Secure Network Design Lecture 10 - PowerPoint PPT Presentation

Original file title: Lecture01: Network Security Overview. Subject: IS427. Author: S. Kungpisdan. Last modified by: Supakorn Kungpisdan. PowerPoint PPT presentation.

Transcript and Presenter's Notes

1
Secure Network Design: Lecture 10
  • Asst.Prof.Supakorn Kungpisdan, Ph.D.
  • supakorn_at_mut.ac.th

2
Network Security Design: The 12 Step Program
  1. Identify network assets
  2. Analyze security risks
  3. Analyze security requirements and tradeoffs
  4. Develop a security plan
  5. Define a security policy
  6. Develop procedures for applying security policies
  7. Develop a technical implementation strategy
  8. Achieve buy-in from users, managers, and
     technical staff
  9. Train users, managers, and technical staff
  10. Implement the technical strategy and security
     procedures
  11. Test the security and update it if any problems
     are found
  12. Maintain security

3
Network Assets
  • Hardware
  • Software
  • Applications
  • Data
  • Intellectual property
  • Trade secrets
  • Company's reputation

4
Security Risks
  • Hacked network devices
  • Data can be intercepted, analyzed, altered, or
    deleted
  • User passwords can be compromised
  • Device configurations can be changed
  • Reconnaissance attacks
  • Denial-of-service attacks

5
Security Tradeoffs
  • Tradeoffs must be made between security goals and
    other goals
  • Affordability
  • Usability
  • Performance
  • Availability
  • Manageability

6
A Security Plan
  • High-level document that proposes what an
    organization is going to do to meet security
    requirements
  • It specifies time, people, and other resources
    that will be required to develop a security
    policy and achieve implementation of the policy

7
A Security Policy
  • Per RFC 2196, The Site Security Handbook, a
    security policy is a "formal statement of the
    rules by which people who are given access to an
    organization's technology and information assets
    must abide."
  • The policy should address: access,
    accountability, authentication, privacy, and
    computer technology purchasing guidelines

8
Security Mechanisms
  • Physical security
  • Authentication
  • Authorization
  • Accounting (Auditing)
  • Data encryption
  • Packet filters
  • Firewalls
  • Intrusion Detection Systems (IDSs)

9
Modularizing Security Design
  • Security defense in depth
  • Network security should be multilayered with many
    different techniques used to protect the network
  • Belt-and-suspenders approach
  • Don't get caught with your pants down

10
Modularizing Security Design
  • Secure all components of a modular design
  • Internet connections
  • Public servers and e-commerce servers
  • Remote access networks and VPNs
  • Network services and network management
  • Server farms
  • User services
  • Wireless networks

11
Cisco's Enterprise Composite Network Model
[Diagram: Enterprise Campus (Network Management, Campus Infrastructure, Edge Distribution), Enterprise Edge, Service Provider Edge]
12
Cisco SAFE
  • Cisco SAFE Blueprint addresses security in every
    module of a modular network architecture.

13
Legend
14
SAFE Block Diagram
15
Enterprise Campus Details
16
Management Module
  • The primary goal of the management module is to
    facilitate the secure management of all devices
    and hosts within the enterprise SAFE
    architecture.
  • Logging and reporting information flow from the
    devices through to the management hosts, while
    content, configurations, and new software flow to
    the devices from the management hosts.

17
Management Module: Key Devices
  • SNMP Management host: provides SNMP management
    for devices
  • NIDS host: provides alarm aggregation for all
    NIDS devices in the network
  • Syslog host(s): aggregate log information for
    Firewall and NIDS hosts
  • Access Control Server: delivers one-time,
    two-factor authentication services to the network
    devices
  • One-Time Password (OTP) Server: authorizes
    one-time password information relayed from the
    access control server
  • System Admin host: provides configuration,
    software, and content changes on devices
  • NIDS appliance: provides Layer 4 to Layer 7
    monitoring of key network segments in the module
  • Cisco IOS Firewall: allows granular control for
    traffic flows between the management hosts and
    the managed devices
  • Layer 2 switch (with private VLAN support):
    ensures data from managed devices can only cross
    directly to the IOS firewall

18
Management Module Details
19
Threats Mitigated
  • Unauthorized Access: filtering at the IOS
    firewall stops most unauthorized traffic in both
    directions
  • Man-in-the-Middle Attacks: management data is
    crossing a private network, making
    man-in-the-middle attacks difficult
  • Network Reconnaissance: because all management
    traffic crosses this network, it does not cross
    the production network where it could be
    intercepted
  • Password Attacks: the access control server
    allows for strong two-factor authentication at
    each device
  • IP Spoofing: spoofed traffic is stopped in both
    directions at the IOS firewall
  • Packet Sniffers: a switched infrastructure
    limits the effectiveness of sniffing
  • Trust Exploitation: private VLANs prevent a
    compromised device from masquerading as a
    management host
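
The private VLAN rule behind the last two points, worked as a small added example (not code from the lecture or from Cisco SAFE): the IOS firewall sits on the promiscuous port, each managed device on an isolated port, and the function decides which Layer 2 pairs may exchange frames. Port names and the management segment are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Port roles in a private VLAN (PVLAN). In the SAFE management module the
# IOS firewall is on the promiscuous port and managed devices are on
# isolated ports. Names and topology below are constructed for this example.
PROMISCUOUS = "promiscuous"
ISOLATED = "isolated"
COMMUNITY = "community"


@dataclass(frozen=True)
class Port:
    name: str
    role: str
    community: Optional[str] = None  # only meaningful for COMMUNITY ports


def pvlan_allows(src: Port, dst: Port) -> bool:
    """True if a Layer 2 frame from src may be forwarded to dst.

    Promiscuous ports talk to everyone. Isolated ports talk only to
    promiscuous ports. Community ports talk to promiscuous ports and to
    other ports in the same community.
    """
    if src.name == dst.name:
        return False
    if PROMISCUOUS in (src.role, dst.role):
        return True
    if src.role == COMMUNITY and dst.role == COMMUNITY:
        return src.community == dst.community
    return False  # isolated<->isolated and isolated<->community are blocked


def masquerade_possible(compromised: Port, peers: List[Port]) -> List[str]:
    """Peers a compromised device could reach directly at Layer 2, bypassing
    the firewall. An empty list means the PVLAN contains the compromise."""
    return [p.name for p in peers
            if p.role != PROMISCUOUS and pvlan_allows(compromised, p)]


# Constructed management segment: firewall on the promiscuous port, two
# managed devices on isolated ports.
FIREWALL = Port("ios-fw", PROMISCUOUS)
ROUTER_A = Port("router-a", ISOLATED)
SWITCH_B = Port("switch-b", ISOLATED)

if __name__ == "__main__":
    print(masquerade_possible(ROUTER_A, [FIREWALL, SWITCH_B]))
```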

20
Attack Mitigation Roles for Management Module
21
Core Module
  • Key Device
  • Layer 3 switching: routes and switches production
    network data from one module to another
  • Threats Mitigated
  • Packet Sniffers: a switched infrastructure
    limits the effectiveness of sniffing

22
Building Distribution Module
  • To provide distribution layer services to the
    building switches; these include routing, quality
    of service (QoS), and access control.
  • Key Device: Layer 3 switches aggregate Layer 2
    switches in the building module and provide
    advanced services
  • Threats Mitigated
  • Unauthorized Access: attacks against server
    module resources are limited by Layer 3 filtering
    of specific subnets
  • IP Spoofing
  • Packet Sniffers: a switched infrastructure
    limits the effectiveness of sniffing

23
Building Module
  • SAFE defines the building module as the extensive
    network portion that contains end-user
    workstations, phones, and their associated Layer
    2 access points. Its primary goal is to provide
    services to end users.
  • Key Devices
  • Layer 2 switch: provides Layer 2 services to
    phones and user workstations
  • User workstation: provides data services to
    authorized users on the network
  • IP phone: provides IP telephony services to
    users on the network
  • Threats Mitigated
  • Packet sniffers: a switched infrastructure and
    default VLAN services limit the effectiveness of
    sniffing
  • Virus and Trojan horse applications: host-based
    virus scanning prevents most viruses and many
    Trojan horses

24
Server Module
  • To provide application services to end users and
    devices. Traffic flows on the server module are
    inspected by on-board intrusion detection within
    the Layer 3 switches.
  • Key Devices
  • L3 Switch: provides Layer 3 services to the
    servers and inspects data crossing the server
    module with NIDS
  • Call Manager: performs call routing functions
    for IP telephony devices in the enterprise
  • Corporate and Department Servers: deliver file,
    print, and DNS services to workstations in the
    building module
  • E-Mail Server: provides SMTP and POP3 services to
    internal users
  • Threats Mitigated
  • Unauthorized Access
  • Application Layer Attacks
  • IP Spoofing
  • Packet Sniffers
  • Trust Exploitation
  • Port Redirection

25
Edge Distribution Module
  • To aggregate the connectivity from the various
    elements at the edge.
  • Key Devices: Layer 3 switches aggregate edge
    connectivity and provide advanced services
  • Threats Mitigated
  • Unauthorized Access: filtering provides granular
    control over specific edge subnets and their
    ability to reach areas within the campus
  • IP Spoofing: RFC 2827 filtering limits locally
    initiated spoof attacks
  • Network Reconnaissance: filtering limits
    nonessential traffic from entering the campus,
    limiting a hacker's ability to perform network
    recon
  • Packet Sniffers: a switched infrastructure
    limits the effectiveness of sniffing
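
The RFC 2827 filtering mentioned above, as an added example that is not part of the lecture: an edge router drops inbound packets that claim an internal source and outbound packets whose source is not one of the site's own prefixes. The internal prefixes and the sample packets are constructed.

```python
import ipaddress
from typing import List, Tuple

# Constructed example of RFC 2827 ingress/egress filtering on an edge router.
# The internal prefixes are illustrative and not taken from the lecture.
INTERNAL_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the site's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PREFIXES)


def rfc2827_verdict(direction: str, src: str) -> str:
    """Decide one packet by its direction and source address.

    inbound  = arriving on the Internet-facing interface
    outbound = leaving toward the Internet
    A packet arriving from outside with an internal source is spoofed; a
    packet leaving with a non-internal source is a locally initiated spoof.
    """
    if direction not in ("inbound", "outbound"):
        raise ValueError(f"unknown direction {direction!r}")
    internal = is_internal(src)
    if direction == "inbound" and internal:
        return "drop (inbound packet claims internal source)"
    if direction == "outbound" and not internal:
        return "drop (outbound packet with non-internal source)"
    return "permit"


def filter_packets(packets: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """packets are (direction, src, dst); returns (src, verdict) per packet."""
    return [(src, rfc2827_verdict(direction, src))
            for direction, src, _dst in packets]


# Constructed sample traffic (documentation addresses from RFC 5737).
SAMPLE_PACKETS = [
    ("inbound", "203.0.113.7", "10.1.2.3"),       # genuine Internet client
    ("inbound", "10.9.9.9", "10.1.2.3"),          # spoofed internal source
    ("outbound", "10.1.2.3", "203.0.113.7"),      # genuine reply from inside
    ("outbound", "198.51.100.1", "203.0.113.7"),  # inside host spoofing an outside address
]

if __name__ == "__main__":
    for src, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{src:15} {verdict}")
```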

26
Enterprise Edge Corporate Internet Module
27
Enterprise Edge Corporate Internet Module
  • Key Devices
  • SMTP server: acts as a relay between the
    Internet and the Internet mail servers; inspects
    content
  • DNS server: serves as authoritative external DNS
    server for the enterprise, relays internal
    requests to the Internet
  • FTP/HTTP server: provides public information
    about the organization
  • Firewall: provides network-level protection of
    resources and stateful filtering of traffic
  • NIDS appliance: provides Layer 4 to Layer 7
    monitoring of key network segments in the module
  • URL Filtering Server: filters unauthorized URL
    requests from the enterprise
  • Threats Mitigated
  • Unauthorized Access: mitigated through filtering
    at the ISP, edge router, and corporate firewall
  • Application Layer Attacks: mitigated through IDS
    at the host and network levels
  • Virus and Trojan Horse: mitigated through e-mail
    content filtering and host IDS
  • Password Attacks: limited services available to
    brute force; OS and IDS
  • Denial of Service
  • IP Spoofing: at ISP edge and enterprise edge
    router
  • Packet Sniffers: switched infrastructure and
    host IDS limit exposure
  • Network Reconnaissance: IDS detects recon,
    protocols filtered to limit effectiveness
  • Trust Exploitation: restrictive trust model and
    private VLANs limit trust-based attacks
  • Port Redirection: restrictive filtering and host
    IDS limit attack

28
Attack Mitigation Role for Corporate Internet Module
29
Enterprise Edge Remote Access VPN Module
  • The primary objective of this module is
    three-fold:
  • Terminate the VPN traffic from remote users
  • Provide a hub for terminating VPN traffic from
    remote sites, and
  • Terminate traditional dial-in users.

30
Enterprise Edge Remote Access VPN Module (cont.)
  • Key Devices
  • VPN Concentrator: authenticates individual remote
    users using Extended Authentication (XAUTH) and
    terminates their IPSec tunnels
  • VPN Router: authenticates trusted remote sites
    and provides connectivity using GRE/IPSec tunnels
  • Dial-In Server: authenticates individual remote
    users using TACACS and terminates their analog
    connections
  • Firewall: provides differentiated security for
    the three different types of remote access
  • NIDS appliance: provides Layer 4 to Layer 7
    monitoring of key network segments in the module
  • Threats Mitigated
  • Network Topology Discovery: only Internet Key
    Exchange (IKE) and Encapsulating Security Payload
    (ESP) are allowed into this segment from the
    Internet
  • Password Attack: OTP authentication reduces the
    likelihood of a successful password attack
  • Unauthorized Access: firewall services after
    packet decryption prevent traffic on unauthorized
    ports
  • Man-in-the-Middle: mitigated through encrypted
    remote traffic
  • Packet Sniffers: a switched infrastructure
    limits the effectiveness of sniffing

31
Attack Mitigation Roles for Remote Access VPN Module
32
Enterprise Edge WAN Module
  • Rather than being all-inclusive of potential WAN
    designs, this module shows resilience and
    security for WAN termination.
  • Key Devices: IOS Router using routing,
    access-control, and QoS mechanisms
  • Threats Mitigated
  • IP Spoofing: mitigated through L3 filtering
  • Unauthorized Access: simple access control on
    the router can limit the types of protocols to
    which branches have access

33
Enterprise Edge E-Commerce Module
34
Securing Internet Connections
  • Physical security
  • Firewalls and packet filters
  • Audit logs, authentication, authorization
  • Well-defined exit and entry points
  • Routing protocols that support authentication

35
Securing Public Servers
  • Place servers in a DMZ that is protected via
    firewalls
  • Run a firewall on the server itself
  • Enable DoS protection
  • Limit the number of connections per timeframe
  • Use reliable operating systems with the latest
    security patches
  • Maintain modularity
  • Front-end Web server doesn't also run other
    services
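
One way to implement the "limit the number of connections per timeframe" control above, as an added example that is not code from the lecture: a per-source sliding-window limiter that refuses a new connection once a source has used its quota within the window. The limits and the sample events are constructed.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class ConnectionLimiter:
    """Per-source sliding-window limit: at most max_conns new connections
    from one source address within any span of `window` seconds."""

    def __init__(self, max_conns: int, window: float) -> None:
        self.max_conns = max_conns
        self.window = window
        self._history: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, src: str, now: float) -> bool:
        """Record a connection attempt at time `now`; True if it may proceed."""
        q = self._history[src]
        # Expire timestamps that have aged out of the window (oldest first).
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_conns:
            return False  # over the limit: refuse and do not record
        q.append(now)
        return True


def run_demo(events: List[Tuple[float, str]], max_conns: int = 3,
             window: float = 10.0) -> List[Tuple[str, bool]]:
    """Replay (timestamp, source) events through a fresh limiter."""
    limiter = ConnectionLimiter(max_conns, window)
    return [(src, limiter.allow(src, t)) for t, src in events]


# Constructed sample: one client opens four connections within 1.2 seconds,
# another client connects once, then the first client returns 10 s later.
SAMPLE_EVENTS = [
    (0.0, "203.0.113.5"),
    (0.5, "203.0.113.5"),
    (1.0, "203.0.113.5"),
    (1.2, "203.0.113.5"),   # fourth in the window: refused
    (1.3, "198.51.100.9"),  # different source, unaffected
    (10.1, "203.0.113.5"),  # first attempt has aged out: allowed again
]

if __name__ == "__main__":
    for src, ok in run_demo(SAMPLE_EVENTS):
        print(src, "accepted" if ok else "refused")
```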

36
Security Topologies
[Diagram: Internet, DMZ (Web, File, DNS, Mail Servers), Enterprise Network]
37
Security Topologies
[Diagram: Internet, Firewall, DMZ (Web, File, DNS, Mail Servers), Enterprise Network]
38
Securing Remote-Access and Virtual Private Networks
  • Physical security
  • Firewalls
  • Authentication, authorization, and auditing
  • Encryption
  • One-time passwords
  • Security protocols
  • CHAP
  • RADIUS
  • IPSec

39
Securing Network Services
  • Treat each network device (routers, switches, and
    so on) as a high-value host and harden it against
    possible intrusions
  • Require login IDs and passwords for accessing
    devices
  • Require extra authorization for risky
    configuration commands
  • Use SSH rather than Telnet
  • Change the welcome banner to be less welcoming

40
Securing Server Farms
  • Deploy network and host IDSs to monitor server
    subnets and individual servers
  • Configure filters that limit connectivity from
    the server in case the server is compromised
  • Fix known security bugs in server operating
    systems
  • Require authentication and authorization for
    server access and management
  • Limit root password to a few people
  • Avoid guest accounts

41
Securing User Services
  • Specify which applications are allowed to run on
    networked PCs in the security policy
  • Require personal firewalls and antivirus software
    on networked PCs
  • Implement written procedures that specify how the
    software is installed and kept current
  • Encourage users to log out when leaving their
    desks
  • Consider using 802.1X port-based security on
    switches

42
Securing Wireless Networks
  • Place wireless LANs (WLANs) in their own subnet
    or VLAN
  • Simplifies addressing and makes it easier to
    configure packet filters
  • Require all wireless (and wired) laptops to run
    personal firewall and antivirus software
  • Disable beacons that broadcast the SSID, and
    require MAC address authentication
  • Except in cases where the WLAN is used by visitors

43
WLAN Security Options
  • Wired Equivalent Privacy (WEP)
  • IEEE 802.11i
  • Wi-Fi Protected Access (WPA)
  • IEEE 802.1X Extensible Authentication Protocol
    (EAP)
  • Lightweight EAP or LEAP (Cisco)
  • Protected EAP (PEAP)
  • Virtual Private Networks (VPNs)
  • Any other acronyms we can think of?

44
Wired Equivalent Privacy (WEP)
  • Defined by IEEE 802.11
  • Users must possess the appropriate WEP key that
    is also configured on the access point
  • 64- or 128-bit key (or passphrase)
  • WEP encrypts the data using the RC4 stream cipher
    method
  • Infamous for being crackable

45
WEP Alternatives
  • Vendor enhancements to WEP
  • Temporal Key Integrity Protocol (TKIP)
  • Every frame has a new and unique WEP key
  • Advanced Encryption Standard (AES)
  • IEEE 802.11i
  • Wi-Fi Protected Access (WPA) from the Wi-Fi
    Alliance
  • Realistic parts of IEEE 802.11i now!

46
VPN Software on Wireless Clients
  • Safest way to do wireless networking for
    corporations
  • Wireless client requires VPN software
  • Connects to VPN concentrator at HQ
  • Creates a tunnel for sending all traffic
  • VPN security provides
  • User authentication
  • Strong encryption of data
  • Data integrity

47
Review Questions
  • How does a security plan differ from a security
    policy?
  • Why is it important to achieve buy-in from users,
    managers, and technical staff for the security
    policy?
  • How can a network manager secure a wireless
    network?