From data loss to denial of service, cyber attacks are able to shut down an
regulatory penalties, or even criminal charges. All this being said, the
where so-called "zero-day" attacks are occurring with alarming frequency, it's
enough to cause many a sleepless night for IT managers and business owners
IT environments today are generally woefully lacking in visibility, with most environments employing very basic security controls, usually just a firewall and some anti-virus. The following is a logical diagram of the components a well-thought-out secure infrastructure should contain:
[Diagram: Headquarters site (IPS, Firewall, VPN) and two remote offices (VPN), connected over the Internet]
WHITE PAPER
The Definitive Guide to IT Security
As can be seen from this diagram, there are two remote offices connected back to the headquarters site via encrypted site-to-site VPNs. This is traditionally known as the "hub-and-spoke" model, and in some cases the connectivity between offices is provided over a layer-2 network from the ISP (e.g. MPLS). Note here that

encrypting this traffic, thus trusting the privacy of an ISP-provided private network, means you are allowing raw unencrypted packets to leave your network (and thus your control). Considering that ISPs typically provide these networks by encapsulating over layer-3 routers, that gives plenty of opportunity for eavesdropping on such
IPS/IDS
Typically sitting at the edge of your network, the IPS (Intrusion Prevention System) watches your traffic in real time and attempts to block requests that are deemed a security risk. This component is essential for real-time network protection, and many compliance auditors will insist on it being available. One thing to note here is that the IPS can only read (and thus protect) unencrypted data, so an IPS with a built-in SSL/TLS proxy is critical for complete coverage. This typically works by terminating any SSL/TLS session at the IPS, decrypting, analyzing, then re-establishing the session with the remote website. Unfortunately this will necessitate pushing out a root certificate to all of your internal systems. This is required to prevent user browsers from displaying the "invalid certificate" warning, since the IPS has to impersonate every SSL/TLS site that users visit. This is also known as a Man-in-the-Middle (MITM) proxy, and while it can take a little time to roll out properly, it is highly recommended as a significant amount of malware comes in over SSL/TLS connections. Two caveats to plan for: the private key behind that root certificate lets whoever holds it impersonate any site to your users, so it must be generated on and kept in the IPS (ideally in a hardware key store) and never copied to a workstation; and because your users can no longer see the real site's certificate, the proxy itself must validate upstream certificates strictly rather than accept anything. Applications that pin their certificates will fail through such a proxy and need explicit bypass rules.
FIREWALL
The ubiquitous firewall typically requires no introduction, or explanation of why it is critical. This device ensures that internal services stay internal and are inaccessible by external users, except where explicitly permitted. Firewalls should be used to control traffic between all internal zones, and rules should be reviewed regularly to ensure old rules are not left lying around. Ensure that your firewall can handle the throughput of your network, and that it is a stateful firewall. You should also use your firewall to segregate your network into multiple firewall zones, one for each segment (VLAN) of your network, and limit the traffic between zones to legitimate traffic only, with a default-deny rule at the end of every inter-zone policy; anything accessible from the outside should be in its own DMZ network. This will limit the effectiveness of any malware that infects your network, and slow down, or halt, its spread throughout your organization.
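To make the zone and rule-review advice concrete, the following is an added example (not part of the white paper, and not any firewall vendor's syntax) of a small audit that walks a zone-based rule set and flags the patterns a reviewer would reject: any-to-any rules, rules that let the Internet reach an internal zone instead of the DMZ, inter-zone rules with every port open, and rules nobody has reviewed within an assumed 90-day interval. The rule model, the zone names and the sample rules are constructed for illustration.

```python
"""Zone-policy audit for the rule-hygiene problems described above.

Added example: not from the white paper and not any vendor's syntax. The
rule model, the zone names (internet, dmz, users, servers) and the 90-day
review interval are assumptions; the sample rule set is constructed.
"""
from dataclasses import dataclass
from datetime import date

ANY = "any"
INTERNAL_ZONES = {"users", "servers"}   # assumed internal segments (VLANs)
REVIEW_INTERVAL_DAYS = 90               # assumed policy: every rule re-justified quarterly


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dst_port: str            # "any" or a single port number as a string, e.g. "443"
    last_reviewed: date


def audit(rules, today):
    """Return (rule name, finding) pairs for every check a rule fails."""
    findings = []
    for r in rules:
        age = (today - r.last_reviewed).days
        if r.src_zone == ANY and r.dst_zone == ANY:
            findings.append((r.name, "any-to-any: permits all inter-zone traffic"))
        elif r.src_zone == "internet" and r.dst_zone in INTERNAL_ZONES:
            findings.append((r.name, "internet reaches an internal zone directly; "
                                     "publish the service from the DMZ instead"))
        if r.dst_port == ANY and r.src_zone != r.dst_zone:
            findings.append((r.name, "every port open between zones; "
                                     "restrict to the service ports actually used"))
        if age > REVIEW_INTERVAL_DAYS:
            findings.append((r.name, f"not reviewed for {age} days; "
                                     "confirm it is still needed or remove it"))
    return findings


# Constructed sample rule set (illustration only).
SAMPLE_RULES = [
    Rule("web-in",       "internet", "dmz",     "443",  date(2019, 4, 1)),
    Rule("dmz-to-db",    "dmz",      "servers", "5432", date(2019, 4, 1)),
    Rule("rdp-direct",   "internet", "servers", "3389", date(2018, 1, 15)),
    Rule("temp-allow",   ANY,        ANY,       ANY,    date(2017, 6, 30)),
    Rule("users-to-srv", "users",    "servers", ANY,    date(2019, 4, 1)),
]
AUDIT_DATE = date(2019, 5, 1)

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES, AUDIT_DATE):
        print(f"{name}: {finding}")
```

Run against the sample set, the two DMZ-style rules pass, the direct RDP rule and the "temporary" any-to-any rule each produce two findings, and the users-to-servers rule is flagged only for opening every port. The same checks can be run over an export of a real firewall's rule table once a small parser maps its fields onto the Rule record.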
VPN
The VPN device handles all VPN traffic for end users and remote sites. The VPN server should be powerful enough to handle multiple concurrent connections at a strong encryption level. Typically we recommend IPsec (using AES encryption) for site-to-site connections, with client-based connections coming in over SSL VPN technology (again, using AES). All users should use VPN tunnels to access any administrative ports, and where possible, web servers should be configured to allow access to administration URLs only from specific source IP addresses (for example the VPN address pool). This reduces the number of ports exposed to compromise, and significantly reduces your attack surface area.
WAF
The Web Application Firewall (WAF) is a form of IPS, in that it proxies all traffic from the outside to internal web servers. These servers include off-the-shelf products, such as Microsoft Exchange, as well as custom sites, either built from scratch or based on a framework such as WordPress. Web application firewalls examine specific HTTP requests, and perform checks to stop common web
Command Injection, and much more (e.g. the OWASP Top-10). Again, these devices can only do their work if the traffic can be decrypted, so this device should include SSL offloading, where the WAF takes care of the SSL/TLS connection to the client and speaks to the backend web server over a separate encrypted connection.
SIEM/SENSOR
Tying all the previously mentioned components together is the Security Information & Event Management (SIEM) system. This system should be able to ingest data from all sources (IPS/IDS, firewall, logger, VPN, vulnerability scanner and endpoint agents), as well as monitor raw packets on your network (internal IDS), analyze NetFlow data, and correlate all these data sources to provide actionable alerts across your network. The SIEM is essentially the brains of the security strategy, and is a very important component to tie everything together. Additionally, each remote site should have a sensor device that looks at local switch mirror ports, collects local data, and forwards it to the main
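The correlation a SIEM performs is easiest to see on realistic input. The following is an added example, not the white paper's or any product's code: it reads constructed syslog-style lines from a VPN concentrator and a firewall (the line format is an assumption), and raises an alert when a source IP fails VPN authentication five or more times within five minutes and then succeeds, and when one source is denied on ten or more distinct destination ports. The thresholds are assumptions to be tuned to your environment.

```python
"""SIEM-style correlation across two log sources (VPN auth and firewall).

Added example: not from the white paper or any product. The syslog-like
line format, every sample line, and the thresholds are constructed
assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

VPN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) vpn: (?P<result>FAIL|OK) "
                    r"user=(?P<user>\S+) src=(?P<src>\S+)$")
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) fw: DENY "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

BRUTE_WINDOW = timedelta(minutes=5)   # assumed: count failures inside a 5-minute window
BRUTE_FAILURES = 5                    # assumed: 5+ failures followed by a success = alert
SCAN_PORTS = 10                       # assumed: 10+ distinct denied ports from one source = alert


def correlate(lines):
    """Return alert dicts for the given log lines, which must be in time order."""
    alerts = []
    failures = defaultdict(deque)     # src -> timestamps of recent VPN auth failures
    denied_ports = defaultdict(set)   # src -> distinct destination ports the firewall denied
    scan_reported = set()
    for line in lines:
        m = VPN_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"])
            q = failures[m["src"]]
            while q and ts - q[0] > BRUTE_WINDOW:    # expire failures outside the window
                q.popleft()
            if m["result"] == "FAIL":
                q.append(ts)
            elif len(q) >= BRUTE_FAILURES:          # success right after a burst of failures
                alerts.append({"type": "vpn_bruteforce_success", "src": m["src"],
                               "user": m["user"], "failures": len(q), "at": m["ts"]})
                q.clear()
            continue
        m = FW_RE.match(line)
        if m:
            src = m["src"]
            denied_ports[src].add(m["dport"])
            if len(denied_ports[src]) >= SCAN_PORTS and src not in scan_reported:
                scan_reported.add(src)               # one alert per scanning source
                alerts.append({"type": "port_scan", "src": src,
                               "ports": len(denied_ports[src]), "at": m["ts"]})
    return alerts


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    # five failures, but the success comes ten minutes later: outside the window, no alert
    *[f"2019-05-01T09:00:{i*10:02d} vpn01 vpn: FAIL user=bob src=192.0.2.77" for i in range(5)],
    "2019-05-01T09:10:00 vpn01 vpn: OK user=bob src=192.0.2.77",
    # six failures in 24 seconds followed by a success: brute force that worked
    *[f"2019-05-01T10:00:{1+i*4:02d} vpn01 vpn: FAIL user=alice src=198.51.100.9" for i in range(6)],
    "2019-05-01T10:00:25 vpn01 vpn: OK user=alice src=198.51.100.9",
    # one mistyped password: normal behaviour, no alert
    "2019-05-01T10:30:00 vpn01 vpn: FAIL user=carol src=203.0.113.5",
    "2019-05-01T10:30:15 vpn01 vpn: OK user=carol src=203.0.113.5",
    # one source probing ten different ports on the DMZ web server
    *[f"2019-05-01T11:00:{i:02d} fw01 fw: DENY src=203.0.113.50 dst=192.0.2.10 dport={p}"
      for i, p in enumerate([22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080])],
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(a)
```

The point of the first rule is that neither source alone is interesting: a failed login is noise and a successful login is normal, but a success that immediately follows a burst of failures from the same address is worth a ticket. A real SIEM applies the same pattern across many more sources (IDS alerts followed by an outbound connection from the targeted host, for instance) and carries the source reputation between rules.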
VULNERABILITY SCANNER
The vulnerability scanner is critical for proactive security. This device will scan the network
periodically (typically recommended at least once a week) to seek out vulnerable systems, or services
that should not be open. Finding and fixing a vulnerability before it is exploited is the ideal situation,
and makes it that much harder for your network to be compromised. An ideal scanner will include
both network and web application testing, and should be tunable to select how aggressive the scan
ENDPOINT
Endpoint protection comes in many flavors, but this system essentially manages the agent's locations
many systems as possible to ensure that security is being monitored locally. In addition to Anti-Virus
and Anti-Malware agents, there should also be a Host Intrusion Detection (HIDS) agent installed. This
agent will ensure that logs are converted and sent to the Logger, and critical system files are
monitored (e.g. Windows registry and system files). The HIDS agent should also detect rootkit activity.
Additionally, on critical systems a File Integrity Monitoring (FIM) agent should be installed. This reports
back file changes, adds and deletions for specific sensitive directories, and is another critical
requirement for many compliances, such as PCI and HIPAA. Finally, full-disk-encryption should be
deployed to all critical systems, and especially any laptop systems that leave your network. Laptop theft is one of the most common ways data loss occurs, and if you value your corporate data and want to ensure that it stays out of the hands of unauthorized users, encrypting the drive is critical.
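File integrity monitoring as described above boils down to a hashed baseline and a comparison against it. The following added example (not the paper's or any agent vendor's code) takes a SHA-256 baseline of a directory tree and reports additions, changes and deletions; the demo function builds a throwaway directory with constructed files, tampers with it the way an intruder would, and returns the three sets a FIM report would contain.

```python
"""File integrity monitoring: SHA-256 baseline of a tree and a diff against it.

Added example: not from the white paper or any FIM product. The demo
directory, its files and the tampering are constructed in a temporary
location so the script runs offline.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map each file (path relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests


def compare(old, new):
    """Return (added, changed, deleted) as sets of relative paths."""
    added = set(new) - set(old)
    deleted = set(old) - set(new)
    changed = {p for p in set(old) & set(new) if old[p] != new[p]}
    return added, changed, deleted


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Baseline a constructed directory, then tamper with it like an intruder:
    weaken a config file, drop a new binary and delete a log. Returns the
    (added, changed, deleted) sets that a FIM report would contain."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/sshd_config", b"PermitRootLogin no\n")
        _write(root, "bin/sshd", b"\x7fELF original")
        _write(root, "etc/audit.log", b"boot ok\n")
        before = baseline(root)
        _write(root, "etc/sshd_config", b"PermitRootLogin yes\n")   # changed
        _write(root, "bin/backdoor", b"\x7fELF dropped")             # added
        os.remove(os.path.join(root, "etc", "audit.log"))            # deleted
        return compare(before, baseline(root))


if __name__ == "__main__":
    added, changed, deleted = demo()
    print("added:", sorted(added), "changed:", sorted(changed), "deleted:", sorted(deleted))
```

The baseline is only useful if it is stored somewhere the monitored host cannot rewrite (sent to the logger or SIEM, for example); an attacker with root on the host who can also edit the baseline simply re-baselines after making changes. Agents in practice also record ownership and permission bits, and compare on a schedule or on file-system change notifications rather than by walking the whole tree.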
BACKUP
When all else fails, make sure you have good backups. The security solutions above are all essential to detecting and preventing data loss in your network; however, no solution on the planet is 100% effective. With new threats emerging every hour of every day, and your own users being a big potential security risk as they bring in unauthorized USB keys, use personal email accounts, and trawl the latest social media sites, being 100% secure is a fantasy. It's often said that the most secure system is one that is unplugged and buried a mile underground, but even that cannot be guaranteed to be entirely safe! Backups, then, are the biggest failsafe you can have. If, for example, you are attacked by a new flavor of ransomware, it's much easier, and cheaper, to simply restore from the last backup than to pay the ransom. For that to work, at least one copy of the backups must be offline or otherwise unwritable from the production network, since ransomware that can reach a backup share will encrypt it too, and restores should be tested regularly. Backup strategy should encompass all servers, network device configurations, security device logs, and anywhere users store data: their workstations, file shares, cloud storage systems, etc. Do not trust that a cloud file sharing service is backing up your data. Even if they are, they rarely release it if you are compromised; their backups are purely for their own internal recovery. Additionally, cloud CRM and ERP systems are often neglected. These systems should be backed up regularly to your own backup systems too, as they contain all the operational data needed to keep your organization running. For backups the rule of thumb is to back up as much as you can: it's always better to have more and not need it, than less and find out you don't have it when you need it!
LOGGER
The logger is a system that stores logs from all of your servers and devices. This includes switches, firewalls, routers, workstations, servers, and IoT (Internet of Things) devices. Centralized logging helps with troubleshooting when problems occur. More importantly, having a separate copy of a server's logs is very helpful if a malicious user or application tampers with that server's logs, which is why logs should be forwarded as they are generated rather than collected later. The logger should sign (or hash-chain) all logs to ensure that the data has not been tampered with, and the retention period should be appropriate to your organization (based on any regulatory compliances or internal policies). The
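Signing logs so that tampering is detectable can be done with a keyed hash chain: each record authenticates its own content together with the MAC of the record before it. The following added example (not the paper's or any logging product's code) implements that with HMAC-SHA256 and shows that editing or deleting an entry is detected at the first affected record; the key and the sample log entries are constructed.

```python
"""Tamper-evident log store: an HMAC chain over log records.

Added example: not from the white paper or any logging product. Each record
carries an HMAC-SHA256 over its sequence number, the previous record's MAC
and its message, so editing, deleting or reordering any record breaks the
chain from that point on. The key and the sample entries are constructed.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64   # MAC "before" the first record


class ChainedLog:
    def __init__(self, key: bytes):
        self._key = key        # held by the logger only; log sources never see it
        self.records = []

    def _mac(self, seq, prev_mac, message):
        data = json.dumps([seq, prev_mac, message], separators=(",", ":")).encode()
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def append(self, message):
        seq = len(self.records)
        prev = self.records[-1]["mac"] if self.records else GENESIS
        self.records.append({"seq": seq, "prev": prev, "msg": message,
                             "mac": self._mac(seq, prev, message)})

    def verify(self):
        """Return None if the chain is intact, else the index of the first bad record."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["seq"] != i or rec["prev"] != prev:
                return i                               # gap, deletion or reordering
            if not hmac.compare_digest(rec["mac"], self._mac(i, prev, rec["msg"])):
                return i                               # content edited or MAC forged
            prev = rec["mac"]
        return None


def demo():
    """Build a short chain and show that each kind of tampering is caught."""
    log = ChainedLog(b"constructed-demo-key")          # a real key: 32 random bytes
    for msg in ["sshd: Accepted publickey for admin from 10.0.0.5",
                "sudo: admin : COMMAND=/bin/bash",
                "sshd: Accepted password for root from 198.51.100.9",
                "sshd: session closed for user root"]:
        log.append(msg)
    intact = log.verify()                               # None: nothing touched
    original = log.records[2]["msg"]
    log.records[2]["msg"] = "sshd: Connection closed"   # attacker rewrites the incriminating line
    edited = log.verify()                               # 2
    log.records[2]["msg"] = original
    del log.records[1]                                  # attacker deletes a line instead
    deleted = log.verify()                              # 1
    return intact, edited, deleted


if __name__ == "__main__":
    print(demo())
```

Because the key lives only on the logger, a compromised source host cannot produce records that verify, and an attacker who reaches the logger's storage but not its key cannot rewrite history without breaking the chain. Truncation of the most recent records is the one attack a chain alone does not reveal; the usual answer is to periodically publish or sign the current chain head somewhere the logger cannot later alter.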
Other Considerations
In addition to the above security devices required to secure your network, there are a number of other items that should be covered when thinking about security. A good starting point is the following list:
Multi-Factor Authentication
Password protection is the most common way of securing systems today. However, it also has a critical flaw: it can be easily compromised. If a user sets a weak password, a simple brute-force attack might find it in minutes. If the password is too complex, users will sometimes write it down and stick it on their desk! Forcing users to change passwords too often can lead to a false sense of security too, as users are again more likely to write it down. A much better solution is to require users to use multi-factor (or 2-factor) authentication. This means that the user will have to provide something they know (their password), and something they have (e.g. a token with a changing code every minute). This is much more difficult to crack, as most people are compromised by malicious hackers located far away who are unlikely to have access to the physical token. Many MFA & 2FA solutions include a variety of token technology, including smartphone apps, making it easy for your users to carry tokens without any extra hardware.

Consider having your users utilize "passphrases" instead of passwords. The biggest determiner of how fast a brute-force cracker can guess a password is the length of the password. Educating users to use longer (15-20 character) passphrases (simple sentences, with spaces and punctuation) means they are much more likely to remember them without writing them down, and this also means you can reduce, or eliminate if using multi-factor, regular password changes.

Keeping your systems up-to-date is critical to ensure the security of your systems and your network. Ensure that all systems are updated regularly (monthly at the very least).

[Infographic: 43% ... half of those were intentional, while the other half were due ...]

User Training
One of the biggest security flaws in your network is the people in your network. People who have not had security
approach, sending out large numbers of emails to random people claiming to be from a popular social media site or a well-known bank, hoping that the recipient is tricked into thinking the email is about their account and will click the
and target specific organizations or even people. Imagine a malicious user pretending to be your finance team and asking a customer to change their wire details so that instead of payment coming to you, it goes to a malicious bank account. We've seen this happen, and all it required was access to one user's email account. Don't expect law enforcement to be able to fix everything either; most of the time in situations like that, the money is irrecoverable. The best way to combat this, and the many other ways
saying that such training, if provided, should be mandatory for all users to attend!
users that your organization is serious about security, and also provides some legal standing. This is especially important in publicly traded companies, but can also come into play with private organizations of all sizes. Showing policies are in place, as well as user training as discussed above, is a good way to ensure that your organization is seen as being proactive (as opposed to negligent) in its mission to secure sensitive data.

High-Risk Devices
Today there is a rapid proliferation of what we would term "high risk" devices. These devices typically fall under the Internet of Things (IoT) category, and due to their outward appearance are often neglected as part of any security evaluation. However, these devices typically contain full operating systems (e.g. Linux or Windows embedded editions), and often manufacturers of these devices spend very little effort on securing them. An endless list of devices

External Penetration Testing
Performing regular testing from outside your network is critical in ensuring that your infrastructure remains secure. Often a requirement in many compliances (e.g. HIPAA and PCI-DSS), this should be considered by all companies as part of their security strategy. This basically involves performing both manual and automated scans of your external IP addresses, thoroughly testing any open services found (e.g. web servers, email servers, etc). This should include (but is not limited to) checking software versions for known vulnerabilities, testing for insecure configurations (e.g. allowing anyone to send email through your email server), performing a full web application scan of any web applications, and checking SSL certificates for validity & strong encryption/hashing. Doing this is critical to knowing your external attack surface is as small as it can be, and doing this regularly will ensure that accidental misconfiguration does not expose your organization to unnecessary risk.
However, there are some drawbacks to this - you can never
"black box testing"), and typically cannot test non-web
through the source code and finds every single path through the application, and can find issues buried deep in the code this way. Therefore, these two methodologies, in addition to
ensuring that your customers are protected, and that (in the
secure too.

[Infographic: $2.1 trillion, according to insurers Lloyd's of London]

One place often neglected are any applications you may be
applications? Do they provide security awareness training to their developers? In some cases, it may also be possible to scan their application yourself before deployment. Doing a dynamic test (DAST) is straightforward, but even though they may not give you their source code, it is also often possible to still do a static analysis (SAST) test of their application. Depending on the technology (Java & .NET being the easiest), there are tools that can look at the bytecode and perform an exhaustive test to find vulnerabilities across their application. Being diligent about third-party applications on your network can, and will, drastically reduce the attack surface area in your infrastructure.
THE SOLUTION
This whitepaper has covered many aspects of security, but still only scratches the surface of what you can, and should, do. Doing all of the above will drastically improve your security, but there is always more that can be done. Integration is a big part of security too, so ensuring all the components work together seamlessly is critical also. There are a couple of ways to go about this: buy all the tools and integrate yourself, or buy a device that is fully integrated. Depending on your available resources and budget, buying everything individually and integrating yourself will provide the absolute bleeding edge of security. However, this strategy is typically unrealistic for all but the largest banks, governments and financial institutions with legions of security professionals on staff.

RackFoundry TSM
Total Security Management (TSM) by RackFoundry is a powerful integrated suite of security tools that will allow you to solve most of the security vectors covered in this document, allowing you to be secure, and compliant, in one easy, affordable step. No matter if you have one small office with 20 assets, or dozens of offices all over the world with thousands of assets, TSM will scale with you and your environment, giving you a single-pane management experience, and comes with security expertise built in! Our philosophy at RackFoundry is to help organizations be secure no matter their budgetary constraints or security resources available.
[Diagram: Headquarters site with the TSM Security Module / Console, and remote offices connected over the Internet via VPN]
SIEM: Log Management, Event Management, Event Correlation, Reporting, Ticket Management
DETECTION: Asset Discovery, Network IDS, Host IDS, Netflow, Packet Capture, Vulnerability Scans
PERIMETER PROTECTION: Firewall
GATEWAY FEATURES: Routing, DHCP Service, DNS Relay
TUNNEL FEATURES:
HARDWARE FEATURES: SSD-based Storage
MANAGEMENT: 24/7 Monitoring
If you would like to know more about TSM or how we can help you secure your
infrastructure, please contact us at info@rackfoundry.com, and one of our engineers
will be happy to walk you through a quick overview.
About RackFoundry
RackFoundry™, the maker of Total Security Management (TSM), is a leader in complete coverage security appliances, secure cloud services and professional services such as SecurityXpert, which provides security expertise to organizations of all sizes and industries. The RackFoundry security team, FortressLabs™, helps find new vulnerabilities in the wild, mitigate any found
© 2019 RackFoundry, Inc.