Secure Network Design
Lecture 10
Asst. Prof. Supakorn Kungpisdan, Ph.D.
[email protected]
NETE4630 Advanced Network Security and Implementation
Network Security Design: The 12 Step Program
1. Identify network assets
2. Analyze security risks
3. Analyze security requirements and tradeoffs
4. Develop a security plan
5. Define a security policy
6. Develop procedures for applying security policies
7. Develop a technical implementation strategy
8. Achieve buy-in from users, managers, and technical staff
9. Train users, managers, and technical staff
10. Implement the technical strategy and security procedures
11. Test the security and update it if any problems are found
12. Maintain security
Network Assets
Hardware
Software
Applications
Data
Intellectual property
Trade secrets
Company’s reputation
Security Risks
Hacked network devices
Data can be intercepted, analyzed, altered, or deleted
User passwords can be compromised
Device configurations can be changed
Reconnaissance attacks
Denial-of-service attacks
Security Tradeoffs
Tradeoffs must be made between security goals and other goals:
Affordability
Usability
Performance
Availability
Manageability
A Security Plan
High-level document that proposes what an organization is going to do to meet security requirements
It specifies time, people, and other resources that will be required to develop a security policy and achieve implementation of the policy
A Security Policy
Per RFC 2196, “The Site Security Handbook,” a security policy is a “Formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.”
The policy should address access, accountability, authentication, privacy, and computer technology purchasing guidelines
Security Mechanisms
Physical security
Authentication
Authorization
Accounting (Auditing)
Data encryption
Packet filters
Firewalls
Intrusion Detection Systems (IDSs)
Modularizing Security Design
Security defense in depth
Network security should be multilayered with many different techniques used to protect the network
Belt-and-suspenders approach
Don’t get caught with your pants down
Modularizing Security Design
Secure all components of a modular design:
Internet connections
Public servers and e-commerce servers
Remote access networks and VPNs
Network services and network management
Server farms
User services
Wireless networks
Cisco’s Enterprise Composite Network Model (figure)
Enterprise Campus: Campus Infrastructure (Building Access, Building Distribution, Campus Backbone), Network Management, Server Farm
Enterprise Edge: Edge Distribution, E-Commerce, Internet Connectivity, VPN/Remote Access, WAN
Service Provider Edge: ISP A, ISP B, PSTN, Frame Relay/ATM
Cisco SAFE
Cisco SAFE Blueprint addresses security in every module of a modular network architecture.
Legend (figure)
SAFE Block Diagram (figure)
Enterprise Campus Details (figure)
Management Module
The primary goal of the management module is to facilitate the secure management of all devices and hosts within the enterprise SAFE architecture.
Logging and reporting information flow from the devices through to the management hosts, while content, configurations, and new software flow to the devices from the management hosts.
Management Module
Key Devices
SNMP Management host – provides SNMP management for devices
NIDS host – provides alarm aggregation for all NIDS devices in the network
System Admin host – provides configuration, software, and content changes on devices
NIDS appliance – provides Layer 4 to Layer 7 monitoring of key network segments in the module
Cisco IOS Firewall – allows granular control for traffic flows between the management hosts and the managed devices
Layer 2 switch (with private VLAN support) – ensures data from managed devices can only cross directly to the IOS firewall
Syslog host(s) – aggregates log information for Firewall and NIDS hosts
Access Control Server – delivers one-time, two-factor authentication services to the network devices
One-Time Password (OTP) Server – authorizes one-time password information relayed from the access control server
Management Module Details (figure)
Threats Mitigated
Unauthorized Access – filtering at the IOS firewall stops most unauthorized traffic in both directions
Man-in-the-Middle Attacks – management data is crossing a private network, making man-in-the-middle attacks difficult
Network Reconnaissance – because all management traffic crosses this network, it does not cross the production network where it could be intercepted
Password Attacks – the access control server allows for strong two-factor authentication at each device
IP Spoofing – spoofed traffic is stopped in both directions at the IOS firewall
Packet Sniffers – a switched infrastructure limits the effectiveness of sniffing
Trust Exploitation – private VLANs prevent a compromised device from masquerading as a management host
Attack Mitigation Roles for Management Module (figure)
Core Module
Key Device: Layer 3 switching – routes and switches production network data from one module to another
Threats Mitigated: Packet Sniffers – a switched infrastructure limits the effectiveness of sniffing
Building Distribution Module
Purpose: to provide distribution layer services to the building switches; these include routing, quality of service (QoS), and access control.
Key Device: Layer 3 switches – aggregate Layer 2 switches in the building module and provide advanced services
Threats Mitigated
Unauthorized Access – attacks against server module resources are limited by Layer 3 filtering of specific subnets
IP Spoofing
Packet Sniffers – a switched infrastructure limits the effectiveness of sniffing
Building Module
SAFE defines the building module as the extensive network portion that contains end-user workstations, phones, and their associated Layer 2 access points. Its primary goal is to provide services to end users.
Key Devices
Layer 2 switch – provides Layer 2 services to phones and user workstations
User workstation – provides data services to authorized users on the network
IP phone – provides IP telephony services to users on the network
Threats Mitigated
Packet sniffers – a switched infrastructure and default VLAN services limit the effectiveness of sniffing
Virus and Trojan horse applications – host-based virus scanning prevents most viruses and many Trojan horses
Server Module
Purpose: to provide application services to end users and devices. Traffic flows on the server module are inspected by on-board intrusion detection within the Layer 3 switches.
Key Devices
L3 Switch – provides Layer 3 services to the servers and inspects data crossing the server module with NIDS
Call Manager – performs call routing functions for IP telephony devices in the enterprise
Corporate and Department Servers – deliver file, print, and DNS services to workstations in the building module
E-Mail Server – provides SMTP and POP3 services to internal users
Threats Mitigated
Unauthorized Access
Application Layer Attacks
IP Spoofing
Packet Sniffers
Trust Exploitation
Port Redirection
Edge Distribution Module
Purpose: to aggregate the connectivity from the various elements at the edge.
Key Devices: Layer 3 switches – aggregate edge connectivity and provide advanced services
Threats Mitigated
Unauthorized Access – filtering provides granular control over specific edge subnets and their ability to reach areas within the campus
IP Spoofing – RFC 2827 filtering limits locally initiated spoof attacks
Network Reconnaissance – filtering limits nonessential traffic from entering the campus, limiting a hacker’s ability to perform network recon
Packet Sniffers – a switched infrastructure limits the effectiveness of sniffing
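The RFC 2827 check named above, as an added Python example (not from the lecture or from the Cisco SAFE documents): an edge device permits outbound packets only from the enterprise's own prefixes and drops inbound packets that claim an enterprise source. The enterprise prefix, the bogon list and the sample packets are constructed assumptions; dropping inbound packets with private or loopback sources goes slightly beyond the slide.

```python
import ipaddress

# Constructed for this example: the block the enterprise announces to its ISPs
# (203.0.113.0/24 is a documentation range, not a real network).
ENTERPRISE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Sources that should never arrive from the Internet side: private, loopback,
# link-local and "this network" ranges (assumed bogon list for the demo).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]

def _in_any(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)

def rfc2827_verdict(direction, src):
    """Anti-spoofing check at the edge distribution Layer 3 switch.
    direction: 'in'  = packet arriving from the Internet side
               'out' = packet leaving the campus toward the Internet
    Returns (verdict, reason) with verdict 'permit' or 'drop'."""
    if direction == "in":
        if _in_any(src, ENTERPRISE_PREFIXES):
            return ("drop", "inbound packet claims an enterprise source")
        if _in_any(src, BOGON_PREFIXES):
            return ("drop", "inbound packet from a non-routable source")
        return ("permit", "inbound source is external")
    if direction == "out":
        if _in_any(src, ENTERPRISE_PREFIXES):
            return ("permit", "outbound source belongs to the enterprise")
        return ("drop", "outbound packet with a foreign source (locally initiated spoof)")
    raise ValueError("direction must be 'in' or 'out'")

def apply_filter(packets):
    """Evaluate (direction, src, dst) tuples; returns [(packet, verdict, reason)]."""
    results = []
    for direction, src, dst in packets:
        verdict, reason = rfc2827_verdict(direction, src)
        results.append(((direction, src, dst), verdict, reason))
    return results

# Constructed sample traffic (198.51.100.0/24 plays the role of the Internet).
SAMPLE_PACKETS = [
    ("in",  "203.0.113.9",   "203.0.113.80"),  # spoofed: claims to be one of ours
    ("in",  "10.1.2.3",      "203.0.113.80"),  # bogon source from the Internet
    ("in",  "198.51.100.7",  "203.0.113.80"),  # legitimate inbound
    ("out", "203.0.113.20",  "198.51.100.7"),  # legitimate outbound
    ("out", "198.51.100.99", "198.51.100.7"),  # inside host spoofing an outside address
]

if __name__ == "__main__":
    for pkt, verdict, reason in apply_filter(SAMPLE_PACKETS):
        print(f"{pkt[0]:>3} {pkt[1]:>15} -> {pkt[2]:<15} {verdict:6} ({reason})")
```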
Enterprise Edge: Corporate Internet Module (figure)
Corporate Internet Module
Key Devices
SMTP server – acts as a relay between the Internet and the Internet mail servers; inspects content
DNS server – serves as authoritative external DNS server for the enterprise, relays internal requests to the Internet
FTP/HTTP server – provides public information about the organization
Firewall – provides network-level protection of resources and stateful filtering of traffic
NIDS appliance – provides Layer 4 to Layer 7 monitoring of key network segments in the module
URL Filtering Server – filters unauthorized URL requests from the enterprise
Threats Mitigated
Unauthorized Access – mitigated through filtering at the ISP, edge router, and corporate firewall
Application Layer Attacks – mitigated through IDS at the host and network levels
Virus and Trojan Horse – mitigated through e-mail content filtering and host IDS
Password Attacks – limited services available to brute force; OS and IDS
Denial of Service
IP Spoofing – at the ISP edge and the enterprise edge router
Packet Sniffers – switched infrastructure and host IDS limit exposure
Network Reconnaissance – IDS detects recon; protocols filtered to limit effectiveness
Trust Exploitation – restrictive trust model and private VLANs limit trust-based attacks
Port Redirection – restrictive filtering and host IDS limit attack
Attack Mitigation Role for Corporate Internet Module (figure)
Enterprise Edge: Remote Access VPN Module
The primary objective of this module is three-fold:
Terminate the VPN traffic from remote users
Provide a hub for terminating VPN traffic from remote sites, and
Terminate traditional dial-in users
Enterprise Edge: Remote Access VPN Module (cont.)
Key Devices
VPN Concentrator – authenticates individual remote users using Extended Authentication (XAUTH) and terminates their IPSec tunnels
VPN Router – authenticates trusted remote sites and provides connectivity using GRE/IPSec tunnels
Dial-In Server – authenticates individual remote users using TACACS+ and terminates their analog connections
Firewall – provides differentiated security for the three different types of remote access
NIDS appliance – provides Layer 4 to Layer 7 monitoring of key network segments in the module
Threats Mitigated
Network Topology Discovery – only Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) are allowed into this segment from the Internet
Password Attack – OTP authentication reduces the likelihood of a successful password attack
Unauthorized Access – firewall services after packet decryption prevent traffic on unauthorized ports
Man-in-the-Middle – mitigated through encrypted remote traffic
Packet Sniffers – a switched infrastructure limits the effectiveness of sniffing
Attack Mitigation Roles for Remote Access VPN Module (figure)
Enterprise Edge: WAN Module
Rather than being all-inclusive of potential WAN designs, this module shows resilience and security for WAN termination.
Key Devices: IOS Router – using routing, access-control, and QoS mechanisms
Threats Mitigated
IP Spoofing – mitigated through L3 filtering
Unauthorized Access – simple access control on the router can limit the types of protocols to which branches have access
Enterprise Edge: E-Commerce Module (figure)
Securing Internet Connections
Physical security
Firewalls and packet filters
Audit logs, authentication, authorization
Well-defined exit and entry points
Routing protocols that support authentication
Securing Public Servers
Place servers in a DMZ that is protected via firewalls
Run a firewall on the server itself
Enable DoS protection
Limit the number of connections per timeframe
Use reliable operating systems with the latest security patches
Maintain modularity
Front-end Web server doesn’t also run other services
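The "limit the number of connections per timeframe" item above, as an added Python example (not from the lecture): a per-source sliding-window connection limiter of the kind a host firewall or front-end server would enforce as DoS protection. The limit, window size and sample connection attempts are constructed assumptions.

```python
from collections import defaultdict, deque

class ConnectionRateLimiter:
    """Sliding-window limit on new connections per source address.

    At most `limit` connection attempts from one source are admitted within
    any `window`-second interval; further attempts in that interval are
    refused. Timestamps are passed in explicitly so the behaviour is
    deterministic (assumed interface for this example)."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._recent = defaultdict(deque)   # src -> timestamps of admitted attempts
        self.refused = defaultdict(int)     # src -> number of refused attempts

    def admit(self, src, now):
        q = self._recent[src]
        # Forget admitted attempts that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            self.refused[src] += 1
            return False
        q.append(now)
        return True

def replay(attempts, limit=3, window=10.0):
    """Feed (timestamp, src) attempts through a fresh limiter.
    Returns (decisions, refused_per_source); decisions is [(timestamp, src, admitted)]."""
    limiter = ConnectionRateLimiter(limit, window)
    decisions = [(t, s, limiter.admit(s, t)) for t, s in attempts]
    return decisions, dict(limiter.refused)

# Constructed sample: 198.51.100.7 opens a burst of connections, 203.0.113.5 behaves.
SAMPLE_ATTEMPTS = [
    (0.0, "198.51.100.7"), (0.1, "198.51.100.7"), (0.2, "198.51.100.7"),
    (0.3, "198.51.100.7"),   # 4th attempt within 10 s: refused
    (0.5, "203.0.113.5"),    # different source: admitted
    (0.6, "198.51.100.7"),   # still over the limit: refused
    (11.0, "198.51.100.7"),  # burst has aged out of the window: admitted again
]

if __name__ == "__main__":
    decisions, refused = replay(SAMPLE_ATTEMPTS)
    for t, src, ok in decisions:
        print(f"t={t:5.1f} {src:<14} {'admit' if ok else 'REFUSE'}")
    print("refused per source:", refused)
```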
Security Topologies (figure): a DMZ sits between the Internet and the enterprise network; the Web, file, DNS, and mail servers are placed in the DMZ
Security Topologies (figure): a single firewall connects the Internet, the DMZ holding the Web, file, DNS, and mail servers, and the enterprise network
Securing Remote-Access and Virtual Private Networks
Physical security
Firewalls
Authentication, authorization, and auditing
Encryption
One-time passwords
Security protocols
CHAP
RADIUS
IPSec
Securing Network Services
Treat each network device (routers, switches, and so on) as a high-value host and harden it against possible intrusions
Require login IDs and passwords for accessing devices
Require extra authorization for risky configuration commands
Use SSH rather than Telnet
Change the welcome banner to be less welcoming
Securing Server Farms
Deploy network and host IDSs to monitor server subnets and individual servers
Configure filters that limit connectivity from the server in case the server is compromised
Fix known security bugs in server operating systems
Require authentication and authorization for server access and management
Limit root password to a few people
Avoid guest accounts
Securing User Services
Specify which applications are allowed to run on networked PCs in the security policy
Require personal firewalls and antivirus software on networked PCs
Implement written procedures that specify how the software is installed and kept current
Encourage users to log out when leaving their desks
Consider using 802.1X port-based security on switches
Securing Wireless Networks
Place wireless LANs (WLANs) in their own subnet or VLAN
Simplifies addressing and makes it easier to configure packet filters
Require all wireless (and wired) laptops to run personal firewall and antivirus software
Disable beacons that broadcast the SSID, and require MAC address authentication
Except in cases where the WLAN is used by visitors
WLAN Security Options
Wired Equivalent Privacy (WEP)
IEEE 802.11i
Wi-Fi Protected Access (WPA)
IEEE 802.1X Extensible Authentication Protocol (EAP)
Lightweight EAP or LEAP (Cisco)
Protected EAP (PEAP)
Virtual Private Networks (VPNs)
Any other acronyms we can think of?
Wired Equivalent Privacy (WEP)
Defined by IEEE 802.11
Users must possess the appropriate WEP key that is also configured on the access point
64- or 128-bit key (or passphrase)
WEP encrypts the data using the RC4 stream cipher method
Infamous for being crackable
WEP Alternatives
Vendor enhancements to WEP
Temporal Key Integrity Protocol (TKIP)
Every frame has a new and unique WEP key
Advanced Encryption Standard (AES)
IEEE 802.11i
Wi-Fi Protected Access (WPA) from the Wi-Fi Alliance
Realistic parts of IEEE 802.11i now!
VPN Software on Wireless Clients
Safest way to do wireless networking for corporations
Wireless client requires VPN software
Connects to VPN concentrator at HQ
Creates a tunnel for sending all traffic
VPN security provides:
User authentication
Strong encryption of data
Data integrity
Review Questions
How does a security plan differ from a security policy?
Why is it important to achieve buy-in from users, managers, and technical staff for the security policy?
How can a network manager secure a wireless network?