2. Index
1. Diagram Legend
2. Layered Network Design
   1. Access Layer
   2. Distribution Layer
   3. Core Layer
3. High Availability and Load Balancing
4. Modular Network Design
   1. Management Block
      1. Out-of-Band Management
      2. In-Band Management
   2. Server Block
   3. WAN Block
   4. Internet Block
3. Diagram Legend
• Terminal Server
• Router
• Firewall
• Switch
• Server
• Multilayer Switch
• Load Balancer
• Remote User
• NIDS: Network Intrusion Detection System
• HIDS: Host Intrusion Detection System
• VPN: Virtual Private Network
• Network Management Console
• CC: Crypto Cluster
4. Modular Network Design (diagram)
(Diagram: Switch Block 1, Switch Block 2, Management Block, WAN Block, Server Block and Internet Block, with IDS sensors in each block, a crypto cluster (CC) and VPN devices at the Internet Block.)
5. Access Layer
(Diagram: the access layer highlighted within the modular design of Switch Block 1, Switch Block 2, Management Block, WAN Block, Server Block, VPN and Internet Block.)
6. Characteristics
• Low Cost per port
• High port density
• Uplink to higher layers
• Layer 2 Services
7. Security Design
• Identity-based network services
• VLAN and PVLAN segregation
• Rate limiting
• Management traffic encryption
• Physical isolation
8. Best Practices
• Ports that do not need to trunk should have trunking set to OFF rather than AUTO (no DTP negotiation)
• Limit each port to a small number of MAC addresses (e.g. 5) with port security
• Configure broadcast storm control
• Turn off Telnet and limit SNMP access to the switches
• Log to an external server
9. Distribution Layer
(Diagram: the distribution layer highlighted within the modular design of Switch Block 1, Switch Block 2, Management Block, WAN Block, Server Block, VPN and Internet Block.)
10. Characteristics
• Aggregation of Access Layer Devices
• High layer 3 throughput
• Robust layer 3 functionality
• Security
• Media Translation
• QoS
12. Best Practices
• Turn off unneeded services
• Disable all unused ports
• Limit the MAC addresses on a port to known MAC addresses where possible (non-trunking ports)
• For trunking ports use a dedicated VLAN identifier
• Eliminate the native VLAN on 802.1Q trunks (untagged native-VLAN traffic enables VLAN hopping)
• Turn off Telnet and limit SNMP access to the switches
• Log to an external server
13. Core Layer
(Diagram: the core layer highlighted within the modular design of Switch Block 1, Switch Block 2, Management Block, WAN Block, Server Block, VPN and Internet Block.)
14. Characteristics
• No Expensive Layer 3 Processing
• Very High Throughput
• No unnecessary packet manipulation
• Resiliency
• High Availability
16. Best Practices
• Disable all unused ports
• Limit the MAC addresses on a port to known MAC addresses where possible
• Turn off Telnet and limit SNMP access to the switches
• Log to an external server
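The best-practice lists for the access, distribution and core layers translate into a handful of concrete switch settings. The following is an added example, not material from the original slides: a Python audit that reads a Cisco IOS-style configuration and reports every departure from those practices (trunking left on AUTO, no port security or too many MAC addresses, no broadcast storm control, an unused port left enabled, a trunk on the default native VLAN, Telnet on the vty lines, an SNMP community without an access list, no external syslog host). Both sample configurations, the ACL name SNMP-MGMT and the syslog address 10.255.0.10 are constructed for illustration.

```python
# Added example, not from the original slides: audit a Cisco IOS-style switch
# configuration against the best practices above. Both sample configurations,
# the ACL name SNMP-MGMT and the address 10.255.0.10 are constructed.
import re

MAX_MACS = 5  # the slides' suggested per-port MAC address limit
# Constructed "before": the weak settings the slides warn about.
WEAK_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode dynamic auto
 switchport port-security maximum 50
interface GigabitEthernet1/0/3
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk native vlan 1
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
"""
# Constructed "after": the same ports hardened.
HARDENED_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
 switchport port-security
 storm-control broadcast level 10.00
interface GigabitEthernet1/0/3
 shutdown
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
snmp-server community s3cr3t-ro RO SNMP-MGMT
logging host 10.255.0.10
line vty 0 4
 transport input ssh
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented lines; global commands are skipped."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any global command ends the stanza
    return interfaces

def audit_interface(name, lines):
    """Findings for one port (access, distribution and core layer best practices)."""
    f = []
    if "shutdown" in lines:
        return f  # disabled port: nothing to check
    if not lines:
        return [(name, "unused port is not shut down")]
    if "switchport mode trunk" in lines:
        native = [int(l.split()[-1]) for l in lines if l.startswith("switchport trunk native vlan ")]
        if "switchport nonegotiate" not in lines:
            f.append((name, "trunk still negotiates with DTP"))
        if not native or native[0] == 1:
            f.append((name, "trunk has no dedicated native VLAN ID (default VLAN 1)"))
        return f
    if "switchport mode access" not in lines or "switchport nonegotiate" not in lines:
        f.append((name, "trunking is AUTO rather than OFF (DTP can still negotiate)"))
    enabled = "switchport port-security" in lines
    maximum = 1 if enabled else None  # IOS default once port security is on
    for l in lines:
        if l.startswith("switchport port-security maximum "):
            maximum = int(l.split()[-1])
    if not enabled:
        f.append((name, "port security not enabled"))
    if maximum is not None and maximum > MAX_MACS:
        f.append((name, f"port allows {maximum} MAC addresses (limit is {MAX_MACS})"))
    if not any(l.startswith("storm-control broadcast") for l in lines):
        f.append((name, "no broadcast storm control"))
    return f

SNMP_RE = re.compile(r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?$")
SYSLOG_RE = re.compile(r"^logging (?:host )?\d{1,3}(?:\.\d{1,3}){3}\b")  # IP literal only

def audit_global(config):
    """Management-plane checks: SNMP restricted by ACL, SSH-only vty lines, remote syslog."""
    f = []
    for s in (raw.strip() for raw in config.splitlines()):
        m = SNMP_RE.match(s)
        if m and m.group(3) is None:
            f.append(("global", f"SNMP community '{m.group(1)}' has no access list"))
        if s.startswith("transport input") and set(s.split()[2:]) - {"ssh", "none"}:
            f.append(("vty", f"'{s}' permits Telnet or another clear-text protocol"))
    if not any(SYSLOG_RE.match(l.strip()) for l in config.splitlines()):
        f.append(("global", "no external syslog host configured"))
    return f

def audit(config):
    """All findings, sorted; an empty list means the configuration is compliant."""
    return sorted(audit_global(config) + [x for name, lines in parse_interfaces(config).items()
                                          for x in audit_interface(name, lines)])
```

audit(WEAK_CONFIG) returns ten findings, one per departure from the practices above, and audit(HARDENED_CONFIG) returns an empty list. The parser treats any non-indented line as the end of an interface stanza, so configurations with or without the usual "!" separators are handled the same way.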
19. Key Devices (Management Block)
• Firewalls
• NIDS and HIDS
• IDS hosts
• Syslog hosts
• SNMP management hosts
• CiscoWorks, HP OpenView
• System administration host
20. Out-of-Band Management
• Preferred method of management
• Isolated from the production network
• Physical isolation
21. In-Band Management
• Carries only management traffic
• Different address space from the production network
• NAT
• Encryption (IPsec, SSH, SSL)
• Firewall protection + IDS
22. Best Practices
• Only use in-band management when necessary.
• PVLAN segregation among hosts in the management block.
• Periodic log review.
• Establish a configuration baseline.
• Check configurations against the baseline periodically.
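The last two practices, establishing a configuration baseline and checking against it periodically, are what turn an unnoticed change into a finding. As an added example that is not part of the original slides, the Python below builds a baseline of per-device configuration fingerprints, ignores header lines that IOS rewrites on its own so they do not register as drift, and on each check reports devices whose configuration changed (with the changed lines), devices that were not collected, and devices that have no baseline entry. The device names and configurations are constructed for illustration.

```python
# Added example, not from the original slides: establish a configuration
# baseline for the management block's devices and check it periodically.
# Device names and configurations below are constructed for illustration.
import difflib
import hashlib
import re

# Header lines IOS rewrites by itself; they must not count as drift.
VOLATILE = re.compile(r"^! (Last configuration change|NVRAM config last updated)")

def normalize(config):
    """Drop volatile lines and trailing whitespace so only real changes count."""
    return [l.rstrip() for l in config.splitlines() if not VOLATILE.match(l)]

def fingerprint(config):
    """SHA-256 of the normalized configuration, the value stored in the baseline."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()

def establish_baseline(configs):
    """{device: config text} -> {device: (fingerprint, normalized lines)}."""
    return {dev: (fingerprint(cfg), normalize(cfg)) for dev, cfg in configs.items()}

def check_baseline(baseline, configs):
    """Periodic check: {device: changed lines} for every device that drifted,
    was not collected this cycle, or is new and has no baseline entry."""
    drift = {}
    for dev, (digest, old) in baseline.items():
        if dev not in configs:
            drift[dev] = ["device not collected this cycle"]
        elif fingerprint(configs[dev]) != digest:
            diff = difflib.unified_diff(old, normalize(configs[dev]), lineterm="", n=0)
            drift[dev] = [l for l in diff
                          if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]
    for dev in configs.keys() - baseline.keys():
        drift[dev] = ["device has no baseline entry"]
    return drift

# Constructed sample: a firewall and a switch in the management block.
BASELINE_CONFIGS = {
    "mgmt-fw1": "! Last configuration change at 09:00:00 UTC Mon Jan 1 2007\n"
                "hostname mgmt-fw1\n"
                "access-list MGMT permit tcp 10.255.0.0 0.0.0.255 any eq 22\n"
                "access-list MGMT deny ip any any log\n",
    "mgmt-sw1": "hostname mgmt-sw1\nlogging host 10.255.0.10\n",
}
# Constructed "current" collection: the firewall gained a Telnet permit,
# the switch only has a new timestamp line.
CURRENT_CONFIGS = {
    "mgmt-fw1": "! Last configuration change at 03:12:44 UTC Tue Jan 2 2007\n"
                "hostname mgmt-fw1\n"
                "access-list MGMT permit tcp 10.255.0.0 0.0.0.255 any eq 22\n"
                "access-list MGMT permit tcp any any eq 23\n"
                "access-list MGMT deny ip any any log\n",
    "mgmt-sw1": "! Last configuration change at 09:05:00 UTC Mon Jan 1 2007\n"
                "hostname mgmt-sw1\nlogging host 10.255.0.10\n",
}

if __name__ == "__main__":
    baseline = establish_baseline(BASELINE_CONFIGS)
    for dev, changes in check_baseline(baseline, CURRENT_CONFIGS).items():
        print(dev, changes)
```

In the sample only mgmt-fw1 is reported, with the single added access-list line; mgmt-sw1 is not, because the rewritten timestamp is excluded by normalize() before hashing. Keeping the normalized lines alongside the hash is what allows the check to show what changed rather than only that something changed.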
23. Threats Mitigated
Best practices:
• Only use in-band management when necessary
• PVLAN segregation among hosts in the management block
• Periodic log review
• Configuration baseline establishment
• Periodic baseline checking
Threats mitigated:
• Unauthorised access
• Man-in-the-middle attacks
• Network reconnaissance
• Packet sniffing
• Compromised host hopping
• Hacking attempts going unnoticed
25. Key Devices (Server Block)
• Firewalls
• NIDS and HIDS
• NTP server
• TACACS+ server
• Certificate server
• SecurID server (strong authentication)
• Corporate servers
• Call Manager
• DNS servers
• E-mail servers
• Etc.
26. Best Practices
• Firewall and NIDS implementation
• PVLAN isolation for each server
• Host-based IDS on each server
• Service redundancy
• Backup policy
• Logging to an external server in the management module
• Version control
27. Threats Mitigated
Best practices:
• Firewall and NIDS implementation
• Host-based IDS on each server
• PVLAN isolation for each server
• Service redundancy
• Logging to an external server in the management module
• Backup policy
• Version control
Threats mitigated:
• Unauthorized access
• IP spoofing
• Application layer attacks
• Trust exploitation
• Compromised host hopping
• Packet sniffing
• DoS
• Hacking attempts going unnoticed
• Lost data
30. Best Practices (WAN Block)
• Data encryption
• Access list implementation
• High availability through different providers
31. Threats Mitigated
Best practices:
• Data encryption
• Access list implementation
• High availability through different providers
Threats mitigated:
• Data theft
• Man-in-the-middle attacks
• IP spoofing
• Unauthorized access
• DoS
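The "access list implementation" practice is what actually stops the IP spoofing and unauthorized access listed above. As an added example that is not part of the original slides, the Python below models an inbound access list on the provider-facing interface: it drops packets arriving from outside with internal or bogon source addresses, keeps the management block unreachable from the outside, permits only the published services and the VPN concentrator, evaluates constructed packet headers against the rules, and renders the same rules in IOS extended-ACL syntax. The address ranges, host addresses and the ACL name WAN-IN are assumptions.

```python
# Added example, not from the original slides: an inbound access list for the
# provider-facing interface of the WAN/Internet block, evaluated over constructed
# packet headers. All addresses and the ACL name WAN-IN are assumptions.
from ipaddress import ip_address as addr, ip_network as net

ANY = net("0.0.0.0/0")
INTERNAL = [net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16")]  # corporate space
BOGONS = [net(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/3")]
MGMT = net("10.255.0.0/24")                                   # assumed management block
DMZ_WEB, DMZ_DNS, VPN_GW = net("192.0.2.10/32"), net("192.0.2.53/32"), net("192.0.2.1/32")

# (action, source networks, destination network, protocol, destination port, name).
# First match wins; anything that matches no rule hits the implicit deny.
INBOUND_ACL = [
    ("deny",   INTERNAL, ANY,     "any", None, "anti-spoofing: internal source arriving from outside"),
    ("deny",   BOGONS,   ANY,     "any", None, "bogon source address"),
    ("deny",   [ANY],    MGMT,    "any", None, "management block is unreachable from outside"),
    ("permit", [ANY],    DMZ_WEB, "tcp", 443,  "public HTTPS"),
    ("permit", [ANY],    DMZ_DNS, "udp", 53,   "public DNS"),
    ("permit", [ANY],    VPN_GW,  "udp", 500,  "IKE to the VPN concentrator"),
    ("permit", [ANY],    VPN_GW,  "esp", None, "IPsec ESP to the VPN concentrator"),
]

def evaluate(packet, acl=INBOUND_ACL):
    """packet = {"src", "dst", "proto", "dport"}; returns (action, matching rule name)."""
    src, dst = addr(packet["src"]), addr(packet["dst"])
    for action, sources, dest, proto, dport, name in acl:
        if not any(src in s for s in sources) or dst not in dest:
            continue
        if proto != "any" and proto != packet["proto"]:
            continue
        if dport is not None and dport != packet.get("dport"):
            continue
        return action, name
    return "deny", "implicit deny"

def to_ios(acl=INBOUND_ACL, name="WAN-IN"):
    """Render the rule table in IOS extended named-ACL syntax (wildcard masks)."""
    def span(n):
        if n == ANY:
            return "any"
        if n.prefixlen == 32:
            return f"host {n.network_address}"
        return f"{n.network_address} {n.hostmask}"
    lines = [f"ip access-list extended {name}"]
    for action, sources, dest, proto, dport, _ in acl:
        for s in sources:
            port = f" eq {dport}" if dport is not None else ""
            lines.append(f" {action} {'ip' if proto == 'any' else proto} {span(s)} {span(dest)}{port}")
    lines.append(" deny ip any any log")  # make the implicit deny explicit and logged
    return "\n".join(lines)

# Constructed packets: a spoofed internal source, a legitimate HTTPS request, an
# outside SSH attempt at the management block and an IPsec peer.
SAMPLE_PACKETS = [
    {"src": "10.1.2.3",     "dst": "192.0.2.10", "proto": "tcp", "dport": 443},
    {"src": "203.0.113.7",  "dst": "192.0.2.10", "proto": "tcp", "dport": 443},
    {"src": "203.0.113.7",  "dst": "10.255.0.5", "proto": "tcp", "dport": 22},
    {"src": "198.51.100.9", "dst": "192.0.2.1",  "proto": "esp", "dport": None},
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p["src"], "->", p["dst"], evaluate(p))
    print(to_ios())
```

The deny rules come first on purpose: a spoofed 10.1.2.3 source is rejected by the anti-spoofing rule before the HTTPS permit is ever considered, and the management block rule blocks the outside SSH attempt even though nothing else in the list would have permitted it. The explicit "deny ip any any log" at the end only adds logging to the implicit deny, so the dropped attempts show up on the external syslog host.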
33. Key Elements (Internet Block)
• Firewalls
• HIDS and NIDS
• VPN concentrator
• HTTP servers
• DNS servers
34. Best Practices
• Security policy with the ISP to mitigate DDoS
• Private VLAN isolation among servers
• No corporate servers at this point
• High availability through different ISPs
• VPN for remote user access
35. Threats Mitigated
Best practices:
• Security policy with the ISP
• Private VLAN isolation among servers
• Firewall, NIDS and HIDS implementation
• High availability through different ISPs
• VPN for remote user access
• No corporate servers at this point
Threats mitigated:
• IP spoofing
• Packet sniffing
• Compromised host hopping
• Hacking attempts going unnoticed
• DDoS attacks
• Unauthorized access