1st August 2008, 9:27 PM   #12
stalin (Thread Starter)

Network Design - Layers of Security

I will start with layers. Levels of security relate to the layers of protection you can provide. The more you have, the better your security (generally).

With more and more layers of security, however, initial costs and, more importantly, management costs increase.

The number of layers you have really is dependent on the risks your business faces. To explain what layers are in the context of GGP's question, let's look at a sample business.


1,000 users that deal with sensitive information (data classification is again another topic, and something that needs to be done before designing control systems). They wish to set up a new network to protect themselves from outside threats and to protect that information going out.



Layer 1 - Router

Your router should be the SINGLE entry point to your network; connect it to your fiber, DSL, Frame, etc. Your router should support ACLs to block bulk traffic, bogons, etc.



Layer 2 - Firewall External


After your router you get a straight IP feed into your firewall (Cisco ASA, Checkpoint, Linux iptables, etc.). Your firewall will do the bulk of your protection, and this is where your restrictive access is applied.
- All inbound access is disabled by default
- All outbound access is disabled by default
Take blocked traffic, internal and external, and log it to a log system.
No traffic from the net should be permitted directly into your internal network; all of it should pass through a server in the DMZ.
People tend to think that firewalls are all you need, but firewalls just limit the exposure; they still leave you very much exposed. Firewalls are just things full of holes, and every hole is a method of attack.



Layer 2.5 - Layer 7 Filtering/IPS

Your firewall might do this (e.g. Checkpoint AI), which ensures the traffic going through is as expected. It prevents people sending 'weirdo' traffic to your web server or mail server; it makes it conform to the correct protocols, and this removes many attack types.
If your firewall doesn't do it, or even if it does, you might like to put a separate device in. Log to your log system.



Layer 3/4 - DMZ + Host Protection

Instead of having internet traffic have direct access to internal systems, do it via proxies. Put your DNS servers, mail relays, and HTTP/FTP proxy servers in the DMZ. This way your servers have to validate and accept the specific traffic. On these servers you have your AV and anti-spam. This AV and additional sanity checking is another layer. You can run things like mod_security to do reverse proxy filtering for your web servers, so you have an Apache box in front of another Apache/IIS box doing pre-filtering. The AV vendors etc. should be Brand X. Ideally you protect IIS with Apache/Squid, and Apache with something like Squid or another different product.

Treat everything in your DMZ as hostile; don't use standard passwords etc. on DMZ hosts. DMZ hosts are your dirty boxes, don't trust them. Don't have anything in your DMZ talk back to your internal network unless you can't help it, i.e. don't have a web host out there and your Oracle DB in your internal network.
Run host intrusion detection, or other decent logs, and again send them to your log system.

While not another layer as such, honeypots are another option inside your DMZ. Put a host or two that look tasty, easy to hack or with weak passwords. Have high logging on real systems (and good monitoring) or use honeyd or something similar. You REALLY don't want your honeypot to become a legitimate tool to attack your systems with. This is where the next level helps as well.

This is a big field and can do with additional explanation if people want it.


Layer 5 - Switch ACLs


Switch ACLs between your DMZ hosts, or IPSec restrictions, or private VLANs. The reason you want this is that if one host in the DMZ is compromised, they are restricted in what else they can access. You can have a switch with virtual firewalls on it; this can work but is probably overkill for many. All you really want to do is stop/slow people's attacks, or make it too hard for them to go someplace else. Log dropped traffic; this helps you pinpoint misconfiguration and possible attacks. Make sure that traffic coming from your honeypot is all dropped and alerted.

If your network is big enough, use MPLS, but for 1,000 people it's unlikely you would do MPLS VPNs within your DMZ.



Layer 6 - Firewall DMZ

You then need to firewall the traffic coming from your DMZ into your internal network. If they get through the other controls, you don't want them having full access into your internal network. Consult vendor doco, or just log traffic to see what you need to let through.
Take blocked traffic, internal and external, and log it to a log system.
- All inbound access is disabled by default
- All outbound access is disabled by default
This firewall should be a different vendor from the first firewall. Again, if you can afford it and the device supports it, use layer 7 filters (in particular RPC *aargh*) and IPS modules to help ensure the traffic is true. Why a different vendor from the first firewall? So that if the latest IOS exploit got them through the external ASA and the 6500 Cat with IOS, it WON'T get them through the Checkpoint.



Layer 7 - Core Switch

Well done, you finally made it to the core of your internal network, where you should have VLANs or MPLS VPNs to separate traffic. Your core switch should have IDS modules and firewall modules (or ACLs) to again filter traffic. It's not feasible for most places to filter all workstation traffic, so what you generally do is create a few server VLANs and apply ACLs in and out of those VLANs.
Client VLANs should have ACLs to prevent inter-VLAN traffic. Why does Bob in Accounts need to see Fred in Finance's local PC? He doesn't, so don't let him.



Layer 7.5 - Traffic Analysis

Logging denied traffic on core switches is excessive for most people. If it concerns you, look at Lancope and use NetFlow to determine traffic patterns; it allows you to pick up worm traffic internal to your network, etc. Integration with other systems allows it to act as a network-wide IDS without the massive overheads of whole-network IDS.


Layer 8++ - Local PC

AV Brand A, which is different from your DMZ AV. Minimal local access rights and all the other million things that go into securing client systems.
Again, log information on the local systems, and local internal servers, to your log system.



You will notice from all of this that at every level you log 'bad stuff'. What this does is help you perform reactive analysis and detective work, which is great for forensic analysis if you need it, but it doesn't protect information confidentiality. However, with the latest bunch of SIEM systems (Sentinel), all of these logs, previously only ever a reactive scenario, can be used in a near-real-time preventative protection system. These, to me, are the new 'next best thing' and add a new layer to a standard network architecture.

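The post keeps coming back to one mechanic: every layer drops what it does not expect and logs the drop, and the DMZ switch ACLs must drop and alert anything sourced from the honeypot. The block below is an added example (not code from the original post or from any product it names) of the minimum triage you run over those drop logs. It parses the netfilter/iptables LOG target format and sorts dropped flows into three buckets: traffic sourced from a honeypot (alert, it is being used as a pivot), one source fanning out to many internal targets (a compromised DMZ host scanning), and one internal destination refused from many sources (usually a rule you forgot, the "misconfiguration" the post mentions). The addresses (DMZ in 192.0.2.0/24, internal in 10.0.1.0/24, honeypot 192.0.2.66), the DMZ-DROP log prefix, the thresholds and every log line are constructed for the example.

```python
"""Triage of denied-traffic logs from a netfilter/iptables firewall.

Added example: the sample lines below are constructed in the netfilter LOG target
format, not captured from a real network. Addresses, prefix and thresholds are
assumptions chosen for the example.
"""
import re
from collections import defaultdict


def netfilter_line(prefix, src, dst, dport, proto="TCP", ts="Aug  1 21:27:13"):
    """Build one syslog line the way the netfilter LOG target writes it (test data)."""
    return (f"{ts} fw-dmz kernel: {prefix}: IN=eth1 OUT=eth2 "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
            f"SRC={src} DST={dst} LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF "
            f"PROTO={proto} SPT=40000 DPT={dport} WINDOW=29200 RES=0x00 SYN URGP=0")


HONEYPOTS = {"192.0.2.66"}  # assumed honeypot address inside the DMZ (192.0.2.0/24)

SAMPLE_LINES = [
    # honeypot trying to reach an internal file server: must be dropped AND alerted
    "Aug  1 21:27:05 fw-dmz kernel: [ 1234.567890] DMZ-DROP: IN=eth1 OUT=eth2 "
    "SRC=192.0.2.66 DST=10.0.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF "
    "PROTO=TCP SPT=51515 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0",
    # unrelated syslog noise the parser has to skip
    "Aug  1 21:27:06 fw-dmz sshd[2211]: Accepted publickey for admin from 10.0.1.9 port 50022 ssh2",
]
# six DMZ hosts all refused to the internal DNS server: a missing rule, not an attack
SAMPLE_LINES += [netfilter_line("DMZ-DROP", f"192.0.2.{10 + i}", "10.0.1.53", 53, "UDP")
                 for i in range(6)]
# one DMZ host sweeping SMB across the internal range: a compromised box looking for its next hop
SAMPLE_LINES += [netfilter_line("DMZ-DROP", "192.0.2.77", f"10.0.1.{i}", 445)
                 for i in range(1, 31)]

KV = re.compile(r"\b([A-Z]+)=(\S*)")                       # KEY=value tokens
PREFIX = re.compile(r"kernel: (?:\[\s*\d+\.\d+\] )?(.*?)\s*IN=")  # text between kernel: and IN=


def parse_line(line):
    """Return {prefix, src, dst, proto, dport} for a netfilter LOG line, else None."""
    m = PREFIX.search(line)
    if not m:
        return None
    fields = dict(KV.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    dpt = fields.get("DPT", "")
    return {
        "prefix": m.group(1).strip().rstrip(":"),
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields.get("PROTO", "?"),
        "dport": int(dpt) if dpt.isdigit() else None,
    }


def triage(lines, honeypots, scan_threshold=10, hotspot_threshold=5):
    """Aggregate dropped flows three ways.

    alerts   - every drop sourced from a honeypot (someone is pivoting off it)
    scans    - one source refused to >= scan_threshold distinct dst:port pairs (fan-out)
    hotspots - one dst:port refused from >= hotspot_threshold distinct sources (fan-in,
               normally a rule that is missing or too tight rather than an attacker)
    """
    fanout = defaultdict(set)
    fanin = defaultdict(set)
    alerts = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        target = (rec["dst"], rec["dport"])
        if rec["src"] in honeypots:
            alerts.append((rec["src"], target, rec["prefix"]))
        fanout[rec["src"]].add(target)
        fanin[target].add(rec["src"])
    return {
        "alerts": alerts,
        "scans": {s: len(t) for s, t in fanout.items() if len(t) >= scan_threshold},
        "hotspots": {t: len(s) for t, s in fanin.items() if len(s) >= hotspot_threshold},
    }


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LINES, HONEYPOTS).items():
        print(kind, items)
```

Run against the constructed sample it reports one honeypot alert (192.0.2.66 to 10.0.1.5:445), one scanner (192.0.2.77 with 30 distinct targets) and one hotspot (10.0.1.53:53 refused from six DMZ hosts, which is the missing DNS rule to go and add). Feed it the real DMZ firewall and core-switch drop logs and the same three buckets are what a SIEM correlation rule would be built from.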