Security - Packet Pushers Future of Networking Summit - Interop Las Vegas 2016

EtherealMind

May 02, 2016
Transcript

  1. Agenda (© 2015 Packet Pushers Interactive LLC)
     1. Stop Being Negative
     2. Defining Network Security
  2. Security is about ONE THING
     • What events will destroy the business?
     • What events will stop revenue?
     • What events will slow revenue?
     • revenue => production, sales, shipping or whatever your core business is.
     Continuity
  3. Too Much Security
     • Too much security prevents profit
     • No profit, nothing to secure
     Source: State of the Market: Internet of Things 2016 - Verizon
  4. Technology
     • Killed = media strategy
     • Penetrated = detection, reaction
     • Hit = app security, scans, hunters
     • Acquired = policy, expose the minimum
     • Do not be seen = LOL
  5. Don’t Use FUD
     Don't say (Negative)              Better Attitude (Positive)
     I’m protecting you                Being Safe and Worry-free
     Be afraid of scary hackers        Avoid lost time, wasted effort
     Prevent business (superiority)    Minimum interference
     Protect                           Avoiding business interruption
     IT security is “critical”         One of many business threats
  6. Security Policy
     • What can be implemented?
     • Identify events then specify mitigations
     • Keep it simple
       • then a manager can understand
     • “lock the door to the house, don’t build a fortress”
  7. Have a Media Strategy
     • Assume you will be breached
     • SINGLE MOST IMPORTANT SECURITY STRATEGY
     • A great media plan will handle the breach as free marketing
     • Target, Homeland,
     • Ashley Madison
     • Heartland Payment Systems
       • did anyone go out of business? Or did business get better….
  8. Media Plan
     • Most breaches are found by external parties
     • The first 12 hours of handling are critical
     • Plan
       • Who has to know? Escalation path
       • What will they say? (it doesn’t matter who)
       • have scripts ready to go
     • Verification
       • Have forensic tools
  9. NO PENALTY
     • There is no real penalty in being breached
     • Set your price on security accordingly
     • Heartland Payment Systems, Target,
  10. Virtual Appliances
     • Physical Appliances are an operational nightmare
       • too many services on a single box creates huge problems
       • because of poor device control, every change can impact every other service
     • Reduce services per instance
  11. Virtual Appliances - 1
     • At the WAN Head End have multiple Internet providers.
       • Or Private WAN
     • Have 2 routers per provider
     • Add more x86 as needed
     [Diagram, © Greg Ferro 2016: Internet, several ISPs, vRtr instances hosted on SVR1 and SVR2, iBGP]
  12. Deploying Virtual
     [Diagram, © Greg Ferro 2016: rows of vLB, FW and SVR instances]
     • Because giving up on Active Standby is hard for most people
  13. Virtual Appliances - Firewalls
     • Useful for control when servers aren’t protected
     • Bad for networking because they break paths and protocols
       • e.g. routing/redundancy
       • e.g. ICMP Echo, Path Asymmetry
     • Protocol Inspection is pointless
       • it’s all DNS, HTTP/S, SMTP these days.
       • more on this later
  14. Virtual Appliances - ADC/LoadBal/WAF
     • lot of people doing this already
     Source: The Expanding Role and Importance of Application Delivery Controllers (ADCs) - By Radware/ESG - Feb 2015
  15. Load Bal as security tool
     • Why is a load balancer being used as a security tool?
     Source: The Expanding Role and Importance of Application Delivery Controllers (ADCs) - By Radware/ESG - Feb 2015
  16. Priority Features
     • Availability / Outage
       • DDOS
       • Successful Change
     • Prevent Data Theft
       • Breach
       • Exfiltration
     • Defacement
       • reaction/shutdown
  17. Last Generation of Security
     • Firewalls
     • IPS/IDS
     • Change control
     • Written policy
  18. Next Generation of Security
     • Network Micro-Segmentation
     • Data-centric Application Inspection / Awareness
     • Lateral Detection and Prevention
     • Analytics / Big Data (measurable policy)
     Let’s look at each of these
  19. Network Micro-Segmentation - 1
     • Goal: Increase “Need to Know”
     • Trust should be reduced to smallest possible area
     [Diagram “Enterprise Security Zones”, © Greg Ferro 2014 EtherealMind.com: internet, wan, b2b, dmz (firewalls, ids, proxy, mail gwys), production, non-prod, dev/test; zones labelled trusted / untrusted / safe]
  20. Network Micro-Segmentation - 2
     • VLANs are network segmentation
     • MPLS is network segmentation
     • ACLs are network segmentation
     • Segmentation isn’t new, OK.
       • has been an operational disaster
     • VLANs & MPLS are network centric not application centric
  21. Network Micro-Segmentation - 3
     • Need Segmentation that servers can use.
     • Goal: Application security not VLAN/VRF security
     • SDN created orchestration between OS/VM/Container/Network
     • Overlays are practical because of SDN
       • Not just one but MANY overlays
  22. Application Inspection / Awareness
     • How do you classify applications/host/traffic into security zones?
     • You do it at the network edge:
       • Virtual Switch with Meta Data (aka NSX)
         • extract context from cloud/virtualization platform
         • e.g. security context by hostname - secure because of meta data
       • Appliance with Deep Inspection & Analytics engines
         • analytics engines enforcing policy
         • also extracting context where possible
  23. Application Inspection / Awareness
     • How do you classify applications/host/traffic into security zones?
     • You do it at the network edge:
       • SD-WAN Appliances
         • edge classification (emerging)
       • VPN/Remote Access
         • based on network analytics + multi-factor authentication
       • Modern NAC e.g. Aruba ClearPass
  24. Lateral Detection and Prevention
     • Primary security outcome of micro-segmentation
     • remove negative security interventions
       • proxies, firewalls,
       • improve operation
     • Prevent lateral movement
       • reduce risk or loss
  25. Analytics / Big Data
     • network devices are data collection units
     • collect data for analytics platform
     • deep learning / machine learning to extract information
     • Kentik, Deepfield,
     [Diagram “Analytics & Telemetry”, © Greg Ferro 2015: on-premises collection agents gather Syslog, Flow Data, Windows, Packet Capture, FWL Logs and IPS Logs (local telemetry); off-premises Cloud Storage, Ingestion, Heuristics and Machine Learning (cloud-based analysis) feed a Web Interface, Static Reports and Notifications/Alerts]
  26. Forensic Tools
     • Once you have been breached, the media strategy requires that you can back up your claims
     • Have forensic tools for playback
       • Packet capture e.g. Endace.
       • Log
  27. Newsletters / Deep Dive Podcasts / Latest News
     Deep Dive Podcasts: http://packetpushers.net/podcasts/
     Latest News: http://packetpushers.net/the-network-break/
     Newsletters: http://packetpushers.net/free-newsletter-magazine-subscriptions/