Secure Network Design

Jose David Garcia
Index
1.    Diagram Legend
2.    Layered Network Design
     1.   Access Layer
     2.   Distribution Layer
     3.   Core Layer
3.    High Availability and Load Balancing
4.    Modular Network Design
     1.   Management Block
          1.   Out of Band Management
          2.   In Band Management
     2.   Server Block
     3.   WAN Block
     4.   Internet Block
Diagram Legend
•   Terminal
•   Server
•   Router
•   Firewall
•   Switch
•   Multilayer Switch
•   Load Balancer
•   Management Console
•   Remote User
•   NIDS: Network Intrusion Detection System
•   HIDS: Host Intrusion Detection System
•   VPN: Virtual Private Network
•   CC: Crypto Cluster
Figure: overall modular design. Switch Block 1 and Switch Block 2 attach to the core, as do the Management Block, the Server Block, the WAN Block (with a Crypto Cluster, CC) and the Internet Block (with four VPN concentrators). An IDS sensor sits at the boundary of each block.
Access Layer

Figure: the modular design with the access layer (the user-facing switches in Switch Block 1 and Switch Block 2) highlighted; the Management Block, Server Block, WAN Block and Internet Block (VPN) are shown for context.
Characteristics
•   Low Cost per port
•   High port density
•   Uplink to higher layers
•   Layer 2 Services
Security Design
• Identity-based network services
• VLAN and PVLAN segregation
• Rate limiting
• Management encryption
• Physical isolation
Best Practices

• Ports that do not need to trunk should have DTP negotiation turned off
  (mode access plus nonegotiate) rather than left on dynamic auto, so a host
  cannot negotiate itself a trunk
• Limit each access port to a small number of MAC addresses with port
  security (the slides suggest 5)
• Configure broadcast storm control
• Turn off Telnet (use SSH) and restrict SNMP access to the switches by ACL
• Log to an external server
Distribution Layer

Figure: the modular design with the distribution layer (the aggregation switches of Switch Block 1 and Switch Block 2) highlighted; the Management Block, Server Block, WAN Block and Internet Block (VPN) are shown for context.
Characteristics

•   Aggregation of Access Layer Devices
•   High layer 3 throughput
•   Robust layer 3 functionality
•   Security
•   Media Translation
•   QoS
Security
• Access control lists
• SPAN ports feeding IDS sensors
• Physical isolation
Best practices
• Turn off unneeded services
• Disable all unused ports
• Limit the MAC addresses on a port to known MAC addresses where possible
  (non-trunk ports)
• For trunk ports, use a dedicated, otherwise unused VLAN ID as the native
  VLAN (never a user VLAN)
• Tag the native VLAN on 802.1Q trunks so no untagged frames are accepted;
  the native VLAN cannot be removed, only made unusable for VLAN hopping
• Turn off Telnet (use SSH) and restrict SNMP access to the switches by ACL
• Log to an external server
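The access-layer and distribution-layer best practices above are the kind of rules worth checking automatically across every switch rather than by eye. The following is an added example, not code from the original presentation: a small Python auditor that parses IOS-style switch configuration text and reports each practice that is missing. The two configurations, the interface names, the syslog address 10.255.0.10, the community string and the ACL name MGMT-ONLY are constructed for the example; the commands it looks for (switchport mode access / nonegotiate, port-security maximum, storm-control broadcast, trunk native vlan, vlan dot1q tag native, transport input ssh, snmp-server community with an ACL, logging host) are standard IOS syntax.

```python
import re

MAX_MACS_PER_PORT = 5   # the "(5)" figure from the access-layer slide

# Constructed configs, not from any real device. The weak one leaves DTP on
# auto, has no port security or storm control, leaves an unused port live,
# trunks on native VLAN 1, allows Telnet and has an unrestricted SNMP community.
WEAK_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode dynamic auto
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/48
 switchport mode trunk
!
snmp-server community public RO
!
line vty 0 4
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
logging host 10.255.0.10
vlan dot1q tag native
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 5
 storm-control broadcast level 1.00
!
interface GigabitEthernet1/0/2
 shutdown
!
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
!
snmp-server community n0tPublic RO MGMT-ONLY
!
line vty 0 4
 transport input ssh
"""

def parse_ios(text):
    """Split IOS-style text into top-level lines and indented blocks keyed by header."""
    top, blocks, cur = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            cur = None
        elif raw.startswith(" ") and cur is not None:
            blocks[cur].append(raw.strip())
        elif raw.startswith(("interface ", "line ")):
            cur = raw.strip()
            blocks[cur] = []
        else:
            cur = None
            top.append(raw.strip())
    return top, blocks

def audit_interface(name, lines):
    cfg, text = set(lines), "\n".join(lines)
    if "shutdown" in cfg:
        return []                                    # disabled port: nothing to attack
    if not any(l.startswith("switchport") for l in lines):
        return [(name, "unused port not shut down")]
    out = []
    if "switchport nonegotiate" not in cfg:
        out.append((name, "DTP enabled: a host can negotiate a trunk"))
    if "switchport mode trunk" in cfg:
        m = re.search(r"switchport trunk native vlan (\d+)", text)
        if m is None or m.group(1) == "1":
            out.append((name, "trunk uses default native VLAN 1"))
    else:
        if "switchport mode access" not in cfg:
            out.append((name, "mode left to DTP instead of 'mode access'"))
        if "switchport port-security" not in cfg:
            out.append((name, "port security off"))
        else:
            m = re.search(r"port-security maximum (\d+)", text)
            limit = int(m.group(1)) if m else 1      # IOS default maximum is 1
            if limit > MAX_MACS_PER_PORT:
                out.append((name, f"port security allows {limit} MACs"))
        if not any(l.startswith("storm-control broadcast") for l in lines):
            out.append((name, "no broadcast storm control"))
    return out

def audit_global(top, blocks):
    out = []
    if not any(re.match(r"logging (host )?\d", l) for l in top):
        out.append(("global", "no external syslog host"))
    has_trunk = any("switchport mode trunk" in b for b in blocks.values())
    if has_trunk and "vlan dot1q tag native" not in top:
        out.append(("global", "native VLAN sent untagged on trunks"))
    for l in top:
        parts = l.split()
        if l.startswith("snmp-server community") and (len(parts) < 5 or parts[-1] in ("RO", "RW")):
            name = parts[2] if len(parts) > 2 else "?"
            out.append(("global", f"SNMP community '{name}' not restricted by ACL"))
    for hdr, lines in blocks.items():
        if hdr.startswith("line vty"):
            ti = [l for l in lines if l.startswith("transport input")]
            # Unset 'transport input' is platform dependent; treat it as unsafe.
            if not ti or any("telnet" in l or l.endswith(" all") for l in ti):
                out.append((hdr, "Telnet permitted on vty (want 'transport input ssh')"))
    return out

def audit(text):
    """All findings for one switch config as (scope, rule) pairs; [] means compliant."""
    top, blocks = parse_ios(text)
    out = audit_global(top, blocks)
    for hdr, lines in blocks.items():
        if hdr.startswith("interface "):
            out += audit_interface(hdr.split(" ", 1)[1], lines)
    return out

if __name__ == "__main__":
    for scope, rule in audit(WEAK_CONFIG):
        print(f"{scope}: {rule}")
```

Run audit() over the configuration pulled from every switch; an empty list means the port-level and management-plane rules above are all present. The unused-port rule treats any port that has no switchport configuration and is not shut down as live and unconfigured, which is exactly the state a visitor plugging into a spare wall jack relies on.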
Core Layer

Figure: the modular design with the core layer (the high-speed switches joining Switch Block 1, Switch Block 2, the Management Block, Server Block, WAN Block and Internet Block) highlighted.
Characteristics

•   No Expensive Layer 3 Processing
•   Very High Throughput
•   No unnecessary packet manipulation
•   Resiliency
•   High Availability
Security

• Physical isolation
Best practices

• Disable all unused ports
• Limit the MAC addresses on a port to known MAC addresses where possible
• Turn off Telnet (use SSH) and restrict SNMP access to the switches by ACL
• Log to an external server
High Availability
Load Balancing
Management Block

Figure: the Management Block, with two NIDS sensors watching its links and HIDS on the management hosts.
Key Devices

•   Firewalls
•   NIDS and HIDS
•   IDS hosts
•   Syslog hosts
•   SNMP management hosts
•   CiscoWorks, HP OpenView
•   System admin host
Out-of-Band Management

• Preferred method of management
• Isolated from the production network
• Physical isolation
In-Band Management

• Only management traffic
• Different address space from the production network
• NAT
• Encryption (IPsec, SSH, SSL/TLS)
• Firewall security + IDS
Best Practices

• Only use in-band management when necessary.
• PVLAN segregation among hosts in the management block.
• Periodic log review
• Configuration baseline establishment
• Periodic baseline checking
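The last two practices, establishing a configuration baseline and checking against it periodically, are shown below as an added example, not code from the original presentation. The idea is that a fingerprint of the approved configuration is stored when it is signed off, and each later pull from the device is normalized the same way and compared, so that only operator-visible settings count and the lines a device rewrites on its own (configuration-change timestamps, ntp clock-period) do not raise false alarms. Both configurations, the hostname core-rtr-01, the management prefix 10.255.0.0/24 and the account names are constructed for the example.

```python
import difflib
import hashlib
import re

# Lines that change on every 'show running-config' without any operator change.
VOLATILE = [re.compile(p) for p in (
    r"^! (Last configuration change|NVRAM config last updated|No configuration change)",
    r"^ntp clock-period ",
    r"^(Building configuration|Current configuration :)",
)]

# Constructed approved baseline for one device (not a real config).
BASELINE_CONFIG = """\
! Last configuration change at 10:02:11 UTC Mon Jan 8 2024
hostname core-rtr-01
ntp clock-period 17180095
!
username netops privilege 15 secret <redacted>
!
ip access-list standard MGMT-ONLY
 permit 10.255.0.0 0.0.0.255
!
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
"""

# Constructed: what a later periodic pull returned. Only the volatile lines
# should differ, but a privileged account was added and the management ACL opened.
PULLED_CONFIG = """\
! Last configuration change at 03:41:57 UTC Sun Feb 4 2024
hostname core-rtr-01
ntp clock-period 17180102
!
username netops privilege 15 secret <redacted>
username svc-backup privilege 15 secret <redacted>
!
ip access-list standard MGMT-ONLY
 permit any
!
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
"""

def normalize(config):
    """Drop blank lines, '!' separators and volatile lines so only real settings remain."""
    out = []
    for line in config.splitlines():
        line = line.rstrip()
        if line and line != "!" and not any(p.match(line) for p in VOLATILE):
            out.append(line)
    return out

def fingerprint(config):
    """Stable SHA-256 of the normalized config; record this when the baseline is approved."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()

def drift(baseline, current):
    """Settings added (+) or removed (-) relative to the baseline, ignoring volatile lines."""
    diff = difflib.unified_diff(normalize(baseline), normalize(current), lineterm="", n=0)
    return [l for l in diff if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]

if __name__ == "__main__":
    print("baseline fingerprint:", fingerprint(BASELINE_CONFIG))
    for change in drift(BASELINE_CONFIG, PULLED_CONFIG):
        print(change)
```

A fingerprint mismatch is the cheap periodic check; drift() is what the on-call engineer runs next to see exactly which lines moved. Store the baseline and its fingerprint on the management block, not on the device, so a compromised device cannot re-baseline itself.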
Threats Mitigated

Practices:
• Only use in-band management when necessary
• PVLAN segregation among hosts in the management block
• Periodic log review
• Configuration baseline establishment
• Periodic baseline checking

Threats:
• Unauthorised access
• Man-in-the-middle attacks
• Network reconnaissance
• Packet sniffing
• Compromised host hopping
• Hacking attempts going unnoticed
Server Block

Figure: the Server Block, with NIDS sensors on its links and HIDS on each server.
Key Devices
•   Firewalls
•   NIDS and HIDS
•   NTP server
•   TACACS+ server
•   Certificate server
•   SecurID server (strong authentication)
•   Corporate servers
•   Call Manager
•   DNS servers
•   E-mail servers
•   Etc.
Best Practices
• Firewall and NIDS implementation
• PVLAN isolation for each server
• Host-based IDS on each server
• Service redundancy
• Backup policy
• Logging to an external server in the management module
• Version control
Threats Mitigated

Practices:
• Firewall and NIDS implementation
• Host-based IDS on each server
• PVLAN isolation for each server
• Service redundancy
• Logging to an external server in the management module
• Backup policy
• Version control

Threats:
• Unauthorized access
• IP spoofing
• Application-layer attacks
• Trust exploitation
• Compromised host hopping
• Packet sniffing
• DoS
• Hacking attempts going unnoticed
• Lost data
WAN Block

Figure: the WAN Block, with a Crypto Cluster (CC) terminating the encrypted links and a NIDS sensor on the inside.
Key Devices

•   Firewalls
•   NIDS
•   Crypto Clusters
•   Routers
Best Practices

• Data encryption
• Access list implementation
• High availability through different providers
Threats Mitigated

Practices:
• Data encryption
• Access list implementation
• High availability through different providers

Threats:
• Data theft
• Man-in-the-middle attack
• IP spoofing
• Unauthorized access
• DoS
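The slides credit access lists on the WAN block (and on the distribution layer earlier) with stopping IP spoofing and unauthorized access, but an ACL only does that if its entries are in the right order. The following is an added example, not code from the original presentation: a small model of extended-ACL evaluation (first match wins, implicit deny at the end) used to build the ingress filter for the ISP-facing interface, where packets claiming one of our own source prefixes are dropped before any service is permitted, and the matching egress filter that stops a compromised inside host spoofing third parties. The addressing is assumed: 198.51.100.0/24 is our public range, 10.0.0.0/8 our internal space, and 203.0.113.0/24 plays an outside client (all documentation ranges). Prefixes are written as CIDR rather than IOS wildcard masks.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    """One access-control entry."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # CIDR or "any"
    dst: str
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and _in(p.src, self.src) and _in(p.dst, self.dst)
                and self.dport in (None, p.dport))

def _in(addr: str, prefix: str) -> bool:
    return prefix == "any" or ip_address(addr) in ip_network(prefix)

def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching entry decides; an ACL always ends with an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"

# Assumed addressing (documentation ranges, constructed for this example).
OUR_PUBLIC, OUR_INTERNAL = "198.51.100.0/24", "10.0.0.0/8"

# Ingress on the ISP-facing interface. Anti-spoofing denies come first: nothing
# arriving from the Internet may carry one of our own source addresses.
WAN_INGRESS = [
    Ace("deny",   "ip",  OUR_INTERNAL,  "any"),
    Ace("deny",   "ip",  OUR_PUBLIC,    "any"),
    Ace("deny",   "ip",  "127.0.0.0/8", "any"),
    Ace("permit", "tcp", "any", "198.51.100.10/32", 443),   # public web server
    Ace("permit", "udp", "any", "198.51.100.53/32", 53),    # public DNS
]   # everything else: implicit deny

# Egress towards the ISP: only our own public prefix may leave, so a compromised
# internal host cannot spoof other networks (ingress filtering from our side).
WAN_EGRESS = [Ace("permit", "ip", OUR_PUBLIC, "any")]

# The common mistake: service permits placed above the anti-spoofing denies.
MISORDERED_INGRESS = WAN_INGRESS[3:] + WAN_INGRESS[:3]

if __name__ == "__main__":
    spoofed = Packet("tcp", "10.1.1.1", "198.51.100.10", 443)
    print("correct order :", evaluate(WAN_INGRESS, spoofed))        # deny
    print("wrong order   :", evaluate(MISORDERED_INGRESS, spoofed)) # permit
```

The misordered list is the same five entries, yet it lets a packet with an internal source address reach the web server; reviewing ACLs means checking order, not just presence. Because the model has no state, anything the edge must allow back in (return traffic to internal clients) has to be handled by the firewall behind the router or by reflexive entries, not by loosening these denies.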
Internet Block

Figure: the Internet Block, with HIDS on the public servers, a NIDS sensor behind the edge firewall and four VPN concentrators for remote users.
Key Elements

•   Firewalls
•   HIDS and NIDS
•   VPN Concentrator
•   HTTP Servers
•   DNS Servers
Best Practices

•   Security policy with the ISP to mitigate DDoS
•   Private VLAN isolation among servers
•   No corporate servers in this block
•   High availability through different ISPs
•   VPN for remote user access
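Private VLAN isolation appears in the Server Block and again here in the Internet Block as the control against compromised host hopping, so it is worth being precise about what it allows. The following is an added example, not code from the original presentation: a model of PVLAN port semantics (promiscuous, isolated, community) applied to a constructed server block, with a function that computes how many neighbours an attacker can reach at layer 2 from a compromised host. The host names and role assignments are assumptions made for the example.

```python
from typing import Dict, Optional, Set, Tuple

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"
Port = Tuple[str, Optional[str]]   # (port type, community name or None)

# Constructed server block: the firewall/gateway sits on the promiscuous port,
# the two web nodes share a community because they replicate to each other, and
# the database and mail servers are isolated: they only need the gateway.
HOSTS: Dict[str, Port] = {
    "fw-gw": (PROMISCUOUS, None),
    "web1":  (COMMUNITY, "web"),
    "web2":  (COMMUNITY, "web"),
    "db1":   (ISOLATED, None),
    "mail":  (ISOLATED, None),
}

def can_talk(a: Port, b: Port) -> bool:
    """Layer-2 reachability between two ports of the same primary VLAN."""
    (ta, ca), (tb, cb) = a, b
    if PROMISCUOUS in (ta, tb):
        return True            # promiscuous ports exchange frames with everyone
    if ISOLATED in (ta, tb):
        return False           # isolated ports reach only promiscuous ports
    return ca == cb            # community ports reach their own community

def blast_radius(hosts: Dict[str, Port], compromised: str) -> Set[str]:
    """Hosts an attacker can reach directly at layer 2 from a compromised host."""
    me = hosts[compromised]
    return {n for n, p in hosts.items() if n != compromised and can_talk(me, p)}

def flat_vlan_blast_radius(hosts: Dict[str, Port], compromised: str) -> Set[str]:
    """The same servers on an ordinary VLAN: every neighbour is reachable."""
    return set(hosts) - {compromised}

if __name__ == "__main__":
    for h in HOSTS:
        print(f"{h:6} PVLAN -> {sorted(blast_radius(HOSTS, h))}, "
              f"flat VLAN -> {sorted(flat_vlan_blast_radius(HOSTS, h))}")
```

From a compromised database server the attacker sees only the gateway instead of four neighbours. Two caveats follow from the model: the isolation is layer 2 only, so the firewall on the promiscuous port must also refuse to forward between servers it gateways for (and local proxy ARP must stay off on that interface), and a web node that is compromised still reaches its community peer, so the community should hold only hosts that genuinely need each other.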
Threats Mitigated

Practices:
•   Security policy with the ISP
•   Private VLAN isolation among servers
•   Firewall, NIDS and HIDS implementation
•   High availability through different ISPs
•   VPN for remote user access
•   No corporate servers in this block

Threats:
•   IP spoofing
•   Packet sniffing
•   Compromised host hopping
•   Hacking attempts going unnoticed
•   DDoS attacks
•   Unauthorized access
THE END

More Related Content

What's hot

CCNA 1 Routing and Switching v5.0 Chapter 1
CCNA 1 Routing and Switching v5.0 Chapter 1CCNA 1 Routing and Switching v5.0 Chapter 1
CCNA 1 Routing and Switching v5.0 Chapter 1Nil Menon
 
Ip Addressing Basics
Ip Addressing BasicsIp Addressing Basics
Ip Addressing Basicstmavroidis
 
Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Joan Figueras Tugas
 
Intrusion detection system ppt
Intrusion detection system pptIntrusion detection system ppt
Intrusion detection system pptSheetal Verma
 
Wireless LAN Security by Arpit Bhatia
Wireless LAN Security by Arpit BhatiaWireless LAN Security by Arpit Bhatia
Wireless LAN Security by Arpit BhatiaArpit Bhatia
 
network monitoring system ppt
network monitoring system pptnetwork monitoring system ppt
network monitoring system pptashutosh rai
 
Module 5 Wireless Network Design Considerations
Module 5   Wireless Network Design ConsiderationsModule 5   Wireless Network Design Considerations
Module 5 Wireless Network Design Considerationsnikshaikh786
 
Cisco Digital Network Architecture - Introducing the Network Intuitive
Cisco Digital Network Architecture - Introducing the Network IntuitiveCisco Digital Network Architecture - Introducing the Network Intuitive
Cisco Digital Network Architecture - Introducing the Network IntuitiveCisco Canada
 
Network proposal ppt
Network proposal pptNetwork proposal ppt
Network proposal pptFrankNitty II
 
Wireless Security null seminar
Wireless Security null seminarWireless Security null seminar
Wireless Security null seminarNilesh Sapariya
 
IP NETWORKING AND IP SUBNET MASKING
IP NETWORKING AND IP SUBNET MASKING IP NETWORKING AND IP SUBNET MASKING
IP NETWORKING AND IP SUBNET MASKING AYESHA JAVED
 
Wireless Network Security
Wireless Network SecurityWireless Network Security
Wireless Network Securitykentquirk
 
Design of a campus network
Design of a campus networkDesign of a campus network
Design of a campus networkAalap Tripathy
 
Wireless LAN security
Wireless LAN securityWireless LAN security
Wireless LAN securityRajan Kumar
 

What's hot (20)

CCNA 1 Routing and Switching v5.0 Chapter 1
CCNA 1 Routing and Switching v5.0 Chapter 1CCNA 1 Routing and Switching v5.0 Chapter 1
CCNA 1 Routing and Switching v5.0 Chapter 1
 
CCNA 4 Hierarchical Network Design
CCNA 4 Hierarchical Network DesignCCNA 4 Hierarchical Network Design
CCNA 4 Hierarchical Network Design
 
Ip Addressing Basics
Ip Addressing BasicsIp Addressing Basics
Ip Addressing Basics
 
Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)
 
Intrusion detection system ppt
Intrusion detection system pptIntrusion detection system ppt
Intrusion detection system ppt
 
Wireless LAN Security by Arpit Bhatia
Wireless LAN Security by Arpit BhatiaWireless LAN Security by Arpit Bhatia
Wireless LAN Security by Arpit Bhatia
 
LAN Security
LAN Security LAN Security
LAN Security
 
network monitoring system ppt
network monitoring system pptnetwork monitoring system ppt
network monitoring system ppt
 
Subnetting
SubnettingSubnetting
Subnetting
 
Module 5 Wireless Network Design Considerations
Module 5   Wireless Network Design ConsiderationsModule 5   Wireless Network Design Considerations
Module 5 Wireless Network Design Considerations
 
Cisco Digital Network Architecture - Introducing the Network Intuitive
Cisco Digital Network Architecture - Introducing the Network IntuitiveCisco Digital Network Architecture - Introducing the Network Intuitive
Cisco Digital Network Architecture - Introducing the Network Intuitive
 
Network proposal ppt
Network proposal pptNetwork proposal ppt
Network proposal ppt
 
Wireless Security null seminar
Wireless Security null seminarWireless Security null seminar
Wireless Security null seminar
 
Ip address and subnetting
Ip address and subnettingIp address and subnetting
Ip address and subnetting
 
IP NETWORKING AND IP SUBNET MASKING
IP NETWORKING AND IP SUBNET MASKING IP NETWORKING AND IP SUBNET MASKING
IP NETWORKING AND IP SUBNET MASKING
 
Fortigate Training
Fortigate TrainingFortigate Training
Fortigate Training
 
Wireless Network Security
Wireless Network SecurityWireless Network Security
Wireless Network Security
 
Packet tracer
Packet tracerPacket tracer
Packet tracer
 
Design of a campus network
Design of a campus networkDesign of a campus network
Design of a campus network
 
Wireless LAN security
Wireless LAN securityWireless LAN security
Wireless LAN security
 

Similar to Secure Network Design

Scalable networking in Apache CloudStack
Scalable networking in Apache CloudStackScalable networking in Apache CloudStack
Scalable networking in Apache CloudStackChiradeep Vittal
 
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-1
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-12012 CloudStack Design Camp in Taiwan--- CloudStack Overview-1
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-1tcloudcomputing-tw
 
Integrating OpenStack To Existing Infrastructure
Integrating OpenStack To Existing InfrastructureIntegrating OpenStack To Existing Infrastructure
Integrating OpenStack To Existing InfrastructureHui Cheng
 
What is cloud computing
What is cloud computingWhat is cloud computing
What is cloud computingBrian Bullard
 
Hyper-V 3.0 Overview
Hyper-V 3.0 OverviewHyper-V 3.0 Overview
Hyper-V 3.0 OverviewTudor Damian
 
Tudor Damian - Hyper-V 3.0 overview
Tudor Damian - Hyper-V 3.0 overviewTudor Damian - Hyper-V 3.0 overview
Tudor Damian - Hyper-V 3.0 overviewITCamp
 
Dark Insight: the Basic of Security - Alexander Obozinskiy
Dark Insight: the Basic of Security - Alexander ObozinskiyDark Insight: the Basic of Security - Alexander Obozinskiy
Dark Insight: the Basic of Security - Alexander ObozinskiyRuby Meditation
 
Don't Architect a Real-Time System that Can't Scale
Don't Architect a Real-Time System that Can't ScaleDon't Architect a Real-Time System that Can't Scale
Don't Architect a Real-Time System that Can't ScaleReal-Time Innovations (RTI)
 
Cybersecurity cyberlab2
Cybersecurity cyberlab2Cybersecurity cyberlab2
Cybersecurity cyberlab2rayborg
 
Integrating OpenStack to Existing infrastructure
Integrating OpenStack to Existing infrastructureIntegrating OpenStack to Existing infrastructure
Integrating OpenStack to Existing infrastructurelaurabeckcahoon
 
VMworld 2013: Virtualized Network Services Model with VMware NSX
VMworld 2013: Virtualized Network Services Model with VMware NSX VMworld 2013: Virtualized Network Services Model with VMware NSX
VMworld 2013: Virtualized Network Services Model with VMware NSX VMworld
 
Cloud stack overview
Cloud stack overviewCloud stack overview
Cloud stack overviewgavin_lee
 
Clavister security for virtualized environment
Clavister security for virtualized environmentClavister security for virtualized environment
Clavister security for virtualized environmentnicolasotira
 
Quantum - The Network Mechanics
Quantum - The Network MechanicsQuantum - The Network Mechanics
Quantum - The Network MechanicsKiran Murari
 
Radware DefenseFlow-The SDN Application That Programs Networks for DoS Security
Radware DefenseFlow-The SDN Application That Programs Networks for DoS Security Radware DefenseFlow-The SDN Application That Programs Networks for DoS Security
Radware DefenseFlow-The SDN Application That Programs Networks for DoS Security Radware
 
20N2012- Is there any danger or risk in Green?
20N2012- Is there any danger or risk in Green?20N2012- Is there any danger or risk in Green?
20N2012- Is there any danger or risk in Green?Oya Şanlı
 

Similar to Secure Network Design (20)

Scalable networking in Apache CloudStack
Scalable networking in Apache CloudStackScalable networking in Apache CloudStack
Scalable networking in Apache CloudStack
 
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-1
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-12012 CloudStack Design Camp in Taiwan--- CloudStack Overview-1
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-1
 
Integrating OpenStack To Existing Infrastructure
Integrating OpenStack To Existing InfrastructureIntegrating OpenStack To Existing Infrastructure
Integrating OpenStack To Existing Infrastructure
 
CloudStack Architecture
CloudStack ArchitectureCloudStack Architecture
CloudStack Architecture
 
What is cloud computing
What is cloud computingWhat is cloud computing
What is cloud computing
 
Hyper-V 3.0 Overview
Hyper-V 3.0 OverviewHyper-V 3.0 Overview
Hyper-V 3.0 Overview
 
Tudor Damian - Hyper-V 3.0 overview
Tudor Damian - Hyper-V 3.0 overviewTudor Damian - Hyper-V 3.0 overview
Tudor Damian - Hyper-V 3.0 overview
 
Dark Insight: the Basic of Security - Alexander Obozinskiy
Dark Insight: the Basic of Security - Alexander ObozinskiyDark Insight: the Basic of Security - Alexander Obozinskiy
Dark Insight: the Basic of Security - Alexander Obozinskiy
 
Don't Architect a Real-Time System that Can't Scale
Don't Architect a Real-Time System that Can't ScaleDon't Architect a Real-Time System that Can't Scale
Don't Architect a Real-Time System that Can't Scale
 
Cybersecurity cyberlab2
Cybersecurity cyberlab2Cybersecurity cyberlab2
Cybersecurity cyberlab2
 
Integrating OpenStack to Existing infrastructure
Integrating OpenStack to Existing infrastructureIntegrating OpenStack to Existing infrastructure
Integrating OpenStack to Existing infrastructure
 
VMworld 2013: Virtualized Network Services Model with VMware NSX
VMworld 2013: Virtualized Network Services Model with VMware NSX VMworld 2013: Virtualized Network Services Model with VMware NSX
VMworld 2013: Virtualized Network Services Model with VMware NSX
 
Cloud stack overview
Cloud stack overviewCloud stack overview
Cloud stack overview
 
Clavister security for virtualized environment
Clavister security for virtualized environmentClavister security for virtualized environment
Clavister security for virtualized environment
 
Quantum - The Network Mechanics
Quantum - The Network MechanicsQuantum - The Network Mechanics
Quantum - The Network Mechanics
 
OpenStack Quantum
OpenStack QuantumOpenStack Quantum
OpenStack Quantum
 
Radware DefenseFlow-The SDN Application That Programs Networks for DoS Security
Radware DefenseFlow-The SDN Application That Programs Networks for DoS Security Radware DefenseFlow-The SDN Application That Programs Networks for DoS Security
Radware DefenseFlow-The SDN Application That Programs Networks for DoS Security
 
20N2012- Is there any danger or risk in Green?
20N2012- Is there any danger or risk in Green?20N2012- Is there any danger or risk in Green?
20N2012- Is there any danger or risk in Green?
 
firewalls
firewallsfirewalls
firewalls
 
BrownBag - vCloud Networking
BrownBag - vCloud NetworkingBrownBag - vCloud Networking
BrownBag - vCloud Networking
 

More from Conferencias FIST

Seguridad en Entornos Web Open Source
Seguridad en Entornos Web Open SourceSeguridad en Entornos Web Open Source
Seguridad en Entornos Web Open SourceConferencias FIST
 
Las Evidencias Digitales en la Informática Forense
Las Evidencias Digitales en la Informática ForenseLas Evidencias Digitales en la Informática Forense
Las Evidencias Digitales en la Informática ForenseConferencias FIST
 
Evolución y situación actual de la seguridad en redes WiFi
Evolución y situación actual de la seguridad en redes WiFiEvolución y situación actual de la seguridad en redes WiFi
Evolución y situación actual de la seguridad en redes WiFiConferencias FIST
 
El Information Security Forum
El Information Security ForumEl Information Security Forum
El Information Security ForumConferencias FIST
 
Inseguridad en Redes Wireless
Inseguridad en Redes WirelessInseguridad en Redes Wireless
Inseguridad en Redes WirelessConferencias FIST
 
Mas allá de la Concienciación
Mas allá de la ConcienciaciónMas allá de la Concienciación
Mas allá de la ConcienciaciónConferencias FIST
 
Riesgo y Vulnerabilidades en el Desarrollo
Riesgo y Vulnerabilidades en el DesarrolloRiesgo y Vulnerabilidades en el Desarrollo
Riesgo y Vulnerabilidades en el DesarrolloConferencias FIST
 
Demostracion Hacking Honeypot y Análisis Forense
Demostracion Hacking Honeypot y Análisis ForenseDemostracion Hacking Honeypot y Análisis Forense
Demostracion Hacking Honeypot y Análisis ForenseConferencias FIST
 

More from Conferencias FIST (20)

Seguridad en Open Solaris
Seguridad en Open SolarisSeguridad en Open Solaris
Seguridad en Open Solaris
 
Seguridad en Entornos Web Open Source
Seguridad en Entornos Web Open SourceSeguridad en Entornos Web Open Source
Seguridad en Entornos Web Open Source
 
Spanish Honeynet Project
Spanish Honeynet ProjectSpanish Honeynet Project
Spanish Honeynet Project
 
Seguridad en Windows Mobile
Seguridad en Windows MobileSeguridad en Windows Mobile
Seguridad en Windows Mobile
 
SAP Security
SAP SecuritySAP Security
SAP Security
 
Que es Seguridad
Que es SeguridadQue es Seguridad
Que es Seguridad
 
Network Access Protection
Network Access ProtectionNetwork Access Protection
Network Access Protection
 
Las Evidencias Digitales en la Informática Forense
Las Evidencias Digitales en la Informática ForenseLas Evidencias Digitales en la Informática Forense
Las Evidencias Digitales en la Informática Forense
 
Evolución y situación actual de la seguridad en redes WiFi
Evolución y situación actual de la seguridad en redes WiFiEvolución y situación actual de la seguridad en redes WiFi
Evolución y situación actual de la seguridad en redes WiFi
 
El Information Security Forum
El Information Security ForumEl Information Security Forum
El Information Security Forum
 
Criptografia Cuántica
Criptografia CuánticaCriptografia Cuántica
Criptografia Cuántica
 
Inseguridad en Redes Wireless
Inseguridad en Redes WirelessInseguridad en Redes Wireless
Inseguridad en Redes Wireless
 
Mas allá de la Concienciación
Mas allá de la ConcienciaciónMas allá de la Concienciación
Mas allá de la Concienciación
 
Security Metrics
Security MetricsSecurity Metrics
Security Metrics
 
PKI Interoperability
PKI InteroperabilityPKI Interoperability
PKI Interoperability
 
Wifislax 3.1
Wifislax 3.1Wifislax 3.1
Wifislax 3.1
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensics
 
Riesgo y Vulnerabilidades en el Desarrollo
Riesgo y Vulnerabilidades en el DesarrolloRiesgo y Vulnerabilidades en el Desarrollo
Riesgo y Vulnerabilidades en el Desarrollo
 
Demostracion Hacking Honeypot y Análisis Forense
Demostracion Hacking Honeypot y Análisis ForenseDemostracion Hacking Honeypot y Análisis Forense
Demostracion Hacking Honeypot y Análisis Forense
 
Security Maturity Model
Security Maturity ModelSecurity Maturity Model
Security Maturity Model
 

Recently uploaded

Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 

Recently uploaded (20)

Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
SAP Build Work Zone - Overview L2-L3.pptx

Secure Network Design

  • 1. Secure Network Design, Jose David Garcia
  • 2. Index
    1. Diagram Legend
    2. Layered Network Design
      1. Access Layer
      2. Distribution Layer
      3. Core Layer
    3. High Availability and Load Balancing
    4. Modular Network Design
      1. Management Block
        1. Out of Band Management
        2. In Band Management
      2. Server Block
      3. WAN Block
      4. Internet Block
  • 3. Diagram Legend
    • Router
    • Switch
    • Multilayer Switch
    • Load Balancer
    • Terminal Server
    • Firewall
    • Server
    • Management Console
    • Remote User
    • NIDS: Network Intrusion Detection System
    • HIDS: Host Intrusion Detection System
    • VPN: Virtual Private Network
    • CC: Crypto Cluster
  • 4. [Overall network diagram: Switch Block 1, Switch Block 2, Management Block, Server Block, WAN Block and Internet Block, with IDS sensors at each block, a crypto cluster (CC) in the WAN Block and VPN devices in the Internet Block]
  • 5. Access Layer [network diagram: Switch Block 1, Switch Block 2, Management Block, Server Block, WAN Block, Internet Block]
  • 6. Characteristics
    • Low cost per port
    • High port density
    • Uplink to higher layers
    • Layer 2 services
  • 7. Security Design
    • Identity-based network services
    • VLAN and PVLAN segregation
    • Rate limiting
    • Management encryption
    • Physical isolation
  • 8. Best Practices
    • Ports that do not need to trunk should be set to OFF rather than AUTO
    • Limit each port to a small number of MAC addresses (5)
    • Configure broadcast storm control
    • Turn off Telnet and limit SNMP access to the switches
    • Log to an external server
  • 9. Distribution Layer [network diagram: Switch Block 1, Switch Block 2, Management Block, Server Block, WAN Block, Internet Block]
  • 10. Characteristics
    • Aggregation of access layer devices
    • High layer 3 throughput
    • Robust layer 3 functionality
    • Security
    • Media translation
    • QoS
  • 11. Security
    • Access control lists
    • SPAN ports for IDS
    • Physical isolation
  • 12. Best Practices
    • Turn off unneeded services
    • Disable all unused ports
    • Limit the MAC addresses on a port to known MAC addresses when possible (non-trunking ports)
    • For trunking ports use a dedicated VLAN identifier
    • Eliminate native VLANs for 802.1Q trunks
    • Turn off Telnet and limit SNMP access to the switches
    • Log to an external server
  • 13. Core Layer [network diagram: Switch Block 1, Switch Block 2, Management Block, Server Block, WAN Block, Internet Block]
  • 14. Characteristics
    • No expensive layer 3 processing
    • Very high throughput
    • No unnecessary packet manipulation
    • Resiliency
    • High availability
  • 16. Best Practices
    • Disable all unused ports
    • Limit the MAC addresses on a port to known MAC addresses when possible
    • Turn off Telnet and limit SNMP access to the switches
    • Log to an external server
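As an added example (not part of the deck), a small Python audit that checks an IOS-style switch configuration against the port-level best practices on slides 8, 12 and 16: no DTP auto-negotiation on non-trunk ports, port-security limited to 5 MAC addresses, broadcast storm control, no Telnet on the vty lines, and an external syslog host. The sample configuration is constructed; the command syntax follows Cisco IOS.

```python
import re

# Constructed sample config: Gi1/0/1 is hardened, Gi1/0/2 is left at
# defaults, the vty lines still accept telnet, and no syslog host is set.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 storm-control broadcast level 1.00
!
interface GigabitEthernet1/0/2
 switchport mode dynamic auto
!
line vty 0 4
 transport input telnet ssh
!
"""

def parse_interfaces(config):
    """Map each 'interface X' block to its indented config lines, stripped."""
    return {name: [l.strip() for l in body.splitlines()]
            for name, body in re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M)}

def audit_interface(name, lines):
    """Per-port checks: no DTP auto, port-security with at most 5 MACs, storm control."""
    findings = []
    if any(l.startswith("switchport mode dynamic") for l in lines):
        findings.append(f"{name}: trunking left on AUTO, set mode access + nonegotiate")
    if "switchport port-security" not in lines:
        findings.append(f"{name}: port-security not enabled")
    for l in lines:  # 'switchport port-security maximum N'
        if l.startswith("switchport port-security maximum") and int(l.split()[-1]) > 5:
            findings.append(f"{name}: MAC limit {l.split()[-1]} exceeds 5")
    if not any(l.startswith("storm-control broadcast") for l in lines):
        findings.append(f"{name}: no broadcast storm control")
    return findings

def audit_config(config):
    """Per-port findings plus the device-wide telnet and external-syslog checks."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        findings.extend(audit_interface(name, lines))
    vty = re.search(r"^ transport input (.+)$", config, re.M)
    if vty is None or "telnet" in vty.group(1).split():
        findings.append("vty: telnet reachable, use 'transport input ssh'")
    if not re.search(r"^logging host \S+", config, re.M):
        findings.append("global: no external syslog host configured")
    return findings
```

Running `audit_config(SAMPLE_CONFIG)` reports nothing for the hardened port and five findings in total: three for the default port, one for Telnet on the vty lines and one for the missing syslog host.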
  • 19. Key Devices
    • Firewalls
    • NIDS and HIDS
    • IDS hosts
    • Syslog hosts
    • SNMP management hosts
    • CiscoWorks, HP OpenView
    • System admin host
  • 20. Out of Band Management
    • Preferred method of management
    • Isolated from the production network
    • Physical isolation
  • 21. In Band Management
    • Only management traffic
    • Different address space than the production network
    • NAT
    • Encryption (IPsec, SSH, SSL)
    • Firewall security + IDS
  • 22. Best Practices
    • Only use in-band management when necessary
    • PVLAN segregation among hosts in the management block
    • Periodic log revision
    • Configuration baseline establishment
    • Periodic baseline checking
  • 23. Threats Mitigated
    Best practices:
    • Only use in-band management when necessary
    • PVLAN segregation among hosts in the management block
    • Periodic log revision
    • Configuration baseline establishment
    • Periodic baseline checking
    Threats mitigated:
    • Unauthorized access
    • Man-in-the-middle attacks
    • Network reconnaissance
    • Packet sniffing
    • Compromised host hopping
    • Hacking attempts going unnoticed
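An added example (not from the deck) for the baseline practices on slides 22 and 23: store a fingerprint of the normalized configuration as the baseline and, on each periodic check, report exactly which statements changed, while ignoring volatile comment lines such as the last-change timestamp so they do not raise false alarms. Both configurations are constructed.

```python
import difflib
import hashlib

# Constructed baseline and current configs for a management-block switch.
# Only the timestamp comment and two real statements differ.
BASELINE = """\
! Last configuration change at 10:00:00 UTC Mon Jan 1 2024
hostname mgmt-sw1
logging host 192.0.2.10
line vty 0 4
 transport input ssh
!
"""
CURRENT = """\
! Last configuration change at 11:30:00 UTC Tue Jan 2 2024
hostname mgmt-sw1
line vty 0 4
 transport input telnet ssh
!
"""

def normalize(config):
    """Drop blank and '!' comment lines (timestamps live there) and
    trailing whitespace so only configuration statements are compared."""
    return [l.rstrip() for l in config.splitlines()
            if l.strip() and not l.lstrip().startswith("!")]

def baseline_hash(config):
    """Stable fingerprint of the normalized config, recorded with the baseline."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()

def check_baseline(baseline, current):
    """Return (unchanged, changed_statements); each changed statement is
    prefixed '-' (removed since baseline) or '+' (added since baseline)."""
    if baseline_hash(baseline) == baseline_hash(current):
        return True, []
    diff = difflib.unified_diff(normalize(baseline), normalize(current),
                                "baseline", "current", lineterm="", n=0)
    return False, [l for l in diff
                   if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]
```

For the constructed pair, `check_baseline(BASELINE, CURRENT)` flags the removed syslog target and the vty transport change, and nothing for the timestamp.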
  • 24. Server Block [diagram: server block with NIDS sensors and HIDS on the servers]
  • 25. Key Devices
    • Firewalls
    • NIDS and HIDS
    • NTP server
    • TACACS+ server
    • Certificate server
    • SecurID server (strong authentication)
    • Corporate servers
    • Call Manager
    • DNS servers
    • E-mail servers
    • Etc.
  • 26. Best Practices
    • Firewall and NIDS implementation
    • PVLAN isolation for each server
    • Host-based IDS on each server
    • Service redundancy
    • Backup policy
    • Logging to an external server in the management module
    • Version control
  • 27. Threats Mitigated
    Best practices:
    • Firewall and NIDS implementation
    • Host-based IDS on each server
    • PVLAN isolation for each server
    • Service redundancy
    • Logging to an external server in the management module
    • Backup policy
    • Version control
    Threats mitigated:
    • Unauthorized access
    • IP spoofing
    • Application layer attacks
    • Trust exploitation
    • Compromised host hopping
    • Packet sniffing
    • DoS
    • Hacking attempts going unnoticed
    • Lost data
  • 28. WAN Block [diagram: WAN block with crypto cluster (CC) and NIDS]
  • 29. Key Devices
    • Firewalls
    • NIDS
    • Crypto clusters
    • Routers
  • 30. Best Practices
    • Data encryption
    • Access list implementation
    • High availability through different providers
  • 31. Threats Mitigated
    Best practices:
    • Data encryption
    • Access list implementation
    • High availability through different providers
    Threats mitigated:
    • Data theft
    • Man-in-the-middle attack
    • IP spoofing
    • Unauthorized access
    • DoS
  • 32. Internet Block [diagram: Internet block with HIDS on the servers, NIDS and VPN devices]
  • 33. Key Elements
    • Firewalls
    • HIDS and NIDS
    • VPN concentrator
    • HTTP servers
    • DNS servers
  • 34. Best Practices
    • Security policy with the ISP to mitigate DDoS
    • Private VLAN isolation among servers
    • No corporate servers at this point
    • High availability through different ISPs
    • VPN for remote user access
  • 35. Threats Mitigated
    Best practices:
    • Security policy with the ISP
    • Private VLAN isolation among servers
    • Firewall, NIDS and HIDS implementation
    • High availability through different ISPs
    • VPN for remote user access
    • No corporate servers at this point
    Threats mitigated:
    • IP spoofing
    • Packet sniffing
    • Compromised host hopping
    • Hacking attempts going unnoticed
    • DDoS attacks
    • Unauthorized access