Security Design Considerations Module 3 - Training Sample


Sample of training materials produced by Content Rules Inc. for Extreme Networks.

Published in: Education, Technology
Transcript

  • 1. Module 3 Security Design Considerations © 2006 Extreme Networks, Inc. All rights reserved.
  • 2. Description This module provides an overview of the network vulnerabilities and security threats companies face today. It reviews the factors that should be taken into consideration when designing a security solution. It describes basic Sentriant CE150 network design configurations. Finally, it lists the technical information needed before you install the Sentriant CE150.
  • 3. Objectives
      Upon completion of this module the successful student will be able to:
        • List the factors taken into consideration when designing a network security solution.
        • Understand the network vulnerabilities that are addressed by the Sentriant CE150.
        • Describe basic Sentriant CE150 network design configurations.
        • Identify the technical information required before you install a Sentriant CE150 in a customer site.
  • 4. Traditional Defenses: Firewalls and IDS
      Firewall
        • Enforce access control policies between networks
        • Determine which inside services may be available from outside and vice versa
        • Provide a single “choke point” where security audits may be performed
        • Provide information about who has been “sniffing” around
      Intrusion Detection Systems (IDS)
        • Excellent at detecting many types of network attacks
  • 5. Firewall and IDS Limitations
      Cannot protect from attacks that bypass it
        • Internal attacks or unrestricted dial-outs
      Cannot protect data that is traversing the network
        • Financial data, corporate secrets, etc.
      Cannot protect against data being “changed” as it moves across the network
      Cannot stop any attacks that come from the inside
  • 6. Network Vulnerabilities
      Unauthorized Access of Data in Motion
        • Unauthorized monitoring – Network users believe the data they send over networks will be viewed only by the intended receiver.
        • Unauthorized modification – A simple route traced between any two corporate networks may provide an opportunity for an intruder to inconspicuously modify data.
      Common Inside Attacks
        • Insider breaches – Employees, contractors and others with legitimate network access can easily bypass perimeter security to access sensitive data on the network.
        • Man-in-the-middle attacks (also known as TCP Hijacking) – An attacker sniffs packets from the network, modifies them and inserts them back into the network.
        • Port mirroring – Port mirroring is a method of monitoring network traffic that forwards a copy of each incoming and outgoing packet from one port of a network switch to another port where the packet can be studied.
  • 7. Mitigate Network Vulnerabilities: Inside the Perimeter
      It is important to secure your data as it travels within your organization’s network.
        • Insiders account for up to 50% of network security breaches.
      A layered approach to network security provides the best defense possible. This means that in addition to perimeter security, e.g., firewall perimeter security, data traversing the internal network must also be secured.
      The only way to protect data traversing internal networks is to encrypt it. Sentriant CE150 provides the ideal solution for encrypting and safeguarding data in motion.
  • 8. Elements of a Comprehensive Security Solution
      Physical protection
        • Where are you?
      User authentication
        • Who are you?
      Encryption
        • Which information should be hidden?
      Access control
        • Which assets are you allowed to use?
      Management
        • What is going on within the network?
  • 9. Security Design Considerations
      Performance
        • Security solutions cannot become bottlenecks on the network. Security appliances must provide low latency and high throughput.
      User Transparency
        • Security appliances should not require reconfiguration of routers, gateways, or end-user devices.
      Centralized management and administration
        • Security solutions should provide centralized management and control, including: SNMP, MIB, audit and syslog.
      Regulatory compliance
        • Security solutions must be able to support the ever-evolving Federal and State government regulations, e.g., HIPAA.
      Resiliency
        • Security solutions must be available 7/24 with the ability to update security policies on the fly.
  • 10. Review 3 Minutes
  • 11. Sentriant CE150 Non-Router Network - Outbound
      [Diagram labels: Switch, Switch; Sentriant CE150, Sentriant CE150; Fiber backbone, Pt-Pt Wireless, Switch network; Layer 2; Outbound Traffic]
      Non-Router Network Outbound traffic:
        • This example explains the steps network equipment performs when sending data from a company site out to an external entity in a non-router environment.
  • 12. Sentriant CE150 Non-Router Network - Inbound
      [Diagram labels: Switch, Switch; Sentriant CE150, Sentriant CE150; Fiber backbone, Pt-Pt Wireless, Switch network; Layer 2; Inbound Traffic]
      Non-Router Network Inbound traffic:
        • This example explains the steps network equipment performs when receiving data from an external entity into a company site in a non-router environment.
  • 13. Sentriant CE150 Router WANs - Outbound
      [Diagram labels: Switch, Switch; Router, Router; Sentriant CE150, Sentriant CE150; Internet; Outbound Traffic]
      Router WAN/Backbone Outbound traffic:
        • This example explains the steps network equipment performs when sending data from a company site out to an external entity in a router environment.
  • 14. Sentriant CE150 Router WANs - Inbound
      [Diagram labels: Switch, Switch; Router, Router; Sentriant CE150, Sentriant CE150; Internet; Inbound Traffic]
      Router WAN/Backbone Inbound traffic:
        • This example explains the steps network equipment performs when receiving data from an external entity into a company site in a router environment.
  • 15. Resiliency Non-VRRP Example
      [Diagram labels: Router 1, Router 2, Router (several); Sentriant CE150, Sentriant CE150; A, B, C, D; Internet]
      Dual active-path redundancy
        • This example has two Sentriant CE150 appliances at each end of the connection creating two active paths between the locations.
  • 16. Resiliency VRRP Example
      [Diagram labels: Router 1, Router 2, Router (several); Sentriant CE150, Sentriant CE150; A, B, C, D; Internet]
      Single active-path redundancy
        • A pair of Sentriant CE150 appliances can be configured to form a virtual security gateway (VSG).
        • One appliance is active and the other waits in a backup state.
      Virtual Router Redundancy Protocol
        • Allows two security gateways (Sentriant CE150) to share one IP address
  • 17. Review 3 Minutes
  • 18. Configuration Planning Worksheet Interface Configuration
  • 19. Configuration Planning Worksheet Management Access
  • 20. Configuration Planning Worksheet FTP Client
  • 21. Configuration Planning Worksheet Network Interoperability
  • 22. Configuration Planning Worksheet Manual Key Policies
  • 23. Configuration Planning Worksheet Negotiated IPSec
  • 24. Configuration Planning Worksheet Negotiated IPSec (cont’d)
  • 25. Configuration Planning Worksheet Discard and Clear Policy
  • 26. Summary This module provided an overview of the network vulnerabilities and security threats companies face today. The module also reviewed the factors that should be taken into consideration when designing a security solution. It described basic Sentriant CE150 network design configurations. And finally, it provided the technical information worksheets used to assist with the installation of the Sentriant CE150.
  • 27. Summary continued
      You should now be able to:
        • List the factors taken into consideration when designing a network security solution.
        • Understand the network vulnerabilities that are addressed by the Sentriant CE150.
        • Describe basic Sentriant CE150 network design configurations.
        • Identify the technical information required before you install a Sentriant CE150 in a customer site.
  • 28. End of Module Review 5 Minutes