Campus Module in Medium-Sized Networks
The Campus module of the medium-sized network design provides end-user workstations, corporate intranet servers, management servers, and the associated Layer 2 and Layer 3 functionality that the network requires (see Chapter 13). The features that are new in the medium-sized network Campus module are a Layer 3 switch and a NIDS sensor.
Figure 15-4. Medium-Sized Network Campus Module

Mitigating Threats in the Campus Module
Expected threats against the Campus module and the mitigation actions to counter them are described in Table 15-7.
| Threat | Threat Mitigation |
|---|---|
| Application layer attacks | Mitigated by keeping operating systems, devices, and applications up to date with the latest security fixes and by protecting hosts with host-based IPSs |
| IP spoofing | Mitigated by using RFC 2827 filtering to prevent source-address spoofing |
| Packet sniffers | Mitigated by using a switched infrastructure to limit the effectiveness of sniffing |
| Password attacks | Mitigated by using an ACS (Cisco Secure Access Control Server) to enforce strong two-factor authentication for key applications |
| Port redirection | Mitigated by using host-based IPSs to prevent port redirection agents from being installed |
| Trust exploitation | Mitigated by using private VLANs to prevent hosts on the same subnet from communicating unless necessary |
| Unauthorized access | Mitigated by using host-based IPS and application access control |
| Virus and Trojan-horse applications | Mitigated by using host-based virus scanning |
Figure 15-5. Medium-Sized Network Campus Module Threat-Mitigation Roles

Design Guidelines
The medium-sized network Campus module consists of several key devices that provide the necessary Layer 2 and Layer 3 connectivity and other functional requirements of the corporate campus network. The functionality and connectivity are provided by the following devices:
- Core switch
- Access switches
- IDSs
Core Switch
The main purpose of the campus core switch is to provide the following services:
- Routing and switching for management and production data
- Distribution layer services for the building access switches
- Corporate and management server connectivity
- Traffic filtering
The Campus module uses a Layer 3 core switch in preference to a Layer 2 core switch for four reasons:
- The design uses multiple VLANs, so that the corporate servers, management servers, user connectivity functions, WAN module, and Corporate Internet module each reside on their own VLAN.
- By using separate VLANs with access control, inter-VLAN traffic filtering can be introduced, which can mitigate the chance of users on one VLAN accessing confidential information on another VLAN of the network. For example, a network that contains administration, engineering, finance, and sales departments might segment off the finance server to a specific VLAN and filter access to it, ensuring that only finance staff have access. For performance reasons, it is important that this access control be implemented on a hardware platform that can deliver filtered traffic at near-wire rates. This setup generally dictates the use of Layer 3 switching, as opposed to more traditional dedicated routing devices.
- To mitigate against trust-exploitation attacks and address spoofing, private VLANs and RFC 2827 filtering should be used on the corporate user and corporate server VLANs.
- Extensive filtering should be used on the management VLAN to control the flow of management traffic between both local devices and devices located at remote sites. Both Layer 3 and Layer 4 access control should be implemented to restrict traffic flow between managed hosts and the management servers. This filtering should only permit the specific management protocols and services that are required between the managed device and management server.
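The following Cisco IOS configuration is an added example, not part of the original design guide, showing the three filtering functions just listed on the Layer 3 core switch: an RFC 2827 ingress filter on a user VLAN, inter-VLAN filtering that restricts a finance server to finance staff, and Layer 3/Layer 4 filtering on the management VLAN in both directions. The VLAN numbers, addresses, and the set of management protocols (SSH, SNMP, syslog, NTP) are assumptions made for the example.

```cisco
! Added example; addressing is assumed, not taken from the design guide:
!   VLAN 10  corporate users    10.1.10.0/24   gateway 10.1.10.1
!   VLAN 11  finance users      10.1.11.0/24
!   VLAN 20  corporate servers  10.1.20.0/24   finance server 10.1.20.50
!   VLAN 60  management         10.1.60.0/24   management server 10.1.60.10
!   Managed devices at the remote site are assumed to be in 10.2.0.0/16.
!
! --- Corporate user VLAN: RFC 2827 ingress filtering --------------------
ip access-list extended VLAN10-IN
 remark Private VLANs block direct Layer 2 contact, but a host can still
 remark address a neighbour's IP to the gateway MAC and have the switch route
 remark it back into the VLAN. Deny routed same-subnet traffic to close this.
 remark (Also stops hosts reaching the SVI address itself; the switch is
 remark managed from the management VLAN, not from user ports.)
 deny   ip 10.1.10.0 0.0.0.255 10.1.10.0 0.0.0.255 log
 remark DHCP clients source 0.0.0.0 before they hold an address
 permit udp host 0.0.0.0 eq 68 host 255.255.255.255 eq 67
 remark RFC 2827: only this VLAN's own addresses are valid sources
 permit ip 10.1.10.0 0.0.0.255 any
 deny   ip any any log
!
! --- Server VLAN: inter-VLAN filtering for the finance server -----------
ip access-list extended VLAN20-OUT
 permit ip 10.1.11.0 0.0.0.255 host 10.1.20.50
 remark The management server still has to reach it (VLAN60-IN limits what it may send)
 permit ip host 10.1.60.10 host 10.1.20.50
 deny   ip any host 10.1.20.50 log
 permit ip any 10.1.20.0 0.0.0.255
 deny   ip any any log
!
! --- Management VLAN: Layer 3 and Layer 4 control in both directions ----
! Management server -> managed hosts: SSH (tcp/22), SNMP polls (udp/161),
! and the replies to NTP requests the managed hosts sent it
ip access-list extended VLAN60-IN
 permit tcp host 10.1.60.10 10.1.20.0 0.0.0.255 eq 22
 permit tcp host 10.1.60.10 10.2.0.0 0.0.255.255 eq 22
 permit udp host 10.1.60.10 10.1.20.0 0.0.0.255 eq 161
 permit udp host 10.1.60.10 10.2.0.0 0.0.255.255 eq 161
 permit udp host 10.1.60.10 eq 123 10.1.20.0 0.0.0.255
 permit udp host 10.1.60.10 eq 123 10.2.0.0 0.0.255.255
 deny   ip any any log
!
! Managed hosts -> management server: syslog (udp/514), SNMP traps (udp/162),
! NTP requests (udp/123), and replies to the server's SSH sessions and polls
ip access-list extended VLAN60-OUT
 permit udp 10.1.20.0 0.0.0.255 host 10.1.60.10 eq 514
 permit udp 10.2.0.0 0.0.255.255 host 10.1.60.10 eq 514
 permit udp 10.1.20.0 0.0.0.255 host 10.1.60.10 eq 162
 permit udp 10.2.0.0 0.0.255.255 host 10.1.60.10 eq 162
 permit udp 10.1.20.0 0.0.0.255 host 10.1.60.10 eq 123
 permit udp 10.2.0.0 0.0.255.255 host 10.1.60.10 eq 123
 permit tcp 10.1.20.0 0.0.0.255 eq 22 host 10.1.60.10 established
 permit tcp 10.2.0.0 0.0.255.255 eq 22 host 10.1.60.10 established
 permit udp 10.1.20.0 0.0.0.255 eq 161 host 10.1.60.10
 permit udp 10.2.0.0 0.0.255.255 eq 161 host 10.1.60.10
 deny   ip any any log
!
! --- Apply on the SVIs ("in" = from hosts on that VLAN toward the switch,
! --- "out" = from the switch toward hosts on that VLAN)
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group VLAN10-IN in
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ip access-group VLAN20-OUT out
interface Vlan60
 ip address 10.1.60.1 255.255.255.0
 ip access-group VLAN60-IN in
 ip access-group VLAN60-OUT out
```

Verify the result with `show ip access-lists` (per-entry hit counters show which rule a flow is matching) and `show ip interface Vlan10` (confirms the ACL is bound in the right direction). On hardware-switched Catalyst platforms, entries with the `log` keyword are punted to the CPU, so keep `log` on the final deny entries only; a busy user VLAN that hits them heavily can otherwise load the supervisor.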
Access Switches
The role of the access or building switches within the Campus module is to provide Layer 2 connectivity to corporate users. Because users generally do not require direct host-to-host communication, private VLANs are implemented on the access switches to mitigate trust-exploitation attacks. To mitigate virus attacks, host-based virus scanning is implemented on user workstations.
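As an added example that is not part of the original text, this is how an access switch running Cisco IOS (Catalyst 3560/3750-style syntax) isolates user ports with a private VLAN: every user port becomes an isolated host port, and only the uplink toward the core switch is promiscuous. The VLAN numbers and port ranges are assumptions.

```cisco
! Added example; VLAN numbers and port numbers are assumptions.
! Private VLANs can only be configured with VTP in transparent mode on
! these platforms.
vtp mode transparent
!
! Secondary (isolated) VLAN: ports in it can reach only promiscuous ports,
! never each other. Defined first so the association below resolves.
vlan 101
 private-vlan isolated
!
! Primary VLAN, which is what the rest of the network sees, with the isolated
! VLAN bound to it.
vlan 100
 private-vlan primary
 private-vlan association 101
!
! User ports: isolated host ports. Two workstations on Fa0/1 and Fa0/2 cannot
! exchange frames even though they share a subnet, which removes the
! host-to-host path that trust-exploitation attacks and worms rely on.
interface range FastEthernet0/1 - 24
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 spanning-tree portfast
!
! Uplink to the core switch: promiscuous, so every host still reaches its
! gateway, the servers and the rest of the network through it. The core sees
! ordinary VLAN 100 traffic on this link.
interface GigabitEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Verification (exec mode):
!   show vlan private-vlan           - primary/secondary pairing and ports
!   show interfaces Fa0/1 switchport - "Operational Mode: private-vlan host"
```

If the design alternative of connecting hosts directly to the Layer 3 core switch is used, the same VLAN definitions and host-port commands move to the core, and the SVI that routes for those hosts needs `private-vlan mapping 101` under `interface Vlan100` so that the isolated hosts can reach their gateway. Isolation is Layer 2 only: a host can still address a neighbour through the gateway MAC and have the router forward the packet back into the VLAN, so the same-subnet deny on the SVI described under the core switch remains necessary.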
Intrusion Detection in the Campus Module
The medium-sized network Campus module supports both host-based IPS and NIDS. A host-based IPS runs on each of the corporate intranet and management servers, and a single NIDS appliance is connected to the core switch. The switch port that connects the NIDS appliance is configured as a monitoring port, which mirrors to the sensor the traffic of every VLAN within the switch that requires monitoring. Generally, though, this sensor should detect few attacks, because it watches only for attacks that originate from within the Campus module itself.
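As an added example (not from the original text), the following Cisco IOS SPAN configuration turns a core-switch port into the monitoring port for the NIDS appliance and mirrors the user, server and management VLANs to it. The VLAN numbers and port numbers are assumptions.

```cisco
! Added example; VLAN numbers and port numbers are assumptions.
! VLAN-based SPAN: copy the traffic of the monitored VLANs to the port that
! connects the NIDS sniffing interface. rx only: a packet routed between two
! monitored VLANs enters one and leaves the other, so 'both' would hand the
! sensor every such packet twice.
monitor session 1 source vlan 10 rx
monitor session 1 source vlan 11 rx
monitor session 1 source vlan 20 rx
monitor session 1 source vlan 60 rx
monitor session 1 destination interface GigabitEthernet0/24
!
! A SPAN destination port carries no normal traffic, so the sensor's
! management interface is a second NIC on an ordinary access port in the
! management VLAN, where the management-VLAN filters on the core apply to it.
interface GigabitEthernet0/23
 description NIDS management interface
 switchport mode access
 switchport access vlan 60
!
! Verification: show monitor session 1
```

Watch for oversubscription: the receive traffic of four VLANs is summed into one gigabit destination port, and when it exceeds the port's rate the switch drops the mirrored copies (production traffic is unaffected), so the sensor silently misses packets. Output drops on `show interfaces GigabitEthernet0/24` are the symptom; the remedy is to narrow the source VLAN list or move to the integrated IDS module described under the design alternatives.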
Design Alternatives
The Campus module discussed in the previous section can have the following alternative designs:
- If the medium-sized network is small enough, the access or building switches can be removed, and the devices are connected directly to the core switch, which then provides the Layer 2 functionality. The private VLAN configuration that was on the access switches moves to the core switch and still mitigates trust-exploitation attacks.
- The external NIDS appliance can be replaced by an integrated IDS module that fits into the core switch. This option offers higher performance because the IDS module sits directly on the switch backplane.
- If performance is not an issue, the Layer 3 switch can be replaced with a Layer 2 switch, with inter-VLAN routing provided by an external router.
