Own nothing control everything. Belnet Security Conference

Transcription

1 Own nothing control everything Belnet Security Conference

2 I am Rutger doing security Agfa 2

3 Agfa-Gevaert Group Business & Organization Belgian Companies Agfa-Gevaert NV Agfa Healthcare NV Agfa Graphics NV Agfa-Gevaert Group Parent Company CC and GSS CC = Corporate Center GSS = Global Shared Service GSS GSS Agfa Agfa ICS ICS Global HR/ Global Procurement/ HR Logistics Agfa Graphics Agfa HealthCare Agfa Materials Specialty Products ICT within AGFA is called Agfa ICS (ICS = Information & Communication Services 3

4 Agfa in the World Sales organisations in 40 countries Representations in 100 countries Manufacturing sites in 10 countries HealthCare No 1-2 Prepress No 1-2 Other 4

5 Agfa Graphics: Product Portfolio Software Computerto-Film Film setter Film Analog Plates Offset Press Computerto-Plate Plate setter Digital Plates Thermal, Polymer & Silver Proofing PC Flexo Printing Flexo CTP Flexo Plates Flexo Press Screen Printing Screen exposure frame Screen Screen Press Scanner Industrial Inkjet Printing Digital Inkjet Print 5 Ink

6 Agfa HealthCare: Radiology Product Portfolio Contrast media Screen Film, Intensifying screens, cassettes Film processor & chemistry Screen Film Diagnosis on light box Analog X Ray Digital X Ray Reusable Imaging plate CR Digitizer Musica - CR Dry Imager Hardcopy film workstation CT, MR, PET, Connectivity PACS 6

7 Agfa HealthCare: IT Solution Portfolio Administration The HealthCare Community Referring Physicians Assisted Living Home Care Pharmacists Billing Payors Planning Emergency Room Nursing Reporting Intensive Care Intensive Care Electronic Patient Record Surgery Accounting Examining Cardiology Radiology Laboratory Treating Resource Management Diagnosing Catering Logistics 7

8 Specialty Products: Product Portfolio Classics : Motion Picture PCB-film Microfilm Film manufacturing services NDT-film 3rd party contracts New businesses Synthetic Paper Membranes Functional inks for industrial applications Identification & Security Orgacon 8

9 Agfa ICS facts and figures +/ users +/ servers +/ network devices Mainframe 3 main data centers + various server rooms Manufacturing environment R&D environment ICT within AGFA is called Agfa ICS (ICS = Information & Communication Services 9

10 First of all The topics covered in this presentation are applicable for the Agfa This is not an infomercial!! This is not the silver bullet solution!! 10

11 CISCO VPN 3000 CONCENTRATOR SERIES SYSTEM ETHERNET LINK STATUS EXPANSION MODULES INSERTION STATUS RUN STATUS FAN STATUS POWER SUPPLIES A B CISCO VPN 3000 CONCENTRATOR SERIES SYSTEM ETHERNET LINK STATUS EXPANSION MODULES INSERTION STATUS RUN STATUS FAN STATUS POWER SUPPLIES A B CPU UTILIZATION ACTIVE SESSIONS THROUGHPUT CPU UTILIZATION ACTIVE SESSIONS THROUGHPUT High level network/security design Country xyz MPLS Internet Customer Customer Customer Customer Networks Networks Networks Networks Core Internet routers Core MPLS routers Internet backbone Intranet backbone VPN Concentrators Firewall Cluster Proxies Rem. Supp. Customer A,B,C,D.. winsock Mgmt. DMZ Core WAF Core Mgmt. DMZ Mgmt. DMZ Datacenter User LAN MORTSEL Internet area User LAN Intranet area Extranet area 11

12 Security vision in the past Keep the evil outside of the perimeter Very strict interconnection policy Standardization High risk information processing in a secure "bubble (HE customers) 12

13 Why? Issues Capacity issues (MPLS) and related cost Internet issues Quick integration of acquisitions and associated risks Security 13

14 Capacity issues (MPLS) and related cost Internet Proxies Large office Datacenter Internet VPN (mpls backup) MPLS VPN(mpls backup) ` Small office Proxies User LAN Internet ` 14

15 Internet issues Internet Proxies Large office Datacenter Internet VPN (mpls backup) MPLS VPN(mpls backup) ` Small office Proxies User LAN Internet ` 15

16 Quick integration of acquisitions and associated risks Is like opening Pandora s Box 16

17 Quick integration of acquisitions and associated risks Internet Proxies Large office Datacenter Internet VPN (mpls backup) VPN(mpls backup) Joint V./ Acquisition MPLS VPN(mpls backup) ` Small office Proxies User LAN Internet ` 17

18 Security ISO 27K FDA Datacenter TÜV HIPAA NONE Proxies LAN Internet ` 18

19 Why? New business requirements Open device policy (BYOC) Managed Services model Local island networks 19

20 BYOC 20

21 Managed Services model 3 Managed Service Models On-site Solution as a Service (SaaS) Off-site Managed Hosting Remote Management IMPAX 6 PACS IMPAX RIS ORBIS EPR IMPAX CARDIO Agfa HealthCare IT Solutions IMPAX DATA CENTER HYDMEDIA ECM 21

22 Managed Services model Agfa Hosting Datacenter Impax servers / DB Datacenter Service Provider Impax servers / DB Datacenter Customer Customer network IDC Customer FW Customer A 22

23 Isolated networks Internet Datacenter Proxies Large office Internet VPN (mpls backup) VPN(mpls backup) Joint V./ Acquisition MPLS ` Plantnet, R&D.. VPN(mpls backup) Small office Proxies LAN Internet ` 23

24 Conclusion Some security measures are the cause of network issues Ignoring these issues or just saying no is not a solution 100% end user device standardization is utopia The internal trust/security concept is an illusion Protection of most important assets (datacenter) are necessary We need a plan!!! 24

25 We tried the hard way Enforce standardization Enforce policy More appliances (Wan opti., Firewalls, QOS, Winsock, ) 25

26 Result.. Overall happiness Security Long term operational costs 26

27 Let s start with a BIG project, that Solves network/security issues Brings internet into the company Provides a flexible but secure network Supports the new security vision Is future proof Embrace BYOC 27

28 The new security vision High risk information processing in a secure "bubble (HE customer, Manufacturing ) Granular security model (Different security requirements between BU s) Adopt a least privilege strategy and strictly enforce access control (user and device authentication) Gaining network traffic visibility: inspection and logging Virtualization It is not about who you keep OUT, it s about who you let IN User LAN = untrusted 28

29 Embrace BYOC Reducing costs User understands and supports his own system Agfa ICS can focus on infrastructure,projects,security etc not on fix and break support User satisfaction BYOC gives a sense of ownership Overall hapiness goes up Flexibility home enabler Could trigger thin client computing The only real way to standardize computing Ideal way to approach Secure Environments (healthcare,manufacturing) 29

30 Drawbacks Helpdesk support ICS Service Desk will be called first in case of problems, also when the problem is related to their own system Costs Application delivery Virtual environment delivery Network/security infrastructure Security Information security Legal issues 30

31 Looking for a security appliance Identify By Application By UserGroup By Content Inspection By Device Categorize By Application By Application Category By Destination By Content By usergroup Control Prioritize Apps by Policy Manage Apps by Policy Block Apps/Devices by Policy Detect and Block Malware Detect & Prevent Intrusion Attempts 31

32 Future high level netwerk/security design 32

33 How do we solve the capacity issues? Datacenter VPN (mpls backup) Large office ` Internet VPN(mpls backup) Joint V./ Acquisition MPLS Plantnet, R&D.. VPN(mpls backup) Small office LAN Internet ` 33

34 How do we solve the internet issues? Datacenter VPN (mpls backup) Large office ` Internet VPN(mpls backup) Joint V./ Acquisition MPLS Plantnet, R&D.. VPN(mpls backup) Small office LAN Internet ` 34

35 How do we solve the security issues? Datacenter VPN (mpls backup) Large office ` Internet VPN(mpls backup) Joint V./ Acquisition MPLS Plantnet, R&D.. VPN(mpls backup) Small office LAN Internet ` 35

36 Does this design meet the new requirements? Datacenter VPN (mpls backup) Large office ` Internet VPN(mpls backup) Joint V./ Acquisition MPLS Plantnet, R&D.. VPN(mpls backup) Small office LAN Internet ` 36

37 How to BYOC Smart phones Tablets PCs All devices No restrictions (non) Agfa Internet With controls (non) Agfa Device Checked for: - Virus software - Agfa standard Agfa devices Checked for: - Virus software - Encryption - Agfa standards -. Next Gen. firewall Internal Agfa Web applications Internal Agfa applications Highly secure applications Virtual Desktop Infrastructure 37

38 Managed Services model Agfa Hosting Datacenter Impax servers / DB Impax servers / DB Datacenter Service Provider Impax servers / DB Datacenter Customer Customer network IDC IDC Customer FW Customer A Customer B 38

39 Use cases Contractor -> SAP infrastructure 1 2 Ng Firewal 4 5 Datacenter 3 1. Contractor initiates traffic to the datacenter 2. FW agent sends user-ip mapping + system profile/parameters 3. Firewall verifies user credentials on AD 4. Firewall does policy check (User ok,av = OK, Agfa Standard = not ok system) 5. Only RPD Traffic allowed to Virtual Desktop VLAN 39

40 Use cases Agfa user to notes 1 2 Ng Firewal 4 5 Datacenter 3 1. Contractor initiates traffic to the datacenter 2. FW agent sends user-ip mapping + system profile/parameters 3. Firewall verifies user credentials on AD 4. Firewall does policy check (User = ok, AV = ok, Agfa Standard system = ok) 5. Notes/sametime traffic allowed to notes infrastructure 40

41 Use cases Agfa ICS administrator to notes 1 2 Ng Firewal 4 5 Datacenter 3 1. Contractor initiates traffic to the datacenter 2. FW agent sends user-ip mapping + system profile/parameters 3. Firewall verifies user credentials on AD 4. Firewall does policy check (User = ok, AV = ok, Agfa Standard system = ok) 5. Notes/sametime/administration traffic allowed to notes infrastructure 41

42 Final conclusion Next generation appliances are not a revolution This is not the silver bullet security solution, secure MZ s such as SRSS are still needed IT security is more than a security applicance doing UTM There is still a lot of work to do 42

43 Questions & Answers

44 Backup slides 44

45 Use cases Guest to internet 1 2 Ng Firewal 4 5 Internet 3 1. Guest initiates traffic to the internet 2. Webform used to collect authentication information 3. Firewall verifies user credentials on AD 4. Firewall does policy check (URL, application, user..) 5. Internet-bound traffic passed if allowed by policy 45

46 Use cases Contractor to HE webportal 1 2 Ng Firewal 4 5 Datacenter 3 1. Contractor initiates traffic to the datacenter 2. FW agent sends user-ip mapping + system profile/parameters 3. Firewall verifies user credentials on AD 4. Firewall does policy check (User = ok, AV = ok, Agfa Standard system = not ok) 5. Only HTTPS Traffic allowed to HE webportal 46

47 Use cases HE engineer to SRSS 1 2 Ng Firewal 4 5 Datacenter 3 1. Contractor initiate traffic to the datacenter 2. FW agent sends user-ip mapping + system profile/parameters 3. Firewall verifies user credentials on AD 4. Firewall does policy check (User = ok, AV = ok, Agfa Standard system = ok, Encryption = Ok) 5. SRSS traffic allowed to SRSS MZ 47

48 What is changed between 2001 and now? Good old days.. Related to Now Desktops > Laptops No smartphones Ownership/control + End user devices Desktop < Laptops everybody smartphones Ownership/control - Internet = privilege Browser/ftp client Internet Internet = Commodity A lot of other applications Static/economical Internet content Dynamic Economical Files Large Client <-> Lan Applications Client <-> LAN Client <-> Internet Default installed OS Users with no passwd Vulnerable CGI, OS To many ports open Security Threats Client side software Websites Zero-days + 48

49 User LAN Server VLAN s 49

50 The good old days Ratio desktop/laptop 80/20 Especially client server LAN traffic Internet was a privilege Static and economical internet content Browser <-> internet No smartphones etc.. Limited removable media IT was something work related Less compliancy obligation IT no core business Server based security threats 50

51 This resulted in following security controls Remote access only via VPN (strong authentication) Very tight network perimeter security Very strict interconnection policy Only internet access via proxy(authenticated) Seperated internal and external dns infrastructure 51