NERCOMP SIG
Security Architectures
Christopher Misra, University of Massachusetts
September 2007

Outline
- What is security architecture
- Example: Network Access Control (NAC)
  - Network Topology
  - Wired and Wireless
  - Automating Policy Enforcement
  - Registration and Endpoint Integrity
- Diagnostics (How do we know it all works)
  - Logging, Monitoring, Netflow, Support
  - Integrating security

Why Architecture?
Network security is composed of a variety of components
- Policies
- Procedures
- Technologies/Tools
But what provides a coherent plan to ensure that we meet our IT security goals?

Why Architecture?
IT Security Policy:
- Formally states rules
- Supports ethical use
- Assigns responsibility
- Sets strategic goals
Procedures:
- Sequence of tasks and decisions
- Ensure consistency
- Implement tactical goals

Why Architecture?
IT Security tools:
- Perform technical actions
- Require technical skill
Architecture:
- "Art and discipline of creating or inferring an implied or apparent plan of any complex object or system"
  http://en.wikipedia.org/wiki/Architecture

Security Architecture
Security systems are complex
The interrelation between components is not obvious
The technical details of security systems can obscure perspective with respect to other critical systems
Tools are not always completely compatible with the desired outcome

Security Architectures
What do we mean by network security architecture?
Architecture: n. Orderly arrangement of parts; structure
Creating organized structures, using tools, techniques, and procedures, to cohesively mitigate information security risk consistent with policy.

Security Architecture and Models
"Rather than grafting security onto existing systems, it is more effective to redesign systems to make security an integral part of them. However, developing a security architecture for colleges and universities is complex because of the needs of different groups sharing the network (for example, academic, administrative, clinical, and residential). Many college and university networks must be able to accommodate unknown devices, including handheld devices and being connected by visitors, students, and other members of the community."
https://wiki.internet2.edu/confluence/display/secguide/Security+Architecture+and+Models

Network Topology
Many network design decisions impact security
- Providing capabilities
- Constraining available tools
Different networks behave differently
- Wired vs Wireless
- Consistency of user experience

Network Segmentation Drivers
Wide availability of 802.1q
- Ability to deploy multiple security domains with limited overhead
- Effective use of existing wiring
- Cost savings
Layer 2 isolation
- Perceived vs. actual security
Unmanaged systems
Wireless

Network Segmentation
Network quarantines
- Automated policy enforcement (NetAuth)
SCADA devices
- Supervisory Control And Data Acquisition
VPN
- User-based and LAN-to-LAN
VoIP
- Device and application

Other Network Segmentation
Additional security perimeters
- Residential and Academic
- Campus Surveillance
- Life Safety
- Wireless
- Parking meters
- Vending machines
- Door Swipes

Firewalls and VPN
Firewalls are traditional segment boundaries
- Now often implemented with VLANs, ACLs, VPNs, etc.
The segmentation paradigm is not intrinsically dependent on firewalling capabilities
VPNs often serve this role for remote sites
- Unique set of challenges

Network Segmentation Benefits
Smaller perimeters mitigate some risks
Compensates for the inability to properly secure some endpoints
- SCADA devices
Perform endpoint policy compliance
- Posture assessment
Limit spread of 'bad things'
- Reactive or automated

Network Segmentation Challenges
Network edge is now contingent on switch port configuration
- What is the system of record?
- Configuration management
Limited end user visibility
- How do I know what network I am in?
Who can use what?
- Sounds like middleware

Network Segmentation Challenges
Adding complexity to mitigate risk
- Difficulty in problem diagnosis
Does not improve basic service
May constrict or preclude 'good things'
- Apparently non-deterministic behavior to end users
- What works here doesn't work there
Reduces network transparency
- So much for end-to-end connectivity

Policy enforcement
Preventative policy enforcement is often implemented by segmentation
Automated remediation systems frequently rely on segmentation
- Positive security impact on a large number of hosts
- Relatively small time investment from computing staff

Policy compliance: Posture assessment
Proper patch level
Up-to-date antivirus software
Other administratively defined conditions
Commercial software
- Cisco Network Admission Control (NAC)
- Microsoft Network Access Protection (NAP)
- Countless others (at least 35)

Policy compliance: Posture assessment
Open-source software
- Southwestern NetReg, CMU NetReg, Packetfence, RINGS
Standards
- IETF Network Endpoint Assessment (NEA)
  - https://www1.ietf.org/mailman/listinfo/nea
- Trusted Network Connect (TNC)
  - https://www.trustedcomputinggroup.org/groups/network/

Network Quarantines
Isolation is enforced by changing network device configuration (or state)
- to limit the access of non-compliant hosts
Protects other hosts from the isolated host
Protects the isolated host from additional compromise
May provide a conduit for notifying the responsible individual/department

Network Quarantines
May be the result of initial or periodic host assessment
Possibly event driven
- IDS result
- abuse@ mail
- Other security or forensic result
Communication with end user
- Non-user endpoint device?
Fine-grained Policy Enforcement
Proliferation of different classes of devices
- VoIP phones
- SCADA devices
Allocation of device privileges may depend on class of device
- Per-device network segment assignment
- Potential additional security risks

Fine-grained Policy Enforcement
Meta-data about devices is increasingly rich
- Relationship to the enterprise directory
Network privilege assignment is complex
- Posture assessment
- Device class
- User-centric or device-centric
eduDevice?

Fine-grained Policy Enforcement
How are devices authenticated?
Devices that can't speak EAP?
Can you handle fall-through authentication?
- if (can 802.1x) elsif (web-redirect) elsif (MAC address filter) else (deny access)

Fine-grained Policy Enforcement
VPN
- Per-user privilege allocation
- Transport security and security perimeter in one
- Application-centric proxies
Tight IdM integration
- This isn't a new problem, just an application of middleware to a different medium

Fine-grained Policy Enforcement
Non-IdM data sources
Applying security perimeters based on non-network-centric characteristics
- Certain devices in certain buildings
- Some devices in no buildings
- Time of day limitation
Generic network device authorizations

Fine-grained Policy Enforcement
We still need a limited set of resultant policy classes
- Policy is a continuum (real number)
- VLANs are not (hopefully a small integer)
How are policy classes communicated to the user?
- What are the challenges of dynamic policy class assignment?

Managing Complexity
How do new technologies impact current and future segmentation capabilities?
- Optical
- Federated network access
Does segmentation map directly to security perimeters?
- Linearly or non-linearly
How do we understand these changes?

Wired vs Wireless
Wired and wireless network equipment each have distinct capabilities
- Users do not see it this way
Same security capabilities
- 802.1x
- Endpoint integrity
Different security capabilities
- Wireless: WEP/WPA/WPA2
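The fall-through authentication order and the collapse of a "continuum" of policy inputs into a small set of VLANs, as described in the Fine-grained Policy Enforcement slides above, together with the event-driven quarantine from the Network Quarantines slides, as an added worked example in Python. This is not code from the presentation or from any NAC product; the VLAN numbers, device classes, posture fields and the security-event format are assumptions chosen for illustration.

```python
"""Fall-through authentication and policy-class assignment for a network edge.

Added example, not code from the presentation or from any NAC product.
It implements the fall-through order the deck describes (802.1x, then web
redirect, then MAC address filter, else deny) and then maps posture,
device class and security events onto a small set of VLAN IDs. VLAN
numbers, device classes, posture fields and the event format are assumed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed policy classes: however rich the policy inputs are, a switch port
# can only express a small integer, so every outcome maps to one of these.
VLAN = {
    "quarantine": 666,  # walled garden: remediation and notification only
    "guest": 100,
    "registered": 200,  # MAC-registered device, no user login
    "user": 300,        # authenticated user with compliant posture
    "voip": 400,        # device-class segment
    "scada": 500,       # device-class segment, isolated
}


@dataclass
class Posture:
    """Result of a posture assessment; checked=False means not yet assessed."""
    patch_level_ok: bool = False
    antivirus_current: bool = False
    checked: bool = False


@dataclass
class Endpoint:
    mac: str
    supports_8021x: bool = False
    has_browser: bool = False
    mac_registered: bool = False
    authenticated_user: Optional[str] = None
    device_class: str = "generic"   # "generic", "voip" or "scada" (assumed)
    posture: Posture = field(default_factory=Posture)


@dataclass
class Decision:
    auth_method: str
    vlan: int
    reason: str


def select_auth_method(ep: Endpoint) -> str:
    """if (can 802.1x) elsif (web-redirect) elsif (MAC address filter) else (deny)."""
    if ep.supports_8021x:
        return "802.1x"
    if ep.has_browser:
        return "web-redirect"
    if ep.mac_registered:
        return "mac-filter"
    return "deny"


def decide(ep: Endpoint, security_events=()) -> Decision:
    """Map an endpoint plus any security events against it to a VLAN.

    security_events is an iterable of dicts with at least a "mac" key
    (an IDS alert or abuse@ report, say); the format is an assumption.
    """
    method = select_auth_method(ep)
    if method == "deny":
        return Decision(method, 0, "no usable authentication method")
    # Event-driven quarantine overrides everything else: it protects other
    # hosts from this one and this one from further compromise.
    if any(e.get("mac") == ep.mac for e in security_events):
        return Decision(method, VLAN["quarantine"], "security event")
    # Device classes that cannot run a posture agent get a fixed segment.
    if ep.device_class in ("voip", "scada"):
        return Decision(method, VLAN[ep.device_class], "device class")
    # General-purpose hosts must pass posture assessment first.
    if not ep.posture.checked:
        return Decision(method, VLAN["quarantine"], "posture not yet assessed")
    if not (ep.posture.patch_level_ok and ep.posture.antivirus_current):
        return Decision(method, VLAN["quarantine"], "posture failed")
    if ep.authenticated_user:
        return Decision(method, VLAN["user"], "authenticated and compliant")
    if method == "mac-filter":
        return Decision(method, VLAN["registered"], "registered device")
    return Decision(method, VLAN["guest"], "unauthenticated guest")
```

The ordering is the point: a security event wins over a passing posture check, and an unassessed host lands in the same walled garden as a failing one, so the "what network am I in?" question from the challenges slide has only a handful of possible answers that can be explained to a user.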
Wired vs Wireless
Open edge
- Open DHCP ("free love")
- DHCP with MAC registration ("netreg")
- VPN-only access ("vpn")
- Web middlebox ("portal")
  - Cisco Clean Access, Bluesocket, AP portals, etc…
Static WEP ("doesn't scale")
802.1x w/ Dynamic WEP, WPA, WPA2

Open Wired Edge
No client authentication
- Application encryption encouraged
Often depends on physical security
- Jacks are usually in locked offices
Lowest common denominator
- Nearly any device/user can connect

Open Wireless Edge: Common Features
No encryption between client and AP
- Application encryption encouraged, naturally
- But can't guarantee this for all sites
- Some information disclosure anyway (src, dest IP)
Lowest common denominator
- Nearly any device/user can connect

Unrestricted WiFi: Challenges
Isolating systems requires DHCP configuration changes or AP MAC filters
Difficult to notify isolated users if you can't identify them
- Notifying help desk/support is also a challenge
Legal, security, and resource usage implications
- Of course, wireless authn should not be the sole factor in granting application privileges
- YMMV…

DHCP/MAC Registration: Common Features
Can limit access to valid users
- Via authenticated registration interface
- Web browser not necessarily required
Infrequent registration
- e.g. once per semester
Users are identified
- e.g. for isolation, notification, etc.

DHCP/MAC Registration: Challenges
Devices (not users) are identified
- Associated to a given user at time of registration
Subject to MAC address spoofing
NetAuth: active/passive scanning required

Mandatory VPN: Common Features
Provides network-layer encryption and authentication
Can use ACLs to require VPN for access outside of the wireless network
Not necessary to track/filter MAC addresses
- Each session is authenticated
Limited to authorized users

Mandatory VPN: Challenges
Client software install often required
Not all systems supported
- Linux/MacOS clients may be limited
Client support = Help Desk Hell
- If you think email was difficult…
Increased overhead
No easy access for guests
NetAuth: active/passive scanning required

Web Middlebox (portal): Common Features
Middlebox often required to be inline
- Many support 802.1q termination
Web-based authentication interface
- Per-session authentication
MAC address filter bypass
- Devices may be registered to bypass authentication
NetAuth scans may be triggered from the registration page (assuming portal support)

Web Middlebox (portal): Challenges
Physical infrastructure constraints
- Parallel backbone or distributed middleboxes
Requires web browser on client
Possible spoofing
- More complicated to attack than DHCP/MAC registration
802.1x migration challenges

Static WEP
Not worth much consideration, as it simply doesn't scale
Adds encryption between client and AP
But…
- One key shared by everyone
- Key can be easily recovered given time

802.1x Edge Authentication
Authn required prior to network access
Client software ("supplicant") required
- Windows XP/2K: framework built-in, some supplicants built-in
- Mac OS X: framework and most supplicants built-in
- Linux: add-on software provides supplicants
- Windows Mobile: add-on software

802.1x ~ Encryption
802.1x authn provides keys for edge encryption
Several levels of encryption:
- Dynamic WEP: 40/104-bit RC4
  - Proprietary extension, widely supported
- WPA/TKIP: 128-bit RC4 with per-packet key mixing
  - Standard, good client & AP support
- WPA2/802.11i: 128-bit AES (CCMP)
  - Standard, limited client & AP support

802.1x ~ Authentication Types
Multiple authentication types are possible with 802.1x. This modularity comes from the Extensible Authentication Protocol (EAP).
Some EAP supplicants are built into OSs, others are third party
- Microsoft Windows EAP framework [built into XP, 2K]
- Apple OS X EAP framework [built into Mac OS X 10.3+]
- SecureW2
- Funk Odyssey
- Meetinghouse AEGIS
- wpa_supplicant
- Xsupplicant
- Wire1x

802.1x ~ EAP Deployment
Each site should choose one (one+ possible) EAP method for authentication
Most popular EAP methods:
- TLS: X.509 client certificate authn
- TTLS: Tunneled TLS; no client cert required. Can transport a plaintext password (TTLS:PAP)
- PEAP: Protected EAP; often used w/ MS AD (PEAP:MS-CHAPv2, PEAP:GTC)
- For both tunneled methods the inner credential is protected only by the outer TLS tunnel, so supplicants must be configured to validate the RADIUS server's certificate; otherwise a rogue AP with its own RADIUS server can harvest plaintext passwords or MS-CHAPv2 exchanges
Other EAP methods
- LEAP: Proprietary; cracked.
- FAST: Proprietary; not widely supported.
- SIM: Authentication for mobile phones.
802.1x ~ EAP Compatibility

Client       | 98/ME | XP/2K | OS X | Linux | PcktPC | TLS | PEAP           | TTLS | License
Win Builtin  |   ✗   |   ✓   |  ✗   |   ✗   |   ✗    |  ✓  | MS-CHAPv2 only |  ✗   | Builtin
OSX Builtin  |   ✗   |   ✗   |  ✓   |   ✗   |   ✗    |  ✓  |       ✓        |  ✓   | Builtin
SecureW2     |   ✗   |   ✓   |  ✗   |   ✗   |   ✓    |  ✗  |       ✗        |  ✓   | Free
Odyssey      |   ✓   |   ✓   |  ✗   |   ✗   |   ✓    |  ✓  |       ✓        |  ✓   | $$
AEGIS        |   ✓   |   ✓   |  ✓   |   ✓   |   ✓    |  ✓  |       ✓        |  ✓   | $$
wpa_supp     |   ✓   |   ✓   |  ✗   |   ✓   |   ✗    |  ✓  |       ✓        |  ✓   | Free
Xsupplicant  |   ✗   |   ✗   |  ✗   |   ✓   |   ✗    |  ✓  |       ✓        |  ✓   | Free

Reference: LIN 802.1x factsheet

802.1x ~ Encryption Compatibility

Client       | WEP | WPA | WPA2 | License
Win Builtin  |  ✓  |  ✓  |  ✓   | Builtin
OSX Builtin  |  ✓  |  ✓  |  ✓   | Builtin
SecureW2     |  ✓  |  ✓  |  ✗   | Free
Odyssey      |  ✓  |  ✓  |  ✓   | $$
AEGIS        |  ✓  |  ✓  |  ✗   | $$
wpa_supp     |  ✓  |  ✓  |  ✓   | Free
Xsupplicant  |  ✓  |  ✓  |  ✓   | Free

Note: Some hardware & operating system restrictions may apply to support.
Reference: LIN 802.1x factsheet

802.1x ~ EAP, what's missing?
Current practical authn types:
- X.509 certs (TLS)
- Plaintext password (TTLS:PAP, PEAP:GTC)
  - e.g. for LDAP, Kerberos, OTP
- Windows hashed password (PEAP:MSCHAPv2, TTLS:MSCHAPv2)
Many sites use Kerberos; EAP-Kerb/EAP-GSSAPI would be ideal
- Somewhat tricky, as recall there is no network connectivity pre-auth
- Some work on this by Shumon Huque @ UPenn

802.1x ~ RADIUS
RADIUS authn required for EAP
Server must support chosen type
Multiple servers provide redundancy (but accounting becomes trickier)
Servers:
- Cisco ACS
- FreeRADIUS
- Radiator
- Infoblox
- Funk Steel-Belted
- Many others…

802.1x ~ NetAuth
Edge authentication provides no easy opportunity for pre-connection scanning
Instead:
- Active, periodic scans can be used
- Passive detection
- Could monitor RADIUS accounting to launch a scan
Common issue: handling insecure boxes
- Could use dynamic VLAN support to drop users into a walled garden (AP support required)

802.1x ~ Putting it Together
Access Points
- Must support EAP type (should just pass through all types)
- Must support 802.1x auth and encryption mechanism
Encryption Type (WEP/WPA/WPA2)
- Must be supported by APs
- Must be supported by client hardware, OS drivers, and supplicant
Authentication Type (EAP Method: TLS, TTLS, etc.)
- Must be supported by client hardware, OS drivers, and supplicant
- Must be supported by RADIUS server
RADIUS Server(s)
- Must support backend authn using EAP credentials

802.1x ~ Deploying
Client config / software may be required
- Can't provide instructions over the 802.1x net, due to the pre-auth requirement
Common solution: a limited-access open SSID to provide instructions
Debate over SSID broadcast
- Windows tends to ignore "hidden" SSIDs when preferred broadcast SSIDs are present
- But broadcasts can create confusion, and…
- Some APs can only broadcast a single SSID (a waning issue)

Example Deployment: 802.1x
Deployment at a "well-known" University
Pilot deployment began Aug 2005 in one building
Encryption: WPA
- Believed the number of older machines would be very small
- But WPA2 has only limited client support currently (APs are capable)
Authentication: EAP-TTLS:PAP
- Backend auth against central Kerberos database
- All users log in as "userid@example.edu"
RADIUS Server: FreeRADIUS
Instructions are provided via an open SSID, which doubles as a web login portal for guests
- Any University user can generate one-time-use "tokens" granting a guest up to 2 weeks of access

Diagnostics
Diagnosis (from the Greek words dia = by and gnosis = knowledge) is the process of identifying a disease by its signs, symptoms and results of various diagnostic procedures. The conclusion reached through that process is also called a diagnosis.
- http://en.wikipedia.org/wiki/Diagnosis
Diagnostic
- A symptom or a distinguishing feature serving as supporting evidence in a diagnosis.

Network Diagnostics
Provide effective exchange, management, and correlation of log and event information
- between dependent layers
- among interdependent components
A data orchestration function
http://www.cmu.edu/computing/eddy/introduction.htm

Network Diagnostics
Enable system managers to pinpoint problems as they occur
Allow autonomic processes to assist in prediction, management, and maintenance.
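The "monitor RADIUS accounting to launch a scan" idea from the 802.1x ~ NetAuth slide above, as an added worked example in Python. This is not code from the presentation or from any RADIUS server: it parses an Accounting-Request as defined in RFC 2866, verifies the Request Authenticator against the shared secret so that a forged packet cannot queue a scan, and extracts the address and user the scanner needs. The shared secret, addresses and sample packets are constructed here; a real collector would receive them over UDP port 1813.

```python
"""Triggering a NetAuth scan from RADIUS accounting.

Added example; not code from the presentation or from any RADIUS server.
With 802.1x there is no pre-connection scan window, so the deck suggests
watching RADIUS accounting instead. This parses an Accounting-Request
(RFC 2866), checks its Request Authenticator with the shared secret so a
forged packet cannot queue a scan, and pulls out the address and user the
scanner needs. The shared secret and the sample packets are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4
# Attribute type codes (RFC 2865 / RFC 2866)
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 4, 8
CALLING_STATION_ID, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 31, 40, 44
ACCT_START, ACCT_STOP = 1, 2


def encode_attrs(attrs):
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def build_accounting_request(ident, secret, attrs):
    """What a NAS sends. Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body


def parse_attrs(body):
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length")
        attrs.append((t, body[i + 2:i + length]))
        i += length
    return attrs


def verify_and_parse(packet, secret):
    """Return the accounting fields as a dict; raise ValueError if the
    packet is malformed or its authenticator does not match the secret."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    if not hmac.compare_digest(expected, auth):
        raise ValueError("Request Authenticator mismatch (wrong secret or forged)")
    fields = {"id": ident}
    for t, v in parse_attrs(body):
        if t == USER_NAME:
            fields["user"] = v.decode("utf-8", "replace")
        elif t == CALLING_STATION_ID:
            fields["mac"] = v.decode("ascii", "replace")
        elif t == ACCT_SESSION_ID:
            fields["session"] = v.decode("ascii", "replace")
        elif t in (NAS_IP_ADDRESS, FRAMED_IP_ADDRESS) and len(v) == 4:
            key = "nas_ip" if t == NAS_IP_ADDRESS else "framed_ip"
            fields[key] = str(ipaddress.IPv4Address(v))
        elif t == ACCT_STATUS_TYPE and len(v) == 4:
            fields["status"] = struct.unpack("!I", v)[0]
    return fields


def scan_target(packet, secret):
    """Return (ip, user) to hand to the scanner for an Accounting Start
    that carries a Framed-IP-Address; None for anything else."""
    f = verify_and_parse(packet, secret)
    if f.get("status") == ACCT_START and "framed_ip" in f:
        return f["framed_ip"], f.get("user")
    return None


# Constructed sample traffic (secret and addresses are illustrative).
SECRET = b"example-shared-secret"
_common = [
    (USER_NAME, b"alice@example.edu"),
    (NAS_IP_ADDRESS, ipaddress.IPv4Address("192.0.2.1").packed),
    (CALLING_STATION_ID, b"00-11-22-33-44-55"),
    (ACCT_SESSION_ID, b"0000A1B2"),
]
SAMPLE_START = build_accounting_request(7, SECRET, _common + [
    (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
    (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.1.2.3").packed),
])
SAMPLE_STOP = build_accounting_request(8, SECRET, _common + [
    (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STOP)),
    (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.1.2.3").packed),
])
```

The authenticator check is what makes this safe to automate: without it, anyone who can reach the collector's UDP port could make the scanner hammer an arbitrary address, or suppress scans of their own host by sending a bogus Stop. With several RADIUS servers, as the deck notes, each one's accounting stream has to be fed to the same scan queue or the session is simply missed.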
Local Network Bandwidth
Graphs: Edge1 <-> Border, Edge2 <-> Border, Local Peers

Peering Network Bandwidth
Graphs: Internet2, Commodity ISP1, Commodity ISP2

CPU Utilization
Graphs: Monthly, Yearly

Memory Utilization
Monthly
- 5 minute polling
- Used vs Free
Yearly
- 5 minute polling
- Used vs Free

Environmental
Monthly
- Temperature
- Humidity
Yearly
- Temperature
- Humidity

Netflow
"NetFlow technology efficiently provides the metering base for a key set of applications including network traffic accounting, …"
Data export mechanism that records information about router flows.
- Src/dst IP, port, etc.
- Bytes
- No packet content is logged

Unified logging
Given the number and variety of systems that generate logs, it is intractable to manually parse them
- Syslog helps, but doesn't reduce the data
- Databases help, but add complexity
Given sufficient unification, registration may not be necessary
- GULP from Columbia

Config Management
Given the large number of infrastructure devices, automated management is required
- Device availability
- Scheduled outages
Configurations need to be centrally stored
- And retrievable
Accountability and audit capability
- To allow efficient restoration of service

Help Desk and security
Are security incidents different from traditional trouble ticketing?
- Not always
Many schools handle security incidents through their existing help desk services.
This has involved some training and awareness for help desk staff.
Significant work has also been done in facilitating interactions between the information security team and the help desk.
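The Netflow slide above notes that an export carries source and destination addresses, ports and byte counts but no packet content. That is still enough for detection, as this added example shows in Python (not code from the presentation or from any collector): it parses a NetFlow v5 export datagram and flags a source that opens tiny TCP flows to many distinct targets, the signature of a port or host sweep. The export below is constructed in the file from documentation address ranges so it runs offline, and the thresholds in detect_scanners are assumptions to tune per site.

```python
"""NetFlow v5 parsing with a payload-free scan detector.

Added example; not code from the presentation or from any NetFlow
collector. NetFlow exports address, port, protocol and byte/packet
counters per flow and never packet content, which is enough to spot a
sweep. The sample export is constructed here from documentation address
ranges; the detection thresholds are assumptions.
"""
import ipaddress
import struct
from collections import defaultdict

# NetFlow v5 layout: 24-byte header followed by 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")


def parse_netflow_v5(datagram):
    """Return a list of flow dicts; raise ValueError on a malformed export."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short datagram")
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated: header claims %d records" % count)
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(r[0])),
            "dst": str(ipaddress.IPv4Address(r[1])),
            "packets": r[5], "bytes": r[6],
            "sport": r[9], "dport": r[10],
            "tcp_flags": r[12], "proto": r[13],
        })
    return flows


def detect_scanners(flows, min_targets=10, max_packets=2, max_bytes=120):
    """Sources touching many distinct (dst, dport) pairs with tiny TCP flows.

    A SYN that is never answered produces a one-packet flow; a sweep shows
    up as one source with many such flows to many targets. Returns
    {src: number_of_targets} for sources at or over the threshold.
    """
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and f["packets"] <= max_packets and f["bytes"] <= max_bytes:
            targets[f["src"]].add((f["dst"], f["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def make_record(src, dst, sport, dport, packets, nbytes, proto=6, tcp_flags=0x02):
    """Pack one v5 record (nexthop, AS and timestamp fields zeroed)."""
    return V5_RECORD.pack(int(ipaddress.IPv4Address(src)),
                          int(ipaddress.IPv4Address(dst)),
                          0, 1, 2, packets, nbytes, 0, 0, sport, dport,
                          0, tcp_flags, proto, 0, 0, 0, 24, 24, 0)


def build_datagram(records):
    header = V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    return header + b"".join(records)


# Constructed export: 192.0.2.10 sends SYN-only flows to port 22 on twelve
# hosts, while 192.0.2.20 has an ordinary HTTP session.
SAMPLE_EXPORT = build_datagram(
    [make_record("192.0.2.10", "198.51.100.%d" % h, 40000 + h, 22, 1, 60)
     for h in range(1, 13)]
    + [make_record("192.0.2.20", "203.0.113.5", 51000, 80, 40, 30000, tcp_flags=0x1b)]
)
```

Because the record carries no payload, the same export can be retained for months for forensic lookups ("which campus hosts talked to this address?") without the privacy and storage burden of full capture, which is why the deck pairs Netflow with unified logging rather than with packet capture.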
Conclusions
These tools can form an architecture
- Often site local
However the tools in and of themselves are insufficient
- We need an architecture to tie together these components
Security should be part of the infrastructure, not retrofit

Conclusions
We need a coherent plan to ensure that we meet our IT security goals
Security and IdM share aligned goals
- But not always aligned implementations
We need to develop this area
- Staff that are fluent across layers
- Policies, Procedures, Technologies/Tools
This requires more than just technical managers…

Resources
CAMP: Bridging Security and Identity Management
- http://www.educause.edu/camp081

References
EDUCAUSE 'Security Architecture'
- Jack Suess, UMBC
  http://www.educause.edu/ir/library/pdf/pub7008j.pdf
Windows Security Architecture Blueprint
- http://www.microsoft.com/technet/itsolutions/wssra/raguide/ArchitectureBlueprints/rbabsa.mspx?mfr=true
This Presentation
- http://people.umass.edu/crispy/conf/