IS 6973 - PowerPoint PPT Presentation

Slides: 25
Provided by: Jan32

Transcript and Presenter's Notes

1
IS 6973
  • Secure Network Design
  • Chapter Seven
  • Network Security Platform Options and Best
    Deployment Practices

2
Secure Design Decisions
  • What kinds of devices should be deployed?
  • Where should they be deployed?

3
Network Security Platform Options
  • General purpose OS security
  • Appliance-Based security
  • Network-Integrated security

4
General Purpose OS Security
  • Security admin builds a general-purpose PC and
    installs the security technology on top.
  • PC runs some form of generally accepted OS
    (Windows, Unix, etc.)

5
Pros
  • Flexibility: a wide range of security s/w is
    available; not tied to one vendor (tell that to
    MS)
  • Use the same platform everywhere: h/w costs are
    low, system is less complex

6
Cons
  • Need to manage two systems: the security s/w and
    the OS, PLUS the hardware
  • Security system sits on top of the PC platform
    (i.e., not fully integrated)
  • Support: who are you going to call? System
    vendor, PC vendor, OS vendor, NIC manufacturer,
    etc.?

7
Appliance-Based Security Devices
  • General purpose hardware/OS with appliance
    packaging (purchasing the total system from a
    single vendor)
  • Pros: one place for support (maybe)
  • Cons: not very versatile, locked into one
    vendor, lack of flexibility
  • Fully custom appliance: proprietary OS
  • Pros: usually means better performance, one
    place to call
  • Cons: more likely to have undiscovered problems,
    locked into one vendor

8
Network-Integrated Security Functions
  • Takes advantage of your existing n/w
    infrastructure. Security capabilities are
    embedded inside a router or switch using either
    s/w or h/w
  • Router/switch s/w integration: stateful
    firewall, IDS, IPsec VPN
  • Pros: reduces the number of devices to support
    and maintain; can add functions without impacting
    the design
  • Cons: making a device do something it wasn't
    designed to do is more complex and can impede
    performance
  • Router/switch h/w integration (Fig. 7-1 vs. Fig.
    7-2)
  • Pros: less performance impedance than above
  • Cons: more complex configuration than above

9
Network Security Platform Option Recommendations
  • Which platform should you use? How qualified are
    your staff?
  • Appliance-Based: Convery suggests these should be
    the bulk of the security system because of ease
    of support, configuration, and deployment. Use
    appliances in locations with high performance
    requirements and where uptime is critical (VPN
    gateways, stateful firewalls).
  • General-Purpose OS: use for specialized security
    functions (proxy servers, antivirus, URL
    filtering)
  • Network-Integrated: use in remote locations with
    minimal IT staffing, or in an existing n/w that
    is rarely modified (integrating h/w NIDS into a
    switch allows remote monitoring)

10
Network Security Device Best Practices
  • Technologies discussed include:
  • Firewall
  • Proxy servers/content filtering
  • NIDS

11
Firewall Best Practices
  • Generally the principal element of secure n/w
    design
  • Topology options:
  • Basic filtering router
  • Classic dual-router DMZ
  • Stateful firewall DMZ design
  • Modern 3-interface firewall design
  • Multi-firewall design

12
Basic Filtering Router (Fig. 7-3)
  • Easy to implement, but least secure
  • Public servers are on the internal side of the
    router: a compromised public server can attack
    internal systems without further filtering
  • Single point of access control failure
  • Requires multiple open ports

13
Classic Dual-Router DMZ (Fig. 7-4)
  • Public servers are separated from the rest of the
    internal n/w
  • Filtering (2nd) router should have more
    restrictive ACLs

14
Stateful Firewall DMZ (Fig. 7-5)
  • Improves on the dual-router DMZ by allowing
    strong filtering between the internal n/w, the
    public servers and the Internet
  • BUT it can impact performance, and some firewalls
    do not support advanced routing or multicast
    functions

15
Modern 3-Interface Firewall Design (Fig. 7-6)
  • Most common topology used today
  • Considered best balance of security, cost, and
    management
  • All traffic must flow through the firewall
  • Caution: remember to limit access from the public
    servers to the internal network

16
Multi-Firewall Design (Fig. 7-7)
  • Many variations; primarily used for e-commerce
    or other sensitive transactions
  • Organizations may require multiple levels of
    trust
  • Trusted servers may support transaction requests
    from less trusted servers
  • Attackers must first compromise untrusted
    servers, but there is a very limited number of
    ports available to more trusted servers

17
General Firewall Best Practices
  • Expressly permit, implicitly deny
  • Block outbound public server access (web servers
    don't need to surf the web)
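The two firewall best practices above, together with the caution on the 3-interface design (limit access from public servers to the internal network), are easy to state and easy to get wrong in a rule set. The following is an added example, not code from the slides or from the book they summarize: a small Python model of a three-interface firewall policy as an explicit permit list with implicit deny. It evaluates sample flows (Internet user to public web server, compromised DMZ server to an internal file share, DMZ web tier to its database, DMZ server trying to surf the web) and audits the rule set itself against the two cautions. The zone names, address ranges, ports and rules are all constructed for the example.

```python
"""Three-interface firewall policy model (outside / DMZ / inside).

Added example, not from the slides or the book they summarize. It encodes
the chapter's rules as an explicit permit list with implicit deny, and
checks sample flows and the rule set itself against the two cautions the
slides give (limit access from public servers to the internal network;
web servers do not need to surf the web). All zone names, addresses,
ports and rules are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing: anything not in a named zone is "outside".
ZONES = {
    "inside": ip_network("10.10.0.0/16"),
    "dmz": ip_network("192.0.2.0/24"),
}


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "outside"


@dataclass(frozen=True)
class Rule:
    src_zone: str            # zone the connection is initiated from
    dst_zone: str
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any port
    description: str


# Everything is denied unless a rule here expressly permits it.
PERMITS = [
    Rule("outside", "dmz", "tcp", 80, "public web"),
    Rule("outside", "dmz", "tcp", 443, "public web (TLS)"),
    Rule("outside", "dmz", "tcp", 25, "inbound mail relay"),
    Rule("inside", "dmz", "tcp", 22, "admin SSH to public servers"),
    Rule("inside", "outside", "tcp", 80, "user browsing"),
    Rule("inside", "outside", "tcp", 443, "user browsing (TLS)"),
    Rule("dmz", "inside", "tcp", 1433, "web tier to the database, one port only"),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int


def evaluate(flow: Flow, rules=PERMITS):
    """Return (verdict, reason); the default verdict is 'deny' (implicit deny)."""
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    for r in rules:
        if (r.src_zone == sz and r.dst_zone == dz
                and r.proto in ("any", flow.proto)
                and r.dst_port in (None, flow.dst_port)):
            return "permit", r.description
    return "deny", f"no explicit permit for {sz}->{dz} {flow.proto}/{flow.dst_port}"


def audit(rules=PERMITS):
    """Flag rules that contradict the two cautions from the slides."""
    findings = []
    for r in rules:
        if r.src_zone == "dmz" and r.dst_zone == "inside" and r.dst_port is None:
            findings.append(f"DMZ->inside rule '{r.description}' is not limited to a port")
        if r.src_zone == "dmz" and r.dst_zone == "outside":
            findings.append(f"public server may initiate outbound traffic: '{r.description}'")
    return findings


if __name__ == "__main__":
    samples = [
        Flow("198.51.100.7", "192.0.2.10", "tcp", 443),   # Internet user -> public web
        Flow("192.0.2.10", "10.10.5.5", "tcp", 445),      # compromised web server -> internal file share
        Flow("192.0.2.10", "10.10.5.20", "tcp", 1433),    # web tier -> database (permitted)
        Flow("192.0.2.10", "203.0.113.9", "tcp", 80),     # web server "surfing the web"
        Flow("198.51.100.7", "10.10.5.5", "tcp", 22),     # Internet -> internal host directly
    ]
    for f in samples:
        verdict, why = evaluate(f)
        print(f"{f.src:>14} -> {f.dst:<14} {f.proto}/{f.dst_port:<5} {verdict:6} {why}")
    print("audit:", audit() or "no findings")
```

The DMZ-to-inside rule is deliberately pinned to a single destination port so that a compromised public server gets exactly one path inward, which is the point of the multi-firewall and 3-interface designs above; `audit()` reports any rule that loosens that or lets a DMZ host open connections to the Internet.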

18
Proxy Servers/Content Filtering
  • Internal User Aggregation (Fig. 7-9)
  • Firewall access rules define who can initiate
    outbound web requests
  • Firewall-Enforced User Aggregation (Fig. 7-10)
  • Firewall enforces who can access the proxy
    servers; adds a significant load to the firewall
  • DMZ Proxy Design (Fig. 7-11)
  • Commonly used with SOCKS-based proxy servers
  • Supports applications that don't work with
    traditional access control techniques

19
Network Intrusion Detection Systems (NIDS)
  • Major areas of concern
  • Device placement
  • Tuning
  • Management (discussed in ch 16)

20
NIDS placement
  • Either before or after the firewall; the closer
    to the core of the n/w, the more characteristic
    of the pre-firewall NIDS employment
  • Pre-firewall NIDS (Fig. 7-12): manpower
    intensive, many alarms; not practical in most
    cases, except for securing SECOPS jobs
  • Post-firewall NIDS (Fig. 7-13): detected attacks
    have already passed through the firewall,
    increasing the degree of severity; deals with a
    limited number of hosts and services, so it is
    easier to tune

21
NIDS General Best Practices
  • Deploy close to the systems you are trying to
    protect (Fig. 7-14)
  • Monitor your NIDS 24/7/365

22
NIDS Tuning
  • Implies focusing on the events you care about and
    ignoring the rest. Could take weeks, and is an
    on-going process after the initial tuning
  • Want to report actual network attacks
  • Don't monitor n/w management traffic
  • Turn off alarms for benign attacks
  • Turn off alarms you don't care about
  • Reduce the priority of low-impact attacks
  • Match NIDS events against the systems affected by
    each event
  • Clean up the remaining false positives
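The tuning steps on this slide are a pipeline, and the order matters: cheap, broad filters first (management traffic, benign signatures), then the expensive step of matching each event against what the target host actually runs, and finally a pinned suppression list for the false positives that survive. The following is an added example, not code from the slides: a Python implementation of that pipeline run over a constructed batch of six alerts, reporting what each step removed. Signature names, addresses, the management subnet, the asset inventory and the suppression entry are all made up for the example.

```python
"""NIDS alert tuning pipeline.

Added example, not from the slides: it applies the tuning steps the slide
lists, in that order, to a constructed batch of alerts and reports what
each step removed. Signature names, addresses, the management subnet, the
asset inventory and the suppression list are all made up for the example;
a real deployment would load them from the sensor and the CMDB.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass
class Alert:
    sig: str
    src: str
    dst: str
    proto: str
    dst_port: int
    priority: int                      # 1 = high, 3 = low
    affects: frozenset = frozenset()   # platforms the signature applies to (empty = unknown)


# Constructed batch, roughly as a sensor would emit it.
RAW = [
    Alert("WEB-IIS cmd.exe access", "203.0.113.5", "192.0.2.10", "tcp", 80, 1, frozenset({"iis"})),
    Alert("SNMP public community", "10.10.0.9", "192.0.2.10", "udp", 161, 2),
    Alert("ICMP PING NMAP", "198.51.100.4", "192.0.2.10", "icmp", 0, 3),
    Alert("WEB-PHP remote include", "203.0.113.7", "192.0.2.11", "tcp", 80, 1, frozenset({"php"})),
    Alert("SQL xp_cmdshell", "192.0.2.11", "10.10.5.20", "tcp", 1433, 1, frozenset({"mssql"})),
    Alert("SCAN nmap fingerprint", "10.10.0.9", "192.0.2.11", "tcp", 22, 2),
]

MGMT_NET = ip_network("10.10.0.0/24")     # management stations
MGMT_PORTS = {161, 162, 514}              # SNMP and syslog: n/w management traffic
BENIGN_SIGS = {"ICMP PING NMAP"}          # "attacks" that are benign here
LOW_IMPACT = {"SCAN nmap fingerprint"}    # keep, but at the lowest priority
# Asset inventory: what each monitored host actually runs.
ASSETS = {
    "192.0.2.10": {"linux", "apache", "php"},
    "192.0.2.11": {"linux", "apache", "php"},
    "10.10.5.20": {"windows", "mssql"},
}
# Remaining known false positives, pinned to an exact (sig, src, dst).
SUPPRESS = {("SCAN nmap fingerprint", "10.10.0.9", "192.0.2.11")}   # scheduled vuln scanner


def is_mgmt_traffic(a: Alert) -> bool:
    return ip_address(a.src) in MGMT_NET and a.dst_port in MGMT_PORTS


def applies_to_target(a: Alert) -> bool:
    """Match the event against the system it hit: an IIS exploit aimed at an
    Apache host cannot succeed. Unknown hosts or signatures are kept."""
    if not a.affects:
        return True
    inventory = ASSETS.get(a.dst)
    if inventory is None:
        return True
    return bool(a.affects & inventory)


def tune(alerts):
    """Return (alerts to report, per-step counts)."""
    kept = []
    stats = {"mgmt": 0, "benign": 0, "downgraded": 0,
             "not_applicable": 0, "suppressed": 0, "kept": 0}
    for a in alerts:
        if is_mgmt_traffic(a):
            stats["mgmt"] += 1
            continue
        if a.sig in BENIGN_SIGS:
            stats["benign"] += 1
            continue
        if a.sig in LOW_IMPACT and a.priority < 3:
            a = replace(a, priority=3)
            stats["downgraded"] += 1
        if not applies_to_target(a):
            stats["not_applicable"] += 1
            continue
        if (a.sig, a.src, a.dst) in SUPPRESS:
            stats["suppressed"] += 1
            continue
        kept.append(a)
        stats["kept"] += 1
    return kept, stats


if __name__ == "__main__":
    kept, stats = tune(RAW)
    for a in kept:
        print(f"P{a.priority} {a.sig:28} {a.src} -> {a.dst}:{a.dst_port}")
    print(stats)
```

Of the six constructed alerts only two survive: the PHP attack against a PHP host, and the `xp_cmdshell` event from a DMZ server toward the internal database, which is exactly the post-firewall case the placement slide describes. Note that unknown hosts are kept rather than dropped; tuning should never silently discard events for systems the inventory does not know about.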

23
NIDS Attack Response
  • Determine which attacks (if any) you want to
    attempt to stop
  • Most common responses:
  • Shunning: when an attack is detected, the NIDS
    reconfigures the router or firewall with an ACL
    blocking the source IP address (Fig. 7-15).
    Caveats: if it is a false positive, you are
    blocking a legitimate user; you could be blocking
    a spoofed IP address; the damage could already
    be done
  • TCP Resets: use the sequence and ACK numbers in a
    TCP session to reset the session, thereby
    stopping the attack. Concerns: not foolproof;
    may not guess the correct sequence number on
    faster, more active sessions; spoofing is not
    much of a concern, because TCP sessions are hard
    to spoof; works only with TCP communications;
    must monitor constantly
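The shunning caveats above translate directly into checks a response engine should make before it pushes an ACL, and into a lifetime on every block so that a false positive or a spoofed source is not locked out forever. The following is an added example, not code from the slides: a Python decision function that gates a proposed shun on the signature being on the shun list, the alert priority, whether the source address could be spoofed (no handshake seen, or a connectionless protocol), and a never-shun list covering internal, DMZ and partner ranges. The signature names, networks, the 30-minute lifetime and the `T0` timestamp are constructed; `acl_line()` renders an IOS-style extended ACL entry purely as illustration.

```python
"""Shunning decision with the chapter's caveats applied.

Added example, not from the slides: the NIDS has produced an alert and
proposes a shun (a dynamic ACL entry on the router or firewall blocking the
source IP). decide_shun() applies the caveats the slide lists before the
block is pushed, and every block expires so a false positive or spoofed
source is not blocked forever. Signature names, networks, addresses, the
30-minute lifetime and T0 are constructed for the example; acl_line()
renders an IOS-style extended ACL entry as illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Sources that must never be shunned: a false positive here would block
# legitimate users or break the site itself (constructed ranges).
NEVER_SHUN = [
    ip_network("10.10.0.0/16"),      # internal
    ip_network("192.0.2.0/24"),      # DMZ
    ip_network("203.0.113.0/28"),    # partner VPN peers
]
SPOOFABLE = {"udp", "icmp"}          # no handshake, so the source may be forged
SHUN_SIGS = {"SQL xp_cmdshell", "WEB-PHP remote include"}   # attacks we chose to try to stop
MAX_PRIORITY = 1                     # only highest-priority alerts qualify
SHUN_TTL = timedelta(minutes=30)
T0 = datetime(2024, 1, 1, 12, 0)     # constructed "now" for the walk-through


@dataclass
class Alert:
    sig: str
    src: str
    proto: str
    priority: int        # 1 = high
    established: bool    # sensor saw a completed TCP handshake for this flow


@dataclass
class Shun:
    ip: str
    expires: datetime
    reason: str


def decide_shun(alert: Alert, now: datetime, active: dict):
    """Return (shunned, reason). Adds or extends an entry in `active` when shunning."""
    if alert.sig not in SHUN_SIGS:
        return False, "signature not in the shun list"
    if alert.priority > MAX_PRIORITY:
        return False, "priority too low to justify blocking"
    if alert.proto in SPOOFABLE or not alert.established:
        return False, "source could be spoofed; refuse to block on this evidence"
    src = ip_address(alert.src)
    if any(src in net for net in NEVER_SHUN):
        return False, "source is in a never-shun range"
    expires = now + SHUN_TTL
    if alert.src in active:
        active[alert.src].expires = expires
        return True, "existing shun extended"
    active[alert.src] = Shun(alert.src, expires, alert.sig)
    return True, "shun installed"


def expire(active: dict, now: datetime) -> list:
    """Remove shuns past their lifetime; return the released addresses."""
    released = [ip for ip, s in active.items() if s.expires <= now]
    for ip in released:
        del active[ip]
    return released


def acl_line(shun: Shun) -> str:
    """IOS-style ACL entry the shun would push (illustrative rendering)."""
    return f"deny ip host {shun.ip} any"


if __name__ == "__main__":
    active = {}
    proposals = [
        Alert("SQL xp_cmdshell", "198.51.100.9", "tcp", 1, True),     # external, established: shun
        Alert("SQL xp_cmdshell", "10.10.5.5", "tcp", 1, True),        # internal host: never shun
        Alert("SQL xp_cmdshell", "198.51.100.10", "udp", 1, False),   # spoofable evidence
        Alert("ICMP PING NMAP", "198.51.100.11", "icmp", 3, False),   # not worth blocking
    ]
    for p in proposals:
        shunned, why = decide_shun(p, T0, active)
        print(f"{p.src:>14} {p.sig:24} {'SHUN' if shunned else 'skip'}: {why}")
    for s in active.values():
        print("push:", acl_line(s), "until", s.expires.isoformat())
    print("released at +30 min:", expire(active, T0 + SHUN_TTL))
```

The `established` flag is what separates a shun from a TCP-reset-style decision: both rely on the sensor having seen a real three-way handshake, which is why the slide says spoofing is not much of a concern for TCP and why this code refuses to act on UDP or ICMP alerts at all.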

24
Chapter Seven Review Questions
  • How do you determine what devices to deploy and
    where to place them?
  • Compare and contrast the following options:
  • General purpose OS security
  • Appliance-Based security
  • Network-Integrated security
  • Discuss the network security best practices for
    the following:
  • Firewall
  • Proxy servers/content filtering
  • NIDS
  • Compare and contrast the following firewalls:
  • Basic filtering router
  • Classic dual-router DMZ
  • Stateful firewall DMZ design
  • Modern 3-interface firewall design
  • Multi-firewall design
  • What is a false positive? How can you delete the
    occurrence of NIDS false positives?
  • What is NIDS tuning? Compare and contrast
    shunning and TCP resets.