1
Network Policy (slides by Jeremy, Brian, and Daniel)
2
What Network Policy IS
Includes a set of preconditions required for network access and to maintain that access (access policy)
Some Examples:
– Must be running the organization’s specified antivirus product with latest virus definitions
– Must have personal firewall enabled
  Egress/ingress, particular ports, protocols, etc.
– Must pass a scan for known vulnerabilities (like CMU)
3
What Else Network Policy IS
Specifies access controls for systems and resources
Examples:
– Bank teller can only connect to the bank network during regular business hours
– Staff not employed by the payroll department must not access payroll records.
4
Anything Else?
What is allowed on the network
– Hotmail, Ebay, Ameritrade, Pornography?
What is monitored
– How long do you keep the logs
– What do you do with them after that time period
– Who handles these logs
– Who is responsible for auditing them
5
Network Policy is NOT
A firewall, IDS, IPS, etc
A certification
Something you download and print
Something you purchase
It is a custom tailored process!
6
The IKEA Analogy for Network Policy
No policy is like having no instructions for securing the network
Seems simple but actually a million complicated pieces with complex interactions
“Universal Tool” – Not the best solution
It works great until it falls apart and needs to be redone the right way
– Find out what those extra parts do after the fact
Frustrating? Quality Issues?
7
But Policy is Just Paper
True, policy needs to be enforced
– People are either ignorant of or don’t care what is on the paper.
– Survey: Who knows CMU’s Network Policy?
How to enforce Network Policy?
– Technology: firewalls, ACLs, Nessus, card readers, network monitors, encryption, active directory etc.
Can’t effectively deploy these tools without policy
– Can’t build sturdy furniture (security) without directions (policy)
– Policy = Directions
8
Designing Network Policy
Very specific to the organization’s needs
No “one size fits all”
Try to follow best practices
– Least Privilege
– Defense in Depth
– ACTIVE MONITORING
  Build this into the policy!
Threats constantly evolve, security must do the same.
9
The Case: Issues to Consider
Least Privilege
– Sponsors – “What do you mean I can’t do xyz, I paid for this thing to happen!”
– Money Talks, but making exceptions can break down security of entire system
People want money spent on something visible
– Make case for security supporting visibility? Does it?
People want invisible security
If it is a hassle, they will circumvent it
– Media – use venue as backdoor
10
More Issues: Insiders
Organizations implicitly trust them
Intimate knowledge of system and its weak points
May be sympathetic to protesters
Physical access to critical areas
– Easy to plug in a rogue WAP on the wired network
Many new temporary employees
– Where is their loyalty?
11
Showdown: Wireless Policy VS
12
Wireless Policy Considerations
Basic requirements for event
– Can enough cable be run at the venue to support all wired connections?
– Do the participants need wireless? Why?
Who is in charge?
– Delegate who is in charge and who takes responsibility for problems
  Establishes accountability and point of contact
13
What is the Risk?
Perform a Risk Assessment
– Potential Threats: DoS, Session hijacking, sniffing, MITM, ad-hoc connections
  Wardrive/Warwalk to determine physical exposure
– What is the wireless going to be used for?
  casual websurfing (low risk)
  Media/sponsor access (medium risk)
  Confidential scheduling and voting (high risk)
– How frequently to assess risk?
Do the threats outweigh the benefits?
See NIST 800-30 for more formal information
14
Consider Wireless Topology
Network Topology
– Wireless as untrusted network
– Wired as trusted network
– Separate them with a gateway
– Install filter to control/monitor traffic at that junction
Active monitoring goes in the wireless policy!
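The gateway filter from this slide, written out as an added nftables example (not part of the original slides). The interface names wlan0 and eth0, the 10.0.10.0/24 wired subnet and the resolver and proxy addresses are assumptions chosen for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example: filter on the gateway that joins the untrusted wireless
# segment to the trusted wired segment.
# Assumed names (placeholders, not from the slides):
#   wlan0       interface facing the wireless segment
#   eth0        interface facing the wired segment (10.0.10.0/24)
#   10.0.10.53  internal DNS resolver
#   10.0.10.80  web proxy listening on tcp/3128

table inet wifi_gateway {
    chain forward {
        # Default deny: anything not explicitly allowed is dropped.
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were already permitted.
        ct state established,related accept
        ct state invalid drop

        # Least privilege: wireless clients reach only named services
        # on the wired side, nothing else.
        iifname "wlan0" oifname "eth0" ip daddr 10.0.10.53 udp dport 53 accept
        iifname "wlan0" oifname "eth0" ip daddr 10.0.10.53 tcp dport 53 accept
        iifname "wlan0" oifname "eth0" ip daddr 10.0.10.80 tcp dport 3128 accept

        # Active monitoring: count and log (rate limited) every other
        # attempt to cross from wireless, then drop it explicitly.
        iifname "wlan0" limit rate 10/second log prefix "wifi-gw-drop: "
        iifname "wlan0" counter drop

        # New connections from wired toward wireless fall through to
        # the default drop policy above.
    }
}
```

The log prefix gives the monitoring process one string to search for, which ties the filter back to the log-handling questions the policy has to answer (who reads these entries and how long they are kept).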
15
Other Considerations
How to Authenticate
– Cost, ease of implementation, ease of use
– PKI may be too much, Open may be too little
Maintaining Confidentiality
– Encryption – WEP, WPA, IPSec
  Selection based on sensitivity of data
– Key management
  How to distribute
  Can we change it faster than it can be cracked?
Availability
– Most noticeable
– Productivity losses
– Media backlash
16
No WiFi For You!
Do we allow it or not?
Is the threat greater than the benefit?
– Difficult to quantify
Do we also allow limited wired access if wireless goes down?
What if wireless keys are shared with outsiders?
Many other “what if’s”
See NIST 800-48 for a wealth of information
17
This Can Be Really Tough!
Difficulty will cause users to circumvent security measures
Prepare for your first line of defense to fail (D.I.D.)
Perhaps we need something more rigorous
A formal framework with better metrics for making critical decisions
18
Conclusion
Are Network Policies such as the ones described tonight silver bullets??
The answer is NO!!!!
19
Conclusion
These are guidelines that need to be enforced, understood, documented and evaluated constantly because the environmental variables (such as new technology) change over time