CCSP Self-Study CCSP CSI: Exam Certification Guide, Second Edition [Electronic resources] - text version

  • Corporate Internet Module in Medium-Sized Networks


    The Corporate Internet module provides internal users with connectivity to Internet services and provides Internet users with access to information on the corporate public servers. This module also provides remote access for remote locations and telecommuters through VPN connectivity, as well as access for traditional dial-in users. This module is more complex than the corresponding module described in Chapter 13. The added complexity results from the addition of a dedicated VPN device for terminating remote-access users, the placement of NIDS sensors on key segments of the module, the provision of an edge router, and the facility to accommodate PSTN remote-user access in the design.

    Figure 15-2. Medium-Sized Network Corporate Internet Module

    Mitigating Threats in the Corporate Internet Module


    The most likely point of attack within the Corporate Internet module is on the public services segment. Positioned on this segment are the publicly addressed servers. The expected threats on the public services segment and the mitigation actions to counter them are described in Table 15-3.

    Table 15-3. Corporate Internet Module: Threats Against Public Services and Threat Mitigation

    | Threat | Threat Mitigation |
    |---|---|
    | Application layer attacks | Mitigated by using host-based IPSs and NIDSs |
    | DoS | Mitigated by using committed access rate (CAR) at the ISP edge and TCP setup controls at the firewall to limit exposure |
    | IP spoofing | Mitigated by using RFC 2827 and RFC 1918 filtering at the ISP edge and at the edge router of the medium-sized network |
    | Network reconnaissance | Mitigated by using IDS; protocols are filtered to limit effectiveness |
    | Packet sniffers | Mitigated by using a switched infrastructure and a host-based IPS to limit exposure |
    | Password attacks | Mitigated by limiting the services that are available to brute force; the operating system and IDS can detect the threat |
    | Port redirection | Mitigated by using restrictive filtering and a host-based IPS to limit attacks |
    | Trust exploitation | Mitigated by using a restrictive trust model and private VLANs to limit trust-based attacks |
    | Unauthorized access | Mitigated by using filtering at the ISP, edge router, and corporate firewalls |
    | Virus and Trojan-horse attacks | Mitigated by using a host-based IPS, virus scanning at the host level, and content filtering on e-mail |

    The VPN services that are found within the Corporate Internet module of the medium-sized network design are also vulnerable to attack. The expected threats and mitigation actions for these services are described in Table 15-4.

    Table 15-4. Corporate Internet Module: Threats Against VPN Services and Threat Mitigation

    | Threat | Threat Mitigation |
    |---|---|
    | Man-in-the-middle attacks | Mitigated by encrypting remote traffic |
    | Network topology discovery | Mitigated by using ACLs on the ingress router to limit access to the VPN concentrator and firewall and, if terminating VPN traffic, to Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) from the Internet |
    | Packet sniffers | Mitigated by using a switched infrastructure to limit exposure |
    | Password attacks | Mitigated by using one-time passwords (OTPs) |
    | Unauthorized access | Mitigated by using firewall filtering and by preventing traffic on unauthorized ports |

    The threat-mitigation roles performed by the various devices that are found within the medium-sized corporate Internet module are shown in Figure 15-3.

    Figure 15-3. Medium-Sized Network Corporate Internet Module Threat-Mitigation Roles


    Design Guidelines


    The Corporate Internet module in the medium-sized network design consists of the following key devices, which have different functional roles within the design:

    • ISP router
      Provides Internet connectivity

    • Edge router
      Provides a demarcation point between the ISP and the network

    • Firewall
      Provides stateful filtering and site-to-site VPN termination

    • Intrusion detection
      Detects attacks from permitted firewall traffic

    • Remote-access VPN
      Provides secure connectivity for remote users

    • Dial-in access server
      Provides secure connectivity for dial-in remote users

    • Layer 2 switch
      Provides Layer 2 connectivity

    • Inside router
      Provides Layer 3 separation and routing between the Corporate Internet and Campus modules


    The various roles that the preceding devices play can be broken down into the following more general areas, which are described in depth next:

    • Filtering and access control

    • Intrusion detection

    • Remote access

    • Layer 2 services

    • Layer 3 services


    Filtering and Access Control

    Within the medium-sized network design, the ISP router, the edge router, and the firewall provide filtering and access control of perimeter traffic. It is generally ideal to implement some form of security filtering on the perimeter traffic flow even before that traffic hits the firewall. Table 15-5 outlines the filter parameters that can be applied on the ISP and edge routers to restrict perimeter traffic flow, and the corresponding threat mitigation.

    Table 15-5. Perimeter Traffic Flow Filtering

    | Filter Location | Flow | Filter Description | Mitigation |
    |---|---|---|---|
    | ISP router | Egress | The ISP rate-limits nonessential traffic that exceeds a predefined threshold | DDoS |
    | ISP router | Egress | RFC 1918 and RFC 2827 filtering | IP spoofing |
    | Edge router | Ingress | Coarse IP filtering for expected traffic | General attacks |
    | Edge router | Ingress | RFC 1918 and RFC 2827 filtering | IP spoofing; verifies ISP filtering |
    | Edge router | Ingress | VPN- and firewall-specific traffic filtering | Unauthorized access |

    The primary function of the stateful firewall within the medium-sized network design is to provide connection-state enforcement and detailed filtering for sessions that are initiated through the firewall.

    The firewall consists of two segments: a public services segment and a remote-access segment. The firewall also acts as a termination point for site-to-site IPSec VPN tunnels for both production and management traffic from remote sites. Additionally, the advanced features within the software protect against TCP synchronization (TCP SYN) attacks on the publicly facing servers by limiting the number of half-open sessions through the firewall.

    With reference to the public services segment, the filtering of traffic should control not only the flow of traffic destined to specific addresses and ports on the public services segment but also the flow of traffic from the segment. This additional level of filtering prevents an attacker who may have compromised one of the public servers from using that server as a platform to launch further attacks on the network. For example, if an intruder has managed to circumvent the firewall and IDS security features on a public-facing DNS server, that server should be permitted only to reply to requests, not to originate a request. This prevents an intruder from using a compromised platform to launch additional attacks.

    Finally, the use of private VLANs on the demilitarized zone (DMZ) switches prevents a compromised server from being used to attack other servers on the same segment. This type of vulnerability is not detectable by the firewall, so the implementation of private VLANs is especially important.
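    The RFC 1918/2827 rows of Table 15-5 and the "reply only" rule for the public DNS server, modelled as packet checks. This is an added illustration, not code from the book or from any Cisco product; the 203.0.113.0/24 prefix and the DNS server address are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for this example (not taken from the book): the
# medium-sized network owns 203.0.113.0/24, and its public DNS server on the
# public services segment is 203.0.113.53.
OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")
DNS_SERVER = ipaddress.ip_address("203.0.113.53")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    sport: int
    dport: int
    new_conn: bool = False  # TCP SYN without ACK: an attempt to originate a session


def edge_ingress_filter(pkt: Packet) -> str:
    """Edge-router ingress check on traffic arriving from the ISP.
    Mirrors the RFC 1918 / RFC 2827 rows of Table 15-5."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in RFC1918):
        return "deny-rfc1918"   # private source space should never arrive from the Internet
    if src in OUR_PREFIX:
        return "deny-rfc2827"   # a packet from outside claiming our own address is spoofed
    return "permit"


def edge_egress_filter(pkt: Packet) -> str:
    """Edge-router egress check on traffic leaving for the ISP: anything not
    sourced from our own prefix would be spoofed traffic we are emitting."""
    if ipaddress.ip_address(pkt.src) not in OUR_PREFIX:
        return "deny-rfc2827"
    return "permit"


def public_segment_egress_filter(pkt: Packet) -> str:
    """Firewall rule for traffic leaving the public services segment: the DNS
    server may answer queries but must never originate a connection."""
    if ipaddress.ip_address(pkt.src) != DNS_SERVER:
        return "permit"          # other hosts on the segment get their own rules
    if pkt.sport == 53 and not pkt.new_conn:
        return "permit"          # reply to a query the firewall already let in
    return "deny-originated"     # a compromised server reaching out
```

The edge ingress check is the one that "verifies ISP filtering" in the table: it must reject the same packets the ISP should already have dropped.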

    Intrusion Detection

    Within the medium-sized network design, both host-based IPS and NIDS are used. The placement of a NIDS appliance on the public services segment provides the facility to detect attacks that have already been permitted by the firewall. Most commonly, these attacks are application layer attacks that are aimed at specific services. Because traffic at this point has been permitted through the firewall, the NIDS appliance should be configured to act in a restrictive mode for matched signatures.

    Every server on the public services segment should be configured with a host-based IPS, which enables you to monitor any rogue activity at the operating system level. A host-based IPS can also be configured to monitor certain common server applications. Additionally, all public services applications, such as web, e-mail, and DNS services, should be hardened as much as possible so that any unnecessary responses cannot be used to assist an intruder in network reconnaissance.

    The placement of a NIDS appliance on the segment between the inside interface of the firewall and the internal router provides for a final analysis of traffic that detects even the most determined of attacks. Traffic on this segment has already been filtered by the firewall and should consist only of these elements: responses to internally initiated requests, traffic from the remote-access segment, and traffic from selected ports of the public servers on the public services segment.

    A typical example of an attack that might be encountered on this segment is one in which the attacker compromises one of the public servers on the public services segment. The attacker could then use the compromised server to launch further attacks against the internal network. Consequently, any response to an attack on this segment that is recognized should be more severe than on other segments in the network, because an attack here normally indicates that a server has been compromised. You should seriously consider implementing TCP resets or shunning in response to any detected attack.

    Remote Access

    Remote-access connectivity in the medium-sized network design is provided by the use of remote-access VPNs and traditional dial-in services. VPN connectivity is provided through the use of a VPN concentrator, whereas dial-in services are provided through the use of an access server.

    By using a remote-access VPN concentrator, remote VPN users can be offered secure connectivity. When a remote user initiates a VPN session, the VPN concentrator authenticates the remote user's credentials by querying an access control server (ACS), located on the internal network, before allowing the remote user access to the network. This ACS can interact with a one-time password (OTP) server, if required, to validate the user's credentials.

    After the user is authenticated, a specific IPSec policy can be sent from the VPN concentrator to the client to determine the characteristics of the remote connection. Characteristics such as the tunnel mode, encryption standards, and data-integrity standards to be used are passed in the IPSec policy. The following IPSec parameters are recommended in the SAFE medium-sized network design: no split tunneling (tunnel everything); use Triple Data Encryption Standard (3DES) for encryption; and use Secure Hash Algorithm/Hash-Based Message Authentication Code (SHA/HMAC) for data integrity. Finally, granular control over remote VPN users is achieved by placing the VPN concentrator in front of the firewall. By doing this, the VPN tunnels terminate in front of the firewall and thereby permit the filtering of these remote users as their traffic transits the firewall.

    Traditional dial-in remote users are catered to within the medium-sized network design by the use of an access server with built-in modems. User authentication is achieved by the use of the Challenge Handshake Authentication Protocol (CHAP) and, as in the remote-access VPN service, an ACS. Once authenticated, the users are allocated an IP address from a pool of addresses. As with the remote VPN users, you can achieve granular control of the dial-in users when the access server is placed on a separate segment, in front of the firewall, enabling you to apply appropriate filtering as dial-in user traffic transits the firewall.

    Layer 2 Services

    Layer 2 connectivity between devices in the Corporate Internet module is provided by the use of individual switches on each segment rather than a single switch using multiple VLANs. The placement of individual switches on each segment of the firewall allows for the physical separation of segments and helps to mitigate against a switch being compromised by misconfiguration. Each switch also provides private VLAN support, if required, for its corresponding segment.

    Layer 3 Services

    An inside router is placed in the medium-sized network design to provide Layer 3 separation and routing between the Corporate Internet and Campus modules. This router performs no filtering of any kind and provides a demarcation point between the routed intranet and the Corporate Internet module and, hence, the outside of the network. To mitigate against DoS attacks using routing updates, it is recommended that you use authenticated routing updates.
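    What "authenticated routing updates" buys the inside router, as an added example that is not from the book: each update carries a keyed digest, and a receiving router discards updates that lack it or fail the check, so forged or unsolicited updates never reach the routing process. The shared key and the JSON message shape are constructed for the example; HMAC-SHA256 stands in for the MD5-based schemes routers of that era used.

```python
import hashlib
import hmac
import json

# Constructed shared key for this example; on a real router the key is part of
# the routing-protocol configuration and is shared by the neighbouring routers.
SHARED_KEY = b"example-routing-key"


def canonical(update: dict) -> bytes:
    """Serialize the update deterministically so both routers hash the same bytes."""
    return json.dumps(update, sort_keys=True, separators=(",", ":")).encode()


def sign_update(update: dict, key: bytes = SHARED_KEY) -> dict:
    """Sending-router side: attach a keyed digest to a routing update."""
    tag = hmac.new(key, canonical(update), hashlib.sha256).hexdigest()
    return {"update": update, "auth": tag}


def accept_update(message: dict, key: bytes = SHARED_KEY) -> str:
    """Receiving-router side. Returns 'accept', 'reject-missing-auth' or
    'reject-bad-auth'. Anything that is not accepted is dropped before the
    routing table is touched, which is what blunts a routing-update DoS."""
    tag = message.get("auth")
    if not tag:
        return "reject-missing-auth"
    expected = hmac.new(key, canonical(message["update"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return "reject-bad-auth"
    return "accept"
```

Real routing-protocol authentication also carries a sequence number to reject replayed updates; that part is omitted here.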

    Design Alternatives


    The Corporate Internet module discussed in the previous section can have a number of alternative designs, which are summarized in the following list and then explored in more detail:

    • The basic filtering of the edge router can be replaced with the advanced functionality of a Cisco IOS Firewall router

    • A NIDS appliance can be placed on the outside of the firewall

    • The inside router located between the firewall and the Campus module can be removed

    • A form of content inspection can be added, such as URL filtering


    Replacing the basic filtering of the edge router with the advanced functionality of a Cisco IOS Firewall router provides not only general filtering but also a second stateful firewall within the design. Having two stateful firewalls provides more of a defense-in-depth approach to security within the module.

    Placing a NIDS appliance on the outside of the firewall enables you to monitor the types of attacks the network is experiencing and the effectiveness of the ISP and edge filters. Because this configuration has the potential to generate a high number of alarms, you must carefully set up the IDS and filtering parameters. You should consider setting up a separate monitoring station to report these events so that you don't miss legitimate alarms from other segments.
