The Three Sections of the Networks
We're almost through the theory and into some real configuration, but first we need to define the three key areas of our networks that need defending. And no, it's not the typical internal, DMZ and outside structure we'll be talking about here; instead we're dividing the network up into three logical areas.
- Management: This is the area where we control our devices, for example using SSH to connect to a router or firewall
- Control: The networks and protocols which devices use to control the traffic flow. For example, routing protocols and the information that is shared between routers would exist in this section.
- Data: The area where all the data flows across the networks; it is essentially anything that doesn't fit into the two previous categories.
These sections all link together in certain ways, but for the most part we like to keep them separate. However, there are certain obvious examples where they will have an effect on each other: if a routing protocol fails (control) then nothing in the data section will be able to move, as the devices won't know where to send it.
Management Section
We must first be able to manage a device before we can use it to forward or block traffic for us. In order to do this we must ensure that the management of the device is secure, so that it cannot be accessed by rogue users to subvert our traffic.
- Enforce password policy, such as a minimum length and password rotation policy
- Role-based access, ensuring that only those users who require access have got it, and that each user is only given as much control as they require to perform their task.
- AAA (authentication, authorisation and accounting), ensuring that each user is authenticated, authorised and an audit log is kept of access.
- Use NTP to keep an accurate time on each device
- Use encrypted SNMP (Simple Network Management Protocol).
- Lock down the networks able to manage the device
- Be very careful with syslog, as it is sent in cleartext. Encryption is difficult to enforce because of the volume of data, so at the very least ensure that a separate VLAN, or even a separate physical network, is used to carry it.
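To make the list above concrete, here is an added example of what those management-plane controls look like on a Cisco IOS router. It is not configuration from the original post; every hostname, address and secret is a placeholder, and it assumes a TACACS+ server at 10.0.0.10, an NTP server at 10.0.0.20, a syslog collector at 10.0.0.30 and administrators coming from 10.0.0.0/24.

```cisco
! Added example of management-plane hardening on a Cisco IOS router.
! Not from the original post; all names, addresses and secrets are
! placeholders (assumption: TACACS+ at 10.0.0.10, NTP at 10.0.0.20,
! syslog collector at 10.0.0.30, admin hosts in 10.0.0.0/24).
hostname R1
ip domain-name example.test
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Password policy: minimum length, encrypted secrets, brute-force throttling
security passwords min-length 12
service password-encryption
enable secret STRONG-ENABLE-SECRET
login block-for 120 attempts 3 within 60
!
! AAA: authenticate and authorise against TACACS+, fall back to local,
! and account for every session and every privileged command
aaa new-model
tacacs server TAC1
 address ipv4 10.0.0.10
 key TACACS-SHARED-KEY
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Role-based access: a full admin plus a restricted "view" for helpdesk
! staff who only need to look at interfaces and routes
username admin privilege 15 secret ADMIN-SECRET
parser view HELPDESK
 secret VIEW-SECRET
 commands exec include show interfaces
 commands exec include show ip route
username helpdesk view HELPDESK secret HELPDESK-SECRET
!
! Lock management access down to the admin network and to SSH only
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny any log
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
!
! Authenticated NTP so the audit trail has trustworthy timestamps
ntp authentication-key 1 md5 NTP-KEY
ntp authenticate
ntp trusted-key 1
ntp server 10.0.0.20 key 1
!
! SNMPv3 with authentication and encryption (auth + priv) instead of
! cleartext community strings
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha AUTH-PASS priv aes 128 PRIV-PASS
!
! Syslog is cleartext: send it from a dedicated source interface towards
! a collector that lives on the management network
logging source-interface Loopback0
logging host 10.0.0.30
logging trap informational
```

The `deny any log` line on the management ACL is worth keeping: every rejected connection attempt to the VTY lines then shows up in the syslog feed, which is often the first sign that someone is probing the device.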
Control Section
One of the common ways for a network device to be abused is when it gets overloaded. When a device receives a packet which needs to be forwarded it keeps a copy of the route in its cache, so that it doesn't need to expend as many CPU cycles the next time that route comes up. However, when the traffic is destined for the device itself, it must go through the logical process of identifying and verifying that the traffic is allowed each time. This leaves it open to overloading if it has to spend all its CPU cycles just on the control section.
- CoPP or Control Plane Policing. Policing the traffic destined for the device itself, for example a threshold can be set for this traffic, and excess traffic is ignored.
- CPPr or Control Plane Protection. A more detailed classification of traffic than CoPP, and might allow us for example to set exceptions to the rate limiting above for important packets such as packets with time-to-live (TTL) options that are near expiration. In this case we might limit SSH traffic to a certain level, but allow routing protocol information to flow unimpeded.
- Routing protocol authentication. This allows us to authenticate the devices which are providing routing information to us, and stop rogue devices from subverting our network.
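As an added example (not from the original post), the following Cisco IOS configuration puts the three control-plane items above together: a CoPP policy that rate limits management traffic while letting routing protocols through, a CPPr-style restriction of which protocols the management interface accepts, and authentication for OSPF and BGP neighbours. Addresses, rates, interface names and keys are placeholders; it assumes administrators in 10.0.0.0/24, OSPF and BGP in use, and management via GigabitEthernet0/0.

```cisco
! Added example of control-plane protection on a Cisco IOS router.
! Not from the original post; addresses, rates, keys and interface names
! are placeholders (assumption: admins in 10.0.0.0/24, OSPF and BGP in
! use, management via GigabitEthernet0/0).
!
! 1. Classify traffic that is punted to the router's own CPU
ip access-list extended CP-ROUTING
 permit ospf any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
ip access-list extended CP-MGMT
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit udp 10.0.0.0 0.0.0.255 any eq snmp
class-map match-all CP-ROUTING-CLASS
 match access-group name CP-ROUTING
class-map match-all CP-MGMT-CLASS
 match access-group name CP-MGMT
!
! 2. CoPP: routing protocols pass unimpeded, management is rate limited,
!    everything else (including unclassified junk) gets a small budget
policy-map COPP
 class CP-ROUTING-CLASS
  police 512000 conform-action transmit exceed-action transmit
 class CP-MGMT-CLASS
  police 128000 conform-action transmit exceed-action drop
 class class-default
  police 32000 conform-action transmit exceed-action drop
control-plane
 service-policy input COPP
!
! 3. CPPr / management plane protection: only SSH and SNMP are accepted
!    on the management interface; other interfaces accept no management
control-plane host
 management-interface GigabitEthernet0/0 allow ssh snmp
!
! 4. Routing protocol authentication: an OSPF neighbour must present an
!    MD5 digest computed with the shared key before its updates are used
router ospf 1
 area 0 authentication message-digest
interface GigabitEthernet0/1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 OSPF-KEY
!
! BGP neighbour protected with the TCP MD5 signature option
router bgp 65001
 neighbor 192.0.2.2 remote-as 65002
 neighbor 192.0.2.2 password BGP-KEY
```

The order of the classes in the policy map matters: routing traffic is matched first so that a flood of SSH attempts can never starve the OSPF or BGP session that keeps the data section moving, which is exactly the failure mode described at the start of this post.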
Data Section
This is where we will spend most of our time, and it is what most of us think about when we think of network security: locking down the data so that it only goes where it is meant to go and doesn't get intercepted on the way. We also employ techniques to proactively monitor the data section to ensure that there is no unauthorised access.
- Access Control Lists (ACLs). Filtering traffic based on a set of parameters, for example only letting SSH traffic to a certain port, or only allowing inbound traffic from the internet to your web server on https.
- IOS firewall support. Zone-based firewall on IOS, more details later.
- IOS IPS. Using signatures to look for malicious traffic, the router can prevent the packets from traversing the network.
- TCP intercept. Checking the number of partially-formed TCP sessions and intercepting on behalf of the receiving device. Can be used to mitigate DoS attacks and SYN floods.
- Unicast Reverse Path Forwarding (uRPF). Verifying that the source address of a packet is reachable back through the interface it arrived on; this can be used to prevent IP spoofing.
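The following added example (not the original post's configuration) shows three of the layer 3/4 controls above on a small Cisco IOS edge router: an inbound ACL that only allows HTTPS to the web server, TCP intercept in front of that server, and uRPF in the two modes that fit an edge device. Addresses and interface names are placeholders; it assumes GigabitEthernet0/0 faces the internet, GigabitEthernet0/1 faces the inside, and the web server is 203.0.113.10.

```cisco
! Added example of data-plane controls on a Cisco IOS edge router.
! Not from the original post; addresses and interface names are
! placeholders (assumption: GigabitEthernet0/0 faces the internet,
! GigabitEthernet0/1 faces the inside, web server at 203.0.113.10).
!
! ACL: from the internet, allow only HTTPS to the web server and log
! everything else that gets dropped
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 443
 deny ip any any log
!
! TCP intercept: the router completes the three-way handshake on behalf
! of the web server and only hands over sessions that actually finish,
! so a SYN flood never fills the server's half-open connection table.
! The high/low thresholds switch "aggressive mode" (drop the oldest
! half-open sessions) on and off.
access-list 101 permit tcp any host 203.0.113.10
ip tcp intercept list 101
ip tcp intercept mode intercept
ip tcp intercept max-incomplete high 800
ip tcp intercept max-incomplete low 600
ip tcp intercept one-minute high 1000
ip tcp intercept one-minute low 800
!
interface GigabitEthernet0/0
 description Internet
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ! uRPF loose mode: drop packets whose source address has no route at
 ! all (for example spoofed private or unallocated sources); loose mode
 ! is used here because the path back to the internet may be asymmetric
 ip verify unicast source reachable-via any
!
interface GigabitEthernet0/1
 description Inside
 ip address 192.168.10.1 255.255.255.0
 ! uRPF strict mode: the source must be reachable back through this very
 ! interface, so an inside host cannot send packets with a forged source
 ip verify unicast source reachable-via rx
```

`show tcp intercept statistics` and `show ip interface GigabitEthernet0/0` (which reports the uRPF drop counter) are the commands to check that these features are actually seeing and dropping traffic rather than just sitting in the configuration.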
Most of these techniques live at layers 3 and 4 of the OSI network model, but we can also employ various other tools to help secure our network even further.
- Switch port-security. To protect against MAC address flooding and content-addressable memory (CAM) overflow attacks. If a switch's memory becomes overloaded it may lead to it broadcasting packets to all ports in the VLAN, potentially allowing an attacker to eavesdrop.
- Dynamic Host Configuration Protocol (DHCP) snooping, to prevent unwanted DHCP servers from dispensing malicious gateway information.
- Dynamic ARP Inspection (DAI). Protects against Address Resolution Protocol (ARP) spoofing and ARP poisoning.
- IP Source Guard. Verifies that devices attached to the switch are not spoofing IP addresses.
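The four layer 2 features above are built on top of each other on a Catalyst switch, so here they are configured together as an added example (not from the original post). VLAN and port numbers are placeholders; it assumes users sit in VLAN 10 on GigabitEthernet0/2 to 0/24 and the DHCP server is reached through the uplink GigabitEthernet0/1.

```cisco
! Added example of layer-2 protections on a Cisco Catalyst access switch.
! Not from the original post; VLAN and port numbers are placeholders
! (assumption: users in VLAN 10 on Gi0/2-24, DHCP server reached via the
! uplink Gi0/1).
!
! DHCP snooping builds a table of which IP/MAC pair was leased on which
! port; DAI and IP Source Guard both check packets against that table
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Uplink: the only port allowed to carry DHCP server replies and ARP
! traffic that is not checked against the binding table
interface GigabitEthernet0/1
 description Uplink
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! User ports: untrusted for DHCP and ARP, rate limited, and with
! port security so a MAC flood cannot overflow the CAM table
interface range GigabitEthernet0/2 - 24
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 ! Port security: at most two addresses, learned dynamically and kept
 ! ("sticky"); a third address is dropped and logged ("restrict") rather
 ! than shutting the port, which avoids a trivial self-inflicted DoS
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ! DHCP snooping: a rogue server's OFFER from a user port is discarded;
 ! rate limiting stops a host exhausting the DHCP pool with requests
 ip dhcp snooping limit rate 10
 ! Dynamic ARP Inspection: ARP replies must match the snooping binding,
 ! which defeats gratuitous-ARP poisoning of the gateway address
 ip arp inspection limit rate 15
 ! IP Source Guard: IP packets whose source address was never leased to
 ! this port are dropped
 ip verify source
```

If a user port has a statically addressed device, it will have no entry in the snooping table and IP Source Guard will drop its traffic; `ip source binding` lets you add such a host by hand, and `show ip dhcp snooping binding` shows what the switch currently believes about each port.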
That gives you a brief overview of topics we will spend a lot more time on later, and something to think about when we are configuring our devices.
More soon