
Secure Network Design
Lecture 10
Asst. Prof. Supakorn Kungpisdan, Ph.D.
[email protected]
NETE4630 Advanced Network Security and Implementation
Network Security Design: The 12 Step Program
1. Identify network assets
2. Analyze security risks
3. Analyze security requirements and tradeoffs
4. Develop a security plan
5. Define a security policy
6. Develop procedures for applying security policies
7. Develop a technical implementation strategy
8. Achieve buy-in from users, managers, and technical staff
9. Train users, managers, and technical staff
10. Implement the technical strategy and security procedures
11. Test the security and update it if any problems are found
12. Maintain security
Network Assets
- Hardware
- Software
- Applications
- Data
- Intellectual property
- Trade secrets
- Company’s reputation
Security Risks
- Hacked network devices
  - Data can be intercepted, analyzed, altered, or deleted
  - User passwords can be compromised
  - Device configurations can be changed
- Reconnaissance attacks
- Denial-of-service attacks
Security Tradeoffs
- Tradeoffs must be made between security goals and other goals:
  - Affordability
  - Usability
  - Performance
  - Availability
  - Manageability
A Security Plan
- High-level document that proposes what an organization is going to do to meet security requirements
- It specifies time, people, and other resources that will be required to develop a security policy and achieve implementation of the policy
A Security Policy
- Per RFC 2196, “The Site Security Handbook,” a security policy is a
  - “Formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.”
- The policy should address
  - Access, accountability, authentication, privacy, and computer technology purchasing guidelines
Security Mechanisms
- Physical security
- Authentication
- Authorization
- Accounting (Auditing)
- Data encryption
- Packet filters
- Firewalls
- Intrusion Detection Systems (IDSs)
Modularizing Security Design
- Security defense in depth
  - Network security should be multilayered with many different techniques used to protect the network
- Belt-and-suspenders approach
  - Don’t get caught with your pants down
Modularizing Security Design
- Secure all components of a modular design:
  - Internet connections
  - Public servers and e-commerce servers
  - Remote access networks and VPNs
  - Network services and network management
  - Server farms
  - User services
  - Wireless networks
Cisco’s Enterprise Composite Network Model (figure)
- Enterprise Campus: Network Management, Building Access, Building Distribution, Campus Backbone, Server Farm (together forming the Campus Infrastructure)
- Enterprise Edge: Edge Distribution, E-Commerce, Internet Connectivity, VPN/Remote Access, WAN
- Service Provider Edge: ISP A, ISP B, PSTN, Frame Relay/ATM
Cisco SAFE
- Cisco SAFE Blueprint addresses security in every module of a modular network architecture.
Legend (figure)
SAFE Block Diagram (figure)
Enterprise Campus Details (figure)
Management Module
- The primary goal of the management module is to facilitate the secure management of all devices and hosts within the enterprise SAFE architecture.
- Logging and reporting information flow from the devices through to the management hosts, while content, configurations, and new software flow to the devices from the management hosts.
Management Module
- Key Devices
  - SNMP Management host – provides SNMP management for devices
  - NIDS host – provides alarm aggregation for all NIDS devices in the network
  - Syslog host(s) – aggregates log information for Firewall and NIDS hosts
  - Access Control Server – delivers one-time, two-factor authentication services to the network devices
  - One-Time Password (OTP) Server – authorizes one-time password information relayed from the access control server
  - System Admin host – provides configuration, software, and content changes on devices
  - NIDS appliance – provides Layer 4 to Layer 7 monitoring of key network segments in the module
  - Cisco IOS Firewall – allows granular control for traffic flows between the management hosts and the managed devices
  - Layer 2 switch (with private VLAN support) – ensures data from managed devices can only cross directly to the IOS firewall
Management Module Details (figure)
Threats Mitigated
- Unauthorized Access – filtering at the IOS firewall stops most unauthorized traffic in both directions
- Man-in-the-Middle Attacks – management data is crossing a private network, making man-in-the-middle attacks difficult
- Network Reconnaissance – because all management traffic crosses this network, it does not cross the production network where it could be intercepted
- Password Attacks – the access control server allows for strong two-factor authentication at each device
- IP Spoofing – spoofed traffic is stopped in both directions at the IOS firewall
- Packet Sniffers – a switched infrastructure limits the effectiveness of sniffing
- Trust Exploitation – private VLANs prevent a compromised device from masquerading as a management host
Attack Mitigation Roles for Management Module (figure)
Core Module
- Key Device:
  - Layer 3 switching – route and switch production network data from one module to another
- Threats Mitigated:
  - Packet Sniffers – a switched infrastructure limits the effectiveness of sniffing
Building Distribution Module
- To provide distribution layer services to the building switches; these include routing, quality of service (QoS), and access control.
- Key Device: Layer 3 switches – aggregate Layer 2 switches in the building module and provide advanced services
- Threats Mitigated
  - Unauthorized Access – attacks against server module resources are limited by Layer 3 filtering of specific subnets
  - IP Spoofing
  - Packet Sniffers – a switched infrastructure limits the effectiveness of sniffing
Building Module
- SAFE defines the building module as the extensive network portion that contains end-user workstations, phones, and their associated Layer 2 access points. Its primary goal is to provide services to end users.
- Key Devices
  - Layer 2 switch – provides Layer 2 services to phones and user workstations
  - User workstation – provides data services to authorized users on the network
  - IP phone – provides IP telephony services to users on the network
- Threats Mitigated
  - Packet sniffers – a switched infrastructure and default VLAN services limit the effectiveness of sniffing
  - Virus and Trojan horse applications – host-based virus scanning prevents most viruses and many Trojan horses
Server Module
- To provide application services to end users and devices. Traffic flows on the server module are inspected by on-board intrusion detection within the Layer 3 switches.
- Key Devices
  - L3 Switch – provides Layer 3 services to the servers and inspects data crossing the server module with NIDS
  - Call Manager – performs call routing functions for IP telephony devices in the enterprise
  - Corporate and Department Servers – deliver file, print, and DNS services to workstations in the building module
  - E-Mail Server – provides SMTP and POP3 services to internal users
- Threats Mitigated
  - Unauthorized Access
  - Application Layer Attacks
  - IP Spoofing
  - Packet Sniffers
  - Trust Exploitation
  - Port Redirection
Edge Distribution Module
- To aggregate the connectivity from the various elements at the edge.
- Key Devices: Layer 3 switches – aggregate edge connectivity and provide advanced services
- Threats Mitigated
  - Unauthorized Access – filtering provides granular control over specific edge subnets and their ability to reach areas within the campus
  - IP Spoofing – RFC 2827 filtering limits locally initiated spoof attacks
  - Network Reconnaissance – filtering limits nonessential traffic from entering the campus, limiting a hacker’s ability to perform network recon
  - Packet Sniffers – a switched infrastructure limits the effectiveness of sniffing
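The RFC 2827 filtering named above (the same rule the corporate Internet module applies at the ISP and enterprise edge routers), as an added example that is not part of the slides or of Cisco SAFE: a Python function that makes the permit/deny decision for packets crossing the edge in either direction. The address blocks and packet records are constructed for the example.

```python
# Added example: RFC 2827-style anti-spoofing decision for an edge router.
# The address blocks below are constructed for the example, not a real site.
from ipaddress import ip_address, ip_network

# Address space the enterprise legitimately sources traffic from (constructed).
INTERNAL_PREFIXES = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]

# Sources that should never arrive from the Internet side (RFC 1918, loopback, etc.).
BOGON_PREFIXES = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]

# Constructed packet records: "<direction> <source IP>" as seen at the edge.
SAMPLE_RECORDS = [
    "outbound 10.0.0.5",        # internal host talking to the Internet: fine
    "outbound 8.8.8.8",         # inside host forging an outside source: drop
    "inbound 198.51.100.7",     # ordinary Internet source: fine
    "inbound 203.0.113.9",      # outside packet claiming our own address: drop
    "inbound 192.168.1.1",      # private source arriving from the Internet: drop
]

def is_internal(src):
    return any(src in net for net in INTERNAL_PREFIXES)

def rfc2827_decision(direction, src_ip):
    """Return 'permit' or 'deny' for one packet.

    outbound (campus -> Internet): the source must be ours, so a compromised
    host inside cannot send spoofed traffic ("locally initiated spoof attacks").
    inbound (Internet -> campus): the source must be neither ours nor a bogon,
    so an outside host cannot pose as an inside one.
    """
    src = ip_address(src_ip)
    if direction == "outbound":
        return "permit" if is_internal(src) else "deny"
    if direction == "inbound":
        spoofed = is_internal(src) or any(src in net for net in BOGON_PREFIXES)
        return "deny" if spoofed else "permit"
    raise ValueError("direction must be 'inbound' or 'outbound'")

def denied_records(records):
    """Apply the rule to '<direction> <src>' records; return those to drop."""
    return [r for r in records if rfc2827_decision(*r.split()) == "deny"]
```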
Enterprise Edge: Corporate Internet Module (figure)
Enterprise Edge: Corporate Internet Module
- Key Devices
  - SMTP server – acts as a relay between the Internet and the Internet mail servers; inspects content
  - DNS server – serves as authoritative external DNS server for the enterprise, relays internal requests to the Internet
  - FTP/HTTP server – provides public information about the organization
  - Firewall – provides network-level protection of resources and stateful filtering of traffic
  - NIDS appliance – provides Layer 4 to Layer 7 monitoring of key network segments in the module
  - URL Filtering Server – filters unauthorized URL requests from the enterprise
- Threats Mitigated
  - Unauthorized Access – mitigated through filtering at the ISP, edge router, and corporate firewall
  - Application Layer Attacks – mitigated through IDS at the host and network levels
  - Virus and Trojan Horse – mitigated through e-mail content filtering and host IDS
  - Password Attacks – limited services available to brute force, OS and IDS
  - Denial of Service
  - IP Spoofing – mitigated at the ISP edge and the enterprise edge router
  - Packet Sniffers – switched infrastructure and host IDS limit exposure
  - Network Reconnaissance – IDS detects recon, protocols filtered to limit effectiveness
  - Trust Exploitation – restrictive trust model and private VLANs limit trust-based attacks
  - Port Redirection – restrictive filtering and host IDS limit attack
Attack Mitigation Role for Corporate Internet Module (figure)
Enterprise Edge: Remote Access VPN Module
- The primary objective of this module is three-fold:
  - Terminate the VPN traffic from remote users
  - Provide a hub for terminating VPN traffic from remote sites, and
  - Terminate traditional dial-in users.
Enterprise Edge: Remote Access VPN Module (cont.)
- Key Devices
  - VPN Concentrator – authenticates individual remote users using Extended Authentication (XAUTH) and terminates their IPSec tunnels
  - VPN Router – authenticates trusted remote sites and provides connectivity using GRE/IPSec tunnels
  - Dial-In Server – authenticates individual remote users using TACACS+ and terminates their analog connections
  - Firewall – provides differentiated security for the three different types of remote access
  - NIDS appliance – provides Layer 4 to Layer 7 monitoring of key network segments in the module
- Threats Mitigated
  - Network Topology Discovery – only Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) are allowed into this segment from the Internet
  - Password Attack – OTP authentication reduces the likelihood of a successful password attack
  - Unauthorized Access – firewall services after packet decryption prevent traffic on unauthorized ports
  - Man-in-the-Middle – mitigated through encrypted remote traffic
  - Packet Sniffers – a switched infrastructure limits the effectiveness of sniffing
Attack Mitigation Roles for Remote Access VPN Module (figure)
Enterprise Edge: WAN Module
- Rather than being all-inclusive of potential WAN designs, this module shows resilience and security for WAN termination.
- Key Devices: IOS Router – using routing, access-control, and QoS mechanisms
- Threats Mitigated
  - IP Spoofing – mitigated through L3 filtering
  - Unauthorized Access – simple access control on the router can limit the types of protocols to which branches have access
Enterprise Edge: E-Commerce Module (figure)
Securing Internet Connections
- Physical security
- Firewalls and packet filters
- Audit logs, authentication, authorization
- Well-defined exit and entry points
- Routing protocols that support authentication
Securing Public Servers
- Place servers in a DMZ that is protected via firewalls
- Run a firewall on the server itself
- Enable DoS protection
  - Limit the number of connections per timeframe
- Use reliable operating systems with the latest security patches
- Maintain modularity
  - Front-end Web server doesn’t also run other services
Security Topologies (figure; labels: Internet, DMZ with Web, File, DNS, Mail Servers, Enterprise Network)
Security Topologies (figure; labels: Internet, Firewall, DMZ with Web, File, DNS, Mail Servers, Enterprise Network)
Securing Remote-Access and Virtual Private Networks
- Physical security
- Firewalls
- Authentication, authorization, and auditing
- Encryption
- One-time passwords
- Security protocols
  - CHAP
  - RADIUS
  - IPSec
Securing Network Services
- Treat each network device (routers, switches, and so on) as a high-value host and harden it against possible intrusions
- Require login IDs and passwords for accessing devices
- Require extra authorization for risky configuration commands
- Use SSH rather than Telnet
- Change the welcome banner to be less welcoming
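One way to check a device against the hardening items above, as an added example that is not part of the slides or of any Cisco tool: a small Python audit that reads an IOS-style running-config and reports each item it fails (reversible passwords, SSH v2 not enforced, a welcoming banner, Telnet on the VTY lines, no per-user login). The IOS command syntax is real; the weak and hardened sample configs are constructed, and the hash values in them are placeholders.

```python
# Added example (not from the slides or from Cisco): audit an IOS-style
# running-config against the hardening items listed above. The command
# syntax is real IOS; both sample configs are constructed.
import re

WEAK_CONFIG = """\
enable password cisco123
username admin privilege 15 password 0 admin
banner motd ^Welcome to the Acme core network!^
ip ssh version 1
line vty 0 4
 login
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
service password-encryption
enable secret 9 $9$PLACEHOLDER-HASH
username admin privilege 15 secret 9 $9$PLACEHOLDER-HASH
banner motd ^Authorized use only. Sessions are monitored and logged.^
ip ssh version 2
line vty 0 15
 login local
 transport input ssh
"""

def vty_sections(config):
    """Yield (header, [sub-commands]) for every 'line vty' block."""
    header, body = None, []
    for raw in config.splitlines() + ["end"]:   # 'end' flushes the last block
        if raw.startswith(" ") and header:
            body.append(raw.strip())
            continue
        if header:
            yield header, body
        header, body = (raw.strip(), []) if raw.startswith("line vty") else (None, [])

def audit(config):
    """Return one finding per hardening item the config fails; [] if clean."""
    f = []
    if re.search(r"^enable password ", config, re.M):
        f.append("enable password is reversible; use 'enable secret'")
    if re.search(r"^username \S+ .*password ", config, re.M):
        f.append("username keeps a reversible password; use 'username ... secret'")
    if not re.search(r"^ip ssh version 2$", config, re.M):
        f.append("SSH version 2 not enforced ('ip ssh version 2' missing)")
    if re.search(r"^banner \w+ .*welcome", config, re.M | re.I):
        f.append("banner welcomes visitors; use an authorized-use warning")
    for header, body in vty_sections(config):
        if any(l.startswith("transport input") and "telnet" in l for l in body):
            f.append(f"{header}: telnet allowed; use 'transport input ssh'")
        if not any(l == "login local" or l.startswith("login authentication") for l in body):
            f.append(f"{header}: no per-user login; use 'login local' or AAA")
    return f
```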
Securing Server Farms
- Deploy network and host IDSs to monitor server subnets and individual servers
- Configure filters that limit connectivity from the server in case the server is compromised
- Fix known security bugs in server operating systems
- Require authentication and authorization for server access and management
- Limit root password to a few people
- Avoid guest accounts
Securing User Services
- Specify which applications are allowed to run on networked PCs in the security policy
- Require personal firewalls and antivirus software on networked PCs
- Implement written procedures that specify how the software is installed and kept current
- Encourage users to log out when leaving their desks
- Consider using 802.1X port-based security on switches
Securing Wireless Networks
- Place wireless LANs (WLANs) in their own subnet or VLAN
  - Simplifies addressing and makes it easier to configure packet filters
- Require all wireless (and wired) laptops to run personal firewall and antivirus software
- Disable beacons that broadcast the SSID, and require MAC address authentication
  - Except in cases where the WLAN is used by visitors
WLAN Security Options
- Wired Equivalent Privacy (WEP)
- IEEE 802.11i
- Wi-Fi Protected Access (WPA)
- IEEE 802.1X Extensible Authentication Protocol (EAP)
  - Lightweight EAP or LEAP (Cisco)
  - Protected EAP (PEAP)
- Virtual Private Networks (VPNs)
- Any other acronyms we can think of?
Wired Equivalent Privacy (WEP)
- Defined by IEEE 802.11
- Users must possess the appropriate WEP key that is also configured on the access point
  - 64- or 128-bit key (or passphrase)
- WEP encrypts the data using the RC4 stream cipher method
- Infamous for being crackable
WEP Alternatives
- Vendor enhancements to WEP
- Temporal Key Integrity Protocol (TKIP)
  - Every frame has a new and unique WEP key
- Advanced Encryption Standard (AES)
- IEEE 802.11i
- Wi-Fi Protected Access (WPA) from the Wi-Fi Alliance
  - Realistic parts of IEEE 802.11i now!
VPN Software on Wireless Clients
- Safest way to do wireless networking for corporations
- Wireless client requires VPN software
  - Connects to VPN concentrator at HQ
  - Creates a tunnel for sending all traffic
- VPN security provides:
  - User authentication
  - Strong encryption of data
  - Data integrity
Review Questions
- How does a security plan differ from a security policy?
- Why is it important to achieve buy-in from users, managers, and technical staff for the security policy?
- How can a network manager secure a wireless network?