Security


The head-office and branch-office networks will both be located behind a firewall. The basic rules of a firewall are that traffic that originates from the inside network is allowed to return; however, traffic that originates from outside is not allowed to penetrate the corporate network. As with most rules, these basic firewall rules are often broken, but with add-on precautions.

As an example, we examine Venti Systems' VPN connectivity, illustrated in Figure 12-7. When a remote user wants to connect to the head office, he launches his VPN client software, which in turn attempts to build a VPN tunnel with the destination as the firewall. By default, a firewall drops all packets that originate from the outside. But a VPN connection needs to terminate on the VPN concentrator, and therefore must transit through the firewall to the VPN concentrator. For VPN connectivity to work, the firewall must be configured with a rule stipulating that incoming IPsec traffic will be allowed in. This traffic must make its way to the VPN concentrator, which is in the demilitarized zone (DMZ), on interface E3 of the firewall in this network. Any other traffic (traffic that is not IPsec data) is refused entry at the E0 interface on the firewall. This exception to the firewall rule is sometimes referred to as "punching a hole" in the firewall.

Figure 12-7. Firewall Rules Allow VPN Tunnels


If the VPN concentrator succeeds at decrypting the data, it treats this as an indication that the originator is a safe source. However, when the remote user's data first transited through the firewall, it was encrypted, and therefore the firewall could not do a deep packet inspection. So that no chances are taken, the VPN concentrator is therefore configured to send the data that it just unencrypted back through the firewall (on interface E4 in the figure) for a deep inspection, before allowing it access to the internal head-office network (interface E1 in Figure 12-7).

Venti Systems, like any corporation, needs to create and disseminate its acceptable usage and security policies and procedures to all employees. These policies apply to the following items:

  • Users' laptops

  • Network usage

  • Wireless usage

  • Internet usage

  • E-mail

  • Instant messaging (IM)

Note

IM programs typically tunnel through other protocols, bypassing firewalls, thus leaving the network open to viruses and other security problems. Corporate confidential information (such as financial spreadsheets or staffing details) can also be sent in an IM message, so policies similar to those for e-mail should be in place. Employees should be made aware that IM, like e-mail, is neither secure nor private.


Note

A more extensive discussion on security policies and best practices can be found in The Business Case for Network Security: Advocacy, Governance, and ROI, by Paquet and Saxe, Cisco Press, 2005.


Strong authentication will be implemented for local and remote access to all managed devices, through an access control server (ACS). The ACS is located in the Management module, as discussed in the section "Network Management," later in this chapter. Strong authentication requires a two-factor authentication method, including two items from the following list:

  • What a user knows

  • What a user has

  • What a user is

  • What a user does

A password or personal identification number (PIN) is something a user knows, while a token (for example, a bank card or small device with an LCD) is something a user has. As an example, to be granted remote access at an automated teller machine (ATM), a customer must produce something he has (his bank card) along with something he knows (his PIN). In this design, we will use a security token as part of a two-factor, one-time password (OTP) authentication. Tokens (key-chain-size devices) will be provided to users. The LCD on the tokens shows OTPs, one at a time, in a predefined order, for about 1 minute before the next password in the sequence appears. The token is synchronized with a token server that has the same predefined list of OTPs for that one user. Therefore, at any given time, only one valid password exists between the server and each token. The user must enter both the OTP (from something he has) and his PIN (something he knows) to be granted access to the network.
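The token scheme just described, as an added example that is not part of the book's text or of any vendor's product: the token and the token server share a secret seed from which both derive the same predefined OTP sequence, one OTP per 60-second window, and the server accepts a login only when the PIN (what the user knows) and the current OTP (what the user has) are both correct, and each OTP only once. The seed, user name and PIN are constructed values; the HMAC-based derivation is an assumption standing in for whatever list the real token holds.

```python
"""Two-factor authentication with a time-synchronized OTP token (constructed example).
Token and server share a seed; OTP number N in the sequence is derived from the seed
and N, so both sides agree on the single valid password for the current window."""
import hashlib
import hmac
import secrets

WINDOW = 60   # seconds an OTP stays on the token's LCD, as the chapter describes
DIGITS = 6    # assumed display width


def otp_at(seed: bytes, index: int) -> str:
    """OTP number `index` in the predefined sequence (HMAC-SHA1 truncated to DIGITS digits)."""
    mac = hmac.new(seed, index.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class Token:
    """The key-chain device: shows the OTP for the current time window."""

    def __init__(self, seed: bytes) -> None:
        self.seed = seed

    def display(self, now: int) -> str:
        return otp_at(self.seed, now // WINDOW)


class TokenServer:
    """Holds each user's seed and a salted PIN hash, and checks both factors."""

    def __init__(self) -> None:
        self.users = {}    # user -> (seed, pin_hash, salt)
        self.used = set()  # (user, window index) already accepted: an OTP is one-time

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (seed, self._pin_hash(pin, salt), salt)

    @staticmethod
    def _pin_hash(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def authenticate(self, user: str, pin: str, otp: str, now: int) -> bool:
        if user not in self.users:
            return False
        seed, pin_hash, salt = self.users[user]
        index = now // WINDOW
        # Evaluate both factors before deciding, so a failure does not reveal which one was wrong.
        pin_ok = hmac.compare_digest(pin_hash, self._pin_hash(pin, salt))
        otp_ok = hmac.compare_digest(otp, otp_at(seed, index)) and (user, index) not in self.used
        if pin_ok and otp_ok:
            self.used.add((user, index))   # burn this OTP so a replay within the window fails
            return True
        return False
```

Because the server derives the OTP from the window index rather than from the wall clock directly, a token and server that are a few seconds apart still agree on the password until the window rolls over; real tokens add a small tolerance for clock drift, which this example omits.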

Within the new design, data will be encrypted while stored on a server, because static data located on a server is vulnerable. (Some pundits equate the encrypted WAN transmission of data, which is otherwise clear text while stored on a server, to using an armored truck to transfer money from a paper bag to a cardboard box.)

For server backup, the company is considering using a third-party backup service in which a service provider backs up data onto its disks over a WAN connection, eliminating issues such as dealing with tapes, off-site storage, and so forth. However, this also means that the data is now on the disks of another company, so the security and privacy of such data must be ensured. For example, if sensitive data were encrypted on the main servers, it would also be encrypted on the backup server, which would provide one level of protection. The service provider should be investigated thoroughly to ensure that it meets the policies and procedures required by the company.

Note

Storing off-site data is also part of the company's disaster recovery plan.


Head-Office Security

All the standard security best practices will be implemented at the head office, including changing default passwords on network devices, locking access to the server room and wiring closet, deactivating unused switch ports, and so forth.

Best practices call for redundancy of critical infrastructure. Because the firewall bridges the head office to the Internet and to the company's other facilities, redundancy of this deep-inspection device is a must.

The Cisco PIX Firewall allows two firewalls, a primary and a secondary, to implement failover mode, as shown earlier in Figure 12-3. Provided that the secondary firewall is identical to the primary, Cisco charges only for the hardware, so the cost for the secondary unit is minimal. The secondary firewall is configured exactly the same as the primary firewall and maintains an identical copy of the connections table used by the primary firewall, to monitor the status of individual data sessions. This connections table is synchronized over a dedicated Ethernet cable. The secondary firewall monitors the health of the primary firewall through the failover serial cable, and will be ready to take over should the primary unit experience significant performance issues.

To use failover mode, you need two identical PIX Firewalls. They must have the following characteristics:

  • They must be running the same version of the PIX OS.

  • They must have the same number and type of interfaces in the same slots.

  • The primary must be running an unrestricted license of the PIX OS.

  • The secondary must run either an unrestricted license or a failover license of the PIX OS.

  • If the primary has a Data Encryption Standard (DES) or Triple Data Encryption Standard (3DES) license, the secondary must also have one.

The critical network segments and devices will be equipped with IDS sensors and IPS software, respectively, as shown in Figure 12-8. This figure shows the Server and Management modules of the Enterprise Campus functional area and the Enterprise Edge functional area.

Figure 12-8. Intrusion Detection and Protection at Work


IDS sensors monitor traffic on a network and attempt to identify intrusions and hostile activity. IDS sensors can operate in stealth mode, meaning that their interfaces that connect to the DMZ or the outside network operate strictly at Layer 2, in promiscuous mode, copying the data, as it transits a network segment, to the IDS management server through its nonstealth interface. This is done either through a hub or by connecting to a Switched Port Analyzer (SPAN) port of a switch. Operating in stealth mode, sensors are not vulnerable to IP attacks from hackers because the interface is not reachable by IP. Sensors are configured to alert a management console should they detect suspicious activity, though invariably by the time the alert is delivered to the network administrator, the attack has already taken place.

Note

A SPAN port is a port on a switch that is configured to mirror the data passing through any other switch port or group of switch ports.


IPS software installed on critical devices scans incoming traffic and actively monitors all the devices' resources, such as memory, processes, and so forth.

Venti Systems will investigate the possibility of subcontracting the analysis of the data reported by its security systems, because the company believes in the saying, "If you log it, read it." Because Venti will have multiple IDS sensors potentially releasing many false positive alarms, the job of parsing through all those events will be subcontracted to a company that specializes in this field and uses sophisticated correlation tools. This firm will therefore inform the network administrator of a security event only when her intervention is warranted.

All servers will be equipped with IPS software to monitor all functions of the server (processes, memory usage, disk space, directory creation or deletion, and so forth) and to report suspicious activity to the IDS Management server. Depending on the configuration, these IPS systems should be able to shun a malicious user, that is, to report the malicious activity to the firewall and request that this particular source be denied further access to the network.
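The firewall behaviour described in this section, as an added example that is not from the book or from any Cisco product: a small stateful-firewall simulation in which sessions started from the inside are recorded in a connections table so their replies are let back in, an explicit exception admits only IPsec traffic addressed to the VPN concentrator in the DMZ (the "punched hole" of the VPN discussion), decrypted traffic returning from the concentrator is deep-inspected before it reaches the inside, and an IPS-requested shun adds a source to a deny list. The interface names follow Figure 12-7; the addresses, packets and inspection signature are constructed.

```python
"""Stateful-firewall simulation (constructed example): connection tracking, an IPsec
exception toward the DMZ concentrator, inspection of decrypted traffic returning from
the concentrator, and an IPS 'shun' list.  Addresses and signature are made up."""
from dataclasses import dataclass, field

OUTSIDE, INSIDE, DMZ, FROM_VPN = "E0", "E1", "E3", "E4"   # interface names from Figure 12-7
VPN_CONCENTRATOR = "203.0.113.10"        # assumed address (documentation range), not from the book
BAD_SIGNATURE = b"CONSTRUCTED_EXPLOIT"   # stand-in for a deep-inspection signature


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrives on
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "esp"
    sport: int = 0
    dport: int = 0
    payload: bytes = b""


@dataclass
class Firewall:
    connections: set = field(default_factory=set)   # sessions started from the inside
    shunned: set = field(default_factory=set)       # sources an IPS asked us to block

    def shun(self, src: str) -> None:
        self.shunned.add(src)

    def _ipsec_to_concentrator(self, pkt: Packet) -> bool:
        # The only unsolicited inbound traffic allowed: IKE (UDP/500) and ESP,
        # and only when addressed to the concentrator in the DMZ.
        if pkt.dst != VPN_CONCENTRATOR:
            return False
        return pkt.proto == "esp" or (pkt.proto == "udp" and pkt.dport == 500)

    def _deep_inspect(self, pkt: Packet) -> bool:
        return BAD_SIGNATURE not in pkt.payload

    def filter(self, pkt: Packet) -> str:
        if pkt.src in self.shunned:
            return "drop: shunned source"
        if pkt.iface == INSIDE:
            # Remember the session so that its reply is recognised later.
            self.connections.add((pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport))
            return "permit: outbound"
        if pkt.iface == FROM_VPN:
            # Already decrypted by the concentrator, so the firewall can now look inside.
            return "permit: inspected" if self._deep_inspect(pkt) else "drop: failed inspection"
        if (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport) in self.connections:
            return "permit: return traffic"
        if self._ipsec_to_concentrator(pkt):
            return f"permit: IPsec to concentrator on {DMZ}"
        return "drop: unsolicited inbound"


def run_scenario() -> list:
    """Walk a few constructed packets through the firewall and return the verdicts."""
    fw = Firewall()
    web, host, remote, attacker = "198.51.100.7", "10.1.1.5", "192.0.2.33", "192.0.2.99"
    verdicts = [
        fw.filter(Packet(INSIDE, host, web, "tcp", 40000, 80)),                # inside user browses out
        fw.filter(Packet(OUTSIDE, web, host, "tcp", 80, 40000)),               # the reply comes back
        fw.filter(Packet(OUTSIDE, attacker, host, "tcp", 1234, 445)),          # unsolicited inbound
        fw.filter(Packet(OUTSIDE, remote, VPN_CONCENTRATOR, "udp", 500, 500)), # IKE toward the DMZ
        fw.filter(Packet(OUTSIDE, remote, VPN_CONCENTRATOR, "esp")),           # ESP toward the DMZ
        fw.filter(Packet(OUTSIDE, remote, VPN_CONCENTRATOR, "udp", 5000, 53)), # not IPsec: no hole
        fw.filter(Packet(FROM_VPN, remote, host, "tcp", 5000, 22, b"hello")),  # decrypted, clean
        fw.filter(Packet(FROM_VPN, remote, host, "tcp", 5000, 22, BAD_SIGNATURE)),  # decrypted, bad
    ]
    fw.shun(remote)                                                            # IPS requests a shun
    verdicts.append(fw.filter(Packet(OUTSIDE, remote, VPN_CONCENTRATOR, "esp")))
    return verdicts
```

The connections table is what the secondary PIX in the failover discussion keeps synchronized over its dedicated cable: without a copy of it, the standby unit would drop every reply to a session the primary had already permitted.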

Port-level security will be implemented on all Layer 2 switch ports.

Wireless networks present security risks that must also be mitigated. Strategies include the following:

  • Monitoring, in real time, of rogue access point detection, to ensure that only authorized access points are installed in the network

  • Using IEEE 802.1x port-level authentication and Temporal Key Integrity Protocol (TKIP) encryption

  • Changing the service set identifier (SSID), a unique identifier for a wireless access point or router, from the default (for example, from linksys or tsunami) to something difficult to guess, thereby prohibiting hackers from easily finding the access point

  • Disabling SSID broadcasts so that drive-by hackers cannot detect an access point whose name they don't know

Branch-Office Security

The Seattle office router will be configured with the firewall feature set. The router-firewall configuration will be the default so that only traffic that originated from the inside network will be allowed to return. Traffic originating from outside will not be allowed to enter the network.

Remote User Security

Remote users' laptops will be configured with antivirus software, a personal firewall, and the corporate VPN client. Personnel will use strong authentication to be granted access to the corporate network.




Campus Network Design Fundamentals
ISBN: 1587052229
Year: 2005
Pages: 156