View
87
Download
2
Category
Preview:
Citation preview
Investigation, Design and Implementation of a Secure Network Model for the University of Tripoli.
Investigation, Design and Implementation of a Secure Network Model for the University of Tripoli.Presented By: Firas Alsayied
Outline
Network Overview
What is a Network ?A Network Is a collection of devices and End-to-End systems connected together that originate, route and terminate the data.
4
Characteristic of Networks Topology Speed Cost Security Availability Scalability Reliability
Topology : the arrangement of the network componentsSpeed: of the data transition between source and distiation Cost: less money more honey Security: indicates how protected the network is Avalibility: of the network to the subscribers 24/7 of the timeSacbility: how easily the network can accommodate more users and data transmission requirementsReliability: indicates the dependability of the components that make up the network
5
Types of network PAN LAN
WAN
PAN: is a computer network organized around an individual person.LAN: is a group of devices that share a common communications line.Wan: used in large geographical area such as cities or countries.6
Network Components
Network components can be divided into 4 groups :1- End Points: such as PC, Servers 2- Interconnections: NIC LAN Card3- Network media: which can be a physical media such as cables, wireless media4-Connector devices : switch, router7
Network Security, Policy & Vulnerabilitiesl
Security
Security has one purpose: to protect assets In terms of computer networks the assets can be:Information files, data streams ServersConfigurationsUser accountsPasswords- Devices
Assets can be defined as something of value 9
Network Security Goals (CIA Model)
1. Confidentiality: Ensure that the secrecy is enforced and the information is not read by unauthorized users.
2. Integrity: modification of data is not permitted to unauthorized Users.
3. Availability: prevention of loss of access to resources and information.
In network security certain concepts needed to be attained, which are : Confidin: whos authorized to be log in or reading the data Intig: Is the data that arrived is the same data that has being sent Avalib: of the network resources and services to subscribers. 10
Security Policy
Policy define how the security is implemented with a set of laws. And thats done by answering the following questions What are you trying to protect?What data is confidential?What resources are precious?What are you trying to protect against?Who is authorized to login into the management plan ?
11
VulnerabilitiesVulnerability is a weakness which is inherent in network, device, technology or policy.
Types of vulnerabilities:Technology weaknesses
Configuration weaknesses
- Security policy weaknesses
Vulnerabilities may exist in computer systems and networks, allowing the system to be open to a technical attack or in administrative procedures12
ThreatsThreats: are the people eager, willing, and qualified to take advantage of each security weakness, and they continually search for new methods and techniques to do so.`
Types of threats:Internal Threat
- External Threat
Internal threats can cause more damages to the network information than the external ones13
Examples of Threats Eavesdropping
MIN Denial of Service DOS
Dos : attacks that originate from a large number of systems that usually controlled from a single master sending a ping packet to network server causing it to fail.Min: Is an attack where the attacker secretly relays and alters the communication between two parties who believe they are directly communicating with each other14
Security Countermeasures
FirewallsIs anetwork securitysystem (Software/hardware) that monitors and controls the incoming and outgoing network traffic, based on predetermined security rules. Modern firewalls includes- Intrusion Prevention System- Authentication, Authorization, and Vulnerability assessment systems.
Firewall acts like a shield from outside threats, allowing only pre-determined protocols to pass throw while denying the others.16
Intrusion Detection System (IDS)Used to monitor for suspicious activity on a network
Syslog Server :
Is a type of security software designed to automatically alert administrators when someone or something is trying to compromise information system through malicious activities17
VPN Virtual Private Network is a type of private network that uses public telecommunication, such as the Internet, instead of leased lines to communicate.VPN uses several protocols such as: PPTP -- Point-to-Point Tunneling Protocol L2TP -- Layer 2 Tunneling Protocol
VPN acts like a private tunnel in untrusted network such as the internet, establishing encrypted communication between the two parties.18
Encryption
Encryption -- is a method of scrambling data before transmitting it onto the Internet.
- Public Key Encryption Technique - Digital signature
or simply alters the data in such way to hide it from unauthorized Individuals to see it Encryption have several techniques such as: 19
k
1- phase one : Network infrastructure Design & layout planning
2- Phase Two : Application of Protection & Implementation of Secure Policy
Network DesignIs the process of arranging the various components of a network to supply the demands of the subscribers.Our network design must answer some pretty basic questions- What stuff do we get for the network ?- Whats the size and type of the devices ?How do we connect it all ?- How do we configure it to work right ?- Whats method of connection ?- Finally Is the network secure ?
Phase one ObjectivesDesign a sophisticated network Infrastructure to EEE and the other surrounding departments of the Engineering faculty that accomplishes the concept of availabilityConnect the total infrastructure of the departments by a main core-switch.Assigning interfaces and different DHCP pools for each departmentDistribute VLAN subnets that covers (Classes, Labs and Staff offices) Configure the Wireless access point for each
GNS3GNS3 is a Graphical Network Emulator that allows us to design complex network topologies. It provides Real Implementation to various devices such as Routers, Switches and Firewalls
EEE Department Network
As shown in figure, the EEE Department consist three floors The first floor contains 7 classes and one beta office for students The second floor consist of the staff offices and 3 labs The last floor consist of two labs and the admistration office 24
Total Infrastructure
The total contains 4 departments of the Eng faculty, (names) The infrastructure consist of 3 layers 25
Access Layer
Which Provides connectivity for network hosts and end devices, contains the 48 and 24 port switches, also the wireless access points26
Core Layer
Core layer contains fast switching layer 3 device that connect the departments together. 27
Head layer
As shown this layer contains the AAA and syslog server that are connected to the Firewall then to the isp 28
Switches distribution in each department DepartmentFloors24 - PortSwitches48 Port Switch Wireless access PointsElectric and Electronic Eng.3121Marine Eng.22-1Mechanical Eng.1111Architectural Eng.3111
Access switches are chosen depending on the number of the classes, labs, and floors that has been estimated in each department29
Assigning IP addresses and VLANs: Departments& serversStudent VLAN 10Labs VLAN 20Staff VALN30WLAN 40Electrical and Electronic Eng.10.1.0.010.2.0.010.3.0.010.4.0.0Marine Eng.10.5.0.010.6.0.010.7.0.010.8.0.0Mechanical Eng.10.9.0.010.10.0.010.11.0.010.12.0.0Architectural Eng.10.13.0.010.14.0.010.15.0.010.16.0.0AAA Server20.1.0.20---Syslog Server20.1.0.3---Firewall20.1.0.2---
Phase Two Applying the security protocols.Creating encrypted password for the management planConfigure Isolation mechanism.Allowing the head of departments networks to be able to connect to each other.Creating a syslog server.Configure VPN private network.Creating a zone-base firewall.Applying authentication for users.
1- to designate when and who is authorized to access/configure the network components.2- designated for administrators.3- to separate each VLAN for the other 4- !!!!!5-to receive and correlate events 6-for Wireless access point users.7-using captive portal application.
31
Securing the Management plan: Enable password for each network device and authentication retries limit.Enable SSH encryption for VTY auxiliary port.
3 authentication retries and 60 sec idle time32
Microsoft (M) - read vty bitchAccess List Isolation Policy for each VLAN
To segregate each vlan from the other, we used extended access list protocols in main core-switch as shown in this figure 33
Configuring Syslog Server
Using kiwi syslog program to receive messages from the core-switch and firewall, while choosing the debugging level of log 34
Initialize the Zone based Firewall Separate the Network into three zones 1- In Zone (internal network) 2- Out zone (ISP) 3- Self (Firewall) configure the interfaces of the firewall
Inside(trusted) Interfaces:Outside(untrusted) Interface: FastEthernet0/0 (20.1.0.2)/24FastEthernet1/0 (192.168.137.5)/24
Configure the Firewall through CCP
The figure demonstrate the firewall applied policies form in zone to out zone 36
Configure VPN tunnel for Wireless UsersDefine the interface for the wireless access point in the CCP then select the Pre-shared Key authentication
Group Policy for VPN and Maximum Connection Allowed
Implanting PFSense Captive Portal
Test & Results
Test the internet connection for clients and LABS1- Clients 2- LABS
Connection Between Head-Departments
Attempt to access the firewall from un-authorized user
Test the Management Plan Access
In this action we Emulate the password spoofing attack to aquire the usern & passw of the administrator, this action attack was a failure due to the ssh protocol that has been used44
Test the wireless network VPN connection
45
Check Captive Portal login k
Conclusion Network designing and security is an important field that is getting more and more attention as the internet expands. Providing the resources and the type for connection is a primary task that should be considered before implementing a network, keeping in mind the security measures and policies needed to be applied for the clients and the communication chain to keep it safe. An effective network design should be developed with: 1- Understanding of the network design concepts such as reliability and availability .2- learning the factors that make a network vulnerable and weak to potential threats and attackers.3-Needed level of security thats required to achieve stability and confidentiality of the subscribers.4- Finally implementing and configuring the network components to supply the demand of the clients while aligns with the security plan that has been imprinted.
jj
Recommended