Overclock.net › Forums › Software, Programming and Coding › Networking & Security › A guide to a properly deployed a network with security in mind.

A guide to a properly deployed a network with security in mind.

post #1 of 12
Thread Starter 
This guide is to help address many questions I have seen within this section. I have seen a lot of questions like "how do you set up security?" or "how should I set up my network?"

A little about myself: I am a Networking Professional with roughly 15 years of experience, 10 years of that also working in the security field, from Information Assurance and Security Design to Certification and Accreditation. I currently hold a CISSP https://www.isc2.org/cissp/default.aspx, CCNP, CCIP and have passed the CCIE (R&S) written http://www.cisco.com/web/learning/le...aths_home.html. I have worked with and still work with Fortune 500 companies and other Gov Agencies in the aforementioned roles.

Let's get some terminology out of the way so we are all on the same sheet of music, per se. These terms are some of the Networking basics; many will already know them, others may not.

What are Switches and Routers? Well, that is sort of a trick question; there are two flavors. The first is commonly known as a Layer 2 device (the Data Link Layer in the OSI model), also known as a Workgroup Switch. It is designed to move a frame from one system to another based on a table built on MAC addresses. Layer 2 switches DO NOT break up broadcast domains. The Layer 2 switch must forward broadcast frames to all ports. Almost all home network or unmanaged switches are Layer 2. Although managed Layer 2 switches can have multiple VLANs, they cannot route the traffic from one VLAN to another.
The other commonly known switch is a Layer 3 switch (the Network Layer in the OSI model). These switches are always managed devices and will route traffic similar to full Routers. I know, I know, you're asking, "what is the difference between the two?" Well, in the professional environment a Layer 3 switch has higher port density and normally has fewer Routing Protocols available, if any. Although companies call home based routers "routers", to me they are nothing more than a Layer 3 switch, with the majority having wireless technology built into them. I have yet to see a Home Router with Routing Protocols such as OSPF, EIGRP, IS-IS, or BGP. Professional grade Routers have special types of interfaces, normally to accommodate different types of connections or circuits. They include, but are not limited to, Ethernet, Serial, V.35, and HSSI.
All Layer 3 devices break up broadcast domains, can route between VLANs and have simple ACLs.
Hold on, what is an ACL? I thought they were only on Firewalls? An Access Control List will deny or allow specific traffic from one area to another. Think of it as a traffic light: Green you can go, Red stop, unless you're in the D.C. area. :-P The simplest ACLs are typically on Routers and are based on IP address or IP Subnet. If ACLs on a Layer 3 device are a traffic light, ACLs on a Firewall are like a traffic cop with a breathalyzer. Firewall ACLs look further into the packet and can allow or deny traffic based not only on IP, but also on port (Port 21 Deny, or FTP Deny) or protocol (TCP or UDP). Like a router, a firewall can route traffic from one VLAN to another VLAN.

Now that we have some of the Networking basics out of the way, let's start to delve into security. First of all, security is not a single application or device. It is an overall concept of how to make sure your devices are secure yet functional for your environment.

As you can see in the diagram below, there are multiple devices and many of these can be interchanged with newer technology. The principles work equally well in both the professional environment as well as the home environment. The primary areas of focus differ slightly between the two environments and have different budgetary constraints.

Although there are multiple Firewalls out there, and different kinds, each one has a specific function. I will not go into each vendor, hardware or software as there are far too many to list or go into detail about. The important thing people should take from this is that each type is really needed to help provide the most secure environment possible.

Let's start with what should be connected once you have received a connection from your ISP. Many ISPs still only provide a modem, some require that you get your own, yet others will provide a modem/router combo. Regardless, this is where the ISP point of DEMARC is; they will not support anything beyond this device.

In the Diagram you see I have listed a Security Appliance. This should be a Network Firewall; other names commonly associated with these are Perimeter Firewalls, NextGen Firewalls, or UTMs (Universal Threat Management). Note the latter 2, NextGen and UTM, are essentially the same. These devices normally bring together Firewalls, IPS and Web-Content Filtering; many also add in Anti-spam for Mail and Anti-virus. This should NOT be your only protection device. Many companies market and sell these premade, or another option could be to take your old computer and put (EXAMPLES, many out there) Untangle http://www.untangle.com or FreeBSD ipfw(8) http://www.freebsd.org/where.html on it. There you go, you have a Security Appliance.

I saw someone asking for help because his friend kept hacking his system last week. Having a Security Appliance would have resolved this issue by putting in a block on inbound initiated connections from his friend's IP.

Further in the diagram you see computers/laptops with HBSS. What is a HBSS? A Host Based Security System is the Firewall or Internet Security suite, as well as Anti-virus and Intrusion Detection/Protection System, on a specific computer or host. Many companies offer them, including but not limited to the following. To name just a few vendors that offer HBSS: Symantec End-point Protection, Kaspersky, or AVG. I do not advocate one over the other as they change in performance constantly. Some are yearly subscription based, others are free. The thing to note is many will work with additional Anti-malware and Anti-spyware. One piece of software will never catch everything. Also to note, most malware and spyware is brought down to the local system either from web activity or email, either as attachments or embedded. You may ask what I personally use; well, I use a combination of 4 different vendors.

Referring back to the diagram, you see I have located a NAS via a secure VLAN. This VLAN should house your common storage or critical storage. The VLAN should be locked down not only by IP, allowing only your trusted computers to access it, but also by port and protocol. In other words, if the NAS only needs port 443, deny all other ports. This helps protect the NAS in the event one of your trusted computers is compromised and tries to access the NAS on a different port or protocol.

Finally you will notice a Guest VLAN. There are multiple reasons for having a Guest VLAN: LAN parties for MMORPGs, family from out of town, to name just a few. The placement of this VLAN is a best practice as the Security Appliance would keep the untrusted devices within a secure bubble, limiting access to your trusted devices. "But my friends will be connecting via wireless." Well, there are 3 ways to approach this: 1) get a secondary wireless device that will allow them to connect; 2) have the Security Appliance provide wireless connectivity also (there are a few out there and they are normally about $500+); or 3) the unrecommended, least secure way, have them connect into the trusted VLAN. I would not recommend the latter and if all else fails would spend $20 on a cheap switch for the Guest VLAN and tell them to bring their cables.

I hope this answers a lot of the questions out there.
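As an added example (not code from the post or from any vendor named in it), here is a small first-match ACL evaluator that contrasts the IP-only "traffic light" ACL of a Layer 3 device with the firewall ACL that also checks protocol and port, applied to the NAS VLAN and Guest VLAN described above. The VLAN addresses and the NAS address are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addressing for the three VLANs in the post (an assumption).
TRUSTED = "192.168.10.0/24"   # trusted computers running HBSS
NAS_VLAN = "192.168.20.0/24"  # secure VLAN holding the NAS
NAS = "192.168.20.10/32"      # the NAS itself; only needs TCP 443
GUEST = "192.168.30.0/24"     # Guest VLAN
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source network, CIDR
    dst: str                     # destination network, CIDR
    proto: Optional[str] = None  # "tcp"/"udp"; None = any protocol
    dport: Optional[int] = None  # destination port; None = any port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only if every field it specifies agrees with the packet."""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    return rule.dport is None or rule.dport == pkt.dport

def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; an ACL ends with an implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# Router-style ACL: the "traffic light" that only looks at IP addresses.
LAYER3_ACL = [
    Rule("permit", TRUSTED, NAS),    # any port, any protocol
    Rule("deny", ANY, NAS_VLAN),     # nobody else reaches the secure VLAN
    Rule("deny", GUEST, TRUSTED),    # guests stay out of the trusted VLAN
    Rule("permit", TRUSTED, ANY),    # trusted hosts may reach the internet
    Rule("permit", GUEST, ANY),      # guests may reach the internet
]

# Firewall ACL: the "traffic cop" that also checks protocol and port, so a
# compromised trusted host cannot reach the NAS on anything but TCP 443.
FIREWALL_ACL = [Rule("permit", TRUSTED, NAS, "tcp", 443)] + LAYER3_ACL[1:]
```

Inbound connections from addresses outside the three VLANs fall through to the implicit deny in both lists, which is the "block on inbound initiated connections" the post mentions.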
post #2 of 12
Very good read and nice info. This makes me feel like I'm still wide open to attack. Must do further research. Thanks bratas +rep
post #3 of 12
n/m
Edited by thefreeaccount - 3/2/11 at 8:59pm
post #4 of 12
Thread Starter 
WOW, JUST WOW!!! Do you go around screaming the world is Flat too???

Quote:
Originally Posted by thefreeaccount View Post
Terrible advice. By adding lots of unnecessary complexity to your network, you've vastly increased the chances that a security flaw will be present somewhere - either a flaw in the software you've installed or - more likely - a configuration error.
Just about every security architect will fall on the floor laughing at your ignorance. Why don't you start here: http://arctecgroup.net/pdf/ArctecSec...eBlueprint.pdf Once you have finished reading that, I can lead you to the next source. I can probably find millions of them.

Quote:
Originally Posted by thefreeaccount View Post
The first piece of dedicated security hardware you install must always be a passive sensor, because that tells you when and how you've been attacked. A dedicated firewall without a sensor is useless because you will never know whether the firewall has been effective. If you don't measure before you act, you're just practicing a form of religion.

Note: I'm not saying that you shouldn't use untangle. Untangle is useful for many things. Just don't install it because you think a dedicated firewall will make you more secure. The main purpose of a firewall is to protect trusted portions of your network from untrusted users, anyway.
Do you even know what you're talking about? Did you even read my post, or did you just completely overlook what I said about NextGen Firewalls/UTMs? Again, I guess everyone needs to learn at some point; start with this http://searchsecurity.techtarget.com...anagement.html then you can go to http://en.wikipedia.org/wiki/Unified_threat_management Furthermore, on what you stated about needing a sensor: for older technology, in order to place that sensor you would need to have a Layer 2 device prior to and after the firewall. Those Layer 2 switches would have to have span ports which your sensors would plug into. That is a lot more complex and is not normally recommended in SoHo environments.

Quote:
Originally Posted by thefreeaccount View Post
Most attacks do not require an inbound connection. It's more likely that instead of getting his PC rooted from clicking on an infected e-mail, he'd be getting his entire network rooted because the password for his untangle was 'beiber4eva' (with ultra-secure 4096 key length, no doubt).

OTOH, if he had a sensor he'd be able to see that when his PC was rooted, he was reading e-mail, and that traffic matching the signature of a common trojan was detected, to a PC he now knows is his friend's. With knowledge, he can improve his security and prevent future attacks.
While it is true most threats come via malware, I referenced a specific case. In the incident I referenced, the guy knew it was from an outside attack and that he was being hacked. Reference http://www.overclock.net/networking-...need-help.html

This thread was created to provide help and assistance to people that have some Networking and Security background but were still unclear on how a defense in depth approach should be undertaken. Based on your comments and ignorance, it is not helpful and spreads misinformation.
post #5 of 12
n/m
Edited by thefreeaccount - 3/2/11 at 9:00pm
post #6 of 12
Guide is a bit beyond the scope of any home requirements and will likely just confuse people not that well versed with networking.
Quote:
I saw someone asking for help because his friend kept hacking his system last week. Having a Security Appliance would have resolved this issue by putting in a block from inbound initiated connections from his friends IP.
The simple fact of being behind PAT would indicate that either the user explicitly forwarded traffic to the target box or launched some sort of malware from within the LAN. It's really hard to save someone from complete PEBKAC issues.
post #7 of 12
I apologize for crapping on your thread. There was some good information in it. I have had some problems with IT "security experts" in the past who I felt were not competent and this has made me NUTS.
post #8 of 12
I think this should be made a sticky.... +REP!!
post #9 of 12
Perhaps a small addition to your post, here are two brilliant IPS/IDS systems you can use for the security appliance role:

PFSense - Based on OpenBSD, pretty easy to configure, and light on the hardware
Astaro Security Gateway - Simply VERY good, free for home use, but heavier on the hardware (512-1 GB RAM minimum).
    
CPUMotherboardGraphicsRAM
Q6600 SLACR @ 3.6 GHz Asus P5E Deluxe MSI 6950 2 GB + 9800GT (PhysX) 4 GB White Lake DDR2-800 
Hard DriveOptical DriveOSMonitor
Hitachi 500 GB Sata iHas 120 Windows 7 Pro x64 u2711 (27", 2560x1440, H-IPS) 
KeyboardPowerCaseMouse
Generic Dell Combat Power 750W Aerotech PGS Bx-500 Logitech Rx300 
Mouse Pad
Desk 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
Q6600 SLACR @ 3.6 GHz Asus P5E Deluxe MSI 6950 2 GB + 9800GT (PhysX) 4 GB White Lake DDR2-800 
Hard DriveOptical DriveOSMonitor
Hitachi 500 GB Sata iHas 120 Windows 7 Pro x64 u2711 (27", 2560x1440, H-IPS) 
KeyboardPowerCaseMouse
Generic Dell Combat Power 750W Aerotech PGS Bx-500 Logitech Rx300 
Mouse Pad
Desk 
  hide details  
Reply
post #10 of 12
Thread Starter 
Quote:
Originally Posted by citruspers View Post
Perhaps a small addition to your post, here are two brilliant IPS/IDS systems you can use for the security appliance role:

PFSense - Based on OpenBSD, pretty easy to configure, and light on the hardware
Astaro Security Gateway - Simply VERY good, free for home use, but heavier on the hardware (512-1 GB RAM minimum).
The best appliance would be a UTM as it has the IPS built in. There are too many vendors to list. I just listed a couple as an example.