Secure Network Design
Jose David Garcia
Slide 2. Index
1. Diagram Legend
2. Layered Network Design
   1. Access Layer
   2. Distribution Layer
   3. Core Layer
3. High Availability and Load Balancing
4. Modular Network Design
   1. Management Block
      1. Out of Band Management
      2. In Band Management
   2. Server Block
   3. Wan Block
   4. Internet Block
Slide 3. Diagram Legend
• Terminal
• Server
• Router
• Firewall
• Switch
• Multilayer Switch
• Load Balancer
• NIDS: Network Intrusion Detection System
• HIDS: Host Intrusion Detection System
• VPN: Virtual Private Network
• Management Console
• CC: Crypto Cluster
• Remote User

Slide 4. [Diagram: the overall modular network, showing Switch Block 1, Switch Block 2, Management Block, WAN Block, Server Block and Internet Block, with IDS sensors, a Crypto Cluster (CC) and VPN devices placed between the blocks]

Slide 5. Access Layer
[Diagram: the access layer highlighted within the same modular network (Switch Block 1, Switch Block 2, Management Block, WAN Block, Server Block, Internet Block)]
Slide 6. Characteristics
• Low cost per port
• High port density
• Uplink to higher layers
• Layer 2 services

Slide 7. Security Design
• Identity based network services
• VLAN and PVLAN segregation
• Rate limiting
• Management encryption
• Physical isolation

Slide 8. Best Practices
• Ports that do not need to trunk should be set to OFF rather than AUTO
• Limit each port to a small number of MAC addresses (5)
• Configure broadcast storm control
• Turn off Telnet and limit SNMP access to the switches
• Logging to an external server
Slide 9. Distribution Layer
[Diagram: the distribution layer highlighted within the modular network (Switch Block 1, Switch Block 2, Management Block, WAN Block, Server Block, Internet Block)]

Slide 10. Characteristics
• Aggregation of access layer devices
• High layer 3 throughput
• Robust layer 3 functionality
• Security
• Media translation
• QoS

Slide 11. Security
• Access control lists
• SPAN ports for IDS
• Physical isolation

Slide 12. Best Practices
• Turn off unneeded services
• Disable all unused ports
• Limit the MAC addresses on a port to known MAC addresses when possible (non-trunking ports)
• For trunking ports use a dedicated VLAN identifier
• Eliminate native VLANs for 802.1Q trunks
• Turn off Telnet and limit SNMP access to the switches
• Logging to an external server
Slide 13. Core Layer
[Diagram: the core layer highlighted within the modular network (Switch Block 1, Switch Block 2, Management Block, WAN Block, Server Block, Internet Block)]

Slide 14. Characteristics
• No expensive layer 3 processing
• Very high throughput
• No unnecessary packet manipulation
• Resiliency
• High availability

Slide 15. Security
• Physical isolation

Slide 16. Best Practices
• Disable all unused ports
• Limit the MAC addresses on a port to known MAC addresses when possible
• Turn off Telnet and limit SNMP access to the switches
• Logging to an external server
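The switch best practices on slides 8, 12 and 16 can be checked mechanically against a running configuration. The Python script below is an added example written for this page; it is not part of the presentation and not a Cisco tool. It parses an IOS-style configuration into global lines and interface/line blocks, then flags access ports that still negotiate trunking (DTP on AUTO rather than OFF), ports with no MAC limit or a limit above 5, missing broadcast storm control, unused ports that are not shut down, 802.1Q trunks left on the default native VLAN, vty lines that still accept Telnet, SNMP communities without an access list, and the absence of an external syslog server. The sample configuration, the limit of 5 MAC addresses (taken from slide 8) and all function names are assumptions made for the example.

```python
import re

MAX_MACS_PER_PORT = 5  # slide 8: limit each port to a small number of MAC addresses (5)

def parse_config(text):
    """Split an IOS-style config into global lines and (header, lines) blocks."""
    global_lines, blocks, current = [], [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank lines and '!' comment/separator lines
        if line[0].isspace():
            if current is not None:
                current[1].append(line.strip())  # indented: belongs to the last header
        elif line.startswith(("interface ", "line ")):
            current = (line, [])
            blocks.append(current)
        else:
            current = None  # any other unindented line is global configuration
            global_lines.append(line)
    return global_lines, blocks

def has(lines, prefix):
    return any(l.startswith(prefix) for l in lines)

def last_int(lines, pattern, default):
    """Integer captured by the last line matching pattern, or default if none."""
    value = default
    for l in lines:
        m = re.match(pattern, l)
        if m:
            value = int(m.group(1))
    return value

def audit_interface(header, lines):
    """Per-port rules from slides 8, 12 and 16."""
    name, findings = header.split(" ", 1)[1], []
    if "shutdown" in lines:
        return findings  # disabled port: nothing more to check
    is_access = has(lines, "switchport mode access")
    is_trunk = has(lines, "switchport mode trunk")
    if not (is_access or is_trunk):
        return [f"{name}: unused or unconfigured port is not shut down"]
    if is_access:
        if "switchport nonegotiate" not in lines:
            findings.append(f"{name}: DTP still negotiates; trunking should be OFF, not AUTO")
        if "switchport port-security" not in lines:
            findings.append(f"{name}: port security off, MAC addresses unlimited")
        elif last_int(lines, r"switchport port-security maximum (\d+)$", 1) > MAX_MACS_PER_PORT:
            findings.append(f"{name}: port-security maximum exceeds {MAX_MACS_PER_PORT}")
        if not has(lines, "storm-control broadcast"):
            findings.append(f"{name}: no broadcast storm control")
    if is_trunk and last_int(lines, r"switchport trunk native vlan (\d+)$", 1) == 1:
        findings.append(f"{name}: trunk on default native VLAN 1; use a dedicated VLAN id")
    return findings

def audit(text):
    """Global rules (Telnet off, SNMP restricted, external syslog) plus every port."""
    global_lines, blocks = parse_config(text)
    findings = []
    if not has(global_lines, "logging host"):
        findings.append("global: no external syslog server (logging host)")
    for l in global_lines:
        m = re.match(r"snmp-server community \S+ (?:RO|RW)(?: (\S+))?$", l)
        if m and m.group(1) is None:
            findings.append(f"global: SNMP community without an access list: {l}")
    for header, lines in blocks:
        if header.startswith("line vty"):
            transport = next((l for l in lines if l.startswith("transport input")), "")
            if transport != "transport input ssh":
                findings.append(f"{header}: Telnet not disabled; expected 'transport input ssh'")
        elif header.startswith("interface "):
            findings.extend(audit_interface(header, lines))
    return findings

SAMPLE_CONFIG = """
! constructed sample configuration for this example, not from any real switch
logging host 10.200.0.10
snmp-server community r3ad0nly RO 10
snmp-server community legacy RO
interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 3
 storm-control broadcast level 10.00
interface GigabitEthernet1/0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 50
interface GigabitEthernet1/0/4
interface GigabitEthernet1/0/25
 switchport mode trunk
line vty 0 4
 transport input telnet ssh
"""

print(*audit(SAMPLE_CONFIG), sep="\n")
```

Run as is, the script reports seven findings: the unrestricted SNMP community, three problems on GigabitEthernet1/0/2, the unconfigured GigabitEthernet1/0/4 that was never shut down, the uplink still on native VLAN 1, and the vty line that accepts Telnet; GigabitEthernet1/0/1 passes every check. Treat the port-security default of 1 and the native-VLAN default of 1 as assumptions about IOS behaviour to confirm on the platform you audit.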
Slide 17. High Availability and Load Balancing
Slide 18. Management Block
[Diagram: management block with NIDS sensors and HIDS on the management hosts]

Slide 19. Key Devices
• Firewalls
• NIDS and HIDS
• IDS hosts
• Syslog hosts
• SNMP management hosts
• CiscoWorks, HP OpenView
• System admin host

Slide 20. Out of Band Management
• Preferred method of management
• Isolated from the production network
• Physical isolation

Slide 21. In Band Management
• Only management traffic
• Different address space than the production network
• NAT
• Encryption (IPsec, SSH, SSL)
• Firewall security + IDS

Slide 22. Best Practices
• Only use in band management when necessary
• PVLAN segregation among hosts in the management block
• Periodic log revision
• Configuration base-line establishment
• Periodic base-line checking

Slide 23. Threats Mitigated (the slide lists the best practices of slide 22 beside the threats they address)
Best practices:
• Only use in band management when necessary
• PVLAN segregation among hosts in the management block
• Periodic log revision
• Configuration base-line establishment
• Periodic base-line checking
Threats mitigated:
• Unauthorised access
• Man in the middle attacks
• Network reconnaissance
• Packet sniffing
• Compromised host hopping
• Hacking attempts going unnoticed
Slide 24. Server Block
[Diagram: server block with NIDS sensors and HIDS on the servers]

Slide 25. Key Devices
• Firewalls
• NIDS and HIDS
• NTP server
• TACACS+ server
• Certificate server
• SecurID server (strong authentication)
• Corporate servers
• Call Manager
• DNS servers
• E-mail servers
• Etc…

Slide 26. Best Practices
• Firewall and NIDS implementation
• PVLAN isolation for each server
• Host based IDS on each server
• Service redundancy
• Backup policy
• Logging to an external server in the management module
• Version control

Slide 27. Threats Mitigated (the slide lists the best practices of slide 26 beside the threats they address)
Best practices:
• Firewall and NIDS implementation
• Host based IDS on each server
• PVLAN isolation for each server
• Service redundancy
• Logging to an external server in the management module
• Backup policy
• Version control
Threats mitigated:
• Unauthorized access
• IP spoofing
• Application layer attacks
• Trust exploitation
• Compromised host hopping
• Packet sniffing
• DoS
• Hacking attempts going unnoticed
• Lost data
Slide 28. WAN Block
[Diagram: WAN block with a Crypto Cluster (CC) and a NIDS sensor]

Slide 29. Key Devices
• Firewalls
• NIDS
• Crypto clusters
• Routers

Slide 30. Best Practices
• Data encryption
• Access list implementation
• High availability through different providers

Slide 31. Threats Mitigated (the slide lists the best practices of slide 30 beside the threats they address)
Best practices:
• Data encryption
• Access list implementation
• High availability through different providers
Threats mitigated:
• Data theft
• Man in the middle attack
• IP spoofing
• Unauthorized access
• DoS
Slide 32. Internet Block
[Diagram: internet block with HIDS on the public servers, a NIDS sensor and VPN devices for remote users]

Slide 33. Key Elements
• Firewalls
• HIDS and NIDS
• VPN concentrator
• HTTP servers
• DNS servers

Slide 34. Best Practices
• Security policy with the ISP to mitigate DDoS
• Private VLAN isolation among servers
• No corporate servers at this point
• High availability through different ISPs
• VPN for remote user access
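Private VLAN (PVLAN) isolation is prescribed for the management block (slide 22), the server block (slide 26) and the internet block (slide 34). The Python model below is an added example, not code from the presentation: it encodes the three PVLAN port roles (promiscuous, isolated, community), computes which hosts in one primary VLAN can reach each other at layer 2, and models the caveat that the promiscuous gateway will route between two hosts of the same subnet unless an access list on its interface drops traffic sourced from and destined to that subnet. The host names, their roles and the `gateway_drops_intra_subnet` switch are constructed for the example.

```python
from enum import Enum
from itertools import permutations

class PortType(Enum):
    PROMISCUOUS = "promiscuous"  # gateway, firewall, backup host: reaches every port
    ISOLATED = "isolated"        # reaches promiscuous ports only
    COMMUNITY = "community"      # reaches promiscuous ports and its own community

class Host:
    def __init__(self, name, port_type, community=None):
        self.name, self.port_type, self.community = name, port_type, community

def l2_reachable(src, dst):
    """Whether the switch forwards a frame from src's port to dst's port inside
    one primary VLAN, following the three secondary-VLAN port roles."""
    if PortType.PROMISCUOUS in (src.port_type, dst.port_type):
        return True
    if src.port_type is PortType.COMMUNITY and dst.port_type is PortType.COMMUNITY:
        return src.community == dst.community
    return False  # isolated ports never reach other isolated or community ports

def reachable(src, dst, gateway, gateway_drops_intra_subnet=True):
    """Layer-2 isolation plus the layer-3 caveat: all hosts still share one IP
    subnet, so the promiscuous gateway routes between two of them unless an ACL
    on its interface drops traffic whose source and destination are both inside
    that subnet (modelled by gateway_drops_intra_subnet, an assumption of the example)."""
    if l2_reachable(src, dst):
        return True
    via_gateway = l2_reachable(src, gateway) and l2_reachable(gateway, dst)
    return via_gateway and not gateway_drops_intra_subnet

def reachability_matrix(hosts, gateway, gateway_drops_intra_subnet=True):
    """Ordered (src, dst) name pairs mapped to whether src can reach dst."""
    return {(a.name, b.name): reachable(a, b, gateway, gateway_drops_intra_subnet)
            for a, b in permutations(hosts, 2)}

def isolation_violations(hosts, gateway, gateway_drops_intra_subnet=True):
    """Pairs the PVLAN segregates at layer 2 that can nevertheless talk."""
    matrix = reachability_matrix(hosts, gateway, gateway_drops_intra_subnet)
    return sorted((a.name, b.name) for a, b in permutations(hosts, 2)
                  if matrix[(a.name, b.name)] and not l2_reachable(a, b))

# Constructed server-block hosts for the example.
GATEWAY = Host("fw-gateway", PortType.PROMISCUOUS)
HOSTS = [
    GATEWAY,
    Host("backup-srv", PortType.PROMISCUOUS),  # backup host must reach every server
    Host("web1", PortType.COMMUNITY, "web"),   # web tier may talk among itself
    Host("web2", PortType.COMMUNITY, "web"),
    Host("db1", PortType.ISOLATED),            # reachable only through the firewall
    Host("mail1", PortType.ISOLATED),
]

if __name__ == "__main__":
    for (a, b), ok in sorted(reachability_matrix(HOSTS, GATEWAY).items()):
        print(f"{a:>10} -> {b:<10} {'allowed' if ok else 'blocked'}")
    print("violations without the gateway ACL:",
          isolation_violations(HOSTS, GATEWAY, gateway_drops_intra_subnet=False))
```

With the gateway ACL in place the only permitted paths are promiscuous-to-anything and web1-to-web2; without it, `isolation_violations` lists every isolated and cross-community pair, which is why the PVLAN control on these slides is only complete when the firewall or router that fronts the servers also filters intra-subnet traffic.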
Slide 35. Threats Mitigated (the slide lists the best practices of slide 34 beside the threats they address)
Best practices:
• Security policy with the ISP
• Private VLAN isolation among servers
• Firewall, NIDS and HIDS implementation
• High availability through different ISPs
• VPN for remote user access
• No corporate servers at this point
Threats mitigated:
• IP spoofing
• Packet sniffing
• Compromised host hopping
• Hacking attempts going unnoticed
• DDoS attacks
• Unauthorized access

Slide 36. THE END