Tuesday, July 29, 2014

Software Defined Networking (SDN) and its Potential for Real-Time Defense

Working with the team on the day job researching and soon-to-be-testing SDN controllers in the lab.  Had a stimulating conversation on the "state of networking and security" with someone I trust in our company...it was an intellectually stimulating conversation.  He is on the SDN working group with other prestigious fellows, and he brought up a paper, a PhD dissertation, that touched at a high level on the topic of "Active Network Defense using SDN".  He didn't have any more information, but it got me and the team thinking...Yes...the north- and southbound interfaces all exist to do this.  If we had to design it, the architecture might look something like this:

OpenFlow rules can be written to match on any combination of 12 items:

Ingress Port
Ethernet Source (Layer 2 source)
Ethernet Destination (Layer 2 Destination)
Ether Type
VLAN ID
VLAN Priority
IP Source
IP Destination
IP Protocol
IP ToS
TCP/UDP Source Port
TCP/UDP Destination Port


An example flow table entry for a layer 2 port would look like this...

Rule:
     In Port:  e1/4
     In VLAN:  Untagged
     Source Mac:  0024:2214:a5ba
     Destination Mac:  0024:2025:2a44
Action:  FORWARD
     Out Port:  e1/2

This essentially says: any Ethernet frame coming into ingress port ethernet1/4 with no VLAN ID and with this specific source and destination MAC address is forwarded out port 1/2.  Reminds me of a route-map at layer 3, but it's happening at layer 2 instead.
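As an added illustration (not code from the post), here is a toy Python model of a flow table built on the 12-tuple above: the post's layer 2 rule is its first entry, and an "active defense" hook pushes a higher-priority DROP rule for a source MAC named in an IDS alert. The field names mirror OpenFlow 1.0 match names; the table class itself is an assumption for illustration, not a real controller API.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
# The 12 OpenFlow 1.0 match fields from the post; an absent field is a wildcard. (Constructed toy.)
MATCH_FIELDS = ("in_port", "dl_src", "dl_dst", "dl_type", "vlan_id", "vlan_pcp",
                "nw_src", "nw_dst", "nw_proto", "nw_tos", "tp_src", "tp_dst")
VLAN_NONE = 0xFFFF  # OpenFlow 1.0 puts 0xffff in the VLAN ID field for "untagged"

@dataclass
class FlowEntry:
    match: Dict[str, object]
    action: str                    # "FORWARD" or "DROP"
    out_port: Optional[str] = None
    priority: int = 100            # higher wins when several entries match

class FlowTable:
    def __init__(self):
        self.entries: List[FlowEntry] = []

    def add(self, entry: FlowEntry) -> None:
        bad = set(entry.match) - set(MATCH_FIELDS)
        if bad:
            raise ValueError(f"not an OpenFlow 1.0 match field: {sorted(bad)}")
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.priority, reverse=True)

    def lookup(self, pkt: Dict[str, object]) -> Tuple[str, Optional[str]]:
        # Highest-priority entry whose every match field equals the packet's value.
        # A table miss returns ("CONTROLLER", None): the switch asks the controller.
        for e in self.entries:
            if all(pkt.get(k) == v for k, v in e.match.items()):
                return e.action, e.out_port
        return "CONTROLLER", None

    def quarantine(self, src_mac: str, priority: int = 1000) -> FlowEntry:
        # Active-defense hook: on an IDS alert the controller pushes a DROP rule
        # for the offending source MAC that outranks the forwarding entries.
        entry = FlowEntry({"dl_src": src_mac}, "DROP", priority=priority)
        self.add(entry)
        return entry

# The layer 2 forwarding rule from the post, expressed as a table entry.
PORT_RULE = FlowEntry({"in_port": "e1/4", "vlan_id": VLAN_NONE, "dl_src": "0024:2214:a5ba",
                       "dl_dst": "0024:2025:2a44"}, "FORWARD", out_port="e1/2")

def demo():
    table = FlowTable()
    table.add(PORT_RULE)
    frame = dict(PORT_RULE.match)       # a constructed frame that hits the rule exactly
    before = table.lookup(frame)        # ("FORWARD", "e1/2")
    table.quarantine("0024:2214:a5ba")  # an alert names this host...
    return before, table.lookup(frame)  # ...so the same frame now yields ("DROP", None)
```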

Wednesday, July 16, 2014

Security Compliance Monitoring in a Virtual "Cloud" tied to Risk Management Framework

I've been wanting to do this for some time now.  Build a "security compliance monitoring solution in-a-box".  A virtual box that is.  My VMware lab server has about 8 virtual machines running all sorts of clients and servers, of several OS types, and I thought it would be great to design and deploy an entire security solution based on the MONITOR aspect of regulatory compliance frameworks.  I came up with the drawing below:

The challenge I've given myself is: can I do this all with open-source software, and can it be monitored/managed easily, with as much automation as possible through custom scripting?  Within 10 minutes I had four VMs fired up, simultaneously installing a network IDS/IPS server, a SIEM, a vulnerability scanner and an all-in-one firewall/router/proxy/web-content-filter appliance.

Next I'm looking into a DLP (host and network) solution.  Then on to the exciting part: to INTEGRATE THEM ALL!  I'll be installing agents on the clients I already have (Windows XP, 7, Ubuntu/Debian and Redhat/Ubuntu) in the virtual environment.

Friday, July 4, 2014

One of my former SNRians is off to Abu Dhabi

I found Stan Chua at the University during his last year there in the fall of 2009.  He was young, shy, and unsure of his future but willing to push hard and eager to learn all he could about security.  It's been five years and we've long since parted with SNR but we've kept in touch and today he mentioned he was moving to Abu Dhabi to be part of a cybersecurity team.  He's one of the best engineers in Hawaii and these islands are just too small for him.  I know he'll do well since the way we continue to develop our wings is to constantly keep jumping off of cliffs!

Wednesday, July 2, 2014

Consultative Selling

A dear friend called last night and asked if I could help out with one of their mid-sized healthcare accounts.  He wanted me to act as an "advisor" in matters related to security controls and HIPAA.  I'm familiar with the HIPAA administrative, physical and technical security requirements and thought it would be great to be part of the team.

It became apparent to me after about two minutes sitting with the "team" that not only had they brought me there to play as if I were their Information Security Officer, but they were pushing the client for a hard sell on a storage system to meet one of the encryption requirements for PII/ePHI.  I couldn't help myself as I saw the client in a semi-dazed and confused trance while the "team" bombarded them with technical babble and draconian regulatory speak...I had to jump in!

I found my chance...there was a pause from the team while they were seeking a reply from the client, the doctor and nurses were still trying to figure out what "data at rest" meant, and I jumped in: "Excuse me, can I ask a question?"  The client looked at me with a stare that I couldn't make out; either it was "yeah, what do you want? I'm busy trying to reconcile all the data here in my head" or "please save us".  I wasn't sure which it was.

I asked the client if they had ever taken a HIPAA self-assessment survey.  Aha!  It was as if that was the missing link...they got it!  The excitement grew as I held their hand and took them on a journey of the possibilities that would ensue once they had all the answers to their questions, and it was interesting to see how the "team" was dumbfounded.  The "team" looked like I had just stolen their lunch money, but I knew they saw value in what was being presented.  We closed up the meeting with the client asking for a follow-up next week after they finish the assessment (I had the "team" take that one for action), and as we all walked to our vehicles, I explained to the "team" that although they had not walked away with a signed contract this day, they would see the value in what we are doing, as it paves the way for becoming a STRATEGIC PARTNER in the long run and will lead to not only this single box solution sale, but many others that they cannot begin to imagine occurring over the next two years.