Designing Converged Networks

Transcript Designing Converged Networks

Designing for Pervasive Network Security
Designing for Security
• Our aim in this section is to concentrate on how campus
networks can be designed to address some of the security overlays
– Detailed security implementations and HP's Pervasive Network
Security strategy are covered in the corresponding sessions
• Key Security implementations in Enterprise Campus Networks
– Device Management Security
– VLAN centric design
• Separate VLANs for management
• Separate VLANs for Wireless clients
– If using WLAN switching, wireless users can be on separate VLANs
• Map VLANs to Security zones and use firewalls/security appliances where
appropriate
– Authentication and Authorisation
• Network Login 802.1X
• AutoVLANs using 802.1X
– Identifying and Controlling Rogue Applications
VLAN Centric Design
• VLANs provide security and traffic segmentation and are supported by
Network Cards, switches, wireless access points, routers and security
appliances
• Use VLANs to segment network in logical groups or business
functions
• VLANs can be mapped to IP Subnets and are terminated by
routers/Layer 3 switches
• 802.1Q tagging is the standards-based VLAN tagging mechanism
• VLAN Deployment Guidelines
– Use consistent naming and VLAN Tags for all VLANs across the network
– Configure the correct VLAN Tags on both ends of switch-switch links
– Configure all VLANs across all switches for complete user mobility across the
campus
– In resilient topologies ensure STP does not inadvertently block VLANs between
switches (use MSTP instead)
– Ensure that Aggregated Links carry the correct VLAN tagging information
– Create a separate management VLAN for all active devices
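The deployment guidelines above are all things that can be checked mechanically against the switch inventory. The following is an added example (not from the slides or from HP) that encodes the guidelines as checks over a constructed, hypothetical three-switch campus: consistent VLAN names per VID, identical tagged VIDs on both ends of every switch-switch or aggregated link, every VLAN present on every switch for mobility, and a dedicated management VLAN tagged on every trunk. The inventory format is an assumption for the example; a real audit would pull the same data from the switches over SNMP or the CLI.

```python
"""VLAN deployment guideline checks over a campus switch inventory.

Added example, not part of the original slides. The inventory is a
constructed, hypothetical campus described as plain dicts
(VID -> VLAN name, trunk port -> tagged VIDs); the format is an
assumption for the example.
"""
from dataclasses import dataclass


@dataclass
class Switch:
    name: str
    vlans: dict    # VID -> VLAN name configured on this switch
    trunks: dict   # trunk port (or aggregated link) -> set of tagged VIDs


@dataclass
class Link:
    a: tuple       # (switch name, port) on one end
    b: tuple       # (switch name, port) on the other end


def inconsistent_names(switches):
    """One VID should carry one name network-wide; report VIDs that do not."""
    names = {}
    for sw in switches.values():
        for vid, name in sw.vlans.items():
            names.setdefault(vid, set()).add(name)
    return {vid: sorted(n) for vid, n in names.items() if len(n) > 1}


def mismatched_links(switches, links):
    """Both ends of a switch-switch link must carry the same tagged VIDs.
    An aggregated link is modelled as one logical port, so it gets the same check."""
    problems = []
    for link in links:
        (sa, pa), (sb, pb) = link.a, link.b
        diff = switches[sa].trunks.get(pa, set()) ^ switches[sb].trunks.get(pb, set())
        if diff:
            problems.append((link.a, link.b, sorted(diff)))
    return problems


def missing_for_mobility(switches):
    """Every VLAN should exist on every switch so a user can roam anywhere."""
    all_vids = set()
    for sw in switches.values():
        all_vids |= set(sw.vlans)
    return {sw.name: sorted(all_vids - set(sw.vlans))
            for sw in switches.values() if all_vids - set(sw.vlans)}


def management_vlan_gaps(switches, mgmt_vid):
    """The management VLAN must be defined on every device and tagged on every
    trunk. Flagging VID 1 is this example's assumption: a separate management
    VLAN should not be the switches' default VLAN."""
    gaps = []
    if mgmt_vid == 1:
        gaps.append("management VLAN is the default VLAN 1; use a dedicated VID")
    for sw in switches.values():
        if mgmt_vid not in sw.vlans:
            gaps.append(f"{sw.name}: VLAN {mgmt_vid} not defined")
        for port, vids in sw.trunks.items():
            if mgmt_vid not in vids:
                gaps.append(f"{sw.name} port {port}: VLAN {mgmt_vid} not tagged")
    return gaps


# Constructed inventory: closet2 was never given the management VLAN and
# names VLAN 20 differently from the rest of the campus.
SWITCHES = {
    "core": Switch("core", {1: "DEFAULT", 10: "Staff", 20: "Guest", 99: "Mgmt"},
                   {"Trk1": {10, 20, 99}, "Trk2": {10, 20, 99}}),
    "closet1": Switch("closet1", {1: "DEFAULT", 10: "Staff", 20: "Guest", 99: "Mgmt"},
                      {"24": {10, 20, 99}}),
    "closet2": Switch("closet2", {1: "DEFAULT", 10: "Staff", 20: "Guests"},
                      {"24": {10, 20}}),
}
LINKS = [Link(("core", "Trk1"), ("closet1", "24")),
         Link(("core", "Trk2"), ("closet2", "24"))]


def audit(switches=SWITCHES, links=LINKS, mgmt_vid=99):
    """Run every guideline check and return the findings by check name."""
    return {
        "names": inconsistent_names(switches),
        "links": mismatched_links(switches, links),
        "mobility": missing_for_mobility(switches),
        "management": management_vlan_gaps(switches, mgmt_vid),
    }


if __name__ == "__main__":
    for check, findings in audit().items():
        print(check, findings)
```

Each finding maps back to one guideline, so the audit output doubles as a remediation list: the link mismatch and the missing VLAN 99 on closet2 are the same root cause and would be fixed by adding the management VLAN there and tagging it on port 24.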
Device Management Security
• For networks concerned about the security of their active devices
the following security capabilities should be considered
– User Authentication for Device Management: Only authenticated users
can access device management (RADIUS or Local)
– Authorised manager access (Trusted IP): Only authorised IP addresses or
subnets can gain management access
– Device Management VLAN: Separate configurable VLAN/subnet for
management
– Selectable device management options and encrypted management
sessions: enable/disable Telnet and HTTP access, with support for SSH,
HTTPS etc.
• Some or all of these capabilities can be deployed to
provide device protection for switches, routers and appliances
Device Management VLAN
• A dedicated VLAN for management of active devices can be deployed for greater control
• The Device Management VLAN can span the entire campus using VLAN tagging
• Access to management can be in-band or out of band
– For in-band access, use routing with ACLs or security appliances to control traffic to the management VLAN
• Considerations for Device Management VLAN
– Ensure devices support a configurable VID for management
– Campus-wide management VLANs are more applicable in centralised Layer 3 topologies
– Device Management VLANs can also be localised within a wiring closet or a building for distributed L3 topologies
[Figure: campus diagram with user VLANs VLAN10, VLAN20, VLAN30, VLAN40, VLAN50 and VLAN60 and a Management VLAN (VID=1) spanning the active devices]
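For in-band management the two controls named above, an authorised-manager (trusted IP) list and an ACL in front of the management VLAN, amount to an ordered rule list on the routed interface facing that VLAN. The block below is an added example, not from the slides or from HP: it builds such an ACL from a trusted-manager subnet (permit only SSH and HTTPS from it, deny Telnet and HTTP explicitly, deny everything else) and evaluates it first-match over a few constructed flows. The subnets, addresses and flows are constructed for the example.

```python
"""First-match ACL protecting in-band access to a device management VLAN.

Added example, not part of the original slides. Subnets, addresses and
sample flows are constructed; the rule semantics (ordered, first match
wins, explicit final deny) are the usual router/Layer 3 switch ACL model.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
MGMT_VLAN = ipaddress.ip_network("10.99.0.0/24")            # constructed: management VLAN subnet
TRUSTED_MANAGERS = [ipaddress.ip_network("10.50.1.0/28")]   # constructed: authorised manager subnet


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, proto, src, dst, dport):
        return ((self.proto == "any" or self.proto == proto)
                and src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))


def build_mgmt_acl(mgmt_net, trusted):
    """ACL for the routed interface facing the management VLAN.
    Telnet and HTTP get explicit deny entries so the intent is visible
    (and countable) even though the final deny would catch them anyway."""
    rules = []
    for net in trusted:
        rules.append(Rule("permit", "tcp", net, mgmt_net, 22))    # SSH from trusted managers
        rules.append(Rule("permit", "tcp", net, mgmt_net, 443))   # HTTPS from trusted managers
    rules.append(Rule("deny", "tcp", ANY, mgmt_net, 23))          # Telnet disabled
    rules.append(Rule("deny", "tcp", ANY, mgmt_net, 80))          # HTTP disabled
    rules.append(Rule("deny", "any", ANY, ANY))                   # explicit final deny
    return rules


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, index of the matching rule) for one flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for index, rule in enumerate(acl):
        if rule.matches(proto, src, dst, dport):
            return rule.action, index
    return "deny", None   # not reached with the final catch-all, kept for safety


# Constructed flows: (proto, source, destination, destination port)
SAMPLE_FLOWS = [
    ("tcp", "10.50.1.5", "10.99.0.10", 22),    # admin host, SSH
    ("tcp", "10.50.1.5", "10.99.0.10", 23),    # admin host, Telnet (disabled service)
    ("tcp", "10.20.4.77", "10.99.0.10", 22),   # user VLAN host, SSH (not a trusted manager)
    ("udp", "10.50.1.5", "10.99.0.10", 161),   # admin host, SNMP (not in the permit list)
]


def audit_flows(flows=SAMPLE_FLOWS, acl=None):
    """Evaluate each flow; a deny result is what the ACL log would record."""
    acl = acl if acl is not None else build_mgmt_acl(MGMT_VLAN, TRUSTED_MANAGERS)
    return [evaluate(acl, proto, src, dst, dport)[0:2]
            for proto, src, dst, dport in flows]


if __name__ == "__main__":
    for flow, result in zip(SAMPLE_FLOWS, audit_flows()):
        print(result, flow)
```

The matching rule index is returned alongside the action because, in practice, the per-entry hit counters are how you notice that something other than the admin subnet is knocking on the management VLAN; a rising counter on the Telnet or catch-all entry is worth an alert even though the traffic was dropped.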
Network Authentication and Authorisation
• Why use 802.1X?
– Users must authenticate before gaining access to network resources
– All authorizations can be administered centrally
– Accounting records can be kept (who, when, where)
• Log files can record various session data, packet counts, session
durations and user names
• Information can be used for billing
– Security Auditing
• Network administrators can record who is accessing the network in real time
– Management
• Network Management applications can display user information
• Clients can be dynamically tracked in real time using Network
Management
Network Login and wired VLANs
• 802.1X Network Login can be associated with VLANs using
the following methods
• Static
– Authenticated users assume the pre-configured VLAN membership
of their connected port
• Dynamic (AutoVLANs)
– Authenticated users are dynamically placed in their corresponding
VLAN based on RADIUS attributes
• Non-authenticated users are either excluded or become
members of a “guest” VLAN
• Some devices such as telephones are automatically
authenticated based on MAC address
Auto VLAN and QoS Assignment using 802.1X
[Figure: a user presents User ID: Teacher, PWD: @#$%^ over 802.1X; the RADIUS server returns "Valid User, VLAN ID: Teacher VLAN, QoS Profile: Email LowP, Web LowP, Records Server HighP" and the switch places the user in the Staff VLAN; a client with User ID: ? and Pwd: ? is placed in the Guest VLAN]
Network Login and wireless VLANs
• Wireless users can be placed dynamically in the appropriate
VLAN using 802.1X Network Login and RADIUS (VLAN
ID)
• VLAN tagging on Ethernet port of Access point ensures that
AP is aware of all configured VLANs
• Wireless Access point will tunnel wireless user traffic on the
appropriate tagged VLAN already configured on Ethernet
port
• Network Login based Wireless VLANs can deliver end to
end mobility across wired and wireless media
• Access Points also support multiple SSIDs that can be
mapped to separate VLANs for greater level of security
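Both the wired and the wireless AutoVLAN cases above come down to the same step: the switch port or access point (the 802.1X authenticator) reads the VLAN assignment out of the RADIUS reply and falls back to the port's static VLAN or to the guest VLAN when there is none. The block below is an added example (not from the slides or from HP) that hand-encodes the standard RADIUS attributes used for this, Tunnel-Type (64), Tunnel-Medium-Type (65) and Tunnel-Private-Group-ID (81) from RFC 2868/3580 plus Filter-Id (11), and decodes them into the three outcomes the slides describe: dynamic, static and guest. VLAN numbers, VLAN names and the sample users are constructed.

```python
"""Deciding a client's VLAN from RADIUS attributes, as an 802.1X authenticator would.

Added example, not part of the original slides. Attribute numbers and
the tag-octet rule follow RFC 2868 / RFC 3580; VLAN IDs, names and
sample users are constructed.
"""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PRIVATE_GROUP_ID, FILTER_ID = 64, 65, 81, 11
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE802 = 6    # Tunnel-Medium-Type value for IEEE-802


def encode_attrs(attrs):
    """Serialise (type, value bytes) pairs into RADIUS type/length/value form."""
    out = b""
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value length out of range")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Parse RADIUS TLVs, refusing malformed lengths instead of guessing."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 3 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def strip_tag(value):
    """Tunnel attributes may start with a tag octet; a first byte above 0x1F
    is part of the value, not a tag (RFC 2868)."""
    return value[1:] if value and value[0] <= 0x1F else value


def vlan_access_accept(vlan, filter_id=None, tag=1):
    """Attributes a RADIUS server would put in an Access-Accept for AutoVLAN;
    `vlan` may be a VID or a VLAN name, both allowed by RFC 3580."""
    t = bytes([tag])
    attrs = [
        (TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (TUNNEL_MEDIUM, t + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, t + str(vlan).encode()),
    ]
    if filter_id:
        attrs.append((FILTER_ID, filter_id.encode()))
    return encode_attrs(attrs)


def decide_vlan(accepted, attr_bytes, port_vid, guest_vid=None, vlan_by_name=None):
    """Authenticator decision for one port/association.
    accepted: True for Access-Accept, False for Access-Reject or no answer."""
    if not accepted:
        if guest_vid is None:
            return {"mode": "excluded", "vid": None, "filter_id": None}
        return {"mode": "guest", "vid": guest_vid, "filter_id": None}
    found = {}
    for atype, value in decode_attrs(attr_bytes):
        found.setdefault(atype, value)            # keep the first instance of each type
    filter_id = found.get(FILTER_ID, b"").decode(errors="replace") or None
    vlan_tunnel = (strip_tag(found.get(TUNNEL_TYPE, b"")) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                   and strip_tag(found.get(TUNNEL_MEDIUM, b"")) == TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
    group = strip_tag(found.get(TUNNEL_PRIVATE_GROUP_ID, b"")).decode(errors="replace")
    vid = None
    if vlan_tunnel and group.isdigit() and 1 <= int(group) <= 4094:
        vid = int(group)
    elif vlan_tunnel and vlan_by_name and group in vlan_by_name:
        vid = vlan_by_name[group]
    if vid is not None:
        return {"mode": "dynamic", "vid": vid, "filter_id": filter_id}
    # No usable VLAN attributes: static method, the port keeps its configured VLAN.
    return {"mode": "static", "vid": port_vid, "filter_id": filter_id}


def demo(port_vid=1, guest_vid=20):
    """Constructed scenarios: numeric VID, named VLAN, no VLAN attributes,
    failed login on a guest-capable port, failed login with no guest VLAN."""
    return (
        decide_vlan(True, vlan_access_accept(30, filter_id="Blaster"), port_vid, guest_vid),
        decide_vlan(True, vlan_access_accept("Teacher"), port_vid, guest_vid, {"Teacher": 30}),
        decide_vlan(True, encode_attrs([(FILTER_ID, b"Blaster")]), port_vid, guest_vid),
        decide_vlan(False, b"", port_vid, guest_vid),
        decide_vlan(False, b"", port_vid),
    )


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The same decision runs unchanged on an access point: the only difference on the wireless side is that the resulting VID selects which tagged VLAN on the AP's Ethernet port the client's traffic is bridged onto, which is why the AP's uplink has to carry every VLAN the RADIUS server can hand out.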
Auto VLAN Assignment using 802.1X with Wireless Access Points
[Figure: a wireless user presents User ID: Teacher, PWD: @#$%^; the RADIUS server returns "Valid User, VLAN ID: Teacher VLAN" and the access point places the user in the Staff VLAN; a client with User ID: ? and Pwd: ? is placed in the Guest VLAN]
Mapping VLANs to Security Zones
• Map vulnerable VLANs (e.g. wireless, guest VLAN) to security zones in security appliances/firewalls for greater control
• If all VLANs are mapped to security zones then routing will be centralised by the security appliance
– May have performance implications
• A combination of Layer 3 switching, ACLs and security zones can provide greater protection without major performance compromises
• When multiple VLANs are mapped to a security zone, inter-VLAN routing within the security zone can be controlled by the local Layer 3 switch
• Use routing policies or default routes for sending traffic to the enforcement point
[Figure: a Policy Enforcement Point connecting the WAN, LAN 1, LAN 2, Internet DMZ and Wireless security zones]
Security Zones and VLANs
[Figure: routed virtual interfaces map VLAN1, VLAN2, VLAN3, VLAN10, VLAN11 and VLAN12 into Security Zones A and B, alongside Security Zones C, D and E]
Controlling Rogue Applications
• Use QoS and application filtering to control rogue applications where they originate from: the access layer
• Using network management, rogue users and applications can be identified quickly and corrective action taken
• Example:
• How application filtering and autoQoS assignment on the Switch 4400 could stop the proliferation of the W32.Blaster.Worm virus
• W32.Blaster.Worm virus exploits TCP:135 “DCOM RPC” and UDP:69 “TFTP”
– Create a classifier on the 4400 for TCP:135 and UDP:69
– Create a QoS profile called Blaster, assign the previous classifiers and apply the discard service level
– Enable 802.1X, AutoVLANs and autoQoS on the user ports
– On the RADIUS server assign the filter-id=Blaster attribute to all users
– Next time a user logs in to the network the Blaster profile will be applied on the switched port the user connects to
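The five steps above describe one mechanism: classifiers grouped into a named QoS profile, the profile bound to a port when the RADIUS Filter-Id arrives at login, and a discard service level for matching packets. The block below is an added example (not from the slides and not the Switch 4400's configuration syntax) that models exactly that in Python for the profile named on the slide, and adds per-port discard counters so a management station can tell which port is sourcing the filtered traffic, which is the "identify rogue users quickly" half of the slide. Port names and sample packets are constructed.

```python
"""Port-level application filtering driven by the RADIUS Filter-Id.

Added example, not part of the original slides and not the Switch 4400's
own syntax. It models the slide's Blaster profile (classifiers for
TCP 135 and UDP 69, discard service level), applies it at 802.1X login
and counts discards per port. Ports and packets are constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Classifier:
    name: str
    proto: str   # "tcp" or "udp"
    dport: int

    def matches(self, proto, dport):
        return self.proto == proto and self.dport == dport


@dataclass
class QoSProfile:
    name: str
    rules: list                  # (Classifier, service level), evaluated in order
    default_level: str = "normal"

    def classify(self, proto, dport):
        for cls, level in self.rules:
            if cls.matches(proto, dport):
                return cls.name, level
        return None, self.default_level


# The slide's profile: the worm's two propagation ports, both discarded.
BLASTER = QoSProfile("Blaster", [
    (Classifier("dcom-rpc", "tcp", 135), "discard"),
    (Classifier("tftp", "udp", 69), "discard"),
])
PROFILES = {"Blaster": BLASTER}


class AccessSwitch:
    """Minimal model of an access switch with 802.1X ports and autoQoS."""

    def __init__(self, profiles, alert_threshold=5):
        self.profiles = profiles
        self.port_profile = {}         # port -> QoSProfile bound at login
        self.discards = Counter()      # (port, classifier name) -> discarded packets
        self.alert_threshold = alert_threshold

    def user_login(self, port, filter_id):
        """Bind the profile named by the RADIUS Filter-Id to the port the user used."""
        profile = self.profiles.get(filter_id)
        if profile is None:
            raise KeyError(f"no QoS profile named {filter_id!r}")
        self.port_profile[port] = profile
        return profile.name

    def ingress(self, port, proto, dport):
        """Classify one packet arriving on a user port; return its service level."""
        profile = self.port_profile.get(port)
        if profile is None:
            return "unauthorized"      # 802.1X keeps a port closed until someone logs in
        cls, level = profile.classify(proto, dport)
        if level == "discard":
            self.discards[(port, cls)] += 1
        return level

    def rogue_ports(self):
        """Ports whose discard count reached the threshold: where to take corrective action."""
        per_port = Counter()
        for (port, _), n in self.discards.items():
            per_port[port] += n
        return sorted(p for p, n in per_port.items() if n >= self.alert_threshold)


# Constructed packets: (port, proto, destination port). Port 1 sends a couple of
# stray hits; port 7 repeatedly hits TCP 135, the signature of an infected host.
SAMPLE_PACKETS = [
    ("1", "tcp", 443), ("1", "tcp", 135), ("1", "udp", 69),
] + [("7", "tcp", 135)] * 6 + [("7", "tcp", 80)]


def demo():
    sw = AccessSwitch(PROFILES)
    sw.user_login("1", "Blaster")
    sw.user_login("7", "Blaster")
    levels = [sw.ingress(*pkt) for pkt in SAMPLE_PACKETS]
    return levels, sw.rogue_ports(), dict(sw.discards)


if __name__ == "__main__":
    levels, rogue, counts = demo()
    print(levels)
    print("ports needing attention:", rogue, counts)
```

Note that the legitimate traffic on port 7 (the HTTPS and HTTP packets) is still forwarded at the normal level; the profile only removes the two ports the worm needs, which is what lets the filter be pushed to every user port at login without first knowing which hosts are infected.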
Summary
• Efficient Convergence Network Design is key to performance,
business continuity and scalability
• Multi-tiered hierarchical network design provides significant
benefits in terms of scalability and fault tolerance
• Business Continuity is delivered by introducing high availability
capabilities across all network design layers
• Campus Network Designs can be optimised to support
Convergence applications by taking into account service
performance parameters, traffic prioritisation and support for
multicast
• Pervasive Network security addresses multiple threats, at multiple
network design areas and through a variety of mechanisms