Presentation is loading. Please wait.

Presentation is loading. Please wait.

Designing for Pervasive Network Security. Designing for Security Our aim in this section will be to concentrate on how campus Networks can be designed.

Similar presentations

Presentation on theme: "Designing for Pervasive Network Security. Designing for Security Our aim in this section will be to concentrate on how campus Networks can be designed."— Presentation transcript:

1 Designing for Pervasive Network Security

2 Designing for Security Our aim in this section will be to concentrate on how campus Networks can be designed to address some of the security overlays – Detailed security implementations and HP's Pervasive Network Security strategy available in the corresponding sessions Key Security implementations in Enterprise Campus Networks – Device Management Security – VLAN centric design Separate VLANs for management Separate VLANs for Wireless clients – If using WLAN switching wireless users can be on separate VLANs Map VLANs to Security zones and use firewalls/security appliances where appropriate – Authentication and Authorisation Network Login 802.1X AutoVLANs using 802.1X – Identifying and Controlling Rogue Applications

3 VLAN Centric Design VLANs provide security and traffic segmentation and are supported by Network Cards, switches, wireless access points, routers and security appliances Use VLANs to segment network in logical groups or business functions VLANs can be mapped to IP Subnets and are terminated by routers/Layer 3 switches 802.1Q Tagging a standards based VLAN tagging mechanism VLAN Deployment Guidelines – Use consistent naming and VLAN Tags for all VLANs across the network – Configure the correct VLAN Tags on both ends of switch-switch links – Configure all VLANs across all switches for complete user mobility across the campus – In resilient topologies ensure STP does inadvertently block VLANs between switches (use MSTP instead) – Ensure that Aggregated Links carry the correct VLAN tagging information – Create a separate management VLAN for all active devices

4 Device Management Security For networks concerned about the security of their active devices the following security capabilities should be considered – User Authentication for Device Management: Only authenticated users can access device management (RADIUS or Local) – Authorised manager access (Trusted IP): Only authorised IP addresses or subnets can gain management access – Device Management VLAN: Separate configurable VLAN/subnet for management – Selectable Device management options and encrypted management sessions: Enable/Disable TELNET, HTTP access and support for SSH, HTTPS etc. A combination or all of these capabilities could be deployed to provide device protection for switches, routers and appliances

5 Device Management VLAN A dedicated VLAN for management of active devices can be deployed for greater control The Device Management VLAN can span the entire campus using VLAN tagging Access to management can be in-band or out of band – For inband access, use routing with ACLs or security appliances to control traffic to the management VLAN Considerations for Device Management VLAN – Ensure devices support configurable VID for management – Campus wide management VLANs are more applicable in centralised Layer 3 topologies – Device Management VLANs can also be localised within a wiring closet or a building for distributed L3 topologies Management VLAN VID=1 VLAN50 VLAN10 VLAN20 VLAN30 VLAN40 VLAN60

6 Network Authentication and Authorisation Why use 802.1X? – Users must authenticate before gaining access to network resources – All authorizations can be administered centrally – Accounts can be held ( who, when, where ) Log files can record various session data, packet counts, session durations, user names. Information can be used for billing – Security Auditing Network Administrators can record who is accessing the network real- time – Management Network Management applications can display user information Clients can be dynamically tracked in real time using Network Management

7 Network Login and wired VLANs 802.1X Network Login can be associated with VLANs using the following methods Static – Authenticated users assume the pre-configured VLAN membership of their connected port Dynamic (AutoVLANs) – Authenticated users are dynamically placed in their corresponding VLAN based on RADIUS attributes Non-authenticated users are either excluded or become members of a guest VLAN Some devices such as telephones are automatically authenticated based on MAC address

8 Auto VLAN and QoS Assignment using 802.1X Guest VLAN User ID: ? Pwd: ? User ID: Teacher User ID: Teacher Valid User VLAN ID: Teacher VLAN QoS Profile: LowP, Web LowP, guest Records Server HighP Staff VLAN

9 Network Login and wireless VLANs Wireless users can be placed dynamically in the appropriate VLAN using 802.1X Network Login and RADIUS (VLAN ID) VLAN tagging on Ethernet port of Access point ensures that AP is aware of all configured VLANs Wireless Access point will tunnel wireless user traffic on the appropriate tagged VLAN already configured on Ethernet port Network Login based Wireless VLANs can deliver end to end mobility across wired and wireless media Access Points also support multiple SSIDs that can be mapped to separate VLANs for greater level of security

10 Auto VLAN Assignment using 802.1X with Wireless Access Points Guest VLAN Staff VLAN User ID: ? Pwd: ? User ID: Teacher User ID: Teacher Valid User VLAN ID: Teacher VLAN

11 Mapping VLANs to Security Zones Map vulnerable VLANs (i.e. wireless, guest VLAN) to Security zones in security appliances/Firewalls for greater control If all VLANs are mapped to security zones then routing will be centralised by security appliance – May have performance implications A combination of Layer 3 switching, ACLs and Security zones can provide greater protection without major performance compromises When multiple VLANs are mapped to a Security zone interVLAN routing within the security zone can be controlled by local Layer 3 switch Use routing policies or default routes for sending traffic to enforcement point LAN 1 Security Zone WAN Security Zone Internet DMZ LAN 2 Security Zone Wireless Security Zone Policy Enforcement Point

12 Security Zones and VLANs VLAN1 VLAN2VLAN3 Security Zone A VLAN10 VLAN11VLAN12 Security Zone B Routed virtual interfaces Security Zone C Security Zone D Security Zone E

13 Controlling Rogue Applications Use QoS and Application Filtering to control rogue applications where they originate from: the Access Layer Using Network Management rogue users and applications can be identified quickly and corrective action taken Example: How Application Filtering and autoQoS assignment on the Switch 4400 could stop the proliferation of the W32.Blaster.Worm virus W32.Blaster.Worm virus exploits TCP:135 DCOM RPC and UDP:69 TFTP – Create a classifier on the 4400 for TCP:135 and UDP:69 – Create a QoS profile called Blaster and assign the previous classifiers and apply the discard service level – Enable 802.1X and AutoVLANs, autoQoS on the user ports – On the RADIUS server assign to all users the filter-id=Blaster attribute – Next time a user logs in to the network the Blaster profile will be applied on the switched port the user connects to

14 Summary Efficient Convergence Network Design is key to performance, business continuity and scalability Multi-tiered hierarchical network design provides significant benefits in terms of scalability and fault tolerance Business Continuity is delivered by introducing high availability capabilities across all network design layers Campus Network Designs can be optimised to support Convergence applications by taking into account service performance parameters, traffic prioritisation and support for multicast Pervasive Network security addresses multiple threats, at multiple network design areas and through a variety of mechanisms

Download ppt "Designing for Pervasive Network Security. Designing for Security Our aim in this section will be to concentrate on how campus Networks can be designed."

Similar presentations

Ads by Google