Lesson 11 SAFE Enterprise Network Design © 2005 Cisco Systems, Inc. All rights reserved. CSI v

Enterprise Network Design Overview © 2005 Cisco Systems, Inc. All rights reserved. CSI v

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Enterprise Campus Enterprise EdgeISP Edge Management Server Building Distribution Building Edge Distribution E-Commerce Corporate Internet VPN/ Remote Access WAN ISP B ISP A PSTN Frame/ATM Core SAFE Enterprise Network Block Diagram

Enterprise Network Campus © 2005 Cisco Systems, Inc. All rights reserved. CSI v

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Enterprise Network Campus Management ModuleBuilding Module (Users) Edge Distribution Module Internal Server Department Cisco Call Manager Corporate Server Server Module OTP Server ACS Network Monitoring CiscoWorks VPN/Security Management Solution Syslog 1 Syslog 2 System Admin Term Server (Cisco IOS) To E-Commerce Module To Corporate Internet Module To VPN/Remote Access Module To WAN Module Building Distribution Module Core Module

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Management Module OTP Server ACS Network Monitoring CiscoWorks VPN/Security Management Solution Syslog 1 Syslog2 System Admin The following are key devices: SNMP management host NIDS host Syslog host ACS OTP server System admin host NIDS appliance Cisco IOS Firewall Layer 2 switch To All Device Console Ports Term Server (Cisco IOS) Encrypted In-Band Network Management Out-of-Band Network Management Enterprise Network Campus Management Module Components and Key Devices

© 2005 Cisco Systems, Inc. All rights reserved. CSI v The following threats can be expected: Unauthorized access: Cisco IOS Firewall Man-in-the-middle attacks: Private network Network reconnaissance: Private network Password attacks: ACS IP spoofing: Cisco IOS Firewall Packet sniffers: Switched infrastructure Trust exploitation: PVLANs Campus Management Module: Expected Threats and Mitigation Roles

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Management Module Term Server (Cisco IOS) = Cisco Security Agent Out-of-Band Network Management To All Device Console Ports Encrypted In- Band Network Management Two-factor authentication AAA services Read-only SNMP Network log data SSH Protocol where possible; configuration and content management Out-of-band configuration management PVLANs Stateful packet filtering; IPSec termination for management Comprehensive Layer 4–7 analysis OTP Server ACS Network Monitoring CiscoWorks VPN/Security Management Solution Syslog 1 Syslog 2 System Admin Enterprise Network Attack Mitigation Roles for Campus Management Module

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Campus Management Module: Design Guidelines and Alternatives The following are guidelines and alternatives: Out-of-band management architecture provides the highest levels of security. Use encryption technology for in-band management. Management subnets have an address space that is separate from the rest of the production network. Cisco IOS routers acting as terminal servers and a dedicated management network segment provide configuration management for devices in the network.

© 2005 Cisco Systems, Inc. All rights reserved. CSI v PVLANs, Cisco IOS Firewall, OTPs, HIDSs, and NIDSs are some technologies that are used to mitigate threats to the Management module. Each device is configured with a read-only SNMP string. Aggregation and analysis of syslog information is critical to the proper management of a network. Alternatives include: Using IPSec, SSH Protocol, and SSL when in-band management is required. Using a dedicated firewall as opposed to a router with firewall functionality if the throughput requirements in the Management module are high. Campus Management Module: Design Guidelines and Alternatives (Cont.)

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Enterprise Network Campus Core Module Key Devices Key Device: Layer 3 Switch To Server Module To Building Distribution Module To Edge Distribution Module To Edge Distribution Module Core Module

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Campus Core Module: Expected Threats and Mitigation Roles You can expect the following threats: Packet sniffers: A switched infrastructure DDoS attacks: Cisco Express Forwarding and Unicast RPF

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Campus Core Module: Design Guidelines The following are recommended guidelines: Implement switch security Follow standard implementation guidelines

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Enterprise Network Campus Building Distribution Module Key Device: Layer 3 Switch To Core Module To Building Access Module

© 2005 Cisco Systems, Inc. All rights reserved. CSI v To Core Module To Building Access Module Unauthorized access: Layer 3 filtering IP spoofing: RFC 2827 Packet sniffers: Switched infrastructure Inter-subnet filtering RFC 2827 filtering Building Distribution Module: Expected Threats and Mitigation Roles

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Building Distribution Module: Design Guidelines and Alternatives The following are guidelines and available alternatives for the Building Distribution module: Switch security Intrusion detection not implemented in this module PVLANs Layer 3 switching Subnet isolation for VoIP traffic Distribution layer combined with core layer

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Enterprise Network Campus Building Access Module Key devices: Layer 2 switch User workstation IP phone Building Access Module (Users) To Building Distribution Module

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Building Access Module: Expected Threats and Mitigation Roles Packet sniffers: Switched infrastructure and default VLAN Virus and Trojan horse applications: HIPS and virus scanning ARP cache poisoning: Layer 2 ARP IP spoofing: IP source guard Root kit, worm, and zero-day attacks: HIPS

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Building Access Module: Design Guidelines The following are guidelines: Implement switch security Scan workstations for host-based virus

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Enterprise Network Campus Server Module Key devices: Layer 3 switch Cisco Call Manager Corporate and department servers server Internal Department Server Cisco Call Manager Corporate Server Server Module To Core Module

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Server Module: Expected Threats and Mitigation Roles Threats and mitigation: Unauthorized access: HIDS or HIPS and ACS Application-layer attacks: HIDS or HIPS IP spoofing: RFC 2827 Packet sniffers: Switched infrastructure Trust exploitation: PVLANs Port redirection, root kit, virus, worm, and zero-day attacks: HIDS or HIPS Cisco Call Manager Corporate Server Server Module NIDS for server attacks PVLANs for server connections RFC 2827 filtering To Core Module Host intrusion protection or prevention system Internal Department Server

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Server Module: Design Guidelines and Alternatives The following are guidelines and available alternatives for the Server module: Using an NIDS with either an HIDS or HIPS, PVLANs, and access control provides a much more comprehensive response to attacks. The switch-based NIDS was chosen because of its ability to look only at interesting traffic across all VLANs as defined by the security policy. Combine the Server module with the Core module. For critical systems such as the IP Telephony Cisco Call Manager or an accounting database, the alternative is to separate these hosts from the rest of the module with a stateful firewall.

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Enterprise Network Campus Edge Distribution Module Key Device: Layer 3 Switch Edge Distribution Module To E-Commerce Module To Corporate Internet Module To VPN/Remote Access Module To WAN Module To Core Module

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Edge Distribution Module: Expected Threats and Mitigation Roles Threats and mitigation: Unauthorized access: ACLs IP spoofing: RFC 2827 Network reconnaissance: Filtering Packet sniffers: Switched infrastructure Edge Distribution Module To E-Commerce Module To Corporate Internet Module To VPN/Remote Access Module To WAN Module To Core Module Layer 3 access control RFC 2827 filtering

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Edge Distribution Module: Design Guidelines and Alternatives The following are guidelines and available alternatives for the Edge Distribution module: Employ access control to filter traffic. Alternatives involve combining the Edge Distribution module with the Core module. Use IDS line cards in the Layer 3 switches.

Enterprise Network Edge © 2005 Cisco Systems, Inc. All rights reserved. CSI v

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Enterprise Network Edge The following are modules in the Enterprise Network Edge: Corporate Internet module VPN and Remote Access module WAN module E-Commerce module Enterprise Edge E-Commerce Corporate Internet VPN/ Remote Access WAN

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Corporate Internet Module To Edge Distribution Module To VPN/Remote Access module DNS URL Filtering Web/FTPSMTP ISP A Module ISP B Module

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Corporate Internet Module Key Devices The following are key devices: Servers –SMTP –DNS –FTP/HTTP –URL filtering Firewall NIDS

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Corporate Internet Module: Expected Threats and Mitigation Roles Unauthorized access: ACL Application-layer attacks: NIDS and either HIDS or HIPS Virus and Trojan horse attacks: HIDS or HIPS Password attacks: IDS DoS attacks: Rate limiting IP spoofing: RFC 2827 and 1918 Packet sniffers: A switched infrastructure and either HIDS or HIPS Network reconnaissance: IDS Trust exploitation: PVLANs Port redirection: Filtering and either HIDS or HIPS

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Corporate Internet Module: Design Guidelines and Alternatives The following are guidelines and available alternatives: Rate limits, RFC 2827, and RFC 1918 filtering at the egress of the ISP router Rate limits, RFC 2827, and RFC 1918 filtering at the ingress of the first router on the enterprise network Filtering on the interface connected to the VPN module, configured to allow only IPSec traffic to cross and only when originating from and sent to authorized peers

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Corporate Internet Module: Design Guidelines and Alternatives (Cont.) Configuration guidelines for NIDS monitoring include: Public side of the firewall Public services segment Inside interface of the firewall

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Corporate Internet Module: Design Guidelines and Alternatives (Cont.) Additional configuration guidelines for the Corporate Internet module include: Connection state enforcement and detailed filtering on the firewall PVLANs to prevent a compromised public server from attacking other servers on the same segment URL filtering device for content inspection

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Corporate Internet Module: Design Guidelines and Alternatives (Cont.) DNS locked down to respond only to desired commands SMTP server includes mail content inspection HIDS or HIPS for each of the servers Alternatives include: The NIDS appliances might not be required in front of the firewall. Eliminate the router between the firewall and the Edge Distribution module if Layer 3 edge distribution switches are employed.

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Enterprise Network Edge VPN and Remote Access Module VPN/Remote Access Module To Edge Distribution Module To Internet via the Corporate Internet Module Traditional Dial Access Servers Site-to-Site VPN PSTN Module

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Enterprise Network Edge VPN and Remote Access Module Key Devices The following are key devices: VPN Concentrator VPN router Dial-in server Firewall NIDS appliance

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Network topology discovery: IPSec traffic only Password attacks: OTP authentication Unauthorized access: Firewall Man-in-the-middle attacks: Encryption Packet sniffers: Switched infrastructure VPN and Remote Access Module: Expected Threats and Mitigation

© 2005 Cisco Systems, Inc. All rights reserved. CSI v VPN and Remote Access Module: Design Guidelines and Alternatives The following are guidelines and available alternatives: Three separate external user services are as follows: –Remote access VPN –Dial-in access –Site-to-site VPN Design guidelines for remote access VPN traffic are: –Corporate Internet module access routers filter all VPN traffic. –SAFE suggests using IPsec as tunneling and security protocol. –Connect the VPN Concentrator to the ACS on the management subnet via its management interface. –Prevent users from enabling split tunneling by forcing users to access the Internet via the corporate connection. –Achieve secure management of this service by pushing all IPSec and security parameters to remote users from the central site.

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Design guidelines for dial-in access users are: –Use access routers with built-in modems to terminate dial-in access. –Use three-way CHAP to authenticate dial-in users. –Use AAA and OTP servers to authenticate and provide passwords. Design guidelines for site-to-site VPN traffic are: –VPN traffic consists of GRE tunnels protected by an IPSec protocol in transport mode using ESP. –GRE is used to provide a full-service routed link that will carry multiprotocol, routing protocol, and multicast traffic. –3DES and SHA HMAC are used for IKE and IPSec parameters to provide maximum security with little effect on performance. VPN and Remote Access Module: Design Guidelines and Alternatives (Cont.)

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Design guidelines for rest the of the module are as follows: –Traffic from the three services is aggregated by the firewall onto one private interface. –Firewalls provide an auditing point for all VPN traffic and an enforcement point for NIDS threat response. –A pair of NIDS appliances is positioned at the public side and a pair is positioned behind the firewall. –Alternatives involve various VPN and authentication technologies. –Add Layer 3 switches as a routing distribution layer to increase the scalability of the VPN solution. VPN and Remote Access Module: Design Guidelines and Alternatives (Cont.)

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Enterprise Network Edge WAN Module Key Device: Cisco IOS Router To Edge Distribution Module WAN Module Frame Relay/ ATM Module

© 2005 Cisco Systems, Inc. All rights reserved. CSI v WAN Module: Expected Threats and Mitigation Roles The following are expected threats and the mitigation of those threats: IP spoofing: Layer 3 filtering Unauthorized access: ACLs Layer 3 access control To Edge Distribution Module WAN Module Frame Relay/ ATM Module

© 2005 Cisco Systems, Inc. All rights reserved. CSI v WAN Module: Design Guidelines The following are guidelines: Security is provided by using Cisco IOS security features. Encrypt highly confidential traffic on WAN links if you are concerned about information privacy.

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Enterprise Network Edge E-Commerce Module E-Commerce Module To Edge Distribution Module ISP A Module Database ServersApplication ServersWeb Servers ISP B Module

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Enterprise Network Edge E-Commerce Module Key Devices The following are key devices: Servers –Web –Database –Application Firewall NIDS appliance Layer 3 switch with IDS module

© 2005 Cisco Systems, Inc. All rights reserved. CSI v E-Commerce Module: Expected Threats and Mitigation Roles Unauthorized access: ACL Application-layer attacks: IDS DoS attacks: ISP filtering and rate limiting IP spoofing: RFC 2827 and RFC 1918 Packet sniffers: Switched infrastructure and either HIDS or HIPS Network reconnaissance: Restrict ICMP Trust exploitation: Firewall Port redirection: HIDS or HIPS and firewall filtering

© 2005 Cisco Systems, Inc. All rights reserved. CSI v E-Commerce Module: Design Guidelines and Alternatives The following are guidelines and available alternatives: Resilient firewalls provide protection for three levels of servers: web, application, and database. The ISP should implement rate limiting. Recommended firewall configurations for this module are as follows: –Only three specific communication paths are allowed to servers. –Use RFC 1918 and RFC 2827 filtering. –Routing protocol updates are allowed. The user session runs over HTTP and SSL. Communication paths between the various layers should be encrypted, transactional, and highly authenticated.

© 2005 Cisco Systems, Inc. All rights reserved. CSI v E-Commerce Module: Design Guidelines and Alternatives (Cont.) Use NIDS and either HIDS or HIPS solutions. Layer 3 switch does network processing, provides verification filtering, and provides built-in IDS monitoring. Use PVLANs. Use out-of-band management throughout the module. Alternatives include: Co-locating the entire system at an ISP. Considering the use of additional and multiple firewall types.

© 2005 Cisco Systems, Inc. All rights reserved. CSI v Summary The enterprise comprises two functional areas: Enterprise Campus and Enterprise Edge. The Enterprise Campus has six modules: –Management module –Core module –Building Distribution module –Building module –Server module –Edge Distribution module The Enterprise Edge has four modules: –Corporate Internet module –VPN and Remote Access module –WAN module –E-Commerce module The design process is often a series of trade-offs. Some of these trade-offs are made at the module level, whereas others are made at the component level.