Friday, December 21, 2007

How to separate critical application network from network connected to the Internet within a company?

Q: How to separate critical application network from network connected to the Internet within a company?
In many companies users have to access the Internet and also some corporate applications from the same computer. But in some cases these applications are very critical, so we can't accept that a computer can connect to the Internet and to the critical network at the same time; in fact this computer can be a gateway for the threats coming from the Internet to the internal network (Trojan horse, virus, intruder, ...). That's why we think about the separation. The best separation is the physical one, but here we face a problem of duplication (cable, computer, NIC) and users can't easily accept it.
Are there solutions for this problem, and how can networks be separated in the same company at lower cost? And if we choose the physical separation, what's the best way to do it?

For example, in a bank network, users connect to the bank's critical application through their computers, and we want to provide them an Internet connection from the same computers without taking risk.
How can we implement a secure solution?

Regards
…..

A: Hi ….,
As you have stated, it is close to impossible to guarantee that a client that is connected to the Internet is 100% secure.
Here is the basic action list that we see in high-risk environments:
1- Make sure that the servers are in a different segment, where access to local servers is regulated with strong security controls. Start with firewalls/ACLs and you may deploy all the way up to IPS, anomaly detection, content control, stronger auditing, strong authentication etc. Most of the banks are deploying internal server segments at the moment.
2- If segmentation is not enough, you can virtualize server access, such as terminal access, SSL VPN, Citrix etc., so that the server environment is different from the client environment. Split tunneling from Internet-surfing clients to critical servers gets really difficult with terminal access.
3- Another option is to virtualize clients so that you can use another client when connecting to high-risk servers. This is still difficult, but this option makes split tunneling difficult.

After segmentation (when it is not enough), we usually recommend an SSL VPN type of control, since the SSL VPN intermediates all requests, so the end user is never in direct contact with the server resource. We can enforce application-layer visibility and granular authorization to the URL, file, and server level. SSL VPN solutions usually offer detailed auditing records including user, application, resource, time and event details. You can add factored authentication so that malicious applications cannot reach the server environment without the physical factor (such as tokens).
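As an added example (not part of the original answer), a small audit of a zone-based ruleset for the exact risk the question raises: a source that is allowed to reach both the Internet and the critical server segment directly. The Rule model, zone names and both rulesets are constructed; the SEGMENTED set places the SSL VPN gateway between clients and servers as described above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One zone-to-zone firewall rule (constructed model, not a vendor format)."""
    src: str      # source zone
    dst: str      # destination zone
    service: str  # service name, or "*" for any
    action: str   # "permit" or "deny"

def evaluate(rules, src, dst, service):
    """First-match evaluation with an implicit final deny, as on most firewalls."""
    for r in rules:
        if r.src == src and r.dst == dst and r.service in ("*", service):
            return r.action
    return "deny"

def reachable_zones(rules, src):
    """Zones a source zone can reach with at least one permitted service."""
    return {r.dst for r in rules
            if r.src == src and evaluate(rules, src, r.dst, r.service) == "permit"}

def dual_homed_sources(rules, internet_zone, critical_zone):
    """Source zones that can reach both the Internet and the critical segment
    directly: exactly the hosts that could relay Internet threats inward."""
    sources = {r.src for r in rules}
    return sorted(s for s in sources
                  if {internet_zone, critical_zone} <= reachable_zones(rules, s))

# Constructed rulesets. FLAT lets browsing clients reach the critical servers
# directly; SEGMENTED only lets them reach the SSL VPN gateway, which alone
# talks to the servers and is itself kept off the Internet.
FLAT = [
    Rule("clients", "internet", "http", "permit"),
    Rule("clients", "critical_servers", "sqlnet", "permit"),
]
SEGMENTED = [
    Rule("clients", "internet", "http", "permit"),
    Rule("clients", "critical_servers", "*", "deny"),
    Rule("clients", "sslvpn_gw", "https", "permit"),
    Rule("sslvpn_gw", "critical_servers", "sqlnet", "permit"),
    Rule("sslvpn_gw", "internet", "*", "deny"),
]

if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name, "dual-homed sources:",
              dual_homed_sources(rules, "internet", "critical_servers"))
```

Running the audit against a real ruleset export only needs the rules mapped into the Rule shape; the check itself does not change.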

Another interesting solution is from Blue Coat. I have not personally tried it, but their RA client encrypts all information stored by the browser, including cache, temp files and cookies, and clears all session information at the end of the SSL VPN session using DoD 5220.22-spec file deletion. Their pre-authentication and continuous spyware scan that leverages AMP (Adaptive Malware Protection) technology may provide a pre-login scan for framegrabbers and keyloggers and continues to scan for the duration of the user session. Configurable split tunneling to block or enforce split tunneling is a good feature.

I can give you more insight about the high-low-medium cost options if you need.
Let me know if you have any questions,
Regards,
- yinal

Sunday, December 9, 2007

PGP or S/MIME?

Q: Which one do you prefer?

A: Hi ...,
As discussed above, the right solution depends on the requirements.

Attached below are the areas that I usually check when I need to compare implementation options:

I assume that your question is for messaging (E-mail and the IM)

1- Interoperability -- For enterprise projects my first priority is the interoperability.
Whichever you choose, there will always be 3rd parties using the other method. I test interoperability before making any other decisions. Even a single protocol like S/MIME can have problems when communicating with different implementations. I always check if the preferred solution can switch from PGP to S/MIME, S/MIME to OpenPGP, OpenPGP to TLS etc. If you will deploy in-house only, the interoperability problem goes away, but in that case you can easily claim that the Exchange or Lotus Notes built-in features are good enough.
2- Key Management: Encryption/signing is not the problem. Key management makes it tough. Keys/certs have to be transparent; they should easily be reset/revoked/changed. If you have an enterprise PKI deployment, S/MIME makes sense. PGP works great if you work with PGP Corp's commercial deployment, which makes the key management easy.
3- Use S/MIME v3 only; other versions (v3) may create security problems due to 40-bit keys. Also check for IETF RFC compatibility in both implementations.
4- I would prefer S/MIME under perfect conditions, where most of the messaging clients have built-in support.
S/MIME RFCs are more up to date as well... But again, have you ever seen a full/successful PKI deployment? S/MIME will bring all the cert problems (managing certs?) back. Expired certs and the messages signed with these certs are a problem.
5- PGP Corporation's PGP solutions are preferred where you need to have it running tomorrow, and where you integrate disk encryption, transparent gateway, application encryption etc.
6- OpenPGP is a good idea (for home), but check the enterprise key management/interoperability/support issues at your operation.
7- I always verify that I have an answer for the delivery of encrypted e-mails to users who do not have encryption capabilities. There are a lot of transparent web-based solutions.
8- I do check in-the-cloud service providers like Google/Postini, Microsoft/Frontbridge, Zix and my current employer.
9- I always check turnkey solutions from PGP, Ironport, Tumbleweed, Ciphertrust, Zix, PostX, Voltage with in-house and co-managed options.
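Points 1 and 7 above both come down to a gateway recognising which protection format a message carries before deciding how to route or deliver it. The following is an added example (not from the original post): a classifier over the MIME structure, using the content types from RFC 3156 (PGP/MIME) and RFC 3851 (S/MIME v3.1). The sample messages are constructed, with truncated placeholder bodies.

```python
from email import message_from_string
from email.message import Message

def classify(msg: Message) -> str:
    """Name the protection format of one parsed message."""
    ctype = msg.get_content_type()
    if ctype == "application/pkcs7-mime":
        # S/MIME: smime-type tells enveloped-data (encrypted) from signed-data.
        return "smime-" + str(msg.get_param("smime-type") or "unknown")
    if ctype == "multipart/signed":
        proto = str(msg.get_param("protocol") or "").lower()
        if proto == "application/pgp-signature":
            return "pgp-mime-signed"
        if proto in ("application/pkcs7-signature", "application/x-pkcs7-signature"):
            return "smime-signed"
        return "signed-unknown"
    if ctype == "multipart/encrypted":
        if str(msg.get_param("protocol") or "").lower() == "application/pgp-encrypted":
            return "pgp-mime-encrypted"
        return "encrypted-unknown"
    if ctype == "text/plain":
        # Inline (non-MIME) OpenPGP, still common with older clients.
        body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
        if "-----BEGIN PGP MESSAGE-----" in body:
            return "pgp-inline-encrypted"
        if "-----BEGIN PGP SIGNED MESSAGE-----" in body:
            return "pgp-inline-signed"
    return "cleartext"

def classify_text(raw: str) -> str:
    return classify(message_from_string(raw))

def required_capability(raw: str):
    """Which client capability the recipient needs, or None for cleartext.
    A None-capable recipient is the case for web-based pickup delivery."""
    fmt = classify_text(raw)
    if fmt.startswith("smime-"):
        return "smime"
    if fmt.startswith("pgp-"):
        return "pgp"
    return None

# Constructed samples; bodies are placeholders, only the structure matters.
SAMPLES = {
    "smime": ('Content-Type: application/pkcs7-mime; smime-type=enveloped-data;'
              ' name="smime.p7m"\nContent-Transfer-Encoding: base64\n\nMIAGCSqGSIb3DQEHA6CA\n'),
    "pgpmime": ('Content-Type: multipart/encrypted; boundary="b";'
                ' protocol="application/pgp-encrypted"\n\n--b\n'
                "Content-Type: application/pgp-encrypted\n\nVersion: 1\n--b\n"
                "Content-Type: application/octet-stream\n\n-----BEGIN PGP MESSAGE-----\n...\n--b--\n"),
    "inline": "Content-Type: text/plain\n\n-----BEGIN PGP MESSAGE-----\nhQEMA...\n-----END PGP MESSAGE-----\n",
    "plain": "Content-Type: text/plain\n\nSee you at the meeting.\n",
}
```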

Let me know if this list helps. I may elaborate more based on your feedback,

cheers,
- yinal

Thursday, December 6, 2007

Monitor instant messaging in a regulated industry?

Q:
What are people doing to secure / monitor instant messaging in a regulated industry (healthcare to be specific)?

A:
Hi ....,

As you have stated, corporate IM is now recognized as an official productivity/collaboration tool, so it is not possible to “ban” IM traffic as it used to be in the past. This is no different from “don’t use e-mail”. IM needs to be “controlled”. For healthcare, public IM is no different from public web-based e-mail services like Gmail/Yahoo/Hotmail. IM can be allowed like e-mail, and I think it is pretty straightforward to adapt the policies...

That being said, I think P2P applications should be banned unless stated otherwise or allowed by corp policies. For HIPAA, here are some links:
http://www.akonix.com/assets/pdf/HIPAA_support_by_Akonix.pdf
http://www.facetime.com/solutions/regulatoryrequirements.aspx

The problem is with the way that public IM works. Public IM networks and their clients transmit all critical information, including EPHI, PII, SSNs etc., over public networks, as their name makes clear, usually in cleartext. So instead of banning the usage, IT departments (including the healthcare ones) enable IM while applying appropriate controls...

As long as IM is controlled it is no more dangerous than e-mail.


Here is a classic workflow:
1) Build a corporate (internal) IM environment. Corporate IM servers usually support all public network IM clients like MSN, Yahoo, Gtalk, AIM, Jabber etc., with a great add-on: corp IM servers
i. Enforce your policies on IM traffic
ii. Log all communication for regulatory/audit reason
iii. Encrypt corp IM traffic
iv. Enforce authentication (usually integration with local user repositories like LDAP, AD etc)
v. Generate reports for metrics, security, audit, regulatory reasons
vi. Keep local traffic local. This is very helpful because public IM clients offer none of these; even the data from one cubicle to another traverses the Internet on most public IM networks. Big players are IBM Lotus Sametime, Microsoft Live Communications Server, Jabber XCP, and Novell GroupWise...

2) When the corporate IM infrastructure is built, then it is possible to “ban” the public IM traffic. Users can still message all IM networks; they will be visible to their peers on AIM, MSN, ICQ etc., but they will be using the corp IM client. All business IM traffic can be encrypted/logged etc. This requires banning illegitimate IM traffic, uninstalling public IM clients, and dropping the packets at network enforcement points. It is very difficult to stop all IM traffic, but it is possible. I may give more detailed information on blocking IM on http/https connections if that is required.

3) Build an IM policy; make public what is allowed and what is not. Are attachments allowed? Is content control enforced? Data leakage checks? Keyword rewrites? Make sure that your IM use policy is managed like any other security policy. For healthcare, follow the data classification policies on what can/cannot be transferred over IM networks.

4) With your policy and infrastructure in place, you can start shopping... There are a lot of vendors, as indicated above. The most well-known ones are Facetime and Akonix, but there are at least 20 vendors out there to enforce controls either over the network or on the desktop. Make sure that you address encrypted traffic and VoIP clients (Skype?) in network-based control options.
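As an added example (not from the original post), one of the content controls step 3 asks about, of the kind a corp IM server applies before relaying a message: detect US SSNs using the issuance rules (no 000/666/9xx area, 00 group or 0000 serial), rewrite them in the relayed text, block them toward public networks, and emit the audit record step 1 calls for. The regex, the network names and the sample messages are constructed.

```python
import re
from datetime import datetime, timezone

# Valid SSN shape: area not 000/666/900-999, group not 00, serial not 0000.
# Word boundaries keep 10-digit phone numbers and longer IDs from matching.
SSN_RE = re.compile(
    r"\b(?!000|666|9\d\d)(\d{3})[- ]?(?!00)(\d{2})[- ]?(?!0000)(\d{4})\b")

# Constructed policy: corp-to-corp traffic is encrypted and logged by the
# corp IM server, so PII may be relayed masked; toward public networks it
# is blocked, per the data classification rule for EPHI.
INTERNAL_NETWORKS = {"corp"}

def find_ssns(text):
    """Return the SSN strings found in a message body."""
    return [m.group(0) for m in SSN_RE.finditer(text)]

def mask_ssns(text):
    """Keyword rewrite: keep only the last four digits of each SSN."""
    return SSN_RE.sub(lambda m: "***-**-" + m.group(3), text)

def decide(message, now=None):
    """Apply the control; return the text to relay (or None) and an audit record."""
    hits = find_ssns(message["text"])
    external = message["network"] not in INTERNAL_NETWORKS
    if not hits:
        action, text = "relay", message["text"]
    elif external:
        action, text = "block", None
    else:
        action, text = "relay-masked", mask_ssns(message["text"])
    audit = {  # user, peer, network, time and event, as the answer lists
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "user": message["user"], "peer": message["peer"],
        "network": message["network"], "event": action, "ssn_count": len(hits),
    }
    return {"action": action, "text": text, "audit": audit}

# Constructed sample messages.
SAMPLES = [
    {"user": "nurse1@corp", "peer": "dr2@corp", "network": "corp",
     "text": "Patient SSN 123-45-6789, please confirm eligibility"},
    {"user": "nurse1@corp", "peer": "friend99", "network": "aim",
     "text": "SSN is 123 45 6789"},
    {"user": "nurse1@corp", "peer": "friend99", "network": "aim",
     "text": "Ticket 000-12-3456 is not an SSN, call 555-123-4567"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(decide(m)["audit"])
```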

If you have a specific question please let me know,
cheers,
- yinal

Sunday, December 2, 2007

IT Governance, Risk and Compliance (ITGRC) Tools

Lately I found myself in several interlinked IT GRC projects.

Tools do not fix the governance problem, but they do help in shaping your project with fewer bodies (and probably in exchange for good hard cash).

The new era of tools has a better message than the previous "We fix your compliance problems" motto. We all knew that compliance was just another step to achieve governance of information security. The new tools have better connections with legacy information security products like patch managers, SEIM tools etc.; they also come with several predefined policy frameworks like ISO 27001.

Not there yet, but if you are interested here is a good start list of lists for googling and reading:

IT Governance, Risk and Compliance (ITGRC) Tools

Agiliance
http://www.agiliance.com/
Brabeion
http://www.brabeion.com/
Archer
http://www.archer-tech.com/solutions/index.html
Control Path
http://www.controlpath.com/solutions_advantage.php
Symantec (Control Compliance Suite)
http://eval.symantec.com/mktginfo/enterprise/fact_sheets/ent-datasheet_control_compliance_suite_05-2007.en-us.pdf
Compliance Spectrum -Spectra (Command Center)
http://www.compliancespectrum.com/spectra.pdf
Modulo
http://www.modulo.com/
NetIQ VigilEnt Policy Center and other NetIQ tools
http://download.netiq.com/CMS/WHITEPAPER/NetIQ_CRM_Methodology_Feb_2007.pdf
eIQ Networks SecureVue
http://www.eiqnetworks.com/products/SecureVue.shtml
CA clarity (formerly NIKU)
http://www.niku.com/it-governance-47.html
IBM Tivoli Series
http://www-306.ibm.com/software/uk/itsolutions/governance/?ca=grm_Lnav&me=w
Relational Security - RSAM
http://www.relsec.com/rsam_overview.htm
Iconium
http://www.iconium.co.uk/Solutions/overview.htm
Security Works - Visible Security
http://security-works.com/?page_id=27
Oracle (formerly Logical Apps and Oracle GRC Manager)
http://www.oracle.com/solutions/corporate_governance/governance-risk-compliance-manager.html
Proteus
http://www.infogov.co.uk/proteus_enterprise/index.php

There are also dedicated risk management tools which will soon identify themselves (maybe they already do) for the IT GRC marketspace:
Callio
http://www.callio.com/
Octave
http://oattool.aticorp.org/Tool_Info.html
Casis
http://www.aprico-consult.com/ (clearpriority)
Cobra
http://www.riskworld.net/
Citicus
http://www.citicus.com/oursoftware.asp
Alion – Countermeasures (makers of Buddy System)
http://www.countermeasures.com/
Siemens – CRAMM
http://www.cramm.com/
Ebios
http://www.ssi.gouv.fr/en/confidence/ebiospresentation.html
GStool
http://www.bsi.bund.de/english/gstool/
RA2
http://www.aexis.de/RA2ToolPage.htm
RiskPAC
http://www.cpacsweb.com/riskpac.html
Risicare (French)
http://www.risicare.fr/
Riskwatch
http://www.riskwatch.com/

Methodologies for risk assessment and management that can be used in IT operations... Endless discussion on quantifying the risks... My prayers are with the ISO, but let’s see which method(s) will prevail:

ISO 14971 – Risk Management for Medical Technologies
NIST 800-30 Risk Management Guide for IT Systems - National Institute of Standards and Technology
OCTAVE (Carnegie Mellon)
The Institute of Risk Management (IRM) - The Risk Management Standard
ISO 13335-2 Information Security Risk Management, To be replaced by ISO/IEC IS 27005
BS 7799-3:2006 Information security management systems. Guidelines for information security risk management
BSI Grundschutz Handbuch
ENISA Regulation (2004)
PARA - Practical application of risk analysis
PTA - Practical Threat Analysis for Securing Computerized Systems
Austrian IT Security Handbook
Federal Financial Institutions Examination Council’s (FFIEC) IT handbook covers information security risk assessment
Threat and Risk Assessment Working Guide from The Government of Canada Security Policy
CRAMM - British Office of Government Commerce or The CCTA's (Central Computer and Telecommunications Agency) Risk Analysis and Management Method
Afhankelijkheids- en Kwetsbaarheidsanalyse (Dutch A&K)
EBIOS (French Government)
FRAP: Facilitated Risk Assessment Process
ISF - IRAM: Information Security Forum Ltd. Information Risk Analysis Methodologies. Also check FIRM (Fundamental Information Risk Management), SARA (Simple to Apply Risk Analysis), SPRINT (Simplified Process for Risk Identification)
CLUSIF MEHARI - Club de la Sécurité de l'Information Français
Calpana CRISAM
Securitree from Ameneza
OSSTMM RAV (RAV stands for Risk Assessment Values)
SOMAP - Security Officers Management and Analysis Project
FAIR Factor Analysis of Information Risk
DRAM Delphic Risk Assessment Method
Buddy System
AS/NZS 4360 (2004) Risk Management. Australia/New Zealand standard for risk management

What hardware firewall are you using? And why?

Q: What hardware firewall are you using? And why?

Cisco, Sonicwall, Watchguard? What model?

If Cisco, do you like it, is it easy to admin?

Any thoughts appreciated.

A:
Hi ...,

Let's begin with classification:
By hardware firewall we mean that the firewall software runs on a unified platform where hardware and software are purpose-built.

Models do vary. In order to recommend a model, you need to define your requirements. Here is a high-level list of inputs that you may provide for a better recommendation:
1- Aggregated throughput
2- UTM features that will be enabled (deep packet inspection, AV , content filter etc)
3- Dynamic routing requirements
4- Failover , HA, load balancing requirements
5- Total number of physical segments needed, interface types, link aggregation requirements
6- SO-HO features like dial-back, wireless, ADSL, WAN interface support
7- VPN requirements, remote access VPN required?
8- Integration requirements (SEM/SIM, Backup, Network monitoring, MSS, desktop security IPS)
9- Your existing environment (all Cisco, all Check Point etc.., routing)
10- Primary function (e.g. Web Farm Protection, Internet Access, VPN, Server Farm Protection etc)

If you send more data on your planned firewall deployments with the hints for the questions above, I can be more specific on the comparison.

Sonicwall and Watchguard fit the bill when all you need is a security appliance. They offer not only the firewall functionality but several other network security features like content filtering, deep packet inspection or AV... They are more often called UTM (unified threat management) instead of a firewall. Management is rather easy since the interface is unified, and central management servers do exist. Model selection is usually based on performance and interface requirements.

I would prefer Sonicwall on the enterprise (high-traffic) side if you have a demanding infrastructure; performance-wise, multi-core parallel processing will help you a lot...

In the Cisco world you have options for models... You can go with the ISR series, ASA appliances, good old PIX boxes and the 6509 blades. Performance-wise you can never get close to the core, since multi-gig performance is limited unless you choose FWSM (more blades maybe, but not the ASAs, ISRs etc.).
I have managed several Cisco systems in the past. Administration is not miraculous when you compare with other systems; there are local GUIs, central management systems, 3rd parties, network management tools... Cisco is actually trying to unify the management piece... CiscoWorks VPN/Security Management Solution (big bundle), CiscoWorks Management Center for Firewalls (VMS), Cisco Security Manager (this is the new one), Cisco Router and Security Device Manager (SDM), Cisco Adaptive Security Device Manager (ASDM), PIX Device Manager (PDM) and the command-line interface (CLI) are just a few of the names in the Cisco firewall management space. Overall the GUI is not miraculous, but it works. If you are the CLI guy you will be happy. Managing a Cisco firewall on any of the models is no more difficult than managing routers. If you like scripting, you can automate 90% of the tasks. Cisco is already integrated with all network management products, so you won’t have problems. Base code is stable lately and it does support enterprise features like VoIP or multicast up to a level... New additions to transport mode VPNs will help a lot... Upgrades/downgrades are usually easy, backup is simple. The downside with Cisco is the segregation of duties: if your entire infrastructure is Cisco, it won’t help a lot to add one more layer of Cisco for firewalling, esp. on the perimeter.

I can give more details on ISRs, ASAs, FWSM and PIX based on your specific questions.

If you are looking at hardware only firewalls you should also be looking at Juniper and Fortinet as well. Check Point/Nokia, Check Point/Crossbeam, Check Point UTM-1, Stonesoft, Secure Computing, Palo Alto Networks and Symantec are other players in the firewall space.

Let me know if you have any questions,
cheers,
- yinal ozkan