Campus Modules

The campus (or enterprise campus) modules are not as difficult to deal with (the overview of the campus was shown in Figure 6.2). In fact, the basic Access-Distribution-Core design for a given building involves nothing special in security terms. All hosts should have antivirus software, should be kept current, and should scan all files, of course. In addition, Layer 3 filtering (RFC 2827 filtering, discussed in more detail in Chapter 9) should be present. Likewise, the Edge Distribution module serves only as a connector between the campus and the edge; protection is placed nearer the sources of the traffic that must cross it rather than in this module itself.

The modules where you need to make modifications to implement a secure network design are the Management module and, to a lesser extent, the Server module (the group of internal-use-only application servers). Because that is the lightweight problem, we deal with it first.

Server Module

The Server module inside the enterprise campus is the home of servers that support getting real work done: the enterprise's applications. Recall that network support servers (Web, DNS, DHCP, and so on) were actually located in the enterprise edge, as part of the Corporate Internet module. The servers we are concerned with here are those run by departments to deliver their portion of the enterprise's business activity.

In terms of security features, a look at Figure 6.7 reveals that you don't need to do too much.

Figure 6.7. Server module.

Although these servers are accessible only via switches with NIDS and their exposure is extremely limited, it is advisable to place HIDS on them as well. These servers are the home of sensitive, internal corporate information, whose integrity (not to mention its presence) cannot be questionable. The Layer 3 switches should have sufficient NIDS blades to handle the traffic load (to be able to monitor all of it), and the ports to the servers should be set up as private VLANs.

Design Alternatives

Again, as a simple module, there are only a few design alternatives. If resources are limited, it is possible to collapse this module into the Enterprise Core module, although there are obvious traffic-management questions to be handled in that event.

If IP Telephony (IPT) or a particular server (such as one containing financial data) are considered special risks, you can add a stateful firewall between these sensitive devices and the rest of the network.

Management Module

The Management module is more complex because it must handle many different tasks. Remember, in Figure 6.2, the Management module was connected to the Building Distribution module, but that connection is conceptual; it is not part of Cisco's design. The Management module's component structure is shown in Figure 6.8.

Figure 6.8. Management module.

The Management module separates network management into two broad zones: outside the firewall, where network connections to devices (both in-band and out-of-band) exist, and inside the firewall, where the management hosts and the connection to console ports exist. Of course, the management network uses a different address block than the rest of the network (and, if using one of the private RFC 1918 address spaces, often a block from a different private address space). Routing protocols on the terminal server routers and the router with the firewall do not advertise routes to the rest of the network.

This module is a priority target for any attacker, first because of its access to the devices that control the network, and, second, for its record-keeping functions (and the opportunity to "sanitize" those records). Naturally, security is many-layered here: the dedicated firewall on the access router, the separate addressing scheme, private VLANs, NIDS, and HIDS.

Design Alternatives

Alternative approaches to the design of this module are somewhat limited, not because of inherent simplicity, but rather because of the critical functions here that must be protected. If resource limitations require the use of in-band management, especially exclusively in-band management, great care must be taken to ensure that only the proper users have access to the network devices (using authentication as strong as possible) and that any file manipulation (configurations and images) is done securely (SSH versus Telnet, IPSec tunnels, very restrictive access lists, and so on).
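As an added example (not from the book), the following Python audit checks a device's running-config for the in-band management controls just listed: vty transport restricted to SSH, an inbound access-class limited to the management block, per-user rather than line-password authentication, and SSHv2 enforced globally. Both configs are constructed samples; the management block 10.254.0.0/24 and the ACL name MGMT-HOSTS are assumptions.

```python
# Constructed IOS running-config fragments (not from the book). The weak one
# allows Telnet from anywhere with a shared line password; the hardened one
# reflects the controls the text calls for when management must be in-band.
WEAK_CONFIG = """\
hostname dist-1
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname dist-1
ip ssh version 2
ip access-list standard MGMT-HOSTS
 permit 10.254.0.0 0.0.0.255
 deny   any log
line vty 0 4
 access-class MGMT-HOSTS in
 login local
 exec-timeout 5 0
 transport input ssh
"""

def vty_blocks(config):
    """Return the indented bodies of each 'line vty' section as lists of lines."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = []
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None          # any top-level command ends the section
    return blocks

def audit_management_access(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if "ip ssh version 2" not in config.splitlines():
        findings.append("SSHv2 not enforced globally")
    for n, body in enumerate(vty_blocks(config)):
        transport = [l for l in body if l.startswith("transport input")]
        if not transport or transport[-1].split()[2:] != ["ssh"]:
            findings.append(f"vty block {n}: transport not restricted to ssh")
        if not any(l.startswith("access-class ") and l.endswith(" in") for l in body):
            findings.append(f"vty block {n}: no inbound access-class")
        if any(l.startswith("password ") for l in body):
            findings.append(f"vty block {n}: line password instead of per-user auth")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_management_access(cfg) or "OK")
```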

If throughput between the management stations and the network devices is an issue, a dedicated hardware firewall can be added, offloading the firewall function from the router's software.

CSI Exam Cram 2 (Exam 642-541)
ISBN: 0789730243
Year: 2002
Pages: 177
Authors: Annlee Hines