Copyright © 2012, Elsevier Inc.
All Rights Reserved
Chapter 3
Separation
Cyber Attacks Protecting National Infrastructure, 1st ed.
Introduction
• Using a firewall to separate network assets from intruders is the most familiar approach in cyber security
• Networks and systems associated with national infrastructure assets tend to be too complex for firewalls to be effective
Introduction
• Three new approaches to the use of firewalls are necessary to achieve optimal separation
– Network-based separation
– Internal separation
– Tailored separation
Fig. 3.1 – Firewalls in simple and complex networks
What Is Separation?
• Separation is a technique that accomplishes one of the following
– Adversary separation
– Component distribution
What Is Separation?
• A working taxonomy of separation techniques: three primary factors are involved in the use of separation
– The source of the threat
– The target of the security control
– The approach used in the security control
(See figure 3.2)
Fig. 3.2 – Taxonomy of separation techniques
Functional Separation?
• Separation is commonly achieved using an access control mechanism with requisite authentication and identity management
• An access policy identifies desired allowances for users requesting to perform actions on system entities
• Two approaches
– Distributed responsibility
– Centralized control
– (Both will be required)
Fig. 3.3 – Distributed versus centralized mediation
National Infrastructure Firewalls
• Firewalls are placed between a system or enterprise and an untrusted network (say, the Internet)
• Two possibilities arise
– Coverage: The firewall might not cover all paths
– Accuracy: The firewall may be forced to allow access that inadvertently opens access to other protected assets
Fig. 3.4 – Wide area firewall aggregation and local area firewall segregation
National Infrastructure Firewalls
• Increased wireless connectivity is a major challenge to national infrastructure security
• Network service providers offer advantages to centralized security
– Vantage point: Network service providers can see a lot
– Operations: Network providers have the operational capacity to keep security software current
– Investment: Network service providers have the financial wherewithal and motivation to invest in security
Fig. 3.5 – Carrier-centric network-based firewall
DDOS Filtering
• The network-based firewall concept includes a device for throttling distributed denial of service (DDOS) attacks
• Called a DDOS filter
• Modern DDOS attacks take such filtering into account, so a more advanced filtering system is required
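The throttling role of the DDOS filter, as an added illustration (not code from the book): each source gets a token-bucket budget toward the protected asset, so a flood source is cut back while a legitimate client at a modest rate is untouched. The rate, burst size, and the packet timeline are constructed here.

```python
"""Per-source throttle in the style of the network-based DDOS filter on these
slides.  Added example: the token-bucket rule, the 5 pkt/s budget and the sample
packet stream are constructed, not taken from the book."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Bucket:
    tokens: float
    last: float


@dataclass
class DdosFilter:
    """Allow each source at most `rate` packets/second toward the protected
    asset, with bursts up to `burst`.  Packets beyond the budget are dropped."""
    rate: float = 5.0
    burst: float = 10.0
    buckets: dict = field(default_factory=dict)

    def admit(self, src: str, ts: float) -> bool:
        b = self.buckets.get(src)
        if b is None:
            b = self.buckets[src] = Bucket(self.burst, ts)
        # Refill for the elapsed time, never beyond the burst size.
        b.tokens = min(self.burst, b.tokens + (ts - b.last) * self.rate)
        b.last = ts
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


def filter_stream(packets, flt=None):
    """Run a (timestamp, source) stream through the filter in time order and
    return per-source counts of forwarded and dropped packets."""
    if flt is None:
        flt = DdosFilter()
    stats = defaultdict(lambda: {"passed": 0, "dropped": 0})
    for ts, src in sorted(packets):
        stats[src]["passed" if flt.admit(src, ts) else "dropped"] += 1
    return dict(stats)


# Constructed sample: a legitimate client at 2 pkt/s for 10 s and a flood
# source at 100 pkt/s for 2 s, both aimed at the same target asset.
SAMPLE = [(t / 2, "10.0.0.5") for t in range(20)] + \
         [(i / 100, "198.51.100.7") for i in range(200)]

if __name__ == "__main__":
    for src, s in filter_stream(SAMPLE).items():
        print(f"{src}: passed={s['passed']} dropped={s['dropped']}")
```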
Fig. 3.6 – DDOS filtering of inbound attacks on target assets
SCADA Separation Architecture
• SCADA – Supervisory control and data acquisition
• SCADA systems – A set of software, computers, and networks that provides remote coordination of control systems for tangible infrastructure
• Structure includes the following
– Human-machine interface (HMI)
– Master terminal unit (MTU)
– Remote terminal unit (RTU)
– Field control systems
Fig. 3.7 – Recommended SCADA system firewall architecture
Physical Separation
• Why not simply unplug a system’s external connections? (Called air gapping)
• As systems and networks grow more complex, it becomes more likely that unknown or unauthorized external connections will arise
• Basic principles for truly air-gapped networks:
– Clear policy
– Boundary scanning
– Violation consequences
– Reasonable alternatives
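The "boundary scanning" principle applied to the dual-homing problem of Fig. 3.8, as an added example (not the book's code): given an interface inventory, flag every host that holds an address inside the isolated network and another outside it. The address plan, zone names and inventory are constructed here.

```python
"""Boundary scan for the dual-homed bridge of Fig. 3.8.  Added example: the
inventory format, zone labels and all addresses are constructed, not taken
from the book."""
import ipaddress

# Constructed address plan: the isolated (air-gapped) control network versus
# prefixes that are reachable from outside it (corporate LAN, guest Wi-Fi).
ISOLATED = [ipaddress.ip_network("10.200.0.0/16")]
EXTERNAL = [ipaddress.ip_network("172.16.0.0/12"),
            ipaddress.ip_network("192.0.2.0/24")]


def classify(addr):
    """Return 'isolated', 'external' or 'unknown' for one interface address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in n for n in ISOLATED):
        return "isolated"
    if any(ip in n for n in EXTERNAL):
        return "external"
    return "unknown"


def find_bridges(inventory):
    """inventory: {hostname: [interface addresses]}.  A host with at least one
    address inside the isolated network and one outside it (or on an unmanaged
    prefix) is a potential bridge of the air gap, the dual-homed user of
    Fig. 3.8.  Returns (host, sorted zone names) per finding."""
    findings = []
    for host, addrs in inventory.items():
        zones = {classify(a) for a in addrs}
        if "isolated" in zones and zones & {"external", "unknown"}:
            findings.append((host, sorted(zones)))
    return findings


# Constructed inventory as a boundary scan might report it: a clean HMI, an
# engineering laptop bridging control LAN and corporate LAN, a gateway with an
# unmanaged address beside its control-LAN address, and a corporate-only PC.
INVENTORY = {
    "hmi-01":       ["10.200.1.10"],
    "eng-laptop-7": ["10.200.1.57", "172.20.4.12"],
    "rtu-gw-03":    ["10.200.3.1", "203.0.113.9"],
    "corp-pc-22":   ["172.20.4.88"],
}

if __name__ == "__main__":
    for host, zones in find_bridges(INVENTORY):
        print(f"VIOLATION: {host} is dual-homed across {zones}")
```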
Fig. 3.8 – Bridging an isolated network via a dual-homing user
Insider Separation
• Hard to defend against a determined insider
• Threats may also come from trusted partners
• Background checks are a start
• Techniques for countering insider attack
– Internal firewalls
– Deceptive honey pots
– Enforcement of data markings
– Data leakage protection (DLP) systems
• Segregation of duties offers another layer of protection
Fig. 3.9 – Decomposing work functions for segregation of duty
Asset Separation
• Involves the distribution, replication, decomposition, or segregation of national assets
– Distribution: creating functionality using multiple cooperating components that work together as a distributed system
– Replication: copying assets across components so that if one asset is broken, the copy will be available
– Decomposition: breaking complex assets into individual components so that an isolated compromise won’t bring down the whole asset
– Segregation: separation of assets through special access controls, data markings, and policy enforcement
Fig. 3.10 – Reducing DDOS risk through CDN-hosted content
Multilevel Security (MLS)
• Typically, mandatory access controls and audit trail hooks were embedded into the underlying operating system kernel
• Popular in the 1980s and 1990s
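The kind of kernel-level mandatory check that MLS logical separation (Fig. 3.11) rests on, as an added example rather than anything from the book: labels form a lattice of level plus compartments, reads require the subject to dominate the object, and writes require the object to dominate the subject. The level names, compartments and sample labels are constructed.

```python
"""Mandatory (MLS) access decision of the kind an operating system kernel applies
before any discretionary check.  Added example: level and compartment names and
the sample labels are constructed; the rules are the classic no-read-up /
no-write-down pair."""
from dataclasses import dataclass, field

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        """self >= other in the lattice: level at least as high and a superset
        of the other's compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mls_decide(subject, action, obj):
    """read: subject must dominate object (no read up).
    write: object must dominate subject (no write down), so data cannot flow to
    a lower level through a careless or compromised process."""
    if action == "read":
        return subject.dominates(obj)
    if action == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown action {action!r}")


# Constructed labels: a SECRET/{GRID} operator process and four objects.
OPERATOR = Label("SECRET", frozenset({"GRID"}))
OBJECTS = {
    "grid-telemetry":  Label("SECRET", frozenset({"GRID"})),
    "public-notice":   Label("UNCLASSIFIED"),
    "water-telemetry": Label("SECRET", frozenset({"WATER"})),
    "incident-log":    Label("TOP SECRET", frozenset({"GRID"})),
}


def access_matrix(subject=OPERATOR, objects=OBJECTS):
    """Decide read and write for every object; returns {name: (read, write)}."""
    return {n: (mls_decide(subject, "read", o), mls_decide(subject, "write", o))
            for n, o in objects.items()}


if __name__ == "__main__":
    for name, (r, w) in access_matrix().items():
        print(f"{name:16} read={'allow' if r else 'deny'} "
              f"write={'allow' if w else 'deny'}")
```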
Fig. 3.11 – Using MLS logical separation to protect assets
National Separation Program
• Internet separation: Certain assets simply shouldn’t be accessible from the Internet
• Network-based firewalls: These should be managed by a centralized group
• DDOS protection: All assets should have protection in place before an attack
• Internal separation: Critical national infrastructure settings need an incentive to implement internal separation policy
• Tailoring requirements: Vendors should be incentivized to build tailored systems such as firewalls for special SCADA environments