.pdf Security_Architecture.pdf