Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing the Borderless Network March 21, 2000 Ted Barlow.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Securing the Borderless Network March 21, 2000 Ted Barlow."— Presentation transcript:

1 Securing the Borderless Network March 21, 2000 Ted Barlow

2 Securing the Network Copyright 2000, Deloitte Touche Tohmatsu The Internet has fundamentally changed the way networks are designed and secured Introduction

3 Securing the Network Copyright 2000, Deloitte Touche Tohmatsu How things used to be... single host environment mainframe security systems hierarchical controls well-defined access paths dumb terminals centralized storage/processing of data Old Model

4 Securing the Network Copyright 2000, Deloitte Touche Tohmatsu “Fortress” Security Model Internet Internal Network Firewall Protocols: SMTP FTP HTTP “New” Old Model

5 Securing the Network Copyright 2000, Deloitte Touche Tohmatsu DMZ “Freeway” Security Model Internet Internal Network Firewall Web Server Application/ Database Vendor Extranet HTTP SSLJava ActiveX SMTP S/MIME VPNViruses TrojansH.323 Credit Validation Network New Model

6 Securing the Network Copyright 2000, Deloitte Touche Tohmatsu What are the Risks? Denial of Service DDOS (Distributed Denial of Service Attacks) Defacement 3693 web server defacements in 1999 (www.attrition.org) 130 government sites (.gov) Loss of private data CD Universe (~350,000 credit card numbers) Breach of internal networks and systems Risks

7 Securing the Network Copyright 2000, Deloitte Touche Tohmatsu How do you Build a Secure Internet Application Environment? Incorporate security reviews early in the design process Design with future strong authentication methods in mind Design for explosive growth Encrypt entire path from client to backup tapes for critical data Establish security baselines and perform security hardening before going live on the Internet Design and Build

8 Securing the Network Copyright 2000, Deloitte Touche Tohmatsu Key Components of the Secure Network Border routers DMZ Firewalls Encrypted data paths Intrusion Detection System (IDS) Content Security (CVP) Infrastructure

9 Securing the Network Copyright 2000, Deloitte Touche Tohmatsu The Firewall/DMZ Environment Begin with a secure screening router Choose a firewall that is extensible, scalable Packet filtering vs. application proxy firewalls Firewall appliances and next generation firewalls Network address translation (NAT) will improve DMZ security Build firewall redundancy Firewalls

10 Securing the Network Copyright 2000, Deloitte Touche Tohmatsu Choosing the Right Firewall Solution Packet Filters Application- Proxy Gateways Stateful Inspection Firewall Comparison PROSCONS Application Independent High Performance Scalable Good Security Fully Aware of Application Layer Good Security High Performance Scalable Fully Aware of Application Layer Extensible Low Security No Protection Above Network Layer Poor Performance Limited Application Support Poor Scalability More Expensive

11 Securing the Network Copyright 2000, Deloitte Touche Tohmatsu Is Intrusion Detection Necessary? Definition – the ability to detect and defend against defined attack patterns Host based & network based Network IDS can be integrated with firewalls to automatically respond to attacks Host based IDS can detect changes to operating system programs and configurations IDS

12 Securing the Network Copyright 2000, Deloitte Touche Tohmatsu Internet Web Server Internet External Router Intranet Web Server Internal Network DMZ Outside Application/Database Server Backup Server Intrusion Detection System (IDS) Inside Design Case Study Internal Router

13 Securing the Network Copyright 2000, Deloitte Touche Tohmatsu Web Server Internet External Router Internal Router IDS App Server Backup Server Internal Network IDS Console IDS CVP Server DMZ NAT DMZ NAT Design Case Study

14 Securing the Network Copyright 2000, Deloitte Touche Tohmatsu How do you Maintain a Secure Internet Application Environment? Keeping ahead of security exploits is a full time job Actually review and report on firewall, IDS and system logs Develop incidence response (IR) procedures and IR team Periodically review and audit system and network security configurations Maintenance

15 Securing the Network Copyright 2000, Deloitte Touche Tohmatsu What is coming in Network Security? Better, cheaper authentication mechanisms Open network security models System, application level “firewalls” Windows 2000 Future Developments

16 Securing the Network Copyright 2000, Deloitte Touche Tohmatsu Windows 2000 Security Kerberos Authentication Infrastructure Certificate Authority (CA) Security Configuration Editor IPSec Support Encrypting File System (EFS) Future Developments

17 Securing the Network Copyright 2000, Deloitte Touche Tohmatsu Kerberos Authentication Windows 2000 supports several authentication models: Kerberos for internal authentication and X.509 certificates for external authentication. Kerberos can be configured to use private or public key authentication. Keys are managed by the Domain Controller (DC) in the Key Distribution Center (KDC). A User is granted a ticket or certificate which permits a session between the user and the server. Important security considerations: The KDC MUST be physically secured Susceptible to password dictionary attacks Administrators still have complete access Future Developments

18 Securing the Network Copyright 2000, Deloitte Touche Tohmatsu Certificate Authority (CA) This is a Public Key Certificate Server built into Windows 2000. The server manages the issuing, renewal, and cancellation of digital certificates. Digital certificates are used to initiate encrypted sessions such as Secure Sockets Layer (SSL) for secure web-based communications. Future Developments

19 Securing the Network Copyright 2000, Deloitte Touche Tohmatsu Security Configuration Editor This is a Microsoft Management Console (MMC) tool that eases security administration. Allows administrators to create security baselines by defining templates with global security parameters, and then perform security analyses against the templates. Manages security policies, file system access control, and Registry permissions. Future Developments

20 Securing the Network Copyright 2000, Deloitte Touche Tohmatsu Internet Protocol Security (IPSec) Defines security policies at the lowest possible layer: the network communication layer. Enables encryption and decryption of network packets before they leave the network interface card (NIC). Supports the use of public keys (RSA) or private keys (DES). Future Developments

21 Securing the Network Copyright 2000, Deloitte Touche Tohmatsu Encrypting File System (EFS) Allows users to encrypt files and directories that only they (and administrators) can decrypt. EFS creates a separate 56-bit encryption key based on the Data Encryption Standard (DES) algorithm. The administrator’s key can unlock any encrypted file in the domain. This service is very fast and encryption/decryption occurs without the user noticing. Future Developments

22 Securing the Network Copyright 2000, Deloitte Touche Tohmatsu Summary of Best Practices If possible, create a separate trusted network (DMZ) Choosing the right firewall solution is key Application security is only as strong as system and network security Design the infrastructure to facilitate monitoring and data backups Intrusion Detection Systems – you can’t defend what you don’t detect Summary

23 Securing the Network Copyright 2000, Deloitte Touche Tohmatsu Questions? Contact: Ted Barlow tbarlow@dttus.com Thank You tbarlow@dttus.com

Download ppt "Securing the Borderless Network March 21, 2000 Ted Barlow."

Similar presentations

Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Chapter 9 Deploying IIS and Active Directory Certificate Services

Chapter 9 Deploying IIS and Active Directory Certificate Services
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Firewall Configuration Strategies

Firewall Configuration Strategies
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.

Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
Chapter 19 Security.

Chapter 19 Security.
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Similar presentations

Ads by Google