Notes 10‐1 - LPouliot/Junior-Spring-NET-330-01-Network-Design GitHub Wiki

Network Zoning, Segmentation and Isolation for Security

Reasons to Segment a Network

Reduce size of Broadcast Domains

Restrict unnecessary traffic crossing long distance and/or slow links

Conserve Public IP addresses with an organized NAT implementation

Security!

Security and Network Segmentation

What is one of the primary rules of information security:

Least Privilege

Providing network access to servers/services introduces risk – therefore

Limit access to only those remote systems that need it

Least Privilege for Network Access:

Risk Matrix

image

Network-based Defenses: Access Control

How is the system connected to the network?

  • Not connected to any network (stand-alone)?

    • The best network defense ☺

  • On a private network (not the Internet)?

    • Highly secure environments (military, utility grid…) may run separate networks
    • On the Internet?

  • Use network connections and routing devices to control access to a system

Network Defense Techniques

Technical Solutions

  • Network Address Translation (NAT)
  • Access Control Lists (ACLs)
  • Firewalls

Planning/Layout Solutions

  • Network Zoning

Network-based Defenses: Access Control

Network Address Translation:

  • Using private IP addresses internally and translating to “public” IP’s when communicating on Internet

Private IP Addresses

  • 10.0.0.0
  • 192.168.0.0
  • 172.16.0.0

Organizations use private addresses on the local network

Router translates private to public IP’s and keeps track of translation in a table.

Access Control-NAT

image

Network-based Defenses: Access Control

Routers- devices that “route” traffic between different networks (think Post Office)

  • Can create routing rule to control which networks can communicate.
  • Can create Access Control Lists (ACLs) to drop certain types of traffic
    • Spoofed addresses
    • Certain protocols

Network-based Defenses: Firewalls

Device that controls traffic in and out of a network based on ruleset

image

Layer 4 Firewalls

Rules based on Layer 3:

  • P Addresses of both internal and external computers

e.g. allow all external systems to 170.129 (Public).20.101

Allow 153.104.15.6 to 170.129 (Public).118.112

Allow 153.104.15.0/24 to 170.129 (Public).18.0/24

Deny Any to 170.129 (Public).15.0/24

And Layer 4 “Port Numbers”

  • Such as Port 80 (HTTP), 443 (HTTPS), 3389 (RDP)

e.g. allow all external systems to 170.129 (Public).20.101 on port 80

Allow 153.104.15.6:3389 to 170.129 (Public).118.112:3389

Allow 153.104.15.0/24 to 170.129 (Public).18.0/24 on port 443

Deny Any to 170.129 (Public).15.0/24 on port 3389

Layer 7 – Application Firewalls

Newer Firewalls

Can inspect entire packet – including the data

Can set rules on layers 3 and 4 plus:

  • Info in the data such as URLs
  • Particular applications, regardless of port

Examples:

  • Allow port 80 (HTTP) but block Facebook
  • Allow port 80 (HTTP) to 170.129 (Public).20.101 but block if URL contains “/admin.php”

Network Zoning

Designing networks to improve security by:

  • Placing systems with similar security requirements in “zones” protected by firewalls

  • These requirements can include:

Services they run

Who accesses them

Who manages them

Operational criticality

Data they store/process

Regulatory requirements

Case-Study Network

20,000+ node network managed by central team

Two primary data centers with 1,000+ servers

Historical use of firewalls

  • Perimeter firewalls with minimal ruleset put in place a few years ago
  • A few firewall protected VLANs in Data Center for certain administrative and research systems
  • Other data center VLANs a “hodge-podge” of administrative, academic, and research systems

Network Zoning Project - Overview

Move all servers into security “zones” behind network firewalls

  • Recognized best-practice (ISO, NIST, SANS CSC)
  • Hardware firewalls required by policy and regulations (PCI, FISMA)

Asset-based as opposed to perimeter approach to network traffic flow policy

Network Zoning Goals

Place all data center servers behind hardware firewall

Simplify rulesets as much as possible:

  • Administrative access
  • Services
  • User access

Quicker troubleshooting and incident response

Improve intrusion prevention and monitoring

Defense-in-depth

Firewall Contexts

Context: Firewall contexts can be viewed as “virtual” firewalls on the same hardware.

Reasons for configuring separate contexts include:

  • Simplify rule sets while maintaining security requirements
  • Isolate systems according to security requirements
  • Comply with policy and regulatory controls for isolation, monitoring, and logging

Planned Contexts

PCI: Systems processing credit cards

HIPAA: Systems processing/storing Protected Health Info (PHI)

ITS: Systems administered exclusively by central IT team

General: Systems administered by central IT, other IT, and/or vendors

Management: Systems used to manage network devices, building control, or other embedded devices

Other possible:

  • Research projects
  • Professional Schools (Tuck Business, Thayer Engineering)

VLAN Groups

Grouping of VLANs within a context. These can include:

  • DMZ: VLANS with systems directly accessible by Internal and/or External users.

  • Production: Production systems only directly accessible by administrators and load balancers.

  • Dev/Non-prod: Development and/or non-production systems

Grouping of VLANs within a context. These can include:

  • DMZ and Production will have both Public and Private (10.x) VLANs

  • Dev/Non-prod:

    • Firewall rule update testing
    • Allows different inbound, outbound and back-end rules
    • Policy requirement and best practice
    • Minimal impact for admins (different IP and checkbox on request)

Example Context and VLAN Table

image

image

Access-Lists on Cisco

Access-lists provide basic firewall capabilities on Cisco Routers.

Two types:

  • Standard:

Apply to source IP address or Network Only.

Layer 3

  • Extended:

Apply to source and destination IP address and/or network

Can also create rule for TCP Ports

Layer 3 and 4

Creating Access Lists

Two-Step Process

In global config mode – use ip access-list command to create list

Apply list to interface with ip access-group command

  • Interface config mode
  • Specify in or out
  • Does list apply to packets entering interface (in) or leaving interface (out)

Step 1 – Extended and Standard

Standard is: ip access-list standard name_of_list

  • Then rules: permit/deny ip_address wildcard_mask

Extended: ip access-list extended name_of_list

  • Rules: permit/deny protocol source_ip wc_mask dst_ip wc_mask (port)

Standard ACL Example

1] Create ACL:

device(config)# ip access-list standard Net1
device(config-std-nacl-Net1)# deny host 10.157.22.26 
device(config-std-nacl-Net1)# deny 10.16.4.0 0.0.0.255
device(config-std-nacl-Net1)# permit any

2] Apply to interface

device(config)# int eth 1/1 
device(config-if-e10000-1/1)# ip access-group Net1 in

Extended ACL Example

1] Create Access List:

(config)# ip access-list extended MYACL
(config-nacl-myacl)# deny tcp host 10.0.0.2 host 10.0.1.2 eq 80 
(config-nacl-myacl)# deny tcp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 eq 23 
(config-nacl-myacl)# permit ip any any

2] Apply to Interface

(config)# interface fastEthernet 0/0 
(config-if)# ip access-group MYACL in

Access-list Gotchas

Rules applied in order – top to bottom

_Hidden “Deny all” by default: _

  • When access lists are applied to an interface, a default “deny all all” is applied at the bottom
  • _So, must apply a “permit any” at the end of your list if appropriate

Regular ACLs cannot be reordered: Must delete and recreate if order is messed up

Watch your INs/OUTs: Think of the packet flow. IN is entering the interface, OUT is leaving the interface