Dos and Don’ts for Managing External Connectivity to/from Your Network
Prof. Avishai Wool, CTO and Co-Founder
Confidential 2
Agenda
1. The Basics
2. Maintaining Your External Connections
3. Secure Routing
4. Managing Third Party Connections with AlgoSec
1. The Basics
What is an External Connection?
An external organization that needs a permanent network connection that allows access to/from internal networked servers:
• Market data feeds
• Access to supplier databases
• Messaging gateways, etc.
What is not an external connection?
• Customer access to a web portal; remote offices; VPN access for field teams
Poll
How many external connections do you estimate you handle?
• Less than 50
• 50-250
• More than 250
• I wish I knew
Legal Aspects
• There is a contract governing the connection
• Technical sections of the contract may specify:
  • IP addresses and ports
  • Technical contact points: internal and external
  • SLAs
  • Problem resolution and escalation processes
  • Testing procedures
  • Physical location of servers
  • … and more…
Who Do You Trust?
• The other side of the connection is semi-trusted
• Place servers in a DMZ
• Segregate the DMZ by firewalls
• Restrict traffic in both directions
• Additional controls to consider:
  • Web application firewall (WAF)
  • Data Leak Prevention (DLP)
  • Intrusion Detection (IDS/IPS)
Are you a Target?
"Getting from a procurement portal to a cardholder data environment is a long road"
"Only highly skilled hackers could find a way around such network segmentation"
"… If Target gave the vendor too much access to the network the blame lies firmly with Target…"
Network Architecture
[Diagram: Internal Network, DMZ, Peer's DMZ]
Network Segmentation
Define the filtering policy as a connectivity matrix:
[Diagram: connectivity matrix across Internal Network, DMZ and Peer's DMZ]
Zoom In: From/To the Peer DMZ
[Diagram: flows to/from the Peer DMZ, across Internal Network, DMZ and Peer's DMZ]
Zoom In: From/To Our DMZ
[Diagram: flows to/from our DMZ, across Internal Network, DMZ and Peer's DMZ]
Regulatory Compliance
If the data being accessed over the external connection is regulated, the systems and possibly the peer’s systems are subject to audit!
• PCI 3.0: If the connection touches credit card data then both sides of the connection are in scope
• Outsourcing does not let you off the hook…
2. Maintenance
Planned Changes and Unexpected Outages
Reasons for Maintenance
Planned changes:
• By the IT staff
• By the peer
• Networking changes
• …
Unplanned outages:
• Server or network element down
• Device misconfiguration
• …
Knowledge is Power
Changes/outages affect an external connection:
• Remember the contract!
• Coordinate with peers
• Workflow
Your Information Systems should:
• Allow teams to recognize external connections
• Provide access to relevant information: contact points, contract, SLAs, etc.
• Support the tweaked workflows
3. Routing Considerations
Routing Considerations
• Your peer obviously has an Internet connection…
• You do not want to use your peer as an ISP!
• And you do not want to be their ISP either
Tips:
1. Point the default route toward the "trusted" side
2. No dynamic routing protocols (no BGP/OSPF)
3. … and filter irrelevant traffic (in both directions)
Default Routes Point Inwards
[Diagram: Internal Network, DMZ, Peer's DMZ (3.3.3.0/24); the default routes (0.0.0.0/0) on each side point inward, toward the trusted side]
4. Managing External Connections with AlgoSec
What-If Risk Check
• How were the risks checked?
• Network segmentation matrix!
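The segmentation-matrix check described above, as an added illustration that is not AlgoSec's code or the talk's own: three zones with a constructed connectivity matrix (all addresses and ports are assumed except the 3.3.3.0/24 peer prefix from the routing slide), and proposed firewall rules are classified against it; a source such as 0.0.0.0/0 that is not confined to one zone is sent for review rather than silently allowed.

```python
from ipaddress import ip_network

# Constructed zones (addresses are assumed; only 3.3.3.0/24 appears on the slides).
ZONES = {
    "internal": ip_network("10.0.0.0/8"),
    "dmz": ip_network("192.168.100.0/24"),
    "peer_dmz": ip_network("3.3.3.0/24"),
}

# Constructed connectivity matrix: (src_zone, dst_zone) -> allowed TCP ports.
# Pairs not listed are denied, so the peer can never reach the internal network directly.
MATRIX = {
    ("internal", "dmz"): {443, 1433},
    ("dmz", "peer_dmz"): {443},
    ("peer_dmz", "dmz"): {8443},
}

def zone_of(prefix):
    """Map a host or subnet to the single zone that contains it, else 'unknown'."""
    net = ip_network(prefix, strict=False)
    for name, zone_net in ZONES.items():
        if net.subnet_of(zone_net):
            return name
    return "unknown"   # e.g. 0.0.0.0/0, or a subnet spanning two zones

def check_rule(src, dst, port):
    """Classify a proposed 'allow src -> dst:port' rule against the matrix."""
    s, d = zone_of(src), zone_of(dst)
    if "unknown" in (s, d):
        return "review", f"{src} -> {dst}: endpoint not confined to one zone"
    if s == d:
        return "ok", f"intra-zone traffic inside {s}"
    allowed = MATRIX.get((s, d))
    if allowed is None:
        return "violation", f"matrix denies {s} -> {d} entirely"
    if port not in allowed:
        return "violation", f"matrix allows {s} -> {d} only on ports {sorted(allowed)}"
    return "ok", f"{s} -> {d}:{port} is permitted"

def risk_check(rules):
    """Run every proposed rule through the matrix; returns [(rule, verdict, reason)]."""
    return [(rule, *check_rule(*rule)) for rule in rules]

if __name__ == "__main__":
    proposed = [
        ("10.1.2.0/24", "192.168.100.10", 443),   # internal -> dmz web: ok
        ("3.3.3.7", "192.168.100.10", 8443),      # peer -> dmz on agreed port: ok
        ("3.3.3.7", "10.1.2.15", 1433),           # peer straight into internal: violation
        ("192.168.100.10", "3.3.3.7", 22),        # dmz -> peer on unlisted port: violation
        ("0.0.0.0/0", "192.168.100.10", 443),     # 'any' source: needs manual review
    ]
    for rule, verdict, reason in risk_check(proposed):
        print(f"{verdict:9} {rule}: {reason}")
```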
Prepare: Risk Profile from Spreadsheet
Summary
• External connections require special attention
• Design your network architecture carefully
• IT systems should assist the teams:
  • Recognize the external connections
  • Track relevant information
  • Intelligently support planned and unplanned maintenance scenarios
More Resources
Thank You