Secure Network Analysis Essentials with Case Studies

    Slide Presentation with Article


    AUTHOR: Bill Chadwick, Cisco
    DATE: Oct 2008
    DESCRIPTION: Overview of essential information when performing a security analysis of networks. Includes two (2) case studies as examples.



    If a network is to provide security services, the infrastructure of that network itself needs to be secure. This concept borrows directly from operating system security, where the term "Trusted Computing Base" is used to specify an operating system that properly enforces its security policy only if it is itself resistant to attacks. This is a simple rule, which is valid with any security system and is therefore of paramount importance in network security. Though specialized security devices, such as firewalls, might be designed to be resistant to attacks, many network devices are not. Moreover, most common network devices come pre-configured with settings that might not be desirable when a certain level of network security needs to be provided.

    In general, the design of a secure network infrastructure revolves around three areas, which should provide a "Network Trusted Computing Base" to an organization.


    • Making devices resistant to attacks that are targeting devices themselves as hosts: This is commonly called network device "hardening," and it applies guidelines from host security to network devices.

    • Providing at least baseline security features to traffic controlled by those devices: In environments with high security requirements, devices might be configured with extremely tight traffic handling policies, which might be unmanageable in a classic commercial environment.

    • Managing the devices securely: This area involves secure operational procedures, such as change control and consistent provisioning, and technical aspects, such as secure management protocols or out-of-band management networks.

    Several general guidelines apply to any network infrastructure security analysis.


    • Assess risks when the complete picture of the network has been established. There are too many examples where the lack of proper inventory-keeping has caused grave consequences for network security.

    • Mapping tools are useful, but they encourage a black-box approach, where the mapper does not necessarily know whether the mapping has reached every device of the network. A combination of discovery techniques, including human knowledge and physical inspection, is necessary.

    • When analyzing network management, do not focus only on the technology. The practices of the management personnel might negate the use of security technology.

    • It is hard to implement infrastructure security in a single pass across a large network. Divide the process into several stages: begin by addressing the most important issues and proceed according to the implementation plan.

    Case Study #1


    This case study illustrates a specific problem that needed to be solved in an open university environment. The LAN administrators noticed several failures of the access layer in their switched LAN, which might have been caused by a station attacking network devices. An anonymous student claimed responsibility, and the administrators decided to review their device security policies.


    A network audit showed that the access layer ports were configured without any special security settings, enabling any station to send raw frames of any kind to adjacent switches. As this was most likely the cause of the problem, port-level security settings were implemented (PortFast, root guard, and so on).
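
    The port-level audit described in Case Study #1, as an added example (not from the original article or from Cisco): the script parses a constructed IOS-style switch configuration and lists access ports that lack the two settings the case study names. The sample configuration, the function names, and the choice to require both settings on every enabled access port are assumptions.

```python
import re

# Constructed sample of an IOS-style switch configuration (not from the page).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree guard root
!
interface GigabitEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/24
 switchport mode trunk
!
"""

# Assumed baseline: the two settings the case study names (PortFast, root guard).
REQUIRED_ON_ACCESS = ("spanning-tree portfast", "spanning-tree guard root")


def parse_interfaces(config):
    """Return {interface name: [stanza lines]} for each interface stanza."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        match = re.match(r"^interface\s+(\S+)", raw)
        if match:
            current = interfaces.setdefault(match.group(1), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces


def audit_access_ports(config, required=REQUIRED_ON_ACCESS):
    """Return {port: [missing settings]} for access ports that lack any."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines or "shutdown" in lines:
            continue  # trunks and disabled ports are out of scope here
        missing = [cmd for cmd in required if cmd not in lines]
        if missing:
            findings[name] = missing
    return findings
```

    Calling audit_access_ports() on each saved switch configuration gives a per-port gap list that can be tracked through the staged implementation plan recommended above.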

    Case Study #2


    This case study illustrates a common case of configuration control. A large business is concerned about the consistency of its network device configurations, as outsourced partners did most of the deployment. From the security perspective, there was no documented procedure to deploy routers securely, which has resulted in very different initial configurations across the WAN devices.



    The requirement of secure initial settings was identified, and the analysis of the network provided input to decide on the level of security and required services on network devices. As a result, templates were created, and their use was enforced at new device deployment. Also, the network management team was trained on best practices for secure management.