Secure Network Design

Jose David Garcia
Index
1. Diagram Legend
2. Layered Network Design
   1. Access Layer
   2. Distribution Layer
   3. Core Layer
3. High Availability and Load Balancing
4. Modular Network Design
   1. Management Block
      1. Out of Band Management
      2. In Band Management
   2. Server Block
   3. WAN Block
   4. Internet Block
Diagram Legend
• Terminal Server
• Router
• Firewall
• Switch
• Server
• Multilayer Switch
• Load Balancer
• Management Console
• Remote User
• NIDS: Network Intrusion Detection System
• HIDS: Host Intrusion Detection System
• VPN: Virtual Private Network
• CC: Crypto Cluster
[Diagram: overall network showing Switch Block 1, Switch Block 2, Management Block, Server Block, WAN Block and Internet Block, with IDS sensors in each block, a crypto cluster (CC) in the WAN Block and VPN devices in the Internet Block.]
Access Layer
[Diagram: overall network (Switch Block 1, Switch Block 2, Management Block, Server Block, WAN Block, VPN, Internet Block) with the access layer indicated.]
Characteristics
• Low cost per port
• High port density
• Uplink to higher layers
• Layer 2 services
Security Design
• Identity-based network services
• VLAN and PVLAN segregation
• Rate limiting
• Management encryption
• Physical isolation
Best Practices
• Ports that do not need to trunk should have trunk negotiation set to OFF rather than AUTO
• Limit each port to a small number of MAC addresses (5)
• Configure broadcast storm control
• Turn off Telnet and limit SNMP access to the switches
• Log to an external server
Distribution Layer
[Diagram: overall network (Switch Block 1, Switch Block 2, Management Block, Server Block, WAN Block, VPN, Internet Block) with the distribution layer indicated.]
Characteristics
• Aggregation of access layer devices
• High layer 3 throughput
• Robust layer 3 functionality
• Security
• Media translation
• QoS
Security
• Access control lists
• SPAN ports for IDS
• Physical isolation
Best Practices
• Turn off unneeded services
• Disable all unused ports
• Limit the MAC addresses on a port to known MAC addresses when possible (non-trunking ports)
• For trunking ports, use a dedicated VLAN identifier
• Eliminate native VLANs on 802.1Q trunks
• Turn off Telnet and limit SNMP access to the switches
• Log to an external server
Core Layer
[Diagram: overall network (Switch Block 1, Switch Block 2, Management Block, Server Block, WAN Block, VPN, Internet Block) with the core layer indicated.]
Characteristics
• No expensive layer 3 processing
• Very high throughput
• No unnecessary packet manipulation
• Resiliency
• High availability
Security
• Physical isolation
Best Practices
• Disable all unused ports
• Limit the MAC addresses on a port to known MAC addresses when possible
• Turn off Telnet and limit SNMP access to the switches
• Log to an external server
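As an added example (not part of the original slides), a small Python audit that checks a Cisco IOS-style switch configuration against the access, distribution and core layer best practices above: trunk negotiation OFF on non-trunk ports, a MAC address limit of at most 5 per port, broadcast storm control, a dedicated native VLAN on 802.1Q trunks, SSH-only VTY lines instead of Telnet, an access list on the SNMP community, and an external logging host. The config text, interface names and addresses are constructed for the example.

```python
import re
# Constructed Cisco IOS-style access-switch config for this example (not from the slides):
# Gi0/1 follows the deck's rules, Gi0/2 (DTP auto) and Gi0/24 (default native VLAN) do not.
SAMPLE_CONFIG = """\
logging host 10.99.0.10
snmp-server community s3cr3t RO 10
line vty 0 4
 transport input ssh
interface GigabitEthernet0/1
 switchport mode access
 switchport nonegotiate
 switchport port-security maximum 5
 storm-control broadcast level 1.00
interface GigabitEthernet0/2
 switchport mode dynamic auto
interface GigabitEthernet0/24
 switchport mode trunk
"""

GLOBAL_RULES = [  # (pattern that must appear in the config, finding reported if it does not)
    (r"^ transport input ssh$", "VTY lines not restricted to SSH (Telnet may be reachable)"),
    (r"^snmp-server community \S+ R[OW] \S+$", "SNMP community not limited by an access list"),
    (r"^logging host ", "no external logging host"),
]

def interfaces(config):
    """Map each 'interface X' stanza to its indented sub-commands."""
    return {name: [l.strip() for l in body.splitlines()]
            for name, body in re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M)}

def audit_port(lines):
    """Findings for one port against the access/distribution layer rules."""
    f = []
    if "switchport mode trunk" in lines:  # trunks need a dedicated native VLAN id, not the default
        if not any(l.startswith("switchport trunk native vlan") for l in lines):
            f.append("802.1Q trunk still uses the default native VLAN")
        return f
    if "switchport mode access" not in lines or "switchport nonegotiate" not in lines:
        f.append("trunk negotiation not set to OFF (DTP left at AUTO)")
    if not any(re.fullmatch(r"switchport port-security maximum [1-5]", l) for l in lines):
        f.append("MAC address limit missing or above 5")
    if not any(l.startswith("storm-control broadcast") for l in lines):
        f.append("no broadcast storm control")
    return f

def audit(config):
    """Return {scope: [findings]} for every scope (global or port) that breaks a rule."""
    report = {"global": [msg for pat, msg in GLOBAL_RULES if not re.search(pat, config, re.M)]}
    report.update({name: audit_port(body) for name, body in interfaces(config).items()})
    return {scope: found for scope, found in report.items() if found}
```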
High Availability
Load Balancing
Management Block
[Diagram: management block with NIDS sensors and HIDS.]
Key Devices
• Firewalls
• NIDS and HIDS
• IDS hosts
• Syslog hosts
• SNMP management hosts
• CiscoWorks, HP OpenView
• System admin host
Out of Band Management
• Preferred method of management
• Isolated from the production network
• Physical isolation
In Band Management
• Only management traffic
• Different address space than the production network
• NAT
• Encryption (IPsec, SSH, SSL)
• Firewall security + IDS
Best Practices
• Only use in-band management when necessary
• PVLAN segregation among hosts in the management block
• Periodic log review
• Configuration baseline establishment
• Periodic baseline checking
Threats Mitigated
The best practices above (in-band management only when necessary, PVLAN segregation in the management block, periodic log review, configuration baseline establishment and periodic baseline checking) mitigate:
• Unauthorised access
• Man-in-the-middle attacks
• Network reconnaissance
• Packet sniffing
• Compromised host hopping
• Hacking attempts going unnoticed
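As an added example (not from the original slides) of the last two management-block practices, the following Python establishes a configuration baseline and checks a later copy against it, ignoring the timestamp comments IOS rewrites on every save so that only real changes count as drift. The two configs, hostname and addresses are constructed for the example.

```python
import difflib
import hashlib
import re

# Comment lines IOS rewrites on every save; left in, every check would report drift.
VOLATILE = re.compile(r"^! (Last configuration change|NVRAM config last updated|No configuration change)")

def normalize(config):
    """Config as a stable list of lines: volatile comments and blank lines removed."""
    return [l.rstrip() for l in config.splitlines() if l.strip() and not VOLATILE.match(l)]

def baseline(config):
    """Establish the baseline: a SHA-256 digest of the normalized config."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()

def check(baseline_config, current_config):
    """Periodic check: (True, []) if unchanged, else (False, the drifted lines)."""
    diff = difflib.unified_diff(normalize(baseline_config), normalize(current_config), lineterm="", n=0)
    drift = [l for l in diff if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]
    return baseline(baseline_config) == baseline(current_config), drift

# Constructed sample (not from the slides): the config saved as the baseline ...
BASELINE = """\
! Last configuration change at 09:00:00 UTC Mon Jan 1 2001
hostname mgmt-sw1
logging host 10.99.0.10
line vty 0 4
 transport input ssh
"""
# ... and a later copy in which Telnet was re-enabled on the VTY lines.
CURRENT = """\
! Last configuration change at 03:12:45 UTC Sat Jan 6 2001
hostname mgmt-sw1
logging host 10.99.0.10
line vty 0 4
 transport input telnet ssh
"""
```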
Server Block
[Diagram: server block with NIDS sensors and HIDS on the servers.]
Key Devices
• Firewalls
• NIDS and HIDS
• NTP server
• TACACS+ server
• Certificate server
• SecurID server (strong authentication)
• Corporate servers
• Call Manager
• DNS servers
• E-mail servers
• Etc.
Best Practices
• Firewall and NIDS implementation
• PVLAN isolation for each server
• Host-based IDS on each server
• Service redundancy
• Backup policy
• Logging to an external server in the management module
• Version control
Threats Mitigated
The best practices above (firewall and NIDS implementation, host-based IDS on each server, PVLAN isolation for each server, service redundancy, logging to an external server in the management module, backup policy and version control) mitigate:
• Unauthorized access
• IP spoofing
• Application layer attacks
• Trust exploitation
• Compromised host hopping
• Packet sniffing
• DoS
• Hacking attempts going unnoticed
• Lost data
WAN Block
[Diagram: WAN block with a crypto cluster (CC) and a NIDS sensor.]
Key Devices
• Firewalls
• NIDS
• Crypto clusters
• Routers
Best Practices
• Data encryption
• Access list implementation
• High availability through different providers
Threats Mitigated
The best practices above (data encryption, access list implementation, high availability through different providers) mitigate:
• Data theft
• Man-in-the-middle attacks
• IP spoofing
• Unauthorized access
• DoS
Internet Block
[Diagram: Internet block with HIDS on the public servers, a NIDS sensor and VPN concentrators.]
Key Elements
• Firewalls
• HIDS and NIDS
• VPN concentrator
• HTTP servers
• DNS servers
Best Practices
• Security policy with the ISP to mitigate DDoS
• Private VLAN isolation among servers
• No corporate servers at this point
• High availability through different ISPs
• VPN for remote user access
Threats Mitigated
The best practices above (security policy with the ISP, private VLAN isolation among servers, firewall, NIDS and HIDS implementation, high availability through different ISPs, VPN for remote user access, no corporate servers at this point) mitigate:
• IP spoofing
• Packet sniffing
• Compromised host hopping
• Hacking attempts going unnoticed
• DDoS attacks
• Unauthorized access
THE END
