from enterprise perimeter to distributed virtual
play

From Enterprise Perimeter to Distributed, Virtual Enterprise - PowerPoint PPT Presentation

May 11, 2023 •318 likes •946 views

From Enterprise Perimeter to Distributed, Virtual Enterprise Security Ed Amoroso SVP, CSO AT&T eamoroso@att.com Page 1 Sandbags Piled in Front of AT&T Building 12/15/41 Page 2 Original Perimeter Objective (Circa 1995)

  1. From Enterprise Perimeter to Distributed, Virtual Enterprise Security Ed Amoroso SVP, CSO – AT&T eamoroso@att.com Page 1

  2. Sandbags Piled in Front of AT&T Building – 12/15/41 Page 2

  3. Original Perimeter Objective (Circa 1995) Enterprise Perimeter Untrusted External Actor “Inside the “Outside the Firewall” Firewall” Page 3

  4. Enabling Browser Access to Enterprise Website Web (External) Untrusted External Actor Page 4

  5. Rule Added to Firewall to Allow Inbound Access to TCP/Port 80 (http) Web (External) Untrusted External Actor “Off the Shelf” Web Software Packets from Browsers and Tools with Potentially “Anywhere” Enter the Exploitable Vulnerabilities Perimeter Page 5

  6. Perimeter Design Scan UTM PKI Firewall Router Enterprise DLP SIEM IPS Access to Web Server “Allowed” A/V Proxy A/S Web (External) Admin Access to 2FA Log RBAC FW Web Server Page 6

  7. Web (External) Page 7

  8. Enabling External VPN Access to Enterprise Web (External) VPN Designed for VPN/RA Client Page 8

  9. Perimeter Design Scan UTM PKI Firewall Router Enterprise DLP SIEM IPS Access to Web Server “Allowed” A/V Proxy A/S Web (External) Admin Access to 2FA Log RBAC FW Web Server Integrate into Common Physical Perimeter VPN Admin FW Access to 2FA Log RBAC VPN Server Firewall Scan UTM PKI Router Enterprise Access to DLP SIEM IPS VPN Server “Allowed” A/V Proxy A/S Page 9

  10. Web (External) VPN Page 10

  11. Adding Third Party Gateway Access to Enterprise Web (External) Third Party Gateway VPN Designed for Third Party Care, Contact, Support, etc. Page 11

  12. Perimeter Design Admin Scan UTM PKI Access to Third Party Gateways DLP SIEM IPS 2FA A/V Proxy A/S Web (External) Log Typically FW RBAC Source IP-Based Authentication Integrate into Common Physical Third Party Perimeter Gateway VPN FW FW Scan UTM PKI Scan UTM PKI “Allowed” DLP SIEM IPS DLP SIEM IPS Enterprise Access to A/V Proxy A/S A/V Proxy A/S Third Party Gateways Integrate into Common Physical Perimeter Page 12

  13. Enterprise Assets Web (External) Third Party Gateway VPN Page 13

  14. Adding Inbound Email to Enterprise Enterprise Assets Email Web (External) Third Party Gateway VPN Page 14

  15. Perimeter Design Scan UTM PKI Scan UTM PKI DLP SIEM IPS DLP SIEM IPS A/V Proxy A/S A/V Proxy A/S Email Web (External) FW FW Allow Integrate into Exchange with Common Physical Third Party any Sender or Perimeter Gateway VPN Receiver FW FW “Allowed” Integrate into Enterprise Scan UTM PKI Scan UTM PKI Common Physical Access to Perimeter Mail DLP SIEM IPS DLP SIEM IPS A/V Proxy A/S A/V Proxy A/S Integrate into Common Physical Perimeter Page 15

  16. Enterprise Assets Email Web (External) Third Party Gateway VPN Page 16

  17. “Hundreds” to “Millions” of Rules (1995 – 2015) Enterprise Assets Additional Firewall Rule Email Web Exceptions (External) Additional Firewall Rule Third Party Exceptions Gateway VPN Page 17

  18. Expanded Third Party Gateways Enterprise Assets Additional Firewall Rule Email Web Exceptions (External) Additional Firewall Rule Third Party Exceptions VPN Additional Third Parties, Retail Dealers, Outsourcing, Offshoring Page 18

  19. Expanded Employee Remote Access Enterprise Assets Additional Firewall Rule Email Web Exceptions (External) Additional Firewall Rule Third Party VPN Exceptions Additional Third Parties, Additional Remote Access, Retail Dealers, Outsourcing, Employee Telework, Offshoring Road Warriors Page 19

  20. Network Vulnerabilities Network Unauthorized Network Misconfigurations Connections (Internet Exposing) (Internet Exposing) Enterprise Assets Additional Firewall Rule Email Web Exceptions (External) Additional Firewall Rule Third Party VPN Exceptions Additional Third Parties, Additional Remote Access, Retail Dealers, Outsourcing, Employee Telework, Offshoring Road Warriors Page 20

  21. Employee Use of Mobile Network Unauthorized Network Misconfigurations Connections (Internet Exposing) (Internet Exposing) Enterprise Assets Additional Firewall Rule Email Web Exceptions (External) Additional Firewall Rule Third Party VPN Exceptions Additional Third Parties, Additional Remote Access, Retail Dealers, Outsourcing, Employee Telework, Offshoring Enterprise Use of Mobility Road Warriors Page 21

  22. Typical State of the Practice Enterprise Design Network Unauthorized Network Misconfigurations Connections (Internet Exposing) (Internet Exposing) Enterprise Assets Additional Firewall Rule Email Web Exceptions (External) Additional Firewall Rule Third Party VPN Exceptions Additional Third Parties, Additional Remote Access, Retail Dealers, Outsourcing, Employee Telework, Offshoring Enterprise Use of Mobility Road Warriors Page 22

  23. Enterprise Perimeter Reality (Circa 2015) Enterprise Perimeter Outside Page 23

  24. Nation State Exfiltration Attacks North/South Exploit (Perimeter) East/West Exploit (Enterprise) Phishing Attack Data Exfiltration Successfully attack this . . . and gain access to this . . . Page 24

  25. Nation State Exfiltration Attacks North/South Exploit (Perimeter) Inbound Outbound Filtering Filtering Many Solutions Many Solutions Exist to Reduce Risk Exist to Reduce Risk East/West Inbound Outbound Exploit (Enterprise) No Good Solutions Exist to Reduce Traversal Risk Page 25

  26. Baseline Perimeter Page 26

  27. Enabling Browser Access to Web Server Web Page 27

  28. Micro-Perimeter Design (Web Server) Virtual Micro Perimeter Web Page 28

  29. Micro-Perimeter Provisioning to Cloud Scan UTM PKI Step 2: Provision Virtual Micro-Perimeter DLP SIEM IPS into Run Time System A/V Proxy A/S Web Step 1: Provision Web Server into FW Integrated Cloud Page 29

  30. East-West Protection for Web Cloud Tenant Hypervisor Security Orchestration . . . Web FW FW A/S Proxy Virtual Appliances Virtual Perimeter Sampling of Vendors with Virtual Appliances Page 30

  31. Virtual Micro Perimeter Web Page 31

  32. Adding Security Command & Control – Virtual Virtual Micro Perimeter Web Security C&C Virtual Micro Perimeter Page 32

  33. Micro-Perimeter Provisioning to Cloud Scan UTM PKI DLP SIEM IPS A/V Proxy A/S Web FW Integrate into Common Virtual Perimeter Scan UTM PKI Security C&C Step 1: Provision DLP SIEM IPS Security Cmd/Ctrl into Virtual Data Center A/V Proxy A/S Step 2: Provision FW Virtual Micro-Perimeter into Run Time System Page 33

  34. East-West Protection for Web and C&C Cloud Tenant Hypervisor Security Orchestration . . . Web FW FW A/S Proxy Server Virtual Appliances Security APIs Tenant Risk Compliance Security Reporting Security Alerting SIEM Security APIs Tenant Hypervisor Security Orchestration . . . C&C FW FW A/S Proxy Virtual Appliances Page 34

  35. Virtual Micro Perimeter Enterprise Assets Web SOC Virtual Micro Perimeter Page 35

  36. Adding Gateway – Virtual Virtual Micro Perimeter Enterprise Assets Web Virtual Micro Perimeter Gateway SOC Virtual Micro Perimeter Page 36

  37. Cloud Tenant Hypervisor Security Orchestration . . . Gate FW FW A/S Proxy way Virtual Appliances Tenant Hypervisor Security Orchestration . . . Web FW FW Proxy A/S Server Virtual Appliances East-West Security APIs Tenant Protection for Risk Compliance Security Alerting Security Reporting SIEM Web, C&C, and Gateway Security APIs Tenant Hypervisor Security Orchestration . . . FW SOC FW A/S Proxy Virtual Appliances Page 37

  38. Virtual Micro Perimeter Enterprise Assets Web Virtual Micro Perimeter Gateway SOC Virtual Micro Perimeter Page 38

  39. East-West Traversal Mitigated by Virtual Perimeter North/South Exploit (Perimeter) East/West Exploit (Enterprise) Successfully attack this . . . and gain NO access to this . . . Page 39

  40. Legacy Assets Dependent on Existing Perimeter Virtual Micro Legacy Perimeter Assets Enterprise Assets Web Virtual Micro Perimeter Gateway SOC Virtual Micro Perimeter Page 40

  41. Legacy Assets Dependent on Existing Perimeter Enterprise Perimeter (Legacy Assets) Legacy Web Gateway SOC Page 41

  42. Enterprise Perimeter Has Less to Defend Legacy Web Gateway SOC Page 42

  43. Legacy Web Gateway SOC Page 43

  44. Web Back-End Legacy Web Gateway SOC Page 44

  45. Web Back-End Legacy Web Gateway SOC SOC (Primary) (Backup) Page 45

  46. Web Back-End Legacy Web Gateway SOC SOC (Primary) (Backup) Page 46

  47. Web Web Back-End Legacy Gateway SOC SOC (Primary) (Backup) Page 47

  48. Legacy Web Web Back-End Gateway SOC SOC (Primary) (Backup) Page 48

  49. Legacy Gateway Web Web Back-End SOC SOC (Primary) (Backup) Page 49

  50. Legacy Gateway Web Web Back-End SOC SOC (Primary) (Backup) Page 50

  51. Ring Ring Ring Ring (Gateway) (Legacy) (Back-End) (Web Server) SOC SOC (Primary) (Backup) Page 51

  52. SOC SOC (Primary) (Backup) Page 52

  53. Page 53

  54. Page 54

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introducing World Message Virtual ID and Core New Virtual Mobile Enterprise Services

Introducing World Message Virtual ID and Core New Virtual Mobile Enterprise Services

Introducing World Message Virtual ID and Core New Virtual Mobile Enterprise Services Norwood Systems Ltd ASX:NOR March 2017 Paul Ostergaard CEO and Founder Norwood Systems Ltd Our Enterprise Mission We put a virtual business phone in

527 views • 20 slides
Outline General Principles of Distributed Virtual Environments: CSCI 8220 Parallel &

Outline General Principles of Distributed Virtual Environments: CSCI 8220 Parallel &

Outline General Principles of Distributed Virtual Environments: CSCI 8220 Parallel & Distributed ! What are they? Simulation ! Distributed Virtual Environments (DVE) versus Analytical Simulations Distributed Virtual Environments !

444 views • 5 slides
Subtraction Starter: 1. 4573 - 1282 = 2. 7808 - 1921 = 3. Amy has saved 45.37 in her piggy

Subtraction Starter: 1. 4573 - 1282 = 2. 7808 - 1921 = 3. Amy has saved 45.37 in her piggy

Area and Perimeter.notebook May 13, 2020 Steps To Success: LO - To calculate the perimeter I can calculate the perimeter of a 2D shape by adding all of its sides together of a range of 2D shapes I can accurately measure the lengths of a 2D

1.18k views • 65 slides
Adit Enterprise. Adit Enterprise. Adit Enterprise. Adit Enterprise. ADIT Enterprise is a

Adit Enterprise. Adit Enterprise. Adit Enterprise. Adit Enterprise. ADIT Enterprise is a

Adit Enterprise. Adit Enterprise. Adit Enterprise. Adit Enterprise. ADIT Enterprise is a wholesale distribution business providing complete range of Electronic Security Systems Kamlesh 093232 51184 Adit Enterprise Adit Enterprise Adit

619 views • 29 slides
1 Everyone Has a Why The Rise of a Virtual Workplace Going Virtual About 30 million

1 Everyone Has a Why The Rise of a Virtual Workplace Going Virtual About 30 million

1 Everyone Has a Why The Rise of a Virtual Workplace Going Virtual About 30 million Americans work from home. Virtual. Remote. Distributed. This style of organization is becoming more common among many industries including web shops

926 views • 49 slides
Zerto Virtual Replication 4.5 Disaster Recovery Evolved Zerto provides enterprise-class, virtual

Zerto Virtual Replication 4.5 Disaster Recovery Evolved Zerto provides enterprise-class, virtual

Zerto Virtual Replication 4.5 Disaster Recovery Evolved Zerto provides enterprise-class, virtual replication and recovery solutions for VMware & Hyper-V virtualized datacenters 2 PRIVATE AND CONFIDENTIAL How Zerto Revolutionized Disaster

1.22k views • 21 slides
Verification in Scientific Computing: from Pristine to Practical to Perimeter-Extending Joseph M.

Verification in Scientific Computing: from Pristine to Practical to Perimeter-Extending Joseph M.

Verification in Scientific Computing: from Pristine to Practical to Perimeter-Extending Joseph M. Powers Department of Aerospace and Mechanical Engineering University of Notre Dame ASME V&V 2020 Virtual Verification and Validation

791 views • 55 slides
1 Chances to weaken ordering Virtual Synchrony at a glance Suppose that any conflicting

1 Chances to weaken ordering Virtual Synchrony at a glance Suppose that any conflicting

Virtual Synchrony Goal: Simplifies distributed systems Virtual synchrony development by introducing emulating a simplified world a synchronous one Features of the virtual synchrony model Process groups with state transfer,

275 views • 9 slides
Overview Distributed Services for Distributed VPNs Objectives for Robust Time

Overview Distributed Services for Distributed VPNs Objectives for Robust Time

Michael Rossberg, Rene Golembewski, Guenter Schaefer Ilmenau University of Technology, Germany ICCCN 2012 Attack-Resistant Distributed Time Synchronization for Virtual Private Networks Overview Distributed Services for Distributed VPNs

212 views • 9 slides
The perimeter and area of both a rhombus and a parallelogram can be found by applying the

The perimeter and area of both a rhombus and a parallelogram can be found by applying the

D AY 118 P ERIMETER AND AREA OF A RHOMBUS AND A PARALLELOGRAM ON XY - PLANE I NTRODUCTION The perimeter and area of rhombi and parallelograms have been dealt with in earlier lessons. Both the area and perimeter of these quadrilaterals can

437 views • 15 slides
Accelerate Innovation in the Enterprise Solutions and Reference architecture with Distributed ML

Accelerate Innovation in the Enterprise Solutions and Reference architecture with Distributed ML

Accelerate Innovation in the Enterprise Solutions and Reference architecture with Distributed ML / DL on GPUs Thomas Phelan and Nanda Vijaydev BlueData (recently acquired by HPE) NVIDIA GTC March 2019 Agenda AI, Machine Learning

640 views • 39 slides
Plan 1. Application Servers 2. Servlets, JSP, JDBC 3. J2EE: Vue densemble 4. Distributed

Plan 1. Application Servers 2. Servlets, JSP, JDBC 3. J2EE: Vue densemble 4. Distributed

Plan 1. Application Servers 2. Servlets, JSP, JDBC 3. J2EE: Vue densemble 4. Distributed Programming 5. Enterprise JavaBeans 6. Enterprise JavaBeans: Special Topics 7. Prise de recul critique Department of Informatics 5. Enterprise JavaBeans

878 views • 29 slides
Accelerate Innovation in the Enterprise Solutions and Reference with Distributed ML / DL

Accelerate Innovation in the Enterprise Solutions and Reference with Distributed ML / DL

Accelerate Innovation in the Enterprise Solutions and Reference with Distributed ML / DL architecture Nanda Vijaydev BlueData (recently acquired by HPE) The AI Conference, New York Agenda AI, Machine Learning (ML), and Deep Learning

803 views • 35 slides
Zerto Virtual Replication 5.0 BC/DR Technology for the Enterprise Cloud R M Sugiarto Wisepac

Zerto Virtual Replication 5.0 BC/DR Technology for the Enterprise Cloud R M Sugiarto Wisepac

Zerto Virtual Replication 5.0 BC/DR Technology for the Enterprise Cloud R M Sugiarto Wisepac Mobile 0815 167 2882 We now liv live in in a world of f 24/7 business where IT IT has to maximize upti time & dri rive effi ficiency wit

526 views • 23 slides
Virtual Operations Centres for Coalition Operations and Distributed Team Collaboration Austin

Virtual Operations Centres for Coalition Operations and Distributed Team Collaboration Austin

Virtual Operations Centres for Coalition Operations and Distributed Team Collaboration Austin Tate & Jeff Hansberger University of Edinburgh & US Army Research Lab http://openvce.net Project to provide a Virtual Collaboration

370 views • 34 slides
A Decomposi+on-Based Architecture for Distributed Virtual Network

A Decomposi+on-Based Architecture for Distributed Virtual Network

A Decomposi+on-Based Architecture for Distributed Virtual Network Embedding Flavio Esposito Ibrahim Ma2a Advanced Technologies Computer Science Department

812 views • 53 slides
Implications of the AEMCs Implications of the AEMCs economic regulation of network service

Implications of the AEMCs Implications of the AEMCs economic regulation of network service

Implications of the AEMCs Implications of the AEMCs economic regulation of network service providers draft rule for consumers Ed Willett Acting AER Chairman EUAA Annual Conference - October 2012 Topics Rationale for the AERs

455 views • 7 slides
( 11 9 )

( 11 9 )

5/4/2016 ( 11 9 ) 1 5/4/2016 .

701 views • 47 slides
Inside IHE: Patient Care Device Webinar Series 2017 Presented by Monroe Pattillo Practical

Inside IHE: Patient Care Device Webinar Series 2017 Presented by Monroe Pattillo Practical

Inside IHE: Patient Care Device Webinar Series 2017 Presented by Monroe Pattillo Practical Health Interoperability, LLC IHE PCD Planning Committee Co-Chair Patient Care Device (PCD) Domain Formed in 2005 to address Point-of-Care Medical

424 views • 24 slides
IS511 Introduction to Information Security Lecture 1 Introduction Yongdae Kim Instructor, TA,

IS511 Introduction to Information Security Lecture 1 Introduction Yongdae Kim Instructor, TA,

IS511 Introduction to Information Security Lecture 1 Introduction Yongdae Kim Instructor, TA, Office Hours Yongdae Kim 4 yongdaek (at) kaist. ac. kr, yongdaek (at) gmail. com 4 Office: N26 201 Insik Shin 4 insik.shin (at) cs.

836 views • 47 slides
Carl W. Stenberg Ingrid Schroeder University of North Carolina- The Pew Charitable Trusts

Carl W. Stenberg Ingrid Schroeder University of North Carolina- The Pew Charitable Trusts

Carl W. Stenberg Ingrid Schroeder University of North Carolina- The Pew Charitable Trusts Chapel Hill Raymond Scheppach Ed DeSeve University of Virginia Brookings Institution Big Questions About Intergovernmental Relations Carl W.

444 views • 42 slides
The Exciting World of Policies Sarah Hoy Principal Policy Advisor, Emergency Access System

The Exciting World of Policies Sarah Hoy Principal Policy Advisor, Emergency Access System

The Exciting World of Policies Sarah Hoy Principal Policy Advisor, Emergency Access System Relationships Branch, MoH June 2014 What is different about Health Policies? Very few NSW Health Policies are based on Legislation (medications,

363 views • 5 slides
Experimental Design & Evaluation 1. Introduction to ED&E SunyoungKim,PhD

Experimental Design & Evaluation 1. Introduction to ED&E SunyoungKim,PhD

Experimental Design & Evaluation 1. Introduction to ED&E SunyoungKim,PhD Todays agenda Who are we? What is this course about? Syllabus Evaluation Class policy Introduction to ED&E

1.03k views • 79 slides
Where Angels Fear to Tread: Becoming More Effective with Emotionally Vulnerable Clients BECCA

Where Angels Fear to Tread: Becoming More Effective with Emotionally Vulnerable Clients BECCA

UNC-CH School of Social Work & Wake AHEC Clinical Lecture Series Where Angels Fear to Tread: Becoming More Effective with Emotionally Vulnerable Clients BECCA EDWARDS-POWELL, MSW, LCSW Feelings like disappointment, embarrassment,

787 views • 52 slides

More recommend