Secure Network Design


Jose David Garcia

Index

1. Diagram Legend
2. Layered Network Design
   1. Access Layer
   2. Distribution Layer
   3. Core Layer
3. High Availability and Load Balancing
4. Modular Network Design
   1. Management Block
      1. Out of Band Management
      2. In Band Management
   2. Server Block
   3. WAN Block
   4. Internet Block

Diagram Legend

Abbreviations used in the diagrams:

• CC: Crypto Cluster
• NIDS: Network Intrusion Detection System
• HIDS: Host Intrusion Detection System
• VPN: Virtual Private Network

Device icons: Router, Switch, Multilayer Switch, Load Balancer, Terminal Server, Firewall, Server, Management Console, Remote User.

Layered Network Design

[Diagram: the overall layered design, with Switch Block 1 and Switch Block 2 connected to the Internet Block, WAN Block, Server Block and Management Block; crypto clusters (CC), IDS sensors and VPN devices are placed at the block boundaries]

Access Layer

[Diagram: the access layer highlighted within Switch Block 1 and Switch Block 2; the Internet, WAN, Server and Management Blocks are shown for context]

Characteristics

• Low Cost per port

• High port density

• Uplink to higher layers

• Layer 2 Services

Security Design

• Identity-based network services

• VLAN and PVLAN segregation

• Rate limiting

• Management encryption

• Physical isolation

Best Practices

• Ports that do not need to trunk should have trunking set to OFF rather than AUTO (so no trunk can be negotiated)

• Limit each port to a small number of MAC addresses (5)

• Configure broadcast storm control

• Turn off Telnet and limit SNMP access to the Switches

• Logging to external server

Distribution Layer

[Diagram: the distribution layer highlighted within Switch Block 1 and Switch Block 2; the Internet, WAN, Server and Management Blocks are shown for context]

Characteristics

• Aggregation of Access Layer Devices

• High layer 3 throughput

• Robust layer 3 functionality

• Security

• Media Translation

• QoS

Security

• Access control lists

• SPAN ports for IDS

• Physical isolation

Best practices

• Turn off unneeded services

• Disable all unused ports

• Limit the MAC addresses on a port to known MAC addresses when possible (non-trunking ports)

• For trunking ports use a dedicated VLAN identifier

• Eliminate native VLANs for 802.1Q trunks

• Turn off Telnet and limit SNMP access to the switches

• Logging to external server

Core Layer

[Diagram: the core layer highlighted within Switch Block 1 and Switch Block 2; the Internet, WAN, Server and Management Blocks are shown for context]

Characteristics

• No Expensive Layer 3 Processing

• Very High Throughput

• No unnecessary packet manipulation

• Resiliency

• High Availability

Security

• Physical isolation

Best practices

• Disable all unused ports

• Limit the MAC addresses on a port to known MAC addresses when possible

• Turn off Telnet and limit SNMP access to the Switches

• Logging to external server
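The access, distribution and core layer best practices above are all switch hardening settings, so here is one added example (my own code, not from the presentation) that audits a switch configuration against them: trunk negotiation turned off, port security with the MAC limit of 5, broadcast storm control, Telnet disabled on the management lines, SNMP restricted by an access list, external logging, and unused ports shut down. It assumes Cisco IOS-style configuration syntax; the weak and hardened sample configurations, the hostname and addresses in them, and the function names are all constructed for this example.

```python
"""Audit a switch configuration against the slide best practices.
The parser is my own and assumes Cisco IOS-style syntax; both sample
configurations below are constructed for this example."""
import re

MAX_MACS = 5  # per-port MAC address limit from the Access Layer slide

# Constructed: violates most of the best practices.
WEAK_CONFIG = """
hostname access-sw1
snmp-server community public RW
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 storm-control broadcast level 20.00
!
interface GigabitEthernet1/0/2
 switchport mode dynamic auto
 switchport port-security maximum 50
!
interface GigabitEthernet1/0/3
 shutdown
!
line vty 0 4
 transport input telnet ssh
"""

# Constructed: the same switch with the slide's recommendations applied.
HARDENED_CONFIG = """
hostname access-sw1
logging host 10.10.10.50
snmp-server community s3cr3t RO 10
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 5
 storm-control broadcast level 20.00
!
interface GigabitEthernet1/0/2
 shutdown
!
line vty 0 4
 transport input ssh
"""


def parse_config(text):
    """Return (global_lines, blocks): blocks maps an 'interface X' or
    'line vty A B' header to the indented lines beneath it."""
    global_lines, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        elif re.match(r"^(interface \S+|line vty \d+ \d+)$", line):
            current = line
            blocks[current] = []
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, blocks


def audit_interface(name, lines):
    """Per-port checks: DTP off, port security with MAC limit, storm control."""
    findings = []
    if "shutdown" in lines:
        return findings  # unused port is disabled; nothing else to check
    modes = [l for l in lines if l.startswith("switchport mode")]
    if not modes or any("dynamic" in m for m in modes):
        findings.append((name, "trunk negotiation not turned off (mode auto/desirable)"))
    if "switchport port-security" not in lines:
        findings.append((name, "port security not enabled"))
    for l in lines:
        m = re.match(r"switchport port-security maximum (\d+)$", l)
        if m and int(m.group(1)) > MAX_MACS:
            findings.append((name, f"MAC limit {m.group(1)} exceeds {MAX_MACS}"))
    if not any(l.startswith("storm-control broadcast") for l in lines):
        findings.append((name, "no broadcast storm control"))
    return findings


def audit_vty(name, lines):
    """Management lines must accept SSH only (Telnet turned off)."""
    transports = [l for l in lines if l.startswith("transport input")]
    if not transports or any(t.split()[2:] != ["ssh"] for t in transports):
        return [(name, "Telnet or another non-SSH transport allowed")]
    return []


def audit_global(global_lines):
    """External syslog present; SNMP read-only and limited by an access list."""
    findings = []
    if not any(l.startswith("logging host") for l in global_lines):
        findings.append(("global", "no external syslog host"))
    for l in global_lines:
        if l.startswith("snmp-server community"):
            parts = l.split()  # snmp-server community <name> RO|RW [acl]
            if parts[3].upper() == "RW":
                findings.append(("global", "read-write SNMP community configured"))
            if len(parts) < 5:
                findings.append(("global", "SNMP community not limited by an access list"))
    return findings


def audit_switch_config(text):
    """Return a list of (scope, message) findings; empty means compliant."""
    global_lines, blocks = parse_config(text)
    findings = audit_global(global_lines)
    for name, lines in blocks.items():
        if name.startswith("line vty"):
            findings.extend(audit_vty(name, lines))
        else:
            findings.extend(audit_interface(name, lines))
    return findings


if __name__ == "__main__":
    for scope, msg in audit_switch_config(WEAK_CONFIG):
        print(f"{scope}: {msg}")
    print("hardened config findings:", audit_switch_config(HARDENED_CONFIG))
```

Running it lists eight findings for the weak configuration (three global, four on GigabitEthernet1/0/2, one on the vty lines) and none for the hardened one; the shut-down port is skipped because disabling an unused port already satisfies the slides' guidance for it.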

High Availability and Load Balancing

[Diagram only; this slide carries no text]

Management Block

[Diagram: the management block, with HIDS on the management hosts and NIDS sensors at its boundary]

Key Devices

• Firewalls

• NIDS and HIDS

• IDS Hosts

• Syslog Hosts

• SNMP Management Hosts

• CiscoWorks, HP OpenView

• System Admin Host

Out of Band Management

• Preferred method of management

• Isolated from production network

• Physical Isolation

In Band Management

• Only management traffic

• Different address space than Production Network

• NAT

• Encryption (IPsec, SSH, SSL)

• Firewall Security + IDS

Best Practices

• Only use In band Management when necessary.

• PVLAN segregation among hosts in management block.

• Periodic log revision

• Configuration base-line establishment

• Periodic base-line checking

Threats Mitigated

Best practices applied:

• Only use in-band management when necessary.

• PVLAN segregation among hosts in the management block.

• Periodic log revision

• Configuration base-line establishment

• Periodic base-line checking

Threats mitigated:

• Unauthorised access

• Man-in-the-middle attacks

• Network reconnaissance

• Packet sniffing

• Compromised host hopping

• Hacking attempts going unnoticed

Server Block

[Diagram: the server block, with NIDS sensors at its boundary and HIDS on the servers]

Key Devices

• Firewalls

• NIDS and HIDS

• NTP server

• TACACS+ server

• Certificate server

• SecurID server (strong authentication)

• Corporate servers

• Call Manager

• DNS servers

• E-mail servers

• Etc.

Best Practices

• Firewall and NIDS implementation

• PVLAN isolation for each server

• Host-based IDS on each server

• Service redundancy

• Backup policy

• Logging to an external server in the management module

• Version control

Threats Mitigated

Best practices applied:

• Firewall and NIDS implementation

• Host-based IDS on each server

• PVLAN isolation for each server

• Service redundancy

• Logging to an external server in the management module

• Backup policy

• Version control

Threats mitigated:

• Unauthorized access

• IP spoofing

• Application layer attacks

• Trust exploitation

• Compromised host hopping

• Packet sniffing

• DoS

• Hacking attempts going unnoticed

• Lost data

WAN Block

[Diagram: the WAN block, with crypto clusters (CC) on the WAN links and a NIDS sensor]

Key Devices

• Firewalls

• NIDS

• Crypto Clusters

• Routers

Best Practices

• Data encryption

• Access List implementation

• High availability through different providers

Threats Mitigated

Best practices applied:

• Data encryption

• Access list implementation

• High availability through different providers

Threats mitigated:

• Data theft

• Man-in-the-middle attack

• IP spoofing

• Unauthorized access

• DoS

Internet Block

[Diagram: the Internet block, with VPN concentrators for remote users, a NIDS sensor and HIDS on the public servers]

Key Elements

• Firewalls

• HIDS and NIDS

• VPN Concentrator

• HTTP Servers

• DNS Servers

Best Practices

• Security policy with ISP to mitigate DDoS

• Private VLAN Isolation among Servers

• No corporate Servers at this point

• High availability through different ISPs

• VPN for Remote user Access

Threats Mitigated

Best practices applied:

• Security policy with ISP

• Private VLAN isolation among servers

• Firewall, NIDS and HIDS implementation

• High availability through different ISPs

• VPN for remote user access

• No corporate servers at this point

Threats mitigated:

• IP spoofing

• Packet sniffing

• Compromised host hopping

• Hacking attempts going unnoticed

• DDoS attacks

• Unauthorized access

THE END
