Page 1: Designing for Pervasive Network Security. Designing for Security Our aim in this section will be to concentrate on how campus Networks can be designed.

Designing for Pervasive Network Security

Page 2

Designing for Security

• Our aim in this section will be to concentrate on how campus Networks can be designed to address some of the security overlays
  – Detailed security implementations and HP's Pervasive Network Security strategy are available in the corresponding sessions
• Key Security implementations in Enterprise Campus Networks
  – Device Management Security
  – VLAN centric design
    • Separate VLANs for management
    • Separate VLANs for Wireless clients
      – If using WLAN switching, wireless users can be on separate VLANs
    • Map VLANs to Security zones and use firewalls/security appliances where appropriate
  – Authentication and Authorisation
    • Network Login 802.1X
    • AutoVLANs using 802.1X
  – Identifying and Controlling Rogue Applications

Page 3

VLAN Centric Design

• VLANs provide security and traffic segmentation and are supported by Network Cards, switches, wireless access points, routers and security appliances
• Use VLANs to segment the network into logical groups or business functions
• VLANs can be mapped to IP Subnets and are terminated by routers/Layer 3 switches
• 802.1Q Tagging is a standards based VLAN tagging mechanism
• VLAN Deployment Guidelines
  – Use consistent naming and VLAN Tags for all VLANs across the network
  – Configure the correct VLAN Tags on both ends of switch-switch links
  – Configure all VLANs across all switches for complete user mobility across the campus
  – In resilient topologies ensure STP does not inadvertently block VLANs between switches (use MSTP instead)
  – Ensure that Aggregated Links carry the correct VLAN tagging information
  – Create a separate management VLAN for all active devices
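The deployment guidelines above are the kind of thing that drifts silently as a campus grows. The following is an added example (not from the HP deck) that audits a constructed switch inventory against three of them: consistent VLAN names and tags on every switch, matching tags on both ends of switch-switch links, and a dedicated management VLAN on all active devices. Switch names, port numbers and VIDs are made up for the example.

```python
"""Added example, not from the HP deck: audit a constructed switch inventory
against the VLAN deployment guidelines above (consistent names and tags on
every switch, matching tags on both ends of switch-switch links, a dedicated
management VLAN on all active devices). Switch names and VIDs are made up."""

# Constructed inventory: switch -> {VID: VLAN name}
SWITCHES = {
    "core1":    {1: "MGMT", 10: "Staff", 20: "Students", 30: "Wireless"},
    "closet-a": {1: "MGMT", 10: "Staff", 20: "Students", 30: "Wireless"},
    "closet-b": {1: "MGMT", 10: "Staff", 20: "Student", 30: "Wireless"},  # name drift
    "closet-c": {10: "Staff", 20: "Students", 30: "Wireless"},            # no mgmt VLAN
}
# Switch-switch links as ((switch, port), (switch, port)) ...
LINKS = [
    (("core1", "24"), ("closet-a", "49")),
    (("core1", "23"), ("closet-b", "49")),
    (("core1", "22"), ("closet-c", "49")),
]
# ... and the set of tagged VIDs configured on each link port.
TAGGED = {
    ("core1", "24"): {1, 10, 20, 30}, ("closet-a", "49"): {1, 10, 20, 30},
    ("core1", "23"): {1, 10, 20, 30}, ("closet-b", "49"): {1, 10, 20},  # VLAN30 missing
    ("core1", "22"): {10, 20, 30},    ("closet-c", "49"): {10, 20, 30},
}
MGMT_VID = 1

def audit(switches=SWITCHES, links=LINKS, tagged=TAGGED, mgmt_vid=MGMT_VID):
    """Return a list of guideline violations (empty when the design is consistent)."""
    findings = []
    all_vids = set().union(*(vl.keys() for vl in switches.values()))
    for vid in sorted(all_vids):
        # consistent naming across the network
        names = {sw: vl[vid] for sw, vl in switches.items() if vid in vl}
        if len(set(names.values())) > 1:
            findings.append(f"VLAN {vid} named inconsistently: {names}")
        # every VLAN on every switch, for user mobility across the campus
        missing = [sw for sw, vl in switches.items() if vid not in vl]
        if missing:
            findings.append(f"VLAN {vid} not configured on {missing} (breaks mobility)")
    # correct tags on both ends of each switch-switch link
    for a, b in links:
        if tagged[a] != tagged[b]:
            findings.append(f"link {a}-{b} tag mismatch on VLANs {sorted(tagged[a] ^ tagged[b])}")
    # a separate management VLAN on all active devices
    for sw, vl in switches.items():
        if mgmt_vid not in vl:
            findings.append(f"{sw} has no management VLAN {mgmt_vid}")
    return findings
```

Running `audit()` on the constructed inventory reports four findings: the name drift on VLAN 20, VLAN 1 absent from closet-c, the VLAN30 tag missing on one end of the core1 to closet-b link, and closet-c lacking a management VLAN.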

Page 4

Device Management Security

• For networks concerned about the security of their active devices the following security capabilities should be considered
  – User Authentication for Device Management: Only authenticated users can access device management (RADIUS or Local)
  – Authorised manager access (Trusted IP): Only authorised IP addresses or subnets can gain management access
  – Device Management VLAN: Separate configurable VLAN/subnet for management
  – Selectable Device management options and encrypted management sessions: Enable/Disable TELNET, HTTP access and support for SSH, HTTPS etc.
• A combination or all of these capabilities could be deployed to provide device protection for switches, routers and appliances

Page 5

Device Management VLAN

• A dedicated VLAN for management of active devices can be deployed for greater control
• The Device Management VLAN can span the entire campus using VLAN tagging
• Access to management can be in-band or out of band
  – For in-band access, use routing with ACLs or security appliances to control traffic to the management VLAN
• Considerations for Device Management VLAN
  – Ensure devices support a configurable VID for management
  – Campus wide management VLANs are more applicable in centralised Layer 3 topologies
  – Device Management VLANs can also be localised within a wiring closet or a building for distributed L3 topologies

[Figure: Management VLAN (VID=1) spanning the campus switches alongside the user VLANs VLAN10, VLAN20, VLAN30, VLAN40, VLAN50 and VLAN60]
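The two slides above (Device Management Security and Device Management VLAN) combine into one control point for in-band management: an ACL on the router or Layer 3 switch facing the management VLAN. This is an added example, not from the HP deck, of a first-match ACL that expresses those controls: only trusted manager subnets reach the management subnet, and only over encrypted SSH/HTTPS, never Telnet/HTTP. All addresses, the VLAN numbering and the sample flows are constructed.

```python
"""Added example, not from the HP deck: a first-match ACL that a router or
Layer 3 switch could apply to traffic entering an in-band Device Management
VLAN, expressing the controls on the last two slides: only trusted manager
subnets reach the management subnet, and only over encrypted SSH/HTTPS, never
Telnet/HTTP. All addresses, VLAN numbering and sample flows are constructed."""
from ipaddress import ip_address, ip_network

MGMT_SUBNET = ip_network("10.1.0.0/24")              # Device Management VLAN
TRUSTED_MANAGERS = [ip_network("10.250.10.0/24")]    # NOC workstation subnet
ANY = ip_network("0.0.0.0/0")
ENCRYPTED = {22: "ssh", 443: "https"}                # permitted management sessions
CLEARTEXT = {23: "telnet", 80: "http"}               # explicitly denied

def build_mgmt_acl():
    """Ordered (action, src_net, dst_net, proto, dport, reason) entries."""
    acl = [("permit", src, MGMT_SUBNET, "tcp", port, name)
           for src in TRUSTED_MANAGERS for port, name in ENCRYPTED.items()]
    acl += [("deny", ANY, MGMT_SUBNET, "tcp", port, f"{name} not allowed")
            for port, name in CLEARTEXT.items()]
    acl.append(("deny", ANY, MGMT_SUBNET, "any", None, "implicit deny"))
    return acl

def evaluate(acl, src, dst, proto, dport):
    """Return (action, reason) from the first entry matching the flow."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net, p, port, reason in acl:
        if s in src_net and d in dst_net and p in ("any", proto) and port in (None, dport):
            return action, reason
    return "deny", "no match"   # unreachable with the implicit deny, kept for safety

if __name__ == "__main__":
    acl = build_mgmt_acl()
    flows = [   # constructed flows toward a switch's management address
        ("10.250.10.7", "10.1.0.5", "tcp", 22),   # NOC over SSH -> permit
        ("10.250.10.7", "10.1.0.5", "tcp", 23),   # NOC over Telnet -> deny
        ("10.20.5.9", "10.1.0.5", "tcp", 443),    # student VLAN over HTTPS -> deny
        ("10.20.5.9", "10.1.0.5", "udp", 161),    # SNMP from untrusted host -> deny
    ]
    for flow in flows:
        print(flow, "->", evaluate(acl, *flow))
```

Note that a trusted manager host using Telnet is still denied: the Trusted IP control and the encrypted-sessions control are independent, and both have to pass.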

Page 6

Network Authentication and Authorisation

• Why use 802.1X?
  – Users must authenticate before gaining access to network resources
  – All authorizations can be administered centrally
  – Accounting records can be held (who, when, where)
    • Log files can record various session data: packet counts, session durations, user names
    • Information can be used for billing
  – Security Auditing
    • Network Administrators can record who is accessing the network in real time
  – Management
    • Network Management applications can display user information
    • Clients can be dynamically tracked in real time using Network Management

Page 7

Network Login and wired VLANs

• 802.1X Network Login can be associated with VLANs using the following methods
• Static
  – Authenticated users assume the pre-configured VLAN membership of their connected port
• Dynamic (AutoVLANs)
  – Authenticated users are dynamically placed in their corresponding VLAN based on RADIUS attributes
• Non-authenticated users are either excluded or become members of a "guest" VLAN
• Some devices such as telephones are automatically authenticated based on MAC address

Page 8

Auto VLAN and QoS Assignment using 802.1X

[Figure: Auto VLAN and QoS assignment. An unknown user (User ID: ?, Pwd: ?) is placed in the GuestVLAN; a valid user (User ID: Teacher) is placed in the Teacher VLAN (StaffVLAN) with QoS Profile: Email LowP, Web LowP, guest Records Server HighP]

Page 9

Network Login and wireless VLANs

• Wireless users can be placed dynamically in the appropriate VLAN using 802.1X Network Login and RADIUS (VLAN ID)
• VLAN tagging on the Ethernet port of the Access Point ensures that the AP is aware of all configured VLANs
• The Wireless Access Point will tunnel wireless user traffic on the appropriate tagged VLAN already configured on its Ethernet port
• Network Login based Wireless VLANs can deliver end-to-end mobility across wired and wireless media
• Access Points also support multiple SSIDs that can be mapped to separate VLANs for a greater level of security

Page 10

Auto VLAN Assignment using 802.1X with Wireless Access Points

[Figure: Auto VLAN assignment using 802.1X with wireless access points. An unknown user (User ID: ?, Pwd: ?) is placed in the GuestVLAN; a valid user (User ID: Teacher) is placed in the Teacher VLAN (StaffVLAN)]

Page 11

Mapping VLANs to Security Zones

• Map vulnerable VLANs (e.g. wireless, guest VLAN) to Security zones in security appliances/Firewalls for greater control
• If all VLANs are mapped to security zones then routing will be centralised by the security appliance
  – May have performance implications
• A combination of Layer 3 switching, ACLs and Security zones can provide greater protection without major performance compromises
• When multiple VLANs are mapped to a Security zone, interVLAN routing within the security zone can be controlled by the local Layer 3 switch
• Use routing policies or default routes for sending traffic to the enforcement point

[Figure: Policy Enforcement Point connecting the LAN 1 Security Zone, LAN 2 Security Zone, Wireless Security Zone, WAN Security Zone and Internet DMZ]

Page 12

Security Zones and VLANs

[Figure: Security Zones and VLANs. VLAN1, VLAN2 and VLAN3 in Security Zone A; VLAN10, VLAN11 and VLAN12 in Security Zone B; routed virtual interfaces; Security Zones C, D and E]

Page 13

Controlling Rogue Applications

• Use QoS and Application Filtering to control rogue applications where they originate from: the Access Layer
• Using Network Management, rogue users and applications can be identified quickly and corrective action taken
• Example: How Application Filtering and autoQoS assignment on the Switch 4400 could stop the proliferation of the W32.Blaster.Worm virus
• W32.Blaster.Worm virus exploits TCP:135 "DCOM RPC" and UDP:69 "TFTP"
  – Create a classifier on the 4400 for TCP:135 and UDP:69
  – Create a QoS profile called Blaster, assign the previous classifiers and apply the discard service level
  – Enable 802.1X, AutoVLANs and autoQoS on the user ports
  – On the RADIUS server assign to all users the filter-id=Blaster attribute
  – Next time a user logs in to the network the Blaster profile will be applied on the switched port the user connects to
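The Blaster procedure above and the static/dynamic VLAN methods on the Network Login slide both come down to what an access port does with the RADIUS reply. This is an added example, not from the HP deck or the Switch 4400 firmware, modelling that behaviour: an Access-Accept carrying the RFC 3580 tunnel attributes selects the AutoVLAN and Filter-Id selects the QoS profile, a reject or absent supplicant leaves the port excluded or in the guest VLAN, and the "Blaster" profile discards TCP:135 and UDP:69 at the user port. VIDs, VLAN names and the sample packets are constructed.

```python
"""Added example, not from the HP deck: a model of how an 802.1X access port
applies the result of Network Login (slide 7) and the RADIUS-assigned QoS
profile from the Blaster example above. An Access-Accept carrying the RFC 3580
tunnel attributes selects the AutoVLAN and Filter-Id selects the profile; a
reject or absent supplicant leaves the port excluded or in the guest VLAN. The
"Blaster" profile discards TCP:135 and UDP:69 at the user port. VIDs, names
and the sample packets are constructed."""

GUEST_VID = 99
VLAN_BY_NAME = {"Teacher": 10, "Staff": 20}     # AutoVLAN name -> VID
QOS_PROFILES = {                               # profile -> (proto, dport, service level)
    "Blaster": [("tcp", 135, "discard"), ("udp", 69, "discard")],
}

def apply_login(radius_reply, port_vid=None, guest_vlan_enabled=True):
    """Port state {vid, profile} after a login; radius_reply is None (no
    supplicant / timeout) or a dict of RADIUS attributes from the server."""
    if not radius_reply or radius_reply.get("code") != "Access-Accept":
        # non-authenticated users are excluded or become members of the guest VLAN
        return {"vid": GUEST_VID if guest_vlan_enabled else None, "profile": None}
    vid = port_vid   # Static method: keep the port's pre-configured VLAN by default
    # Dynamic (AutoVLAN), RFC 3580: Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6),
    # Tunnel-Private-Group-ID=VID (a name lookup is included for servers that return names)
    if radius_reply.get("Tunnel-Type") == 13 and radius_reply.get("Tunnel-Medium-Type") == 6:
        group = str(radius_reply.get("Tunnel-Private-Group-ID"))
        vid = int(group) if group.isdigit() else VLAN_BY_NAME.get(group, port_vid)
    profile = radius_reply.get("Filter-Id")          # e.g. filter-id=Blaster
    return {"vid": vid, "profile": profile if profile in QOS_PROFILES else None}

def forward(port_state, proto, dport):
    """Service level the port gives a user packet: 'blocked' when excluded,
    the classifier's level on a hit, otherwise 'forward'."""
    if port_state["vid"] is None:
        return "blocked"
    for p, d, level in QOS_PROFILES.get(port_state["profile"], []):
        if (p, d) == (proto, dport):
            return level
    return "forward"

if __name__ == "__main__":
    teacher = {"code": "Access-Accept", "Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
               "Tunnel-Private-Group-ID": "Teacher", "Filter-Id": "Blaster"}
    port = apply_login(teacher)
    print(port, forward(port, "tcp", 135), forward(port, "tcp", 443))
    print(apply_login({"code": "Access-Reject"}))
```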

Page 14

Summary

• Efficient Convergence Network Design is key to performance, business continuity and scalability

• Multi-tiered hierarchical network design provides significant benefits in terms of scalability and fault tolerance

• Business Continuity is delivered by introducing high availability capabilities across all network design layers

• Campus Network Designs can be optimised to support Convergence applications by taking into account service performance parameters, traffic prioritisation and support for multicast

• Pervasive Network security addresses multiple threats, at multiple network design areas and through a variety of mechanisms