Notes10:1NetworkZoning - echadbourne/NET-330 GitHub Wiki
Reasons to segment a network
- Reduce the size of broadcast domains
- Restrict unnecessary traffic from crossing long-distance and/or slow links
- Conserve public IP addresses with an organized NAT implementation
- Security
Security and network segmentation
What is one of the primary rules of information security?
- Least privilege
- Providing network access to servers/services introduces risk
- therefore limit network access to only those remote systems that need it
Least privilege for network access: risk matrix
Network-based defenses: Access Control
How is the system connected to the network?
- Not connected to any network (stand-alone)?
- the best network defense
- On a private network (not the internet)?
- highly secure environments (military, utility grid...) may run separate networks
- On the internet?
Use network connections and routing devices to control access to a system
Network Defense Techniques
Technical Solutions
- Network Address Translation (NAT)
- Access Control Lists (ACLs)
- Firewalls
Planning/layout solutions
- Network zoning
Access Control
Network address translation
- using private IP addresses internally and translating to "public" IPs when communicating on the Internet
Private IP addresses (the RFC 1918 ranges)
- 10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
- 172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
- 192.168.0.0/16 (192.168.0.0 - 192.168.255.255)
Organizations use private addresses on the local network
Router translates private to public IPs and keeps track of each translation in a table (this hides internal addressing and, in its usual form, drops unsolicited inbound connections, but NAT is not a substitute for a firewall ruleset)
Routers - devices that "route" traffic between different networks (think Post Office)
- Can create routing rule to control which networks can communicate
- Can create access control lists (ACLs) to drop certain types of traffic
- spoofed addresses (e.g., packets arriving from the Internet that claim an internal source address)
- certain protocols
Network Based defenses: Firewalls
Device that controls traffic in and out of a network based on ruleset
Layer 4 firewalls
Rules based on layer 3 information
- IP addresses of both internal and external computers
- ex: allow all external systems to 170.129.20.101 (a public address)
- Allow 153.104.15.6 to 170.129.118.112
- Allow 153.104.15.0/24 to 170.129.18.0/24
- Deny any to 170.129.15.0/24
And layer 4 "port numbers"
- Such as port 80 (HTTP), 443 (HTTPS), 3389 (RDP)
- ex: allow all external systems to 170.129.20.101 on port 80
- Allow 153.104.15.6:3389 to 170.129.118.112:3389
- Allow 153.104.15.0/24 to 170.129.18.0/24 on port 443
- Deny any to 170.129.15.0/24 on port 3389
Layer 7 Application Firewalls
Newer firewalls that can inspect the entire packet, including the application data (payload)
Can set rules on layers 3 and 4 plus
- Info in the data such as URLs
- Particular applications, regardless of ports
Examples:
- Allow port 80 (HTTP) but block facebook
- Allow port 80 (HTTP) to 170.129.20.101 but block if URL contains "/admin.php"
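The two layer 7 rules above, worked through in code. This is an added example, not code from the course notes or from any firewall product: it contrasts what a port-based (layer 3/4) rule can decide with what a rule that reads the HTTP request itself can decide. The blocklist, the sample requests and the client address 203.0.113.10 are constructed for the demonstration; 170.129.20.101 is the server from the notes.

```python
"""Layer 7 rule matching on HTTP request data.

Added example, not from the course notes or any firewall vendor. A layer
3/4 rule sees only addresses and ports; a layer 7 rule also reads the
application data, here a raw HTTP/1.1 request. The two rules are the ones
in the notes (allow port 80 but block facebook; allow port 80 to
170.129.20.101 but block a URL containing "/admin.php"). The blocklist,
sample requests and client address are constructed for the demonstration.
"""
from urllib.parse import unquote, urlsplit

BLOCKED_HOSTS = {"facebook.com"}   # constructed blocklist; matches the domain and its subdomains
ADMIN_SERVER = "170.129.20.101"    # the server the notes' second rule protects


def l4_decision(dst_ip: str, dst_port: int) -> str:
    """What a port-based rule can do: 'allow port 80' and nothing finer."""
    return "permit" if dst_port == 80 else "deny"


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 parser: request line plus headers (lower-cased names)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def normalize_path(path: str) -> str:
    """Percent-decode twice (to catch double encoding) and lower-case before matching,
    so '/Admin%2Ephp' or '/admin%252Ephp' cannot slip past a naive substring rule."""
    for _ in range(2):
        path = unquote(path)
    return path.lower()


def host_blocked(host: str) -> bool:
    """Match the Host value against the blocklist, ignoring port and case."""
    host = host.split(":")[0].lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in BLOCKED_HOSTS)


def l7_decision(dst_ip: str, dst_port: int, raw_request: bytes) -> str:
    """Apply the notes' two layer 7 rules on top of 'allow port 80'."""
    if l4_decision(dst_ip, dst_port) == "deny":
        return "deny"
    req = parse_http_request(raw_request)
    url = urlsplit(req["target"])                        # handles '/path' and 'http://host/path' forms
    host = url.netloc or req["headers"].get("host", "")
    path = normalize_path(url.path or "/")
    if host_blocked(host):                               # rule: allow port 80 but block facebook
        return "deny"
    if dst_ip == ADMIN_SERVER and "/admin.php" in path:  # rule: block /admin.php on this server
        return "deny"
    return "permit"


# Constructed sample requests (CRLF line endings as on the wire).
REQ_FACEBOOK = b"GET /feed HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
REQ_ADMIN_ENCODED = b"GET /Admin%2Ephp?debug=1 HTTP/1.1\r\nHost: 170.129.20.101\r\n\r\n"
REQ_INDEX = b"GET /index.html HTTP/1.1\r\nHost: 170.129.20.101\r\n\r\n"
REQ_PROXY_FORM = b"GET http://FACEBOOK.COM:80/ HTTP/1.1\r\nHost: ignored.example\r\n\r\n"

if __name__ == "__main__":
    for label, ip, raw in [("facebook", "203.0.113.10", REQ_FACEBOOK),
                           ("admin.php", ADMIN_SERVER, REQ_ADMIN_ENCODED),
                           ("index", ADMIN_SERVER, REQ_INDEX)]:
        print(label, "L4:", l4_decision(ip, 80), "L7:", l7_decision(ip, 80, raw))
```

Two caveats the code makes visible. First, the layer 4 check permits every one of the sample requests; only the layer 7 check can tell the facebook request or the /admin.php request apart from ordinary port 80 traffic. Second, a URL rule is only as good as its normalization: without the percent-decoding and case folding, "/Admin%2Ephp" would pass a literal "/admin.php" match. Note also that the notes' examples use port 80 for a reason: on port 443 the request line and Host header are inside TLS, so a rule like this needs TLS interception (or has to fall back to the server name in the TLS handshake).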
Network Zoning
Designing networks to improve security by:
- Placing systems with similar security requirements in "zones" protected by firewalls
- These requirements can include:
- Services they run
- who accesses them
- who manages them
- operation criticality
- data they store/process
- regulatory requirements
Case study network
20,000+ node network managed by central team
two primary data centers with 1,000+ servers
Historical use of firewalls
- perimeter firewalls with a minimal ruleset, put in a few years ago
- a few firewall-protected VLANs in the data center for certain administrative and research systems
- other data center VLANs a "hodge-podge" of administrative, academic, and research systems
Project Overview
Move all servers into security "zones" behind network firewalls
- recognized best-practice (ISO, NIST, SANS, CSC)
- hardware firewalls required by policy and regulations (PCI, FISMA)
- asset-based as opposed to perimeter approach to network traffic flow policy
Goals
Place all data center servers behind hardware firewall
Simplify rulesets as much as possible
- administrative access
- services
- user access
Quicker troubleshooting and incident response
Improve intrusion prevention and monitoring
Defense in depth
Firewall contexts
Context - Firewall contexts can be viewed as virtual firewalls on the same hardware
Reasons for configuring separate contexts include:
- simplify rule sets while maintaining security requirements
- isolate systems according to security requirements
- comply with policy and regulatory controls for isolation, monitoring, and logging
Planned Contexts
- PCI: Systems processing credit cards
- HIPAA: Systems processing/storing Protected Health Info (PHI)
- ITS: Systems administered exclusively by central IT team
- General: Systems administered by central IT, other IT, and/or vendors
- Management: Systems used to manage network devices, building control or other embedded devices
- Other possible:
- research projects
- professional schools (Tuck business, Thayer engineering)
VLAN groups
Grouping VLANs within a context. These can include:
- DMZ: VLANs with systems directly accessible by internal and/or external users
- Production: production systems only directly accessible by administrators and load balancers
- dev/non-prod: development and/or non-production systems
- Firewall rule update testing
- allows different inbound, outbound and back-end rules
- policy requirement and best practice
- minimal impact for admins (different IP and checkbox on request)
- DMZ and Production will have both public and private (10.x) VLANs
Access-Lists on Cisco
Access-lists provide basic firewall capabilities on Cisco routers
Two types:
- Standard
- Apply to source IP address or network only
- layer 3
- extended
- apply to source and destination IP address and/or network
- can also match on the protocol and on TCP/UDP port numbers
- layer 3 and 4
Creating access lists
Two-step process
- In global config mode - use ip access-list command to create list
- Apply list to interface with ip access-group command
- interface config mode
- specify in or out
- does list apply to packets entering interface (in) or leaving interface (out)
Step 1: Extended and standard
Standard is: ip access-list standard [name of list]
- Then rules: permit/deny [ip address] [wildcard mask] (or permit/deny any, permit/deny host [ip address])
Extended: ip access-list extended [name of list]
- rules: permit/deny protocol [source ip] [wildcard mask] [dest ip] [wildcard mask] (eq port)
- Wildcard masks are inverse masks: a 0 bit must match, a 1 bit is ignored (so a /24 is 0.0.0.255 and a single host is 0.0.0.0)
- Rules are checked top to bottom and the first match wins; every list ends with an implicit deny any, so anything not explicitly permitted is dropped
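The layer 3/4 firewall rules from the "Network Based defenses: Firewalls" section and the access-list syntax just described, worked through together in code. This is an added example, not code from the course notes or from Cisco: a small parser for the ip access-list standard/extended syntax with wildcard-mask matching, a first-match evaluator that applies the implicit deny any, and the notes' four rules written out as an extended list. The list names DC-INBOUND and MGMT-ONLY, the extra fifth rule (added to show that order matters), the 10.10.0.0/16 management range and the sample packets are constructed; the 170.129.x.x and 153.104.x.x addresses and ports come from the notes. Rules match on destination port only, since a client's source port is ephemeral.

```python
"""Cisco-style access-list parser and first-match evaluator.

Added example, not from the course notes or from Cisco: it implements the
'ip access-list standard|extended NAME' syntax and wildcard-mask semantics
described in the notes so the layer 3/4 firewall rules can be tested
offline. The list names, the fifth rule, the 10.10.0.0/16 range and the
sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # 'any': every bit is "don't care"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard masks are inverse masks: a 0 bit must match the base, a 1 bit is ignored.
    So 0.0.0.255 is a /24 and 0.0.0.0 is a single host. Bits need not be contiguous."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _take_addr(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


@dataclass
class Rule:
    action: str                   # 'permit' or 'deny'
    proto: str                    # 'ip' matches everything; 'tcp'/'udp' match that protocol only
    src: tuple                    # (base, wildcard)
    dst: tuple                    # (base, wildcard); ANY for standard lists (source-only)
    dport: Optional[int] = None   # destination port from 'eq PORT', if given


def parse_acl(text: str):
    """Parse one named list. Returns (name, kind, rules); kind is 'standard' or 'extended'."""
    lines = [ln.strip() for ln in text.strip().splitlines()
             if ln.strip() and not ln.strip().startswith("!")]
    _, _, kind, name = lines[0].split()      # ip access-list standard|extended NAME
    rules = []
    for ln in lines[1:]:
        action, *rest = ln.split()
        if kind == "standard":               # standard lists match on source only (layer 3)
            src, rest = _take_addr(rest)
            rules.append(Rule(action, "ip", src, ANY))
        else:                                # extended: protocol, source, destination, optional port
            proto, *rest = rest
            src, rest = _take_addr(rest)
            dst, rest = _take_addr(rest)
            dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
            rules.append(Rule(action, proto, src, dst, dport))
    return name, kind, rules


def evaluate(rules, src_ip, dst_ip, proto="tcp", dport=None) -> str:
    """Top-down, first match wins. Anything matching no rule hits IOS's implicit 'deny any'."""
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if not wildcard_match(src_ip, *r.src) or not wildcard_match(dst_ip, *r.dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


# The four layer 3/4 rules from the notes in IOS extended-ACL syntax, plus a constructed
# fifth rule that overlaps the deny above it: because the deny comes first, it wins.
DC_INBOUND = """
ip access-list extended DC-INBOUND
 permit tcp any host 170.129.20.101 eq 80
 permit tcp host 153.104.15.6 host 170.129.118.112 eq 3389
 permit tcp 153.104.15.0 0.0.0.255 170.129.18.0 0.0.0.255 eq 443
 deny   tcp any 170.129.15.0 0.0.0.255 eq 3389
 permit tcp host 153.104.15.6 170.129.0.0 0.0.255.255 eq 3389
"""

# A standard list: source address only (layer 3), constructed management range.
MGMT_ONLY = """
ip access-list standard MGMT-ONLY
 permit 10.10.0.0 0.0.255.255
 deny any
"""


def decide(acl_text: str, src_ip, dst_ip, proto="tcp", dport=None) -> str:
    _, _, rules = parse_acl(acl_text)
    return evaluate(rules, src_ip, dst_ip, proto, dport)


if __name__ == "__main__":
    print(decide(DC_INBOUND, "198.51.100.7", "170.129.20.101", "tcp", 80))   # permit
    print(decide(DC_INBOUND, "153.104.15.6", "170.129.15.9", "tcp", 3389))   # deny: deny line matches first
    print(decide(DC_INBOUND, "198.51.100.7", "170.129.20.101", "udp", 80))   # deny: implicit deny
    print(decide(MGMT_ONLY, "10.10.5.5", "170.129.20.101"))                  # permit
```

Step 2 on the router is then just ip access-group DC-INBOUND in on the interface facing the outside. The evaluator shows the two things that bite in practice: a UDP packet to the web server is dropped even though the rule "allows port 80", because the rule says tcp, and the same RDP packet is denied or permitted depending purely on the order of the last two lines.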