Download - Jwp Whitepaper Hoehl Khalil

7/23/2019 Jwp Whitepaper Hoehl Khalil

1/79

Implementing and AutomatingCritical Control 19: Secure Network

Engineeringfor

Next Generation Data Center Networks

STI Joint Written Project

Authors: Aron Warren, George Khalil, Michael Hoehl

Accepted:

AbstractThis document provides technical and best practice approaches to

implement and automate safeguards consistent with control 1,

!"ecure #etwor$ %ngineering&, of the "A#" Twent' (ritical "ecurit'(ontrols for %)ective ('ber *efense+ The scope is the secure design ofcuttingedge high speed -.Gb% networ$s designed to host /nternetfacing web and mobile applications+


2/79

"A#" 0W /mplementing and Automating (ritical (ontrol 12: "ecure #etwor$ %ngineering for#e3t Generation *ata (enter #etwor$s

4

1 Executi!e Summar"

People seem to want to treat computer security like it's rocket science or black magic. Infact, computer security is nothing but attention to detailandgood design.

Marcus J. anum

!e"t #eneration networks will ha$e to defend against many of the same threats

targeting today%s networks. Modern reconnaissance, disco$ery, and mapping approaches

are $ersatile and &ust as effecti$e at higher network speeds. he ma&or difference is the

speed of e"ploitation. (hereas today%s network may re)uire a few days to complete a

multi*gigabyte data theft attack, poorly designed !e"t #eneration + #igabyte -thernet

+#b-/ networks can facilitate this same e"ploit in &ust a few seconds. his condition

makes the re)uirement for secure network engineering $ital for !e"t #eneration

networks.

!etwork design is foundational to security controls. Incorporating safeguards at

this le$el is essential to pre$ent the circum$ention of higher le$el controls. he first and

most fundamental re)uirement is to build a multi*tiered network architecture. o

accomplish this, assets of similar $alue and function are segmented into encla$es.

0hokepoints are then created between each encla$e. his approach allows access,

detecti$e, and pre$enti$e controls to be implemented in a logical manner with rapid

response to suspected threats. 1urther, pro"ies can be introduced at each chokepoint that

further reduces the surface of attack.

he proposed !*iered architecture has two silos. he first silo contains the

segmented applications. -ncla$es for Internet 2ccess, 3345Pro"ies, 6P52PI 3er$ers,

(eb 2pplications, and 7ata are recommended. he second silo contains the

infrastructure ser$ices. -ncla$es for 0ustomer 2uthentication, !etwork 2pplications,

Management, and 898 connections are recommended in this silo.

:nce the !*iered network architecture is in place, additional controls are

implemented within each encla$e. 0ontrols include centrali;ed authentication, IP3,

!20, malware scanning, data leakage pre$ention, $ulnerability and patch management.

hese controls are tuned for each encla$e to optimi;e performance and effecti$eness.

"T/ 0oint Written ro5ect


3/79


6

-ncla$es are interconnected using a security fabric. 2 security fabric is created

by using a switching platform that pro$ides multiple security ser$ices across the

encla$es. he security fabric includes the familiar firewall capabilities. It also is

e"panded to pro$ide other security ser$ices including network IP35I73, web application

and database firewalling, in*line malware scanning, and load balancing. 8y combining

all these ser$ices within the security fabric, packets can be e"changed beyond +#bps

through backplane speeds of o$er 9.?ba in June 9@. In 9@9, only a

few $endors are offering products that support +#b- and adoption by enterprises has

been slow. 2 solution based on functional re)uirements and product a$ailability is

pro$ided in this paper. 2 8ill of Materials is included in 2ppendi" 8.

echnology is &ust one part of a triad of considerations. People and process are the

other core considerations for this paper%s proposed solution. 7ocumentation and

procedures are necessary to optimi;e the e"isting staff resources. 7ocumentation is

li$ing, with regular updates e"pected from re)uirements phase to asset retirement.

2utomation of processes is necessary at +#b-. 3e$eral approaches are proposed

including engaging Managed 3ecurity 3er$ice Pro$iders M33Ps/ who must be

e"perienced in +#b- or higher technologies.

here are se$eral benefits associated with this secure network engineering of ne"t

generation networks. hese include impro$ed security, increased design credibility,

better manageability, lower total costs, and faster response to threats. =ltimately,



4/79


-

adopting these design recommendations will pro$ide a solid foundation for safeguarding

infrastructure and data at the highest speeds a$ailable todayAand tomorrow.

# $ro%lem Description

#1 Introduction to SANS Critical Securit" Control 19

he 32!3 Institute, in collaboration with many other organi;ations, e"tracted

twenty critical technical security controls 32!3, 9@@/ from e$ision ? of the !I3

3pecial Publication >*


5/79


7

3pecifically mentioned in the control is the use of layered 7!3 ser$ice. his is

achie$ed by only allowing intranet 7!3 ser$ers to forward unanswerable )ueries to 7!3

ser$ers located in a 7MC. In turn the 7MC 7!3 ser$er is only allowed to forward

re)uests to the Internet.

o measure the success of the design, port and $ulnerability scanners are used to

determine $isibility of systems. If unauthori;ed systems are found or sensiti$e data

machines, such as database ser$ers, are located and publically $isible then the scoring of

the design takes a noticeable numerical hit.

## Critical Securit" Control 19 ImplementationC&allenges

(hen designing a secure network, a balance of security, performance and

accessibility must be achie$ed. 2 perfectly secure network would be air*gaped, with so

many controls in place that the functionality would border on unusable. hat design is

not what this paper stri$es to achie$e. (hen too many controls are put into place, the

performance of the network begins to become degraded. his paper%s ob&ecti$e is to

define a secure network approach to perform at + #bps -thernet +#b-/ throughput.

his meant some of the security controls had to be shifted to specific indi$idual de$ices

in order to ensure the necessary throughput. (hen single points of failure create too high

of a risk for loss of a$ailability, redundancy must then be considered. he design

presented here does not detail all of the possible redundancy options that could or should

be implemented but instead focuses on the theme of 0ritical 0ontrol @BAa design that

pre$ents a hacker from pi$oting through the network by minimi;ing attack points and

creating data chokepoints for analysis. !etwork design must incorporate security

controls early into the planning process rather than as an afterthought. 8y not building

security into the pro&ect early, higher and possibly une"pected/ implementation costs

might occur down the road.

#' Network C&allenges for Next Generation Networks

+#b- and @#b-, at the time of this writing, are still considered cutting edge

technologies with few $endors offering a product line specifically targeting +#b-. o

clarify, this paper focuses on +#b- in a single pipe as opposed to aggregation of +



6/79


2

separate @#b- pipes. -$en though switch $endors ha$e been offering +#b- backplane

speeds for se$eral years now, today the chokepoint or bottleneck impacting total

throughput is not with the switching fabric. he problem lies with the ability for the other

technologies, such as firewall, I73, IP3 and applications, to keep up with the sheer

$olume of data being thrown at it.

he le$el of uncertainty increases relati$e to speed too. 1or e"ample, in the past if

@D of traffic was missed on a @Mbps pipe, this only resulted in an actual uncertainty of

@Mbps. 6owe$er, this same @D is e)ui$alent to @Mbps of unanaly;ed traffic at @#b-

and +Mbps at +#b-. (ith an increase in speed, the scale of unanaly;ed traffic

uncertainty/ scales to an unacceptable le$el.

+#b- introduces human capital challenges as well. More traffic, and the associated

monitoring, will re)uire additional e"perienced staff to re$iew the alerts and e$ents that

will be created. he +#b- flows and technologies will also demand a higher skilled

staff. 2utomation will be critical if adding staff is not in the budget

1orensics analysis teams are only now beginning to ramp up for +#b-.

:rgani;ations must be careful not to get too far ahead of incident handling teams, law

enforcement, and assessment teams. In the e$ent these teams are not prepared to work

with the +#b- infrastructure, the enterprise may find work being done on production

systemsAor e$en worse, the production systems may get confiscated to conduct

in$estigations.

#( )rgani*ational c&allenges wit& (+G%E and NextGeneration Networks

1or this 3I Joint (ritten Pro&ect, a fictitious organi;ation was created and named

#I20 -nterprises. #I20 -nterprises is a small to medium si;ed growing business with

@, employees, two data centers, 9 people in central business and I, and is the

largest supplier of fortune cookie sayings in the world. #I20 -nterprises has recently

decided to implement a +#b- network to meet the demands of mobile apps that deli$er

fortunes. he 0I: has created a special tiger pro&ect team to handle this challenge. he

recommendations and scope of this paper are associated with this type of organi;ation



7/79


8

profile. 1urther, the business has asked that automation be considered where$er a$ailable

so that additional staffing is minimi;ed.

' ,unctional -e.uirements

2s with all pro&ects and designs, a clear understanding of business and technical

re)uirements is re)uired. 8ased upon the fictitious company #I20 -nterprises%

organi;ation profile, the following re)uirements were used to de$elop this paper%s

recommendations.

(ith +#b- networks, security cannot be bolted on as an afterthought. he

network design will not be successful if security is not included early in the re)uirements

and planning phases. 3ecure network engineering is only @ of 9 critical security

controlsAhowe$er it can be one of the most impactful. 1urther, there are no higher le$el

controls that can o$ercome a serious deficiency with lower le$el network controls.

(ithout proper network design and build practices, many of the other @B critical security

controls can be defeated or simply circum$ented.

'1 Documentation

3ecure network engineering begins with gathering documentationAnot creating

documentation. =nderstanding the specific business purposes/ of the new infrastructure,

risk appetite of the organi;ation, e"isting infrastructure, current data flows, planned

interfaces, financial constraints, corporate security policies, contractual e.g., P0I/ and

regulatory e.g., 3:E/ obligations are important first steps. #aps are typically disco$ered

during this first phase. 2 small in$estment of time here can result in big payoffs later in

the pro&ect.

0reating an accurate map of the current and intended network is necessary early on

in the pro&ect. 2 traditional network topology map is an e"cellent start howe$er this doesnot pro$ide the entire picture. 7ocumentation should also include all protocols running

through the network, data flows, chokepoints, asset lists including $alue/, access

controls, and system administration methods. Inter*system dependency should also be

documented. 1or e"ample, an IP host cannot talk to its peer o$er the network without

names resolution. 3e$eral of these documents are li$ing and change regularly. -stablish



8/79


9

a change management procedure for documents, as well as a means to properly secure the

documentation.

'# Data Center $&"sical Controls

!e"t, a data center site re$iew is in order. !etwork engineers will commonly

consider data center en$ironmental e.g., cooling, power, cable distribution, and rack

space/. 6owe$er, data center physical security controls must also be inspected and

planned for. 3ecure network engineering includes implementing proper physical

safeguards to protect the new infrastructure from unauthori;ed access, tampering, and

theft. -nsure appropriate data center facility entry controls are implemented to limit and

monitor physical access to systems and infrastructure. Fisitors must be easily

distinguished from authori;ed staff. Fisitor logs, which include all staff and $isitors,

building card access systems, and sur$eillance e)uipment must be implemented.

Physical security controls and logging are also re)uired for any remo$able media.

'' Encla!es

1ast, fat, and flat may seem like an ideal mantra for ne"t generation networks.

6owe$er, this design approach leads to operational and security risks. 4ack of

segmentation makes it difficult for the !:0 to monitor traffic flows for anomalies and

routing failures. 0ongestion management and a$oidance become challenging as well.

Inspection and troubleshooting 4ayer + through 4ayer G problems with con$entional

tools becomes almost impossible. 6igh $alue assets become mi"ed with different assets

that are not maintained, safeguarded, and monitored with the same le$el of rigor. he

surface of attack then becomes large and these low $alue assets might become pi$ot

points of attack.

oday%s ad$anced web and mobile applications are tiered in architecture. his

pro$ides another credible argument for separation of hosts into communities or encla$es.

2n encla$e allows for easy grouping of assets of similar functionality or $alue. rust

boundaries can be created making it easier to assign responsibilities and establish

accountabilities. 0hokepoints can be introduced between the encla$es to prioriti;e

network flows, inspect traffic, and perform forensics. he chokepoints can also be used



9/79


to limit access to the hosts and their associated applications. he use of encla$es is

mandatory.

2dditionally encla$es make audit and compliance reporting easier for organi;ations.

-$erything does not ha$e to be in scope for inspection by an auditor or compliance

assessor. If the infrastructure contains hosts of $arious data classifications then

separation can pro$ide financial benefits as well. (hen all hosts are present on a flat

network, security controls that are re)uired for compliance e.g., P0I 733 9./ may need

to be applied to all hosts within the segment. his may end up being e"tremely costly.

2s a minimum design standard,the following encla$es are re)uiredH

Figure 3.3: Enclave Overview

he silo of encla$es on the left of 1igure ?.? is for the !*ier 2pplications. he

Internet 2ccess -ncla$e ser$es as the entry point into the infrastructure from the Internet.

his encla$e contains the Internet access pro$ider e)uipment including routers and

switches. 2 dedicated, standalone firewall separates the untrusted Internet access



10/79


1.

pro$ider network from the trusted customer premises e)uipment. he 3345Pro"y

-ncla$e ser$ices as the peering point for 334 encryption of mobile and browser de$ices.

0ustomers are challenged for authentication from this encla$e. 2dditionally pro"ies are

to be hosted within this encla$e. he 6P52PI -ncla$e, (eb 2pplication -ncla$e, and

7ata -ncla$e are re)uired to host the e)ui$alent !*ier application function.

he silo of encla$es on the right of 1igure ?.? is for Infrastructure 2pplications.

he 0ustomer 2uth -ncla$e contains the credential stores for customer authentication

and authori;ation. he !etwork 2pp -ncla$e contains ser$ices like 7!3, !P,

27I=3, 3I-M, and tape back*up. he 898 -ncla$e is essentially a landing beach for

business partners to securely communicate with systems within the other encla$es. he

Management -ncla$e contains the &ump bo"es for remote administration and support.

1urther technical elaboration is pro$ided in the section +, Secure Network Engineering

Practices for Next Generation Networks.

'( ,irewalls and Securit" Applications

1irewalls are used to interconnect the encla$es. he firewalls must be configured

to perform stateful inspection of network traffic. 2 standalone firewall is also re)uired

for the Internet 2ccess -ncla$e. 2 separate standalone firewall is re)uired to connect the

!*ier to the -nterprise 0ore. 2 security fabric is recommended to interconnect the !*ier 2pplication -ncla$es. In addition to the con$entional firewall functionality, the

security fabric includes integrated security applications. hese security applications are

integrated into a high*speed


11/79


11

etc./ do not star$e resources that are customer facing. 1or e"ample, data that needs to be

e"ported, transformed, and loaded routinely may create a sustained high utili;ation on the

+#b- network. his will consume switch, firewall, and network interface card

utili;ation. 2 separate firewall for this purpose helps reduce the risk of appreciable

performance impact on interacti$e customer transactions. 2 firewall policy manager is

re)uired to optimi;e policies and firewall rules. 2 tool for monitoring of flows through

firewall is also re)uired to ensure state table o$erflow does not occur. his last function

might be a$ailable as part of the firewall element manager.

'/ Internet Access

he network design must support multiple Internet 3er$ice Pro$iders and

di$ersity. he purpose of this re)uirement is primarily for a$ailability. 2lso, the design

must incorporate integration between at least two data centers. he purpose of this

re)uirement is to synchroni;e data between en$ironments P:7*P:7 and P:7*

=2/. 7isaster reco$ery plans must be de$eloped and scripted procedures implemented

prior to the infrastructure being made generally a$ailable.

'0 DNS

/nternal *#" must be designed in a hierarchical manner+ "ecure

7!3 ser$ers are re)uired within the !etwork 2pplication -ncla$e. hese 7!3 ser$ers

are intended for hosts within the !*ier 2pplication and Infrastructure -ncla$es only.

hese 7!3 ser$ers must point to trusted 7!3 ser$ers within the -nterprise 0ore. he

-nterprise 0ore 7!3 ser$ers then connect to authoritati$e ser$ers on the Internet. 7!3

ser$ers within the !etwork 2pplication -ncla$e as well as all 7!3 clients within the

other encla$es are not permitted direct Internet access for names resolution. 1or )ueries

of e"ternal domains, the !etwork 2pplication -ncla$e 7!3 ser$ers must perform

recursi$e lookups through the -nterprise 0ore 7!3 ser$ers. Cone transfers in5out of the

!etwork 2pplication -ncla$e are not permitted. 2 managed ser$ice pro$ider must host

and protect the domain used by customers to access the ser$ices offered by #I20

-nterprises. 0ustomer )ueries of the e"ternal domain are not to be resol$ed by the 7!3

ser$ers within the !etwork 2pp -ncla$e.



12/79


14

' S"stem and Infrastructure 2ardening

3ystem and infrastructure hardening is re)uired. 8enchmarks from 32!3, 0I3,

or similar authoritati$e source must be adopted as part of standard system build process.

Ferification of build standards must be done prior to commissioning the system.

2utomation of security control $erification and recurring configuration inspection must

be implemented. Procedures should follow an authoritati$e standard e.g., !I3 3pecial

Publication >*@9> #uide for 3ecurity*1ocused 0onfiguration Management of

Information 3ystems/. 4astly, formal certification and accreditation procedures for

systems must be created and integrated into change management.

'3 Configuration and C&ange 4anagement

2utomated file*integrity monitoring also known as change*detection software/ is

re)uired to track network and security component alterations. hese tools must alert staff

to unauthori;ed modification of critical system files, configuration files, or content files.

ecurring configuration comparisons must be performed to ensure integrity of

applications, systems, and infrastructure. 2ll detected configuration changes with

material impact must be reconciled to 0hange Management tickets.

'9 5irtual Ser!er and 6lade Ser!er 4anagement

Firtual switching is inherent to hyper$isor platforms. 0are must be taken when

implementing 4ayer ? $irtual switch capabilities. !etwork based security controls e.g.,

firewalls, !IP3, etc./ are not to be circum$ented using these $irtual switches. !etflow or

similar technology must be included in the solution to baseline traffic patterns and to

identify communication anomalies between $irtual clients. 1lows associated with $irtual

ser$ers and blade ser$ers are to be inspected in the same manner physical hosts would be.

runking is not permitted to ensure >9.@) tagging e"ploits are not successful. 3eparate

!I0s on the hyper$isor and blade ser$er chassis must be used for each encla$e. !et1low

or a similar technology must be included in the solution to baseline traffic patterns and to

identify communication anomalies between $irtual clients.



13/79


16

'1+ 5ulnera%ilit" and 7&reat 4anagement

Fulnerability scanning and penetration testing must be performed routinely.

3canning and testing must be performed using sources originating from the Internet as

well as from within each encla$e. his pro$ides insight into the initial surface of attack

as well as pi$ot weaknesses.

:nce the $ulnerabilities are identified through scanning or $endor notification,

remediation is re)uired. 2n operational framework is re)uired that deli$ers patch and

non*patch remediation in a timely manner. 0onsider an approach based on !I3 3pecial

Publication >*+ Fersion 9. 0reating a Patch and Fulnerability Management Program.

eal*time threat analysis must be performed using IP3s, in*line malware and

spyware scanning. 6ost Intrusion Pre$ention 3ystems 6IP3/ are highly recommendedfor seasonal companies that cannot patch systems promptly throughout the year.

3easonal free;es e.g., 0hinese !ew ear/ may re)uire systems to go unaltered for

months, pre$enting implementation of patch and non*patch remediation within ? days.

2 6IP3 can help ser$e as a bridge during these free;es. 2dditional IP3s are

recommended including (eb 2pplication 1irewalls (21/ and 7atabase 2cti$ity

Monitoring 72M/. 1or +#b- ne"t generation networks, (21 and 72M ser$ices are

becoming $ital for detecting higher le$el attacks that may be deluded among the millions

of e$ents and alerts that are being reported by the systems.

'11 8og 4anagement

hreat monitoring with actionable intelligence is a prere)uisite for rapid response.

2 3ecurity Information and -$ent Management 3I-M/ system is re)uired to gather,

process, correlate, alert, and archi$e security e$ents. -$ents from I73s e.g., replay

attacks, fragmentation attacks, buffer o$erflow attacks, etc./, firewalls e.g., 7o3 attacks,

port errors, dropped packets/, 334 e.g., 7o3 attacks, certificate errors, session drop/,

re$erse*pro"ies e.g., dictionary logon attacks, cached content change, etc./, and file

integrity monitoring can collecti$ely o$erwhelm the 3:0 staff without automation.

esiliency depends on a clear understanding of operational and security threats. If

the log sources are not properly configured, then the 3I-M and 3:0 cannot be effecti$e.

4og and e$ent sources for 3I-M include operating systems, applications, databases,



14/79


1-

network, and security components. 3ecure !etwork -ngineering includes the proper

configuration of these components to generate the necessary e$ents that dri$e incident

response. 1urther, the log sources and files must be safeguarded from unauthori;ed

$iewing and alteration while in transit, if possible, and while in storage. 4ogs must be

sent to a centrali;ed 3I-M to protect the integrity of e$ent data. 2 log source

configuration standard based on P0I e)uirement B or !I3 3pecial Publication >*B9

#uide to 0omputer 3ecurity 4og Management is re)uired.

'1# Asset 4anagement

2n asset management or 0M78 is re)uired to track assets and configuration

information in a secure manner. his information should be $erified routinely using

automated tools that scan the network and fingerprint assets. 2ssets must be scanned for

data classification as well. 3canners must incorporate algorithms to identify restricted

data e.g., 4uhn Mod*@ method for identifying and $alidating credit card primary

account numbers/.

ogue de$ice detection must be performed routinely. 7ata center physical security

controls should be the primary pre$enti$e control to pre$ent unauthori;ed de$ices from

connecting to the network. ogue de$ice detection should be used to $erify that the

physical controls are effecti$e. he automation for asset disco$ery and restricted datascanning may be used for disco$ering rogue de$ices.

'1' Access 4anagement

2uthentication, 2uthori;ation, and 2uditing 222/ systems for customers must be

separate from system administrators. 6igh 2uthority accounts used by 782s, firewall

administrators, network engineers, system administrators, and $endors must be located in

a separate encla$e from customer accounts. !o trust is to be established between the

-nterprise 0ore, 6igh 2uthority, and 0ustomer credential systems.

emote administration is made a$ailable from the Management -ncla$e. 8usiness

partners, manufacturer support staff, outsourced staff, managed ser$ice pro$iders, and the

I staff must all use &ump bo"es to gain access into the applications, systems, and

infrastructure. Products that may be considered for the &ump bo" function include



15/79


17

Microsoft erminal 3er$er, 0itri", and FM(are. Multi*factor authentication is re)uired

for access onto these &ump bo"es. 1urther, remote administrators must ha$e their

computer scanned to $erify basic security controls are in place and working properly.

!etwork 2ccess 0ontrol !20/ products are to be implemented to check the status of

malware pre$ention, personal firewall, patches, and $ulnerabilities on administrator

computers prior to re$ealing the &ump bo"es.

'1( $erformance 4anagement

3!MP, M:!, and !et1low are common tools for network engineers to perform

performance monitoring and capacity planning. hese protocols must be properly

secured. Fendor defaults e.g., 3!MP community string public/ are not permitted.

3!MP $? is re)uired. (hen a$ailable, authentication and encryption controls must be

incorporated into performance management design.

'1/ ,orensic 4anagement

3upport for forensic analysis and network monitoring :ut*of*band is re)uired.

!etwork taps or in*line :3I 4ayer @ network monitoring de$ices are acceptable. hese

de$ices are to be transparently connected so that they do not introduce performance

degradation. 3P2! or similar technology features are not to be used on +#b-

components. In addition, the integration of the network monitoring de$ices must be in a

manner that does not allow circum$ention of network based security controls e.g.,

firewalls/. 7edicated network monitoring systems for each encla$e would pro$ide the

necessary boundary to pre$ent this e"ploit.

'10 Ser!ice 4anagement

(here there is a business ad$antage, consider the use of managed ser$ice pro$iders

as an alternati$e to additional staffing. :pportunities include domain hosting, managed

PI, firewall5IP35I7352F management, security operations center ser$ices, computer

security incident handling, $ulnerability scanning and penetration testing. 3ome of these

same ser$ices are a$ailable as a cloud computing offering. his option might be

desirable for reducing capital and e"pense commitments. his allows the limited I staff

to focus on business communications and solutions by reducing the demands of daily



16/79


12

security operations. his also pro$ides an elastic bench of resources for the busy seasons

and rapid business growth.

( Secure Network Engineering $ractices for NextGeneration Networks

8efore authoring this paper, the 3I team approached $endors, consultants, and early

adopters of +#b- to share their e"pertise and lessons learned. his research

incorporates their feedback. 0urrent benchmarks and standards were also re$iewed for

applicability to +#b-. 3ection + presents risk considerations, remediation strategies,

technical approaches, design recommendations, and references to best practices for

secure network engineering of a +#b- infrastructure intended to host web and mobile

applications.

(1 Design and 6uild 7ec&nical Approac& for NextGeneration Networks

1igure +.@ $isually depicts a high*le$el network architecture o$er$iew with multiple

encla$es that host an Internet facing mobile or web application.

Figure 4.1: ig!"#evel Network $rc!itecture Overview



17/79


18

wo ma&or groups of encla$es are recommended. he silo of encla$es on the left of1igure +.@ and labeled !*ier 2pp -ncla$es contain the web and mobile applications.

-ach function of the application is isolated into a separate encla$e. his silo of encla$es

is connected by a customer facing firewall 2/ and infrastructure firewall 8/. 3eparate

firewalls are used substantially for performance and capacity planning in a +#b-

networkAnot security. 2s new +#b- firewalls arri$e on the market, a single multi*port

firewall to interconnect all !*ier 2pplication -ncla$es could be considered with proper

capacity planning. 2ccess is cascading between encla$es through the firewall so that any

encla$e can only connect to ad&acent encla$es within the !*ier 2pplication -ncla$e silo.

he Infrastructure -ncla$es contain network applications and access controls necessary

for all !*ier 2pplication -ncla$es. his includes account authentication and

authori;ation, in addition to common network applications e.g., 7!3, tape back*up,

3!MP, patching, etc./. 2dministrators of the systems and applications within the !*ier



18/79


19

2pplication -ncla$e must pass through the Management -ncla$e. he 898 -ncla$e is

for -7I, -4, and $endor partner connections e.g., M33P/. he -nterprise 0ore access

into this new infrastructure is restricted using a dedicated firewalls/ 7/ and Internet

access into the !*ier 2pplication -ncla$e if also restricted using a dedicated firewalls/

0/.

:nce the network has incorporated proper security controls, the architect must

consider the operational impact of +#b- speed. 2utomation becomes a critical

consideration as the $elocity of data increases many orders of magnitude. (ith speed

comes an increase in the number of flows, e$ents, and triggers. Procedural controls that

were successful with slower speed networks may get o$errun at higher speeds. 1or

e"ample, swapping current firewalls with new firewalls containing faster +#b-

interfaces has a cascading effect. he firewall may be able to handle the new packet

$olumeAhowe$er the 3:0, 3I-M and associated firewall administration tools may go

into a meltdown. 3ecurity controls, automation, and capacity planning must go hand*in*

hand.

(# Internet Access Encla!e

his first encla$e within the !*ier 2pplication silo is where the mobile and web

applications are re$ealed to the Internet. Multiple Internet access pro$iders may beterminated here to pro$ide di$ersity and redundancy.

Figure 4.% &nternet $ccess Enclave



19/79


1

(#1 -isk Considerations and -emediation Strategies

his is the first location where customer and attacker are being identified and

separated. his encla$e contains the highest le$el of uncertainty because the untrusted

network and trusted network are both present. Internet sourced mapping and scripted

attacks use this as their primary point of entry. Intrusion detection and pre$ention

de$ices are necessary to safeguard the infrastructure as well as to e"amine the e$ol$ing

ta"onomy of Internet based attacks. Probes and brute force authentication attacks

targeting infrastructure de$ices at this layer are common. Poorly designed networks will

unintentionally allow enumeration of network accounts in 27I=3520203 or

275472P credential store.

-thernet switches in general are by design o$ersubscribed sum of physical interface

speed e"ceeds switch backplane speed/ and can be o$erwhelmed by sustained traffic



20/79


4.

$olume from metro networks. 2 standalone firewall and switch are recommended for this

encla$e for the abo$e mentioned performance reason as well as security benefits.

(## 7ec&nical Approac& and Design -ecommendations

he Internet 2ccess -ncla$e is the first layer into the network. edundancy, high

a$ailability and resource isolation is critical to maintain stable and secure access to

customers. o offer redundancy, Internet access should be pro$ided by multiple I3P%s,

for di$ersity, using different paths and peering partners. his approach will pro$ide high

a$ailability in the e$ent of an I3P outage, upstream pro$ider failure, or network

e)uipment failure. Multiple I3P%s will allow traffic engineering, load balancing and

pro$ide an alternate connection in the e$ent of a 7o3 attack.

-ach connection from the Internet access%s pro$iders should be terminated into a

router supporting +#b- interfaces running 8#P using a pri$ate 23 number. his

pro$ides IP mobility across separate I3P%s and allows for future transitions between

carriers. Internet facing interfaces must pre$ent any leakage of internal routes, topology

broadcasts or redistribution, and e"plicitly pre$ent e"ternal management of the routers.

1or traffic engineering, multiple high a$ailability instances can be created to allow a path

across both I3P%s concurrently.

2ny peering relationship e.g., routing protocols, FP!, 27I=3, etc./ must bemutually authenticated prior to making a trusted connection. his control will help defeat

attack sources mas)uerading as a trusted peer. Integrity checking must also be in place to

defeat man*in*the*middle attacks.

he Internet access routers connect into a high speed +#b- switch which pro$ides

a common media for high a$ailability and fail*o$er capabilities. !etwork taps pro$ide

inspection points for Internet traffic. 3witch 3P2! features are not recommended.

2 firewall connects the aforementioned switch to the !*ier 2pplication silo. his

perimeter firewall must be a standalone de$ice with large processing power capable of

handling legitimate traffic and potential attacks simultaneously. he standalone firewall

is intended to ser$e as a buffer between the Internet 2ccess -ncla$e and the remaining

encla$es within the !*ier 2pplication silo. his approach pre$ents resource e"haustion

attacks that target the Internet facing firewall. -"ternal management and non*public



21/79


41

information e"posure must be disabled on the outside interfaces. he firewall should

point to the 6igh 2$ailability IP address of the perimeter routers based on the traffic

engineering designs. 2ccess 0ontrol 4ists 204s/ should be created with permit

statements that match security policy and align with business re)uirements. his

approach applies to both inbound and outbound traffic. 204s must end with an e"plicit

deny with logging enabled for dropped connections. 4ogging of denied packets pro$ides

$aluable insight including common attack $ectors, ta"onomy, and firewall administrator

204 change errors. his data is also $aluable for effecti$e data and e$ent correlation

across all network and security de$ices. 4ogging of the permitted traffic is a commonly

accepted practice. 7ata leakage considerations should include network related

information e.g., internal IP addresses, routing tables, etc./. I0MP should be disabled to

defeat reconnaissance efforts by attackers. 1urther, I0MP should be filtered to pre$ent

smurf attacks and using the network as a reflection or amplification point.

1low data should be enabled on all de$ices that support it e.g., 0isco @9>@K router/.

his network data is $ery useful to the security team with +#b- networks to identify

baseline changes, detect threats, and perform e$ent correlation. his same data is

$aluable to an attacker when mapping the network. 3afe network engineering practices

must be considered early on so that flow data is not e"filtrated or altered.

here are multiple options to forward traffic on to the ne"t encla$e 33452PI/. he

first option and most traditional is !etwork 2ddress ranslation !2/. !2 is only

recommended at the perimeter within the Internet 2ccess encla$e. his is re)uired to

translate from the 2I! IP address space to a 10 @B@> pri$ate IP address space. 1or

the other encla$es, 10@B@> addresses are used e.g., @...5>, @B9.@K>..5@K, and

@[email protected]@9/ and routing is performed. outing is recommended because there is less

)ueue delay associated with deep packet inspection and less chance of errors than with

!2 tra$ersal. he router protocol must be secure, ensuring that routes cannot be

maliciously manipulated or deleted. ecommended security controls include router

authentication and integrity checking. Modern firewalls support routing protocols with

associated security settings. he router protocol should ha$e established boundaries.

outing tables are not to be redistributed from -nterprise or Internet peers. oute

summari;ation or static routes must be used.



22/79


44

2ll network de$ices must ha$e a common authoritati$e time source !P/. his

pro$ides credibility for logging and data correlation.

(#' Industr" 6est $ractices and Aut&oritati!e Sources for Securit"

Controls

7ynamic routing protocols, such as 8#P, are generally preferred on border and edge

routers due to the ability of the router to propagate route changes more efficiently and

rapidly than by an operator entering the routes statically. 8#P has e"isted for a long time

and been thoroughly tested throughout the world. :ne of the benefits of dynamic routing

protocols is they offer route in&ection protection such as 4 $erification and

authentication of peers see 2ppendi" 2.9/. 6a$ing independent 23 numbers on the

border routers pro$ide fle"ibility to ad$ertise routes to different I3Ps for failo$er or

attack remediation strategies see 2ppendi" 2.9/.

outing black holes should be implemented on the routers and firewall and

automated where a$ailable. outers must already ha$e the 204s or maps in place to

perform this traffic filtering. his is needed to minimi;e the amount of time needed to

create the black hole and apply it. 2utomation is achie$ed when a black hole route is

in&ected on one router and $ia a dynamic routing protocol is distributed to the other

routers see 2ppendi" 2.B.?/.8lack hole routes are used to pre$ent traffic from crossing network segments. 1or

e"ample, a black hole route implemented on the border router might be used to pre$ent a

7o3 attack. 2nother e"ample might be to pre$ent the further e"filtration of data. If the

destination network is known, implementing traffic drops across the entire network can

be done )uickly and efficiently.

7eployment of Infrastructure 204s i204s/ is e"pected on border routers see

2ppendi" 2.?/. i204s permit management and control traffic to the infrastructure

switches and routers while pre$enting attack traffic directed at the infrastructure de$ices.

ypically i204s focus on source and destination IP addresses as well as 4ayer + ports

and protocols. 2ntispoofing 204s e"plicitly permit traffic based on authori;ed source

IP addresses only. 2ny traffic sourced from outside the e"plicitly permitted IP address

range is dropped 3chudel L 3mith, 9>, Interface 204 echni)ues, para. ?/ such as



23/79


46

pri$ate network address leakage, Martians and bogons. ransit 204s t204s/ e"plicitly

permit only re)uired and authori;ed traffic to transit the IP network 3chudel L 3mith,

9>, Interface 204 echni)ues, para. ?/. 204s typically don%t filter IP addresses

but are used more on packet types such as IP header options, IP fragments or protocols

such as routing protocols.

Many general router hardening practices such as IP :ptions selecti$e dropping and

disabling of IP 3ource outing must be deployed on the router see 2ppendi" 2.B.< and

2.B.G respecti$ely/. =nused features or ser$ices must be turned off on routers and

switches. 3uch ser$ices include dhcp, bootp and !P timeser$ing see 2ppendi" 2.>/.

he additional 0P= a$ailability, created by remo$al of unused ser$ices, allows more

fle"ibility to a$oid 0P= resource e"haustion.

4ogin banners are to be implemented on e$ery de$ice in the network to pro$ide a

$etted legal notice to anyone using the de$ice as to the le$el of pri$acy and the legal

issues associated with accessing the de$ices. !either physical location data nor network

architecture information should be found on any switches, routers or firewalls see

2ppendi" 2.B.@/.

Implement 2P inspection on routers to pre$ent malicious frame redirection or

M20 table poisoning. 2nother method a$ailable is to hard code static M20 addresses

for the most critical de$ices see 2ppendi" 2.?/.

7isable, if possible, or do not use F42! @, the default F42! for some $endors.

F42! @ is not to be re$ealed to any of the encla$es. 1urther, the management F42!

must only be re$ealed to the Management encla$e. his eliminates the switch interface

from being a possible target of attack.

2 firewall located after the border router pro$ides the ne"t depth and breadth layer

of defense 3chudel L 3mith, 9>, Principles of 7efense in 7epth and 8readth, para.

@/. (here implementation of traffic controls might o$erwhelm the border router, those

controls are transferred to the firewall. !ot only are the same 2ntispoofing 204s, i204s

and t204s found on the border routers implemented here, but more fine grained 204s

are implemented on the firewall, too. 2doption of an e"plicit deny rule is preferred here

to allow only authori;ed ports and protocols through as determined by the firewall

security plan see 2ppendi" 2.+/.



24/79


4-

uality of 3er$ice o3/ is used to ensure that control and management traffic are

guaranteed passage when the routers and switches are o$erwhelmed with normal data

traffic see 2ppendi" 2.@


25/79


47

(' SS8$rox" Encla!e

334 accelerators and re$erse pro"y ser$ers are present in this encla$e. hese ser$e

multiple purposesAthe most common being to off*load encryption processing o$erhead

from 6P ser$ers. If logging is re)uired, customers are challenged at this encla$e for a

name and password.

Figure 4.3 SS#'Prox( Enclave

('1 -isk Considerations and -emediation Strategies

Man*in*the*middle, session high*&acking, 0ross*site 3cripting E33/, and denial of

ser$ice 7o3/ attacks are )uite pre$alent today. In some cases these attacks are effecti$e

because of poor network design. In other cases these attacks are effecti$e because too

much surface is re$ealed to the Internet, lea$ing systems $ulnerable to attack because of

product defect and configuration errors. 3ecure network engineering must include an



26/79


42

approach that reduces the surface of attack and optimi;es performance. 3pecialty

products like pro"ies and 334 accelerators are hosted in this encla$e to defeat brute force

authentication attacks and resource e"haustion attacks targeting 6P and 2PI 3er$ers.

If logon is re)uired, challenging for customer account authentication is done from

this encla$e. 4ogon at this point within the infrastructure is necessary to disguise the

comple"ity and potential $ulnerability/ of authentication ser$ers deeper within the

infrastructure. he actual customer credential store account name, passwords,

passphrase, account number, attributes, etc./ is not to be hosted within this encla$e. he

334 accelerator or pro"y will reach out to the authentication ser$ers for credential

$erification. his design approach is necessary to defeat direct attacks against the

authentication ser$er platform e.g., 7o3, buffer o$erflow, etc./ that could result in

circum$enting authentication controls.

If 334 is used for mobile de$ice or browser access which is recommended/, this

encla$e re$eals the Internet sourced data in the clear for the first time. 3ecurity controls

that safeguard confidentiality must be balanced with controls to inspect for attacks and

errors. eep in mind that encryption without inspection may disguise e"filtration

occurring within the !*ier 2pplication -ncla$es. 1urther, throughput of a +#b-

network can )uickly decline when traffic is repeatedly encrypted and unencrypted.

Pro"y and re$erse pro"y ser$ers can be used to cache content. hese platforms

might be used as a springboard of attack. 0ached contend that is not properly

safeguarded can result in unintentional data leakage. 1urther, malicious alteration of

cache content could allow client side attacks.

('# 7ec&nical Approac& and Design -ecommendations

he 3345Pro"y encla$e consists of an 334 offloading engine that will accept

inbound +#b- 334 traffic from mobile app customers and decrypt it. 334 poses certain

challenges for security de$ice inspection as packets tra$erse the network in an encrypted

form. =tili;ing an 334 offloading appliance pro$ides the enterprise with the following

ad$antagesH

Inspection of unencrypted traffic as it tra$erses other encla$es.

-limination of 334 processing on ser$ers



27/79


48

Implementation of an application layer firewall. 3e$eral 334 accelerator products

re$iewed pro$ide additional application firewall or 4ayer G inspection capability.

raffic from the Internet 2ccess -ncla$e must pass through a firewall before being

passed into the 33452PI -ncla$e. =nlike the Internet facing firewall, this firewall that

interconnects the Internet 2ccess and 3345Pro"y -ncla$es does not ha$e to be a

standalone appliance. 2 more sophisticated de$ice can be considered that ser$es the

secure interconnect needs between the remaining !*ier 2pplication -ncla$es. he

proposed de$ice contains shared security ser$ices that are applied to the switching fabric.

2 security fabric is created by using a shared platform that pro$ides multiple

security ser$ices across the encla$es. he security fabric must include firewall

capabilities but also can be e"panded to pro$ide other security ser$ices including networkIP35I73, web application and database firewalling, in*line malware scanning, and load

balancing. 8y combining all these ser$ices within the security fabric, customers can take

ad$antage of backplane speeds of o$er


28/79


49

he same F42! protections mentioned in the Internet 2ccess -ncla$e apply here

as well with the addition of disabling trunking on access layer ports see 2ppendi" 2.9?/.

his encla$e continues the design practice of separation of ser$ices and

classification. -ach de$ice or ser$ice in the encla$e offers similar ser$ices or has data

classified at the same le$el. his separation pro$ides protection from the pre$ious less

trusted encla$e while also allowing the uniform inspection of data between the encla$es.

3ince only one type of data is passing between the different encla$es the traffic

inspection can be narrowed and made $ery specific. his also pro$ides measurable

optimi;ation of performance for firewalls and IP3s at +#b- speeds.

(( 277$A$I Encla!e

his part of the !*ier 2pplication -ncla$es contains the 6P 3er$ers and 2PI3er$ers.

Figure 4.4 ))P'$P& Enclave



29/79


4

((1 -isk Considerations and -emediation Strategies

he aforementioned encla$es contain function specific de$ices e.g., firewall, IP3,

334 2ccelerator, etc./ that are in many cases appliances and proprietary. his encla$e

most likely will introduce multi*function capable hosts based on common enterprise

operating systems e.g., ed 6at -nterprise 4inu", Microsoft (indows 3er$er, I8M 2IE,

etc./. 6ardening, configuration management and file integrity monitoring will be

re)uired. he network design must permit the associated automated tools into this

encla$e to routinely update, inspect and report. elease management and change

management practices become $ital as the hosts within this encla$e will be updated

fre)uently e.g., code updates, software releases, content changes, etc./. 1urther,

automated update of security controls must be incorporated e.g., patching, web

application firewalls and 6IP3 signature updates, malware detection databases, etc./.

8lade ser$er and $irtual ser$er integration is now a ma&or design consideration for

this encla$e. Port aggregation is commonly considered during the design phase. his

pro$ides higher bandwidth as well as fault tolerance between blade ser$er chassis or

hyper$isor/ and ethernet switch. 0areful consideration is re)uired if cable taps,

inspection de$ices e.g., IP35I73/ and forensic analysis de$ices are to be integrated. 1ore"ample, if the blade ser$er chassis and ethernet switch are interconnected using + " @

#bps to get an aggregate of + #bps, there may not be a way to introduce a tap or IP3 in*

line.

Firtuali;ation and blade ser$ers may introduce new flows in which traffic ne$er

passes a physical switch. 2s an e"ample, consider two Microsoft (indows 3er$ers

running II3 as guests on FM(are -3E. If clustered, the (indows 3er$ers would be able

to intercommunicate without inspection by a network intrusion pre$ention system

appliance. his would make detection of a pi$ot attack more difficult. 3ome switch

$endors like 0isco and -"treme !etworks are introducing $irtual switches with features

to o$ercome this issue. 3P2! may help in some conditions, howe$er this feature is

typically the first sacrificed when the switch approaches ma"imum utili;ation.



30/79


6.

0ommon I ser$ice acti$ities will result in large $olumes of data mo$ement e$en

though 6P 3er$er content is static. ape backup mo$es a substantial amount of data

daily. 0reating snapshots of FMs prior to software upgrades is a common practice. (ith

342s of BB.


31/79


61

2nomaly detection at the 6P layer is critical to monitor abnormal =4 access,

fre)uency and $olume. 1rom the +#b- network prospecti$e, !et1low5s1low data is

crucial at all layers to monitor abnormal spikes between specific hosts and destination.

his pro$ides non*signature based analysis in the e$ent that our other layers of security

fail as well as pro$ide us insight into attacks that do not fit our normal traffic beha$ior. 2

correlation engine is re)uired to process the $arious sources of data to detect anomalies

e.g., 6P ser$er logs, IP3 logs, !et1low5s1low logs, etc./

6ost based monitoring is another critical layer of protection to identify attacks and

traffic from the host and application prospecti$e. he network will see the traffic but

might not ha$e full understanding of how each application will handle the $arious types

of anomalies that is being directed towards it. 4ayering security implementation is

recommended as through the 9 critical controls and specifically critical control number

@B.

(ith a limited number of systems, the understanding of data flow is the foundation

to creating access lists limiting source and destination traffic between the 334 encla$e

and the 6P encla$e mo$ing to the (eb 2pplications -ncla$e. 204%s are applied on the

firewall limiting communications to trusted hosts between the encla$es while dropping

and logging any other non*authori;ed traffic.

((' Industr" 6est $ractices and Aut&oritati!e Sources for Securit"

Controls

3e$eral of the security controls mentioned in ?.9.? apply to this encla$e as well.

3pecifically, the guidance pro$ided with routing, hardening, o3, 204s, firewalls, 222,

patch and $ulnerability management, and remote management apply to this encla$e.

he network design makes use of $irtuali;ation and blade ser$ers. FMs should be

separated by different trust le$els, asset $alues, or data classification. his would be

achie$ed by running FMs of the same trust le$el on the same bo" and using a separate

hyper$isor on a separate machine to host FMs of a different trust le$el. FMs should also

be pre$ented from accidentally being migrated from one trust le$el to another trust le$el.

3ecuring the hyper$isor is another hardening techni)ue and can be implemented by using



32/79


64

multi*factor authentication, separation of roles and pri$ileges, and disabling or remo$ing

unused ser$ices on the hyper$isor 3ee 2ppendi" 2.9G/.

6yper$isors also introduce their own network switches. 2 thorough understanding

of how the switch is implemented to pre$ent unintentional misconfigurations or breaches

of trust le$els. hese $irtual switches are also capable of using F42! trunking and as

such the same considerations presented abo$e regarding trunking apply here as well 3ee

2ppendi" 2.9G/.

If F42! trunking is used then usage of an authentication method is highly

recommended. Ports should ha$e a default configuration of not allowing trunking so that

manual configuration is re)uired as a safety precaution. 2utomatic F42! propagation,

if necessary, must also be contained to propagate F42!s within similar security ;ones

3ee 2ppendi" 2.99/.

(/ e% Application Encla!e

his encla$e contains the web application ser$ers and 2PI ser$ers. In addition, load

balancers, web application firewalls, and web application intrusion pre$ention systems

may be present.

Figure 4.* +e, $--lication Enclave



33/79


66

(/1 -isk Considerations and -emediation Strategieshis encla$e has many of the same risks as the aforementioned 6P52PI 3er$er

-ncla$e including multi*function hosts, $irtuali;ation, blade ser$ers, common I

ser$ices, and -thernet port re)uirements. 1urther, this encla$e is a $ery dynamic

en$ironment operationally. It is also the most comple". he hosts within this encla$e are

a hub for combining content and data from a $ariety of sources. here are many leads

and feeds to consider for this encla$e including enterprise ser$ice buses, message

ser$ices, databases, warehouses, 3:2 gateways, EM4 accelerators, and legacy gateways.

8ecause of this, accurate documentation and comprehensi$e data mapping are critical for

this encla$e.

Managing this encla$e%s 204s for firewalls, routers, and switches can be a daunting

task for engineers. 2n unintended configuration error might re$eal $ulnerabilities and

new targets of attack. In addition to the firewall administration tools pro$ided by firewall



34/79


6-

manufacturers, consider the use of firewall policy managers. hese products integrate

with multiple firewalls from multiple manufacturers. In addition to the routine policy

updating, they also include policy optimi;ation. 2 poorly written 204 has one of the

biggest impacts on firewall performance.

Many different types of I administrators must access this encla$e including

database administrator, system administrators, middleware administrators, application

administrators and the occasional de$eloper. 7irect access into this encla$e is a

common re)uest, howe$er this is a poor approach. 2ccess must be pro"ied through the

Management -ncla$e to ensure access controls are enforced and acti$ity can be tracked.

3ecurity integration into 3740 is also $ital. -arly adoption of security best practices will

reduce the likelihood of unplanned application problems that result in network security

controls being temporarily rela"ed to troubleshoot production problems.

(/# 7ec&nical Approac& and Design -ecommendations

Many organi;ations must consider hosting multiple web application standards that

reside within this encla$e. 2s an e"ample, the ma&ority of new web applications may be

built on I8M (ebsphere, howe$er a legacy web application based on Microsoft (indows

.!et may ha$e to remain around for a few more years. 2 design decision is re)uired to

create duplicate web application encla$es or introduce further segmentation within theencla$e.

1or architects considering further security to isolate disparate standards within the

encla$e, there are a few options. 2 common option considered is to implement IP3ec

-3P on the hosts. his pro$ides mutual authentication and encryption. 6owe$er, legacy

systems many not ha$e a practical IP3ec solution or the processing o$erhead is materially

impactful to application performance. 3ome switch manufacturers offer Pri$ate F42!s

in which the -thernet switch limits inter*port con$ersation to within the same F42!.

his can be effecti$e, howe$er load balancing and clustering can be a challenge to

integrate. 2 new standard I--- >9.@ae is being adopted by some +#b- switch

manufacturers. In this case the switch itself performs the encryption of framesAthere is

no supplicant re)uired on the host for authentication and no client needed for encryption.

erberos snooping, 447P, or 7!3 are used by the switch to determine the host type.



35/79


67

he switch can automatically assign the encryption and segmentation settings or the

switch administrator can set this manually.

2pplication firewalls are common within this encla$e. 2lso known as layer G

firewalls or (eb 2pplication 1irewalls (21/, they safeguard web applications from the

most common forms of attack. he difference between these firewalls and the traditional

network firewall is they ha$e conte"t intelligence. 2 (21 can recogni;e attacks

targeting web application weaknesses including configuration errors, parameter

manipulation, coding errors, buffer o$erflows, and known web application defects in a

way IP3 and traditional firewalls cannot. 1or e"ample, Imper$a offers a product

3ecure3phere which pro$ides protection against the :(23P op en attacks, including

34 in&ection, E33 and 031. 3e$eral other commercial and open source solutions are

a$ailable. EM4 firewalls, 3:2 firewalls, and 6P firewalls may be of interest. hese

application firewalls can be installed as agents on the ser$er, in*line -thernet, 3P2!, or in

some cases as a cloud*based ser$ice. (ith +#b- speed, any help applying intelligence

to raw e$ents must be considered.

(/' Industr" 6est $ractices and Aut&oritati!e Sources for Securit"

Controls

3e$eral of the security controls mentioned in ?.9.? apply to this encla$e as well.


patch $ulnerability management, and remote management apply to this encla$e.

(0 Data Encla!e

his encla$e may contain traditional databases e.g., Microsoft 34 3er$er, :racle,

My34, etc./ as well as a number of other data sources including enterprise ser$ice

buses, message ser$ices, databases, warehouses, 3:2 gateways, EM4 accelerators, and

legacy gateways.

Figure 4. /ata Enclave



36/79


62

(01 -isk Considerations and -emediation Strategies-nterprises might consider dissol$ing this encla$e, opting to access data within the

-nterprise 0ore -ncla$e directly. 0oncerns about data synchroni;ation and the cost of

redundant data stores may make this seem an attracti$e design approach. -"panding the

use of database technology in place within the -nterprise 0ore might be tempting to

consider. apid growth in customer demand may accelerate capacity demands and

re)uire an unplanned upgrade of e"isting enterprise data ser$ices impacting internal and

e"ternal customers. 1urther, segmentation within the core may not be sufficient to create

boundaries for compliance and audit. his may draw the entire enterprise into scope for

compliance e$aluation and control implementation.

:perationally, there are potential problems using data sources within the -nterprise

0ore. 1or e"ample, two phase commit and record le$el locks become difficult to e"ecute.

here are many hidden costs and risks associated using data resources residing within the



37/79


68

-nterprise 0ore. 2 thorough in$estigation into all design options for is strongly

recommended. 0reating this encla$e is highly recommended.

2s with the (eb 2pplication -ncla$e, documentation and data mapping are critical

for this encla$e. Policies should also be documented including data retention and data

destruction. hese policies may dri$e archi$ing and transfers impactful to the network

capacity.

he pattern of traffic for this encla$e will be high $olume, large payload transfers.

7atabase -4 -"port*ransform*4oad/ and -7I -lectronic 7ata Interchange/ will

cause bulk transfersApossibly while customers transactions are occurring. he benefits

of a separate customer facing firewall and infrastructure firewall are best demonstrated

with this encla$e when running at +#b- speeds.

here are a number of attacks targeting database ser$ers that a con$entional I73

will not detect. 7atabase intrusion pre$ention systems also known as database acti$ity

monitors/ are becoming increasingly popular. hey pro$ide conte"tual knowledge of

database protocols and structures that is used to detect database attacks. hese products

can be placed in*line, installed as an agent, assigned to a 3P2! port, or connected to a

tap.

(0# 7ec&nical Approac& and Design -ecommendationshere are a $ariety of data sources that might be placed within or re$ealed through

this encla$e. 7atabase ser$ers are commonly staged within this part of the network. 7ay

one the database is empty. here must be an approach defined for getting data in and out

of the database ser$er to ensure the data remains rele$ant. -4 is a common way to get

this data. 6owe$er this creates a challenge for real*time data. -4s are typically done

once or twice a day, so customers that demand data with )uick e"piration will not be

satisfied. 1or e"ample, if the web or mobile application is to pro$ide logistic information

e.g., (here is my shipment of fortune cookies and when will it arri$eO/, then -4

simply won%t work. In some cases the data may not be on*premise. 2 898 connection or

-7I ser$ice is re)uired. In some cases the data is not entirely from the enterpriseAbut

instead a collection of information from enterprise, business partners and $endors. his



38/79


69

encla$e is where these data feeds are intended to land before being re$ealed to the (eb

2pplication -ncla$e.

!etwork engineering for this encla$e must include the secure transport of data.

0onfidentiality is important, but so is authentication and integrity checking. #arbage

tra$eling at + #bps is still garbage.

If for some business reason the data cannot reside within the 7ata -ncla$e, then

consider alternati$es like database gateways e.g., 34, EM4, 789, etc./, an enterprise

ser$ice bus e.g., ibco/, or message ser$ice e.g. I8M M 3eries/ for the encla$e.

(0' Industr" 6est $ractices and Aut&oritati!e Sources for Securit"

Controls

3pecifically, the guidance pro$ided with routing, hardening, o3, 204s, firewalls,

222, patch and $ulnerability management, and remote management apply to this

encla$e.

In this encla$e we scope in our monitoring to continuous analysis of all database

traffic to detect unauthori;ed or anomalous acti$ities. his can be done in*line on the

network or a copy of the database transactions can be offloaded to another de$ice for

analysis. 8aselining is another important step that will assist in the identification of

normal $ersus malicious transactions see 2ppendi" 2.9>/.

( Customer Aut&entication and Aut&ori*ation Encla!e

his encla$e contains the credential store for customer accounts. 2uthentication,

authori;ation, and auditing of customer account acti$ity are performed here. his

encla$e does not contain the credential store for -nterprise 0ore accounts nor

infrastructure i.e., firewalls, routers, switches, etc./ accounts. 0ustomer data is not

stored hereA&ust the account information necessary to access the applications re$ealed to

the Internet.

Figure 4.0 usto2er $ut! Enclave



39/79


6

(1 -isk Considerations and -emediation Strategiese)uiring customer authentication pro$ides se$eral business opportunities for the

enterprise. (ebsite personali;ation, order processing, fulfillment tracking, logistics,

loyalty programs, and promotions can all be integrated with the website customer

credentials. Internal business systems like -P may ha$e to integrate with this customer

credential store, too. he business may re)uire many touch points to this credential store.

his might unintentionally create a large surface for attack. 3egmenting customer

authentication and authori;ation data is $ital to protect confidentiality and integrity. his

encla$e is intended to pre$ent customer account har$esting and pi$ot attacks deeper into

the enterprise infrastructure. 4astly, breach notification is e"pensi$e and can ha$e a

material impact on enterprise reputation.



40/79


-.

his encla$e is generally re$ealed to all !*ier 2pplication -ncla$es, so secure

network engineering is critical for this encla$e. :nce this encla$e is compromised,

attackers will attempt to circum$ent firewalls between the !*ier 2pplication -ncla$es.

(# 7ec&nical Approac& and Design -ecommendations

his is not the location where system administrators, 782s, and network engineers

store their accounts to manage the infrastructure. his encla$e and associated ser$ices

are not intended for the -nterprise 0ore. here should be no trust established to

enterprise credential stores or directories.

2 dedicated solution to host customer credentials is placed within this encla$e.

3e$eral options are a$ailable including 27I=3, 472P, Microsoft 27, i$oli Identity

and 2ccess Manager, and others. Identity and 2ccess 3er$ices I2M/ systems, federated

ser$ices, and single sign*on ser$ices may also reside within this encla$e.

2utomation for I2M will become critical as the number of customers increase.

0ustomer self*registration and self*password reset should be considered. okens for

passing credentials to 6P, (eb 2pplication, and 7ata encla$es will also be created

here. Mutual authentication between hosts within in this encla$e and other encla$es is

re)uired prior to customer credential or token e"change.

(' Industr" 6est $ractices and Aut&oritati!e Sources for Securit"

Controls

3e$eral of the security controls mentioned in ?.9.? apply to this encla$e, too.


patch and $ulnerability management, remote management, and !2 apply to this

encla$e.

(3 Network Application Encla!e

raditional network applications and ser$ices reside in or are re$ealed by/ this

encla$e. his includes tape back*up, 7!3, 3I-M, !P, 1ile Integrity Monitoring,

27I=3, 20203, administrator authentication ser$ers, M1, release management,



41/79


-1

application performance monitoring, network performance monitoring

3!MP5M:!5!et1low/, transaction auditors, and forensic analysis tools.

Figure 4. Network $-- Enclave

(31 -isk Considerations and -emediation Strategies

he largest fraction of firewall 204s are associated with this encla$e. his part of

the network offers the greatest opportunity for firewall policy and rule optimi;ationAor

the greatest source of inefficiency and firewall performance hit. 1or e"ample, @

network ser$ices 7!3, !P, 27I=3, etc./ presented from this encla$e to the other

encla$es would result in at least G 204s G encla$es " @ network ser$ices G

204s/. (ith redundancy of hosts and ser$ices, this could possibly translate into @,

2ccess 0ontrol -ntriesQ 2s with the (eb 2pplication -ncla$e, consider 1irewall Policy

Managers 1PM/.



42/79


-4

In addition to 204 optimi;ation on the firewall, network engineers must consider

the number of flows passing through the firewall. hough a firewall may ha$e a new

+#b- interface that is + times faster than con$entional @#b- interface firewalls, the

state table buffer may not be the same order of magnitude larger. (ith +#b-, firewalls

might be o$erwhelmed with stateful flow management long before the physical -thernet

interface is saturated. his may result in une"pected outcomes including session loss

through the firewall. (orse, this may result in a buffer o$erflow state in the firewall

resulting in a failed closed condition that passes traffic that should be denied.

3ystem, database, application, middleware and firewall administrators all store their

accounts in 27I=3 or similar authentication system within this encla$e. 0entrali;ed

authentication of high authority accounts is re)uired for this entire infrastructure.

7istributed account management is not practical and in some cases not compliant/. 2

27I=3 or similar ser$ice for administrati$e accounts should be placed within this

encla$e. his will also pro$ide a con$enient method of centrali;ed management of

authentication controls e.g., password comple"ity, rotation, etc./. Insider threats should

be strongly considered when designing this encla$e.

he $elocity of traffic for +#b- networks is $ery high, making management a

challenge. his encla$e creates e$en more comple"ity because of the high $olume

combined with small packets. 3ecurity Information and -$ent Management 3I-M/

automation is critical for processing and correlation is necessary. -$ents from I73 e.g.,

replay attacks, fragmentation attacks, buffer o$erflow attacks, etc./, firewall e.g., 7o3

attacks, port errors, dropped packets/, 334 e.g., 7o3 attacks, certificate errors, session

drop/, re$erse*pro"y e.g., dictionary logon attacks, cached content change, etc./, and file

integrity monitoring can collecti$ely o$erwhelm the 3:0 staff and 3I-M platform

without proper planning.

(3# 7ec&nical Approac& and Design -ecommendations

2ll network application ser$ers that ser$e the !*ier 2pplication encla$e silo

reside within this encla$e. !etwork applications ser$ing the -nterprise 0ore do not

reside within this encla$e. !etwork applications include 7!3, 4ogging, !P,

management, monitoring, patch and release management, and 3I-M. hese ser$ices are



43/79


-6

securely re$ealed into the remaining !*ier 2pplication encla$es using the

aforementioned i204s.

wo Public ey Infrastructures PIs/ are introduced within the encla$e. he first

is for customer authentication of the ser$ices offered

www.giacenterprisescooolmobileapp.com/. he second is for non*console

administrati$e access to infrastructure components including 334 accelerators, firewalls,

IP35I73, re$erse*pro"ies, and load balancers. PI and certificate mismanagement at this

layer can impact customer trust e"piration and signing errors/ and security control

integrity. In addition to PI, 7!3 is offered from this encla$e. his is necessary for

intersystem communication without embedding IP addresses e.g., 334 accelerator needs

7!3 to find 6P ser$er IP addresses/. Mobile de$ice and web browser names

resolution of www.giacenterprisescoolmobileapp.com is pro$ided separately from this

infrastructure. Managed security pro$iders or cloud hosted ser$ices e.g., 3ymantec,

-ntrust, etc./ are recommended for automation and administration to minimi;e the need

for additional internal resources to maintain these ser$ices securely.

7!3 ser$ers within this encla$e point to trusted 7!3 3er$ers within the -nterprise

0ore. 1or )ueries of e"ternal domains, the !etwork 2pplication -ncla$e 7!3 ser$ers

perform recursi$e lookups through the -nterprise 0ore 7!3 ser$ers. 6osts within the !*

ier 2pplication -ncla$es are not permitted to )uery untrusted, e"ternal 7!3 ser$ers

directly.

1unctional isolation will result in a large number of ser$ers within this encla$e.

3er$ers residing in the network applications encla$e connect to a high port density switch

with a high speed backplane. In addition, port aggregation may be re)uired to link

multiple chassis together. 0apacity and Performance Monitoring are $ital for this encla$e

as network application performance problems could manifest as application performance

problems. hrough the security fabric the traffic is inspected and filtered real*time e.g.,

firewall, IP3 and inline 2F, etc./ before going to its destination encla$e and final system.

2 network monitoring switch is re)uired between the high speed -thernet switch

and security fabric. he network monitoring switch pro$ides an inline tap to capture and

monitor traffic without effecting enterprise ser$ices or ha$ing to schedule downtime



44/79


--

when the need arises. he network monitoring can then forward frames to a $ariety of

de$ices including I73, forensic analysis, and data leakage analysis.

1or managing the $irtual en$ironment, networking becomes a challenge at +#b-.

Managing $irtual network switching in addition to guest 0P= and memory demands/

can ha$e a material impact on performance of the host system. (hen the network is

$irtuali;ed at this speed, the host must allocate more resources to $irtual switching and

star$es guest resources. 3e$eral $endors are approaching this issue with $ery different

solutions. 3ome are offering $irtual switching in which a separate host is pro$iding the

resources for switching. :thers ha$e taken an approach of eliminating the $irtual

switching with de$ice dri$ers and redirecting $irtual switching to actual switching with

e"ternal physical switches. his last approach presents a problem when there are only a

limited number of physical ports supporting +#b-. 2s the cost per port drops, adoption

of the last approach may grow. 4astly, these new solutions pro$ide 3P2! ports, network

:3 and 204 control down to the FM le$el.

Fisibility into network traffic flows in the $irtual en$ironment can be a challenge.

he monitoring controls e.g., !et1low5s1low5&1low/ present in the physical switching

en$ironment must be made a$ailable within the $irtual en$ironment. his is $ital for

performance monitoring as well as security and anomaly detection. In some cases, the

switch $endor offers an option for $irtual en$ironments e.g., 0isco !e"us @F/. 2

switch $endor agnostic alternati$e should also be considered e.g., 4ancope 3tealth(atch

1low3ensorF-/.

!P 3er$ers reside within this encla$e. ime synchroni;ation is necessary for

system clocks, session management, and key management. 6ost time settings must also

be safeguarded from unauthori;ed change. 1or credible security e$ent management, an

authoritati$e clock source is re)uired e.g., P0I 733 e)uirement @/.

2ll administrati$e non*console access to network applications must be encrypted.

334 or 336 are to be used with ciphers at least @9> bit. (hen a$ailable, mutual

authentication between &ump bo"es in the Management -ncla$e and hosts within this

encla$e must be implemented.

0entrali;ed infrastructure account management is performed within this encla$e.

his ser$ice is not to be integrated with the customer or -nterprise 0ore authentication



45/79


-7

solutions. 2 27I=3 or 20203 ser$er is recommended. 27 integration can be

consideredAhowe$er there may not be any integration with the -nterprise 0ore 27.

ey rotation between authentication ser$er and infrastructure components must be

performed at least yearly. 4ogging of authentication and access is re)uired and retention

policies would apply.

4ogging of e$ents is re)uired. hese e$ents must be re$iewed daily or automation

must be implemented. 3e$eral categories of e$ents would be gathered including

component failures, port errors, threshold e"ceeded, and security controls defeated.

0entrali;ed logging is necessary for I administrators as well as for security staff for

which the solution would reside within this encla$e. 4ogged e$ents from the other

encla$es make their way here for centrali;ed analysis. he approach and solutions

implemented here of data aggregation and analysis by the monitoring group are outside