Secure Network Design Document


Secure Network Design Document
May 3, 2007
Authored by: Steven Puzio

TABLE OF CONTENTS

I. Overview
II. Company Information
III. Wiring Closet Cabling and Design
IV. Network Electronics Selection
   A. IDF
   B. MDF
V. Security
   A. VLANs
   B. Firewall
   C. Network IPS
   D. Host IPS
VII. Conclusion
VIII. Network Diagram
IX. References

I. Overview

"Identity Theft on the Rise." "Phishing Attacks at an All-Time High." "Hackers Obtain Thousands of Credit Card Numbers." Headlines like these are all too often blazoned across our newspapers and magazines. Computer networks exist to provide communication tools and shared information. Data is exchanged through Internet browsers, USB flash drives, email and instant messaging. The challenge is to provide a network that allows the user access to internal and Internet resources while maintaining current security technology.

In the Internet age, closed networks are virtually non-existent. For most companies, the relationship with computers and the Internet has reached the point of complete dependence, and that dependence has brought about a paramount issue that all IT (information technology) managers are constantly trying to maintain: security. With this increased dependence on the Internet, we have also seen an increase in the number of attacks occurring across the Internet as hackers attempt to exploit its new and seasoned users alike. A user's inability to identify the weaknesses in their own security practices and in the environment they work in is a major factor that hackers exploit. The job of the IT manager, however, is to resolve all the possible vulnerabilities in the system before they can be exploited.

Network security has three primary components:
- Protecting the data stored on a network from theft or malicious destruction
- Ensuring optimum network performance by protecting network devices from programs that consume network resources
- Preventing network resources from being used by hackers to launch malicious attacks on other networks

Attacks on a technology infrastructure can come in the form of direct attacks aimed at penetrating Internet firewalls, denying access to network resources by hammering the network with outside traffic, or using firewall weaknesses to extract or destroy data. The more common network security issues facing administrators come in the form of malicious programs that exploit software vulnerabilities and penetrate networks through email scripts and attachments, or simply through web browsing. Once these malicious programs are inside the firewall, they are free to exploit operating system vulnerabilities in order to actively penetrate other machines on the network. In order to properly analyze the security, performance and integrity of a network, it is important to break the network down into key components and design the configuration and performance at each component level.

II. Company Information

The company this network was designed for has the following characteristics, which were followed as criteria throughout the network design:
- Financial services company
- 150 to 500 employees at a single corporate location
- Data center is on site
- Application and data availability is critical
- Data archiving and retrieval for 7 years is required by the government

III. Wiring Closet Cabling and Design

Data wiring closets are the backbone of networks today. They are the road that all data must traverse in order to reach its destination. However, many IT managers have taken shortcuts in the installation of data cabling and closets, and those shortcuts affect the security and performance of many networks today.

The data closets can be logically broken up into a Main Distribution center (MDF) and Intermediate Distribution centers (IDF). There is always one MDF in a location, and where Ethernet distance limits require it, there can be multiple IDF closets. IDFs are created so that the farthest data cable installed does not exceed 100 meters. Each IDF closet must contain a cooling system able to counteract the normal temperature increases of regular building operation as well as the heat created by the network electronics. The closet must be kept free of the dust and dirt that would pose a fire threat to the building if the network electronics overheated and caught fire. The closet must be completely secured and restricted to authorized personnel only: if unknown users can access the network electronics, they can easily perform a password recovery procedure that is usually posted on the manufacturer's website. The network electronics must be installed in a two- or four-post rack that is secured according to the manufacturer's recommendations.

The data cabling to desktops, workstations and laptops must be a minimum of Category 6 copper cabling to allow for 10/100/1000 Mbps networks. The copper data runs must be properly terminated to a patch panel labeled with the location of the end point of each run. The connection from the IDF closets to the MDF closet will be a multi-mode fiber connection terminated to a junction box for easier connection into the network electronics. Finally, any cabling between the fiber patch panels, the copper patch panels and the network electronics requires cable management. Wire management allows for easier support and management, and prevents the data loss caused by bad or bent cables.

IV. Network Electronics Selection

A. IDF Closets

The network electronics installed in each of the IDF closets must be Layer 2 (OSI model) capable. The switch should support 48 10/100/1000 Mbps ports with Power over Ethernet on each port. In addition, two 10,000 Mbps (10 Gbps) fiber connections must be available to provide connectivity between the switches and between the MDF and the IDF closets. This high standard of requirements is meant to future-proof the company's investment.

The design requires that if multiple switches are installed in the same closet, they be stacked (daisy chained). In this setup, the top switch uses one of its 10 Gbps links to connect back to the MDF core switch and its second 10 Gbps link to connect to the next switch in the stack. Each following switch continues down the line in this daisy-chain fashion until the last switch is reached, which connects its second 10 Gbps link back to the MDF core switch. This gives the stack of switches a redundant data connection back to the MDF in the event that the primary fiber connection fails. In addition, if one of the switches in the stack fails, the remaining switches continue operating and passing traffic with minimal downtime.

For the power system to the network electronics, a battery backup system is required that can sustain the operation of the switches for a minimum of 20 minutes, or until the onsite generator is operational and providing power for the building in the event of a power outage. The battery backup also conditions the power to the network electronics against spikes and brownouts, which can damage the network electronics.

B. MDF Closet

The MDF closet acts as the central hub for all of the fiber cables from the IDF closets. In addition, an MDF closet usually contains all of the company's servers. As a result, a highly available, fast Layer 2/3 (OSI model) switch is required for the core of the network. This core switch requires enough 10 Gbps ports to support two links to each IDF closet, two links to the switch stack located in the MDF closet, and two ports for the server farm switches. This design gives all users on the network a high-speed connection to the resources holding the data they need for analysis and update. Data cables run back to the MDF will not connect to the core switch; instead, additional Layer 2 switches will provide network connectivity for those users. In addition to the network connection, all of the security appliances that are going to be used will be housed in this location for ease of management and maintenance. As with the IDF closets, all of the network electronics in the MDF must be connected to a battery backup system that can sustain the operation of the switches for a minimum of 20 minutes, or until the onsite generator is operational and providing power for the building in the event of a power outage. The battery backup also conditions the power to the network electronics against spikes and brownouts, which can damage the network electronics.

V. Security

A. Virtual Local Area Networks (VLAN)

In a typical LAN configuration, users are grouped by their location relative to the hub or switch they are plugged into and by how the cable is run to the wiring closet. This type of segmentation does not group users according to their workgroup association or their need for bandwidth. A VLAN is a switched network that is logically segmented by function, project team or application, without regard to the physical location of users. Each switch port can be assigned to a VLAN. Ports in a VLAN share broadcasts, and ports that do not belong to that VLAN do not receive them, which improves the overall performance of the network. Communication between VLANs is provided by the Layer 2/3 core switch in the MDF. Ports and users can be grouped into communities of interest on a single switch or across connected switches. By grouping ports and users together across multiple switches, VLANs can span single-building infrastructures, interconnected buildings, or even wide area networks (WANs). VLANs remove the physical constraints on workgroup communications.
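The broadcast-domain behaviour described above, as an added example that is not part of the original design document: a Python model of an access switch with port-based VLANs, plus helpers for the 802.1Q tag that carries the VLAN id across the trunk to the core switch. The port-to-VLAN layout, the MAC addresses and the use of 802.1Q are this example's assumptions, not details from the document.

```python
"""Added example (not from the design document): a model of a port-based VLAN
access switch. Broadcasts and unknown unicasts are flooded only to ports in the
same VLAN, and MAC addresses are learned per VLAN. The 802.1Q tag helpers show
how a frame is marked when it crosses the trunk to the core switch (the document
does not name 802.1Q; that detail is this example's assumption)."""
from typing import Dict, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


class VlanSwitch:
    def __init__(self, port_vlan: Dict[int, int]):
        self.port_vlan = port_vlan  # access port -> VLAN id
        # Forwarding table keyed by (vlan, mac): the same MAC seen in two VLANs
        # is two separate entries, so one VLAN never leaks into another.
        self.mac_table: Dict[Tuple[int, str], int] = {}

    def forward(self, ingress: int, src_mac: str, dst_mac: str) -> Set[int]:
        """Return the set of egress ports for a frame entering on `ingress`."""
        vlan = self.port_vlan[ingress]
        self.mac_table[(vlan, src_mac)] = ingress  # learn the source inside its VLAN
        known = self.mac_table.get((vlan, dst_mac))
        if dst_mac != BROADCAST and known is not None:
            return set() if known == ingress else {known}
        # Broadcast or unknown destination: flood, but only within this VLAN.
        return {p for p, v in self.port_vlan.items() if v == vlan and p != ingress}


def dot1q_tag(vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Build the 4-byte 802.1Q tag: TPID, then TCI = PCP(3) | DEI(1) | VID(12)."""
    if not 0 <= vid <= 4095 or not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("802.1Q field out of range")
    tci = (pcp << 13) | (dei << 12) | vid
    return TPID_8021Q.to_bytes(2, "big") + tci.to_bytes(2, "big")


def parse_dot1q(tag: bytes) -> Tuple[int, int, int]:
    """Return (pcp, dei, vid) from a 4-byte tag; reject frames without one."""
    if len(tag) < 4 or int.from_bytes(tag[:2], "big") != TPID_8021Q:
        raise ValueError("not an 802.1Q tagged frame")
    tci = int.from_bytes(tag[2:4], "big")
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


# Constructed layout: ports 1-2 in VLAN 10 (finance), ports 3-4 in VLAN 20 (guest).
ACCESS_PORTS = {1: 10, 2: 10, 3: 20, 4: 20}
HOST_A, HOST_B, HOST_C = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"

if __name__ == "__main__":
    sw = VlanSwitch(ACCESS_PORTS)
    print(sw.forward(1, HOST_A, BROADCAST))   # {2}: flooded to VLAN 10 only
    print(sw.forward(3, HOST_C, HOST_A))      # {4}: HOST_A is unreachable from VLAN 20
    print(parse_dot1q(dot1q_tag(10, pcp=3)))  # (3, 0, 10)
```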

B. Firewall

The Internet has made large amounts of information available to the average computer user at home, in business and in education. For many people, having access to this information is no longer just an advantage; it is essential. Yet connecting a private network to the Internet can expose critical or confidential data to malicious attack from anywhere in the world. Firewalls can protect both individual computers and corporate networks from hostile intrusion from the Internet, but they must be understood to be used correctly.

A firewall examines all traffic routed between the two networks to see whether it meets certain criteria. If it does, the traffic is routed between the networks; otherwise it is stopped. A firewall filters both inbound and outbound traffic. It can also manage public access to private networked resources such as host applications. It can be used to log all attempts to enter the private network and to trigger alarms when hostile or unauthorized entry is attempted. Firewalls can filter packets based on their source and destination addresses and port numbers; this is known as address filtering. Firewalls can also filter specific types of network traffic; this is known as protocol filtering because the decision to forward or reject traffic depends on the protocol used, for example HTTP, FTP or Telnet. Firewalls can also filter traffic by packet attribute or state.
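The three filtering methods described above, as an added example that is not part of the original design document: a small Python model of a stateful packet filter with address filtering, protocol/port filtering and connection state, plus a log of denied inbound attempts that could feed the alarms the section mentions. The addresses (10.0.0.0/8 for the internal network, 203.0.113.10 for a public web server), ports and rules are constructed sample values.

```python
"""Added example (not from the design document): a stateful packet-filter model with
address filtering, protocol/port filtering, connection state and logging of denied inbound
attempts. All addresses, ports and rules are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = Internet -> private network, "out" = private network -> Internet
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    direction: str
    src: str = "0.0.0.0/0"       # address filtering: source network (CIDR)
    dst: str = "0.0.0.0/0"       # address filtering: destination network (CIDR)
    proto: Optional[str] = None  # protocol filtering: None matches any protocol
    dport: Optional[int] = None  # port filtering: None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction
                and ip_address(p.src) in ip_network(self.src) and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto) and self.dport in (None, p.dport))

class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state = set()        # connections the inside opened: (src, sport, dst, dport, proto)
        self.log: List[str] = []  # denied inbound attempts, the input for alarms

    def filter(self, p: Packet) -> str:
        # State check: the reply to a connection the inside opened needs no inbound rule.
        if p.direction == "in" and (p.dst, p.dport, p.src, p.sport, p.proto) in self.state:
            return "allow"
        action = next((r.action for r in self.rules if r.matches(p)), "deny")  # first match wins; default deny
        if action == "allow" and p.direction == "out":
            self.state.add((p.src, p.sport, p.dst, p.dport, p.proto))
        if action == "deny" and p.direction == "in":
            self.log.append(f"DENY {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return action

def build_firewall() -> Firewall:
    # Constructed policy: internal users (10.0.0.0/8) may browse the web; the public web server accepts HTTPS.
    return Firewall([
        Rule("allow", "out", src="10.0.0.0/8", proto="tcp", dport=80),
        Rule("allow", "out", src="10.0.0.0/8", proto="tcp", dport=443),
        Rule("allow", "in", dst="203.0.113.10/32", proto="tcp", dport=443),
    ])

SAMPLE_PACKETS = [  # constructed traffic, in arrival order
    Packet("out", "tcp", "10.1.1.5", 51000, "198.51.100.7", 443),     # user opens HTTPS
    Packet("in", "tcp", "198.51.100.7", 443, "10.1.1.5", 51000),      # the server's reply
    Packet("in", "tcp", "198.51.100.7", 443, "10.1.1.6", 51000),      # unsolicited inbound
    Packet("in", "tcp", "198.51.100.9", 40000, "203.0.113.10", 443),  # public HTTPS access
    Packet("in", "tcp", "198.51.100.9", 40000, "203.0.113.10", 23),   # Telnet to web server
    Packet("out", "tcp", "10.1.1.5", 40001, "198.51.100.7", 23),      # outbound Telnet
]
```

Running the six packets through `build_firewall()` in order yields allow, allow, deny, allow, deny, deny, with only the two inbound denials logged.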

C. Network Intrusion Prevention System (NIPS)

The most damaging threats today are worms and viruses. They have the greatest potential for network disruption, and they are also the most difficult to protect against because they require manual action on the part of network administrators. These worms can exploit the weaknesses of computers that have not been patched, such as a home computer that a user brings in. As a result, when the user brings their computer to work, it begins to infect not only users in their own network but also neighboring networks connected to the core switch. However, an inline network-based defense system designed to accurately identify, classify and stop malicious traffic, including worms, spyware, adware, network viruses and application abuse, before it affects the business can be placed within the core and allowed to filter all traffic traversing the network.

D. Host Intrusion Prevention System (HIPS)

A Host IPS is a software program that resides on individual systems such as servers, workstations or notebooks. Traffic flowing into or out of that particular system is inspected, and the behavior of the applications and operating system may be examined for indications of an attack. These host-specific programs or agents may protect just the operating system, or the applications running on the host as well (such as web servers). When an attack is detected, the Host IPS software either blocks the attack at the network interface level or issues commands to the application or operating system to stop the behavior initiated by the attack. For example, buffer overflow attacks may be prevented by prohibiting execution of the malicious code inserted into the address space exploited by the attack, and attempts to install back door programs via applications like Internet Explorer are blocked by intercepting and denying the write-file command issued by IE.

VII. Conclusion

In the Internet age, closed networks are virtually non-existent. Computer networks exist to provide communication tools and shared information. Data is exchanged through Internet browsers, USB flash drives, email and instant messaging. The challenge is to provide a network that allows the user access to internal and Internet resources while maintaining current security technology.

From the beginning, the goal of networking was the sharing of information from one computer to another. With that goal in mind, no one could have envisioned the explosive growth that the Internet would experience. Currently there are over one billion users of the Internet throughout the world. This extreme growth over the years can be attributed to many things, such as shopping, online bill payments, Internet banking, research, recreation and online learning. With the sheer size of the Internet, a user can find almost anything they can put into words, and even find other users searching for the same thing. However, the growth of Internet usage has not run parallel with the general understanding of how the Internet works, its security pitfalls, and the security best practices a user should follow. It is the job of Information Technology managers to protect the company's electronics, and also to protect the users and the intellectual property that resides with the company.

VIII. Network Diagrams

[Network diagram: figure not reproduced in this transcription.]

IX. References

www.cisco.com for the latest networking and security products
www.iss.net for the latest network security products
www.ieee.com for the latest standards that may apply to the design of the network
www.nortel.com and www.hp.com for alternative manufacturers' approaches to networking