NET-403_final
How to deploy and secure a 40,000 node network in under 40 days
Mark Townsend
Enterasys Networks
04/24/09 | Session ID: NET-403
Session Classification: Intermediate
Agenda
Mission
Setting the Stage
Action!
Epilogue
Mission:
Simple, Stable, Secure
• Leverage best practices design
• No proprietary configurations or hardware
• Not afraid to leverage new technology
Setting the Stage:
Key Technologies
• Network Access Control
– Role-based access controls
• Security Information & Event Management
– Correlation
• Virtualization
– Availability / DR
What the NAC?
Hold access
• Evaluate identity
• Evaluate compliance
Network policies
• Assign a VLAN
What the NAC?
Accept ‘everyone’
• MAC-based authentication
• Location awareness
• Overrides for media end-points (e.g. VoIP)
Network policies
• Enables role-based access controls
Role Based Access Controls (RBAC)
• ANSI INCITS 359-2004
• NIST Project pages:
http://csrc.nist.gov/groups/SNS/rbac/
Role Based Access Controls (RBAC)
Apply communication patterns to network policies
Monitoring & Correlation
• Leverage a wide array of data sources
– NetFlow, IDS, network management
• Correlate information to actionable data
– Event / Source / Target / Source Location
• Integrate NAC data
– Provide end-point context to security feeds
Action!:
What Are We Building?
• Big network – lots of users!
• Open connectivity
• New team members!
Team Building
• Experts recruited
• Teams created based
on expertise
• Focused meetings
• Collaboration!
Network
Simple: Characterize devices – build templates
Stable: Deploy network access policies
Secure: Assign key monitor points
Device Templates
Master device-type configuration
set vlan create 2-4
set vlan name 2 Enterprise
set vlan name 3 Guest
set vlan name 4 Remediation
set vlan egress 2 ge.1.1,41-48
set vlan egress 3 ge.1.1,41-48
set vlan egress 4 ge.1.1,41-48
set vlan dynamicegress 1-4 e
!
access-list 101 permit t
access-list 102 permit t
route-map 101 pe
match ip add
set next-hop
route-map 101 pe
Approaches to Policy Control

Open
• Allow all communications
• Deny specific
Benefit
• Easy to deploy
• Fewer helpdesk calls
Negative
• Lesser security for simplicity
• Potential increase in risk

Closed
• Deny all communications
• Allow specific
Benefit
• Secure
• Predictable
Negative
• Increased helpdesk calls
• Really need to know your clients and their communication needs
“Clients Can’t Be Servers”
Standard network filter policy for access layer
• Restrict server protocols
• Map media protocols to QoS
Enforce policy at edge port
• Deny DHCP server
• Deny DNS server
• Deny OSPF
• Allow DHCP client
• Allow DNS client
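As an added illustration (not code from the deck or from Enterasys), the edge-port policy above expressed as a small ingress filter and run over constructed flow records from one client port; the record format and the deny-first ordering are assumptions, while the protocol and port numbers are the standard IANA values.

```python
# Added example: encode the "Clients Can't Be Servers" edge policy and
# evaluate it against constructed ingress flows from an access-layer port.
from dataclasses import dataclass

UDP, TCP, OSPF = 17, 6, 89              # IP protocol numbers (IANA)
DHCP_SERVER, DHCP_CLIENT, DNS = 67, 68, 53

@dataclass(frozen=True)
class Flow:
    """One ingress packet/flow seen on a client port (assumed record format)."""
    proto: int
    src_port: int = 0
    dst_port: int = 0

def edge_policy(flow: Flow) -> tuple[str, str]:
    """Return (verdict, rule) for traffic entering from a client port.
    Server-role denies are checked first; anything else is permitted,
    matching the deck's 'open' approach with specific denies."""
    if flow.proto == OSPF:
        return "deny", "Deny OSPF"             # client must not speak routing protocols
    if flow.proto == UDP and flow.src_port == DHCP_SERVER:
        return "deny", "Deny DHCP server"      # client handing out leases = rogue DHCP
    if flow.proto in (UDP, TCP) and flow.src_port == DNS:
        return "deny", "Deny DNS server"       # client answering DNS = rogue resolver
    if flow.proto == UDP and flow.src_port == DHCP_CLIENT and flow.dst_port == DHCP_SERVER:
        return "allow", "Allow DHCP client"
    if flow.proto in (UDP, TCP) and flow.dst_port == DNS:
        return "allow", "Allow DNS client"
    return "allow", "default"

# Constructed sample traffic from a single edge port.
SAMPLE = [
    Flow(UDP, DHCP_CLIENT, DHCP_SERVER),   # normal lease request
    Flow(UDP, DHCP_SERVER, DHCP_CLIENT),   # host offering leases
    Flow(UDP, 51000, DNS),                 # normal DNS query
    Flow(TCP, DNS, 40321),                 # host answering DNS
    Flow(OSPF),                            # host sending OSPF
    Flow(TCP, 52000, 443),                 # ordinary web traffic
]

def apply_policy(flows):
    """Evaluate every flow; returns a list of (verdict, rule) pairs."""
    return [edge_policy(f) for f in flows]

if __name__ == "__main__":
    for f, (verdict, rule) in zip(SAMPLE, apply_policy(SAMPLE)):
        print(f"{verdict:5} {rule:18} {f}")
```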
RBAC Exceptions
“Special” access requirements
Exception to expected & provisioned communications
Examples:
• Hi-Def video conferencing
• Private network link video conferencing
Example RBAC Exceptions
[Figure: example RBAC exception matrix]
Big Pipes: Large Threat Potential
• Heavy in-bound scan activity
• Distributed Denial of Service (DDoS)
• MySQL buffer overflow (alive & well)
• Worm-infected internal hosts (accident)
• Policy violations
• Internal scan activity
Intrusion Detection AND Correlation
• Reduced events
– 65 million events to a few hundred attackers
• Mitigated several infected systems
– Event and source location (port) correlation in seconds
• Lunch hour is an interesting hour
– Amazing what you learn when they think nobody is watching
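An added example (not from the deck or from Enterasys) of the event-to-attacker reduction and the source-location join the slide describes: IDS alerts are grouped by source and each internal source is matched to a NAC end-point record that names its switch port. The alert tuple format and the NAC registry layout are constructed for this example.

```python
# Added example: collapse IDS alerts into per-source summaries and attach
# the NAC end-point location so the offending port can be found at once.
from collections import defaultdict

# Constructed IDS alerts: (timestamp, source_ip, target_ip, signature)
ALERTS = [
    ("12:01:03", "10.20.5.17", "10.20.9.4", "MySQL overflow attempt"),
    ("12:01:04", "10.20.5.17", "10.20.9.5", "MySQL overflow attempt"),
    ("12:01:05", "10.20.5.17", "10.20.9.6", "MySQL overflow attempt"),
    ("12:02:10", "198.51.100.9", "10.20.9.4", "Port scan"),
    ("12:02:11", "198.51.100.9", "10.20.9.7", "Port scan"),
    ("12:15:00", "10.20.7.3", "10.20.9.4", "Worm propagation"),
]

# Constructed NAC registry: internal IP -> (switch, port, role)
NAC_ENDPOINTS = {
    "10.20.5.17": ("sw-b2-f1", "ge.1.14", "guest"),
    "10.20.7.3": ("sw-b4-f2", "ge.2.7", "staff"),
}

def correlate(alerts, nac):
    """Group alerts by source; count events and distinct targets; join the
    NAC location. Sources with no NAC record are outside the NAC's view."""
    by_src = defaultdict(lambda: {"events": 0, "targets": set(), "sigs": set()})
    for _ts, src, dst, sig in alerts:
        rec = by_src[src]
        rec["events"] += 1
        rec["targets"].add(dst)
        rec["sigs"].add(sig)
    out = {}
    for src, rec in by_src.items():
        switch, port, role = nac.get(src, (None, None, None))
        out[src] = {
            "events": rec["events"],
            "targets": len(rec["targets"]),
            "signatures": sorted(rec["sigs"]),
            "location": f"{switch}:{port}" if switch else "external/unknown",
            "role": role,
        }
    return out

def attacker_count(alerts):
    """The reduction the slide describes: many events -> few distinct sources."""
    return len({a[1] for a in alerts})

if __name__ == "__main__":
    for src, summary in correlate(ALERTS, NAC_ENDPOINTS).items():
        print(src, summary)
    print(len(ALERTS), "events ->", attacker_count(ALERTS), "sources")
```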
Visibility
Examples surfaced by end-point visibility:
• Unregistered NOC media device
• DHCP not configured on device
• Using a static IP not valid for the network
Virtualization
• All servers that were not appliances were installed in a VMware environment
– ESX environment in core NOC and backup NOC
– VMotion allowed services to be always available
• NAC coordinated access for virtual machines
Epilogue:
Application: What We’ve Learned
1. Capacity planning
• Plan for intensive scanning – then factor by 10
2. RBAC must be easy to understand
• Policies must be intuitive and expected results communicated
• Troubleshooting tools/procedures need to be adapted for network RBAC
3. Beer fixes many things, people make it happen!
Apply!
• Evaluate your environment for RBAC
– Start with eliminating common server protocols from the edge
• Evaluate how your equipment provides visibility
– NetFlow, sFlow, endpoint location (by various identity markers)
• Evaluate stability
– Virtualization to enable DR
– Stored device templates
Questions?
markt enterasys com