
Introduction and Edge Security Traffic Design

Table of Contents

Securing the Network Perimeter .................................................................................................... 2

Lesson Outline ................................................................................................................................. 3

Source Documents for Security Measures ..................................................................................... 4

Edge Security Traffic Design ............................................................................................................ 6

Defining the Network Edge ............................................................................................................. 7

Perimeter Devices Cannot Hide ...................................................................................................... 8

Perimeter Implementations .......................................................................................................... 10

Malicious Traffic Denied by IPS/Firewall ...................................................................................... 12

Notices .......................................................................................................................................... 14

Page 1 of 14

Securing the Network Perimeter

© 2010 Carnegie Mellon University

**001 Joe Mayes: All right, we're going to look at securing the network perimeter. And when we look at securing the network perimeter, one of the first things we'll do is define what we mean by 'perimeter'. Because the answer may be a little surprising to you. So let's pay attention and see where we go.

Page 2 of 14

Lesson Outline

Edge Security Traffic Design

Blocking DoS/DDoS Traffic

Specialized Access Control Lists

Routers and Firewalls

Securing Routing Protocols

Securing Traffic Prioritization

Securing Against SPOF

**003 Okay, Lesson Outline. We're going to look at edge security traffic; blocking Denial of Service; special ACLs. If you've had Access Control List training, whether you've done it in Linux or whether you've done it in Cisco or something else, there's some specialized access controls you may not have seen before. And we're going to look at routers and firewalls; specifically firewalls running in routers. There's firewall software you can run in routers and reasons to use it. And we're going to look at securing routing protocols. An area that I think is going to be more and more of a problem as time goes on, and that's traffic prioritization and securing that, so people don't misuse quality of service, class of service and traffic priorities.

Page 3 of 14

And then securing against SPOFs, S-P-O-F, which is a-- anybody know?

Student: Single point of failure.

Joe Mayes: I'm sorry, I couldn't hear you.

Student: Single point of failure.

Joe Mayes: Correct, perfect, yes, securing single points of failure.

Source Documents for Security Measures

Router and switch security documents
• NSA Router and Security Guide
• NIST SP 800-41r1

Network security using defense in depth
• NIST SP 800-27
• NIST SP 800-39
• NIST SP 800-53
• DHS External Report #INL/EXT-06-11478
• NSA Report: Defense in Depth
  http://www.nsa.gov/ia/_files/support/defenseindepth.pdf

U.S. Government directives
• HSPD 7 and the Trusted Internet Connection (TIC) initiative

**004 So there are some source documents here. NSA put out a good Router and Security Guide. They've up-reved it a couple of times. It's like 306 pages. So if you really want to get into the details of it, that's a good PDF to download.

Page 4 of 14

NIST has a bunch of pubs on security, depending on whether you're looking at router and switch security on their own, or the concept of defense-in-depth, which we'll look at as we go through this report. There's a defense-in-depth report there done by INL-- do you see that?-- the "DHS External Report INL." That's Idaho National Labs and they did a good report on defense-in-depth practices. And then U.S. Government; HSPD 7 and the Trusted Internet Connection Initiative. The whole concept of a trusted internet connection, or a TIC, is perimeter security and perimeter security requirements. So it's difficult to actually find chapter and verse on every little detail you should do for perimeter security. But these are all documents that say perimeter security is important, and various aspects of perimeter security that are important. So you end up having to look at this in total, to try to understand where to go.

Page 5 of 14

Edge Security Traffic Design

**005 So Edge Security for Traffic Design. The first question is what's the edge?

Page 6 of 14

Defining the Network Edge

Between your network and external networks
• The last device between the internal network and an untrusted network such as the Internet

Between different security levels within your own network
• Enforces security rules within your environment

[Diagram: Internet, perimeter (firewall, IPS, VPN), web server, email server, DNS, internal hosts]

**006 And it used to be pretty easy. Everybody had one big subnet, one big broadcast environment and one router, and you only had one edge; it was between you and the internet. Anymore now, we have multiple edges. We have an edge-- if we separate servers from workstations, then we've got two different security environments. If we have a DMZ, that's a security environment. If we have partner networks, that's a security environment. VPNs, wireless, the internet, all those things create perimeters.

Page 7 of 14

And you can put varying levels of security between any of those enclaves, or any of those perimeters, depending on the importance of protecting one from another. So there is not one network edge, not one network boundary. All these places are security boundaries, and we have to decide how much security we want, depending on which boundary we're looking at.

Perimeter Devices Cannot Hide

Perimeter devices, by definition, are a barrier between security levels.

For Internet connections
• Loss of perimeter services means loss of Internet access
• Perimeter services depend on availability of Provider
• Provider may have some control over perimeter devices
  — May dictate to you
    o Hardware
    o Layer 2 protocols
    o Routing protocols
    o Available bandwidth

**007 And the one question you get, or the one issue you have with perimeter devices, is perimeter devices got no place to hide. They are the boundary facing device. Right? If I want to hide my Active Directory servers, I can put them inside the firewall.

Page 8 of 14

But I can't hide the firewall from the internet because the firewall's job is to face the internet. So those devices don't hide. Then at this level we're going to look at internet connections. Right? If you lose the perimeter device, and the device is facing the internet, then you've lost access to the internet. The router is down, the firewall's down. Perimeter services may depend on availability of the provider, if it's internet. Maybe when the network goes down it's not my firewall that went down, or my router that went down, maybe it's the T1 that went down; maybe it's the provider end that went down. And you may also find that you don't have total control over what you use. You're going to be told, for the most part, what protocol you're going to use to connect to the provider. You may be told, or may have negotiated an agreement for what speed you're going to get. They may dictate hardware to you. They may dictate protocols to you. They may have a maximum bandwidth; all kinds of issues that may be beyond your control. Because really you're connecting your network to theirs, and who's bigger, you or them? In most cases them.

Page 9 of 14

Now the federal government actually has some networks that are larger than some of the ISPs servicing them. But in most cases it's going to be that the provider is bigger than the entity that connects.

Perimeter Implementations

Single Router Approach: A single router connects the internal LAN to the Internet. All security policies are configured on this device.

Defense-in-depth Approach: Passes everything through to the firewall. A set of rules determines what traffic the router will allow or deny.

DMZ Approach: The DMZ is set up between two routers. Most traffic filtering left to the firewall.

[Diagrams: single router: LAN 1 (192.168.2.0), Router 1 (R1), Internet; defense-in-depth: LAN 1 (192.168.2.0), Firewall, R1, Internet; DMZ: LAN 1 (192.168.2.0), R2, Firewall, DMZ, R1, Internet]

**008 So what do you do with that perimeter? You can have a single router approach or a single device approach, where we've got inside, outside and the router's responsible for everything: connectivity, security, control, monitoring, the whole enchilada. Or you may have a defense-in-depth approach. And the defense-in-depth approach says I'm going to have a router and a firewall, and I can put some controls on the router and some controls on the firewall.

Page 10 of 14

And I can go another step further and say I'm going to have a DMZ approach, and the DMZ approach says I'm going to have routers performing some functions, I'm going to have a firewall performing some functions, and I'm going to cut the network up into not just the inside and outside, but into varying levels of security, which we call demilitarized zones. So I can have one or more DMZs. Traditionally the drawing looks like an up, down, sideways with a single DMZ. But there's no reason to limit yourself to one DMZ. You can have multiple DMZs. And best practices for things like eCommerce environments set up multiple DMZs by default. They might have a web server in a web DMZ. That might talk to an application server that's in a separate DMZ. So web traffic gets passed to the application server. The application server then queries a database server which might be in a third DMZ. And the concept is to keep somebody from being able to get to the web server, and from the web server reaching the database, by putting enough roadblocks in between, and enough defense-in-depth, that there's too many defenses to knock down, to get you from the web server to the database server.

Page 11 of 14
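The three layouts on the Perimeter Implementations slide and the multiple-DMZ eCommerce design from the narration, as an added example that is not part of the SEI course material. It is a small Python model of zone-based enforcement: each router or firewall carries its own default-deny allow list, devices on the same boundary sit in series, and a flow is permitted only when every device on its path allows it. The zone, host and device names and the port numbers are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One connection attempt: source host, destination host, TCP port."""
    src: str
    dst: str
    port: int


@dataclass
class Device:
    """A router or firewall with its own allow list of (src_zone, dst_zone, port).
    port=None matches any port. Anything not listed is denied (default deny)."""
    name: str
    allow: List[Tuple[str, str, Optional[int]]] = field(default_factory=list)

    def permits(self, src_zone: str, dst_zone: str, port: int) -> bool:
        return any(s == src_zone and d == dst_zone and p in (None, port)
                   for s, d, p in self.allow)


@dataclass
class Design:
    """Zones ordered from the outside (Internet) inward, the devices stacked on
    each boundary between neighbouring zones, and the zone each host lives in."""
    name: str
    zones: List[str]
    boundary: Dict[Tuple[str, str], List[Device]]  # (outer, inner) -> devices in series
    host_zone: Dict[str, str]

    def devices_crossed(self, src_zone: str, dst_zone: str) -> List[Device]:
        i, j = self.zones.index(src_zone), self.zones.index(dst_zone)
        lo, hi = sorted((i, j))
        crossed: List[Device] = []
        for k in range(lo, hi):
            crossed.extend(self.boundary[(self.zones[k], self.zones[k + 1])])
        return crossed

    def permits(self, flow: Flow) -> bool:
        src_zone, dst_zone = self.host_zone[flow.src], self.host_zone[flow.dst]
        # Every device on the path must allow the flow. Traffic that stays inside
        # one zone crosses no perimeter device at all, so nothing filters it.
        return all(dev.permits(src_zone, dst_zone, flow.port)
                   for dev in self.devices_crossed(src_zone, dst_zone))


# Constructed sample designs (zone, host and device names and ports are assumptions).
SINGLE_ROUTER = Design(
    name="single router",
    zones=["internet", "lan"],
    boundary={("internet", "lan"): [Device("R1", [("internet", "lan", 443)])]},
    host_zone={"internet": "internet", "web": "lan", "app": "lan", "db": "lan"},
)

DEFENSE_IN_DEPTH = Design(
    name="router plus firewall",
    zones=["internet", "lan"],
    boundary={("internet", "lan"): [
        Device("R1", [("internet", "lan", None)]),  # router passes everything through
        Device("FW", [("internet", "lan", 443)]),   # firewall holds the real policy
    ]},
    host_zone={"internet": "internet", "web": "lan", "app": "lan", "db": "lan"},
)

TIERED_DMZ = Design(
    name="multiple DMZs",
    zones=["internet", "web_dmz", "app_dmz", "db_dmz"],
    boundary={
        ("internet", "web_dmz"): [Device("R1", [("internet", "web_dmz", 443)])],
        ("web_dmz", "app_dmz"): [Device("FW-app", [("web_dmz", "app_dmz", 8443)])],
        ("app_dmz", "db_dmz"): [Device("FW-db", [("app_dmz", "db_dmz", 5432)])],
    },
    host_zone={"internet": "internet", "web": "web_dmz", "app": "app_dmz", "db": "db_dmz"},
)

# Constructed connection attempts: the first three are the normal eCommerce chain
# (web -> app -> db); the last two are the direct paths to the database that the
# tiers are meant to block.
ATTEMPTS = [
    Flow("internet", "web", 443),
    Flow("web", "app", 8443),
    Flow("app", "db", 5432),
    Flow("web", "db", 5432),
    Flow("internet", "db", 5432),
]


def evaluate(design: Design) -> Dict[Tuple[str, str, int], bool]:
    """Map each attempt (src, dst, port) to whether the design permits it."""
    return {(f.src, f.dst, f.port): design.permits(f) for f in ATTEMPTS}


if __name__ == "__main__":
    for design in (SINGLE_ROUTER, DEFENSE_IN_DEPTH, TIERED_DMZ):
        print(f"== {design.name} ==")
        for (src, dst, port), ok in evaluate(design).items():
            print(f"  {src:>8} -> {dst:<3} :{port:<5} {'permit' if ok else 'DENY'}")
```

Running it prints a permit/deny table per design. All three designs stop the Internet-to-database attempt at the edge, but only the tiered layout denies the web-to-database attempt: in the single-router and router-plus-firewall layouts the web server and the database share one zone with no enforcement point between them, so a compromised web server is already past every defense. Adding the firewall behind the router (defense-in-depth at the edge) does not change that; only cutting the inside into separate DMZs does.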

Malicious Traffic Denied by IPS/Firewall

Facing an ISP
• Routers sometimes are required to perform as firewalls or IPS.
  — Serial, ATM, SONET, MPLS or other specialized inputs face the ISP
  — BGP4 is the required routing protocol
  — Extensive QoS rules required at perimeter

Inside your network
• Routers, Layer 3 switches and firewalls all can provide security

Firewall and IDS functions can be performed in software or as hardware modules.

**009 So malicious traffic can be denied by the IPS or firewall. Sometimes routers are required to perform as firewalls or IPS, depending on your environment. Or, as part of defense-in-depth, there may be some things you stop at the router, and other things you stop at the firewall; and we'll see that in a moment. If you have Serial, ATM, SONET, MPLS or other specialized input, any of those types of connections are going to need a router up front. Because very few firewalls, if any, will take a T1 card, for instance.

Page 12 of 14

Even if you want to use a firewall into your network, if you're connected with a T1, you're probably going to have a router in front of it, because the router has to catch the T1, convert it to Ethernet, and then pass it back to the firewall. Inside your network you're going to have routers, you're going to have Layer 3 switches. And you can have internal firewalls. We already talked about the Army and Army Reserve having firewalls between each other. Cisco, for instance, makes a lot of money selling a blade-based firewall, which is a firewall that goes right in its core routers, the 6500 core switch routers. You can have firewall blades in there and protect subnets from subnets, with a firewall, right in the middle of your network.

Page 13 of 14

Notices

© 2016 Carnegie Mellon University

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT ® is a registered mark owned by Carnegie Mellon University.

Page 14 of 14