The Evolving DMZ
John Fehan, Regional Practice Lead, OpenSky Corp
24 April 2015
@NTXISSA

  2. An Evolution
     - A brief history
     - The principles are important
     - Some stay the same
     - Others have progressed
     - A couple are rapidly evolving

     Copyright John Fehan 2015. All rights reserved. NTX ISSA Cyber Security Conference, April 24-25, 2015

  3. The DMZ in the Past
     - Medieval towns: walls around a marketplace
     - The gate controlled access
     - The marketplace limited risk, as the transactions were closely watched
     - The keep was off limits

  4. The DMZ in the Present
     - A bank lobby is a modern DMZ
     - The building is built around a lobby
     - The guard controls access
     - The lobby limits risk, as transactions are closely watched
     - Protected by a cage and the safe, the money is off limits

  5. The DMZ in IT Infrastructure
     - A firewall around the DMZ
     - DMZ segments limit risk, as transactions are closely watched
     - Protected by another firewall, the inside network is off limits

  6. The Principles of a DMZ
     - All traffic is exposed and examined.
     - Access is granted only as needed.
     - Security incidents are minimized, compromises more contained and recovery more swift.
     - Compliance with audit requirements is effective.

  7. DMZ Networking
     - Use of multiple DMZ segments contains breaches and speeds recovery
     - VLAN extension is risky
     - HA DNS must be split and hardened
     - Network services should be static and limited within the DMZ

  8. DMZ Networking
     - A management VLAN should be enforced
     - Jump boxes must be hardened but enabled
       - Powerful tools
       - Two-factor authentication
       - Secured logging
     - Management systems must be protected from the DMZ
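The principles on slides 6 through 9 (examine all traffic, grant access only as needed, keep management systems protected from the DMZ, keep partner links away from the business applications) can be expressed as checks over a zone-based firewall policy. The script below is an added example, not material from the talk or from OpenSky; the zone names, port numbers and both rule sets are constructed for illustration, and the one DMZ-to-management flow it tolerates (syslog over TLS on 6514) is an assumption, not something the slides specify.

```python
"""Audit a zone-based firewall policy against the DMZ principles in the talk.

Zone names, ports and the two rule sets are constructed for this example
(assumptions), not taken from the talk or from any real environment.
"""
from dataclasses import dataclass

# Zone model (assumption): outside = Internet, dmz = Internet-facing segment,
# partner_dmz = segment terminating partner links, partner = the raw partner
# link, inside = business applications and data, mgmt = management VLAN that
# hosts the jump boxes.
DMZ_ZONES = {"dmz", "partner_dmz"}
MGMT_PORTS = {"22", "3389"}   # SSH / RDP: reach DMZ hosts only via the jump box
LOG_PORT = "6514"             # syslog over TLS, the one DMZ -> mgmt flow accepted here (assumption)


@dataclass(frozen=True)
class Rule:
    src: str      # source zone, or "any"
    dst: str      # destination zone, or "any"
    dport: str    # destination port, or "any"
    action: str   # "allow" or "deny"


def audit(rules):
    """Return a list of findings; an empty list means the policy passes every check."""
    findings = []
    # 1. Default deny: the last rule must drop everything not explicitly allowed.
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == "any"
            and last.dst == "any" and last.dport == "any"):
        findings.append("no default-deny rule at the end of the policy")
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        where = f"rule {i} ({r.src} -> {r.dst}:{r.dport})"
        # 2. Nothing from the Internet may bypass the DMZ and reach another zone directly.
        if r.src == "outside" and r.dst not in DMZ_ZONES:
            findings.append(f"{where}: outside traffic bypasses the DMZ")
        # 3. DMZ hosts reach the inside only on the ports their application needs.
        if r.src in DMZ_ZONES and r.dst == "inside" and r.dport == "any":
            findings.append(f"{where}: DMZ to inside on any port; restrict to the needed port")
        # 4. Management protocols reach DMZ hosts only from the management VLAN.
        if r.dst in DMZ_ZONES and r.dport in MGMT_PORTS and r.src != "mgmt":
            findings.append(f"{where}: management access not from the management VLAN")
        # 5. Management systems are protected from the DMZ (log shipping excepted).
        if r.src in DMZ_ZONES and r.dst == "mgmt" and r.dport != LOG_PORT:
            findings.append(f"{where}: DMZ may initiate connections into management")
        # 6. Partner links are isolated from the business applications.
        if r.src == "partner" and r.dst == "inside":
            findings.append(f"{where}: partner traffic reaches business applications directly")
    return findings


# Constructed policy with the classic mistakes.
WEAK_RULES = [
    Rule("outside", "dmz", "443", "allow"),
    Rule("dmz", "inside", "any", "allow"),        # web tier may reach anything inside
    Rule("any", "dmz", "22", "allow"),            # SSH to DMZ hosts from anywhere
    Rule("partner", "inside", "1433", "allow"),   # partner link straight to a database
    Rule("any", "any", "any", "allow"),           # no default deny
]

# Constructed policy that follows the principles.
HARDENED_RULES = [
    Rule("outside", "dmz", "443", "allow"),          # only the web tier is exposed
    Rule("dmz", "inside", "5432", "allow"),          # web tier to its database port only
    Rule("partner", "partner_dmz", "443", "allow"),  # partner link terminates in its own segment
    Rule("mgmt", "dmz", "22", "allow"),              # administration only via the jump box
    Rule("mgmt", "partner_dmz", "22", "allow"),
    Rule("dmz", "mgmt", LOG_PORT, "allow"),          # secured log shipping
    Rule("partner_dmz", "mgmt", LOG_PORT, "allow"),
    Rule("any", "any", "any", "deny"),               # default deny
]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name}: {audit(policy) or ['no findings']}")
```

The checks are deliberately zone-level rather than address-level: a policy that passes them still needs the per-application port list reviewed, but a policy that fails them violates one of the slide-6 principles regardless of which hosts sit in each segment.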
  10. Cloud Connections
     - Occasionally require large file transfer capability
     - Should be built out with their own media store for reimaging
     - Authentication should integrate but be subordinate

  11. DMZ Hosting
     - No durable data within the DMZ
     - Remote access is evolving to virtual desktop infrastructure (VDI) and client-less VPN

  12. Virtualization
     - Virtualization has enabled great improvements
     - Restoral can be faster
     - Rebalancing of application workloads
     - Capacity management is easier
     - Firewall rules can be distributed and portable

  13. Virtualization
     - Challenges that remain
       - Security of the shared hypervisor
       - Improved management capabilities yet to be tapped; CLI addiction
     - Helps with understanding the application flows

  14. Virtualization
     - Networks can now be virtualized.

  15. Virtualization
     - Virtualize the appliances and then the network
     - Share the glass
     - Invest in the understanding

  16. DMZ Value Remains
     - The technology evolves
     - The principles remain
       - All traffic is exposed and examined
       - Access is granted only as needed
       - Security incidents are minimized, compromises more contained and recovery more swift
       - Compliance with audit requirements is effective

  17. Thank you
     - The Collin College Engineering Department
     - Collin College Student Chapter of the North Texas ISSA
     - North Texas ISSA (Information Systems Security Association)
     - NTX ISSA Cyber Security Conference, April 24-25, 2015