SAFE AND SOUND
INTRODUCTION
  Elements of Security Auditing
  Applications to Customers' Network

Modular Approach
  User layer ... Server layer ... Network layer
  ... interconnects (cabling) ...

User Layer
  Thin-clients, or physically-secure workstations
  Login + passworded access
  Access only to relevant services, applications
  Run background malware prevention software

Server Layer
  Remove unnecessary services
  User groups to match physical topology
  Don't run services as root / admin
  Run OS as read-only

Network Layer
  Backup IOS, OS, data
  Distribute & centralise topology (failover, and ordered & documented design & layout)
  Use firewalls & logging
  Use IDS, IPS, traffic monitoring

Cabling
  Use more secure cable types
  Use patch-panels and colour-coding
  Layouts that make testing, fault-finding easy
Security Considerations
Network Threats: Viruses
  Tend to be inadvertently activated
  ... or may be installed deliberately

Network Threats: Worms
  Travel the internet, scanning for vulnerabilities
  Often disrupt networks by flooding, forking

Network Threats: Spiders and webbots
  Can be used maliciously –
  Automated signups, website duplication, spam

Network Threats: Trojans
  Masquerade as regular software
  Tend to allow attacker to control infected machine

Network Threats: Spyware and Phishing
  Information stealing, user profiling
  Used in advert targeting, spam, ID theft

Network Threats: Spam
  Can contain other malware
  Congests networks

Network Threats: Bombs
  Delete traces of intrusions
  Alter logs
  Forensics get-around
Solutions for Customer
  Separate physical network for WAN access
  Honeypot to track & ID intrusions
  Monitoring station for internal LANs

Solutions for Customer: Honeypot
  Mimics internal network or DMZ
  Allows profiling of network threats

Solutions for Customer: SAN - storage area network
  RAID 40 : RAID level 4 & RAID level 0
  4 – block striping with parity: failure tolerant & faster rebuilds
  0 – striping: faster writes

Solutions for Customer: RAID 40
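The RAID 40 slide states the two properties the layout buys: RAID 4 tolerates one failed disk per set (parity is the XOR of the data blocks) and RAID 0 stripes across sets for write speed. The following is an added example, not part of the slides: a toy in-memory simulation that stripes a payload across two RAID 4 sets, fails one disk in each set, serves degraded reads from parity, and rebuilds the lost disks. Block size, disk counts and the payload are constructed for the demo.

```python
# Added example (not from the slides): toy RAID 40 = RAID 0 striping across
# RAID 4 sets, each RAID 4 set being n_data data disks + 1 dedicated parity
# disk. Parity block = XOR of the stripe's data blocks, so any single failed
# disk in a set can be read through, and rebuilt from, the survivors.
from typing import List, Optional

BLOCK = 4  # bytes per block (constructed; tiny so the demo stays readable)


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks together; this is the RAID 4 parity function."""
    out = bytearray(blocks[0])
    for b in blocks[1:]:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


class Raid4:
    """One RAID 4 set: disks[0..n_data-1] hold data, disks[n_data] holds parity."""

    def __init__(self, n_data: int):
        self.n_data = n_data
        self.disks: List[Optional[List[bytes]]] = [[] for _ in range(n_data + 1)]

    def write_stripe(self, blocks: List[bytes]) -> None:
        assert len(blocks) == self.n_data
        for d, blk in enumerate(blocks):
            self.disks[d].append(blk)
        self.disks[self.n_data].append(xor_blocks(blocks))  # parity for this stripe

    def fail_disk(self, idx: int) -> None:
        self.disks[idx] = None  # simulate losing one physical disk

    def read_block(self, d: int, k: int) -> bytes:
        """Data block k of disk d; if disk d is gone, rebuild it from the others."""
        if self.disks[d] is not None:
            return self.disks[d][k]
        others = [disk for i, disk in enumerate(self.disks) if i != d]
        assert all(o is not None for o in others), "RAID 4 tolerates one failure per set"
        return xor_blocks([o[k] for o in others])

    def rebuild(self, idx: int) -> None:
        """Replace failed disk idx by XORing the surviving disks stripe by stripe."""
        survivors = [disk for i, disk in enumerate(self.disks) if i != idx]
        assert all(s is not None for s in survivors), "RAID 4 tolerates one failure per set"
        self.disks[idx] = [xor_blocks([s[k] for s in survivors]) for k in range(len(survivors[0]))]


class Raid40:
    """RAID 0 over RAID 4 sets: stripe number s lands on set s % n_sets."""

    def __init__(self, n_sets: int, n_data: int):
        self.sets = [Raid4(n_data) for _ in range(n_sets)]
        self.n_data = n_data
        self.n_stripes = 0

    def write(self, payload: bytes) -> None:
        stripe_bytes = self.n_data * BLOCK
        padded = payload + b"\x00" * (-len(payload) % stripe_bytes)  # pad to whole stripes
        for s in range(0, len(padded), stripe_bytes):
            chunk = padded[s:s + stripe_bytes]
            blocks = [chunk[i:i + BLOCK] for i in range(0, stripe_bytes, BLOCK)]
            self.sets[self.n_stripes % len(self.sets)].write_stripe(blocks)
            self.n_stripes += 1

    def read(self) -> bytes:
        out = []
        for s in range(self.n_stripes):
            rset = self.sets[s % len(self.sets)]   # which RAID 4 set holds stripe s
            k = s // len(self.sets)                # its index inside that set
            out.extend(rset.read_block(d, k) for d in range(self.n_data))
        return b"".join(out)


def demo() -> dict:
    """Write, fail one disk per set, read degraded, rebuild, read again."""
    payload = b"audit-log-2024-block-striping-with-parity-demo!!"  # constructed, 48 bytes
    arr = Raid40(n_sets=2, n_data=3)
    arr.write(payload)
    intact = arr.read()
    arr.sets[0].fail_disk(1)  # lose a data disk in set 0
    arr.sets[1].fail_disk(3)  # lose the parity disk in set 1
    degraded = arr.read()     # still served: one failure per set is within tolerance
    arr.sets[0].rebuild(1)
    arr.sets[1].rebuild(3)
    rebuilt = arr.read()
    return {"payload": payload, "intact": intact, "degraded": degraded, "rebuilt": rebuilt}


if __name__ == "__main__":
    r = demo()
    print("degraded read matches:", r["degraded"] == r["intact"])
    print("rebuilt read matches:", r["rebuilt"] == r["intact"])
```

The failure tolerance is per RAID 4 set: two disks lost in the same set cannot be reconstructed, which is why the demo fails one disk in each set rather than two in one. The "faster writes" property of the RAID 0 layer shows up as consecutive stripes going to alternating sets.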
Tenable's Security Center
  Each node is a router, hosts behind router

Advisor
  Parallel co-ordinate plot of firewall logs

Flamingo
  Port scan: 1 source, many targets

Rumint Visualisation
  Jamming Attack

Psad
  Nachi worm network behaviour
  Red nodes are ICMP packets

Web server log, Raju Varghese
  Spider attack on web server from single IP
  Red colouration indicates 5xx status codes

fin
  Network monitoring visualisations from: galleries/graph-exchange
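The Flamingo slide shows the port-scan signature (one source fanning out to many targets) and the Psad slide shows a worm's ICMP sweep; both are fan-out per source. As an added example that is not part of the slides, the block below computes that fan-out over constructed iptables-style LOG lines and tags sources that exceed a threshold. The log lines, addresses and thresholds are all constructed for the demo; the field names (SRC, DST, PROTO, DPT) are the ones Netfilter's LOG target emits.

```python
# Added example (not from the slides): per-source fan-out over iptables LOG lines.
# "port-scan" = one source probing many (host, port) pairs;
# "icmp-sweep" = one source sending ICMP to many distinct hosts.
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample log (RFC 5737 / private addresses, invented timestamps).
SAMPLE_LOG = """\
Jan 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.7 PROTO=TCP SPT=40000 DPT=22
Jan 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.7 PROTO=TCP SPT=40001 DPT=80
Jan 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.7 PROTO=TCP SPT=40002 DPT=443
Jan 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.7 PROTO=TCP SPT=40003 DPT=3389
Jan 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.7 PROTO=TCP SPT=40004 DPT=8080
Jan 10 12:00:03 fw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.1.1 PROTO=ICMP TYPE=8 CODE=0
Jan 10 12:00:03 fw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.1.2 PROTO=ICMP TYPE=8 CODE=0
Jan 10 12:00:03 fw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.1.3 PROTO=ICMP TYPE=8 CODE=0
Jan 10 12:00:04 fw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.1.4 PROTO=ICMP TYPE=8 CODE=0
Jan 10 12:00:05 fw kernel: IN=eth0 OUT= SRC=10.0.0.20 DST=10.0.1.7 PROTO=TCP SPT=51000 DPT=443
Jan 10 12:00:06 fw kernel: IN=eth0 OUT= SRC=10.0.0.20 DST=10.0.1.7 PROTO=TCP SPT=51001 DPT=443
"""

# Only the fields we need; SPT is deliberately not captured (\b keeps it out of DPT).
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Return the SRC/DST/PROTO/DPT fields present on one LOG line."""
    return {k: v for k, v in FIELD.findall(line)}


def fan_out(log: str) -> Dict[str, Dict[str, Set]]:
    """Per source: distinct hosts, distinct (host, port) targets, hosts pinged via ICMP."""
    per_src: Dict[str, Dict[str, Set]] = defaultdict(
        lambda: {"hosts": set(), "targets": set(), "icmp_hosts": set()}
    )
    for line in log.splitlines():
        f = parse_line(line)
        if "SRC" not in f or "DST" not in f:
            continue  # not a firewall LOG line
        e = per_src[f["SRC"]]
        e["hosts"].add(f["DST"])
        if f.get("PROTO") == "ICMP":
            e["icmp_hosts"].add(f["DST"])
        elif "DPT" in f:
            e["targets"].add((f["DST"], f["DPT"]))
    return per_src


def classify(log: str, port_threshold: int = 5, host_threshold: int = 4) -> Dict[str, List[str]]:
    """Tag each source whose fan-out crosses a threshold; thresholds are constructed."""
    findings: Dict[str, List[str]] = {}
    for src, e in fan_out(log).items():
        tags = []
        if len(e["targets"]) >= port_threshold:
            tags.append("port-scan")
        if len(e["icmp_hosts"]) >= host_threshold:
            tags.append("icmp-sweep")
        if tags:
            findings[src] = tags
    return findings


if __name__ == "__main__":
    for src, tags in classify(SAMPLE_LOG).items():
        print(src, ",".join(tags))
```

Thresholds are the tuning knob: on a real perimeter the same fan-out computed per minute, with thresholds set from a baseline of normal traffic, is what a parallel-coordinate or node-link view such as those on these slides is drawing.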
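The web-server-log slide visualises a spider hammering a site from one IP, with 5xx status codes picked out in red. As an added example that is not part of the slides, the block below does the same in text: it parses combined-format access log lines, aggregates per client IP, and reports clients whose request rate and 5xx share both exceed thresholds. The log lines, IPs, user agents and thresholds are constructed for the demo.

```python
# Added example (not from the slides): per-client access-log analysis that
# flags the "one IP, burst of requests, many 5xx responses" pattern.
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Optional

# Constructed sample in Apache/nginx "combined" format (RFC 5737 addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:12:00:00 +0000] "GET /page1 HTTP/1.1" 200 512 "-" "fetchbot/1.0"
203.0.113.7 - - [10/Jan/2024:12:00:00 +0000] "GET /page2 HTTP/1.1" 500 120 "-" "fetchbot/1.0"
203.0.113.7 - - [10/Jan/2024:12:00:01 +0000] "GET /page3 HTTP/1.1" 503 120 "-" "fetchbot/1.0"
203.0.113.7 - - [10/Jan/2024:12:00:01 +0000] "GET /page4 HTTP/1.1" 500 120 "-" "fetchbot/1.0"
203.0.113.7 - - [10/Jan/2024:12:00:02 +0000] "GET /page5 HTTP/1.1" 200 512 "-" "fetchbot/1.0"
203.0.113.7 - - [10/Jan/2024:12:00:02 +0000] "GET /page6 HTTP/1.1" 503 120 "-" "fetchbot/1.0"
198.51.100.4 - - [10/Jan/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2024:12:00:09 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line: str) -> Optional[dict]:
    """Parse one combined-format line; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    r = m.groupdict()
    r["status"] = int(r["status"])
    r["ts"] = datetime.strptime(r["ts"], TS_FMT)
    return r


def per_client(log: str) -> Dict[str, dict]:
    """Aggregate requests, 5xx count, distinct paths and time span per client IP."""
    stats: Dict[str, dict] = defaultdict(
        lambda: {"requests": 0, "errors_5xx": 0, "paths": set(), "first": None, "last": None}
    )
    for line in log.splitlines():
        r = parse(line)
        if r is None:
            continue
        s = stats[r["ip"]]
        s["requests"] += 1
        if 500 <= r["status"] < 600:
            s["errors_5xx"] += 1
        s["paths"].add(r["path"])
        s["first"] = r["ts"] if s["first"] is None else min(s["first"], r["ts"])
        s["last"] = r["ts"] if s["last"] is None else max(s["last"], r["ts"])
    return stats


def suspected_spiders(log: str, min_requests: int = 5, min_5xx_share: float = 0.4,
                      min_rate: float = 1.0) -> Dict[str, dict]:
    """Clients with enough volume, a high 5xx share and a high request rate (req/s)."""
    out: Dict[str, dict] = {}
    for ip, s in per_client(log).items():
        span = (s["last"] - s["first"]).total_seconds()
        rate = s["requests"] / max(span, 1.0)       # avoid dividing by a zero-length span
        share = s["errors_5xx"] / s["requests"]
        if s["requests"] >= min_requests and share >= min_5xx_share and rate >= min_rate:
            out[ip] = {"requests": s["requests"], "errors_5xx": s["errors_5xx"],
                       "share_5xx": round(share, 2), "rate_per_s": round(rate, 2),
                       "distinct_paths": len(s["paths"])}
    return out


if __name__ == "__main__":
    for ip, info in suspected_spiders(SAMPLE_LOG).items():
        print(ip, info)
```

The 5xx share matters as much as the volume: a crawler that walks every link, including ones that trigger server errors, is both the red colouration on the slide and a load problem worth rate-limiting at the edge.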