Hello, and welcome to network security design.
Nearly everyone, especially nowadays, would agree that network security is an extremely important part of your overall network design. Many times, though, engineers simply don’t know where to start. They may think that just having a firewall at the perimeter and some anti-virus software on the workstations is enough.
Cisco has coined the term ‘defense in depth’. What this means is applying layer upon layer of security, so there isn’t any one major point of failure. Just like our redundancy design for network equipment, our security should be highly redundant, so that if any one piece is breached there’s just another roadblock right in front of the attacker.
What this translates to in practical terms is that we now have firewalls everywhere: not only at your perimeter but at security boundaries within your network. We have security at the client access layer, so if someone managed to physically intrude into the building they’d still run into problems accessing the network. We employ physical security for our network devices to prevent a bad actor from bringing us down. We use intrusion prevention and detection to block or warn of suspicious layer 7 traffic.
All of these systems, and others, add up to give us defense in depth and will hopefully cause a hacker to move on to an easier target. So let’s take a look and get started.
Physical Security
- If someone has physical access, they can bring you down
- Safeguards exist, like secure boot-config and secure boot-image
Client Access Security
- 802.1x implemented in a wired network authenticates a device before allowing access to the port
- WPA2 is the modern wireless security measure, soon to be superseded
Network Security
- Stateful firewalls are ubiquitous, allowing a trusted network to access an untrusted one
- Intrusion prevention and detection devices are highly recommended
Now, I’ve split up the types of security into 3 groups; these groups aren’t provided by Cisco, but they feel like a nice way to organize things with regard to network security. Mind you, these are not all-inclusive for organizational data security, which would also include managerial policy, data leak protection, and so on; we’re just talking about network security here. At the physical level, if someone has access to your device and the console port on it, they can usually do just about anything they want.
At best they can reboot or change the config register and bring down your network. At worst they might be able to change your configuration to redirect confidential traffic to snoop on later. Network closets should be locked and secured; oftentimes the physical security of devices is simply overlooked in small or medium businesses. In Cisco routers there’s a feature called secure boot-set, which includes the secure boot-config and secure boot-image commands. These commands hide away your IOS image and startup config in such a way that you’re unable to see or edit them remotely. This doesn’t help much, though, if someone goes and pulls the flash card from your router.
Moving down to the client-access level: this is security put in place at the switchports where end devices plug in, and on the wireless network where staff devices connect. At the switchport a fantastic security measure is 802.1x using EAP, the Extensible Authentication Protocol. This feature splits a switchport into two virtual ports, one only allowing authentication traffic and the other allowing general traffic throughput. The port is locked down and doesn’t allow any traffic until the user or device is successfully authenticated. The reason I said user or device is that you can set this up so that a username and password is provided to log in, or use certificate-based authentication with identity certificates installed on the computer. I’ve seen this in a few circumstances and it’s really cool; it makes it so that Greg, who usually brings in his personal laptop to play with over lunch, can’t connect his malware-infested machine to your network. Similarly on wireless, the 802.1x implementation is WPA2, which as of mid-2019 is soon to be superseded by WPA3 due to several security vulnerabilities that have been discovered.
Now what we’re really most interested in is network security. At the network level you mostly have firewalls and intrusion prevention or intrusion detection devices. Generally, if anyone says the word ‘firewall’ they mean a stateful firewall. This is a device whose primary job is to allow some trusted network to access some untrusted network, while not allowing the untrusted network to get in. This is done with a state table in the firewall. When the trusted network initiates traffic outbound, the firewall makes a note of the IP and port pair so it can allow the return traffic, much like a reflexive access list. It usually gets a little fancier than that, inspecting the layer 4 data to watch for TCP flags so it knows when the connection is closed, and things like that.
What has become much more popular as the technology has become more affordable and feature-rich is intrusion prevention and detection systems. These operate in one of three ways: signature based, policy based, or anomaly based. The most common implementation is probably signature based, as this has the most coverage with the fewest false positives. Intrusion detection does just what it sounds like: it detects threats, but doesn’t do anything about them except perhaps generate a log entry. Intrusion prevention, though, can take actions like blocking the traffic, blocking the source IP for a certain period of time, allowing the traffic but sanitizing the payload, etc.
As I mentioned previously, stateful firewalls are generally intended to allow a trusted network to access an untrusted network and not the other way around. We can poke holes in the firewall to allow specific inbound traffic, say if you’re hosting a web server or mail server, or if you need to allow specific traffic between two security zones, like between database servers and web servers. Firewalls typically perform inspection up to layer 4, but next-generation firewalls (NGFW) perform deep packet inspection, looking at the layer 7 data.
The firewall can operate in two different modes: routed mode or transparent mode. Routed mode is what we’re all familiar with, and it makes sense: it’s just another router that’s selectively making forwarding decisions. Transparent mode, which Cisco likes to call a ‘bump in the wire’, is where the firewall acts as an inline filter and does not break up the broadcast domain. So it’s like a switch that selectively forwards traffic based on policy. It’s great in some regards because you can filter traffic without anyone even knowing the firewall is there, say if you have servers in the same subnet but only want to allow certain protocols to communicate between them. Almost always, though, you’ll find and be using firewalls in routed mode.
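To make the state-table behaviour described above concrete (trusted side initiates, the return flow is matched against the table, a FIN or RST clears the entry, and an explicit pinhole admits unsolicited inbound traffic to a hosted server), here is a small simulation. This is an added example, not code from the original post or from any Cisco product; the 10.0.0.0/8 inside zone, the pinhole for 10.0.0.80:443 and the packet trace are all constructed, and teardown is simplified to "first FIN or RST removes the entry".

```python
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/8")   # constructed trusted zone
PINHOLES = {("10.0.0.80", 443)}                # constructed: hosted HTTPS server


class StatefulFirewall:
    """Toy stateful filter: keeps a table of flows the trusted side opened."""

    def __init__(self, pinholes=PINHOLES):
        self.state = set()          # entries are (src, sport, dst, dport)
        self.pinholes = set(pinholes)

    def filter(self, pkt):
        """Return 'allow' or 'drop' for a packet dict (src, sport, dst, dport, flags)."""
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        flags = set(pkt.get("flags", ""))

        if fwd in self.state or rev in self.state:
            # Part of a known connection; forget it once a side tears it down
            # (simplified: a single FIN or RST is enough here).
            if flags & {"F", "R"}:
                self.state.discard(fwd)
                self.state.discard(rev)
            return "allow"
        if ipaddress.ip_address(pkt["src"]) in INSIDE:
            # Trusted side initiates: note the IP/port pair so replies can return.
            self.state.add(fwd)
            return "allow"
        if (pkt["dst"], pkt["dport"]) in self.pinholes:
            # Explicit hole poked for inbound traffic to a hosted service.
            self.state.add(fwd)
            return "allow"
        return "drop"   # unsolicited traffic from the untrusted side


def run(packets):
    fw = StatefulFirewall()
    return [fw.filter(p) for p in packets]


# Constructed trace: one outbound HTTPS session, then unsolicited inbound packets.
TRACE = [
    dict(src="10.1.1.5", sport=51000, dst="203.0.113.9", dport=443, flags="S"),   # inside opens
    dict(src="203.0.113.9", sport=443, dst="10.1.1.5", dport=51000, flags="SA"),  # reply matches state
    dict(src="203.0.113.9", sport=443, dst="10.1.1.5", dport=51000, flags="F"),   # close, entry removed
    dict(src="203.0.113.9", sport=443, dst="10.1.1.5", dport=51000, flags="A"),   # stale, no state left
    dict(src="198.51.100.7", sport=40000, dst="10.1.1.5", dport=22, flags="S"),   # unsolicited SSH
    dict(src="198.51.100.7", sport=40001, dst="10.0.0.80", dport=443, flags="S"), # pinhole to web server
]
```

Running `run(TRACE)` yields allow, allow, allow, drop, drop, allow: only the flow the inside opened and the pinholed web server get through.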