3rd party connectivity to the website 2015-08-04

Posted on 21-Aug-2015


Dos and Don’ts for Managing External Connectivity to/from Your Network

Prof. Avishai Wool, CTO and Co-Founder

Confidential 2

Agenda

1. The Basics
2. Maintaining Your External Connections
3. Secure Routing
4. Managing Third Party Connections with AlgoSec

1. The Basics


What is an External Connection?

An external organization that needs a permanent network connection that allows access to/from internal networked servers:

• Market data feeds
• Access to supplier databases
• Messaging gateways, etc.

What is not an external connection?
• Customer access to web portal; remote offices; VPN access for field teams

Poll

• How many external connections do you estimate you handle?
  • Less than 50
  • 50-250
  • More than 250
  • I wish I knew

Legal Aspects

• There is a contract governing the connection
• Technical sections of the contract may specify:
  • IP addresses and ports
  • Technical contact points: internal and external
  • SLAs
  • Problem resolution and escalation processes
  • Testing procedures
  • Physical location of servers
  • … and more…

Who Do You Trust?

• The other side of the connection is semi-trusted
• Place servers in a DMZ
• Segregate DMZ by firewalls
• Restrict traffic in both directions
• Additional controls to consider:
  • Web application firewall (WAF)
  • Data Leak Prevention (DLP)
  • Intrusion Detection (IDS/IPS)

Are you a Target?

“Getting from a procurement portal to a cardholder data environment is a long road”

“Only highly skilled hackers could find a way around such network segmentation”

“… If Target gave the vendor too much access to the network the blame lies firmly with Target…”

Network Architecture

[Diagram: Internal Network, DMZ, Peer’s DMZ]

Network Segmentation

Define the filtering policy as a connectivity matrix:

[Diagram: connectivity matrix between Internal Network, DMZ and Peer’s DMZ]

Zoom In: From/To the Peer DMZ

[Diagram: flows from/to the Peer’s DMZ, between Internal Network, DMZ and Peer’s DMZ]

Zoom In: From/To Our DMZ

[Diagram: flows from/to our DMZ, between Internal Network, DMZ and Peer’s DMZ]

Regulatory Compliance

If the data being accessed over the external connection is regulated, the systems and possibly the peer’s systems are subject to audit!

• PCI 3.0: If the connection touches credit card data then both sides of the connection are in scope

• Outsourcing does not let you off the hook…


Planned Changes and Unexpected Outages

2. Maintenance


Reasons for Maintenance

Planned changes:
• By the IT staff
• By the peer
• Networking changes
• …

Unplanned outages:
• Server or network element down
• Device misconfiguration
• …


Knowledge is Power

Change/outages affect an external connection:
• Remember the contract!
• Coordinate with peers
• Workflow

• Your Information Systems should:
  • Allow teams to recognize external connections
  • Provide access to relevant information: contact points, contract, SLAs, etc.
  • Support the tweaked workflows

3. Routing Considerations



Routing Considerations

• Your peer obviously has an Internet connection…
• You do not want to use your peer as an ISP!
• and you do not want to be their ISP either

Tips:
1. Point the default route toward the “trusted” side
2. No dynamic routing protocols (no BGP/OSPF)
3. … and filter irrelevant traffic (in both directions)

Default Routes Point Inwards

[Diagram: Internal Network, DMZ, Peer’s DMZ; the peer network is 3.3.3.0/24, and the two 0.0.0.0/0 default routes each point inward, toward their own side]

4. Managing External Connections with AlgoSec


What-If Risk Check

• How were the risks checked?
• Network segmentation matrix!
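The connectivity-matrix check that the Network Segmentation and What-If Risk Check slides describe, as an added Python example (not AlgoSec's code or the presenter's): zones, a matrix of permitted flows between them, and a what-if function that reports which proposed rules the matrix rejects. Only the peer prefix 3.3.3.0/24 comes from the deck; the other prefixes, ports and addresses are constructed, and the model covers only the firewalls on the peer link.

```python
import ipaddress

# Zones of the deck's architecture. Only 3.3.3.0/24 (the peer) appears on the slides;
# the other prefixes are constructed sample values.
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "peer_dmz": ipaddress.ip_network("3.3.3.0/24"),
    "peer_internal": ipaddress.ip_network("3.4.0.0/16"),
}

# Connectivity matrix: (source zone, destination zone) -> permitted TCP ports.
# Any pair not listed is denied, in both directions; internal hosts never talk
# to the peer directly, only through our DMZ. Port choices are constructed.
MATRIX = {
    ("internal", "dmz"): {443},     # internal apps reach our DMZ relay
    ("dmz", "peer_dmz"): {443},     # pull market data / supplier DB via peer DMZ
    ("peer_dmz", "dmz"): {25},      # peer's messaging gateway delivers to our DMZ
}

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known prefixes is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def check_flow(src: str, dst: str, port: int) -> tuple[bool, str]:
    """Decide one flow against the matrix and say why, so a review can cite the cell."""
    s, d = zone_of(src), zone_of(dst)
    # Routing tip: neither side is the other's ISP, so the peer link carries no transit.
    if "internet" in (s, d) and (s.startswith("peer") or d.startswith("peer")):
        return False, f"{s}->{d}: the peer link must never carry Internet transit"
    allowed = MATRIX.get((s, d), set())
    if port in allowed:
        return True, f"{s}->{d}:{port} permitted by matrix"
    return False, f"{s}->{d}:{port} not in matrix (allowed: {sorted(allowed) or 'none'})"

def what_if(proposed_rules: list[tuple[str, str, int]]) -> list[str]:
    """What-if risk check: the reasons for every proposed rule the matrix rejects."""
    return [reason for (src, dst, port) in proposed_rules
            for ok, reason in [check_flow(src, dst, port)] if not ok]

if __name__ == "__main__":
    # Constructed change request: a relay flow, direct internal access, and DNS out via us
    request = [("192.0.2.5", "3.3.3.10", 443),
               ("10.1.2.3", "3.3.3.10", 443),
               ("3.3.3.10", "8.8.8.8", 53)]
    for reason in what_if(request):
        print("REJECT:", reason)
```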


Prepare: Risk Profile from Spreadsheet


Summary

• External connections require special attention
• Design your network architecture carefully
• IT systems should assist the teams:
  • Recognize the external connections
  • Track relevant information
  • Intelligently support planned and unplanned maintenance scenarios

More Resources


Thank You
