AAU Separation in National Infrastructure Protection Essay

Allied American University

Question Description

I don’t understand this Computer Science question and need help to study.

What is separation and what role does it play in a program of national infrastructure protection?

Unformatted Attachment Preview

Cyber Attacks Protecting National Infrastructure, 1st ed.
Chapter 3 – Separation
Copyright © 2012, Elsevier Inc. All Rights Reserved

Introduction
• Using a firewall to separate network assets from intruders is the most familiar approach in cyber security
• Networks and systems associated with national infrastructure assets tend to be too complex for firewalls to be effective
• Three new approaches to the use of firewalls are necessary to achieve optimal separation
  – Network-based separation
  – Internal separation
  – Tailored separation

Fig. 3.1 – Firewalls in simple and complex networks

What Is Separation?
• Separation is a technique that accomplishes one of the following
  – Adversary separation
  – Component distribution
• A working taxonomy of separation techniques: Three primary factors involved in the use of separation
  – The source of the threat
  – The target of the security control
  – The approach used in the security control (See figure 3.2)

Fig. 3.2 – Taxonomy of separation techniques

Functional Separation?
• Separation is commonly achieved using an access control mechanism with requisite authentication and identity management
• An access policy identifies desired allowances for users requesting to perform actions on system entities
• Two approaches
  – Distributed responsibility
  – Centralized control
  – (Both will be required)

Fig. 3.3 – Distributed versus centralized mediation

National Infrastructure Firewalls
• Firewalls are placed between a system or enterprise and an un-trusted network (say, the Internet)
• Two possibilities arise
  – Coverage: The firewall might not cover all paths
  – Accuracy: The firewall may be forced to allow access that inadvertently opens access to other protected assets

Fig. 3.4 – Wide area firewall aggregation and local area firewall segregation

National Infrastructure Firewalls
• Increased wireless connectivity is a major challenge to national infrastructure security
• Network service providers offer advantages to centralized security
  – Vantage point: Network service providers can see a lot
  – Operations: Network providers have operational capacity to keep security software current
  – Investment: Network service providers have the financial wherewithal and motivation to invest in security

Fig. 3.5 – Carrier-centric network-based firewall

DDOS Filtering
• Network-based firewall concept includes device for throttling distributed denial of service (DDOS) attacks
• Called a DDOS filter
• Modern DDOS attacks take into account a more advanced filtering system

Fig. 3.6 – DDOS filtering of inbound attacks on target assets

SCADA Separation Architecture
• SCADA – Supervisory control and data acquisition
• SCADA systems – A set of software, computer, and networks that provide remote coordination of control system for tangible infrastructures
• Structure includes the following
  – Human-machine interface (HMI)
  – Master terminal unit (MTU)
  – Remote terminal unit (RTU)
  – Field control systems

Fig. 3.7 – Recommended SCADA system firewall architecture

Physical Separation
• Why not simply unplug a system’s external connections? (Called air gapping)
• As systems and networks grow more complex, it becomes more likely that unknown or unauthorized external connections will arise
• Basic principles for truly air-gapped networks:
  – Clear policy
  – Boundary scanning
  – Violation consequences
  – Reasonable alternatives

Fig. 3.8 – Bridging an isolated network via a dual-homing user

Insider Separation
• Hard to defend against a determined insider
• Threats may also come from trusted partners
• Background checks are a start
• Techniques for countering insider attack
  – Internal firewalls
  – Deceptive honey pots
  – Enforcement of data markings
  – Data leakage protection (DLP) systems
• Segregation of duties offers another layer of protection

Fig. 3.9 – Decomposing work functions for segregation of duty

Asset Separation
• Involves the distribution, replication, decomposition, or segregation of national assets
  – Distribution: creating functionality using multiple cooperating components that work together as distributed system
  – Replication: copying assets across components so if one asset is broken, the copy will be available
  – Decomposition: breaking complex assets into individual components so an isolated compromise won’t bring down asset
  – Segregation: separation of assets through special access controls, data markings, and policy enforcement

Fig. 3.10 – Reducing DDOS risk through CDN-hosted content

Multilevel Security (MLS)
• Typically, mandatory access controls and audit trail hooks were embedded into the underlying operating system kernel
• Popular in the 1980s and 1990s

Fig. 3.11 – Using MLS logical separation to protect assets

National Separation Program
• Internet separation: Certain assets simply shouldn’t be accessible from the Internet
• Network-based firewalls: These should be managed by a centralized group
• DDOS protection: All assets should have protection in place before an attack
• Internal separation: Critical national infrastructure settings need an incentive to implement internal separation policy
• Tailoring requirements: Vendors should be incentivized to build tailored systems such as firewalls for special SCADA environments
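
An added example, not part of the slides or the original page: a minimal boundary-scanning check for the dual-homing problem named under Physical Separation (Fig. 3.8). The inventory, host names and the 10.50.0.0/16 address plan are constructed assumptions; in practice the interface list would come from an asset inventory or endpoint agent.

```python
import ipaddress

# Constructed sample inventory: host name -> addresses bound to its interfaces.
SAMPLE_INVENTORY = {
    "hmi-01": ["10.50.1.10", "127.0.0.1"],
    "eng-laptop-7": ["10.50.1.44", "192.168.43.12"],  # enclave NIC + phone hotspot
    "historian": ["10.50.2.5", "fe80::1"],
    "office-pc": ["172.16.8.20"],
    "mtu-02": ["10.50.1.2", "10.50.2.2"],             # two NICs, both inside
}
ISOLATED_NETS = ["10.50.0.0/16"]  # assumed address plan of the isolated network


def find_dual_homed(inventory, isolated_nets):
    """Return {host: {"inside": [...], "outside": [...]}} for hosts that
    hold an address inside the isolated network and a routable one outside it."""
    nets = [ipaddress.ip_network(n) for n in isolated_nets]
    findings = {}
    for host, addrs in inventory.items():
        inside, outside = [], []
        for raw in addrs:
            ip = ipaddress.ip_address(raw)
            # Loopback and link-local addresses cannot carry traffic off the
            # segment, so they do not count as a second connection.
            if ip.is_loopback or ip.is_link_local:
                continue
            if any(ip in net for net in nets):
                inside.append(raw)
            else:
                outside.append(raw)
        # A bridge exists only when the same host sits on both sides.
        if inside and outside:
            findings[host] = {"inside": inside, "outside": outside}
    return findings


if __name__ == "__main__":
    for host, sides in find_dual_homed(SAMPLE_INVENTORY, ISOLATED_NETS).items():
        print(f"policy violation: {host} bridges {sides['inside']} and {sides['outside']}")
```

A host with several interfaces that all sit inside the isolated range (mtu-02 here) is not reported, since it does not cross the boundary.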

Explanation & Answer

Attached.

Running head: SEPARATION IN NATIONAL INFRASTRUCTURE PROTECTION

Separation in National Infrastructure Protection
Student’s Name
Course Code
Professor
May 28, 2020


Separation in National Infrastructure Protection
Separation involves the use of a firewall in order to separate a network from cyberattacks. The primary factors used in source of the threat, what the security control targets and the approach used in security ...
