PACE-IT, Security+1.3: Secure Network Design Elements and Components

Secure network design elements and components.

Transcript of PACE-IT, Security+1.3: Secure Network Design Elements and Components

Page 1

Page 2

Brian K. Ferrill, M.B.A.
Instructor, PACE-IT Program – Edmonds Community College

Areas of Expertise: PC Hardware; Network Administration; IT Project Management; Network Design; User Training; IT Troubleshooting.

Industry Certifications

Qualifications Summary

Education: M.B.A., IT Management, Western Governors University; B.S., IT Security, Western Governors University.

Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs, and creating the solutions required, with a focus on technology.

Page 3

Secure network design elements and components.

– Defense in depth.
– Elements and components of network design.

Page 4

Defense in depth.

Page 5

Defense in depth.

Due to the complexity of modern networks, attackers have multiple avenues they can use to breach network security.

This same complexity also allows security to be placed in multiple areas using different methods. By placing security at different levels and in different places, network administrators can increase the overall security posture of a network. This concept is known as defense in depth. Security should not be placed in a single spot, as this creates a single point of failure. Security should be placed at multiple layers of the network, using a diversity of methods, in order to create an effectively hardened network.


Just as when peeling an onion, once one layer of security is stripped away, the attacker should find another layer waiting underneath.

Page 6

Elements and components of network design.

Page 7

Elements and components of network design.

– Demilitarized zone (DMZ).
» The DMZ is a specific area (zone) created—usually between two firewalls—that allows outside access to network resources (e.g., a Web server), while the internal network remains protected from outside traffic.
• The external-facing router allows specific outside traffic into the DMZ, while the internal router prevents that same outside traffic from entering the internal network.
– Network address translation (NAT).
» NAT is a technique used to allow private IP addresses to be routed across, or through, an untrusted public network.
• The NAT device—usually a router—assigns a public routable IP address to a device that is requesting outside access.
» NAT has the added benefit of protecting the internal private network.
• The private network’s IP addressing scheme is hidden from untrusted networks by the NAT-enabled router.
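The two-firewall DMZ described above, modelled as an added example (this is not code from the PACE-IT course): each firewall is a default-deny rule list, and a flow is allowed only if every filter on its path permits it. The zone addresses and the back-end port 5432 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed zone addressing for this example (documentation ranges, not a real network).
ZONES = {
    "dmz": ipaddress.ip_network("203.0.113.0/28"),
    "internal": ipaddress.ip_network("10.10.0.0/16"),
}

def zone_of(addr: str) -> str:
    """Classify an address; anything outside the DMZ and internal ranges is 'internet'."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "internet")

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]   # None matches any destination port

# External firewall: only web traffic from the internet may reach the DMZ.
EXTERNAL_RULES: List[Rule] = [Rule("internet", "dmz", 80), Rule("internet", "dmz", 443)]
# Internal firewall: nothing sourced from the internet may enter the internal network;
# only the DMZ web tier may reach the (constructed) internal database port.
INTERNAL_RULES: List[Rule] = [Rule("dmz", "internal", 5432)]

def filter_permits(rules: List[Rule], src_zone: str, dst_zone: str, port: int) -> bool:
    """Default deny: a flow passes a filter only if some rule explicitly matches it."""
    return any(r.src_zone == src_zone and r.dst_zone == dst_zone
               and r.dst_port in (None, port) for r in rules)

def inbound_allowed(src: str, dst: str, port: int) -> bool:
    """Evaluate an inbound flow against every filter on its path.
    internet -> DMZ crosses the external firewall only; internet -> internal must
    pass both firewalls; DMZ -> internal crosses the internal firewall only."""
    s, d = zone_of(src), zone_of(dst)
    path = []
    if s == "internet":
        path.append(EXTERNAL_RULES)
    if d == "internal":
        path.append(INTERNAL_RULES)
    if not path or d == "internet":
        return False   # outbound and intra-zone traffic is outside this example's scope
    return all(filter_permits(rules, s, d, port) for rules in path)

if __name__ == "__main__":
    print(inbound_allowed("198.51.100.7", "203.0.113.5", 443))  # internet -> DMZ web: allowed
    print(inbound_allowed("198.51.100.7", "10.10.1.20", 443))   # internet -> internal: denied
```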


Page 8

Elements and components of network design.

– Network access control (NAC).
» NAC is a method of controlling who and what gains access to a wired or wireless network.
• In most cases, NAC uses a combination of credential-based security (e.g., 802.1X) and some form of posture assessment for a device attempting to log on to the network.
» A posture assessment considers the state of the requesting device. The device must meet a set of minimum standards before it is allowed access to the network.
• Common device assessments include the type of device, the operating system, the patch level of the operating system, and the presence of anti-malware software and how up to date it is.
– Virtualization.
» Virtualization is the process of creating virtual resources instead of actual resources.
• Hardware, operating systems, and complete networks can be virtualized.
» A security advantage of virtualization is that, if the virtual resource is compromised, it can easily be taken down, recovered, fixed, and then brought back online.
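The NAC posture assessment described above, written out as an added example (not code from the PACE-IT course): the device's reported state is checked against minimum standards for device type, operating system and patch level, and anti-malware presence and freshness. The policy values, sample postures and assessment date are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Minimum standards a device must meet. Constructed policy values for this example;
# they are not taken from the PACE-IT slides.
POLICY = {
    "allowed_device_types": {"laptop", "desktop"},
    # lowest acceptable OS build/release per approved operating system
    "min_patch_level": {"Windows 10": 19045, "Ubuntu": 2204},
    "max_signature_age_days": 7,
}

@dataclass(frozen=True)
class Posture:
    """What the NAC agent reports about the device asking to join the network."""
    device_type: str
    os_name: str
    os_patch_level: int
    anti_malware_present: bool
    signatures_updated: Optional[date]   # None when no signature date is reported

def assess(p: Posture, today: date) -> Tuple[str, List[str]]:
    """Compare the reported posture against POLICY.
    Returns ("allow", []) or ("deny", [reason, ...]); every failing check is listed
    so the user knows what to remediate before retrying."""
    failures: List[str] = []
    if p.device_type not in POLICY["allowed_device_types"]:
        failures.append(f"device type {p.device_type!r} is not permitted")
    required = POLICY["min_patch_level"].get(p.os_name)
    if required is None:
        failures.append(f"operating system {p.os_name!r} is not approved")
    elif p.os_patch_level < required:
        failures.append(f"patch level {p.os_patch_level} is below the required {required}")
    if not p.anti_malware_present:
        failures.append("anti-malware software is not installed")
    elif p.signatures_updated is None or \
            (today - p.signatures_updated).days > POLICY["max_signature_age_days"]:
        failures.append("anti-malware signatures are out of date")
    return ("deny" if failures else "allow"), failures

# Constructed sample postures and assessment date.
TODAY = date(2024, 6, 1)
COMPLIANT = Posture("laptop", "Windows 10", 19045, True, date(2024, 5, 30))
STALE_SIGNATURES = Posture("laptop", "Ubuntu", 2204, True, date(2024, 5, 1))
UNMANAGED = Posture("phone", "Android", 14, False, None)

if __name__ == "__main__":
    for p in (COMPLIANT, STALE_SIGNATURES, UNMANAGED):
        print(p.device_type, *assess(p, TODAY))
```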


Page 9

Elements and components of network design.

– Subnetting.
» Subnetting is the logical division of a network—a single block of IP addresses—into discrete, separate networks.
• Can be done to match the physical structure of the network (e.g., the network only requires enough addresses for 100 nodes, not 254).
• Can be done to increase the security of the network by segmenting resources by needs and security level.
– Segmentation of resources.
» Security can be increased by segmenting a network based on resources and security needs through the implementation of virtual local area networks (VLANs).
• The segmentation can be done based on user groups (e.g., a VLAN for the sales department and another one for human resources).
• The segmentation can be done based on resource type (e.g., a VLAN for file servers and another one for Web servers).
• Commonly, segmentation is accomplished with a combination of both.
» The use of VLANs supports a more secure, layered approach in the network design.
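The subnetting and VLAN segmentation points above, carried through as an added example (not code from the PACE-IT course): it sizes a subnet for a given host count (the slide's 100 nodes needing a /25 rather than a /24), carves one address block into per-department and per-resource-type subnets mapped to VLAN IDs, and checks that no two segments overlap. The address block, segment names and VLAN IDs are constructed.

```python
import ipaddress
import math
from typing import Dict, List, Tuple

def prefix_for_hosts(hosts: int) -> int:
    """Smallest IPv4 prefix length whose usable range (2**n - 2 addresses) fits `hosts`.
    100 hosts -> /25 (126 usable); 254 hosts -> /24."""
    host_bits = max(2, math.ceil(math.log2(hosts + 2)))   # +2 for network and broadcast
    return 32 - host_bits

def carve(block: str, segments: List[Tuple[str, int, int]]) -> Dict[str, Tuple[int, ipaddress.IPv4Network]]:
    """Split `block` into one right-sized subnet per (name, vlan_id, hosts) entry.
    Largest segments are placed first so the allocation stays compact; raises if the
    block runs out of space. Returns {name: (vlan_id, network)}."""
    pool = [ipaddress.ip_network(block)]          # free address space, kept as whole chunks
    plan: Dict[str, Tuple[int, ipaddress.IPv4Network]] = {}
    for name, vlan, hosts in sorted(segments, key=lambda s: -s[2]):
        plen = prefix_for_hosts(hosts)
        pool.sort(key=lambda n: n.network_address)   # lowest free chunk first
        for chunk in pool:
            if chunk.prefixlen <= plen:              # chunk is at least as big as we need
                subnet = chunk if chunk.prefixlen == plen else next(chunk.subnets(new_prefix=plen))
                pool.remove(chunk)
                if subnet != chunk:
                    pool.extend(chunk.address_exclude(subnet))   # return the leftover pieces
                plan[name] = (vlan, subnet)
                break
        else:
            raise ValueError(f"no room for {name} ({hosts} hosts) in {block}")
    return plan

def no_overlap(plan: Dict[str, Tuple[int, ipaddress.IPv4Network]]) -> bool:
    """Segmentation check: no two VLAN subnets may share addresses."""
    nets = [net for _, net in plan.values()]
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

# Constructed segmentation plan: (segment name, VLAN ID, hosts needed).
SEGMENTS = [("sales", 10, 100), ("hr", 20, 20), ("file-servers", 30, 10), ("web-servers", 40, 5)]

if __name__ == "__main__":
    plan = carve("10.20.0.0/23", SEGMENTS)
    for name, (vlan, net) in plan.items():
        print(f"VLAN {vlan:>3} {name:<13} {net} ({net.num_addresses - 2} usable hosts)")
    print("no overlapping subnets:", no_overlap(plan))
```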


Page 10

Elements and components of network design.

In modern networks, it is not uncommon to need to allow remote access to local network resources.

Remote workers often need to access resources that are located on the main business network. Doing so securely requires remote access technology. Remote access can occur using telephony technology (e.g., dial-up) or through the use of a virtual private network (VPN). In all cases, secure protocols and methods should be used in order to ensure the security of the local network. For example, one of the forms of Extensible Authentication Protocol (EAP) should be used when allowing remote access.


Page 11

What was covered.

Topic: Defense in depth.
Summary: The complexity of modern networks means that there are different avenues that attackers can use to breach a network’s security. Defense in depth involves placing security at many different layers of a network. By placing security at different layers and by using different security methods, even if the outer security is breached, the inner security remains in place.

Topic: Elements and components of network design.
Summary: Defense in depth can be implemented in multiple ways, including adding a DMZ, using NAT, implementing NAC, using virtualization, employing subnetting and segmentation, and requiring remote access technology.

Page 12

THANK YOU!

Page 13

This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53. PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.