Nothing strikes fear into the heart of an engineer more than the installation of a firewall to achieve the laudable goal of defense-in-depth through network segmentation. Security teams demand the implementation of firewalls telling everyone, “It’s for compliance!” But the addition of firewalls and other security appliances (aka chokepoints) into an infrastructure infuriates network engineers who design to optimize speed and minimize latency. Sysadmins and DBAs are equally frustrated, because of the increased complexity in building and troubleshooting applications. So it’s down the rabbit hole we go trying to achieve the unachievable with everyone waxing rhapsodic for those bygone days when the end-to-end principle ruled the Internet. Is it really possible to have security coexist with operational efficiency? Organizations seem happy to throw money at technology and operations, but when it comes to policies and procedures, they fail miserably. This is the biggest problem with building a layered design. As engineers, if we don’t have clear policies as a set of requirements, how will we determine the appropriate network segmentation and protections to put in place? The answer lies in aligning network segmentation with an organizational data classification matrix and understanding that while compliance and security often overlap, they’re not the same.

1. Beware the
Firewall, My
Son!
The Jaws That Bite,
The Claws That Catch!
The Workshop*
*With apologies to Lewis Carroll

2. Who Am I?
• Michele Chubirka, aka Mrs. Y.
• Senior security architect.
• Blogs and hosts Healthy
Paranoia, information security
podcast channel of
Packetpushers.
• Researches and pontificates on
topics such as security
architecture and best practices.

3. Agenda
•
•
•
•
•
•
•
Firewall State of the Union
Current Architectural Models
Challenges
Security Vs. Compliance
Design Recommendations
Case Study
Overcoming Barriers

4. Let’s Make it Simpler
Why?
What?
How?

5. Beware the
proxy server,
and shun The
frumious packet
filter!

6. WHY?
What’s the big deal, can’t I just install a
firewall to protect my organization?

7. Recent Findings: Trustwave and Verizon
•
•
•
Customer records make up 89% of
breached data.
92% of breaches come from outsiders.
76% of intrusions utilize weak or stolen
credentials.

8. Death of AV?
• In 2012, SANS and Bruce Schneier publicly criticized
effectiveness of anti-malware protection.
• According to Mikko Hypponen of F-Secure:
“Stuxnet went undetected for more than a year after it
was unleashed in the wild, and was only discovered
after an antivirus firm in Belarus was called in to look
at machines in Iran that were having problems.”

9. Are You Depressed Yet?
The most common password used by
organizations is “Password1” because it
satisfies the default Microsoft Active
Directory complexity setting.

10. Trustwave 2012 Global Security
Report
Only 16% of
compromises
were selfdetected and
attackers had
an average of
173.5 days
before
detection.

11. Verizon Data Breach Report 2013
“…three-quarters of breaches
are of low or very low difficulty
for initial compromise, and the
rest land in the moderate
category.”

12. Verizon Data Breach Investigations Report 2013

13. Verizon Data Breach Investigations Report 2013

14. Verizon Data Breach Investigations Report 2013

15. Verizon Data Breach Report 2013
“When you consider the methods used by attackers
to gain a foothold in organizations—brute force,
stolen creds, phishing, tampering—it’s really not all
that surprising that none receive the highly difficult
rating. Would you fire a guided missile at an
unlocked screen door?”

16. High Profile Attacks
• Major news media organizations compromised.
• DDoS attacks against financial institutions.
• Breach of credit card processor Global Payments
went undetected for over a year with 7 million
accounts compromised.
• Prominent defense contractors penetrated via
information stolen from RSA Security.
Do you think they had firewalls?

17. "The entire security industry is wired so
that the oldest and least effective methods
will profit most….”
Josh Corman, Director of Security
Intelligence at Akamai, the content delivery
network.

18. Why Do We Say We Use Firewalls?
• Infosec design “best practice.”
• Because compliance rules and auditors say so.
• To protect data, applications, servers and users
from attacks.

19. Why Do We Really Use Firewalls?
FUD
(Fear, Uncertainty and Doubt)

20. Why Do We Still Use Firewalls?
According to Infoworld’s Roger Grimes, they “…
need to go away.”
•Most attacks are client-side (http and https) and
can bypass the firewall rules.
•Network choke-points.
•Rules are a mess, often breaking access.
•Management is difficult, at best.
•More of a problem than a solution.

21. Why Do You Hate Firewalls?
I don’t hate
firewalls.
I hate how we use
them.

22. April Fool’s RFC 3514
Firewalls [CBR03], packet filters, intrusion
detection systems, and the like often have difficulty
distinguishing between packets that have
malicious intent and those that are merely unusual.
The problem is that making such determinations is
hard. To solve this problem, we define a security
flag, known as the "evil" bit, in the IPv4 [RFC791]
header.

23. April Fool’s RFC 3093
We propose the Firewall Enhancement Protocol
(FEP).… Our methodology is to layer any
application layer Transmission Control
Protocol/User Datagram Protocol (TCP/UDP)
packets over the HyperText Transfer Protocol
(HTTP) protocol, since HTTP packets are typically
able to transit Firewalls. … FEP allows the best of
both worlds: the security of a firewall, and
transparent tunneling through the firewall.

24. Questions?

25. WHAT?

26. She took her
vorpal sword in
hand:
Long time the
TCP flow she
sought --

27. Definitions Con’t
Firewall
From The Oxford American Dictionary:
A wall or partition designed to inhibit or prevent
the spread of fire. Any barrier that is intended to
thwart the spread of a destructive agent.
A firewall does not prevent a fire.

28. So rested she by
the DMZ,
And stood
awhile in
thought.

29. Current Model: The Sandwich

30. Typical Network Security Segmentation
INET : Public facing, the internet.
CORP : Corporate network, your user community.
DATA : Database systems
APP: Applications
DMZ : Anything requiring public access; web-front ends,
mail, DNS
MGMT : management segment
PCI or other compliance standards are usually wedged in
somewhere as an afterthought.

31. Typical Data Classification Model
•
•
•
•
Routine or Public
Sensitive
Private
Business-Critical or Confidential

32. Routine or Public
Information not presenting a risk to the business if it
were compromised. The lowest degree of protection.
Examples
•Master list of projects
•Employee names associated with public projects or
documents

33. Sensitive
Information not of specific value to an attacker, but it
might provide information that could be useful in an
attack.
Examples:
•Details of a project
•Employee email addresses
•Types of applications used internally

34. Private
Personal information that the organization is required
to keep secure, either by regulation or to maintain the
confidence of its customers. Disclosure could impact
reputation of company.
Examples:
•Credit card information
•Medical data

35. Business-Critical or Confidential
Internal data containing details about how the
organization operates its business. Could affect the
organization's competitive advantage or have a
financial impact if it were compromised.
Examples:
•Intellectual property
•Source code

36. What You Really Get

37. And, as in
uffish thought
she stood,
The firewall,
with eyes of
flame,

38. Data Owner
Member of the management team who makes
decisions regarding data and is ultimately responsible
for ensuring its protection.

39. Data Custodian
Individual, usually in the security department, who is
a delegate appointed by the data owner to oversee
the protection of data. The responsibilities of this role
could also be divided between various roles in an
operations team.

40. The Challenge
• The data owner is responsible for classifying
information within an organization.
• A Security team is responsible for managing the
technical or logical controls for accessing data.
• They are data custodians for the data owners.
• The challenge is to ensure that they closely
align the network security segmentation design
with an information classification matrix.

41. Came whiffling through the Ethernet,
And burbled as it came!

42. Security Vs. Compliance
• Adherence to PCI-DSS, SOX, HIPAA or any other
compliance standard does not equate to
organizational security.
• Compliance is conformance to a standard dictated
by a governing body.

43. Definitions
Compliance - the act of conforming, acquiescing, or yielding. A
tendency to yield readily to others, especially in a weak and
subservient way. Conformity; accordance: in compliance with
orders. Cooperation or obedience.
From The American Heritage Dictionary

44. Definitions
Security - freedom from danger, risk, etc.; safety.
Freedom from care, anxiety, or doubt; well-founded
confidence. Something that secures or makes safe;
protection; defense. Precautions taken to guard against
crime, attack, sabotage, espionage, etc.
From The American Heritage Dictionary

45. Compliance != Security
Venn diagram courtesy of @grecs

46. The Auditor Is Not Your Friend

47. Questions?

48. HOW?
Emphasize strategic
solutions over tactical
ones.

49. One, two! One,
two! And
through and
through
The vorpal
blade went
snicker-snack!

50. Elements of a Good Security Design
• Well-documented data classification model
• Business service catalog
• Technical service catalog

51. Information Classification Best Practices
• Data represents the digital assets of a company.
• Different data has varying levels of value, organized
according to sensitivity to loss, disclosure, or unavailability.
• Data is segmented according to level, then security controls
are applied.
• An information classification matrix represents the
foundation of a security design.
For additional information, see “Understanding Data
Classification Based On Business and Security
Requirements” by Rafael Etges and Karen McNeil

52. The Goal: Enterprise Security Architecture
• Integration of security into the enterprise
architecture.
• Design driven by business needs.
• Built in, not bolted on.
• Utilize frameworks or models such as:
OSA (Open Security Architecture)
SABSA (Sherwood Applied Business
Security Architecture)

53. Definition
Security Architecture
“…the art and science of designing and supervising the
construction of business systems, usually business
information systems, which are: free from danger,
damage, etc.; free from fear, care, etc.; in safe
custody; not likely to fail; able to be relied upon; safe
from attack.”
From Enterprise Security Architecture: A
Business-Driven Approach

54. OSA Design Principles
The design artifacts that describe how the security controls (=
security countermeasures) are positioned, and how they relate to
the overall IT Architecture.

55. A New and Improved DMZ Sandwich
http://www.opensecurityarchitecture.org/cms/images/OSA_ima...
AU-02 Auditable Events
AU-03 Content Of Audit
Records
AU-04 Audit Storage
Capacity
AC-04 Information Flow
Enforcement
SC-10 Network Disconnect
AU-11
Audit Record
Retention
AC-06 Least Privilege
SC-23 Session Authenticity
AC-12 Session Termination
SI-03 Malicious Code
Protection
CM-07 Least Functionality
SI-08 Spam Protection
AU-10 Non-Repudiat ion
SC-05
Denial Of Service
Protection
AU-05 Response To Audit
Processing Failures
SI-06
Security
Functionality Verif..
AU-06 Audit Monitoring,
Analysis, And Repor..
SI-07 Software And
Information Integri..
AU-08 Time Stamps
AU-09 Protection Of Audit
Information
Proxy/Gateway/Web
-minimal services
-hardened configuration
-management/monitoring
by seperate network
interfaces/VLAN
Internal
Services
External
Services
Untrusted public network
e.g. Internet
Default rule: DENY ALL
Enable specific port
and IP addresses.
Stateful inspection and
DOS protection
Load balance/High
availability
External
Firewall
SC-07 Boundary Protection
Internal
Firewall
Bastion
Host
DNS
SC-20 Secure Name /
Address Resolution ..
IDS/IPS
Trusted network
e.g. CorpNet
Default rule: DENY ALL
Enable specific port
and IP addresses/ranges
Stateful inspection
System
SI-04 InformationTools An..
Monitoring
SC-21 Secure Name /
Address Resolution ..
SC-22 Architecture And Na..
Provisioning For
AC-07 Unsuccessful Login
Attempts
http://www.opensecurityarchitecture.org/c
ms/en/library/patternlandscape/286-sp-016dmz-module
OSA is licensed according to Creative Commons Share-alike.
Please see:http://www.opensecurityarchitecture.org/cms/about/license-terms.
AU-07 Audit Reduction And
Report Generation
Actor: Security Operations
Configuration of
environment
Monitoring and response
to emerging threats
CA-03 Information System
Connections
CA-04 Security
Certification
CA-05 Plan Of Action And
Milestones
RA-05 Vulnerability
Scanning
SI-05 Security Alerts And
Advisories

56. SABSA Overview

57. SABSA Model
Contextual Layer – Business policymaking, risk assessment,
requirements collection and specification.
Conceptual Layer – Programs for training and awareness,
business continuity, audit/review, process development,
standards and procedures.
Logical Layer – Security policymaking, classification,
management of security services, audit trail monitoring.
Physical Layer – Development and execution of security rules,
practices and procedures.
Component Layer – Products, technology, evaluation and
selection of standards and tools, project management.

58. SABSA Matrix

59. Security Architecture Lifecycle

60. Form Follows Function
•What's the purpose of the structure? Who must it
serve?
•What's the environment like? Is it closed or open?
What is the context?
•Complex or simple? Think of the technical environment
and the capabilities of those involved.

61. Definitions
Defense-in-depth
According to the Committee on National Security
Systems Instruction No. 4009, National Information
Assurance Glossary, it is defined as:
IA [information assurance] strategy integrating
people, technology, and operations capabilities to
establish variable barriers across multiple layers
and dimensions of networks.

62. Defense-in-depth is comprised of
multiple types of controls, not only
multiples of the same controls.

63. Multi-Layered Security
1. Information Assets
2. Data Security
3. Application Software Security
4. System Software Security
5. Hardware Security
6. Physical Security
7. Procedures, Training, Audit, Business Continuity
8. Policy
It is like an onion!

64. Security Service Types
•
•
•
•
•
•
Prevention
Containment
Detection and notification
Event collection and event tracking
Recovery and restoration
Assurance
Think in terms of services, not products or solutions.
You need to consider all when addressing
requirements.

65. Security as an enabler of
business, not a roadblock.
“Consider the brakes on a car…. having better brakes
enables the car to be driven at much higher speeds,
because the driver now has the confidence that if the
need arises, braking will be fast and efficient.”
From Enterprise Security Architecture: A
Business-Driven Approach

66. She left it dead, and with its NAT
policy, she went galumphing back.

67. Implementing Good Network
Segmentation: Phase One
1. Establish a new network segmentation model, based upon
some of the existing or implicit standards from your
security team.
2. Verify that this will meet current compliance needs,
proactively.
3. Document this fully and get sign off, so that there is an
agreed upon model or standard for all divisions.
4. Build new systems and networks on this design, migrating
legacy systems where possible with minimal impact to
customers and when required for compliance.

68. Implementing Good Network
Segmentation: Phase Two
1. Build a business and service technical catalog, then a full
data classification matrix.
2. Develop the next generation of network segmentation
based upon the data classification matrix.
3. Document this fully, so that there is an agreed upon
model or standard.
Implementation of phase one, will make phase two feasible.
The goal is a thoughtful design that meets the needs of all
customers and divisions within an organization.

69. Case Study: Recovery from PCI-DSS
Audit Failure
1.
2.
3.
4.
Inventory of the cardholder data environment (CDE).
Data classification.
User classification.
Proposed segmentation based upon the intersection
of users and data.
5. Documentation of business rules.
Warning:
You will experience PCI scope creep. Think of anything
touching the CDE as contaminated and plan
accordingly.

70. Now for the Real Challenge

71. Prevention is a hard sell.

72. A NEW KIND OF INGRATITUDE
Who gets rewarded, the central banker who avoids a
recession or the one who comes to "correct" his
predecessors' faults and happens to be there during
some economic recovery?
...everybody knows that you need more prevention than
treatment, but few reward acts of prevention. …We
humans are not just a superficial race (this may be
curable to some extent); we are a very unfair one.
-from “The Black Swan” by Nassim Taleb

73. Selling the Design
• The WAY we present information is just as important
as WHAT we present.
• In the first few minutes we interact with someone,
we’re being assessed for our potential to provide
reward or punishment.

74. The Threat Response
• Cortex receives input.
• Limbic system, the emotional area, and prefrontal
cortex (the executive or evaluator of the brain)
take in data simultaneously.
• Amygdala, responsible for emotional response and
memory, acts as an alarm activating fight/flight
response if threat is perceived.
• Sympathetic nervous system sets up organs and
muscles for fight/flight response.

75. Key Concepts
• The limbic system is an “open loop,” influenced by
other people’s emotions, aka mirror neurons. Also
known as emotional contagion.
• The brain has a negativity bias because the limbic
system is quicker than the prefrontal cortex at
perceiving and analyzing potential threats.
• Traumatic experiences are “stickier” than positive,
happy experiences, i.e. harder to un-map.

76. No Escape From Threat
• Most of us are in a permanent state of cortisol
overload due to the constant stressors of modern life
and the fact that stress hormones stay in the body
for hours.
• This decreases intellectual capacity, memory
capacity and lowers impulse control.
• Stress makes you stupid.

77. Amygdala Hijack
Intense and immediate emotional reaction, followed
by the understanding that it was inappropriate.

78. Examples
• I thought that stick on the ground was a snake!
• I don’t like you or I’m bored, so I won’t cooperate or
listen to what you have to say.
• That guy who cut me off in traffic was trying to kill
me!
• Why were you so insulting to me in that email
yesterday? (studies show there’s a negativity bias in
email.)

79. Thin Slicing: Bedside Manner
• In an analysis of malpractice lawsuits, there was no
correlation between the number of mistakes by
doctors and how many lawsuits were filed against
them.
• In studies, psychologists were able to predict which
doctors would be sued more by analyzing the
amount of time spent with patients and if the tone of
their voices sounded “concerned.”

80. Mirror Neurons
Marie Dasborough observed two groups:
•One group was given negative feedback accompanied
by positive emotional signs, nods and smiles.
•Another was provided positive feedback that was
delivered using negative emotional cues, frowns and
narrowed eyes.

81. Entrainment
• Those who received the positive feedback
accompanied by negative emotional signs reported
that they felt worse than participants who received
negative feedback given with positive emotional
cues.
• Delivery was more important than the message.
• This is similar to a phenomenon known in physics as
entrainment.

82. Conflict Avoidance != Conflict
Resolution
“…conflicts are like fish, and if you put this fish under
the table, what happens after a while? It starts to
smell.”
- George Kohlrieser
By addressing conflict through respectful methods,
opposition can be transformed into an engaged
dialogue.

83. You’re Ready,
Right?

84. Operational Security To Do List
• Focus on containment.
• Improve standardization and documentation.
• Gather metrics. If you can’t measure, you can’t
demonstrate value.
• Visibility and monitoring (and no, that doesn’t
mean email alerts).
• Consistently audit access.
• Emphasize a proactive over reactive posture.
• Be a partner to the business.

85. Warning!
Don’t implement
solutions before
understanding the
problem.

86. And, has thou slain the Firewall?
Come to my arms, my beamish girl!
O stateful day! Callooh! Callay!'
She chortled in her joy.

87. Questions?

88. Where Am I?
Spending quality time in kernel mode practicing and
refining my particular form of snark.
www.healthyparanoia.net
Twitter @MrsYisWhy
Google+ MrsYisWhy
networksecurityprincess@gmail.com
chubirka@packetpushers.net
http://www.networkcomputing.com/blogs/author/Mich
ele-Chubirka

89. References
Covert, Edwin. Using Enterprise Security Architecture S to Align
Business Goals and IT Security within an Organization. Tech.
Columbia: Applied Network Solutions, n.d. Print.
Gladwell, Malcolm. Blink: The Power of Thinking without Thinking. New
York: Little, Brown and, 2005. Print.
Goleman, Daniel, and Richard Boyatzis. "Social Intelligence and
Biology of Leadership." Harvard Business Review (2008): n. pag. Web.
Goleman, Daniel. Working with Emotional Intelligence. New York:
Bantam, 1998. Print.
Grimes, Roger. "Why You Don't Need a Firewall." InfoWorld. N.p., 15
May 2012. Web. 15 May 2012.
<http://www.infoworld.com/d/security/why-you-dont-need-firewall193153?page=0,1>.
Harris, Shon. CISSP Exam Guide. Berkeley, CA: Osborne, 2012. Print.

90. References Con’t
Krebs, Brian. "Krebs on Security." Krebs on Security RSS. N.p., 1 May 2012. Web.
16 Apr. 2013. <http://krebsonsecurity.com/2012/05/global-payments-breachwindow-expands/>.
Krebs, Brian. "Krebs on Security." Krebs on Security RSS. N.p., 17 May 2012. Web.
16 Apr. 2013. <http://krebsonsecurity.com/2012/05/global-payments-breachnow-dates-back-to-jan-2011/>.
Lee, Rob. "Blog." Is Anti-Virus Really Dead? A Real-World Simulation Created for
Forensic Data Yields Surprising Results. SANS, 9 Apr. 2012. Web. 16 Apr. 2013.
http://computer-forensics.sans.org/blog/2012/04/09/is-anti-virus-really-dead-areal-world-simulation-created-for-forensic-data-yields-surprising-results.
"Open Security Architecture." Open Security Architecture. N.p., n.d. Web. 17 Apr.
2013.
Plato, Andrew. "Analysis of the Palo Alto Cache Poison Issue." Anitian Blog. Antian
Security, 3 Jan. 2013. Web. 16 Apr. 2013.
"SABSA." SABSA. N.p., n.d. Web. 17 Apr. 2013.

91. References Con’t
Sherwood, John, Andrew Clark, and David Lynas. Enterprise Security Architecture: A
Business-driven Approach. San Francisco: CMP, 2005. Print.
Trustwave 2012 Global Security Report. Rep. Trustwave, 2012. Web.
Verizon 2013 Data Breach Investigations Report. Rep. Verizon, 2013. Web.
Wan, William, and Ellen Nakashima. "Report Ties Cyberattacks on U.S. Computers to
Chinese Military." Washington Post. The Washington Post, 19 Feb. 2013. Web. 16 Apr.
2013. <http://www.washingtonpost.com/world/report-ties-100-plus-cyber-attacks-onus-computers-to-chinese-military/2013/02/19/2700228e-7a6a-11e2-9a75dab0201670da_story.html>.
Zetter, Kim. "RSA Agrees to Replace Security Tokens After Admitting Compromise."
Wired.com. Conde Nast Digital, 05 June 0011. Web. 16 Apr. 2013.
<http://www.wired.com/threatlevel/2011/06/rsa-replaces-securid-tokens/>.