
Security Frameworks

Type: Paper
Tags: framework
Authors: Robert Frazier
Event: Chaos Communication Congress 21th (21C3) 2004
Indexed on: Mar 27, 2013
URL: http://events.ccc.de/congress/2004/fahrplan/files/89-security-frameworks-paper.pdf
File name: 89-security-frameworks-paper.pdf
File size: 69.5 KB
MD5: 7a5a4a0f911c9527886517f093913c42
SHA1: 2c91495979f936c5392d417b20e2ee75cf719f13

The presentation looks at security from a framework approach, using the OSI 7 layer model to map security tools across the enterprise. The discussion centers on how security tools map to the OSI model to provide end-to-end security. With the advent of e-business, transactions and information are used across all parts of the enterprise, from the DMZ to the database. Security no longer stops at the perimeter. All of the enterprise has to be secured, and the security program has to meet the business goals of the organization. This cannot be done with individual security appliances acting alone or in parallel. Security has to be deployed in a systematic fashion and designed to work together in a security framework. Taking a framework approach helps ensure that security extends from one end of the enterprise to the other.

To build an effective framework, the security engineer maps security tools, processes, policies and procedures to the layers of the OSI model. The security framework also adds two additional “network” layers: the financial and business layers. Physical security, cable plant and wiring closets are mapped to Layer One (Physical) of the OSI model. At Layers Two and Three (the Data Link and Network layers of the OSI model) are security tools and devices such as switches, VPNs, Network Intrusion Detection, etc. Moving to Layers Three and Four (Network and Transport), security is carried out by firewalls doing stateful inspection of incoming and outgoing packets, routers using Access Control Lists (ACLs) to filter packets bound between networks, and virus scanning of attachments at the e-mail gateways. Moving up the OSI model to Layers Five, Six and Seven (the Session, Presentation and Application layers respectively), security tools such as OS and application hardening at the system level are found. Also included is security health checking to determine whether security policies (for the types of applications allowed to run, password composition and length, services allowed on hosts, etc.) are being followed. Vulnerability scanning, which tests the configuration of applications and systems and looks for vulnerabilities, missing patches, etc., is also at these layers.

The list of tools and where they fit on the OSI model goes on and on. Some of the tools overlap different layers. It can be argued at what layer a particular tool actually works, but the important concept is the framework approach: a systematic approach to security is the key. Security must be carried out with the same operational consistency as network and system management. With this in mind, the capstone to the security framework is a Security Operations Center (SOC) that monitors and manages security just as a NOC oversees network operations.

At the so-called “financial layer”, using a framework allows for more efficient use of tools and security professionals. It also allows for more accurate budgeting and tracking of costs related to security. At the “business layer”, the framework provides a platform to turn security policies and procedures into practice and operations. The framework allows for new networks and technologies to be securely incorporated into the overall enterprise. Security frameworks are a rational and comprehensive approach to securing the network.
