CCSP Self-Study: CCSP CSI Exam Certification Guide, Second Edition [Electronic resources] - text version

  • The Enterprise Campus Layer


    The enterprise campus is the heart of the overall blueprint and is shown in Figure 18-3. The Enterprise Campus module contains the following components:

    • Management module

    • Building module

    • Building Distribution module

    • Core module

    • Server module

    • Edge Distribution module


    Figure 18-3. SAFE Enterprise Campus


    Each of these modules, in turn, provides specific functionality and security within the overall SAFE Enterprise blueprint and is discussed in greater detail in the following sections.

    The Management Module


    As its name implies, the Management module is designed to provide secure management of all devices and hosts within the larger blueprint design. All logging and reporting information flows from the devices in the other modules to the management hosts, while software updates, configurations, and other similar content flow to those devices from the management hosts.

    The enterprise Management module has two network segments. These segments are separated by a Cisco IOS firewall that acts as both a firewall and a VPN termination point. The segment outside the firewall connects to all the devices that require management. Inside the firewall are the management hosts. Each host runs a copy of host intrusion prevention software to protect the host against attack from the network and from malicious activity that may possibly be done by a user on the host locally. In addition to the management hosts, this segment contains the Cisco IOS routers that are functioning in the role of terminal servers for access to other network device console ports. The external interface of the firewall provides for limited Internet access and for access to secure, in-band management traffic and select IPSec-protected traffic from various hosts.

    The management network utilizes an out-of-band network for secure access to devices. By using such a network, the administrator is assured of a secure connection to network devices and servers. Additionally, for systems that cannot be accessed through the use of the out-of-band network, management connections are established using encrypted, secure connections such as IPSec, SSH, or SSL.

    Because the Management module provides administrative access to nearly all other hosts within the network, it is an attractive target for an attacker. In addition to access to other hosts, this module contains configuration information and software loads that may be of interest to an attacker. To mitigate threats to this module, configure access control on the router/firewall that provides in-band connectivity to the rest of the network. Host intrusion prevention systems are deployed on all hosts in this module, along with a network intrusion detection system (IDS). Logging is carefully monitored and analyzed to identify incoming attacks.

    Mitigating Threats in the Management Module

    Table 18-2 shows the expected threats and mitigation techniques for the Management module.

    Table 18-2. Mitigating Threats in the Management Module

    Threat                    | Threat Mitigation
    --------------------------|------------------------------------------------------------------------------------------
    Unauthorized access       | Filtering at the firewall controls traffic in both directions.
    Man-in-the-middle attacks | Traffic isolation in an out-of-band network (or secured through the use of IPSec) mitigates man-in-the-middle attacks.
    Network reconnaissance    | Management traffic is isolated to the out-of-band network or secured through encryption, reducing the risk of information being gathered through interception.
    Password attacks          | The access-control server allows for strong two-factor authentication across the network.
    IP spoofing               | The firewall prevents IP spoofing in either direction.
    Packet sniffers           | The switched infrastructure limits the risks of sniffing.
    Trust exploitation        | Private VLANs prevent compromised devices from masquerading as management hosts.

    Design Guidelines for the Management Module

    Table 18-3 describes the devices in the Management module and the role each device plays.

    Table 18-3. Key Devices in Management Module

    Key Device                     | Functions
    -------------------------------|---------------------------------------------------------------------------------------
    Cisco IOS router/firewall      | Provides encrypted network access to the end devices. Also filters traffic inbound to the Management module.
    One-time password (OTP) server | Authorizes OTP information relayed from the access-control server.
    Access-control server          | Provides one-time, two-factor authentication services to the network devices.
    Syslog hosts                   | Aggregate log information for the firewall and the NIDS devices.
    Management host(s)             | Provide for configuration, software, and content changes on network devices, along with IPS on other network-management hosts.
    NIDS Director                  | Provides alarm aggregation and analysis for all NIDS appliances throughout the Campus and Corporate Internet modules.
    Layer 2 switches               | Include support for private VLANs.
    NIDS appliance                 | Provides deep packet inspection of traffic within the module.
    Terminal server                | Provides access to the console port of other network devices.
    Network-monitoring host        | Provides SNMP management and monitoring of network devices.

    The next sections describe the most common key devices in more detail.

    Cisco IOS Router/Firewall

    The primary role of the Cisco IOS router/firewall in the Management module is to filter traffic from the rest of the enterprise blueprint modules. The Cisco IOS router/firewall permits syslog information inbound to the syslog management hosts, and permits Telnet, SNMP, and SSH only when these sessions are initiated from inside the Management module.
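    The filtering policy just described, written out as an added example (this is not the book's configuration, and Cisco SAFE publishes no single reference config for this router). The interface names and addresses are assumptions: FastEthernet0/0 is the inside segment holding the management hosts (10.250.1.0/24, syslog host 10.250.1.20, SNMP monitoring host 10.250.1.21), and FastEthernet0/1 faces the managed devices. Stateful inspection (CBAC, the IOS Firewall feature set) is what lets sessions started from inside return through the inbound filter without opening those ports to anyone else.

```cisco
! Added example, not from the book: Cisco IOS router/firewall at the edge of
! the Management module. Addresses and interface names are assumptions.

! Stateful inspection: return traffic for sessions opened from inside is
! admitted through OUTSIDE-IN dynamically; nothing else is.
ip inspect name MGMT-FW tcp
ip inspect name MGMT-FW udp
ip inspect audit-trail

! What management hosts may initiate toward managed devices:
! SSH, Telnet and SNMP polling only (the SNMP poller is a single host).
ip access-list extended INSIDE-OUT
 permit tcp 10.250.1.0 0.0.0.255 any eq 22
 permit tcp 10.250.1.0 0.0.0.255 any eq telnet
 permit udp host 10.250.1.21 any eq snmp
 deny   ip any any log

! What may arrive unsolicited from the managed-device side:
! - syslog to the syslog host, SNMP traps to the monitoring host
! - ISAKMP/ESP to the firewall's own outside address for devices that are
!   managed in-band over IPSec (the crypto map itself is not shown here)
! An inside source address arriving on the outside interface is a spoof.
ip access-list extended OUTSIDE-IN
 deny   ip 10.250.1.0 0.0.0.255 any log
 permit udp 10.0.0.0 0.255.255.255 host 10.250.1.20 eq syslog
 permit udp 10.0.0.0 0.255.255.255 host 10.250.1.21 eq snmptrap
 permit udp any host 10.250.0.1 eq isakmp
 permit esp any host 10.250.0.1
 deny   ip any any log

interface FastEthernet0/0
 description Inside: Management module hosts
 ip address 10.250.1.1 255.255.255.0
 ip access-group INSIDE-OUT in

interface FastEthernet0/1
 description Outside: toward the managed devices
 ip address 10.250.0.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect MGMT-FW out
```

    The two `deny ip any any log` entries are what make the syslog host useful for the "logging is carefully monitored" guideline: every rejected packet, in either direction, produces a record naming the offending source.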

    Layer 2 Switches

    Layer 2 switches provide Layer 2 connectivity to the hosts within the Management module. Private VLANs are implemented on these switches to help reduce the risk of trust-exploitation attacks.

    NIDS Appliance

    Intrusion detection within the Management module is provided by a single NIDS appliance. Both the management and monitoring interfaces of the NIDS appliance are attached to the Layer 2 switch directly behind the router/firewall protecting the management hosts. This enables the NIDS appliance to monitor the traffic coming into and going out of the Management module. The monitoring port is configured to mirror all network traffic from all VLANs that require monitoring. This appliance provides detection and analysis of attacks that originate from within the Campus module and for external attacks that get past the firewall. These attacks could result from the compromise of a workstation with an unauthorized dial-in modem, attacks from disgruntled employees or viruses and worms, or attacks from an internal workstation that has been compromised by an outside user.
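    The private VLAN and monitoring-port arrangement described in the two sections above, as an added example (not the book's own configuration). VLAN numbers, port assignments and host placement are assumptions. The point it adds to the text: an isolated private VLAN stops management hosts from reaching each other at Layer 2, but pairs of hosts that legitimately exchange traffic (the NIDS Director and the NIDS appliance's command interface; the access-control server and the OTP server) need a community VLAN rather than the isolated one, or that traffic breaks. The same private VLAN pattern is what the Server module guidelines later call for.

```cisco
! Added example, not from the book: Catalyst IOS configuration for the Layer 2
! switch directly behind the Management module router/firewall.

! Primary VLAN 100 carries the router; isolated 101 holds hosts that only
! talk to the router; communities 102 and 103 hold host pairs that must
! also talk to each other.
vlan 100
 name MGMT-PRIMARY
 private-vlan primary
 private-vlan association 101,102,103
vlan 101
 name MGMT-ISOLATED
 private-vlan isolated
vlan 102
 name MGMT-NIDS-COMMUNITY
 private-vlan community
vlan 103
 name MGMT-AUTH-COMMUNITY
 private-vlan community

! Promiscuous port: inside interface of the IOS router/firewall
interface FastEthernet0/1
 description Management router/firewall, inside interface
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102,103

! Isolated host ports: syslog host, sysadmin host, network-monitoring host
interface range FastEthernet0/2 - 9
 description Management hosts (isolated)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 spanning-tree portfast
 spanning-tree bpduguard enable

! Community ports: NIDS Director and NIDS appliance command interface
interface range FastEthernet0/10 - 11
 description NIDS Director / NIDS command interface (community 102)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
 spanning-tree portfast
 spanning-tree bpduguard enable

! Community ports: access-control server and OTP server
interface range FastEthernet0/12 - 13
 description Access-control server / OTP server (community 103)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 103
 spanning-tree portfast
 spanning-tree bpduguard enable

! SPAN: all traffic entering or leaving the module crosses the router's inside
! port, so mirroring that port to the NIDS monitoring interface covers it all.
monitor session 1 source interface FastEthernet0/1 both
monitor session 1 destination interface FastEthernet0/24

interface FastEthernet0/24
 description NIDS monitoring interface (SPAN destination)
```

    Mirroring the router's inside port rather than a list of VLANs keeps the SPAN session simple and still matches the text's goal of seeing everything that crosses the module boundary; a SPAN destination port does not forward normal traffic, which is the behaviour wanted for a sensor's sniffing interface.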

    Terminal Server

    The terminal servers are Cisco IOS routers that use reverse Telnet to provide access to the console of other network devices throughout the blueprint. This provides for secure, out-of-band communication with routers, firewalls, switches, and other network devices in the design. Additionally, access to the console port provides for access to the ROM monitor mode of these devices, in case a problem arises that requires "near-physical" access.
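    How a reverse-Telnet terminal server is set up, as an added example rather than the book's configuration. Names, addresses and line numbers are assumptions: a Cisco IOS router with 16 async lines cabled to the console ports of other devices. The mechanism is that a Telnet connection to the terminal server's loopback address on TCP port 2000 + N is bridged onto async line N, and therefore onto the console plugged into it.

```cisco
! Added example, not from the book: Cisco IOS router acting as a console
! terminal server for the out-of-band management network.
hostname mgmt-termsrv

! Reverse-Telnet sessions target a loopback address; port 2000 + N selects
! async line N (2001 = line 1, 2002 = line 2, ...).
interface Loopback0
 ip address 10.250.2.1 255.255.255.255

! Friendly names for the consoles cabled to lines 1-3
ip host core-sw-1 2001 10.250.2.1
ip host mgmt-fw-1 2002 10.250.2.1
ip host edge-rtr-1 2003 10.250.2.1

! Administrators authenticate against the access-control server, with a
! local account only as a fallback if that server is unreachable.
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 10.250.1.23 key REPLACE-WITH-TACACS-KEY
username emergency-admin secret REPLACE-WITH-STRONG-SECRET

! Only the management-host segment may open sessions to the consoles
ip access-list standard MGMT-HOSTS
 permit 10.250.1.0 0.0.0.255
 deny   any log

! The async lines themselves: no EXEC on the console side, Telnet in only,
! authenticated, restricted by source, and idle sessions closed.
line 1 16
 access-class MGMT-HOSTS in
 no exec
 login authentication default
 transport input telnet
 transport output none
 session-timeout 10
```

    From a management host the session is opened with `telnet 10.250.2.1 2001` (or `telnet core-sw-1` from the terminal server's own EXEC). A hung console session is released with `clear line 1` on the terminal server. Because the console port bypasses every network-layer control on the target device, the `access-class` and the authentication on these lines are the only things standing between a compromised host and ROM monitor access.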

    Management Hosts

    The network intrusion detection appliances and the host IDS installed on the corporate servers are managed through the IDS management host listed in Table 4-1. This host provides for alarm aggregation and analysis for all IDS devices throughout the Campus module and the Corporate Internet module.

    Other management hosts in the enterprise Management module include the following:

    • A syslog host for the aggregation of firewall, router, and network IDS logs.

    • Alarm aggregation and NIDS configuration, provided by the IDS Director. Additionally, this host provides for configuration and monitoring of host-based IPS deployed throughout the blueprint.

    • An access-control server for authentication services to network devices such as network access servers.

    • OTP server for authorization of one-time password authentication relayed from the access-control server.

    • A sysadmin host for configuration, software, and content changes on network devices.

    • The capture of SNMP traps and the monitoring of the health of network devices throughout the blueprint, provided by the SNMP management and monitoring host.


    Design Alternative for the Management Module

    Where complete out-of-band management is not possible, in-band management is required. When in-band management is the only solution, it is necessary to use IPSec, SSH, SSL, or another encrypted and authenticated transport. In these cases, additional security measures should be applied on the end devices: passwords, strong community strings, cryptographic keys, and access lists that control which hosts may reach the management services. As an alternative to the Cisco IOS router/firewall at the edge of the Management module, you can use a dedicated firewall.
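    What those additional measures look like on a managed device, as an added example (not the book's configuration). Addresses and names are assumptions: management segment 10.250.1.0/24, syslog host 10.250.1.20, SNMP monitoring host 10.250.1.21, access-control (TACACS+) server 10.250.1.23. The example goes slightly beyond the passage by showing the AAA tie-in to the access-control server, which the Management module sections describe separately.

```cisco
! Added example, not from the book: hardening a managed Cisco IOS device for
! in-band management when no out-of-band path exists.
hostname branch-rtr-1
ip domain-name corp.example

! SSH host key is generated once from EXEC mode, not in the config:
!   crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3

service password-encryption
enable secret REPLACE-WITH-STRONG-SECRET

! Administrator logins go to the access-control server; local fallback only
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
tacacs-server host 10.250.1.23 key REPLACE-WITH-TACACS-KEY
username emergency-admin secret REPLACE-WITH-STRONG-SECRET

! Access list naming the only hosts allowed to reach management services
access-list 10 permit 10.250.1.0 0.0.0.255
access-list 10 deny   any log

! Virtual terminals: SSH only, from the management segment only
line vty 0 4
 access-class 10 in
 transport input ssh
 exec-timeout 5 0
 login authentication default
line con 0
 exec-timeout 5 0
 login authentication default
line aux 0
 no exec
 transport input none

! SNMP: long random community string, read-only, source-restricted by ACL 10;
! traps go to the monitoring host in the Management module
snmp-server community REPLACE-WITH-LONG-RANDOM-STRING RO 10
snmp-server host 10.250.1.21 version 2c REPLACE-WITH-LONG-RANDOM-STRING
snmp-server enable traps

! Logging back to the Management module syslog host, with timestamps
service timestamps log datetime msec localtime show-timezone
logging host 10.250.1.20
logging trap informational
```

    `transport input ssh` on the VTY lines is what removes Telnet from the in-band path; the `access-class` then limits even SSH to the management segment, so a stolen credential used from elsewhere in the campus still cannot reach the device. Where the IOS release supports it, SNMPv3 with authentication and privacy is the stronger replacement for the community string shown here (an addition beyond the text, not something the book prescribes).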

    Building Module


    The Building module is defined as the portion of the network blueprint that contains the end-user systems; telephones, printers, and other network-connected devices; and the Layer 2 access devices associated with those network-connected devices. The primary goal of the Building module is to provide end users with access to services.

    Mitigating Threats in the Building Module

    Table 18-4 shows the expected threats and mitigation techniques for the Building module.

    Table 18-4. Mitigating Threats in the Building Module

    Threat                              | Threat Mitigation
    ------------------------------------|--------------------------------------------------------------------------------
    Packet sniffers                     | The switched infrastructure limits the risks of sniffing.
    Virus and Trojan horse applications | Host-based virus scanning and the implementation of host-based IPS mitigate most viruses and Trojan horse applications.

    Design Guidelines for the Building Module

    End-user systems represent the largest percentage of network-connected devices in any given network, and applying a consistent network security policy on these devices is a daunting challenge. These devices typically are connected to Layer 2 access switches, which have little, if any, capability of Layer 3 access control. These Layer 2 switches should meet the security guidelines outlined in the switch security axiom discussed in Chapter 3, "SAFE Design Concepts." In addition, the end-user systems should have, at the minimum, host-based antivirus-scanning software deployed and, if necessary, a host-based IPS.

    Table 18-5 describes Building module devices and the role each device plays.

    Table 18-5. Key Devices in Building Module

    Key Device        | Functions
    ------------------|-----------------------------------------------------------------------
    Layer 2 switches  | Provide for Layer 2 connectivity to end-user systems and IP telephones.
    IP phones         | Provide IP telephony services to end users.
    User workstations | Provide data services to users.

    Building Distribution Module


    The Building Distribution module provides distribution services to the switches in the Building module. These services include but are not limited to packet routing, quality of service (QoS), and access control. The switches in this module should conform to the security guidelines described in the "Switches Are Targets" section of Chapter 3. This module provides the first line of defense against internally originated attacks.

    Mitigating Threats in the Building Distribution Module

    Table 18-6 shows the expected threats and mitigation techniques for the Building Distribution module.

    Table 18-6. Mitigating Threats in the Building Distribution Module

    Threat              | Threat Mitigation
    --------------------|----------------------------------------------------------------------------
    Unauthorized access | Layer 3 filtering of specific subnets limits the attacks against Server module resources.
    IP spoofing         | Spoofing attempts are prevented through the implementation of RFC 2827 filtering.
    Packet sniffers     | The switched infrastructure limits the risks of sniffing.

    Design Guidelines for the Building Distribution Module

    The switches are chosen so that they provide wire rate filtering of traffic for access control and the use of Layer 3 switching. This access control can prevent unwanted access to sensitive data by unauthorized individuals and can provide antispoofing capabilities within the network infrastructure. Additionally, the Building Distribution module provides for isolation of VoIP traffic by defining dedicated voice VLANs that route voice traffic to the CallManager. This prevents sniffing of voice communications and provides effective application of appropriate QoS to ensure smooth voice communication.

    The key device in the Building Distribution module is the Layer 3 switch. Layer 3 switches provide for Layer 2 switch aggregation before the core, and also services such as filtering, routing, QoS, CAR, and VLAN definition.

    Design Alternatives for the Building Distribution Module

    The Building Distribution module can be combined with the Core module described in the next section to produce a "collapsed core" design. This can be done based on the overall size of the network being considered.

    Core Module


    The primary purpose of the Core module is to route and switch traffic as quickly as possible from one network to another. No traffic filtering is done within this module. To protect the switches, follow the guidelines described in the "Switches Are Targets" section of Chapter 3. There are no alternative designs to the Core module in the SAFE blueprint.

    The key device in the Core module is the Layer 3 switch, which routes and switches traffic from one network module to another. The primary threat in the Core module is the possibility of packet sniffing. However, this threat is mitigated through the use of a switched infrastructure.

    Server Module


    The Server module provides application services to end users and other systems within the blueprint. Because of the nature of the Server module responsibilities, it often gets overlooked in terms of security. However, the servers within this module represent some of the most valuable targets to an attacker.

    Mitigating Threats in the Server Module

    Table 18-7 shows the expected threats and mitigation techniques for the Server module.

    Table 18-7. Threats Mitigated in Server Module

    Threat                    | Threat Mitigation
    --------------------------|------------------------------------------------------------------------------------------
    Unauthorized access       | This is mitigated through the use of access-control measures and host-based IPS.
    Application layer attacks | This is mitigated by keeping up-to-date with the latest security patches for each operating system, application, and device, and by using host-based IPS.
    IP spoofing               | Spoofing attempts are prevented by implementing RFC 2827 filtering.
    Packet sniffers           | The switched infrastructure limits the risks of sniffing.
    Trust exploitation        | Use explicit trust arrangements and private VLANs to prevent hosts on the same subnet from communicating unless this is necessary.
    Port redirection          | Host-based IPS prevents the installation of port redirection software agents.

    Design Guidelines for the Server Module

    The systems within this module might have access to multiple VLANs and might contain valuable information such as account names and passwords. Access control to this module might not be as granular as in other modules because of the nature of some of the applications found here. Because of this, NIDS, host-based IPS, private VLANs, and good system administration practices should be used in conjunction with access control. The NIDS should focus on attack-sensitive traffic, including but not limited to SMTP, Telnet, FTP, and WWW. The primary benefit of using an integrated NIDS inside the module switching fabric is the capability to see traffic across all VLANs within the module.

    Table 18-8 outlines the key devices used in the Server module and the functions of each.

    Table 18-8. Key Devices in Server Module

    Key Device                         | Functions
    -----------------------------------|-------------------------------------------------------------------------------------
    Layer 3 switches                   | Provide Layer 3 services such as filters, QoS, VLANs, and private VLANs to the servers. Also provide for traffic inspection through the use of integrated NIDS.
    CallManager                        | Provides IP telephony services and call routing.
    Corporate and departmental servers | Provide services such as SMTP, WWW, POP, file and print services, and DNS to corporate users.

    Design Alternatives for the Server Module

    You can collapse the Server module into the Core module, if necessary. Additionally, you can install more than one IDS blade in the module switches to help scale the IDS traffic inspection. Finally, if necessary, you can isolate servers within the module through the use of a stateful firewall.

    Edge Distribution Module


    The Edge Distribution module aggregates connectivity from the various modules in the enterprise edge layer and routes this traffic into the core. Additionally, this module filters that traffic. The module that is closest in function to the Edge Distribution module is the Building Distribution module, discussed earlier.

    Mitigating Threats in the Edge Distribution Module

    Table 18-9 shows the expected threats and mitigation techniques for the Edge Distribution module.

    Table 18-9. Threats Mitigated in the Edge Distribution Module

    Threat                 | Threat Mitigation
    -----------------------|----------------------------------------------------------------------------------------
    Unauthorized access    | Control over which subnets can reach areas within the campus is achieved through traffic filtering.
    IP spoofing            | Locally initiated spoofing attacks are limited by RFC 2827 filtering.
    Network reconnaissance | Traffic filters limit nonessential traffic from entering the campus.
    Packet sniffers        | The switched infrastructure limits the risks of sniffing.

    Design Guidelines for the Edge Distribution Module

    Layer 3 switches in the Edge Distribution module provide for traffic aggregation before the enterprise edge layer and also advanced services. Layer 3 switching for high performance, along with access control for filtering traffic, provides for a last line of defense against attacks aimed at the Campus module from the enterprise edge. Some attacks mitigated here include IP spoofing and route injection.
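    The RFC 2827 filtering that Tables 18-6, 18-7 and 18-9 cite for the Building Distribution, Server and Edge Distribution modules, together with the route-injection mitigation mentioned just above, as one added example on the Edge Distribution Layer 3 switch (not the book's configuration). The campus address space (10.1.0.0/16), the link addressing, the interface name and the choice of OSPF with MD5 authentication are assumptions. RFC 2827 filtering is two complementary rules: packets leaving toward the edge must carry a campus source, and packets arriving from the edge must not.

```cisco
! Added example, not from the book: Edge Distribution Layer 3 switch uplink
! toward the enterprise edge.

! Egress: only campus-sourced packets may leave, so a compromised campus host
! cannot send spoofed-source traffic outward (RFC 2827, outbound half).
ip access-list extended CAMPUS-TO-EDGE
 permit ip 10.1.0.0 0.0.255.255 any
 deny   ip any any log

! Ingress: the routing peer on the link is allowed first; then any packet that
! claims a campus or loopback source is a spoof and is dropped (RFC 2827,
! inbound half); finally only traffic destined to the campus is accepted,
! which is the "nonessential traffic" filter of Table 18-9.
ip access-list extended EDGE-TO-CAMPUS
 permit ospf host 172.16.255.2 any
 deny   ip 10.1.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 permit ip any 10.1.0.0 0.0.255.255
 deny   ip any any log

interface GigabitEthernet1/1
 description Uplink toward the enterprise edge
 ip address 172.16.255.1 255.255.255.252
 ip access-group EDGE-TO-CAMPUS in
 ip access-group CAMPUS-TO-EDGE out
 ! Route injection: updates are accepted only from a peer holding this key
 ip ospf message-digest-key 1 md5 REPLACE-WITH-SHARED-KEY

router ospf 1
 area 0 authentication message-digest
 passive-interface default
 no passive-interface GigabitEthernet1/1
 network 172.16.255.0 0.0.0.3 area 0
 network 10.1.0.0 0.0.255.255 area 0
```

    Two details are easy to get wrong: the link subnet must sit outside the campus range, otherwise the inbound spoof check drops the neighbour's own packets; and `passive-interface default` keeps every campus-facing interface from forming adjacencies, so an attacker on an access VLAN cannot inject routes even without the key.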

    Design Alternative for the Edge Distribution Module

    As with the Server and Building Distribution modules, you can collapse the Edge Distribution module into the Core module, if necessary. You can place NIDS in this module (as was done in the Server module), if desired, by using line cards in the switches.

