HOW TO AVOID BUSINESS OUTAGES FROM MISCONFIGURED NETWORK DEVICES

Upload: algosec

Post on 15-Apr-2017

TRANSCRIPT

HOW TO AVOID BUSINESS OUTAGES FROM MISCONFIGURED NETWORK DEVICES

TOPICS COVERED TODAY

• Understanding the problem: misconfigured network devices

• Typical change control processes

• The Gap between Business and IT Security

• Data center migration

2 | Confidential

THE BALANCING ACT

Security versus Agility:

• Security: prevent cyber attacks
• Agility: enable business applications (data center automation)

Firewall breaches, by cause:

• 5% vulnerabilities
• 95% misconfiguration

Time to provision a resource:

Resource          Time to provision
Server            Minutes
Storage           Minutes
Security access   Days/Weeks

JUST SOME CONTEXT…


HOW CAN A DEVICE BE MISCONFIGURED?

SECURITY DEVICE CHANGE CONTROL PROCESS

• Understand and map your enterprise infrastructure topology before you make a change

• Proactively assess the impact of a change to ensure it does not break connectivity, affect compliance or create a security hole

• Avoid common mistakes when making changes to your network security devices and firewalls

• Monitor all changes, so that if there is an outage you can identify the newest implemented change and easily reverse it if necessary

• Translate business requirements into the network and security policies that are implemented on firewalls

TYPICAL SECURITY DEVICE CHANGE CONTROL PROCESS

1. Request
2. Plan
3. Approve
4. Implement
5. Validate
6. Close


In some cases, “Recertify”… but that’s a topic for another day

TYPICAL SECURITY DEVICE CHANGE CONTROL PROCESS: STEP 2, PLAN

• Identify which devices need to be changed

• In our example there are three devices in the path:

  • Check Point
  • Juniper
  • AWS Server

• How did we know?

VISIBILITY INTO THE PLANNING STAGE

• We understand the topology of the network and the security policies associated with the devices in the path

TYPICAL SECURITY DEVICE CHANGE CONTROL PROCESS: STEP 3, APPROVE

• Always perform a risk check BEFORE you approve

• Understanding the risk during the approval phase gives you a chance to re-plan the change, or to deny it if it would cause undue risk to the environment

TYPICAL SECURITY DEVICE CHANGE CONTROL PROCESS: STEP 4, IMPLEMENT

• During the implementation phase, consider how to insert the new security rule into the device’s current policy:

  • Add a new rule?
  • Modify an existing rule?
  • Create new objects?
  • Automatically document the rule change

TYPICAL SECURITY DEVICE CHANGE CONTROL PROCESS: STEP 5, VALIDATE

• Check the request and validate that it was implemented correctly before notifying stakeholders

• Was the original request implemented:

  • In good working order for the entire path, so the requester does not ask for the same access again?
  • Exactly as requested?
  • With an overly permissive rule (i.e. “any” instead of the HTTPS service)?

TYPICAL SECURITY DEVICE CHANGE CONTROL PROCESS: STEP 6, CLOSE

• If validation fails, you need to figure out why the change was not implemented correctly
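The six stages above, run against a constructed model of the deck’s three-device example (a Check Point firewall, a Juniper firewall and an AWS security group standing in for the “AWS Server” hop). This is an added example, not AlgoSec’s product or code, and the zones, CIDRs, device names, rulebases, ticket name and request are all assumptions. Plan finds the devices in the path from the topology; Approve runs the risk check before anything is approved; Implement adds a rule only on devices where the flow is not already allowed, inserting it ahead of the rule that currently blocks it so it cannot be shadowed; Validate re-simulates the whole path and flags an allowing rule that is broader than what was asked for (“any” source); rollback reverts the newest change, which is what the monitoring bullet earlier recommends trying first in an outage.

```python
"""Firewall change-control checks, as a constructed example (not AlgoSec's
product or code): Plan = devices in the path, Approve = risk check, Implement
= add rules only where the flow is not yet allowed, Validate = re-simulate
the path and flag overly permissive matches, rollback = undo newest change.
Zones, CIDRs, device names, rulebases and the request are all made up."""
import ipaddress
from collections import deque
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    svc: str      # e.g. "tcp/443", or "any"
    action: str   # "allow" or "deny"

# Assumed topology: zone -> CIDR, device -> the two zones it sits between.
ZONES = {"corp": "10.1.0.0/16", "dmz": "10.2.0.0/16",
         "aws": "172.16.0.0/16", "aws_app": "172.16.10.0/24"}
DEVICES = {"checkpoint": ("corp", "dmz"), "juniper": ("dmz", "aws"),
           "aws_sg": ("aws", "aws_app")}

# Assumed current rulebases; on each device the first matching rule wins.
RULEBASES = {
    "checkpoint": [Rule("cp-web", "10.1.0.0/16", "10.2.0.0/16", "tcp/443", "allow"),
                   Rule("cp-cleanup", ANY, ANY, ANY, "deny")],
    "juniper": [Rule("jn-cleanup", ANY, ANY, ANY, "deny")],
    "aws_sg": [Rule("sg-web", ANY, "172.16.10.0/24", "tcp/443", "allow")],
}

def zone_of(ip):
    """Longest-prefix zone lookup for a host address (None if unknown)."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(c).prefixlen, z)
            for z, c in ZONES.items() if addr in ipaddress.ip_network(c)]
    return max(hits)[1] if hits else None

def path_devices(src_ip, dst_ip):
    """Plan: BFS over zones with devices as edges; None if not connected."""
    start, goal = zone_of(src_ip), zone_of(dst_ip)
    if None in (start, goal):
        return None
    seen, queue = {start}, deque([(start, [])])
    while queue:
        zone, hops = queue.popleft()
        if zone == goal:
            return hops
        for dev, (a, b) in DEVICES.items():
            nxt = b if zone == a else a if zone == b else None
            if nxt and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + [dev]))
    return None

def first_match(rules, src, dst, svc):
    """First rule covering the flow; 'any' covers everything."""
    cov = lambda f, ip: f == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(f)
    return next((r for r in rules if cov(r.src, src) and cov(r.dst, dst)
                 and r.svc in (ANY, svc)), None)

def risk_findings(src, dst, svc):
    """Approve: run BEFORE approval so a risky request can be re-planned or denied."""
    findings = [f"{k} is 'any'; scope it to what the application needs"
                for k, v in [("source", src), ("destination", dst), ("service", svc)] if v == ANY]
    if ANY not in (src, dst) and path_devices(src, dst) is None:
        findings.append("no path between the source and destination zones")
    return findings

def implement(rulebases, src, dst, svc, ticket):
    """Implement: add a host-specific rule only where the flow is not already
    allowed, ahead of the rule that currently blocks it so it is not shadowed.
    Returns the change log, newest change last."""
    log = []
    for dev in path_devices(src, dst):
        rules = rulebases[dev]
        hit = first_match(rules, src, dst, svc)
        if hit is not None and hit.action == "allow":
            continue                                   # already permitted here
        new = Rule(ticket, f"{src}/32", f"{dst}/32", svc, "allow")
        rules.insert(rules.index(hit) if hit else len(rules), new)
        log.append((dev, new))
    return log

def validate(rulebases, src, dst, svc):
    """Validate: re-simulate the whole path; where is it still blocked, and
    which allowing rules are broader than the request ('any' in a field)?"""
    permissive = []
    for dev in path_devices(src, dst):
        hit = first_match(rulebases[dev], src, dst, svc)
        if hit is None or hit.action != "allow":
            return {"allowed": False, "blocked_at": dev, "permissive": permissive}
        if ANY in (hit.src, hit.dst, hit.svc):
            permissive.append(f"{dev}:{hit.name}")
    return {"allowed": True, "blocked_at": None, "permissive": permissive}

def rollback(rulebases, log):
    """Undo the newest implemented change; returns the device it came off."""
    dev, rule = log.pop()
    rulebases[dev].remove(rule)
    return dev
```

For the constructed request 10.1.5.20 to 172.16.10.5 over tcp/443, validate reports the flow blocked at the Check Point before the change, implement adds one rule on the Check Point and one on the Juniper (nothing is needed on the security group, which already allows it), and validate afterwards reports the flow allowed end to end but lists aws_sg:sg-web as permissive: the request was implemented, yet one hop matches with source “any”, which is exactly the “any” versus HTTPS case the validate step warns about.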

GAP BETWEEN BUSINESS AND IT SECURITY

• A simplistic summary of the Business and IT relationship:

  1. The business created value for customers, has stored this data in databases, and allows users to access the data via applications
  2. IT maintains the infrastructure to support the data (databases) and applications
  3. IT Security maintains secure access to data and applications so these assets don’t compromise the value of the business

• Without 1, 2 and 3 above, a business would not exist

• Applications provide a vehicle to create additional value for customers

• Applications and data MUST be secure and maintainable

  • Application developers and database administrators request security infrastructure changes as business requirements adapt to new customer and market demands

• The security change management process has to improve, just as server provisioning did: provisioning a web or database server now takes only minutes

A SIMPLE DIAGRAM WILL DO….PLEASE!!!

• The current challenge is that information security talks a different language than the application developers and database administrators (DBAs) who are requesting application changes

• Security architects must bridge the gap between a secure business application and an operational disaster

• How many organizations can document their business applications well enough that the security team has a prayer of understanding how their applications work?

• The application connectivity diagram shown on the slide can be dynamically created to help document how the application interacts with the network infrastructure

• It provides security architects with a communication vehicle to start the conversation

• Dive one level deeper and understand the security

DATACENTER AND/OR CLOUD MIGRATION MOTIVES

• Upgrade capacity

• Save money – server consolidation

• Mergers and acquisitions to combine resources

DATA CENTER (DC) MIGRATION

• Requirements for DC migration:

  • Complete inventory of what needs to move
    • Official and “unofficial” equipment
    • Discover the hidden assets via the security policy
  • New hardware and IP address schemes
    • Change the firewall rulebase for transition connectivity
    • Migrate IPs in DNS servers
    • After migration is complete, decommission the original application

• Planning: what-if analysis

  • What applications are using these servers?
  • What applications are impacted by these firewalls?
  • What applications are vulnerable to these security issues?
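An added example of the inventory and what-if analysis the migration bullets call for; it is not AlgoSec’s product or code, and the firewall policy, the CMDB inventory of servers to move (old address to new address), the old data center range and the application inventory are all constructed. It finds addresses in the old DC range that the policy references but the CMDB does not list (the “unofficial” equipment, including a whole backup subnet), answers which applications use the migrating servers or are touched by a given rule, builds the transitional rulebase that permits both old and new addresses during cutover, and produces the decommission work list for afterwards.

```python
"""Data-center migration planning over the firewall policy, as a constructed
example (not AlgoSec's product or code). Addresses, rule names, the CMDB map
and the application inventory below are all made up."""
import ipaddress
from dataclasses import dataclass, replace

OLD_DC = ipaddress.ip_network("10.2.0.0/16")      # assumed old data-center range


@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset   # host addresses or CIDRs, as strings
    dst: frozenset
    svc: str

# Official inventory (CMDB) of servers to move: old address -> new address.
MIGRATION_MAP = {"10.2.8.9": "10.9.8.9", "10.2.8.10": "10.9.8.10"}

# Application inventory: application -> the hosts it depends on.
APPS = {"billing": {"10.1.5.20", "10.2.8.9", "10.2.8.10"},
        "crm": {"10.1.5.21", "10.2.8.9"},
        "hr": {"10.1.5.30", "10.2.50.7"}}          # 10.2.50.7 is not in the CMDB

RULES = [
    Rule("web-to-db", frozenset({"10.1.5.20"}), frozenset({"10.2.8.9"}), "tcp/5432"),
    Rule("crm-to-db", frozenset({"10.1.5.21"}), frozenset({"10.2.8.9", "10.2.8.10"}), "tcp/5432"),
    Rule("hr-legacy", frozenset({"10.1.5.30"}), frozenset({"10.2.50.7"}), "tcp/8443"),
    Rule("backup", frozenset({"10.2.0.0/24"}), frozenset({"10.3.1.1"}), "tcp/22"),
]

def in_old_dc(addr):
    """True for a host or CIDR that lies inside the old data-center range."""
    return ipaddress.ip_network(addr, strict=False).subnet_of(OLD_DC)

def hidden_assets(rules, inventory):
    """Old-DC addresses the policy references that the inventory does not list:
    equipment (or whole subnets) the move would otherwise leave behind."""
    referenced = {a for r in rules for a in r.src | r.dst}
    return sorted(a for a in referenced if in_old_dc(a) and a not in inventory)

def apps_using(hosts):
    """What-if: which applications depend on any of these hosts? (exact match)"""
    return sorted(app for app, deps in APPS.items() if deps & set(hosts))

def apps_impacted_by_rule(rule):
    """What-if: which applications would a change to this rule touch?"""
    return apps_using(rule.src | rule.dst)

def transitional_rules(rules, mapping):
    """Cutover phase: every rule naming a migrating host also gets the new
    address, so the application keeps working from either location."""
    grow = lambda side: frozenset(side | {mapping[a] for a in side if a in mapping})
    return [replace(r, src=grow(r.src), dst=grow(r.dst)) for r in rules]

def decommission_old(rules, mapping):
    """After cutover: strip the old addresses. Returns the cleaned rules and a
    work list of rule name -> addresses removed; rules left empty are dropped."""
    kept, worklist = [], {}
    for r in rules:
        src = frozenset(a for a in r.src if a not in mapping)
        dst = frozenset(a for a in r.dst if a not in mapping)
        removed = sorted((r.src | r.dst) - (src | dst))
        if removed:
            worklist[r.name] = removed
        if src and dst:
            kept.append(replace(r, src=src, dst=dst))
    return kept, worklist

if __name__ == "__main__":
    print("hidden assets:", hidden_assets(RULES, MIGRATION_MAP))
    print("apps on migrating servers:", apps_using(MIGRATION_MAP))
    cutover = transitional_rules(RULES, MIGRATION_MAP)
    print("decommission after cutover:", decommission_old(cutover, MIGRATION_MAP)[1])
```

The hidden-asset check surfaces 10.2.50.7 (an HR dependency nobody put in the CMDB) and the 10.2.0.0/24 backup source, which a host-by-host migration map silently misses. Order matters for the rulebase: applying decommission_old to the original rules instead of the transitional ones empties the destination side of web-to-db and crm-to-db and drops them outright, which is precisely the outage the transition rulebase exists to prevent.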

CUSTOMER PHILOSOPHY IS CHANGING

• We currently see connectivity requests being manually planned, assessed, designed and implemented

  • This needs to change…..and quickly!
  • How do you manage these 1,000 security change requests?

• Customers are moving to agile development and deployment

• The Internet of Things is impacting service expectations

• We are required to intelligently automate as much of the change process as possible

• The bottom line is that security needs to dramatically improve change responsiveness, with zero errors, at a lower cost!

SUMMARY

• Misconfigured devices can cause outages and security breaches

• Use automation and validation to help reduce human errors

• Help application developers and information security understand each other by automatically documenting applications and translating security policy rules into flows that everyone can understand

• Use “projects” to help accelerate data center migration security policies so that it will be completed on time!

MORE RESOURCES