When it Comes to Networking, Keep It Simple

Networking is fun. It should also be pragmatic. The goal should be to get traffic from Point A to Point B as efficiently and securely as possible.

There are many production networks that have been architected like a service provider network, or the way networking vendors would like them designed. This is not to say that these networks aren't providing service, as they all are, just that they rarely have the scaling requirements of an ISP. Such designs are usually built by people who love networking and want to see as much of it as possible, at the expense of being impractical and expensive.

Here’s an example of what I’ve described:

The architecture above contains:

  • Border Routers that connect to the Internet and are the first hop for the IPs provided by the ISP
  • Core Routers or Switches that handle routing between internal networks
  • Distribution Routers or Switches that aggregate Access Switches. They will either pass traffic between locally connected access switches or forward traffic to the core to be routed
  • Access Switches that provide physical Ethernet connectivity for endpoints (clients and servers)
  • Security Gateways that may include multiple layers of firewalls, Network IPS, Web Gateways, and Email Gateways

There are usually a few other extraneous network elements as well: routers that connect to partner networks, proxy servers, VPN concentrators, and legacy environments that nobody wants to touch because they have been in place for years.

While highly scalable, for most enterprises (outside of ISPs) an environment like this is too much; like putting out a match with a fire hose.

Due to its complexity, this architecture carries high capital and operational costs and has many potential points of failure. The most serious problem with the design, though, is its blind spots. Much of the internal traffic travels from an endpoint to a switch and on to another switch (or the core) without ever touching a security gateway, so it is never inspected. That matters because an intrusion rarely ends at the first compromised host: by one commonly cited estimate the attacker makes about six lateral moves inside the environment during a typical breach, first to find the data they want and then to find an exit point. Any network security policy needs to account for that lateral movement, and a design that only inspects traffic at the Internet edge cannot.

For better management and security, much of the functionality above should be collapsed into far fewer layers:

  1. Firewalls
  2. Access/Distribution Switches


In this architecture, the Internet connection terminates directly on the security gateways. To keep the Internet connection highly available, each firewall should have two physical connections to the ISP (connections to two different ISPs are also possible). Where needed, dynamic routing protocols run on the WAN interfaces of the security gateways themselves, for example BGP for multi-homed Internet connectivity or OSPF across an MPLS WAN. Threat prevention features (network intrusion prevention and malware prevention) should be enabled on the gateways, and all site-to-site and client-based VPNs should terminate on the security appliances, too.

Access switches should connect to the inside interfaces of the security gateways with as few intermediate switch hops as possible. The switches should run in layer 2 mode only, with every VLAN's layer 3 interface (its default gateway) living on the security gateway. That way any traffic leaving a VLAN is forwarded from the access switch up to the gateway, so security policy is applied to as much internal traffic as possible. If the number of access switches exceeds the ports available on the security gateway, distribution switches must be introduced to aggregate the access switch uplinks, as in the diagram above; those distribution switches then carry 802.1Q trunks to the security gateways and still have no layer 3 interfaces of their own.

With a next-generation security platform in the path, access control changes dramatically. Consider the simple scenario of IT engineers needing access to the servers to keep things running. If only VLANs separate the user LAN from the server network, there is no real access control between them: anyone can move from one network to the other as long as they have credentials for the target host.

With a traditional firewall between these networks, a policy has to be written, and it is usually written in terms of addresses. Each engineer, upon joining the organization, requests a static IP address, which takes time. From there they request access into the server network from that static IP, and the firewall team updates the policy with the new user's source address and a destination list that tends to grow into a long list of IP addresses and TCP and UDP services. The problems with this are well known. The policy authenticates an address, not a person, so anyone who assigns that static IP to their own machine inherits the access. It also ties the administrator to one physical location (wherever that endpoint sits) whenever they need to reach the servers. And as people leave the organization the policy is never cleaned up, so it grows unwieldy and keeps granting access to addresses nobody owns anymore.

In the same environment a much simpler and more secure policy can be written. The source of the management traffic is expressed as the Active Directory group for the IT engineers rather than (or in addition to) a static IP address, so as soon as an engineer is added to or removed from the group in Active Directory their access across the network is added or removed as well, with no change to the firewall rulebase. Rather than opening ports and protocols that any program can use, the actual applications required (RDP, SSH) are identified and allowed and everything else is blocked, so a tunnel or a different tool running on port 22 does not get a free pass. Finally, with network intrusion prevention and anti-malware enabled on the same device, known malicious behavior inside the allowed sessions can be blocked rather than just logged.
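To make the contrast concrete, here is a small Python model of the two policy styles, written for this page rather than taken from the post or from any vendor's software. The directory snapshot, the application labels (a stand-in for what an application-identification engine would report), the rule format and all addresses are constructed assumptions. It evaluates the same flows against an address/port rulebase and a group/application rulebase, and shows that offboarding in the directory revokes access without touching the rules.

```python
"""Toy evaluator contrasting an IP/port firewall policy with a
user-group/application policy. Added illustration only: the directory
snapshot, application labels and rule format are simplified assumptions,
not any vendor's data model."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed directory snapshot: user -> group memberships.
DIRECTORY: Dict[str, Set[str]] = {
    "alice": {"it-engineers"},
    "bob": {"sales"},
}


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int
    app: str             # what the payload actually is (assumed app-id result)
    user: Optional[str]  # user the gateway has mapped to src_ip, if any


@dataclass
class Rule:
    name: str
    action: str = "allow"
    src_ips: Set[str] = field(default_factory=set)            # empty = any
    src_groups: Set[str] = field(default_factory=set)         # empty = any
    dst_ips: Set[str] = field(default_factory=set)            # empty = any
    ports: Set[Tuple[str, int]] = field(default_factory=set)  # empty = any
    apps: Set[str] = field(default_factory=set)               # empty = any


def matches(rule: Rule, flow: Flow, directory: Dict[str, Set[str]]) -> bool:
    if rule.src_ips and flow.src_ip not in rule.src_ips:
        return False
    if rule.src_groups:
        # The group check is against the person, not the address they sit on.
        groups = directory.get(flow.user or "", set())
        if not (groups & rule.src_groups):
            return False
    if rule.dst_ips and flow.dst_ip not in rule.dst_ips:
        return False
    if rule.ports and (flow.proto, flow.dport) not in rule.ports:
        return False
    if rule.apps and flow.app not in rule.apps:
        return False
    return True


def evaluate(rules: List[Rule], flow: Flow, directory=DIRECTORY) -> str:
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for rule in rules:
        if matches(rule, flow, directory):
            return rule.action
    return "deny"


# Legacy style: one engineer's static IP, a server list, TCP ports.
LEGACY = [Rule("admin-to-servers",
               src_ips={"10.1.1.50"},
               dst_ips={"10.2.0.10", "10.2.0.11"},
               ports={("tcp", 3389), ("tcp", 22)})]

# Identity/application style: AD group as source, named applications.
IDENTITY = [Rule("it-engineers-to-servers",
                 src_groups={"it-engineers"},
                 dst_ips={"10.2.0.10", "10.2.0.11"},
                 apps={"ms-rdp", "ssh"})]


def scenarios() -> Dict[str, Tuple[str, str]]:
    """Returns (legacy verdict, identity verdict) for three constructed flows."""
    alice_other_desk = Flow("10.1.7.23", "10.2.0.10", "tcp", 3389, "ms-rdp", "alice")
    bob_on_admin_ip = Flow("10.1.1.50", "10.2.0.10", "tcp", 3389, "ms-rdp", "bob")
    not_ssh_on_22 = Flow("10.1.1.50", "10.2.0.10", "tcp", 22, "unknown-tcp", "alice")
    return {
        "alice_other_desk": (evaluate(LEGACY, alice_other_desk), evaluate(IDENTITY, alice_other_desk)),
        "bob_on_admin_ip": (evaluate(LEGACY, bob_on_admin_ip), evaluate(IDENTITY, bob_on_admin_ip)),
        "not_ssh_on_22": (evaluate(LEGACY, not_ssh_on_22), evaluate(IDENTITY, not_ssh_on_22)),
    }


def after_offboarding() -> Tuple[str, str]:
    """Alice leaves: the directory changes, the rulebase does not."""
    directory = {user: set(groups) for user, groups in DIRECTORY.items()}
    directory["alice"] = set()
    flow = Flow("10.1.1.50", "10.2.0.10", "tcp", 3389, "ms-rdp", "alice")
    return evaluate(LEGACY, flow), evaluate(IDENTITY, flow, directory)


if __name__ == "__main__":
    for name, (legacy, identity) in scenarios().items():
        print(f"{name:18} legacy={legacy:5} identity={identity}")
    print("after_offboarding  legacy=%s identity=%s" % after_offboarding())
```

The three flows map directly to the three complaints above: the engineer working from another desk is denied by the address rule but allowed by the group rule; a colleague who grabs the admin's static IP is allowed by the address rule but denied by the group rule; and non-SSH traffic on port 22 passes the port rule but fails the application rule. The real gateway's user-to-IP mapping and application identification are doing the heavy lifting that this model assumes away, so their accuracy is what the whole policy rests on.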

In summary, these are the benefits to this design:

  1. Capital cost savings – At least three layers of physical appliances have been eliminated. The individual security gateways may cost more because they need more capacity, but the author estimates an overall equipment saving of roughly 50 percent from the reduction in hardware.
  2. Operational cost savings – The routing and filtering that used to be spread across layers is now done on a single security gateway (or HA pair). Most daily changes and troubleshooting happen on that one pair of devices, and the switches all stay in simple layer 2 mode, so fewer devices need to be examined when there is a problem. Because the operations team spends most of its time in the security appliances, it builds stronger security skills, which further shortens repair times. Less rack space, power, and cooling are needed as well.
  3. Better security – The more traffic that is routed on an internal core, the less of it the security gateways ever see. Putting the default gateway for every network on the security gateway means traffic between those networks is inspected. One caveat: traffic between two hosts in the same VLAN is still switched locally and never reaches the gateway, so VLANs should be kept small and segmented by role rather than treated as one flat network.

With the increase in the use of virtual machines in modern datacenters, it is important to ensure that the security platform you select can be deployed in virtual and public cloud environments to provide continuity.

Complexity and obscurity are the real enemies of security and availability. Simplicity and efficiency are key allies.

[Palo Alto Networks Blog]

How to Create a GEIT System that Delivers Value

Governance is vital to accomplishing the goals of an enterprise. By its very definition, governance of enterprise IT (GEIT) places a structure around how an organization aligns IT strategy with business strategy, ensuring that companies stay on track to achieve goals and implement methods to measure performance.

To be successful, an enterprise needs to manage expectations and satisfy stakeholder requirements— the drivers behind development of enterprise goals and subsequent IT-related goals. These goals must be in alignment and are best created with the full cooperation and involvement of IT and the stakeholders.

While governance is critical to any enterprise, form does not always follow function, resulting in many different pathways to successful implementation. In short, there seems to be no agreed-upon approach.

How do you get there? How do you start?

One valuable new resource is ISACA’s white paper, “Getting Started with GEIT.” The white paper outlines how an enterprise can begin the process of understanding needs and how to take that knowledge and put it into action.

It summarizes how using a well-established framework, such as COBIT 5, assists in creating a common language and understanding of governance concepts throughout the enterprise.

For example, the early benefits of using a framework include:

  • Deliver value to stakeholders.
  • Accomplish established stakeholder goals.
  • Make future change easier to accomplish.
  • Establish a framework that is part of the enterprise culture.
  • Strengthen internal control.
  • Rely less on external parties.
  • Enhance credibility of internal resources.

One item to note is that no matter what new framework is introduced, the timing of its introduction should be sensitive to the general business environment or commitment to its adoption could prove difficult.

The beauty of a successful framework is that its strength resides in its flexibility. It offers guidance, not prescriptive steps in what to do. The end result? Risks to the enterprise are significantly reduced and overall value quickly recognized.

Joanne De Palma, CISM, BCMM Assessor, MBA
Director, Global Information Technology Risk Management – ORM
PFI

[ISACA]

Palo Alto Networks Now a Four-Time Gartner Magic Quadrant Leader!

Gartner has just released its latest Magic Quadrant for Enterprise Network Firewalls and once again named Palo Alto Networks a Leader. This marks the fourth consecutive year that Palo Alto Networks has been named a Leader, a designation shared only with Check Point. All other vendors were named either Challengers or Niche Players in Gartner’s four-quadrant system. I invite you to download the report at http://connect.paloaltonetworks.com/gartner-mq-2015.


At Palo Alto Networks we have maintained a steadfast commitment to innovation. Just recently we introduced a new endpoint protection technology named Traps and a new cyberthreat intelligence service named AutoFocus. These innovations are not only a testament to that commitment, they are proof points in our continued ability to execute. We believe this record of innovation and execution has moved Palo Alto Networks further along the x-axis within the Leaders quadrant.

DISCLAIMER: This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available from Palo Alto Networks at http://connect.paloaltonetworks.com/gartner-mq-2015. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

[Palo Alto Networks Blog]

RSA 2015: #PreventionIsHere

Thanks to everyone who’s joined us so far at RSA 2015. It’s been a lot of fun, and we’ve still got another day!

Palo Alto Networks cybersecurity experts – ranging from Nir Zuk and Rick Howard, to Ryan Olson and Scott Simkin, and many more – have been showcasing the importance of prevention. It’s not sufficient to simply detect and remediate; we help our customers protect their networks and make the cost of attack prohibitively high for cybercriminals.

This week has been busy for Palo Alto Networks at RSA, with breakout sessions from Rick Howard, Ryan Gillis, and Ryan Olson, focusing on the role of the CISO, cybersecurity legislation, and building a threat intel team. At the booth, we’ve had a packed house for sessions on mobile security, advanced attacks, endpoint protection, and more. And we capped it all off by treating our customers to the hottest after party at RSA last night.

The excitement continued today, with attendees packing our booth for hands-on demos of the Palo Alto Networks enterprise security platform, which enables organizations to prevent attacks before they occur. Presentations from our experts and partners continued to drive crowds to the booth. In fact, Nir’s presentation was so popular we added two encore presentations this afternoon.

Here’s a look at some of the action so far. And remember, stop by our booth (N4120) tomorrow for more presentations, giveaways, hands-on demos, and more!

[Palo Alto Networks Blog]

Everyone Has a Part in the Digital Forensics Process

Recently, ISACA announced the release of its free "Overview of Digital Forensics" white paper to illustrate the role of digital forensics as it relates to cybersecurity. Organizations need to discuss the role of digital forensics with everyone, including those in non-technical roles. Without that holistic consideration, there will be no data to draw on when a cybersecurity investigation is needed.

Digital forensics is used in conjunction with other business areas to investigate issues such as insider threats. In 2014, insider threats accounted for up to 35 percent of information security incidents. Digital forensics and compliance both become much harder if IT policies are not actually practiced as recommended by ISO 27001:2013 or NIST SP 800-53.

As mentioned in the white paper: In 2013, US President Barack Obama issued Executive Order (EO) 13636 to improve critical infrastructure cybersecurity. The order directed the National Institute of Standards and Technology (NIST) to lead development of what became the Cybersecurity Framework (CSF), with input from industry and international partners. ISACA's COBIT 5 framework helps businesses manage their systems in line with the values embedded in the CSF, which is another way of supporting digital forensics investigators.

Investigators also benefit from information sharing, especially of indicators of compromise. These can be collected from network traffic, memory images, and other host-based forensic methods. Such information "is the lifeblood of effective cyber defense and response. Pulling together this information allows defenders to identify anomalies or patterns and recognize dangerous activity before it can do significant damage," as stated by the US Department of Homeland Security.

Below are a few tips on how everyone within a business can help defend against significant damage and help investigators.

Tip 1: Enable logging and network monitoring. Network traffic logs are critical during a breach. If an endpoint or its agent is wiped, destroyed, or tampered with by the attacker, the network-side logs may be the only record that survives, so monitoring should not depend on the endpoint alone.

Tip 2: Establish and follow through with record retention. The US State Department was recently in the news for a record-policy mishap. No business wants to see its name in the news for either not having a policy or failing to comply with its own established procedures. Human resources (HR) record retention policies should be in place so that, when needed, HR complaints and whistleblower allegations can be pulled. Always be court ready. Email servers should have backups and a deletion policy written with Freedom of Information Act (FOIA) and electronic discovery requests in mind. For instance, any email deleted on a user's machine should still be recoverable on the mail server, regardless of where that server is hosted. Exchange servers have default retention settings that can be modified to fit the needs of an organization; Gmail and other business applications have similar settings.

Tip 3: Establish standard operating procedures and images. Without standard baseline images for end-user systems (e.g., laptops, desktops, servers, mobile devices), digital forensic investigators may have no security event logs to recover. Detailed security event logging is not enabled by default on most systems, so administrators need to turn it on in the baseline image. VPN and system event logs help establish a sequence of events, and every little bit counts towards a successful investigation. TSA-13-1004-SG from the US National Security Agency (NSA) covers this topic in more detail.

As for the term cybersecurity, it is one of those multifaceted, sexy buzz words. It is appealing to both the bad guys and the defenders, but it is as broad as it is vague. Maybe you are interested in cybersecurity, but do not know where to begin. It is difficult to narrow down the breadth of information out there. You can start with an ISACA course or begin reading up on a topic of interest, beginning in the weeds then working your way out of the trenches. Some material you might find helpful includes:

  • Advanced Persistent Threat: Understanding the Danger and How to Protect Your Organization by Eric Cole Syngress Publishing (c) 2013 ISBN: 9781597499491
  • Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide by Laura Chappell (Author), Gerald Combs (Foreword) 2010 ISBN-13: 978-1893939998
  • Hacking Exposed 6: Network Security Secrets and Solutions by Stuart McClure, Joel Scambray and George Kurtz McGraw-Hill/Osborne (c) 2009 9780071613743
  • Handbook of Digital Forensics and Investigation by Eoghan Casey et al., Academic Press (c) 2010 9780123742674
  • Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software by Michael Sikorski and Andrew Honig, No Starch Press (c) 2012 9781593272906
  • Malware Analyst’s Cookbook: Tools and Techniques for Fighting Malicious Code by Michael Hale Ligh, Steven Adair, Blake Hartstein and Matthew Richard, John Wiley & Sons (c) 2011 9780470613030
  • The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory by Michael Hale-Ligh, Andrew Case, Jamie Levy and Aaron Walters, John Wiley & Sons (c) 2014 9781118825099

You have seen cybersecurity in the news. PricewaterhouseCoopers' Game of Threats illustrates it through gamification. Hackers present it as a glamorous career path and a get-rich-quick scheme. We no longer ask whether an insider will steal data or an outsider will breach a network, but when.

Businesses need to prepare themselves for battle, arming themselves with knowledge of how security works, training their team to understand threats in a realistic manner, and grabbing weapons to protect their information and reputation. Imagine the “battlefield” like a game of DotA or Magic the Gathering. The attacks do not stop. If businesses do not prepare beforehand, by investing and maintaining these weapons, they may not make it out alive.

Jaime B.
IT Consultant, Washington, DC

[ISACA]
