Network Threat Modeling

Previous page
Table of content
Next page

To implement server isolation you must understand how your network really works and what traffic it needs to support. This problem sounds complicated, but can be tackled using network threat modeling. Network threat modeling is basically a technique to turn a network diagram into a data flow diagram for a network.

To start network threat modeling, you need a network diagram showing all the computers and other devices in your network. Once you have a diagram, try to abstract individual computers into host classes as much as possible. For instance, most of the clients running Vista probably are relatively interchangeable. You can abstract classes of computers that perform the same tasks into a single entity on the diagram.

Once you have a picture of the computers in your network, you annotate the picture with the communication patterns that are needed within your network. This is the traffic that is required to provide the functionality you need in your network. It represents the threats that you cannot entirely mitigate. (All traffic that is not needed represents threats that you can mitigate.) Ensure that you cover all traffic parameters, including the following:

  • Is the traffic defined by source address or host class?

  • Is the traffic defined by destination address or host class?

  • What is the source port?

  • What is the destination port?

  • Directionality-is the traffic unidirectional or bidirectional?

  • Can this type of traffic require IPsec? (Some traffic, such as a domain controller to domain member traffic may not be able to require it.)

  • Is the data being transferred sensitive?

When you are done, you can build a table that documents all the traffic. The beginnings of such a table is shown as Table 12-1.

Table 12-1: List All Communications in a Table
Open table as spreadsheet

ORIGIN HOST(CLASS)

DESTINATION HOST(CLASS)

SOURCE PORT

DESTINATION PORT

BI-DIRECTIONAL

AUTHENTICATION REQUIRED

ENCRYPTION REQUIRED

Domain members

File servers

Ephemeral

445

Yes

Yes

No

The table, for all practical purposes, defines the IPsec rules you need to implement. If you do well in this stage, the rest of the implementation is considerably easier. If you are a command-line junkie, you can build the table in Excel and use a macro to build the rules. If you are not that industrious, then just use the table as a check-off list when you build the rules.

This has been a very quick introduction to modeling your network. A more thorough discussion of this topic, with more detailed examples, is beyond the scope of this book, but this information will get you started. A useful modeling technique is detailed in Protect Your Windows Network.


Previous page
Table of content
Next page
Windows Vista Security. Securing Vista Against Malicious Attacks
Windows Vista Security. Securing Vista Against Malicious Attacks
ISBN: 470101555
EAN: N/A
Year: 2004
Pages: 163
BUY ON AMAZON
ADO.NET 3.5 Cookbook (Cookbooks (OReilly))
Building Web Applications with UML (2nd Edition)
Introduction to 80x86 Assembly Language and Computer Architecture
Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century: Prevention and Detection for the Twenty-First Century
Ruby Cookbook (Cookbooks (OReilly))
Telecommunications Essentials, Second Edition: The Complete Global Source (2nd Edition)
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy