The Enterprise Campus Layer
The enterprise campus is the heart of the overall blueprint and is shown in Figure 18-3. The Enterprise Campus module contains the following components:
- Management module
- Building module
- Building Distribution module
- Core module
- Server module
- Edge Distribution module
Figure 18-3. SAFE Enterprise Campus

The Management Module
As its name implies, the Management module is designed to provide secure management of all devices and hosts within the larger blueprint design. All logging and reporting information flows from the devices in the other modules to the management hosts, while software updates, configurations, and other similar content flow to those devices from the management hosts.

The enterprise Management module has two network segments. These segments are separated by a Cisco IOS firewall that acts as both a firewall and a VPN termination point. The segment outside the firewall connects to all the devices that require management. Inside the firewall are the management hosts. Each host runs a copy of host intrusion prevention software to protect the host against attack from the network and against malicious activity that a user may carry out locally on the host. In addition to the management hosts, this segment contains the Cisco IOS routers that function as terminal servers for access to the console ports of other network devices. The external interface of the firewall provides limited Internet access, access for secure in-band management traffic, and access for select IPSec-protected traffic from various hosts.

The management network uses an out-of-band network for secure access to devices. By using such a network, the administrator is assured of a secure connection to network devices and servers. For systems that cannot be reached through the out-of-band network, management connections are established using encrypted, authenticated transports such as IPSec, SSH, or SSL.

Because the Management module provides administrative access to nearly all other hosts within the network, it is an attractive target for an attacker. In addition to access to other hosts, this module contains configuration information and software loads that may be of interest to an attacker.
To mitigate threats to this module, configure access control on the router/firewall that provides in-band connectivity to the rest of the network. Host intrusion prevention systems are deployed on all hosts in this module, along with a network intrusion detection system (IDS). Logging is carefully monitored and analyzed to identify incoming attacks.
Mitigating Threats in the Management Module
Table 18-2 shows the expected threats and mitigation techniques for the Management module.
Threat | Threat Mitigation |
---|---|
Unauthorized access | Filtering at the firewall controls traffic in both directions. |
Man-in-the-middle attacks | Traffic isolation in an out-of-band network (or secured through the use of IPSec) mitigates man-in-the-middle attacks. |
Network reconnaissance | Management traffic is isolated to the out-of-band network or secured through encryption, reducing the risk of information being gathered through interception. |
Password attacks | The access-control server allows for strong two-factor authentication across the network. |
IP spoofing | The firewall prevents IP spoofing in either direction. |
Packet sniffers | The switched infrastructure limits the risks of sniffing. |
Trust exploitation | Private VLANs prevent compromised devices from masquerading as management hosts. |
Design Guidelines for the Management Module
Table 18-3 describes the devices in the Management module and the role each device plays.
Cisco IOS Router/Firewall
The primary role of the Cisco IOS router/firewall in the Management module is to filter traffic from the rest of the enterprise blueprint modules. The Cisco IOS router/firewall permits syslog information to flow back to the syslog management hosts, and permits Telnet, SNMP, and SSH only when those sessions are initiated from inside the Management module.
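The following configuration is added here as an illustration of that filtering policy; it is not taken from the SAFE blueprint or from Cisco documentation. It assumes an IOS router/firewall with CBAC, a management-host segment of 10.1.20.0/24 on the inside interface, an out-of-band managed-device segment of 10.1.21.0/24 on the outside interface, a syslog host at 10.1.20.10 and an SNMP/IDS management host at 10.1.20.11; all addresses, interface names and ACL names are assumptions.

```text
! Added example (not from the book): Management module IOS router/firewall.
! Assumed addressing: inside (management hosts) 10.1.20.0/24 on Fa0/1,
! outside (managed devices, OOB segment) 10.1.21.0/24 on Fa0/0,
! syslog host 10.1.20.10, SNMP/IDS management host 10.1.20.11.
!
! Stateful inspection: replies to sessions started from the inside are
! admitted dynamically, so OUTSIDE-IN only needs to list unsolicited traffic.
ip inspect name MGMT-OUT tcp
ip inspect name MGMT-OUT udp
!
! Outside -> inside: nothing may claim an inside source address (IP spoofing
! row of Table 18-2), and the only unsolicited traffic admitted is syslog to
! the syslog host and SNMP traps to the monitoring host.
ip access-list extended OUTSIDE-IN
 deny   ip 10.1.20.0 0.0.0.255 any log
 permit udp 10.1.21.0 0.0.0.255 host 10.1.20.10 eq syslog
 permit udp 10.1.21.0 0.0.0.255 host 10.1.20.11 eq snmptrap
 deny   ip any any log
!
! Inside -> outside: Telnet, SNMP and SSH may only be initiated by the
! management hosts toward the managed-device segment.
ip access-list extended INSIDE-OUT
 permit tcp 10.1.20.0 0.0.0.255 10.1.21.0 0.0.0.255 eq 22
 permit tcp 10.1.20.0 0.0.0.255 10.1.21.0 0.0.0.255 eq telnet
 permit udp 10.1.20.0 0.0.0.255 10.1.21.0 0.0.0.255 eq snmp
 deny   ip any any log
!
interface FastEthernet0/0
 description outside: managed devices (out-of-band segment)
 ip address 10.1.21.1 255.255.255.0
 ip access-group OUTSIDE-IN in
!
interface FastEthernet0/1
 description inside: management hosts
 ip address 10.1.20.1 255.255.255.0
 ip access-group INSIDE-OUT in
 ip inspect MGMT-OUT in
```

The `deny ... log` entries feed the syslog host, which is how the "carefully monitored and analyzed" logging the chapter calls for sees attempts to reach the management hosts from the outside segment. If managed devices pull software with TFTP, that device-initiated transfer needs its own explicit entry in OUTSIDE-IN; the stateful inspection only covers sessions started from the management hosts.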
Layer 2 Switches
Layer 2 switches provide connectivity for the end-user systems within the Management module. Private VLANs are implemented on these switches to help reduce the risk of trust-exploitation attacks.
NIDS Appliance
Intrusion detection within the Management module is provided by a single NIDS appliance. Both the management and monitoring interfaces of the NIDS appliance are attached to the Layer 2 switch directly behind the router/firewall protecting the management hosts. This enables the NIDS appliance to monitor the traffic coming into and going out of the Management module. The monitoring port is configured to mirror all network traffic from all VLANs that require monitoring. This appliance provides detection and analysis of attacks that originate from within the Campus module and for external attacks that get past the firewall. These attacks could result from the compromise of a workstation with an unauthorized dial-in modem, attacks from disgruntled employees or viruses and worms, or attacks from an internal workstation that has been compromised by an outside user.
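An added example of the monitoring-port arrangement described above, not part of the book: a Management module Catalyst switch mirroring both management VLANs to the NIDS monitoring interface, with the sensor's command-and-control interface on an ordinary access port. VLAN numbers (21 for the outside segment, 20 for the inside segment) and port numbers are assumptions.

```text
! Added example (not from the book): Management module Layer 2 switch.
! Assumed: VLAN 21 = outside (managed-device) segment, VLAN 20 = inside
! (management host) segment, NIDS monitoring port Gi0/23, NIDS
! command-and-control port Gi0/22.
!
! Mirror every VLAN that requires monitoring to the sensor's monitoring port.
monitor session 1 source vlan 20 , 21 both
monitor session 1 destination interface GigabitEthernet0/23
!
! The sensor's command-and-control interface lives on the inside segment so
! the IDS Director can reach it; it is a normal access port, not a SPAN port.
interface GigabitEthernet0/22
 description NIDS command-and-control
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
```

A SPAN destination port does not forward normal traffic, so the monitoring interface has no IP address and cannot be used as a path into the Management module; only the command-and-control port is reachable, and it sits behind the router/firewall like any other management host.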
Terminal Server
The terminal servers are Cisco IOS routers that use reverse Telnet to provide access to the console of other network devices throughout the blueprint. This provides for secure, out-of-band communication with routers, firewalls, switches, and other network devices in the design. Additionally, access to the console port provides for access to the ROM monitor mode of these devices, in case a problem arises that requires "near-physical" access.
Management Hosts
The network intrusion detection appliances and the host IDS installed on the corporate servers are managed through the IDS management host listed in Table 4-1. This host provides for alarm aggregation and analysis for all IDS devices throughout the Campus module and the Corporate Internet module.

Other management hosts in the enterprise Management module include the following:
- A syslog host for the aggregation of firewall, router, and network IDS logs.
- Alarm aggregation and NIDS configuration, provided by the IDS Director. Additionally, this host provides for configuration and monitoring of host-based IPS deployed throughout the blueprint.
- An access-control server for authentication services to network devices such as network access servers.
- OTP server for authorization of one-time password authentication relayed from the access-control server.
- A sysadmin host for configuration, software, and content changes on network devices.
- The capture of SNMP traps and the monitoring of the health of network devices throughout the blueprint, provided by the SNMP management and monitoring host.
Design Alternative for the Management Module
Where complete out-of-band management is not possible, in-band management is required. When in-band management is the only solution, it is necessary to use IPSec, SSH, SSL, or another encrypted and authenticated transport. In these cases, additional security measures should be applied on the end devices themselves: passwords, strong community strings, cryptographic keys, and access lists that control which hosts can reach the management services. As an alternative to the Cisco IOS router/firewall at the edge of the Management module, you can use a dedicated firewall.
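The following configuration is added here to show what those end-device measures look like on a managed IOS device that must be reached in band; it is not from the book. It assumes the management hosts are in 10.1.20.0/24, the access-control server (TACACS+) is 10.1.20.12, the syslog host is 10.1.20.10 and the SNMP monitoring host is 10.1.20.11; the hostname, domain, ACL names and the placeholder secrets are assumptions.

```text
! Added example (not from the book): hardening an assumed managed IOS device
! for in-band management. Assumed: management hosts 10.1.20.0/24, TACACS+
! access-control server 10.1.20.12, syslog host 10.1.20.10, SNMP host 10.1.20.11.
hostname dist-sw-1
ip domain-name example.internal
!
! SSH only, version 2, with a host key large enough to matter.
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Administrators authenticate against the access-control server (which the
! chapter's OTP server sits behind); local accounts are a fallback only when
! the server is unreachable.
aaa new-model
tacacs server acs1
 address ipv4 10.1.20.12
 key PLACEHOLDER-SHARED-SECRET
aaa authentication login MGMT group tacacs+ local
!
! Access list: only the management hosts may reach any management service.
ip access-list standard MGMT-HOSTS
 permit 10.1.20.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login authentication MGMT
 exec-timeout 5 0
!
! SNMP: a strong community string, read-only, bound to the same access list.
snmp-server community PLACEHOLDER-STRONG-COMMUNITY RO MGMT-HOSTS
snmp-server host 10.1.20.11 PLACEHOLDER-STRONG-COMMUNITY
!
! Logs go to the Management module syslog host.
logging host 10.1.20.10
logging trap informational
```

The `access-class` on the vty lines and the access list on the community string are the "access lists to control communications to the management services" the text refers to: even with a leaked password or community string, a session can only originate from the management-host subnet. Where the platform supports it, SNMPv3 with authentication and privacy (`snmp-server group ... v3 priv`) replaces the community string and is the stronger option.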
Building Module
The Building module is defined as the portion of the network blueprint that contains the end-user systems; telephones, printers, and other network connected devices; and the Layer 2 access devices associated with those network-connected devices. The primary goal of the Building module is to provide end users with access to services.
Mitigating Threats in the Building Module
Table 18-4 shows the expected threats and mitigation techniques for the Building module.
Threat | Threat Mitigation |
---|---|
Packet sniffers | The switched infrastructure limits the risks of sniffing. |
Virus and Trojan horse applications | Host-based virus scanning and the implementation of host-based IPS mitigate most viruses and Trojan horse applications. |
Design Guidelines for the Building Module
End-user systems represent the largest percentage of network-connected devices in any given network, and applying a consistent network security policy on these devices is a daunting challenge. These devices typically are connected to Layer 2 access switches, which have little, if any, Layer 3 access-control capability. These Layer 2 switches should meet the security guidelines outlined in the switch security axiom discussed in Chapter 3, "SAFE Design Concepts." In addition, the end-user systems should have, at the minimum, host-based antivirus-scanning software deployed and, if necessary, a host-based IPS.

Table 18-5 describes Building module devices and the role each device plays.
Building Distribution Module
The Building Distribution module provides distribution services to the switches in the Building module. These services include but are not limited to packet routing, quality of service (QoS), and access control. The switches in this module should conform to the security guidelines described in the "Switches Are Targets" section of Chapter 3. This module provides the first line of defense against internally originated attacks.
Mitigating Threats in the Building Distribution Module
Table 18-6 shows the expected threats and mitigation techniques for the Building Distribution module.
Threat | Threat Mitigation |
---|---|
Unauthorized access | Layer 3 filtering of specific subnets limits the attacks against Server module resources. |
IP spoofing | Spoofing attempts are prevented through the implementation of RFC 2827 filtering. |
Packet sniffers | The switched infrastructure limits the risks of sniffing. |
Design Guidelines for the Building Distribution Module
The switches are chosen so that they provide wire-rate filtering of traffic for access control and Layer 3 switching. This access control can prevent unwanted access to sensitive data by unauthorized individuals and can provide antispoofing capabilities within the network infrastructure. Additionally, the Building Distribution module isolates VoIP traffic by defining dedicated voice VLANs that route voice traffic to the CallManager. This prevents sniffing of voice communications and allows appropriate QoS to be applied to ensure smooth voice communication.

The key device in the Building Distribution module is the Layer 3 switch. Layer 3 switches provide Layer 2 switch aggregation before the core, as well as services such as filtering, routing, QoS, CAR, and VLAN definition.
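An added example of the filtering described in this section and in Table 18-6 (RFC 2827 antispoofing, Layer 3 filtering of specific subnets, and voice VLAN isolation), written for an assumed Building Distribution Layer 3 switch; it is not from the book. It assumes building data VLAN 10 is 10.1.10.0/24, voice VLAN 110 is 10.1.110.0/24 within a campus voice range of 10.1.96.0/19, the CallManager is 10.1.30.5 and the Management module hosts are 10.1.20.0/24. The same RFC 2827 construct is what Tables 18-7 and 18-9 refer to for the Server and Edge Distribution modules.

```text
! Added example (not from the book): Building Distribution Layer 3 switch.
! Assumed: data VLAN 10 = 10.1.10.0/24, voice VLAN 110 = 10.1.110.0/24
! (campus voice range 10.1.96.0/19), CallManager 10.1.30.5,
! Management module hosts 10.1.20.0/24.
!
! Data VLAN, inbound from the building:
!  1. building users never reach the Management module (subnet filtering),
!  2. RFC 2827: only the VLAN's own subnet is a valid source,
!  3. everything else is a spoofed source and is dropped and logged.
ip access-list extended VLAN10-IN
 deny   ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 log
 permit ip 10.1.10.0 0.0.0.255 any
 deny   ip any any log
!
interface Vlan10
 description building data VLAN
 ip address 10.1.10.1 255.255.255.0
 ip access-group VLAN10-IN in
 ! Unicast RPF performs the same source check without a per-VLAN ACL on
 ! platforms that support it; the ACL above still carries the subnet filter.
 ip verify unicast source reachable-via rx
!
! Voice VLAN, inbound from the phones: phones talk to the CallManager and to
! other voice subnets only, so data-VLAN hosts and servers cannot be reached
! from (or sniffed from) the voice segment.
ip access-list extended VLAN110-IN
 permit ip 10.1.110.0 0.0.0.255 host 10.1.30.5
 permit ip 10.1.110.0 0.0.0.255 10.1.96.0 0.0.31.255
 deny   ip any any log
!
interface Vlan110
 description building voice VLAN
 ip address 10.1.110.1 255.255.255.0
 ip access-group VLAN110-IN in
```

Order matters in VLAN10-IN: the Management module deny sits before the general permit for the subnet, otherwise the permit would match first. The `log` keyword on the final deny is what turns spoofing attempts into syslog entries for the Management module, which is how the NIDS-independent detection of a misbehaving building host works in this design.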
Design Alternatives for the Building Distribution Module
The Building Distribution module can be combined with the Core module described in the next section to produce a "collapsed core" design. This can be done based on the overall size of the network being considered.
Core Module
The primary purpose of the Core module is to route and switch traffic as quickly as possible from one network to another. No traffic filtering is done within this module. To protect the switches, follow the guidelines described in the "Switches Are Targets" section of Chapter 3. There are no alternative designs to the Core module in the SAFE blueprint.

The key device in the Core module is the Layer 3 switch, which routes and switches traffic from one network module to another. The primary threat in the Core module is the possibility of packet sniffing. However, this threat is mitigated through the use of a switched infrastructure.
Server Module
The Server module provides application services to end users and other systems within the blueprint. Because of the nature of the Server module responsibilities, it often gets overlooked in terms of security. However, the servers within this module represent some of the most valuable targets to an attacker.
Mitigating Threats in the Server Module
Table 18-7 shows the expected threats and mitigation techniques for the Server module.
Threat | Threat Mitigation |
---|---|
Unauthorized access | This is mitigated through the use of access-control measures and host-based IPS. |
Application layer attacks | This is mitigated by keeping up-to-date with the latest security patches for each operating system, application, and device, and by using host-based IPS. |
IP spoofing | Spoofing attempts are prevented by implementing RFC 2827 filtering. |
Packet sniffers | The switched infrastructure limits the risks of sniffing. |
Trust exploitation | Use explicit trust arrangements and private VLANs to prevent hosts on the same subnet from communicating unless this is necessary. |
Port redirection | Host-based IPS prevents the installation of port redirection software agents. |
Design Guidelines for the Server Module
The systems within this module might have access to multiple VLANs and might contain valuable information such as account names and passwords. Access control to this module might not be as granular as in other modules because of the nature of some of the applications found here. Because of this, NIDS, host-based IPS, private VLANs, and good system administration practices should be used in conjunction with access control. The NIDS should focus on attack-sensitive traffic, including but not limited to SMTP, Telnet, FTP, and WWW. The primary benefit of using an integrated NIDS inside the module switching fabric is the capability to see traffic across all VLANs within the module.

Table 18-8 outlines the key devices used in the Server module and the functions of each.
Key Device | Functions |
---|---|
Layer 3 switches | Provide Layer 3 services such as filters, QoS, VLANs, and private VLANs to the servers. Also provide for traffic inspection through the use of integrated NIDS. |
CallManager | Provides IP telephony services and call routing. |
Corporate and departmental servers | Provide services such as SMTP, WWW, POP, file and print services, and DNS to corporate users. |
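An added example of the private VLAN arrangement that the Server module guidelines (and the Management module Layer 2 switches earlier in this chapter) rely on to stop hosts on the same subnet from communicating unless an explicit trust arrangement requires it; it is not from the book. It assumes a Catalyst Layer 3 switch, a primary VLAN 30 for the server subnet 10.1.30.0/24, an isolated secondary VLAN 31, a community secondary VLAN 32 for a pair of servers that must talk to each other, and the switch's own SVI as the gateway; VLAN and port numbers are assumptions.

```text
! Added example (not from the book): private VLANs on an assumed Server module
! Catalyst Layer 3 switch. Assumed: primary VLAN 30 = 10.1.30.0/24,
! isolated VLAN 31, community VLAN 32, SVI Vlan30 is the gateway.
vtp mode transparent
!
vlan 31
 private-vlan isolated
vlan 32
 private-vlan community
vlan 30
 private-vlan primary
 private-vlan association 31,32
!
! Isolated ports: servers that need only the gateway and may never talk
! to one another, even though they share the subnet.
interface range GigabitEthernet1/0/1 - 8
 switchport mode private-vlan host
 switchport private-vlan host-association 30 31
!
! Community ports: the explicit trust arrangement (for example a web tier
! that must reach its application tier). Members talk to each other and to
! the gateway, but not to isolated ports.
interface range GigabitEthernet1/0/9 - 10
 switchport mode private-vlan host
 switchport private-vlan host-association 30 32
!
! Promiscuous port: a device every server is allowed to reach, such as the
! stateful firewall mentioned under the design alternatives.
interface GigabitEthernet1/0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 30 31,32
!
! Gateway SVI. The ACL closes the gap a gateway opens: a host can address
! a frame to the gateway MAC with a same-subnet destination IP, and the
! gateway would route it back into the VLAN, bypassing the isolation.
! Dropping subnet-to-subnet traffic at the SVI removes that path.
ip access-list extended SERVER-SVI-IN
 deny   ip 10.1.30.0 0.0.0.255 10.1.30.0 0.0.0.255 log
 permit ip any any
!
interface Vlan30
 ip address 10.1.30.1 255.255.255.0
 private-vlan mapping 31,32
 ip access-group SERVER-SVI-IN in
```

Use `show vlan private-vlan` and `show interfaces switchport` to confirm the associations took effect; a host-association that references a secondary VLAN not yet associated with the primary is silently inactive, which leaves the port with no isolation at all.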
Design Alternatives for the Server Module
You can collapse the Server module into the Core module, if necessary. Additionally, you can install more than one IDS blade in the module switches to help scale the IDS traffic inspection. Finally, if necessary, you can isolate servers within the module through the use of a stateful firewall.
Edge Distribution Module
The Edge Distribution module aggregates connectivity from the various modules in the enterprise edge layer and routes this traffic into the core. Additionally, this module filters that traffic. The module that is closest in function to the Edge Distribution module is the Building Distribution module, discussed earlier.
Mitigating Threats in the Edge Distribution Module
Table 18-9 shows the expected threats and mitigation techniques for the Edge Distribution module.
Threat | Threat Mitigation |
---|---|
Unauthorized access | Control over which subnets can reach areas within the campus is achieved through traffic filtering. |
IP spoofing | Locally initiated spoofing attacks are limited by RFC 2827 filtering. |
Network reconnaissance | Traffic filters limit nonessential traffic from entering the campus. |
Packet sniffers | The switched infrastructure limits the risks of sniffing. |
Design Guidelines for the Edge Distribution Module
Layer 3 switches in the Edge Distribution module provide for traffic aggregation before the enterprise edge layer and also advanced services. Layer 3 switching for high performance, along with access control for filtering traffic, provides for a last line of defense against attacks aimed at the Campus module from the enterprise edge. Some attacks mitigated here include IP spoofing and route injection.
Design Alternative for the Edge Distribution Module
As with the Server and Building Distribution modules, you can collapse the Edge Distribution module into the Core module, if necessary. You can place NIDS in this module (as was done in the Server module), if desired, by using line cards in the switches.