security design considerations module 3 - training sample

© 2006 Extreme Networks, Inc. All rights reserved. Module 3 Security Design Considerations

Upload: content-rules-inc

Post on 20-Aug-2015


TRANSCRIPT

Module 3: Security Design Considerations

page 2

Description

This module provides an overview of the network vulnerabilities and security threats companies face today.

It reviews the factors that should be taken into consideration when designing a security solution.

It describes basic Sentriant CE150 network design configurations.

Finally, it lists the technical information needed before you install the Sentriant CE150.


page 3

Objectives

Upon completion of this module the successful student will be able to:

• List the factors taken into consideration when designing a network security solution.

• Understand the network vulnerabilities that are addressed by the Sentriant CE150.

• Describe basic Sentriant CE150 network design configurations.

• Identify the technical information required before you install a Sentriant CE150 in a customer site.


page 4

Traditional Defenses: Firewalls and IDS

Firewall

• Enforce access control policies between networks

• Determine which inside services may be available from outside and vice versa

• Provide a single “Choke point” where security audits may be performed

• Provide information about who has been “sniffing” around

Intrusion Detection Systems (IDS)

• Excellent at detecting many types of network attacks


page 5

Firewall and IDS Limitations

Cannot protect from attacks that bypass it

• Internal attacks or unrestricted dial-outs

Cannot protect data that is traversing the network

• Financial data, corporate secrets, etc.

Cannot protect against data being “changed” as it moves across the network

Cannot stop any attacks that come from the inside


page 6

Network Vulnerabilities

Unauthorized Access of Data in Motion

• Unauthorized monitoring – Network users believe the data they send over networks will be viewed only by the intended receiver.

• Unauthorized modification – A simple route trace between any two corporate networks may reveal a point at which an intruder can inconspicuously modify data in transit.

Common Inside Attacks

• Insider breaches – Employees, contractors and others with legitimate network access can easily bypass perimeter security to access sensitive data on the network.

• Man-in-the-middle attacks (also known as TCP Hijacking) – An attacker sniffs packets from the network, modifies them and inserts them back into the network.

• Port mirroring – Port mirroring is a method of monitoring network traffic that forwards a copy of each incoming and outgoing packet from one port of a network switch to another port where the packet can be studied.


page 7

Mitigate Network Vulnerabilities: Inside the Perimeter

It is important to secure your data as it travels within your organization’s network.

• Insiders account for up to 50% of network security breaches.

A layered approach to network security provides the best defense possible.

This means that in addition to perimeter security (e.g., a firewall), data traversing the internal network must also be secured.

The only way to protect data traversing internal networks is to encrypt it. Sentriant CE150 provides the ideal solution for encrypting and safeguarding data in motion.

page 8

Elements of a Comprehensive Security Solution

Physical protection

• Where are you?

User authentication

• Who are you?

Encryption

• Which information should be hidden?

Access control

• Which assets are you allowed to use?

Management

• What is going on within the network?


page 9

Security Design Considerations

Performance

• Security solutions cannot become bottlenecks on the network. Security appliances must provide low latency and high throughput.

User Transparency

• Security appliances should not require reconfiguration of routers, gateways, or end-user devices

Centralized management and administration

• Security solutions should provide centralized management and control, including SNMP and MIB support, audit logging and syslog

Regulatory compliance

• Security solutions must be able to support ever-evolving Federal and State government regulations, e.g., HIPAA

Resiliency

• Security solutions must be available 24/7, with the ability to update security policies on the fly

Review

3 Minutes


page 11

Sentriant CE150: Non-Router Network - Outbound

Non-Router Network Outbound traffic:

• This example explains the steps network equipment performs when sending data from a company site out to an external entity in a non-router environment.

[Diagram: Outbound Traffic. Layer 2 switch network over a fiber backbone or point-to-point wireless link; a Switch and a Sentriant CE150 are shown at each site.]

page 12

Sentriant CE150: Non-Router Network - Inbound

Non-Router Network Inbound traffic:

• This example explains the steps network equipment performs when receiving data from an external entity into a company site in a non-router environment.

[Diagram: Inbound Traffic. Layer 2 switch network over a fiber backbone or point-to-point wireless link; a Switch and a Sentriant CE150 are shown at each site.]

page 13

Sentriant CE150: Router WANs - Outbound

Router WAN/Backbone Outbound traffic:

• This example explains the steps network equipment performs when sending data from a company site out to an external entity in a router environment.

[Diagram: Outbound Traffic. Router WAN across the Internet; a Router, a Switch and a Sentriant CE150 are shown at each site.]

page 14

Sentriant CE150: Router WANs - Inbound

Router WAN/Backbone Inbound traffic:

• This example explains the steps network equipment performs when receiving data from an external entity into a company site in a router environment.

[Diagram: Inbound Traffic. Router WAN across the Internet; a Router, a Switch and a Sentriant CE150 are shown at each site.]

page 15

Resiliency: Non-VRRP Example

Dual active-path redundancy

• This example has two Sentriant CE150 appliances at each end of the connection creating two active paths between the locations.

[Diagram: Router 1 and Router 2 connected across the Internet; Sentriant CE150 appliances A, B, C and D, two at each site, with a router at each site.]

page 16

Resiliency: VRRP Example

Single active-path redundancy

• A pair of Sentriant CE150 appliances can be configured to form a virtual security gateway (VSG).

• One appliance is active and the other waits in a backup state

Virtual Router Redundancy Protocol

• Allows two security gateways (Sentriant CE150) to share one IP address

[Diagram: Router 1 and Router 2 connected across the Internet; Sentriant CE150 appliances A, B, C and D, two at each site, with a router at each site.]

Review

3 Minutes


page 18

Configuration Planning Worksheet: Interface Configuration

page 19

Configuration Planning Worksheet: Management Access

page 20

Configuration Planning Worksheet: FTP Client

page 21

Configuration Planning Worksheet: Network Interoperability

page 22

Configuration Planning Worksheet: Manual Key Policies

page 23

Configuration Planning Worksheet: Negotiated IPSec

page 24

Configuration Planning Worksheet: Negotiated IPSec (cont’d)

page 25

Configuration Planning Worksheet: Discard and Clear Policy

page 26

Summary

This module provided an overview of the network vulnerabilities and security threats companies face today.

The module also reviewed the factors that should be taken into consideration when designing a security solution.

It described basic Sentriant CE150 network design configurations.

And finally, it provided the technical information worksheets used to assist with the installation of the Sentriant CE150.


page 27

Summary continued

You should now be able to:

• List the factors taken into consideration when designing a network security solution.

• Understand the network vulnerabilities that are addressed by the Sentriant CE150.

• Describe basic Sentriant CE150 network design configurations.

• Identify the technical information required before you install a Sentriant CE150 in a customer site.


End of Module Review

5 Minutes