Assignment

 

Each student will write an APA paper with no less than 6 peer reviewed references and no less than 3 pages of findings on one aspect of the weekly readings.


For this week you can choose any topic that is in our material to write on.

Subject Name: Emerging Threats & Countermeas

Chapter 3: Separation
Cyber Attacks: Protecting National Infrastructure, 1st ed.

Copyright © 2012, Elsevier Inc. All Rights Reserved

Introduction

• Using a firewall to separate network assets from intruders is the most familiar approach in cyber security

• Networks and systems associated with national infrastructure assets tend to be too complex for firewalls to be effective

• Three new approaches to the use of firewalls are necessary to achieve optimal separation
– Network-based separation
– Internal separation
– Tailored separation

Fig. 3.1 – Firewalls in simple and complex networks

What Is Separation?

• Separation is a technique that accomplishes one of the following
– Adversary separation
– Component distribution

• A working taxonomy of separation techniques: three primary factors are involved in the use of separation
– The source of the threat
– The target of the security control
– The approach used in the security control
(See Fig. 3.2)

Fig. 3.2 – Taxonomy of separation techniques

Functional Separation

• Separation is commonly achieved using an access control mechanism with requisite authentication and identity management

• An access policy identifies desired allowances for users requesting to perform actions on system entities

• Two approaches
– Distributed responsibility
– Centralized control
– (Both will be required)

Fig. 3.3 – Distributed versus centralized mediation

National Infrastructure Firewalls

• Firewalls are placed between a system or enterprise and an untrusted network (say, the Internet)

• Two possibilities arise
– Coverage: The firewall might not cover all paths
– Accuracy: The firewall may be forced to allow access that inadvertently opens access to other protected assets

Fig. 3.4 – Wide area firewall aggregation and local area firewall segregation

National Infrastructure Firewalls

• Increased wireless connectivity is a major challenge to national infrastructure security

• Network service providers offer advantages to centralized security
– Vantage point: Network service providers can see a lot
– Operations: Network providers have the operational capacity to keep security software current
– Investment: Network service providers have the financial wherewithal and motivation to invest in security

Fig. 3.5 – Carrier-centric network-based firewall

DDOS Filtering

• The network-based firewall concept includes a device for throttling distributed denial of service (DDOS) attacks

• Called a DDOS filter

• Modern DDOS attacks take into account a more advanced filtering system

Fig. 3.6 – DDOS filtering of inbound attacks on target assets
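The throttling behaviour of a DDOS filter, reduced to its simplest form, as an added example that is not from the book or the slides: a per-source sliding-window limit applied in front of a target asset. The request records, the addresses, the asset names and the 50-per-second policy are all constructed for the example.

```python
from collections import defaultdict, deque

# Policy for this example: a source may have at most 50 requests reach a given
# asset in any sliding 1-second window; anything beyond that is throttled.
WINDOW_MS = 1000
MAX_PER_WINDOW = 50

# Constructed inbound request records: (timestamp in ms, source address, target asset).
# 198.51.100.7 floods the portal at 100 requests/s; the other two sources are normal.
SAMPLE_EVENTS = (
    [(t * 10, "198.51.100.7", "scada-portal") for t in range(300)]
    + [(t * 1000, "203.0.113.5", "scada-portal") for t in range(3)]
    + [(t * 1000, "203.0.113.9", "billing") for t in range(3)]
)


def ddos_filter(events, window_ms=WINDOW_MS, limit=MAX_PER_WINDOW):
    """Apply a per-(source, asset) sliding-window limit to the events in time order.

    Returns (passed, dropped, drops_by_source): the event tuples that reached the
    asset, the ones that were throttled, and a per-source count of throttled requests.
    """
    recent = defaultdict(deque)  # (source, asset) -> timestamps of requests that passed
    passed, dropped = [], []
    drops_by_source = defaultdict(int)
    for ts, src, asset in sorted(events):
        window = recent[(src, asset)]
        # Forget passed requests that have aged out of the window.
        while window and window[0] <= ts - window_ms:
            window.popleft()
        if len(window) < limit:
            window.append(ts)
            passed.append((ts, src, asset))
        else:
            dropped.append((ts, src, asset))
            drops_by_source[src] += 1
    return passed, dropped, dict(drops_by_source)


def flood_sources(drops_by_source, threshold=100):
    """Sources throttled more than `threshold` times: candidates for upstream blocking."""
    return sorted(src for src, n in drops_by_source.items() if n > threshold)


if __name__ == "__main__":
    passed, dropped, drops = ddos_filter(SAMPLE_EVENTS)
    print(f"passed={len(passed)} dropped={len(dropped)} flood sources={flood_sources(drops)}")
```

A per-source limit only catches the single-source flood shown here; an attack spread thinly across many sources stays under every per-source budget, which is why a carrier-side filter also needs an aggregate per-asset budget, the "more advanced filtering" the slide refers to.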

SCADA Separation Architecture

• SCADA – Supervisory control and data acquisition

• SCADA systems – A set of software, computers, and networks that provide remote coordination of control systems for tangible infrastructure

• Structure includes the following
– Human-machine interface (HMI)
– Master terminal unit (MTU)
– Remote terminal unit (RTU)
– Field control systems

Fig. 3.7 – Recommended SCADA system firewall architecture

Physical Separation

• Why not simply unplug a system’s external connections? (Called air gapping)

• As systems and networks grow more complex, it becomes more likely that unknown or unauthorized external connections will arise

• Basic principles for truly air-gapped networks:
– Clear policy
– Boundary scanning
– Violation consequences
– Reasonable alternatives

Fig. 3.8 – Bridging an isolated network via a dual-homing user
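One form the "boundary scanning" principle can take against the dual-homing problem of Fig. 3.8, as an added example that is not from the book or the slides: check an interface inventory for hosts with one foot inside the isolated network and one outside it. The network ranges, hostnames and addresses are constructed; 10.50.0.0/16 stands in for the isolated SCADA network and 10.10.0.0/16 for the managed corporate network.

```python
import ipaddress

# Constructed boundaries: the isolated network and the managed corporate side.
ISOLATED_NETS = [ipaddress.ip_network("10.50.0.0/16")]
CORPORATE_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed inventory rows: (hostname, interface, address).
INVENTORY = [
    ("hmi-01", "eth0", "10.50.1.10"),
    ("mtu-01", "eth0", "10.50.1.20"),
    ("eng-laptop-7", "eth0", "10.50.1.77"),   # cabled into the SCADA LAN ...
    ("eng-laptop-7", "wlan0", "10.10.4.23"),  # ... while still on corporate Wi-Fi
    ("corp-fs-01", "eth0", "10.10.2.5"),
    ("rtu-gw", "eth0", "10.50.9.1"),
    ("rtu-gw", "ppp0", "198.51.100.14"),      # cellular modem, outside every managed range
]


def in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def find_bridges(inventory, isolated_nets=ISOLATED_NETS):
    """Group interfaces per host; keep hosts that sit on both sides of the boundary.

    Returns {host: {"isolated": [(iface, addr), ...], "outside": [(iface, addr), ...]}}.
    """
    per_host = {}
    for host, iface, addr in inventory:
        side = "isolated" if in_any(addr, isolated_nets) else "outside"
        per_host.setdefault(host, {"isolated": [], "outside": []})[side].append((iface, addr))
    return {h: v for h, v in per_host.items() if v["isolated"] and v["outside"]}


def findings(inventory, isolated_nets=ISOLATED_NETS, corporate_nets=CORPORATE_NETS):
    """One (host, severity, detail) per bridge. An outside interface that is not even
    on the managed corporate network (e.g. a modem) is rated higher than a corporate one."""
    out = []
    for host, sides in sorted(find_bridges(inventory, isolated_nets).items()):
        unmanaged = [a for _, a in sides["outside"] if not in_any(a, corporate_nets)]
        sev = "high" if unmanaged else "medium"
        out.append((host, sev, f"isolated={sides['isolated']} outside={sides['outside']}"))
    return out


if __name__ == "__main__":
    for host, sev, detail in findings(INVENTORY):
        print(f"[{sev}] {host}: {detail}")
```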

Insider Separation

• Hard to defend against a determined insider

• Threats may also come from trusted partners

• Background checks are a start

• Techniques for countering insider attack
– Internal firewalls
– Deceptive honey pots
– Enforcement of data markings
– Data leakage protection (DLP) systems

• Segregation of duties offers another layer of protection

Fig. 3.9 – Decomposing work functions for segregation of duty
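The access-policy mediation of the Functional Separation slide (Fig. 3.3, centralized control) combined with the segregation of duty of Fig. 3.9, as an added example that is not from the book or the slides: a single mediator decides every request against the users' allowances and refuses to let one user perform two conflicting steps of a decomposed work function on the same entity. The work function (submit, approve, apply a setpoint change), the users, the entity name and the allowances are constructed.

```python
from dataclasses import dataclass, field

# Constructed work function "setpoint change", decomposed into submit -> approve -> apply.
# No single user may both submit and approve, or both approve and apply, the same change.
CONFLICTING_PAIRS = {
    frozenset({"submit_setpoint", "approve_setpoint"}),
    frozenset({"approve_setpoint", "apply_setpoint"}),
}

# Access policy: allowances of (user, action, entity). Alice's allowances are
# deliberately over-broad so the segregation-of-duty check is seen firing.
ALLOWANCES = {
    ("alice", "submit_setpoint", "pump-3"),
    ("alice", "approve_setpoint", "pump-3"),
    ("bob", "approve_setpoint", "pump-3"),
    ("carol", "apply_setpoint", "pump-3"),
}

@dataclass
class Mediator:
    """Centralized mediation: every request is decided here and written to the audit log."""
    allowances: set
    conflicting: set
    performed: dict = field(default_factory=dict)  # (user, entity) -> {actions done}
    audit: list = field(default_factory=list)       # (user, action, entity, decision, reason)

    def check(self, user, action, entity):
        if (user, action, entity) not in self.allowances:
            return self._record(user, action, entity, "deny", "no allowance in access policy")
        done = self.performed.get((user, entity), set())
        clash = [p for p in done if frozenset({p, action}) in self.conflicting]
        if clash:
            return self._record(user, action, entity, "deny",
                                f"segregation of duty: user already performed {clash[0]}")
        self.performed.setdefault((user, entity), set()).add(action)
        return self._record(user, action, entity, "allow", "")

    def _record(self, user, action, entity, decision, reason):
        self.audit.append((user, action, entity, decision, reason))
        return decision == "allow"

def run_scenario():
    """Walk one change through the decomposed work function; returns the audit log."""
    m = Mediator(ALLOWANCES, CONFLICTING_PAIRS)
    m.check("alice", "submit_setpoint", "pump-3")   # allow
    m.check("alice", "approve_setpoint", "pump-3")  # deny: alice submitted this change
    m.check("bob", "approve_setpoint", "pump-3")    # allow
    m.check("carol", "apply_setpoint", "pump-3")    # allow
    m.check("mallory", "apply_setpoint", "pump-3")  # deny: no allowance
    return m.audit
```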

Asset Separation

• Involves the distribution, replication, decomposition, or segregation of national assets
– Distribution: creating functionality using multiple cooperating components that work together as a distributed system
– Replication: copying assets across components so that if one asset is broken, the copy will be available
– Decomposition: breaking complex assets into individual components so that an isolated compromise won’t bring down the asset
– Segregation: separation of assets through special access controls, data markings, and policy enforcement

Fig. 3.10 – Reducing DDOS risk through CDN-hosted content

Multilevel Security (MLS)

• Typically, mandatory access controls and audit trail hooks were embedded into the underlying operating system kernel

• Popular in the 1980s and 1990s

Fig. 3.11 – Using MLS logical separation to protect assets

National Separation Program

• Internet separation: Certain assets simply shouldn’t be accessible from the Internet

• Network-based firewalls: These should be managed by a centralized group

• DDOS protection: All assets should have protection in place before an attack

• Internal separation: Critical national infrastructure settings need an incentive to implement internal separation policy

• Tailoring requirements: Vendors should be incentivized to build tailored systems such as firewalls for special SCADA environments
