
Securing the Borderless Network March 21, 2000 Ted Barlow.


1 Securing the Borderless Network
March 21, 2000
Ted Barlow

2 Introduction
The Internet has fundamentally changed the way networks are designed and secured.
(Slide footer: Securing the Network. Copyright 2000, Deloitte Touche Tohmatsu.)

3 Old Model: How things used to be...
- single host environment
- mainframe security systems
- hierarchical controls
- well-defined access paths
- dumb terminals
- centralized storage/processing of data

4 “New” Old Model: “Fortress” Security Model
(diagram) Internet - Firewall - Internal Network. Protocols passing the firewall: SMTP, FTP, HTTP.

5 New Model: “Freeway” Security Model
(diagram) Internet - Firewall - DMZ (Web Server, Application/Database) - Internal Network, with connections to a Vendor Extranet and a Credit Validation Network. Traffic shown crossing the border: HTTP, SSL, Java, ActiveX, SMTP, S/MIME, VPN, H.323, viruses, Trojans.

6 Risks: What are the Risks?
- Denial of Service
- DDOS (Distributed Denial of Service Attacks)
- Defacement: 3693 web server defacements in 1999 (www.attrition.org), 130 of them government sites (.gov)
- Loss of private data: CD Universe (~350,000 credit card numbers)
- Breach of internal networks and systems

7 Design and Build: How do you Build a Secure Internet Application Environment?
- Incorporate security reviews early in the design process
- Design with future strong authentication methods in mind
- Design for explosive growth
- Encrypt the entire path from client to backup tapes for critical data
- Establish security baselines and perform security hardening before going live on the Internet

8 Infrastructure: Key Components of the Secure Network
- Border routers
- DMZ
- Firewalls
- Encrypted data paths
- Intrusion Detection System (IDS)
- Content Security (CVP)

9 Firewalls: The Firewall/DMZ Environment
- Begin with a secure screening router
- Choose a firewall that is extensible and scalable
- Packet filtering vs. application proxy firewalls
- Firewall appliances and next generation firewalls
- Network address translation (NAT) will improve DMZ security
- Build firewall redundancy

10 Firewall Comparison: Choosing the Right Firewall Solution

                            PROS                                CONS
Packet Filters              Application Independent             Low Security
                            High Performance                    No Protection Above Network Layer
                            Scalable
Application-Proxy Gateways  Good Security                       Poor Performance
                            Fully Aware of Application Layer    Limited Application Support
                                                                Poor Scalability
Stateful Inspection         Good Security                       More Expensive
                            High Performance
                            Scalable
                            Fully Aware of Application Layer
                            Extensible
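The "Low Security / No Protection Above Network Layer" entry for packet filters is easiest to see with two toy firewalls side by side. The example below is added here and is not from the slides or any vendor: a stateless header-only filter and a stateful-inspection filter are run over the same constructed packets (RFC 5737 documentation addresses), under one policy that lets internal hosts browse the web and nothing else.

```python
"""Packet filter vs. stateful inspection: an added toy comparison.
Both "firewalls" are plain Python; the packets are constructed for the demo."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal TCP header view: addresses, ports, direction and SYN flag."""
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "out" = internal host -> Internet, "in" = Internet -> internal host
    syn: bool = False   # True on the first segment of a new connection


# Policy for both models: internal hosts may reach web ports only.
WEB_PORTS = {80, 443}


def stateless_filter(pkt):
    """Header-only rules with no memory between packets.

    To let web replies back in, the filter must admit every inbound packet
    whose *source* port is 80 or 443. It cannot distinguish a real reply
    from an unsolicited inbound packet that merely uses source port 80."""
    if pkt.direction == "out":
        return pkt.dport in WEB_PORTS
    return pkt.sport in WEB_PORTS


class StatefulFirewall:
    """Remembers connections opened from inside; inbound traffic must match one."""

    def __init__(self):
        # entries: (internal ip, internal port, external ip, external port)
        self.connections = set()

    def decide(self, pkt):
        if pkt.direction == "out":
            if pkt.dport not in WEB_PORTS:
                return False
            if pkt.syn:   # record the connection the inside host just opened
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # inbound: accepted only as the reverse direction of a known connection
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections


# Constructed traffic (RFC 5737 documentation addresses).
INSIDE, WEB, OUTSIDER = "192.0.2.10", "198.51.100.20", "203.0.113.66"
SCENARIO = {
    "client_syn":     Packet(INSIDE, 51000, WEB, 443, "out", syn=True),
    "server_reply":   Packet(WEB, 443, INSIDE, 51000, "in"),
    # unsolicited inbound packet to an internal admin port, source port 80
    "unsolicited_in": Packet(OUTSIDER, 80, INSIDE, 3389, "in"),
    # a "reply" for a connection no inside host ever opened
    "stale_reply":    Packet(WEB, 443, INSIDE, 51001, "in"),
}


def run_scenario():
    """Return each packet's verdict under both models, in scenario order."""
    stateful = StatefulFirewall()
    verdicts = {}
    for name, pkt in SCENARIO.items():
        verdicts[name] = {
            "stateless": stateless_filter(pkt),
            "stateful": stateful.decide(pkt),
        }
    return verdicts


if __name__ == "__main__":
    for name, v in run_scenario().items():
        fmt = lambda ok: "ALLOW" if ok else "DENY"
        print(f"{name:15s} stateless={fmt(v['stateless']):5s} stateful={fmt(v['stateful'])}")
```

Both models pass the legitimate request and its reply. Only the stateful model rejects the two inbound packets that no inside host asked for, which is the "Good Security" the table credits to stateful inspection; the "More Expensive" column is the connection table it has to keep.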

11 IDS: Is Intrusion Detection Necessary?
- Definition: the ability to detect and defend against defined attack patterns
- Host based and network based
- Network IDS can be integrated with firewalls to automatically respond to attacks
- Host based IDS can detect changes to operating system programs and configurations

12 Design Case Study (diagram)
Zones labelled Outside, DMZ and Inside. Components: Internet, External Router, Internet Web Server, Intranet Web Server, Intrusion Detection System (IDS), Internal Router, Application/Database Server, Backup Server, Internal Network.

13 Design Case Study (diagram)
Components: Internet, External Router, Web Server, IDS, App Server, Backup Server, Internal Router, Internal Network, IDS Console, CVP Server. DMZ and NAT labels each appear twice.

14 Maintenance: How do you Maintain a Secure Internet Application Environment?
- Keeping ahead of security exploits is a full time job
- Actually review and report on firewall, IDS and system logs
- Develop incident response (IR) procedures and an IR team
- Periodically review and audit system and network security configurations
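"Actually review the logs" is the step most often skipped, so here is what a minimal review pass can look like. This example is added and is not from the presentation: the log lines and their field layout are constructed for the demo (no vendor's real format), and the two patterns it flags, one external source denied on many distinct ports and any internal host denied on an outbound connection, are the kind of thing a reviewer would escalate.

```python
"""Minimal firewall log review: added example with constructed log lines."""
import re
from collections import defaultdict

# Constructed firewall log (RFC 5737 documentation addresses). Last line is
# deliberately malformed to show that parsing failures are counted, not hidden.
SAMPLE_LOG = """\
Mar 21 09:00:01 fw1 ALLOW TCP 192.0.2.10:51000 -> 198.51.100.20:443
Mar 21 09:00:03 fw1 DENY  TCP 203.0.113.66:40001 -> 198.51.100.5:21
Mar 21 09:00:03 fw1 DENY  TCP 203.0.113.66:40002 -> 198.51.100.5:22
Mar 21 09:00:04 fw1 DENY  TCP 203.0.113.66:40003 -> 198.51.100.5:23
Mar 21 09:00:04 fw1 DENY  TCP 203.0.113.66:40004 -> 198.51.100.5:25
Mar 21 09:00:05 fw1 DENY  TCP 203.0.113.66:40005 -> 198.51.100.5:110
Mar 21 09:00:05 fw1 DENY  TCP 203.0.113.66:40006 -> 198.51.100.5:143
Mar 21 09:00:09 fw1 ALLOW TCP 203.0.113.9:52222 -> 198.51.100.5:80
Mar 21 09:01:10 fw1 DENY  UDP 203.0.113.9:53 -> 198.51.100.5:53
Mar 21 09:01:12 fw1 DENY  TCP 192.0.2.44:60000 -> 203.0.113.200:6667
this line is not a firewall record
"""

# Field layout of the constructed format above (not a real vendor format).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) (?P<action>ALLOW|DENY)\s+"
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

INTERNAL_PREFIX = "192.0.2."   # constructed internal address range


def parse(log_text):
    """Return (records, malformed_count); well-formed lines become dicts."""
    records, bad = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            bad += 1
            continue
        r = m.groupdict()
        r["sport"], r["dport"] = int(r["sport"]), int(r["dport"])
        records.append(r)
    return records, bad


def review(log_text, scan_threshold=5):
    """Summarise denies per source and flag two patterns for a human to look at:
    a source denied on >= scan_threshold distinct ports (port-scan shape), and
    any internal host denied while connecting outbound (policy violation or
    a compromised host trying to talk out)."""
    records, bad = parse(log_text)
    denied_ports = defaultdict(set)
    internal_outbound_denies = []
    for r in records:
        if r["action"] != "DENY":
            continue
        denied_ports[r["src"]].add(r["dport"])
        if r["src"].startswith(INTERNAL_PREFIX):
            internal_outbound_denies.append((r["src"], r["dst"], r["dport"]))
    probable_scans = sorted(src for src, ports in denied_ports.items()
                            if len(ports) >= scan_threshold)
    return {
        "records": len(records),
        "malformed": bad,
        "distinct_denied_ports": {s: len(p) for s, p in denied_ports.items()},
        "probable_scans": probable_scans,
        "internal_outbound_denies": internal_outbound_denies,
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The threshold and the internal prefix are the two knobs a real deployment would tune; the point of the exercise is that the "report" the slide asks for comes out of a repeatable pass over the log rather than from someone eyeballing raw lines.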

15 Future Developments: What is coming in Network Security?
- Better, cheaper authentication mechanisms
- Open network security models
- System and application level “firewalls”
- Windows 2000

16 Future Developments: Windows 2000 Security
- Kerberos Authentication Infrastructure
- Certificate Authority (CA)
- Security Configuration Editor
- IPSec Support
- Encrypting File System (EFS)

17 Future Developments: Kerberos Authentication
Windows 2000 supports several authentication models: Kerberos for internal authentication and X.509 certificates for external authentication. Kerberos can be configured to use private or public key authentication. Keys are managed by the Domain Controller (DC) in the Key Distribution Center (KDC). A user is granted a ticket or certificate which permits a session between the user and the server.
Important security considerations:
- The KDC MUST be physically secured
- Susceptible to password dictionary attacks
- Administrators still have complete access

18 Future Developments: Certificate Authority (CA)
This is a Public Key Certificate Server built into Windows 2000. The server manages the issuing, renewal, and cancellation of digital certificates. Digital certificates are used to initiate encrypted sessions such as Secure Sockets Layer (SSL) for secure web-based communications.

19 Future Developments: Security Configuration Editor
This is a Microsoft Management Console (MMC) tool that eases security administration. It allows administrators to create security baselines by defining templates with global security parameters, and then perform security analyses against the templates. It manages security policies, file system access control, and Registry permissions.

20 Future Developments: Internet Protocol Security (IPSec)
Defines security policies at the lowest possible layer: the network communication layer. Enables encryption and decryption of network packets before they leave the network interface card (NIC). Supports the use of public keys (RSA) or private keys (DES).

21 Future Developments: Encrypting File System (EFS)
Allows users to encrypt files and directories that only they (and administrators) can decrypt. EFS creates a separate 56-bit encryption key based on the Data Encryption Standard (DES) algorithm. The administrator’s key can unlock any encrypted file in the domain. This service is very fast and encryption/decryption occurs without the user noticing.
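The security-relevant part of the EFS design described above is the key structure: a separate key per file, stored wrapped under the user's key and again under an administrative recovery key, which is exactly why the administrator's key can open every file in the domain and must itself be tightly protected. The example below is added here and is not Microsoft's code or the slide's: it reproduces that structure with a toy cipher built from HMAC-SHA256 (not DES, and not 56-bit), with all keys constructed for the demo.

```python
"""EFS-style per-file key with user and recovery wrapping: an added illustration.
Toy cipher (HMAC-SHA256 in counter mode plus a MAC); shows key structure only."""
import hashlib
import hmac
import os


def keystream(key, nonce, length):
    """Toy stream cipher keystream: HMAC-SHA256 over nonce||counter blocks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal(key, plaintext):
    """Encrypt under a fresh random nonce, then MAC nonce||ciphertext."""
    nonce = os.urandom(12)
    ct = xor(plaintext, keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def open_sealed(key, box):
    """Return the plaintext, or None if the key is wrong or the box was altered."""
    expected = hmac.new(key, b"tag" + box["nonce"] + box["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, box["tag"]):
        return None
    return xor(box["ct"], keystream(key, box["nonce"], len(box["ct"])))


def encrypt_file(plaintext, user_key, recovery_key):
    """EFS-style record: content under a fresh file key; that file key is then
    wrapped once per principal allowed to decrypt (the user and the recovery
    agent). Adding a principal means adding a wrapped copy, not re-encrypting."""
    file_key = os.urandom(32)
    return {
        "content": seal(file_key, plaintext),
        "wrapped_keys": {
            "user": seal(user_key, file_key),
            "recovery": seal(recovery_key, file_key),
        },
    }


def decrypt_file(record, principal, key):
    """Unwrap the file key with the principal's key, then open the content."""
    box = record["wrapped_keys"].get(principal)
    if box is None:
        return None
    file_key = open_sealed(key, box)
    if file_key is None:
        return None
    return open_sealed(file_key, record["content"])


def demo():
    """Constructed keys: the owner, the domain recovery agent, and an unrelated user."""
    user_key = hashlib.sha256(b"owner long-term key (constructed)").digest()
    recovery_key = hashlib.sha256(b"recovery agent key (constructed)").digest()
    other_key = hashlib.sha256(b"unrelated user key (constructed)").digest()
    record = encrypt_file(b"payroll spreadsheet contents", user_key, recovery_key)
    return {
        "user": decrypt_file(record, "user", user_key),
        "recovery": decrypt_file(record, "recovery", recovery_key),
        "other_user": decrypt_file(record, "user", other_key),
    }


if __name__ == "__main__":
    for who, result in demo().items():
        print(f"{who:10s} -> {result!r}")
```

The recovery wrap is what makes the administrator's key a single point of compromise for every encrypted file: whoever holds it needs nothing else. In the toy, the MAC check also means a wrong key fails cleanly instead of producing garbage that could be mistaken for a corrupted file.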

22 Summary of Best Practices
- If possible, create a separate trusted network (DMZ)
- Choosing the right firewall solution is key
- Application security is only as strong as system and network security
- Design the infrastructure to facilitate monitoring and data backups
- Intrusion Detection Systems: you can’t defend what you don’t detect

23 Questions?
Contact: Ted Barlow, tbarlow@dttus.com
Thank You
