Or… how industry standard network security models can help achieve better network security without introducing unneeded complexity in your environment

• History of a network…
  • From initial state to current state
• Threats to current state
• We still have problems
• Why do architecture?
• What does it look like?
• Networks were closed
• No Internet connection
• Risk – relatively low

[Diagram: PC, Server, Laptop]
• Let’s get an Internet connection
• Mostly outbound connections
• eMail/Web browsing

[Diagram: Internet, PC, Server, Laptop]
• Let’s do business on the web
• Web server
  • Mostly static content
• E-Business

[Diagram: Internet, Web Server, PC, Server, Laptop]
• Multi-tiered applications
• Sensitive data exposed through Internet facing applications

[Diagram: Internet, Web Server, Database Server, PC, Server, Laptop]
• Networks are open
• Arguably mature set of standards
• Web sites integral part of business
• Security controls developed as we moved from Closed to Open architectures
• Linear development of security controls is not sufficient

• Because we have exposed resources and data to Internet customers, multiple attack vectors exist
• Proven vulnerabilities in web servers
• Can be used as launching point for further attacks
  • Pivoting
• We have used individual technological components to address specific needs
  • PCI problems solved by a WAF?
• Throw some firewalls at it
• Let’s try an IDS/IPS
• Segmentation (PCI)

• Security tends to be reactive
• No structure for security controls
  • (or undocumented security assumptions/requirements)
• Every system has a unique set of controls
• Hard to manage
  • Is the control managed properly?
  • What are the governing rules for the management of the controls?
  • Are we in compliance with all of the controls?

• We can’t just throw technology at these problems without proper process and staffing to manage the technology
• We can’t throw security point solutions at the problems without considering how they work together and how they impact the production system
• Align IT Security Architecture with other architectural domains
  • Must align systems security with network and application security
• Align IT Security Architecture with the business requirements
  • Are we trying to solve a problem that the business doesn’t need?
  • Security Architecture needs to align with the business risk appetite

• Ensure technical controls function as an integrated system
  • IDS and vulnerability management integration reduces false positives
  • Is there alignment between what our tools are telling us?
  • SIEM? Not so sure without good brains (people) behind it
• BIG PICTURE THINKING
  • One candidate …
Principles

General principles - These principles are the default unless a more specific rule is indicated below

Traffic traversing any security zone boundary must traverse an IA control (firewall/proxy/etc).

Any traffic traversing any security zone boundary should only allow the ports and protocols necessary for the operations of the particular application.

Any traffic traversing any security zone boundary should have source and destination IP address restrictions as narrow in scope as possible to support the operations of the particular application.

Exceptions shall be approved by the business and IT. Approval process to be defined.

Traffic from a zone with a higher security rating to a zone with a lower security rating shall be allowed.

Traffic from a zone with a lower security rating to a zone with a higher security rating shall be denied.

Any server providing a public service to clients in the untrusted zone should not be allowed to directly connect back to the untrusted zone.

Traffic within specific zones should be segmented as much as possible to provide separation between applications.

Application level security such as Active Directory trust levels should be closely aligned to the network architecture.
  - No trust levels should be implied because network traffic is either allowed or denied

Specific principles

Traffic from the untrusted zone (0) to the trusted or restricted zone (100) shall be specifically denied.

Traffic from the untrusted zone (0) to the public facing DMZ zone (1-49) shall be allowed.

Traffic from the DMZ zone (1-99) to the trusted zone will be allowed after a thorough analysis of the risk and approval by the business and IT.

Traffic from the DMZ zone (1-99) to the restricted zone will be specifically denied.

Traffic from servers in the trusted zone (100) to the untrusted zone (0) shall be specifically denied.

Traffic from clients in the trusted zone (100) to the untrusted zone (0) shall be allowed.
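A small evaluator that applies the general and specific principles above to a proposed flow, plus a linter that reviews firewall rules for the port and address-scope principles and the approved-exception path. This is an added example, not code from the original presentation; the zone names, the representative ratings 25 and 75 inside the deck's bands, the rule fields and the sample rule base are assumptions.

```python
# Zone-policy evaluator and rule linter for the deck's security-zone principles.
# Added example, not part of the original presentation. Ratings follow the deck:
# untrusted 0, public-facing DMZ 1-49, DMZ 1-99, trusted 100, restricted 100.
# The representative values 25 and 75 are assumptions inside the deck's bands.
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_network

# Higher rating = more trusted; a dict (not an Enum) so two zones can share 100.
ZONE_RATING = {"untrusted": 0, "public-dmz": 25, "dmz": 75,
               "trusted": 100, "restricted": 100}

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    NEEDS_APPROVAL = "needs business/IT approval"

def evaluate_zone_policy(src, dst, src_role="client"):
    """Return (Decision, reason): specific principles first, then the general rule.
    src_role is "client" or "server"; the deck treats them differently towards
    the untrusted zone."""
    s, d = ZONE_RATING[src], ZONE_RATING[dst]
    if src == dst:
        return Decision.ALLOW, "intra-zone; still segment per application"
    # --- specific principles ---
    if src == "untrusted":
        if dst in ("trusted", "restricted"):
            return Decision.DENY, "untrusted -> trusted/restricted is specifically denied"
        if dst == "public-dmz":
            return Decision.ALLOW, "untrusted -> public-facing DMZ is allowed"
    if src in ("public-dmz", "dmz"):
        if dst == "restricted":
            return Decision.DENY, "DMZ -> restricted is specifically denied"
        if dst == "trusted":
            return Decision.NEEDS_APPROVAL, "DMZ -> trusted only after risk analysis and approval"
        if dst == "untrusted" and src_role == "server":
            return Decision.DENY, "public-service server must not connect back to untrusted"
    # The deck states this for trusted(100); applied to restricted(100) as well
    # here (assumption: same rating, and the safer reading).
    if src in ("trusted", "restricted") and dst == "untrusted":
        if src_role == "server":
            return Decision.DENY, "servers in trusted zone -> untrusted is specifically denied"
        return Decision.ALLOW, "clients in trusted zone -> untrusted is allowed"
    # --- general principles ---
    if s > d:
        return Decision.ALLOW, "higher-rated zone -> lower-rated zone"
    # Lower -> higher is denied; equal ratings across different zones are not
    # covered by the deck and default to deny here.
    return Decision.DENY, "not from a higher-rated zone; denied unless an approved exception"

@dataclass(frozen=True)
class FirewallRule:
    name: str
    src_zone: str
    dst_zone: str
    src_cidr: str
    dst_cidr: str
    proto: str                         # "tcp", "udp" or "any"
    ports: tuple                       # destination ports; empty tuple means any
    src_role: str = "client"
    approved_exception: bool = False   # exception approved by the business and IT

def review_rule(rule):
    """Check one rule against the principles; an empty list means clean."""
    findings = []
    decision, why = evaluate_zone_policy(rule.src_zone, rule.dst_zone, rule.src_role)
    if decision is not Decision.ALLOW and not rule.approved_exception:
        findings.append(f"zone policy: {why}")
    if rule.src_zone == rule.dst_zone:
        return findings
    if rule.proto == "any" or not rule.ports:
        findings.append("ports/protocols not limited to what the application needs")
    # "As narrow as possible": a /0 is only acceptable on the Internet side.
    for label, zone, cidr in (("source", rule.src_zone, rule.src_cidr),
                              ("destination", rule.dst_zone, rule.dst_cidr)):
        if zone != "untrusted" and ip_network(cidr, strict=False).prefixlen == 0:
            findings.append(f"{label} address scope is any ({cidr}); narrow it")
    return findings

# Constructed sample rule base; addresses are documentation/private ranges.
SAMPLE_RULES = (
    FirewallRule("web-inbound", "untrusted", "public-dmz",
                 "0.0.0.0/0", "203.0.113.10/32", "tcp", (443,)),
    FirewallRule("web-to-db", "public-dmz", "dmz", "203.0.113.10/32", "10.10.20.5/32",
                 "tcp", (5432,), src_role="server", approved_exception=True),
    FirewallRule("legacy-any", "dmz", "trusted", "10.10.20.0/24", "0.0.0.0/0", "any", ()),
    FirewallRule("web-callback", "public-dmz", "untrusted",
                 "203.0.113.10/32", "0.0.0.0/0", "tcp", (443,), src_role="server"),
)

def review_rules(rules=SAMPLE_RULES):
    """Map rule name -> findings; run as a script to print the review."""
    return {r.name: review_rule(r) for r in rules}

if __name__ == "__main__":
    for name, findings in review_rules().items():
        print(f"{name}: {'; '.join(findings) or 'clean'}")
```

The "web-to-db" rule is lower-to-higher traffic and only passes because it carries an approved exception; the "legacy-any" rule collects three findings (unapproved DMZ-to-trusted, any protocol, any destination).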
• Document what you have (AS IS)
  • Capture rationale, history, narrative behind why things are
• Develop the target architecture (TO BE)
  • Document guiding principles
• Develop plans to move from AS IS to TO BE
  • This is a LONG process… Months and years, not weeks.
• Preach the process!

• Piecemeal, ad hoc security control development is insufficient
  • Architecturally
  • Operationally
• Pick an architecture that fits and do it
• Operate your security discipline according to the architecture
• “Manage the hell out of it!”
Network Security Architecture

More Related Content

What's hot

Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Dam Frank
 
Data Loss Prevention
Data Loss PreventionData Loss Prevention
Data Loss PreventionReza Kopaee
 
Next Generation Network: Security and Architecture
Next Generation Network: Security and ArchitectureNext Generation Network: Security and Architecture
Next Generation Network: Security and Architectureijsrd.com
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to CybersecurityKrutarth Vasavada
 
Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy Dam Frank
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
The Zero Trust Model of Information Security
The Zero Trust Model of Information Security The Zero Trust Model of Information Security
The Zero Trust Model of Information Security Tripwire
 
Security architecture
Security architectureSecurity architecture
Security architectureDuncan Unwin
 
Access Control Presentation
Access Control PresentationAccess Control Presentation
Access Control PresentationWajahat Rajab
 
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020Jiunn-Jer Sun
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 
Cybersecurity Fundamental Course by Haris Chughtai.pdf
Cybersecurity Fundamental Course by Haris Chughtai.pdfCybersecurity Fundamental Course by Haris Chughtai.pdf
Cybersecurity Fundamental Course by Haris Chughtai.pdfHaris Chughtai
 
Basics of Cyber Security
Basics of Cyber SecurityBasics of Cyber Security
Basics of Cyber SecurityNikunj Thakkar
 
Cybersecurity Audit
Cybersecurity AuditCybersecurity Audit
Cybersecurity AuditEC-Council
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Edureka!
 
Best Practices for Implementing Data Loss Prevention (DLP)
Best Practices for Implementing Data Loss Prevention (DLP)Best Practices for Implementing Data Loss Prevention (DLP)
Best Practices for Implementing Data Loss Prevention (DLP)Sarfaraz Chougule
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Sqrrl
 

What's hot (20)

Data Leakage Prevention (DLP)
Data Leakage Prevention (DLP)Data Leakage Prevention (DLP)
Data Leakage Prevention (DLP)
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3
 
Data Loss Prevention
Data Loss PreventionData Loss Prevention
Data Loss Prevention
 
Next Generation Network: Security and Architecture
Next Generation Network: Security and ArchitectureNext Generation Network: Security and Architecture
Next Generation Network: Security and Architecture
 
Security policy
Security policySecurity policy
Security policy
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
 
Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
 
The Zero Trust Model of Information Security
The Zero Trust Model of Information Security The Zero Trust Model of Information Security
The Zero Trust Model of Information Security
 
Security architecture
Security architectureSecurity architecture
Security architecture
 
Access Control Presentation
Access Control PresentationAccess Control Presentation
Access Control Presentation
 
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Cybersecurity Fundamental Course by Haris Chughtai.pdf
Cybersecurity Fundamental Course by Haris Chughtai.pdfCybersecurity Fundamental Course by Haris Chughtai.pdf
Cybersecurity Fundamental Course by Haris Chughtai.pdf
 
Basics of Cyber Security
Basics of Cyber SecurityBasics of Cyber Security
Basics of Cyber Security
 
Cybersecurity Audit
Cybersecurity AuditCybersecurity Audit
Cybersecurity Audit
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
 
Best Practices for Implementing Data Loss Prevention (DLP)
Best Practices for Implementing Data Loss Prevention (DLP)Best Practices for Implementing Data Loss Prevention (DLP)
Best Practices for Implementing Data Loss Prevention (DLP)
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk Management
 

Viewers also liked

2 Security Architecture+Design
2 Security Architecture+Design2 Security Architecture+Design
2 Security Architecture+DesignAlfred Ouyang
 
u10a1 Network and Security Architecture _FINAL - Kent Haubein
u10a1 Network and Security Architecture _FINAL - Kent Haubeinu10a1 Network and Security Architecture _FINAL - Kent Haubein
u10a1 Network and Security Architecture _FINAL - Kent HaubeinKent Haubein
 
Day care facility business model
Day care facility business modelDay care facility business model
Day care facility business modelAnkit Uttam
 
Building a Security Architecture
Building a Security ArchitectureBuilding a Security Architecture
Building a Security ArchitectureCisco Canada
 
3. security architecture and models
3. security architecture and models3. security architecture and models
3. security architecture and models7wounders
 
Security architecture frameworks
Security architecture frameworksSecurity architecture frameworks
Security architecture frameworksJohn Arnold
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
Network Security Presentation
Network Security PresentationNetwork Security Presentation
Network Security PresentationAllan Pratt MBA
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityThe Open Group SA
 
Project audit & review checklist
Project audit & review checklistProject audit & review checklist
Project audit & review checklistRam Srivastava
 

Viewers also liked (11)

Review of network diagram
Review of network diagramReview of network diagram
Review of network diagram
 
2 Security Architecture+Design
2 Security Architecture+Design2 Security Architecture+Design
2 Security Architecture+Design
 
u10a1 Network and Security Architecture _FINAL - Kent Haubein
u10a1 Network and Security Architecture _FINAL - Kent Haubeinu10a1 Network and Security Architecture _FINAL - Kent Haubein
u10a1 Network and Security Architecture _FINAL - Kent Haubein
 
Day care facility business model
Day care facility business modelDay care facility business model
Day care facility business model
 
Building a Security Architecture
Building a Security ArchitectureBuilding a Security Architecture
Building a Security Architecture
 
3. security architecture and models
3. security architecture and models3. security architecture and models
3. security architecture and models
 
Security architecture frameworks
Security architecture frameworksSecurity architecture frameworks
Security architecture frameworks
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
Network Security Presentation
Network Security PresentationNetwork Security Presentation
Network Security Presentation
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber Security
 
Project audit & review checklist
Project audit & review checklistProject audit & review checklist
Project audit & review checklist
 

Similar to Network Security Architecture

00. introduction to app sec v3
00. introduction to app sec v300. introduction to app sec v3
00. introduction to app sec v3Eoin Keary
 
Brighttalk understanding the promise of sde - final
Brighttalk   understanding the promise of sde - finalBrighttalk   understanding the promise of sde - final
Brighttalk understanding the promise of sde - finalAndrew White
 
Simplifying SDN Networking Across Private and Public Clouds
Simplifying SDN Networking Across Private and Public CloudsSimplifying SDN Networking Across Private and Public Clouds
Simplifying SDN Networking Across Private and Public Clouds5nine
 
Network and Security Reference Architecture For Driving Workstyle Transformation
Network and Security Reference Architecture For Driving Workstyle TransformationNetwork and Security Reference Architecture For Driving Workstyle Transformation
Network and Security Reference Architecture For Driving Workstyle TransformationMatsuo Sawahashi
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataPrecisely
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataPrecisely
 
Cloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO SuccessfulCloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO SuccessfulCloudPassage
 
DCSF 19 Zero Trust Networks Come to Enterprise Kubernetes
DCSF 19 Zero Trust Networks Come to Enterprise KubernetesDCSF 19 Zero Trust Networks Come to Enterprise Kubernetes
DCSF 19 Zero Trust Networks Come to Enterprise KubernetesDocker, Inc.
 
Reducing Cost with DNA Automation
Reducing Cost with DNA AutomationReducing Cost with DNA Automation
Reducing Cost with DNA AutomationCisco Canada
 
(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...
(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...
(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...Amazon Web Services
 
Re-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptxRe-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptxtmbainjr131
 
Cloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityCloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityInternap
 
Plataforma de Operação e Simulação Cibernética
Plataforma de Operação e Simulação CibernéticaPlataforma de Operação e Simulação Cibernética
Plataforma de Operação e Simulação CibernéticaHamilton Oliveira
 
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...apidays
 
secure-your-branch via Virtualized Firewall on SD-WAN Edge.pdf
secure-your-branch via Virtualized Firewall on SD-WAN Edge.pdfsecure-your-branch via Virtualized Firewall on SD-WAN Edge.pdf
secure-your-branch via Virtualized Firewall on SD-WAN Edge.pdfrhunter5312
 
Blue Chip Tek Connect and Protect Presentation #3
Blue Chip Tek Connect and Protect Presentation #3Blue Chip Tek Connect and Protect Presentation #3
Blue Chip Tek Connect and Protect Presentation #3Kimberly Macias
 
Trusted db a trusted hardware based database with privacy and data confidenti...
Trusted db a trusted hardware based database with privacy and data confidenti...Trusted db a trusted hardware based database with privacy and data confidenti...
Trusted db a trusted hardware based database with privacy and data confidenti...LeMeniz Infotech
 
SplunkLive! London - Splunk App for Stream & MINT Breakout
SplunkLive! London - Splunk App for Stream & MINT BreakoutSplunkLive! London - Splunk App for Stream & MINT Breakout
SplunkLive! London - Splunk App for Stream & MINT BreakoutSplunk
 

Similar to Network Security Architecture (20)

00. introduction to app sec v3
00. introduction to app sec v300. introduction to app sec v3
00. introduction to app sec v3
 
Is it an internal affair
Is it an internal affairIs it an internal affair
Is it an internal affair
 
Brighttalk understanding the promise of sde - final
Brighttalk   understanding the promise of sde - finalBrighttalk   understanding the promise of sde - final
Brighttalk understanding the promise of sde - final
 
Simplifying SDN Networking Across Private and Public Clouds
Simplifying SDN Networking Across Private and Public CloudsSimplifying SDN Networking Across Private and Public Clouds
Simplifying SDN Networking Across Private and Public Clouds
 
Network and Security Reference Architecture For Driving Workstyle Transformation
Network and Security Reference Architecture For Driving Workstyle TransformationNetwork and Security Reference Architecture For Driving Workstyle Transformation
Network and Security Reference Architecture For Driving Workstyle Transformation
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
 
6 Effective Ways to Evaluate Your On-Premise Law Software
6 Effective Ways to Evaluate Your On-Premise Law Software6 Effective Ways to Evaluate Your On-Premise Law Software
6 Effective Ways to Evaluate Your On-Premise Law Software
 
Cloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO SuccessfulCloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO Successful
 
DCSF 19 Zero Trust Networks Come to Enterprise Kubernetes
DCSF 19 Zero Trust Networks Come to Enterprise KubernetesDCSF 19 Zero Trust Networks Come to Enterprise Kubernetes
DCSF 19 Zero Trust Networks Come to Enterprise Kubernetes
 
Reducing Cost with DNA Automation
Reducing Cost with DNA AutomationReducing Cost with DNA Automation
Reducing Cost with DNA Automation
 
(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...
(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...
(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...
 
Re-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptxRe-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptx
 
Cloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityCloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. Reality
 
Plataforma de Operação e Simulação Cibernética
Plataforma de Operação e Simulação CibernéticaPlataforma de Operação e Simulação Cibernética
Plataforma de Operação e Simulação Cibernética
 
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
 
secure-your-branch via Virtualized Firewall on SD-WAN Edge.pdf
secure-your-branch via Virtualized Firewall on SD-WAN Edge.pdfsecure-your-branch via Virtualized Firewall on SD-WAN Edge.pdf
secure-your-branch via Virtualized Firewall on SD-WAN Edge.pdf
 
Blue Chip Tek Connect and Protect Presentation #3
Blue Chip Tek Connect and Protect Presentation #3Blue Chip Tek Connect and Protect Presentation #3
Blue Chip Tek Connect and Protect Presentation #3
 
Trusted db a trusted hardware based database with privacy and data confidenti...
Trusted db a trusted hardware based database with privacy and data confidenti...Trusted db a trusted hardware based database with privacy and data confidenti...
Trusted db a trusted hardware based database with privacy and data confidenti...
 
SplunkLive! London - Splunk App for Stream & MINT Breakout
SplunkLive! London - Splunk App for Stream & MINT BreakoutSplunkLive! London - Splunk App for Stream & MINT Breakout
SplunkLive! London - Splunk App for Stream & MINT Breakout
 

More from InnoTech

"So you want to raise funding and build a team?"
"So you want to raise funding and build a team?""So you want to raise funding and build a team?"
"So you want to raise funding and build a team?"InnoTech
 
Artificial Intelligence is Maturing
Artificial Intelligence is MaturingArtificial Intelligence is Maturing
Artificial Intelligence is MaturingInnoTech
 
What is AI without Data?
What is AI without Data?What is AI without Data?
What is AI without Data?InnoTech
 
Courageous Leadership - When it Matters Most
Courageous Leadership - When it Matters MostCourageous Leadership - When it Matters Most
Courageous Leadership - When it Matters MostInnoTech
 
The Gathering Storm
The Gathering StormThe Gathering Storm
The Gathering StormInnoTech
 
Sql Server tips from the field
Sql Server tips from the fieldSql Server tips from the field
Sql Server tips from the fieldInnoTech
 
Quantum Computing and its security implications
Quantum Computing and its security implicationsQuantum Computing and its security implications
Quantum Computing and its security implicationsInnoTech
 
Converged Infrastructure
Converged InfrastructureConverged Infrastructure
Converged InfrastructureInnoTech
 
Making the most out of collaboration with Office 365
Making the most out of collaboration with Office 365Making the most out of collaboration with Office 365
Making the most out of collaboration with Office 365InnoTech
 
Blockchain use cases and case studies
Blockchain use cases and case studiesBlockchain use cases and case studies
Blockchain use cases and case studiesInnoTech
 
Blockchain: Exploring the Fundamentals and Promising Potential
Blockchain: Exploring the Fundamentals and Promising Potential Blockchain: Exploring the Fundamentals and Promising Potential
Blockchain: Exploring the Fundamentals and Promising Potential InnoTech
 
Business leaders are engaging labor differently - Is your IT ready?
Business leaders are engaging labor differently - Is your IT ready?Business leaders are engaging labor differently - Is your IT ready?
Business leaders are engaging labor differently - Is your IT ready?InnoTech
 
AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...
AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...
AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...InnoTech
 
Using Business Intelligence to Bring Your Data to Life
Using Business Intelligence to Bring Your Data to LifeUsing Business Intelligence to Bring Your Data to Life
Using Business Intelligence to Bring Your Data to LifeInnoTech
 
User requirements is a fallacy
User requirements is a fallacyUser requirements is a fallacy
User requirements is a fallacyInnoTech
 
What I Wish I Knew Before I Signed that Contract - San Antonio
What I Wish I Knew Before I Signed that Contract - San Antonio What I Wish I Knew Before I Signed that Contract - San Antonio
What I Wish I Knew Before I Signed that Contract - San Antonio InnoTech
 
Disaster Recovery Plan - Quorum
Disaster Recovery Plan - QuorumDisaster Recovery Plan - Quorum
Disaster Recovery Plan - QuorumInnoTech
 
Share point saturday access services 2015 final 2
Share point saturday access services 2015 final 2Share point saturday access services 2015 final 2
Share point saturday access services 2015 final 2InnoTech
 
Sp tech festdallas - office 365 groups - planner session
Sp tech festdallas - office 365 groups - planner sessionSp tech festdallas - office 365 groups - planner session
Sp tech festdallas - office 365 groups - planner sessionInnoTech
 
Power apps presentation
Power apps presentationPower apps presentation
Power apps presentationInnoTech
 

More from InnoTech (20)

"So you want to raise funding and build a team?"
"So you want to raise funding and build a team?""So you want to raise funding and build a team?"
"So you want to raise funding and build a team?"
 
Artificial Intelligence is Maturing
Artificial Intelligence is MaturingArtificial Intelligence is Maturing
Artificial Intelligence is Maturing
 
What is AI without Data?
What is AI without Data?What is AI without Data?
What is AI without Data?
 
Courageous Leadership - When it Matters Most
Courageous Leadership - When it Matters MostCourageous Leadership - When it Matters Most
Courageous Leadership - When it Matters Most
 
The Gathering Storm
The Gathering StormThe Gathering Storm
The Gathering Storm
 
Sql Server tips from the field
Sql Server tips from the fieldSql Server tips from the field
Sql Server tips from the field
 
Quantum Computing and its security implications
Quantum Computing and its security implicationsQuantum Computing and its security implications
Quantum Computing and its security implications
 
Converged Infrastructure
Converged InfrastructureConverged Infrastructure
Converged Infrastructure
 
Making the most out of collaboration with Office 365
Making the most out of collaboration with Office 365Making the most out of collaboration with Office 365
Making the most out of collaboration with Office 365
 
Blockchain use cases and case studies
Blockchain use cases and case studiesBlockchain use cases and case studies
Blockchain use cases and case studies
 
Blockchain: Exploring the Fundamentals and Promising Potential
Blockchain: Exploring the Fundamentals and Promising Potential Blockchain: Exploring the Fundamentals and Promising Potential
Blockchain: Exploring the Fundamentals and Promising Potential
 
Business leaders are engaging labor differently - Is your IT ready?
Business leaders are engaging labor differently - Is your IT ready?Business leaders are engaging labor differently - Is your IT ready?
Business leaders are engaging labor differently - Is your IT ready?
 
AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...
AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...
AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...
 
Using Business Intelligence to Bring Your Data to Life
Using Business Intelligence to Bring Your Data to LifeUsing Business Intelligence to Bring Your Data to Life
Using Business Intelligence to Bring Your Data to Life
 
User requirements is a fallacy
User requirements is a fallacyUser requirements is a fallacy
User requirements is a fallacy
 
What I Wish I Knew Before I Signed that Contract - San Antonio
What I Wish I Knew Before I Signed that Contract - San Antonio What I Wish I Knew Before I Signed that Contract - San Antonio
What I Wish I Knew Before I Signed that Contract - San Antonio
 
Disaster Recovery Plan - Quorum
Disaster Recovery Plan - QuorumDisaster Recovery Plan - Quorum
Disaster Recovery Plan - Quorum
 
Share point saturday access services 2015 final 2
Share point saturday access services 2015 final 2Share point saturday access services 2015 final 2
Share point saturday access services 2015 final 2
 
Sp tech festdallas - office 365 groups - planner session
Sp tech festdallas - office 365 groups - planner sessionSp tech festdallas - office 365 groups - planner session
Sp tech festdallas - office 365 groups - planner session
 
Power apps presentation
Power apps presentationPower apps presentation
Power apps presentation
 

Network Security Architecture

  • 1. Or… How industry standard network security models can help achieve better network security without introducing unneeded complexity in your environment
  • 2.
  • 3.
    - History of a network…
      • From initial state to current state
    - Threats to current state
    - We still have problems
    - Why do architecture?
    - What does it look like?
  • 4.
    - Networks were closed
    - No Internet connection
    - Risk – relatively low
    (Diagram: PC, Server, Laptop)
  • 5.
    - Let’s get an Internet connection
    - Mostly outbound connections
    - eMail/Web browsing
    (Diagram: Internet, PC, Server, Laptop)
  • 6.
    - Let’s do business on the web
    - Web server
      • Mostly static content
    - E-Business
    (Diagram: Internet, Web Server, Server, PC, Laptop)
  • 7.
    - Multi-tiered applications
    - Sensitive data exposed through Internet-facing applications
    (Diagram: Internet, Database Server, Web Server, Server, PC, Laptop)
  • 8.
    - Networks are open
    - Arguably mature set of standards
    - Web sites integral part of business
    - Security controls developed as we moved from Closed to Open architectures
    - Linear development of security controls is not sufficient
  • 9.
    - Because we have exposed resources and data to Internet customers, multiple attack vectors exist
    - Proven vulnerabilities in web servers
    - Can be used as launching point for further attacks
      • Pivoting
  • 10.
    - We have used individual technological components to address specific needs
      • PCI problems solved by a WAF?
    - Throw some firewalls at it
    - Let’s try an IDS/IPS
    - Segmentation (PCI)
  • 11.
    - Security tends to be reactive
    - No structure for security controls
      • (or undocumented security assumptions/requirements)
    - Every system has a unique set of controls
    - Hard to manage
      • Is the control managed properly?
      • What are the governing rules for the management of the controls?
      • Are we in compliance with all of the controls?
  • 12.
    - We can’t just throw technology at these problems without proper process and staffing to manage the technology
    - We can’t throw security point solutions at the problems without considering how they work together and how they impact the production system
  • 13.
    - Align IT Security Architecture with other architectural domains
      • Must align systems security with network and application security
    - Align IT Security Architecture with the business requirements
      • Are we trying to solve a problem that the business doesn’t need?
      • Security Architecture needs to align with the business risk appetite
  • 14.
    - Ensure technical controls function as an integrated system
      • IDS and vulnerability management integration reduces false positives
      • Is there alignment between what our tools are telling us?
      • SIEM?
    - Not so sure without good brains behind it (people)
    - BIG PICTURE THINKING
      • One candidate …
  • 15.
  • 16. Principles
    - General principles (these are the default unless a more specific rule is indicated below)
      • Traffic traversing any security zone boundary must traverse an IA control (firewall/proxy/etc.).
      • Any traffic traversing any security zone boundary should only allow the ports and protocols necessary for the operations of the particular application.
      • Any traffic traversing any security zone boundary should have source and destination IP address restrictions as narrow in scope as possible to support the operations of the particular application. Exceptions shall be approved by the business and IT. Approval process to be defined.
      • Traffic from a zone with a higher security rating to a zone with a lower security rating shall be allowed.
      • Traffic from a zone with a lower security rating to a zone with a higher security rating shall be denied.
      • Any server providing a public service to clients in the untrusted zone should not be allowed to directly connect back to the untrusted zone.
      • Traffic within specific zones should be segmented as much as possible to provide separation between applications.
      • Application-level security such as Active Directory trust levels should be closely aligned to the network architecture. No trust levels should be implied because network traffic is either allowed or denied.
    - Specific principles
      • Traffic from the untrusted zone (0) to the trusted or restricted zone (100) shall be specifically denied.
      • Traffic from the untrusted zone (0) to the public-facing DMZ zone (1-49) shall be allowed.
      • Traffic from the DMZ zone (1-99) to the trusted zone will be allowed after a thorough analysis of the risk and approval by the business and IT.
      • Traffic from the DMZ zone (1-99) to the restricted zone will be specifically denied.
      • Traffic from servers in the trusted zone (100) to the untrusted zone (0) shall be specifically denied.
      • Traffic from clients in the trusted zone (100) to the untrusted zone (0) shall be allowed.
  • 17.
    - Document what you have (AS IS)
      • Capture rationale, history, narrative behind why things are
    - Develop the target architecture (TO BE)
      • Document guiding principles
    - Develop plans to move from AS IS to TO BE
      • This is a LONG process… Months and years, not weeks.
    - Preach the process!
  • 18.
    - Piecemeal, ad hoc security control development is insufficient
      • Architecturally
      • Operationally
    - Pick an architecture that fits and do it
    - Operate your security discipline according to the architecture
    - “Manage the hell out of it!”
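The zone principles on slide 16, worked through as an added example that is not part of the original deck: a small Python policy checker that encodes the general and specific rules (specific rules take precedence) and audits a constructed firewall rule base against them. The zone names, the representative rating chosen for the public DMZ, and the restricted zone's rating are assumptions.

```python
# Zone-boundary policy checker: an added example, not code from the slide deck.
# Ratings follow slide 16: untrusted 0, DMZ 1-99 (public-facing DMZ 1-49), trusted 100;
# the representative DMZ value and the restricted zone's rating are assumptions.
ZONE_RATING = {
    "untrusted": 0,
    "public_dmz": 25,   # assumed representative value inside 1-49
    "trusted": 100,
    "restricted": 100,  # assumed: rated like trusted, but with stricter rules
}
FINDING = {"deny": "violates zone policy", "review": "needs documented business/IT approval"}
def is_dmz(zone):
    return 1 <= ZONE_RATING[zone] <= 99

def evaluate(src, dst, src_role="server"):
    """Verdict for a flow src -> dst: specific principles first, rating comparison last."""
    if src == "untrusted" and dst in ("trusted", "restricted"):
        return "deny"
    if src == "untrusted" and dst == "public_dmz":
        return "allow"
    if is_dmz(src) and dst == "trusted":
        return "review"  # only after risk analysis and business/IT approval
    if is_dmz(src) and dst == "restricted":
        return "deny"
    if src == "trusted" and dst == "untrusted":
        return "allow" if src_role == "client" else "deny"
    if is_dmz(src) and src_role == "server" and dst == "untrusted":
        return "deny"  # public-service hosts must not connect back out
    if ZONE_RATING[src] > ZONE_RATING[dst]:
        return "allow"
    if ZONE_RATING[src] < ZONE_RATING[dst]:
        return "deny"
    return "review"  # intra-zone: segment between applications where possible
def audit(rules):
    """Check a rule base against the principles; returns (rule name, finding) pairs."""
    findings = []
    for r in rules:
        verdict = evaluate(r["src"], r["dst"], r.get("role", "server"))
        if verdict in FINDING:
            findings.append((r["name"], FINDING[verdict]))
        if r["ports"] == "any":  # ports/protocols must be narrowed to the application
            findings.append((r["name"], "ports not narrowed to the application"))
    return findings
SAMPLE_RULES = [  # constructed sample rule base, not from any real environment
    {"name": "inet-to-web", "src": "untrusted", "dst": "public_dmz", "ports": "443"},
    {"name": "web-to-db", "src": "public_dmz", "dst": "trusted", "ports": "1433"},
    {"name": "web-callback", "src": "public_dmz", "dst": "untrusted", "ports": "any"},
    {"name": "users-browse", "src": "trusted", "dst": "untrusted", "ports": "80,443", "role": "client"},
    {"name": "dmz-to-hr", "src": "public_dmz", "dst": "restricted", "ports": "445"},
]
```

Running `audit(SAMPLE_RULES)` flags the DMZ-to-trusted rule for approval, the web server's outbound "any" rule twice (callback to the untrusted zone, and unrestricted ports), and the DMZ-to-restricted rule as a policy violation.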

Editor's Notes

  1. Networks were introduced to get cost savings from shared resources. Introduction of the network server. Internal business applications (eMail, calendaring, etc.).
  2. What does this do for you? Keep real data tucked away deep in the network. DMZ hosts can be sacrificed. Static content didn’t require DMZ hosts to connect in to the network.
  3. Analogy of a house built room by room as the family grows. Not always sufficient to the task.
  4. Analogy of a house built room by room as the family grows. Not always sufficient to the task.
  5. Analogy of a house built room by room as the family grows. Not always sufficient to the task.
  6. Things like making security zones truly separate… (Not only network controls, but ensuring there are no implied application (AD) trusts.) If we harden the networks without hardening the applications and systems, we don’t achieve the objective.
  7. These are only a few examples…
  8. Nothing new. Fairly standard industry model. Requires adaptation