The Medium Network Campus

The medium network's Campus module has the same three types of hosts as the small network did: corporate servers, management servers (possibly more than one), and users. One difference, driven by the number of hosts and the amount of traffic, is the use of multiple Layer 2 switches here, complemented by a Layer 3 switch working with a separate NIDS appliance.

Assets

The lowest-value assets in the campus remain the users' systems. Again, few, if any, corporate information assets should reside on any user's system, but working copies and temporary files will remain, containing sensitive information that should be protected. Users here are no different, except that, in the larger population of a medium network, there are likely to be more technically adept users who make more extensive changes (utilities, IRC and/or IM traffic, remote access to their desktops, and so forth).

As before, the corporate servers are the gold mine for a hacker after monetary gain (if the hacker is there for ego reasons, the corporate servers are still certainly a target, but other devices might be targeted just as much). Whether the organization provides products or services, proprietary data and confidential information concerning the organization and its customers must be protected. The information stored in these servers must be considered among the most valuable information assets the organization possesses (if not the most valuable). If this is a branch office of an even larger organization, these servers will have trust relationships with their counterparts at the corporate headquarters, which increases the value of the local (and too often less well-protected) servers to a hacker: compromising a branch server can become a stepping stone toward headquarters.

The management servers in this module provide AAA (possibly including a server for OTP), logging, the IDS Director function, and general configuration management. Using redundant AAA servers is good practice in an organization of this size. The knowledgeable hacker will target these servers to facilitate future activities (which makes authorization settings on them critically important). In addition, the logs stored on these servers are always a target for creative editing. If the hacker can access the IDS management function, he can remove or disable the signature for a particular attack, so that the IDS raises no alarm when that attack is launched. These servers are not a place to economize.

The Layer 3 switch handles a larger volume of traffic among more hosts and servers. Employing a Layer 3 switch facilitates rapid traffic distribution, with QoS capability. The Layer 2 switches distribute traffic within the department or physical area as before.

Threats

The campus is reasonably well protected from an external threat: The edge modules (Corporate Internet and WAN) are both well filtered, and traffic does not pass through them to the campus lightly. The campus is much more likely to suffer an attack from an internal source than an external one. However, as we noted in the case of outsourced IT in the small network, the origin can be moot. In this case, you could easily see an external source persuading someone on the inside to "use my copy" of a seemingly innocuous application (which is actually malware), or a laptop that is not well secured could come back from travel infected with a worm that propagates through the campus. The real source was external in both cases, but the entry into the network was directly into the campus (an internal attack, strictly speaking) rather than one that penetrated through the protections in place in the edge.

Either way (or via any other path, for that matter), the campus's assets must be protected from threats that arrive inside the external protections. With greater assets and more people inside, you must expect to see more threats than you saw in the small network. The threats in the medium network campus include these:

  • Application-layer attacks

  • IP spoofing attacks

  • Packet sniffers

  • Password attacks

  • Port redirection

  • Trust exploitation

  • Unauthorized access

  • Virus and trojan horse attacks

This list includes all the threats to the small network campus, plus IP spoofing and password attacks. Why the two additions? IP spoofing can allow access to devices that trust other network devices (an argument for strong AAA, including on strictly internal resources). Password attacks can be used for the same reason: to gain access to valuable resources. If you dutifully read your logs from the perimeter but seldom get around to logs from the valuable internal hosts, you could be missing the early warnings of an internal threat.

Devices and Implementation

Device implementation in the medium campus is quite similar in principle to that in the small campus. Antivirus, OS, and application maintenance are no different. Configuration management is likely to be more difficult, in part because of the greater number of users and the presence of more applications, and in part because of the greater personal distance between IT personnel and the rest of the organization. In the larger organization, less personal knowledge of who is doing what makes nonstandard (and, therefore, less protected) configurations more likely.

All servers in this module should have HIDS installed and configured to operate very aggressively: In this environment, as in the small network, false positives are better than false negatives. This is likely to be a more aggressive HIDS posture than you used in the edge, and much more aggressive than you might use at the very ingress (where you might place the optional NIDS). The NIDS inside the campus should be more aggressively configured than the one in the edge; it monitors mirrored (SPAN) traffic from the sensitive VLANs. This device is likely to detect the first signs of a compromised host (with the compromise coming via an unauthorized external connection, imported malware, or a laptop exposed when outside the network for legitimate reasons).

The switches should be configured to have all servers on private VLANs. Management (systems-management) workstations should also be on private VLANs. Departmental VLANs should be filtered from one another (at Layer 3) unless there is a demonstrated need to communicate (Engineering need not be able to access Finance without filtering, for instance). Within these departmental VLANs, you can implement private VLANs to further protect sensitive hosts. As in the edge, all unused ports on all switches should be disabled to prevent unknown and unauthorized devices from connecting to the network. In addition, ports that need to trunk should be specified, and all others should have their trunking autonegotiation set to Off.
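The following Catalyst IOS configuration is an added example of the Layer 2 hardening just described; it is not taken from the book or from Cisco's SAFE reference configurations. The VLAN numbers (10/11 for servers, 20/21 for management, 30 for Engineering, 999 as the parking and native VLAN), the interface names, and the port ranges are assumptions chosen for illustration. It puts the servers and management workstations on private VLANs (an isolated secondary VLAN under a primary), locks user ports into access mode with DTP off, allows only the needed VLANs across the uplink trunk, and parks every unused port in a dead VLAN and shuts it down.

```cisco
! Added example (not the book's own configuration). VLAN numbers,
! interface names and port ranges are assumptions for illustration.
!
! Private VLANs require VTP transparent mode (VTP v1/v2).
vtp mode transparent
!
! --- Server segment as a private VLAN ---
! VLAN 11 is an isolated secondary VLAN; servers on it cannot talk to
! each other at Layer 2, only to the promiscuous side (the Layer 3 SVI).
vlan 11
 private-vlan isolated
vlan 10
 name SERVERS
 private-vlan primary
 private-vlan association 11
!
! --- Management workstations: their own primary/isolated pair ---
vlan 21
 private-vlan isolated
vlan 20
 name MGMT
 private-vlan primary
 private-vlan association 21
!
! --- Departmental user VLAN and the dead VLAN for unused ports ---
vlan 30
 name ENGINEERING
vlan 999
 name DEADEND
!
! --- Server ports: isolated private-VLAN hosts ---
interface range GigabitEthernet1/0/1 - 8
 description Corporate servers
 switchport mode private-vlan host
 switchport private-vlan host-association 10 11
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Management workstation ports: isolated private-VLAN hosts ---
interface range GigabitEthernet1/0/9 - 12
 description Systems-management workstations
 switchport mode private-vlan host
 switchport private-vlan host-association 20 21
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Departmental user ports: access mode, DTP off ---
interface range GigabitEthernet1/0/13 - 40
 description Engineering users
 switchport mode access
 switchport access vlan 30
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Unused ports: parked in the dead VLAN and shut down ---
interface range GigabitEthernet1/0/41 - 47
 description UNUSED
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
! --- Uplink to the Layer 3 switch: explicit 802.1Q trunk, DTP off ---
! Only the VLANs that must cross the link are allowed; the native VLAN
! is the dead VLAN so that untagged frames land nowhere useful.
interface GigabitEthernet1/0/48
 description Uplink to Layer 3 core switch
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,11,20,21,30
 switchport mode trunk
 switchport nonegotiate
```

Two points worth checking on a real switch: `show vlan private-vlan` should list each isolated VLAN bound to its primary, and `show interfaces trunk` on the uplink should show the trunk as `on` (not `auto` or `desirable`) with only the listed VLANs allowed. The promiscuous side of the private VLANs lives on the Layer 3 switch's SVIs (`private-vlan mapping`), so the primary and secondary VLANs both have to be carried on the trunk.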

As you can see, although the medium campus is somewhat more complicated because of its greater size, the principles behind its secure implementation remain largely the same as those in the small campus.

Threats Mitigated

Having described the threats and the security measures to be taken in the medium campus, it's time to summarize them. Table 11.2 presents the threats and security measures taken to mitigate them.

Table 11.2. Medium Network Campus Threats and Their Mitigation

Threat                          Mitigated By
Application-layer attacks       OS and applications locked down, HIDS
IP spoofing                     RFC 2827 filtering by segment
Packet sniffers                 Switched network, HIDS on servers
Password attacks                Strong authentication required for access to key applications and data
Port redirection                HIDS
Trust exploitation              Private VLANs, restrictive trust model, where appropriate
Unauthorized access             HIDS, strict authorization control on applications
Virus and trojan horse attacks  Antivirus on every host

The two new threats (compared to the small network) are IP spoofing and password attacks. They are mitigated by filtering according to RFC 2827 on a segment basis (traffic entering a segment should not have a source IP within that segment) and through the use of strong authentication requirements on important applications and data.
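The Layer 3 switch configuration below is an added example, not the book's, showing the per-segment RFC 2827 filtering and the departmental filtering described above, applied on the SVIs of the core Layer 3 switch. The address plan (10.1.10.0/24 servers on private VLAN 10/11, 10.1.20.0/24 management on private VLAN 20/21, 10.1.30.0/24 Engineering on VLAN 30, 10.1.40.0/24 Finance on VLAN 40) and the permitted management protocols are assumptions. The Engineering ACL is applied inbound on its SVI, so only Engineering's own prefix can appear as a source in traffic leaving that segment, and Engineering cannot reach Finance or the management segment. The Finance ACL is applied outbound, so traffic entering the Finance segment cannot claim a Finance source address, which is exactly the per-segment rule stated above.

```cisco
! Added example (not the book's own configuration). Address plan, VLAN
! numbers and permitted management protocols are assumptions.
!
! Assumed address plan:
!   VLAN 10/11  servers      10.1.10.0/24  (private VLAN, isolated 11)
!   VLAN 20/21  management   10.1.20.0/24  (private VLAN, isolated 21)
!   VLAN 30     engineering  10.1.30.0/24
!   VLAN 40     finance      10.1.40.0/24
!
ip routing
!
! Applied IN on Vlan30: packets leaving the Engineering segment.
ip access-list extended ENG-IN
 remark Departmental filtering: no demonstrated need for Engineering to reach Finance
 deny   ip 10.1.30.0 0.0.0.255 10.1.40.0 0.0.0.255 log
 remark User VLANs never talk to the management segment
 deny   ip 10.1.30.0 0.0.0.255 10.1.20.0 0.0.0.255 log
 remark RFC 2827: only Engineering's own prefix may be a source here
 permit ip 10.1.30.0 0.0.0.255 any
 remark Anything else is spoofed; log it so the internal logs carry the early warning
 deny   ip any any log
!
! Applied OUT on Vlan40: packets entering the Finance segment.
ip access-list extended FIN-OUT
 remark RFC 2827 by segment: traffic entering Finance must not carry a Finance source
 deny   ip 10.1.40.0 0.0.0.255 any log
 permit ip any any
!
! Applied OUT on Vlan20: only servers reach the AAA and logging hosts.
ip access-list extended MGMT-OUT
 remark RFC 2827 by segment: nothing entering management may claim a management source
 deny   ip 10.1.20.0 0.0.0.255 any log
 remark Servers send syslog (UDP 514), RADIUS (UDP 1812/1813), TACACS+ (TCP 49)
 permit udp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 514
 permit udp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 range 1812 1813
 permit tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 49
 deny   ip any any log
!
interface Vlan10
 description Servers (private VLAN primary)
 ip address 10.1.10.1 255.255.255.0
 private-vlan mapping 11
!
interface Vlan20
 description Management (private VLAN primary)
 ip address 10.1.20.1 255.255.255.0
 private-vlan mapping 21
 ip access-group MGMT-OUT out
!
interface Vlan30
 description Engineering
 ip address 10.1.30.1 255.255.255.0
 ip access-group ENG-IN in
!
interface Vlan40
 description Finance
 ip address 10.1.40.1 255.255.255.0
 ip access-group FIN-OUT out
```

`show ip access-lists` shows the hit counters; a rising count on the `deny ip any any log` line of ENG-IN is a host in Engineering emitting packets with a source address that is not its own, which is the internal early warning the text says is so easy to miss. The `log` keyword punts matching packets to the CPU on most Layer 3 switches, so keep it on the deny lines only. Where the platform supports it, `ip verify unicast source reachable-via rx` on the SVI (unicast RPF) enforces the same source-address rule without maintaining a prefix list per segment.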

Design Alternatives

Three alternative designs can be implemented, all based on the traffic load that the medium network must bear:

  • Eliminate the Layer 2 switches and perform all switching on the core Layer 3 switch

  • Replace the Layer 3 switch with a router and Layer 2 switch

  • Replace the separate NIDS appliance with a NIDS module on the Layer 3 switch

Depending on the number of ports needed and the volume of traffic, either all switching can be done by the Layer 3 switch, eliminating the need for Layer 2 devices, or the Layer 3 segmentation can be offloaded to a router and the higher-speed Layer 3 switch can be eliminated. Another way of looking at these two alternatives is to collapse Layers 2 and 3 into one large switch, or to separate Layer 3 into a router and continue to switch only at Layer 2. The third design alternative is somewhat different, relating to the NIDS. In this alternative, the NIDS module has the advantage of higher throughput via the Layer 3 switch's backplane (versus one Ethernet connection, hopefully 100Mbps); traffic is selected for processing by the module through ACLs. This tradeoff should be examined just like any other choice between a dedicated appliance and an integrated multifunction device: It should be based on the performance of the dedicated appliance versus the technical need, and then compared to the advantages inherent in the multifunction solution.



CCSP CSI Exam Cram 2 (Exam 642-541)
ISBN: 0789730243
Year: 2002
Pages: 177
Authors: Annlee Hines
