Enterprise Network Security
Enterprise Network 101 Workshop
Security is Hard
• Securing and monitoring the security of a campus network is
difficult
• Campus networks need to be fairly open
• There will always be viruses, attacks and people behaving badly
Enterprise Networks and Security
• Goal: Prepare for problems you will have
– You will have compromises and hackers
– You will have viruses
• You get a call from your ISP saying that they have a report that
one of your hosts is participating in a Denial of Service (DoS) attack
– What do you do?
– How do you find the host? (With NAT the ISP only sees your public address, so you need NAT translation logs or flow records taken on the inside of the NAT to map it back to a host)
Security is a Process
You can never achieve security – it is a process that you have to
continually work on
– Assessment – what is at risk
– Protection – efforts to mitigate risk
– Detection – detect intrusions or problems
– Response – respond to intrusions or problems
– Do it all over again
Policy Framework
Why are policies important?
– IT is part of the basic and foundational infrastructure of your institution
– You must have policies to guide how cybersecurity operates
– These policies need to be developed and approved by the institutional
leadership
What kind of policies do you include?
– Policy to form cybersecurity group
– Policy to describe types or categories of data your institution holds and
who is responsible for this data
– Policy to describe how to respond to security incidents
– You need to have procedures to handle common cases
Security Foundation
• You must have managed equipment in your network
• You must have some basic network monitoring and management in place
• Network monitoring and management is the foundation that virtually every network security framework is built on
Classical Network Management Tools
• Are some devices not responding or responding poorly, possibly
because of a DoS attack or break-in?
– Nagios
– Smokeping
• Are you seeing unusual levels of traffic?
– Cacti
– LibreNMS
– NetFlow with NfSen (also sFlow, J-Flow, IPFIX)
Modern Network Management Tools
• Software stacks that allow real-time monitoring of network state
• Generally involve a mix of SNMP, HTTP and agents installed on servers,
using both pull and push models
• Are more complex, but provide
– alerting on events
– detailed dashboards of network state
– detection of anomalies
– trend analysis
– network traffic inspection using network flows
• Some popular software stacks include:
– Prometheus
– ELK
– TICK, and many others
Network Traffic Analysis
• It is important to know what traverses your network
– You learn about a new virus and find out that all infected machines
connect to 128.129.130.131
– Can you find out which of your machines have connected to it?
• What tools are available?
– NetFlow: you will learn about this
– Snort, Suricata, Zeek (formerly Bro) and others: open source intrusion detection systems that are very useful for finding infected machines
Log Analysis
• Can be just as important as traffic analysis
• Run a central syslog server and gather logs from:
– DHCP servers, DNS servers, mail servers, switches, routers, etc.
– Now you have data to look at
– Given an IP address and a time, you can usually find the user (DHCP lease → MAC address → switch port or login record)
• Lots of tools to correlate logs and alarm on critical events
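The "given an IP, find the user" step above, as an added example that is not part of the original workshop material. It parses a few constructed syslog lines (an ISC dhcpd server and a Dovecot mail server, both assumed) and answers "who held this IP address at this time?" by taking the most recent DHCPACK for the address before the time in question and then only the mail logins that happened during that lease. The year, host names, user names and addresses are all made up for the example.

```python
import re
from datetime import datetime

YEAR = 2024  # assumed: classic syslog timestamps carry no year

# Constructed sample lines, as a central syslog server would collect them
# from a DHCP server (dhcp1) and a mail server (mail1). Not real data.
SAMPLE_LOG = """\
Mar 14 08:01:10 dhcp1 dhcpd: DHCPACK on 10.20.1.55 to 00:11:22:33:44:55 (lab-pc-07) via eth0
Mar 14 09:15:42 mail1 dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=10.20.1.55, lip=10.20.0.10, TLS
Mar 14 10:30:05 dhcp1 dhcpd: DHCPACK on 10.20.1.55 to aa:bb:cc:dd:ee:ff (android-9f3c) via eth0
Mar 14 11:02:17 mail1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=10.20.1.55, lip=10.20.0.10, TLS
Mar 14 12:00:00 dhcp1 dhcpd: DHCPACK on 10.20.1.56 to de:ad:be:ef:00:01 (printer) via eth0
"""

# "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")
# ISC dhcpd lease acknowledgement: IP, MAC and optional client hostname
DHCPACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-fA-F:]{17})(?: \(([^)]*)\))?")
# Dovecot login line: user name and the client ("remote") IP
LOGIN_RE = re.compile(r"Login: user=<([^>]+)>.*\brip=(\S+?),")


def parse_ts(s):
    """Parse a classic syslog timestamp, attaching the assumed year."""
    return datetime.strptime(s, "%b %d %H:%M:%S").replace(year=YEAR)


def parse_syslog(text):
    """Split syslog lines into (ts, host, prog, msg) entries, sorted by time."""
    entries = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            entries.append({"ts": parse_ts(m.group(1)), "host": m.group(2),
                            "prog": m.group(3), "msg": m.group(4)})
    entries.sort(key=lambda e: e["ts"])
    return entries


def lease_holder(entries, ip, at):
    """Most recent DHCPACK for `ip` at or before `at`: (lease_start, mac, hostname) or None."""
    best = None
    for e in entries:
        if e["prog"] != "dhcpd" or e["ts"] > at:
            continue
        m = DHCPACK_RE.search(e["msg"])
        if m and m.group(1) == ip:
            best = (e["ts"], m.group(2).lower(), m.group(3) or "")  # entries are time-ordered
    return best


def who_was_on(entries, ip, at):
    """Map (ip, time) to the device that held the lease and the last user seen
    logging in from it during that lease. Logins from a previous lease of the
    same address are deliberately ignored: they belong to another device."""
    lease = lease_holder(entries, ip, at)
    if lease is None:
        return None
    start, mac, hostname = lease
    user = None
    for e in entries:
        if start <= e["ts"] <= at:
            m = LOGIN_RE.search(e["msg"])
            if m and m.group(2) == ip:
                user = m.group(1)
    return {"mac": mac, "hostname": hostname, "lease_start": start, "user": user}


ENTRIES = parse_syslog(SAMPLE_LOG)

if __name__ == "__main__":
    print(who_was_on(ENTRIES, "10.20.1.55", parse_ts("Mar 14 11:30:00")))
    print(who_was_on(ENTRIES, "10.20.1.55", parse_ts("Mar 14 10:00:00")))
```

Note the lease boundary: at 10:45 the address already belongs to the Android device, but the only login during that lease comes later, so the answer is "device known, user not yet known", which is exactly the honest answer an investigator should give rather than blaming the previous lease holder.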
Network Flows
• Routers can generate a summary record for every traffic flow they
see
– src addr, src port, dst addr, dst port, protocol, bytes/packets
• Software to record and analyze this data
– Nfdump + NfSen (traditional)
– ElastiFlow, ntopng (modern)
• Easily identify the top bandwidth users
• Drill down to find out what they were doing
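An added example, not part of the original workshop material, of the three flow questions raised on this page: the ISP call about a host taking part in a DoS attack, "which machines connected to 128.129.130.131?", and "who are the top bandwidth users?". It works on constructed flow records in a simplified CSV layout modelled on `nfdump -o csv` output (the real tool emits more columns); the campus prefix 10.20.0.0/16, the addresses and the volumes are all assumed. Flow records are unidirectional, so the top-talker count credits bytes to a local address whether it is the source or the destination of the record.

```python
import csv
import io
import ipaddress
from collections import Counter

LOCAL_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed campus address range

# Constructed flow export (one line per flow: start time, src/dst address,
# src/dst port, protocol, packets, bytes). Modelled on nfdump CSV output
# with the column set trimmed; not real data.
SAMPLE_FLOWS = """\
ts,sa,da,sp,dp,pr,ipkt,ibyt
2024-03-14 09:00:01,10.20.1.55,128.129.130.131,51234,443,TCP,12,1600
2024-03-14 09:00:05,10.20.1.56,93.184.216.34,51235,443,TCP,40,52000
2024-03-14 09:01:10,10.20.1.77,128.129.130.131,51300,8080,TCP,9,1200
2024-03-14 09:02:00,10.20.1.56,93.184.216.34,51236,443,TCP,3000,4100000
2024-03-14 09:03:00,10.20.1.90,203.0.113.9,40000,53,UDP,150000,9000000
2024-03-14 09:03:30,10.20.1.55,203.0.113.9,50000,80,TCP,5,600
2024-03-14 09:04:00,198.51.100.7,10.20.0.10,33000,25,TCP,20,9000
"""


def parse_flows(text):
    """Read the CSV into dicts with numeric ports, packet and byte counts."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("sp", "dp", "ipkt", "ibyt"):
            row[key] = int(row[key])
        flows.append(row)
    return flows


def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET


def hosts_that_contacted(flows, target):
    """Local hosts that sent traffic to `target`, with the number of flows each.
    This is the 'every infected machine connects to 128.129.130.131' lookup."""
    counts = Counter(f["sa"] for f in flows if f["da"] == target and is_local(f["sa"]))
    return dict(sorted(counts.items()))


def top_talkers(flows, n=5):
    """Local addresses ranked by total bytes, counting both directions."""
    totals = Counter()
    for f in flows:
        for side in ("sa", "da"):
            if is_local(f[side]):
                totals[f[side]] += f["ibyt"]
    return totals.most_common(n)


def dos_suspects(flows, victim, min_pkts=10000, max_avg_bytes=100):
    """Local hosts sending many small packets to `victim`: the pattern to look
    for after the ISP reports one of your addresses in a DoS attack. Thresholds
    are assumed starting points and need tuning for a real network."""
    pkts, byts = Counter(), Counter()
    for f in flows:
        if f["da"] == victim and is_local(f["sa"]):
            pkts[f["sa"]] += f["ipkt"]
            byts[f["sa"]] += f["ibyt"]
    suspects = []
    for host, p in pkts.items():
        avg = byts[host] / p
        if p >= min_pkts and avg <= max_avg_bytes:
            suspects.append((host, p, avg))
    return sorted(suspects, key=lambda s: -s[1])


FLOWS = parse_flows(SAMPLE_FLOWS)

if __name__ == "__main__":
    print("contacted C2:", hosts_that_contacted(FLOWS, "128.129.130.131"))
    print("top talkers:", top_talkers(FLOWS, 3))
    print("DoS suspects:", dos_suspects(FLOWS, "203.0.113.9"))
```

The flow export must be collected on the inside of any NAT for the source addresses to be the real hosts; a collector on the outside would only ever show the shared public address, which is the NAT problem the slides warn about.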
Anomalous Traffic
• Intrusion Detection Systems (e.g. Snort) can identify suspicious
traffic patterns, e.g.
– machines using BitTorrent
– machines infected with certain viruses/worms
– some network-based attacks
• Typically the IDS is connected to a mirror (SPAN) port on a switch, so it sees a copy of the traffic without sitting in the path
• Risk of false positives; the rules need tuning
• Starting point for further investigation
How useful are firewalls?
• A long time ago, end-user machines got infected through
direct network attacks (no action by the user)
• End-user systems now ship with a host firewall
– Windows (on by default since XP SP2), macOS and Linux
– Don’t turn the end-user systems’ firewalls off!
• Today user machines mostly get infected through the user’s own actions, not unsolicited inbound connections
• We’ve already discussed how perimeter firewalls don’t help with that
• People still design networks as if they would
Where to put Firewalls
• The traditional recommendation for firewalls is based on old
experience with Windows prior to XP Service Pack 2
– Windows machines would get infected from the Internet just by being connected to the network
• Firewalls were placed at the border to do NAT and to protect the entire enterprise
• This is a very “corporate” approach and doesn’t allow for
innovation by users
Firewall Placement
• Firewalls don’t protect users from malware that arrives via
the two most common mechanisms
– “clicked links” while web browsing
– email attachments
– Both normally travel over encrypted connections (HTTPS, TLS to the mail server), so a firewall in the path can’t see the content
• As bandwidth increases, in-line firewalls become a bottleneck that limits performance for all
users, and the problem grows with link speed
Questions/Discussion?