
Problem examples

All these examples are real cases

1. A trainee sniffs the network and gets all mailbox passwords
2. A subcontractor shuts down all 300 WNT servers with a denial of service (DoS) attack
3. Employees go on strike after looking at their colleagues' benefits on the web site of a subsidiary in another country
4. Someone hacked the bank wire transfers on a corporate database server
5. A cooperative partner on the development of version N of a product steals the specifications of version N+1 of the product from hundreds of application servers
Solution

What folks might suggest initially

- A trainee sniffs the network and gets all mailbox passwords
  1. Move to a fully switched network to avoid network sniffing
- A subcontractor shuts down all 300 WNT servers with a DoS
  2. Secure your WNT servers, upgrade WNT, apply hot-fixes
- Employees look at the web site of a subsidiary in another country
  3. Add user authentication and access control on the company web servers (100+) and those of the subsidiaries (30+)
- Someone hacked the bank wire transfers
  4. Cut off the connection from the internal network to the database server (it remains connected to the bank)
- A cooperative partner steals the specifications of version N+1
  5. Add stronger user access security at the operating system layer on all servers

What the analysis shows:

- A trainee sniffs the network and gets all mailbox passwords
  1. The trainee doesn't need access to the mail server
- A subcontractor shuts down all 300 WNT servers with a DoS
  2. The subcontractor needed access to only 6 WNT servers to perform his job
- Employees look at the web site of a subsidiary in another country
  3. Employees of one country didn't need access to the other countries' subsidiaries' web servers
- Someone hacked the bank wire transfers
  4. Nobody needed to be able to connect from the place where the hacker was to the database server
- A cooperative partner steals the specifications of version N+1
  5. The cooperative partner should not have access to that part of the database
Class

- IP addresses can be
  - Domain(s)
  - Class(es)
- Class
  - Grouping of IP addresses, groups of sources or destinations
  - Within a domain
  - Across domains
  - Network, sub-network, ranges, lists
  - Static or dynamic
- A Group is the grouping of users
- A Set is the grouping of protocols or services
Does network partitioning satisfy everyone?

- Network partitioning makes network managers & the NOC (Network Operations Center) unhappy in most cases
  - They don't want filters on network devices
  - They don't want to worry about security
  - They are afraid of the move to user-based security at the network layer
- Network managers & the NOC must adapt
  - They must support QoS, flow selection, access-lists
  - QoS ACLs are much more complex than just allow/deny
- Network managers & the NOC already know ACLs
  - Routing ACLs
  - Existing IP filtering
Domain

- A domain is a piece of the network
  - Set of sub-networks
  - LAN(s) or WAN(s)
  - Virtual network (VLAN)
  - Host(s)
  - Mostly static
- The policy is enforced between domains
- There is no policy enforcement within a domain
Future of network partitioning

- X.509 certificates to replace IP addresses for device & host identification & authentication
  - The same as in IPsec
- User-based access control
  - Filter based on user X.509 certificates
  - Using HTTP AAA
  - Recall: in existing network devices this happens at the network layer
- How user-based filtering works
  - The first network device that a host tries to cross authenticates the user
  - The network device applies the user profile
  - The user only sees a virtual network with the specific hosts and services he needs access to
Network partitioning & Intrusion Detection Systems

- IP filtering is proactive security, intrusion detection is responsive security
- Several intrusion detection methods
  - Network-based IDS
  - Host-based IDS
  - Application-based IDS
- Host-based & application-based IDS
  - As difficult to deploy as proactive host-based security
- Network-based IDS
  - Useful for application layer signature detection
  - Moving from hosts into network devices
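The slide pairs proactive filtering with responsive detection. One cheap way to get the responsive side from the SPEPs themselves is to watch their deny logs: a host that is denied towards many different servers in a short time (the subcontractor reaching for 300 servers when his job needed 6) shows up as a fan-out of denies from one source. The block below is an added example, not code from the page or from any product it mentions; the key=value log format and the addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample SPEP log lines (not a real device format): one record per
# filtered datagram, with the decision and the flow's endpoints.
SAMPLE_LOG = """\
2000-03-01T10:00:01 spep=rtr-core action=deny src=10.1.5.20 dst=10.2.0.7 proto=tcp dport=139
2000-03-01T10:00:01 spep=rtr-core action=deny src=10.1.5.20 dst=10.2.0.8 proto=tcp dport=139
2000-03-01T10:00:02 spep=rtr-core action=deny src=10.1.5.20 dst=10.2.0.9 proto=tcp dport=139
2000-03-01T10:00:02 spep=rtr-core action=deny src=10.1.5.20 dst=10.2.0.10 proto=tcp dport=139
2000-03-01T10:00:03 spep=rtr-core action=deny src=10.1.5.20 dst=10.2.0.11 proto=tcp dport=139
2000-03-01T10:00:03 spep=rtr-core action=deny src=10.1.5.20 dst=10.2.0.12 proto=tcp dport=139
2000-03-01T10:00:04 spep=rtr-core action=permit src=10.1.5.20 dst=10.2.0.5 proto=tcp dport=139
2000-03-01T10:00:05 spep=rtr-core action=deny src=10.1.7.3 dst=10.2.0.7 proto=tcp dport=445
2000-03-01T10:00:06 spep=rtr-core action=permit src=10.1.7.3 dst=10.2.0.7 proto=tcp dport=25
this is not a log line
"""

# A record is a timestamp followed by whitespace-separated key=value tokens.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line):
    """Parse one record into a dict; return None for lines that are not records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for tok in m.group("kv").split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val
    # Without these three fields the line cannot be attributed to a flow.
    if not all(k in rec for k in ("action", "src", "dst")):
        return None
    return rec


def find_sweeps(lines, min_targets=5):
    """Return sources denied towards at least min_targets distinct destinations.

    Only 'deny' records count: permitted flows are policy-conformant by
    definition, so a fan-out of denies is what signals a host probing beyond
    the domains it is allowed to reach.
    """
    targets = defaultdict(set)
    ports = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "deny":
            continue
        targets[rec["src"]].add(rec["dst"])
        ports[rec["src"]].add(rec.get("dport", "?"))
    return {
        src: {"targets": sorted(dsts), "ports": sorted(ports[src])}
        for src, dsts in targets.items()
        if len(dsts) >= min_targets
    }


if __name__ == "__main__":
    for src, info in find_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: denied towards {len(info['targets'])} hosts on ports {info['ports']}")
```

The threshold is the tuning knob: set it from what the policy says a source domain legitimately needs, so that an alert means "this host tried to cross a domain boundary the policy never opened", which is exactly the condition the analysis slide found in the real cases.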
Limitations of network partitioning

- IP address based
  - Why trust IP addresses?
  - LAN security is needed
  - DHCP
  - Binding IP addresses to MAC (Ethernet) addresses
- Becomes complex in large environments
  - Meshed networks with large numbers of filtering devices
  - When business needs require the set-up of many VLANs
  - Definition is too complex when many entities have exchanges
    - Many branches with different flows between them
    - Templates can't be used
  - Need for local policy definition within a hierarchical policy definition
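Because the filters decide on IP addresses, the slide's answer to "why trust IP addresses?" is to bind each address to the Ethernet address it was leased or assigned to, and to check the LAN against that binding. The following added example (not from the page or any product on it) does that check: it takes a constructed binding table and constructed "ip mac" observations such as an ARP monitor would collect, and reports an address nobody was bound to, an address used by the wrong MAC, and one MAC that answers for several addresses.

```python
import re
from collections import defaultdict

# Constructed binding table: address -> MAC it was leased or statically assigned to.
BINDINGS = {
    "10.1.5.20": "00:50:56:aa:bb:01",
    "10.1.5.21": "00:50:56:aa:bb:02",
    "10.1.5.22": "00:50:56:aa:bb:03",
}

# Constructed observations of ARP replies on the LAN, one "ip mac" pair per line.
OBSERVED = """\
10.1.5.20 00:50:56:aa:bb:01
10.1.5.21 00:50:56:AA:BB:02
10.1.5.22 00:50:56:aa:bb:99
10.1.5.20 00:50:56:aa:bb:99
10.1.5.40 00:50:56:aa:bb:04
garbage line
"""

PAIR_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s*$", re.I
)


def parse_observations(text):
    """Return (ip, mac) pairs, MACs normalised to lower case; skip malformed lines."""
    pairs = []
    for line in text.splitlines():
        m = PAIR_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs


def check_bindings(bindings, observed):
    """Compare observed (ip, mac) pairs with the binding table.

    Each finding is (address, mac, reason). Three conditions are reported:
    an address with no binding at all, an address used by a MAC other than
    the bound one, and one MAC claiming more than one address.
    """
    expected = {ip: mac.lower() for ip, mac in bindings.items()}
    ips_by_mac = defaultdict(set)
    findings = []
    for ip, mac in observed:
        ips_by_mac[mac].add(ip)
        if ip not in expected:
            findings.append((ip, mac, "unbound address"))
        elif expected[ip] != mac:
            findings.append((ip, mac, f"binding mismatch, expected {expected[ip]}"))
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append((",".join(sorted(ips)), mac, "one MAC claims several addresses"))
    return findings


if __name__ == "__main__":
    for ip, mac, reason in check_bindings(BINDINGS, parse_observations(OBSERVED)):
        print(f"{ip:<22} {mac}  {reason}")
```

Run against a live table the same logic becomes the "LAN security" the slide asks for: the partitioning policy keeps trusting addresses, but an address that stops matching its binding is caught before the filters act on it.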
Application layer controls

- Network partitioning applies security at the network layer with IP filtering
- IP filtering can go up to application layer controls
  - Within the same session with cut-through proxies
  - Many existing filtering devices use application proxies when necessary
- Application layer controls you may find
  - Commands within a protocol
    - GET vs PUT in FTP
    - Database SELECT in SQL*Net
    - Field size in SMTP
  - Data type
    - Word document, Java mobile code, ActiveX mobile code
  - Content filtering
    - Hidden mobile code: JavaScript in HTML, macros in Word, Excel, etc.
    - XML Signature
    - Virus detection
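The three kinds of control listed above (protocol commands, field size, data type) are what a cut-through proxy checks once the network-layer filter has let the session through. The added example below is not code from the page or from any product it names; it shows the decision logic a proxy would apply. Note that "GET vs PUT" are client-side names: on the wire the FTP verbs are RETR (download) and STOR (upload), so the profile is written in terms of verbs. The SMTP limit is the 512-octet command line length of the SMTP standard, and the data-type check uses the well-known leading bytes of Windows executables, Java class files and legacy OLE (Word/Excel) containers; the profile name and policy sets are assumptions for the example.

```python
# Protocol command control: which FTP verbs a "download only" session profile
# may use. Anything not listed (STOR, DELE, RNTO, SITE, ...) is refused.
FTP_PROFILES = {
    "download_only": {
        "USER", "PASS", "PWD", "CWD", "TYPE", "PASV", "PORT",
        "LIST", "NLST", "SIZE", "RETR", "QUIT",
    },
}

# Field size control: SMTP limits a command line to 512 octets including CRLF.
SMTP_MAX_LINE = 512

# Data type control: leading bytes that identify the payload's container.
MAGIC = [
    (b"MZ", "pe_executable"),                    # Windows EXE/DLL, e.g. an ActiveX control
    (b"\xca\xfe\xba\xbe", "java_class"),         # Java class file (also Mach-O fat binaries)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole_document"),  # legacy Word/Excel container
    (b"PK\x03\x04", "zip_container"),            # ZIP, also Office 2007+ documents
]
BLOCKED_TYPES = {"pe_executable", "java_class"}  # mobile code is refused


def filter_ftp_command(line, profile="download_only"):
    """Return (allowed, reason) for one FTP control-channel command line."""
    verb = line.strip().split(" ", 1)[0].upper()
    if verb in FTP_PROFILES[profile]:
        return True, f"{verb} permitted"
    return False, f"{verb} not in profile {profile}"


def check_smtp_line(line, limit=SMTP_MAX_LINE):
    """Return (within_limit, octets) for one SMTP command line, CRLF included."""
    raw = line if line.endswith("\r\n") else line + "\r\n"
    octets = len(raw.encode("utf-8"))
    return octets <= limit, octets


def classify_payload(data):
    """Name the container type from its leading bytes, 'unknown' if none match."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def content_decision(data):
    """Return (allowed, type) for a transferred payload under BLOCKED_TYPES."""
    kind = classify_payload(data)
    return kind not in BLOCKED_TYPES, kind


if __name__ == "__main__":
    print(filter_ftp_command("RETR report.doc"))
    print(filter_ftp_command("STOR upload.exe"))
    print(check_smtp_line("MAIL FROM:<" + "a" * 600 + ">"))
    print(content_decision(b"MZ\x90\x00\x03"))
```

A real proxy applies these in order along the session: the verb check on every control line, the size check before the line is parsed further, and the type check on the first bytes of each data connection, so that an oversized field or a disallowed container is dropped before it reaches the server behind the domain boundary.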
Performance issues associated with network partitioning

- IP filtering performance is still an issue today
  - Low-cost network devices, low performance, minimum amount of memory
  - Poor IP filtering capabilities on low-end routers
  - Poor optimization of filtering code in some routers
- IP filtering performance will no longer be an issue tomorrow
  - Layer 4 filtering on switches, even on routers
  - IP filtering is programmed in hardware (ASICs)
  - Datagram processing time is independent of filter length
  - Needed for QoS; QoS needed for VoIP
Scalability of network partitioning

- Meshed network
- Tabular line/rule oriented tools
  - You must have the topology in your mind
  - Limited to ±5 network devices applying security (SPEP)
  - Limited to ±70 rules
- Tool with topological global view
  - Limited to ±50 network devices applying security (SPEP) without zoom or folding
  - No rule limitation
- Example of tabular line/rule oriented view

Security policy enforcement point (SPEP)

- SPEP is a filtering device
- SPEP is any kind of device able to do filtering
  - Firewall
  - Router
  - Switch
  - Specific network appliance
- The SPEPs with central management act as distributed firewalls

Typical applications of network partitioning

- Internet
- Complex perimeter architecture
- E-commerce platform
- Extranets
- Branch networks

VLANs, VPNs & IPsec management

- VLANs
  - The configurable logical view of hosts
  - Let you set up your business domains
- VPNs
  - Network layer: IPsec
  - Data link layer: PPTP, L2TP
  - Application layer: PPP over SSH, many proprietary software components

What is network partitioning?

- Dividing the internal network into domains
- Applying filters between domains using existing network devices
  - These network devices have IP filtering capabilities: security policy enforcement point = SPEP
  - Most network devices have IP filtering capabilities
- Filtering devices allow only the necessary service flows between domains
- Network partitioning is also called network segregation or network compartmentalization
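The Class, Domain and SPEP slides and the definition above describe one model: domains are address sets, classes group domains, sets group services, a policy lists the flows allowed between domains, nothing is enforced within a domain, and each SPEP receives the subset of the policy that concerns the domains attached to it. The block below is an added example of that model, not code from the page or from the Solsoft product it mentions. The domain names, addresses, service sets and the generic "permit/deny" ACL syntax are assumptions constructed for the example; the policy encodes the analysis slide's first finding (users reach the mail servers, trainees do not).

```python
import ipaddress

# Domains: named pieces of the network (constructed addresses).
DOMAINS = {
    "users":       [ipaddress.ip_network("10.1.0.0/16")],
    "trainees":    [ipaddress.ip_network("10.9.0.0/24")],
    "mailservers": [ipaddress.ip_network("10.2.0.0/24")],
    "intranet":    [ipaddress.ip_network("10.3.0.0/24")],
    "bank_db":     [ipaddress.ip_network("10.5.5.0/29")],
}

# Classes: groupings of domains so one rule can cover several sources.
CLASSES = {
    "staff": ["users", "trainees"],
}

# Sets: groupings of protocols/services.
SETS = {
    "mail":   {("tcp", 25), ("tcp", 110), ("tcp", 143)},
    "sqlnet": {("tcp", 1521)},
    "web":    {("tcp", 80), ("tcp", 443)},
}

# Policy: (source class or domain, destination class or domain, set).
# Every cross-domain flow not listed here is denied.
POLICY = [
    ("users", "mailservers", "mail"),
    ("users", "bank_db", "sqlnet"),
    ("staff", "intranet", "web"),
]


def expand(name):
    """Resolve a class to its member domains; a plain domain resolves to itself."""
    return CLASSES.get(name, [name])


def domain_of(ip):
    """Return the domain containing ip, or None if it is outside every domain."""
    addr = ipaddress.ip_address(ip)
    for name, nets in DOMAINS.items():
        if any(addr in net for net in nets):
            return name
    return None


def is_allowed(src_ip, dst_ip, proto, port):
    """Policy decision for one flow, as the SPEP on the path would take it."""
    src, dst = domain_of(src_ip), domain_of(dst_ip)
    if src is None or dst is None:
        return False          # addresses outside the policy are denied
    if src == dst:
        return True           # no enforcement within a domain
    return any(
        src in expand(s) and dst in expand(d) and (proto, port) in SETS[svc]
        for s, d, svc in POLICY
    )


def compile_acl(attached_domains):
    """Emit the access list for one SPEP whose interfaces sit in attached_domains.

    Only rules whose source and destination domains are both attached to this
    device are emitted; the closing line denies everything else. The syntax is
    generic and illustrative, not a particular vendor's.
    """
    attached = set(attached_domains)
    lines = []
    for s, d, svc in POLICY:
        for src in expand(s):
            for dst in expand(d):
                if src not in attached or dst not in attached:
                    continue
                for proto, port in sorted(SETS[svc]):
                    for snet in DOMAINS[src]:
                        for dnet in DOMAINS[dst]:
                            lines.append(f"permit {proto} {snet} {dnet} eq {port}")
    lines.append("deny ip any any")
    return lines


if __name__ == "__main__":
    print("\n".join(compile_acl(["users", "mailservers", "bank_db"])))
```

Central management is the `compile_acl` step applied once per SPEP: the policy is written a single time in terms of domains and classes, and each device only ever sees the rules for the boundaries it actually sits on, which is what lets a handful of ordinary routers and switches behave as one distributed firewall.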

When should network partitioning be used?

- Unclear, unmanageable or porous network perimeter
  - Intranet over a WAN using VPN
  - VPNs with mobile users
    - What security should be on a mobile PC directly connected to the Internet and within the private network through a VPN?
  - VPNs with branches over the Internet
  - Modem banks and remote access users
- Extranets
  - E-commerce platforms that integrate the core business with the Internet
    - Like layered n-tier architectures
  - B-to-B applications that interconnect the core business with suppliers
- All need to communicate:
  - Mobile users via VPN that update e-commerce platforms

Why network partitioning instead of other security techniques?

- Network partitioning is easier than other techniques
  - Distributed security is too complex
  - Single sign-on remains difficult to deploy
  - Remote procedure calls and existing mobile code make traditional security models outdated
- Network partitioning is a proactive security technique
  - Intrusion detection is responsive or monitoring, and not as easy and efficient
- Other security techniques are still complementary
- Network partitioning is the natural extension of the firewall
  - The firewall concept is the most popular concept in security
  - Network partitioning is just the distribution of the firewall concept across an existing network

Security policy enforcement at Application & OS layer vs. Network layer

| Application & OS layer | Network layer |
|---|---|
| Set up security in many applications | Set up security once for the whole infrastructure |
| Set up security on many hosts in many ways | |
| Affects many system and application administrators in many places | Affects the network architecture department & the Network Operations Center |
| Complex to implement without a tool | Complex to implement without a tool |
| Complex to implement with available tool. Example: Axent ESM | Simple to implement with available tool. Example: Solsoft Net Partitioner |

Fragmented, Device-Based vs. Centralized, Policy-Based Network Security

| Fragmented, device-based | Centralized, policy-based |
|---|---|
| Doesn't provide scalability | Provides scalability with global vision |
| Difficult to manage | Easy to manage |
| Complexity can lead to security holes | Complexity becomes hidden by policy simplicity |
| Complexity prevents granularity | Simplicity allows granularity |

Abstraction level of policy-based network security management

- Policy-based management is a new abstraction level
- True policy-based management is not a new marketing idea for network management
- Policy-based management enforces real business needs over the information infrastructure
- Policy-based management is the highest level view, the closest to business needs and far from detailed network management

Authentication

- Network security policy requires authentication of
  - Hosts & network devices
  - Users
- Host & network device authentication
  - Today: only identification with IP address
  - Tomorrow: X.509 certificate
    - Key management with PKI
    - Solves the scalability issue of authentication
    - The PKI could become the security policy Decision Point
    - The network is a Distributed Policy Enforcement Point for the security policy
Policies

Many Policies
