Secure Network Design Document
May 3, 2007
Authored by: Steven Puzio
TABLE OF CONTENTS
I. Overview
II. Company Information
III. Wiring Closet Cabling and Design
IV. Network Electronics Selection
    A. IDF
    B. MDF
V. Security
    A. VLANs
    B. Firewall
    C. Network IPS
    D. Host IPS
VII. Conclusion
VIII. Network Diagram
I. Overview

Identity Theft on the Rise. Phishing Attacks at an All-Time High. Hackers Obtain Thousands of Credit Card Numbers. Headlines like these are all too often blazoned across our newspapers and magazines. Computer networks exist to provide communication tools and shared information: data is exchanged through Internet browsers, USB flash drives, email and instant messaging. The challenge is to provide a network that gives users access to internal and Internet resources while keeping its security technology current.

In the Internet age, closed networks are virtually non-existent. Most companies have reached the point of complete dependence on computers and the Internet, and with that dependence comes the issue that every IT (information technology) manager is constantly working to maintain: security. As dependence on the Internet has grown, so has the number of attacks carried out over it, as hackers attempt to exploit both new and seasoned users. A user's ability to recognize the weaknesses in their own security practices and working environment is a major factor in whether those weaknesses get exploited. The IT manager's job, however, is to resolve every vulnerability present in the system before it can be exploited.

Network security has three primary components:
- Protecting the data stored on a network from theft or malicious destruction
- Ensuring optimum network performance by protecting network devices from programs that consume network resources
- Preventing network resources from being used by hackers to launch malicious attacks on other networks

Attacks on a technology infrastructure can take the form of direct attacks aimed at penetrating Internet firewalls, denying access to network resources by hammering the network with outside traffic, or using firewall weaknesses to extract or destroy data. The more common security issues facing administrators come in the form of malicious programs that exploit software vulnerabilities and enter the network through email scripts and attachments, or simply through web browsing. Once these programs are inside the firewall, they are free to exploit operating system vulnerabilities to actively penetrate other machines on the network. To properly analyze the security, performance and integrity of a network, the network must be broken down into its key components, with the configuration and performance designed at each component level.
II. Company Information

The company for which this network has been designed meets the following criteria, which were followed throughout the design:
- Financial services company
- 150 to 500 employees at a single corporate location
- Data center is on site
- Application and data availability is critical
- Data archiving and retrieval for 7 years is required by the government
III. Wiring Closet Cabling and Design

Data wiring closets are the backbone of today's networks: they are the road that all data must traverse to reach its destination. Yet many IT managers have taken shortcuts in the installation of data cabling and closets, and those shortcuts affect the security and performance of many networks today.

The data closets are logically divided into a Main Distribution Frame (MDF) and Intermediate Distribution Frames (IDF). There is always exactly one MDF per location; where the Ethernet distance limit would otherwise be exceeded, IDF closets are added so that no horizontal data run exceeds 100 meters.

Each IDF closet must have a cooling system able to counteract both the normal temperature rise from regular building operation and the heat generated by the network electronics. The closet must be kept free of dust and dirt, which pose a fire hazard if the network electronics overheat. The closet must be completely secure and restricted to authorized personnel only: anyone with physical access to the network electronics can perform the password recovery procedure that the manufacturer usually publishes on its website, and thereby take administrative control of the device. The network electronics must be installed in a two- or four-post rack secured according to the manufacturer's recommendations.

The data cabling to desktops, workstations and laptops must be a minimum of Category 6 copper to support 10/100/1000 Mbps operation. Each copper run must be properly terminated at a patch panel labeled with the location of its far end. The connection from each IDF closet to the MDF is multimode fiber, terminated in a fiber patch panel (junction box) for easier connection to the network electronics. Finally, all patch cabling from the fiber and copper patch panels requires cable management. Proper wire management makes support and troubleshooting easier and prevents data loss from damaged or over-bent cables.
IV. Network Electronics Selection

A. IDF Closets

The network electronics installed in each IDF closet must be Layer 2 (OSI model) capable. Each switch should provide 48 10/100/1000 Mbps ports with Power over Ethernet on every port, plus two 10 Gbps fiber uplinks for connectivity between switches and between the IDF and MDF closets. This high standard is intended to future-proof the company's investment.

Where multiple switches are installed in the same closet, the design requires that they be stacked in a daisy chain. The top switch uses one of its 10 Gbps links to connect back to the MDF core switch and its second 10 Gbps link to connect to the next switch in the stack; each following switch continues the chain until the last switch, which connects its second 10 Gbps link back to the MDF core switch. This gives the stack a redundant path to the MDF if the primary fiber connection fails, and if one switch in the stack fails, the remaining switches continue to pass traffic with minimal downtime. Because both ends of the chain terminate on the core, the topology is a loop: spanning tree (or the stack's own ring protocol) must be active so that only one path forwards at a time.

The network electronics must be powered through a battery backup (UPS) able to sustain the switches for a minimum of 20 minutes, or until the on-site generator is running and supplying power to the building in the event of an outage. The battery backup also conditions the power supplied to the network electronics, protecting them from spikes and brownouts that could otherwise damage them.

B. MDF Closet

The MDF closet acts as the central hub for all fiber from the IDF closets and usually also houses all of the company's servers. A highly available, fast Layer 2/3 switch is therefore required as the network core. The core switch needs enough 10 Gbps ports for two links to each IDF closet, two links to the switch stack located in the MDF closet itself, and two ports for the server farm switches. This gives every user a high-speed path to the resources whose data they need for analysis and update. Copper data runs that terminate in the MDF do not connect to the core switch directly; additional Layer 2 switches provide user connectivity there. All of the security appliances used in this design are also housed in the MDF for ease of management and maintenance.

As in the IDF closets, all network electronics in the MDF must be connected to a battery backup able to sustain them for a minimum of 20 minutes or until the on-site generator is running and supplying power to the building. The battery backup also conditions the power, protecting the network electronics from spikes and brownouts.
V. Security

A. Virtual Local Area Networks (VLANs)

In a traditional LAN, users are grouped by physical location: which hub or switch they plug into and where their cable runs in the wiring closet. This kind of segmentation does not group users by workgroup or by their need for bandwidth. A VLAN is a switched network that is logically segmented by function, project team or application, regardless of where the users are physically located. Each switch port is assigned to a VLAN. Ports in the same VLAN share broadcasts; ports outside that VLAN do not receive them, which improves overall network performance. Communication between VLANs is routed by the Layer 2/3 core switch in the MDF, which is also the point at which traffic between VLANs can be filtered with access control lists; a VLAN by itself only separates broadcast domains. Ports and users can be grouped into communities of interest on a single switch or across connected switches. By carrying VLAN membership across the links between switches (802.1Q trunking), VLANs can span a single building, interconnected buildings, or even wide area networks (WANs). VLANs remove the physical constraints on workgroup communication.
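The mechanism that lets a VLAN span several switches is 802.1Q tagging on the inter-switch (trunk) links. The Python below is added here as an illustration and is not part of the original design document: it builds an Ethernet frame, inserts an 802.1Q tag as a trunk port would on egress, and parses tags back out. The MAC addresses, VLAN numbers and payload are constructed for the example. It also covers the two cases a practitioner checks on a trunk: an untagged frame, which the port files under its native VLAN, and a frame carrying two stacked tags, where only the outer tag decides the VLAN at that hop.

```python
"""802.1Q VLAN tagging: how VLAN membership travels between switches.

Added example, not from the original design document. Addresses, VLAN IDs
and payload bytes are constructed for illustration.
"""
import struct

TPID_8021Q = 0x8100        # Tag Protocol Identifier announcing a VLAN tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame (FCS omitted; the NIC appends it)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert one 802.1Q tag after the source MAC, as a trunk port does on egress.

    TCI layout: 3-bit priority (PCP), 1-bit drop eligible (DEI), 12-bit VLAN ID.
    """
    if not 1 <= vid <= 4094:           # 0 and 4095 are reserved by the standard
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tags(frame: bytes):
    """Return ([vid, ...], inner_ethertype, payload).

    Every 0x8100 header is consumed in order, so a frame with two stacked tags
    yields two VIDs (outer first); an untagged frame yields an empty list.
    """
    vids = []
    offset = 12
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            return vids, ethertype, frame[offset + 2:]
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)      # low 12 bits carry the VLAN ID
        offset += 4


def port_vlan_for_frame(frame: bytes, native_vlan: int) -> int:
    """VLAN a trunk port assigns an arriving frame: outer tag, or native if untagged."""
    vids, _, _ = parse_tags(frame)
    return vids[0] if vids else native_vlan


if __name__ == "__main__":
    dst = bytes.fromhex("001122334455")     # constructed MAC addresses
    src = bytes.fromhex("66778899aabb")
    plain = build_frame(dst, src, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    tagged = tag_frame(plain, vid=10, pcp=5)
    print(tagged[12:16].hex())              # 8100a00a
    print(parse_tags(tagged))               # ([10], 2048, ...)
    print(port_vlan_for_frame(plain, native_vlan=999))  # 999: untagged lands in native VLAN
```

The native-VLAN rule is the reason trunk links between the IDF stacks and the core should use an otherwise unused VLAN ID as native and carry only the VLANs that are actually needed: any untagged frame that reaches a trunk is otherwise placed straight into the native VLAN.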
B. Firewall

The Internet has made vast amounts of information available to the average computer user at home, in business and in education. For many people, access to this information is no longer just an advantage; it is essential. Yet connecting a private network to the Internet exposes critical or confidential data to malicious attack from anywhere in the world. Firewalls can protect both individual computers and corporate networks from hostile intrusion from the Internet, but they must be understood to be used correctly.

A firewall examines all traffic routed between two networks and checks it against a set of criteria. Traffic that meets the criteria is forwarded between the networks; everything else is stopped. A firewall filters both inbound and outbound traffic. It can also manage public access to private networked resources such as host applications, log all attempts to enter the private network, and trigger alarms when hostile or unauthorized entry is attempted.

Firewalls can filter packets based on their source and destination addresses and port numbers; this is known as address filtering. They can also filter specific types of network traffic, known as protocol filtering because the decision to forward or reject depends on the protocol in use, for example HTTP, FTP or Telnet. Finally, firewalls can filter traffic by packet attribute or connection state (stateful inspection): a reply packet is admitted only if it belongs to a connection the firewall has already seen being legitimately opened, not merely because its addresses, ports and flags look acceptable on their own.
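To make the three filtering modes concrete, here is a small Python packet filter, added as an example and not code from the original document. `stateless_filter` is the weak form, a router-style access list that treats any inbound TCP packet with the ACK flag as an "established" reply; `StatefulFirewall` adds address filtering (anti-spoofing on the outside interface, a single published web server), protocol filtering (inside hosts may only use HTTP, HTTPS and DNS outbound) and a connection table, so that inbound packets are admitted only when they belong to a session the firewall has already admitted. The corporate range 10.0.0.0/8, the web server 10.1.1.80 and the port policy are assumptions made for the example, and every denied packet is logged, as the section requires.

```python
"""Stateless vs. stateful filtering (added example, not from the original document).

Address filtering, protocol filtering and connection state on constructed
packets. The 10.0.0.0/8 range, the 10.1.1.80 web server and the outbound port
policy are assumptions for this example, not the design document's values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")   # constructed: corporate address space
PUBLIC_WEB = "10.1.1.80"            # constructed: the only host the Internet may reach
HTTP, HTTPS, DNS = 80, 443, 53


@dataclass(frozen=True)
class Packet:
    iface: str          # "inside" or "outside": the firewall interface it arrived on
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag set, i.e. not the opening SYN


def stateless_filter(p: Packet) -> str:
    """Weak form: an access list that trusts the 'established' (ACK) flag.

    Any outside packet with ACK set passes as a 'reply', so an attacker reaches
    any inside port simply by setting the flag on packets nobody solicited.
    """
    if p.iface == "inside":
        return "ACCEPT"
    if p.proto == "tcp" and p.ack:
        return "ACCEPT"
    if p.proto == "tcp" and p.dst == PUBLIC_WEB and p.dport in (HTTP, HTTPS):
        return "ACCEPT"
    return "DROP"


class StatefulFirewall:
    """Address and protocol filtering plus a connection table for replies."""

    def __init__(self):
        self.sessions = set()   # connections admitted so far, direction-agnostic
        self.denied = []        # audit log: the section's "log all attempts"

    @staticmethod
    def _key(p: Packet):
        # identical key for both directions of one conversation
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def _deny(self, p: Packet, why: str) -> str:
        self.denied.append((why, p))
        return "DROP"

    def filter(self, p: Packet) -> str:
        src_inside = ip_address(p.src) in INSIDE
        # address filtering: the source must be plausible for the arrival interface
        if p.iface == "outside" and src_inside:
            return self._deny(p, "spoofed inside source on outside interface")
        if p.iface == "inside" and not src_inside:
            return self._deny(p, "non-corporate source on inside interface")
        # state: anything belonging to an already admitted connection passes
        if self._key(p) in self.sessions:
            return "ACCEPT"
        if p.proto == "tcp" and p.ack:
            return self._deny(p, "ACK without a tracked connection")
        # a new connection: protocol filtering decides
        if p.iface == "inside":
            if (p.proto == "tcp" and p.dport in (HTTP, HTTPS)) or \
               (p.proto == "udp" and p.dport == DNS):
                self.sessions.add(self._key(p))
                return "ACCEPT"
            return self._deny(p, "outbound protocol not permitted")
        if p.proto == "tcp" and p.dst == PUBLIC_WEB and p.dport in (HTTP, HTTPS):
            self.sessions.add(self._key(p))    # published service: new inbound session
            return "ACCEPT"
        return self._deny(p, "unsolicited inbound")


if __name__ == "__main__":
    fw = StatefulFirewall()
    spoofed_ack = Packet("outside", "tcp", "198.51.100.7", 40000, "10.2.3.4", 445, ack=True)
    print("stateless:", stateless_filter(spoofed_ack))   # ACCEPT: fooled by the ACK flag
    print("stateful: ", fw.filter(spoofed_ack))           # DROP: no connection behind it
    fw.filter(Packet("inside", "tcp", "10.2.3.4", 51000, "203.0.113.10", 443))
    print("reply:    ", fw.filter(Packet("outside", "tcp", "203.0.113.10", 443,
                                         "10.2.3.4", 51000, ack=True)))  # ACCEPT
```

The contrast to look at is the spoofed ACK packet: the flag-based rule accepts it because it looks like the tail of a conversation, while the connection table rejects it because no conversation was ever opened. The same table is what lets the DNS and HTTPS replies back in without opening those ports to the whole Internet.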
C. Network Intrusion Prevention System (NIPS)

The most damaging threats today are worms and viruses. They have the greatest potential for network disruption, and they are also among the most difficult to protect against, because containing them requires manual action by network administrators. Worms exploit weaknesses in computers that have not been patched, including home computers that users bring into the office; once such a machine is connected at work, it infects not only hosts on its own network but also the neighboring networks reachable through the core switch. An inline, network-based prevention system that is designed to accurately identify, classify and stop malicious traffic, including worms, spyware, adware, network viruses and application abuse, before it affects the business can be placed at the core, where it filters all traffic traversing the network. Because the device is inline, it can drop the offending traffic rather than merely raise an alert; by the same token, a false positive or a failure of the device itself interrupts legitimate traffic, so the signature set and the fail-open or fail-closed behavior must be chosen deliberately.
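An inline IPS at the core sees every segment of a connection, but a worm's exploit bytes do not have to arrive in one segment; to match them the device has to reassemble the TCP stream first. The Python below is an added example, not part of the original document: it compares naive per-packet signature matching with a per-flow reassembly buffer, tolerates out-of-order segments, and on a match drops the flow (inline prevention) rather than only alerting. The signature patterns and the segments are constructed for this example and do not describe any real worm or product signature.

```python
"""Inline IPS: reassemble, then match (added example, not from the original document).

The signatures and the TCP segments are constructed for the illustration and
do not describe any real worm or vendor signature.
"""
from dataclasses import dataclass

# constructed signatures: (name, byte pattern that must appear in the stream)
SIGNATURES = [
    ("demo-worm-exploit", b"\x90\x90\x90\x90EXPLOIT"),
    ("demo-adware-beacon", b"GET /adbeacon?id="),
]


@dataclass(frozen=True)
class Segment:
    flow: tuple       # (src, sport, dst, dport) identifying one TCP connection
    seq: int          # TCP sequence number of the first payload byte
    payload: bytes


def match_signatures(data: bytes):
    """Names of all signatures whose pattern occurs in data."""
    return [name for name, pattern in SIGNATURES if pattern in data]


def per_packet_ids(segments):
    """Naive detector: inspects each segment on its own.

    A pattern split across two segments is never seen whole, so it is missed.
    """
    hits = set()
    for s in segments:
        hits.update(match_signatures(s.payload))
    return hits


class InlineIPS:
    """Per-flow reassembly before matching; a hit drops the flow, not just alerts."""

    def __init__(self, max_buffer=64 * 1024):
        self.buffers = {}       # flow -> {seq: payload}; tolerates out-of-order arrival
        self.blocked = set()    # flows already judged malicious
        self.alerts = []        # (flow, [signature names])
        self.max_buffer = max_buffer

    def _reassemble(self, flow) -> bytes:
        """Join buffered segments in sequence order, stopping at the first gap."""
        pieces = self.buffers[flow]
        out = bytearray()
        expected = None
        for seq in sorted(pieces):
            if expected is None:
                expected = seq
            if seq > expected:
                break                               # hole: wait for the missing bytes
            out += pieces[seq][expected - seq:]     # trim overlap with bytes already taken
            expected = max(expected, seq + len(pieces[seq]))
        return bytes(out)

    def inspect(self, seg: Segment) -> str:
        if seg.flow in self.blocked:
            return "DROP"
        buf = self.buffers.setdefault(seg.flow, {})
        if sum(len(p) for p in buf.values()) + len(seg.payload) > self.max_buffer:
            buf.clear()                             # bound memory held per flow
        buf.setdefault(seg.seq, seg.payload)        # first copy wins on retransmission
        hits = match_signatures(self._reassemble(seg.flow))
        if hits:
            self.alerts.append((seg.flow, hits))
            self.blocked.add(seg.flow)
            del self.buffers[seg.flow]
            return "DROP"
        return "FORWARD"


if __name__ == "__main__":
    flow = ("198.51.100.7", 4444, "10.2.3.4", 445)        # constructed attacker -> victim
    segments = [Segment(flow, 1000, b"\x90\x90\x90"),     # exploit split over 3 segments
                Segment(flow, 1003, b"\x90EXPL"),
                Segment(flow, 1008, b"OIT\x00")]
    print("per-packet:", per_packet_ids(segments))         # set(): evaded
    ips = InlineIPS()
    print("inline IPS:", [ips.inspect(s) for s in segments])  # FORWARD, FORWARD, DROP
```

Two details matter for an appliance placed in the core as this design proposes: the buffer per flow must be bounded, or the device itself becomes the easiest thing to exhaust, and the verdict is taken on the whole stream so far, so the first two segments are forwarded before the third completes the pattern; what the IPS prevents is the rest of the connection and every later packet of that flow.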
D. Host Intrusion Prevention System (HIPS)

A host IPS is a software agent that resides on an individual system such as a server, workstation or notebook. It inspects the traffic flowing into and out of that system and may also examine the behavior of the applications and operating system for indications of an attack. These host-specific agents may protect only the operating system, or the applications running on the host as well (such as web servers). When an attack is detected, the host IPS either blocks it at the network interface level or instructs the application or operating system to stop the behavior the attack initiated. For example, buffer overflow attacks may be prevented by prohibiting execution of the malicious code inserted into the address space the exploit targets, and attempts to install back-door programs through applications such as Internet Explorer are blocked by intercepting and denying the file write command that IE issues.
VII. Conclusion

In the Internet age, closed networks are virtually non-existent. Computer networks exist to provide communication tools and shared information; data is exchanged through Internet browsers, USB flash drives, email and instant messaging. The challenge is to provide a network that gives users access to internal and Internet resources while keeping its security technology current. From the beginning, the goal of networking was to share information from one computer to another, and no one could have envisioned the explosive growth the Internet would experience. Today more than one billion people use the Internet worldwide. That growth can be attributed to shopping, online bill payment, Internet banking, research, recreation and online learning, among other things; with the sheer size of the Internet, a user can find almost anything they can put into words, and even find other users who are searching for the same thing. The growth in Internet usage, however, has not been matched by a general understanding of how the Internet works, its security pitfalls, or the security best practices a user should follow. It is the job of information technology managers to protect the company's electronics, its users, and the intellectual property that resides with the company.
VIII. Network Diagrams