Security Design Considerations Module 3 - Training Sample
- 2. Description
This module provides an overview of the network
vulnerabilities and security threats companies face
today.
It reviews the factors that should be taken into
consideration when designing a security solution.
It describes basic Sentriant CE150 network design
configurations.
Finally, it lists the technical information needed
before you install the Sentriant CE150.
© 2006 Extreme Networks, Inc. All rights reserved.
- 3. Objectives
Upon completion of this module the successful
student will be able to:
• List the factors taken into consideration when designing a
network security solution.
• Understand the network vulnerabilities that are addressed
by the Sentriant CE150.
• Describe basic Sentriant CE150 network design
configurations.
• Identify the technical information required before you install
a Sentriant CE150 in a customer site.
- 4. Traditional Defenses:
Firewalls and IDS
Firewall
• Enforce access control policies between networks
• Determine which inside services may be available from
outside and vice versa
• Provide a single "choke point" where security audits may be performed
• Log connection attempts, which reveals who has been "sniffing" around the perimeter
Intrusion Detection Systems (IDS)
• Excellent at detecting many types of network attacks, but they detect rather than prevent
- 5. Firewall and IDS Limitations
Cannot protect from attacks that bypass them
• Internal attacks or unrestricted dial-outs
Cannot protect data that is traversing the network
• Financial data, corporate secrets, etc.
Cannot protect against data being "changed" as it moves across the network
Cannot stop attacks that originate from the inside
- 6. Network Vulnerabilities
Unauthorized Access of Data in Motion
• Unauthorized monitoring – Network users assume the data they send over the network is viewed only by the intended receiver; on an unencrypted link, anyone on the path can read it.
• Unauthorized modification – A traceroute between any two corporate sites reveals the intermediate hops, each of which is a point where an intruder could inconspicuously modify data.
Common Inside Attacks
• Insider breaches – Employees, contractors and others with legitimate network access are already inside the perimeter and can reach sensitive data without ever crossing the firewall.
• Man-in-the-middle attacks (TCP session hijacking is one form) – An attacker sniffs packets from the network, modifies them and inserts them back into the network.
• Port mirroring – A switch feature that forwards a copy of every packet entering or leaving one port to another port, where it can be captured and studied. An insider with access to the switch (or to the mirror port) uses it to sniff traffic without touching the end hosts.
- 7. Mitigate Network Vulnerabilities:
Inside the Perimeter
It is important to secure your data as it travels within your organization's network.
• Insiders account for up to 50% of network security breaches.
A layered approach to network security provides the best defense possible.
This means that in addition to perimeter security (e.g., a firewall), data traversing the internal network must also be secured.
The only way to protect data traversing internal networks is to encrypt it: encryption hides the content from monitoring and, combined with integrity protection, makes in-flight modification detectable. Sentriant CE150 provides the ideal solution for encrypting and safeguarding data in motion.
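The two vulnerabilities from the previous slide (an insider reading traffic from a mirror port, and an on-path attacker changing data in flight) and the remedy this slide proposes, as an added example that is not code from the training module or from Extreme Networks. It models a Layer 2 frame whose payload is first sent in the clear and then encrypted and authenticated. The cipher is a stand-in built from HMAC-SHA256 in counter mode so that the example runs with the Python standard library alone; a production appliance uses a standardized cipher such as AES. The keys, MAC addresses and payment message are constructed for the example. What carries over is the design: the MAC header stays in the clear so switches still forward the frame, the tag covers header and ciphertext, and the tag is checked before anything is decrypted.

```python
"""Model of an on-path insider on an internal link, and of encrypt-then-authenticate
protection of a Layer 2 payload.

Added example; not code from the training module or from Extreme Networks.
The cipher is a stand-in chosen to need only the standard library: HMAC-SHA256
run in counter mode as a keystream generator, plus an HMAC-SHA256 tag.
A production appliance uses a standardized cipher such as AES.
Keys, MAC addresses and the payload are constructed for the example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed keys; a real appliance pair derives these per link.
ENC_KEY = hashlib.sha256(b"example-encryption-key").digest()
MAC_KEY = hashlib.sha256(b"example-integrity-key").digest()
NONCE_LEN, TAG_LEN = 16, 32


@dataclass
class Frame:
    dst: bytes      # destination MAC, left in clear so switches still forward the frame
    src: bytes      # source MAC
    payload: bytes  # what an insider on a mirror port can read or alter


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def protect(frame: Frame) -> Frame:
    """Encrypt the payload and bind it to the header with a tag.
    New payload layout: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(ENC_KEY, nonce, len(frame.payload))
    ct = bytes(p ^ k for p, k in zip(frame.payload, ks))
    tag = hmac.new(MAC_KEY, frame.dst + frame.src + nonce + ct, hashlib.sha256).digest()
    return Frame(frame.dst, frame.src, nonce + ct + tag)


def unprotect(frame: Frame) -> Optional[bytes]:
    """Verify the tag first, then decrypt; None means the frame was tampered with."""
    if len(frame.payload) < NONCE_LEN + TAG_LEN:
        return None
    nonce = frame.payload[:NONCE_LEN]
    ct, tag = frame.payload[NONCE_LEN:-TAG_LEN], frame.payload[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, frame.dst + frame.src + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(ENC_KEY, nonce, len(ct))))


def attacker_sniff(frame: Frame) -> bytes:
    """Unauthorized monitoring from a mirror port: read the payload as it passes."""
    return frame.payload


def attacker_modify(frame: Frame, old: bytes, new: bytes) -> Frame:
    """Man-in-the-middle edit: rewrite a field if it is visible, else flip bytes blindly."""
    payload = frame.payload
    if old in payload:
        payload = payload.replace(old, new, 1)
    else:
        i = NONCE_LEN + 6   # guess at where the field sits inside the ciphertext
        payload = payload[:i] + bytes(b ^ 0xFF for b in payload[i:i + 4]) + payload[i + 4:]
    return Frame(frame.dst, frame.src, payload)


def demo() -> dict:
    """Send one constructed frame over a cleartext link and over a protected one."""
    msg = b"PAY amount=1000 to=ACCT-42"
    clear = Frame(bytes.fromhex("001122334455"), bytes.fromhex("0066778899aa"), msg)

    seen_clear = attacker_sniff(clear)
    edited_clear = attacker_modify(clear, b"1000", b"9999")

    prot = protect(clear)
    seen_prot = attacker_sniff(prot)
    edited_prot = attacker_modify(prot, b"1000", b"9999")

    return {
        "clear_sniff_reveals_secret": b"ACCT-42" in seen_clear,
        "clear_edit_undetected": edited_clear.payload == b"PAY amount=9999 to=ACCT-42",
        "protected_sniff_reveals_secret": b"ACCT-42" in seen_prot,
        "protected_roundtrip_ok": unprotect(prot) == msg,
        "protected_edit_detected": unprotect(edited_prot) is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Run it and the cleartext link reports both the exposed account number and the silently changed amount, while the protected link reports neither. Because the tag also covers the MAC header, a frame that an insider redirects to a different destination fails the same check as one whose payload was altered.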
- 8. Elements of a Comprehensive
Security Solution
Physical protection
• Where are you?
User authentication
• Who are you?
Encryption
• Which information should be hidden?
Access control
• Which assets are you allowed to use?
Management
• What is going on within the network?
- 9. Security Design Considerations
Performance
• Security solutions cannot become bottlenecks on the network.
Security appliances must provide low latency and high throughput.
User Transparency
• Security appliances should not require reconfiguration of routers,
gateways, or end-user devices
Centralized management and administration
• Security solutions should provide centralized management and control, including SNMP (with a MIB), audit logging and syslog
Regulatory compliance
• Security solutions must be able to support the ever-evolving Federal and State government regulations, e.g., HIPAA
Resiliency
• Security solutions must be available 24/7, with the ability to update security policies on the fly
- 11. Sentriant CE150
Non-Router Network - Outbound
[Diagram: two sites, each with a switch and a Sentriant CE150, joined by a Layer 2 fiber backbone or point-to-point wireless switched network; arrow marks outbound traffic]
Non-Router Network outbound traffic:
• This example explains the steps network equipment performs when sending data from a company site out to an external entity in a non-router (Layer 2) environment.
- 12. Sentriant CE150
Non-Router Network - Inbound
[Diagram: two sites, each with a switch and a Sentriant CE150, joined by a Layer 2 fiber backbone or point-to-point wireless switched network; arrow marks inbound traffic]
Non-Router Network inbound traffic:
• This example explains the steps network equipment performs when receiving data from an external entity into a company site in a non-router (Layer 2) environment.
- 13. Sentriant CE150
Router WANs - Outbound
[Diagram: two sites, each with a switch, a Sentriant CE150 and a router, joined across the Internet; arrow marks outbound traffic]
Router WAN/Backbone Outbound traffic:
• This example explains the steps network equipment performs when
sending data from a company site out to an external entity in a
router environment.
- 14. Sentriant CE150
Router WANs - Inbound
[Diagram: two sites, each with a switch, a Sentriant CE150 and a router, joined across the Internet; arrow marks inbound traffic]
Router WAN/Backbone Inbound traffic:
• This example explains the steps network equipment performs when
receiving data from an external entity into a company site in a
router environment.
- 15. Resiliency
Non-VRRP Example
[Diagram: two sites joined across the Internet by two independent paths, each with its own Sentriant CE150 at both ends (routers 1, 2, A, B, C and D)]
Dual active-path redundancy
• This example has two Sentriant CE150 appliances at each end of
the connection creating two active paths between the locations.
- 16. Resiliency
VRRP Example
[Diagram: two sites joined across the Internet; a pair of Sentriant CE150 appliances with routers 1, 2, A, B, C and D, one active path]
Single active-path redundancy
• A pair of Sentriant CE150 appliances can be configured to form a virtual security gateway (VSG).
• One appliance is active and the other waits in a backup state, taking over if the active one fails.
Virtual Router Redundancy Protocol (VRRP)
• Allows the two security gateways to share one virtual IP address, so hosts and routers point at the VSG rather than at either appliance and need no reconfiguration when a failover occurs
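How the active/backup pair elects a master and fails over, as an added example that is not code from the training module or from Extreme Networks. It simulates two appliances named CE150-A (priority 120) and CE150-B (priority 100) running the VRRP timer rules of RFC 3768 (advertisement interval, skew time, master-down interval, preemption); the names, priorities, the failure at 20 s and the recovery at 30 s are constructed, and the "wire" is a shared list rather than real multicast.

```python
"""Simulation of the VRRP election and failover behind a virtual security gateway:
two appliances share one virtual IP; one is master, the other waits as backup.

Added example; not code from the training module or from Extreme Networks.
Timer rules (advertisement interval, skew time, master-down interval, preemption)
follow RFC 3768; names, priorities and the failure timeline are constructed, and
the "wire" is a list both appliances see rather than real multicast.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Gateway:
    name: str
    priority: int               # 1..254 (255 is reserved for the address owner)
    adv_interval_ms: int = 1000
    preempt: bool = True
    state: str = "INIT"
    alive: bool = True
    master_down_timer: int = 0  # ms left before a backup declares the master dead
    adv_timer: int = 0          # ms until the master's next advertisement

    @property
    def skew_ms(self) -> int:   # higher priority -> shorter skew -> wins a tie
        return (256 - self.priority) * 1000 // 256

    @property
    def master_down_interval_ms(self) -> int:
        return 3 * self.adv_interval_ms + self.skew_ms

    def become_backup(self) -> None:  # also the boot state of a non-owner
        self.state = "BACKUP"
        self.master_down_timer = self.master_down_interval_ms

    def become_master(self) -> None:
        self.state = "MASTER"
        self.adv_timer = 0      # advertise at once; a real gateway also sends gratuitous ARP

    def on_advert(self, sender: str, priority: int) -> None:
        if not self.alive or sender == self.name:
            return
        if self.state == "BACKUP":
            if priority == 0:                     # master shutting down cleanly
                self.master_down_timer = self.skew_ms
            elif not self.preempt or priority >= self.priority:
                self.master_down_timer = self.master_down_interval_ms
            # else: lower-priority master and preempt on; ignore it, let the timer expire
        elif self.state == "MASTER" and priority > self.priority:
            self.become_backup()

    def tick(self, ms: int, wire: List[Tuple[str, int]]) -> None:
        if not self.alive:
            return
        if self.state == "BACKUP":
            self.master_down_timer -= ms
            if self.master_down_timer <= 0:
                self.become_master()
        if self.state == "MASTER":
            self.adv_timer -= ms
            if self.adv_timer <= 0:
                wire.append((self.name, self.priority))
                self.adv_timer = self.adv_interval_ms


def simulate(events: Dict[int, Tuple[str, str]], duration_ms: int,
             step_ms: int = 10) -> List[tuple]:
    """Run a VSG pair; events maps time_ms -> (name, "fail" | "recover").
    Returns every state transition as (time_ms, name, state)."""
    gws = [Gateway("CE150-A", priority=120), Gateway("CE150-B", priority=100)]
    for g in gws:
        g.become_backup()
    log = [(0, g.name, g.state) for g in gws]
    for t in range(0, duration_ms, step_ms):
        if t in events:
            name, what = events[t]
            g = next(x for x in gws if x.name == name)
            if what == "fail":
                g.alive, g.state = False, "DOWN"
            else:
                g.alive = True
                g.become_backup()
            log.append((t, g.name, g.state))
        before = {g.name: g.state for g in gws}
        wire: List[Tuple[str, int]] = []
        for g in gws:
            g.tick(step_ms, wire)
        for sender, prio in wire:   # deliver this step's advertisements to everyone
            for g in gws:
                g.on_advert(sender, prio)
        for g in gws:
            if g.state != before[g.name]:
                log.append((t + step_ms, g.name, g.state))
    return log


def run_demo() -> List[tuple]:
    """Constructed timeline: CE150-A fails at 20 s and comes back at 30 s."""
    return simulate({20000: ("CE150-A", "fail"), 30000: ("CE150-A", "recover")}, 40000)
```

Printing `run_demo()` shows CE150-A winning the initial election (its skew time is shorter), CE150-B taking over about 3.6 s after CE150-A's last advertisement (three advertisement intervals plus its own skew time), and CE150-A preempting again once it is back. The hosts keep the virtual IP as their gateway throughout, which is why the failover needs no reconfiguration. That detection delay is the trade-off against the dual active-path design on the previous slide, where both paths carry traffic and nothing has to time out.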
- 26. Summary
This module provided an overview of the network vulnerabilities
and security threats companies face today.
The module also reviewed the factors that should be taken into
consideration when designing a security solution.
It described basic Sentriant CE150 network design
configurations.
And finally, it provided the technical information worksheets
used to assist with the installation of the Sentriant CE150.
- 27. Summary continued
You should now be able to:
• List the factors taken into consideration when designing a
network security solution.
• Understand the network vulnerabilities that are addressed
by the Sentriant CE150.
• Describe basic Sentriant CE150 network design configurations.
• Identify the technical information required before you install
a Sentriant CE150 in a customer site.
- 28. End of Module Review
5 Minutes