WS2 - Risk-Based Approach to IT Infrastructure Security and ...

WS2 - Risk-Based Approach to IT Infrastructure Security and ...

Next Generation Firewalls Do We Need Them? D12 Wednesday 18th July 10.30-11.45 am John Tannahill Mail: [email protected] 2018 J. Tannahill & Associates Network Security Key Risk Areas

Internet Network Perimeter Virtual Private Networks (VPN) Wireless LAN Networks Sensitive Network Segments WAN Connectivity Software Defined Networking (SDN) 2018 J. Tannahill & 2 Common Network Vulnerabilities

Network services with known vulnerabilities and not patched Network services with poor authentication Unnecessary network services that are not properly configured or secured Network transmission of clear text credentials and data 2018 J. Tannahill & Associates 3 Network Perimeter Controls Firewall Application Servers

External Router Internet Browser Defense in Depth: -Firewalls - Security Zones -Switch / VLAN -Hardened OS -Hardened TCP/IP Services -IDS/IPS Architecture -Sandbox Appliances 2018 J. Tannahill & Associates DMZ Servers: -Mail -Web

-VPN Database Servers Network Traffic Ingress Traffic Egress Traffic 2018 J. Tannahill & 5 Egress Traffic Controls

Network monitoring for egress traffic relating to C2 traffic Understand anomalous outbound traffic Firewall rules to restrict outbound protocols NGFW to inspect traffic (e.g. https) Use indicators of compromise Use blacklists for C&C Servers 2018 J. Tannahill & 6 Network Firewall Technologies

Packet Filters Stateful Inspection Next Generation Firewalls 2018 J. Tannahill & 7 NGFW Examples Palo Alto Cisco ASA with Firepower

Fortigate 2018 J. Tannahill & 8 Next Generation Firewall Functions Palo Alto Example

User-id / App-id Wildfire (Anti-malware) Vulnerability Protection URL Filtering Data Filtering (Data Loss Prevention) Zone Protection SSL Decryption 2018 J. Tannahill & 9 Critical Security Controls Source: cisecurity.org 2018 J. Tannahill &

10 Key Network Controls Next Generation Firewalls Egress Filtering Network Segmentation and Isolation NetFlow (Detect Anomalous Activity) Network Access Control Threat / Vulnerability Intelligence Indicators of Compromise

Vulnerability Management 2018 J. Tannahill & 11 Network Security Assessment Network Discovery & Mapping TCP/IP Service Enumeration Network Vulnerability Assessment Penetration Testing / Red Team Exercises Firewall Security Assessment

Architecture Configuration Rules Wireless Security Assessment 2018 J. Tannahill & Associates Network Security Controls Configuration Management

cisecurity.org (Cisco ASA; Palo Alto) iase.disa.mil - STIGs (Cisco; Palo Alto) / Firewall SRG Compliance Process to ensure proper security configuration and patch levels Privilege Management Logging and Monitoring 2018 J. Tannahill & 13 Risks of Unsupported/Unpatched Network Perimeter Devices

E.g. Fortinet Firewall backdoor E.g. Cisco PIX 2018 J. Tannahill & 14 Summary No Silver Bullets

Avoid Snake Oil Pay Attention to NGFW Configuration Vulnerability Management Layered Defence Firewall as a Service 2018 J. Tannahill & 15

Recently Viewed Presentations

  • Secondary Sources of Law

    Secondary Sources of Law

    R. v. Lavallee- no law was created but a case created a law through the decision of the SCC- battered woman syndrome must be included as a form of defence. To prepare a court case lawyers and judges will look...
  • The charter of 1732 Quiz

    The charter of 1732 Quiz

    Arial Century Gothic Wingdings 2 Calibri Trek 1_Trek 2_Trek 3_Trek 4_Trek 5_Trek 6_Trek 7_Trek 8_Trek The charter of 1732 Quiz Instructions 1) What was James Oglethorpe famous for? 2) How many trustees were allowed to rule at a time? 3)...
  • Uncontrolled copy not subject to amendment Principles of

    Uncontrolled copy not subject to amendment Principles of

    High lift devices come in many shapes and forms. They are mounted on the leading and trailing edges of wings. They create more lift at lower speeds to allow lower take-off and landing speeds. The aircraft nose will be lower,...
  • Exploring Solar Energy

    Exploring Solar Energy

    PROJECT TITLE. PROJECT TITLE. Drying Agricultural Products. Source: Thermal Science, 2014 ... NREL 2016 Renewable Energy Data Book. PROJECT TITLE. Global Regional PV Installations per Inhabitant. ... Environmental Impact of PV Cell Production. PROJECT TITLE. Using a Digital Multimeter.
  • DC Power Supply - khu.ac.kr

    DC Power Supply - khu.ac.kr

    is a recursive acronym for "GNU's Not Unix!",chosen because GNU's design is Unix-like, but differs from Unix by being free software and containing no Unix code. Development of GNU was initiated by Richard Stallman in 1983. ... DC Power Supply
  • Ontario's Tourism Regions

    Ontario's Tourism Regions

    This report summarizes key characteristics of visitors and visitor spending of trips in Ontario which includedgoing to a casinoData was sourced from Statistics Canada's Travel Survey of the Residents of Canada and International Travel Survey, 2014Some slides include an index...
  • The Galactic Zoo Denizens of the Night Sky

    The Galactic Zoo Denizens of the Night Sky

    So this diagram, which also is on your map, shows what the moons look like tonight (23Aug2019). ... Notice how it is a kite-shaped constellation. It used to be a shorter kite -- in ancient Greek & Roman times (2,000...
  • Maths Workshop for Parents - Hodnet Primary School

    Maths Workshop for Parents - Hodnet Primary School

    Display a traditional calendar. Board games that involve dice and spinners - helps not only with counting but with the concepts of chance. Traditional playing cards - simple games such as snap are a natural way of learning about sorting...