
NET-403_final

2010-10-14 | 29 pages | PDF | 1 MB | 15 reads

How to deploy and secure a 40,000 node network in under 40 days
Mark Townsend, Enterasys Networks
04/24/09 | Session ID: NET-403 | Session Classification: Intermediate

Agenda (slide 2)
• Mission
• Setting the Stage
• Action!
• Epilogue

Mission: Simple, Stable, Secure (slide 4)
• Leverage best practices design
• No proprietary configurations or hardware
• Not afraid to leverage new technology

Setting the Stage: Key Technologies (slide 6)
• Network Access Control
  – Role-based access controls
• Security Information & Event Management
  – Correlation
• Virtualization
  – Availability / DR

What the NAC? (slide 7)
Hold access
• Evaluate identity
• Evaluate compliance
Network policies
• Assign a VLAN

What the NAC? (slide 8)
Accept ‘everyone’
• MAC based authentication
• Location awareness
• Overrides for media end-points (e.g. VoIP)
Network policies
• Enables role-based access controls

Role Based Access Controls (RBAC) (slide 9)
• ANSI INCITS 359-2004
• NIST Project pages: http://csrc.nist.gov/groups/SNS/rbac/

Role Based Access Controls (RBAC) (slide 10)
Apply communication patterns to network policies

Monitoring & Correlation (slide 11)
• Leverage wide array of data sources
  – NetFlow, IDS, network management
• Correlate information to actionable data
  – Event/Source/Target/Source Location
• Integrate NAC data
  – Provide end-point context to security feeds

Action!: What Are We Building? (slide 13)
• Big network – lots of users!
• Open connectivity
• New team members!

Team Building (slide 14)
• Experts recruited
• Teams created based on expertise
• Focused meetings
• Collaboration!
Network (slide 15)
• Simple: Characterize devices – build templates
• Stable: Deploy network access policies
• Secure: Assign key monitor points

Device Templates (slide 16)
Master device-type configuration template (excerpt; several lines are truncated in the source):
    set vlan create 2-4
    set vlan name 2 Enterprise
    set vlan name 3 Guest
    set vlan name 4 Remediation
    set vlan egress 2 ge.1.1,41-48
    set vlan egress 3 ge.1.1,41-48
    set vlan egress 4 ge.1.1,41-48
    set vlan dynamicegress 1-4 e
    !
    access-list 101 permit t
    access-list 102 permit t
    route-map 101 pe
      match ip add
      set next-hop
    route-map 101 pe

Approaches to Policy Control (slide 17)
Open: allow all communications, deny specific
  Benefit: easy to deploy; fewer helpdesk calls
  Negative: lesser security for simplicity; potential increase in risk
Closed: deny all communications, allow specific
  Benefit: secure; predictable
  Negative: increased helpdesk calls; really need to know your clients and their communication needs

“Clients Can’t Be Servers” (slide 18)
Standard network filter policy for access layer
• Restrict server protocols
• Map media protocols to QoS
Enforce policy at edge port
[figure: edge-port rule set; labels as extracted: Deny DHCP S, Deny DNS S, Deny OSPF, Allow DHCP C, Allow DNS C]

RBAC Exceptions (slide 19)
“Special” access requirements: exceptions to expected & provisioned communications. Examples:
• Hi-Def video conferencing
• Private network link video conferencing

Example RBAC Exceptions (slide 20)
[figure: exception matrix; only the X/R cell markers survived extraction]

Big Pipes: Large Threat Potential (slide 21)
• Heavy in-bound scan activity
• Distributed Denial of Service (DDoS)
• MY-SQL buffer overflow (alive & well)
• Worm infected internal hosts (accident)
• Policy violations
• Internal scan activity

Intrusion Detection AND Correlation (slides 22-23)
• Reduced events
  – 65 million events to a few hundred attackers
• Mitigated several infected systems
  – Event and source location (port) correlation in seconds
• Lunch hour is an interesting hour
  – Amazing what you learn when they think nobody is watching

Visibility (slide 24)
Unregistered NOC media device, DHCP not configured on the device, using a static IP not valid for the network

Virtualization (slide 25)
• All servers that were not appliances were installed in a VMWare environment
  – ESX environment in core NOC and backup NOC
  – VMotion allowed services to be always available
• NAC coordinated access for virtual machines

Epilogue: Application: What We’ve Learned (slide 27)
1. Capacity planning
   • Plan for intensive scanning – then factor by 10
2. RBAC must be easy to understand
   • Policies must be intuitive and expected results communicated
   • Troubleshooting tools/procedures need to be adapted for network RBAC
3. Beer fixes many things, people make it happen!

Apply! (slide 28)
• Evaluate your environment for RBAC
  – Start with eliminating common server protocols from the edge
• Evaluate how your equipment provides visibility
  – Netflow, sFlow, endpoint location (by various identity markers)
• Evaluate stability
  – Virtualization to enable DR
  – Stored device templates

Questions? (slide 29)
markt enterasys com
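The “Clients Can’t Be Servers” edge filter, the Open versus Closed policy approaches and the provisioned RBAC exceptions from the slides above, modelled as a small rule evaluator. This is an added example, not Enterasys code or part of the deck; the port numbers, the role names and the H.323 exception are assumptions.

```python
"""Role-based edge-port filter modelled on the deck's "Clients Can't Be Servers" policy
and its Open/Closed approaches. Added example; ports and role names are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str       # "udp", "tcp" or "ospf"
    sport: int = 0   # ports as seen ingressing the edge port
    dport: int = 0


def _udp_tcp(f):
    return f.proto in ("udp", "tcp")


# Standard access-layer filter: deny the server side of infrastructure protocols,
# allow the client side. Evaluated in order; first match wins.
BASE_RULES = [
    ("deny", "DHCP server", lambda f: f.proto == "udp" and f.sport == 67),
    ("deny", "DNS server", lambda f: _udp_tcp(f) and f.sport == 53),
    ("deny", "OSPF", lambda f: f.proto == "ospf"),
    ("allow", "DHCP client", lambda f: f.proto == "udp" and f.sport == 68 and f.dport == 67),
    ("allow", "DNS client", lambda f: _udp_tcp(f) and f.dport == 53),
]

# Provisioned RBAC exceptions, checked before the base rules (assumed port number).
ROLE_EXCEPTIONS = {
    "VideoConf": [("allow", "H.323 call setup", lambda f: f.proto == "tcp" and f.dport == 1720)],
}

# Open approach (allow all, deny specific) versus Closed (deny all, allow specific).
ROLE_DEFAULT = {"Enterprise": "allow", "Guest": "deny", "VideoConf": "deny", "Remediation": "deny"}


def evaluate(role, flow):
    """Return (verdict, reason) for a flow entering an edge port assigned to `role`."""
    for verdict, name, match in ROLE_EXCEPTIONS.get(role, []) + BASE_RULES:
        if match(flow):
            return verdict, name
    return ROLE_DEFAULT.get(role, "deny"), "role default"


if __name__ == "__main__":
    for role, flow in [("Enterprise", Flow("udp", 67, 68)), ("Guest", Flow("tcp", 51000, 80)),
                       ("VideoConf", Flow("tcp", 51001, 1720))]:
        print(role, flow, "->", evaluate(role, flow))
```

An unknown role falls through to deny, which is the safe default for a port whose NAC assignment has not completed.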
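The correlation step described under “Monitoring & Correlation” and “Intrusion Detection AND Correlation”: raw IDS events grouped by source and joined to NAC end-point data, so an internal source is identified by switch and port and can be isolated there. Added example, not from the deck or any Enterasys product; the log format, addresses and NAC table are constructed.

```python
"""Collapse raw IDS events into attackers with NAC end-point context, as the deck
describes (Event/Source/Target/Source Location). Added example; all data constructed."""
from collections import defaultdict

# Constructed NAC end-point table: IP -> (MAC, switch, edge port, role).
NAC_ENDPOINTS = {
    "10.1.5.23": ("00:11:22:33:44:55", "edge-sw-07", "ge.1.41", "Enterprise"),
    "10.1.9.80": ("66:77:88:99:aa:bb", "edge-sw-12", "ge.1.44", "Guest"),
}

# Constructed IDS log, one event per line: "<timestamp> <signature> <src> -> <dst>".
IDS_LOG = """\
2009-04-24T12:01:03 MySQL-buffer-overflow 10.1.5.23 -> 10.1.200.10
2009-04-24T12:01:04 MySQL-buffer-overflow 10.1.5.23 -> 10.1.200.11
2009-04-24T12:01:04 MySQL-buffer-overflow 10.1.5.23 -> 10.1.200.12
2009-04-24T12:02:17 Inbound-SYN-scan 198.51.100.7 -> 10.1.200.10
2009-04-24T12:02:18 Inbound-SYN-scan 198.51.100.7 -> 10.1.200.11
2009-04-24T12:03:00 Worm-propagation 10.1.9.80 -> 10.1.5.23
"""


def parse_event(line):
    ts, sig, src, _arrow, dst = line.split()
    return {"ts": ts, "sig": sig, "src": src, "dst": dst}


def correlate(log, endpoints):
    """Group events by source and attach the NAC location, so an internal source is
    identified by switch and port rather than by an IP address that may change."""
    by_src = defaultdict(lambda: {"events": 0, "sigs": set(), "targets": set()})
    for line in log.strip().splitlines():
        e = parse_event(line)
        agg = by_src[e["src"]]
        agg["events"] += 1
        agg["sigs"].add(e["sig"])
        agg["targets"].add(e["dst"])
    attackers = []
    for src, agg in by_src.items():
        ep = endpoints.get(src)  # None for sources outside the NAC-controlled network
        attackers.append({"src": src, "events": agg["events"], "signatures": sorted(agg["sigs"]),
                          "targets": len(agg["targets"]), "internal": ep is not None,
                          "location": f"{ep[1]}:{ep[2]}" if ep else "external",
                          "role": ep[3] if ep else None})
    return sorted(attackers, key=lambda a: -a["events"])


def remediation_actions(attackers):
    """Internal sources are isolated at their edge port (e.g. moved to the Remediation
    VLAN); external ones are handed to the perimeter. Returns (action, target) pairs."""
    return [("quarantine-port", a["location"]) if a["internal"] else ("block-at-perimeter", a["src"])
            for a in attackers]
```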