Security Policies Tekenen? Florian Buijs




Good Old Days: IP Address = User, Application = Port/Protocol
Today: IP Address ≠ User, Application ≠ Port/Protocol

What are ACLs? Firewall Rules?

Real World example: Marco B., to the golf course, in a Bugatti: YES!

Network example (ACL / Firewall Rule): Internal Network, to DNS server, using DNS: Allow

| Source address              | Destination address | Service    | Action |
|-----------------------------|---------------------|------------|--------|
| Internal network 1.2.3.0/24 | DNS server 5.6.7.8  | DNS UDP/53 | Allow  |

What is the difference between an ACL and a Firewall Rule?

| Source address              | Destination address | Service    | Action |
|-----------------------------|---------------------|------------|--------|
| Internal network 1.2.3.0/24 | DNS server 5.6.7.8  | DNS UDP/53 | Allow  |

Cisco router:

    access-list acl-inside-in extended permit udp 1.2.3.0 255.255.255.0 gt 1023 host 5.6.7.8 eq domain

Here's a Cisco Firewall rule, can you spot the differences?

Cisco ASA Firewall:

    access-list acl_inside extended permit tcp object-group Internal_Network object-group DNS_Server eq domain

What does a Next Generation Firewall rule look like? The same IP addresses and ports as before, but with some extras such as Users, Applications etc.

Internal Network, Marco B., to DNS server, using DNS, DNS port: Allow

| Source address              | User     | Destination address | Application | Service | Action |
|-----------------------------|----------|---------------------|-------------|---------|--------|
| Internal network 1.2.3.0/24 | Marco B. | DNS server 5.6.7.8  | DNS         | UDP/53  | Allow  |

3 Teams use ACL & firewall rules:
- InfoSec Team: Set department policy
- Network Ops Team: Deploy & implement
- Security Ops Team: Enforce & monitor
Communication and reporting flows between the three teams.

Problem statement: Dynamic networks change often; change is the challenge
- Risky: error prone, disrupts existing services
  - 62%: firewall-rule change management processes put them at risk of being breached (Dark Reading, Feb 2013)
  - 74% of rule changes resulted in an outage or decreased network performance (2013 State of Network Security, May 2013)
- Expensive: time consuming, inefficient, requires expert resources
  - "Through 2018, more than 95% of firewall breaches will be caused by firewall misconfigurations, not firewall flaws." (Gartner Firewall Report, Nov. 2012)
  - 95% of engineers have trouble with firewall audits because the manual processes are time consuming (TechTarget Networking, July 2012)

So Many Firewalls, So Many Changes, So Little Time
- Spike in number of security policy changes
- IT headcount not keeping pace
- Multiple products add to confusion
- Network SLAs impacted negatively
- Expensive and diminishes security effectiveness

Legacy approach to firewall policy change implementation (manual; network provisioning time: hours/days):
Firewall change needed, then:
1. Search for devices
2. Figure out impacted devices
3. Determine correct config
4. Compare change to standards/compliance
5. Request change / implement manually
6. Reconfirm correctness and compliance

ACL & FW policy management value
The Security Device Controller (ACL + FW policy management) sits between the three teams, with communication and reporting between them:
- InfoSec Team: Set department policy
- Network Ops Team: Deploy & implement
- Security Ops Team: Enforce & monitor
Value:
- Reduce time to audit
- Compliance reporting
- Visibility
- Improve efficiency
- Visibility, and agility
- Reduced risk profile
- Change modeling
- Single version of truth
- Tool set to manage and deploy change

Infoblox Security Device Controller: Multi-Vendor Firewall Control

Five Pillars of Security Device Controller:
- Automated Discovery
- Multi-vendor Provisioning
- Embedded Expertise
- Customized Alerting
- Powerful Search

Automated Discovery (NetMRI Discovery Engine)
- Automatic scans
- Utilizes SNMP, SSH, CLI access
- Finds active network components, subnets, VLANs and more
- Maps the topology (graphical display)
- Retrieves configurations

Automatic and complete network-wide discovery. Powerful topology view to visualize a path.

Embedded Expertise
- Knows how to build rules/ACLs
- Predefined best practices onboard
- Analyses the current state and recommends improvements
- Optimizes the rulebase by eliminating unused rules, duplicate rules and hidden rules

Expertise: Issues Page. Out-of-the-box alerts address how to clean up today's ACLs and firewall rules. The older the firewall/router, the more of its rules and objects are outdated and inaccurate.

Powerful Search
- Network Automation: FindIT
  - easy to use
  - finds devices, subnets, IP addresses etc.
- Config Management Search
  - searches across all known device configs
  - running, saved and archived configs
- Workbook
  - search for a rule list

Search
- Select a device on the left; the rules that match are shown on the right
- Number of rules on the device that match
- Hover over an object to show its values
- Devices and ACLs/Zones/Policies
- Quick summary of access: Allowed, Denied, Partial

Find traffic PATHS (Infoblox Security Device Controller)
- Use a Workbook to define paths through the network, capturing how A routes to B
- Whitelist Alerts: alert when mission-critical services are blocked or partially blocked

Customized Alerting
- Automatic alerts for device changes as well as unused, duplicate, overlapping and hidden rules
- Customizable: tune it to fit your needs; Syslog, Email and SNMP
- Real-time: picks up device changes as they happen

Unique to SDC: Real-Time notifications
- Custom and out-of-the-box alerts
- Notifications that follow the sun: notifications to APAC/EMEA/NAM
- Integrate with other security products: SNMP trap to other monitoring tools; Syslog to SIEM solutions (ArcSight/Q1Labs, etc.)
- Subscriptions -> Notifications

Multi-Vendor Provisioning
- Cisco: IOS (routers, switches, Nexus); firewalls (ASA, PIX, FWSM)
- Juniper: firewalls (NetScreen/ScreenOS, SRX/JunOS); routers (flow mode)
- Fortinet: firewalls (FortiGate)

Router ACL & firewall coverage
- ACL/Firewall (Layer 1-4): IP address; protocols & ports
- NGFW/UTM (Layer 5-7): users; web filtering; IDS/IPS; applications
- Vendors: Cisco, Juniper, Fortinet (supported); Check Point, PAN (not supported)
- 60% of top 5 firewall vendors (Palo Alto Networks is not a top 5 vendor)
- 66% of router/switch market

SDC improves...

Improve agility, reduce errors (Infoblox Security Device Controller, Network Ops Team)
Scenario: A needs to talk to B (diagram labels: DMZ, Internet)
1. Know the devices that need to be changed: SDC provides a map of the network
2. Generate configurations for the devices
3. Check if the rule violates, or matches, security policies
4. Send for approval; approve change for audit
5. Roll back the change if there's a problem

Improve visibility, reduce risk (Infoblox Security Device Controller, Security Ops Team)
Secured networks & internal resources
1. Analyze hundreds of thousands of this:

    SCA-IAD-FWSM1/admin# sh access-list
    access-list mode auto-commit
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
    access-list inside; 1 elements
    access-list inside extended permit ip any any (hitcnt=0)
    access-list outside_acl; 4589 elements
    access-list outside_acl extended permit udp object-group network_devices object-group loghost object-group monitoring
    access-list outside_acl extended permit udp host 160.33.128.4 host loghost eq tftp (hitcnt=4)
    access-list outside_acl extended permit udp host 160.33.128.4 host loghost eq ntp (hitcnt=32213)
    access-list outside_acl extended permit udp host 160.33.128.4 host loghost eq snmptrap (hitcnt=1173)
    access-list outside_acl extended permit udp host 160.33.128.4 host loghost eq syslog (hitcnt=80943)
    access-list outside_acl extended permit udp host 160.33.128.5 host loghost eq tftp (hitcnt=5)
    access-list outside_acl extended permit udp host 160.33.128.5 host loghost eq ntp (hitcnt=31331)
    access-list outside_acl extended permit udp host 160.33.128.5 host loghost eq snmptrap (hitcnt=1142)
    access-list outside_acl extended permit udp host 160.33.128.5 host loghost eq syslog (hitcnt=48282)
    access-list outside_acl extended permit udp host 160.33.128.6 host loghost eq tftp (hitcnt=14)
    access-list outside_acl extended permit udp host 160.33.128.6 host loghost eq ntp (hitcnt=34980)
    access-list outside_acl extended permit udp host 160.33.128.6 host loghost eq snmptrap (hitcnt=7793)
    access-list outside_acl extended permit udp host 160.33.128.6 host loghost eq syslog (hitcnt=2830)
    access-list outside_acl extended permit udp host 160.33.129.3 host loghost eq tftp (hitcnt=0)
    access-list outside_acl extended permit udp host 160.33.129.3 host loghost eq ntp (hitcnt=0)
    access-list outside_acl extended permit udp host 160.33.129.3 host loghost eq snmptrap (hitcnt=0)
    access-list outside_acl extended permit udp host 160.33.129.3 host loghost eq syslog (hitcnt=0)
    access-list outside_acl extended permit udp host 160.33.128.99 host loghost eq tftp (hitcnt=0)
    access-list outside_acl extended permit udp host 160.33.128.99 host loghost eq ntp (hitcnt=0)

2. Real-time notification if a rule violates, or matches, security policies; send to an alert, SIEM, network monitoring
3. Send to other SIEM security tools; forensic and historic reporting
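Added example, not from the deck or from Infoblox: a small Python analyser for ASA-style `sh access-list` output like the excerpt above, flagging the three rule classes the Embedded Expertise slide targets: unused (hitcnt 0), duplicate, and hidden (shadowed by an earlier entry that fully covers it, since the first match wins). Assumptions: the sample output is constructed, only `eq` port matches are modelled, and ASA `name` entries such as `loghost` are treated as opaque names.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample in the "sh access-list" format the slides show; not the deck's own dump.
SAMPLE = """\
access-list inside extended permit ip any any (hitcnt=0)
access-list outside_acl extended permit udp host 160.33.128.4 host loghost eq syslog (hitcnt=80943)
access-list outside_acl extended permit udp host 160.33.129.3 host loghost eq ntp (hitcnt=0)
access-list outside_acl extended permit udp host 160.33.129.3 host loghost eq ntp (hitcnt=0)
access-list outside_acl extended permit udp 160.33.128.0 255.255.255.0 host loghost eq syslog (hitcnt=12)
access-list outside_acl extended permit udp host 160.33.128.5 host loghost eq syslog (hitcnt=0)
"""
RULE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+?) \(hitcnt=(\d+)\)$")
Rule = namedtuple("Rule", "acl action proto src dst port hits text")

def endpoint(tok, i):  # one ACE endpoint -> (IPv4Network or name string, index of the next token)
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] in ("host", "object-group"):
        try:
            return ipaddress.ip_network(tok[i + 1]), i + 2
        except ValueError:  # ASA "name" entry such as loghost, or a group name
            return f"{tok[i]}:{tok[i + 1]}", i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse(output):  # ACE lines -> Rule records; header and object-group summary lines have no hitcnt, skipped
    rules = []
    for m in filter(None, map(RULE_RE.match, map(str.strip, output.splitlines()))):
        acl, action, proto, rest, hits = m.groups()
        tok = rest.split()
        src, i = endpoint(tok, 0)
        dst, i = endpoint(tok, i)
        port = tok[i + 1] if i < len(tok) and tok[i] == "eq" else None
        rules.append(Rule(acl, action, proto, src, dst, port, int(hits), m.group(0)))
    return rules

def covers(a, b):  # endpoint a matches every address that endpoint b matches
    return b.subnet_of(a) if all(isinstance(x, ipaddress.IPv4Network) for x in (a, b)) else a == b

def hides(earlier, later):  # first match wins: an earlier ACE that fully covers a later one hides it
    return (earlier.acl == later.acl and earlier.proto in ("ip", later.proto)
            and earlier.port in (None, later.port)
            and covers(earlier.src, later.src) and covers(earlier.dst, later.dst))

def analyse(rules):
    """Return (unused, duplicate, hidden) ACE texts: the three classes the deck's Embedded Expertise targets."""
    unused = [r.text for r in rules if r.hits == 0]
    seen, duplicate, hidden = set(), [], []
    for i, r in enumerate(rules):
        k = (r.acl, r.action, r.proto, str(r.src), str(r.dst), r.port)
        if k in seen:
            duplicate.append(r.text)
        elif any(hides(e, r) for e in rules[:i]):
            hidden.append(r.text)
        seen.add(k)
    return unused, duplicate, hidden
```

A hit count of zero only means no match since the counters were last cleared, so treat "unused" as a review candidate rather than a deletion list.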

Proof of agility and cost savings (# of minutes, for 7 firewalls on a path, manual vs SDC)
[Bar chart: y-axis minutes 0-25; series: Manual/Vendor Mgmt vs SDC; categories:]
- Search if rule is needed on path/device
- Review for conflicts to device/security posture
- Build and create rule changes
- Provision/schedule the change

Remember the 4 steps of a Change Request
1. Search if a rule is needed (path / device)
2. Review for conflicts (device / risk)
3. Build / create rule changes
4. Provision / schedule the change

Security Operations Demo (Infoblox Security Device Controller, Security Ops Team): secured networks & internal resources
1. Analyze hundreds of thousands of ACL entries (the sh access-list output shown above)
2. Real-time notification if a rule violates, or matches, security policies; send to an alert, SIEM, network monitoring
3. Send to other SIEM security tools; forensic and historic reporting

Network Operations Demo (Infoblox Security Device Controller, Network Ops Team): A needs to talk to B (diagram labels: DMZ, Internet)
1. Know the devices that need to be changed: SDC provides a map of the network
2. Generate configurations for the devices
3. Check if the rule violates, or matches, security policies
4. Send for approval; approve change for audit
5. Roll back the change if there's a problem

Security Operations: Reduce Risk
Make sure you discuss how Security Device Controller:
- Cleans up the mess they have
- Keeps the rules clean
- Defines the network security posture
- Gives real-time notifications of violations
- Remediates problems
- Integrates with SIEM and other monitoring tools