Secure Network Design Jose David Garcia


Page 1: Secure Network Design

Secure Network Design

Jose David Garcia

Page 2: Secure Network Design

Index

1. Diagram Legend

2. Layered Network Design

  1. Access Layer

  2. Distribution Layer

  3. Core Layer

3. High Availability and Load Balancing

4. Modular Network Design

  1. Management Block

    1. Out of Band Management

    2. In Band Management

  2. Server Block

  3. WAN Block

  4. Internet Block

Page 3: Secure Network Design

Diagram Legend

CC: Crypto Cluster

NIDS: Network Intrusion Detection System

HIDS: Host Intrusion Detection System

VPN: Virtual Private Network

Router

Switch

Multilayer Switch

Load Balancer

Terminal Server

Firewall

Server

Management Console

Remote User

Page 4: Secure Network Design

[Diagram: overall network showing Switch Block 1, Switch Block 2, Internet Block, WAN Block, Server Block and Management Block, with IDS sensors, VPN devices and a Crypto Cluster (CC) placed at the block boundaries]

Page 5: Secure Network Design

Access Layer

[Diagram: the overall network with the access layer of Switch Block 1 and Switch Block 2 highlighted; Internet Block, WAN Block, Server Block and Management Block shown for context]

Page 6: Secure Network Design

Characteristics

• Low Cost per port

• High port density

• Uplink to higher layers

• Layer 2 Services

Page 7: Secure Network Design

Security Design

• Identity based network services

• VLAN and PVLAN segregation

• Rate limiting

• Management encryption

• Physical isolation

Page 8: Secure Network Design

Best Practices

• Ports that do not need to trunk should have trunk negotiation set to OFF rather than AUTO

• Limit each port to a small number of MAC addresses (5)

• Configure broadcast storm control

• Turn off Telnet and limit SNMP access to the switches

• Logging to an external server

Page 9: Secure Network Design

Distribution Layer

[Diagram: the overall network with the distribution layer of Switch Block 1 and Switch Block 2 highlighted; Internet Block, WAN Block, Server Block and Management Block shown for context]

Page 10: Secure Network Design

Characteristics

• Aggregation of Access Layer Devices

• High layer 3 throughput

• Robust layer 3 functionality

• Security

• Media Translation

• QoS

Page 11: Secure Network Design

Security

• Access Control Lists

• SPAN ports for IDS

• Physical isolation

Page 12: Secure Network Design

Best practices

• Turn off unneeded services

• Disable all unused ports

• Limit the MAC addresses on a port to known MAC addresses when possible (non-trunking ports)

• For trunking ports use a dedicated VLAN identifier

• Eliminate native VLANs for 802.1q trunks

• Turn off Telnet and limit SNMP access to the switches

• Logging to an external server

Page 13: Secure Network Design

Core Layer

[Diagram: the overall network with the core layer between Switch Block 1 and Switch Block 2 highlighted; Internet Block, WAN Block, Server Block and Management Block shown for context]

Page 14: Secure Network Design

Characteristics

• No Expensive Layer 3 Processing

• Very High Throughput

• No unnecessary packet manipulation

• Resiliency

• High Availability

Page 15: Secure Network Design

Security

• Physical isolation

Page 16: Secure Network Design

Best practices

• Disable all unused ports

• Limit the MAC addresses on a port to known MAC addresses when possible

• Turn off Telnet and limit SNMP access to the Switches

• Logging to external server
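The access, distribution and core layer best-practice slides above all reduce to settings that can be checked in a switch's running configuration. The following audit script is an added example and is not part of the original deck: it parses a constructed IOS-style configuration (the command syntax is Cisco-like; the interface names, addresses, community strings and ACL name are invented for the example) and reports ports that still negotiate trunking, lack port-security or broadcast storm control, trunks that keep native VLAN 1, unused ports left up, Telnet on the VTY lines, SNMP communities without an access list, and a missing external syslog host.

```python
"""Audit an IOS-style switch configuration against the deck's layer best practices.

Added example; the sample config below is constructed, not taken from a real device.
"""
import re

# Constructed sample running-config: one hardened access port, one port at
# defaults, one unused port left up, and a trunk still on native VLAN 1.
SAMPLE_CONFIG = """\
hostname access-sw1
logging host 10.255.0.10
snmp-server community r3ad-only RO MGMT-ACL
snmp-server community public RO
!
interface GigabitEthernet0/1
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 5
 storm-control broadcast level 10.00
!
interface GigabitEthernet0/2
 switchport mode dynamic auto
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 1
!
line vty 0 4
 transport input telnet ssh
"""


def parse_config(text):
    """Return (top_level_lines, sections): every non-indented line is a top-level
    line, and the indented lines under it form that line's section body."""
    top, sections = [], {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None  # '!' separators end the current section
            continue
        if line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line
            top.append(line)
            sections[current] = []
    return top, sections


def first_match(lines, pattern):
    """First re.match of pattern over the lines, or None."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return m
    return None


def audit_interface(lines, max_macs=5):
    """Port-level checks: trunk negotiation, native VLAN, MAC limits, storm control."""
    if "shutdown" in lines:
        return []  # administratively down: nothing more to check
    if not lines:
        return ["default configuration on an active port, shut it down if unused"]
    out = []
    if any(l.startswith("switchport mode dynamic") for l in lines):
        out.append("trunk negotiation left on (mode dynamic), set access + nonegotiate")
    if "switchport mode trunk" in lines:
        m = first_match(lines, r"switchport trunk native vlan (\d+)")
        if m is None or m.group(1) == "1":
            out.append("802.1q trunk uses native VLAN 1, assign a dedicated unused VLAN")
    else:
        if "switchport port-security" not in lines:
            out.append("port-security not enabled")
        else:
            m = first_match(lines, r"switchport port-security maximum (\d+)")
            limit = int(m.group(1)) if m else 1  # IOS default maximum is 1
            if limit > max_macs:
                out.append(f"port-security maximum {limit} exceeds {max_macs}")
        if not any(l.startswith("storm-control broadcast") for l in lines):
            out.append("no broadcast storm control")
    return out


def audit(text):
    """Return a sorted list of (scope, finding) tuples; an empty list means clean."""
    top, sections = parse_config(text)
    findings = []
    if not any(l.startswith("logging host ") for l in top):
        findings.append(("global", "no external syslog host configured"))
    for line in top:
        m = re.match(r"snmp-server community (\S+) (?:RO|RW)(?: (\S+))?$", line)
        if m and not m.group(2):
            findings.append(("global", f"SNMP community '{m.group(1)}' has no access list"))
    for header, body in sections.items():
        if header.startswith("line vty"):
            for line in body:
                if line.startswith("transport input") and "telnet" in line.split():
                    findings.append((header, "Telnet enabled on VTY lines"))
        elif header.startswith("interface "):
            name = header.split(None, 1)[1]
            findings.extend((name, f) for f in audit_interface(body))
    return sorted(findings)


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

Running the script on the constructed config reports seven findings: three on GigabitEthernet0/2, one each on GigabitEthernet0/3 and GigabitEthernet0/24, the unrestricted `public` community, and Telnet on the VTY lines; GigabitEthernet0/1 passes every check. The MAC limit defaults to the slide's value of 5 and is a parameter so the same audit can be run against a stricter policy.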

Page 17: Secure Network Design

High Availability and Load Balancing

Page 18: Secure Network Design

Management Block

[Diagram: the management block with HIDS on the management hosts and NIDS sensors at its edge]

Page 19: Secure Network Design

Key Devices

• Firewalls

• NIDS and HIDS

• IDS Hosts

• Syslog Hosts

• SNMP Management Hosts

• CiscoWorks, HP OpenView

• System Admin Host

Page 20: Secure Network Design

Out of Band Management

• Preferred method of management

• Isolated from production network

• Physical Isolation

Page 21: Secure Network Design

In Band Management

• Only management traffic

• Different address space than Production Network

• NAT

• Encryption (IPsec, SSH, SSL)

• Firewall Security + IDS

Page 22: Secure Network Design

Best Practices

• Only use in-band management when necessary.

• PVLAN segregation among hosts in management block.

• Periodic log revision

• Configuration base-line establishment

• Periodic base-line checking

Page 23: Secure Network Design

Threats Mitigated

Practices:

• Only use in-band management when necessary.

• PVLAN segregation among hosts in management block.

• Periodic log revision

• Configuration base-line establishment

• Periodic base-line checking

Threats mitigated:

• Unauthorised Access

• Man in the middle attacks

• Network reconnaissance

• Packet sniffing

• Compromised host hopping

• Hacking attempts going unnoticed

Page 24: Secure Network Design

Server Block

[Diagram: the server block with NIDS sensors on its segments and HIDS on the servers]

Page 25: Secure Network Design

Key Devices

• Firewalls

• NIDS and HIDS

• NTP Server

• TACACS+ Server

• Certificate server

• SecurID Server (strong authentication)

• Corporate Servers

• Call Manager

• DNS Servers

• E-Mail Servers

• Etc…

Page 26: Secure Network Design

Best Practices

• Firewall and NIDS implementation

• PVLAN isolation for each server

• Host Based IDS on each server

• Service redundancy

• Backup policy

• Logging to an external server in the management module

• Version control

Page 27: Secure Network Design

Threats Mitigated

Practices:

• Firewall and NIDS implementation

• Host Based IDS on each server

• PVLAN isolation for each server

• Service redundancy

• Logging to an external server in the management module

• Backup policy

• Version control

Threats mitigated:

• Unauthorized Access

• IP Spoofing

• Application Layer Attacks

• Trust Exploitation

• Compromised host hopping

• Packet Sniffing

• DoS

• Hacking attempts going unnoticed

• Lost Data

Page 28: Secure Network Design

WAN Block

[Diagram: the WAN block with a Crypto Cluster (CC) pair on the WAN links and a NIDS sensor behind them]

Page 29: Secure Network Design

Key Devices

• Firewalls

• NIDS

• Crypto Clusters

• Routers

Page 30: Secure Network Design

Best Practices

• Data encryption

• Access List implementation

• High availability through different providers

Page 31: Secure Network Design

Threats Mitigated

Practices:

• Data encryption

• Access List implementation

• High availability through different providers

Threats mitigated:

• Data theft

• Man in the middle attack

• IP spoofing

• Unauthorized access

• DoS

Page 32: Secure Network Design

Internet Block

[Diagram: the Internet block with VPN devices for remote users, a NIDS sensor, and HIDS on the public servers]

Page 33: Secure Network Design

Key Elements

• Firewalls

• HIDS and NIDS

• VPN Concentrator

• HTTP Servers

• DNS Servers

Page 34: Secure Network Design

Best Practices

• Security policy with ISP to mitigate DDoS

• Private VLAN Isolation among Servers

• No corporate Servers at this point

• High availability through different ISPs

• VPN for Remote user Access

Page 35: Secure Network Design

Threats Mitigated

Practices:

• Security policy with ISP

• Private VLAN isolation among servers

• Firewall, NIDS and HIDS implementation

• High availability through different ISPs

• VPN for remote user access

• No corporate servers at this point

Threats mitigated:

• IP Spoofing

• Packet Sniffing

• Compromised host hopping

• Hacking attempts going unnoticed

• DDoS attacks

• Unauthorized Access

Page 36: Secure Network Design

THE END