Table 15-9. Corporate Internet Module Devices

| Device | Description |
|---|---|
| Dial-in server | Terminates analog connections and authenticates individual remote users |
| DNS server | Serves as the authoritative external DNS server and relays internal requests to the Internet |
| Edge router | Provides basic filtering and Layer 3 connectivity to the Internet |
| File/web server | Provides public information about the organization |
| Firewall | Provides network-level protection of resources, stateful filtering of traffic, granular security of remote users, and VPN connectivity for remote sites |
| Layer 2 switch | Provides Layer 2 connectivity for devices and can also provide private VLAN support |
| Mail server | Acts as a relay between the Internet and the intranet mail servers and provides content security of mail |
| NIDS appliance | Provides Layer 4-to-Layer 7 monitoring of key network segments in the module |
| VPN concentrator | Authenticates individual remote users and terminates their IPSec tunnels |

Table 15-10. Threats Against Corporate Internet Module Public Services and Threat Mitigation

| Threat | Threat Mitigation |
|---|---|
| Application layer attacks | Mitigated by using host-based IPSs and NIDSs |
| Denial of service | Mitigated by using CAR at the ISP edge and TCP setup controls at the firewall to limit exposure |
| IP spoofing | Mitigated by using RFC 2827 and RFC 1918 filtering at the ISP edge and at the edge router of the medium-sized network |
| Network reconnaissance | Mitigated by using an IDS to detect reconnaissance and by filtering protocols to limit its effectiveness |
| Packet sniffers | Mitigated by using a switched infrastructure and host-based IPS to limit exposure |
| Password attacks | Mitigated by limiting the services that are available to brute force; the operating system and IDS can detect the threat |
| Port redirection | Mitigated by using restrictive filtering and host-based IPS to limit the attack |
| Trust exploitation | Mitigated by using a restrictive trust model and private VLANs to limit trust-based attacks |
| Unauthorized access | Mitigated by using filtering at the ISP, edge router, and corporate firewall |
| Virus and Trojan-horse attacks | Mitigated by using host-based IPS, virus scanning at the host level, and content filtering on e-mail |

Table 15-13. Campus Module Devices

| Device | Description |
|---|---|
| ACS | Provides authentication services to the network devices |
| Corporate servers | Provide services to internal users such as e-mail, file, and printing services |
| Layer 2 switch | Provides Layer 2 connectivity and supports private VLANs |
| Layer 3 switch | Routes and switches production and management traffic within the Campus module, provides distribution layer services to the building switches, and supports advanced services such as traffic filtering |
| NIDS appliance | Provides Layer 4-to-Layer 7 monitoring of key network segments in the module |
| NIDS host | Provides alarm aggregation for all NIDS devices in the network |
| OTP server | Authenticates OTP information that is relayed from the ACS |
| SNMP management host | Provides SNMP management for devices |
| Syslog host(s) | Aggregates log information for firewall and NIDS hosts |
| System admin host | Provides configuration, software, and content changes on devices |
| User workstations | Provide data services to authorized users on the network |

Table 15-14. Threats Against a Campus Module and Threat Mitigation

| Threat | Threat Mitigation |
|---|---|
| Application layer attacks | Mitigated by keeping operating systems, devices, and applications up to date with the latest security fixes and protected by host-based IPS |
| IP spoofing | Mitigated by using RFC 2827 filtering to prevent source-address spoofing |
| Packet sniffers | Mitigated by using a switched infrastructure to limit the effectiveness of sniffing |
| Password attacks | Mitigated by using an ACS to enforce strong two-factor authentication for key applications |
| Port redirection | Mitigated by using host-based IPSs to prevent port redirection agents from being installed |
| Trust exploitation | Mitigated by using private VLANs to prevent hosts on the same subnet from communicating unless necessary |
| Unauthorized access | Mitigated by using host-based IPS and application access control |
| Virus and Trojan-horse applications | Mitigated by using host-based virus scanning |
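The IP spoofing rows in Tables 15-10 and 15-14 rely on RFC 2827 and RFC 1918 filtering at the edge router. The following is an added example, not from the book or any vendor configuration, that models that filter's decision logic so the two directions can be checked against sample traffic; the organization's public prefix 203.0.113.0/24 and the sample addresses are assumptions.

```python
# Added example: RFC 2827 / RFC 1918 anti-spoofing decisions as an edge
# router would make them. ORG_PREFIX and the sample packets are assumptions.
import ipaddress

ORG_PREFIX = ipaddress.ip_network("203.0.113.0/24")  # assumed public block

# RFC 1918 private space plus two ranges that must never be a source on a
# packet arriving from the Internet.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "0.0.0.0/8",                       # loopback, "this" net
)]


def classify(src, direction):
    """Return (action, reason) for a packet with source address src.

    "ingress": packet arriving on the outside (Internet-facing) interface.
               Deny our own prefix and private/bogon space as a source.
    "egress":  packet leaving toward the Internet (RFC 2827 proper).
               Permit only sources inside our own prefix.
    """
    addr = ipaddress.ip_address(src)
    if direction == "ingress":
        if addr in ORG_PREFIX:
            return ("deny", "rfc2827: own prefix spoofed from outside")
        for net in BOGON_SOURCES:
            if addr in net:
                return ("deny", f"rfc1918/bogon source {net}")
        return ("permit", "external source")
    if direction == "egress":
        if addr in ORG_PREFIX:
            return ("permit", "own prefix")
        return ("deny", "rfc2827: source not in own prefix")
    raise ValueError("direction must be 'ingress' or 'egress'")


def filter_packets(packets):
    """Apply classify() to (src, direction) pairs; keep src and direction."""
    return [(src, d, *classify(src, d)) for src, d in packets]


# Constructed sample traffic (not captured data).
SAMPLE = [
    ("198.51.100.7", "ingress"),   # ordinary external client
    ("203.0.113.9", "ingress"),    # spoofed: claims an inside source
    ("10.1.2.3", "ingress"),       # RFC 1918 source from the Internet
    ("203.0.113.20", "egress"),    # legitimate outbound
    ("192.168.5.5", "egress"),     # leaked private source (misconfig/spoof)
]

if __name__ == "__main__":
    for row in filter_packets(SAMPLE):
        print(*row)
```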