Network security
#1
Scooby Regular
Thread Starter
Join Date: Feb 2002
Location: Lurkin Somewhere
Posts: 7,951
Bit of a dilemma here. Doing a uni assignment: there are four buildings, two of which have sensitive data, so they need secure access.
I was thinking of having a flat switched layer 2 network. If I changed to a layer 3 routed and subnetted network, in theory packets would be sent where they are supposed to go etc., so it would be secure?
Or am I missing the point........
cheers
Si
#2
Scooby Regular
In theory yes. You could have multiple subnets and keep the routing table closed so that devices in one network couldn't forward packets to another. This obviously would stop a valid device from accessing the remote network. To get around this, you could use Access Control Lists on the routers to manage traffic and only allow access from certain devices or port numbers.
It can differentiate what traffic is valid or not though. E.g. you could open port 80 from a single MAC or IP address, but it would allow all traffic on that port regardless of whether it was secure or not.
You could use a firewall to handle the low-level security and some application filter to handle application access.
Depends how secure you want it to be and what communication is required between secure and insecure networks. Most secure would be to keep them physically separate, but that's not always practical.
Stefan
#4
Scooby Regular
Yep, VLANs would segment networks on different ports of a network switch. You can then allow access from certain machines/ports/MAC addresses to the other VLAN.
I would still argue that a firewall device is much easier to manage and maintain though.
Stefan
#5
Scooby Regular
Thread Starter
Join Date: Feb 2002
Location: Lurkin Somewhere
Posts: 7,951
Yeah, never even considered a firewall!! I guess VLANs and a firewall could be used.
If I use VLANs I've no real need for subnets, have I? Same job in effect???
Si
#6
Scooby Regular
Join Date: Nov 2001
Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?
Posts: 15,239
VLANs are separate subnets on the same switch/cabling (or at least the ones I've used are).
Fibre to the desktop is also an option if you want secure transmission of data.
Personally I would have a separate subnet per building (depending on links between buildings, but then... this could get complicated for a uni assignment!).
#8
Scooby Regular
Join Date: Nov 2001
Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?
Posts: 15,239
Forget core switches / edge device/passport or server.
Communication between server and core switch would be secure due to them being in a secure comms room
Quite simply, don't use UTP to the desk; use fibre and connect it to whatever, wherever you like, as long as the other end is secure. IYSWIM.
David
#9
Scooby Regular
If at all possible try to keep the physical networking the same as the logical network. VLAN tagging is not a secure protocol and it is theoretically possible to alter the VLAN tag on a packet, which would then bypass any security system based on VLANs.
Also you should be looking for core Intrusion Prevention Devices as well as Stateful inspection firewalling.
Have a look at www.tippingpoint.com for more on IPS
#10
Scooby Regular
Thread Starter
Join Date: Feb 2002
Location: Lurkin Somewhere
Posts: 7,951
Thanks, I will have a look. Trouble is, with it being a uni assignment I have to back up everything I say with references and statements.
Thanks
Si
#11
Scooby Regular
Originally Posted by super_si
Trouble is, with it being a uni assignment I have to back up everything I say with references and statements.
#13
Scooby Regular
Join Date: May 2000
Location: MY00,MY01,RX-8, Alfa 147 & Focus ST :-)
Posts: 10,371
Sooo true Steve
Si - I too would go with the firewall / IPS approach for the data security. The days of saying 'oh that's TCP port 80 - that'll be OK' are long gone.
Speaking from the point of view of someone who has just slogged their way through (and passed) the CISSP training course, don't disregard physical building security (you can find out some more details from (ISC)²). You could also consider encrypting all traffic. Securing data using 802.1x may be an option too - I know of at least two of my customers seriously looking at this for their LANs.
So many options - you might get a few brownie points for thinking a little outside the obvious with some of these though!
Chris
#14
Scooby Regular
Thread Starter
Join Date: Feb 2002
Location: Lurkin Somewhere
Posts: 7,951
On a network, where would you place IPS(s)? Don't suppose there are any decent sites that take apart VLANs and how the tags can be changed? It would support my argument for using the IPS.
Researching 802.1x, seems to be associated with wireless communication. Does it work on a fibre/ethernet network?
Si
Last edited by super_si; 07 December 2004 at 08:40 AM.
#15
Scooby Regular
Join Date: May 2000
Location: MY00,MY01,RX-8, Alfa 147 & Focus ST :-)
Posts: 10,371
Si
802.1x is a standard way of transmitting EAP (Extensible Authentication Protocol) over wired or wireless LANs. The weakness of WEP has meant that the adoption of more security in a wireless environment is a big priority for many people. This has led to the common view that 802.1x is a wireless standard only - it isn't. Do a search on 802.1x and LAN environments - you'll find loads of whitepapers and explanations.
IPS placement really depends on the size and type of the network and what kind of access there is to the network. If the buildings had some form of external access (i.e. to another LAN or maybe the Internet), then many people place an IPS on the outside of the firewall.
In this case, I think you would be looking at network-based IPS that would monitor all traffic on a segment (normally via a mirrored port on a switch). You could also consider specific host-based IPS for individual machines. These tend to analyse log files etc. Again, there is loads of info out there on this kind of stuff. A quick search on Google should bring back loads of sites.
Last edited by Chris L; 07 December 2004 at 11:25 AM.
#16
Scooby Regular
Join Date: Jun 2002
Location: Perth, Western Australia
Posts: 1,866
Originally Posted by Chris L
...Speaking from the point-of-view of someone who has just slogged their way through (and passed ) the CISSP training course...
Mark
#17
Scooby Regular
Join Date: Jun 2003
Location: Some say he has frost on his helmet...
Posts: 2,970
Just a word of warning... If you need security, VLANs ARE NOT the only answer... VLANs were not designed as a security mechanism... It's quite easy for me to build packets and breach your security and/or sniff the network with VLANs set... Example... Just did this whilst analysing a *** site with VoIP phones... secure data out of the back of the phone... the phone on VLAN 200, the data on the native VLAN, non-VoIP... from the back of the phones (data) I can see the traffic on the voice VLAN... You would normally not expect this! And it goes to show all is not as it seems...
Although VLANs can be used as a step to securing the network it is not the only step to take... a culmination of things are required... 802.1x, sticky MAC and access lists being for starters...
Minefield subject... Hats off to the CSSIP guys... it's as bad as the CISCO stuff...
The MOD security analysts are very good at this stuff, as you'd expect, and keep us on our toes a bit!
This message will self destruct in 20 seconds...
Dazza
Amended b4 the official secrets act watchers start...
Last edited by Dazza's-STi; 07 December 2004 at 03:52 PM.
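Posts #9 and #17 above both warn that a security design resting on VLAN tags alone is fragile. As an added example that is not from the thread or any poster, the following Python parses constructed Ethernet frames, peels off stacked 802.1Q tags, and raises the findings a defender would want from a switch port or a sensor on its mirror port: a tagged frame arriving on an access port, an outer VLAN that is not permitted on a trunk, and a double-tagged frame. The TPID set, the `Frame` type and the check names are this example's own choices.

```python
import struct
from dataclasses import dataclass

# 802.1Q / 802.1ad tag protocol identifiers (TPIDs) the parser recognises.
TPIDS = {0x8100, 0x88A8, 0x9100}

@dataclass
class Frame:
    dst: str
    src: str
    vids: list        # VLAN IDs, outermost tag first
    ethertype: int    # EtherType of the payload after all tags

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet header and peel off every stacked 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, off, vids = _mac(raw[0:6]), _mac(raw[6:12]), 12, []
    while True:
        if len(raw) < off + 2:
            raise ValueError("truncated tag or EtherType field")
        (etype,) = struct.unpack_from("!H", raw, off)
        off += 2
        if etype not in TPIDS:
            return Frame(dst, src, vids, etype)
        if len(raw) < off + 2:
            raise ValueError("truncated 802.1Q TCI")
        (tci,) = struct.unpack_from("!H", raw, off)
        off += 2
        vids.append(tci & 0x0FFF)    # low 12 bits of the TCI are the VID

def ingress_findings(frame: Frame, port_mode: str, allowed_vids=()) -> list:
    """Checks a switch port (or a sensor on its mirror port) should raise."""
    findings = []
    if port_mode == "access" and frame.vids:
        findings.append(f"tagged frame (VLAN {frame.vids[0]}) on access port")
    if port_mode == "trunk" and frame.vids and frame.vids[0] not in allowed_vids:
        findings.append(f"VLAN {frame.vids[0]} not permitted on trunk")
    if len(frame.vids) > 1:
        findings.append(f"double-tagged frame, inner VLAN {frame.vids[1]}")
    return findings

def build_frame(dst: str, src: str, vids, ethertype=0x0800, payload=b"\x00" * 4) -> bytes:
    """Constructed sample frame with zero or more 0x8100 tags (test data only)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        hdr += struct.pack("!HH", 0x8100, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload
```

Feeding `parse_frame(build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [200]))` to `ingress_findings(..., "access")` flags the tagged frame that the phone-side host in post #17 should never be allowed to inject.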
#19
Scooby Regular
Join Date: Jun 2003
Location: Some say he has frost on his helmet...
Posts: 2,970
Originally Posted by CoobyS
Cisco advises against VLAN as security mechanism.
IPSEC all the way.
PS - its CISSP!
Agree with IPSEC all the way... too right!
Actually Cisco advise that using VLANs as part of a security strategy isn't a problem, and that so long as everything is tied down correctly it is very effective... this however is not normally done and so it's a security risk... as I said, VLANs shouldn't be the only answer... as I've seen some places do...
Extract from CISCO security white paper...
Conclusion
The security of VLAN technology has proven to be far more reliable than its detractors had hoped for and only user misconfiguration or improper use of features have been pointed out as ways to undermine its robustness.
The most serious mistake that a user can make is to underestimate the importance of the Data Link layer, and of VLANs in particular, in the sophisticated architecture of switched networks. It should not be forgotten that the OSI stack is only as robust as its weakest link, and that therefore an equal amount of attention should be paid to any of its layers so as to make sure that its entire structure is sound.
Dazza
Security isn't my specialist subject so...
#20
Scooby Regular
Join Date: May 2000
Location: MY00,MY01,RX-8, Alfa 147 & Focus ST :-)
Posts: 10,371
Just been having another think about this.
Take a look at Cisco Secure Agent (CSA), Cisco Secure Trust (CST) and Network Access Control (NAC) on the LAN. Obviously this is aimed at Cisco sites.
NAC will allow you to create temp VLANs on a single port on a switch to isolate a client because it does not match your security policy, i.e. access rights, latest AV, personal firewall, MS patches etc., and then isolate them from the main LAN until they get patched remotely. It also allows you to control access according to security policies. You can then give very specific access to specific resources once the client has been authorised. This will give you a very granular level of control and access. Great audit trails as well, which is also an important consideration.
If I think of anything else, I'll post it up
Chris
#22
Scooby Regular
There is a whole host of other things that you need to do / can do like restricting your core switches to specific MAC addresses on each port. Using Cisco CNR to manage your DHCP scopes to ensure that only devices you want to have on your network get IP addresses....
The classic is for a laptop which has a Virus to be attached to the Corporate LAN....you suddenly find out that a lot of machines are not patched or don't have the latest AV software.
The other real risk today is USB data pens....how do you stop them being used to take data from your network.
You will also need to say something about backup tapes. Typically these are left lying around and it would be trivial to restore the data from a backup tape (this is what they are meant for, after all) and thus breach your security. There are products like cryptostore which encrypt the data on the tapes.
Password policy... think pass phrases rather than passwords; it's much more difficult (even impossible) to use a dictionary attack against a phrase like "hello world this is me", but something like "H3ll0w0rld" is significantly easier to attack. Think about using biometrics to authenticate (not identify) or another form of 2-part authentication.
At the end of the day it's all about risk and how you mitigate that risk.
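The passphrase-versus-leetspeak point in the post above can be put in numbers. As an added example that is not the poster's, the Python below enumerates every leet mutation of a word and compares the dictionary-attack guess space of "hello world this is me" with that of "H3ll0w0rld" under one constructed attacker model: a 20,000-word common-word list, word concatenation, optional first-letter capitalisation, and the substitution table given in the code. The list size, the substitution table and the model itself are assumptions of this example, not figures from the thread.

```python
import itertools
import math

# Assumed attacker model (constructed for this example, not from the post): the
# cracker draws from a list of WORDLIST_SIZE common words, concatenates them, and
# tries every leet substitution, optionally capitalising the first letter.
WORDLIST_SIZE = 20_000
LEET = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5", "t": "7"}

def leet_variants(word: str) -> set:
    """All strings reachable by leet-substituting any subset of letters in `word`."""
    choices = [(c, LEET[c]) if c in LEET else (c,) for c in word.lower()]
    return {"".join(p) for p in itertools.product(*choices)}

def leet_password_bits(base_words: list, capitalised: bool = True) -> float:
    """log2 of the guesses for a leet-mutated concatenation of dictionary words."""
    guesses = WORDLIST_SIZE ** len(base_words) * len(leet_variants("".join(base_words)))
    if capitalised:
        guesses *= 2          # first letter upper- or lower-case
    return math.log2(guesses)

def passphrase_bits(passphrase: str) -> float:
    """log2 of the guesses for a passphrase, assuming the attacker already knows
    the word count and that every word is in the list (the attacker-friendly case)."""
    return len(passphrase.split()) * math.log2(WORDLIST_SIZE)

def compare(passphrase: str, leet_base_words: list) -> dict:
    """Guess space in bits for the two password styles discussed in the post."""
    phrase, pwd = passphrase_bits(passphrase), leet_password_bits(leet_base_words)
    return {"passphrase_bits": round(phrase, 1), "leet_bits": round(pwd, 1),
            "passphrase_harder_by_2_to_the": round(phrase - pwd, 1)}
```

`compare("hello world this is me", ["hello", "world"])` puts the five-word phrase around 71 bits against roughly 36 for the mutated two-word password, even though the attacker is assumed to know the phrase's exact structure.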