Network security

Old 06 December 2004, 04:04 PM
#1
super_si
Scooby Regular
Thread Starter
Join Date: Feb 2002
Location: Lurkin Somewhere
Posts: 7,951

Bit of a dilemma here. Doing a uni assignment: there are four buildings, 2 of which have sensitive data, so they need secure access.

I was thinking of having a flat switched layer 2 network. If I changed to a layer 3 routed and subnetted design, in theory packets would be sent where they are supposed to go etc., so it would be secure?

Or am I missing the point...

cheers

Si
Old 06 December 2004, 04:29 PM
#2
ozzy
Scooby Regular
Join Date: Nov 1999
Location: Scotland, UK
Posts: 10,504

In theory yes. You could have multiple subnets and keep the routing table closed so that devices in one network couldn't forward packets to another. This obviously would stop a valid device from accessing the remote network. To get around this, you could use Access Control Lists on the routers to manage traffic and only allow access from certain devices or port numbers.

It can differentiate what traffic is valid or not though, e.g. you could open port 80 from a single MAC or IP address, but it would allow all traffic on that port regardless of whether it was secure or not.

You could use a firewall to handle the low-level security and some application filter to handle application access.

Depends how secure you want it to be and what communication is required between secure and unsecure networks. Most secure would be to keep them physically separate, but that's not always practical.

Stefan
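To make the routed-plus-ACL design concrete, here is an added example that is not part of the thread or any vendor's software: a stateless ACL evaluator for a four-building layout with one subnet per building. The subnet numbers, host addresses, rules and sample packets are all constructed assumptions. Note that a rule never inspects the payload, which is exactly the limitation of a port-based permit described above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed addressing: one /24 per building, routed between them.
# Buildings 1 and 2 are assumed to hold the sensitive data.
BUILDINGS: Dict[str, str] = {
    "bldg1-secure": "10.1.0.0/24",
    "bldg2-secure": "10.2.0.0/24",
    "bldg3": "10.3.0.0/24",
    "bldg4": "10.4.0.0/24",
}


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source prefix; /32 for a single host
    dst: str               # destination prefix
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None for any port

    def matches(self, pkt: Dict[str, object]) -> bool:
        # Only addresses, protocol and port are examined. The payload is never
        # looked at, so a permit on a port admits whatever is carried on it.
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and (self.dport is None or self.dport == pkt["dport"]))


# Evaluated top to bottom, first match wins, implicit deny at the end
# (the usual router ACL semantics). Rules are constructed for the example.
INTER_BUILDING_ACL: List[Rule] = [
    Rule("permit", "10.3.0.10/32", "10.1.0.0/24", "tcp", 443),  # one admin host, one service
    Rule("permit", "10.1.0.0/24", "10.2.0.0/24", "any", None),   # the two secure sites talk freely
    Rule("permit", "10.2.0.0/24", "10.1.0.0/24", "any", None),
    Rule("deny", "0.0.0.0/0", "10.1.0.0/24", "any", None),       # nobody else reaches secure data
    Rule("deny", "0.0.0.0/0", "10.2.0.0/24", "any", None),
    Rule("permit", "0.0.0.0/0", "0.0.0.0/0", "any", None),       # ordinary traffic elsewhere
]


def evaluate(acl: List[Rule], pkt: Dict[str, object]) -> str:
    """Return 'permit' or 'deny' for one packet under first-match ACL semantics."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def packet(src: str, dst: str, proto: str, dport: int, payload: bytes = b"") -> Dict[str, object]:
    """Build a minimal packet record (constructed test data, not a real parser)."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "payload": payload}


# Constructed sample traffic between the buildings.
SAMPLE_PACKETS = [
    packet("10.3.0.10", "10.1.0.5", "tcp", 443, b"GET / HTTP/1.1"),
    packet("10.3.0.10", "10.1.0.5", "tcp", 443, b"anything else on the same port"),
    packet("10.3.0.11", "10.1.0.5", "tcp", 443),
    packet("10.3.0.10", "10.1.0.5", "tcp", 22),
    packet("10.1.0.5", "10.2.0.9", "udp", 53),
    packet("10.4.0.7", "10.3.0.2", "tcp", 80),
]


def decisions(pkts: List[Dict[str, object]] = SAMPLE_PACKETS) -> List[str]:
    """ACL verdict for each sample packet, in order."""
    return [evaluate(INTER_BUILDING_ACL, p) for p in pkts]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_PACKETS, decisions()):
        print(f"{p['src']} -> {p['dst']} {p['proto']}/{p['dport']}: {verdict}")
```

The first two sample packets get the same verdict whatever their payload carries; that is the gap a firewall with application-level filtering is meant to close.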
Old 06 December 2004, 04:36 PM
#3
BazH
Scooby Regular
Join Date: Jul 2002
Posts: 274

VLANS?
Old 06 December 2004, 04:42 PM
#4
ozzy
Scooby Regular
Join Date: Nov 1999
Location: Scotland, UK
Posts: 10,504

Yep, VLANs would segment networks on different ports of a network switch. You can then allow access from certain machines/ports/MAC addresses to the other VLAN.

I would still argue that a firewall device is much easier to manage and maintain though.

Stefan
Old 06 December 2004, 04:47 PM
#5
super_si
Scooby Regular
Thread Starter
Join Date: Feb 2002
Location: Lurkin Somewhere
Posts: 7,951

Yeah, never even considered a firewall!! I guess VLANs and a firewall could be used.

If I use VLANs I've no real need for subnets, have I? Same job in effect?

Si
Old 06 December 2004, 06:32 PM
#6
David_Wallis
Scooby Regular
Join Date: Nov 2001
Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?
Posts: 15,239

VLANs are separate subnets on the same switch / cabling (or at least the ones I've used are).

Fibre to the desktop is also an option if you want secure transmission of data.

Personally I would have a separate subnet per building (depending on links between buildings, but then... this could get complicated for a uni assignment!).
Old 06 December 2004, 06:41 PM
#7
super_si
Scooby Regular
Thread Starter
Join Date: Feb 2002
Location: Lurkin Somewhere
Posts: 7,951

Do you mean direct fibre from the switch -> desktop, or edge device/passport or server?

Old 06 December 2004, 07:01 PM
#8
David_Wallis
Scooby Regular
Join Date: Nov 2001
Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?
Posts: 15,239

Forget core switches / edge device/passport or server.

Communication between server and core switch would be secure due to them being in a secure comms room.

Quite simply, don't use UTP to the desk. Use fibre and connect it to whatever, wherever you like, as long as the other end is secure. iyswim.

David
Old 06 December 2004, 07:23 PM
#9
Jeff Wiltshire
Scooby Regular
Join Date: Nov 2000
Location: 412 Wheel HP Audi RS4
Posts: 2,021

If at all possible try and maintain the physical networking the same as the logical network. VLAN tagging is not a secure protocol and it is theoretically possible to alter the VLAN tag on a packet, which would then bypass any security system based on VLANs.

Also you should be looking for core Intrusion Prevention devices as well as stateful inspection firewalling.

Have a look at www.tippingpoint.com for more on IPS.
Old 06 December 2004, 09:15 PM
#10
super_si
Scooby Regular
Thread Starter
Join Date: Feb 2002
Location: Lurkin Somewhere
Posts: 7,951

Thanks, I will have a look. Trouble is, with it being a uni assignment I have to back up everything I say with references and statements.


Thanks

Si
Old 06 December 2004, 10:58 PM
#11
stevencotton
Scooby Regular
Join Date: Jan 2001
Location: behind twin turbos
Posts: 2,710

Originally Posted by super_si:
Trouble is, with it being a uni assignment I have to back up everything I say with references and statements.

You think that's bad, when you get a full time job you may have to do it for real!
Old 06 December 2004, 11:09 PM
#12
David_Wallis
Scooby Regular
Join Date: Nov 2001
Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?
Posts: 15,239

psml @ steven
Old 06 December 2004, 11:23 PM
#13
Chris L
Scooby Regular
Join Date: May 2000
Location: MY00,MY01,RX-8, Alfa 147 & Focus ST :-)
Posts: 10,371

Sooo true Steve

Si - I too would go with the firewall / IPS approach for the data security. The days of saying 'oh that's TCP port 80 - that'll be OK' are long gone.

Speaking from the point of view of someone who has just slogged their way through (and passed) the CISSP training course, don't disregard physical building security (you can find out some more details from ISC). You could also consider encrypting all traffic. Securing data using 802.1x may be an option too - I know of at least two of my customers seriously looking at this for their LANs.

So many options - you might get a few brownie points for thinking a little outside the obvious with some of these though!

Chris
Old 07 December 2004, 08:13 AM
#14
super_si
Scooby Regular
Thread Starter
Join Date: Feb 2002
Location: Lurkin Somewhere
Posts: 7,951

On a network, where would you place IPS(s)? Don't suppose there are any decent sites that take apart VLANs and how the tags can be changed? It would support my argument for using the IPS.

Researching 802.1x, it seems to be associated with wireless communication. Does it work on a fibre/ethernet network?

Si

Last edited by super_si; 07 December 2004 at 08:40 AM.
Old 07 December 2004, 11:22 AM
#15
Chris L
Scooby Regular
Join Date: May 2000
Location: MY00,MY01,RX-8, Alfa 147 & Focus ST :-)
Posts: 10,371

Si

802.1x is a standard way of transmitting EAP (Extensible Authentication Protocol) over wired or wireless LANs. The weakness of WEP has meant that the adoption of more security in a wireless environment is a big priority for many people. This has led to the common view that 802.1x is a wireless standard only - it isn't. Do a search on 802.1x and LAN environments - you'll find loads of whitepapers and explanations.

IPS placement really depends on the size and type of the network and what kind of access there is to the network. If the buildings had some form of external access (i.e. to another LAN or maybe the Internet), then many people place an IPS on the outside of the firewall.

In this case, I think you would be looking at network based IPS that would monitor all traffic on a segment (normally via a mirrored port on a switch). You could also consider specific host based IPS for individual machines. These tend to analyse log files etc. Again, there is loads of info out there on this kind of stuff. A quick search on Google should bring back loads of sites.

Last edited by Chris L; 07 December 2004 at 11:25 AM.
Old 07 December 2004, 12:19 PM
#16
markr1963
Scooby Regular
Join Date: Jun 2002
Location: Perth, Western Australia
Posts: 1,866

Originally Posted by Chris L:
...Speaking from the point of view of someone who has just slogged their way through (and passed) the CISSP training course...

Not wishing to hijack the thread so, Chris, YHPM

Mark
Old 07 December 2004, 12:49 PM
#17
Dazza's-STi
Scooby Regular
Join Date: Jun 2003
Location: Some say he has frost on his helmet...
Posts: 2,970

Just a word of warning... If you need security, VLANs ARE NOT the only answer... VLANs were not designed as a security mechanism... It's quite easy for me to build packets and breach your security and/or sniff the network with VLANs set... Example... Just did this whilst analysing a *** site with VOIP phones... secure data out of the back of the phone... the phone on VLAN 200, the data on the native VLAN, non-VOIP... from the back of the phones (data) I can see the traffic on the voice VLAN... You would normally not expect this! and it goes to show all is not as it seems...
Although VLANs can be used as a step to securing the network, it is not the only step to take... a culmination of things are required... 802.1x, sticky MAC and access lists being for starters...

Minefield subject... Hats off to the CSSIP guys... it's as bad as the CISCO stuff...

The MOD security analysts are very good at this stuff, as you'd expect, and keep us on our toes a bit!

This message will self destruct in 20 seconds...

Dazza

Amended b4 the official secrets act watchers start...

Last edited by Dazza's-STi; 07 December 2004 at 03:52 PM.
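Because the tag on a frame is just four bytes that any host can write, the defensive counterpart to the warning above is to watch what actually arrives on a port (for instance from a mirrored port feeding an IDS). The following 802.1Q parser and port audit is an added example, not code from the thread or from any vendor: it extracts the VLAN ID stack from a raw Ethernet frame and flags the three things a switch port should never see, a tagged frame on an access port, a double-tagged frame, and a VLAN ID that is not in a trunk's allowed list. MAC addresses, VLAN numbers and the sample frames are constructed test data.

```python
import struct
from typing import List, Tuple

TPID_8021Q = 0x8100     # customer VLAN tag
TPID_8021AD = 0x88A8    # service tag used as the outer tag in Q-in-Q
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes) -> Tuple[str, str, List[int], int]:
    """Return (dst_mac, src_mac, vlan_ids outer-to-inner, inner ethertype).

    Walks any number of stacked 802.1Q/802.1ad tags; raises on truncated input.
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    offset = 12
    vlans: List[int] = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return dst, src, vlans, ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        vlans.append(tci & 0x0FFF)   # low 12 bits of the TCI carry the VLAN ID
        offset += 4


def audit_frame(frame: bytes, port_mode: str, port_vlans: List[int]) -> List[str]:
    """Findings for a frame observed on a switch port.

    port_mode is 'access' or 'trunk'; port_vlans is the single access VLAN or the
    trunk's allowed-VLAN list. An empty list means nothing looked wrong.
    """
    _, src, vlans, _ = parse_frame(frame)
    findings: List[str] = []
    if port_mode == "access" and vlans:
        findings.append(f"{src}: tagged frame (VLAN {vlans[0]}) on access port")
    if len(vlans) > 1:
        findings.append(f"{src}: double-tagged frame, VLAN stack {vlans}")
    if port_mode == "trunk":
        for vid in vlans:
            if vid not in port_vlans:
                findings.append(f"{src}: VLAN {vid} not allowed on trunk")
    return findings


def build_frame(dst: str, src: str, vlans: List[int], payload: bytes = b"\x45" + b"\x00" * 19) -> bytes:
    """Assemble constructed test frames with the given tag stack (IPv4 ethertype inside)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vlans:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # priority/DEI bits left at zero
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


# Constructed sample frames (locally administered MACs, VLAN numbers chosen for the demo).
PHONE_MAC = "02:00:00:00:00:01"
DESK_MAC = "02:00:00:00:00:02"
UNTAGGED = build_frame(DESK_MAC, PHONE_MAC, [])
TAGGED_200 = build_frame(DESK_MAC, PHONE_MAC, [200])
DOUBLE_TAGGED = build_frame(DESK_MAC, PHONE_MAC, [1, 200])

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("tagged", TAGGED_200), ("double", DOUBLE_TAGGED)):
        print(name, parse_frame(frame)[2], audit_frame(frame, "access", [10]))
```

A real monitor would feed captured frames into audit_frame and alert on any non-empty result; the port mode and allowed-VLAN list would come from the switch configuration rather than being passed by hand.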
Old 07 December 2004, 12:57 PM
#18
CoobyS
Scooby Regular
Join Date: Nov 2004
Posts: 272

Cisco advises against VLAN as a security mechanism.

IPSEC all the way.

PS - it's CISSP!
Old 07 December 2004, 03:50 PM
#19
Dazza's-STi
Scooby Regular
Join Date: Jun 2003
Location: Some say he has frost on his helmet...
Posts: 2,970

Originally Posted by CoobyS:
Cisco advises against VLAN as a security mechanism.

IPSEC all the way.

PS - it's CISSP!

Soz topeing Horror!

Agree with IPSEC all the way... too right!

Actually Cisco advise that using VLANs as part of a security strategy isn't a problem, and that so long as everything is tied down correctly it is very effective... this however is not normally done and so it's a security risk... as I said, VLANs shouldn't be the only answer... as I've seen some places do...

Extract from CISCO security white paper...

Conclusion

The security of VLAN technology has proven to be far more reliable than its detractors had hoped for and only user misconfiguration or improper use of features have been pointed out as ways to undermine its robustness.

The most serious mistake that a user can make is to underestimate the importance of the Data Link layer, and of VLANs in particular, in the sophisticated architecture of switched networks. It should not be forgotten that the OSI stack is only as robust as its weakest link, and that therefore an equal amount of attention should be paid to any of its layers so as to make sure that its entire structure is sound.

Dazza

Security isn't my specialist subject so...
Old 07 December 2004, 08:41 PM
#20
Chris L
Scooby Regular
Join Date: May 2000
Location: MY00,MY01,RX-8, Alfa 147 & Focus ST :-)
Posts: 10,371

Just been having another think about this.

Take a look at Cisco Secure Agent (CSA), Cisco Secure Trust (CST) and Network Access Control (NAC) on the LAN. Obviously this is aimed at Cisco sites.

NAC will allow you to create temp VLANs on a single port on a switch to isolate a client because it does not match your security policy, i.e. access rights, latest AV, personal firewall, MS patches etc., and then isolate them from the main LAN until they get patched remotely. It also allows you to control access according to security policies. You can then give very specific access to specific resources once the client has been authorised. This will give you a very granular level of control and access. Great audit trails as well, which is also an important consideration.

If I think of anything else, I'll post it up

Chris
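The posture-check-then-VLAN logic described above can be written down as a small policy engine. The following is an added example, not code from the thread or from Cisco NAC: a client that fails 802.1x or fails any posture check is put on a quarantine VLAN with an audit line stating why, and a compliant client is placed on a VLAN chosen by its role. VLAN numbers, the 7-day signature threshold, the role names and the sample clients are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed VLAN numbers and thresholds; none of these come from the thread.
QUARANTINE_VLAN = 999          # isolated: the client can only reach patch and AV servers
STAFF_VLAN = 10
SECURE_VLAN = 20               # the buildings holding the sensitive data
MAX_AV_SIGNATURE_AGE_DAYS = 7


@dataclass
class Posture:
    mac: str
    switch_port: str
    authenticated: bool            # outcome of the 802.1x exchange
    role: str                      # "staff" or "secure-staff", from the authentication backend
    av_signature_age_days: int
    personal_firewall_on: bool
    missing_critical_patches: int


def posture_failures(p: Posture) -> List[str]:
    """Every reason the client fails the policy; an empty list means compliant."""
    failures: List[str] = []
    if p.av_signature_age_days > MAX_AV_SIGNATURE_AGE_DAYS:
        failures.append(f"AV signatures {p.av_signature_age_days} days old")
    if not p.personal_firewall_on:
        failures.append("personal firewall disabled")
    if p.missing_critical_patches > 0:
        failures.append(f"{p.missing_critical_patches} critical patches missing")
    return failures


def assign_vlan(p: Posture, audit: List[str]) -> int:
    """Decide the VLAN for the client's port and append one audit line explaining why."""
    who = f"port {p.switch_port} mac {p.mac}"
    if not p.authenticated:
        audit.append(f"{who}: 802.1x authentication failed -> VLAN {QUARANTINE_VLAN}")
        return QUARANTINE_VLAN
    failures = posture_failures(p)
    if failures:
        audit.append(f"{who}: non-compliant ({'; '.join(failures)}) -> VLAN {QUARANTINE_VLAN}")
        return QUARANTINE_VLAN
    vlan = SECURE_VLAN if p.role == "secure-staff" else STAFF_VLAN
    audit.append(f"{who}: compliant, role {p.role} -> VLAN {vlan}")
    return vlan


# Constructed sample clients: one healthy, one out of date, one that fails authentication.
SAMPLE_CLIENTS = [
    Posture("02:00:00:00:00:01", "Gi1/0/1", True, "secure-staff", 1, True, 0),
    Posture("02:00:00:00:00:02", "Gi1/0/2", True, "staff", 30, True, 2),
    Posture("02:00:00:00:00:03", "Gi1/0/3", False, "staff", 0, True, 0),
]


def run_nac(clients: List[Posture]) -> Tuple[List[int], List[str]]:
    """Assign every client a VLAN and return the assignments with the audit trail."""
    audit: List[str] = []
    vlans = [assign_vlan(c, audit) for c in clients]
    return vlans, audit


if __name__ == "__main__":
    assigned, trail = run_nac(SAMPLE_CLIENTS)
    for line in trail:
        print(line)
```

The audit list is the part worth keeping: every port assignment carries the reason it was made, which is what an assessor (or an auditor) will ask for.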
Old 07 December 2004, 09:16 PM
#21
super_si
Scooby Regular
Thread Starter
Join Date: Feb 2002
Location: Lurkin Somewhere
Posts: 7,951

Thanks Chris, if it's OK by you can you check the paper I write before submitting?

Check I'm not talking bollox.
Old 08 December 2004, 06:46 AM
#22
Jeff Wiltshire
Scooby Regular
Join Date: Nov 2000
Location: 412 Wheel HP Audi RS4
Posts: 2,021

There is a whole host of other things that you need to do / can do like restricting your core switches to specific MAC addresses on each port. Using Cisco CNR to manage your DHCP scopes to ensure that only devices you want to have on your network get IP addresses....

The classic is for a laptop which has a Virus to be attached to the Corporate LAN....you suddenly find out that a lot of machines are not patched or don't have the latest AV software.

The other real risk today is USB data pens....how do you stop them being used to take data from your network.

You will also need to say something about backup tapes. Typically these are left lying around and it would be trivial to restore the data from a backup tape (this is what they are meant for after all) and thus breach your security. There are products like cryptostore which encrypt the data on the tapes.

Password policy... think pass phrases rather than passwords. It's much more difficult (even impossible) to use a dictionary attack against a phrase like "hello world this is me", but something like "H3ll0w0rld" is significantly easier to attack. Think about using biometrics to authenticate (not identify) or another form of 2 part authentication.

At the end of the day it's all about risk and how you mitigate that risk.
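The pass-phrase point can be turned into a policy check. The following is an added example, not code from the thread: it undoes the common letter-for-digit substitutions a cracking rule set would try, splits the result into dictionary words, and estimates how many bits of guessing an attacker faces. "H3ll0w0rld" collapses to two dictionary words plus three substitutions, while "hello world this is me" is five words drawn independently. The word list, the assumed 100,000-word attacker dictionary, the 60-bit acceptance threshold and the substitution table are constructed assumptions for the demo.

```python
import math
import re
from typing import Dict, List, Optional

# Constructed tiny dictionary for the demo; a real cracking list is far larger.
WORDLIST = {"hello", "world", "this", "is", "me", "password", "summer",
            "welcome", "admin", "secret", "login", "letmein"}
ASSUMED_DICT_SIZE = 100_000    # assumed size of an attacker's word list, for the bit estimate
PRINTABLE_CHARSET = 94         # fallback: brute-force over printable ASCII
MIN_BITS = 60                  # acceptance threshold, an assumption for the demo

# Substitutions a rule-based cracker tries; undo them before the dictionary lookup.
LEET_CHARS = "30145@$7!"
LEET = str.maketrans({"3": "e", "0": "o", "1": "l", "4": "a", "5": "s",
                      "@": "a", "$": "s", "7": "t", "!": "i"})


def segment(token: str) -> Optional[List[str]]:
    """Split a run of letters into the fewest dictionary words, or None if it cannot be done."""
    best: Dict[int, List[str]] = {0: []}
    for end in range(1, len(token) + 1):
        for start in range(end):
            if start in best and token[start:end] in WORDLIST:
                candidate = best[start] + [token[start:end]]
                if end not in best or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best.get(len(token))


def assess(password: str) -> Dict[str, object]:
    """Rough guess-space estimate: dictionary words cost log2(dictionary) bits each,
    unrecognised runs cost brute-force bits, each leet substitution adds about one bit."""
    leet_positions = sum(1 for ch in password if ch in LEET_CHARS)
    normalised = password.lower().translate(LEET)
    tokens = [t for t in re.split(r"[^a-z]+", normalised) if t]
    words: List[str] = []
    bits = 0.0
    for tok in tokens:
        seg = segment(tok)
        if seg is None:
            bits += len(tok) * math.log2(PRINTABLE_CHARSET)
            words.append(tok)
        else:
            bits += len(seg) * math.log2(ASSUMED_DICT_SIZE)
            words.extend(seg)
    bits += leet_positions
    return {"words": words, "estimated_bits": round(bits, 1), "accepted": bits >= MIN_BITS}


if __name__ == "__main__":
    for candidate in ("H3ll0w0rld", "hello world this is me", "summer2004"):
        print(candidate, assess(candidate))
```

The numbers are only an estimate of the attacker's search space under the stated assumptions; the useful property is the ordering, which shows why the thread's two examples sit on opposite sides of any sensible threshold.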