Secure Network Design
Jose David Garcia
Index
1. Diagram Legend
2. Layered Network Design
   1. Access Layer
   2. Distribution Layer
   3. Core Layer
3. High Availability and Load Balancing
4. Modular Network Design
   1. Management Block
      1. Out of Band Management
      2. In Band Management
   2. Server Block
   3. WAN Block
   4. Internet Block
Diagram Legend
• CC: Crypto Cluster
• NIDS: Network Intrusion Detection System
• HIDS: Host Intrusion Detection System
• VPN: Virtual Private Network
• Router
• Switch
• Multilayer Switch
• Load Balancer
• Terminal Server
• Firewall
• Server
• Management Console
• Remote User
Diagram: overall modular design with Switch Block 1, Switch Block 2, Internet Block, WAN Block, Server Block and Management Block, showing crypto clusters (CC), IDS sensors and VPN devices.
Access Layer
Diagram: access layer highlighted in Switch Block 1 and Switch Block 2, with the Internet, WAN, Server and Management Blocks and the VPN devices shown for context.
Characteristics
• Low Cost per port
• High port density
• Uplink to higher layers
• Layer 2 Services
Security Design
• Identity-based network services
• VLAN and PVLAN segregation
• Rate limiting
• Management encryption
• Physical isolation
Best Practices
• Ports without need to trunk should be set to OFF rather than AUTO
• Limit each port to a small number of MAC addresses (5)
• Configure broadcast storm control
• Turn off Telnet and limit SNMP access to the switches
• Logging to external server
Distribution Layer
Diagram: distribution layer highlighted in Switch Block 1 and Switch Block 2, with the Internet, WAN, Server and Management Blocks and the VPN devices shown for context.
Characteristics
• Aggregation of Access Layer Devices
• High layer 3 throughput
• Robust layer 3 functionality
• Security
• Media Translation
• QoS
Security
• Access control lists
• SPAN ports for IDS
• Physical isolation
Best practices
• Turn off unneeded services
• Disable all unused ports
• Limit the MAC addresses on a port to known MAC addresses when possible (non-trunking ports)
• For trunking ports use a dedicated VLAN identifier
• Eliminate native VLANs for 802.1q trunks
• Turn off Telnet and limit SNMP access to the switches
• Logging to external server
Core Layer
Diagram: core layer highlighted between Switch Block 1 and Switch Block 2, with the Internet, WAN, Server and Management Blocks and the VPN devices shown for context.
Characteristics
• No Expensive Layer 3 Processing
• Very High Throughput
• No unnecessary packet manipulation
• Resiliency
• High Availability
Security
• Physical isolation
Best practices
• Disable all unused ports
• Limit the MAC addresses on a port to known MAC addresses when possible
• Turn off Telnet and limit SNMP access to the switches
• Logging to external server
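The switch hardening points repeated across the access, distribution and core slides (no DTP auto-negotiation, no native VLAN 1 on 802.1q trunks, a MAC limit per port, no Telnet, external logging) can be checked mechanically. The Python audit below is an added example, not part of the original slides; it parses a constructed IOS-style configuration fragment, and the interface names, the syslog address and the MAX_MACS limit are assumptions taken from the slides' wording.

```python
# Constructed IOS-style running-config fragment (sample input, not from the slides).
SAMPLE_CONFIG = """\
logging host 10.255.0.10
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
interface GigabitEthernet1/0/2
 switchport mode dynamic auto
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk native vlan 1
line vty 0 4
 transport input telnet ssh
"""
MAX_MACS = 5  # per-port MAC limit quoted on the access layer slide (assumed policy value)
def parse_blocks(config):
    """Split config text into global lines and {interface name: [its lines]}."""
    global_lines, ifaces, current = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None  # 'line vty' and other blocks are treated as global lines
            global_lines.append(line.strip())
    return global_lines, ifaces
def audit(config):
    """Return (scope, finding) pairs for deviations from the slides' best practices."""
    findings = []
    global_lines, ifaces = parse_blocks(config)
    if not any(g.startswith("logging host") for g in global_lines):
        findings.append(("global", "no external syslog server configured"))
    if any(g.startswith("transport input") and "telnet" in g.split() for g in global_lines):
        findings.append(("global", "Telnet accepted on vty lines; use SSH only"))
    for name, lines in ifaces.items():
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode")), None)
        if mode == "dynamic":
            findings.append((name, "DTP negotiation enabled; set mode access or trunk"))
        elif mode == "trunk":
            native = [l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan")]
            if not native or native[0] == "1":
                findings.append((name, "802.1q trunk uses native VLAN 1; use a dedicated VLAN"))
        elif mode == "access":
            maximum = [int(l.split()[-1]) for l in lines if l.startswith("switchport port-security maximum")]
            if "switchport port-security" not in lines or not maximum or maximum[0] > MAX_MACS:
                findings.append((name, f"port-security missing or allows more than {MAX_MACS} MACs"))
    return findings
```

Running audit(SAMPLE_CONFIG) reports the Telnet-enabled vty lines, the DTP-negotiating port and the trunk on native VLAN 1, while GigabitEthernet1/0/1 passes.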
High Availability and Load Balancing
Management Block
Diagram: management block with HIDS on the management hosts and NIDS sensors.
Key Devices
• Firewalls
• NIDS and HIDS
• IDS Hosts
• Syslog Hosts
• SNMP Management Hosts
• CiscoWorks, HP OpenView
• System Admin Host
Out of Band Management
• Preferred method of management
• Isolated from production network
• Physical isolation
In Band Management
• Only management traffic
• Different address space than production network
• NAT
• Encryption (IPsec, SSH, SSL)
• Firewall security + IDS
Best Practices
• Only use In band Management when necessary.
• PVLAN segregation among hosts in management block.
• Periodic log revision
• Configuration base-line establishment
• Periodic base-line checking
Threats Mitigated
Practices:
• Only use in-band management when necessary
• PVLAN segregation among hosts in management block
• Periodic log revision
• Configuration base-line establishment
• Periodic base-line checking
Threats:
• Unauthorised access
• Man-in-the-middle attacks
• Network reconnaissance
• Packet sniffing
• Compromised host hopping
• Hacking attempts going unnoticed
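Base-line establishment, periodic base-line checking and periodic log revision from the management block slides, as an added example that is not taken from the slides: the Python below fingerprints a normalised switch configuration, reports drift from the stored baseline, and picks out configuration changes whose source address lies outside the management block's address space. The config fragments, the syslog lines, the 10.255.0.0/24 management range and the volatile-line patterns are all constructed assumptions.

```python
import hashlib
import ipaddress
import re
# Constructed baseline and current running-configs (sample input, not from the slides).
BASELINE = """\
hostname dist-sw1
ntp clock-period 17179869
logging host 10.255.0.10
snmp-server community s3cret RO 10
line vty 0 4
 transport input ssh
"""
CURRENT = """\
hostname dist-sw1
ntp clock-period 17179901
logging host 10.255.0.10
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
"""
# Lines the device rewrites by itself; ignoring them avoids false drift alarms.
VOLATILE = re.compile(r"^(ntp clock-period|! Last configuration change|! NVRAM config)")
MGMT_NET = ipaddress.ip_network("10.255.0.0/24")  # assumed management-block address space
CONFIG_EVENT = re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by \S+ on \S+ \(([\d.]+)\)")
# Constructed IOS-style syslog lines as collected on the management block's syslog host.
SAMPLE_LOG = [
    "dist-sw1: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.255.0.21)",
    "dist-sw1: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (10.20.4.77)",
]
def normalise(config):
    """Keep only stable, non-empty lines so the comparison is meaningful."""
    return [l.rstrip() for l in config.splitlines() if l.strip() and not VOLATILE.match(l.strip())]

def fingerprint(config):
    """SHA-256 of the normalised config: record this when the baseline is established."""
    return hashlib.sha256("\n".join(normalise(config)).encode()).hexdigest()

def check_baseline(baseline, current):
    """Periodic check: None when unchanged, else the lines added and removed."""
    if fingerprint(baseline) == fingerprint(current):
        return None
    base, cur = set(normalise(baseline)), set(normalise(current))
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}

def config_changes_outside_mgmt(log_lines):
    """Log revision: source addresses of config changes not made from the management block."""
    hits = [CONFIG_EVENT.search(l) for l in log_lines]
    return [m.group(1) for m in hits if m and ipaddress.ip_address(m.group(1)) not in MGMT_NET]
```

For the constructed input, check_baseline flags the weakened SNMP community and the Telnet-enabled vty lines while ignoring the changed ntp clock-period, and config_changes_outside_mgmt returns the one change made from 10.20.4.77.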
Server Block
Diagram: server block with NIDS sensors and HIDS on the servers.
Key Devices
• Firewalls
• NIDS and HIDS
• NTP server
• TACACS+ server
• Certificate server
• SecurID server (strong authentication)
• Corporate servers
• Call Manager
• DNS servers
• E-mail servers
• Etc…
Best Practices
• Firewall and NIDS implementation
• PVLAN isolation for each server
• Host-based IDS on each server
• Service redundancy
• Backup policy
• Logging to an external server in the management module
• Version control
Threats Mitigated
Practices:
• Firewall and NIDS implementation
• Host-based IDS on each server
• PVLAN isolation for each server
• Service redundancy
• Logging to an external server in the management module
• Backup policy
• Version control
Threats:
• Unauthorized access
• IP spoofing
• Application-layer attacks
• Trust exploitation
• Compromised host hopping
• Packet sniffing
• DoS
• Hacking attempts going unnoticed
• Lost data
WAN Block
Diagram: WAN block with crypto clusters (CC) and a NIDS sensor.
Key Devices
• Firewalls
• NIDS
• Crypto Clusters
• Routers
Best Practices
• Data encryption
• Access list implementation
• High availability through different providers
Threats Mitigated
Practices:
• Data encryption
• Access list implementation
• High availability through different providers
Threats:
• Data theft
• Man-in-the-middle attack
• IP spoofing
• Unauthorized access
• DoS
Internet Block
Diagram: Internet block with VPN devices, a NIDS sensor and HIDS on the public servers.
Key Elements
• Firewalls
• HIDS and NIDS
• VPN Concentrator
• HTTP Servers
• DNS Servers
Best Practices
• Security policy with ISP to mitigate DDoS
• Private VLAN isolation among servers
• No corporate servers at this point
• High availability through different ISPs
• VPN for remote user access
Threats Mitigated
Practices:
• Security policy with ISP
• Private VLAN isolation among servers
• Firewall, NIDS and HIDS implementation
• High availability through different ISPs
• VPN for remote user access
• No corporate servers at this point
Threats:
• IP spoofing
• Packet sniffing
• Compromised host hopping
• Hacking attempts going unnoticed
• DDoS attacks
• Unauthorized access
THE END