Designing Converged Networks
Designing for Pervasive Network Security

Designing for Security
• Our aim in this section is to concentrate on how campus networks can be designed to address some of the security overlays
  – Detailed security implementations and HP's Pervasive Network Security strategy are available in the corresponding sessions
• Key security implementations in Enterprise Campus Networks
  – Device Management Security
  – VLAN centric design
    • Separate VLANs for management
    • Separate VLANs for wireless clients
      – If using WLAN switching, wireless users can be on separate VLANs
    • Map VLANs to security zones and use firewalls/security appliances where appropriate
  – Authentication and Authorisation
    • Network Login 802.1X
    • AutoVLANs using 802.1X
  – Identifying and Controlling Rogue Applications

VLAN Centric Design
• VLANs provide security and traffic segmentation and are supported by network cards, switches, wireless access points, routers and security appliances
• Use VLANs to segment the network into logical groups or business functions
• VLANs can be mapped to IP subnets and are terminated by routers/Layer 3 switches
• 802.1Q tagging is a standards-based VLAN tagging mechanism
• VLAN Deployment Guidelines
  – Use consistent naming and VLAN tags for all VLANs across the network
  – Configure the correct VLAN tags on both ends of switch-switch links
  – Configure all VLANs across all switches for complete user mobility across the campus
  – In resilient topologies ensure STP does not inadvertently block VLANs between switches (use MSTP instead)
  – Ensure that aggregated links carry the correct VLAN tagging information
  – Create a separate management VLAN for all active devices

Device Management Security
• For networks concerned about the security of their active devices, the following security capabilities should be considered
  – User Authentication for Device Management: only authenticated users can access device management (RADIUS or local)
  – Authorised manager access (Trusted IP): only authorised IP addresses or subnets can gain management access
  – Device Management VLAN: a separate, configurable VLAN/subnet for management
  – Selectable device management options and encrypted management sessions: enable/disable TELNET and HTTP access, and support for SSH, HTTPS etc.
• A combination or all of these capabilities could be deployed to provide device protection for switches, routers and appliances

Device Management VLAN
• A dedicated VLAN for management of active devices can be deployed for greater control
• The Device Management VLAN can span the entire campus using VLAN tagging
• Access to management can be in-band or out of band
  – For in-band access, use routing with ACLs or security appliances to control traffic to the management VLAN
• Considerations for the Device Management VLAN
  – Ensure devices support a configurable VID for management
  – Campus-wide management VLANs are more applicable in centralised Layer 3 topologies
  – Device Management VLANs can also be localised within a wiring closet or a building for distributed L3 topologies
(Diagram: Management VLAN, VID=1, spanning switches that also carry VLAN10, VLAN20, VLAN30, VLAN40, VLAN50 and VLAN60)

Network Authentication and Authorisation
• Why use 802.1X?
  – Users must authenticate before gaining access to network resources
  – All authorizations can be administered centrally
  – Accounting records can be held (who, when, where)
    • Log files can record various session data: packet counts, session durations, user names
    • Information can be used for billing
  – Security Auditing
    • Network administrators can record who is accessing the network in real time
  – Management
    • Network management applications can display user information
    • Clients can be dynamically tracked in real time using network management

Network Login and wired VLANs
• 802.1X Network Login can be associated with VLANs using the following methods
  • Static – authenticated users assume the pre-configured VLAN membership of their connected port
  • Dynamic (AutoVLANs) – authenticated users are dynamically placed in their corresponding VLAN based on RADIUS attributes
• Non-authenticated users are either excluded or become members of a "guest" VLAN
• Some devices, such as telephones, are automatically authenticated based on MAC address

Auto VLAN and QoS Assignment using 802.1X
(Diagram: a valid user logging in with User ID "Teacher" is placed in the Teacher VLAN with QoS profile "Email LowP, Web LowP, Records Server HighP"; an unknown user (User ID: ?, Pwd: ?) is placed in the Guest VLAN; a Staff VLAN is also shown)

Network Login and wireless VLANs
• Wireless users can be placed dynamically in the appropriate VLAN using 802.1X Network Login and RADIUS (VLAN ID)
• VLAN tagging on the Ethernet port of the access point ensures that the AP is aware of all configured VLANs
• The wireless access point will tunnel wireless user traffic on the appropriate tagged VLAN already configured on the Ethernet port
• Network Login based wireless VLANs can deliver end-to-end mobility across wired and wireless media
• Access points also support multiple SSIDs that can be mapped to separate VLANs for a greater level of security

Auto VLAN Assignment using 802.1X with Wireless Access Points
(Diagram: the same flow through an access point: the valid user "Teacher" is placed in the Teacher VLAN, the unknown user in the Guest VLAN; a Staff VLAN is also shown)

Mapping VLANs to Security Zones
• Map vulnerable VLANs (e.g. wireless, guest VLAN) to security zones in security appliances/firewalls for greater control
• If all VLANs are mapped to security zones then routing will be centralised by the security appliance
  – May have performance implications
• A combination of Layer 3 switching, ACLs and security zones can provide greater protection without major performance compromises
• When multiple VLANs are mapped to a security zone, inter-VLAN routing within the security zone can be controlled by the local Layer 3 switch
• Use routing policies or default routes for sending traffic to the enforcement point
(Diagram: a Policy Enforcement Point joining the WAN Security Zone, LAN 1 Security Zone, LAN 2 Security Zone, Wireless Security Zone, DMZ and Internet)

Security Zones and VLANs
(Diagram: Security Zones A to E attached through routed virtual interfaces to VLAN1, VLAN2, VLAN3, VLAN10, VLAN11 and VLAN12)

Controlling Rogue Applications
• Use QoS and application filtering to control rogue applications where they originate from: the access layer
• Using network management, rogue users and applications can be identified quickly and corrective action taken
• Example: how application filtering and autoQoS assignment on the Switch 4400 could stop the proliferation of the W32.Blaster.Worm virus
• The W32.Blaster.Worm virus exploits TCP:135 "DCOM RPC" and UDP:69 "TFTP"
  – Create a classifier on the 4400 for TCP:135 and UDP:69
  – Create a QoS profile called Blaster, assign the previous classifiers and apply the discard service level
  – Enable 802.1X, AutoVLANs and autoQoS on the user ports
  – On the RADIUS server assign the filter-id=Blaster attribute to all users
  – The next time a user logs in to the network, the Blaster profile will be applied to the switched port the user connects to

Summary
• Efficient converged network design is key to performance, business continuity and scalability
• Multi-tiered hierarchical network design provides significant benefits in terms of scalability and fault tolerance
• Business continuity is delivered by introducing high availability capabilities across all network design layers
• Campus network designs can be optimised to support convergence applications by taking into account service performance parameters, traffic prioritisation and support for multicast
• Pervasive network security addresses multiple threats, at multiple network design areas and through a variety of mechanisms
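The VLAN deployment guidelines above (consistent names and tags, identical tagging on both ends of switch-switch links, every VLAN on every switch) can be checked mechanically before a change window. The following is an added example, not part of the presentation or any HP tool: an offline audit over a constructed inventory of three switches, where the dict layout, switch and port names and the link list are assumptions.

```python
# Added example (not from the presentation): audit a VLAN design against the
# deployment guidelines. The inventory below is constructed; the dict shape is
# an assumption, not a vendor export format.

# Constructed sample: VLAN name -> 802.1Q tag per switch, tagged VLANs per trunk port.
SWITCHES = {
    "core1": {"vlans": {"Management": 10, "Staff": 20, "Guest": 30, "Wireless": 40},
              "trunks": {"A1": {10, 20, 30, 40}, "A2": {10, 20, 30, 40}}},
    "edge1": {"vlans": {"Management": 10, "Staff": 20, "Guest": 30, "Wireless": 40},
              "trunks": {"24": {10, 20, 30, 40}}},
    "edge2": {"vlans": {"Management": 10, "Staff": 21, "Guest": 30},  # tag clash, no Wireless
              "trunks": {"24": {10, 21, 30}}},
}
LINKS = [(("core1", "A1"), ("edge1", "24")), (("core1", "A2"), ("edge2", "24"))]

def audit(switches, links):
    """Return a list of guideline violations; an empty list means the design is consistent."""
    issues = []
    # Guideline: consistent naming and tags for every VLAN across the network.
    name_to_tags = {}
    for sw, cfg in switches.items():
        for name, tag in cfg["vlans"].items():
            name_to_tags.setdefault(name, {})[sw] = tag
    for name, per_sw in name_to_tags.items():
        if len(set(per_sw.values())) > 1:
            issues.append(f"VLAN '{name}' has inconsistent tags: {per_sw}")
        # Guideline: every VLAN configured on every switch for campus-wide mobility.
        for sw in switches:
            if sw not in per_sw:
                issues.append(f"VLAN '{name}' missing on {sw}")
    # Guideline: identical tagging on both ends of each switch-switch link.
    for (sw_a, port_a), (sw_b, port_b) in links:
        tags_a = switches[sw_a]["trunks"].get(port_a, set())
        tags_b = switches[sw_b]["trunks"].get(port_b, set())
        if tags_a != tags_b:
            diff = sorted(tags_a ^ tags_b)
            issues.append(f"Link {sw_a}:{port_a}<->{sw_b}:{port_b} tag mismatch on {diff}")
    return issues

if __name__ == "__main__":
    for line in audit(SWITCHES, LINKS):
        print(line)
```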
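The Network Login/AutoVLAN slides and the Blaster example describe one decision a switch port makes after 802.1X: take the VLAN from the RADIUS reply and apply the QoS profile named in filter-id. The following added example (not code from the presentation or from the Switch 4400) models that decision in Python; the VLAN name map, the sample attribute values and the PortState/classify_packet helpers are constructed assumptions, while the tunnel attribute constants are the RFC 3580 values.

```python
# Added example (not from the presentation): what a switch port does with the
# RADIUS Access-Accept after 802.1X Network Login. VLAN selection follows the
# RFC 3580 tunnel attributes; Filter-Id names the QoS profile. Sample values
# and the name map are constructed.
from dataclasses import dataclass
from typing import Optional

TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6          # RFC 3580: Tunnel-Type=VLAN, Medium=IEEE 802
VLAN_BY_NAME = {"Teacher": 20, "Staff": 21, "Guest": 30}  # constructed: group ID may be a name
# "Blaster" profile from the slide: classifiers TCP:135 and UDP:69 with the discard service level.
QOS_PROFILES = {"Blaster": {"classifiers": {("tcp", 135), ("udp", 69)}, "service_level": "discard"}}

@dataclass
class PortState:
    vlan: Optional[int]         # None = user excluded from the network
    qos_profile: Optional[str]  # profile applied to the switched port

def apply_access_result(accepted, attrs, port_vlan, guest_vlan=None):
    """Derive the port's VLAN and QoS profile from the 802.1X outcome and RADIUS attributes."""
    if not accepted:
        # Non-authenticated users are excluded or become members of the guest VLAN.
        return PortState(vlan=guest_vlan, qos_profile=None)
    vlan = port_vlan  # static Network Login: keep the port's pre-configured VLAN
    gid = attrs.get("Tunnel-Private-Group-ID")
    if (gid and attrs.get("Tunnel-Type") == TUNNEL_TYPE_VLAN
            and attrs.get("Tunnel-Medium-Type") == TUNNEL_MEDIUM_802):
        # AutoVLAN: the group ID may be a numeric tag or a VLAN name
        vlan = int(gid) if gid.isdigit() else VLAN_BY_NAME.get(gid, port_vlan)
    profile = attrs.get("Filter-Id")
    if profile not in QOS_PROFILES:
        profile = None  # unknown or absent profile name: port keeps its default QoS
    return PortState(vlan=vlan, qos_profile=profile)

def classify_packet(port, proto, dport):
    """Service level the port's QoS profile assigns to a packet; 'forward' if nothing matches."""
    profile = QOS_PROFILES.get(port.qos_profile)
    if profile and (proto, dport) in profile["classifiers"]:
        return profile["service_level"]
    return "forward"

if __name__ == "__main__":
    # Constructed Access-Accept for user "Teacher": Teacher VLAN plus the Blaster profile.
    accept = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
              "Tunnel-Private-Group-ID": "Teacher", "Filter-Id": "Blaster"}
    teacher = apply_access_result(True, accept, port_vlan=1)
    print(teacher, classify_packet(teacher, "tcp", 135), classify_packet(teacher, "tcp", 80))
    print(apply_access_result(False, {}, port_vlan=1, guest_vlan=30))
```

A user who fails authentication and lands in the guest VLAN carries no profile, so TCP:135 is still forwarded on that port; that is why the slides assign filter-id=Blaster to all users and map the guest VLAN to its own security zone.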