Q: After reading chapter 3, analyze how separation within a network is a great technical control. The response must contain at least one external citation and reference in APA format. Resources: Pleas

Chapter 3 – Separation
Cyber Attacks: Protecting National Infrastructure, 1st ed.
Copyright © 2012, Elsevier Inc. All Rights Reserved

Introduction
• Using a firewall to separate network assets from intruders is the most familiar approach in cyber security
• Networks and systems associated with national infrastructure assets tend to be too complex for firewalls alone to be effective

Introduction
• Three new approaches to the use of firewalls are necessary to achieve optimal separation
– Network-based separation
– Internal separation
– Tailored separation

Fig. 3.1 – Firewalls in simple and complex networks

What Is Separation?
• Separation is a technique that accomplishes one of the following
– Adversary separation
– Component distribution

What Is Separation?
• A working taxonomy of separation techniques: three primary factors are involved in the use of separation
– The source of the threat
– The target of the security control
– The approach used in the security control
(See Figure 3.2)

Fig. 3.2 – Taxonomy of separation techniques

Functional Separation
• Separation is commonly achieved using an access control mechanism with the requisite authentication and identity management
• An access policy identifies the desired allowances for users requesting to perform actions on system entities
• Two approaches
– Distributed responsibility
– Centralized control
– (Both will be required)

Fig. 3.3 – Distributed versus centralized mediation

National Infrastructure Firewalls
• Firewalls are placed between a system or enterprise and an untrusted network (say, the Internet)
• Two weaknesses arise
– Coverage: the firewall might not cover all paths between the untrusted network and the protected assets
– Accuracy: the firewall may be forced to permit a flow that inadvertently opens access to other protected assets behind it

Fig. 3.4 – Wide area firewall aggregation and local area firewall segregation

National Infrastructure Firewalls
• Increased wireless connectivity is a major challenge to national infrastructure security
• Network service providers offer advantages for centralized security
– Vantage point: network service providers can see a lot of traffic
– Operations: network providers have the operational capacity to keep security software current
– Investment: network service providers have the financial wherewithal and the motivation to invest in security

Fig. 3.5 – Carrier-centric network-based firewall

DDOS Filtering
• The network-based firewall concept includes a device for throttling distributed denial of service (DDOS) attacks
• Called a DDOS filter
• Modern DDOS attacks are designed with such filtering in mind, so a more advanced filtering system is required

Fig. 3.6 – DDOS filtering of inbound attacks on target assets

SCADA Separation Architecture
• SCADA: supervisory control and data acquisition
• SCADA systems: a set of software, computers, and networks that provide remote coordination of control systems for tangible infrastructure
• Structure includes the following
– Human-machine interface (HMI)
– Master terminal unit (MTU)
– Remote terminal unit (RTU)
– Field control systems

Fig. 3.7 – Recommended SCADA system firewall architecture

Physical Separation
• Why not simply unplug a system's external connections? (Called air gapping)
• As systems and networks grow more complex, it becomes more likely that unknown or unauthorized external connections will arise
• Basic principles for truly air-gapped networks:
– Clear policy
– Boundary scanning
– Violation consequences
– Reasonable alternatives

Fig. 3.8 – Bridging an isolated network via a dual-homing user

Insider Separation
• Hard to defend against a determined insider
• Threats may also come from trusted partners
• Background checks are a start
• Techniques for countering insider attack
– Internal firewalls
– Deceptive honeypots
– Enforcement of data markings
– Data leakage protection (DLP) systems
• Segregation of duties offers another layer of protection

Fig. 3.9 – Decomposing work functions for segregation of duty

Asset Separation
• Involves the distribution, replication, decomposition, or segregation of national assets
– Distribution: creating functionality using multiple cooperating components that work together as a distributed system
– Replication: copying assets across components so that if one copy is broken, another remains available
– Decomposition: breaking complex assets into individual components so that an isolated compromise won't bring down the whole asset
– Segregation: separation of assets through special access controls, data markings, and policy enforcement

Fig. 3.10 – Reducing DDOS risk through CDN-hosted content

Multilevel Security (MLS)
• Typically, mandatory access controls and audit trail hooks were embedded into the underlying operating system kernel
• Popular in the 1980s and 1990s

Fig. 3.11 – Using MLS logical separation to protect assets

National Separation Program
• Internet separation: certain assets simply shouldn't be accessible from the Internet
• Network-based firewalls: these should be managed by a centralized group
• DDOS protection: all assets should have protection in place before an attack
• Internal separation: critical national infrastructure settings need an incentive to implement an internal separation policy
• Tailoring requirements: vendors should be incentivized to build tailored systems, such as firewalls for special SCADA environments
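The two firewall weaknesses on the National Infrastructure Firewalls slide (coverage and accuracy) and the dual-homed bridge of Fig. 3.8 can both be checked mechanically against a network model. The following Python is an added example written for this page, not code from the book; the topology, the firewall names and the rule table are constructed. A firewall is modelled as a node that mediates every link through it, so a path that avoids all firewall nodes is a coverage gap, and a permitted rule whose destination shares a flat segment with other protected assets is an accuracy gap.

```python
from collections import deque

# Constructed example topology (not from the book). Nodes are hosts or network
# zones and EDGES are links between them. Nodes listed in FIREWALLS are mediation
# points: traffic crossing them is subject to that firewall's rule table; traffic
# on any other link is never inspected.
EDGES = [
    ("internet", "edge-fw"),
    ("edge-fw", "dmz-web"),
    ("dmz-web", "scada-fw"),
    ("scada-fw", "hmi"),
    ("hmi", "mtu"),              # HMI, MTU and RTU share one flat control segment
    ("mtu", "rtu"),
    ("internet", "eng-laptop"),  # an engineer's laptop is on the Internet over wireless...
    ("eng-laptop", "hmi"),       # ...and has a second NIC on the control segment (dual-homed)
]
FIREWALLS = {"edge-fw", "scada-fw"}
PROTECTED = {"hmi", "mtu", "rtu"}

# Permitted flows as (firewall, source, destination, service); everything else is denied.
RULES = [
    ("edge-fw", "internet", "dmz-web", "https"),
    ("scada-fw", "dmz-web", "hmi", "https"),  # operators reach the HMI from the DMZ
]


def adjacency(edges):
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def unmediated_path(adj, src, dst, firewalls):
    """Breadth-first search that never enters a firewall node. Any path it
    returns is a route on which no firewall sees the traffic."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj.get(node, ()):
            if nxt not in firewalls and nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def coverage_gaps(edges, firewalls, untrusted, protected):
    """Coverage check: map each protected asset to an unmediated path from the
    untrusted zone, if one exists (an empty dict means every path is covered)."""
    adj = adjacency(edges)
    gaps = {}
    for asset in sorted(protected):
        path = unmediated_path(adj, untrusted, asset, firewalls)
        if path:
            gaps[asset] = path
    return gaps


def segment(adj, node, firewalls):
    """All nodes reachable from `node` without crossing a firewall, i.e. the
    flat segment a permitted flow lands in."""
    seen = {node}
    queue = deque([node])
    while queue:
        cur = queue.popleft()
        for nxt in adj.get(cur, ()):
            if nxt not in firewalls and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def accuracy_gaps(edges, firewalls, rules, protected):
    """Accuracy check: for each permitted rule, list the other protected assets
    that share the destination's segment and are therefore exposed to anyone
    who compromises the permitted destination."""
    adj = adjacency(edges)
    findings = []
    for rule in rules:
        dst = rule[2]
        exposed = (segment(adj, dst, firewalls) & protected) - {dst}
        if exposed:
            findings.append((rule, sorted(exposed)))
    return findings


if __name__ == "__main__":
    for asset, path in coverage_gaps(EDGES, FIREWALLS, "internet", PROTECTED).items():
        print(f"coverage gap: {asset} reachable unmediated via {' -> '.join(path)}")
    for rule, exposed in accuracy_gaps(EDGES, FIREWALLS, RULES, PROTECTED):
        print(f"accuracy gap: rule {rule} also exposes {exposed}")
```

On the constructed topology every control asset is reachable through the dual-homed laptop without touching either firewall, which is the boundary-scanning finding the Physical Separation slide calls for; removing the laptop's second link closes the coverage gap. The accuracy gap remains: the one rule admitting HTTPS to the HMI also exposes the MTU and RTU on the same flat segment, which is why the recommended SCADA architecture (Fig. 3.7) puts firewalls between those tiers rather than only in front of them.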
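The Insider Separation slide and Fig. 3.9 describe decomposing a sensitive piece of work into functions held by different people. The Python below is an added example for this page, not the book's material; the four-step change workflow, the conflicting pairs and the staff assignments are constructed. It reports two things a reviewer of such a scheme wants: who holds a conflicting pair, and how many people would have to collude to run the workflow end to end (a threshold of 1 means segregation has failed).

```python
from itertools import combinations

# Constructed example (not from the book): a control-system change is decomposed
# into four work functions, each of which should be held by a different person.
WORKFLOW = ["author", "approve", "deploy", "verify"]

# Pairs of functions one person must never hold together.
CONFLICTS = {
    frozenset({"author", "approve"}),   # cannot approve your own change
    frozenset({"approve", "deploy"}),   # approver cannot push it to the MTU
    frozenset({"deploy", "verify"}),    # deployer cannot sign off on field readings
}

# Constructed assignments, including a legacy catch-all account.
ASSIGNMENTS = {
    "alice": {"author"},
    "bob": {"approve"},
    "carol": {"deploy"},
    "dave": {"verify"},
    "plant-manager": {"author", "approve", "deploy", "verify"},
}


def conflict_violations(assignments, conflicts):
    """People who hold both halves of a conflicting pair, as (person, pair) tuples."""
    findings = []
    for person, functions in sorted(assignments.items()):
        for pair in sorted(conflicts, key=sorted):
            if pair <= functions:
                findings.append((person, tuple(sorted(pair))))
    return findings


def collusion_threshold(assignments, workflow):
    """Smallest number of people whose combined functions cover the whole
    workflow, plus one such group. Brute force is fine at team scale."""
    people = sorted(assignments)
    needed = set(workflow)
    for size in range(1, len(people) + 1):
        for group in combinations(people, size):
            held = set().union(*(assignments[p] for p in group))
            if needed <= held:
                return size, list(group)
    return None


def without(assignments, person):
    """Assignments with one account removed, e.g. after retiring a catch-all login."""
    return {p: f for p, f in assignments.items() if p != person}


if __name__ == "__main__":
    print("conflicts:", conflict_violations(ASSIGNMENTS, CONFLICTS))
    print("collusion threshold:", collusion_threshold(ASSIGNMENTS, WORKFLOW))
    trimmed = without(ASSIGNMENTS, "plant-manager")
    print("after removing catch-all account:", collusion_threshold(trimmed, WORKFLOW))
```

The collusion threshold is the number worth tracking over time: a pair-wise conflict list can be satisfied while a single account still covers the whole workflow through functions that were never declared conflicting, so the set-cover check catches what the pair list misses.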
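The Multilevel Security slide and Fig. 3.11 refer to kernel-embedded mandatory access controls with audit hooks. The Python below is an added example for this page, not the book's code, showing the label comparison such a control performs: a subject may read an object only when its clearance dominates the object's classification (no read up) and may write only when the object's classification dominates its clearance (no write down). The level names, compartments, subjects and objects are constructed.

```python
from dataclasses import dataclass

# Ordered sensitivity levels; a higher number dominates a lower one (constructed names).
LEVELS = {"UNCLASSIFIED": 0, "SENSITIVE": 1, "CRITICAL": 2}


@dataclass(frozen=True)
class Label:
    """A security label: a sensitivity level plus a set of need-to-know compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """True when this label is at least as high and holds every compartment of `other`."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


class ReferenceMonitor:
    """Mediates every access by label comparison and records the decision in an audit trail."""

    def __init__(self):
        self.subjects = {}   # subject name -> clearance label
        self.objects = {}    # object name  -> classification label
        self.audit = []      # (subject, op, object, decision)

    def add_subject(self, name, level, *compartments):
        self.subjects[name] = Label(level, frozenset(compartments))

    def add_object(self, name, level, *compartments):
        self.objects[name] = Label(level, frozenset(compartments))

    def check(self, subject, op, obj):
        clearance = self.subjects[subject]
        classification = self.objects[obj]
        if op == "read":
            # Simple security property: no read up.
            allowed = clearance.dominates(classification)
        elif op == "write":
            # *-property: no write down, so data cannot flow into a less protected object.
            allowed = classification.dominates(clearance)
        else:
            raise ValueError(f"unknown operation {op!r}")
        self.audit.append((subject, op, obj, "ALLOW" if allowed else "DENY"))
        return allowed


def build_demo_monitor():
    """Constructed subjects and objects for a grid operator and a public status portal."""
    rm = ReferenceMonitor()
    rm.add_subject("grid-operator", "CRITICAL", "GRID")
    rm.add_subject("public-portal", "UNCLASSIFIED")
    rm.add_object("grid-setpoints", "CRITICAL", "GRID")
    rm.add_object("water-setpoints", "CRITICAL", "WATER")
    rm.add_object("status-page", "UNCLASSIFIED")
    return rm


if __name__ == "__main__":
    rm = build_demo_monitor()
    for subj, op, obj in [("grid-operator", "read", "grid-setpoints"),
                          ("grid-operator", "read", "water-setpoints"),
                          ("grid-operator", "write", "status-page"),
                          ("public-portal", "read", "grid-setpoints")]:
        rm.check(subj, op, obj)
    for entry in rm.audit:
        print(entry)
```

Two caveats a practitioner should keep in mind. The compartment check is what keeps a CRITICAL grid operator out of CRITICAL water data, so separation between infrastructure sectors comes from compartments, not levels. And this model is confidentiality-only: an UNCLASSIFIED subject is permitted a blind write up into a CRITICAL object, so protecting the integrity of control setpoints needs an additional integrity policy, which is one reason MLS kernels were rarely deployed alone.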