

\documentclass{beamer}

%     Copyright (c)  2001,2002,2003,2004,2005  Alexandre Dulaunoy <adulau@foo.be>
%     Permission is granted to copy, distribute and/or modify this document
%     under the terms of the GNU General Public License, Version 2.0
%     or any later version published by the Free Software Foundation;


%\usetheme{PaloAlto}
\usetheme{Goettingen}
\usepackage[english]{babel}
\usepackage[latin1]{inputenc}
\setbeamertemplate{blocks}[rounded][shadow=true]
\setbeamercovered{transparent}


%
% The following info should normally be given in your main file:
%


\title{Security Infrastructure Management}
\subtitle {}
\keywords {Out-of-Band Management Security}
\subject {Security Infrastructure Management - an overview}
\author{Alexandre Dulaunoy}
\institute{
  ASBL CSRRT-LU (Computer Security Research and Response Team Luxembourg)\\
  http://www.csrrt.org/}


\begin{document}


\frame{\titlepage}

\section*{Security Infrastructure Management}

\subsection{Introduction}

\frame[containsverbatim]{
  \nameslide{Security Infrastructure Management}
  \frametitle{Security Infrastructure Management}
  
 \begin{itemize}
\item Network/system security infrastructures are often built without management
\item Management is often a critical part of the network security infrastructure
\begin {itemize}
  \item but often forgotten
  \item or worse... over-designed
\end {itemize}
\item Security Infrastructure Management is required to correctly manage, monitor and maintain the devices
\item Keep the management infrastructure simple and very secure...
\end{itemize}


}

\subsection{Out-of-Band (OOBI)}

\frame[containsverbatim]{
  \nameslide{Out-of-Band (OOBI)}
  \frametitle{Out-of-Band (OOBI)}
  \begin{itemize}
  \item In the 1950s, OOBI was used as a "control path" to control phone services in case of failure or to maintain them
  \item The same approach was used in the early IT networks to control devices via an "other path" (e.g. IBM mainframe and modem)
    \begin {itemize}
       \item The famous period of remote maintenance over modem...
       \item but also the famous period of "wardialing"
    \end {itemize}
  \item Out-of-Band Infrastructure is now part of data centers (e.g. IPMI, KVM-IP,...)
  \item In-Band and Out-of-Band management are somewhat converging (e.g. Serial-Over-IP,...)
  \end{itemize}

}



\subsection{Security and Network Management}

\frame[containsverbatim]{
  \nameslide{Security and Network Management}
  \frametitle{Security and Network Management}

  \begin{itemize}
  \item Practical Management : "local-only" versus remote management
  \begin{itemize}
  \item Disabling remote management is often the best way to eliminate the risk...
  \item but this is not always practical.
  \end{itemize}
  \item Hardening remote management is important but you have to find a balance between practical and secure approaches
  \end{itemize}
}


\subsection{Management of Security Devices}

\frame[containsverbatim]{
  \nameslide{Management of Security Devices}
  \frametitle{Management of Security Devices}

  \begin{itemize}

  \item Who manages/monitors the security devices? Employees or external companies?
  \item From where will the management/monitoring of the security devices be done?
  \item What are the risks associated with building and using a management network?
  \item Which protocols will be used? Serial only? IP?
  \end{itemize}
}


\subsection{Good Practices}

\frame[containsverbatim]{
  \nameslide{Good Practices}
  \frametitle{Good Practices}

  \begin{itemize}
  \item When building an IP Out-of-Band network, clearly separate the production and management networks (e.g. no IP routing between the two)
  \item Monitoring is important but the monitoring of the management network is \emph{more} important
  \item Availability of the management network is critical
  \item Strong authentication is mandatory (e.g. no default passwords) and ... keep a trace of every action performed (e.g. TACACS+, rancid)
  \item Packet filtering must be applied on each management port
  \item For In-Band management, you must keep a clear separation of the networks and IP addresses used
  \end{itemize}
}


\subsection{Network Management - OpenSSH / jail-chroot TP}

\frame[containsverbatim]{
  \nameslide{Network Management - OpenSSH / jail-chroot TP}
  \frametitle{Network Management - OpenSSH / jail-chroot TP}

\begin{itemize}
\item On a single system, you need to provide two SSH accesses: one for network management (full access, for an admin only) and another one used for file transfer by multiple customers. You must ensure a clear separation between the two accesses and give the customers scp access only.
\end{itemize}
}
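
One possible layout for the exercise above, added here as an example (it is not part of the original slides): two sshd instances on the same host, each started with its own file via sshd -f. The IP addresses, group names, file names and paths are assumptions, and customers are assumed to use an scp client that speaks the SFTP protocol (the default since OpenSSH 9.0), because the jail only offers internal-sftp.

```conf
# Constructed example. Every address, group and path below is an assumption.

# ---- /etc/ssh/sshd_config.mgmt : network management, admin only ----
# Bind to the management interface only, never to the production side.
ListenAddress 10.0.0.10
Port 22
PidFile /run/sshd-mgmt.pid
# Only members of the admin group may authenticate on this instance.
AllowGroups netadmin
PermitRootLogin no
# Keys only: no password guessing, no default passwords.
PasswordAuthentication no
# VERBOSE records the key fingerprint used for each login (audit trail).
LogLevel VERBOSE

# ---- /etc/ssh/sshd_config.xfer : customer file transfer only ----
# Bind to the production interface only.
ListenAddress 192.0.2.10
Port 22
PidFile /run/sshd-xfer.pid
# Admin accounts are not in this group, so they cannot log in on this side.
AllowGroups customers
PermitRootLogin no
PasswordAuthentication no
Subsystem sftp internal-sftp
# Jail each customer. Every component of this path must be owned by root
# and not writable by group or others, otherwise sshd refuses the login.
# Give the customer a writable subdirectory inside the jail (e.g. upload/).
ChrootDirectory /srv/xfer/%u
# Ignore whatever command the client requests: file transfer only, no shell.
ForceCommand internal-sftp
PermitTTY no
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
LogLevel VERBOSE
```

Running sshd -t -f on each file checks its syntax before the instance is started.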

\section*{Q and A}

\frame {

\nameslide {Q and A}
 \frametitle {Q and A}

\begin{itemize}
\item Thanks for listening.
\item http://www.csrrt.org.lu/
\item adulau@foo.be
\end{itemize}
%%\includegraphics[scale=0.50]{Hack2005lu-banner.png}
}

\end{document}


