Secure Network Design Dewey, Cheetem, and Howe DC - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Secure Network Design
Dewey, Cheetem, and Howe (DCH), LLP
  • Richard Elwell

2
Organizational Overview
  • Mid-sized local accounting firm
  • Services provided
  • Financial Audit
  • Tax preparation
  • Financial planning
  • Privately owned (6 partners)

3
Organizational Overview
  • Privately owned clients
  • Banking
  • Manufacturing
  • Construction
  • Plan to start doing work for public companies.

4
Organizational Overview
  • Stakeholders
  • Partners
  • Employees
  • Clients

5
Current Network Design
6
Current Network Design
  • All machines have anti-virus
  • No spam filtering
  • No remote access
  • Accountants use laptops

7
Current Network Design
  • Multi-story shared office building
  • Open access during business hours
  • Key card access after hours
  • Power, heating and cooling from the building
  • Emergency generators
  • Separate climate controls for server room
  • Additional access controls to server room

8
Legal and Regulatory Requirements
  • Sarbanes-Oxley Act of 2002
    • Reaction to Enron, WorldCom, etc.
    • Establishes the independence of auditors
    • Enron paid Arthur Andersen $25 million for audit
      services and $27 million for consulting services
    • Section 404 makes management responsible for
      establishing internal controls over financial
      reporting, including controls that safeguard
      assets by preventing or promptly detecting
      unauthorized acquisition, use or disposition of
      an entity's assets that could have a material
      effect on the financial statements.

9
Threats and Vulnerabilities
  • Data compromise
  • Sarbanes-Oxley non-compliance
  • Virus/Trojan/malware infections
  • Lost time due to spam
  • Power loss
  • External threats
  • Business Continuity / Disaster Recovery

10
Policies
  • Security Policy
  • Acceptable Use of Company Resources Policy

11
Policies
  • Security Policy
    • Employees' responsibility to protect data
    • Data classification guidelines
      • Public
        • No special handling required
      • Client confidential
        • Must be encrypted in transit
        • Must have a need to know to access
      • Firm confidential
        • Partner permission required to disclose
        • Must have a need to know to access

12
Policies
  • Security Policy (cont.)
    • Technical security requirements
      • Devices should be hardened
        • Only approved software
        • Anti-virus
      • Servers and network equipment physically secured
      • Mobile devices
        • Host firewall
        • No unencrypted client data
      • Regular backups, stored offsite, tested monthly

13
Policies
  • Acceptable use of company resources
    • A business decision
    • Reflects the overall culture and values of the
      firm
    • Partners' expectations of the employees

14
Proposed Edge Design
  • Redundant internet routers in active/standby
    configuration (HSRP)
  • Redundant stateful firewalls in active/standby
    configuration (VRRP)
  • Strong egress filtering (HTTP/HTTPS only)
    • Any other traffic on a case-by-case basis

15
Proposed Edge Design
  • Two DMZs; each host sits in a private VLAN, so
    hosts in the same DMZ cannot reach each other
  • Customer DMZ houses the HTTP servers
    • Only HTTP (TCP 80) and HTTPS (TCP 443) from the
      internet
    • No outbound access from the DMZ to the internet
    • Access from the DMZ to the internal network
      • Only the ports the HTTP servers need to reach
        the application servers
      • Syslog and SNMP for management
    • Access from internal to the DMZ as needed

16
Proposed Edge Design
  • Utility DMZ
    • External DNS and SMTP gateways
    • Only DNS (UDP 53) and SMTP (TCP 25) from the
      internet; TCP 53 is also needed for DNS answers
      too large to fit in a UDP response
    • Only DNS and SMTP allowed out to the internet
    • Only SMTP, syslog, and SNMP allowed from the DMZ
      into the internal network
    • Access from internal to the DMZ as needed

17
Proposed Edge Design
  • SMTP gateways: two in an HA configuration
    • Anti-spam
    • Anti-virus
    • Sarbanes-Oxley compliance
    • Listening only on TCP 25 and TCP 443

18
Proposed Edge Design
  • HTTP servers: two in an HA configuration
    • TCP 80 and TCP 443
    • TCP 22 (SSH) for management, only from the
      internal network
  • DNS servers: two in an HA configuration
    • UDP 53
    • TCP 22 (SSH) for management, only from the
      internal network

19
Proposed Edge Design
  • Remote access IPsec VPN
    • Software VPN client
    • Authenticates with the users' LAN user IDs and
      passwords
    • No split tunneling
    • Possible contractual issues

20
Proposed Distribution/Core Design
  • Four domains of trust
    • Accounting, HR, IT support, other support
    • Created using a different VLAN and subnet for
      each domain, with ACLs on the core routers
      between them
    • Dedicated servers will sit within the appropriate
      domain of trust
    • Shared servers (internal DNS, DHCP, etc.) in a
      separate domain that is accessible to all users

21
Proposed Distribution/Core Design
  • Device identity
    • IP addresses
    • Rogue devices
  • All devices will have host anti-virus
  • Mobile devices
    • Host firewalls
    • File system encryption
  • User identity
    • User IDs and passwords

22
Proposed Distribution/Core Design
  • UPS for servers and critical network equipment
  • Wireless in training room
    • Treated as insecure
    • Only access is to the VPN gateway
    • Users will connect over the VPN
  • Network management using SSH and HTTPS
  • Network devices will send SNMP traps and syslog
    to a management server on the internal network

23
Migration Strategy
  • 3 phases
  • Phase 1
    • Redundant routers
    • Redundant firewalls
    • New core switches
    • VLANs and domains of trust established
    • Connect old L2 switches to the new core switches

24
Migration Strategy
25
Migration Strategy
  • Phase 2
    • Implement domains of trust
    • Move user devices to the new core switches
    • Move dedicated servers onto the new core switches
    • Move shared servers onto the new core switches
    • Disconnect old L2 switches

26
Migration Strategy
27
Migration Strategy
  • Phase 3
    • DNS servers
    • SMTP gateways
    • HTTP servers
    • VPN concentrator
    • Wireless access point

28
Final Design
29
Disaster Recovery
  • Offsite backups
  • Copies of application installation media
  • Contracts in place to lease server space and user
    devices
  • Users connect via VPN

30
Questions
  • Why is a pair of stateful firewalls in an HA
    configuration better than a router with an ACL?
  • The stateful firewalls only allow traffic if it
    matches a firewall rule or is part of a connection
    that was opened by traffic matching a firewall
    rule. A router with an ACL passes any packet that
    matches the ACL with no notion of state; to let
    replies back in it has to permit, for example, any
    TCP packet carrying the ACK flag, which an attacker
    can set on a forged packet. The pair of firewalls
    also provides high availability.
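The following is an added example, not part of the presentation: a toy zone-based packet filter that encodes the edge policy of slides 14 to 16 as a default-deny rule set and then pushes the same constructed flows through a connection-tracking firewall and through a stateless "ACK-bit" router ACL, to make the point of slide 30 concrete. The addresses, the application port (APP_PORT) and the sample flows are assumptions chosen for the example.

```python
"""
Toy zone-based packet filter that encodes the DCH edge policy from slides 14-16
and compares a stateful firewall with a stateless router ACL (slide 30).
Addresses, the application port and the sample flows are constructed for this
example; none of it is the presentation's own configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical addressing for the zones behind the edge firewalls.
ZONES = {
    "internal":     ip_network("10.10.0.0/16"),
    "customer_dmz": ip_network("192.0.2.0/27"),    # HTTP servers
    "utility_dmz":  ip_network("192.0.2.32/27"),   # external DNS and SMTP gateways
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything not in a known prefix is the internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    ack: bool = False   # TCP ACK flag; the stateless ACL keys on it


# Permitted connection openers, transcribed from slides 14-16 as
# (from_zone, to_zone, proto, dport).  Everything else is denied.
APP_PORT = 8443   # assumption: the unnamed HTTP-server-to-application-server port
ALLOW = {
    ("internal", "internet", "tcp", 80),        # egress: http/https only
    ("internal", "internet", "tcp", 443),
    ("internet", "customer_dmz", "tcp", 80),    # customer DMZ from the internet
    ("internet", "customer_dmz", "tcp", 443),
    ("customer_dmz", "internal", "tcp", APP_PORT),
    ("customer_dmz", "internal", "udp", 514),   # syslog
    ("customer_dmz", "internal", "udp", 162),   # SNMP traps
    ("internet", "utility_dmz", "udp", 53),     # utility DMZ: DNS and SMTP
    ("internet", "utility_dmz", "tcp", 25),
    ("utility_dmz", "internet", "udp", 53),
    ("utility_dmz", "internet", "tcp", 25),
    ("utility_dmz", "internal", "tcp", 25),
    ("utility_dmz", "internal", "udp", 514),
    ("utility_dmz", "internal", "udp", 162),
    ("internal", "customer_dmz", "tcp", 22),    # management from inside only
    ("internal", "utility_dmz", "tcp", 22),
}


def policy_allows(p: Packet) -> bool:
    """Does this packet open a connection the written policy permits?"""
    return (zone_of(p.src), zone_of(p.dst), p.proto, p.dport) in ALLOW


class StatelessACL:
    """Router ACL.  It has no memory of connections, so to let replies to
    permitted outbound traffic back in it must also permit any TCP packet
    that merely carries the ACK flag (the classic 'established' keyword)."""

    def accept(self, p: Packet) -> bool:
        return policy_allows(p) or (p.proto == "tcp" and p.ack)


class StatefulFirewall:
    """Accepts a packet only if it opens a permitted connection or belongs
    to a connection already recorded in the state table."""

    def __init__(self) -> None:
        self.table: set[tuple] = set()

    def accept(self, p: Packet) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport, p.proto)
        rev = (p.dst, p.dport, p.src, p.sport, p.proto)
        if fwd in self.table or rev in self.table:
            return True                       # part of an existing connection
        if policy_allows(p):
            self.table.add(fwd)               # record the new connection
            return True
        return False


def run_scenario() -> dict:
    """Push the same constructed flows through both filters, in order."""
    fw, acl = StatefulFirewall(), StatelessACL()
    flows = {
        # accountant browsing HTTPS out; the server's reply has ACK set
        "egress": Packet("10.10.5.20", 51000, "198.51.100.7", 443, "tcp"),
        "reply": Packet("198.51.100.7", 443, "10.10.5.20", 51000, "tcp", ack=True),
        # attacker forges an ACK packet from source port 80 at an internal host
        "forged_ack": Packet("203.0.113.9", 80, "10.10.5.20", 445, "tcp", ack=True),
        # a customer-DMZ web server tries to reach the internet (forbidden, slide 15)
        "dmz_to_internet": Packet("192.0.2.5", 40000, "203.0.113.9", 80, "tcp"),
    }
    return {
        "stateful":  {name: fw.accept(p) for name, p in flows.items()},
        "stateless": {name: acl.accept(p) for name, p in flows.items()},
    }


if __name__ == "__main__":
    for filt, verdicts in run_scenario().items():
        print(filt, verdicts)
```

Both filters pass the accountant's outbound HTTPS and its reply and both drop the DMZ web server's attempt to reach the internet; the difference is the forged packet, which the stateless ACL accepts because it carries the ACK flag and the stateful firewall drops because no matching connection was ever opened. The per-host isolation of the private VLANs inside each DMZ is not modelled here.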

31
Questions
  • Why should disaster recovery and business
    continuity plans be part of secure network
    design?
  • The main goals of security are to ensure
    confidentiality, integrity, and availability of
    company data. Lack of disaster planning is a
    huge threat to availability.