The Institute of Internal Auditors Detroit Chapter Presents
Use Cases – Webinar Series, IIA Detroit Chapter
Webinar #4 – Firewall and Virtualization
If You Have Questions…
Submit Questions and/or Comments via chat
Earning CPE Credit
In order to receive CPE credit for this webcast, participants must:
• Attend the webcast on an individual device (one person per computer/device)
• Answer polling questions asked throughout the webcast
CPE certificates will be sent to the e-mail address on your Zoom account within two weeks of this webinar.
If you are unsure whether the correct email address is on your Zoom account, please send us the correct email in a chat message.
Polling Question #1: Please tell us your member status
A)Member Detroit Chapter
B)Member – Central Region District 2 (Fort Wayne, Toledo, Michiana, W. Mich., Lansing)
C)Member – Other District
D)Non-member
Agenda
• Firewall/Demo – One hour
• Virtualization/Demo – One hour

Firewalls
Firewall – a host (or device) that mediates access to a network, allowing or disallowing certain types of access based on a configured security policy
• Used to allow access to specific ports, protocols, etc.
• Allows outbound traffic; blocks unauthorized inbound traffic
• Is a combination of hardware and software
• Comes “for free” inside many devices: routers, modems, wireless base stations, etc.
• Use firewalls to achieve selective border control
• Prevents specific types of information from moving between the outside world (untrusted network) and the inside world (trusted network)
Firewall Placement
• In border network devices at the edge of your network
• In interior network devices that move traffic from the border into your network
• In a DMZ, a perimeter network segment, bounded by routers/switches and the firewall, that holds the strategic IT assets exposed to the outside
• In separate routers or router combinations that each enclose a segregated portion of the network
• In software firewalls on all the individual workstations
Firewall Placement – Example
Filter traffic going across the perimeter boundary; various levels of sophistication.
[Figure: Internet – Firewall – Intranet]
Firewall Placement – Example DMZ
FirewallIntranet
Desktop
Public WebServer
DNSServer
MailServer
Intranet WebServer
DMZ
11
What Firewalls can’t do
• They are not a panacea – they only add one layer to defense in depth
• If not managed properly, they can provide a false sense of security
• Cannot prevent insider attack
• Firewalls act in a particular layer (or layers): packet filters and stateful firewalls work at Layer 3 (Network) and Layer 4 (Transport); proxies, NGFWs and Web Application Firewalls also inspect Layer 7 (Application)
• Whatever a firewall does not inspect passes through it: an attack carried inside an allowed HTTPS session is invisible to a Layer 3/4 firewall, and to a Layer 7 one without TLS inspection
Firewalls Categorized by Development Era
• First generation: static packet filtering firewalls – allow or deny each packet on its own, by source/destination address, protocol and port
• Second generation: application-level firewalls or proxy servers – terminate the connection and speak the application protocol on the client’s behalf
• Third generation: stateful inspection firewalls – track the state of each connection and admit inbound packets only when they belong to a session that was allowed (e.g. the UDP reply to a query an inside host sent)
• Fourth generation: dynamic packet filtering firewalls – open and close filter rules on the fly so that only packets with a particular source, destination and port are admitted, for the life of a session
• Fifth generation: Next Generation Firewall (NGFW) – adds application identification, intrusion prevention and even built-in Data Loss Prevention (DLP) capabilities
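The difference between the first and third generations above, as an added example that is not part of the original slides: a toy stateless packet filter beside a stateful one, run over four constructed packets (outside addresses from the RFC 5737 documentation ranges; a published web server assumed at 10.0.0.80). Both filters let an inside client’s HTTPS reply back in; only the stateless one also lets in an unsolicited connection to that client’s RDP port, because its “allow replies” rule is necessarily a blanket allow for high ports.

```python
"""Added example: stateless packet filter vs. stateful inspection.
Addresses and the published web server are constructed for the demo."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    inbound: bool = True  # True: arriving from the untrusted side


WEB_SERVER = "10.0.0.80"  # constructed: the one service published to the Internet


def stateless_filter(pkt: Packet) -> bool:
    """First-generation static packet filter: every packet judged on its own.
    Inside hosts use ephemeral source ports for outbound connections, so the
    only way to let replies back in is a blanket allow for inbound packets to
    ports >= 1024. That rule cannot tell a reply from an unsolicited attempt."""
    if not pkt.inbound:
        return True                       # all outbound traffic allowed
    if pkt.dst == WEB_SERVER and pkt.dport == 80 and pkt.proto == "tcp":
        return True                       # published web server
    return pkt.dport >= 1024              # "let replies in": the hole


class StatefulFilter:
    """Third-generation stateful inspection: remember each outbound flow and
    admit an inbound packet only if it matches a flow that was allowed."""

    def __init__(self) -> None:
        self.table: set = set()  # (in_ip, in_port, out_ip, out_port, proto)

    def filter(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return True
        if pkt.dst == WEB_SERVER and pkt.dport == 80 and pkt.proto == "tcp":
            return True
        # A reply mirrors the outbound tuple: its dst/dport are the inside
        # host's src/sport and its src/sport are the outside peer's.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.table


def run_scenario() -> dict:
    """Four packets through both filters; returns {name: (stateless, stateful)}."""
    client_out = Packet("10.0.0.5", 51000, "203.0.113.10", 443, inbound=False)
    reply_in = Packet("203.0.113.10", 443, "10.0.0.5", 51000)
    # Unsolicited inbound TCP to RDP on the same client: nobody inside asked.
    attack_rdp = Packet("198.51.100.9", 40000, "10.0.0.5", 3389)
    # Unsolicited UDP to the high port the client is using: also unasked for.
    attack_udp = Packet("198.51.100.9", 40001, "10.0.0.5", 51000, proto="udp")

    stateful = StatefulFilter()
    results = {}
    for name, pkt in [("client_out", client_out), ("reply_in", reply_in),
                      ("attack_rdp", attack_rdp), ("attack_udp", attack_udp)]:
        results[name] = (stateless_filter(pkt), stateful.filter(pkt))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:11s} stateless={'allow' if stateless else 'deny':5s} "
              f"stateful={'allow' if stateful else 'deny'}")
```

The stateful table here never expires entries; a real implementation ages them out and, for TCP, also checks flags and sequence numbers, which is what makes “stateful” more than a lookup.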
Firewalls Categorized by Deployment Structure
• Most firewalls are appliances: stand-alone, self-contained systems
• A commercial-grade firewall system consists of firewall application software running on a general-purpose computer
• Small office/home office (SOHO) or residential-grade firewalls, aka broadband gateways or DSL/cable modem routers, connect the user’s local area network or a specific computer system to the Internet
• Residential-grade firewall software is installed directly on the user’s system
• Cloud firewalls are implemented in the cloud and integrated with the subscribing organization’s network
Polling Question #2
If I have a Next Generation Firewall installed in my network, I don’t need anything else: my network is protected with the latest technology
a) True
b) False
Selecting the Right Firewall
When selecting a firewall, consider a number of factors:
– Which firewall offers the right balance between protection and cost for the needs of the organization?
– What features are included in the base price and which are not?
– Ease of setup and configuration? How accessible are staff technicians who can configure the firewall?
– Can the firewall adapt to the organization’s growing network?
Configuring and Managing Firewalls
• Each firewall device must have its own set of configuration rules regulating its actions
• Firewall policy configuration is usually complex and difficult
• Configuring firewall policies is both an art and a science
• When security rules conflict with the performance of business, security often loses
Best Practices for Firewalls
• All traffic from the trusted network is allowed out
• The firewall device is never directly accessed (managed) from the public network
• Simple Mail Transfer Protocol (SMTP) data is allowed to pass through the firewall, but only to the mail server (e.g. in the DMZ), not to arbitrary internal hosts
• Internet Control Message Protocol (ICMP) data is denied (ping is ICMP; ICMP can be used for simple DoS and for network reconnaissance)
• Telnet access to internal servers should be blocked; use SSH
• The FTP protocol should be blocked; use SFTP (file transfer over SSH) instead
• When Web services are offered outside the firewall, HTTP traffic should be denied from reaching internal networks
Best Practices for Firewalls
Security Activity
• Deny all traffic by default and then add rules for what needs to be allowed
• Use NGFW firewalls instead of packet filters, except for border routers
• Firewall configuration backups should not be stored only in the network protected by the same firewall
• Maintain a network application matrix (which applications need which protocols/ports between which hosts) in a table and make this matrix available to firewall administrators
• Perform a quarterly review of firewall policies
• Provide high availability and redundancy
• Install a firewall in front of any subnet classified as critical
• Use the principle of least privilege: allow the minimum number of protocols from the minimum number of sources to the minimum number of destinations
• At a minimum, block ingress access to the following ports:
  TCP: 135, 137, 138, 139, 445, and 3389
  UDP: 135, 137, 138, 139, 445, and 3389
  This prevents Windows remote logins (RPC endpoint mapper/RDP) and file sharing (NetBIOS/SMB) through the firewall
Best Practices for Firewalls
Security Activity
• Install and configure a Web Application Firewall (WAF) in front of web applications
• Perform a periodic penetration test of the firewall
• Only VPNs should be used to bypass firewall policies
Audit Considerations
• Review the organization’s security policies and procedures and verify that the policies are implemented in the firewall(s)
• Obtain and review network diagrams
• Verify that logging is enabled in the firewall(s)
• Review the log monitoring process and procedures
• Obtain and review the last vulnerability scan and penetration test reports
• Identify all allowed VPN entries
• Obtain and review the firewall vendor information
• Verify that default passwords have been changed
• Review the change management process for rule and configuration changes
• Verify that the firewall is physically secure
• Identify redundant rules, unused objects and unused connections, and have those removed
• Review the ACLs implemented
• Identify who has access to the firewall and who can make changes to the firewall
Audit Considerations…(cont’d)
• Consider using Center for Internet Security (CIS) benchmarks to secure the firewall
• Consider using automated tools to audit firewalls
  – Firewall rules and configuration information may run to many pages
  – Firewall rules may not have been documented
• If you have many firewalls, consider bringing in a 3rd party, with access to a tool, to review the firewalls
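One way to mechanize several of the best-practice and audit checks above (default deny, least privilege, the Windows ports block list, redundant rules), as an added example that is not part of the original slides: a small first-match rule-set auditor in Python. The Rule format and the sample rule set are constructed for this example; real firewalls export rules in vendor-specific formats, so only the loader would change. It reports a rule that can never fire because an earlier rule covers everything it matches, and simulates an untrusted host probing an internal host on each port in the block list.

```python
"""Added example: audit a first-match firewall rule set against the slide's
checklist. Rule format and sample rules are constructed, not a vendor export."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" | "deny"
    proto: str    # "tcp" | "udp" | "icmp" | "any"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    dport: str    # "any", "80", or "1-1023"


WINDOWS_PORTS = (135, 137, 138, 139, 445, 3389)   # from the slide


def _ports(spec: str) -> range:
    if spec == "any":
        return range(0, 65536)
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)


def _net(spec: str):
    return ip_network("0.0.0.0/0") if spec == "any" else ip_network(spec)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    po, pi = _ports(outer.dport), _ports(inner.dport)
    return ((outer.proto == "any" or outer.proto == inner.proto)
            and _net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and po.start <= pi.start and po.stop >= pi.stop)


def first_match(rules, proto, src_ip, dst_ip, dport):
    """First-match semantics: the first rule that matches the packet decides."""
    for r in rules:
        if (r.proto in ("any", proto)
                and ip_address(src_ip) in _net(r.src)
                and ip_address(dst_ip) in _net(r.dst)
                and dport in _ports(r.dport)):
            return r
    return None


def shadowed_rules(rules):
    """Rules that can never fire because an earlier rule covers them entirely:
    the 'redundant rules' the audit checklist says to remove."""
    return [r.name for i, r in enumerate(rules)
            if any(covers(e, r) for e in rules[:i])]


def any_any_allows(rules):
    """Allow rules with no restriction at all: the opposite of least privilege."""
    return [r.name for r in rules if r.action == "allow"
            and r.proto == r.src == r.dst == r.dport == "any"]


def ends_with_default_deny(rules) -> bool:
    last = rules[-1]
    return last.action == "deny" and covers(last, Rule("", "allow", "any", "any", "any", "any"))


def exposed_windows_ports(rules, untrusted_src="203.0.113.7", internal_dst="10.0.0.20"):
    """Probe one internal host from an untrusted address on each Windows port and
    report every proto/port that is allowed or falls off the end of the list."""
    exposed = []
    for proto in ("tcp", "udp"):
        for port in WINDOWS_PORTS:
            hit = first_match(rules, proto, untrusted_src, internal_dst, port)
            if hit is None or hit.action == "allow":
                exposed.append(f"{proto}/{port}")
    return exposed


# Constructed sample rule set, evaluated top to bottom.
SAMPLE_RULES = [
    Rule("web-in",       "allow", "tcp", "any",         "10.0.0.80/32", "80"),
    Rule("rdp-admin",    "allow", "tcp", "any",         "10.0.0.0/24",  "3389"),  # too broad
    Rule("lan-out",      "allow", "tcp", "10.0.0.0/24", "any",          "any"),
    Rule("lan-https",    "allow", "tcp", "10.0.0.0/24", "any",          "443"),   # shadowed by lan-out
    Rule("default-deny", "deny",  "any", "any",         "any",          "any"),
]


def audit(rules=SAMPLE_RULES) -> dict:
    return {
        "default_deny": ends_with_default_deny(rules),
        "any_any_allows": any_any_allows(rules),
        "shadowed": shadowed_rules(rules),
        "exposed_windows_ports": exposed_windows_ports(rules),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result}")
```

On the sample set the auditor reports that the list does end in a default deny, that `lan-https` is dead (shadowed by `lan-out`, so it only clutters the review), and that `rdp-admin` exposes TCP/3389 on every internal host to the whole Internet. Shadowing is only one kind of redundancy; rules that are partially overlapped, or whose objects no longer resolve to any host, need a richer model.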
Polling Question #3
Firewalls should never be available for access from public networks
a) True
b) False

Polling Question #4
To have a layered defense, an organization must consider implementation of:
a) Firewalls
b) DMZ
c) IDS/IPS
d) All of the above
Demo 1 – Windows Defender Firewall
Demo 2 – Enterprise Firewall – VyOS
• Open source – originally Vyatta
• Router and firewall, Linux based
• Available features:
  – Routing
  – Firewall and NAT
  – VPN
  – Network services (DNS forwarding, DHCP, NetFlow, etc.)
• Enabled modules can also include IDS
• Cloud support
Demo 2 – Enterprise Firewall – VyOS...(cont’d)
[Figure: demo topology – Internet – Gateway – Primary Firewall / Secondary Firewall]

Virtualization
What is Virtualization?
The creation of virtual resources such as servers, desktops, switches, storage, etc., used to address the computing needs of the organization.
– Abstraction of the hardware
– The VM is stored as a file on the disk
Goals of Virtualization
– Scalability
– Workload Management
– Security
Types of Virtualization
• Desktop Virtualization
• Server Virtualization
• Network Virtualization
• Storage Virtualization
• Application Virtualization
Containers
• Lightweight alternatives to fully virtualized machines
• An abstraction at the application layer – packages an application with all its dependencies in its own namespace
• Available in Linux, Windows, Cloud and Datacenter
• Containers virtualize the OS instead of the hardware
• Containers are more portable than VMs
• Used in development environments on a single application
• Take up less space
• All containers on a host share the host kernel, so a kernel vulnerability or a misconfigured (e.g. privileged) container affects every container on that host; isolation is weaker than a VM’s
[Figure: Infrastructure → Host OS → Docker → App A, App B, App C, App D]
Desktop Virtualization
• VMware Workstation (Local)
• Microsoft Virtual PC (Local)
• Citrix XenDesktop (Centralized)
Desktop Virtualization Architecture
[Figure: physical layer – Hardware, Host OS, Virtual Machine Manager; virtual layer – three Virtual Machines, each with a Guest OS (VMware ESX, Windows, Linux) and Applications]
Comparison
VMware Workstation
– Costs more
– More host & guest support
– Better features (snapshots, USB)
– 64-bit hosts and guests
Microsoft Virtual PC
– Free
– Less host & guest support
– Fewer VM features and capabilities
Benefits from Virtualization
• Save money and energy
• Simplify management
Polling Question #5
One of the benefits of virtualization is the cost savings
a) True
b) False
Components of Virtual Machines
• Configuration file
• Hard disk file(s)
• Virtual machine state file
• In-memory file
Some Virtual Platforms
VMware
– Majority-owned by Dell at the time of this webinar; acquired by Broadcom in 2023
– Runs on Windows and Linux (Workstation), on bare metal (ESXi) and in the cloud
– More 3rd-party products designed for it
Hyper-V
– By Microsoft
– Virtualizes x86-64 systems
– Has server and desktop (client) versions
– Less expensive to deploy
VirtualBox
– Open source (GPL base package); originally by Innotek, then Sun Microsystems
– Now owned by Oracle
– Runs on Windows, macOS, and Linux
Kernel-based Virtual Machine (KVM)
– Open Source
– Merged into the mainline Linux kernel (2.6.20, 2007)
– Turns Linux into a hypervisor
Proxmox Virtual Environment
– Open Source
– Linux based (QEMU/KVM/LXC)
– Manages virtual servers, containers, storage, network, etc.
– Web-based interface
Uses
• Development
• Testing
• Training
• Production Applications

Virtualization Types
• Hosted
• Native or Bare-metal
Hosted Virtualization
• VMware Workstation
• Oracle VirtualBox
Hosted Virtualization Architecture
[Figure: physical layer – Hardware, Host OS, Hypervisor; virtual layer – three Virtual Machines, each with a Guest OS (macOS, Windows, Linux) and Applications]
Native Virtualization
• Citrix XenServer
• VMware ESX/ESXi Server
• Microsoft Hyper-V Server
• Proxmox VE
Native (Bare-metal) Virtualization Architecture
[Figure: physical layer – Hardware, Hypervisor (Native); virtual layer – three Virtual Machines, each with a Guest OS (macOS, Windows, Linux) and Applications]
What is a hypervisor?
A hypervisor, also called a virtual machine manager (VMM), is a program that allows multiple operating systems to share a single hardware host. Each operating system appears to have the host's processor, memory, and other resources all to itself. However, the hypervisor is actually controlling the host processor and resources, allocating what is needed to each operating system in turn and making sure that the guest operating systems (called virtual machines) cannot disrupt each other.
ESX & ESXi
ESX has a Service Console based on Red Hat Enterprise Linux 3 (Update 6) that is heavily modified and stripped down and is used for management purposes. During the boot process the Service Console bootstraps the VMkernel using initrd and then turns over full control of all hardware resources to the VMkernel. When the VMkernel takes over the hardware resources of the host, the Service Console is warm booted and managed as a privileged virtual machine within the VMkernel.
ESXi has no Linux Service Console: the hypervisor is loaded directly into memory at boot time and is managed locally through the DCUI/ESXi Shell or the Host Client web UI, and centrally through vCenter, a separate management server for multiple vSphere hosts. This is VMware’s current architecture (ESX was retired after vSphere 4.1). Because the general-purpose Linux management OS is gone, the hypervisor has a smaller attack surface and patch footprint, and offers better security, reliability and management than ESX.
Hyper-V
• Virtualization isolates critical applications
• Virtualization helps consolidate multiple physical servers into a single server
• Using a virtual machine increases the ease of backing up essential servers
• Updates or changes to an OS can be made on a virtual machine to test stability before being applied to a production machine
• Reduces the need for physical devices in educational environments
Hyper-V
Hyper-V Requirements (Windows Server 2008)
– 64-bit version of Windows Server 2008 Standard, Enterprise, or Datacenter Edition
– A server with a 64-bit processor with hardware-assisted virtualization (Intel VT-x or AMD-V) and hardware-enforced data execution prevention (Intel XD / AMD NX), both enabled in the BIOS
– Enough free memory and disk space to run the virtual machines and store the virtual hard disks; plan for a virtual machine to use roughly the memory and disk a physical machine doing the same work would
For Auditors – Important Controls
• For hosted virtualization, audit the underlying OS separately
• Documentation of the whole virtualization architecture, including the network, supported systems, management system, etc.
• Compare the implemented hypervisor configuration against organizational security policy
• Determine how patches, updates, and upgrades are managed
• Determine what services and features are enabled and whether they are needed
• Review account and resource provisioning and deprovisioning
• Review policy and procedure for provisioning and deprovisioning new hosts and VMs
• Evaluate the management of hardware capacity for the virtual environment
• Review how performance is managed and monitored (CPU, storage, memory, etc.)
• Review the backup policy and Business Continuity/Disaster Recovery plan and management
• Evaluate the security of remote hypervisor management
Polling Question #6
A hypervisor is a program which allows multiple operating systems to share a single hardware host.
a) True
b) False
[Figure: virtualization lifecycle – Analysis → Design → Implement → Manage → Continuous Optimization, with Project Management spanning all phases]
Analysis
• Discovery
• Scenario definition
• Strategy definition
• High-level design
• TCO/ROI analysis
Design
• Detailed design
• Implementation plan
Implement
• Build virtual infrastructure
• Test virtual infrastructure
• Move to production
Manage
• Maintain in operations
• Monitor
• Periodic review
Continuous Optimization
Project Management
Virtualization Hands-on – VirtualBox Installation
Prerequisite
• Verify that hardware virtualization (Intel VT-x / AMD-V) is enabled: in Task Manager, Performance tab, CPU, the “Virtualization” field should read Enabled
• Or run systeminfo and check the “Hyper-V Requirements” lines (“Virtualization Enabled In Firmware: Yes”); if a hypervisor such as Hyper-V is already running, systeminfo says so instead of listing them
• If it is disabled, enable it in the BIOS/UEFI setup
• Note: older VirtualBox releases could run 32-bit guests without hardware virtualization; VirtualBox 6.1 and later require it for all guests
Virtualization Hands-on, cont’d
• Go to virtualbox.org
• Click on the download button
• Supported host OS:
  – Windows
  – Linux
  – Mac
  – Solaris
Virtualization Hands-on, cont’d – Installing VirtualBox
• Double click the downloaded file
• Select the defaults and click Next
• Configure how to start VirtualBox and click Next
• Click Yes to acknowledge the network warning (the installer briefly resets the network connection while it installs its virtual network adapters)
• Click Install, then click Yes to the Windows verification (User Account Control) message; installation begins
• Check “Start Oracle VM VirtualBox….” and click Finish; if the checkbox was left cleared, double click the VirtualBox icon on the desktop
• Download the Extension Pack from https://www.virtualbox.org/wiki/Downloads
• Go to File -> Preferences -> Extensions -> Add new package, click the “+” sign, browse to the downloaded file and click Install
Note: The Extension Pack provides support for USB 2.0 and 3.0 devices, VirtualBox RDP, disk encryption, etc. Unlike the GPL base package it ships under Oracle’s Personal Use and Evaluation License, so commercial use needs a separate license, a point worth noting in an audit.
Host is installed.
Virtualization Hands-on – Creating a Guest VM
• Click the New button on the menu band at the top
• In the Name and operating system dialog screen:
  – Enter a name for the VM
  – Select a location for the VM file
  – Select the OS
  – Select the version of the OS
  – Click Next
• Select the disk file type and click Next
• Select how to manage storage and click Next
• Set the storage location and click Create
Note: The new VM is created and will show in the left panel. However, the guest operating system is not installed yet.
• Select the new VM
• Click Start to power on the VM
• Begin installing the guest OS
Virtualization – Proxmox VE Demo
• Open Source
• Linux based
• Uses a regular web interface to manage hosts
• Hosts can be clustered
• Storage can be shared across hosts
• Supports containers

Other Network Security Layers
Network Intrusion Detection
• Passive traffic interception – a copy of the traffic (mirror/SPAN port or tap) is sent to the NIDS; the normal path is not blocked
• Better performance / worse security: a sensor that only sees a copy cannot stop the packet, it can only alert after the fact
[Figure: Internet – Intranet, with a copy of the traffic mirrored to the NIDS]
NIDS vs. Firewalls
Actions:
– Firewalls: block or allow
– NIDS: alert administrator, log, block (intrusion prevention system)
Policies:
– Firewalls: ACL-style policy on (packet) attributes
– NIDS: attack signatures, statistical anomalies
NIDS challenges:
– Evasion
– False positives
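The two NIDS challenges on the slide, evasion and false positives, as an added example that is not part of the original slides: a signature matcher in Python run over constructed HTTP request lines with two constructed signatures. Without URL-decoding, an encoded directory traversal and an encoded SQL injection slip past the signatures; with decoding they are caught, but an innocent search that happens to say “select … from” is flagged too.

```python
"""Added example: signature matching over HTTP request lines, showing
evasion by encoding and the false positives that normalization brings.
Signatures and traffic are constructed for the demo."""
import re
from urllib.parse import unquote_plus

# Two deliberately simple signatures of the kind a NIDS rule would carry.
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./"),
    "sqli-select": re.compile(r"\bselect\s+.+\s+from\s+", re.IGNORECASE),
}

# Constructed request lines as a sensor on a mirror port would see them.
TRAFFIC = [
    "GET /index.html HTTP/1.1",
    "GET /../../etc/passwd HTTP/1.1",                              # plain traversal
    "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1",                      # URL-encoded traversal
    "GET /%252e%252e/etc/passwd HTTP/1.1",                         # double-encoded traversal
    "GET /search?q=select+the+best+wine+from+france HTTP/1.1",     # innocent search
    "GET /item?id=1+UNION+SELECT+password+FROM+users HTTP/1.1",    # SQL injection, '+' for spaces
]


def match_raw(payload: str) -> list:
    """Signatures that fire on the bytes exactly as they appear on the wire."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(payload))


def normalize(payload: str) -> str:
    """Decode %xx escapes and '+' as the web server will, twice to undo double
    encoding, and lowercase. This is what lets the sensor see what the server sees."""
    return unquote_plus(unquote_plus(payload)).lower()


def match_normalized(payload: str) -> list:
    return match_raw(normalize(payload))


def scan(traffic=TRAFFIC) -> dict:
    """Returns {request_line: (hits_on_raw_bytes, hits_after_normalization)}."""
    return {line: (match_raw(line), match_normalized(line)) for line in traffic}


if __name__ == "__main__":
    for line, (raw, norm) in scan().items():
        print(f"{line}\n    raw={raw or '-'}  normalized={norm or '-'}")
```

The encoded traversals and the injection are the evasion case: a matcher that does not decode the way the target does sees nothing. The wine search is the false-positive case: the same normalization that closes the gap makes a keyword signature fire on ordinary text, so the analyst tunes signatures (require a quote or comment token, restrict to parameters) and accepts that tuning trades some coverage for fewer alerts.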
Using Proxy Servers
• Prevent the outside world from gathering information about your internal network (outside hosts see only the proxy’s address)
• Provide valuable log information (who requested what, and when)
• Can redirect certain traffic, based on configuration
• Typically run on the firewall machine
• Protect against spoofing: the proxy terminates the outside connection and opens its own to the inside, so outside packets never reach internal hosts directly
Network Address Translation
[Figure: local network (e.g., home network) 10.0.0.0/24 with addresses 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4 behind a NAT router whose Internet-facing address is 138.76.29.7; rest of Internet on the other side]
• Datagrams with source or destination in this network have 10.0.0.0/24 addresses for source/destination (as usual)
• All datagrams leaving the local network have the same single source NAT IP address, 138.76.29.7, with different source port numbers
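The translation table behind the slide, as an added example that is not part of the original slides. The NAT address 138.76.29.7 and the 10.0.0.0/24 network are the slide’s; the outside servers, the inside hosts’ ports and the starting NAT port are constructed. Two inside hosts that happen to pick the same source port get distinct NAT ports, a reply is routed back by NAT port alone, and inbound datagrams with no mapping (or from a peer other than the one the mapping was created for) are dropped, which is the incidental filtering effect NAT has.

```python
"""Added example: a port-translating NAT (NAPT) table for the slide's topology.
The outside addresses and the starting NAT port are constructed."""
from itertools import count

NAT_IP = "138.76.29.7"   # the router's Internet-facing address from the slide


class Nat:
    def __init__(self, first_port: int = 5000) -> None:
        self._next_port = count(first_port)
        self.table = {}     # nat_port -> (local_ip, local_port, remote_ip, remote_port)
        self._by_flow = {}  # (local_ip, local_port, remote_ip, remote_port) -> nat_port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a datagram leaving the local network. Returns the translated
        (src_ip, src_port, dst_ip, dst_port) and records the mapping for replies."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self._by_flow:
            nat_port = next(self._next_port)      # one NAT port per inside flow
            self._by_flow[flow] = nat_port
            self.table[nat_port] = flow
        return (NAT_IP, self._by_flow[flow], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a datagram arriving from the Internet. Returns the translated
        4-tuple, or None when it must be dropped: with no mapping there is no
        inside host to deliver to, which is why unsolicited traffic never gets in."""
        if dst_ip != NAT_IP or dst_port not in self.table:
            return None
        local_ip, local_port, remote_ip, remote_port = self.table[dst_port]
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None   # address-and-port-restricted: only the contacted peer may reply
        return (src_ip, src_port, local_ip, local_port)


def run_scenario() -> dict:
    nat = Nat()
    out = {}
    # Two inside hosts choose the same source port toward the same server.
    out["host1_out"] = nat.outbound("10.0.0.1", 3345, "203.0.113.10", 80)
    out["host2_out"] = nat.outbound("10.0.0.2", 3345, "203.0.113.10", 80)
    # The server's reply is demultiplexed by NAT port, not by the inside port.
    out["reply_to_host2"] = nat.inbound("203.0.113.10", 80, NAT_IP, out["host2_out"][1])
    # Nobody inside asked for this: no mapping, dropped.
    out["unsolicited_rdp"] = nat.inbound("198.51.100.9", 40000, NAT_IP, 3389)
    # A third party tries to ride a live mapping: wrong peer, dropped.
    out["hijack_attempt"] = nat.inbound("198.51.100.9", 40000, NAT_IP, out["host1_out"][1])
    return out


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name:16s} {value}")
```

Real NATs also age mappings out and differ in how strict the inbound peer check is (full-cone NATs skip it), so NAT is a side effect to be aware of, not a substitute for the firewall policy discussed earlier.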