Modules 1-4 provide insight into how hardware and software development work to protect systems and networks from modern and emerging threats. This continued technology evolution allows users to conduct business, participate in commerce, maintain communications across the globe, and manage personal affairs with minimal interruption or threat of critical information vulnerability and loss. This module provides discussion on how effective management through the use of analytic tools allows system and network administrators to optimize the secure environment users have come to expect—and upon which businesses and global commerce rely.
Security Management
Simply stated, security management exists at the region where the scope of IT security and IT operations meet.
As organizational structures grow in size and complexity, the tendency is for more network resources—machines, servers, routers, etc.—to be deployed. As the network grows, so also does the scope of potential threats to the secure and efficient operation of the network in meeting organizational goals. With the global nature of modern business and e-commerce, the sheer number of branch and remote locations—and managed devices—makes consolidated network security management essential for effective IT administration. To this end, the primary goal of security management is to reduce security risks by ensuring that systems are properly configured—or hardened—to meet internal, regulatory, and/or compliance standards. Security management is a software-based solution that integrates three primary elements:
Vulnerability Assessment. Network security analysis designed to identify critical IT security weaknesses that a cyber-attacker could exploit.
Automated Remediation. Allows automated correction of faults or deficiencies—vulnerabilities—identified in the assessment process. Provides reports and tools to track vulnerabilities that must be remediated manually.
Configuration Management. Evaluates the security of a network’s critical servers, operating systems, application-level security issues, and administrative and technical controls, and identifies potential and actual weaknesses, with recommended countermeasures.
IT managers are faced with challenges that range from simple codes to threats hidden in secure packets designed to target cloud-based applications. Modern and emerging future threats present dynamic and potentially complex challenges to network security, demanding comprehensive, complex security solutions. Unfortunately, studies have shown that the more complex administrative functions become, the less likely network administrators are to spend the requisite amount of attention on the various apparatus and displays. For this reason, security management was consolidated into a single console enabling monitoring and management of network security. Through this integrated monitoring and control solution, IT managers may address the following issues:
Modern Network Security: Study Guide for NSE 1
2015
68
Device Configuration. Manages the configuration of each device on the network and maintains the system-level configuration required to manage the network environment. This includes monitoring device firmware to ensure it is kept up to date.
Firewall Policy. Provides viewing and modification of firewall configurations—access rules and inspection rules—in the context of the interfaces whose traffic is filtered.
Content Security Policy. Computer security concept to prevent cross-site scripting (XSS) and related application-level attacks. It provides a standard HTTP header allowing website administrators to determine approved sources of content that browsers may load on designated pages. Covered types include JavaScript, CSS, HTML frames, fonts, images, and embeddable objects like Java applets, ActiveX, audio, and video files.
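As an added illustration (not from the study guide), a permissive Content Security Policy header is shown beside a hardened one that covers the content types the guide lists; cdn.example.com is a placeholder origin.

```http
# Permissive: wildcard sources and inline script give the browser no basis to block injected content
Content-Security-Policy: default-src *; script-src * 'unsafe-inline'; object-src *

# Hardened: first-party sources only (plus one named CDN for scripts); frames and plugin objects such as Java applets and ActiveX are refused outright
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self'; img-src 'self'; font-src 'self'; media-src 'self'; frame-src 'none'; object-src 'none'
```

Each directive names the approved sources for one content type; a browser that enforces the header refuses to load anything from an origin not listed.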
A conceptual diagram of security management is illustrated in Figure 56 below:
Figure 56. Security Management (SM) conceptual diagram
The primary goal is to provide high availability for the network, implying redundancy and fault tolerance managed by the network security solution. In small and medium business (SMB) networks and many large and distributed enterprise networks, network security may be provided by a managed security service provider (MSSP) for a number of reasons—as discussed in Module 1. To facilitate effective network security management, MSSPs and network administrators must have access to essential features that enable them to provide protection to the network as a whole and the data contained therein. Three principles drive these essential features: segmentation, scalability, and high performance.
Segmentation. Multi-tenancy architecture is one in which a single instance of a software application serves multiple customers, with each customer being referred to as a tenant. The key purpose of multi-tenancy is segmenting customers in a managed service provider environment. Tenants have limited capabilities within the application, such as choosing interface colors or business rules, but have no access to application code. Administrative domains (ADOMs) are virtual domains used to isolate devices and user accounts. This gives regular user accounts visibility only into devices and data that are specific to their ADOM, such as a geographic location or business division.
Scalability. Virtual firewall positioning & deployment. Very few organizations use 100% physical or 100% virtual IT infrastructure, necessitating deployment of interoperable hardware and virtual appliances in security strategies. For both of these firewall options, control through a centralized panel provides ease of operation to security administrators while enabling the use of complex measures to counter modern and emerging complex threats. Virtual domains (VDOMs) were introduced by Fortinet in 2004 and offer virtualized security from SMB to large and distributed enterprise networks by rapid deployment within existing virtual infrastructures. [8]
High Performance. Because security management spans the scope from home networks to SMB to large and distributed enterprise networks, security management must be able to be customized to meet the needs of each level of operation. For example, the Application Program Interface (API) specifies how software components should interact and is used when programming the graphical user interface (GUI), giving visibility of the customized network functions. Automation is especially important for large and distributed enterprise networks, providing an automated workflow enabling users to approve, deny, defer, or even execute remediation of configuration errors, potentially saving considerable time and effort.
Managing the Security Console
Network security management includes both hardware and software appliances and virtual machine (VM) capabilities. They may be deployed as physical network security appliances, virtual appliances, or software packages. Flexible interfacing allows IT administrators to address the management system via a command line interface, web-based graphical user interface, or programmatically using JSON/XML requests (scripting, customization, etc.). This provides network security flexibility for a wide range of network sizes, from home networks and SMB up to large and distributed enterprise networks that are geographically separated.
The most important function commonly associated with a security management solution is maintaining firewall policies across a distributed enterprise. In large and distributed enterprise environments, security management and reporting/compliance functions are usually separated, with local personnel managing local nodes and a central site having visibility over configuration compliance, generally from the data center at the corporate headquarters or designated IT management division.
Because of the wide range of network security device deployment options, network security consoles are typically licensed based on the number of devices they will be managing. This provides tailored, flexible security options appropriate to organization requirements [8]. These security consoles are enabled by use of the simple network management protocol (SNMP), which provides administrators the capability to monitor and, when necessary, configure hosts on a network. This centralized ability to configure network devices is referred to as device management, and is a critical capability in allowing IT administrators to manage—monitor and configure—distributed enterprise networks.
Figure 57. Integrated security control console
Administrative Domains (ADOMs) provide the capability to better organize the network environment. A domain is the equivalent of an organizational unit. The purpose of using ADOMs is:
Limiting administrative scope to specific devices
Segmenting tenants in a managed service provider environment
Administrative domains are further segregated into Accounts, each of which must have at least one User. However, permissions and policies must be set at the domain administrator and network administrator levels. [8]
Policy and Security
Policy packages enable the addressing of specific needs for an organization’s different sites by creating a tailored policy package for each site. Policy packages provide flexibility to administrators, because they may be applied to individual or multiple devices. The advantage to using a policy package is that it simplifies the installation of a set of firewall rules for sites. [8]
Object libraries contain the names and entry points of the code located in the library, as well as a list of objects that the applications or systems using the code require in order to run the object. An example would be needing an application capable of reading a .jpg file in order to use the object with a .jpg extension. Object libraries may be configured to direct which applications are used to open or run which types of files, overriding the manufacturers’ default settings. Object libraries may be dragged into policy packages to define actions for traffic meeting criteria matching the identified object characteristics.
Figure 58. Policy Package example.
Global policy packages become increasingly important as network complexity, size, or distributed configuration grow. Because large and distributed enterprise networks may delegate remote security management to local administrators, as introduced previously, it is important for central network administrators to retain overall visibility and control of the entire network. To this end, global policies allow administrators of large enterprises and MSPs to “bookend” segmented/tenant firewall rules in order to ensure compliance with overall network policies and operating regulations [8].
Firewall rules (also called firewall policies) are a major challenge for network security administrators, making it important for companies and organizations—especially distributed enterprise operations—to have and implement a firewall policy management solution. Depending on the size of the operation and network, this function may be accomplished by the network security administrator or, if a large enough enterprise, a firewall administrator. But with the fast-paced and rapidly-evolving dynamics of technology and its use, the threat of security gaps being created because of a disjointed firewall policy program is as real as the threat from external sources.
To assist the network security administrator or firewall administrator in developing, implementing, and monitoring firewall policy requirements and effectiveness, regular, systematic reviews of firewall policies should be put in place. These reviews provide important benefits, mitigating challenges such as:
Mistakenly adding duplicate, similar, or overriding firewall policies
Missing the impact of corporate policy changes that may impact particular rules
Creation of policies that are too specific at the time of implementation and may need to be broadened to be effective
Determining what/when policies should be implemented by a policy push—applying the new policies to individual security devices
In order to facilitate inputs to the firewall policy development and review process, a firewall policy workflow process should be established by which policy change recommendations are submitted, approved, and implemented by IT staff, with the documentation retained for archival purposes and later analytic review. As these processes become institutionalized, the end result is not only more effective firewall rules management, but efficiency that leads to rules reduction: a decrease in the number of firewall rules through periodic reviews or automation.
Rules reduction through automation is where the technology of adept security change management is necessary to improve the probability that the network will remain secure. Security Change Management is the industry term for the product or feature that seeks to reduce or optimize the number of firewall rules and provides IT staff and network auditors with a clear picture of how changes were implemented. With more complex firewalls incorporating more features—such as the Next-Generation Firewall (NGFW)—simplification of the user interfaces of complex processes increases the likelihood that comprehensive security measures will be engaged, monitored, and updated as necessary to keep up with emerging threats.
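A review of the kind described above can be partly automated. The following is an added example, not code from the study guide or from any vendor product: it walks a constructed first-match-wins rulebase and flags rules that are exact duplicates, redundant (never reached, same action, so a rules-reduction candidate) or shadowed (never reached, different action, so a likely policy error). The Rule fields are an assumption made for the illustration.

```python
# Firewall policy review: flag duplicate, redundant and shadowed rules.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # source CIDR, e.g. "10.0.0.0/8"
    dst: str     # destination CIDR
    proto: str   # "tcp", "udp" or "any"
    dport: str   # "443", "1024-65535" or "any"
    action: str  # "accept" or "deny"


def _ports(spec: str) -> range:
    """Expand a destination-port spec into a range (stop is exclusive)."""
    if spec == "any":
        return range(0, 65536)
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` would also match `outer`."""
    net = ipaddress.ip_network
    po, pi = _ports(outer.dport), _ports(inner.dport)
    return (outer.proto in ("any", inner.proto)
            and po.start <= pi.start and pi.stop <= po.stop
            and net(inner.src).subnet_of(net(outer.src))
            and net(inner.dst).subnet_of(net(outer.dst)))


def review(rules: list) -> list:
    """Return (finding, later_rule, earlier_rule) triples.

    In a first-match-wins rulebase a later rule fully covered by an earlier
    one never fires: same action -> 'redundant' (or 'duplicate' when the
    match sets are identical), different action -> 'shadowed'.
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if not covers(earlier, later):
                continue
            if earlier.action != later.action:
                kind = "shadowed"
            else:
                kind = "duplicate" if covers(later, earlier) else "redundant"
            findings.append((kind, later.name, earlier.name))
            break  # the first covering rule explains the finding
    return findings


# Constructed sample rulebase (hypothetical addresses).
SAMPLE_RULES = [
    Rule("R1", "10.0.0.0/8", "192.168.10.5/32", "tcp", "443", "accept"),
    Rule("R2", "10.1.0.0/16", "192.168.10.5/32", "tcp", "443", "accept"),
    Rule("R3", "10.0.0.0/8", "192.168.10.0/24", "tcp", "any", "deny"),
    Rule("R4", "10.0.0.0/8", "192.168.10.5/32", "tcp", "443", "accept"),
    Rule("R5", "10.2.0.0/16", "192.168.10.5/32", "tcp", "443", "deny"),
    Rule("R6", "172.16.0.0/12", "192.168.20.0/24", "udp", "53", "accept"),
]
```

Running `review(SAMPLE_RULES)` reports R2 as redundant to R1, R4 as a duplicate of R1, and R5 as shadowed by R1; R3 and R6 are clean.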
Auditing has important advantages in the security management environment. Because auditing is a mechanism that records actions that occur on a system, the associated audit log(s) contain information detailing the events (such as login, logout, file access, upload, download, etc.), who performed the action and when it was accomplished, and whether the action was successful. Some important events that should be logged include:
Login/Logoff (incl. failed)
Supervisor/administrator login & function
Network connections (incl. failed)
Sensitive file access
In the context of security management, auditing provides the following advantages:
Ensures that the organization maintains compliance with programs such as HIPAA and PCI
Helps track workflows/approvals for firewall policy changes
Associates security event logs with an individual owner for forensics
Analytics
Analytics that are not applied to future decisions cease to serve a vital function for administrators. The most important function of analytics is to ensure security effectiveness and improvement while enabling optimum system and network performance.
Analytic reporting is designed to provide end-to-end analysis of system and network performance. In the context of security management, this analysis includes factors concerning potential impacts on performance due to attempted or successful attacks, actions taken by preventative policies and apparatus that detected and prevented intrusion, forensic records of user data for system and network functions, and so forth.
Reporting is designed to be a cyclical process—not linear; that is, the data analyzed is used to inform decisions regarding whether policies, programming, or apparatus need to be updated or may remain as currently constituted. If updates are necessary, analytics inform decision-makers—such as corporate compliance groups—in determining what updates or reconfigurations are the right ones to accomplish.
Security Information and Event Management
Security Information and Event Management (SIEM) [8] is a system that gathers security logs from multiple sources and correlates logged events to be able to focus on events of importance. The SIEM ecosystem is designed to address the unique requirements of a wide range of customers, from large enterprises to managed security service providers (MSSPs) that manage thousands of individual customer environments.
Key features include near real-time visibility for threat detection and prioritization, delivering visibility across the entire IT infrastructure. It reduces and prioritizes alerts to focus investigations on an actionable list of suspected incidents, enabling more effective threat management while producing detailed data access and user activity reports.
SIEM operates on the basis of which logs the administrator has authorized to be forwarded from Syslog to the SIEM. These logs may be tuned further by setting a minimum severity level for log forwarding; the levels, in order of severity from least, include:
Debugging
Information
Notification
Error
Critical
Alert
SIEM provides three primary functions for network security:
Event logging. How systems and applications record and save data that shows what events happened at what time and place with what results on the system, in the network, or in an application.
Event correlation. Comparing logged events and grouping like events together to determine significant instances of repeated or associated events.
Incident alerting. Provides alerts for security incidents on the network. [8]
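The severity filter described above and the three SIEM functions (logging, correlation, alerting) can be shown together in miniature. This is an added example, not code from the study guide or any vendor: it parses constructed BSD syslog lines, drops events below a chosen forwarding severity, and correlates repeated failed logins from one source into a single alert. The threshold of three failures in 60 seconds is an assumption.

```python
# Syslog intake and correlation as a SIEM does it, in miniature.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Optional

# RFC 5424 numerical severities, 0 = most severe.  The guide lists six of
# these; Warning and Emergency complete the standard table.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "informational": 6, "debug": 7}

LINE_RE = re.compile(
    r"^<(\d{1,3})>(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$")
FAILED_LOGIN_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def parse(line: str) -> Optional[dict]:
    """Split a BSD syslog line; the PRI field is facility * 8 + severity."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8,
            "time": datetime.strptime(m.group(2), "%b %d %H:%M:%S"),
            "host": m.group(3), "tag": m.group(4), "msg": m.group(5)}


def forward(lines, min_severity: str) -> list:
    """Keep only events at or above the minimum forwarding severity."""
    cutoff = SEVERITY[min_severity]
    return [e for e in map(parse, lines) if e and e["severity"] <= cutoff]


def correlate_failed_logins(events, threshold=3, window=timedelta(seconds=60)):
    """One alert per source that fails `threshold` logins inside `window`."""
    recent = defaultdict(deque)   # source address -> timestamps of failures
    alerts = []
    for e in events:
        m = FAILED_LOGIN_RE.search(e["msg"])
        if not m:
            continue
        src = m.group(2)
        q = recent[src]
        q.append(e["time"])
        while e["time"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            alerts.append(f"{src}: {len(q)} failed logins on {e['host']} "
                          f"within {int(window.total_seconds())}s")
            q.clear()                       # one burst, one alert
    return alerts


# Constructed sample lines (facility 10 = authpriv; PRI 86 = info, 87 = debug).
SAMPLE_LINES = [
    "<86>Jan 12 10:00:01 fw01 sshd[2001]: Failed password for admin from 198.51.100.7 port 50222 ssh2",
    "<87>Jan 12 10:00:02 fw01 sshd[2001]: debug1: Connection closed by 198.51.100.7",
    "<86>Jan 12 10:00:03 fw01 sshd[2002]: Failed password for admin from 198.51.100.7 port 50223 ssh2",
    "<86>Jan 12 10:00:05 fw01 sshd[2003]: Failed password for invalid user root from 198.51.100.7 port 50224 ssh2",
    "<86>Jan 12 10:00:07 fw01 sshd[2004]: Accepted password for ops from 10.0.0.5 port 41000 ssh2",
    "<86>Jan 12 10:00:09 fw01 sshd[2005]: Failed password for ops from 10.0.0.5 port 41001 ssh2",
]
```

With the forwarding floor at Information the debug line is dropped, and correlation raises one alert for 198.51.100.7 while the single failure from 10.0.0.5 stays below the threshold.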
Perhaps the most critical function upon which the SIEM concept depends is logging, because it forms the basis for making decisions regarding system and network functions and potential anomalies. Logging is how systems and applications record and save data that shows what events happened at what time and place with what results on the system, in the network, or in an application. Logging is one of the forensic tools that may be used to analyze successful attacks, malware infections, or attempted network intrusions. This capability, although it becomes more complex as networks grow and become geographically distributed, is important to networks of all sizes against modern and future network threats.
In the 1980s, Syslog was developed as part of the Sendmail project, but proved so valuable a tool that it began being used by other applications as well. In today’s IT world, Syslog is still the de facto industry standard for security event logging. In fact, Syslog has become entrenched as the standard, such that operating systems such as Windows and UNIX, as well as regulations such as SOX, PCI DSS, and HIPAA, either use Syslog format or have embedded capability for conversion to Syslog. [19]
Because logging is a necessity for networks of every size, resource balancing is an important consideration. As with determining whether IaaS, PaaS, or SaaS application services are best suited, the most cost-effective logging/reporting method for SMB is cloud-based event logging. Similarly, some organizations may opt for standalone logging/reporting solutions to more effectively manage logs collected from multiple security devices.
Network Visibility
Network Visibility refers to the ability for administrators to know what type of traffic is crossing their network, including Web, applications, email, etc. It allows optimization of bandwidth for business critical applications. Because modern and emerging threats are able to take advantage of different traffic types in different ways, network visibility is a key capability in the administrator’s arsenal, providing the opportunity to achieve:
Network monitoring and faster troubleshooting
Application monitoring and profiling
Capacity planning and network trends
Detection of unauthorized WAN traffic
Figure 60. Network visibility benefits.
Network visibility is of the utmost importance to security administrators. This includes visibility of every component of the network, including remote components geographically separated as part of a large distributed enterprise network. In order to adequately monitor system and network security events, the security administrator must have access to logging from across the entire infrastructure, including firewalls, email gateways, endpoint devices, and other network components, both physical and virtual. Network visibility must be treated as a cyclical process in order to be effective. As illustrated in Figure 60, network visibility provides a wealth of information about many facets of network operations. All of this data, however, is lost if not used to inform analyses that may improve further network operations and security. For this reason, network visibility data should be used to inform reporting on network operations and be used in developing future plans and policy.
Summary
Security management provides vulnerability assessment, automated remediation, and configuration assessment in an environment providing complex protection with simplified administration. The goal of security management is to reduce security risks through proper configuration and compliance.
Across all sizes and types of networks, security management provides customization and automation to assist network security administrators through administrative domains to segment users, firewall & global policy packages enabling reduction and optimization of rules, and auditing that provides oversight of compliance, workflow, approvals, and forensic tracing.
Security Information and Event Management (SIEM) provides a wide range of administrator services in managing logged events and analysis to correlate and determine the most appropriate security measures, policy updates, and reactions to network incidents.