
TOP-DOWN NETWORK DESIGN
CHAPTER SIX: Developing Network Security Strategies
Oppenheimer

NETWORK SECURITY DESIGN: THE 12 STEP PROGRAM

1. Identify network assets
2. Analyze security risks
3. Analyze security requirements and tradeoffs
4. Develop a security plan
5. Define a security policy
6. Develop procedures for applying security policies
7. Develop a technical implementation strategy
8. Achieve buy-in from users, managers, and technical staff
9. Train users, managers, and technical staff
10. Implement the technical strategy and security procedures
11. Test the security and update it if any problems are found
12. Maintain security
NETWORK ASSETS
Hardware: switches, routers, firewalls, end devices, servers
Software: network software (network monitoring/management, server monitoring, networking tools, security management), OS/IOS software, application software (word processing, web browsers), system software
Applications
Data
Intellectual property: patents, copyrights
Trade secrets: manufacturing or industrial secrets and commercial secrets
Company's reputation
SECURITY RISKS
Hacked network devices
  Data can be intercepted, analyzed, altered, or deleted
  User passwords can be compromised
  Device configurations can be changed

Reconnaissance attacks (preliminary surveying)
A reconnaissance attack occurs when an adversary tries to learn information about your network. Reconnaissance is also known as information gathering and, in most cases, precedes an actual access or DoS attack.
First, the intruder typically conducts a ping sweep of the target network to determine which IP addresses are alive. Then the intruder determines which services or ports are open on the live addresses. From this information, the intruder queries the ports to determine the type and version of the application and operating system running on each target host.
[http://computernetworkingnotes.com/network-security-access-lists-standards-and-extended/reconnaissance-attacks.html]

Denial-of-service (DoS) attacks
An attack designed to bring a network or service to its knees, either by flooding it with useless traffic or by sending malformed packets that crash the receiver. Many classic DoS attacks, such as the Ping of Death (oversized ICMP echo) and Teardrop (overlapping IP fragments), exploit bugs in TCP/IP implementations rather than raw bandwidth.
[http://searchsoftwarequality.techtarget.com/definition/denial-of-service]
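The two reconnaissance steps above (a ping sweep, then a port scan of the live hosts) leave a recognizable footprint in firewall flow logs. The following is an added example, not code from the slides or from Oppenheimer: a small detector that flags a source probing many hosts with ICMP echo, and a source probing many TCP ports on one host. The log format (time, source, destination, protocol, destination port), the sample records and the thresholds are assumptions made for the demonstration.

```python
"""Detect ping sweeps and port scans in constructed firewall flow records."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records (assumed "time src dst proto dport" format).
# 203.0.113.9 sweeps 192.0.2.0/24 with ICMP, then scans 192.0.2.3;
# 198.51.100.7 is a normal client talking to port 443 only.
SAMPLE_LOG = """\
10:00:01 203.0.113.9 192.0.2.1 icmp 0
10:00:01 203.0.113.9 192.0.2.2 icmp 0
10:00:01 203.0.113.9 192.0.2.3 icmp 0
10:00:01 203.0.113.9 192.0.2.4 icmp 0
10:00:01 203.0.113.9 192.0.2.5 icmp 0
10:00:02 203.0.113.9 192.0.2.6 icmp 0
10:00:02 203.0.113.9 192.0.2.7 icmp 0
10:00:02 203.0.113.9 192.0.2.8 icmp 0
10:00:05 203.0.113.9 192.0.2.3 tcp 21
10:00:05 203.0.113.9 192.0.2.3 tcp 22
10:00:05 203.0.113.9 192.0.2.3 tcp 23
10:00:05 203.0.113.9 192.0.2.3 tcp 25
10:00:05 203.0.113.9 192.0.2.3 tcp 80
10:00:05 203.0.113.9 192.0.2.3 tcp 443
10:00:05 203.0.113.9 192.0.2.3 tcp 3389
10:00:06 198.51.100.7 192.0.2.3 tcp 443
10:00:07 198.51.100.7 192.0.2.3 tcp 443
"""

PING_SWEEP_HOSTS = 5   # distinct ICMP targets from one source (assumed threshold)
PORT_SCAN_PORTS = 5    # distinct TCP ports on one target from one source (assumed)


@dataclass(frozen=True)
class Flow:
    time: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_flows(text):
    """Parse the assumed whitespace-separated log format into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, proto, dport = line.split()
        flows.append(Flow(t, src, dst, proto, int(dport)))
    return flows


def detect_recon(flows, sweep_hosts=PING_SWEEP_HOSTS, scan_ports=PORT_SCAN_PORTS):
    """Return alerts as (kind, source, detail) tuples.

    ping_sweep: one source sent ICMP echo to >= sweep_hosts distinct hosts.
    port_scan:  one source touched >= scan_ports distinct TCP ports on one host.
    """
    icmp_targets = defaultdict(set)      # src -> {dst}
    tcp_ports = defaultdict(set)         # (src, dst) -> {dport}
    for f in flows:
        if f.proto == "icmp":
            icmp_targets[f.src].add(f.dst)
        elif f.proto == "tcp":
            tcp_ports[(f.src, f.dst)].add(f.dport)

    alerts = []
    for src, hosts in icmp_targets.items():
        if len(hosts) >= sweep_hosts:
            alerts.append(("ping_sweep", src, len(hosts)))
    for (src, dst), ports in tcp_ports.items():
        if len(ports) >= scan_ports:
            alerts.append(("port_scan", src, dst))
    return alerts


if __name__ == "__main__":
    for alert in detect_recon(parse_flows(SAMPLE_LOG)):
        print(alert)
```

Counting distinct destinations and distinct ports, rather than raw packet counts, is what separates a scanner from a busy but legitimate client such as 198.51.100.7 above; in production the same counters would be kept per time window and fed to the syslog or IDS infrastructure described later in the deck.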
SECURITY REQUIREMENTS AND TRADEOFFS
Tradeoffs must be made between security goals and other goals:
  Affordability
  Usability
  Performance
  Availability
  Manageability

An example of a tradeoff is that security can reduce network redundancy. If all traffic must go through an encryption device, for example, the device becomes a single point of failure. This makes it hard to meet availability goals.
A SECURITY PLAN
WHAT?
A high-level document that proposes what an organization is going to do to meet its security requirements.
HOW?
Specifies the time, people, and other resources that will be required to develop a security policy and achieve implementation of the policy.
A SECURITY POLICY
RFC 2196, The Site Security Handbook, states that a security policy is a:
"Formal statement of the rules by which people who are given access to an organization's technology and information assets must abide."

The policy should address:
  Access, accountability, authentication, privacy, and computer technology purchasing guidelines
SECURITY MECHANISMS
Physical security
  Physical security is the protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious loss or damage to an enterprise, agency, or institution.
Authentication
  Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be.
Authorization
  Authorization is the process of giving someone permission to do or have something. It presupposes authentication: you cannot decide what a principal may do until you know who it is.
Accounting (auditing)
  Recording who did what, and when, so that actions can be traced back to an authenticated principal.

SECURITY MECHANISMS (CONTINUED)
Data encryption
  Hides the content of data from anyone who does not hold the key, in transit or at rest.
Packet filters
  Inspect packet headers (addresses, protocol, ports) and pass only the packets that policy allows.
Firewalls
  Enforce restrictions on the traffic permitted into and out of the network.
Intrusion Detection Systems (IDSs)
  Software or appliances that watch traffic or hosts for signs of attacks and raise alerts.
MODULARIZING SECURITY DESIGN
Security defense in depth:
  Network security should be multilayered, with many different techniques used to protect the network, so that no single failure exposes everything.

Secure all components of a modular design:
  Internet connections
  Public servers and e-commerce servers
  Remote access networks and VPNs
  Network services and network management
  Server farms
  User services
  Wireless networks
SECURE NETWORK TOPOLOGY: CASE STUDY DESIGN A
DESIGNING A SECURE LAN
Securing the LAN from the viewpoint of the network architecture, focusing on three main areas:
1. The network topology: the physical and logical design of the network
2. Securing the routers and switches that connect segments and hosts to form the network

Ref: SANS slides 14-22


CHALLENGES IN SECURING THE NETWORK
Securing the network from Internet-launched attacks
Securing Internet-facing web, DNS and mail servers
Limiting damage from compromised systems and preventing internally launched attacks
Securing sensitive and mission-critical internal resources such as financial records, customer databases, etc.
Building a framework for administrators to securely manage the network
Providing systems for logging and intrusion detection
TOPOLOGY AND ARCHITECTURE
A critical step in designing a secure network is defining the network topology.
On the physical side, we need to provide distribution to the offices or buildings where the users are located, and connectivity to the servers that comprise our intranet, to the Internet, and to other company locations, remote users, etc.
The logical topology concerns which technologies to adopt, such as VLANs or VPNs.
The security policy must be considered in the logical topology:
  Which part of the network is trusted? Which is less trusted?
  Which groups of devices and users should be grouped together, and which should be separated?
EXAMPLE
Connection to the Internet with a border router and firewall.
The public extranet servers are connected to the firewall.
The firewall, workgroup switch and intranet switch are all connected to a core router/layer 3 switch.

This topology illustrates how devices with similar function and security profiles are grouped together: the public extranet servers, the user workstations and the intranet servers.
By creating separate zones, we can enforce the security policy with the appropriate firewall rules and layer 3 access lists.

Disadvantage of this design:
  Lack of infrastructure for managing the network. We need one or more management workstations, TFTP servers, a syslog server, a server to generate one-time passwords, etc.

Ref: SANS
EXAMPLE 2: MANAGEMENT VLAN
Keep management traffic off the production network, so that management data cannot be sniffed or injected from user segments.
Have a different VLAN for each type of service offered.
Encrypt the management links using SSH or IPsec.

AAB2014
SECURING ROUTERS AND SWITCHES: BUILDING SECURITY INTO NETWORK ELEMENTS AND CONFIGURATIONS
Segment the network into subnets based on function and possibly location.
By implementing routing at the network core, the segments are isolated into individual broadcast domains.
  This improves performance, and also security, by preventing sniffing or ARP-based attacks between segments.

Within each subnet the hosts are connected to an Ethernet switch. A switch provides high performance by putting each host in its own collision domain.
  It improves security by making sniffing and ARP-based attacks more difficult, though not impossible: ARP spoofing and MAC flooding still work within a single VLAN unless the switch enforces port security and ARP inspection.
LAYER 3 DESIGN AND ACCESS LISTS
Use access lists at layer 3 to implement the security policy.
For traffic coming into a subnet, permit only the appropriate incoming packets, based on the policy of that subnet.
Outbound traffic is also monitored and filtered, to eliminate spoofing (a packet leaving a subnet must carry a source address belonging to that subnet) and to minimize any malicious or illegitimate activity.
SECURING LAYER 3
We need to ensure that the routers themselves are free from attack. How?
Several mechanisms can be applied:
1. The management VLAN ensures that management traffic does not flow over the production network.
2. Access lists should be configured on the management ports to block illegitimate connections. Use out-of-band (OOB) communication, such as a terminal server, to secure the management traffic.
3. Use strong authentication provided by a one-time password server, and encrypt the management links.
Logging to the syslog servers will meet the auditing requirements.
LAYER 2 DESIGN
To achieve the highest level of security, configure only one VLAN per switch. This minimizes the chance of an attacker hopping VLANs and reduces the chance of misconfiguration.
The switch port is the gateway into the network, so implement physical security where possible.
Control access to switch ports and disable unused ports.
Require users to authenticate (for example via RADIUS or LDAP) before they are granted any services or information.
Limit the MAC addresses that are permitted to communicate on each port, and limit the number of MAC addresses that can appear on each port (port security).
Apply spanning-tree protections (BPDU guard, root guard) so that a rogue switch plugged into an access port cannot become the root bridge or reshape the topology.
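The last two bullets describe port security: the switch learns a bounded number of source MAC addresses per port and treats any further address as a violation. The block below is an added example, not from the slides and not any vendor's implementation, that models that behaviour so the effect of the two common violation modes can be seen: "shutdown" error-disables the port (cutting off the legitimate host as well until an administrator re-enables it), "restrict" silently drops the offending frames and counts them. Port names, limits and the MAC-flooding model are assumptions.

```python
"""Model of switch port security: limit which and how many MACs a port accepts."""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    max_macs: int = 1                 # how many source MACs may be learned on the port
    violation: str = "shutdown"       # "shutdown" or "restrict" (assumed modes)
    admin_up: bool = True             # unused ports should be administratively disabled
    allowed: set = field(default_factory=set)
    err_disabled: bool = False
    violations: int = 0


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.log = []                               # what would be sent to syslog

    def frame_in(self, port_name, src_mac):
        """Return True if the frame is forwarded, False if it is dropped."""
        p = self.ports[port_name]
        if not p.admin_up or p.err_disabled:
            return False
        if src_mac in p.allowed:
            return True
        if len(p.allowed) < p.max_macs:             # "sticky" learning of the first N addresses
            p.allowed.add(src_mac)
            return True
        # A new source address beyond the limit is a security violation.
        p.violations += 1
        self.log.append(f"PORT_SECURITY: {port_name} rejected unexpected MAC {src_mac}")
        if p.violation == "shutdown":
            p.err_disabled = True                   # stays down until an admin re-enables it
        return False

    def reenable(self, port_name):
        """Administrative recovery of an error-disabled port."""
        self.ports[port_name].err_disabled = False


def mac_flood(switch, port_name, count):
    """Model a CAM-table flooding tool: spray `count` distinct fake source MACs
    into one port and return how many frames the switch actually forwarded.
    Without port security every frame is accepted, the CAM table overflows and
    the switch degrades into a hub that floods traffic to every port."""
    forwarded = 0
    for i in range(count):
        fake_mac = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        if switch.frame_in(port_name, fake_mac):
            forwarded += 1
    return forwarded


if __name__ == "__main__":
    sw = Switch([
        Port("Gi1/0/1"),                                     # one user PC, shutdown on violation
        Port("Gi1/0/2", max_macs=2, violation="restrict"),   # desk with IP phone + PC
        Port("Gi1/0/3", admin_up=False),                     # unused port: disabled
    ])
    print("flood on Gi1/0/2 forwarded", mac_flood(sw, "Gi1/0/2", 1000), "of 1000 frames")
    for line in sw.log[:3]:
        print(line)
```

The trade-off the model makes visible is the one a network designer has to choose: "shutdown" gives the strongest containment but turns a single mis-plugged device into a help-desk ticket, while "restrict" keeps the legitimate hosts working and still starves a flooding tool, at the cost of relying on the violation counter and syslog to notice the attack.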
DMZ
Used by a company to host its own Internet services without allowing unauthorized access to its private network.
Sits between the Internet and the internal network as a line of defense, usually some combination of firewalls and bastion hosts.
Traffic originating from it should be filtered.
www.cuyamaca.net/gainswor/security/chap11.ppt
DMZ
Typically contains devices accessible to Internet traffic:
  Web (HTTP) servers
  FTP servers
  SMTP (e-mail) servers
  DNS servers

An optional, more secure alternative to a simple firewall; may include a proxy server.
www.cuyamaca.net/gainswor/security/chap11.ppt
EXAMPLE 1
[Figure: DMZ topology example. Ref: Google/images]

EXAMPLE 2
[Figure: DMZ topology example. Ref: Google/images]

EXAMPLE 3
[Figure: DMZ topology example. Ref: Google/images]


SECURITY TOPOLOGIES
[Figure: DMZ, Enterprise Network, Internet; Web, File, DNS, Mail Servers]

SECURITY TOPOLOGIES
[Figure: Internet, Firewall, DMZ, Enterprise Network; Web, File, DNS, Mail Servers]
DMZ DESIGN GOALS
Minimize the scope of damage
Protect sensitive data on the server
Detect a compromise as soon as possible
Minimize the effect of a compromise on other organizations
The bastion host is not able to initiate a session back into the private network. It can only forward packets that have already been requested.
www.cuyamaca.net/gainswor/security/chap11.ppt
DMZ DESIGN GOALS
A useful mechanism for meeting these goals is to filter traffic initiated from the DMZ network to the Internet. This impairs an attacker's ability to have a vulnerable host communicate with the attacker's host:
  it can keep the vulnerable host from being exploited altogether (no outbound channel to fetch a second stage or reach a command-and-control server)
  it keeps a compromised host from being used as a traffic-generating agent in distributed denial-of-service attacks
The key is to limit traffic to only what is needed, and to drop what is not required, even if the traffic is not a direct threat to your internal network.
www.cuyamaca.net/gainswor/security/chap11.ppt
DMZ DESIGN GOALS
Filtering DMZ traffic should also identify traffic coming in from the DMZ interface of the firewall or router that has a source IP address on a network other than the DMZ network number (spoofed traffic).
The firewall or router should be configured to log such packets, or raise a rule alert, to notify the administrator.
www.cuyamaca.net/gainswor/security/chap11.ppt
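The layer 3 access-list slide and the three DMZ design-goal slides describe one inbound filter on the DMZ interface: permit only the outbound services the DMZ hosts need, refuse sessions initiated toward the private network, treat any packet whose source is outside the DMZ block as spoofed, and log every deny. The following is an added example that is not from the slides and not any vendor's ACL syntax: a first-match evaluator with that rule set. The subnets (192.0.2.0/24 for the DMZ, 10.0.0.0/8 inside), interface name and rules are assumptions.

```python
"""First-match access list for a DMZ interface with anti-spoofing and logging."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")       # assumed DMZ block
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")       # assumed private network


@dataclass(frozen=True)
class Packet:
    iface: str            # ingress interface
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "permit" or "deny"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    proto: str = "any"
    dport: int = 0                            # 0 = any port
    negate_src: bool = False                  # match when src is NOT inside self.src
    log: bool = False

    def matches(self, pkt):
        src_ok = (ipaddress.ip_address(pkt.src) in self.src) != self.negate_src
        return (src_ok
                and ipaddress.ip_address(pkt.dst) in self.dst
                and self.proto in ("any", pkt.proto)
                and self.dport in (0, pkt.dport))


# Inbound ACL applied to the DMZ interface. First match wins; the last rule is
# the explicit form of the implicit deny so that it can log.
DMZ_INBOUND = [
    Rule("antispoof", "deny", src=DMZ_NET, negate_src=True, log=True),
    Rule("no-initiate-inside", "deny", src=DMZ_NET, dst=INSIDE_NET, log=True),
    Rule("dns-out", "permit", src=DMZ_NET, proto="udp", dport=53),
    Rule("smtp-out", "permit", src=DMZ_NET, proto="tcp", dport=25),
    Rule("default-deny", "deny", log=True),
]


class Firewall:
    def __init__(self, acls):
        self.acls = acls            # interface name -> list of rules
        self.syslog = []            # what would be sent to the syslog server

    def evaluate(self, pkt):
        """Return (action, rule name) for the first matching rule."""
        for rule in self.acls[pkt.iface]:
            if rule.matches(pkt):
                if rule.log:
                    self.syslog.append(
                        f"{rule.action.upper()} {rule.name} iface={pkt.iface} "
                        f"{pkt.src}->{pkt.dst} {pkt.proto}/{pkt.dport}")
                return rule.action, rule.name
        return "deny", "implicit"   # unreachable with the explicit default above


if __name__ == "__main__":
    fw = Firewall({"dmz": DMZ_INBOUND})
    for pkt in [
        Packet("dmz", "192.0.2.10", "203.0.113.53", "udp", 53),   # mail relay resolving names
        Packet("dmz", "192.0.2.10", "203.0.113.25", "tcp", 25),   # outbound mail
        Packet("dmz", "192.0.2.10", "10.0.0.5", "tcp", 445),      # DMZ host reaching inside
        Packet("dmz", "10.1.2.3", "203.0.113.7", "tcp", 80),      # inside address seen on DMZ
        Packet("dmz", "192.0.2.10", "203.0.113.7", "tcp", 6667),  # C2 / DDoS agent traffic
    ]:
        print(fw.evaluate(pkt), pkt)
    print(*fw.syslog, sep="\n")
```

Two points of the design show up in the rule order: the anti-spoofing rule sits first, because a packet with a foreign source address must never be allowed to match a later permit, and the final deny is written explicitly only so that it can log; the last packet in the demo is not a threat to the internal network, yet it is dropped because nothing in the policy needs it.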
WHAT TO SECURE?
SECURING INTERNET CONNECTIONS
Physical security
Firewalls and packet filters
Audit logs, authentication, authorization
Well-defined exit and entry points
Routing protocols that support authentication
SECURING PUBLIC SERVERS
Place servers in a DMZ that is protected by firewalls
Run a firewall on the server itself
Enable denial-of-service (DoS) protection
  Limit the number of connections per timeframe
Use reliable operating systems with the latest security patches
Maintain modularity
  The front-end web server doesn't also run other services
  *Security experts recommend that FTP services not run on the same server as web services. FTP users have more opportunities for reading and possibly changing files than web users do. An attacker could use FTP to deface a company's web pages, damaging the company's image and possibly compromising web-based electronic-commerce and other applications.
  In addition, any e-commerce database server that holds sensitive customer financial information should be separate from the front-end web server that users see.
SECURING REMOTE-ACCESS AND VIRTUAL PRIVATE NETWORKS
Physical security
Firewalls
Authentication, authorization, and auditing
Encryption
One-time passwords
Security protocols
  CHAP
  RADIUS
  IPsec
SECURING NETWORK SERVICES
Treat each network device (routers, switches, and so on) as a high-value host and harden it against possible intrusions
  Require login IDs and passwords for accessing devices
  Require extra authorization for risky configuration commands
Use SSH rather than Telnet
Change the welcome banner to be less welcoming
SECURING SERVER FARMS
Deploy network and host IDSs to monitor server subnets and individual servers
Configure filters that limit connectivity from the server, in case the server is compromised
Fix known security bugs in server operating systems
Require authentication and authorization for server access and management
Limit the root password to a few people
Avoid guest accounts
SECURING USER SERVICES
Specify in the security policy which applications are allowed to run on networked PCs
Require personal firewalls and antivirus software on networked PCs
  Implement written procedures that specify how the software is installed and kept current
Encourage users to log out when leaving their desks
Consider using 802.1X port-based security on switches
SECURING WIRELESS NETWORKS
Place wireless LANs (WLANs) in their own subnet or VLAN
  Simplifies addressing and makes it easier to configure packet filters
Require all wireless (and wired) laptops to run personal firewall and antivirus software
Disable beacons that broadcast the SSID, and require MAC address authentication
  Except in cases where the WLAN is used by visitors
  Both measures are hygiene rather than access control: the SSID still appears in probe and association frames, and client MAC addresses can be read off the air and cloned, so the encryption and 802.1X options on the following slides are what actually protect the WLAN
WLAN SECURITY OPTIONS
Wired Equivalent Privacy (WEP)
IEEE 802.11i
Wi-Fi Protected Access (WPA)
IEEE 802.1X Extensible Authentication Protocol (EAP)
  Lightweight EAP or LEAP (Cisco)
  Protected EAP (PEAP)
Virtual Private Networks (VPNs)
Any other acronyms we can think of? :-)
WIRED EQUIVALENT PRIVACY (WEP)
Defined by IEEE 802.11
Users must possess the appropriate WEP key, which is also configured on the access point
  64- or 128-bit key (or passphrase); 24 of those bits are a per-frame initialization vector (IV) sent in the clear, so the secret part is only 40 or 104 bits
WEP encrypts the data using the RC4 stream cipher
Infamous for being crackable: the IV space is too small to avoid keystream reuse, and certain weak IVs leak key bytes, so the key can be recovered from captured traffic
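The "infamous for being crackable" bullet has a concrete mechanism behind it that a short program can show. The block below is an added example, not from the slides: a from-scratch RC4 (checked against the standard "Key"/"Plaintext" test vector) and a WEP-style per-frame key of 24-bit IV followed by the 40-bit shared secret. It demonstrates that when two frames are sent under the same IV, XOR-ing the two ciphertexts cancels the RC4 keystream, and a known plaintext for one frame exposes the other without ever touching the key. The secret, IV and messages are constructed; the CRC-32 ICV that real WEP appends, and the weak-IV (FMS/PTW) key-recovery attacks, are left out.

```python
"""Why WEP's RC4 keystream reuse is fatal: two frames under one IV."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), written out only to illustrate WEP's weakness."""
    S = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                             # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP per-frame key is IV || shared secret; the IV travels in the clear
    in front of the ciphertext so the receiver can rebuild the same key."""
    assert len(iv) == 3, "WEP IV is 24 bits"
    return iv + rc4(iv + secret, plaintext)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def iv_collisions(frames):
    """Sniffer side: index captured frames by IV, return IVs seen more than once."""
    seen = {}
    for idx, frame in enumerate(frames):
        seen.setdefault(frame[:3], []).append(idx)
    return {iv: idxs for iv, idxs in seen.items() if len(idxs) > 1}


def recover_from_iv_reuse(frame1: bytes, frame2: bytes, known_plain1: bytes) -> bytes:
    """Given two frames with the same IV and the plaintext of the first (for
    example a predictable protocol header), recover the second plaintext
    without the key: C1 ^ P1 = KS, then C2 ^ KS = P2."""
    assert frame1[:3] == frame2[:3], "attack only applies when the IV repeats"
    c1, c2 = frame1[3:], frame2[3:]
    keystream = xor(c1, known_plain1)
    return xor(c2, keystream)


def hours_until_iv_wrap(frames_per_second: int) -> float:
    """A busy access point exhausts the 2^24 IV space in hours, after which
    repeats are guaranteed (many cards also reset the IV to 0 at power-on)."""
    return 2 ** 24 / frames_per_second / 3600


if __name__ == "__main__":
    secret = bytes.fromhex("0102030405")              # constructed 40-bit key
    iv = b"\x00\x00\x01"
    p1 = b"GET /index.html HTTP/1.0\r\n"              # predictable plaintext
    p2 = b"PASS hunter2\r\n"                          # victim's secret
    frames = [wep_encrypt(secret, iv, p1),
              wep_encrypt(secret, b"\x00\x00\x02", b"unrelated"),
              wep_encrypt(secret, iv, p2)]
    print("colliding IVs:", iv_collisions(frames))
    print("recovered:", recover_from_iv_reuse(frames[0], frames[2], p1))
    print("IV space wraps in %.1f h at 1000 frames/s" % hours_until_iv_wrap(1000))
```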
WEP ALTERNATIVES
Vendor enhancements to WEP
Temporal Key Integrity Protocol (TKIP)
  Every frame is encrypted with a new, unique per-packet key derived from the master key and the frame's sequence counter, so WEP's keystream reuse goes away (still RC4 underneath)
Advanced Encryption Standard (AES)
IEEE 802.11i
Wi-Fi Protected Access (WPA) from the Wi-Fi Alliance
  The parts of IEEE 802.11i that were ready to ship before the standard was finalized (TKIP plus 802.1X); WPA2 adds the AES-based CCMP
EXTENSIBLE AUTHENTICATION PROTOCOL (EAP)
With 802.1X and EAP, devices take on one of three roles:
  The supplicant resides on the wireless LAN client
  The authenticator resides on the access point
  The authentication server resides on a RADIUS server
EAP (CONTINUED)
An EAP supplicant on the client obtains credentials from the user, which could be a user ID and password
The credentials are passed by the authenticator to the authentication server, and on success a session key is derived
Periodically the client must reauthenticate to maintain network connectivity
Reauthentication generates a new, dynamic WEP key (in the original "dynamic WEP" deployments; with WPA/802.11i the derived key seeds TKIP or CCMP instead)
CISCO'S LIGHTWEIGHT EAP (LEAP)
Standard EAP plus mutual authentication: the user and the access point must both authenticate
Used on Cisco and other vendors' products
Caveat: LEAP's password-based challenge/response (derived from MS-CHAP) can be attacked offline with a dictionary from one captured exchange, so it should not be deployed with weak passwords; PEAP or EAP-TLS are preferred
OTHER EAPS
EAP-Transport Layer Security (EAP-TLS) was developed by Microsoft
  Requires certificates for both clients and servers
Protected EAP (PEAP) is supported by Cisco, Microsoft, and RSA Security
  The client uses the server's certificate to authenticate the RADIUS server and build a TLS tunnel
  Inside the tunnel, the server uses a username and password to authenticate the client
EAP-MD5 has no key management features or dynamic key generation
  Uses challenge text, like basic WEP shared-key authentication
  Authentication is handled by the RADIUS server
  Because the challenge/response travels in the clear and yields no keys, it is unsuitable for wireless: an eavesdropper can mount an offline dictionary attack on the password
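The three-role model from the EAP slides and the EAP-MD5 weakness above can be shown together. The block below is an added example, not from the slides: a supplicant, an authenticator that only relays, and an authentication server that checks the EAP-MD5 response as defined in RFC 3748 (the CHAP computation of RFC 1994, MD5 over identifier, password and challenge). The authenticator also records what an eavesdropper on the air would see, and an attacker function recovers the password from that capture by guessing. Nothing in the exchange derives keying material, which is the "no key management" point. User names, the password store and the message plumbing are assumptions; real EAP-Request/Identity and EAPOL framing are omitted.

```python
"""EAP-MD5 challenge/response across the three 802.1X roles, and why it leaks."""
import hashlib
import hmac
import os


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1 / RFC 3748 section 5.4:
    Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


class AuthServer:
    """RADIUS side: owns the password database and verifies responses."""

    def __init__(self, users):
        self.users = users          # username -> password; EAP-MD5 needs it recoverable
        self.pending = {}

    def challenge(self, identifier, username):
        chal = os.urandom(16)
        self.pending[username] = (identifier, chal)
        return chal

    def verify(self, username, response):
        identifier, chal = self.pending.pop(username)
        expected = eap_md5_response(identifier, self.users[username], chal)
        return hmac.compare_digest(expected, response)


class Supplicant:
    """WLAN client side: holds the user's credentials."""

    def __init__(self, username, password):
        self.username, self.password = username, password

    def respond(self, identifier, challenge):
        return eap_md5_response(identifier, self.password, challenge)


class Authenticator:
    """Access point: relays EAP between supplicant and server; never sees the password."""

    def __init__(self, server):
        self.server = server
        self.port_open = False
        self.air = []                # the EAP messages as an eavesdropper captures them

    def run(self, supplicant, identifier=1):
        chal = self.server.challenge(identifier, supplicant.username)
        self.air.append(("EAP-Request/MD5-Challenge", identifier, chal))
        resp = supplicant.respond(identifier, chal)
        self.air.append(("EAP-Response/MD5-Challenge", identifier, resp))
        self.port_open = self.server.verify(supplicant.username, resp)
        # Nothing above derives keying material, so no per-session link key
        # exists for the wireless frames: the "no key management" weakness.
        return self.port_open


def offline_dictionary_attack(captured, wordlist):
    """Attacker: from one captured (challenge, response) pair, recompute the
    response for each candidate password; no further interaction needed."""
    (_, ident, chal), (_, _, resp) = captured
    for guess in wordlist:
        if eap_md5_response(ident, guess, chal) == resp:
            return guess
    return None


if __name__ == "__main__":
    server = AuthServer({"alice": b"hunter2"})       # constructed user database
    ap = Authenticator(server)
    print("port open:", ap.run(Supplicant("alice", b"hunter2")))
    print("password recovered by eavesdropper:",
          offline_dictionary_attack(ap.air, [b"password", b"letmein", b"hunter2"]))
```

PEAP and EAP-TLS fix both problems in the same move: the inner exchange runs inside a TLS tunnel that the eavesdropper cannot read, and the TLS handshake is what produces the keying material the access point needs for TKIP or CCMP.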
VPN SOFTWARE ON WIRELESS CLIENTS
The safest way to do wireless networking for corporations
Wireless client requires VPN software
  Connects to a VPN concentrator at HQ
  Creates a tunnel for sending all traffic
VPN security provides:
  User authentication
  Strong encryption of data
  Data integrity
VPN
Extends a private network across a public network, i.e. the Internet.
It is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunneling protocols, or traffic encryption.
Advantage of having a VPN: data sent and received across shared or public networks behaves as if the host were directly connected to the private network, and benefits from the private network's security, management policies and functionality.

EXAMPLE - VPN
[Figure: VPN example. Ref: wiki]


SECURITY MECHANISMS ON VPN
Only authenticated users are allowed to use it
Provides security via tunneling protocols and via security procedures such as encryption
The VPN security model provides:
  Confidentiality: an attacker sees only the encrypted data
  Sender authentication, to prevent unauthorized users from accessing the VPN
  Message integrity, to detect any instance of tampering with transmitted messages
REFERENCES
1. SANS Institute InfoSec Reading Room.
2. Google/images