Module 11: Designing Security for Network Perimeters
Overview
- Creating a Security Plan for the Perimeter of a Network
- Creating a Design for Security of Network Perimeters

Lesson 1: Creating a Security Plan for the Perimeter of a Network
- MSF and Security of Network Perimeters
- Defense in Depth and Security of Network Perimeters
- Resources to Protect with Network Perimeters Security
- STRIDE Threat Model and Security of Network Perimeters
MSF and Security of Network Perimeters
The MSF envisioning and planning phases help you to:
- Decide which locations your plan will help to protect
- Ensure that appropriate countermeasures are applied
- Identify your perimeter points. These can include:
  - Direct Internet connections
  - Dedicated WAN links
  - Perimeter networks
  - VPN client computers
  - Applications
  - Wireless connections
(Diagram: the MSF Envision and Plan phases)
Defense in Depth and Security of Network Perimeters
(Diagram: the defense-in-depth layers, with the Perimeter layer highlighted as the subject of this module)
- Policies, Procedures, and Awareness
- Physical Security
- Perimeter
- Internal Network
- Host
- Application
- Data
Resources to Protect with Network Perimeters Security

Attacker | Threat | Example
External | Information disclosure | An attacker runs a series of port scans on a network and creates a network diagram and vulnerability list. The attacker uses this information to systematically attack the network.
Internal | Denial of service | An employee opens an e-mail message from an external Web-based account that contains a new worm virus. The virus infects the internal network from inside the perimeter.
STRIDE Threat Model and Security of Network Perimeters

Perimeter threat example | STRIDE category
Exposure of account information | Spoofing
Unauthorized access to data | Tampering
Unmanaged VPN client computers | Repudiation
Forgotten connections to the Internet | Information disclosure
Worms | Denial of service
Unauthorized Web servers | Elevation of privilege
Lesson 2: Creating a Design for Security of Network Perimeters
- Methods for Securing Network Perimeters
- Process for Designing Secure Perimeter Networks
- Methods for Securing Perimeter Networks
- Guidelines for Protecting Computers on the Perimeter
Methods for Securing Network Perimeters

Type | Description
Bastion host | A single hardened computer, typically a firewall with one interface facing the Internet and one facing the internal network, that is the only system exposed to the Internet.
Three-pronged configuration | One firewall with three network interfaces, separating the Internet, the perimeter network (screened subnet), and the internal network.
Back-to-back configuration | Two firewalls with the perimeter network between them: an external firewall facing the Internet and an internal firewall facing the internal network.
Process for Designing Secure Perimeter Networks
When designing secure screened subnets, determine:
- The services that you must provide
- How each service communicates with systems
- How each service authenticates users
- How you will manage each service
- How you will monitor and audit each service
- How you will configure firewall and router rules to secure the network
Methods for Securing Perimeter Networks
Implement the following security mechanisms on routers and firewalls:
- Packet filtering
- Routing rules
- Stateful packet inspection
- Application gateway
- Server publishing
- User-based authentication
- Intrusion detection
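As an added example (not part of the course materials) of the difference between two mechanisms in this list, packet filtering and stateful packet inspection: the address plan, the TCP segments and the policy (only internal hosts may open connections across the perimeter) are constructed for the illustration.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # constructed internal address plan
Packet = namedtuple("Packet", "src sport dst dport syn ack")  # one TCP segment

def is_internal(addr):
    return ip_address(addr) in INTERNAL

def stateless_filter(pkt):
    """Plain packet filtering judges each packet on its own headers: outbound
    allowed; inbound allowed only if ACK is set, i.e. the packet claims to
    belong to a connection an internal host opened."""
    if is_internal(pkt.src) and not is_internal(pkt.dst):
        return True
    if not is_internal(pkt.src) and is_internal(pkt.dst):
        return pkt.ack
    return False  # anything else (e.g. outside-to-outside) is not forwarded

class StatefulFilter:
    """Stateful packet inspection remembers outbound connection openings and
    admits an inbound packet only if it answers one of them."""
    def __init__(self):
        self.sessions = set()  # (int_ip, int_port, ext_ip, ext_port)

    def filter(self, pkt):
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            if pkt.syn and not pkt.ack:  # new connection opened from inside
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if not is_internal(pkt.src) and is_internal(pkt.dst):
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions
        return False  # anything else (e.g. outside-to-outside) is not forwarded

def compare(packets):
    """Decisions (stateless, stateful) for each packet of a sequence."""
    sf = StatefulFilter()
    return [(stateless_filter(p), sf.filter(p)) for p in packets]

# Constructed traffic: an outbound web connection and its SYN/ACK reply, then
# an inbound packet with ACK set that answers no connection. The stateless
# rule admits it; the stateful filter drops it.
TRAFFIC = [
    Packet("10.1.2.3", 40000, "198.51.100.10", 80, syn=True, ack=False),
    Packet("198.51.100.10", 80, "10.1.2.3", 40000, syn=True, ack=True),
    Packet("203.0.113.7", 4444, "10.1.2.3", 445, syn=False, ack=True),
]
```

Running compare(TRAFFIC) shows both filters passing the genuine connection, and only the stateful filter rejecting the third packet, which is why stateful inspection is listed alongside plain packet filtering.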
Guidelines for Protecting Computers on the Perimeter
For traveling computers or traveling users, follow these guidelines:
- Use and maintain antivirus software
- Use personal firewall applications
- Do not persistently store passwords
- Consider preventing third-party applications
- Educate users about security

Lab: Designing Security for Network Perimeters
- Exercise 1: Identifying Potential Perimeter Network Vulnerabilities
- Exercise 2: Implementing Countermeasures