Wednesday, May 27, 2009

Core Network Security: A Seldom Used Bag-O-Tricks

Walk into 9 out of 10 organizations, ask them what security controls they have built INTO the network and you'll get responses like:

"We have 800 VLANs."

"We turn off ports in conference rooms."

"Who are you, and how did you get in my office?"

It really doesn't matter what core network vendor you've chosen (Cisco, Brocade, Juniper). You can drink any Kool-Aid you want and still have an arsenal of great core network security features or techniques at your disposal. These include: Dynamic ARP Inspection, DHCP Snooping, Identity Based Network Services (or any other name you want to give an 802.1x + Certificate Authority + RADIUS solution), Infrastructure Protection Access-Lists (iACLs), Router Neighbor Authentication, etc. The list is very long, most have been around for years, and many times we see NONE of them in place at organizations big or small.

Why not? Are they that hard to implement? Not really. They require planning, a critiqued design, and a phased implementation.

We forget that the network CONTROLS TRAFFIC. If you can stop malicious traffic through the system that is controlling the transport of data, you've leveraged a powerful system that most organizations naively think should only provide speed and performance. We also forget that the network can be sliced and diced for a thousand different purposes; when was the last time you had a VLAN design discussion that was solely focused on grouping systems based off risk and criticality to the business? Probably never, unless you're currently working on PCI network segmentation.

Ask these questions the next time you're in a network design meeting:

- How are we going to prevent unauthorized access to the network? Better yet, who's authorized and who's NOT authorized?
- How are we going to protect our internal core network from attack; as in, taking over specific networking services or performing covert man-in-the-middle attacks? (Hint: go play with Yersinia)
- How do we stop someone from plugging in a rogue DHCP server?
- How will we protect one VLAN from another? (They don't form shields around themselves, promise!)
- How will we protect our network from reconnaissance? (Someone sitting on your network, passively mapping everything!)
- How will we SECURELY and STRATEGICALLY manage our network devices? (Think: Out-of-Band, management ACLs, secure protocols, SNMP restrictions)
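To make the rogue-DHCP and man-in-the-middle questions concrete, here is an added example (not from the post or from Cisco's documentation) of an access-switch configuration that turns on DHCP Snooping and Dynamic ARP Inspection together. It assumes Catalyst IOS syntax, user VLANs 10 and 20, an uplink on GigabitEthernet1/0/1 and user ports on 1/0/2 through 1/0/24; the interface names, VLAN numbers, MAC and IP address are constructed.

```cisco
! Global: enable DHCP snooping on the user VLANs. Every port is
! untrusted by default, so DHCP OFFER/ACK frames arriving from a
! rogue server on an access port are dropped and logged.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Caveat: IOS inserts option 82 by default and many DHCP servers
! silently drop such requests unless a relay is configured for it.
no ip dhcp snooping information option
!
! Global: DAI validates ARP packets against the snooping binding
! table, dropping replies whose sender MAC/IP is not a real lease.
! This is what defeats ARP-cache poisoning (the MITM question above).
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! Ports that trip the rate limits go err-disabled; recover them
! automatically instead of waiting for a manual shutdown/no shutdown.
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! The uplink toward the real DHCP server is the ONLY place where
! DHCP server replies and uninspected ARP are accepted.
interface GigabitEthernet1/0/1
 description Uplink to distribution (constructed)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! User-facing ports stay untrusted; the per-port rate limits keep
! one flooding host from exhausting the switch CPU or binding table.
interface range GigabitEthernet1/0/2 - 24
 description User access ports (constructed)
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
! Statically addressed hosts never get a lease, so DAI has no binding
! for them and would drop their ARP; add a static binding for each.
ip source binding 0011.2233.4455 vlan 10 10.0.10.250 interface GigabitEthernet1/0/24
```

After deployment, `show ip dhcp snooping binding` should list one entry per live DHCP client and `show ip arp inspection vlan 10` should report the VLAN as active; a host that is missing from the binding table will lose ARP reachability, which is the usual symptom when a static device was forgotten.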

Even though the following links are from Cisco, you can apply most of the techniques across any major core networking vendor (sorry Netgear). Have a look...you'll find that most of the options found within aren't even discussed or mentioned by Sales Engineers or Professional Service firms that are looking to help you implement a network design. Demand it from them! Or better yet, design it yourself and learn a lot.

Cisco's SAFE Blueprint (Updated recently!)

www.cisco.com/go/safe
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg.html

Dynamic ARP Inspection (DAI)

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dynarp.html

DHCP Snooping

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/snoodhcp.html

Identity Based Networking Services (IBNS)

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/Whitepaper_c11-532065.html

1 comment:

dre said...

The Cisco Validated Design program offers two levels of secure network design principles in the same way that CIS (cisecurity.org) provides two levels of benchmarks (minimal and advanced).
http://cisco.com/go/cvd

The ITU-T also specifies X.805, which Cisco based their "Security Assessment, Validation, and Execution" (SAVE) framework on. Very little is written about it, but it seems useful for threat-modeling and risk analysis activities. See more here http://www.cisco.com/web/services/news/ts_newsletter/tech/chalktalk/archives/200710.html