IS 3423 Secure Network Design - PowerPoint PPT Presentation

Provided by: alanandj

1
IS 3423 Secure Network Design
  • Chapter Twelve
  • Securing VPN, wireless, and VoIP Networks

2
Designing a Secure VPN Methodology
  • Dependent upon your security policies
  • Need to understand what you are trying to protect
    and from what.

3
For Case
  • Review the questions on the next two slides. Are
    they relevant for your case???????

4
Questions to be Answered
  • Do I want to authenticate users, devices, or
    both?
  • What applications require authenticated access?
  • Will a specific authenticated entity have
    restricted, or full access to the network(s)?
  • How will access control be provided?
  • What needs to be kept confidential?
  • Do I encrypt point-to-point?
  • How will confidentiality be provided?
  • How many different users need to be supported?
  • Will I need NAT?
  • Are there any routing considerations?
  • Should the VPN be available 24/7? Are short
    downtimes OK?
  • Where are the potential points of infrastructure
    attacks?

5
Next set of questions to be answered
  • What technology do I use to authenticate the
    devices, users, applications?
  • What technologies are under potential
    consideration for other security services?
  • How difficult is the configuration of a
    particular technology?
  • What are the maintenance and management issues?
  • Are there multiple mechanisms that may accomplish
    similar security services?
  • What are the security versus usability and
    implementation tradeoffs?

6
Identity
  • Combination of authentication and access control
  • Authentication is not always coupled with access
    control

7
Authentication
  • What do you want to authenticate, and what
    technology will you use?
  • Device authentication: all VPN-related security
    protocols were designed with the inherent belief
    that devices need to be authenticated.
  • User authentication for network access: often a
    critical component
  • User authentication for application access: some
    mandate authentication

8
Authentication
  • Device: always required in VPNs
  • User, for network access:
  • Access VPN: required
  • Intranet VPN: probably not (already
    authenticated to access the n/w)
  • User, for applications: where required by
    application

9
Device Authentication Methods
  • Devices usually authenticate each other with an
    IP address or host name in conjunction with some
    other credential.
  • Types:
  • Statically configured password: not very secure,
    needs to be changed frequently
  • Public key cryptography: more secure, requires
    more overhead
  • Digital signature: more scalable
  • Kerberos authentication: if you already use a
    Kerberos infrastructure, go with it. Otherwise,
    stick with digital signatures because they are
    more prevalent

10
Addressing
  • DHCP: allocate a specific pool of addresses to
    the VPN devices; this simplifies access control
    and authentication issues
  • NAT: if used in conjunction with IPsec, do NAT
    followed by IPsec on outbound traffic and reverse
    the process on the receiving end; again, map to a
    unique address range

11
User Authentication Methods
  • What individuals use to identify themselves, and
    what credentials they supply
  • Credential: static p/w, one-time p/w, Kerberos
    token, or public key
  • Not all vendors support the same user
    authentication methods

12
Application Authentication Methods
  • Generally based on user name and p/w

13
Authentication Considerations
  • What do you want authenticated: user, device,
    and/or application?
  • What technology is required?
  • What protocols are appropriate? Refer to Table
    3-1 (p. 146) and Table 12-2 (p. 586)
  • Control device and user certificate enrollment

14
Access Control
  • Once authenticated, can you access everything?
  • Need to protect critical resources
  • Can filter via MAC source address, IP source
    address, IP destination address, protocol type,
    protocol source port number, or protocol
    destination port number
  • When filtering:
  • Filter via users on specific subnets
  • Use port number filtering to allow specific VPN
    tunnel traffic (refer to Table 12-3, Common VPN
    protocols and port numbers)

15
Caveat Regarding IP Address and Port Numbers
  • IP addresses and port numbers may change during
    L2TP tunnel negotiations to accommodate load
    balancing and QoS
  • IPsec tunnel mode may result in IP address changes

16
Integrity
  • Verify data has not changed in transit
  • If the IP address changes, ensure that the IP
    address is not part of the integrity check
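
Added example (not part of the original slides): a simplified Python model of why the order of NAT and the integrity check matters, as raised on this slide and in the NAT bullet on the Addressing slide. It does not use the real AH or ESP wire formats; the key, addresses and payload are constructed, and `cover_addresses` is a hypothetical switch between an AH-like check that includes the IP addresses and an ESP-like check that does not.

```python
import hmac, hashlib, ipaddress
from dataclasses import dataclass, replace

KEY = b"constructed-demo-key"   # constructed key, for this example only

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes
    icv: bytes = b""            # integrity check value

def _icv(pkt, cover_addresses):
    """HMAC-SHA256 over the payload, optionally including the IP addresses."""
    data = pkt.payload
    if cover_addresses:         # AH-like: addresses are part of the check
        data = (ipaddress.ip_address(pkt.src).packed
                + ipaddress.ip_address(pkt.dst).packed + data)
    return hmac.new(KEY, data, hashlib.sha256).digest()

def protect(pkt, cover_addresses):
    return replace(pkt, icv=_icv(pkt, cover_addresses))

def verify(pkt, cover_addresses):
    return hmac.compare_digest(pkt.icv, _icv(pkt, cover_addresses))

def nat(pkt, public_src):
    """Source NAT: rewrite the source address, leave everything else alone."""
    return replace(pkt, src=public_src)

def run_cases():
    inner = Packet("10.1.1.5", "203.0.113.10", b"payroll record")
    public = "198.51.100.20"    # constructed NAT pool address
    return {
        # Integrity applied first, then NAT rewrites a covered field.
        "ah_like_then_nat": verify(nat(protect(inner, True), public), True),
        # Same order, but the addresses are outside the check.
        "esp_like_then_nat": verify(nat(protect(inner, False), public), False),
        # The slides' order: NAT first, then integrity over the translated packet.
        "nat_then_ah_like": verify(protect(nat(inner, public), True), True),
    }

if __name__ == "__main__":
    for name, ok in run_cases().items():
        print(f"{name}: {'valid' if ok else 'INTEGRITY FAILURE'}")
```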

17
Confidentiality
  • Secure VPNs generally imply encryption
  • Encrypt everything except in cases of limited
    processing power

18
Availability
  • Always want minimum downtime
  • Need redundancy, but don't go overboard: it
    increases cost and decreases performance

19
Audit
  • Need to determine that VPN is properly configured
  • VERIFY procedures: backup, encryption, etc.

20
Figure 12-1 Small Corporate VPN
  • VPN for remote branch and telecommuters:
    combined access and intranet VPN

21
Fig. 12-2 Large Corporate VPN Scenario
  • For remote offices, telecommuters, personnel who
    travel, and 3rd party stakeholders
  • Probably requires more sophisticated
    authentication

22
Wireless Networks
  • Apply same kind of design methodologies as with
    VPN networks
  • May actually be a part of a remote access VPN

23
Identity
  • Combination of authentication and access control
  • Generally, follow 802.1x standard

24
802.1X Standard
  • Applied EAP (Extensible Authentication Protocol)
    to both wired and wireless LAN media
  • Supports multiple authentication methods: token
    cards, Kerberos, one-time passwords,
    certificates, public key
  • Client device attempts to communicate with an
    authenticator (802.11 access point)
  • Access point enables a port for passing ONLY EAP
    packets from client to an authentication server
    located on the access point
  • Once authenticated, client allowed to pass other
    types of traffic (HTTP, DHCP, etc.)
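
Added example (not part of the original slides): a simplified Python model of the controlled port described above, which admits only EAP-over-LAN frames until the authentication server reports success. Keying the port on the client's source MAC, the `Authenticator` class, the result strings and the sample frames are assumptions made for the illustration; the EtherType, EAPOL packet types and EAP codes are the standard values.

```python
import struct

ETH_EAPOL, ETH_IPV4 = 0x888E, 0x0800            # EtherTypes
EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2  # EAPOL packet types
EAP_SUCCESS, EAP_FAILURE = 3, 4                 # EAP codes

class Authenticator:
    """Controlled port per client, keyed by source MAC (simplified model)."""
    def __init__(self):
        self.authorized = set()

    def handle_frame(self, raw: bytes) -> str:
        if len(raw) < 14:
            return "drop"                        # truncated Ethernet header
        src = raw[6:12]
        (ethertype,) = struct.unpack("!H", raw[12:14])
        if ethertype != ETH_EAPOL:
            # Non-EAP traffic passes only once the port is authorized.
            return "forward" if src in self.authorized else "drop"
        if len(raw) < 18:
            return "drop"                        # truncated EAPOL header
        _ver, ptype, _length = struct.unpack("!BBH", raw[14:18])
        if ptype == EAPOL_LOGOFF:
            self.authorized.discard(src)         # port closes again
            return "drop"
        # EAPOL-Start and EAP packets feed the authentication exchange.
        return "authenticate" if ptype in (EAPOL_EAP, EAPOL_START) else "drop"

    def auth_result(self, client_mac: bytes, eap_code: int) -> None:
        """Apply the authentication server's verdict to the client's port."""
        if eap_code == EAP_SUCCESS:
            self.authorized.add(client_mac)
        elif eap_code == EAP_FAILURE:
            self.authorized.discard(client_mac)

def frame(src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Constructed Ethernet frame addressed to the access point."""
    return b"\x02\x00\x00\x00\x00\x01" + src + struct.pack("!H", ethertype) + payload

def demo():
    ap, sta = Authenticator(), b"\x02\x00\x00\x00\x00\xaa"
    ip = frame(sta, ETH_IPV4, b"\x45" + b"\x00" * 19)   # stand-in for DHCP/HTTP
    start = frame(sta, ETH_EAPOL, struct.pack("!BBH", 2, EAPOL_START, 0))
    logoff = frame(sta, ETH_EAPOL, struct.pack("!BBH", 2, EAPOL_LOGOFF, 0))
    out = [ap.handle_frame(ip), ap.handle_frame(start)]
    ap.auth_result(sta, EAP_SUCCESS)
    out.append(ap.handle_frame(ip))
    ap.handle_frame(logoff)
    out.append(ap.handle_frame(ip))
    return out
```

`demo()` returns the verdicts for an IP frame before authentication, an EAPOL-Start, the same IP frame after EAP-Success, and again after EAPOL-Logoff.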

25
Access Control
  • Apply filtering, as above

26
Integrity
  • WEP (Wired Equivalent Privacy) or TKIP (Temporal
    Key Integrity Protocol)
  • WEP has an easily exploited algorithm
  • TKIP is an improvement over WEP
  • Enhanced encryption, integrity check

27
Confidentiality
  • TKIP, possibly in conjunction with IPsec

28
Availability
  • Again, want minimal downtime
  • Need strong signal and quick access to an AP

29
Audit
  • Same as above: ensure proper configuration and
    verify procedures

30
VoIP Networks
  • Similar to VPN and wireless in regard to design
    methodologies
  • Security of VoIP still under development

31
Identity
  • Most IP phones only have device authentication

32
Access Control
  • Firewalls need to be able to recognize voice
    traffic

33
Integrity
  • Utilizes hashed passwords

34
Confidentiality
  • Encryption/decryption at each hop can be VERY
    problematic

35
Availability
  • Same as above

36
Audit
  • Same as above

37
Chapter 12 Review Questions
  • Explain the purpose of a design methodology.
    What questions need to be asked (and answered) in
    order to create a proper design?
  • Discuss the design methodology approach to
    designing a secure VPN; address the following:
    identity, access control, confidentiality,
    availability, and audit.
  • Do the same for wireless networks and VoIP.
  • Compare and contrast various protocols as they
    relate to user, application, and device
    authentication as shown in Tables 3-1 and 12-2.
  • What is the purpose of the 802.1X standard?
    Briefly describe it.