There isn't much to design in the small network campus. Here, a single switch (likely L2) is used to connect both server and host resources to one another. Because the network is small, operational practices can mitigate the need for strong network controls. For example, a campus network with a single L2 switch can probably easily determine whether a rogue AP or other device is connected. Still, the design in this chapter assumes you want to implement some controls in your L2 environment. If you don't, there isn't much point to reading the rest of this section. Just plug your switch into your edge router and be done!
The small network design must provide connectivity for a small number of servers and clients in a cost-effective way. Mitigating the top campus attacks is certainly useful, but it is viewed as a best-effort process within the cost constraints of most small networks.
Figure 14-1 shows the basic design for the small network campus that supports the preceding requirements.
Figure 14-1. Small Network Campus Design
A single L2 switch provides connectivity between all campus resources and the edge. A WLAN AP is attached to the same network as the wired clients using 802.11 security enhancements. Internal servers and user PCs are connected to one another by the single switch. Private VLANs can be used to limited effect in controlling traffic flows.
Campus Devices and Security Roles
This section lists the devices present in the small network campus design and outlines the security roles each device plays, as listed in Table 6-1.
The key security techniques configured on the Ethernet switch are as follows:
In the small network campus design, the task of protecting the internal servers adequately falls almost exclusively on the servers themselves. ACLs and IDS are not available in the network to help because they aren't particularly cost effective. The most common internal servers in this design are file/print servers, e-mail, intranet, and DNS servers. E-mail and DNS in particular can be outsourced as discussed in Chapter 13. The key security techniques configured on the internal servers are as follows:
Most commonly, if there is an attack on your internal systems, it will be through an attacker somehow gaining access to your user PCs. An e-mail virus/worm or other nefarious application can gain remote control of your user PCs and cause them to attack your own network or other networks. In addition, portable computers might spend a good deal of time outside the protective confines of your local campus network. While teleworkers travel or work from home, these systems can be compromised, which can then lead to further attacks when they return to your network. The key security techniques configured on user hosts are as follows:
The WLAN AP should be hardened and deployed as described in Chapter 11. Although using a separate VLAN for the wireless traffic is a recommendation from Chapter 11, because there is no capability for L3 segmentation in the small network campus design, this isn't possible. The WLAN must reside on the same network as the rest of the devices.
Optional AAA Server
Depending on your edge VPN selections and your internal WLAN security choice, you might need a AAA server to centralize user credentials for these services. AAA deployments are covered in more detail in Chapter 9. Any AAA deployment should follow the best practices of any other internal server as previously described. The following is the one key additional security technique configured on this device:
You can now evaluate the success of this design against the campus-focused attack list in Table 14-1. If you recall Chapter 12, this step appears a bit out of order because threat evaluation should also occur during the design of the network, not just after. It is presented in this form to ease understanding of the designs and threats.
Table 14-2 shows the top 10 attacks from Table 14-1 and the security elements used in this design that mitigate these threats as they pertain to campus assets. As in previous chapters, items that can stop an attack often can also detect it and, as such, aren't listed in both columns.
Reusable passwords, RADIUS/TACACS+
Rogue device detection BPs
Session/app crypto, L2 control BPs, port security, ARP BPs, DHCP BPs, private VLANs
Session/app crypto, rogue device detection BPs, ARP BPs, DHCP BPs
Rogue device detection BPs
Reusable passwords, RADIUS/TACACS+, host firewalls, session/app crypto, network/OS/application hardening, PVLANs
ARP BPs, private VLANs
Remote control software
Host AV, host firewalls, OS/application hardening
In this table, some of the top mitigation techniques are hardening (of all types), rogue device detection, and cryptographic protection for the session or application layer of key applications. The extent of defense-in-depth suffers in this design because of a lack of routing and any type of NIDS. In most cases, there are only two or fewer methods to stop any given attack. Still, even with a design as simple as the one presented, reasonable attack mitigation can be achieved.
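The switch-side controls named in Table 14-2 (port security, L2 control BPs, DHCP BPs, ARP BPs, private VLANs, and rogue device detection) can all be carried by the single L2 switch in Figure 14-1. The following Cisco IOS configuration is an added example and is not taken from the book; the hostname, VLAN numbers, interface assignments, MAC and IP addresses, and the port-security maximum on the AP port are all assumed. It places the edge router and the internal servers on promiscuous private-VLAN ports and the user PCs and the WLAN AP on isolated ports, which is the "limited effect" the design text describes: clients can reach the servers and the edge but cannot talk to one another at L2.

```cisco
! Added example (not from the book): single L2 access switch for the small campus.
! Hostname, VLAN numbers, interfaces and addresses are assumed.
hostname campus-sw1
!
! Private VLANs require VTP transparent mode on the switch.
vtp mode transparent
!
! DHCP BPs: DHCP snooping builds the binding table on the campus VLAN.
! Only the uplink toward the edge router (where the DHCP server sits) is trusted.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
!
! ARP BPs: Dynamic ARP Inspection validates ARP replies against the snooping bindings.
ip arp inspection vlan 10
!
! Private VLANs: 10 is the primary VLAN, 101 the isolated secondary VLAN.
! Snooping and DAI configured on the primary VLAN also cover the secondary VLAN.
vlan 10
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated
!
! Statically addressed servers never obtain a DHCP lease, so DAI would drop their
! ARP traffic unless a static binding is added (MAC and IP assumed).
ip source binding 0000.0c11.1111 vlan 10 10.1.10.20 interface GigabitEthernet0/2
!
! Uplink to the edge router: promiscuous PVLAN port, trusted for snooping and DAI.
interface GigabitEthernet0/24
 description uplink to edge router
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 10 101
 ip dhcp snooping trust
 ip arp inspection trust
!
! Internal server: promiscuous port so isolated clients can still reach it.
interface GigabitEthernet0/2
 description file/print server (static 10.1.10.20)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 10 101
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! User PC: isolated host port with port security locked to one sticky MAC.
! L2 control BPs: PortFast plus BPDU guard errdisables the port if a rogue switch
! or bridging device appears behind it (rogue device detection).
interface GigabitEthernet0/3
 description user PC
 switchport mode private-vlan host
 switchport private-vlan host-association 10 101
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! WLAN AP: the AP bridges many wireless client MACs, so "maximum 1" would
! errdisable the port; cap it at the expected client count instead (value assumed).
! Sticky learning is omitted because wireless clients come and go.
interface GigabitEthernet0/4
 description WLAN AP
 switchport mode private-vlan host
 switchport private-vlan host-association 10 101
 switchport port-security
 switchport port-security maximum 30
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Unused ports: parked in an unused VLAN and shut down.
interface range GigabitEthernet0/5 - 23
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Let a tripped port recover on its own after five minutes.
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
errdisable recovery interval 300
```

The two caveats worth checking before deploying something like this are the ones the comments call out: any statically addressed host needs an explicit source binding or DAI will silently break its ARP, and the AP port needs a port-security maximum sized for the wireless client population rather than the single-MAC limit used on wired client ports.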
The following are examples of potential design alternatives for the small campus design. There are others (including a design you develop suited to the needs of your own policies).
Increased Security Alternative
You can increase the security of the design without modifying the basic architecture in a number of ways:
Figure 14-2 shows these options implemented in the design.
Figure 14-2. Increased Security Small Network Campus Design
By using an L3 switch, this design more closely mimics the medium network campus discussed in the next section.
Decreased Security Alternative
The only way you can make this design less secure is to use a hub instead of a switch and to not harden your hosts against attack. This is not recommended.