Network Policy (slides by Jeremy, Brian, and Daniel)

Date posted: 20-Dec-2015

Network Policy

(slides by Jeremy, Brian, and Daniel)

What Network Policy IS

• Includes a set of preconditions required for network access and to maintain that access (access policy)

• Some examples:
  – Must be running the organization’s specified antivirus product with the latest virus definitions
  – Must have a personal firewall enabled
    • Egress/ingress, particular ports, protocols, etc.
  – Must pass a scan for known vulnerabilities (like CMU)

What Else Network Policy IS

• Specifies access controls for systems and resources

• Examples:
  – Bank teller can only connect to the bank network during regular business hours
  – Staff not employed by the payroll department must not access payroll records
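The two kinds of rule on the last two slides (endpoint preconditions for getting and keeping access, and role/time based access controls) can be written down as a small policy engine. The following is an added example, not code from the slides or from CMU: the antivirus product name, the definition-age limit, the business-hours window and every device and session are constructed assumptions.

```python
"""Added example, not from the slides: a small policy engine that encodes the
two kinds of rule the deck describes, endpoint preconditions for obtaining and
keeping network access, and role/time based access controls. Every threshold,
name and session below is a constructed assumption for illustration."""
from dataclasses import dataclass
from datetime import datetime

# Hypothetical organisation settings (assumptions, not from the slides).
REQUIRED_AV = "CorpAV"            # the organisation's specified AV product
MAX_DEFINITION_AGE_HOURS = 48     # how stale "latest definitions" may be
BUSINESS_HOURS = (9, 17)          # 09:00-17:00 local, Monday-Friday


@dataclass
class Posture:
    """Endpoint state reported when a device connects (constructed sample)."""
    av_product: str
    av_definitions_age_hours: int
    firewall_enabled: bool
    vuln_scan_passed: bool


@dataclass
class Session:
    """Who is asking for what, and when (constructed sample)."""
    user: str
    role: str
    department: str
    when: datetime
    resource: str


def check_preconditions(p: Posture) -> list[str]:
    """Return the unmet access-policy preconditions; an empty list means the
    device may connect (re-running this periodically is how it keeps access)."""
    failures = []
    if p.av_product != REQUIRED_AV:
        failures.append("wrong antivirus product")
    if p.av_definitions_age_hours > MAX_DEFINITION_AGE_HOURS:
        failures.append("virus definitions out of date")
    if not p.firewall_enabled:
        failures.append("personal firewall disabled")
    if not p.vuln_scan_passed:
        failures.append("failed vulnerability scan")
    return failures


def check_access(s: Session) -> list[str]:
    """Return the access-control rules the session violates (empty = allowed)."""
    violations = []
    # Bank teller: bank network only during regular business hours.
    if s.role == "teller" and s.resource == "bank-network":
        start, end = BUSINESS_HOURS
        weekday = s.when.weekday() < 5
        if not (weekday and start <= s.when.hour < end):
            violations.append("teller access outside business hours")
    # Payroll records: only staff employed by the payroll department.
    if s.resource == "payroll-records" and s.department != "payroll":
        violations.append("payroll records restricted to payroll department")
    return violations


def decide(p: Posture, s: Session) -> tuple[bool, list[str]]:
    """Combine both checks: a device that fails its preconditions never gets as
    far as the access-control decision, and every reason is returned so the
    denial can be logged and audited."""
    reasons = check_preconditions(p)
    if reasons:
        return False, reasons
    reasons = check_access(s)
    return (not reasons), reasons


def demo() -> dict[str, tuple[bool, list[str]]]:
    """Run constructed sample sessions through decide() and return the results."""
    healthy = Posture("CorpAV", 6, True, True)
    stale = Posture("CorpAV", 9 * 24, False, True)
    monday_10am = datetime(2015, 12, 21, 10, 0)   # a Monday
    monday_10pm = datetime(2015, 12, 21, 22, 0)
    cases = {
        "teller during hours": (healthy, Session("alice", "teller", "retail", monday_10am, "bank-network")),
        "teller after hours": (healthy, Session("alice", "teller", "retail", monday_10pm, "bank-network")),
        "non-payroll reads payroll": (healthy, Session("bob", "analyst", "marketing", monday_10am, "payroll-records")),
        "payroll clerk, unhealthy device": (stale, Session("carol", "clerk", "payroll", monday_10am, "payroll-records")),
    }
    return {name: decide(p, s) for name, (p, s) in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:32} -> {'ALLOW' if ok else 'DENY':5} {why}")
```

The order of the two checks is the point: posture is a precondition for being on the network at all, so it is evaluated before any resource-level rule, and the returned reasons are what a monitoring or audit process would later need to see.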

Anything Else?

• What is allowed on the network
  – Hotmail, Ebay, Ameritrade, pornography?

• What is monitored
  – How long do you keep the logs
  – What do you do with them after that time period
  – Who handles these logs
  – Who is responsible for auditing them

Network Policy is NOT

• A firewall, IDS, IPS, etc.

• A certification

• Something you download and print

• Something you purchase

It is a custom tailored process!

The IKEA Analogy for Network Policy

• No policy is like having no instructions for securing the network

• Seems simple but actually a million complicated pieces with complex interactions

• “Universal Tool” – Not the best solution
  • It works great until it falls apart and needs to be redone the right way
  – Find out what those extra parts do after the fact

• Frustrating?
• Quality issues?

But Policy is Just Paper

• True, policy needs to be enforced
  – People are either ignorant of or don’t care what is on the paper.
  – Survey: Who knows CMU’s Network Policy?

• How to enforce Network Policy?
  – Technology: firewalls, ACLs, Nessus, card readers, network monitors, encryption, Active Directory, etc.
  • Can’t effectively deploy these tools without policy
  – Can’t build sturdy furniture (security) without directions (policy)
  – Policy = Directions

Designing Network Policy

• Very specific to the organization’s needs
• No “one size fits all”
• Try to follow best practices
  – Least Privilege
  – Defense in Depth
  – ACTIVE MONITORING
    • Build this into the policy!

• Threats constantly evolve, security must do the same.

The Case: Issues to Consider

• Least Privilege
  – Sponsors – “What do you mean I can’t do xyz, I paid for this thing to happen!”
  – Money talks, but making exceptions can break down the security of the entire system

• People want money spent on something visible
  – Make a case for security supporting visibility? Does it?

• People want invisible security
  • If it is a hassle, they will circumvent it
  – Media – use venue as backdoor

More Issues: Insiders

• Organizations implicitly trust them
• Intimate knowledge of system and its weak points
• May be sympathetic to protesters
• Physical access to critical areas
  – Easy to plug in a rogue WAP on the wired network
• Many new temporary employees
  – Where is their loyalty?

Showdown: Wireless Policy

VS

Wireless Policy Considerations

• Basic requirements for event
  – Can enough cable be run at the venue to support all wired connections?
  – Do the participants need wireless? Why?

• Who is in charge?
  – Delegate who is in charge and who takes responsibility for problems
    • Establishes accountability and point of contact

What is the Risk?

• Perform a Risk Assessment
  – Potential threats:
    • DoS, session hijacking, sniffing, MITM, ad-hoc connections
    • Wardrive/warwalk to determine physical exposure
  – What is the wireless going to be used for?
    • Casual web surfing (low risk)
    • Media/sponsor access (medium risk)
    • Confidential scheduling and voting (high risk)
  – How frequently to assess risk?

• Do the threats outweigh the benefits?
• See NIST 800-30 for more formal information
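To show where the slide's low/medium/high labels come from, here is an added example (not from the slides) of the kind of qualitative assessment NIST 800-30 describes: each threat is rated for likelihood and impact per use case, scored on a matrix modeled on the original SP 800-30 scale (likelihood 0.1/0.5/1.0, impact 10/50/100; a product above 50 is High, above 10 Medium, otherwise Low), and the worst threat sets the use case's level. The per-threat ratings are constructed assumptions chosen to reproduce the slide's three labels; a real assessment would derive them from the venue and the data involved.

```python
"""Added example, not from the slides: a qualitative risk assessment for the
three wireless use cases the deck lists, using a likelihood x impact matrix
modeled on the original NIST SP 800-30 scale. The threat ratings per use case
are constructed assumptions for illustration."""
from dataclasses import dataclass

LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: str   # key of LIKELIHOOD
    impact: str       # key of IMPACT


def score(t: Threat) -> float:
    """Risk score = likelihood weight x impact weight."""
    return LIKELIHOOD[t.likelihood] * IMPACT[t.impact]


def level(risk: float) -> str:
    """Map a score onto the three qualitative risk levels."""
    if risk > 50:
        return "high"
    if risk > 10:
        return "medium"
    return "low"


def assess(threats: list[Threat]) -> tuple[str, list[tuple[str, float, str]]]:
    """Rank the threats for one use case and roll them up to the use case's
    risk level (the worst single threat sets the level)."""
    ranked = sorted(((t.name, score(t), level(score(t))) for t in threats),
                    key=lambda r: r[1], reverse=True)
    overall = ranked[0][2] if ranked else "low"
    return overall, ranked


# Constructed ratings: the deck's threats rated against each use case.
USE_CASES = {
    "casual web surfing": [
        Threat("sniffing", "high", "low"),
        Threat("DoS", "medium", "low"),
        Threat("session hijacking", "medium", "low"),
    ],
    "media/sponsor access": [
        Threat("sniffing", "high", "medium"),
        Threat("session hijacking", "medium", "medium"),
        Threat("DoS", "medium", "medium"),
    ],
    "confidential scheduling and voting": [
        Threat("MITM", "high", "high"),
        Threat("sniffing", "high", "high"),
        Threat("DoS", "medium", "high"),
    ],
}


def assess_all(use_cases=USE_CASES) -> dict[str, str]:
    """Overall risk level for every use case."""
    return {name: assess(threats)[0] for name, threats in use_cases.items()}


if __name__ == "__main__":
    for name, threats in USE_CASES.items():
        overall, ranked = assess(threats)
        print(f"{name}: {overall.upper()}")
        for tname, s, lvl in ranked:
            print(f"  {tname:18} {s:6.1f} {lvl}")
```

Note that the same threat (sniffing) lands in a different band for each use case purely through its impact rating; that is the argument for letting the intended use, not the technology, drive the wireless decision.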

Consider Wireless Topology

• Network Topology
  – Wireless as untrusted network
  – Wired as trusted network
  – Separate them with a gateway
  – Install filter to control/monitor traffic at that junction
    • Active monitoring goes in the wireless policy!
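The topology above comes down to a filter at one junction plus someone watching what it drops. The following is an added example, not code from the slides: a first-match packet filter for the wireless/wired gateway with a default deny from the untrusted side, and a monitoring function over its decision log. The address ranges, rule set and sample packets are constructed assumptions.

```python
"""Added example, not from the slides: a first-match packet filter that sits at
the gateway between an untrusted wireless segment and the trusted wired
segment, plus the active-monitoring piece the deck says belongs in the wireless
policy. Addresses, rules and packets are constructed assumptions."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Hypothetical segments (assumptions for the example).
WIRELESS = ip_network("10.200.0.0/16")   # untrusted
WIRED = ip_network("10.10.0.0/16")       # trusted
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    action: str                    # "allow" or "deny"
    proto: Optional[str] = None    # None = any protocol
    dport: Optional[int] = None    # None = any port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


# Order matters: the explicit wireless->wired deny must precede the rule that
# lets wireless clients reach everything else (the internet).
RULES = [
    Rule("wifi->resolver", WIRELESS, ip_network("10.10.0.53/32"), "allow", "udp", 53),
    Rule("wifi->web-proxy", WIRELESS, ip_network("10.10.0.80/32"), "allow", "tcp", 3128),
    Rule("wifi->wired default deny", WIRELESS, WIRED, "deny"),
    Rule("wifi->elsewhere", WIRELESS, ANY, "allow"),
    Rule("wired->wifi", WIRED, WIRELESS, "allow"),
]


def filter_packet(p: Packet, rules=RULES) -> tuple[str, str]:
    """First matching rule decides; anything unmatched is dropped."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return "deny", "implicit default deny"


def apply_policy(packets) -> list[tuple[Packet, str, str]]:
    """Run every packet through the filter and keep the decision log."""
    return [(p, *filter_packet(p)) for p in packets]


def denied_sources(log, threshold: int) -> list[str]:
    """Active monitoring: sources whose denied attempts at the trusted segment
    reach the threshold (e.g. a wireless client probing wired hosts)."""
    hits = Counter(p.src for p, action, _ in log
                   if action == "deny" and ip_address(p.dst) in WIRED)
    return sorted(src for src, n in hits.items() if n >= threshold)


# Constructed sample traffic crossing the gateway.
SAMPLE = [
    Packet("10.200.5.7", "10.10.0.53", "udp", 53),
    Packet("10.200.5.7", "10.10.0.80", "tcp", 3128),
    Packet("10.200.5.7", "203.0.113.10", "tcp", 443),
    Packet("10.200.9.9", "10.10.3.4", "tcp", 22),
    Packet("10.200.9.9", "10.10.3.4", "tcp", 445),
    Packet("10.200.9.9", "10.10.3.5", "tcp", 22),
    Packet("10.10.3.4", "10.200.5.7", "tcp", 8080),
    Packet("192.0.2.1", "10.10.3.4", "tcp", 80),
]

if __name__ == "__main__":
    log = apply_policy(SAMPLE)
    for p, action, rule in log:
        print(f"{action:5} {p.src:>14} -> {p.dst:<14} {p.proto}/{p.dport:<5} ({rule})")
    print("flagged:", denied_sources(log, threshold=3))
```

Two things carry over to a real gateway: rule order (an allow-to-anywhere rule placed before the wireless-to-wired deny would silently open the trusted segment) and the fact that the deny log, not the allow log, is what the monitoring threshold runs over.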

Other Considerations

• How to authenticate
  – Cost, ease of implementation, ease of use
  – PKI may be too much, Open may be too little

• Maintaining confidentiality
  – Encryption – WEP, WPA, IPSec
    • Selection based on sensitivity of data
  – Key management
    • How to distribute
    • Can we change it faster than it can be cracked?

• Availability
  – Most noticeable
  – Productivity losses
  – Media backlash

No WiFi For You!

• Do we allow it or not?
• Is the threat greater than the benefit?
  – Difficult to quantify

• Do we also allow limited wired access if wireless goes down?

• What if wireless keys are shared with outsiders?
• Many other “what ifs”
• See NIST 800-48 for a wealth of information

This Can Be Really Tough!

• Difficulty will cause users to circumvent security measures

• Prepare for your first line of defense to fail (D.I.D.)

• Perhaps we need something more rigorous

• A formal framework with better metrics for making critical decisions

Conclusion

• Are Network Policies such as the ones described tonight silver bullets??

• The answer is NO!!!!

Conclusion

• These are guidelines that need to be enforced, understood, documented and evaluated constantly because the environmental variables (such as new technology) change over time