The Small Network Campus

The small network's Campus module has three types of hosts: corporate servers, a management server, and users. Traffic is distributed among them by a switch.

Assets

The lowest-value assets in the campus are probably the users' systems (if the organization practices centralized file management; if not, security is only one of its problems). Theoretically, few corporate information assets should primarily reside on any user's system. What might be found there, however, are working copies and temporary files that contain sensitive information, and those should be protected. That is made difficult by user behavior, which frequently weakens the security posture of the systems. Users download or copy in files, executables, and assorted utilities, not all of which are benign; some are actual malware, and none is likely to be known about by the person responsible for security.

The primary copies of the important data should reside in the corporate servers. These are not just document files, of course, but also databases, the email server with its archived copies of correspondence, the business's financial records, and so on. If the company provides services, detailed data concerning its customers and the contracts with them could be here. If the company produces tangible goods, product specifications, testing results, safety data, and so on could be here. Depending on the product or service, legal requirements might need to be met, such as those of HIPAA, GLBA, and/or the Sarbanes-Oxley Act in the United States.

All the information stored in these servers must be considered among the most valuable information assets the organization possesses. If this is a branch office of a larger organization, these servers probably have trust relationships with their corollaries at the corporate headquarters, increasing their value to a hacker.

The management server in this module provides AAA, logging, the IDS Director function, and general configuration management. This is a prime target for the savvy hacker because, if it can be compromised, a user account can be created to allow entry, with high (even root/Administrator) privileges on every device in the network. Likewise, logs stored on this server can be "edited" to remove signs that the hacker was ever there. If the hacker can recognize the IDS, he can remove the signature file for a particular attack before it is begun, resulting in no alarm from the IDS. This server protects other resources, so it must be protected at least as well as the highest level of data that it protects.

A switch is the usual campus distribution device; most small networks do not require the network segmentation provided by a router, at least for traffic-management purposes. Again, be sure that you have a switch capable of supporting private VLANs.

Threats

As when discussing the edge, we have alluded to some of the campus's threats in the previous discussion. However, it's important to take a slightly different perspective here: Most of the threats to the edge are likely to originate somewhere outside the organization's network. This certainly reinforces the need for a firewall in the edge (whether software or a dedicated device) that is capable of handling the load. You cannot afford to reduce its security profile.

The more likely threat in the campus is an internal threat, someone authorized (at least, authorized at some time) to use a system on the network. This person starts from a position that the hacker must work to achieve: having a trusted account on the system. From there, the hacker can work at escalating his privileges. In addition, the internal threat starts with some knowledge of the system that the hacker must acquire through reconnaissance.

Even given this stronger human security threat, the technical threats in the campus are somewhat fewer:

  • Application-layer attacks

  • Packet sniffers

  • Port redirection

  • Trust exploitation

  • Unauthorized access

  • Virus and trojan horse attacks

Not present in this list are password attacks (because new user accounts likely will be created or existing account privileges will be escalated), network reconnaissance (not needed), IP spoofing (not needed), and DoS attacks (possible, but unlikely). Note that the ones missing are also ones that might be easier to spot if you are reading logs and have filtering in place.

Devices and Implementation

That naturally leads us to look at how to protect the devices in the campus. All hosts, both users and servers, should have antivirus software installed, should be updated regularly, and should have their systems scanned frequently. Likewise, every host should be fully maintained (fully patched), in both its OS and its applications. Configuration control must be practiced to ensure that users do not install their own additional applications and utilities, sometimes in the interest of productivity and more often in the interest of convenience.

In addition, both corporate and management servers should have HIDS installed and tuned to operate very aggressively: Although false positives in this environment are indisputably annoying, they are better than false negatives. This is likely to be a more aggressive HIDS posture than you used in the edge, where the public, rather than your internal users, would be inconvenienced.

The switch should be configured to have all servers on private VLANs. In addition, certain user workstations, such as administrative workstations, might benefit from this. As in the edge, all unused ports should be disabled to prevent unknown and unauthorized devices from being able to connect to the network. In addition, ports that need to trunk should be specified, and all others should have their trunking autonegotiate set to Off.
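A defender's check for the three switch settings just described, written as an added example (not from the book or from Cisco): it parses a constructed Catalyst-style running-config excerpt and flags ports that break the rules. The interface names, descriptions, and the heuristic that a port whose description contains "server" is a server port are assumptions.

```python
"""Audit a Catalyst-style running-config excerpt for the campus switch
controls above: unused ports shut, DTP off on non-trunk ports, servers in a
private VLAN. Constructed sample; simplified parser, not a full IOS grammar."""
import re

# Constructed sample: a correctly configured server port, a server port that
# is merely on an access VLAN, a shut-down spare, and a spare left open.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description corporate-server-1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 switchport nonegotiate
interface FastEthernet0/3
 description corporate-server-2
 switchport mode access
 switchport access vlan 10
interface FastEthernet0/4
 shutdown
interface FastEthernet0/5
"""

def parse_interfaces(config):
    """Return {interface name: [indented config lines]}."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif current and line.startswith(" "):
            stanzas[current].append(line.strip())
    return stanzas

def audit(config):
    """Return a sorted list of (interface, finding) tuples."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        shut = "shutdown" in lines
        trunk = any(l.startswith("switchport mode trunk") for l in lines)
        configured = any(l.startswith(("description", "switchport")) for l in lines)
        server = any(l.startswith("description") and "server" in l for l in lines)
        pvlan = any("private-vlan" in l for l in lines)
        if not configured and not shut:
            findings.append((name, "unused port not shut down"))
        if configured and not trunk and "switchport nonegotiate" not in lines:
            findings.append((name, "DTP autonegotiation still enabled"))
        if server and not pvlan:
            findings.append((name, "server port not in a private VLAN"))
    return sorted(findings)
```

Run `audit(SAMPLE_CONFIG)` against the sample and it reports FastEthernet0/3 twice (DTP still on, not in a private VLAN) and FastEthernet0/5 once (open spare port); FastEthernet0/1 and the shut-down FastEthernet0/4 are clean.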

As you might have noticed, most of the security work to be done here is system administration rather than networking. However, this area should not be penetrated by outsiders if the edge is well secured (although there can never be any guarantees). Managing insiders is largely a system-administration function.

Threats Mitigated

Having described the threats and the security measures to be taken, it's time to summarize them in Table 10.2.

Table 10.2. Small Network Campus Threats and Their Mitigation

Threat                           Mitigated By
-------------------------------  ----------------------------------------------------------
Packet sniffers                  Switched network, HIDS on servers
Trust exploitation               Private VLANs, restrictive trust model (where appropriate)
Unauthorized access              HIDS, strict authorization control on applications
Port redirection                 HIDS
Application-layer attacks        OS and applications locked down, HIDS
Virus and trojan horse attacks   Antivirus on every host

Even though there are many similarities between this table and Table 10.1, there is more of a system administration orientation in Table 10.2, just as there was with the configuration section. Because this is the heart of the operation, much data exchange must be permitted to get the work done. A restrictive trust model, for instance, can be more aggressively applied in the edge than in the campus because of the differing requirements for data exchange. Note that you should still use the restrictive trust model in the campus as much as possible. Strict authorization controls and the aggressive use of HIDS are required because there is no Layer 3 device in this model to filter traffic.

Design Alternatives

The design alternative in the campus is to add Layer 3 filtering (without this, you must work harder in other areas). This could be done with a router or a small firewall (placed to isolate high-value assets), which might require a second switch for traffic distribution on the isolated segment.



CCSP CSI Exam Cram 2 (Exam Cram 642-541)
ISBN: 0789730243
Year: 2002
Pages: 177
Authors: Annlee Hines