
TOP-DOWN NETWORK DESIGN
CHAPTER SIX: DEVELOPING NETWORK SECURITY STRATEGIES
Oppenheimer
NETWORK SECURITY DESIGN: THE 12 STEP PROGRAM
1. Identify network assets
2. Analyze security risks
3. Analyze security requirements and tradeoffs
4. Develop a security plan
5. Define a security policy
6. Develop procedures for applying security policies
7. Develop a technical implementation strategy
8. Achieve buy-in from users, managers, and technical staff
9. Train users, managers, and technical staff
10. Implement the technical strategy and security procedures
11. Test the security and update it if any problems are found
12. Maintain security
NETWORK ASSETS
• Hardware – switches, routers, firewalls, end devices, servers
• Software – network software (network monitoring/management, server monitoring, networking tools, security management), OS/IOS software, computer software/application software (word processing, web browsers), system software
• Applications
• Data
• Intellectual property – patents, copyright
• Trade secrets – manufacturing or industrial secrets and commercial secrets
• Company's reputation
SECURITY RISKS
• Hacked network devices
  • Data can be intercepted, analyzed, altered, or deleted
  • User passwords can be compromised
  • Device configurations can be changed

• Reconnaissance attacks (preliminary surveying)
  • A reconnaissance attack occurs when an adversary tries to learn information about your network. Reconnaissance is also known as information gathering and, in most cases, precedes an actual access or DoS attack.
  • First, the malicious intruder typically conducts a ping sweep of the target network to determine which IP addresses are alive. Then the intruder determines which services or ports are active on the live IP addresses. From this information, the intruder queries the ports to determine the type and version of the application and operating system running on the target host.
  [http://computernetworkingnotes.com/network-security-access-lists-standards-and-extended/reconnaissance-attacks.html]

• Denial-of-service attacks
  • A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols.
  [http://searchsoftwarequality.techtarget.com/definition/denial-of-service]
SECURITY REQUIREMENTS AND TRADEOFFS
Tradeoffs must be made between security goals and other goals:
• Affordability
• Usability
• Performance
• Availability
• Manageability

An example of a tradeoff is that security can reduce network redundancy. If all traffic must go through an encryption device, for example, the device becomes a single point of failure. This makes it hard to meet availability goals.
A SECURITY PLAN
WHAT?
A high-level document that proposes what an organization is going to do to meet security requirements.

HOW?
It specifies the time, people, and other resources that will be required to develop a security policy and achieve implementation of the policy.
A SECURITY POLICY
RFC 2196, "The Site Security Handbook," states that a security policy is a:

"Formal statement of the rules by which people who are given access to an organization's technology and information assets must abide."

The policy should address:
• Access, accountability, authentication, privacy, and computer technology purchasing guidelines
SECURITY MECHANISMS
Physical security
  Physical security is the protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damage to an enterprise, agency, or institution.
Authentication
  Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be.
Authorization
  Authorization is the process of giving someone permission to do or have something.
Accounting (Auditing)
  Auditing usage
SECURITY MECHANISMS (CONTINUED)
Data encryption
  Hides the data
Packet filters
  Inspect each packet and pass only those that match the allowed pattern
Firewalls
  Restrict the traffic that travels into and out of the network
Intrusion Detection Systems (IDSs)
  Software/systems that detect threats and attacks
MODULARIZING SECURITY DESIGN
Security defense in depth:
Network security should be multilayered, with many different techniques used to protect the network.

Secure all components of a modular design:
• Internet connections
• Public servers and e-commerce servers
• Remote access networks and VPNs
• Network services and network management
• Server farms
• User services
• Wireless networks

SECURE NETWORK TOPOLOGY – CASE STUDY: DESIGN A SECURE LAN
DESIGNING A SECURE LAN
Securing the LAN from the viewpoint of the network architecture, focusing on 3 main areas:
1. The network topology – physical & logical design of the network
2. Securing the routers and switches – which connect segments and hosts to form the network

Ref: SANS slides 14-22


CHALLENGES FACED IN SECURING THE NETWORK
• Securing the network from Internet-launched attacks
• Securing Internet-facing web, DNS and mail servers
• Limiting damage from compromised systems and preventing internally launched attacks
• Securing sensitive and mission-critical internal resources such as financial records, customer databases, etc.
• Building a framework for administrators to securely manage the network
• Providing systems for logging and intrusion detection
TOPOLOGY AND ARCHITECTURE
• A critical step in designing a secure network is defining the network topology.
• On the physical side, we need to provide distribution to the offices or buildings where the users are located.
• We need to provide connectivity to the servers which comprise our intranet, to the Internet and to other company locations, remote users, etc.
• The logical topology concerns the technologies to adopt, such as VLANs or VPNs.
• The security policy needs to be considered in the logical topology:
  • Which part of the network is trusted? Which is less trusted?
  • Which groups of devices and users should be grouped together and which should be separated?
EXAMPLE
Connection to the Internet with a border router and firewall. The public extranet servers are connected to the firewall. The firewall, workgroup switch and intranet switch are all connected to a core router/layer 3 switch.

This topology illustrates how devices with similar function and security profiles are grouped together:
• The public extranet servers, user workstations and the intranet servers.
• By creating separate zones, we can enforce the security policy with the appropriate firewall rules and layer 3 access lists.

Disadvantage of this design:
• Lack of infrastructure for managing the network. One or more management workstations, TFTP servers, a syslog server, a server to create one-time passwords, etc. are needed.

Ref: SANS
EXAMPLE 2: MANAGEMENT VLAN
• Keep management traffic off the production traffic, to ensure the data is secure.
• Have a different VLAN for each type of service offered.
• Encrypt the management link using SSH or IPsec.

AAB2014
SECURING ROUTERS AND SWITCHES – BUILDING SECURITY INTO NETWORK ELEMENTS AND CONFIGURATIONS
Segment the network into subnets based on function and possibly location.
• By implementing routing at the network core, our segments are isolated into individual broadcast domains.
  • This improves performance and also security, by preventing sniffing or ARP-based attacks between segments.
• Within each subnet the hosts are connected to an Ethernet switch. A switch provides high performance by putting each host in its own collision domain.
  • This improves security by making sniffing and ARP-based attacks difficult.
LAYER 3 DESIGN AND ACCESS LISTS
Use access lists at layer 3 to implement the security policy.
• For traffic coming into a subnet, permit only appropriate incoming packets, based on the policy of that subnet.
• Outbound traffic is also monitored and filtered, to eliminate spoofing and to minimize any malicious or illegitimate activities.
SECURING LAYER 3
• We need to ensure that routers are free from attacks.
• How do we ensure this? Many mechanisms can be applied:
1. The management VLAN ensures that the management traffic does not flow alongside the production traffic.
2. Access lists should be configured on the management ports to block illegitimate connections. Use out-of-band (OOB) communication, such as a terminal server, to secure the management traffic.
3. Use strong authentication provided by a one-time password server.
• Encrypt the link.
• Logging to the syslog servers will meet the auditing requirements.
LAYER 2 DESIGN
• To achieve the highest level of security, configure only one VLAN per switch. This minimizes the chance of an attacker jumping VLANs and reduces the chance of misconfiguration.
• The switch port is the gateway into the network, hence physical security needs to be implemented where possible.
• Control access to switch ports and disable unused ports.
• Require users to authenticate via RADIUS or LDAP before they are granted any services/information.
• Limit the MAC addresses that are permitted to communicate on each port (the MAC addresses that can appear on each port).
• Apply the spanning tree mechanism.
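The layer 2 controls above, as an added example that is not part of the slides and is not any vendor's port-security implementation: a small Python model of a switch that carries a single VLAN, keeps unused ports down, allows a fixed number of source MAC addresses per access port, and shuts a port down when an extra MAC appears on it. Port names and MAC addresses are constructed.

```python
"""Layer 2 access-port model: one VLAN per switch, unused ports disabled,
a MAC-address limit per port and a violation action.

Added example, not code from the slides and not any vendor's port-security
implementation. Port names and MAC addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Port:
    name: str
    enabled: bool = False            # unused ports stay administratively down
    max_macs: int = 1                # how many source MACs may appear on the port
    learned: Set[str] = field(default_factory=set)
    shutdown: bool = False           # set after a violation


@dataclass
class Switch:
    vlan: int                        # the single VLAN this switch carries
    ports: Dict[str, Port]
    events: List[str] = field(default_factory=list)

    def enable(self, name: str, vlan: int, max_macs: int = 1) -> None:
        """Bring an access port up; refuse a VLAN other than the switch's own."""
        if vlan != self.vlan:
            raise ValueError(f"{name}: VLAN {vlan} is not carried by this switch (VLAN {self.vlan})")
        p = self.ports[name]
        p.enabled, p.max_macs = True, max_macs

    def frame_in(self, name: str, src_mac: str) -> bool:
        """Return True if a frame from src_mac arriving on port `name` is forwarded."""
        p = self.ports[name]
        if not p.enabled or p.shutdown:
            self.events.append(f"{name}: frame from {src_mac} dropped, port down")
            return False
        if src_mac in p.learned:
            return True
        if len(p.learned) < p.max_macs:
            p.learned.add(src_mac)   # learn the address, up to the configured limit
            return True
        # an extra MAC on the port: violation, shut the port and record the event
        p.shutdown = True
        self.events.append(f"{name}: violation, {src_mac} exceeds limit of {p.max_macs}; port shut down")
        return False


def demo() -> Switch:
    sw = Switch(vlan=10, ports={f"Gi0/{i}": Port(f"Gi0/{i}") for i in range(1, 5)})
    sw.enable("Gi0/1", vlan=10)                 # one workstation expected
    sw.enable("Gi0/2", vlan=10, max_macs=2)     # IP phone with a PC behind it
    sw.frame_in("Gi0/1", "00:11:22:33:44:01")
    sw.frame_in("Gi0/1", "00:11:22:33:44:99")   # second MAC on a one-MAC port: violation
    sw.frame_in("Gi0/2", "00:11:22:33:44:02")
    sw.frame_in("Gi0/2", "00:11:22:33:44:03")
    sw.frame_in("Gi0/3", "00:11:22:33:44:04")   # Gi0/3 was never enabled: dropped
    return sw


if __name__ == "__main__":
    for line in demo().events:
        print(line)
```

The events list is what a syslog collector would receive from a real switch; a port that went into the shutdown state stays there until an administrator clears it, which is the "reduce the chance of misconfiguration" tradeoff the slide mentions: a forgotten hub or a replaced workstation shows up as a violation rather than as silent extra access.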
DMZ
• Used by a company to host its own Internet services without allowing unauthorized access to its private network
• Sits between the Internet and the internal network's line of defense, usually some combination of firewalls and bastion hosts
• Traffic originating from it should be filtered

www.cuyamaca.net/gainswor/security/chap11.ppt

DMZ
• Typically contains devices accessible to Internet traffic
  • Web (HTTP) servers
  • FTP servers
  • SMTP (e-mail) servers
  • DNS servers
• Optional, more secure approach than a simple firewall; may include a proxy server

www.cuyamaca.net/gainswor/security/chap11.ppt
EXAMPLE 1
[Diagram not reproduced; source: Google/images]

EXAMPLE 2
[Diagram not reproduced; source: Google/images]

EXAMPLE 3
[Diagram not reproduced; source: Google/images]
SECURITY TOPOLOGIES
[Diagram: Internet – DMZ (Web, File, DNS, Mail servers) – Enterprise Network]

SECURITY TOPOLOGIES
[Diagram: Internet – Firewall – DMZ (Web, File, DNS, Mail servers) – Enterprise Network]
DMZ DESIGN GOALS
• Minimize the scope of damage
• Protect sensitive data on the server
• Detect the compromise as soon as possible
• Minimize the effect of the compromise on other organizations
• The bastion host is not able to initiate a session back into the private network. It can only forward packets that have already been requested.

www.cuyamaca.net/gainswor/security/chap11.ppt
DMZ DESIGN GOALS
A useful mechanism to meet these goals is to add filtering of traffic initiated from the DMZ network to the Internet. This impairs an attacker's ability to have a vulnerable host communicate with the attacker's host:
• It can keep the vulnerable host from being exploited altogether.
• It can keep a compromised host from being used as a traffic-generating agent in distributed denial-of-service attacks.
• The key is to limit traffic to only what is needed, and to drop what is not required, even if the traffic is not a direct threat to your internal network.

www.cuyamaca.net/gainswor/security/chap11.ppt
DMZ DESIGN GOALS
Filtering DMZ traffic would identify:
• traffic coming in from the DMZ interface of the firewall or router that appears to have a source IP address on a network other than the DMZ network number (spoofed traffic).

The firewall or router should be configured to initiate a log message or rule alert to notify the administrator.

www.cuyamaca.net/gainswor/security/chap11.ppt
WHAT TO SECURE?
SECURING INTERNET CONNECTIONS
• Physical security
• Firewalls and packet filters
• Audit logs, authentication, authorization
• Well-defined exit and entry points
• Routing protocols that support authentication
SECURING PUBLIC SERVERS
• Place servers in a DMZ that is protected via firewalls
• Run a firewall on the server itself
• Enable DoS (denial-of-service) protection
  • Limit the number of connections per timeframe
• Use reliable operating systems with the latest security patches
• Maintain modularity
  • The front-end Web server doesn't also run other services
  * Security experts recommend that FTP services not run on the same server as Web services. FTP users have more opportunities for reading and possibly changing files than Web users do. A hacker could use FTP to damage a company's Web pages, thus damaging the company's image and possibly compromising Web-based electronic-commerce and other applications. In addition, any e-commerce database server that holds sensitive customer financial information should be separate from the front-end Web server that users see.
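The "limit the number of connections per timeframe" control, as an added example that is not code from the slides or from any server or firewall product: a per-source sliding-window limiter in Python. Each source keeps the timestamps of its recent connections and a new one is refused once `limit` connections younger than `window` seconds are already on record. Time is passed in explicitly so the replay is deterministic, and the sample connection log is constructed.

```python
"""Per-source connection limiter: at most `limit` connections per `window` seconds.

Added example, not code from the slides or any product. Sample log constructed.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class ConnectionLimiter:
    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)
        self.rejected: Dict[str, int] = defaultdict(int)

    def allow(self, src: str, now: float) -> bool:
        """Decide whether a new connection from `src` at time `now` is accepted."""
        q = self._recent[src]
        while q and now - q[0] >= self.window:   # expire entries that left the window
            q.popleft()
        if len(q) >= self.limit:
            self.rejected[src] += 1
            return False
        q.append(now)
        return True


# constructed sample: one source opens 40 connections in 4 s, a normal client opens 3
SAMPLE_CONNECTIONS: List[Tuple[float, str]] = (
    [(round(0.1 * i, 1), "192.0.2.50") for i in range(40)]
    + [(0.5, "198.51.100.7"), (2.0, "198.51.100.7"), (9.0, "198.51.100.7")]
)


def replay(limit: int = 10, window: float = 5.0) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Replay the sample log in time order; return (accepted, rejected) counts per source."""
    limiter = ConnectionLimiter(limit, window)
    accepted: Dict[str, int] = defaultdict(int)
    for t, src in sorted(SAMPLE_CONNECTIONS):
        if limiter.allow(src, t):
            accepted[src] += 1
    return dict(accepted), dict(limiter.rejected)


if __name__ == "__main__":
    ok, dropped = replay()
    for src in ok:
        print(f"{src}: accepted {ok[src]}, refused {dropped.get(src, 0)}")
```

With the defaults the flooding source gets its first 10 connections and is refused the remaining 30, while the normal client is never touched. In deployment this check sits before the server does any expensive work on the connection, and the refusal counter is the figure worth exporting to the logging and IDS systems the slides call for.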
SECURING REMOTE-ACCESS AND VIRTUAL PRIVATE NETWORKS
• Physical security
• Firewalls
• Authentication, authorization, and auditing
• Encryption
• One-time passwords
• Security protocols
  • CHAP
  • RADIUS
  • IPSec
SECURING NETWORK SERVICES
• Treat each network device (routers, switches, and so on) as a high-value host and harden it against possible intrusions
• Require login IDs and passwords for accessing devices
  • Require extra authorization for risky configuration commands
• Use SSH rather than Telnet
• Change the welcome banner to be less welcoming
SECURING SERVER FARMS
• Deploy network and host IDSs to monitor server subnets and individual servers
• Configure filters that limit connectivity from the server in case the server is compromised
• Fix known security bugs in server operating systems
• Require authentication and authorization for server access and management
• Limit the root password to a few people
• Avoid guest accounts
SECURING USER SERVICES
• Specify in the security policy which applications are allowed to run on networked PCs
• Require personal firewalls and antivirus software on networked PCs
  • Implement written procedures that specify how the software is installed and kept current
• Encourage users to log out when leaving their desks
• Consider using 802.1X port-based security on switches
SECURING WIRELESS NETWORKS
• Place wireless LANs (WLANs) in their own subnet or VLAN
  • Simplifies addressing and makes it easier to configure packet filters
• Require all wireless (and wired) laptops to run personal firewall and antivirus software
• Disable beacons that broadcast the SSID, and require MAC address authentication
  • Except in cases where the WLAN is used by visitors
WLAN SECURITY OPTIONS
• Wired Equivalent Privacy (WEP)
• IEEE 802.11i
• Wi-Fi Protected Access (WPA)
• IEEE 802.1X Extensible Authentication Protocol (EAP)
  • Lightweight EAP or LEAP (Cisco)
  • Protected EAP (PEAP)
• Virtual Private Networks (VPNs)
• Any other acronyms we can think of? :-)
WIRED EQUIVALENT PRIVACY (WEP)
• Defined by IEEE 802.11
• Users must possess the appropriate WEP key that is also configured on the access point
  • 64- or 128-bit key (or passphrase)
• WEP encrypts the data using the RC4 stream cipher method
• Infamous for being crackable
WEP ALTERNATIVES
• Vendor enhancements to WEP
• Temporal Key Integrity Protocol (TKIP)
  • Every frame has a new and unique WEP key
• Advanced Encryption Standard (AES)
• IEEE 802.11i
• Wi-Fi Protected Access (WPA) from the Wi-Fi Alliance
  • Realistic parts of IEEE 802.11i now!
EXTENSIBLE AUTHENTICATION PROTOCOL (EAP)
With 802.1X and EAP, devices take on one of three roles:
• The supplicant resides on the wireless LAN client
• The authenticator resides on the access point
• An authentication server resides on a RADIUS server

EAP (CONTINUED)
• An EAP supplicant on the client obtains credentials from the user, which could be a user ID and password
• The credentials are passed by the authenticator to the server and a session key is developed
• Periodically the client must reauthenticate to maintain network connectivity
• Reauthentication generates a new, dynamic WEP key
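The three 802.1X/EAP roles and the reauthentication behaviour above, as an added example in Python that is not code from the slides and is not a real EAP method or RADIUS implementation: a simplified challenge-response exchange in which the authenticator (access point) only relays messages and opens its port on success, the authentication server (RADIUS role) holds the user database and returns the derived session key to the authenticator, and a fresh challenge on every (re)authentication yields a fresh session key. The user, password and PBKDF2-based key derivation are constructed for the demo.

```python
"""802.1X / EAP roles as a message exchange: supplicant, authenticator, authentication server.

Added example, not code from the slides and not a real EAP method or RADIUS
implementation; users, passwords and the key derivation are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional


def derive(password: str, challenge: bytes, label: bytes) -> bytes:
    # constructed derivation: PBKDF2-HMAC-SHA256 over the password, salted by challenge + label
    return hashlib.pbkdf2_hmac("sha256", password.encode(), challenge + label, 1000, 32)


class AuthenticationServer:                      # RADIUS role: owns the user database
    def __init__(self, users: Dict[str, str]):
        self._users = users

    def new_challenge(self) -> bytes:
        return os.urandom(16)                    # fresh per authentication attempt

    def check(self, identity: str, challenge: bytes, response: bytes) -> Optional[bytes]:
        """Return the session key on success, None on failure."""
        password = self._users.get(identity)
        if password is None:
            return None
        expected = derive(password, challenge, b"response")
        if not hmac.compare_digest(expected, response):
            return None
        return derive(password, challenge, b"session")


class Supplicant:                                # wireless client role: holds the credentials
    def __init__(self, identity: str, password: str):
        self.identity, self._password = identity, password
        self.session_key: Optional[bytes] = None

    def respond(self, challenge: bytes) -> bytes:
        self.session_key = derive(self._password, challenge, b"session")
        return derive(self._password, challenge, b"response")


class Authenticator:                             # access point role: relays, never sees the password
    def __init__(self, server: AuthenticationServer):
        self._server = server
        self.port_open = False
        self.session_key: Optional[bytes] = None
        self.transcript: List[str] = []

    def authenticate(self, client: Supplicant) -> bool:
        self.transcript.append("AP -> client: EAP-Request/Identity")
        identity = client.identity
        self.transcript.append(f"client -> AP -> server: EAP-Response/Identity ({identity})")
        challenge = self._server.new_challenge()
        self.transcript.append("server -> AP -> client: EAP-Request (challenge)")
        response = client.respond(challenge)
        self.transcript.append("client -> AP -> server: EAP-Response (keyed response)")
        key = self._server.check(identity, challenge, response)
        if key is None:
            self.port_open, self.session_key = False, None
            self.transcript.append("server -> AP -> client: EAP-Failure; port stays closed")
            return False
        self.port_open, self.session_key = True, key
        self.transcript.append("server -> AP: EAP-Success + session key; AP -> client: EAP-Success")
        return True


def demo() -> Dict[str, object]:
    server = AuthenticationServer({"alice": "correct-horse-battery"})   # constructed user
    ap = Authenticator(server)
    alice = Supplicant("alice", "correct-horse-battery")
    first = ap.authenticate(alice)
    key1 = ap.session_key
    second = ap.authenticate(alice)          # periodic reauthentication
    key2 = ap.session_key
    impostor = Supplicant("alice", "guess")  # right identity, wrong credential
    bad = ap.authenticate(impostor)
    return {
        "first": first, "second": second, "bad": bad,
        "client_key_matches_ap": key2 == alice.session_key,   # both ends derived the same key
        "reauth_changes_key": key1 != key2,                   # new challenge, new dynamic key
        "port_open_after_bad": ap.port_open,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

In a real deployment the challenge and response travel inside an EAP method such as PEAP or EAP-TLS, which the slides list next, and the authenticator carries them to the server in RADIUS packets; the point this model isolates is that the password never leaves the client and the server, while the access point ends up holding a per-session key it did not compute from the password.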
CISCO'S LIGHTWEIGHT EAP (LEAP)
• Standard EAP plus mutual authentication
  • The user and the access point must authenticate
• Used on Cisco and other vendors' products

OTHER EAPS
• EAP-Transport Layer Security (EAP-TLS) was developed by Microsoft
  • Requires certificates for clients and servers
• Protected EAP (PEAP) is supported by Cisco, Microsoft, and RSA Security
  • Uses a certificate for the client to authenticate the RADIUS server
  • The server uses a username and password to authenticate the client
• EAP-MD5 has no key management features or dynamic key generation
  • Uses challenge text like basic WEP authentication
  • Authentication is handled by the RADIUS server
VPN SOFTWARE ON WIRELESS CLIENTS
• Safest way to do wireless networking for corporations
• The wireless client requires VPN software
• Connects to a VPN concentrator at HQ
• Creates a tunnel for sending all traffic
• VPN security provides:
  • User authentication
  • Strong encryption of data
  • Data integrity

VPN
• Extends a private network across a public network, i.e. the Internet.
• It is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunneling protocols or traffic encryption.
• Advantage of having a VPN: data sent and received across shared or public networks behave as if the host were directly connected to the private network, and benefit from the private network's security, management policies and functionality.

EXAMPLE – VPN
[Diagram not reproduced; source: wiki]
SECURITY MECHANISMS ON A VPN
• Only authenticated users are allowed to use it
• Security is provided via tunneling protocols and via security procedures such as encryption
• The VPN security model provides:
  • Confidentiality – an attacker only sees the encrypted data
  • Sender authentication to prevent unauthorized users from accessing the VPN
  • Message integrity to detect any instances of tampering with transmitted messages
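The three properties of the VPN security model, shown on one packet as an added example that is not code from the slides and is not IPsec or any VPN product. It is a toy encrypt-then-MAC construction built only from the Python standard library: confidentiality from XORing the payload with an HMAC-SHA256 keystream under a per-packet random nonce, and sender authentication plus message integrity from an HMAC tag over nonce and ciphertext under a second key that only holders of the shared tunnel secret can produce. The receiver checks the tag before decrypting, so a flipped bit or a packet from a party without the secret never yields plaintext. The shared secret and payload are constructed values.

```python
"""Confidentiality, sender authentication and integrity on one tunnelled packet.

Added example, not code from the slides and not a VPN protocol implementation:
a toy encrypt-then-MAC scheme from the standard library. Secret and payload
are constructed values.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

NONCE_LEN, TAG_LEN = 12, 32


def subkey(shared_secret: bytes, label: bytes) -> bytes:
    # separate keys for encryption and authentication, both derived from the tunnel secret
    return hmac.new(shared_secret, label, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # counter-mode keystream: HMAC(key, nonce || counter) blocks, concatenated
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(shared_secret: bytes, payload: bytes) -> bytes:
    """Sender side: returns nonce || ciphertext || tag."""
    enc_key, mac_key = subkey(shared_secret, b"enc"), subkey(shared_secret, b"mac")
    nonce = os.urandom(NONCE_LEN)      # fresh per packet: a stream cipher must never reuse one
    ciphertext = bytes(a ^ b for a, b in zip(payload, keystream(enc_key, nonce, len(payload))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(shared_secret: bytes, packet: bytes) -> Optional[bytes]:
    """Receiver side: verify the tag first; decrypt only on success, otherwise None."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    enc_key, mac_key = subkey(shared_secret, b"enc"), subkey(shared_secret, b"mac")
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # tampered, or not sent by a secret holder
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


def demo() -> Dict[str, bool]:
    secret = hashlib.sha256(b"constructed tunnel secret").digest()
    payload = b"GET /payroll HTTP/1.1\r\nHost: intranet\r\n\r\n"   # constructed inner packet
    packet = seal(secret, payload)
    tampered = bytearray(packet)
    tampered[NONCE_LEN + 4] ^= 0x01                                 # flip one ciphertext bit
    return {
        "hidden": payload not in packet,                            # confidentiality
        "roundtrip": unseal(secret, packet) == payload,             # integrity and auth pass
        "tamper_rejected": unseal(secret, bytes(tampered)) is None,  # message integrity
        "wrong_key_rejected": unseal(b"\x00" * 32, packet) is None,  # sender authentication
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The order of operations on the receiving side is the part worth copying: authenticate first, decrypt only what authenticated. A tunnel that decrypts before it checks integrity hands an attacker an oracle for the confidentiality key, which is why real protocols such as IPsec ESP with an authenticated cipher, or TLS, are built the same way.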
REFERENCES
1. SANS Institute InfoSec Reading Room.
2. Google/images