Secure Network Design Lecture 10

1
Secure Network DesignLecture 10

• Asst.Prof.Supakorn Kungpisdan, Ph.D.
• supakorn_at_mut.ac.th

2
Network Security Design The 12 Step Program

1. Identify network assets
2. Analyze security risks
3. Analyze security requirements and tradeoffs
4. Develop a security plan
5. Define a security policy
6. Develop procedures for applying security policies
7. Develop a technical implementation strategy

1. Achieve buy-in from users, managers, and
   technical staff
2. Train users, managers, and technical staff
3. Implement the technical strategy and security
   procedures
4. Test the security and update it if any problems
   are found
5. Maintain security

3
Network Assets

• Hardware
• Software
• Applications
• Data
• Intellectual property
• Trade secrets
• Companys reputation

4
Security Risks

• Hacked network devices
• Data can be intercepted, analyzed, altered, or
  deleted
• User passwords can be compromised
• Device configurations can be changed
• Reconnaissance attacks
• Denial-of-service attacks

5
Security Tradeoffs

• Tradeoffs must be made between security goals and
  other goals
• Affordability
• Usability
• Performance
• Availability
• Manageability

6
A Security Plan

• High-level document that proposes what an
  organization is going to do to meet security
  requirements
• It specifies time, people, and other resources
  that will be required to develop a security
  policy and achieve implementation of the policy

7
A Security Policy

• Per RFC 2196, The Site Security Handbook, a
  security policy is a
• Formal statement of the rules by which people
  who are given access to an organizations
  technology and information assets must abide.
• The policy should address
• Access, accountability, authentication, privacy,
  and computer technology purchasing guidelines

8
Security Mechanisms

• Physical security
• Authentication
• Authorization
• Accounting (Auditing)
• Data encryption
• Packet filters
• Firewalls
• Intrusion Detection Systems (IDSs)

9
Modularizing Security Design

• Security defense in depth
• Network security should be multilayered with many
  different techniques used to protect the network
• Belt-and-suspenders approach
• Dont get caught with your pants down

10
Modularizing Security Design

• Secure all components of a modular design
• Internet connections
• Public servers and e-commerce servers
• Remote access networks and VPNs
• Network services and network management
• Server farms
• User services
• Wireless networks

11
Ciscos Enterprise Composite Network Model
Enterprise Campus
Service Provider Edge
Enterprise Edge
Network Management
Campus Infrastructure
Edge Distribution
12
Cisco SAFE

• Cisco SAFE Blueprint addresses security in every
  module of a modular network architecture.

13
Legend
14
SAFE Block Diagram
15
Enterprise Campus Details
16
Management Module

• The primary goal of the management module is to
  facilitate the secure management of all devices
  and hosts within the enterprise SAFE
  architecture.
• Logging and reporting information flow from the
  devices through to the management hosts, while
  content, configurations, and new software flow to
  the devices from the management hosts.

17
Management ModuleKey Devices

• SNMP Management host provides SNMP management
  for devices
• NIDS host provides alarm aggregation for all
  NIDS devices in the network
• Syslog host(s) aggregates log information for
  Firewall and NIDS hosts
• Access Control Server delivers one-time,
  two-factor authentication services to the network
  devices
• One-Time Password (OTP) Server authorizes
  one-time password information relayed from the
  access control server

• System Admin host provides configuration,
  software, and content changes on devices
• NIDS appliance provides Layer 4 to Layer 7
  monitoring of key network segments in the module
• Cisco IOS Firewall allows granular control for
  traffic flows between the management hosts and
  the managed devices
• Layer 2 switch (with private VLAN support)
  ensures data from managed devices can only cross
  directly to the IOS firewall

18
Management Module Details
19
Threats Mitigated

• Unauthorized Access filtering at the IOS
  firewall stops most unauthorized traffic in both
  directions
• Man-in-the-Middle Attacks management data is
  crossing a private network making
  man-in-the-middle attacks difficult
• Network Reconnaissance because all management
  traffic crosses this network, it does not cross
  the production network where it could be
  intercepted
• Password Attacks the access control server
  allows for strong two-factor authentication at
  each device
• IP Spoofing spoofed traffic is stopped in both
  directions at the IOS firewall
• Packet Sniffers a switched infrastructure
  limits the effectiveness of sniffing
• Trust Exploitation private VLANs prevent a
  compromised device from masquerading as a
  management host

20
Attack Mitigation Roles for Management Module
21
Core Module

• Key Device
• Layer 3 switching route and switch production
  network data from one module to another
• Threats Mitigated
• Packet Sniffers a switched infrastructure
  limits the effectiveness of sniffing

22
Building Distribution Module

• To provide distribution layer services to the
  building switches these include routing, quality
  of service (QoS), and access control.
• Key Device Layer 3 switches aggregate Layer 2
  switches in building module and provide advanced
  services
• Threats Mitigated
• Unauthorized Access attacks against server
  module resources are limited by Layer 3 filtering
  of specific subnets
• IP Spoofing
• Packet Sniffers a switched infrastructure
  limits the effectiveness of sniffing

23
Building Module

• SAFE defines the building module as the extensive
  network portion that contains end-user
  workstations, phones, and their associated Layer
  2 access points. Its primary goal is to provide
  services to end users.
• Key Devices
• Layer 2 switch provides Layer 2 services to
  phones and user workstations
• User workstation provides data services to
  authorized users on the network
• IP phone provides IP telephony services to
  users on the network

• Threats Mitigated
• Packet sniffers a switched infrastructure and
  default VLAN services limit the effectiveness of
  sniffing
• Virus and Trojan horse applications host-based
  virus scanning prevents most viruses and many
  Trojan horses

24
Server Module

• To provide application services to end users and
  devices. Traffic flows on the server module are
  inspected by on-board intrusion detection within
  the Layer 3 switches.
• Key Devices
• L3 Switch provides layer three services to the
  servers and inspects data crossing the server
  module with NIDS
• Call Manager performs call routing functions
  for IP telephony devices in the enterprise
• Corporate and Department Servers delivers file,
  print, and DNS services to workstations in the
  building module
• E-Mail Server provide SMTP and POP3 services to
  internal users

• Threats Mitigated
• Unauthorized Access
• Application Layer Attacks
• IP Spoofing
• Packet Sniffers
• Trust Exploitation
• Port Redirection

25
Edge Distribution Module

• To aggregate the connectivity from the various
  elements at the edge.
• Key Devices Layer 3 switches aggregate edge
  connectivity and provide advanced services
• Threats Mitigated
• Unauthorized Access filtering provides granular
  control over specific edge subnets and their
  ability to reach areas within the campus
• IP Spoofing RFC 2827 filtering limits locally
  initiated spoof attacks
• Network Reconnaissance filtering limits
  nonessential traffic from entering the campus
  limiting a hackers ability to perform network
  recon
• Packet Sniffers a switched infrastructure
  limits the effectiveness of sniffing

26
Enterprise Edge Corporate Internet Module
27
Enterprise Edge Corporate Internet Module

• Key Devices
• SMTP server acts as a relay between the
  Internet and the Internet mail servers inspects
  content
• DNS server serves as authoritative external DNS
  server for the enterprise, relays internal
  requests to the Internet
• FTP/HTTP server provides public information
  about the organization
• Firewall provides network-level protection of
  resources and stateful filtering of traffic
• NIDS appliance provides Layer 4 to Layer 7
  monitoring of key network segments in the module
• URL Filtering Server filters unauthorized URL
  requests from the enterprise

• Threats Mitigated
• Unauthorized Access mitigated through filtering
  at the ISP, edge router, and corporate firewall
• Application Layer Attacks mitigated through IDS
  at the host and network levels
• Virus and Trojan Horse mitigated through e-mail
  content filtering and host IDS
• Password Attacks limited services available to
  brute force, OS and IDS
• Denial of Service
• IP Spoofing at ISP edge and enterprise edge
  router
• Packet Sniffers switched infrastructure and
  host IDS limits exposure
• Network Reconnaissance IDS detects recon,
  protocols filtered to limit effectiveness
• Trust Exploitation restrictive trust model and
  private VLANs limit trust-based attacks
• Port Redirection restrictive filtering and host
  IDS limit attack

28
Attack Mitigation Role for Corporate Internet
Module
29
Enterprise Edge Remote Access VPN Module

• The primary objective of this module is
  three-fold
• Terminate the VPN traffic from remote users
• Provide a hub for terminating VPN traffic from
  remote sites, and
• Terminate traditional dial-in users.

30
Enterprise Edge Remote Access VPN Module (cont.)

• Key Devices
• VPN Concentrator authenticate individual remote
  users using Extended Authentication (XAUTH) and
  terminate their IPSec tunnels
• VPN Router authenticate trusted remote sites
  and provide connectivity using GRE/IPSec tunnels
• Dial-In Server authenticate individual remote
  users using TACACS and terminate their analog
  connections
• Firewall provide differentiated security for
  the three different types of remote access
• NIDS appliance provide Layer 4 to Layer 7
  monitoring of key network segments in the module

• Threats Mitigated
• Network Topology Discovery only Internet Key
  Exchange (IKE) and Encapsulating Security Payload
  (ESP) are allowed into this segment from the
  Internet
• Password Attack OTP authentication reduces the
  likelihood of a successful password attack
• Unauthorized Access firewall services after
  packet decryption prevent traffic on unauthorized
  ports
• Man-in-the-Middle mitigated through encrypted
  remote traffic
• Packet Sniffers a switched infrastructure
  limits the effectiveness of sniffing

31
Attack Mitigation Roles for Remote Access VPN
Module
32
Enterprise Edge WAN Module

• Rather than being all-inclusive of potential WAN
  designs, this module shows resilience and
  security for WAN termination.
• Key Devices IOS Router using routing,
  access-control, QoS mechanisms
• Threats Mitigated
• IP Spoofing mitigated through L3 filtering
• Unauthorized Access simple access control on
  the router can limit the types of protocols to
  which branches have access

33
Enterprise Edge E-Commerce Module
34
Securing Internet Connections

• Physical security
• Firewalls and packet filters
• Audit logs, authentication, authorization
• Well-defined exit and entry points
• Routing protocols that support authentication

35
Securing Public Servers

• Place servers in a DMZ that is protected via
  firewalls
• Run a firewall on the server itself
• Enable DoS protection
• Limit the number of connections per timeframe
• Use reliable operating systems with the latest
  security patches
• Maintain modularity
• Front-end Web server doesnt also run other
  services

36
Security Topologies
DMZ
Enterprise Network
Internet
Web, File, DNS, Mail Servers
37
Security Topologies
Internet
Firewall
DMZ
Enterprise Network
Web, File, DNS, Mail Servers
38
Securing Remote-Access and Virtual Private
Networks

• Physical security
• Firewalls
• Authentication, authorization, and auditing
• Encryption
• One-time passwords
• Security protocols
• CHAP
• RADIUS
• IPSec

39
Securing Network Services

• Treat each network device (routers, switches, and
  so on) as a high-value host and harden it against
  possible intrusions
• Require login IDs and passwords for accessing
  devices
• Require extra authorization for risky
  configuration commands
• Use SSH rather than Telnet
• Change the welcome banner to be less welcoming

40
Securing Server Farms

• Deploy network and host IDSs to monitor server
  subnets and individual servers
• Configure filters that limit connectivity from
  the server in case the server is compromised
• Fix known security bugs in server operating
  systems
• Require authentication and authorization for
  server access and management
• Limit root password to a few people
• Avoid guest accounts

41
Securing User Services

• Specify which applications are allowed to run on
  networked PCs in the security policy
• Require personal firewalls and antivirus software
  on networked PCs
• Implement written procedures that specify how the
  software is installed and kept current
• Encourage users to log out when leaving their
  desks
• Consider using 802.1X port-based security on
  switches

42
Securing Wireless Networks

• Place wireless LANs (WLANs) in their own subnet
  or VLAN
• Simplifies addressing and makes it easier to
  configure packet filters
• Require all wireless (and wired) laptops to run
  personal firewall and antivirus software
• Disable beacons that broadcast the SSID, and
  require MAC address authentication
• Except in cases where the WLAN is used by visitors

43
WLAN Security Options

• Wired Equivalent Privacy (WEP)
• IEEE 802.11i
• Wi-Fi Protected Access (WPA)
• IEEE 802.1X Extensible Authentication Protocol
  (EAP)
• Lightweight EAP or LEAP (Cisco)
• Protected EAP (PEAP)
• Virtual Private Networks (VPNs)
• Any other acronyms we can think of?

44
Wired Equivalent Privacy (WEP)

• Defined by IEEE 802.11
• Users must possess the appropriate WEP key that
  is also configured on the access point
• 64 or 128-bit key (or passphrase)
• WEP encrypts the data using the RC4 stream cipher
  method
• Infamous for being crackable

45
WEP Alternatives

• Vendor enhancements to WEP
• Temporal Key Integrity Protocol (TKIP)
• Every frame has a new and unique WEP key
• Advanced Encryption Standard (AES)
• IEEE 802.11i
• Wi-Fi Protected Access (WPA) from the Wi-Fi
  Alliance
• Realistic parts of IEEE 802.11i now!

46
VPN Software on Wireless Clients

• Safest way to do wireless networking for
  corporations
• Wireless client requires VPN software
• Connects to VPN concentrator at HQ
• Creates a tunnel for sending all traffic
• VPN security provides
• User authentication
• Strong encryption of data
• Data integrity

47
Review Questions

• How does a security plan differ from a security
  policy?
• Why is it important to achieve buy-in from users,
  managers, and technical staff for the security
  policy?
• How can a network manager secure a wireless
  network?