SAFE AND SOUND
INTRODUCTION
Elements of Security Auditing
Applications to a Customer's Network
Modular Approach
User layer ....... Server layer ....... Network layer
....... interconnects (cabling) between the layers .......
User Layer
Thin-clients, or physically-secure workstations
Login + passworded access
Access only to relevant services, applications
Run background malware prevention software
Server Layer
Remove unnecessary services
User groups to match physical topology
Don't run services as root / admin
Run OS as read-only
Network Layer
Backup IOS, OS, data
Distribute & centralise topology (failover, and ordered & documented design & layout)
Use firewalls & logging
Use IDS, IPS, traffic monitoring
Cabling
Use more secure cable types
Use patch-panels and colour-coding
Layouts that make testing, fault-finding easy
Security Considerations
Network Threats
Viruses
Tend to be inadvertently activated
....... or may be installed deliberately
Network Threats
Worms
Travel the internet, scanning for vulnerabilities
Often disrupt networks by flooding, forking
Network Threats
Spiders and webbots
Can be used maliciously – automated signups, website duplication, spam
Network Threats
Trojans
Masquerade as regular software
Tend to allow attacker to control infected machine
Network Threats
Spyware and Phishing
Information stealing, user profiling
Used in advert targeting, spam, ID theft
Network Threats
Spam
Can contain other malware
Congests networks
Network Threats
Delete traces of intrusions
Alter logs
Forensics get-around
Bombs
Solutions for Customer
Separate physical network for WAN access
Honeypot to track & ID intrusions
Monitoring station for internal LANs
Solutions for Customer
Honeypot
Mimics internal network or DMZ
Allows profiling of network threats
Solutions for Customer
SAN - storage area network
RAID 40: RAID level 4 & RAID level 0
4 – block striping with parity: failure tolerant & faster rebuilds
0 – striping: faster writes
Solutions for Customer
RAID 40
Tenable's Security Center
Each node is a router, hosts behind router
Advisor
Parallel co-ordinate plot of firewall logs
Flamingo
Port scan: 1 source, many targets
Rumint
Jamming attack visualisation
Psad
Nachi worm network behaviour
Red nodes are ICMP packets
Web server log, Raju Varghese
Spider attack on web server from single IP
Red colouration indicates 5xx status codes
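The two log patterns these visualisations highlight, a port scan (one source touching many targets) and a spider hammering a web server from a single IP (many 5xx responses), can also be flagged without a graph. The script below is an added example, not code from the slides or from any of the tools named; it runs over constructed sample log lines in a hypothetical "src dst dport action" firewall format and the standard Common Log Format for the web server.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (hypothetical format: src dst dport action).
FIREWALL_LOG = """\
10.0.0.5 192.168.1.10 22 DROP
10.0.0.5 192.168.1.10 23 DROP
10.0.0.5 192.168.1.10 25 DROP
10.0.0.5 192.168.1.11 80 DROP
10.0.0.5 192.168.1.12 443 DROP
10.0.0.5 192.168.1.13 8080 DROP
10.0.0.7 192.168.1.10 443 ACCEPT
"""

# Constructed web server access log lines in Common Log Format.
ACCESS_LOG = """\
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /a HTTP/1.1" 500 12
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /b HTTP/1.1" 503 12
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /c HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2023:13:55:39 +0000] "GET /d HTTP/1.1" 502 12
198.51.100.4 - - [10/Oct/2023:13:56:00 +0000] "GET / HTTP/1.1" 200 1024
"""

def port_scan_sources(log, min_targets=5):
    """Sources that touched at least min_targets distinct (dst, port) pairs:
    the '1 source, many targets' shape of a port scan."""
    targets = defaultdict(set)
    for line in log.splitlines():
        src, dst, dport, _action = line.split()
        targets[src].add((dst, dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}

# Client IP is group 1, HTTP status code is group 2.
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) \d+')

def error_burst_sources(log, min_5xx=3):
    """Client IPs that drew at least min_5xx server-error (5xx) responses,
    the single-IP spider pattern coloured red in the slide."""
    counts = defaultdict(int)
    for line in log.splitlines():
        m = CLF.match(line)
        if m and m.group(2).startswith("5"):
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= min_5xx}

if __name__ == "__main__":
    print(port_scan_sources(FIREWALL_LOG))   # {'10.0.0.5': 6}
    print(error_burst_sources(ACCESS_LOG))   # {'203.0.113.9': 3}
```

Thresholds are deliberately low for the sample; on real logs tune them per source network and add a time window so a busy but legitimate host is not flagged.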
fin
Network monitoring visualisations from:
http://www.secviz.org/category/image-galleries/graph-exchange