Secure Network Design PDF
Marymount University
Summary
This document provides an overview of secure network design, touching upon topics like network segmentation, zero trust frameworks, firewall types, and VPN technologies useful in a professional setting.
Network Segmentation Overview

Definition and Purpose: Network segmentation, or zoning, involves partitioning a network into segments to create security zones, enhancing security and managing access effectively.

Types of Security Zones:
- Trusted Zone: Contains sensitive resources, accessible only by authorized users (e.g., a private LAN).
- Untrusted Zone: External network with the lowest trust level (e.g., the Internet).
- Demilitarized Zone (DMZ): Intermediate zone protecting the trusted network from untrusted traffic (e.g., web servers).

Management Tools:
- Jump Server: A controlled access point for managing resources across different security zones, typically used by administrators to ensure secure management practices.

Zero Trust Framework Overview

Concept and Need: Zero trust is a security model that assumes both internal and external threats exist, requiring continuous authentication and authorization for all users and devices, irrespective of their network location.

Core Principles:
- The network is considered compromised.
- Trust is not based on device location.
- Every access request is authenticated and authorized.
- Security policies are dynamic and derived from multiple data sources.

Network Components:
- Control Plane: Manages authentication, authorization, and policy enforcement (includes the policy engine, trust engine, and data stores).
- Data Plane: Enforces security policies and controls access to protected resources through a policy enforcement point (PEP).

Firewalls: Types and Security Appliances Overview

Definition and Purpose: A firewall is a network device or software that controls traffic based on rules, separating trusted internal networks from untrusted external networks (e.g., the Internet).

Types of Firewalls:
- Stateless Firewall: Filters packets based solely on header information without tracking traffic flows. Uses Access Control Lists (ACLs) for decision-making.
- Stateful Firewall: Monitors active connections and tracks the state of network traffic, allowing packets belonging to established sessions.

Network Security Appliances:
- Unified Threat Management (UTM): Combines multiple security functions (e.g., firewall, intrusion detection, malware protection) into a single device for simplified management.
- Next-Generation Firewall (NGFW): Enhances traditional firewall capabilities with deep packet inspection, application-level controls, and real-time threat intelligence integration.

Firewalls: Host-based, Virtual, and Application

Firewalls are essential for controlling network traffic, whether on virtual machines, individual hosts, or specific applications.
- Virtual firewalls operate inside virtual environments, controlling traffic via bridge or hypervisor modes.
- Host-based firewalls are software running on individual hosts, managing their traffic.
- Application firewalls, especially Web Application Firewalls (WAFs), focus on application-level traffic, protecting against attacks like SQL injection.

NAT Gateway: Provides internet access to hosts in private networks by masking their private IP addresses with a single public IP. It adds an extra layer of security.

Web Filtering: Protects organizations by blocking malicious or inappropriate web content:
- DNS Filtering stops access to entire domains.
- URL Filtering blocks access to specific URLs.
- Content Filtering analyzes content to block risky or unwanted data, with automation based on predefined categories.

Network Intrusion Detection and Prevention Systems (NIDS/NIPS)

IDS Types:
- NIDS (Network-based Intrusion Detection System) monitors network traffic for malicious activity.
- HIDS (Host-based IDS) focuses on protecting individual hosts.
- NIPS (Network-based Intrusion Prevention System) not only detects but actively blocks threats in real time.

Deployment Modes:
- Inline mode is active at the network edge, allowing real-time attack blocking.
- Passive mode monitors network traffic without directly interacting; it is useful for analysis but cannot prevent attacks.

Detection Methods:
- Signature-based detection identifies threats using pre-defined attack signatures but struggles with new attacks (e.g., zero-day threats).
- Anomaly-based detection builds a model of normal behavior and flags deviations, which can lead to false positives.
- Behavior-based detection focuses on abnormal actions by processes (e.g., scanning multiple ports).
- Heuristic-based detection is adaptive and updates its signatures dynamically, making it useful for detecting new threats.

VPN: Virtual Private Network

A VPN enables private communication over public networks, ensuring confidentiality.
- Site-to-Site VPN is often used to connect different locations within the same organization, such as connecting a branch office to HQ.
- Client-to-Site VPN allows individual remote users to securely connect to a network (e.g., remote work).

Tunneling Modes:
- Full Tunnel encrypts all traffic; it is more secure but slower due to encryption overhead.
- Split Tunnel only encrypts private traffic, allowing other traffic (like accessing public websites) to bypass the VPN. It is faster but less secure.

VPN Protocols:
- SSL/TLS (Secure Sockets Layer/Transport Layer Security) ensures secure communication over the web (e.g., HTTPS) and is used in SSL VPNs.
- IPsec secures data at the network layer and is commonly used for site-to-site connections.
- L2TP (Layer 2 Tunneling Protocol) is often paired with IPsec for secure tunneling at the data link layer.

Port Security
- Port Security involves protecting data link layer (OSI Layer 2) traffic on devices like switches, firewalls, and routers.
- Common port security methods include:
  - Port Disablement: Disabling unused ports to prevent unauthorized devices from connecting.
  - MAC Filtering: Allowing only specific MAC addresses to connect to a port. However, this is not fully secure, as MAC addresses can be spoofed.
  - IEEE 802.1X: Requires devices to authenticate before accessing the network via a port.

Network Loop Prevention
- Network loops occur when there is more than one path between two endpoints at Layer 2. This causes broadcast storms due to repeated rebroadcasting of packets.
- Broadcast storm prevention methods include disabling ports and limiting broadcast traffic.
- Bridge Protocol Data Unit (BPDU): Switches exchange BPDU packets to detect loops and prevent them using the Spanning Tree Protocol (STP).

DHCP Snooping
- DHCP Snooping is a Layer 2 control mechanism that prevents unauthorized DHCP servers (rogue servers) from providing network configuration to clients.
- Trusted Ports: Receive traffic from legitimate DHCP servers.
- Untrusted Ports: Block rogue DHCP traffic.
- Attacks Prevented by DHCP Snooping:
  - DHCP Spoofing: Redirects client traffic by providing forged DHCP responses.
  - DHCP Starvation: Depletes the DHCP server's IP address pool, preventing legitimate clients from connecting (a form of DoS attack).

Load Balancing

Load balancing involves distributing network or application traffic across multiple servers to improve capacity, reliability, and performance. It can be implemented using either hardware or software and typically operates at the transport layer (Layer 4) or application layer (Layer 7). For example, a web server load balancer distributes HTTP and HTTPS traffic to multiple web servers using a virtual IP address and port numbers.

Session Persistence (Sticky Session): A feature where a load balancer ensures a client's requests are directed to the same server during a session. This helps improve user experience and reduce latency.

Modes of Operation:
- Active/active: Both load balancers work together to distribute traffic. This mode increases capacity and redundancy but comes at a higher cost.
- Active/passive: A primary load balancer is active, and a secondary load balancer is on standby. The passive load balancer takes over when the active one fails, ensuring uninterrupted service. This is commonly used for disaster recovery.

Load Balancer Scheduling Algorithms:
- Least connection: Distributes traffic to the server with the fewest active connections.
- Least response time: Considers both the fewest active connections and the lowest response time.
- Round robin: Sequentially distributes traffic across all servers.
- IP hash: Routes traffic based on the client's IP address.

Data Center Traffic

Data center traffic is classified into two segments based on the direction of data flow:
- East-west traffic: Internal data traffic between components (e.g., servers, routers) within the same data center or between data centers in the same security zone. For example, traffic between servers in a LAN.
- North-south traffic: Data that enters (southbound traffic) or leaves (northbound traffic) a data center. This traffic crosses security zones and includes web requests or data uploads.

Intranet and Extranet
- Intranet: A private, secure network accessible only by an organization's authorized internal users. It is typically used for internal communication, such as employee directories or timesheet management. The public cannot access the intranet.
- Extranet: A controlled network that provides external partners, vendors, or customers with limited access to an organization's intranet. It enables external parties to securely access specific internal data. For example, a supply chain partner may access the retailer's purchasing needs via the extranet.

Intranet vs Extranet
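The stateless-versus-stateful firewall distinction from the firewall section, as an added example (not part of the original notes): a header-only ACL beside a filter that keeps a connection table. Packet fields, the published port 443 and the traffic sample are constructed for the illustration.

```python
from dataclasses import dataclass
# Constructed packet model: TCP 5-tuple, flags, and the interface it arrived on
# ("in" = from the untrusted zone, "out" = from the trusted LAN).
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    direction: str

PUBLISHED_PORTS = {443}  # hypothetical DMZ web service reachable from the Internet

def stateless_acl(pkt):
    """ACL decision from header fields only; nothing is remembered between packets."""
    if pkt.direction == "out":
        return True                     # the LAN may initiate anything
    if pkt.dport in PUBLISHED_PORTS:
        return True                     # published service
    # Classic "established" ACL entry: an inbound packet with ACK set is assumed
    # to be a reply to a LAN session. A stateless filter cannot verify that.
    return "ACK" in pkt.flags

class StatefulFirewall:
    """Connection table: inbound traffic passes only if it matches a session the LAN opened."""
    def __init__(self):
        self.sessions = set()           # (lan_ip, lan_port, remote_ip, remote_port)

    def allow(self, pkt):
        if pkt.direction == "out":
            if "SYN" in pkt.flags:      # new outbound session, remember it
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.dport in PUBLISHED_PORTS:
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def compare(packets):
    """Run one packet sequence through both filters; returns (stateless, stateful) per packet."""
    fw = StatefulFirewall()
    return [(stateless_acl(p), fw.allow(p)) for p in packets]
# Constructed traffic: a LAN host opens a web session, the reply comes back, and
# then an unsolicited inbound packet to port 445 arrives with only ACK set.
TRAFFIC = [
    Packet("10.0.0.5", 51000, "203.0.113.9", 80, frozenset({"SYN"}), "out"),
    Packet("203.0.113.9", 80, "10.0.0.5", 51000, frozenset({"SYN", "ACK"}), "in"),
    Packet("198.51.100.7", 40000, "10.0.0.5", 445, frozenset({"ACK"}), "in"),
]
```

The third packet shows the difference: the ACL admits it on the strength of a flag bit, while the stateful filter drops it because no LAN session matches.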
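The trusted/untrusted port logic from the DHCP Snooping section, as an added example (not vendor code or part of the original notes): server replies are accepted only on trusted ports, and untrusted ports get a client-MAC consistency check plus a DISCOVER rate limit against starvation. Port names, MAC addresses and the limit are constructed.

```python
from collections import defaultdict

# DHCP message types (option 53 values from RFC 2132) used in the example.
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
SERVER_MESSAGES = {OFFER, ACK}

class DhcpSnooping:
    """Switch-side DHCP snooping model (added example, not a real switch implementation).

    Trusted ports face the legitimate DHCP server; every other port is untrusted.
    Port names and the per-port limit are constructed for the example.
    """

    def __init__(self, trusted_ports, max_discovers_per_port=5):
        self.trusted = set(trusted_ports)
        self.max_discovers = max_discovers_per_port
        self.discovers = defaultdict(int)   # DISCOVER counter per untrusted port
        self.bindings = {}                  # client MAC -> (ip, port) learned from valid ACKs
        self.log = []

    def _drop(self, reason):
        self.log.append("drop: " + reason)
        return False

    def filter(self, port, src_mac, msg_type, chaddr, yiaddr=None):
        """Return True if the DHCP frame is forwarded, False if it is dropped."""
        if msg_type in SERVER_MESSAGES:
            # Spoofing defence: OFFER/ACK may only enter on a trusted port.
            if port not in self.trusted:
                return self._drop(f"DHCP server message on untrusted port {port} from {src_mac}")
            if msg_type == ACK:
                self.bindings[chaddr] = (yiaddr, port)   # record the lease the server granted
            return True
        if port in self.trusted:
            return True
        # Starvation defence on untrusted ports: the client hardware address in the
        # DHCP payload must match the frame's source MAC, and DISCOVERs are rate limited.
        if chaddr != src_mac:
            return self._drop(f"chaddr {chaddr} does not match source MAC {src_mac} on {port}")
        if msg_type == DISCOVER:
            self.discovers[port] += 1
            if self.discovers[port] > self.max_discovers:
                return self._drop(f"DISCOVER rate limit exceeded on {port}")
        return True
```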
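The four scheduling algorithms and session persistence from the Load Balancing section, as an added example (not part of the original notes): each scheduler is a function from client IP to backend name, and sticky sessions are layered over whichever scheduler is chosen. The backend pool, its connection counts and response times are constructed.

```python
import hashlib
import itertools

# Constructed backend pool: active connections and last measured response time (ms).
POOL = {
    "web1": {"conns": 4, "rt_ms": 120},
    "web2": {"conns": 2, "rt_ms": 300},
    "web3": {"conns": 2, "rt_ms": 80},
}

def round_robin(pool):
    """Sequential rotation through the servers, ignoring their current load."""
    order = itertools.cycle(sorted(pool))
    return lambda client_ip: next(order)

def least_connection(pool):
    """Server with the fewest active connections (server name breaks ties)."""
    return lambda client_ip: min(pool, key=lambda s: (pool[s]["conns"], s))

def least_response_time(pool):
    """Fewest active connections first, then the lowest response time."""
    return lambda client_ip: min(pool, key=lambda s: (pool[s]["conns"], pool[s]["rt_ms"], s))

def ip_hash(pool):
    """Same client IP always maps to the same server; no per-client state on the balancer."""
    servers = sorted(pool)
    def pick(client_ip):
        digest = hashlib.sha256(client_ip.encode()).digest()
        return servers[int.from_bytes(digest[:4], "big") % len(servers)]
    return pick

class StickyBalancer:
    """Session persistence over any scheduler: the first request of a session is
    scheduled normally, later requests with the same session id reuse that server."""
    def __init__(self, scheduler):
        self.scheduler = scheduler
        self.sessions = {}    # session id -> server

    def route(self, client_ip, session_id):
        if session_id not in self.sessions:
            self.sessions[session_id] = self.scheduler(client_ip)
        return self.sessions[session_id]
```

Note that least connection and least response time pick different servers for the same pool (web2 and web3 tie on connections, but web3 answers faster), which is the distinction the notes draw between the two.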