Network Segmentation 201 - Indiana Bankers Association
Jason Mikolanis, Vice President of Security Services
Daniel Bruss, Senior Consultant
Virtual Innovation, Inc.
Network Segmentation 201
October 5, 2018 | 1
Introduction
• Virtual Innovation, Inc.
  – Chesterton, Indiana
  – Information Technology & Security Consulting Firm
  – Serving Financial Institutions in Indiana since 2010
• Jason Mikolanis, CISSP
  – Senior Consultant and Information Security Specialist
  – Former CSO for First National Bank of La Grange
• Daniel Bruss
  – Senior Consultant and Networking Specialist
  – Former Network Administrator for Bank of Highland
Rules of the Class
• No playing on your cell phone
• No passing notes or texting
• No napping
• No tough questions to make me look bad
• Everyone will laugh at my stupid jokes
Syllabus / Agenda
• Network Segmentation 101
  – Prerequisites
  – What is network segmentation?
  – Why should we do it?
• Network Segmentation 201
  – Getting started
  – Types of connections – Logical vs. Physical
  – Open book test – Where to start in your network
  – Technical information – How do we do it?
• Next Semester 301 – Micro-segmentation
• Extra credit
• Final Project
• Cliff Notes
Network Segmentation 101 – Prerequisites
• Everyone knows the basics of a subnet – Logical subdivision of an IP network
• Everyone knows or has heard of the OSI model
  – “All people seem to need data Processing”
  – Layer 2 (data link) is non-routable – typically switches
  – Layer 3 (network) is routable – Routers, firewalls and Layer 3 switches
• Everyone has basic knowledge about routing
• Everyone understands the concept of a DMZ
• Everyone understands virtualization – at least conceptually
101 – Prerequisites
• Everyone understands the basics of a VLAN
• Everyone understands what we mean by the “Cloud”
• We are community bankers – we have limited resources
• Feeling lost or confused? Check out the vendor management speech!
101 – What is Network Segmentation?
• The physical or virtual separation of a network into sub-networks typically for security purposes
• Isolating or grouping systems with similar security or compliance requirements
  – Keeping the critical and non-critical systems separated
101 – Why Should We Segment?
• Defense in Depth
  – Another way to limit users’ access to only the systems or services they need.
• External vs. Internal segmentation alone is flawed
  – It assumes the Internet is bad and the inside of the network is safe
• Limits the exposure if a portion of the network becomes compromised.
  – Prevents attackers from hopping between servers or systems (Lateral Movement in the Network)
• Improves performance – Less broadcast traffic
101 – Why Should We Do It?
• If an attacker were able to compromise an internal system, they could move system to system inside the network
101 – Why Should We Do It?
• Traditional security does not always work
  – New attack vectors through Phishing and Social Engineering
• Security controls in the wrong place
  – Too much on the perimeter and not enough on the interior
• Weak systems put strong systems at risk
  – Compromise one weak system and conduct a man-in-the-middle attack.
  – Get credentials instead of cracking them
• Assume you will be breached!
Downfall of the Empire
Lack of segmentation in the Empire’s network allowed the Rebels to “hack” the Death Star
Episode 4 – Star Wars – A New Hope
• R2-D2 was able to interface with the Death Star network to:
  – Find out how/where to shut off the tractor beam
  – Learn that the princess was on the Death Star and was scheduled to be executed
  – Get details on which detention block she was being held in
  – Shut off the trash compactors to save the Rebels
Downfall of the Empire
Episode 5 – The Empire Strikes Back
• R2-D2 talks to the Cloud City network to find out the hyperdrive was disconnected on the Falcon
• R2-D2 opens up the security doors in Cloud City
Downfall of the Empire
• Episode 6 – Return of the Jedi
  – R2-D2 unlocked the doors to the power station for the shield generator on the forest moon
• Thankfully the Empire didn’t implement network segmentation!
Network Segmentation 201 – Getting Started
Examples of Segmentation
• Traditional network segmentation – Separated by routers or firewalls.
• Private, Semi-Private, Public
  – Strong controls on the Internet segment (Firewall)
• DMZ – Used to protect externally facing systems that need to access data inside the network. (Horizon View Server for remote access, web servers, email)
• Wireless segmentation (Wi-Fi)
  – Public network
  – Private network
  – Shared with current ISP or separate segment
• Server drive mappings
201 – Where Do We Start
• Know your network
  – You can’t secure what you don’t know
  – Develop strong documentation
    • Server
    • Network (LAN/WAN)
    • Devices
• Data Flow Diagram
  – Know where your data is stored
  – Baseline requirement for the CAT
• Data Classification – How valuable is the data?
  – Baseline requirement for the CAT
201 – Where Do We Start
• What are my high risk systems?
• Where are my high risk systems?
• What systems can logically be grouped together?
• What traffic is needed for least privilege access?
  – What ports need to be opened?
201 – Where Do We Start
• Set the scope
  – Start small and build
• Develop Project Plan
• Set a manageable timeline
  – Be realistic
• Have the technical resources you need
  – Know what you are doing and test
• TEST! TEST! TEST! – Did I mention TEST?
• Engage auditors to validate security
201 – Types of Connections – Physical
• Separation of devices through physical connectivity
  – Cord connected to a network device (switch, router, or firewall)
• Separation of devices from all other systems – Top secret
  – Typically has its own Internet access or is not connected at all
201 – Types of Connections – Logical
• Using virtual LANs (VLANs) to create multiple network segments on one physical device.
• VLANs
  – Group network resources together logically
  – Operate at Layer 2 of the OSI model
  – Logically separate network segments
• Nodes in one VLAN cannot talk to nodes on another VLAN without going through a Layer 3 device such as a router
201 – Types of Connections – Logical
• Because VLANs operate at Layer 2 of the OSI model, nodes on one VLAN cannot directly communicate with nodes on a different VLAN, so a Layer 3 device is required to facilitate that communication (routing).
• All VLANs on the Layer 2 switch would be added to one interface using 802.1Q encapsulation (VLAN “trunking”).
• On the Layer 3 device, the same VLANs would also be added to an interface using 802.1Q encapsulation, and then the switch interface and router interface would be physically connected.
• As the switch sends data to the router, VLAN “tags” are added to the header so that the router knows which VLAN the traffic came from.
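To make the tagging concrete, here is an added Python example (not from the deck or from Virtual Innovation) that builds an Ethernet frame the way a host on an access port sends it, inserts the 802.1Q tag a trunk port adds on the way to the router, and parses it back out the way the router does. The MAC addresses, VLAN IDs and payload are constructed sample values; a real switch does this in hardware, and the code only shows what the four extra bytes contain and why the router can tell which VLAN a frame came from.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces "an 802.1Q tag follows"
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(text: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes(int(octet, 16) for octet in text.split(":"))


def mac_text(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_untagged_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame exactly as a host on an access port sends it: no VLAN tag."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def add_vlan_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the source MAC, as a trunk port does on egress.
    Tag = TPID 0x8100 followed by the TCI, where TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Decode a frame the way the router end of the trunk does: read the tag if one is present."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])   # real EtherType sits after the TCI
        pcp, vid = tci >> 13, tci & 0x0FFF
        offset = 18
    return {"dst": mac_text(dst), "src": mac_text(src), "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def strip_vlan_tag(frame: bytes) -> bytes:
    """Remove the tag, as an access port does before delivering the frame to its host."""
    if parse_frame(frame)["vid"] is None:
        return frame
    return frame[:12] + frame[16:]


if __name__ == "__main__":
    # Constructed sample: a host on VLAN 200 sends an IPv4 packet toward its default gateway.
    original = build_untagged_frame("00:00:5e:00:53:01", "00:00:5e:00:53:ab",
                                    ETHERTYPE_IPV4, b"\x45\x00\x00\x14")
    on_trunk = add_vlan_tag(original, vid=200)
    seen_by_router = parse_frame(on_trunk)
    print(f"trunk frame grew from {len(original)} to {len(on_trunk)} bytes")
    print(f"router sees VLAN {seen_by_router['vid']}, EtherType 0x{seen_by_router['ethertype']:04x}")
    assert strip_vlan_tag(on_trunk) == original
```

The VID is the only thing the router uses to map the frame to the right VLAN sub-interface, which is why a trunk carries many segments over one cable without mixing them. A frame that arrives on a trunk with no tag is assigned to the port’s native VLAN, so native VLAN settings are one of the items to check when validating that a segmentation design behaves as documented.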
201 – Types of Connections – Virtual
• Virtual software – Through the use of VMware, network admins can logically separate networks within the virtual infrastructure.
• Segments networks on the same hardware using virtual switches
• Virtual machines attached to the same vSwitch can communicate directly (in the example diagram, not reproduced here, ubuntu1 and ubuntu2 can talk to each other and to any physical nodes beyond the vmnic0 physical uplink).
201 – Types of Connections – Virtual
• Through the use of port groups, VMware vSwitches can be segmented just like a physical switch using VLANs. VMs attached to one port group can communicate with each other, but VMs in one port group cannot communicate with VMs in another port group without being routed.
• In the example diagram (not reproduced here), Win2003-1 and Win2003-2 can communicate directly (both are on VLAN100), but to reach Win2003-3 on VLAN200, traffic would need to be sent out the physical uplink vmnic1 to a router outside the VMware system.
201 – Types of Connections – Cloud
• Cloud computing – Hosting data or an application in the “cloud.”
• Information is segmented from the inside of your network.
• Only connects to the hosted site over specific protocols and applications
• Diagram: the internal network (PCs, printer, file server, database, web server) connecting out to hosted services (Microsoft 365, Core Processor, Loan Application, Trust Application)
201 – Open Book Test!
• Everyone loves when the answers are given to them
• Let’s get started on some quick and easy places to start
201 – ATMs
• The Bank should not have their ATM connected to the User network.
• Diagram: a Production VLAN (printers, servers) and a separate ATM VLAN (ATM) on a Layer 2 switch, routed through a Layer 3 router to the Bank’s Core Processor
201 – Voice Over IP / Phone Network
• Can your data network access the voice network?
  – Is the phone system’s security > or = the data network’s?
• Diagram: the Data Network and the Phone Network as separate segments, with the Voice Mail Server and the Phone Server
201 – Cloud Computing
• You may be already doing this!
  – System and data are housed physically offsite and the only access is through the web or an application connected over specific ports.
• Managed services / Systems in the Bank
– Email system
– Loan systems
– Trust systems
– HR Systems
201 – Non-IT Systems
• Industrial Control Systems
  – Security systems – Third party security systems are insecure.
    • Security camera systems.
  – Vendors historically do not have strong controls on legacy systems.
  – HVAC systems – Target
    • Hacker entered through HVAC and navigated to POS
  – Internet of Things
    • Casino was hacked through a FISH TANK!
201 – DR / Test Environment
• Typically will use a virtual environment to segment the production and test environments
• Allows testing of DR servers on the same devices as the production network
  – Bring up a collection of backup servers and test interconnectivity on an isolated network
201 – Printers
• Relatively insecure
• Large number of vulnerability findings
• Diagram: Servers, Workstations and Printers each on their own segment of a Layer 2 switch, connected through a Layer 3 router (GigE 0/0)
201 – Servers / Virtual Appliances
• The most difficult and time consuming.
• Need to determine least privilege specifications
• Separate or group systems based on criticality
  – Domain controllers
  – File servers
  – Management Servers
  – Web Servers
  – Database servers
  – Virtual Appliances
    • RSA
    • Security systems (IDS/Log Management)
201 – Servers / Virtual Appliances
• Diagram: Application Servers, DC / File Servers and IT Management Servers grouped on separate segments of a Layer 2 switch, connected through a Layer 3 router (GigE 0/0)
201 – Technical Information
Technology Needed for Network Segmentation Assignment
• Routers
• Layer 3 switches
• Firewalls
• All of these devices operate at Layer 3 (or higher) of the OSI model and all of them facilitate communications between VLANs
201 – Routers
• Routers operate at Layer 3 of the OSI model and are sometimes referred to as “Layer 3 devices.”
• Routers are typically installed near the hub or the center of a network because they help connect network segments together. For this reason, they are sometimes called “core” networking devices.
• As indicated before, nodes on one VLAN cannot communicate directly with nodes on a different VLAN, so routers act like traffic cops to get traffic from one VLAN to another.
• Routers are often called “gateway” devices because they are typically the default gateway for a given network segment.
201 – Routers
• In more advanced configurations, routers can also be programmed with access control lists or ACLs. ACLs are responsible for allowing certain types of network communications and denying other types of communications.
• ACLs get applied to router interfaces in either an inbound or outbound direction.
• ATM example:
  – With an ATM isolated on its own VLAN, you would want to prevent that ATM from communicating with any of your internal segments or the Internet, but you would want to allow it to communicate with the host provider.
  – Conversely, you want to prevent your internal segments or the Internet from reaching the ATM, but you would want to allow traffic coming back from the host to reach the ATM.
201 – Layer 3 Switches
• Layer 3 switches are essentially multi-port routers. They combine the elements of a Layer 2 switch and a Layer 3 router.
• Layer 3 switches operate at (you guessed it) Layer 3 of the OSI model
• Layer 3 switches, like routers, often get installed at the hub or the center of the network and therefore they are often referred to as “core switches”, whereas Layer 2 switches, which typically get installed near end devices, are typically referred to as “access switches”.
201 – Layer 3 Switches
• Typically, a Layer 3 switch gets configured by defining all of the VLANs that will be used. Then, virtual VLAN interfaces are created and IP addresses are assigned to the VLAN interfaces. These interfaces are sometimes referred to as “switched virtual interfaces” or SVIs.
• In most cases, the SVIs will be the “default gateways” for each segment that is connected to the Layer 3 switch.
• Just like with routers, the Layer 3 switch acts like a traffic cop and gets traffic from one VLAN to another.
• And, also like routers, ACLs can be applied to the SVIs to filter network traffic.
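The ACL bullets on the router slides and the SVI bullets here describe the same mechanism, so one added Python model (not the deck’s own material and not any vendor’s configuration syntax) covers both: a Layer 3 switch with two SVIs, the ATM-example policy applied inbound and outbound on the ATM VLAN’s SVI, first-match evaluation with the implicit deny at the end, and a check of the flows the ATM bullets describe. The subnets, the ATM address, the host provider address 203.0.113.5 and the Internet address 198.51.100.7 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addressing for the deck's ATM example (not from the slides):
#   VLAN 100 = production (servers, printers)  10.0.100.0/24
#   VLAN 200 = ATM                             10.0.200.0/24
#   203.0.113.5  = the ATM host provider, reached through the switch's uplink
#   198.51.100.7 = an arbitrary Internet host, also beyond the uplink
HOST_PROVIDER = "203.0.113.5"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"               # "ip" (any), "tcp" or "udp"
    dst_port: Optional[int] = None


@dataclass
class AclEntry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches everything, otherwise must equal the packet's proto
    src: str                        # CIDR or "any"
    dst: str                        # CIDR or "any"
    dst_port: Optional[int] = None  # None = any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst != "any" and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


def evaluate_acl(entries: List[AclEntry], pkt: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    for entry in entries:
        if entry.matches(pkt):
            return entry.action
    return "deny"


@dataclass
class Svi:
    vlan: int
    network: str                              # subnet this SVI is the default gateway for
    acl_in: Optional[List[AclEntry]] = None   # filters traffic entering the switch from this VLAN
    acl_out: Optional[List[AclEntry]] = None  # filters traffic leaving the switch into this VLAN

    def contains(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.network)


class Layer3Switch:
    def __init__(self, svis: List[Svi]):
        self.svis = svis

    def svi_for(self, ip: str) -> Optional[Svi]:
        """Which SVI owns this address? None means 'beyond the uplink' (provider or Internet)."""
        for svi in self.svis:
            if svi.contains(ip):
                return svi
        return None

    def forward(self, pkt: Packet) -> str:
        ingress, egress = self.svi_for(pkt.src), self.svi_for(pkt.dst)
        if ingress is not None and ingress is egress:
            return "switched"   # same VLAN: Layer 2 forwarding, the SVI and its ACLs are never consulted
        if ingress is not None and ingress.acl_in is not None and evaluate_acl(ingress.acl_in, pkt) == "deny":
            return f"dropped by inbound ACL on VLAN {ingress.vlan}"
        if egress is not None and egress.acl_out is not None and evaluate_acl(egress.acl_out, pkt) == "deny":
            return f"dropped by outbound ACL on VLAN {egress.vlan}"
        return "routed"


SWITCH = Layer3Switch([
    Svi(100, "10.0.100.0/24"),   # production VLAN: no ACLs applied in this example
    Svi(200, "10.0.200.0/24",
        # ATM may talk only to the host provider; the implicit deny covers internal VLANs and the Internet
        acl_in=[AclEntry("permit", "ip", "10.0.200.0/24", HOST_PROVIDER + "/32")],
        # Only the host provider may reach the ATM; ACLs are stateless, so the return path is listed explicitly
        acl_out=[AclEntry("permit", "ip", HOST_PROVIDER + "/32", "10.0.200.0/24")]),
])


def check(src: str, dst: str, proto: str = "ip", dst_port: Optional[int] = None) -> str:
    """Decision the modelled switch makes for one flow."""
    return SWITCH.forward(Packet(src, dst, proto, dst_port))


if __name__ == "__main__":
    for src, dst in [("10.0.200.10", HOST_PROVIDER), ("10.0.200.10", "10.0.100.20"),
                     ("10.0.200.10", "198.51.100.7"), (HOST_PROVIDER, "10.0.200.10"),
                     ("10.0.100.20", "10.0.200.10"), ("198.51.100.7", "10.0.200.10"),
                     ("10.0.100.20", "10.0.100.30")]:
        print(f"{src:>14} -> {dst:<14} {check(src, dst)}")
```

Two things the model makes visible: traffic between two hosts on the same VLAN never touches the SVI, so an ACL on the gateway cannot restrict it (a system that must be isolated from its neighbours needs its own VLAN, not just a rule), and ACLs are stateless, so the return path from the host provider has to be permitted explicitly on the outbound side, exactly as the second ATM bullet says. Running each expected flow against the policy before and after a change is the kind of test the slides keep asking for.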
201 – Firewalls
• Traditionally, firewalls are installed at the perimeter of the network and they separate the network into two (or sometimes three) segments: inside, outside, and (sometimes) DMZ.
• A traditional firewall is configured so that the inside networks are the most trusted, the DMZ networks are somewhat trusted, and the outside (typically Internet) networks are untrusted.
• The firewall is then configured with access rules to allow most traffic to flow from the trusted networks to the untrusted networks and to allow only select traffic to flow from the untrusted networks to the trusted networks.
201 – Firewalls
• Next-generation firewalls (NGFWs) have become very popular in recent years and, in certain cases, these devices can be installed at the core of the network to replace a device like a router or a Layer 3 switch.
• NGFWs can be configured with “zones” so that trusted networks on the inside can be logically grouped together. The overall goal is to set up the network such that only VLANs that need to talk to each other can do so, and then only allow certain nodes on one VLAN to talk to certain nodes on the other VLAN.
201 – Firewalls
• An NGFW at the core of a network that is configured with zones is like a router or Layer 3 switch on steroids. Whereas a router or Layer 3 switch using ACLs can filter traffic based on source and destination IP addresses and ports, an NGFW can provide full scanning capabilities at the Layer 7 application level as that traffic passes from one VLAN to another.
• The downside to this approach is that the NGFW can quickly become overwhelmed, so the device needs to be configured with adequate resources in order to avoid creating a network bottleneck.
301 – Next Semester – Micro-segmentation
• Micro-segmentation is a method of creating secure zones in data centers and cloud deployments that allows companies to isolate workloads from one another and secure them individually. It’s aimed at making network security more granular.
• Admins can define a security policy based on the type of workload (website, applications or DBs), where it might be used (development, staging, production) and what kind of data it will be accessing (financial, HR, etc.)
301 – Next Semester – Micro-segmentation
• Third party products:
  – VMware NSX
  – Cisco ACI
  – vArmour DSS
  – Illumio
• Network virtualization is the foundation on which these security measures can be implemented.
301 – Next Semester – Micro-segmentation
• In 2009 Forrester created the “Zero Trust” model of network security.
• Zero Trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeters and instead must verify anything and everything trying to connect to their systems before granting access.
Extra Credit
• Make sure to address monitoring and security in the segmented areas
• Have your auditors or a third party validate the security
• Review regularly to ensure security requirements haven’t changed
  – Check, check and recheck whenever anything changes
• Giving this talk a 5 star rating!
Final Class Project – Take Away
• Update your documentation
• Classify your data
• Identify critical systems – Risk Assessments
• Develop project plan
• Determine how you will route the traffic
• Make sure network / system security controls are updated
• Test – Test and then Re-test
• Follow up and evaluate whenever changes occur
• Engage with third parties (Auditors) to help validate security controls
Cliff Notes (Resources)
• Additional resources for further learning:
  – Cisco
    • https://www.cisco.com/c/en/us/about/security-center/framework-segmentation.html
  – US-CERT – Establishing Network Segmentation, Firewalls and DMZs
    • https://ics-cert.us-cert.gov/Standards-and-References
  – VMware
    • (PDF) https://www.vmware.com/techpapers/2008/network-segmentation-in-virtualized-environments-1052.html
    • Micro-segmentation – https://www.vmware.com/products/nsx/security.html
Cliff Notes (Resources)
• NIST
  – Virtual Network Configuration for VM Protection
    • https://csrc.nist.gov/publications/detail/sp/800-125b/final
  – Network Segmentation Techniques in Cloud Data Centers
    • https://www.nist.gov/publications/analysis-network-segmentation-techniques-cloud-data-centers
• FS-ISAC
  – Check the forums and talk to your peers!
• Call/Email Virtual Innovation!
Question & Answer
Thank you!
Virtual Innovation, Inc.
Contact – Jason Mikolanis
Email - [email protected]
219-793-6745