Security Policies Tekenen? Florian Buijs

Transcription

1

2 Security Policies Tekenen? Florian Buijs

3 Good Old Days: IP Address = User Application = Port/Protocol Today: IP Address! User Application! Port/Protocol

4 What are ACL s? Firewall Rules? Real World example: Marco B. To the golf course In a Bugatti YES! Network example (ACL / Firewall Rule): Internal Network To DNS server Using DNS Allow Source address Destination address Service Action Internal network /24 DNS server DNS UDP/53 Allow

5 What is the difference between an ACL and a Firewall Rule? Internal Network To DNS server Using DNS Allow Source address Destination address Service Action Internal network /24 DNS server DNS UDP/53 Allow Cisco router: access-list acl-inside-in extended permit udp gt 1023 host eq domain! Here s a Cisco Firewall rule, can you spot the differences? Cisco ASA Firewall: access-list acl_inside extended permit tcp object-group Internal_Network objectgroup DNS_Server eq domain

6 What does a Next Generation Firewall rule look like? Same IP Addresses and Ports as before but with some extra s like Users, Applications etc. Internal Network Marco B. To DNS server Using DNS DNS port Allow Source address User Destination address Application Service Action Internal network /24 Marco B. DNS server DNS UDP/53 Allow

7 3 Teams use ACL & firewall rules Set department policy InfoSec Team Deploy & implement Communication and reporting Enforce & monitor Network Ops Team Security Ops Team

8 Problem statement: Dynamic networks change often; change is the challenge "! Risky error prone, disrupts existing services "! 62% firewall-rule change management processes put them at risk to be breached Dark Reading Feb 2013 "! 74% rule changes resulted in an outage or decreased network performance 2013 State of Network security May 2013 "! Expensive time consuming, inefficient, requires expert resources "! Through 2018, more than 95% of firewall breaches will be caused by firewall misconfigurations, not firewall flaws. Gartner Firewall Report Nov "! 95% of engineers have trouble with firewall audits because the manual processes are time consuming. TechTarget Networking July 2012

9 So Many Firewalls, So Many Changes, So Little Time "! Spike in number of security policy changes "! IT headcount not keeping pace "! Multiple products add to confusion "! Network SLAs impacted negatively "! Expensive and diminishes security effectiveness Firewall Change Needed Search For Devices Figure Out Impacted Devices Determine Correct Config Compare Change to Standards/ Compliance Request Change/ Implement Manually Reconfirm Correctness and Compliance Manual Network Provisioning Time Hours/Days LEGACY APPROACH TO FIREWALL POLICY CHANGE IMPLEMENTATION

10 ACL & FW policy management value Set department policy InfoSec Team "! Reduce time to audit "! Compliance reporting "! Visibility "! Improve efficiency "! Visibility, and agility "! ACL + FW Policy management Deploy & implement Communication Security and Device reporting Controller "! Reduced risk profile "! Change modeling Enforce & monitor Network Ops Team "! Single version of truth "! Tool set to manage and deploy change Security Ops Team

11 InfoBlox Security Device Controller Multi-Vendor Firewall Control

12 Five Pillars of Security Device Controller Automated Discovery Multi-vendor Provisioning Embedded Expertise Customized Alerting Powerful Search

13 Automated Discovery " NetMRI Discovery Engine "!Automatic scans "!Utilizes SNMP, SSH, CLI access "!Finds "!active network components "!subnets, VLAN s and more "!Maps the Topology "!Graphical Display "!Retrieves configurations

14 Automatic and complete network-wide discovery Powerful topology to visualize path

15 Embedded Expertise "! Knows how to build rules/acl s "! Predefined Best practices onboard "! Analyses the current state and recommends improvements "! Optimizes rulebase by eliminating "!unused rules "!duplicate rules "!hidden rules

16 Expertise: Issues Page Out of the box alerts: Address how to clean up the ACLs & Firewall rules of today The older the firewall/router the more the rules and objects are outdated, and inaccurate.

17 Powerful Search "!Network Automation: FindIT "! easy to use "! will find devices, subnets, ip addresses etc. " Config Management Search "! searches across all known device configs "! running, saved and archived configs "!Workbook "! search for rule list

18 Search Number of Rules on the device that match Hover over the object, shows the object values Devices and ACLs/Zones/ Policies Quick Summary of Access: "! Allowed "! Denied "! Partial Select a Device on the left, shows the rules that match on the right

19 Find traffic PATHS Infoblox Security Device Controller Whitelist Alerts: "! Use a Workbook to define a paths through the network "! Capturing how A routes to B Whitelist Alerts: Alert when mission critical services services are blocked or partially blocked

20 Customized Alerting "!Automatic alerts "! for device changes as well as unused, duplicate, overlapping and hidden rules "!Customizable "! tune it to fit your needs "! Syslog, and SNMP " Realtime "! picks up device changes as they happen

21 Unique to SDC: Real-Time notifications Custom and out of the box Alerts Notifications to follow the sun Notifications to APAC/EMEA/ NAM Integrate with other security products "! SNMP Trap to other monitoring tools "! Syslog to SIEM solutions (Arcsight/Q1Labs, etc) Subscriptions -> Notifications

22 Multi-Vendor Provisioning "!Cisco "! IOS = Routers, Switches, Nexus "! Firewall = ASA, PIX, FWSM "!Juniper "! Firewalls = Netscreen/ScreenOS, SRX/JunOS "! Routers = Flow Mode " Fortinet "! Firewalls = FortiGate

23 Router ACL & firewall coverage Layer 1 4 Layer % of Top 5 firewall vendors (Palo Alto Networks is not a top 5 vendor) 66% of Router/Switch Market NgFW/UTM "! Users "! Web filtering "! IDS/IPS "! Applications ACL/Firewall "! IP address "! Protocols & ports Cisco Juniper Fortinet CheckPoint PAN Supported Not Supported

24 SDC improves...

25 Improve agility, Reduce errors Infoblox Security Device Controller Send for approval 1 Network Ops Team Know the devices that need to be changed A SDC provides a map of the network 2 3 Generate configurations for the devices Check if rule violates, or matches security policies DMZ 4 Approve Change for Audit Internet B A needs to talk to B 5 Rollback change if there s a problem

26 Improve visibility, Reduce Risk Infoblox Security Device Controller To an alert Send SIEM, Network Monitoring 1 Security Ops Team Real-time notification if rule violates, or matches security policies A Secured networks & internal resources Analyze hundreds of thousands of this SCA-IAD-FWSM1/admin# sh access-list access-list mode auto-commit access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300 access-list inside; 1 elements access-list inside extended permit ip any any (hitcnt=0) access-list outside_acl; 4589 elements access-list outside_acl extended permit udp object-group network_devices object-group loghost object-group monitoring access-list outside_acl extended permit udp host host loghost eq tftp (hitcnt=4) access-list outside_acl extended permit udp host host loghost eq ntp (hitcnt=32213) access-list outside_acl extended permit udp host host loghost eq snmptrap (hitcnt=1173) access-list outside_acl extended permit udp host host loghost eq syslog (hitcnt=80943) access-list outside_acl extended permit udp host host loghost eq tftp (hitcnt=5) access-list outside_acl extended permit udp host host loghost eq ntp (hitcnt=31331) access-list outside_acl extended permit udp host host loghost eq snmptrap (hitcnt=1142) access-list outside_acl extended permit udp host host loghost eq syslog (hitcnt=48282) access-list outside_acl extended permit udp host host loghost eq tftp (hitcnt=14) access-list outside_acl extended permit udp host host loghost eq ntp (hitcnt=34980) access-list outside_acl extended permit udp host host loghost eq snmptrap (hitcnt=7793) access-list outside_acl extended permit udp host host loghost eq syslog (hitcnt=2830) access-list outside_acl extended permit udp host host loghost eq tftp (hitcnt=0) access-list outside_acl extended permit udp host host loghost eq ntp (hitcnt=0) access-list outside_acl extended permit udp host host loghost eq snmptrap (hitcnt=0) access-list outside_acl extended permit udp host host loghost eq syslog (hitcnt=0) access-list outside_acl extended permit udp host host loghost eq tftp (hitcnt=0) access-list outside_acl extended permit udp host host loghost eq ntp (hitcnt=0) 2 3 Send to other SIEM security tools Forensic and Historic reporting

27 Proof of agility and cost savings (# of minutes, for 7 firewalls on a path, manual vs SDC) Manual/Vendor Mgmt Search if rule is needed on path/ device Review for conflicts to device/security posture Build and create rule changes Provision/schedule the change

28 Remember the 4 steps of a Change Request 1 2 Search if a rule is needed - Path / Device Review for conflicts Device / Risk 4 Provision Schedule the change Build create rule changes 3

29 Security Operations Demo A Infoblox Security Device Controller To an alert Send SIEM, Network Monitoring Analyze hundreds of thousands of this SCA-IAD-FWSM1/admin# sh access-list access-list mode auto-commit access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval Security Ops Team Real-time notification if rule violates, or matches security policies Send to other SIEM security tools Forensic and Historic reporting access-list inside; 1 elements access-list inside extended permit ip any any (hitcnt=0) access-list outside_acl; 4589 elements access-list outside_acl extended permit udp object-group network_devices object-group loghost object-group monitoring access-list outside_acl extended permit udp host host loghost eq tftp (hitcnt=4) access-list outside_acl extended permit udp host host loghost eq ntp (hitcnt=32213) access-list outside_acl extended permit udp host host loghost eq snmptrap (hitcnt=1173) access-list outside_acl extended permit udp host host loghost eq syslog (hitcnt=80943) Secured networks & internal resources access-list outside_acl extended permit udp host host loghost eq tftp (hitcnt=5) access-list outside_acl extended permit udp host host loghost eq ntp (hitcnt=31331) access-list outside_acl extended permit udp host host loghost eq snmptrap (hitcnt=1142) access-list outside_acl extended permit udp host host loghost eq syslog (hitcnt=48282)

30 Network Operations Demo A Infoblox Security Device Controller Send for approval SDC provides a map of the network 1 2 Network Ops Team Know the devices that need to be changed Generate configurations for the devices DMZ Internet B A needs to talk to B Check if rule violates, or matches security policies Approve Change for Audit Rollback change if there s a problem

31 Security Operations: Reduce Risk Make sure you discuss how Security Device Controller: "! Cleans up the mess they have "! Keeps the rules clean "! Define the network security posture "! Real-time notifications of violations "! Remediation of problems "! Integration with SIEM and other monitoring tools