Surviving in a hostile world – The myth of fortress applications – Tomas Olovsson, CTO, Appgate; Professor at Goteborg University, Sweden


1 Surviving in a hostile world – The myth of fortress applications
Tomas Olovsson, CTO, Appgate; Professor at Goteborg University, Sweden

2 The view of the 90’s
 Modems are used for remote access
 The Internet is used primarily for email, news and later also the world wide web (www)
 – 1994: there were 500 web servers
 – 1995: there were 10,000
 – 2000: there were 30,000,000
 Security?
 – Private modem pools are managed and regarded as secure enough
 – A firewall is enough to protect the network from Internet threats
 – 1997: the question is what to buy: stateful inspection firewall or application level firewall [Rik Farrow]

3 Around year 2000
 Mobile devices are becoming increasingly popular
 – Mobility: computers move between networks – virus problem
 – Software: new software follows the tracks of mobile computers
 – Information: internal information can easily be transferred
 – Devices: USB disks and memories begin to see the world
 Internal security is now being addressed
 – Not all devices are secure and trustworthy
 – Malicious software cannot be allowed to spread freely
 – Information cannot be trusted to all staff (“need to know”)
 The firewall?
 – It is still probably doing its job as intended

4 Traditional Internal Security
(diagram labels: Users, Servers, Personal FW, IDS system, WLAN, Firewalls, Switches and Routers)
 Many networks lack internal protection
 Others are segmented with firewalls, switches, routers and other equipment
 Personal firewalls protect workstations
 IDS systems monitor traffic

5 Large networks are beginning to be partitioned
(diagram labels: Customer support, Accounting, Tech. department, Management)

6 Today – Devices
 Internal security is more important than ever
 Mobile devices are in everyone’s possession
 – Devices will be moved to and from corporate networks: laptops, USB sticks, portable disks, phones, PDAs, …
 – We should be able to check them before granting access
 – Some devices should not be allowed
 – Better control over internal information (authorisation, access control)
 WLAN access exists in many places
 – Networks are extended outside the firewall
 – Traffic from the outside may not even pass the firewall…
 – Our users communicate – risk of wiretapping
 – Other users use them without our authorisation
 VoIP will be the next thing to integrate

7 Internal segmentation is even more important
(diagram labels: WLAN, Firewall, Customer support, Accounting, Tech. department, Management)

8 Today and communications
 The Internet has replaced modems for remote access
 All users have access to mail and www
 – Companies without web servers do not exist
 – Many threats to www (scripts, malicious software, etc.)
 We need to access data from other organisations
 – Computers are used to connect to external systems and share data
 Systems automatically connect to home servers
 – Software updates, anti-virus, etc. (“phone home”)
 Users are located everywhere
 – At home, remote offices, partners, customers, etc.
 – Information must be shared – it’s a business enabler
 Applications (e.g. p2p) can be disguised as p2p apps
 – They use port 80 for “firewall friendly” access – no control

9 We can no longer hide behind a firewall
(diagram labels: THE COMPANY, Partners, Product partners, Employees, Contractors, WLAN Access, Remote office, Home workers, Suppliers, Consultants, Outsourced resources)

10 Many complex solutions exist…
(diagram labels: Mobile users with VPN, Firewall with IPSec VPN, Servers, Push-email system, IDS, Wireless Network, Internal firewalls, SSL VPN, Internet Users, Management dep’t., Product development)

11 The problem with a Firewall-centric view
 Over time, the firewall will have many holes
(diagram labels: Firewall, Mail, VPN, Legacy Proxies, VoIP, Web, IM, Firewalls)

12 Remote access – a simple problem?
(diagram labels: Remote user, Internet, Firewall, “VPN tunnel”, Server, Internal network, Corporate network)

13 This is the same picture!
(diagram labels: Remote user, Internet, Firewall, Server, Internal network, Corporate network)

14 This is what the firewall implements…

15 But once you are on the inside…
 It used to be a modem… Now we have:
 – Mobile computers, USB memories, PDAs
 – Software, remote execution
 – Internet access, remote access, WLAN, 3G access
 – www, p2p, VoIP, mail, viruses, hacking tools
 – Personal firewalls, outsourced administration, etc.

16 Protection must be where the assets are
 Protection at the source
 It does not matter how you got to the inside!

17 This would be easy to implement – provided...
 Each application server and client can protect itself
 There’s a central authentication system for all users
 – Applications should not have to deal with authentication
 And a distributed authorisation system
 – Each project (data owner) can decide who can do what
 – User rights must depend on authentication method, user’s role, type of device, client location, time of day, etc.
 Applications are only visible to authorised users
Then:
 No perimeter firewall would be needed (we would still keep it)
 No difference between local access and remote access!
 It would not even be necessary to have an internal network!

18 NAC – Network Access Control
 Goal: check the connecting device before granting network access
 – Non-accepted devices can be connected to quarantine networks where they can update software, etc.
 – Some products may support identity-based access control to networks
 Emerging technology initiated by many vendors:
 – But with different names (McAfee, Microsoft, Symantec, Cisco, …)

19 NAC – Network Access Control
 An interesting approach
 – Vendor approach to solve the problem with disappearing network boundaries
 – Means that the problems mentioned here are recognised
 Requires an infrastructure on the network which implements the protection
 – Protection is enforced by the network, not the end devices
 – Does not enable secure end-to-end communication with mutual authentication
 – May mean we get more point products to manage…

20 Network Access Control (NAC)
 NAC is complicated:
 – Checks whether endpoints meet security policies and updates configurations
 – Checks for and isolates endpoints and users that have made it onto the network and seem to be breaching security policies
 Management is done from different platforms depending on device and access type
 – RAS policies would be enforced by a VPN gateway
 – LAN user access enforced by switches and similar equipment
 – Does not offer mutual trust – just checking the connecting device

21 Network Access Control (NAC)
 Forrester believes NAC is not the future
 – Next version is PERM – proactive endpoint risk management
 – “Policy-based software technology that manages risk by integrating endpoint security, access control, identity and configuration management.”

22 What is de-perimeterisation?
 Move security control closer to the source – to the end-points
 Be in total control of all users’ access rights
 Be in control of the connecting device
 Add policies that dictate how and under what circumstances each user can access each service
 Make access “seamless” and base it on cooperation between applications and users and the use of secure protocols
(short version of the Jericho Forum approach)

23 Move protection closer to application servers

24 The Jericho Forum Blueprint
 In a de-perimeterised world companies will have more systems not connecting to “their” network, but transacting via inherently secure protocols
 Tools: encryption, secure protocols, secure computer systems and data-level authentication
 User access can be granted based on his/her identity, authentication strength, location, time, type of device, etc.
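The distributed authorisation of slide 17 (rights depending on authentication method, role, device, location and time of day) and the Jericho Forum access criteria of slide 24 amount to a deny-by-default policy decision point. The Python below is an added illustration, not material from the presentation or from Appgate or the Jericho Forum; the services, roles, authentication strengths and rules are constructed for the example.

```python
from dataclasses import dataclass

AUTH_STRENGTH = {"password": 1, "password+otp": 2, "smartcard": 3}  # constructed ordering

@dataclass(frozen=True)
class AccessContext:  # what the decision point knows about one request
    role: str
    auth_method: str
    device_type: str
    device_compliant: bool   # outcome of the device posture check
    location: str            # e.g. "office", "home", "partner", "public"
    hour: int                # local hour of day, 0-23

@dataclass(frozen=True)
class Rule:  # one allow rule for one service; a request must satisfy every field
    service: str
    roles: frozenset
    min_auth: int
    locations: frozenset
    device_types: frozenset
    require_compliant: bool = True
    hours: tuple = (0, 24)   # half-open [start, end) window of permitted hours

# Constructed policy: the data owner of each service decides who may reach it.
POLICY = [
    Rule("accounting-db", frozenset({"accountant"}), 2, frozenset({"office", "home"}),
         frozenset({"managed_laptop"}), hours=(7, 20)),
    Rule("source-repo", frozenset({"engineer"}), 3, frozenset({"office", "home"}),
         frozenset({"managed_laptop"})),
    Rule("intranet-wiki", frozenset({"accountant", "engineer", "support"}), 1,
         frozenset({"office", "home", "partner", "public"}),
         frozenset({"managed_laptop", "phone"}), require_compliant=False),
]

def decide(ctx, service, policy=POLICY):
    """Deny by default: access is granted only when some rule matches every attribute."""
    strength = AUTH_STRENGTH.get(ctx.auth_method, 0)   # unknown method counts as none
    reason = f"{service}: denied (no rule grants role '{ctx.role}' access)"
    for r in (r for r in policy if r.service == service and ctx.role in r.roles):
        checks = [
            (strength >= r.min_auth, "authentication too weak"),
            (ctx.location in r.locations, f"location '{ctx.location}' not permitted"),
            (ctx.device_type in r.device_types, f"device '{ctx.device_type}' not permitted"),
            (ctx.device_compliant or not r.require_compliant, "device failed posture check"),
            (r.hours[0] <= ctx.hour < r.hours[1], "outside permitted hours"),
        ]
        failed = [msg for ok, msg in checks if not ok]
        if not failed:
            return True, f"{service}: allowed for role '{ctx.role}'"
        reason = f"{service}: denied ({'; '.join(failed)})"
    return False, reason
```

Because every attribute is checked and every failing check is reported, the same request from the same user is allowed from a managed laptop at the office and refused from an unpatched phone at night, which is the point of putting protection at the application rather than at the perimeter.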

25 Effective breakdown of perimeter
(timeline figure; axes: Time vs. Connectivity. Stages from earliest to latest: Stand-alone Computing [Mainframe, Mini, PC’s] – islands by technology; Local Area Networks; Connected LANs – interoperating protocols; Internet Connectivity – Web, e-Mail, Telnet, FTP, connectivity for Internet e-Mail; External Working – VPN based, external collaboration [Private connections]; Limited Internet-based Collaboration; Full Internet-based Collaboration; Consumerisation [Cheap IP based devices]; Full de-perimeterised working. “Today” is marked between the VPN-based and Internet-based collaboration stages. Drivers listed along the way: outsourcing and off-shoring; cost, flexibility, faster working; B2B & B2C integration, flexibility, M&A; low cost and feature rich devices.)
