This document discusses network design, architecture, and IP address management principles to support system security and data protection. It advocates for network segmentation through security zones, classification of systems, and private IP addressing to limit lateral movement of threats. The document recommends dividing large networks into separate network domains with defined traffic rules between segments. Criteria-based segmentation and logical/physical isolation techniques can enhance performance and security by restricting access and propagation of faults across network segments.
DEFENSE IN DEPTH6IntroductionThe objective of this papLinaCovington707
DEFENSE IN DEPTH
6
Introduction
The objective of this paper is to visually display a defense in depth model and explain features that will encourage an overall layered defense tactic to strategically mitigate against potential threats. The network is comprised of a corporate site in Chicago where all servers are located to include: Web server, file server, print server, mail server, and ftp server. This connection to the Internet has a speed of 50mbps with 300 employees that have access to the Internet, as well as local and corporate resources. There is also one remote site that is 8 miles away with 20 employees that need access to all resources at corporate as well as an Internet connection with the limitation of 3mbps. In this design all network devices will be utilized to include: routers, switches, hubs, firewalls, VPN’s, and proxies. Along with the devices being displayed the interconnections between these devices will be shown, the end user (client) devices (desktops, laptops), and the Internet cloud, which will generically be shown to represent the network’s interface to the Internet.
In addition to the design this discussion will review the flow of data throughout the network to reveal security features that create that in depth design to protect any organization with similar requirements. I will first review the network diagram with physical features, locations, and Internet speeds; then discuss in depth, security features from each of the seven network domains (user, workstation, Local Area network (LAN), LAN-to-Wide Area Network (WAN), Remote Access, WAN, and Systems/Applications) and how they will be incorporated throughout the design and infrastructure of the network.
The objective is to implement these features to enforce the confidentiality, integrity, availability, privacy, authenticity, authorization, non-repudiation, and accounting. (Stewart, J. M., 2011).
Network Design, Data Flow, and Security Features
The network design features the corporate headquarters site in Chicago that includes within the Information Technical (IT) department is a database server, an FTP server, application server, web server, email server, print server, and 30 workstations. The database server utilizes role-based access features as well as two-factor authentication for server and user access (Common Access Card and username/password). The FTP server utilizes the TCP protocols and is within the internal network with additional firewall rules, routing policies that limit open ports, and internal training on how to locate potential threats for the IT department to monitor. The Webserver must be held in the DMZ to allow additional port access to utilize the Internet. The email and print servers are also located within the internal network.
Outside of the IT Department, this organization has six departments that are on three floors that include45 workstations and 5 printers per department. Each department is interconnected to corporate resources ...
Firewall is a device or set of instruments designed to permit or deny network transmissions based upon a set of rules and regulation is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass or during the sensitive data transmission. Distributed firewalls allow enforcement of security policies on a network without restricting its topology on an inside or outside point of view. Use of a policy language and centralized delegating its semantics to all members of the networks domain support application of firewall technology for organizations, which network devices communicate over insecure channels and still allow a logical separation of hosts in- and outside the trusted domain. We introduce the general concepts of such distributed firewalls, its requirements and implications and introduce its suitability to common threats on the Internet, as well as give a short discussion on contemporary implementations.
DEFENSE IN DEPTH6IntroductionThe objective of this papLinaCovington707
DEFENSE IN DEPTH
6
Introduction
The objective of this paper is to visually display a defense in depth model and explain features that will encourage an overall layered defense tactic to strategically mitigate against potential threats. The network is comprised of a corporate site in Chicago where all servers are located to include: Web server, file server, print server, mail server, and ftp server. This connection to the Internet has a speed of 50mbps with 300 employees that have access to the Internet, as well as local and corporate resources. There is also one remote site that is 8 miles away with 20 employees that need access to all resources at corporate as well as an Internet connection with the limitation of 3mbps. In this design all network devices will be utilized to include: routers, switches, hubs, firewalls, VPN’s, and proxies. Along with the devices being displayed the interconnections between these devices will be shown, the end user (client) devices (desktops, laptops), and the Internet cloud, which will generically be shown to represent the network’s interface to the Internet.
In addition to the design this discussion will review the flow of data throughout the network to reveal security features that create that in depth design to protect any organization with similar requirements. I will first review the network diagram with physical features, locations, and Internet speeds; then discuss in depth, security features from each of the seven network domains (user, workstation, Local Area network (LAN), LAN-to-Wide Area Network (WAN), Remote Access, WAN, and Systems/Applications) and how they will be incorporated throughout the design and infrastructure of the network.
The objective is to implement these features to enforce the confidentiality, integrity, availability, privacy, authenticity, authorization, non-repudiation, and accounting. (Stewart, J. M., 2011).
Network Design, Data Flow, and Security Features
The network design features the corporate headquarters site in Chicago that includes within the Information Technical (IT) department is a database server, an FTP server, application server, web server, email server, print server, and 30 workstations. The database server utilizes role-based access features as well as two-factor authentication for server and user access (Common Access Card and username/password). The FTP server utilizes the TCP protocols and is within the internal network with additional firewall rules, routing policies that limit open ports, and internal training on how to locate potential threats for the IT department to monitor. The Webserver must be held in the DMZ to allow additional port access to utilize the Internet. The email and print servers are also located within the internal network.
Outside of the IT Department, this organization has six departments that are on three floors that include45 workstations and 5 printers per department. Each department is interconnected to corporate resources ...
Firewall is a device or set of instruments designed to permit or deny network transmissions based upon a set of rules and regulation is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass or during the sensitive data transmission. Distributed firewalls allow enforcement of security policies on a network without restricting its topology on an inside or outside point of view. Use of a policy language and centralized delegating its semantics to all members of the networks domain support application of firewall technology for organizations, which network devices communicate over insecure channels and still allow a logical separation of hosts in- and outside the trusted domain. We introduce the general concepts of such distributed firewalls, its requirements and implications and introduce its suitability to common threats on the Internet, as well as give a short discussion on contemporary implementations.
How to minimize threats in your information system using network segregation? PECB
We will discuss the importance of network infrastructure and how we can minimize risks of attacks in our IT by segregating and segmenting our network infrastructure.
Main points that have been covered are:
• Why it’s always a primary target for attacks?
• What are the segmented networks?
• How can it be used?
Presenter:
Our presenter for this webinar is Mohamed Tawfik, who is a qualified Technocrat, and a seasoned IT/Telecom Professional having over 20 years of solid experience with multi-national corporate organizations planning, deployment, governance, audit and enforcing policy on Information Security Practice, while having in-depth knowledge of IT/Telecom Infrastructure and with a proven record of customer satisfaction.
Link of the recorded session published on YouTube:https://youtu.be/sKhihzgElH8
International Journal of Engineering Research and DevelopmentIJERD Editor
Electrical, Electronics and Computer Engineering,
Information Engineering and Technology,
Mechanical, Industrial and Manufacturing Engineering,
Automation and Mechatronics Engineering,
Material and Chemical Engineering,
Civil and Architecture Engineering,
Biotechnology and Bio Engineering,
Environmental Engineering,
Petroleum and Mining Engineering,
Marine and Agriculture engineering,
Aerospace Engineering.
West Consulting Modular Design ProposalMichael BoddieNetwork.docxphilipnelson29183
West Consulting Modular Design Proposal
Michael Boddie
Network Design Associate
NTC/320
January 29, 2018
-Welcome-
1
Introduction
West Consulting Firm is a large company with 1000+ devices
The best Network design for West Consulting Firm is Hierarchical structure as proposed in the network summary document
Hierarchical network design is a three layer model.
West Consulting is a large organization as it currently have 1000 users and it intends to increase the number of users to 1500
The reason as to why the organization should opt for a hierarchical network design due to:
Better scalability
Better redundancy
Better performance
Batter management and troubleshooting
Better policy creating and scalability
2
Hierarchical Network Design
In each layer in the hierarchy provides specific functions which helps the network designer to select and optimize the right network hardware , features and software
The access layer provides user access to the organization network
The distribution layer provides policy-based connectivity
Core layer provides fast transport between the distribution switches
Access layer is where the switches are located which are then connected to the end users or computers
The distribution layer separates the access and the core layer. It in this layer where the policy of the network is defined
The core layer consists of the layer with the fastest, biggest, and the most expensive routers. This layer is considered to be the backbone of the organizational network. It is in this layer that routers are used to merge geographically separated network of the organization
3
Cisco Design Principles of a Hierarchical Structure
When designing hierarchical network structure there four design principles to consider which are:
Network diameter: This term is used to measure the number of devices
Bandwidth aggregation: This is the art of considering the specific bandwidth requirements
Redundancy: This is the practice of duplicating critical elements so as to achieve reliability (Thomadsen, 2005).
Network diameter is the first thing to consider when designing a hierarchical network structure. Network diameter is the number of gadgets or devices that a certain packet have to cross before it reaches its destination. This means that when designing west consulting network structure, the network designer must keep network diameter low.
Bandwidth aggregation: The designers of West Consulting firm network structure they must consider the bandwidth requirement for every party of the hierarchy. Link aggregation is said to allow multiple switch ports links to be combined. This in turn achieves a high throughput between the organizational switches
To ensure redundancy the network designer can double the network links
4
How Design a Hierarchical Network .
Advanced Security Management in Metro Ethernet NetworksIJNSA Journal
With the rapid increase in bandwidth and the introduction of advanced IP services including voice, high-speed internet access, and video/IPTV, consumers are more vulnerable to malicious users than ever. In recent years, roviding safe and sound networks and services have been the zenith priority for service providers and network carriers alike. Users are hesitant to subscribe to new services unless service providers guarantee secure connections. More importantly, government agencies of many countries have introduced legislations requiring service providers to keep track and records of owners of IP and MAC addresses at all time. In this paper, we first present an overview of Metro Ethernet (or Ethernet-To-The-Home/Business (ETTx)) and compare with various IP broadband access technologies including DSL, wireless and cable. We then outline major security concerns for Metro Ethernet networks including network and subscriber/end user security. Next we introduce state-of-the-art algorithms to prevent attackers from stealing any IP or MAC addresses. Our proposal is to use network management in conjunction with hardware features for security management to provide a secure and spoofing-free ETTx network. The key idea behind our proposal is to utilize network management to enforce strict (port, MAC, IP) binding in the access network to provide subscriber security. The paper then proposes an adaptive policy-based security controller to quickly identify suspected malicious users, temporarily isolate them without disconnecting them from the network or validating their contracts, and then carry the required analysis. The proposed controller identifies malicious users without compromising between accurate but lengthy traffic analysis and premature decision. It also provides the ability to make granular corrective actions that are adaptive to any defined network condition.
The International Journal of Engineering and Science (The IJES)theijes
The International Journal of Engineering & Science is aimed at providing a platform for researchers, engineers, scientists, or educators to publish their original research results, to exchange new ideas, to disseminate information in innovative designs, engineering experiences and technological skills. It is also the Journal's objective to promote engineering and technology education. All papers submitted to the Journal will be blind peer-reviewed. Only original articles will be published.
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
The Essential Components of Structured Cablinglibertyuae uae
Discover the key components of structured cabling and how they form the backbone of a reliable and efficient network infrastructure. Explore this guide now!
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
A Deep Dive in the World of IT Networking (Part 2)Tuan Yang
For a successful career in Information Technology, a strong foundation of basic networking concepts is a must. Networking technology allows for the exchange of data between large and small information systems used primarily by various businesses.
Learn more about:
» OSI Model
» Networking Protocol
» TCP Model
» Networking and data security
How to minimize threats in your information system using network segregation? PECB
We will discuss the importance of network infrastructure and how we can minimize risks of attacks in our IT by segregating and segmenting our network infrastructure.
Main points that have been covered are:
• Why it’s always a primary target for attacks?
• What are the segmented networks?
• How can it be used?
Presenter:
Our presenter for this webinar is Mohamed Tawfik, who is a qualified Technocrat, and a seasoned IT/Telecom Professional having over 20 years of solid experience with multi-national corporate organizations planning, deployment, governance, audit and enforcing policy on Information Security Practice, while having in-depth knowledge of IT/Telecom Infrastructure and with a proven record of customer satisfaction.
Link of the recorded session published on YouTube:https://youtu.be/sKhihzgElH8
International Journal of Engineering Research and DevelopmentIJERD Editor
Electrical, Electronics and Computer Engineering,
Information Engineering and Technology,
Mechanical, Industrial and Manufacturing Engineering,
Automation and Mechatronics Engineering,
Material and Chemical Engineering,
Civil and Architecture Engineering,
Biotechnology and Bio Engineering,
Environmental Engineering,
Petroleum and Mining Engineering,
Marine and Agriculture engineering,
Aerospace Engineering.
West Consulting Modular Design ProposalMichael BoddieNetwork.docxphilipnelson29183
West Consulting Modular Design Proposal
Michael Boddie
Network Design Associate
NTC/320
January 29, 2018
-Welcome-
1
Introduction
West Consulting Firm is a large company with 1000+ devices
The best Network design for West Consulting Firm is Hierarchical structure as proposed in the network summary document
Hierarchical network design is a three layer model.
West Consulting is a large organization as it currently have 1000 users and it intends to increase the number of users to 1500
The reason as to why the organization should opt for a hierarchical network design due to:
Better scalability
Better redundancy
Better performance
Batter management and troubleshooting
Better policy creating and scalability
2
Hierarchical Network Design
In each layer in the hierarchy provides specific functions which helps the network designer to select and optimize the right network hardware , features and software
The access layer provides user access to the organization network
The distribution layer provides policy-based connectivity
Core layer provides fast transport between the distribution switches
Access layer is where the switches are located which are then connected to the end users or computers
The distribution layer separates the access and the core layer. It in this layer where the policy of the network is defined
The core layer consists of the layer with the fastest, biggest, and the most expensive routers. This layer is considered to be the backbone of the organizational network. It is in this layer that routers are used to merge geographically separated network of the organization
3
Cisco Design Principles of a Hierarchical Structure
When designing hierarchical network structure there four design principles to consider which are:
Network diameter: This term is used to measure the number of devices
Bandwidth aggregation: This is the art of considering the specific bandwidth requirements
Redundancy: This is the practice of duplicating critical elements so as to achieve reliability (Thomadsen, 2005).
Network diameter is the first thing to consider when designing a hierarchical network structure. Network diameter is the number of gadgets or devices that a certain packet have to cross before it reaches its destination. This means that when designing west consulting network structure, the network designer must keep network diameter low.
Bandwidth aggregation: The designers of West Consulting firm network structure they must consider the bandwidth requirement for every party of the hierarchy. Link aggregation is said to allow multiple switch ports links to be combined. This in turn achieves a high throughput between the organizational switches
To ensure redundancy the network designer can double the network links
4
How Design a Hierarchical Network .
Advanced Security Management in Metro Ethernet NetworksIJNSA Journal
With the rapid increase in bandwidth and the introduction of advanced IP services including voice, high-speed internet access, and video/IPTV, consumers are more vulnerable to malicious users than ever. In recent years, roviding safe and sound networks and services have been the zenith priority for service providers and network carriers alike. Users are hesitant to subscribe to new services unless service providers guarantee secure connections. More importantly, government agencies of many countries have introduced legislations requiring service providers to keep track and records of owners of IP and MAC addresses at all time. In this paper, we first present an overview of Metro Ethernet (or Ethernet-To-The-Home/Business (ETTx)) and compare with various IP broadband access technologies including DSL, wireless and cable. We then outline major security concerns for Metro Ethernet networks including network and subscriber/end user security. Next we introduce state-of-the-art algorithms to prevent attackers from stealing any IP or MAC addresses. Our proposal is to use network management in conjunction with hardware features for security management to provide a secure and spoofing-free ETTx network. The key idea behind our proposal is to utilize network management to enforce strict (port, MAC, IP) binding in the access network to provide subscriber security. The paper then proposes an adaptive policy-based security controller to quickly identify suspected malicious users, temporarily isolate them without disconnecting them from the network or validating their contracts, and then carry the required analysis. The proposed controller identifies malicious users without compromising between accurate but lengthy traffic analysis and premature decision. It also provides the ability to make granular corrective actions that are adaptive to any defined network condition.
The International Journal of Engineering and Science (The IJES)theijes
The International Journal of Engineering & Science is aimed at providing a platform for researchers, engineers, scientists, or educators to publish their original research results, to exchange new ideas, to disseminate information in innovative designs, engineering experiences and technological skills. It is also the Journal's objective to promote engineering and technology education. All papers submitted to the Journal will be blind peer-reviewed. Only original articles will be published.
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
The Essential Components of Structured Cablinglibertyuae uae
Discover the key components of structured cabling and how they form the backbone of a reliable and efficient network infrastructure. Explore this guide now!
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
A Deep Dive in the World of IT Networking (Part 2)Tuan Yang
For a successful career in Information Technology, a strong foundation of basic networking concepts is a must. Networking technology allows for the exchange of data between large and small information systems used primarily by various businesses.
Learn more about:
» OSI Model
» Networking Protocol
» TCP Model
» Networking and data security
Memorandum Of Association Constitution of Company.pptseri bangash
www.seribangash.com
A Memorandum of Association (MOA) is a legal document that outlines the fundamental principles and objectives upon which a company operates. It serves as the company's charter or constitution and defines the scope of its activities. Here's a detailed note on the MOA:
Contents of Memorandum of Association:
Name Clause: This clause states the name of the company, which should end with words like "Limited" or "Ltd." for a public limited company and "Private Limited" or "Pvt. Ltd." for a private limited company.
https://seribangash.com/article-of-association-is-legal-doc-of-company/
Registered Office Clause: It specifies the location where the company's registered office is situated. This office is where all official communications and notices are sent.
Objective Clause: This clause delineates the main objectives for which the company is formed. It's important to define these objectives clearly, as the company cannot undertake activities beyond those mentioned in this clause.
www.seribangash.com
Liability Clause: It outlines the extent of liability of the company's members. In the case of companies limited by shares, the liability of members is limited to the amount unpaid on their shares. For companies limited by guarantee, members' liability is limited to the amount they undertake to contribute if the company is wound up.
https://seribangash.com/promotors-is-person-conceived-formation-company/
Capital Clause: This clause specifies the authorized capital of the company, i.e., the maximum amount of share capital the company is authorized to issue. It also mentions the division of this capital into shares and their respective nominal value.
Association Clause: It simply states that the subscribers wish to form a company and agree to become members of it, in accordance with the terms of the MOA.
Importance of Memorandum of Association:
Legal Requirement: The MOA is a legal requirement for the formation of a company. It must be filed with the Registrar of Companies during the incorporation process.
Constitutional Document: It serves as the company's constitutional document, defining its scope, powers, and limitations.
Protection of Members: It protects the interests of the company's members by clearly defining the objectives and limiting their liability.
External Communication: It provides clarity to external parties, such as investors, creditors, and regulatory authorities, regarding the company's objectives and powers.
https://seribangash.com/difference-public-and-private-company-law/
Binding Authority: The company and its members are bound by the provisions of the MOA. Any action taken beyond its scope may be considered ultra vires (beyond the powers) of the company and therefore void.
Amendment of MOA:
While the MOA lays down the company's fundamental principles, it is not entirely immutable. It can be amended, but only under specific circumstances and in compliance with legal procedures. Amendments typically require shareholder
Attending a job Interview for B1 and B2 Englsih learnersErika906060
It is a sample of an interview for a business english class for pre-intermediate and intermediate english students with emphasis on the speking ability.
Taurus Zodiac Sign_ Personality Traits and Sign Dates.pptxmy Pandit
Explore the world of the Taurus zodiac sign. Learn about their stability, determination, and appreciation for beauty. Discover how Taureans' grounded nature and hardworking mindset define their unique personality.
[Note: This is a partial preview. To download this presentation, visit:
https://www.oeconsulting.com.sg/training-presentations]
Sustainability has become an increasingly critical topic as the world recognizes the need to protect our planet and its resources for future generations. Sustainability means meeting our current needs without compromising the ability of future generations to meet theirs. It involves long-term planning and consideration of the consequences of our actions. The goal is to create strategies that ensure the long-term viability of People, Planet, and Profit.
Leading companies such as Nike, Toyota, and Siemens are prioritizing sustainable innovation in their business models, setting an example for others to follow. In this Sustainability training presentation, you will learn key concepts, principles, and practices of sustainability applicable across industries. This training aims to create awareness and educate employees, senior executives, consultants, and other key stakeholders, including investors, policymakers, and supply chain partners, on the importance and implementation of sustainability.
LEARNING OBJECTIVES
1. Develop a comprehensive understanding of the fundamental principles and concepts that form the foundation of sustainability within corporate environments.
2. Explore the sustainability implementation model, focusing on effective measures and reporting strategies to track and communicate sustainability efforts.
3. Identify and define best practices and critical success factors essential for achieving sustainability goals within organizations.
CONTENTS
1. Introduction and Key Concepts of Sustainability
2. Principles and Practices of Sustainability
3. Measures and Reporting in Sustainability
4. Sustainability Implementation & Best Practices
To download the complete presentation, visit: https://www.oeconsulting.com.sg/training-presentations
Falcon stands out as a top-tier P2P Invoice Discounting platform in India, bridging esteemed blue-chip companies and eager investors. Our goal is to transform the investment landscape in India by establishing a comprehensive destination for borrowers and investors with diverse profiles and needs, all while minimizing risk. What sets Falcon apart is the elimination of intermediaries such as commercial banks and depository institutions, allowing investors to enjoy higher yields.
3.0 Project 2_ Developing My Brand Identity Kit.pptxtanyjahb
A personal brand exploration presentation summarizes an individual's unique qualities and goals, covering strengths, values, passions, and target audience. It helps individuals understand what makes them stand out, their desired image, and how they aim to achieve it.
Skye Residences | Extended Stay Residences Near Toronto Airportmarketingjdass
Experience unparalleled EXTENDED STAY and comfort at Skye Residences located just minutes from Toronto Airport. Discover sophisticated accommodations tailored for discerning travelers.
Website Link :
https://skyeresidences.com/
https://skyeresidences.com/about-us/
https://skyeresidences.com/gallery/
https://skyeresidences.com/rooms/
https://skyeresidences.com/near-by-attractions/
https://skyeresidences.com/commute/
https://skyeresidences.com/contact/
https://skyeresidences.com/queen-suite-with-sofa-bed/
https://skyeresidences.com/queen-suite-with-sofa-bed-and-balcony/
https://skyeresidences.com/queen-suite-with-sofa-bed-accessible/
https://skyeresidences.com/2-bedroom-deluxe-queen-suite-with-sofa-bed/
https://skyeresidences.com/2-bedroom-deluxe-king-queen-suite-with-sofa-bed/
https://skyeresidences.com/2-bedroom-deluxe-queen-suite-with-sofa-bed-accessible/
#Skye Residences Etobicoke, #Skye Residences Near Toronto Airport, #Skye Residences Toronto, #Skye Hotel Toronto, #Skye Hotel Near Toronto Airport, #Hotel Near Toronto Airport, #Near Toronto Airport Accommodation, #Suites Near Toronto Airport, #Etobicoke Suites Near Airport, #Hotel Near Toronto Pearson International Airport, #Toronto Airport Suite Rentals, #Pearson Airport Hotel Suites
1. 10.8.1.
10.8.2.
10.8.3.
10.8.4.
10.8.5.
10.8.6.
10.8.7.
10.8.8.
10.8.9.
10.8. Network Design, Architecture and IP Address Management
Objective
IP Address architecture, allocation and addressing schemes enable and support system security and data protection.
Context
Scope
This section includes discussion of the principles of separation and segregation as network design and network
architecture characteristics. It also discusses how IP addresses can be used to support these principles for improved
security of larger or multi-classification agency systems.
Background
The larger the network, the more difficult it is to protect. A large, unsegmented network presents a large attack
surface with greater susceptibility to the rapid spread and dissemination of system faults, weaknesses,
vulnerabilities and attacks. In a non-segmented network, traffic and applications generally have access to the
entire network. If a fault occurs or an attacker gains entry, the fault or attacker can move laterally through the
network causing disruption, network outages and enabling access to critical operational or classified data.
A large network is also more difficult to monitor and control. Segmenting the network limits an attacker’s ability to
move through the network by preventing lateral movement between zones. Segmentation also enhances the ability
to detect, monitor, control, isolate and correct faults.
A fundamental construct in the management of risk in networks is that of Trust Zones and Trust Boundaries. A Trust
Zone is a zoning construct based on levels of trust, classification, information asset value and essential information
security. A Trust Boundary is the interface between two or more Trust Zones. Trust Zones use the principles of
separation and segregation to manage sensitive information assets and ensure security policies are consistently
applied to all assets in a particular Trust Zone. Refer also to Section 22.1 – Cloud Computing and Section 22.2 –
Virtualisation.
Separation and Segregation
Separation and Segregation are determined by system function and the sensitivity of the data the system stores,
processes and transmits. One common example is placing systems that require a connection to the Internet into a
demilitarized zone (DMZ) that is separated and segregated (isolated) from more sensitive systems. Another example
is the use of compartments.
Separation and Segregation limits the ability of an intruder to exploit a vulnerability with the intent of elevating
privileges to gain access to more sensitive systems on the internal network. VLANs may be used to further separate
systems by controlling access and providing segregation thus giving additional protection.
Network segmentation is an effective strategy for protecting access to key data assets, and impeding the lateral
movement of system faults, threats and malicious activity. Segregation has the following benefits:
Enhanced performance: with fewer hosts per subnet, there is a reduced signalling and traffic overhead
allowing more bandwidth for data communication.
Improved security: with less signalling traffic going through all network segments, it is more difficult for an
attacker to analyse the addressing scheme and network structure. Failures in one segment are less likely to
propagate and more robust access control can be established and enforced.
Effective segregation also requires:
1 Version_3.5__January-2022__downloaded_Jul-2022
2. 10.8.10.
10.8.11.
10.8.13.
10.8.14.
10.8.15.
Specialised knowledge: networks may support many devices with complex policies and rule sets. Support staff
must be properly educated and trained to ensure the network segmentation is maintained.
Administrative effort: changes in infrastructure, such as new applications and new technologies, can extend the
time required to make changes and ensure the integrity of network segments.
Infrastructure Investment: segregation may require more equipment, new equipment with advanced
functionalities, or specific software to deal with multiple segments. These requirements should be considered
during budget planning.
ISO 27001 and ISO 27002 implementation recommendations for network segregation
These ISO Standards require the implementation of network segregation. In particular they recommend that groups
of information services, users, and information systems are segregated on networks. Specific recommendations are
summarised below:
Divide large networks into separate network domains (segments);
Consider physical and logical segregation;
Define domain perimeters;
Define traffic rules between domains;
Use authentication, encryption, and user-level network access control technologies;
Consider integration of the organisation’s network and segments with those of business partners.
The following structures and techniques should be considered:
Criteria-based segmentation: Pre-define rules to establish perimeters and create new segments in order to
reduce unnecessary redesign and future administrative overheads. Examples of criteria are trust level (e.g.,
external public segment, staff segment, server segment, database segment, suppliers segment, etc.),
organisational unit (e.g., Operations, Service Desk, Outreach, etc.), and combinations (e.g., external public
access).
Use of physical and logical segmentation: Depending upon the risk level identified in the risk assessment,
it may be necessary to use physically separated infrastructures to protect the organisation’s information and
assets (e.g., classified data flowing through a dedicated fibre), or you may use solutions based on logical
segmentation like Virtual Private Network (VPN).
Access rules for traffic flowing: Traffic between segments, including those of permitted external parties,
should be controlled according to the need to access information. Gateways should be configured based on
information classification and risk assessment. A specific case of access control applies to wireless networks,
since they have poor perimeter definition. The recommendation is to treat wireless communication as an
external connection until the traffic can reach a proper wired gateway before granting access to internal
network segments. Refer also to Chapter 19 – Gateway Security.
Network Design
Design Implementation
To assist in the implementation of separation and segregation as network design and architectural principles, the
following aspects should be considered:
Classification;
Security Zones;
IP Address Management;
Central Information Repository;
Private Use of Reserved Addresses;
Devices with Default IP Addresses; and
Connector types and cable colours.
Classification
Classified systems should, by definition, be segregated. This is particularly important where network elements have
access to compartments and compartmented data.
Ideally compartmented elements of systems should be segregated and separated from the main network. This may
2 Version_3.5__January-2022__downloaded_Jul-2022
3. 10.8.16.
10.8.17.
10.8.18.
10.8.19.
IPv4 Address Range Network IPv4 address
Block
Directed Broadcast IPv4
address
IPv4 Addresses
10.0.0.0 to
10.255.255.255
10.0.0.0/8 10.255.255.255 16,777,216
172.16.0.0 to
172.31.255.255
172.16.0.0/12 172.31.255.255 1,048,576
192.168.0.0 to
192.168.255.255
192.168.0.0/16 192.168.255.255 65,536
10.8.20.
10.8.21.
10.8.22.
10.8.23.
include the use of a reserved address space, monitored to detect violations or unauthorised attempts to connect to
compartments or to access compartmented data.
Security Zones
A security zone is a group of one or more physical or virtual firewall interfaces and the network segments connected
to the zone’s interfaces. Protection for each zone is individually specified and controlled so that each zone receives
the specific protections it requires according to classification, endorsement, compartment and sensitivity of data.
IP Address Management
The fundamental goal of an IP addressing scheme is to ensure network devices are uniquely addressed. IP Address
Schemes are a fundamental part of any network’s security architecture and should support network separation and
segregation. There are a number of techniques to assist in separating and segregating network elements. It is also
useful to consider how to segregate and control network traffic through:
Defined network perimeters and boundaries; and
Defined network traffic rules.
A well-structured IP addressing scheme promotes the ability to quickly identify node properties from an IP address
which assist in network management and fault finding and rectification.
Address Block Allocation
There are two main difficulties when assigning address blocks for types of devices. First is that over time there is
insufficient provision for additional devices and network growth. When the allocated address block is exhausted, the
addressing scheme is compromised (broken). The second is that you have a small number of devices in an address
block, but are running out of addresses in other parts of the network. If you “borrow” from a pre-assigned address
range, the addressing scheme is also compromised.
Internal IP address ranges are defined by the IETF. Commonly known as RFC 1918 addresses, the most recent RFC is
6761. These RFC’s define private IP address ranges which cannot be used for external (Internet) IP addressing.
Three address ranges (blocks) are defined:
IPv4 addresses are 32-bit binary addresses, divided into 4-Octets and normally represented in a decimal format. An
example of IPv4 address is 192.168.100.10. IPv6 addresses are so much larger than IPv4 addresses and impractical
to clearly represent in decimals. IPv6 addresses are usually represented in hexadecimal numbers, separated by a
colon. An example of an IPv6 address is 2001:0DB8:0000:0002:0022:2217:FF3B:118C. Private IPv6 addresses are
specified in RFC 4193
Private addressing is a means of distinguishing networks, assisting in separation and segregation.
Private use of reserved addresses
Some IP addresses have been reserved in IETF standards. Despite official warnings, some organisations use parts of
the reserved IP address space for their internal networks where address space is exhausted or poorly designed. This
creates conflicts with devices and signalling traffic protocols which can create network faults, anomalies and
network outages. This practice is strongly discouraged.
3 Version_3.5__January-2022__downloaded_Jul-2022
4. 10.8.24.
10.8.25.
10.8.26.
10.8.27.
10.8.28.
10.8.29.
10.8.30.
10.8.31.
10.8.32.
Title Publisher Source
Network Segmentation
and Segregation
ASD https://www.asd.gov.au/publ
ications/protect/network_se
gmentation_segregation.ht
m
10.8.33.
Devices which have default IP addresses
Some devices are supplied with default IP addresses. If using the IETF RFC 1918 addressing protocol (e.g. 10.0.x.x)
some devices may have been allocated the same (duplicate) IP address.
It is important to change default addresses to new addresses that conform with the addressing scheme selected for
the agency.
DHCP
In theory, there is only one network device that absolutely needs a true static address, the DHCP server. In practice,
it is preferable to assign address blocks to major groups of devices for control, fault isolation and security purposes.
Traditionally static devices are provided with a reserved address. These devices may include:
DCHP Server;
Gateway devices;
Firewalls;
Routers; and
Switches.
The majority of other devices can be allocated a DHCP address.
It is important to identify the essential device groups using a risk assessment, operational characteristics, level of
security, system classification and other relevant architectural features, business requirements and operational
constraints.
Connector Types and Cable Colours
Cable management is discussed in detail earlier in this chapter. In particular note the discussion (
10.1.4) of
Red/Black concepts which includes separation of electrical and electronic circuits, devices, equipment cables,
connectors and systems that transmit store or process national security information (Red) from non-national security
information (Black)
Wherever practical and possible, connectors for systems of different classifications should be distinct and be
selected to avoid accidental cross-connection of systems of different classifications. This can be achieved through
the use of colour and keyed connectors where the colour and keying is different for each classification level or
compartment (refer also to 10.1.30 and 10.6.6).
Central Information Repository
Creating a central repository of all the information on networks, IP addresses and devices, is critical to maintaining
control of the network. The challenge with traditional tools is that there are often specific tools for each category of
devices: one system to track virtual machines, one system to track wireless users, one system to track Windows
servers, one system to track Linux machines, etc.
A single repository where all the data relevant to networks, hosts, servers, dynamic clients, and virtual environments
can be tracked and synchronised is essential for larger networks. The ability to search across all this information
will enable network teams to quickly track changing network landscapes and rapidly troubleshoot issues as they
arise. In addition, business data related to a network resource helps bind together the logical network construct and
the reality of IT resources.
References
Further references can be found at:
Reference
4 Version_3.5__January-2022__downloaded_Jul-2022
5. Cisco on Cisco Best
Practices – Cisco IP
Addressing Policy
Cisco https://www.cisco.com/c/da
m/en_us/about/ciscoitatwor
k/downloads/ciscoitatwork/p
df/Cisco_IT_IP_Addressing_B
est_Practices.pdf
IP Addressing and
Subnetting for New
Users, Document ID:
13788
Cisco https://www.cisco.com/c/en/
us/support/docs/ip/routing-
information-protocol-
rip/13788-3.pdf
IP Addressing: IPv4
Addressing
Configuration Guide,
Cisco IOS Release 15S
Cisco https://www.cisco.com/c/en/
us/td/docs/ios-
xml/ios/ipaddr_ipv4/configur
ation/15-s/ipv4-15-s-
book.html
Introduction to Server
and Domain Isolation
Microsoft https://technet.microsoft.co
m/en-
us/library/cc725770(v=WS.
10).aspx
Information technology -
- Security techniques --
Information security
management systems --
Requirements
ISO
ISO
An Architecture for IP
Address Allocation with
CIDR
IETF
Address Allocation for
Private Internets
IETF
Observations on the use
of Components of the
Class A Address Space
within the Internet
IETF
Internet Registry IP
Allocation Guidelines
IETF
IPv4 Address Behaviour
Today
IETF
Security Architecture for
the Internet Protocol
IETF
IETF
ISO/IEC 27001:2013 https://www.iso.org/standar
d/54534.html
ISO/IEC 27002:2022 Information security,
cybersecurity and
privacy protection —
Information security
controls
https://www.iso.org/standar
d/75652.html
RFC 1518 https://datatracker.ietf.org/d
oc/html/rfc1518
RFC 1918 https://datatracker.ietf.org/d
oc/html/rfc1918
RFC 2036 https://datatracker.ietf.org/d
oc/html/rfc2036
RFC 2050 https://datatracker.ietf.org/d
oc/html/rfc2050
RFC 2101 https://datatracker.ietf.org/d
oc/html/rfc2101
RFC 2401 https://datatracker.ietf.org/d
oc/html/rfc2401
RFC 2663 IP Network Address
Translator (NAT)
Terminology and
Considerations
https://datatracker.ietf.org/d
oc/html/rfc2663
5 Version_3.5__January-2022__downloaded_Jul-2022
6. IETF
IETF
IETF
IETF
IETF
IETF
IETF
Deprecating Site Local
Addresses
IETF
Dynamic Configuration
of IPv4 Link-Local
Addresses
IETF
Embedding the
Rendezvous Point (RP)
Address in an IPv6
Multicast Address
IETF
Unique Local IPv6
Unicast Addresses
IETF
Classless Inter-domain
Routing (CIDR): The
Internet Address
Assignment and
Aggregation Plan
IETF
Intra-Site Automatic
Tunnel Addressing
Protocol (ISATAP)
IETF
IPv4 Address Blocks
Reserved for
Documentation
IETF
Tunnelling of Explicit
Congestion Notification
RFC 2894 Router Renumbering for
IPv6
https://datatracker.ietf.org/d
oc/html/rfc2894
RFC 3022 Traditional IP Network
Address Translator
(Traditional NAT)
https://datatracker.ietf.org/d
oc/html/rfc3022
RFC 3053 IPv6 Tunnel Broker https://datatracker.ietf.org/d
oc/html/rfc3053
RFC 3056 Connection of IPv6
Domains via IPv4 Clouds
https://datatracker.ietf.org/d
oc/html/rfc3056
RFC 3232 Assigned Numbers https://datatracker.ietf.org/d
oc/html/rfc3232
RFC 3260 New Terminology and
Clarifications for Diffserv
https://datatracker.ietf.org/d
oc/html/rfc3260
RFC 3330 Special-Use IPv4
Addresses" (superseded)
https://datatracker.ietf.org/d
oc/html/rfc3330
RFC 3879 https://datatracker.ietf.org/d
oc/html/rfc3879
RFC 3927 https://datatracker.ietf.org/d
oc/html/rfc3927
RFC 3956 https://datatracker.ietf.org/d
oc/html/rfc3956
RFC 4193 https://datatracker.ietf.org/d
oc/html/rfc4193
RFC 4632 https://datatracker.ietf.org/d
oc/html/rfc4632
RFC 5214 https://datatracker.ietf.org/d
oc/html/rfc5214
RFC 5737 https://datatracker.ietf.org/d
oc/html/rfc5737
RFC 6040 IETF https://datatracker.ietf.org/d
oc/html/rfc6040
6 Version_3.5__January-2022__downloaded_Jul-2022
7. IPv6 Addressing of
IPv4/IPv6 Translators
Teredo Extensions
IPv6 Node Requirements
Reserved IPv4 Prefix for
Shared Address Space
Special-Use Domain
Names
Special-Purpose IP
Address Registries
Updates to the IPv6
Multicast Addressing
Architecture
The NULL Authentication
Method
in the Internet Key
Exchange Protocol
Version 2 (IKEv2)
Label Switched Path
(LSP) and Pseudowire
(PW) Ping/Trace over
MPLS Networks Using
Entropy Labels (ELs)
Updates to the Special-
Purpose IP Address
Registries
IETF
10.8.34. Risk Assessment
10.8.34.R.01. Rationale
10.8.34.C.01. Control:
10.8.34.C.02. Control:
10.8.35. Security Architecture
10.8.35.R.01. Rationale
RFC 6052 IETF https://datatracker.ietf.org/d
oc/html/rfc6052
RFC 6081 IETF https://datatracker.ietf.org/d
oc/html/rfc6081
RFC 6434 IETF https://datatracker.ietf.org/d
oc/html/rfc6434
RFC 6598 IETF https://datatracker.ietf.org/d
oc/html/rfc6598
RFC 6761 IETF https://datatracker.ietf.org/d
oc/html/rfc6761
RFC 6890 IETF https://datatracker.ietf.org/d
oc/html/rfc6890
RFC 7371 IETF https://datatracker.ietf.org/d
oc/html/rfc7371
RFC 7619 IETF https://datatracker.ietf.org/d
oc/html/rfc7619
RFC 8012 IETF https://datatracker.ietf.org/d
oc/html/rfc8012
RFC 8190 https://datatracker.ietf.org/d
oc/html/rfc8190
Rationale & Controls
A risk assessment is a fundamental tool in the architecture and design of a network.
System Classification(s): All Classifications; Compliance: MUST [CID:5815]
Agencies MUST conduct and document a risk assessment before creating an architecture, and designing an
agency network.
System Classification(s): All Classifications; Compliance: MUST [CID:5816]
The principles of separation and segregation as well as the system classification MUST be incorporated into
the risk assessment.
7 Version_3.5__January-2022__downloaded_Jul-2022
8. 10.8.35.C.01. Control:
10.8.36. Identification of major classifications/categories of network segments
10.8.36.R.01. Rationale
10.8.36.R.02. Rationale
10.8.36.C.01. Control:
10.8.37. Visibility
10.8.37.R.01. Rationale
10.8.37.R.02. Rationale
10.8.37.C.01. Control:
10.8.38. Information Repository
10.8.38.R.01. Rationale
10.8.38.R.02. Rationale
10.8.38.R.03. Rationale
10.8.38.C.01. Control:
It is important that the principles of separation and segregation as well as the system classification are
incorporated into the overall security architecture to maximise design and operational efficiency and to
provide and support essential security to the network design.
System Classification(s): All Classifications; Compliance: MUST [CID:5820]
Security architectures MUST apply the principles of separation and segregation.
Identified in the risk assessment, it is essential that the classification of systems is clearly identified and is
apparent in all architecture and design elements and systems documentation.
Clear distinction of networks of different classifications is reinforced through the use of different IP
addressing schemes as well as the application of Red/Black, separation and segregation concepts and
principles. Refer also to section 10.1.
System Classification(s): All Classifications; Compliance: MUST [CID:5825]
The classification and other restrictions on the security and control of information MUST be clearly identified
for each part of the Agency network.
Clear identification and visibility of the classifications or category of a network segment is essential in
minimising accidental cross-connections, incident management and in limiting the propagation of errors
form one segment to others. This also assists in network maintenance and management.
Clear visual identification is supported by the use of IP addressing and cable colour schemes as well as the
use of different types of cable connectors for different network segments.
System Classification(s): All Classifications; Compliance: MUST [CID:5843]
Systems of different classifications MUST be visually distinct.
Clear documentation and records of changes to the architecture and construct of a network are essential in
change management, planning, design of network modifications, incident management and maintenance of
a strong security posture.
A single repository where all the data relevant to networks, hosts, servers, dynamic clients, and virtual
environments can be tracked and synchronised is essential for larger networks. The ability to search across
all this information will enable network teams to quickly track changing network landscapes and rapidly
troubleshoot issues as they arise.
The repository should also contain business data related to a network resource which helps manage
necessary changes and upgrades to a network in a fashion that appropriately allocates IT resources and
recognises business needs.
System Classification(s): All Classifications; Compliance: SHOULD [CID:5831]
An information repository, containing essential network information, change records and business
requirements SHOULD be established and maintained.
8 Version_3.5__January-2022__downloaded_Jul-2022