How to take control of network infrastructure. Chapter three Network security Part three
This article is the fifth in a series of articles "How to take control of network infrastructure." The contents of all articles in the series and links can be found here .
This part will focus on Campus security audits (Office) & Remote access VPN segments.
')
It may seem that the design of an office network is simple.
Indeed, we take L2 / L3 switches, connect them together. Next, we make an elementary configuration of wilan, default gateways, we raise simple routing, connect WiFi controllers, access points, install and configure ASA for remote access, rejoice that it all worked. In principle, as I wrote in one of the previous articles in this cycle, I can design and configure an office network to “work somehow”, can almost every student who has listened (and mastered) two semesters of a course on a telecom.
But the more you learn, the less elementary this task begins to seem. For me personally, this topic, the theme of office network design, does not seem simple at all, and in this article I will try to explain why.
In short, you need to take into account quite a few factors. Often these factors are in conflict with each other and you have to look for a reasonable compromise.
This uncertainty is the main difficulty. So, speaking of security, we have a triangle with three vertices: security, convenience for employees, the price of the solution.
And every time you have to find a compromise between these three.
As an example of architecture for these two segments, I, as in previous articles, recommend the Cisco SAFE model: Enterprise Campus , Enterprise Internet Edge .
These are somewhat outdated documents. I cite them here, because fundamentally the schemes and approach have not changed, but I like the presentation more than in the new documentation .
Without encouraging you to use Cisco solutions, I still find it useful to carefully study this design.
This article, as usual, in no way claiming to be complete, is rather an addition to this information.
At the end of the article, we will analyze the design of the Cisco SAFE for the office in terms of the concepts outlined here.
The design of an office network, of course, must meet the general requirements, which were discussed here in the chapter “Criteria for assessing the quality of design”. In addition to price and security, which we intend to discuss in this article, there are still three criteria that we must take into account when designing (or when making changes):
Much of what has been discussed for data centers is also fair for the office.
But still, the office segment has its own specifics, which is critical from a security point of view. The essence of this specificity is that this segment is created to provide network services to employees (as well as partners and guests) of the company, and, as a result, at the topmost level of problem consideration we have two tasks:
And this is only one side of the problem (or rather one vertex of the triangle). On the other side is the convenience of the user and the price of the applied solutions.
Let's start by looking at what the user expects from a modern office network.
Here is how I think “network amenities” for an office user:
All this applies to both employees and guests (or partners), and this is the task of the company's engineers, based on authorization, to differentiate access for different groups of users.
Let's take a closer look at each of these aspects.
It is about the opportunity to work and use all the necessary company resources from anywhere in the world (of course, where the Internet is available).
This fully applies to the office. This is convenient when from anywhere in the office you have the opportunity to continue working, for example, to receive mail, to communicate in a corporate messenger, to be available for a video call ... Thus, this allows you, on the one hand, to solve some issues through "live" communication (for example, to participate in rallies), and on the other hand, to be always online, keep abreast of and quickly solve some urgent high-priority tasks. It is very convenient and, indeed, improves the quality of communications.
This is achieved by the correct design of the WiFi network.
I wish mobility was not limited to office only.
To enable work from home (or any other place with accessible Internet), a VPN connection is used. At the same time, it is desirable that employees do not feel the difference between working from home and remote work, which implies the presence of the same access. We will discuss how to organize this a bit later in the chapter “A single centralized system of authentication and authorization”.
This task should be solved together with other technical departments.
The ideal situation is when the user needs to authenticate only once, and after that he gets access to all necessary resources.
Providing easy access without compromising security can significantly improve work efficiency and reduce the stress level of your colleagues.
The Internet is not only entertainment, but also a set of services that can be very useful for work. There are also purely psychological factors. A modern person through the Internet with many virtual threads is connected with other people, and, in my opinion, there is nothing bad if he continues to feel this connection even during work.
From the point of view of loss of time, there is nothing terrible if an employee, for example, has Skype running, and he will spend 5 minutes talking with a loved one if necessary.
Does this mean that the Internet should always be available, does this mean that employees can open access to all resources and not control them in any way?
No, it does not mean, of course. The level of openness of the Internet can be different for different companies - from complete closeness to complete openness. We will discuss ways to control traffic later in the sections on protection.
It is convenient when, for example, you have the opportunity to continue to use all of your usual means of communication and at work. There is no difficulty in technically realizing this. For this you need WiFi and a guest wilan.
It is also good if you can use the operating system you are used to. But, in my observation, usually, it is allowed only to managers, administrators and developers.
The data transfer rate is technically made up of many factors. And the speed of your connection port is usually not the most important of them. Slow operation of the application is not always associated with network problems, but now we are only interested in the network part. The most common problem of "slowing down" the local network is associated with packet loss. This usually occurs when there is a bottleneck effect or L1 (OSI) problems. Less often, with some designs (for example, when the firewall acts as the default gateway on your subnets and thus all traffic goes through it), the performance of the equipment may not be enough.
Therefore, when choosing equipment and architecture, you need to correlate the speed of end ports, trunks and equipment performance.
We looked at one vertex of the triangle, now let's consider how we can provide security.
So, of course, usually, our desire (or rather, the desire of our leadership) is to achieve the impossible, namely, to provide maximum convenience with maximum security and minimum price.
Let's look at what methods we have to provide protection.
For the office, I would highlight the following:
Next, we dwell a little more on each of these aspects.
IT world is changing very quickly. Literally over the past 10 years, the emergence of new technologies and products has led to a major revision of the concepts of security. Ten years ago, from a security point of view, we segmented the network into a trust, dmz and untrust zone, and the so-called “perimeter defense” was applied, where there were 2 lines of defense: untrust -> dmz and dmz -> trust. Also, protection is usually limited to access lists based on L3 / L4 (OSI) headers (IP, TCP / UDP ports, TCP flags). Everything related to higher levels, including L7, was left at the mercy of the OS and protection products installed on the final hosts.
Now the situation has changed dramatically. The modern concept of zero trust is based on the fact that it is no longer possible to consider internal systems, that is, inside the perimeter, the systems are trusted, and the concept of perimeter itself has become blurred.
In addition to connecting to the Internet, we also have
What does the Zero Trust approach look like in practice?
Ideally, only the traffic that is required should be allowed, and if we are talking about the ideal, then the control should be not only at the L3 / L4 level, but at the application level.
If, for example, you have the opportunity to pass all traffic through the firewall, then you can try to get closer to the ideal. But this approach can significantly reduce the total bandwidth of your network, and besides, filtering by application does not always work well.
When controlling traffic on a router or L3 switch (using standard ACLs), you encounter other problems:
In the article in the section on data centers, we considered the following methods of protection.
In the case of the office, the situation is similar, but the priorities are slightly different. Office availability (availabilty) is usually not as critical as in the case of a data center, while the probability of “internal” malicious traffic is much higher.
Therefore, the following methods of protection for this segment become critical:
Although all of these protection methods, with the exception of application firewalling, have traditionally been and continue to be solved on end hosts (for example, installing antivirus programs) and using proxy, modern NGFW also provide these services.
Security equipment vendors strive to create comprehensive protection, so along with protection on the local box, various cloud technologies and end-point protection / EPP are offered. So, for example, from the Gartner Magic Quadrant (Gartner Magic Quadrant) for 2018, we see that Palo Alto and Cisco have their own EPP (PA: Traps, Cisco: AMP), but they are not among the leaders.
The inclusion of these protections (usually through the purchase of licenses) on the firewall is, of course, not mandatory (you can go the traditional way), but it has some advantages:
The basic idea is simple - to “see” what is happening on your network, both in real time and historical data.
I would divide this “vision” into two groups:
Group one: what your monitoring system usually provides you.
Group Two: security related information.
In this security chapter, we are interested in the second part.
Some modern firewalls (from my Palo Alto practice) provide a good level of visibility. But, of course, the traffic that interests you should go through this firewall (in this case, you have the ability to block traffic) or mirror the firewall (used only for monitoring and analysis), and you must have licenses to enable all these services. .
There is, of course, an alternative path, or rather a traditional path, for example,
You can combine these two approaches, complementing the missing functions or duplicating them to increase the likelihood of detecting an attack.
Which approach to choose?
It strongly depends on the qualifications and preferences of your team.
And there, and there are pros and cons.
Unified centralized authentication and authorization system
With a good design, mobility, which we discussed in this article, assumes that you have the same access, working from the office or from home, from the airport, from a cafe or any other point (with the limitations that we discussed above). It would seem, what's the problem?
In order to better understand the complexity of this task, let's consider a typical design.
With the possibility of a remote connection, we get the risk of allowing not only an employee of the company to the network, but also all the malicious software that is most likely present on his computer (for example, home), and moreover, through this software we may open our network to the attacker using this host as a proxy.
It is reasonable for a remotely connected host to apply the same security requirements as a host located in the office.
This includes the “correct” version of the OS, anti-virus, anti-spyware, and firewall software and updates. Usually, this feature exists on the VPN gateway (for ASA, see, for example, here ).
It is also wise to apply the same methods of analyzing and blocking traffic (see “High level of protection”), which, in accordance with your security policy, applies to office traffic.
It is reasonable to proceed from the assumption that now your office network is not limited to an office building and the hosts located in it.
In principle, this is a conversation about the third vertex of our triangle - about the price.
Let's look at a hypothetical example.
Is this example exaggerated? The next chapter will answer this question.
If you are on your network, you do not see anything of the article reviewed in this article, then this is the norm
For each case, you need to find a reasonable compromise between convenience, price and security. Often NGFW is not even required in your office, L7 protection on the firewall is not required. Enough to provide a good level of visibility and alerts, and this can be done using open source products, for example. Yes, your reaction to the attack will not be instant, but the main thing is that you will see it, and if you have the right processes in your department, you will be able to quickly neutralize it.
And let me remind you that according to the intention of the cycle of these articles, you are not engaged in designing a network, you are just trying to improve what you got.
Pay attention to this red square, with which I have allocated a place in the diagram from the SAFE Secure Campus Architecture Guide that I would like to discuss here.
This is one of the key places of architecture and one of the most important uncertainties.
From conventional designs, I see only 4 possible uses of the firewall with this connection:
From the description of the streams in the document, we see that all the traffic goes through the firewall, that is, in accordance with the design of Cisco, the fourth option disappears.
Let's first consider the first two options.
With these options, all traffic goes through the firewall.
Now we look at the data sheet , we look at the Cisco GPL and see that if we want the total bandwidth for our office to have at least 10 to 20 gigabits, then we should buy the 4K version.
From the GPL, we see that for the HA Bundle with Threat Defense, the price, depending on the model (4110 - 4150), varies from ~ 0.5 - 2.5 million dollars.
That is, our design begins to resemble the previous example.
Does this mean that this design is wrong?
No, it does not mean.Cisco provides you with the best possible protection based on the product line it has. But this does not mean that it is a “mast-doo” for you.
In principle, this is a common question that arises when designing an office or a data center, and this only means that you need to look for a compromise.
For example, not all traffic is allowed through the firewall, and in this case, the third option seems pretty nice to me, or (see the previous section), you may not need Threat Defense or you don't need a firewall at all in this network segment, and you just need to passive monitoring with the use of paid (not expensive) or open source solutions, or firewall is needed, but another vendor.
Usually there is always this uncertainty and there is no definite answer as to which solution is best for you.
This is the complexity and beauty of this task.
This part will focus on Campus security audits (Office) & Remote access VPN segments.
')
It may seem that the design of an office network is simple.
Indeed, we take L2 / L3 switches, connect them together. Next, we make an elementary configuration of wilan, default gateways, we raise simple routing, connect WiFi controllers, access points, install and configure ASA for remote access, rejoice that it all worked. In principle, as I wrote in one of the previous articles in this cycle, I can design and configure an office network to “work somehow”, can almost every student who has listened (and mastered) two semesters of a course on a telecom.
But the more you learn, the less elementary this task begins to seem. For me personally, this topic, the theme of office network design, does not seem simple at all, and in this article I will try to explain why.
In short, you need to take into account quite a few factors. Often these factors are in conflict with each other and you have to look for a reasonable compromise.
This uncertainty is the main difficulty. So, speaking of security, we have a triangle with three vertices: security, convenience for employees, the price of the solution.
And every time you have to find a compromise between these three.
Architecture
As an example of architecture for these two segments, I, as in previous articles, recommend the Cisco SAFE model: Enterprise Campus , Enterprise Internet Edge .
These are somewhat outdated documents. I cite them here, because fundamentally the schemes and approach have not changed, but I like the presentation more than in the new documentation .
Without encouraging you to use Cisco solutions, I still find it useful to carefully study this design.
This article, as usual, in no way claiming to be complete, is rather an addition to this information.
At the end of the article, we will analyze the design of the Cisco SAFE for the office in terms of the concepts outlined here.
General principles
The design of an office network, of course, must meet the general requirements, which were discussed here in the chapter “Criteria for assessing the quality of design”. In addition to price and security, which we intend to discuss in this article, there are still three criteria that we must take into account when designing (or when making changes):
- scalability
- managability
- availability
Much of what has been discussed for data centers is also fair for the office.
But still, the office segment has its own specifics, which is critical from a security point of view. The essence of this specificity is that this segment is created to provide network services to employees (as well as partners and guests) of the company, and, as a result, at the topmost level of problem consideration we have two tasks:
- protect company resources from malicious actions that may come from employees (guests, partners) and from the software they use. This also includes protection from unauthorized connection to the network.
- protect the systems and data of the users themselves
And this is only one side of the problem (or rather one vertex of the triangle). On the other side is the convenience of the user and the price of the applied solutions.
Let's start by looking at what the user expects from a modern office network.
Facilities
Here is how I think “network amenities” for an office user:
- Mobility
- The ability to use the entire spectrum of familiar devices and operating systems
- Easy access to all necessary company resources
- Availability of Internet resources, including various cloud services
- "Quick work" network
All this applies to both employees and guests (or partners), and this is the task of the company's engineers, based on authorization, to differentiate access for different groups of users.
Let's take a closer look at each of these aspects.
Mobility
It is about the opportunity to work and use all the necessary company resources from anywhere in the world (of course, where the Internet is available).
This fully applies to the office. This is convenient when from anywhere in the office you have the opportunity to continue working, for example, to receive mail, to communicate in a corporate messenger, to be available for a video call ... Thus, this allows you, on the one hand, to solve some issues through "live" communication (for example, to participate in rallies), and on the other hand, to be always online, keep abreast of and quickly solve some urgent high-priority tasks. It is very convenient and, indeed, improves the quality of communications.
This is achieved by the correct design of the WiFi network.
Comment
Here the question usually arises, is it enough to use only WiFi? Does this mean that you can stop using the Ethernet ports in the office? If we are talking only about users, and not about servers, which, nevertheless, it is reasonable to connect with an ordinary Ethernet port, then the general answer is: yes, you can restrict yourself to WiFi. But there are nuances.
There are important user groups that require a separate approach. These are, of course, administrators. In principle, the WiFi connection is less reliable (in terms of traffic loss) and less speedy than a normal Ethernet port. This can be significant for administrators. In addition, network administrators, for example, in principle, can have their own dedicated Ethernet network for out-of-band connectivity.
Perhaps there are other groups / departments in your company for which these factors are also important.
There is another important point - telephony. Perhaps for some reason you do not want to use Wireless VoIP and want to use IP phones with a normal Ethernet connection.
In general, in those companies in which I worked, there was usually the possibility of both a WiFi connection and an Ethernet port.
I wish mobility was not limited to office only.
To enable work from home (or any other place with accessible Internet), a VPN connection is used. At the same time, it is desirable that employees do not feel the difference between working from home and remote work, which implies the presence of the same access. We will discuss how to organize this a bit later in the chapter “A single centralized system of authentication and authorization”.
Comment
Most likely, you will not be able to fully provide the same quality of services for remote work, which you have in the office. Let's assume that you use the Cisco ASA 5520 as a VPN gateway. According to the data sheet, this device can “digest” only 225 Mbps of VPN traffic. That is, of course, in terms of bandwidth, a VPN connection is very different from working from the office. Also, if for some reason, delay, loss, jitter (for example, you want to use office IP telephony) for your network services are essential, you also will not get the same quality as if you were in the office. Therefore, speaking of mobility, we must remember the possible limitations.
Easy access to all company resources
This task should be solved together with other technical departments.
The ideal situation is when the user needs to authenticate only once, and after that he gets access to all necessary resources.
Providing easy access without compromising security can significantly improve work efficiency and reduce the stress level of your colleagues.
Remark 1
Convenience of access is not only about how many times you have to enter a password. If, for example, in accordance with your security policy, to connect from the office to the data center, you must first connect to the VPN gateway, and you lose access to office resources, this is also very, very inconvenient.
Remark 2
There are services (for example, access to network equipment), where we usually have our dedicated AAA servers and this is the norm when in this case you have to authenticate several times.
Availability of Internet resources
The Internet is not only entertainment, but also a set of services that can be very useful for work. There are also purely psychological factors. A modern person through the Internet with many virtual threads is connected with other people, and, in my opinion, there is nothing bad if he continues to feel this connection even during work.
From the point of view of loss of time, there is nothing terrible if an employee, for example, has Skype running, and he will spend 5 minutes talking with a loved one if necessary.
Does this mean that the Internet should always be available, does this mean that employees can open access to all resources and not control them in any way?
No, it does not mean, of course. The level of openness of the Internet can be different for different companies - from complete closeness to complete openness. We will discuss ways to control traffic later in the sections on protection.
The ability to use the full range of familiar devices
It is convenient when, for example, you have the opportunity to continue to use all of your usual means of communication and at work. There is no difficulty in technically realizing this. For this you need WiFi and a guest wilan.
It is also good if you can use the operating system you are used to. But, in my observation, usually, it is allowed only to managers, administrators and developers.
Example
You can, of course, follow the path of restrictions, prohibit remote access, prohibit connections from mobile devices, restrict all static Ethernet connections, restrict Internet access, withdraw cell phones and gadgets at the gateway without fail ... and some organizations with elevated security requirements, and perhaps in some cases this may be justified, but ... agree that it looks like an attempt to stop the progress in a single organization. Of course, I would like to combine the possibilities offered by modern technologies with an adequate level of security.
"Quick work" network
The data transfer rate is technically made up of many factors. And the speed of your connection port is usually not the most important of them. Slow operation of the application is not always associated with network problems, but now we are only interested in the network part. The most common problem of "slowing down" the local network is associated with packet loss. This usually occurs when there is a bottleneck effect or L1 (OSI) problems. Less often, with some designs (for example, when the firewall acts as the default gateway on your subnets and thus all traffic goes through it), the performance of the equipment may not be enough.
Therefore, when choosing equipment and architecture, you need to correlate the speed of end ports, trunks and equipment performance.
Example
Suppose you are using switches with 1 gigabit ports as switches for the access level. Between themselves, they are connected via Etherchannel 2 x 10 gigabits. As the default gateway, you use a firewall with gigabit ports, to connect which to the L2 office network you use 2 gigabit ports integrated into an Etherchannel.
This architecture is quite convenient in terms of functionality, since all traffic passes through the firewall, and you can comfortably manage access policies, and apply complex traffic control algorithms and prevent possible attacks (see later), but from a capacity and performance point of view, this design certainly has potential problems. For example, 2 hosts that download data (at a port speed of 1 gigabit) can completely download 2 gigabit connectivity to the firewall, and thus lead to degradation of the service for the entire office segment.
We looked at one vertex of the triangle, now let's consider how we can provide security.
Means of protection
So, of course, usually, our desire (or rather, the desire of our leadership) is to achieve the impossible, namely, to provide maximum convenience with maximum security and minimum price.
Let's look at what methods we have to provide protection.
For the office, I would highlight the following:
- zero trust design approach
- high level of protection
- network visibility
- unified centralized authentication and authorization system
- host checking
Next, we dwell a little more on each of these aspects.
Zero trust
IT world is changing very quickly. Literally over the past 10 years, the emergence of new technologies and products has led to a major revision of the concepts of security. Ten years ago, from a security point of view, we segmented the network into a trust, dmz and untrust zone, and the so-called “perimeter defense” was applied, where there were 2 lines of defense: untrust -> dmz and dmz -> trust. Also, protection is usually limited to access lists based on L3 / L4 (OSI) headers (IP, TCP / UDP ports, TCP flags). Everything related to higher levels, including L7, was left at the mercy of the OS and protection products installed on the final hosts.
Now the situation has changed dramatically. The modern concept of zero trust is based on the fact that it is no longer possible to consider internal systems, that is, inside the perimeter, the systems are trusted, and the concept of perimeter itself has become blurred.
In addition to connecting to the Internet, we also have
- remote access VPN users
- various personal gadgets brought by laptops connected via office wifi
- other (branch) offices
- cloud infrastructure integration
What does the Zero Trust approach look like in practice?
Ideally, only the traffic that is required should be allowed, and if we are talking about the ideal, then the control should be not only at the L3 / L4 level, but at the application level.
If, for example, you have the opportunity to pass all traffic through the firewall, then you can try to get closer to the ideal. But this approach can significantly reduce the total bandwidth of your network, and besides, filtering by application does not always work well.
When controlling traffic on a router or L3 switch (using standard ACLs), you encounter other problems:
- This is only L3 / L4 filtering. Nothing prevents an attacker from using permitted ports (for example, TCP 80) for his application (not http)
- difficult ACL management (difficult to analyze ACL)
- this is not a statefull firewall, that is, you need to explicitly allow reverse traffic
- in the case of switches, you are usually quite rigidly limited by the size of the TCAM, which, if you use the “only allow what you need” approach, can quickly become a problem
Comment
Speaking about reverse traffic, we must remember that we have the following opportunity (Cisco)
permit tcp any any established
But we must understand that this line is equivalent to two lines:
permit tcp any any ack
permit tcp any any rst
Which means that even if there was no initial TCP segment with a SYN flag (that is, a TCP session did not even start to be established), this ACL will miss the packet with the ACK flag, which an attacker can use to transfer data.
That is, this line in no way turns your router or L3 switch into a statefull firewall.
High level of protection
In the article in the section on data centers, we considered the following methods of protection.
- stateful firewalling (default)
- ddos / dos protection
- application firewalling
- threat prevention (antivirus, anti-spyware, and vulnerability)
- URL filtering
- data filtering (content filtering)
- file blocking (file types blocking)
In the case of the office, the situation is similar, but the priorities are slightly different. Office availability (availabilty) is usually not as critical as in the case of a data center, while the probability of “internal” malicious traffic is much higher.
Therefore, the following methods of protection for this segment become critical:
- application firewalling
- threat prevention (anti-virus, anti-spyware, and vulnerability)
- URL filtering
- data filtering (content filtering)
- file blocking (file types blocking)
Although all of these protection methods, with the exception of application firewalling, have traditionally been and continue to be solved on end hosts (for example, installing antivirus programs) and using proxy, modern NGFW also provide these services.
Security equipment vendors strive to create comprehensive protection, so along with protection on the local box, various cloud technologies and end-point protection / EPP are offered. So, for example, from the Gartner Magic Quadrant (Gartner Magic Quadrant) for 2018, we see that Palo Alto and Cisco have their own EPP (PA: Traps, Cisco: AMP), but they are not among the leaders.
The inclusion of these protections (usually through the purchase of licenses) on the firewall is, of course, not mandatory (you can go the traditional way), but it has some advantages:
- in this case, a single point of application of protection methods appears, which improves visibility (see the next topic).
- if there is an unprotected device in your network, then it still falls under the “umbrella” of firewall protection
- using protection on the firewall in conjunction with protection on the end hosts, we increase the probability of detecting malicious traffic. For example, using threat prevention on local hosts and on the firewall increases the likelihood of detection (assuming, of course, that these solutions are based on different software products)
Comment
If, for example, you use Kaspersky as an antivirus on both the firewall and on the end hosts, then this, of course, will not greatly increase your chances of preventing a virus attack on your network.
Network visibility
The basic idea is simple - to “see” what is happening on your network, both in real time and historical data.
I would divide this “vision” into two groups:
Group one: what your monitoring system usually provides you.
- equipment loading
- loading channels
- memory usage
- disk usage
- change routing table
- link status
- availability of equipment (or hosts)
- ...
Group Two: security related information.
- various statistics (for example, by applications, by URL traffic, which types of data were downloaded, user data)
- what was blocked by security policies and for what reason, namely
- prohibited application
- prohibited based on ip / protocol / port / flags / zones
- threat prevention
- url filtering
- data filtering
- file blocking
- ...
- DOS / DDOS attack statistics
- unsuccessful authentication and authorization attempts
- statistics on all of the above security policy violations
- ...
In this security chapter, we are interested in the second part.
Some modern firewalls (from my Palo Alto practice) provide a good level of visibility. But, of course, the traffic that interests you should go through this firewall (in this case, you have the ability to block traffic) or mirror the firewall (used only for monitoring and analysis), and you must have licenses to enable all these services. .
There is, of course, an alternative path, or rather a traditional path, for example,
- Session statistics can be collected through netflow and then use special utilities for data analysis and data visualization.
- threat prevention - special programs (anti-virus, anti-spyware, firewall) on end hosts
- URL filtering, data filtering, file blocking - on proxy
- tcpdump can also be analyzed using, for example, snort
You can combine these two approaches, complementing the missing functions or duplicating them to increase the likelihood of detecting an attack.
Which approach to choose?
It strongly depends on the qualifications and preferences of your team.
And there, and there are pros and cons.
Unified centralized authentication and authorization system
With a good design, mobility, which we discussed in this article, assumes that you have the same access, working from the office or from home, from the airport, from a cafe or any other point (with the limitations that we discussed above). It would seem, what's the problem?
In order to better understand the complexity of this task, let's consider a typical design.
Example
- You broke all the staff into groups. You have decided to grant access by groups.
- Inside the office, you control access to the office firewall
- Traffic from the office to the data center you control on the firewall of the data center
- You use Cisco ASA as a VPN gateway and you use local ACL ACLs to control the traffic that enters your network from remote clients.
Now, suppose you are asked to add additional access to a specific employee. In this case, you are asked to add access only to him and more to anyone in his group.
To do this, we must create a separate group for this employee, that is,
- on ASA create a separate IP pool for this employee
- add a new ACL on the ASA and bind it to this remote client
- create new security policy on the office and data center firewalls
Well, if this event is rare. But in my practice there was a situation when employees participated in different projects, and this set of projects for some of them changed quite often, and it was not 1 -2 people, but dozens. Of course, there was something to change.
This was resolved as follows.
We decided that the only source of truth that determines all employee access is LDAP. We created all sorts of groups that define sets of accesses and we tied each user to one or several groups.
So for example, suppose there were groups
- guest (internet access)
- common access (access to shared resources: mail, knowledge base, ...)
- accounting
- project 1
- project 2
- data base administrator
- linux administrator
- ...
And if one of the employees was involved, both in project 1 and project 2, and he needed the access needed to work in these projects, then this employee was tied to the following groups:
- guest
- common access
- project 1
- project 2
How now to turn this information into accesses on network equipment?
Cisco ASA Dynamic Access Policy (DAP) (see www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide .html ) the solution is suitable for this task.
Briefly about our implementation, during the identification / authorization process, the ASA receives from LDAP a set of groups corresponding to a given user and “collects” from several local ACLs (each of which corresponds to a group) a dynamic ACL with all the necessary access that fully corresponds to our wishes.
But this is only for VPN connections. In order to make the situation the same for both employees connected via VPN and those in the office, the next step was taken.
When connecting from the office, users using the 802.1x protocol got into either the guest wilan (for guests), or the wilan with shared access (for company employees). Further, to obtain specific access (for example, to projects in the data center), employees had to connect via VPN.
To connect from the office and from home used different tunnel groups on the ASA. This is necessary so that for people who connect from the office, traffic to shared resources (used by all employees, such as mail, file servers, ticket system, dns, ...) does not go through ASA, but through the local network. Thus, we did not load ASA with excess traffic, including high-intensity traffic.
Thus, the problem was solved.
We got
- the same set of access, both for connections from the office and for remote connection
- no degradation of service when working from the office associated with the transmission of high-intensity traffic through the ASA
What is the advantage of this approach?
In the administration of access. Access is easily changed in one place.
For example, if an employee leaves a company, you simply remove him from LDAP, and he automatically loses all access.
Host checking
With the possibility of a remote connection, we get the risk of allowing not only an employee of the company to the network, but also all the malicious software that is most likely present on his computer (for example, home), and moreover, through this software we may open our network to the attacker using this host as a proxy.
It is reasonable for a remotely connected host to apply the same security requirements as a host located in the office.
This includes the “correct” version of the OS, anti-virus, anti-spyware, and firewall software and updates. Usually, this feature exists on the VPN gateway (for ASA, see, for example, here ).
It is also wise to apply the same methods of analyzing and blocking traffic (see “High level of protection”), which, in accordance with your security policy, applies to office traffic.
It is reasonable to proceed from the assumption that now your office network is not limited to an office building and the hosts located in it.
Example
A good reception is to provide each employee who needs remote access with a good, convenient laptop and demand to work, both in the office and from home, only from him.
This not only increases the security level of your network, but is also really convenient and usually perceived by employees positively (if it is a really good and convenient laptop).
About sense of proportion and balance
In principle, this is a conversation about the third vertex of our triangle - about the price.
Let's look at a hypothetical example.
Example
200 . .
. security , (anti-virus, anti-spyware, and firewall software), .
( ) 10- , — NGFW , , Palo Alto 7K (c 40 ), , , High Availability .
, , security .
, .
, 10 , ( ) .
, 200 …
? , .
…
, - , . — , , , .
Is this example exaggerated? The next chapter will answer this question.
If you are on your network, you do not see anything of the article reviewed in this article, then this is the norm
For each case, you need to find a reasonable compromise between convenience, price and security. Often NGFW is not even required in your office, L7 protection on the firewall is not required. Enough to provide a good level of visibility and alerts, and this can be done using open source products, for example. Yes, your reaction to the attack will not be instant, but the main thing is that you will see it, and if you have the right processes in your department, you will be able to quickly neutralize it.
And let me remind you that according to the intention of the cycle of these articles, you are not engaged in designing a network, you are just trying to improve what you got.
SAFE office architecture analysis
Pay attention to this red square, with which I have allocated a place in the diagram from the SAFE Secure Campus Architecture Guide that I would like to discuss here.
This is one of the key places of architecture and one of the most important uncertainties.
Note
I have never set up or worked with FirePower (from the Cisco firewall product line — only with ASA), so I will consider it like any other firewall, for example, like Juniper SRX or Palo Alto, assuming that it has the same features .
From conventional designs, I see only 4 possible uses of the firewall with this connection:
- , transparent ( , L3 )
- - ( SVI ), L2
- VRF, VRF , VRF ACL
- ,
1
, .
2
PBR ( service chain), , , , .
From the description of the streams in the document, we see that all the traffic goes through the firewall, that is, in accordance with the design of Cisco, the fourth option disappears.
Let's first consider the first two options.
With these options, all traffic goes through the firewall.
Now we look at the data sheet , we look at the Cisco GPL and see that if we want the total bandwidth for our office to have at least 10 to 20 gigabits, then we should buy the 4K version.
Note
When I talk about the total bandwidth, I mean traffic between subnets (and not within the same Vilana).
From the GPL, we see that for the HA Bundle with Threat Defense, the price, depending on the model (4110 - 4150), varies from ~ 0.5 - 2.5 million dollars.
That is, our design begins to resemble the previous example.
Does this mean that this design is wrong?
No, it does not mean.Cisco provides you with the best possible protection based on the product line it has. But this does not mean that it is a “mast-doo” for you.
In principle, this is a common question that arises when designing an office or a data center, and this only means that you need to look for a compromise.
For example, not all traffic is allowed through the firewall, and in this case, the third option seems pretty nice to me, or (see the previous section), you may not need Threat Defense or you don't need a firewall at all in this network segment, and you just need to passive monitoring with the use of paid (not expensive) or open source solutions, or firewall is needed, but another vendor.
Usually there is always this uncertainty and there is no definite answer as to which solution is best for you.
This is the complexity and beauty of this task.
Source: https://habr.com/ru/post/447610/
All Articles