Modern Network Security NSE1 Study Guide eBook
January 23, 2017 | Author: heferson | Category: N/A
Modern Network Security: Study Guide for NSE 1
January 1, 2015
This Study Guide is designed to provide information for the Fortinet Network Security Expert Program – Level 1 curriculum. Each chapter in the study guide corresponds to a module in the NSE Level 1 curriculum and examinations. The study guide presents discussions on the concepts and equipment necessary as a foundational understanding of modern network security prior to taking the more advanced and focused NSE program levels.
Fortinet Network Security Solutions
Contents

Introduction ..... 8
  Infrastructure Evolution ..... 9
  Threat Landscape ..... 10
    Threat Timeline ..... 11
    Advanced Threats ..... 11
  Advanced Threats and Network Security: Continuing Evolution ..... 12
Module 1: Data Center Firewalls ..... 13
  Data Center Evolution ..... 13
  Market Trends Affecting Data Centers ..... 13
    Infrastructure Integration ..... 14
    Edge vs. Core Data Center Firewalls ..... 14
  Data Center Firewall Characteristics ..... 16
    Virtual Firewalls ..... 19
  Data Center Network Services ..... 21
    Application Systems ..... 21
    Application Services ..... 22
  Summary ..... 24
Module 2: Next Generation Firewall (NGFW) ..... 25
  Technology Trends ..... 25
  NGFW Characteristics: Fundamental Changes ..... 26
    NGFW Evolution ..... 27
  Traditional NGFW Capabilities ..... 28
    NGFW Functions ..... 32
  Extended NGFW Capabilities ..... 33
    Sandboxes and APT ..... 36
    Advanced Persistent Threats (APT) ..... 37
  Advanced Threat Protection (ATP) ..... 38
  NGFW Deployment ..... 38
    Edge vs. Core ..... 38
    NGFW vs. Extended NGFW ..... 39
  Summary ..... 40
Module 3: Unified Threat Management (UTM) ..... 41
    The Key to UTM: Consolidation ..... 41
  UTM Features ..... 41
    UTM Distributed Enterprise Advanced Features ..... 43
  Extended UTM Features ..... 44
    Evolving UTM Features ..... 45
  UTM Functions ..... 47
  Where UTM Fits In… ..... 48
    UTM: Scalable Deployment ..... 49
  Summary ..... 50
Module 4: Application Security ..... 51
  Application Challenges to Meeting User Needs ..... 51
    Application Layers: The OSI Model ..... 52
  Application Vulnerabilities ..... 53
    OWASP ..... 53
  Distributed Denial of Service (DDoS) ..... 55
  Application Security Solutions ..... 58
    Application Delivery Controllers (ADC) ..... 58
    Application Delivery Network (ADN) ..... 59
  ADC: Solutions and Benefits Part I ..... 60
  Web Application Firewall (WAF) Characteristics ..... 61
    Heuristics ..... 62
    WAFs and PCI DSS Compliance ..... 63
  ADC: Solutions and Benefits Part II ..... 64
  Summary ..... 66
Module 5: Management and Analytics ..... 67
  Security Management ..... 67
    Managing the Security Console ..... 69
  Policy and Security ..... 70
  Analytics ..... 73
    Security Information and Event Management ..... 73
    Network Visibility ..... 74
  Summary ..... 76
Key Acronyms ..... 77
References ..... 79

Figures

Figure 1. From closed networks to Global Information Grid ..... 9
Figure 2. The scope of modern global network users. ..... 9
Figure 3. Fortinet UTM versus traditional ad hoc model. ..... 10
Figure 4. Chronology of major network attacks since October 2013. ..... 11
Figure 5. Advanced Threat Protection (ATP). ..... 11
Figure 6. Notional edge firewall configuration. ..... 15
Figure 7. Notional data center firewall deployment. ..... 15
Figure 8. Data center firewall adaptability to evolving capabilities. ..... 16
Figure 9. Data center in a distributed enterprise network. ..... 17
Figure 10. Data center core firewall. ..... 19
Figure 11. North-South (Physical) vs. East-West (Virtual) traffic. ..... 20
Figure 12. Notional network. ..... 22
Figure 13. Differences between IaaS, PaaS, and SaaS. ..... 23
Figure 14. Examples of businesses using IaaS, PaaS, and SaaS cloud models. ..... 24
Figure 15. Bring Your Own Device (BYOD) practices in 2011. ..... 26
Figure 16. Edge firewall vs. NGFW traffic visibility. ..... 26
Figure 17. Traditional port configuration example. ..... 27
Figure 18. NGFW configuration example by application, user ID. ..... 27
Figure 19. NGFW evolution timeline. ..... 28
Figure 20. Intrusion Prevention System (IPS). ..... 28
Figure 21. Deep Packet Inspection (DPI). ..... 29
Figure 22. Network application identification and control. ..... 29
Figure 23. Access enforcement (User identity). ..... 30
Figure 24. NGFW distributed enterprise-level capability. ..... 30
Figure 25. Extra-firewall intelligence IP list assignment. ..... 31
Figure 26. Notional network with managed security (MSSP). ..... 31
Figure 27. Application awareness: The NGFW application monitoring feature. ..... 32
Figure 28. Extending FortiGate NGFW with Advanced Threat Protection (ATP). ..... 33
Figure 29. Authentication functions integrated into NGFW. ..... 34
Figure 30. Web filtering profile control. ..... 35
Figure 31. FortiGate antivirus/malware. ..... 35
Figure 32. FortiGuard Anti-botnet protection. ..... 36
Figure 33. FortiGate Web filtering capability. ..... 36
Figure 34. Sandbox deployed with NGFW Solution. ..... 37
Figure 35. The NGFW three-step approach to APT. ..... 37
Figure 36. Fortinet Advanced Threat Protection (ATP) model. ..... 38
Figure 37. NGFW deployment to edge network. ..... 39
Figure 38. Current NGFW vs. Extended NGFW capabilities. ..... 39
Figure 39. Legacy network security add-ons vs. UTM architecture. ..... 41
Figure 40. Unified Threat Management (UTM). ..... 42
Figure 41. LAN control. ..... 45
Figure 42. Typical Power over Ethernet (POE) cable configuration. ..... 46
Figure 43. UTM scalability. ..... 48
Figure 44. Fortinet’s concept of “Connected UTM.” ..... 50
Figure 45. DDoS architecture. ..... 56
Figure 46. SYN Flood DDoS attack. ..... 56
Figure 47. ICMP Flood DDoS attack. ..... 57
Figure 48. Zombie DDoS attack. ..... 57
Figure 49. Application Delivery Controller (ADC). ..... 58
Figure 50. Typical Application Delivery Network (ADN) infrastructure. ..... 59
Figure 51. Intelligent Load Balancing. ..... 60
Figure 52. SSL offloading and HTTP compression. ..... 61
Figure 53. Web Application Firewall (WAF). ..... 62
Figure 54. Global Server Load Balancing (GSLB). ..... 64
Figure 55. Server ID masking with ADC. ..... 65
Figure 56. Security Management (SM) conceptual diagram. ..... 68
Figure 57. Integrated security control console. ..... 70
Figure 58. Policy Package example. ..... 71
Figure 59. Global Policy “Bookend” flow. ..... 71
Figure 60. Network visibility benefits. ..... 75

Tables

Table 1. Comparative security features of edge firewalls vs. NGFW. ..... 27
Table 2. Comparison between flow-based and proxy-based inspections. ..... 40
Table 3. Comparative models for layers, protocols, and devices. ..... 51
Table 4. Translation of ISO/OSI layers to TCP/IP model. ..... 52
Table 5. Function of network layers in OSI model. ..... 52
Table 6. OWASP top 10 2010 vs. 2013 comparison. ..... 54
Table 7. Web Application Firewall (WAF) application-level security measures. ..... 62
Table 8. Payment Card Industry Data Security Standards (PCI DSS). ..... 63
Introduction

Welcome to the fascinating world of network security… …or, on second thought, should we be letting you in?

That is the question around which this primer was written—helping you learn the background, processes, capabilities, and questions to consider when configuring your systems and networks to analyze, identify, and either allow or block traffic entering or leaving your computer network in the dynamic 21st Century information technology environment. In other words—modern network security. Modern network security comprises many facets, some of which are in your control, others of which may not be. In an increasingly mobile world, traditional network security measures focused on desktop platforms and “dumbphones” are no longer relevant to the world of tablets, phablets, and smartphones. Because of the constantly changing landscape of network environments, organizations of all sizes and complexities face challenges in keeping pace with change, developing counters to emerging threats, and controlling network and security policies. Once the realm of the highly trained and richly resourced, development of malicious code has become so widespread that school children have been known to compete with each other in hacking contests. To meet modern and emerging threats, companies and organizations must adopt dynamic network security programs that keep pace with changing trends and activities.

Back to the opening question: Should we be letting you in? People—or the man-machine interface—are the weakest link in any security process. People are easily lulled into a false sense of security about the effectiveness of passwords and access codes, identity verification, and policies regarding the use of information technology (IT) systems and networks. It takes just one careless moment to potentially breach the integrity of protected information and systems—and if network security user policies and protocols are too complicated, compliance is less likely.

Because of this human factor it is important to ensure that network security schemes are clear and simple for network administrators and users to operate, with the complexity necessary to identify, deter, or contain threats embedded in state-of-the-art hardware and software solutions that are nearly transparent to internal network users. But a note of caution—just as no two organizations are alike, neither will their networks, hardware, software, or needs be alike. Each organization needs a customized strategic network security program tailored to balance its needs against its operating environment, perceived threats, and operating budget. Of course, the best network security program would be an end-to-end, 24/7 monitored program with regular analytics informing plan effectiveness and potential enhancements—this would be the holy grail of network security. Systems like Fortinet’s Unified Threat Management (UTM) provide the ability to balance needs, capabilities, and resources to secure networks while maintaining the ability of the organization to operate. In essence, this book will help you learn how to take steps to best mitigate the threats to your network and optimize network security while balancing those factors.
Infrastructure Evolution

In a world growing ever more complex, with network portability being built into an increasing number of devices of varying capabilities, network security continues to evolve in complexity—and importance. In the 1980s a transition from early closed networks to a broader Internet occurred, with the advent of Ethernet, Bitnet, TCP/IP, SMTP, DNS, and in 1985—the first .com domain name registration. It was not until six years later, in 1991, that the World Wide Web (WWW) came into existence; by 1995, what we now know as the modern Internet became established as a fixture in how business—and the world—would communicate in the future (Figure 1).

Figure 1. From closed networks to Global Information Grid

No longer was high-tech the sole domain of major companies, organizations, and government agencies; the global information network became the domain of everyone from multi-billion dollar international conglomerates to grade school children (Figure 2). As technologies developed, the industry response was typically the addition of new stand-alone, single- or dual-purpose hardware or integrated hardware-software packages designed to address newly identified threats. This resulted in a constant state of expensive upgrades that added network complexity: integration of new devices, scrubbing and repurposing or disposing of legacy hardware, new policy development, and new management consoles. This served to increase workload, retraining, and complexity for network administrators and end users, exacerbating the balancing problem between security and productivity.
Figure 2. The scope of modern global network users.

Because new products were not always able to integrate fully into existing systems, the piecemeal approach to network development and security led to potential blind spots that threats may exploit undetected. In order to solve this growing challenge, a move toward more strategic solutions to network security was needed—not new stand-alone systems addressing individual threat vectors; rather, strategic systems and processes designed to protect networks comprised of systems-of-systems. From this problem developed the Unified Threat Management (UTM) concept, which goes beyond a system-of-systems approach to integrate individual system characteristics into strategic systems (Figure 3) [1].
Figure 3. Fortinet UTM versus traditional ad hoc model.
Threat Landscape

One may view the threat landscape much the same as law enforcement views threats, using three primary characteristics—motive, means, and opportunity. In terms of technology threats, these terms are translated into motivation (motive), knowledge (means), and access (opportunity). Motivation may be as simple as a student trying to get into protected information or as malicious as a competitor trying to delay or disable a company’s ability to reach the market. Knowledge of networks—and hacking—is widespread, with books and guides available globally through the Internet and often at little or no cost. As for access, this is the area where the effectiveness of your network security will pay off—identifying potential threats, analyzing them, and either determining their validity or cataloging and rejecting them as a threat.

Contemporary and future threat landscapes are dynamic and often include unforeseen technological advances. Devices and applications are under development and appear on the market more rapidly—and with those new technologies come new threats. Not only companies and organizations, but also individual users of less expensive technology such as smartphones, tablets, and laptop computers, who are novices where information security is concerned, must deal with optimizing their devices and applications while blocking potential threats. With the explosion of social media as the primary source of connectivity for so many people internationally, addressing the hidden threats from social media sites is a continuing challenge…and more cross-platform sharing and integration will continue to make device and network security an evolving challenge at all levels.
Threat Timeline

Since the last quarter of 2013, major network attacks have affected large companies and billions of consumers. These attacks not only affected business systems, but also had the ability to infect personal systems and mobile devices, as in the Heartbleed and Find My iPhone attacks. Figure 4 below chronicles these threats and the targets affected by them.

Figure 4. Chronology of major network attacks since October 2013.

Advanced Threats

Experienced hackers or groups of hackers possessing significant resources pose an increased threat to systems and networks, including developing and implementing techniques not previously used to compromise, gain control of, or shut down service. Advanced Threat Protection—also referred to as Advanced Persistent Threat Protection—provides integrated measures to detect and block advanced threats. These measures include botnet and phishing antivirus profiling, as well as zero-day threat protection using sandboxing to analyze, identify, and block suspicious code and add the suspicious code’s profile to the ATP signature database.
Figure 5. Advanced Threat Protection (ATP).
Advanced Threats and Network Security: Continuing Evolution

The early days of personal computer availability to consumers and the advent of the Internet and World Wide Web are behind us. These events were followed by parallel development of more powerful hardware appliances and more complex applications for those machines. Unfortunately, with those developments also came a thriving developmental path for malware and other methods by which to breach system and network security to obtain data from or deny use of targeted platforms. This Modern Network Security Primer presents current and future appliances, applications, and concepts to provide the options to keep pace with emerging capabilities and threats—and maintain the safety and security of your system and network.
Module 1: Data Center Firewalls

Data centers have become abundant in the increasingly technology-based business environment of the 21st Century. Because of this growth, data centers have become a new field in which trends in computing and networking drive revisions to IT infrastructure strategies and, along with new strategies, new methods to bolster network security. Presented in this module are the characteristics and functions of data center firewalls as they apply to networks and applications.

Data Center Evolution

A common notion in today’s business environment is that “No matter what business you are in, you are a technology business.” In the 21st Century, this is not only true of large businesses, but also applies to successful small and medium businesses (SMB). Modern data centers typically contain servers with a variety of purposes, including web, application, and database servers. Along with the growing use of technology came a need not only to develop more specialized applications but also to develop innovative ways to store ever-increasing volumes of digital data. This growing storage requirement spurred a new sector in technology operations—the Data Center. As new technologies for end users of computing platforms evolve, so must security measures for the data centers they will access for operations such as email, social media, banking, shopping, education, and myriad other purposes. Developing strategies to keep pace with the accelerating integrated and distributed nature of technology has become a critical industry in protecting personal, business, and organizational data and communications from legacy, advanced, and emerging threats.
Market Trends Affecting Data Centers

As mentioned previously, consumer trends influenced data center development; however, the business sector was also instrumental in spurring on this development. As technology evolved, businesses learned to step to the leading edge of innovation in order to get ahead—or stay ahead—of competing enterprises. To this end, changes in business practices that influenced data center development included:

Virtualization. Creating a virtual version of a device or resource, such as a server, storage device, network or even an operating system, where the framework divides the resource into one or more execution environments.

Cloud Computing. Computing in which large groups of remote servers are networked to allow centralized data storage and online access to computer services or resources. Clouds can be classified as public, private or hybrid.

Software-Defined Networks (SDN). An approach to networking in which control is decoupled from hardware and given to a software application called a controller. SDN is dynamic, manageable, cost-effective, and adaptable, making it ideal for the high-bandwidth, dynamic nature of today's applications.
BYOD. Bring Your Own Device refers to employees bringing their own personal devices to work, whether laptop, smartphone, or tablet, in order to connect to the corporate network. According to a Unisys study conducted by IDC in 2011, nearly 41% of the devices used to access corporate data were owned by the employee.

Big Data. A massive volume of both structured and unstructured data that is so large it is difficult to process using traditional databases and software techniques. In many enterprise scenarios, the data is too big, moves too fast, or exceeds current processing capacity.

The Internet of Things (IoT). The once-futuristic concept that everyday objects have the ability to connect to the Internet and identify themselves to other devices. IoT is significant because an object that can represent itself digitally becomes something greater than the object by itself. When many objects act in unison, they are said to have "ambient intelligence."

Infrastructure Integration
Meeting the challenge of data center growth while maintaining throughput requires technology integration, to reduce the signal loss and speed reduction caused by bridging between, and security barriers between, ad hoc arrangements of independent appliances. There are two camps on what should be at the heart of a modern firewall. On one side are vendors who want to use an off-the-shelf (OTS), general-purpose central processing unit (CPU) design. This is the simplest design but suffers from performance degradation when compared with hardware-assisted designs. On the other side are those advocating hybrid designs that merge CPUs with application-specific integrated circuits (ASICs), which are more efficient and may provide the infrastructure needed to meet the demand for throughput, growth, and security. Two types of hybrid design are prevalent:

CPU + OTS ASIC. A design in which a general-purpose CPU is augmented by an off-the-shelf (OTS) processor.

CPU + Custom ASIC. The most difficult design to build, but the best performing, bringing together a general-purpose CPU linked closely to a number of custom-built ASICs. By matching ASICs designed to handle the specific tasks for which the processor and device are intended, processing capability is enhanced and system performance is optimized.

Edge vs. Core Data Center Firewalls
Edge Firewall. Implemented at the edge of a network to protect it against attacks from external traffic, the edge firewall is the best understood, or traditional, role of a firewall: the gatekeeper. In addition to gatekeeper duties, the edge firewall may have capabilities added as other security appliances are linked to it. This method, however, leads to a complex architecture that results in complex network, and security, controls. A typical edge firewall is depicted in Figure 6.
Figure 6. Notional edge firewall configuration. Data Center Firewall. In addition to being a gatekeeper, data center firewalls serve a number of functions. Depending on network size and configuration, the data center firewall may also provide additional security functions, such as segregating internal resources from access by malicious insiders, and ensuring compliance with regulations protecting consumer, patient, and other sensitive user data. These functions are referred to as Multi-Layered Security, and may include:
IP Security (IPsec)
Firewall
Intrusion Detection System/Intrusion Prevention System (IDS/IPS)
Antivirus/Antispyware
Web Filtering
Antispam
Traffic Shaping [2]
These functions work together, providing integrated security for the data center, concurrently providing consolidated, clear control for administrators while presenting complex barriers to potential threats. Figure 7 shows a notional data center firewall deployment, providing gatekeeper duty, integrated security solutions (as depicted in Figure 6, above), with simplified control and complex protection.
Figure 7. Notional data center firewall deployment.
Data Center Firewall Characteristics
As end user devices and activities evolve, data centers must evolve to ensure that both service and security keep pace. Market trends affecting data centers include increasing use of mobile devices, employee device portability (BYOD), data center consolidation through server virtualization, cloud computing, and software-defined networking. The key benefit of a high-speed, high-throughput, low-latency firewall at the data center network core is the ability to evolve as technology develops:

Throughput requirements have the potential to double every 18 months.
High-speed 40/100 GbE ports are already going into existing systems.
External users are moving from Internet Protocol version 4 (IPv4) to IPv6.

Figure 8 illustrates how the data center firewall adapts to evolving technology and user trends.
Figure 8. Data center firewall adaptability to evolving capabilities.
Size Matters. Historically, a determining factor in firewall selection was the number of users, both internal and external, accessing the network or its components. Using data center firewalls in small and medium businesses (SMB) makes sense, because modern data center firewall systems provide higher throughput, higher connectivity (port capacity), and a higher capacity for concurrent sessions. As an organization grows and network access expands to multiple locations and thousands of users, an enterprise campus firewall may become a necessary investment. While enterprise firewalls can handle thousands of users and multiple locations, the trade-off is the need for redundancy to ensure reliability, resulting in significantly higher cost and equipment complexity, and the need for extensive training if an organization intends to self-manage the firewall. Because of these complexities, enterprise data centers may reside on-premises at a company site, in a dedicated co-location space in a provider's data center facility, or as an outsourced service in a multi-tenant provider cloud environment.
Figure 9. Data center in a distributed enterprise network.
Because of the increasing size and complexity of data center operations and the needs of external users, as well as the increased costs of enterprise firewall equipment and training, companies may decide to outsource data center security operations to a third party, a Managed Security Service Provider (MSSP). A growing market with evolving technologies, MSSPs provide a wide range of network security services, from one-time services such as configuring routers to ongoing services such as network monitoring, upgrades, and configuration management. This gives small and medium businesses (SMB) enhanced capabilities without increasing technical staff, while giving large and high-visibility businesses supplemental protection beyond their own staff.

When deciding whether to engage an MSSP for network security operations, a number of considerations apply:

Alignment. The MSSP should align with your business and security philosophy. Will they sign a non-disclosure agreement, so that details about your company's security stay confidential?

Availability. The MSSP needs to be highly available to you, especially if you run 24/7 operations and reach a global audience (and who on the Internet doesn't these days?). It is worth visiting their facility to see their operations and talk with staff.

Sustainability. What are their redundancy capabilities in case of primary system failure or disaster, and what is the likelihood that they will go out of business (the market is still maturing and the failure rate is high)?

Serviceability. Identify clearly the level of service you can expect, and demand a strong service level agreement (SLA) spelling out all roles and responsibilities for both parties.

These requirements are foundational to success in using an MSSP to manage data center security.
As cloud services and software-defined networks (SDNs) became prevalent, network virtualization platforms such as VMware NSX and Cisco ACI, along with network functions virtualization (NFV), began to take the place of physical devices, delivering appliances such as firewalls, load balancers, and switches as scalable virtual appliances running on shared physical hosts. The emergence of OpenFlow from behind research lab walls into mainstream management of cellular, telco, and data center operations has brought major network operators and manufacturers on board in making OpenFlow the standard protocol for communication between controllers and network switches in an SDN (virtual) environment. The OpenFlow protocol separates the network control plane from the data (forwarding) plane so that traffic flows can be programmed dynamically and automatically: the controller installs match/action entries in the switch's flow table, and packets that match no entry are sent to the controller for a decision.

As virtualization and SDN deployment expanded, the practice became available to private individuals and organizations outside the traditional circle of those with large amounts of capital and resources. With broad availability of open-source software enabling low-cost network development, cloud computing has reached into the realm of private and personal clouds. One popular open-source platform for cloud computing is OpenStack, which provides the capability to build and manage private and public clouds, with compatibility for popular enterprise and open-source technologies for controlling large pools of data center compute, storage, and networking resources.

By designing and implementing network infrastructures that combine high throughput with a dynamic software-defined network (SDN), the data center firewall gains the capability to evolve with consumer and industry trends. To accomplish this, data center firewalls must focus on three primary areas as foundations for security: performance, segmentation, and simplification.

Performance. As network speeds continue to accelerate, the data center will be at the forefront of network design enabling higher performance through high-speed, high-capacity, low-latency firewalls. Currently, the minimum required throughput of a data center firewall is 10 Gbps, with large data center users expecting throughput to increase to an aggregate of 100+ Gbps.
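The control-plane/data-plane split described above, as an added example that is not part of this study guide and is not code from the OpenFlow specification, the Open Networking Foundation, OpenStack, or Fortinet: a Python model of a switch flow table with prioritized match/action entries and a table-miss entry that hands unknown flows to a controller. The controller applies a policy and installs an entry, so later packets of the same flow are handled in the data plane without consulting the controller again. The match field names follow OpenFlow naming; the addresses, ports, and policy are assumptions made for the example.

```python
"""OpenFlow-style separation of control plane and data plane, in miniature.

Added example for this study guide; it is not Fortinet, Open Networking
Foundation, or OpenStack code and speaks no real OpenFlow wire protocol.
Match field names (in_port, eth_type, ip_proto, ipv4_src, ipv4_dst, tcp_dst)
follow OpenFlow naming; the policy, addresses, and packets are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Packet = Dict[str, object]  # header fields of one packet
Match = Dict[str, object]   # subset of header fields; an absent field is a wildcard


@dataclass
class FlowEntry:
    priority: int
    match: Match
    actions: List[str]  # e.g. ["output:2"], ["drop"], ["controller"]
    packets: int = 0    # per-entry counter, as OpenFlow flow statistics provide


class FlowTable:
    """Data plane: the switch matches packets against installed entries, highest priority first."""

    def __init__(self) -> None:
        self.entries: List[FlowEntry] = []

    def add(self, entry: FlowEntry) -> None:
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.priority, reverse=True)

    @staticmethod
    def _matches(match: Match, pkt: Packet) -> bool:
        return all(pkt.get(field) == value for field, value in match.items())

    def lookup(self, pkt: Packet) -> Optional[FlowEntry]:
        for entry in self.entries:
            if self._matches(entry.match, pkt):
                return entry
        return None


class Controller:
    """Control plane: holds the policy, decides on table-miss, installs the resulting entry."""

    def __init__(self, allowed: List[Tuple[str, str, int]]) -> None:
        self.allowed = set(allowed)  # (ipv4_src, ipv4_dst, tcp_dst) tuples permitted by policy
        self.packet_ins = 0          # how often the switch had to ask

    def packet_in(self, table: FlowTable, pkt: Packet) -> FlowEntry:
        self.packet_ins += 1
        key = (pkt.get("ipv4_src"), pkt.get("ipv4_dst"), pkt.get("tcp_dst"))
        match: Match = {"eth_type": 0x0800, "ip_proto": 6,
                        "ipv4_src": key[0], "ipv4_dst": key[1], "tcp_dst": key[2]}
        actions = ["output:2"] if key in self.allowed else ["drop"]
        # A drop entry is installed as well, so a denied flow stops being punted to the controller.
        entry = FlowEntry(priority=100, match=match, actions=actions)
        table.add(entry)
        return entry


def forward(table: FlowTable, controller: Controller, pkt: Packet) -> List[str]:
    """Switch pipeline for one packet: table lookup, with table-miss handled by the controller."""
    entry = table.lookup(pkt)
    if entry is None or entry.actions == ["controller"]:
        entry = controller.packet_in(table, pkt)
    entry.packets += 1
    return entry.actions


def tcp_packet(src: str, dst: str, dport: int) -> Packet:
    return {"in_port": 1, "eth_type": 0x0800, "ip_proto": 6,
            "ipv4_src": src, "ipv4_dst": dst, "tcp_dst": dport}


def demo() -> Dict[str, object]:
    """Constructed three-tier flows: web 10.0.1.x, app 10.0.2.x, database 10.0.3.x."""
    table = FlowTable()
    # Table-miss entry: priority 0, matches everything, sends the packet to the controller.
    table.add(FlowEntry(priority=0, match={}, actions=["controller"]))
    # Pre-installed high-priority entry: anything may reach the app tier on 8080.
    table.add(FlowEntry(priority=200,
                        match={"eth_type": 0x0800, "ip_proto": 6,
                               "ipv4_dst": "10.0.2.10", "tcp_dst": 8080},
                        actions=["output:2"]))
    controller = Controller(allowed=[("10.0.2.10", "10.0.3.10", 3306)])  # only app -> db
    return {
        "web_to_app": forward(table, controller, tcp_packet("10.0.1.10", "10.0.2.10", 8080)),
        "web_to_db_first": forward(table, controller, tcp_packet("10.0.1.10", "10.0.3.10", 3306)),
        "web_to_db_second": forward(table, controller, tcp_packet("10.0.1.10", "10.0.3.10", 3306)),
        "app_to_db": forward(table, controller, tcp_packet("10.0.2.10", "10.0.3.10", 3306)),
        "packet_ins": controller.packet_ins,
        "entries": len(table.entries),
    }
```

Running demo() shows the point of the split: the first denied web-to-database packet costs a round trip to the controller, the second is dropped by the entry the controller installed, and the controller is consulted only twice for four packets. A real controller also sets idle and hard timeouts on the entries it installs so that stale policy ages out of the switch.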
Similarly, high throughput requires a minimum of 10 Gigabit Ethernet ports on the data center firewall, with some platforms already offering 40 and 100 Gigabit ports.

Segmentation. With the evolution of IT devices and network threats, organizations using data centers have adopted network segmentation as a best practice to isolate critical data from potential threats. Common isolation criteria include applications, user groups, regulatory requirements, business functions, trust levels, and locations. To support segmentation in a network security schema, data center firewalls must provide high port density and logical abstraction supporting segmentation of both physical and virtual (cloud) infrastructure. Benefits include keeping sensitive data partitioned from unauthorized access for security and compliance purposes, limiting lateral movement of advanced threats that gain an initial foothold in the network, and ensuring that employees and users have access only to the services and applications for which they are authorized.

Simplification. Because data centers extend to external users of varying trust levels, a "Zero-Trust" model for data access must be extended beyond the traditional data center edge and into the segmentation throughout the network's core. This requires a consolidated, simplified security platform that can manage multiple functions while supporting high-speed network operations. To further simplify data center firewall operations, integrating network routing and switching functions into the firewall controls provides centralized visibility and control over network functions and security monitoring. Consolidation may also be accomplished by placing multiple physical server workloads onto a shared physical host as virtual machines on a hypervisor.

A good example of a data center core firewall that incorporates all the requirements of low latency, high throughput, and high performance is the FortiGate platform line. These firewalls include models that deliver over 100 Gbps of firewall throughput with less than 5 µs of latency (Figure 10).
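A zone-based segmentation policy with default deny, as an added example illustrating the Segmentation and Simplification points above (it is not Fortinet or FortiGate code and does not use FortiGate policy syntax). Each zone carries a trust level, only explicit rules allow a flow, some rules additionally require a user group (the identity element of a zero-trust policy), and a flow from a low-trust zone into a higher-trust zone with no rule is reported as a possible lateral movement attempt rather than as a plain miss. The zones, prefixes, trust levels, rules, and the flows evaluated are all constructed for the example.

```python
"""Zone-based segmentation with default deny for East-West data center traffic.

Added example for this study guide; it is not Fortinet or FortiGate code.
The zones, prefixes, trust levels, rules, and the flows evaluated in demo()
are constructed for illustration; a real policy is derived from the isolation
criteria above (applications, user groups, regulations, business function,
trust level, location).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Zone:
    name: str
    prefix: ipaddress.IPv4Network
    trust: int  # higher number = more sensitive, more trusted zone


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    user_group: Optional[str] = None  # identity requirement; None means any user


# Constructed sample zones: a three-tier application plus a management zone.
ZONES = (
    Zone("dmz-web", ipaddress.ip_network("10.0.1.0/24"), trust=1),
    Zone("app", ipaddress.ip_network("10.0.2.0/24"), trust=2),
    Zone("db", ipaddress.ip_network("10.0.3.0/24"), trust=3),
    Zone("mgmt", ipaddress.ip_network("10.0.9.0/24"), trust=4),
)

# Explicit allow rules; anything not listed is denied.
RULES = (
    Rule("dmz-web", "app", "tcp", 8080),
    Rule("app", "db", "tcp", 5432),
    Rule("mgmt", "app", "tcp", 22, user_group="ops"),
    Rule("mgmt", "db", "tcp", 22, user_group="dba"),
)


def zone_of(ip: str) -> Optional[Zone]:
    """Map an address to the zone whose prefix contains it (None if outside all zones)."""
    addr = ipaddress.ip_address(ip)
    for zone in ZONES:
        if addr in zone.prefix:
            return zone
    return None


def evaluate(src: str, dst: str, proto: str, dport: int,
             user_groups: Sequence[str] = ()) -> Tuple[str, str]:
    """Return (verdict, reason) for one flow. Default deny; only explicit rules allow."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "deny", "address outside every defined zone"
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.dport) != (sz.name, dz.name, proto, dport):
            continue
        if rule.user_group is None or rule.user_group in user_groups:
            return "allow", f"rule {sz.name}->{dz.name} {proto}/{dport}"
        # Same flow, but the required identity is missing: keep looking, then default deny.
    if sz.trust < dz.trust:
        # A low-trust zone reaching into a higher-trust zone with no rule is exactly the
        # lateral movement that segmentation is meant to stop; flag it for the SOC.
        return "deny", (f"lateral movement attempt {sz.name}(trust {sz.trust})"
                        f"->{dz.name}(trust {dz.trust})")
    return "deny", "no matching rule (default deny)"


def demo() -> Dict[str, Tuple[str, str]]:
    """Evaluate a handful of constructed East-West flows, including a compromised web host."""
    return {
        "web_to_app": evaluate("10.0.1.5", "10.0.2.10", "tcp", 8080),
        "web_to_db": evaluate("10.0.1.5", "10.0.3.10", "tcp", 5432),    # compromised web host
        "app_to_db": evaluate("10.0.2.10", "10.0.3.10", "tcp", 5432),
        "db_to_web": evaluate("10.0.3.10", "10.0.1.5", "tcp", 80),      # no rule, downward
        "ops_ssh_db": evaluate("10.0.9.2", "10.0.3.10", "tcp", 22, ("ops",)),
        "dba_ssh_db": evaluate("10.0.9.2", "10.0.3.10", "tcp", 22, ("dba",)),
        "outside_to_db": evaluate("192.0.2.7", "10.0.3.10", "tcp", 5432),
    }
```

The web tier can reach the application tier on its one published port and nothing else; a web server that an attacker has taken over cannot open the database directly, and the attempt is logged as lateral movement rather than lost among ordinary policy misses. The same rule base serves physical and virtual segments, which is the "logical abstraction" the text asks of a data center firewall.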
Figure 10. Data center core firewall requirements.
One of the benefits of a data center network core firewall configuration as illustrated in Figure 10 is the ability to evolve as trends in technology develop. With an estimated potential for throughput requirements to double every 18 months, and the adoption of high-speed network interfaces such as 40/100 Gb Ethernet ports into existing architectures, data center firewalls need to be ready for the challenge. With these developments, and as external users move from transmitting traffic over Internet Protocol version 4 (IPv4), which at the time of writing carries over 95% of the world's Internet traffic, to IPv6, firewalls such as the FortiGate line provide the ability to keep pace and maintain data center service and security.

Virtual Firewalls
Traditional firewalls protect physical computer networks, those running on physical hardware and cabling, and the model is the physical, locked fire door: the firewall sits at the boundary and inspects what enters and leaves. Traffic that crosses the data center boundary in this way, between clients outside and servers inside, is referred to as "North-South" traffic. Unlike physical machines and networks, virtual machines operate in a virtual environment, isolated on a host but acting as though each were an independent system or network. Even though it is virtual, such a network is still subject to threats and intrusion from external sources, and to threats from neighboring virtual machines on the same host. Traffic moving laterally between servers without leaving the data center is referred to as "East-West" traffic (Figure 11).
Today, 60 to 70% of data center traffic is East-West because of the trend toward virtualization and consolidation, which is why virtual networks are of vital importance to modern data centers and to the need for reliable, adaptable data center security. Virtual LANs (VLANs) may be used to segment multiple subnets logically on the same physical switch; to secure data transmitted between virtual machines in a virtual network, the virtual firewall was developed. A virtual firewall is simply a firewall service running entirely within the virtual environment, providing the packet filtering and monitoring that would be expected from a physical device in a physical network. The virtual firewall may take a number of forms: it may be installed as a traditional software firewall in a guest virtual machine, it can be built into the virtual environment, it can be a virtual switch with additional capabilities, or it can be a managed kernel process within the host hypervisor that sees all virtual machine activity.
Figure 11. North-South (physical) vs. East-West (virtual) traffic.
Virtual firewalls may operate in one of two modes, depending on how they are deployed: bridge mode or hypervisor mode. A virtual firewall operating in bridge mode acts like a physical firewall, normally situated at an inter-network switch or bridge to intercept traffic that must cross the bridge. In this way, the virtual firewall may decide to allow, drop, reject, forward, or mirror each packet. This was the standard for early virtual networks, and some current networks still retain this model. In hypervisor mode the virtual firewall is not part of the virtual network at all; rather, it resides in the hypervisor itself in order to capture and analyze packets destined for the virtual network. Because virtual firewalls operating in hypervisor mode do not run as a virtual machine inside the virtual network, they run in the hypervisor kernel at close to native hardware speed. Examples of popular hypervisors on the market include VMware vSphere, Citrix XenServer (Xen), and Microsoft Hyper-V.

As these developments in virtual capabilities occurred, they gave way to a new paradigm for the definition of the data center itself. Instead of a traditional physical infrastructure defining the data center, such as a building or a server room within a structure, what if the data center resided within a software-defined space? Because of the continued evolution of virtual technology, this capability is a reality. The software-defined data center (SDDC) presents a paradigm in which infrastructure such as servers, network, and storage can be logically and dynamically orchestrated without adding or configuring new physical appliances or expanding into new facilities. Because of the virtual nature of the SDDC, on-demand data centers emerged that provide benefits to small consumers and SMBs, such as pay-as-you-use infrastructure, delivery on demand without extended provisioning times, and no requirement for long-term obligations or contracts. In other words, the emergence of SDDCs provided new paths to economical flexibility in data center definition and operation.

In summary, the flexible deployment capability of data center firewalls allows targeting of the threats identified as most important to the network or system. Deploying the firewall at the network edge is effective for blocking external intrusions from entering the network. Deploying the firewall at the network core provides segmentation in the event that an external threat gains access to the network. At the virtual layer, the firewall is able to monitor traffic between virtual machines (VMs).
Data Center Network Services
As technology evolved, more and more services moved from running on physically resident hardware to virtual or cloud-based applications to reduce bottlenecks, increase throughput, and optimize data sharing, among other benefits. Data center traffic has increased because of factors such as the growing number of users depending on mobile applications to access data anytime and anyplace, businesses aggregating and storing increasing amounts of data to enable analytics, and increased use of SaaS cloud storage over local physical storage appliances. Because of these shifts, networks from distributed enterprises down to SMBs and home businesses began to depend on virtual and cloud applications for remote and mobile capability. This led to a parallel focus by attackers on the application layers of the Open Systems Interconnection (OSI) model, which will be discussed later in this book. The remainder of this module focuses on how the data center facilitates the use of applications in the modern mobile, virtual, and cloud-based technology environment.

Application Systems
Application systems typically consist of user interfaces, programming (logic), and databases. A user interface is the control or method by which the user interacts with the computer, system, or network, often consisting of screens, web pages, or input devices. Some application systems have non-visual interfaces that exchange data electronically with other systems in a network. Figure 12 illustrates a notional network.
Programming consists of the scripts or computer instructions used to validate data, perform calculations, or navigate users through application systems. Many large systems use more than one programming language to drive the system and connect with networks. This allows systems performing specialized functions to be linked into a centrally manageable network.
Figure 12. Notional network.
Databases are simply electronic repositories of data used to store information for the organization in a structured, searchable, and retrievable format. Most databases are configured to facilitate access for downloading, updating, and, when applicable, sharing with other authorized network users. Computer systems are simply sets of components assembled into an integrated package. The heart of a computer system is the central processing unit (CPU), around which other components such as data storage, drives, displays, memory, input devices, and other peripherals are built. Computer system components vary in size and complexity and can be designed for single or multiple purposes. Control is accomplished through user interfaces.

The level of application control found in Next Generation Firewalls (NGFWs) is not generally necessary in a data center core firewall, primarily because there are few end users operating inside the data center itself. Typically, data center applications are accessed and used as cloud services or database information, rather than as platforms on which external users write and execute programs.

Application Services
With increasing use of "the cloud" to enable mobile, even global, use of applications and access to organization databases, technology services designed to fulfill the needs of industries from SMBs to large international corporations developed. In today's market, and for the foreseeable future, cloud services continue to grow quickly. Integral to this broad range of services are three primary components: infrastructure (IaaS), platforms (PaaS), and software (SaaS) as services. The primary difference between the models lies in the responsibility trade-offs between developer (user) and vendor (provider), as illustrated in Figure 13 [3].

Infrastructure as a Service (IaaS). This is the most basic of the three cloud service models. The service provider creates the infrastructure, which becomes a self-service platform through which the user accesses, monitors, and manages remote data center services. The benefit of IaaS is that the user does not have to invest large amounts in infrastructure and ongoing upgrades and service, while retaining operational flexibility. The downside is that this model requires the user to have a higher degree of technical knowledge, or at least to know or employ someone who does. Examples of businesses using the IaaS model appear in Figure 14.
Figure 13. Differences between IaaS, PaaS, and SaaS.
Platform as a Service (PaaS). The PaaS model provides an additional level of service beyond the IaaS model. In this model, the provider not only builds the infrastructure but also provides monitoring and maintenance services for the user. Users of PaaS cloud services have access to "middleware" to assist with application development, as well as inherent characteristics including scalability, high availability, multi-tenancy, SaaS enablement, and other features. This allows the user to focus on what is most important to their business: their application(s). In particular, businesses large or complex enough to employ an enterprise data center model benefit greatly from PaaS because it reduces the amount of coding necessary and automates business policy. Examples of businesses using the PaaS model appear in Figure 14.

Software as a Service (SaaS). The SaaS model represents the largest cloud market and continues to grow. This model takes the final step of bringing the actual software application into the set of functions managed by the provider, with the user having a client interface. Because the application resides in the cloud itself, most SaaS applications may be operated through a web browser without the need to download or install resident software on individual physical systems. This allows businesses to define software and operational requirements and have those requirements fulfilled by a third-party vendor, although such designs typically involve customization of pre-existing software applications, because SaaS does not provide the broad flexibility of software development options available in the PaaS model. Examples of businesses using the SaaS model appear in Figure 14 [4].
Figure 14. Examples of businesses using IaaS, PaaS, and SaaS cloud models.
The Shared Security Responsibility (SSR) Model. When using application services ("the cloud") for applications and access to databases, these services come with a shared responsibility for security and operations, split between the cloud provider and the cloud tenant. Depending on which model is chosen (IaaS, PaaS, or SaaS), your level of security responsibility changes in magnitude. Referring back to Figure 13, as you relinquish more control of operations, decision-making, and configuration to the vendor, as with the SaaS model, your degree of security responsibility also declines. Conversely, if you retain more management, as in the IaaS model, your security responsibility increases. Note that the tenant's share never reaches zero: in every model the tenant remains accountable for its data, for the identities and credentials used to reach the service, and for the access controls it configures within the service.
Summary
From an introduction to the current state of computer network options and configurations, to the challenges posed by evolving technologies and advanced threats, this module has laid a foundation for more focused discussion of emerging threats and of the network security technologies and processes designed to give organizations the tools necessary to defend against those threats and continue uninterrupted, secure operations. The next module focuses on the Next Generation Firewall (NGFW), an evolving technology in network security.
Module 2: Next Generation Firewall (NGFW)
Just because you're paranoid that hackers are trying to steal your data...
...doesn't mean they're not really out to get you!
Early firewalls acted much like a fire door in a building: if something bad was happening in the hallway, the door protected what was in your room and other parts of the building. As personal computers became more affordable and digital portable devices more widespread, system and network threats evolved as well, creating a need for protection technology able to evolve along with, or ahead of, advanced threats. Legacy firewalls operated on the basis of port access, using source/destination IP addresses and TCP/UDP port numbers to decide whether packets should be allowed to pass between networks or be blocked or rejected. Most firewall configurations allowed all traffic from trusted networks to pass through to untrusted networks unless policy exceptions were implemented. In closed networks and the early days of the Internet this was a viable option, but this predominantly static firewall configuration model no longer provides adequate protection against advanced and emerging threats to large, distributed enterprises and organizations that must serve customers, clients, and employees in an ever-evolving mobile environment.
Technology Trends
Trends in information technology development and use over the last 15 years have led to a need to rethink the methodology behind modern network security. To further exacerbate this challenge, these trends occurred simultaneously across major industry, all levels of business, and personal consumer environments. Consumerization of IT has resulted in IT-enabled devices, such as smartphones, digital music and video players, recorders, cameras, and others, becoming so commonplace that their lower pricing produced an explosion of individual consumers acquiring technology-enabled devices for personal use. This extends beyond the obvious devices listed above: IT-enabled devices now include appliances such as refrigerator/freezers, home security systems, personal home networks that include WiFi-enabled televisions and stereos, and even the automated "smart house." In other words, what we have to be mindful of today is the Internet of Things (IoT) whenever we acquire devices and appliances. Because consumers have embraced technology devices for both communication and information sharing, social media has been embraced at the business level as a way to reach consumer markets and supplement Web and traditional marketing and communication channels. With so many applications, especially social media, being cloud based, the challenge of network security extends from the headers of the traffic into its content. With the proliferation of inexpensive, technology-enabled devices interacting with business networks, including both external users and those using personal devices for work purposes (Bring Your Own Device, BYOD), the question becomes how to provide security, network visibility, control, and user visibility simultaneously without an exponential increase in required resources (Figure 15).
Figure 15. Bring Your Own Device (BYOD) practices in 2011.
NGFW Characteristics: Fundamental Changes
The primary benefits of an NGFW are visibility into, and control of, the traffic entering the firewall ports. In legacy firewalls, ports were opened and closed, or protocols allowed or disallowed, without consideration beyond these basic characteristics.
Figure 16. Edge firewall vs. NGFW traffic visibility.
With an NGFW, administrators gain finer granularity and deeper insight into the traffic attempting to access the network (Figure 16). This includes deeper visibility of users and devices, as well as the ability to allow or limit access based on specific applications and content rather than accepting or rejecting all traffic that uses a particular port or transport protocol. This is the primary difference between traditional and next generation firewalls. With a traditional firewall, traffic is accepted based on the identification criteria of designated port and IP address. With an NGFW, traffic is accepted based on user identity and on the actual application and content of the traffic, in addition to its IP addresses; the port number is no longer the deciding factor. The diagrams in Figures 17 and 18 illustrate the visibility and control capability provided when an NGFW is integrated into the network security architecture, supplanting the legacy edge firewall.
When comparing the granularity with which traditional and next generation firewalls assess data, note that in an NGFW the ports are identified along with the traffic flowing through them, as well as specific information about the user sending the traffic, the traffic's origin, and the type (content) of traffic being received. This information goes beyond the OSI layer 3 and 4 header fields (addresses and ports) that a traditional firewall evaluates and brings security up to layer 7, the application layer.
Figure 17. Traditional port configuration example.
Figure 18. NGFW configuration example by application, user ID.
In addition to enhanced visibility over traffic, NGFW provides enhancements in both complex security protection and administrator control simplicity over traditional firewalls, as compared in Table 1.

Table 1. Comparative security features of edge firewalls vs. NGFW.

Edge Firewall                      | NGFW
-----------------------------------|---------------------------------------------
Gatekeeper                         | Gatekeeper
ISO/OSI L4 port/protocol           | Application-centric (content flow) protocol
Basic security + add-ons           | Integrated security solutions
Complex architecture               | Integrated architecture
Complex control                    | Simplified control
Simple to moderate security        | Integrated, complex security
NGFW Evolution
Referring to an evolving technology offering high-performance protection, Next Generation Firewalls (NGFWs) provide solutions against a wide range of advanced threats to applications, data, and users. Going beyond standard firewall protections, NGFWs integrate multiple capabilities to combat advanced and emerging threats. These capabilities include an intrusion prevention system (IPS), deep packet inspection, network application identification and control, and access enforcement based on verified user identity. Emerging tools include Advanced Threat Protection (ATP) to mitigate multi-vector, persistent network or system attacks against large and distributed enterprise networks.
The concept of the NGFW was first coined by Gartner in 2004 in a paper discussing the need to integrate IPS, deep packet inspection, and general application-inspection capabilities into firewalls [5]. In 2008, Gartner redefined the NGFW as a security device comprising an enterprise-level firewall with integrated IPS or deep packet inspection, application identification, and "extra-firewall" intelligence (such as web content filtering), while allowing interoperability with third-party rule management technology [6]. In 2009, Gartner published a new definition of the NGFW, with characteristics including VPN, integrated IPS interoperating with the firewall components, application awareness, and "extra-firewall" intelligence [7].
Figure 19. NGFW evolution timeline.
Traditional NGFW Capabilities
Traditional NGFWs provide solutions against a wide range of advanced threats to applications, data, and users. Traditional enterprise network security solutions such as legacy firewalls and standalone intrusion detection/prevention systems (IDS/IPS) are no longer adequate to protect against today's sophisticated attacks. To defend networks against the latest threats, NGFWs should include, at a minimum, the ability to identify and control applications running over a network, an integrated intrusion prevention system (IPS) with deep packet inspection capability, and the ability to verify a user's or device's identity and enforce access policies accordingly. However, advanced threats require advanced protection. Some NGFW devices, such as the FortiGate line, include additional technologies that provide a real-time ranking of the security risk of devices on your network and cloud-based threat detection and prevention. Traditional NGFWs integrate multiple capabilities to combat emerging threats.
Figure 20. Intrusion Prevention System (IPS).
Intrusion Prevention System (IPS). Sometimes called integrated IDS/IPS. Monitors the network and directs the firewall to allow or block traffic. An Intrusion Detection System (IDS) detects threats but does not alert the firewall to take action against identified threats or unknown traffic; IDS functionality is integrated into IPS technology. IPS has been used as part of edge-based protection as a firewall enhancement; however, it is more effective to tie it into network segregation, enabling protection against both internal and external attacks against critical servers [8].
Figure 21. Deep Packet Inspection (DPI).
Deep Packet Inspection (DPI). Examining the payload or data portion of a network packet as it passes through a firewall or other security device. DPI identifies and classifies network traffic based on signatures in the payload [9], and examines packets for protocol errors, viruses, spam, intrusions, or policy violations.
Figure 22. Network application identification and control.
Network Application Identification & Control. Traditional firewall protection detects and restricts applications by port, protocol and server IP address, and cannot detect malicious content or abnormal behavior in many web-based applications. Next Generation Firewall technology with Application Control allows you to identify and control applications on networks and endpoints regardless of the port, protocol, and IP address used. It gives you unmatched visibility and control over application traffic, even unknown applications from unknown sources, and inspects encrypted application traffic. Protocol decoders normalize and discover traffic from applications attempting to evade detection via obfuscation techniques. Following identification and decryption, application traffic is either blocked, or allowed and scanned for malicious payloads. In addition, application control protocol decoders detect and decrypt tunneled IPsec VPN and SSL VPN traffic prior to inspection, ensuring total network visibility. Application control even decrypts and inspects traffic using encrypted communications protocols, such as HTTPS, POP3S, SMTPS and IMAPS.
Figure 23. Access enforcement (User identity). Access Enforcement (User Identity). When a user attempts to access network resources, Next Generation Firewalls allow identification of the user from a list of names, IP addresses and Active Directory group memberships that it maintains locally. The connection request will be allowed only if the user belongs to one of the permitted user groups, and the assigned firewall policy will be applied to all traffic to and from that user.
Figure 24. NGFW distributed enterprise-level capability.
Distributed Enterprise-level Capability. Capable of operating in large, distributed enterprise networks. The foundation of the enterprise campus offering is a high performance next generation firewall (NGFW) that adds intrusion prevention, application control and antimalware to the traditional firewall/VPN combination. In particular, Fortinet NGFWs:
Provide fine-grained, user- or device-based visibility and control over more than 3000 discrete applications to establish/enforce appropriate policies.
Include powerful intrusion prevention, looking beyond port and protocol to the actual content of your network traffic to identify and stop threats.
Leverage top rated antimalware to proactively detect malicious code seeking entry to the network.
Deliver actionable application and risk dashboards/reports for real-time views into network activity.
Run on purpose-built appliances with custom ASICs for superior, multi-function performance, even over encrypted traffic.
Figure 25. Extra-firewall intelligence IP list assignment.
“Extra-firewall” Intelligence. This provides the ability to create lists for access or denial of external traffic to the network. These lists may be designated by IP address. List types include:
White List. Designated sources considered trusted; they will be allowed access to the network.
Black List. Designated sources considered not trusted; they will be denied access to the network.
A key point of this function is that the source is identified by an address; therefore, access does not relate to any specific type of information that may be carried in traffic from that source. This is a surface screening rather than a content screening function.
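The following is an added example for this guide, not code from the guide or from any Fortinet product. It models the two list types above as address-only (surface) screening, and the group-membership check described under Access Enforcement (User Identity), so the difference between deciding on an address and deciding on who the user is can be seen side by side. The address ranges, user names, group names and policy names are all constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample lists (not from the study guide). Documentation ranges
# are used so the example never points at a real host.
WHITE_LIST = [ipaddress.ip_network("203.0.113.0/24")]            # trusted sources
BLACK_LIST = [ipaddress.ip_network("198.51.100.0/24"),           # untrusted sources
              ipaddress.ip_network("192.0.2.77/32")]

# Hypothetical local copy of directory group membership, the kind of list
# the text says the NGFW maintains for user identity checks.
USER_GROUPS = {
    "alice": {"Finance", "Staff"},
    "bob": {"Staff"},
}


@dataclass(frozen=True)
class Policy:
    name: str                     # hypothetical policy name
    permitted_groups: frozenset
    action: str                   # "accept" or "deny"


POLICIES = [
    Policy("finance-erp", frozenset({"Finance"}), "accept"),
    Policy("staff-web", frozenset({"Staff"}), "accept"),
]


def screen_address(src_ip: str) -> str:
    """Surface screening: the decision rests on the source address alone.

    The black list is consulted first so an address that appears on both
    lists is denied. Returns "deny", "allow" or "unlisted"; an unlisted
    source simply falls through to the identity and content checks.
    """
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in BLACK_LIST):
        return "deny"
    if any(ip in net for net in WHITE_LIST):
        return "allow"
    return "unlisted"


def enforce_access(username: str, policy_name: str) -> tuple:
    """Identity-based enforcement: the request passes only if the user belongs
    to one of the groups the policy permits. Returns (allowed, policy)."""
    groups = USER_GROUPS.get(username, set())
    for pol in POLICIES:
        if pol.name == policy_name and groups & pol.permitted_groups:
            return (pol.action == "accept", pol.name)
    return (False, "implicit-deny")   # no matching policy: default deny


def decide(src_ip: str, username: str, policy_name: str) -> str:
    """Combine the two stages in the order the text presents them: address
    screening first, then identity-based policy for whatever the lists did
    not already reject."""
    if screen_address(src_ip) == "deny":
        return "blocked:black-list"
    allowed, policy = enforce_access(username, policy_name)
    return f"{'allowed' if allowed else 'blocked'}:{policy}"


if __name__ == "__main__":
    print(decide("198.51.100.5", "alice", "finance-erp"))   # blocked:black-list
    print(decide("203.0.113.9", "alice", "finance-erp"))    # allowed:finance-erp
    print(decide("203.0.113.9", "bob", "finance-erp"))      # blocked:implicit-deny
```

Note that a white-listed address still passes through the identity check here: the list answers only "may this source talk to us at all", which is why the text calls it surface screening.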
Figure 26. Notional network with managed security (MSSP).
Interoperable with Third-Party Management. Enterprise-class appliances deliver the comprehensive security solution Managed Security Service Providers (MSSPs) require. They allow you to utilize the full suite of ASIC-accelerated security modules for customizable value-added features for specific customers. FortiGate NGFW appliances include the ability to create multi-tenant virtual security networks, supporting up to 5,000 separate Virtual Domains (VDOMs) in a single device. The full suite of integrated management applications, including granular reporting features, offers unprecedented visibility into the security posture of customers while identifying their highest risks.
VPN. Virtual Private Network (VPN) technology allows organizations to establish secure communications and data privacy between multiple networks and hosts using IPsec and secure sockets layer (SSL) VPN protocols. Both VPN services leverage custom ASIC network processors to accelerate encryption and decryption of network traffic. Once the traffic has been decrypted, multiple threat inspections, including antivirus, intrusion prevention, application control, email filtering and web filtering, can be applied and enforced for all content traversing the VPN tunnel.
Figure 27. Application awareness: The NGFW application monitoring feature.
Application Awareness. While establishing port and protocol are important first steps in identifying traffic, positive identification of application traffic is an important capability added by NGFW, requiring a multi-factor approach independent of port, protocol, encryption, or evasive measures. Application awareness includes protocol detection and decryption, protocol decoding, signature identification, and heuristics (behavioral analyses) [10].
NGFW Functions
Two important functions of NGFW are to detect threats and to prevent them from exploiting system or network vulnerabilities. The best way to detect threats is to deploy an Intrusion Detection System (IDS) as part of the network architecture. To prevent identified threats from exploiting existing vulnerabilities, an Intrusion Prevention System (IPS) should be deployed. The purpose of IPS is to react to detected threats to a network in order to block intrusion by traffic attempting to take advantage of system vulnerabilities, deviations from standard protocols, or attacks generated by trusted sources [8]. NGFW appliances, such as the FortiGate line of network hardware, provide integrated IDS and IPS capability to both detect and prevent intrusion into and exploitation of protected networks. Another function of NGFW is Secure Sockets Layer (SSL)-Encrypted Traffic Inspection. This type of inspection protects endpoint clients as well as Web and application servers from potentially hidden threats. SSL Inspection intercepts and inspects encrypted traffic for threats before routing it to its destination, and can be applied to client-oriented traffic, such as users connected through a cloud-based site, or to Web and application server traffic. Using SSL inspection allows policy enforcement on encrypted Web content to prevent potential intrusion from malicious traffic hidden in SSL content. Like other inspection functions, however, the tradeoff to enabling SSL inspection is a decrease in throughput.
Extended NGFW Capabilities
Beyond the capabilities defined by Gartner for NGFW, adding capabilities focused on advanced and emerging threats is clearly needed. Particularly within enterprise network security infrastructure, there is a need to protect against new and evolving classes of highly targeted and tailored attacks designed to bypass common defenses. Because of these advanced and evolving threats, additional defenses, referred to by Fortinet as Advanced Threat Protection (ATP), include anti-virus/malware, anti-botnet, web filtering, code emulation, and sandboxing. Integration of these additional capabilities appears in Figure 28.
Figure 28. Extending FortiGate NGFW with Advanced Threat Protection (ATP).
When integrated with NGFW, the capabilities of ATP enhance security by providing additional protections against evolving threats, including:
Dual-level sandboxing, allowing code activity examination in simulated and virtual environments to detect previously unidentified threats.
Detailed reporting on system, process, file, and network behavior, including risk assessments.
Secure Web Gateway through adding web filtering, botnet, and call back detection, preventing communications with malicious sites and IPs.
Option to share identified threat information and receive updated in-line protections.
Option to integrate with other systems to simplify network security deployment.
With the continued shift toward mobile and BYOD practices, integrated user authentication takes on increased importance for visibility and control of the applications employed by network users. With the sophistication of advanced and evolving threats, use of two-factor, or “strong,” authentication has become more prevalent. In addition to the capabilities discussed previously as additive measures to the NGFW, a number of strong authentication factors may also be enabled:
Hardware, software, email, and SMS tokens
Integration with LDAP, AD, and RADIUS
End user self-service
Certificate Authority
Single sign on throughout the network
An illustration of the authentication functions integrated into NGFW appears in Figure 29.
Figure 29. Authentication functions integrated into NGFW.
While the Application Control feature of the extended NGFW serves to identify network users, monitor the applications employed by those users, and block applications representing a risk to the organization, this feature differs from how the Web Filtering function of ATP operates. Unlike Application Control, which focuses on the actual content of the accessed site, Web Filtering focuses on the Internet sites (URLs) themselves, based on a categorization of the site or type of content [8]. This allows the NGFW to block web sites known to host malicious content. An example of how Web Filtering categorizes sites appears in Figure 30.
Figure 30. Web filtering profile control. Antivirus/malware. Responsible for detecting, removing, and reporting on malicious code. By intercepting and inspecting application-based traffic and content, antivirus protection ensures that malicious threats hidden within legitimate application content are identified and removed from data streams before they can cause damage. Using AV/AM protection at client servers/devices adds an additional layer of security.
Figure 31. FortiGate antivirus/malware.
Anti-botnet. Responsible for detecting and reacting to Distributed Denial of Service (DDoS) or other coordinated network attacks. Organizations may prevent, uncover, and block botnet activities using Anti-Bot traffic pattern detection and IP regulation services supplied in real time.
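As an added example (not code from the guide or from FortiGuard), the two anti-botnet ideas named above, a real-time list of known bad addresses and traffic pattern detection, can be run over a connection log. The log lines, the address on the reputation list and the log format are all constructed for this example; the pattern check looks for the regular check-in interval a bot uses when it contacts its controller.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed stand-in for a real-time botnet IP reputation feed.
KNOWN_BOTNET_IPS = {"192.0.2.9"}

# Constructed connection log: "<unix time> <source> <destination> <dst port>".
# 10.0.0.5 contacts the same host every 60 seconds (a beacon-like pattern),
# 10.0.0.8 contacts a listed address once, 10.0.0.9 browses at irregular times.
SAMPLE_LOG = """\
1700000000 10.0.0.5 198.51.100.20 443
1700000003 10.0.0.9 203.0.113.50 443
1700000017 10.0.0.9 203.0.113.50 443
1700000060 10.0.0.5 198.51.100.20 443
1700000120 10.0.0.5 198.51.100.20 443
1700000120 10.0.0.9 203.0.113.50 443
1700000121 10.0.0.9 203.0.113.50 443
1700000180 10.0.0.5 198.51.100.20 443
1700000200 10.0.0.8 192.0.2.9 8080
1700000240 10.0.0.5 198.51.100.20 443
1700000300 10.0.0.5 198.51.100.20 443
1700000400 10.0.0.9 203.0.113.50 443
"""


def parse_log(text: str) -> list:
    """Parse the constructed log format into (timestamp, src, dst, port) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        rows.append((int(ts), src, dst, int(port)))
    return rows


def detect_botnet_activity(text: str, min_connections: int = 5,
                           max_jitter: float = 0.1) -> dict:
    """Two anti-botnet checks over a connection log.

    known_bad: (src, dst) pairs whose destination is on the reputation list.
    beaconing: (src, dst, period) for pairs with at least `min_connections`
               connections whose inter-arrival times are nearly constant
               (coefficient of variation below `max_jitter`), the traffic
               pattern of a bot checking in with its controller.
    """
    rows = sorted(parse_log(text))
    known_bad = sorted({(src, dst) for _, src, dst, _ in rows
                        if dst in KNOWN_BOTNET_IPS})

    times = defaultdict(list)
    for ts, src, dst, _ in rows:
        times[(src, dst)].append(ts)

    beaconing = []
    for (src, dst), stamps in sorted(times.items()):
        if len(stamps) < min_connections:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period < max_jitter:
            beaconing.append((src, dst, period))
    return {"known_bad": known_bad, "beaconing": beaconing}


if __name__ == "__main__":
    for kind, hits in detect_botnet_activity(SAMPLE_LOG).items():
        print(kind, hits)
```

The list check catches only what a feed already knows; the interval check is what finds a host talking to an address nobody has listed yet, which is why the text pairs the two.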
Figure 32. FortiGuard Anti-botnet protection. Web filtering. Function that allows or blocks Web traffic based on type of content, commonly defined by categories. Web filtering protects endpoints, networks and sensitive information against Web-based threats by preventing users from accessing known phishing sites and sources of malware.
Figure 33. FortiGate Web filtering capability.
Code emulation. Allows testing of unknown or potentially malicious traffic in a virtual environment by emulating the actual environment to which the traffic was addressed.
Sandboxing. Isolating unknown or potentially malicious code so that it fully executes all of its functions before the traffic is allowed to download into the network. Sandboxing has a unique capability to detect zero-day exploits that other security solutions cannot identify. If malicious activity is discovered, Advanced Threat Protection (ATP) can block it.
Sandboxes and APT
You might be wondering whether this is “Back to the Future.” After all, sandbox technology is old, having long been a standard safety isolation for analyzing code. So why would sandboxes be important when examining the implications of Advanced Persistent Threats (APT)?
Sandboxes were initially developed for executable files. Now they also run application data that may contain malicious code, such as Adobe Reader documents or JavaScript, so that the sandbox identifies malicious code before it can infect your operating system. Modern sandbox technology can help detect and identify new threats, such as old legacy threats in new veneers, by emulating endpoint device environments to analyze how the potential threat behaves. In this way, relatively unknown malware, constantly being developed at all levels of complexity, and APTs may be detected, identified, cataloged, and blocked by the NGFW (Figure 34). Integrating NGFW with sandboxing allows inspection of traffic so that only suspect traffic is forwarded to the sandbox, increasing sandbox performance by reducing unnecessary operations.
Figure 34. Sandbox deployed with NGFW Solution.
Advanced Persistent Threats (APT)
Since the widespread availability of computer technology, especially since the introduction of affordable personal computing platforms and the open availability of computer training, people have used software to target systems and networks to damage, steal, or deny access to data. Modern and future challenges, or Advanced Persistent Threats, present a more daunting sophistication of malware, attack vectors, and perseverance by which they mount offensives against their targets. Just as APT uses multiple attack layers and vectors to enhance its chances of success, network security administrators must also design and implement a multi-layered defense to protect against these threats. It is critical to understand that no single network security feature will stop an APT. Simplified, a three-step approach to how NGFW addresses APTs appears in Figure 35, below.
Figure 35. The NGFW three-step approach to APT.
Advanced Threat Protection (ATP)
In order to protect against modern and emerging future threats, adaptive defense tools like ATP are being incorporated into network security infrastructures at an increasing pace. This level of protection provides increased security across all network sizes, from SMB to large enterprises. Critical capabilities brought to bear by ATP include:
Access Control. Layer 2/3 firewall, vulnerability management, two-factor authentication.
Threat Prevention. Intrusion Prevention (IPS), application control, Web filtering, email filtering, antimalware.
Threat Detection. “Sandboxing,” botnet detection, client reputation, network behavior analysis.
Incident Response. Consolidated logs & reports, professional services, user/device quarantine, threat prevention updates.
Continuous Monitoring. Real-time activity views, security reporting, threat intelligence.
The continuous nature of ATP protection is illustrated in Figure 36, below:
Figure 36. Fortinet Advanced Threat Protection (ATP) model.
NGFW Deployment
Edge vs. Core
When deploying the NGFW, segmentation is a key consideration (see Module 1, page 8), and NGFW brings a unique combination of hardware- and software-related segmentation capabilities that allow isolation of critical network sections, such as data centers. Deploying NGFW into an Edge Network accomplishes the goal of providing control while optimizing critical infrastructure protection (Figure 37).
Figure 37. NGFW deployment to edge network.
NGFW vs. Extended NGFW
Another consideration that must be made is what NGFW capabilities are needed, or desired, for the network being protected. Whether to deploy extended NGFW capabilities depends on the nature of the functions that will be accomplished both internally and external to the network. In particular, with the movement to more cloud-based and web applications, extended NGFW may be best suited. As illustrated in Figure 38, Extended NGFW incorporates the capabilities of current NGFW plus enhanced features that make it more capable against modern and emerging threats.
Figure 38. Current NGFW vs. Extended NGFW capabilities.
One of the characteristics of most technologies is that added capabilities come with concomitant tradeoffs. In the case of NGFW, the addition of inspection functions such as web filtering or anti-malware presents options that balance capabilities and protection levels against traffic processing speed. The two methods used to inspect traffic are flow-based and proxy-based inspection. In flow-based inspection, the NGFW performs a “string comparison” to examine patterns in the traffic without breaking the connection; only a portion of the traffic stream is inspected, in exchange for faster throughput. In proxy-based inspection, the entire traffic stream is analyzed, breaking the connection and reestablishing it after analysis, resulting in slower throughput.
Table 2. Comparison between flow-based and proxy-based inspections

Flow-based inspection
Speed/Performance: Faster
Security analysis method: Comparing traffic to a database of known bad situations
TCP transparency: TCP flow not broken. Only packet headers changed if necessary.
Protocol awareness: Not required
Resources / file size limits: Only during scanning
Features supported: Antivirus, IPS, Application Control, Web Content Filtering

Proxy-based inspection
Speed/Performance: Slower
Security analysis method: Conducting specific analysis on relevant information
TCP transparency: TCP connection broken, TCP sequence numbers changed.
Protocol awareness: Understands the protocol being analyzed
Resources / file size limits: Yes, when buffering, based on available NGFW memory
Features supported: Antivirus, DLP, Web Content Filtering, AntiSpam
Because Flow Mode does not unpack compressed files or email/FTP attachments, deploying antimalware in Flow Mode may result in decreased detection rate.
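The difference Table 2 and the note above describe can be made concrete with a small simulation. This is an added example, not code from the guide or from any FortiGate implementation: one scanner matches a pattern against packets as they stream past without buffering (flow-based), the other reassembles the whole object, unpacks it if it is gzip-compressed, and then scans, subject to a memory-bounded buffer (proxy-based). The signature bytes, the sample object and the buffer limit are all constructed.

```python
import gzip

# Constructed signature standing in for an antivirus pattern; not a real one.
SIGNATURE = b"X-CONSTRUCTED-TEST-SIGNATURE"

# Constructed sample object: the same "file" sent in the clear and gzip-compressed.
SAMPLE_PLAIN = b"A" * 50 + SIGNATURE + b"B" * 50
SAMPLE_GZIP = gzip.compress(SAMPLE_PLAIN)


def packetize(payload: bytes, size: int) -> list:
    """Split an object into packet-sized chunks as it would cross the wire."""
    return [payload[i:i + size] for i in range(0, len(payload), size)]


def flow_scan(packets, signature: bytes = SIGNATURE) -> bool:
    """Flow-based inspection: compare each packet against the pattern as it
    streams past, keeping only a short carry-over so a pattern split across
    two packets is still seen. Nothing is buffered or decompressed, so the
    connection is never broken, but a compressed container is not unpacked
    and a pattern inside it goes unseen."""
    carry = b""
    for pkt in packets:
        window = carry + pkt
        if signature in window:
            return True
        carry = window[-(len(signature) - 1):]
    return False


def proxy_scan(packets, signature: bytes = SIGNATURE,
               max_buffer: int = 64 * 1024) -> str:
    """Proxy-based inspection: reassemble the whole object, unpack it if it is
    gzip-compressed, then scan. The buffer is bounded by available memory,
    which is the file size limit Table 2 lists for proxy mode.

    Returns "blocked", "clean", or "oversize" (the object exceeded the buffer
    and was not scanned; what then happens to it is a policy decision)."""
    buf = bytearray()
    for pkt in packets:
        buf.extend(pkt)
        if len(buf) > max_buffer:
            return "oversize"
    data = bytes(buf)
    if data[:2] == b"\x1f\x8b":          # gzip magic number
        data = gzip.decompress(data)
    return "blocked" if signature in data else "clean"


def compare(payload: bytes, packet_size: int = 30) -> dict:
    """Run both modes over the same packet stream and report what each saw."""
    packets = packetize(payload, packet_size)
    return {"flow": flow_scan(packets), "proxy": proxy_scan(packets)}


if __name__ == "__main__":
    print("plain:", compare(SAMPLE_PLAIN))   # both modes see the pattern
    print("gzip :", compare(SAMPLE_GZIP))    # only proxy mode sees it
```

The plain object is caught by both modes; the compressed copy is caught only by proxy mode, which is the detection-rate loss the note above warns about. The "oversize" branch shows the other side of the trade: a buffered mode has a ceiling that a streaming mode does not.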
Summary
The concept of Next Generation Firewalls developed to address evolving threats as technology itself evolved. With the rapid rise of technology integration, portability and BYOD models in business, education, and other environments, combined with the more widespread ability of hackers from novices to experts to develop malicious code, a system deriving from the initial premise of NGFW needed to develop for the future. Because of these capabilities and the flexibility to proactively address modern and developing threat environments across networks of varying sizes, NGFW will be the standard in network firewall protection at least through 2020…
Module 3: Unified Threat Management (UTM)
Unified Threat Management (UTM) is a security management approach that gives administrators the ability to monitor and manage multiple security-related applications and infrastructure components through a single management console. Through this simplified management approach, UTM gives administrators the ability to protect both local and branch offices from potential threats, rather than having to depend on coordination with remote site administrators or multiple control panels. This integrated approach to security control is an extension of the philosophy that resulted in the integration of multiple security functions into hardware and software appliances, in contrast to legacy network security systems that used single- or dual-function add-on appliances, resulting in complex hardware, software, and management control systems (Figure 39).
Figure 39. Legacy network security add-ons vs. UTM architecture.
UTM provides administrators the ability to monitor and manage multiple, complex security-related applications and infrastructure components through a single management console. Because UTM is designed as an integrated solution, it does not suffer the problems of network address translation, overheating, or throughput difficulties caused by activating multiple security services in legacy systems.
The Key to UTM: Consolidation
Similar to NGFW, one of the strengths of UTM is the integration of components and functions into both hardware appliances and associated security software applications. The advantage of UTM is that it goes beyond the NGFW focus of high performance protection of data centers by incorporating a broader range of security capabilities to provide administrator-friendly, threat-unfriendly management. Using firewall capabilities as a foundation, UTM integrates additional VPN, intrusion detection and prevention, and secure content management capabilities.
UTM Features UTMs are generally acquired as either cloud services or network appliances, and integrate firewall, intrusion detection system (IDS), anti-malware, spam and content filtering, and VPN capabilities (Figure 40). These can be installed and updated as necessary to keep pace with emerging threats. [11]
Figure 40. Unified Threat Management (UTM).
Firewall. The most basic, necessary, and widely deployed network security technology, which uses sets of rules or policies to determine which traffic is allowed into or out of a system or network. UTM builds on this foundation to integrate, rather than add on, enhanced security capabilities. [8]
Intrusion Detection System (IDS). IDS is capable of detecting potential threats to the network, but does not react by sending a message to the firewall to block the threat. [8] The function of IDS is an integrated feature in Intrusion Prevention System (IPS).
Antivirus/malware. Antivirus/Antimalware (AV/AM) provides multi-layered protection against viruses, spyware, and other types of malware attacks. It enables scanning of e-mail for viruses, but it doesn’t stop there. You can also apply anti-virus protection to File Transfer Protocol (FTP) traffic, instant messaging (IM), and web content at the network perimeter. Some solutions support Secure Sockets Layer (SSL) content scanning, which means that you can protect the secure counterparts to those types of traffic as well, such as HTTPS, SFTP, POP3S, and so on. A UTM virus filter examines all files against a database of known virus signatures and file patterns for infection. If no infection is detected, the file is sent to the recipient. If an infection is detected, the UTM solution deletes or quarantines the infected file and notifies the user. [9]
Antispam. This module detects and removes unwanted email (spam) messages by applying verification criteria to determine whether the email fits defined parameters for spam traffic. Anti-spam filtering can block many Web 2.0 threats like bots, many of which arrive in your users’ e-mail boxes. Multiple anti-spam technologies incorporated into UTM can detect threats through a variety of techniques [9]. These parameters may be as simple as a list of senders identified by a user, or comparison against databases of known bad messages and spam server addresses [8].
Content filtering. These devices block traffic to and/or from a network by IP address, domain name/URL, type of content (for example, “adult content” or “file sharing”), or payload. They maintain a whitelist of trusted sites and a blacklist of forbidden sites to prevent users from violating acceptable use policies or being exposed to malicious content. [9]
VPN. A Virtual Private Network (VPN) uses special protocols to move packets of information across the Internet securely. In general, VPN protocols encrypt traffic going from sender to receiver. This makes such traffic appear completely garbled to anyone who might intercept and examine those packets while they’re on the Internet. VPNs use encryption to protect the traffic they carry from unauthorized access. Because the VPN packets wrap the encrypted data inside a new protocol envelope, a technique known as encapsulation, a VPN creates a private, encrypted “tunnel” through the Internet. [9]
UTM Distributed Enterprise Advanced Features
Enterprise customers may have access to more advanced features, such as identity-based access control, load balancing, intrusion prevention (IPS), Quality of Service (QoS), SSL/SSH inspection, and application awareness [11].
Access (Application) control. Application control can identify and control applications, software programs, network services, and protocols. In order to protect networks against the latest web-based threats, application control should be able to detect and control Web 2.0 apps like YouTube, Facebook, and Twitter. Enterprise-class app control provides granular policy control, letting you allow or block apps based on vendor, app behavior, and type of technology. For example, you can block specific sites, block only your users’ ability to follow links or download files from sites, or block games but allow chat. Another feature of application control is the ability to enforce identity-based policies on users. The UTM system tracks user names, IP addresses, and Active Directory user groups.
When a user logs on and tries to access network resources, UTM applies a firewall policy based on the requested application or destination. Access is allowed only if the user belongs to one of the permitted user groups.
Load balancing. Load balancing distributes traffic and routes content across multiple web servers. This increases application performance and improves resource utilization and application stability while reducing server response times. With data compression and an independent SSL encryption processor, this capability further increases transaction throughput and reduces processing requirements on web servers, providing additional acceleration for web application traffic.
Intrusion Prevention System (IPS). An IPS acts as a network’s watchdog, looking for patterns of network traffic and activity, and records events that may affect security. An IPS issues alarms or alerts for administrators, and is able to block unwanted traffic. IPS also routinely logs information as events occur, so it can provide information to better handle threats in the future, or provide evidence for possible legal action [9]. IPS is the best way to detect threats trying to exploit network vulnerabilities.
Quality of Service (QoS). QoS refers to a network’s ability to achieve maximum bandwidth and deal with other network performance elements like latency, error rate and uptime. Quality of service also involves controlling and managing network resources by setting priorities for specific types of data (video, audio, files) on the network. QoS is exclusively applied to network traffic generated for video on demand, IPTV, VoIP, streaming media, videoconferencing and online gaming. [12]
SSL/SSH inspection. This provides the ability to inspect content encrypted by applications using the Secure Sockets Layer (SSL) cryptographic protocol, by performing a “man-in-the-middle” takeover of the SSL traffic. This allows other inspections to be applied, such as DLP, web filtering, and antivirus/malware. Some popular examples of SSL protocols are HTTPS, FTPS, and the mail protocols SMTPS, POP3S, and IMAPS. [8]
Application awareness. Web Application Security solutions provide specialized, layered application threat protection for medium and large enterprises, application service providers, and SaaS providers. The FortiWeb application firewall protects your web-based applications and internet-facing data. Automated protection and layered security protect web applications from layer 7 DoS and sophisticated attacks such as SQL Injection, Cross Site Scripting attacks and data loss. The Web Vulnerability Assessment module adds scanning capabilities to provide a comprehensive solution to meet your PCI DSS section 6.6 requirements.
Tradeoffs. The main advantage of UTM is reducing operational complexity. In particular, reducing operational complexity for network administrators increases the likelihood that they will use the available protection features to optimize network security. However, while simplification presents the advantage of security optimization by the administrator, the main drawback may be positioning UTM as a single point of failure (SPOF) in a system or network.
Extended UTM Features
One of the key factors that enables specialized UTM products to achieve the highest levels of performance and boost network throughput is incorporating custom application-specific integrated circuits (ASICs) into UTM hardware components. As discussed previously in Module 1, using custom-designed ASICs presents a more challenging design process, but the tradeoff is achieving the highest levels of system performance by having tailored the ASICs to the device capabilities and intended functions. As with most highly efficient technologies, planning and configuration are critical in achieving optimum performance and control when systems and networks are brought online. Expanding on the foundation of an integrated firewall, UTM builds additional capabilities to enhance network security management. With ever-increasing capabilities for data transfers between remote users, the capabilities integrated into UTM but not resident in NGFW include Data Leak Prevention (DLP) (sometimes referred to as Data Loss Prevention), which helps prevent unauthorized transfer of information to someone outside an organization by protecting the contents of email, web pages, and transferred files. DLP provides a strong authentication appliance to control data by methods such as inbound/outbound filtering and fingerprinting. DLP filtering scans inbound and outbound files, searching for text strings and patterns that, when compared against the DLP database, determine whether the content will be allowed, blocked, or archived.
Fingerprinting consists of a method by which each document file is encoded with a unique “fingerprint”; based on the fingerprint, DLP determines whether the document is a sensitive or restricted file that should be blocked, or whether the file is allowed to be shared beyond the network. DLP has the ability to scan and identify data patterns using supported scannable protocols; for example, FortiGate systems are capable of inspecting HTTP, FTP, SMTP, POP3, IMAP, and the instant messaging protocols for Yahoo, MSN, AOL, and ICQ messaging services [8]. A limitation of DLP, however, is that it is affected by the same limitations as antivirus scanning: maximum file size, data fragmentation (but not necessarily packet fragmentation), and encryption, all of which may limit effective data leak detection and subsequent prevention.
Evolving UTM Features
As mentioned previously, UTM is a user-simplified, protection-complex, integrated concept with the ability to evolve as technologies, user trends, and threats evolve. With this focus on being flexible and future-ready, additional technologies are increasingly being integrated into UTM devices. Among these capabilities, suited to networks of various sizes, are switching, Wireless Local Area Network (WLAN) control, and Power-over-Ethernet (POE).
Switching. By integrating switching into UTM, the capability to manage switching is added to the single control console for security management. This again reduces the number of physical hardware devices and control monitors necessary to manage the UTM system. From this integrated control panel, individual ports can be switched on or off to physically isolate network traffic. This is important, because some applications attempt to use port 80 to avoid detection by traditional port-based firewall security systems. Port 80 is the primary port used by the World Wide Web (WWW) and is how web servers “listen” for incoming unsecured (HTTP) connections from web browsers. This is a primary port through which malicious code tries to sneak in via Internet applications. Conversely, secure WWW connections are monitored through port 443 (HTTPS) using TLS/SSL security protocols.
Figure 41. LAN control.

Wireless LAN (WLAN). Integrating the WLAN into UTM provides more than an economy of hardware. It provides a simplified way to ensure that every network in the full infrastructure (physical, WLAN, and VPN) can be controlled together, maintaining consistent security policies and controls across all networks from one control interface. This approach also detects and eliminates potential “blind spots” and better prevents unauthorized or rogue wireless access to the combined network. WLAN is also important for SMB networks where secure wireless coverage must take the place of non-existent cable-based network connectivity, as in rented small office spaces.

With continued increases in mobile computing and BYOD operations, many people in today’s technologically empowered workforce expect to be able to replicate their office environment wherever they happen to be conducting business. Because of the many variables involved in such an endeavor (variations in available Internet speeds, availability of secured versus open networks, volume of users on remote networks, the cost of high-speed links, and so forth), a technique is needed to enable effective remote communication for authorized network users. WAN Optimization (WANOpt) is such a technique for use with UTM-empowered network infrastructures. WANOpt improves application and network performance for authorized remote users through five primary methods [9]:

Protocol optimization. Improves the efficiency of FTP, HTTP, TCP, and other protocols to accelerate network performance.
Byte caching. Caches files and data to reduce the amount of data that must be sent across the WAN.
Web caching. Stores web pages and serves them on request, avoiding reloads over the WAN and reducing latency and delays between servers.
SSL offloading. Offloads SSL decryption and encryption onto SSL acceleration hardware to boost web server performance.
Secure tunneling. Secures traffic crossing the WAN.

Power over Ethernet (POE). POE allows UTM to supply power to external devices, much as legacy interfaces such as Universal Serial Bus (USB) do.
With POE, power can be supplied over Ethernet data cables along extensive cable runs, either on the same conductors as the data or on dedicated conductors in the same cable (Figure 42). USB data-plus-power connections are designed for runs of up to 5 m (16 ft), compared with POE’s reach of up to 100 m (330 ft), or even more with newer POE-plus developments.
Figure 42. Typical Power over Ethernet (POE) cable configuration.

UTM applications using POE enable Wireless Access Points, 3G/4G extenders, Voice over Internet Protocol (VoIP) handsets, and IP cameras to be connected to the network security platform while keeping those devices away from the system’s main power supplies. Depending on how it is applied, advantages of POE over other technologies include lower cost because power and data share one cable, the ability to remotely cycle appliance power, and fast data rates.

3G/4G. 3G/4G extenders integrate with UTM to provide a secure WAN connection for SMB and distributed enterprise locations, with the ability to serve as a secondary failover connection to the wired WAN link for business continuity or, if desired, as the primary WAN link.
UTM Functions

UTM provides a number of integrated functions beyond the scope of NGFW. Two of the most important address threats inherent in platform capabilities that users rely on daily in systems and networks of all sizes, from personal computers, to smartphones and phablets, to networks, data center operations, and automated business functions. In particular, these common threats (which continue to evolve with technology and with the ever wider integration of technology components into everyday devices) involve email and “surfing the Web.” You may have heard in many commercials, both online and in other media, the phrase “we have an app for that!” Fortunately, UTM has apps, or solutions, to help protect your networks from these continually evolving threats.

Antispam. One of the most widely used “buttons” in email applications is the one that lets users mark messages from a particular sender as “spam,” relegating them to a folder for which the user receives no alert when a message arrives and from which messages are often deleted automatically on a set schedule. UTM has an integrated anti-spam function as well, acting as a filter to block many threats, such as bots, many of which arrive in users’ mailboxes. The multiple anti-spam capabilities integrated into UTM may detect threats using a variety of methods, including:

Blocking known spam IP addresses to prevent receipt.
Blocking messages whose body contains any URL associated with known spam addresses.
Comparing message “hashes” against those of known spam messages. Messages that match may be blocked without knowledge of the actual message content.
Comparing the client IP address and sender email address to stored whitelist/blacklist profiles. Whitelist matches get through; blacklist matches are blocked.
Conducting a DNS lookup on the sender’s domain name to see whether the domain exists or is blacklisted.
Blocking email that matches keywords or key phrases in a banned word/phrase filter list. [9]
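To make the listed checks concrete, the following is an added example (not Fortinet’s code and not from the study guide) of a small anti-spam classifier that applies each method in turn to constructed messages. The blocklists, spam hashes, banned phrases and the DNS table are constructed stand-ins for the live feeds a UTM would consult, and the choice to let a whitelist match win before any other check is an assumption.

```python
"""Added example: a minimal anti-spam classifier applying the UTM methods listed above.
All lists, hashes and the 'DNS' table below are constructed sample data."""
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class Message:
    client_ip: str   # address of the connecting client (sending MTA)
    sender: str      # envelope/From address
    body: str


@dataclass
class SpamPolicy:
    blocked_ips: set = field(default_factory=set)       # known spam source IPs
    spam_url_hosts: set = field(default_factory=set)    # hosts of known spam URLs
    spam_hashes: set = field(default_factory=set)       # hashes of known spam bodies
    whitelist: set = field(default_factory=set)         # trusted senders or client IPs
    blacklist: set = field(default_factory=set)         # banned senders or client IPs
    dns_table: dict = field(default_factory=dict)       # stand-in for DNS/DNSBL lookups
    banned_phrases: list = field(default_factory=list)


URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def message_hash(body: str) -> str:
    """Hash of the normalised body so trivial case/whitespace changes still match."""
    normalised = " ".join(body.lower().split())
    return hashlib.sha256(normalised.encode()).hexdigest()


def classify(msg: Message, policy: SpamPolicy) -> tuple:
    """Return ("allow" | "block", reason). Whitelist is checked first and wins (assumption)."""
    sender = msg.sender.lower()
    if sender in policy.whitelist or msg.client_ip in policy.whitelist:
        return "allow", "whitelist"
    if sender in policy.blacklist or msg.client_ip in policy.blacklist:
        return "block", "blacklist"
    if msg.client_ip in policy.blocked_ips:
        return "block", "known spam ip"
    for host in URL_HOST_RE.findall(msg.body):
        if host.lower() in policy.spam_url_hosts:
            return "block", f"spam url host {host.lower()}"
    if message_hash(msg.body) in policy.spam_hashes:
        return "block", "known spam hash"
    domain = sender.rsplit("@", 1)[-1]
    status = policy.dns_table.get(domain)  # None stands for "domain does not resolve"
    if status is None:
        return "block", f"sender domain {domain} does not exist"
    if status == "blacklisted":
        return "block", f"sender domain {domain} is blacklisted"
    body_lower = msg.body.lower()
    for phrase in policy.banned_phrases:
        if phrase.lower() in body_lower:
            return "block", f"banned phrase '{phrase}'"
    return "allow", "no rule matched"


# Constructed policy and messages (documentation/test address ranges only).
KNOWN_SPAM_BODY = "You have WON a prize! Click now to claim."
SAMPLE_POLICY = SpamPolicy(
    blocked_ips={"203.0.113.77"},
    spam_url_hosts={"cheap-pills.example"},
    spam_hashes={message_hash(KNOWN_SPAM_BODY)},
    whitelist={"partner@example.com"},
    blacklist={"badguy@example.net"},
    dns_table={"example.com": "exists", "example.net": "exists",
               "spammer.example": "blacklisted"},
    banned_phrases=["act now", "free money"],
)
SAMPLE_MESSAGES = {
    "clean": Message("198.51.100.10", "alice@example.com", "Meeting moved to 3pm."),
    "whitelisted": Message("198.51.100.10", "partner@example.com", "Act now: Q3 numbers attached."),
    "bad_ip": Message("203.0.113.77", "bob@example.com", "hello"),
    "spam_url": Message("198.51.100.20", "carol@example.com", "see http://Cheap-Pills.example/offer"),
    "hash_match": Message("198.51.100.30", "dave@example.com", "you have  won a PRIZE! click now to claim."),
    "no_such_domain": Message("198.51.100.40", "eve@nonexistent.invalid", "hi"),
    "blacklisted_domain": Message("198.51.100.50", "frank@spammer.example", "hi"),
    "keyword": Message("198.51.100.60", "grace@example.com", "Free MONEY for everyone"),
}


def run_samples(policy=SAMPLE_POLICY, messages=SAMPLE_MESSAGES) -> dict:
    """Classify every sample message; returns {name: (verdict, reason)}."""
    return {name: classify(m, policy) for name, m in messages.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in run_samples().items():
        print(f"{name:20s} {verdict:5s} {reason}")
```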
Intrusion Prevention Systems (IPS). IPS performs a dual protection function. In the UTM environment, IPS protects the internal network from attacks that originate outside the network perimeter as well as from those that originate within the network itself. IPS is also discussed as a component of NGFW; in a UTM environment, the IPS component provides a range of security tools to both detect and block malicious activity, including:

Predefined signatures. A database of malicious attack signatures is included and is updated regularly to keep pace with newly identified threats.
Custom signatures. Customizable entries that extend the standard threat signature library to add protection against new, little-known, or unknown attacks.
Out-of-band mode. Also referred to as “one-arm IPS” mode, the component may be configured to operate only as an Intrusion Detection System (IDS), detecting but not acting upon identified threats and attacks. In this configuration, identified threats and attacks are analyzed on a separate switch port.
Packet logging. This feature provides the option to save network packets that match IPS signatures and analyze the log files with analysis tools. [9]
Where UTM Fits In…

UTM provides a scalable security solution for networks from SMB to large and distributed enterprise networks.

Figure 43. UTM scalability.

As network size and functional complexity grow, so must the capabilities of the security apparatus. One consideration for both SMBs and smaller remote offices tied to a corporate headquarters or central database is implementing UTM security as an all-in-one solution that provides flexible, future-ready security that is user-friendly and threat-complex. Figure 43 illustrates how UTM may be deployed to support satellite branches in a distributed enterprise network, while NGFW and ATP technology is maintained at the central office, where the staff and capability exist to monitor and manage security parameters at all network locations.
Figure 43 legend (text from the figure). Home Office / Administrator: Next Generation Firewall (NGFW) with Application Visibility & Control (identify and control applications on a network regardless of the port, protocol, or IP address used) and Advanced Threat Protection (ATP) (sophisticated on-device and cloud-based detection and mitigation techniques that block Advanced Persistent Threats (APTs), which target specific people or functions within an organization and use extensive evasion techniques to remain stealthy for long periods before exfiltrating data). Remotes: Unified Threat Management (UTM) with Content Security & Web Filtering (sophisticated filtering capabilities combined with a powerful policy engine and cloud-based model for a high-performance, flexible web content filtering solution), Antispam (real-time protection against spam), and IPS/IDS (Intrusion Detection and Prevention Systems that monitor, log, identify, and block malicious network activity).

UTM: Scalable Deployment

Because UTM may be configured to provide network security tailored to specific environments, it is designed for deployment across a broad range of organizational needs. The integrated hardware and software features of UTM make it ideal for SMB networks, while simultaneous control of wired, VPN, and wireless infrastructure components provides the means for distributed enterprise and select large enterprise deployments (Figure 44). Across these deployment environments, UTM provides enhanced and cost-effective network security options.

SMB networks. Simple controls and multiple scalable options. Provides control and scalable security for businesses with limited physical space and IT staff, or for branch offices where IT policy and control are managed from a central location (Figure 43).
Distributed enterprise networks. Simultaneous control of wired, VPN, and wireless infrastructure components, with centralized control and advanced features to run operations effectively up to a global scale.

Like many other sectors of the technology industry, UTM may be deployed in various ways. A common approach for vendors, following traditional hardware procurement paradigms, was to license UTM infrastructure based on the number of devices included in the deployment package; in other words, the standard was an “a la carte” menu of options. However, to give organizations wanting to upgrade to the UTM security model a better option, leading UTM companies developed a new licensing model that more closely reflects the “bundle” model offered by cable and DSL companies. Fortinet, recognized by Gartner as a leader in UTM development and implementation along with Check Point, offers a “bundle” concept that includes the purchased hardware, software updates, security feature updates for all included security components, and system support [8]. This not only simplifies licensing and reduces costs, but also enables better future budget planning for UTM system customers.
Figure 44. Fortinet’s concept of “Connected UTM.”
Summary

NGFW improved on the basic gatekeeping security of Edge Firewalls by introducing such features as IPS, Deep Packet Scanning, Network Application Identification and Control, and Access Enforcement. Beyond those capabilities, however, additional security functions meant additional appliances and software configurations, increasing operational complexity for the network administrator. Because increased operational complexity often results in processes being bypassed in the interest of time or because of administrator overload, a new, dynamic vision of a flexible, future-ready security solution was needed to meet the needs of today’s network environments and keep pace with, or think ahead of, the advanced threats of the future. This dynamic, integrated network security concept, Unified Threat Management (UTM), is in place today and ready for tomorrow’s evolving challenges. Overcoming the difficulties of patching together legacy systems with newer, state-of-the-art systems, UTM brings flexibility, vision, power, and control to networks from SMBs to large enterprises with international reach. Combining user-simple interfaces with threat-complex protections, as well as cost-effective procurement, operations, and support, UTM provides an optimum system to ensure continued network operations in a secure environment.
Module 4: Application Security

Because threats are constantly evolving, network security technologies and methods must evolve also. One of the most important points about application security is that threats, including such evils as bots, ransomware, Advanced Persistent Threats (APT), viruses, and spam, to name some recently prevalent ones, have a heavy content component and are not focused only on the physical and data link layers. In this context, content refers to the analysis of packet payloads and how they are transported, in particular layers 3 through 7 of the OSI Model (Table 3) [13].

Table 3. Comparative models for layers, protocols, and devices.
Because these threats focus on the application content component and its transport rather than on the link and physical components, firewalls designed to protect, load balance, and accelerate content between web servers are necessary. This type of appliance is the Web Application Firewall (WAF), designed to protect web applications and related database content [8]. To better understand the threats the WAF faces in protecting networks, an examination of the vulnerable areas targeted by application threats provides the necessary context.
Application Challenges to Meeting User Needs

With businesses relying increasingly on cloud-based applications, attention to the vulnerabilities of web-based applications is essential to system and network security. These applications reside deep in layer 7 of the OSI Model, discussed further in this module, but remain vulnerable to targeted attacks. Among these, Denial of Service (DoS) and, more importantly, Distributed Denial of Service (DDoS) attacks designed to inhibit use of such applications have evolved along with the technology, becoming much more sophisticated than early hacker methods. The mobility of modern business, combined with distributed enterprise networking, demands VPNs with secure access to resources. SSL VPNs establish connectivity at L4 & L5; information is encapsulated at L6 & L7. So these VPNs, and other forms of remote access to network resources, function in the top tiers of the OSI Model, known as the Application Layers when translated into the broader TCP/IP Model.
Table 4. Translation of ISO/OSI layers to TCP/IP model.
Secure Sockets Layer (SSL) traffic poses a challenge because legacy servers and load balancers cannot manage the increased loads caused by growing volumes of SSL traffic, which must be decrypted, scanned, and re-encrypted in order to detect malicious code attempting to sneak into the network inside encrypted data packets. Scalability is the ability of a system, network, or application to handle a growing volume of work efficiently or, if necessary, to be enlarged to accommodate growth. Scalability may be achieved through hardware, software, or a combination of both, improving availability and reliability by:

Managing data flow and workload across multiple servers to increase capacity.
Improving application response times through hardware upgrades or software solutions.
Reducing costs by optimizing resources through improved allocation.
Allocating data across multiple data centers to facilitate redundancy and recovery.
Application Layers: The OSI Model

The Open Systems Interconnection (OSI) model defines computer networks by functional levels. As the level increases, so does the complexity and critical nature of the data contained therein. A description of the OSI layers and their functions appears in Table 5.

Table 5. Function of network layers in OSI model.

7  Application   Application and end-user processes; application-specific data.
6  Presentation  Translates between application and network formats (syntax layer).
5  Session       Establishes, manages, and terminates connections between applications.
4  Transport     Transfer of data between end systems; error recovery and flow control.
3  Network       Switching and routing; virtual circuits to transmit between nodes.
2  Data Link     Data packets are encoded and decoded; transmission protocols.
1  Physical      The bit stream at the mechanical and electrical level.
Applications are what allow users to accomplish tasks using computer systems and networks without having to learn the complex languages needed to write their own code. Common applications include word processing, spreadsheet, and graphic design programs, email applications, games, and media, and may run across platforms from wired desktop systems to smartphones and myriad others. Many of these applications are now web-based, as discussed in the Module 1 section on Application Services such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
Application Vulnerabilities

Because threats are constantly evolving, network security technologies and methods must evolve also. An important point about modern and emerging threats is that they have a heavy content component focused beyond the physical and data link layers (L1 & L2). These content-focused threats include such current challenges as:

Bots
Viruses
Ransomware
Spam
Advanced Persistent Threats (APT)
…and others…

In this context, “content” refers to the analysis of packet payloads and how they are transported, particularly at layers 3, 4, & 7 of the OSI Model. Widespread use of applications creates commonality between business users and private consumers, so an application threat can recur repeatedly if it infects the systems of multiple private users who interface with organizational networks. Infection may come from innocuous sources such as customers, clients, or BYOD users who fail to perform regular security screening of their equipment. It may also come from a dedicated effort by an outside competitor, malcontent, or hacker to harm the organization.

OWASP

Fortunately, a global project exists to assist application developers and system/network security administrators in identifying and understanding prevalent and emerging application security threats. This is the Open Web Application Security Project (OWASP), which is also supported by an OWASP Foundation in the United States.

“OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security… Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology.” [14]

One of OWASP’s primary efforts is cataloging and ranking the most prevalent threats in web applications. A comparison of the 2010 and 2013 findings appears in Table 6 [27].
Table 6. OWASP top 10 2010 vs. 2013 comparison.

Over the prior four years, OWASP found consistency among the top four application threats to system and network security:

SQL Injection
Broken Authentication & Session Mgmt
Cross-site Scripting (XSS)
Insecure Direct Object References

Of note, the OWASP analysis also shows which threats have increased and which have declined, indicating trends that may help security administrators determine the most effective system and network configurations.

SQL Injection. Insertion or injection of an SQL query via input data from the client to the application. This type of attack may allow attackers to spoof identities, tamper with or delete data, change or void transactions of various types, disclose the entire contents of the system’s database, destroy it or make it unavailable, or even become a new database server administrator. It is common with PHP and ASP applications and less likely with J2EE and ASP.NET applications. Severity depends on the attacker’s creativity and computer skills, but has the potential to be devastating. SQL Injection is a high-impact threat.

Cross-site Scripting (XSS). Also referred to as XSS Injection: malicious scripts are injected into otherwise benign and trusted web sites, generally in the form of browser-side scripts transmitted to end users. Because the end user’s browser regards the site as trusted, it executes the script, allowing access to any cookies, session tokens, or other information retained by the browser and used with the site. Some of these scripts are even capable of rewriting the content of HTML pages.
Broken Authentication & Session Management. This area covers all aspects of user authentication and active session management. Even robust authentication protocols may be undermined by flawed credential-management functions, such as password changing, “forgot my password” and “remember my password” options, account update options, and similar functions. The issue is complicated by the fact that many developers prefer to create their own session tokens. Depending on the creator’s skill, those tokens may not be properly protected, steps may not be in place to protect them throughout the application’s life cycle, and if they are not protected with SSL and against other flaws (such as XSS), an attacker may hijack the user’s session and assume that user’s identity.

Insecure Direct Object References. When an application provides direct access to objects based on user-supplied input, attackers may bypass authorization and access resources in the system directly by modifying the parameter values that point to those objects. These resources may include valuable data such as databases and organizational files, or any other type of information stored on the system. The application simply takes the user’s supplied input and uses it to retrieve data as though the attacker were the authorized user.

Individual, targeted attacks are often manageable and, in many cases, traceable. Such attacks aim increasingly at denying use of a network to outside users, an attack known as Denial of Service (DoS). However, with the continued evolution of networking for both productive purposes and malicious intentions, the prospect of coordinated network attacks from multiple sources presents an even more critical challenge to continued secure and uninterrupted network operations.
These simultaneous coordinated attacks target a network from a number of outside systems, referred to as a Distributed Denial of Service (DDoS), which will be addressed in the following section.
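Two of the top-four flaws described above, SQL Injection and Insecure Direct Object References, both come down to trusting client input, and the defence is the same in shape: keep input out of the query text and make authorization part of the lookup. The following is an added example (not from the study guide or OWASP) that shows each flaw beside its fix against a constructed in-memory SQLite database; the table layout, the user and invoice rows, and the function names are assumptions for the demonstration.

```python
"""Added example: SQL Injection and Insecure Direct Object Reference, each beside
its corrected form, on a constructed in-memory SQLite database."""
import sqlite3


def make_db():
    """Constructed sample data: two users, one invoice each."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, amount REAL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", [(10, 1, 120.0), (11, 2, 999.0)])
    return conn


# --- SQL Injection ---------------------------------------------------------
def find_user_vulnerable(conn, name):
    """Client input is pasted into the SQL text, so it can change the query's logic."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterised query: the driver passes name as a value, never as SQL syntax."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


# --- Insecure Direct Object Reference -------------------------------------
def get_invoice_vulnerable(conn, requester_id, invoice_id):
    """Returns whatever id the client asked for; ownership is never checked."""
    return conn.execute("SELECT id, owner_id, amount FROM invoices WHERE id = ?",
                        (invoice_id,)).fetchone()


def get_invoice_safe(conn, requester_id, invoice_id):
    """Authorization is part of the query: the row must belong to the requester."""
    return conn.execute(
        "SELECT id, owner_id, amount FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, requester_id)).fetchone()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"   # the textbook always-true input
    print("vulnerable lookup:", find_user_vulnerable(db, probe))  # every user row
    print("safe lookup:      ", find_user_safe(db, probe))        # no such user
    print("bob's invoice requested as alice, vulnerable:", get_invoice_vulnerable(db, 1, 11))
    print("bob's invoice requested as alice, safe:      ", get_invoice_safe(db, 1, 11))
```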
Distributed Denial of Service (DDoS)

A malicious act designed to deny a legitimate user access to a system, network, application, or information is called Denial-of-Service (DoS). In a Distributed Denial-of-Service (DDoS) attack, the malicious act originates from a large number of systems. DDoS attacks are most often launched from a single system that uses a large remote network to actually conduct the attack [15]. A basic DDoS method is the Smurf Attack, where the hacker sends a ping packet to a large network while spoofing the target system’s address as the packet’s source address, in order to overload the target system. A more sophisticated DDoS method is the Low-Orbit Ion Cannon (LOIC), which lets hackers allow others to temporarily use their own systems as slaves in a DDoS attack. A more detailed discussion of DDoS attacks follows the notional DDoS architecture illustration in Figure 45.

Referring back to the classifications illustrated in Table 3 (page 50), attacks on the content components of systems and networks focus on ISO/OSI Model layers 3, 4, and 7 application services. Although layers 3, 4, and 7 are all at risk from DDoS attacks, attacks against layer 7 are often detected through their effect on the associated port in layer 4, which the attack uses as a way to sneak undetected into layer 7 to accomplish its malicious task. As an analogy, one may think of the attack on layer 7 as riding like a signal on a carrier wave into layer 4. As a result, most recommended parameter adjustments focus on layers 3 and 4, while the events to watch include a broader range of indicators.
Figure 45. DDoS architecture.

DDoS attacks have a wide range of methods, from simple to complex, from a single hacker using a single system to a network of hackers coordinating multiple systems. Common types of DDoS attacks include the SYN flood, ICMP flood, and Zombie attack. In each case, the DDoS relies on overloading the network’s capability to process seemingly valid traffic, resulting in denial of service. These attacks are referred to as volumetric attacks because of their focus on overloading the network in order to deny service.
SYN Flood. This attack consists of an excessive number of packets directed to a specific TCP port. In most cases, the source address is spoofed (Figure 46).
Figure 46. SYN Flood DDoS attack.
ICMP Flood. This attack results from an excessive number of ICMP packets targeting the network (Figure 47).
Figure 47. ICMP Flood DDoS attack.
Zombie Attack. This attack results when too many legitimate IP sources send valid TCP packets to the network (Figure 48).
Figure 48. Zombie DDoS attack.

The common thread in each of these DDoS attacks is the flooding of the network with seemingly valid inputs in a way that slows, stalls, or shuts down the network’s ability to operate. For each of these attacks, threshold monitoring and adjustments for layer 3 and 4 protocols, ports, and SYN packets may allow network administrators to detect and counter DDoS efforts against layers 3, 4, and 7 and keep the network from extended downtime. Even with the global trend toward increasing IPv6 traffic, DDoS attacks above the 50 Mbps benchmark are rare. South Korea’s average network speed leads the world at 24.6 Mbps, with Hong Kong a distant second at 15.7 Mbps; the US ranks 14th at 11.4 Mbps. As the shift from IPv4 to IPv6 traffic moves forward, the incidence of DDoS attacks appears to be inversely proportional to IPv6 network growth [16]. This may indicate that the average network speeds available through IPv6 are making the cost and coordination of DDoS more difficult, or prohibitively costly in some cases.
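The threshold monitoring just described can be made concrete. The following is an added example (not from the study guide or any FortiGate feature) that buckets constructed client-to-server packet records into one-second windows and tells the three flood types apart by the layer 3 and 4 features the text names: SYN rate per port and whether the SYN sources ever complete a handshake, ICMP volume, and the number of distinct sources completing valid TCP handshakes. The packet fields, thresholds and sample traffic are all constructed for the demonstration.

```python
"""Added example: per-window threshold detection that separates SYN flood, ICMP
flood and Zombie traffic in constructed packet records (client -> server only)."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds
    src: str         # client address as seen by the protected network
    dst_port: int    # 0 for ICMP
    proto: str       # "tcp" or "icmp"
    flags: str = ""  # TCP flags sent by the client: "S" = SYN, "A" = ACK


@dataclass
class Thresholds:
    # Constructed demo values; real limits are tuned to the link and server pool.
    syn_per_sec: int = 100          # SYNs to one port per second
    icmp_per_sec: int = 100         # ICMP packets per second
    tcp_sources_per_sec: int = 50   # distinct sources completing a handshake per second
    half_open_ratio: float = 0.9    # share of SYN sources that never send an ACK


def detect(packets, thresholds=Thresholds(), window=1.0):
    """Return [(window_start, kind, detail)] for every window that breaks a threshold."""
    buckets = defaultdict(list)
    for p in packets:
        buckets[int(p.ts // window)].append(p)

    alerts = []
    for b in sorted(buckets):
        pkts = buckets[b]
        start = b * window
        syns = [p for p in pkts if p.proto == "tcp" and p.flags == "S"]
        ack_sources = {p.src for p in pkts if p.proto == "tcp" and "A" in p.flags}
        icmp = [p for p in pkts if p.proto == "icmp"]

        # SYN flood: high SYN rate to one port and almost no SYN source ever
        # completes the handshake, the mark of spoofed source addresses.
        for port, n in Counter(p.dst_port for p in syns).items():
            sources = {p.src for p in syns if p.dst_port == port}
            half_open = len(sources - ack_sources) / len(sources)
            if n / window > thresholds.syn_per_sec and half_open >= thresholds.half_open_ratio:
                alerts.append((start, "syn_flood",
                               f"port {port}: {n} SYNs from {len(sources)} sources, "
                               f"{half_open:.0%} never ACK"))

        # ICMP flood: sheer ICMP volume, regardless of how many sources send it.
        if len(icmp) / window > thresholds.icmp_per_sec:
            alerts.append((start, "icmp_flood",
                           f"{len(icmp)} ICMP packets from {len({p.src for p in icmp})} sources"))

        # Zombie attack: every source behaves like a valid client (SYN then ACK),
        # so only the count of distinct completing sources gives it away.
        valid_sources = {p.src for p in syns} & ack_sources
        if len(valid_sources) / window > thresholds.tcp_sources_per_sec:
            alerts.append((start, "zombie",
                           f"{len(valid_sources)} distinct sources completed TCP handshakes"))
    return alerts


def synth_traffic():
    """Constructed traffic: one normal second, then one second of each flood type."""
    pkts = []
    for i in range(20):                                   # 0-1 s: 20 normal clients
        src = f"198.51.100.{i + 1}"
        pkts.append(Packet(0.1 + i * 0.01, src, 443, "tcp", "S"))
        pkts.append(Packet(0.2 + i * 0.01, src, 443, "tcp", "A"))
    for i in range(5):
        pkts.append(Packet(0.5 + i * 0.01, "198.51.100.200", 0, "icmp"))
    for i in range(300):                                  # 1-2 s: SYN flood, spoofed sources
        pkts.append(Packet(1.0 + i * 0.001, f"10.0.{i // 256}.{i % 256}", 80, "tcp", "S"))
    for i in range(500):                                  # 2-3 s: ICMP flood from 10 hosts
        pkts.append(Packet(2.0 + i * 0.001, f"10.1.0.{i % 10 + 1}", 0, "icmp"))
    for i in range(120):                                  # 3-4 s: zombies with valid handshakes
        src = f"172.16.{i // 256}.{i % 256}"
        pkts.append(Packet(3.0 + i * 0.002, src, 443, "tcp", "S"))
        pkts.append(Packet(3.5 + i * 0.002, src, 443, "tcp", "A"))
    return pkts


if __name__ == "__main__":
    for start, kind, detail in detect(synth_traffic()):
        print(f"t={start:4.1f}s  {kind:10s} {detail}")
```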
Application Security Solutions

The Next Generation Firewall (NGFW) [Module 2] and Unified Threat Management (UTM) [Module 3] brought enhanced capabilities to network security. An important tool in protecting the network is the Intrusion Prevention System (IPS), which looks beyond port and protocol to examine the signature, or actual content, of network traffic to identify and stop threats. FortiGate NGFW and UTM appliances, using enhanced capabilities such as Advanced Threat Protection (ATP), protect the L3 & L4 regions of the network against DDoS attacks by combining hardware and programmable software solutions that target modern and emerging threats. In addition to protection against L3 & L4 threats, the enhanced NGFW and UTM capabilities also include L4 routing and load balancing to increase the efficiency and availability of application traffic in the network. Beyond NGFW and UTM as stand-alone capabilities, using these appliances in concert with other network security capabilities provides additional end-to-end protection that is both scalable and future-ready. The capabilities discussed in the following sections add critical security solutions that protect against DDoS attacks and protect L3, L4, and L7 functions.

Application Delivery Controllers (ADC)

Application Delivery Controllers (ADC) are network devices that manage client interfaces to complex Web and enterprise applications, beyond the scope of SMB and home office applications. An ADC functions primarily as a server load balancer, optimizing end-user system performance and reliability through increased Gbps of L4 throughput, accessibility to data center resources, and enterprise application security. ADCs are deployed in data centers, strategically placed behind the firewall and in front of the application server(s), acting as the point of control for application security and providing authentication, authorization, and accounting (AAA) [17].
Figure 49. Application Delivery Controller (ADC).

The ADC is part of a larger process that makes applications available, responsive, and secure for users. This end-to-end model is called the Application Delivery Network (ADN), consisting of an application delivery controller, a firewall, and a link load balancer. Figure 50 illustrates a typical ADN infrastructure.
Application Delivery Network (ADN)

The ADN is divided into three elements: a server side, a security core, and an outer perimeter. Each of these elements performs functions that enable user access to applications (Figure 50):
Figure 50. Typical Application Delivery Network (ADN) infrastructure.

Server Side. When applications outgrow a single server, an ADC manages multiple servers to run the application across them, essentially creating a single virtual server. Once the ADC selects the best server for the application, it uses Connection Persistence to maintain the connection to the original server where the transaction began. The ADC routes traffic to the best available server based on configurable rules, and also offers options to offload encrypted traffic and to perform HTTP compression for bandwidth reduction. SSL offloading does not protect against DDoS attacks; however, the ADC may reduce the need for additional servers by as much as 25%.

Security Core. This element is where the tools and services that defend applications from threats reside. Capabilities include a strong firewall, VPN, AV/antimalware scanning, and other security features, which may include NGFW with IPS and deep packet scanning, application control, and user access policies to enhance protection.

Outer Perimeter. Basic Link Load Balancing (LLB) manages bandwidth and redundancy using multiple WAN links. If application use includes access to multiple data centers for operations such as disaster recovery, Global Server Load Balancing (GSLB) uses a DNS-based resolution platform to route traffic between multiple data centers, allowing either automatic or programmable data center routing based on infrastructure performance needs.
ADC: Solutions and Benefits Part I

An advanced, modern ADC provides enhanced capabilities that bring both security and efficiency to networks. The capabilities brought by ADCs to the Server Side of the ADN include:

Server Load Balancing. The ADC allows the use of software-based intelligent load balancing to improve on hardware-based simple load balancing. This not only provides a path to open server capacity, but also matches the best server to the incoming traffic based on programmed policies and application-layer knowledge that supports business requirements (Figure 51). Benefits. Because the ADC continuously health-checks network servers, routes traffic only to online devices, and routes to the best-performing devices using intelligent load balancing, Server Load Balancing provides a 25% increase in capacity and reduces server hardware requirements by 25% over traditional DNS round-robin configurations.
Figure 51. Intelligent Load Balancing.

L7 Content Routing. By designating different servers for different types of data functions, the ADC may be configured to route traffic to the server(s) best configured to process applications based on their specific needs (Figure 51).

Benefits. By using L7 content routing, the ADC can optimize data center resources while protecting the network and applications from security threats.

Connection Persistence. This capability is critical to transaction-based applications. For example, if you begin a transaction, add an item to your virtual shopping cart, and are then load balanced to a different server for checkout without a persistent connection back to the original server, your cart will be empty at checkout. The ADC uses session state carried in HTTP headers and cookies to ensure that users and servers remain persistent throughout the transaction.

Benefits. By maintaining a persistent connection to the original server that started the transaction, the transaction may be completed without loss of data or loss of connection.
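As an added illustration of the three Server Side capabilities just described (health-checked intelligent load balancing, L7 content routing, and cookie-based connection persistence), the following Python sketch is example code written for this guide; it is not Fortinet's or any ADC product's implementation. The backend names and pools, the cookie name ADC_SRV, and the secret used to derive the persistence token are all assumptions. The cookie carries an opaque HMAC-derived token rather than the server's name, so the client never learns which server sits behind the ADC, and a cookie that names a server that has since failed its health check falls through to normal balancing instead of producing an error.

```python
# Added example (not from the study guide or Fortinet): an ADC-style server
# selector showing health-checked load balancing, L7 content routing, and
# cookie-based connection persistence. Names and the cookie name are assumptions.
import hashlib
import hmac
from dataclasses import dataclass, field

PERSIST_COOKIE = "ADC_SRV"                    # assumed cookie name
PERSIST_SECRET = b"constructed-demo-secret"   # constructed; a real deployment uses a managed secret


@dataclass
class Backend:
    name: str
    pool: str                 # "app" or "static": the L7 routing target
    healthy: bool = True      # result of the last health check
    active_conns: int = 0     # used for least-connections selection


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)


def persist_token(name: str) -> str:
    """Opaque token for a backend so the cookie reveals no server name or IP."""
    return hmac.new(PERSIST_SECRET, name.encode(), hashlib.sha256).hexdigest()[:16]


def pool_for(path: str) -> str:
    """L7 content routing: static assets go to the static pool, everything else to app servers."""
    if path.startswith("/static/") or path.endswith((".jpg", ".png", ".css", ".js")):
        return "static"
    return "app"


class Adc:
    def __init__(self, backends):
        self.backends = list(backends)
        self._by_token = {persist_token(b.name): b for b in self.backends}

    def select(self, req: Request) -> Backend:
        pool = pool_for(req.path)
        # 1. Connection persistence: honour the cookie only if that server is still
        #    healthy and serves this pool; otherwise fall through to balancing.
        sticky = self._by_token.get(req.cookies.get(PERSIST_COOKIE, ""))
        if sticky is not None and sticky.healthy and sticky.pool == pool:
            return sticky
        # 2. Health checks: only online servers in the right pool are candidates.
        candidates = [b for b in self.backends if b.healthy and b.pool == pool]
        if not candidates:
            raise RuntimeError(f"no healthy server in pool {pool!r}")
        # 3. Intelligent balancing: least active connections wins. DNS round-robin
        #    ignores server load and server health; this does not.
        return min(candidates, key=lambda b: b.active_conns)

    def handle(self, req: Request):
        """Route one request; returns (server name, response headers to send)."""
        server = self.select(req)
        server.active_conns += 1
        cookie = f"{PERSIST_COOKIE}={persist_token(server.name)}; Path=/; Secure; HttpOnly"
        return server.name, {"Set-Cookie": cookie}


def demo():
    """Constructed scenario: a cart is started on one server and checkout must
    return to that server even though another server is now less loaded."""
    adc = Adc([
        Backend("app1", "app", active_conns=4),
        Backend("app2", "app", active_conns=1),
        Backend("app3", "app", healthy=False),   # failed its health check
        Backend("static1", "static"),
    ])
    first, headers = adc.handle(Request("/cart/add"))          # least loaded: app2
    cookie = headers["Set-Cookie"].split(";")[0].split("=", 1)[1]
    adc.backends[1].active_conns = 9                            # app2 is now the busiest
    checkout, _ = adc.handle(Request("/checkout", {PERSIST_COOKIE: cookie}))
    image, _ = adc.handle(Request("/static/logo.jpg", {PERSIST_COOKIE: cookie}))
    adc.backends[1].healthy = False                             # app2 goes down mid-session
    failover, _ = adc.handle(Request("/checkout", {PERSIST_COOKIE: cookie}))
    return first, checkout, image, failover


if __name__ == "__main__":
    print(demo())   # ('app2', 'app2', 'static1', 'app1')
```

The failover branch is the part worth noting from a security-operations view: persistence is a preference, not an override, so a server that fails its health check is never selected even when a client still presents its cookie.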
SSL Offloading/Acceleration. SSL traffic may overload servers, reducing capacity to the range of hundreds of transactions per second (TPS). By offloading and accelerating SSL encryption, decryption, and certificate management from the servers, the ADC lets web and application servers focus CPU and memory resources on delivering application content, responding more quickly to user requests. This offloading boosts capacity to tens of thousands of TPS, pushes HTTPS to servers, and HTTPS to users (Figure 52).

Benefits. SSL offloading and acceleration provides a 100X increase in traffic flow, reducing the need for additional servers in order to accommodate data volume.
Figure 52. SSL offloading and HTTP compression.

HTTP Compression. As the number of network users grows, application programming becomes more complex, and data sets become larger, one of the resulting challenges is bandwidth limitation. One way an ADC reduces bandwidth constraints is through HTTP compression, which removes non-essential data from the traffic traversing network links between servers and user web browsers (Figure 52).

Benefits. By reducing bandwidth demands, HTTP compression increases throughput capability, improving data flow efficiency to the user.

In addition to the ADC, the ADN includes a firewall component that provides security for traffic flowing between the server side and the outer perimeter. To accomplish this function in a content-focused, application-level environment, the ADN uses a Web Application Firewall (WAF).
Web Application Firewall (WAF) Characteristics

Essential for businesses that host web-based applications, Web Application Firewalls (WAFs) deployed in the data center provide protection, load balancing, and content acceleration to and from web servers. The primary use of WAFs is to protect web-based applications from attacks that attempt to exploit vulnerabilities (Figure 53). They protect web applications and associated database content through WAF vulnerability scanning, mitigating prevalent threats such as cross-site scripting (XSS), buffer overflows, denial of service (DoS), SQL injection, and cookie poisoning, as well as focusing on the OWASP Top 10 web application vulnerabilities [8].
Figure 53. Web Application Firewall (WAF).

The question may be asked why the NGFW or IPS cannot mitigate these threats. As discussed in modules 2 and 3, IPS signatures only detect known problems, may produce false positives, do not protect against threats embedded in SSL traffic, and have no application or user awareness. Basic firewalls look for network-based attacks, not application-based attacks. For these reasons, the Web Application Firewall (WAF) adds critical protections to the network security arsenal (Table 7).

Table 7. Web Application Firewall (WAF) application-level security measures.
Heuristics

One of the key features that enables WAFs to counter DDoS threats is heuristic—or behavior-based—analysis. Behavior-based DDoS protection measures, however, require different mitigating parameters than content-based protections. Some of these protection measures include configuring systems to identify potential threats based on source volume (intent vs. content), ping rates (hardcoded vs. custom), packet dimensions (coarse vs. granular), and trend-matching (fixed vs. adaptive). When using these behavior-based DDoS protection measures—focusing on traffic characteristics rather than content—policies do not require threat signature updates the way content-based measures do.
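To make the "source volume" and "fixed vs. adaptive" distinctions concrete, here is an added Python example written for this guide (not code from the study guide or from any WAF product). It counts requests per source over a sliding window and flags abusive sources three ways: against a hardcoded limit, against an adaptive limit derived from how all sources behave in that window, and by trend, comparing each source with its own volume in the previous window. The flow records, addresses and thresholds are constructed; a real deployment would tune the window and the k factor to its own baseline.

```python
# Added example (not from the study guide or any vendor product): behaviour-based
# detection of abusive source volume over a sliding time window, comparing a fixed
# threshold with an adaptive one derived from the observed distribution. Flow
# records and addresses below are constructed.
from collections import Counter
from statistics import mean, pstdev

WINDOW_SECONDS = 60


def counts_in_window(events, window_start, window_len=WINDOW_SECONDS):
    """events: iterable of (timestamp_seconds, source_ip). Returns per-source
    request counts inside [window_start, window_start + window_len)."""
    window_end = window_start + window_len
    return Counter(src for ts, src in events if window_start <= ts < window_end)


def flag_fixed(counts, limit):
    """Fixed (hardcoded) threshold: any source above `limit` requests per window."""
    return sorted(src for src, n in counts.items() if n > limit)


def flag_adaptive(counts, k=2.0):
    """Adaptive threshold: sources more than k standard deviations above the
    mean of all sources in the window. Needs at least two sources to be meaningful."""
    values = list(counts.values())
    if len(values) < 2:
        return []
    limit = mean(values) + k * pstdev(values)
    return sorted(src for src, n in counts.items() if n > limit)


def flag_trend(prev_counts, counts, ratio=5.0, floor=20):
    """Trend matching: sources whose volume jumped by `ratio`x versus the
    previous window (ignoring small counts below `floor` to avoid noise)."""
    flagged = []
    for src, n in counts.items():
        before = prev_counts.get(src, 0)
        if n >= floor and n > ratio * max(before, 1):
            flagged.append(src)
    return sorted(flagged)


def constructed_events():
    """Ten normal clients sending 5 requests each per minute, plus one source
    that sends 120 requests in the second minute only (constructed data)."""
    events = []
    for minute in (0, 60):
        for i in range(1, 11):
            events += [(minute + t, f"10.0.0.{i}") for t in range(0, 60, 12)]
    events += [(60 + t / 2, "203.0.113.7") for t in range(120)]
    return events


def analyse(events=None):
    """Run all three detectors on the second minute of traffic."""
    events = constructed_events() if events is None else events
    prev = counts_in_window(events, 0)
    cur = counts_in_window(events, 60)
    return {
        "fixed": flag_fixed(cur, limit=50),
        "adaptive": flag_adaptive(cur),
        "trend": flag_trend(prev, cur),
    }


if __name__ == "__main__":
    print(analyse())
```

The fixed limit is the easiest to reason about but has to be re-tuned as legitimate traffic grows; the adaptive limit follows the population, which is why the study guide contrasts the two, and the trend check catches a source that was quiet a minute ago regardless of what the rest of the population is doing.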
WAFs and PCI DSS Compliance

In the increasingly technology-driven and mobile lifestyle of the 21st century, the ability to provide secure data transactions is not limited to considerations of data and program corruption, throughput limitations, or network operational parameters in the strict sense of providing digital pathways and storage. Additional considerations regarding Personally Identifiable Information (PII), credit security, and other personal account and data safety are regulated from outside the technology sector. The Payment Card Industry Data Security Standard (PCI DSS) sets requirements for security practices that apply to any vendors or organizations that process, store, or transmit cardholder data. Also regulated by government agencies and enforceable with fines of up to $10,000 per breach, the PCI DSS program is a necessary consideration for most of the technology industry.

The PCI Data Security Standard consists of 12 requirements covering 6 common-sense goals that reflect security best practices. Table 8 depicts the current standards for PCI data security compliance [18]. Of the 6 goals listed, goal number 3 most closely influences the ability of the network to maintain secure operations and effective monitoring against DDoS and other malicious threats to network security. Of course, all appliances, software, policies, and processes within the control of the network administrator should be regularly monitored and updated against modern, advanced, and emerging complex threats.

Table 8: Payment Card Industry Data Security Standards (PCI DSS).
ADC: Solutions and Benefits Part II

While the modern ADC provides enhanced capabilities to the Server Side of the ADN, an ADC also provides capabilities to the Outer Perimeter function of the ADN, which include:

Disaster Recovery. This capability of the ADC provides redundancy while scaling applications across multiple data centers. This DNS-based function uses Global Server Load Balancing (GSLB) smart routing between data centers according to configurable business rules, with an automatic response that switches between data centers for disaster recovery when a data center or connectivity link becomes unavailable (Figure 54).

Benefits. The disaster recovery and GSLB features provide important network security capabilities. The automatic switching feature provides the ability to survive data center or transmission link outages while ensuring data is automatically recovered. Because of intelligent switching, users are rerouted to the next best data center for their needs, making the process seamless to the end user.
Figure 54. Global Server Load Balancing (GSLB).

Mask Server IPs. A challenge to keeping individual servers secure from threats is segregating them from access by unauthorized users. One method to accomplish this is to mask the individual server ID by rewriting content—such as headers and other identifying information—to a single IP address when data is transmitted outside the internal network (Figure 55).

Benefits. By masking individual server IDs behind the ID of the ADC that routes data to the individual servers, all data flows through the ADC, reducing the chances for external threats to gain access to individual servers without passing through network security inspections.
Figure 55. Server ID masking with ADC.

Quality of Service (QoS). One of the challenges of the seemingly constant increase in data traffic, as society becomes more mobile and more web- and application-enabled, is identifying and prioritizing important traffic over routine or less important traffic. QoS is managed by configuring rules and policies for traffic policing, traffic shaping, and queuing that ensure the most important traffic for the organization is prioritized above other data.

Benefits. QoS results in higher quality data flow for the most critical traffic based on organization priorities, whether it be VoIP for sales and customer support, eCommerce transactions, or corporate file transfers. By setting the appropriate rules and policies in the ADC, organization and user quality of service—and efficiency and satisfaction—may be enhanced.

Link Load Balancing (LLB). LLB addresses the issues of bandwidth and redundancy by using multiple WAN links. A link load balancer connects many WAN links to the network and routes inbound and outbound traffic based on criteria like availability, performance, or business rules to use the lowest-cost links. If a link should fail, traffic is routed to the others to ensure your application remains available to users.

Benefits. LLB provides redundancy to maintain application availability by rerouting traffic to users via another available link. By selectively routing traffic over the most available and appropriate links based on programmed rules and policies, LLB optimizes bandwidth use, reducing bandwidth needs. These two features both serve to improve application response times to users.
Summary

Because applications are a primary method by which users of all types create, access, transmit, and store data, application security is a critical concern for modern and future technology—from personal to corporate use, handhelds to mainframes, and small to multinational global scopes. Application threats evolve along with applications and technology. Complex threats—such as Distributed Denial of Service (DDoS) attacks—require new and robust protections and countermeasures. Developments like IPv6, Web Application Firewalls (WAF), and the use of Application Delivery Controllers (ADC) in integrated Application Delivery Networks (ADN) provide layered defenses to protect the integrity and operability of application functions at OSI layers 3-7. Building on these protections and those discussed in previous modules, the final module will focus on management of security apparatus and the importance of analytics in network management.
Module 5: Management and Analytics

Modules 1-4 provide insight into how hardware and software development work to protect systems and networks from modern and emerging threats. This continued technology evolution allows users to conduct business, participate in commerce, maintain communications across the globe, and manage personal affairs with minimal interruption or threat of critical information vulnerability and loss. This module discusses how effective management through the use of analytic tools allows system and network administrators to optimize the secure environment users have come to expect—and upon which businesses and global commerce rely.
Security Management

Simply stated, security management exists at the region where the scopes of IT security and IT operations meet. As organizational structures grow in size and complexity, the tendency is for more network resources—machines, servers, routers, etc.—to be deployed. As the network grows, so does the scope of potential threats to the secure and efficient operation of the network in meeting organizational goals. With the global nature of modern business and e-commerce, the sheer number of branch and remote locations—and managed devices—makes consolidated network security management essential for effective IT administration. To this end, the primary goal of security management is to reduce security risks by ensuring that systems are properly configured—or hardened—to meet internal, regulatory, and/or compliance standards. Security management is a software-based solution that integrates three primary elements:

Vulnerability Assessment. Network security analysis designed to identify critical IT security weaknesses that a cyber-attacker could exploit.

Automated Remediation. Allows automated correction of faults or deficiencies—vulnerabilities—identified in the assessment process. Provides reports and tools to track vulnerabilities that must be remediated manually.

Configuration Management. Evaluates the security of a network's critical servers, operating systems, application-level security issues, and administrative and technical controls, and identifies potential and actual weaknesses, with recommended countermeasures.

IT managers face challenges that range from simple malicious code to threats hidden in encrypted packets designed to target cloud-based applications. Modern and emerging threats present dynamic and potentially complex challenges to network security, demanding comprehensive, complex security solutions.
Unfortunately, studies have shown that the more complex administrative functions become, the less likely network administrators are to give the requisite attention to the various apparatus and displays. For this reason, consolidated security management in a single console that enables monitoring and management of network security was developed. Through this integrated monitoring and control solution, IT managers may address the following issues:
Device Configuration. Manages the configuration of each device on the network and maintains the system-level configuration required to manage the network environment. This includes monitoring device firmware to ensure it is kept up to date.

Firewall Policy. Provides viewing and modification of firewall configurations—access rules and inspection rules—in the context of the interfaces whose traffic is filtered.

Content Security Policy. A computer security concept to prevent cross-site scripting (XSS) and related application-level attacks. It provides a standard HTTP header allowing website administrators to specify the approved sources of content that browsers may load on designated pages. Covered types include JavaScript, CSS, HTML frames, fonts, images, and embeddable objects like Java applets, ActiveX, audio, and video files.

A conceptual diagram of security management is illustrated in Figure 56 below:

[Figure 56 diagram: SM Analyst, SM Console, SM Database, SM – Monitored Devices]
Figure 56. Security Management (SM) conceptual diagram.

The primary goal is to provide high availability for the network, implying redundancy and fault tolerance managed by the network security solution. In small and medium business (SMB) networks and many large and distributed enterprise networks, network security may be provided by a managed security service provider (MSSP) for a number of reasons—as discussed in Module 1. To facilitate effective network security management, MSSPs and network administrators must have access to essential features that enable them to protect the network as a whole and the data contained therein. Three principles drive these essential features: segmentation, scalability, and high performance.

Segmentation. Multi-tenancy architecture is one in which a single instance of a software application serves multiple customers, with each customer referred to as a tenant. The key purpose of multi-tenancy is segmenting customers in a managed service provider environment. Tenants have limited capabilities within the application, such as choosing interface colors or business rules, but have no access to application code. Administrative domains (ADOMs) are virtual domains used to isolate devices and user accounts. This gives regular user accounts visibility only into devices and data that are specific to their ADOM, such as a geographic location or business division.

Scalability. Virtual firewall positioning and deployment. Very few organizations use 100% physical or 100% virtual IT infrastructure, necessitating deployment of interoperable hardware and virtual appliances in security strategies. For both of these firewall options, control through a centralized panel provides ease of operation to security administrators while enabling the use of complex measures to counter modern and emerging complex threats. Virtual domains (VDOMs) were introduced by Fortinet in 2004 and offer virtualized security from SMB to large and distributed enterprise networks through rapid deployment within existing virtual infrastructures. [8]

High Performance. Because security management spans the scope from home networks to SMB to large and distributed enterprise networks, security management must be customizable to meet the needs of each level of operation. For example, the Application Program Interface (API) specifies how software components should interact and is used when programming the graphical user interface (GUI), allowing visibility of the customized network functions. Automation is especially important for large and distributed enterprise networks, providing an automated workflow that enables users to approve, deny, defer, or even execute remediation of configuration errors, potentially saving considerable time and effort.

Managing the Security Console

Network security management includes both hardware and software appliances and virtual machine (VM) capabilities.
They may be deployed as physical network security appliances, virtual appliances, or software packages. Flexible interfacing allows IT administrators to address the management system via a command line interface, a web-based graphical user interface, or programmatically using JSON/XML requests (scripting, customization, etc.). This provides network security flexibility for a wide range of network sizes, from home networks and SMB up to large and distributed enterprise networks that are geographically separated. The most important function commonly associated with a security management solution is maintaining firewall policies across a distributed enterprise. In large and distributed enterprise environments, security management and reporting/compliance functions are usually separated, with local personnel managing local nodes and a central site having visibility over configuration compliance, generally from the data center at the corporate headquarters or a designated IT management division.

Because of the wide range of network security device deployment options, network security consoles are typically licensed based on the number of devices they will be managing. This provides tailored, flexible security options appropriate to organization requirements [8]. These security consoles are enabled by use of the Simple Network Management Protocol (SNMP), which gives administrators the capability to monitor and, when necessary, configure hosts on a network. This centralized ability to configure network devices is referred to as device management, and is a critical capability in allowing IT administrators to manage—monitor and configure—distributed enterprise networks.
Figure 57. Integrated security control console.

Administrative Domains (ADOMs) provide the capability to better organize the network environment. A domain is the equivalent of an organizational unit. The purposes of using ADOMs are:

Limiting administrative scope to specific devices
Segmenting tenants in a managed service provider environment

Administrative domains are further segregated into Accounts, each of which must have at least one User. However, permissions and policies must be set at the domain administrator and network administrator levels. [8]
Policy and Security

Policy packages enable the addressing of specific needs of an organization's different sites by creating a tailored policy package for each site. Policy packages provide flexibility to administrators, because they may be applied to individual or multiple devices. The advantage of using a policy package is that it simplifies the installation of a set of firewall rules for sites. [8]

Object libraries contain the names and entry points of the code located in the library, as well as a list of objects that the applications or systems using the code require in order to run the object. An example would be needing an application capable of reading a .jpg file in order to use the object with a .jpg extension. Object libraries may be configured to direct which applications are used to open or run which types of files, beyond the manufacturers' default settings. Object libraries may be dragged into policy packages to define actions for traffic meeting criteria matching the identified object characteristics.
Figure 58. Policy Package example.

Global policy packages become increasingly important as network complexity, size, or distributed configuration grow. Because large and distributed enterprise networks may delegate remote security management to local administrators, as introduced above, it is important for central network administrators to retain overall visibility and control of the entire network. To this end, global policies allow administrators of large enterprises and MSPs to "bookend" segmented/tenant firewall rules in order to ensure compliance with overall network policies and operating regulations [8].
Figure 59. Global Policy “Bookend” flow.
Firewall rules (also called firewall policies) are a major challenge for network security administrators, making it important for companies and organizations—especially distributed enterprise operations—to have and implement a firewall policy management solution. Depending on the size of the operation and network, this function may be accomplished by the network security administrator or, in a large enough enterprise, by a firewall administrator. But with the fast-paced and rapidly evolving dynamics of technology and its use, the threat of security gaps being created by a disjointed firewall policy program is as real as the threat from external sources. To assist the network security administrator or firewall administrator in developing, implementing, and monitoring firewall policy requirements and effectiveness, regular, systematic reviews of firewall policies should be put in place. These reviews provide important benefits, mitigating challenges such as:

Mistakenly adding duplicate, similar, or overriding firewall policies
Missing the impact of corporate policy changes that may affect particular rules
Creation of policies that are too specific at the time of implementation and may need to be broadened to be effective
Determining what policies should be implemented, and when, by a policy push—applying the new policies to individual security devices

In order to facilitate inputs to the firewall policy development and review process, a firewall policy workflow process should be established by which policy change recommendations are submitted, approved, and implemented by IT staff, with the documentation retained for archival purposes and later analytic review. As these processes become institutionalized, the end result is not only more effective firewall rules management, but efficiency that leads to rules reduction, or a decrease in firewall rules via periodic reviews or automation.
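The first review challenge listed above, duplicate, similar, or overriding rules, is the one most easily automated. As an added example written for this guide (not code from the study guide or from any firewall management product), the following Python script walks an ordered, first-match policy and reports three kinds of ineffective rule: an exact duplicate, a narrower rule with the same action as an earlier one (redundant), and a rule that an earlier rule with the opposite action prevents from ever matching (shadowed). The rule syntax, the address ranges, and the six-rule policy are constructed for the example.

```python
# Added example (not from the study guide or any vendor product): a reviewer
# script that finds duplicate, redundant, and overriding (shadowed) rules in an
# ordered, first-match firewall policy. The rule set below is constructed.
import ipaddress
from dataclasses import dataclass

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    rid: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str            # "tcp", "udp", or "any"
    ports: tuple          # (low, high) destination port range
    action: str           # "allow" or "deny"


def rule(rid, src, dst, proto, ports, action):
    """Small constructor accepting 'any' for network, protocol, and port fields."""
    def net(s):
        return ANY_NET if s == "any" else ipaddress.ip_network(s, strict=False)
    if ports == "any":
        port_range = ANY_PORTS
    elif "-" in str(ports):
        lo, hi = str(ports).split("-")
        port_range = (int(lo), int(hi))
    else:
        port_range = (int(ports), int(ports))
    return Rule(rid, net(src), net(dst), proto, port_range, action)


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet matching `later` would already match `earlier`."""
    return (later.src.subnet_of(earlier.src)
            and later.dst.subnet_of(earlier.dst)
            and (earlier.proto == "any" or earlier.proto == later.proto)
            and earlier.ports[0] <= later.ports[0]
            and later.ports[1] <= earlier.ports[1])


def review(rules):
    """Walk the policy in match order and report each later rule that an earlier
    rule makes ineffective. Returns (kind, later_id, earlier_id) tuples."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if not covers(earlier, later):
                continue
            if covers(later, earlier) and earlier.action == later.action:
                kind = "duplicate"      # identical match and action
            elif earlier.action == later.action:
                kind = "redundant"      # narrower copy of an earlier rule, same action
            else:
                kind = "shadowed"       # earlier rule overrides it with the opposite action
            findings.append((kind, later.rid, earlier.rid))
            break                       # the first covering rule is the one that matters
    return findings


def constructed_policy():
    """Constructed six-rule policy with one of each defect plus one clean rule."""
    return [
        rule(1, "10.0.0.0/8", "192.168.1.10", "tcp", 443, "allow"),
        rule(2, "any", "192.168.1.0/24", "tcp", 22, "deny"),
        rule(3, "10.0.0.0/8", "192.168.1.10", "tcp", 443, "allow"),     # exact duplicate of 1
        rule(4, "10.1.2.0/24", "192.168.1.10", "tcp", 443, "allow"),    # narrower than 1
        rule(5, "172.16.0.0/12", "192.168.1.5", "tcp", 22, "allow"),    # never reached: 2 denies first
        rule(6, "any", "192.168.2.0/24", "tcp", "80-8080", "allow"),    # clean
    ]


if __name__ == "__main__":
    for kind, later, earlier in review(constructed_policy()):
        print(f"rule {later} is {kind} (see rule {earlier})")
```

Duplicate and redundant findings are candidates for rules reduction; a shadowed finding is the more important one for the reviewer, because someone added rule 5 expecting it to take effect, and the policy as deployed does something other than what the change request intended.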
Rules reduction through automation is where the technology of adept security change management is necessary to improve the probability that the network will remain secure. Security Change Management is the industry term for the product or feature that seeks to reduce or optimize the number of firewall rules and provides IT staff and network auditors with a clear picture of how changes were implemented. With more complex firewalls incorporating more features—such as the Next Generation Firewall (NGFW)—simplifying the user interfaces of complex processes increases the likelihood that comprehensive security measures will be engaged, monitored, and updated as necessary to keep up with emerging threats.

Auditing has important advantages in the security management environment. Because auditing is a mechanism that records actions that occur on a system, the associated audit log(s) contain information detailing the events (such as login, logout, file access, upload, download, etc.), who performed the action and when it was accomplished, and whether the action was successful. Some important events that should be logged include:

Login/Logoff (including failed attempts)
Network connections (including failed attempts)
Supervisor/administrator login and function
Sensitive file access

In the context of security management, auditing provides the following advantages:

Ensures that the organization maintains compliance with programs such as HIPAA and PCI
Helps track workflows/approvals for firewall policy changes
Associates security event logs with an individual owner for forensics
Analytics

Unless analytics are applied to future decisions, they cease to serve a vital function for administrators. The most important function of analytics is to ensure security effectiveness and improvement while enabling optimum system and network performance. Analytic reporting is designed to provide end-to-end analysis of system and network performance. In the context of security management, this analysis includes factors concerning potential impacts on performance due to attempted or successful attacks, actions taken by preventative policies and apparatus that detected and prevented intrusion, forensic records of user data for system and network functions, and so forth. Reporting is designed to be a cyclical process—not linear; that is, the data analyzed is used to inform decisions regarding whether policies, programming, or apparatus need to be updated or may remain as currently constituted. If updates are necessary, analytics inform decision-makers—such as corporate compliance groups—in determining which updates or reconfigurations are the right ones to make.

Security Information and Event Management

Security Information and Event Management (SIEM) [8] is a system that gathers security logs from multiple sources and correlates logged events so that attention can focus on events of importance. The SIEM ecosystem is designed to address the unique requirements of a wide range of customers, from large enterprises to managed security service providers (MSSPs) that manage thousands of individual customer environments. Key features include near-real-time visibility for threat detection and prioritization, delivering visibility across the entire IT infrastructure. It reduces and prioritizes alerts to focus investigations on an actionable list of suspected incidents, enabling more effective threat management while producing detailed data access and user activity reports.
SIEM operates on the basis of whichever logs the administrator has authorized to be forwarded from Syslog to the SIEM. These logs may be tuned further by setting a minimum severity level for log forwarding; the Syslog severity levels, in order from least to most severe, are:

Debugging
Information
Notification
Warning
Error
Critical
Alert
Emergency
SIEM provides three primary functions for network security:

Event logging. How systems and applications record and save data that shows what events happened at what time and place, with what results, on the system, in the network, or in an application.

Event correlation. Comparing logged events and correlating like events together to determine significant instances of repetitious or associated events.

Incident alerting. Provides alerts for security incidents on the network. [8]

Perhaps the most critical function upon which the SIEM concept depends is logging, because it forms the basis for making decisions regarding system and network functions and potential anomalies. Logging is how systems and applications record and save data that shows what events happened at what time and place, with what results, on the system, in the network, or in an application. Logging is one of the forensic tools that may be used to analyze successful attacks, malware infections, or attempted network intrusions. This capability, although it becomes more complex as networks grow and become geographically distributed, is important to networks of all sizes against modern and future network threats.

In the 1980s, Syslog was developed as part of the Sendmail project, but proved so valuable a tool that it began being used by other applications as well. In today's IT world, Syslog is still the de facto industry standard for security event logging. In fact, Syslog has become so entrenched as the standard that operating systems such as Windows and UNIX, as well as regulations such as SOX, PCI DSS, and HIPAA, either use the Syslog format or have embedded capability for conversion to Syslog. [19] Because logging is a necessity for networks of every size, resource balancing is an important consideration.
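The severity-based forwarding filter and the three SIEM functions (logging, correlation, alerting) fit in one small pipeline. The following Python example is added for this guide and is not code from the study guide or from any SIEM product: it parses RFC 3164-style Syslog lines, recovers facility and severity from the PRI value (PRI = facility × 8 + severity, so lower severity codes are more severe), drops events below the configured minimum level, and correlates repeated failed logins from one source into a single alert instead of one alert per line. The log lines, hostname, process ids, and addresses are constructed, and the year applied to the year-less RFC 3164 timestamp is an assumption.

```python
# Added example (not from the study guide or any SIEM product): parse RFC 3164
# syslog lines, apply a minimum-severity forwarding filter, and correlate
# repeated failed logins from one source into a single alert.
# The log lines, hostnames, and addresses are constructed.
import re
from collections import defaultdict
from datetime import datetime

# Severity codes 0-7 as syslog numbers them, using the study guide's labels.
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notification", "Information", "Debugging"]
SEVERITY_CODE = {name: code for code, name in enumerate(SEVERITY_NAMES)}

LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^:]+): (.*)$")
FAILED_RE = re.compile(r"Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def parse(line):
    """Split a syslog line into its fields; PRI = facility * 8 + severity."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri, stamp, host, tag, msg = m.groups()
    pri = int(pri)
    # RFC 3164 timestamps carry no year; the collector's year is assumed (2015 here).
    ts = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=2015)
    return {"facility": pri // 8, "severity": pri % 8,
            "severity_name": SEVERITY_NAMES[pri % 8],
            "time": ts, "host": host, "tag": tag, "msg": msg}


def forward(events, min_level="Information"):
    """Keep events at `min_level` or more severe (lower code = more severe)."""
    return [e for e in events if e["severity"] <= SEVERITY_CODE[min_level]]


def correlate_failed_logins(events, threshold=5, window_seconds=60):
    """Group failed logins by (host, source IP); raise one alert when `threshold`
    failures fall within `window_seconds`, so a burst yields one alert, not many."""
    buckets = defaultdict(list)
    for e in events:
        m = FAILED_RE.search(e["msg"])
        if m:
            buckets[(e["host"], m.group(2))].append(e["time"])
    alerts = []
    for (host, src), times in buckets.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                alerts.append({"host": host, "source": src, "count": len(times),
                               "first": times[i], "severity": "Alert"})
                break
    return alerts


# Constructed sample: PRI 38 = facility 4 (auth) * 8 + severity 6 (Information);
# PRI 39 is the same facility at severity 7 (Debugging).
CONSTRUCTED_LOG = [
    "<38>Jan 12 10:01:02 fw01 sshd[2201]: Accepted password for ops from 10.0.0.5 port 5001 ssh2",
    "<38>Jan 12 10:01:10 fw01 sshd[2202]: Failed password for admin from 203.0.113.9 port 5022 ssh2",
    "<38>Jan 12 10:01:12 fw01 sshd[2203]: Failed password for admin from 203.0.113.9 port 5023 ssh2",
    "<38>Jan 12 10:01:15 fw01 sshd[2204]: Failed password for root from 203.0.113.9 port 5024 ssh2",
    "<39>Jan 12 10:01:16 fw01 sshd[2204]: pam_unix(sshd:auth): check pass; user unknown",
    "<38>Jan 12 10:01:18 fw01 sshd[2205]: Failed password for admin from 203.0.113.9 port 5025 ssh2",
    "<38>Jan 12 10:01:20 fw01 sshd[2206]: Failed password for admin from 203.0.113.9 port 5026 ssh2",
    "<38>Jan 12 10:01:31 fw01 sshd[2207]: Failed password for guest from 198.51.100.4 port 6001 ssh2",
    "<38>Jan 12 10:01:40 fw01 sshd[2208]: Failed password for root from 203.0.113.9 port 5027 ssh2",
]


def run(lines=CONSTRUCTED_LOG, min_level="Information"):
    """Event logging -> forwarding filter -> correlation. Returns (kept events, alerts)."""
    events = [e for e in map(parse, lines) if e]
    kept = forward(events, min_level)
    return kept, correlate_failed_logins(kept)


if __name__ == "__main__":
    kept, alerts = run()
    print(len(kept), "events forwarded;", alerts)
```

Note the interaction between the two stages: forwarding at a minimum level of Error would drop the Information-level authentication messages before correlation ever saw them, and the burst from 203.0.113.9 would go unnoticed. The forwarding threshold is a resource-balancing decision, as the text says, but it also decides which correlations are even possible downstream.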
As with determining whether application services are best delivered as IaaS, PaaS, or SaaS, the most cost-effective logging/reporting method for SMB is cloud-based event logging. Similarly, some organizations may opt for standalone logging/reporting solutions to more effectively manage logs collected from multiple security devices.

Network Visibility

Network Visibility refers to the ability of administrators to know what type of traffic is crossing their network, including web, application, email, and other traffic. It allows optimization of bandwidth for business-critical applications. Because modern and emerging threats are able to take advantage of different traffic types in different ways, network visibility is a key capability in the administrator's arsenal, providing the opportunity to achieve:

Network monitoring and faster troubleshooting
Application monitoring and profiling
Capacity planning and network trends
Detection of unauthorized WAN traffic
Figure 60. Network visibility benefits.

Network visibility is of the utmost importance to security administrators. This includes visibility of every component of the network, including remote components geographically separated as part of a large distributed enterprise network. In order to adequately monitor system and network security events, the security administrator must have access to logging from across the entire infrastructure, including firewalls, email gateways, endpoint devices, and other network components, both physical and virtual. Network visibility must be treated as a cyclical process in order to be effective. As illustrated in Figure 60, network visibility provides a wealth of information about many facets of network operations. All of this data, however, is wasted if not used to inform analyses that may further improve network operations and security. For this reason, network visibility data should be used to inform reporting on network operations and in developing future plans and policy.
Summary

Security management provides vulnerability assessment, automated remediation, and configuration assessment in an environment providing complex protection with simplified administration. The goal of security management is to reduce security risks through proper configuration and compliance. Across all sizes and types of networks, security management provides customization and automation to assist network security administrators through administrative domains that segment users, firewall and global policy packages that enable reduction and optimization of rules, and auditing that provides oversight of compliance, workflow, approvals, and forensic tracing. Security Information and Event Management (SIEM) provides a wide range of administrator services for managing logged events and analysis to correlate and determine the most appropriate security measures, policy updates, and reactions to network incidents. Network visibility provides administrators with the necessary end-to-end monitoring, troubleshooting, profiling, and analysis tools to plan for and address modern and emerging threats to the network. Adept management, using the right analytics to inform decisions and actions, is key to establishing and maintaining an efficient and secure network environment.
Key Acronyms

AAA: Authentication, Authorization, and Accounting
AD: Active Directory
ADC: Application Delivery Controller
ADN: Application Delivery Network
ADOM: Administrative Domain
AM: Antimalware
API: Application Programming Interface
APT: Advanced Persistent Threat
ASIC: Application-Specific Integrated Circuit
ASP: Analog Signal Processing
ATP: Advanced Threat Protection
AV: Antivirus
AV/AM: Antivirus/Antimalware
BYOD: Bring Your Own Device
CPU: Central Processing Unit
DDoS: Distributed Denial of Service
DLP: Data Leak Prevention
DNS: Domain Name System
DoS: Denial of Service
DPI: Deep Packet Inspection
DSL: Digital Subscriber Line
FTP: File Transfer Protocol
FW: Firewall
Gb: Gigabit
GbE: Gigabit Ethernet
Gbps: Gigabits per second
GSLB: Global Server Load Balancing
GUI: Graphical User Interface
HTML: Hypertext Markup Language
HTTP: Hypertext Transfer Protocol
HTTPS: Hypertext Transfer Protocol Secure
IaaS: Infrastructure as a Service
ICMP: Internet Control Message Protocol
ICSA: International Computer Security Association
ID: Identification
IDC: International Data Corporation
IDS: Intrusion Detection System
IM: Instant Messaging
IMAP: Internet Message Access Protocol
IMAPS: Internet Message Access Protocol Secure
IoT: Internet of Things
IP: Internet Protocol
IPS: Intrusion Prevention System
IPSec: Internet Protocol Security
IPTV: Internet Protocol Television
IT: Information Technology
J2EE: Java 2 Platform, Enterprise Edition
LAN: Local Area Network
LDAP: Lightweight Directory Access Protocol
LLB: Link Load Balancing
LOIC: Low Orbit Ion Cannon
MSP: Managed Service Provider
MSSP: Managed Security Service Provider
NGFW: Next Generation Firewall
NSS: NSS Labs
OSI: Open Systems Interconnection
OTS: Off the Shelf
PaaS: Platform as a Service
PC: Personal Computer
PCI DSS: Payment Card Industry Data Security Standard
PHP: PHP: Hypertext Preprocessor (recursive acronym)
PoE: Power over Ethernet
POP3: Post Office Protocol (v3)
POP3S: Post Office Protocol (v3) Secure
QoS: Quality of Service
RADIUS: Remote Authentication Dial-In User Service
RDP: Remote Desktop Protocol
SaaS: Software as a Service
SDN: Software-Defined Networking
SEG: Secure Email Gateway
SFP: Small Form-Factor Pluggable
SFTP: SSH File Transfer Protocol
SIEM: Security Information and Event Management
SLA: Service Level Agreement
SM: Security Management
SMB: Small and Medium Business
SMS: Short Message Service
SMTP: Simple Mail Transfer Protocol
SMTPS: Simple Mail Transfer Protocol Secure
SNMP: Simple Network Management Protocol
SPoF: Single Point of Failure
SQL: Structured Query Language
SSL: Secure Sockets Layer
SWG: Secure Web Gateway
SYN: Synchronize (TCP connection-setup flag)
Syslog: System logging protocol (RFC 5424)
TCP: Transmission Control Protocol
TCP/IP: Transmission Control Protocol/Internet Protocol (the Internet protocol suite)
TLS: Transport Layer Security
TLS/SSL: Transport Layer Security/Secure Sockets Layer
UDP: User Datagram Protocol
URL: Uniform Resource Locator
USB: Universal Serial Bus
UTM: Unified Threat Management
VDOM: Virtual Domain
VM: Virtual Machine
VoIP: Voice over Internet Protocol
VPN: Virtual Private Network
WAF: Web Application Firewall
WAN: Wide Area Network
WANOpt: Wide Area Network Optimization
WLAN: Wireless Local Area Network
XSS: Cross-site Scripting