Jwp Whitepaper Hoehl Khalil


  • 7/23/2019 Jwp Whitepaper Hoehl Khalil


    Implementing and Automating Critical Control 19: Secure Network Engineering for Next Generation Data Center Networks

    STI Joint Written Project

    Authors: Aron Warren, George Khalil, Michael Hoehl

    Abstract

    This document provides technical and best practice approaches to implement and automate safeguards consistent with control 19, "Secure Network Engineering", of the SANS Twenty Critical Security Controls for Effective Cyber Defense. The scope is the secure design of cutting-edge high speed 40GbE networks designed to host Internet-facing web and mobile applications.

    SANS JWP Implementing and Automating Critical Control 19: Secure Network Engineering for Next Generation Data Center Networks

    1 Executive Summary

    People seem to want to treat computer security like it's rocket science or black magic. In fact, computer security is nothing but attention to detail and good design.

    Marcus J. Ranum

    Next Generation networks will have to defend against many of the same threats targeting today's networks. Modern reconnaissance, discovery, and mapping approaches are versatile and just as effective at higher network speeds. The major difference is the speed of exploitation. Whereas today's network may require a few days to complete a multi-gigabyte data theft attack, poorly designed Next Generation 40 Gigabit Ethernet (40GbE) networks can facilitate this same exploit in just a few seconds. This condition makes the requirement for secure network engineering vital for Next Generation

    Network design is foundational to security controls. Incorporating safeguards at this level is essential to prevent the circumvention of higher level controls. The first and most fundamental requirement is to build a multi-tiered network architecture. To accomplish this, assets of similar value and function are segmented into enclaves. Chokepoints are then created between each enclave. This approach allows access, detective, and preventive controls to be implemented in a logical manner with rapid response to suspected threats. Further, proxies can be introduced at each chokepoint, which further reduces the attack surface.

    The proposed N-Tiered architecture has two silos. The first silo contains the segmented applications. Enclaves for Internet Access, SSL/Proxies, HTTP/API Servers, Web Applications, and Data are recommended. The second silo contains the infrastructure services. Enclaves for Customer Authentication, Network Applications, Management, and B2B connections are recommended in this silo.

    Once the N-Tiered network architecture is in place, additional controls are implemented within each enclave. Controls include centralized authentication, IPS, NAC, malware scanning, data leakage prevention, vulnerability and patch management. These controls are tuned for each enclave to optimize performance and effectiveness.



    Enclaves are interconnected using a security fabric. A security fabric is created by using a switching platform that provides multiple security services across the enclaves. The security fabric includes the familiar firewall capabilities. It is also expanded to provide other security services including network IPS/IDS, web application and database firewalling, in-line malware scanning, and load balancing. By combining all these services within the security fabric, packets can be exchanged beyond 40Gbps through backplane speeds of over 2.3[unit unrecoverable] in June [year unrecoverable]. In [year unrecoverable], only a few vendors are offering products that support 40GbE and adoption by enterprises has been slow. A solution based on functional requirements and product availability is provided in this paper. A Bill of Materials is included in Appendix B.

    Technology is just one part of a triad of considerations. People and process are the other core considerations for this paper's proposed solution. Documentation and procedures are necessary to optimize the existing staff resources. Documentation is living, with regular updates expected from the requirements phase to asset retirement. Automation of processes is necessary at 40GbE. Several approaches are proposed, including engaging Managed Security Service Providers (MSSPs) who must be experienced in 40GbE or higher technologies.

    There are several benefits associated with this secure network engineering of next generation networks. These include improved security, increased design credibility, better manageability, lower total costs, and faster response to threats. Ultimately, adopting these design recommendations will provide a solid foundation for safeguarding infrastructure and data at the highest speeds available today, and tomorrow.

    2 Problem Description

    2.1 Introduction to SANS Critical Security Control 19

    The SANS Institute, in collaboration with many other organizations, extracted twenty critical technical security controls (SANS, [year unrecoverable]) from Revision 3 of the NIST Special Publication 800-


    Specifically mentioned in the control is the use of layered DNS service. This is achieved by only allowing intranet DNS servers to forward unanswerable queries to DNS servers located in a DMZ. In turn, the DMZ DNS server is only allowed to forward requests to the Internet.
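    The two structural rules above, adjacent-only enclave hops from the executive summary's N-Tiered design and the layered DNS forwarding chain from this section, can be checked as policy-as-code before a design is built. The following is an added example, not code from the whitepaper or its authors: the enclave names are the paper's application silo, while the adjacency rule, the DNS role names ("Intranet DNS", "DMZ DNS", "Internet") and the candidate flow list are assumptions constructed for the illustration.

```python
"""Flow-policy check for the N-Tiered enclave design and the layered DNS rule.

Added illustration; not code from the whitepaper or its authors. Enclave names
follow the paper's application silo. The adjacency rule, DNS role names and the
candidate flows are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Application-silo enclaves, ordered from the Internet edge inward (paper's list).
APP_TIERS = ["Internet Access", "SSL/Proxies", "HTTP/API Servers",
             "Web Applications", "Data"]

# Layered DNS from Control 19: intranet DNS forwards only to the DMZ DNS, and
# only the DMZ DNS forwards to the Internet. Role names are assumptions.
DNS_FORWARD_CHAIN = {"Intranet DNS": "DMZ DNS", "DMZ DNS": "Internet"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str = "tcp"


def evaluate(flow: Flow) -> Tuple[bool, str]:
    """Return (allowed, reason) for one candidate flow; default is deny."""
    # DNS forwarding roles: only port 53 to the next hop in the chain.
    if flow.src in DNS_FORWARD_CHAIN:
        next_hop = DNS_FORWARD_CHAIN[flow.src]
        if flow.port != 53:
            return False, f"{flow.src} may only originate DNS (port 53) traffic"
        if flow.dst == next_hop:
            return True, "next hop in the layered DNS chain"
        return False, f"{flow.src} may forward only to {next_hop}"

    # Application tiers: a flow may cross exactly one chokepoint, i.e. move
    # between adjacent enclaves. Skipping a tier would let whoever controls
    # the outer enclave reach an inner one without passing a chokepoint.
    if flow.src in APP_TIERS and flow.dst in APP_TIERS:
        distance = abs(APP_TIERS.index(flow.src) - APP_TIERS.index(flow.dst))
        if distance == 0:
            return True, "same enclave; no chokepoint crossed"
        if distance == 1:
            return True, "adjacent enclaves; crosses one chokepoint"
        return False, f"skips {distance - 1} tier(s) between {flow.src} and {flow.dst}"

    return False, "unknown enclave or role; default deny"


def violations(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Flows the design must not permit, each with the reason it was rejected."""
    rejected = []
    for flow in flows:
        allowed, reason = evaluate(flow)
        if not allowed:
            rejected.append((flow, reason))
    return rejected


# Constructed candidate flows for a design review (not from the paper).
CANDIDATE_FLOWS = [
    Flow("Internet Access", "SSL/Proxies", 443),
    Flow("SSL/Proxies", "HTTP/API Servers", 8443),
    Flow("HTTP/API Servers", "Web Applications", 8080),
    Flow("Web Applications", "Data", 5432),
    Flow("Internet Access", "Data", 1433),          # skips three tiers
    Flow("SSL/Proxies", "Web Applications", 8080),  # skips the API tier
    Flow("Intranet DNS", "DMZ DNS", 53, "udp"),
    Flow("DMZ DNS", "Internet", 53, "udp"),
    Flow("Intranet DNS", "Internet", 53, "udp"),    # bypasses the DMZ resolver
    Flow("Data", "Internet Access", 443),           # data tier talking outbound
]

if __name__ == "__main__":
    for flow, reason in violations(CANDIDATE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.port}/{flow.proto}: {reason}")
```

    Running the block lists the four candidate flows that would defeat the chokepoint design; feeding it the rule base exported from a firewall or the flow matrix from a design document turns the same check into a review gate.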

    To measure the success of the design, port and vulnerability scanners are used to determine the visibility of systems. If unauthorized systems are found, or sensitive data machines, such as database servers, are located and publicly visible, then the scoring of the design takes a noticeable numerical hit.
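    The scoring described above can be automated by comparing an Internet-side scan with the enclave inventory. The following is an added example, not code from the whitepaper or its authors: it applies the paper's two criteria (unauthorized systems found, and sensitive systems such as database servers publicly visible), but the penalty weights, the inventory, and the scan lines (constructed in nmap's grepable output layout) are assumptions made for the illustration.

```python
"""Score an Internet-facing scan against the enclave inventory.

Added illustration; not code from the whitepaper or its authors. The two
criteria come from the paper; the penalty weights, inventory and sample scan
lines below are constructed assumptions.
"""
from typing import Dict, List, Tuple

# Constructed inventory: address -> (enclave, holds sensitive data?).
INVENTORY: Dict[str, Tuple[str, bool]] = {
    "203.0.113.10": ("SSL/Proxies", False),
    "203.0.113.40": ("Data", True),
    "203.0.113.50": ("Web Applications", False),
}

# Constructed scan output in nmap grepable (-oG) layout, taken from an
# Internet vantage point. 203.0.113.25 is deliberately absent from INVENTORY.
SAMPLE_SCAN = """# constructed sample of a scan of 203.0.113.0/24 from the Internet
Host: 203.0.113.10 (proxy1.example.test)\tPorts: 443/open/tcp//https///\tIgnored State: filtered (999)
Host: 203.0.113.25 ()\tPorts: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///
Host: 203.0.113.40 (db1.example.test)\tPorts: 1433/open/tcp//ms-sql-s///
Host: 203.0.113.50 (web1.example.test)\tPorts: 80/closed/tcp//http///
"""

UNAUTHORIZED_PENALTY = 20        # assumption: weight for a system not in inventory
SENSITIVE_VISIBLE_PENALTY = 30   # assumption: weight for a sensitive host reachable


def parse_grepable(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Map each scanned host to its open (port, proto, service) entries."""
    hosts: Dict[str, List[Tuple[int, str, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                       # comments and blank lines
        fields = line.split("\t")
        ip = fields[0].split()[1]          # "Host: <ip> (<name>)"
        open_ports: List[Tuple[int, str, str]] = []
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue                   # e.g. "Ignored State: ..."
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                # port/state/proto/owner/service/rpc/version/
                if len(parts) < 5 or parts[1] != "open":
                    continue
                open_ports.append((int(parts[0]), parts[2], parts[4]))
        hosts[ip] = open_ports
    return hosts


def score_design(scan_text: str,
                 inventory: Dict[str, Tuple[str, bool]]) -> Tuple[int, List[str]]:
    """Start at 100 and deduct for each of the paper's two failure conditions."""
    score = 100
    findings: List[str] = []
    for ip, open_ports in parse_grepable(scan_text).items():
        if not open_ports:
            continue                       # nothing reachable, nothing to score
        ports = ", ".join(f"{p}/{proto} {svc}" for p, proto, svc in open_ports)
        if ip not in inventory:
            score -= UNAUTHORIZED_PENALTY
            findings.append(f"unauthorized system {ip} reachable: {ports}")
            continue
        enclave, sensitive = inventory[ip]
        if sensitive:
            score -= SENSITIVE_VISIBLE_PENALTY
            findings.append(f"sensitive {enclave} host {ip} publicly visible: {ports}")
    return max(score, 0), findings


if __name__ == "__main__":
    total, notes = score_design(SAMPLE_SCAN, INVENTORY)
    print(f"design score: {total}")
    for note in notes:
        print(" -", note)
```

    With the sample input the score drops from 100 to 50: one unknown host answering on the Internet side and one Data-enclave database server with its listener exposed. The proxy and web hosts are reachable on purpose and cost nothing.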

    2.2 Critical Security Control 19 Implementation Challenges

    When designing a secure network, a balance of security, performance and accessibility must be achieved. A perfectly secure network would be air-gapped, with so many controls in place that the functionality would border on unusable. That design is not what this paper strives to achieve. When too many controls are put into place, the performance of the network begins to degrade. This paper's objective is to define a secure network approach that performs at 40 Gbps Ethernet (40GbE) throughput. This meant some of the security controls had to be shifted to specific individual devices in order to ensure the necessary throughput. When single points of failure create too high a risk for loss of availability, redundancy must then be considered. The design presented here does not detail all of the possible redundancy options that could or should be implemented but instead focuses on the theme of Critical Control 19: a design that prevents a hacker from pivoting through the network by minimizing attack points and creating data chokepoints for analysis. Network design must incorporate security controls early in the planning process rather than as an afterthought. By not building security into the project early, higher (and possibly unexpected) implementation costs might occur down the road.

    2.3 Network Challenges for Next Generation Networks

    40GbE and 100GbE, at the time of this writing, are still considered cutting edge technologies with few vendors offering a product line specifically targeting 40GbE. To clarify, this paper focuses on 40GbE in a single pipe as opposed to aggregation of 4 separate 10GbE pipes. Even though switch vendors have been offering 40GbE backplane speeds for several years now, today the chokepoint or bottleneck impacting total throughput is not with the switching fabric. The problem lies with the ability of the other technologies, such as firewall, IDS, IPS and applications, to keep up with the sheer volume of data being thrown at them.

    The level of uncertainty increases relative to speed too. For example, in the past if 1% of traffic was missed on a 100Mbps pipe, this only resulted in an actual uncertainty of 1Mbps. However, this same 1% is equivalent to 100Mbps of unanalyzed traffic at 10GbE and 400Mbps at 40GbE. With an increase in speed, the scale of unanalyzed traffic (uncertainty) scales to an unacceptable level.

    40GbE introduces human capital challenges as well. More traffic, and the associated monitoring, will require additional experienced staff to review the alerts and events that will be created. The 40GbE flows and technologies will also demand a higher skilled staff. Automation will be critical if adding staff is not in the budget.

    Forensics analysis teams are only now beginning to ramp up for 40GbE. Organizations must be careful not to get too far a