Presentation is loading. Please wait.

Presentation is loading. Please wait.

KBOM Aim Develop a series of Success Factors for infrastructure security Demonstrate the Success Factors in a Physical security analogy Extend the analogy.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "KBOM Aim Develop a series of Success Factors for infrastructure security Demonstrate the Success Factors in a Physical security analogy Extend the analogy."— Presentation transcript:

1

2 KBOM

3 Aim Develop a series of Success Factors for infrastructure security Demonstrate the Success Factors in a Physical security analogy Extend the analogy to the Digital world Describe typical faults in infrastructure security

4 Good Security Security Success Factors Multiple layers of protection -Defence in-depth -No direct access to customer data Utilises multiple technologies including -Access control -Breach detection -Auditing or recording key events Should integrate Human and Mechanised systems What is not specific required is denied

5 Security systems Testing the key success factors in the real world

6 Guard Good Security: A Physical Analogy Motion Detector Security Camera

7 Guard Security Success Factors Applied Multiple layers of security - “buys” time to repel attacker and prevents bert endangering the jewels Multiple technologies including Access control Breach detection Auditing Ensures one fault does not put the crown jewels at risk Use of manual and digital security

8 E-security systems Relating the digital-world to the real world

9 E-security systems A model that works

10 Countermeasures – Digital & Physical Door + Lock = Firewall Security Camera = Activity Logs Movement Sensors = Intrusion Detection Security Guard = Security Technician Physical Asset = Digital Asset System Logs

11 Security Success Factors Applied Internet Corporate Network Audit Logs Multiple technologies including Access control Breach detection Auditing Ensures one fault does not put the crown jewels at risk Multiple layers of security -“buys” time to repel attacker and prevents bert endangering the jewels -Customer data not inDMZ Security Console Interface of manual and digital security Alert data

12 Common Faults

13 Customer Data Web Server Intranet Internet Enterpris e Systems Corporate Databases Application Server Bank Internet Databases Certification Authority SET payment protocol that sends the user’s details directly to the bank Authentication and permissions Further protection of the Intranet Central role of the application server that will connect to all data sources User securely identified via certificates Merchant securely identified via Certificates Encrypted information securely transferring over the Internet Perimeter Firewall Internal Firewall ? ? Common Faults Overall configuration & design Standing data stored in DMZonly protected by 1 Layer of security No administration access or terminal servers so when things go wrong it is impossible to get access No proper design documentation – only a collection of clip-art No ip addresses or server details etc No centralised Time server or logging server Authentication flawed or SPI Unencrypted Data checking ing download ed scripts Design rules applied with no understanding so for example multiple firewalls provide no extra protection No Desk Check done !!!!! Too much new and diverse technology – multiple UNIX & Multiple Windows OS versions make it operational unviable

14 Common Faults: Router Internet Corporate Network Audit Logs Access lists absent, incomplete or applied to the wrong interface SNMP open with Community string of Public &... (Go on, have a guess) Telnet open - allowing unrestricted terminal access to the internet Small services open And even if the perimeter router isn’t yours WHO PAYS THE PRICE IF IT IS HACKED

15 Bad Config - router 1 of 1 pants#show startup-config hostname pants enable password cisco interface Serial0/0 ip address 194.117.132.10 255.255.255.252 interface FastEthernet1/0 ip address 192.188.144.81 255.255.255.252 ip route 0.0.0.0 0.0.0.0 194.117.132.9 ip route 192.193.97.65 255.255.255.255 195.188.144.82 snmp-server community public RO snmp-server community private RW line con 0 line aux 0 line vty 0 4 password cisco login !

16 After

17 After router 1 of 2 service password-encryption no service udp-small-servers no service tcp-small-servers hostname pants enable secret 5 $1$s1gN$TDLK8LhaSdgKlDUpR84OY1 enable password notused ! interface Serial0/0 ip address 192.117.132.10 255.255.255.8 ip access-group 102 in ! interface FastEthernet1/0 ip address 195.188.144.81 255.255.255.0 ! ip access-group 103 in

18 After router 1 of 2 ! Management controls access-list 1 permit 193.193.97.65 access-list 1 permit 193.193.116.0 0.0.0.255 ! ! Spoof & rfc 1918 filter access-list 102 deny ip 195.188.144.0 0.0.0.255 any access-list 102 deny ip 10.0.0.0 0. 255. 255.255 any ! ! Traffic filter access-list 102 permit tcp any host 195.188.144.68 eq www access-list 102 permit tcp any host 195.188.144.66 eq smtp access-list 102 permit ip any host 195.188.144.66 ! ! Egress rules access-list 103 permit ip 195.188.144.0 0.0.0.255 any access-list 103 deny ip any any

19 snmp-server community x1xx RO 1 snmp-server community x1xx RW 1 line con 0 password GMxQttt98 login line aux 0 line vty 0 4 access-class 1 in password Tmtttts login

20 Common Faults - Firewalls Internet Corporate Network Audit Logs No anti-spoofing No anti-spoofing Default passwords, Rules or Config Default passwords, Rules or Config Unused services Unused services Rules confused + undocumented Rules confused + undocumented No consideration given to error logging or the return connection (which can stop many hacks !!!) No consideration given to error logging or the return connection (which can stop many hacks !!!) Changes to the Configuration not logged Changes to the Configuration not logged No reporting of authorisation failures No reporting of authorisation failures

21 Before Pix 1 of 3 nameif ethernet0 outside security0 nameif ethernet1 inside security100 hostname firewall fixup protocol ftp 21 fixup protocol http 80 fixup protocol smtp 25 fixup protocol h323 1720 fixup protocol sqlnet 1521 names pager lines 24 no logging console no logging monitor no logging buffered errors no logging trap logging facility 20

22 Before Pix 2 of 3 interface ethernet0 auto interface ethernet1 auto ip address outside 11.73.2.222 255.255.255.0 ip address inside 11.73.7.251 255.255.255.0 nat (inside) 0 0.0.0.0 0.0.0.0 0 0 static (inside,outside) 11.73.1.2 161.73.1.2 netmask 255.255.255.255 0 0 static (inside,outside) 11.73.1.1 161.73.1.1 netmask 255.255.255.255 0 0 conduit permit tcp host 11.73.1.1 eq smtp any conduit permit tcp host 11.73.1.2 eq www any conduit permit tcp host 11.73.1.2 eq telnet any

23 Before Pix 3 of 3 apply (inside) 11 outgoing_src rip outside passive rip outside default rip inside passive rip inside default route outside 0.0.0.0 0.0.0.0 161.73.2.234 1 no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps telnet 11.73.140.99 255.255.255.255 telnet timeout 5 floodguard 1 Cryptochecksum:8c7bc2b51a5bd78305c83a14f13e9c7b

24 After

25 after Pix 1 of 3 nameif ethernet0 outside security0 nameif ethernet1 inside security100 hostname firewall no fixup protocol ftp 21 fixup protocol http 80 fixup protocol smtp 25 no fixup protocol h323 1720 no fixup protocol sqlnet 1521 names pager lines 24 no logging console logging host 192.2.2.1 logging trap 3 logging facility 20

26 After Pix 2 of 3 interface ethernet0 auto interface ethernet1 auto ip address outside 11.73.2.222 255.255.255.0 ip address inside 11.73.7.251 255.255.255.0 nat (inside) 0 0.0.0.0 0.0.0.0 0 0 static (inside,outside) 11.73.1.2 161.73.1.2 netmask 255.255.255.255 0 0 static (inside,outside) 161.73.1.1 161.73.1.1 netmask 255.255.255.255 0 0 conduit permit tcp host 11.73.1.1 eq smtp any conduit permit tcp host 11.73.1.2 eq www any conduit permit tcp host 11.73.1.2 eq telnet any outbound 11 permit 11.73.0.0 255.255.0.0 smtp tcp outbound 11 deny 11.73.0.0 255.255.0.0 www tcp apply (inside) 11 outgoing_src

27 After Pix 3 of 3 rip outside passive rip outside default rip inside passive rip inside default route outside 0.0.0.0 0.0.0.0 161.73.2.234 1 no snmp-server location no snmp-server contact no snmp-server community public no snmp-server enable traps telnet 11.73.140.99 255.255.255.255 telnet timeout 5 floodguard 1 Cryptochecksum:8c7bc2b51a5bd78305c83a14f13e9c7b

28 Firewall 1 - before

29

30 Firewall 1 - After

31

32 Common Faults - Web Server Internet Corporate Network Audit Logs Whoops - SSL is not enabled Critical data in the DMZ – Classical example of pointless Multiple layers Default CGI script or Administration servlets only protected by a simple (Default!!) passwords Developer SDK and doco available Operating systems not properly hardened and configured

33 Common Faults - Applications Internet Corporate Network Audit Logs Confidential screens and information (perhaps passwords) unencrypted – in URL or in cookies Passwords used for high- value transactions Application authorization that “should work” (as long as you don’t try it) No proper application logging or alerting –making fraud easy

34 Common Faults - IDS Internet Corporate Network Audit Logs Focusing on known- attacks rather than anomalous traffic Not updating it regularly -Attacks emerge every day Encryption -Encryption is our friend – but if you install a network based IDS to monitor encrypted traffic what is it Putting them in a wrong place -You don’t put a motion detector outside your house

35 KBOM

36

Download ppt "KBOM Aim Develop a series of Success Factors for infrastructure security Demonstrate the Success Factors in a Physical security analogy Extend the analogy."

Similar presentations

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.

Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.
DMZ (De-Militarized Zone)

DMZ (De-Militarized Zone)
DMZ (De-Militarized Zone)

DMZ (De-Militarized Zone)
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
Implementing a Highly Available Network

Implementing a Highly Available Network
Cisco IOS Firewall ( CBAC-Context Based Access Control)

Cisco IOS Firewall ( CBAC-Context Based Access Control)
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Securing the Borderless Network March 21, 2000 Ted Barlow.

Securing the Borderless Network March 21, 2000 Ted Barlow.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.

Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.
CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control 172.16.3.0172.16.4.0 Non-172.16.0.0 e0e1 s0 172.16.4.13 server.

CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control Non e0e1 s server.
Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense
1 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential.Cisco Networking Academy, U.S./Canada Equipping Today’s Instructors for Tomorrow’s.

1 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential.Cisco Networking Academy, U.S./Canada Equipping Today’s Instructors for Tomorrow’s.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Network Perimeter Security Yu Wang. Main Topics Border Router Firewall IPS/IDS VLAN SPAM AAA Q/A.

Network Perimeter Security Yu Wang. Main Topics Border Router Firewall IPS/IDS VLAN SPAM AAA Q/A.
Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.

Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.

Similar presentations

Ads by Google