Designing for Pervasive Network Security
Designing for Security
• Our aim in this section will be to concentrate on how campus networks can be designed to address some of the security overlays
  – Detailed security implementations and HP's Pervasive Network Security strategy are available in the corresponding sessions
• Key security implementations in Enterprise Campus Networks
  – Device Management Security
  – VLAN centric design
    • Separate VLANs for management
    • Separate VLANs for wireless clients
      – If using WLAN switching, wireless users can be on separate VLANs
    • Map VLANs to security zones and use firewalls/security appliances where appropriate
  – Authentication and Authorisation
    • Network Login 802.1X
    • AutoVLANs using 802.1X
  – Identifying and Controlling Rogue Applications
VLAN Centric Design
• VLANs provide security and traffic segmentation and are supported by network cards, switches, wireless access points, routers and security appliances
• Use VLANs to segment the network into logical groups or business functions
• VLANs can be mapped to IP subnets and are terminated by routers/Layer 3 switches
• 802.1Q tagging is the standards-based VLAN tagging mechanism
• VLAN deployment guidelines
  – Use consistent naming and VLAN tags for all VLANs across the network
  – Configure the correct VLAN tags on both ends of switch-switch links
  – Configure all VLANs across all switches for complete user mobility across the campus
  – In resilient topologies ensure STP does not inadvertently block VLANs between switches (use MSTP instead)
  – Ensure that aggregated links carry the correct VLAN tagging information
  – Create a separate management VLAN for all active devices
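The first three deployment guidelines can be checked mechanically before a VLAN change is rolled out. The following Python audit is an added example, not part of the deck or any HP tool; the switch inventory and trunk links are constructed sample data, and the finding strings are my own wording.

```python
"""Audit the VLAN deployment guidelines above over a constructed switch inventory."""
from typing import Dict, List, Set, Tuple

# Constructed inventory (not real devices): switch -> {VID: VLAN name}
SWITCHES: Dict[str, Dict[int, str]] = {
    "core-1": {10: "Staff", 20: "Students", 30: "Wireless", 99: "Mgmt"},
    "edge-a": {10: "Staff", 20: "Students", 30: "Wireless", 99: "Mgmt"},
    "edge-b": {10: "Staff", 20: "Student", 30: "Wireless"},   # name drift, Mgmt missing
}

# Constructed switch-switch links: ((switch, port, tagged VIDs), (switch, port, tagged VIDs))
End = Tuple[str, str, Set[int]]
LINKS: List[Tuple[End, End]] = [
    (("core-1", "A1", {10, 20, 30, 99}), ("edge-a", "49", {10, 20, 30, 99})),
    (("core-1", "A2", {10, 20, 30, 99}), ("edge-b", "49", {10, 20, 30})),  # 99 not tagged on edge-b
]

def audit_vlan_names(switches: Dict[str, Dict[int, str]]) -> List[str]:
    """Guideline: consistent naming and VLAN tags for all VLANs across the network."""
    by_vid: Dict[int, Dict[str, List[str]]] = {}
    for sw, table in switches.items():
        for vid, name in table.items():
            by_vid.setdefault(vid, {}).setdefault(name, []).append(sw)
    return [f"VLAN {vid} named inconsistently: {names}"
            for vid, names in sorted(by_vid.items()) if len(names) > 1]

def audit_vlan_presence(switches: Dict[str, Dict[int, str]]) -> List[str]:
    """Guideline: configure all VLANs on all switches for complete user mobility."""
    all_vids: Set[int] = set().union(*switches.values())   # iterating a dict yields its VIDs
    return [f"{sw} is missing VLANs {sorted(all_vids - set(table))}"
            for sw, table in switches.items() if all_vids - set(table)]

def audit_links(links: List[Tuple[End, End]]) -> List[str]:
    """Guideline: the same VLAN tags on both ends of every switch-switch link."""
    findings = []
    for (sw_a, p_a, tags_a), (sw_b, p_b, tags_b) in links:
        if tags_a != tags_b:   # a VLAN tagged on one end only is black-holed on that link
            findings.append(f"{sw_a}:{p_a} <-> {sw_b}:{p_b} tag mismatch: "
                            f"{sorted(tags_a ^ tags_b)}")
    return findings

def run_audit(switches=SWITCHES, links=LINKS) -> List[str]:
    return audit_vlan_names(switches) + audit_vlan_presence(switches) + audit_links(links)

if __name__ == "__main__":
    for finding in run_audit():
        print("FINDING:", finding)
```

On the sample data the audit reports the VLAN 20 naming drift, the management VLAN missing from edge-b, and the trunk to edge-b that carries VLAN 99 on one end only.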
Device Management Security
• For networks concerned about the security of their active devices, the following security capabilities should be considered
  – User authentication for device management: only authenticated users can access device management (RADIUS or local)
  – Authorised manager access (trusted IP): only authorised IP addresses or subnets can gain management access
  – Device management VLAN: separate configurable VLAN/subnet for management
  – Selectable device management options and encrypted management sessions: enable/disable Telnet and HTTP access, with support for SSH, HTTPS etc.
• A combination or all of these capabilities can be deployed to provide device protection for switches, routers and appliances
Device Management VLAN
• A dedicated VLAN for management of active devices can be deployed for greater control
• The device management VLAN can span the entire campus using VLAN tagging
• Access to management can be in-band or out-of-band
  – For in-band access, use routing with ACLs or security appliances to control traffic to the management VLAN
• Considerations for the device management VLAN
  – Ensure devices support a configurable VID for management
  – Campus-wide management VLANs are more applicable in centralised Layer 3 topologies
  – Device management VLANs can also be localised within a wiring closet or a building for distributed Layer 3 topologies
[Figure: campus switches sharing a Management VLAN (VID=1) alongside user VLANs 10, 20, 30, 40, 50 and 60]
Network Authentication and Authorisation
• Why use 802.1X?
  – Users must authenticate before gaining access to network resources
  – All authorisations can be administered centrally
  – Accounting records can be kept (who, when, where)
    • Log files can record various session data: packet counts, session durations, user names
    • Information can be used for billing
  – Security auditing
    • Network administrators can record who is accessing the network in real time
  – Management
    • Network management applications can display user information
    • Clients can be dynamically tracked in real time using network management
Network Login and wired VLANs
• 802.1X Network Login can be associated with VLANs using the following methods
  – Static: authenticated users assume the pre-configured VLAN membership of their connected port
  – Dynamic (AutoVLANs): authenticated users are dynamically placed in their corresponding VLAN based on RADIUS attributes
• Non-authenticated users are either excluded or become members of a “guest” VLAN
• Some devices, such as telephones, are automatically authenticated based on MAC address
Auto VLAN and QoS Assignment using 802.1X
[Figure: a user with no credentials is placed in the Guest VLAN; user “Teacher” authenticates with a password and is placed in the Staff VLAN (VLAN ID: Teacher VLAN) with QoS profile Email LowP, Web LowP, Records Server HighP]
Network Login and wireless VLANs
• Wireless users can be placed dynamically in the appropriate VLAN using 802.1X Network Login and RADIUS (VLAN ID)
• VLAN tagging on the Ethernet port of the access point ensures that the AP is aware of all configured VLANs
• The wireless access point will tunnel wireless user traffic onto the appropriate tagged VLAN already configured on its Ethernet port
• Network Login based wireless VLANs can deliver end-to-end mobility across wired and wireless media
• Access points also support multiple SSIDs that can be mapped to separate VLANs for a greater level of security
Auto VLAN Assignment using 802.1X with Wireless Access Points
[Figure: a wireless user with no credentials is placed in the Guest VLAN; user “Teacher” authenticates with a password and is placed in the Staff VLAN (VLAN ID: Teacher VLAN)]
Mapping VLANs to Security Zones
• Map vulnerable VLANs (e.g. wireless, guest VLAN) to security zones in security appliances/firewalls for greater control
• If all VLANs are mapped to security zones then routing will be centralised by the security appliance
  – May have performance implications
• A combination of Layer 3 switching, ACLs and security zones can provide greater protection without major performance compromises
• When multiple VLANs are mapped to a security zone, inter-VLAN routing within the security zone can be controlled by the local Layer 3 switch
• Use routing policies or default routes for sending traffic to the enforcement point
[Figure: a policy enforcement point joining the LAN 1, LAN 2, Wireless and WAN security zones and an Internet DMZ]
Security Zones and VLANs
[Figure: VLAN1, VLAN2 and VLAN3 mapped to Security Zone A; VLAN10, VLAN11 and VLAN12 mapped to Security Zone B; Security Zones C, D and E reached over routed virtual interfaces]
Controlling Rogue Applications
• Use QoS and application filtering to control rogue applications where they originate from: the access layer
• Using network management, rogue users and applications can be identified quickly and corrective action taken
• Example: how application filtering and autoQoS assignment on the Switch 4400 could stop the proliferation of the W32.Blaster.Worm virus
  – W32.Blaster.Worm exploits TCP:135 (“DCOM RPC”) and UDP:69 (“TFTP”)
  – Create a classifier on the 4400 for TCP:135 and UDP:69
  – Create a QoS profile called Blaster, assign the previous classifiers and apply the discard service level
  – Enable 802.1X, AutoVLANs and autoQoS on the user ports
  – On the RADIUS server assign the filter-id=Blaster attribute to all users
  – Next time a user logs in to the network, the Blaster profile will be applied on the switched port the user connects to
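The following Python is an added example, not code from the deck or from HP, that models two slides together: the static/dynamic/guest/MAC-based port outcomes from the Network Login and wired VLANs slide, and the Blaster profile procedure above. GUEST_VLAN, PHONE_MACS, PHONE_VLAN and the sample attribute values are assumptions; Tunnel-Private-Group-ID and Filter-Id are the standard RADIUS attributes (RFC 3580 and RFC 2865) used to carry the VLAN and filter assignment.

```python
"""Model the Network Login outcomes and the Blaster QoS profile (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed switch settings (assumptions, not HP defaults)
GUEST_VLAN: Optional[int] = 50         # None would mean non-authenticated users are excluded
PHONE_MACS = {"00:11:22:33:44:55"}      # devices authenticated by MAC address (telephones)
PHONE_VLAN = 40

# QoS profile "Blaster" as built on the slide: classifiers TCP:135 and UDP:69, service level discard
QOS_PROFILES: Dict[str, Dict] = {
    "Blaster": {"classifiers": [("tcp", 135), ("udp", 69)], "service_level": "discard"},
}

@dataclass
class PortState:
    vlan: Optional[int]                 # None = port excluded from the network
    qos_profile: Optional[str] = None   # switch profile selected by the RADIUS Filter-Id

def authorize_port(auth_ok: bool, radius_attrs: Dict[str, str], mac: str,
                   static_vlan: int, auto_vlan: bool = True) -> PortState:
    """Decide VLAN membership and QoS profile for a port after a login attempt."""
    if mac in PHONE_MACS:                                   # MAC-based authentication
        return PortState(PHONE_VLAN)
    if not auth_ok:                                         # guest VLAN, or excluded if None
        return PortState(GUEST_VLAN)
    vlan = static_vlan                                      # static: keep the port's own VLAN
    if auto_vlan and "Tunnel-Private-Group-ID" in radius_attrs:
        vlan = int(radius_attrs["Tunnel-Private-Group-ID"])  # dynamic AutoVLAN (RFC 3580)
    profile = radius_attrs.get("Filter-Id")                 # filter-id=Blaster from RADIUS
    return PortState(vlan, profile if profile in QOS_PROFILES else None)

def forward_decision(port: PortState, proto: str, dst_port: int) -> str:
    """Apply the port's QoS profile to one flow: returns 'discard' or 'forward'."""
    if port.vlan is None:
        return "discard"
    prof = QOS_PROFILES.get(port.qos_profile or "")
    if prof and (proto, dst_port) in prof["classifiers"]:
        return prof["service_level"]
    return "forward"

# Constructed Access-Accept attributes for user "Teacher": VLAN 20 plus the Blaster filter
TEACHER_ACCEPT = {"Tunnel-Type": "13", "Tunnel-Medium-Type": "6",
                  "Tunnel-Private-Group-ID": "20", "Filter-Id": "Blaster"}

if __name__ == "__main__":
    port = authorize_port(True, TEACHER_ACCEPT, "aa:bb:cc:dd:ee:01", static_vlan=10)
    print(port, forward_decision(port, "tcp", 135), forward_decision(port, "tcp", 80))
```

Note that a user who lands in the guest VLAN never received the Filter-Id, so the discard rule does not apply there; the slide's approach only covers authenticated ports unless the guest VLAN gets its own profile.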
Summary
• Efficient Convergence Network Design is key to performance, business continuity and scalability
• Multi-tiered hierarchical network design provides significant benefits in terms of scalability and fault tolerance
• Business Continuity is delivered by introducing high availability capabilities across all network design layers
• Campus Network Designs can be optimised to support Convergence applications by taking into account service performance parameters, traffic prioritisation and support for multicast
• Pervasive Network security addresses multiple threats, at multiple network design areas and through a variety of mechanisms