K-20 Constituent Network Design. Recommendations

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "K-20 Constituent Network Design. Recommendations"

Transcription

1 Network Design Recommendations Recommendations for s to take into account when doing network design to help create a more easily defendable and manageable network K-20 Network Engineering 6/30/15 Network Design Recommendation

2 Contents Network Goals... 2 Common Components... 2 Recommendations to protect and defend and analyze... 2 Example Network Designs... 5 Documentation... 8 Network Diagram... 8 Equipment Information Repository... 8 Network Run Book... 8 Communications Plans... 8 Conclusion... 9 For more information... 9 Resources... 9 Figure 1: Simple Network Design... 5 Figure 2: Multiple ISP Network Design... 6 Figure 3: SaaS Network Design... 7 K-20 Network Engineering 1

3 Network Goals In today s online world, services vital to organizations performing their day to day operations web presence, VoIP, Real Time Collaboration, outsourced payroll, Telemedicine, standardized tests are becoming more dependent upon network communications. Outages of many sorts looped ports, overloaded firewalls, saturated links, DDoS attacks can bring an organization to a screeching halt, as such specific design strategies should be deployed to enhance the survivability of services. This document aims to help create a more fully functional network which has the specific goals. Dependable Scalable Defendable Stable Manageable Common Components A network which is designed with the following components should be able to provide the functionality needed while keeping aligned with the aforementioned goals. Routers Switches VLANS network space Public network space Subnets Access Control Lists Demilitarized Zone (DMZ) Firewalls Network Address Translation (NAT) Log Collector(s) Traffic Policy Devices The proper implementation and use of these components will help to create a highly scalable, dependable, defendable and stable network that can help to simplify analyzing, managing and mitigating outages. Recommendations to protect and defend and analyze The following are a list of recommendations that organizations can institute to help defend themselves against becoming a victim of an attack, participant in an attack on another organization, or to help identify the flows involved in an attack. Hardware: For (s), use a which is able to easily process all the data flows expected for not only normal operations, but to include operations when in a failed or attacked state K-20 Network Engineering 2

4 For (s), use a which is able to provide some robust Access Control List (ACL) capabilities For stateful and stateless firewall(s), use a firewall which will have enough processing power to handle all data flowing through it and will should not buckle under extreme load For stateful firewall(s), use a firewall which is able to inspect all traffic and proxy all necessary protocols which may need translations help such as SIP, H.323, etc Use redundant network infrastructure configurations where possible Use managed switches Use switches which are compatible with your chosen Layer 2 loop elimination protocols Use switches which are able to perform storm control protocols Configure all hardware to export their logs to an external log collection server, in addition to on-device log stores All network segments: Where possible, try to create non-loopable Layer 2 (L2) segments Where L2 loop elimination is not possible, use L2 loop elimination technologies (STP, PVST, RSTP, TRILL, etc ) Use broadcast storm control technologies (BPDU guard, Stormcontrol, etc ) Monitor network segment for network performance metrics (throughput, errors, levels, etc ) Log performance statistics violations of network segment to logging servers (allowable bandwidth exceeded, Utilize smart log analyzers to detect suspicious activities (Fluentd, Sagan, Splunk, etc ) Set up easily modifiable rate limiting infrastructure Network Infrastructure Links Segregate network infrastructure Links to dedicated ports (not shared with other subnets) Use authentication schemes in accordance with dynamic routing protocols (OSPF, BGP, etc ) Mirror traffic to deep packet inspection engine (SNORT, Suricata, etc ) Log data flows to an analysis server (NTOP, nprobe, cflowd, StealthWatch, plixer, etc ) Monitor link utilization for historical, trending and real time statistics User Subnets Segregate user subnets to their own VLANS NAT user subnets with a many:1 private:public outbound Know and understand the type of traffic that should be traversing the user subnet Don t allow inbound connections from the internet to user subnets Utilize host firewall and anti-virus on all hosts in user subnet Utilize a firewall or Access Control Lists (ACL) to prevent inbound connections on the user subnets Use a stateful inspection firewall to protect OSI layers 4-7 from more complex attacks Server Subnets K-20 Network Engineering 3

5 Segregate private server subnets to their own VLANS Possibly NAT private server subnets with a many:1 private:public outbound Utilize host firewall and anti-virus on all servers in the private server subnet Filter access to services which should not be accessed remotely (RDP, fileserver, etc ) Utilize a firewall or ACL on the private server subnet to prevent any access into the private subnet from the internet Utilize a firewall or ACL on the private server subnets to prevent access to anything but the authorized services Public Server Subnets Segregate public server subnets to their own VLANS NAT server subnets with a 1:1 private:public space For stateful firewalls, utilize a firewall which is able to inspect all traffic and proxy all necessary protocols which may need translations help such as SIP, H.323, etc Know and understand the services running on the servers in the server subnets Utilize host firewall and anti-virus on all servers in the public server subnet Filter access to services which should not be accessed remotely (RDP, fileserver, etc ) VoIP Subnets Segregate VoIP communications infrastructure to their own VLANS Know and understand the services running on the servers in the VoIP subnets NAT VoIP subnets with a Many:1 private:public and only allow outbound connections Filter access to services which should not be accessed remotely (RDP, fileserver, etc ) Utilize a host firewall on all servers on VoIP subnets to only allow traffic to specific services DMZ Subnets Relocate high-target resources to a DMZ, if service off-site is not possible Utilize a host firewall on all DMZ servers to only allow traffic to specific services Filter access to services which should not be accessed remotely (RDP, fileserver, etc ) Filter access to services which should not be accessed remotely (RDP, fileserver, etc ) Offsite Subnets Off-site high-target resources (DNS, CRM, Web, Mail, etc ) to alternate service locations (colocation, SaaS, etc ) Use firewall and anti-virus as applicable on offsite services (SaaS, DaaS, IaaS, etc ) Monitoring Record all network events for analysis K-20 Network Engineering 4

6 Utilize smart log analyzers to detect suspicious activities (Fluentd, Sagan, Splunk, etc ) Utilize DDoS mitigation services to detect and clean dirty traffic Use IPS / IDS to prevent and detect intrusions Example Network Designs Below are some example network designs which incorporate a number of the proposed recommendations above to help create a more easily managed and defendable network which can lead to lessened impact by negative network events and ensure service availability. These designs are intended to be more logical designs with an understanding that there may be many instances of particular portions of the designs within an organization. While each of these designs focus on specific aspects of network design, parts of them can be combined and merged with each other to provide the appropriate network design that best fits the needs of the organization. FIGURE 1: SIMPLE NETWORK DESIGN Servers should be running local firewalls web server DNS Server collaboration server mail server dmz switch Public Subnet Via 1:1 NAT or Public addresses. Should have Firewall or ACLs on the Router limiting access to only the available services log collector monitor server file server Server Subnet On firewall or User Subnet On firewall or firewall Public and Network Space Internet Provider laptops PC As can be seen in the above diagram, the users and servers are segmented onto different VLANs to prevent local broadcast problems interfering with each other and taking out the entire network. The use of Layer 2 protocols such as spanning tree (STP, RSTP, PVSTP, etc ) and broadcast storm mitigation protocols (BPDU Guard, Storm Control, etc ) helps to prevent a looped port or an errantly broadcasting device from taking out all user and server subnets. Some services which may be high bandwidth or may not interact well with firewalling technologies are configured on a DMZ connected to the and are able to be protected with local firewalls and ACLs or firewall filters on the. The use of dynamic routing protocols such as OSPF may or may not be utilized in this K-20 Network Engineering 5

7 situation depending on the complexity and diameter of the network, for example if there were multiple s or multiple firewalls servicing all the network segments. The use of dynamic protocols helps to ensure that as new segments are added or new s are added that static routes do not have to be updated. Per user, subnet, or service rate limits may be placed on the firewall or to ensure that there are bounds on an errant devices or that may be trying to consume all the network resources. The and firewall in this scenario should be logging information about equipment performance, observed network events, user data flows, and any other information that is pertinent to the organization to the log collectors and monitoring servers so that real time stats and historical information can be reviewed for forecasting and forensic investigation. This option is a fairly common option for a medium sized organization which has a single internet connection and cannot afford to offsite services or purchase additional internet connections. FIGURE 2: MULTIPLE ISP NETWORK DESIGN Servers should be running local firewalls web server collaboration server dmz switch Public Subnet Via 1:1 NAT or Public addresses. Should have Firewall or ACLs on the Router limiting access to only the available services Internet Provider log collector Monitor server file server Server Subnet User Subnet firewall Public Network Internet Provider laptops PC Voice Subnet And only outbound Connections From Voice server allowed Phones Voice server While still implementing the monitoring and Layer 2 and Layer 3 protocols as referenced in the network design above, the above diagram has segregated services which may have been high likelihood targets or provide critical services to their own internet connectivity. This may be a separate connection coming into the organizations existing data center and utilizing VLANs and a K-20 Network Engineering 6

8 separate, or this may be a case where the organization has collocated the services to an external vendor. This prevents attacks to those high target servers from impacting the day to day operations of the users and local servers required for their day to day operations. It also provides a boundary so that issues which may arise within the local network are less likely to be able to negatively impact services which may be critical for business functions or brand identity. Also of note: in this scenario, the organization has deployed Voice over IP (VoIP) services, and have segregated those services onto their own VLAN to ensure that voice services are as protected as possible. This type of network design is quite often used by organizations which may have some of its web presence hosted externally. FIGURE 3: SAAS NETWORK DESIGN Servers should be running local firewalls web server DNS switch SaaS Provider log collector file server Server Subnet User Subnet firewall Public Network Internet Provider laptops PC As is the case with the previously mentioned network design, the design above has collocated some of its services to third party SaaS providers. This affords the organization the ability to have an external company manage and maintain the security policies and infrastructure for critical systems without taking on the complexity and cost of maintaining the appropriate security infrastructure. One other feature that is often offered by the SaaS providers is guarantees of uptime, specifically that 100% uptimes are guaranteed for critical services and brand identity. The cost of the SaaS services vary widely based upon throughput, number of servers required, levels of response, services being protected, etc While this design helps to ensure that services are always available, that does come at additional cost. K-20 Network Engineering 7

9 Documentation One of the most important things about managing a network is making sure that it is documented properly. Documentation of the network consists of a number different information stores, but a few types that are essential to ensure that all individuals are working with the same understanding and goals are listed below. Network Diagram All networks should have a detailed network diagram. Included above are some generic network diagrams, but the network diagrams that are generated for an organizations network should contain information about what servers and services are located on which systems and how they all interconnect. This should be in an easy to read pictorial format. This network diagram may be broken up into a number of smaller more detailed documents for clarity s sake, but there should be an overarching diagram which should reference detailed documents. There are a number of examples of what these diagrams may look at here in the link in the resources at the end of this document. Equipment Information Repository As part of the documentation for the network, there should be an equipment information repository. This information should be in an easy to review format and should be centrally located so all individuals of the organization know what equipment is active and the functions that equipment performs. This should also contain information such as warranty and support information. This information is operational information that may be referenced by the Network Run Book for appropriately responding to an incident within the network. Network Run Book Another key document to ensure proper network management and stability is the Network Run Book. This book defines all the processes that are utilized to manage and maintain the activities associated with the network. This includes functions such as adding in new segments, new servers, new s, new routes, new customers, new VPN connections, etc This book should be the authoritative guide for how to execute and react to incidents. This document should reference well defined communication plans, if there are to be communications about activities governed by this document. In addition to the Communications Plans for each of the activities in the Network Run Book, there should be a well-defined Roles and Responsibilities matrix developed. This should contain information about who is Responsible, Accountable, Contributing and Informed (RACI) about the procedures in the Network Run Book. Communications Plans Communications plans are vital for disseminating information about the going-on in a network. A well-defined and executed communication plan should be developed to ensure that when there are network issues that information can be broadcast and notifications can occur in a timely manner. The organization should have clearly defined roles and methodologies of communications, bearing in mind that normal means of communications may be hindered because of network unavailability, therefore non-traditional forms of communications, or old school forms may be more reliable. K-20 Network Engineering 8

10 Conclusion While this document is intended to present a number of recommendations for how to architect and implement a network, it is by no means authoritative in all circumstances, nor does it address every situation that may arise. The architecture and management of a network is an ever evolving process that changes with technologies, people, organizational needs, and any other number of factors. The main thing to be cognizant of is that the network should be constructed to be scalable, flexible, defendable, and manageable. For more information If you have more questions, comments or requests about the materials covered in this document or for additional documents, please contact the your organizations K-20 liaison, your sector representative, or the K-20 Program Office. If the matter is regarding an operational issue, please contact the K-20 NOC at or +1 (888) Resources Below are a list of resources which go into great detail regarding various aspects of the technologies mentioned in this document. These links are by no means the authoritative repository, they are meant to be a stepping off place for further research and evaluation. Here are some resources for some of the lower level components that should be utilized, these are very basic building blocks to help build up more complex networks. Router Switch Firewall VLANs https://en.wikipedia.org/wiki/access_control_list OSI Model Access Control Lists (ACL) Network Diagram Examples diagram Network Run Book https://en.wikipedia.org/wiki/runbook Network Run Book Example https://contursiconsulting.com/documents/xyz_directory_runook.doc Below are some articles which go into comparisons of various logging and analysis tools with their strengths, weaknesses and caveats to them: Flow collection tools Log Analyzer tools RACI Information https://en.wikipedia.org/wiki/responsibility_assignment_matrix K-20 Network Engineering 9

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1 Industrial Network Security for SCADA, Automation, Process Control and PLC Systems Contents 1 An Introduction to Industrial Network Security 1 1.1 Course overview 1 1.2 The evolution of networking 1 1.3

More information

Chapter 11 Cloud Application Development

Chapter 11 Cloud Application Development Chapter 11 Cloud Application Development Contents Motivation. Connecting clients to instances through firewalls. Chapter 10 2 Motivation Some of the questions of interest to application developers: How

More information

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection. A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based

More information

Recommended IP Telephony Architecture

Recommended IP Telephony Architecture Report Number: I332-009R-2006 Recommended IP Telephony Architecture Systems and Network Attack Center (SNAC) Updated: 1 May 2006 Version 1.0 SNAC.Guides@nsa.gov This Page Intentionally Left Blank ii Warnings

More information

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Firewalls and VPNs. Principles of Information Security, 5th Edition 1 Firewalls and VPNs Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to: Understand firewall technology and the various approaches

More information

INTRODUCTION TO FIREWALL SECURITY

INTRODUCTION TO FIREWALL SECURITY INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA. What Is a Firewall DMZ

More information

Chapter 15. Firewalls, IDS and IPS

Chapter 15. Firewalls, IDS and IPS Chapter 15 Firewalls, IDS and IPS Basic Firewall Operation The firewall is a border firewall. It sits at the boundary between the corporate site and the external Internet. A firewall examines each packet

More information

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls CS426 Fall 2010/Lecture 36 1 Announcements There will be a quiz on Wed There will be a guest lecture on Friday, by Prof. Chris Clifton

More information

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall

More information

NETE-4635 Computer Network Analysis and Design. Designing a Network Topology. NETE4635 - Computer Network Analysis and Design Slide 1

NETE-4635 Computer Network Analysis and Design. Designing a Network Topology. NETE4635 - Computer Network Analysis and Design Slide 1 NETE-4635 Computer Network Analysis and Design Designing a Network Topology NETE4635 - Computer Network Analysis and Design Slide 1 Network Topology Design Themes Hierarchy Redundancy Modularity Well-defined

More information

Cisco Discovery 3: Introducing Routing and Switching in the Enterprise 157.8 hours teaching time

Cisco Discovery 3: Introducing Routing and Switching in the Enterprise 157.8 hours teaching time Essential Curriculum Computer Networking II Cisco Discovery 3: Introducing Routing and Switching in the Enterprise 157.8 hours teaching time Chapter 1 Networking in the Enterprise-------------------------------------------------

More information

Hosting more than one FortiOS instance on. VLANs. 1. Network topology

Hosting more than one FortiOS instance on. VLANs. 1. Network topology Hosting more than one FortiOS instance on a single FortiGate unit using VDOMs and VLANs 1. Network topology Use Virtual domains (VDOMs) to divide the FortiGate unit into two or more virtual instances of

More information

Configuring IP Load Sharing in AOS Quick Configuration Guide

Configuring IP Load Sharing in AOS Quick Configuration Guide Configuring IP Load Sharing in AOS Quick Configuration Guide ADTRAN Operating System (AOS) includes IP Load Sharing for balancing outbound IP traffic across multiple interfaces. This feature can be used

More information

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions Find your network example: 1. Basic network with and 2 WAN lines - click here 2. Add a web server to the LAN - click here 3. Add a web,

More information

CTS2134 Introduction to Networking. Module 8.4 8.7 Network Security

CTS2134 Introduction to Networking. Module 8.4 8.7 Network Security CTS2134 Introduction to Networking Module 8.4 8.7 Network Security Switch Security: VLANs A virtual LAN (VLAN) is a logical grouping of computers based on a switch port. VLAN membership is configured by

More information

http://www.it-exams.com

http://www.it-exams.com -The fastest and guaranteed way to certy now! http://www.it-exams.com Exam Number : SY0-301 Exam Name : Security+ Certification Exam 2011 version Version : Demo QUESTION NO: 1 Actively monitoring data

More information

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA To purchase Full version of Practice exam click below; http://www.certshome.com/jk0-022-practice-test.html FOR CompTIA JK0-022 Exam Candidates

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network

More information

Disaster Recovery Design Ehab Ashary University of Colorado at Colorado Springs

Disaster Recovery Design Ehab Ashary University of Colorado at Colorado Springs Disaster Recovery Design Ehab Ashary University of Colorado at Colorado Springs As a head of the campus network department in the Deanship of Information Technology at King Abdulaziz University for more

More information

8. Firewall Design & Implementation

8. Firewall Design & Implementation DMZ Networks The most common firewall environment implementation is known as a DMZ, or DeMilitarized Zone network. A DMZ network is created out of a network connecting two firewalls; i.e., when two or

More information

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015) s (March 4, 2015) Abdou Illia Spring 2015 Test your knowledge Which of the following is true about firewalls? a) A firewall is a hardware device b) A firewall is a software program c) s could be hardware

More information

Firewall Configuration. Firewall Configuration. Solution 9-314 1. Firewall Principles

Firewall Configuration. Firewall Configuration. Solution 9-314 1. Firewall Principles Configuration Configuration Principles Characteristics Types of s Deployments Principles connectivity is a common component of today s s networks Benefits: Access to wide variety of resources Exposure

More information

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute

More information

Security Design. thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/

Security Design. thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/ Security Design thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/ Content Security Design Analysing Design Requirements Resource Separation a Security Zones VLANs Tuning Load Balancing

More information

Layer-2 Design: Link Balancers Simplified

Layer-2 Design: Link Balancers Simplified Technology White Paper Layer-2 Design: Link Balancers Simplified Build Smarter Networks Table of Contents 1. Executive Summary... 3 2. Overview of the Problem... 3 3. Layer-2 Design Principles... 4 4.

More information

White Paper 230-1040-001. Copyright 2011 Nomadix, Inc. All Rights Reserved. Thursday, January 05, 2012

White Paper 230-1040-001. Copyright 2011 Nomadix, Inc. All Rights Reserved. Thursday, January 05, 2012 Nomadix Service Engine Enterprise Guest Access Application Copyright 2011 Nomadix, Inc. All Rights Reserved. Thursday, January 05, 2012 30851 Agoura Road Suite 102 Agoura Hills, CA 91301 USA www.nomadix.com

More information

Government of Canada Managed Security Service (GCMSS) Annex A-1: Statement of Work - Firewall

Government of Canada Managed Security Service (GCMSS) Annex A-1: Statement of Work - Firewall Government of Canada Managed Security Service (GCMSS) Date: July 12, 2012 TABLE OF CONTENTS 1 FIREWALL... 1 1.1 SECURITY...1 1.2 STANDARDS...1 1.3 FAILOVER...2 1.4 PERFORMANCE...3 1.5 REPORTING...3 1.6

More information

Networking Devices. Lesson 6

Networking Devices. Lesson 6 Networking Devices Lesson 6 Objectives Exam Objective Matrix Technology Skill Covered Exam Objective Exam Objective Number Network Interface Cards Modems Media Converters Repeaters and Hubs Bridges and

More information

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams

More information

Interconnecting Cisco Networking Devices Part 2

Interconnecting Cisco Networking Devices Part 2 Interconnecting Cisco Networking Devices Part 2 Course Number: ICND2 Length: 5 Day(s) Certification Exam This course will help you prepare for the following exam: 640 816: ICND2 Course Overview This course

More information

Deploying ACLs to Manage Network Security

Deploying ACLs to Manage Network Security PowerConnect Application Note #3 November 2003 Deploying ACLs to Manage Network Security This Application Note relates to the following Dell PowerConnect products: PowerConnect 33xx Abstract With new system

More information

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall Chapter 2: Security Techniques Background Chapter 3: Security on Network and Transport Layer Chapter 4: Security on the Application Layer Chapter 5: Security Concepts for Networks Firewalls Intrusion Detection

More information

Cisco Networking Professional-6Months Project Based Training

Cisco Networking Professional-6Months Project Based Training Cisco Networking Professional-6Months Project Based Training Core Topics Cisco Certified Networking Associate (CCNA) 1. ICND1 2. ICND2 Cisco Certified Networking Professional (CCNP) 1. CCNP-ROUTE 2. CCNP-SWITCH

More information

NEFSIS DEDICATED SERVER

NEFSIS DEDICATED SERVER NEFSIS TRAINING SERIES Nefsis Dedicated Server version 5.2.0.XXX (DRAFT Document) Requirements and Implementation Guide (Rev5-113009) REQUIREMENTS AND INSTALLATION OF THE NEFSIS DEDICATED SERVER Nefsis

More information

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall Chapter 10 Firewall Firewalls are devices used to protect a local network from network based security threats while at the same time affording access to the wide area network and the internet. Basically,

More information

DDoS Overview and Incident Response Guide. July 2014

DDoS Overview and Incident Response Guide. July 2014 DDoS Overview and Incident Response Guide July 2014 Contents 1. Target Audience... 2 2. Introduction... 2 3. The Growing DDoS Problem... 2 4. DDoS Attack Categories... 4 5. DDoS Mitigation... 5 1 1. Target

More information

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP belka@att.net

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP belka@att.net Security Frameworks An Enterprise Approach to Security Robert Belka Frazier, CISSP belka@att.net Security Security is recognized as essential to protect vital processes and the systems that provide those

More information

Top-Down Network Design

Top-Down Network Design Top-Down Network Design Chapter Five Designing a Network Topology Copyright 2010 Cisco Press & Priscilla Oppenheimer Topology A map of an internetwork that indicates network segments, interconnection points,

More information

Security Technology: Firewalls and VPNs

Security Technology: Firewalls and VPNs Security Technology: Firewalls and VPNs 1 Learning Objectives Understand firewall technology and the various approaches to firewall implementation Identify the various approaches to remote and dial-up

More information

Firewalls, IDS and IPS

Firewalls, IDS and IPS Session 9 Firewalls, IDS and IPS Prepared By: Dr. Mohamed Abd-Eldayem Ref.: Corporate Computer and Network Security By: Raymond Panko Basic Firewall Operation 2. Internet Border Firewall 1. Internet (Not

More information

Network Security Topologies. Chapter 11

Network Security Topologies. Chapter 11 Network Security Topologies Chapter 11 Learning Objectives Explain network perimeter s importance to an organization s security policies Identify place and role of the demilitarized zone in the network

More information

Application Note. Stateful Firewall, IPS or IDS Load- Balancing

Application Note. Stateful Firewall, IPS or IDS Load- Balancing Application Note Stateful Firewall, IPS or IDS Load- Balancing Document version: v1.0 Last update: 8th November 2013 Purpose Improve scallability of the security layer Limitations when Load-Balancing firewalls

More information

Firewall Environments. Name

Firewall Environments. Name Complliiance Componentt DEEFFI INITION Description Rationale Firewall Environments Firewall Environment is a term used to describe the set of systems and components that are involved in providing or supporting

More information

Secure Networks for Process Control

Secure Networks for Process Control Secure Networks for Process Control Leveraging a Simple Yet Effective Policy Framework to Secure the Modern Process Control Network An Enterasys Networks White Paper There is nothing more important than

More information

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1 Smart Tips Enabling WAN Load Balancing Overview Many small businesses today use broadband links such as DSL or Cable, favoring them over the traditional link such as T1/E1 or leased lines because of the

More information

Lucent VPN Firewall Security in 802.11x Wireless Networks

Lucent VPN Firewall Security in 802.11x Wireless Networks Lucent VPN Firewall Security in 802.11x Wireless Networks Corporate Wireless Deployment is Increasing, But Security is a Major Concern The Lucent Security Products can Secure Your Networks This white paper

More information

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005 State of New Mexico Statewide Architectural Configuration Requirements Title: Network Security Standard S-STD005.001 Effective Date: April 7, 2005 1. Authority The Department of Information Technology

More information

Proxy Server, Network Address Translator, Firewall. Proxy Server

Proxy Server, Network Address Translator, Firewall. Proxy Server Proxy Server, Network Address Translator, Firewall 1 Proxy Server 2 1 Introduction What is a proxy server? Acts on behalf of other clients, and presents requests from other clients to a server. Acts as

More information

Course Contents CCNP (CISco certified network professional)

Course Contents CCNP (CISco certified network professional) Course Contents CCNP (CISco certified network professional) CCNP Route (642-902) EIGRP Chapter: EIGRP Overview and Neighbor Relationships EIGRP Neighborships Neighborship over WANs EIGRP Topology, Routes,

More information

Introducing Network Design Concepts

Introducing Network Design Concepts CHAPTER 1 Introducing Network Design Concepts Objectives Upon completion of this chapter, you should be able to answer the following questions: What are the benefits of a hierarchal network design? What

More information

Voice Over IP and Firewalls

Voice Over IP and Firewalls Introduction Voice Over IP and Firewalls By Mark Collier Chief Technology Officer SecureLogix Corporation mark.collier@securelogix.com Use of Voice Over IP (VoIP) in enterprises is becoming more and more

More information

"Charting the Course...

Charting the Course... Description "Charting the Course... Course Summary Interconnecting Cisco Networking Devices: Accelerated (CCNAX), is a course consisting of ICND1 and ICND2 content in its entirety, but with the content

More information

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..

More information

COURSE AGENDA. Lessons - CCNA. CCNA & CCNP - Online Course Agenda. Lesson 1: Internetworking. Lesson 2: Fundamentals of Networking

COURSE AGENDA. Lessons - CCNA. CCNA & CCNP - Online Course Agenda. Lesson 1: Internetworking. Lesson 2: Fundamentals of Networking COURSE AGENDA CCNA & CCNP - Online Course Agenda Lessons - CCNA Lesson 1: Internetworking Internetworking models OSI Model Discuss the OSI Reference Model and its layers Purpose and function of different

More information

Integrate Cisco Application Centric Infrastructure with Existing Networks

Integrate Cisco Application Centric Infrastructure with Existing Networks White Paper Integrate Cisco Application Centric Infrastructure with Existing Networks What You Will Learn Cisco Application Centric Infrastructure (ACI) offers a revolutionary way of deploying, managing,

More information

Description: Objective: Upon completing this course, the learner will be able to meet these overall objectives:

Description: Objective: Upon completing this course, the learner will be able to meet these overall objectives: Course: Building Cisco Service Provider Next-Generation Networks, Part 2 Duration: 5 Day Hands-On Lab & Lecture Course Price: $ 3,750.00 Learning Credits: 38 Description: The Building Cisco Service Provider

More information

IP Telephony Management

IP Telephony Management IP Telephony Management How Cisco IT Manages Global IP Telephony A Cisco on Cisco Case Study: Inside Cisco IT 1 Overview Challenge Design, implement, and maintain a highly available, reliable, and resilient

More information

Configuring the Transparent or Routed Firewall

Configuring the Transparent or Routed Firewall 5 CHAPTER This chapter describes how to set the firewall mode to routed or transparent, as well as how the firewall works in each firewall mode. This chapter also includes information about customizing

More information

Network Virtualization Network Admission Control Deployment Guide

Network Virtualization Network Admission Control Deployment Guide Network Virtualization Network Admission Control Deployment Guide This document provides guidance for enterprises that want to deploy the Cisco Network Admission Control (NAC) Appliance for their campus

More information

Internet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering

Internet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering Internet Firewall CSIS 4222 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 27: Internet Routing Ch 30: Packet filtering & firewalls

More information

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9 Firewalls and Intrusion Prevention Systems Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish

More information

SSVP SIP School VoIP Professional Certification

SSVP SIP School VoIP Professional Certification SSVP SIP School VoIP Professional Certification Exam Objectives The SSVP exam is designed to test your skills and knowledge on the basics of Networking and Voice over IP. Everything that you need to cover

More information

Network Segmentation

Network Segmentation Network Segmentation The clues to switch a PCI DSS compliance s nightmare into an easy path Although best security practices should be implemented in all systems of an organization, whether critical or

More information

HOSTED VOICE Bring Your Own Bandwidth & Remote Worker. Install and Best Practices Guide

HOSTED VOICE Bring Your Own Bandwidth & Remote Worker. Install and Best Practices Guide HOSTED VOICE Bring Your Own Bandwidth & Remote Worker Install and Best Practices Guide 2 Thank you for choosing EarthLink! EarthLinks' best in class Hosted Voice phone service allows you to deploy phones

More information

Firewall and Router Policy

Firewall and Router Policy Firewall and Router Policy Approved By: \S\ James Palmer CSC Loss Prevention Director PCI Policy # 1600 Version # 1.1 Effective Date: 12/31/2011 Revision Date: 12/31/2014 December 31, 2011 Date 1.0 Purpose:

More information

Best Practices for Securing IP Telephony

Best Practices for Securing IP Telephony Best Practices for Securing IP Telephony Irwin Lazar, CISSP Senior Analyst Burton Group Agenda VoIP overview VoIP risks Mitigation strategies Recommendations VoIP Overview Hosted by VoIP Functional Diagram

More information

State of Texas. TEX-AN Next Generation. NNI Plan

State of Texas. TEX-AN Next Generation. NNI Plan State of Texas TEX-AN Next Generation NNI Plan Table of Contents 1. INTRODUCTION... 1 1.1. Purpose... 1 2. NNI APPROACH... 2 2.1. Proposed Interconnection Capacity... 2 2.2. Collocation Equipment Requirements...

More information

Networking Topology For Your System

Networking Topology For Your System This chapter describes the different networking topologies supported for this product, including the advantages and disadvantages of each. Select the one that best meets your needs and your network deployment.

More information

CHAPTER 6 DESIGNING A NETWORK TOPOLOGY

CHAPTER 6 DESIGNING A NETWORK TOPOLOGY CHAPTER 6 DESIGNING A NETWORK TOPOLOGY Expected Outcomes Able to identify terminology that will help student discuss technical goals with customer. Able to introduce a checklist that can be used to determine

More information

What would you like to protect?

What would you like to protect? Network Security What would you like to protect? Your data The information stored in your computer Your resources The computers themselves Your reputation You risk to be blamed for intrusions or cyber

More information

Firewall Architecture

Firewall Architecture NEXTEP Broadband White Paper Firewall Architecture Understanding the purpose of a firewall when connecting to ADSL network services. A Nextep Broadband White Paper June 2001 Firewall Architecture WHAT

More information

This chapter covers the following topics:

This chapter covers the following topics: This chapter covers the following topics: Components of SAFE Small Network Design Corporate Internet Module Campus Module Branch Versus Headend/Standalone Considerations for Small Networks C H A P T E

More information

Multi-Homing Security Gateway

Multi-Homing Security Gateway Multi-Homing Security Gateway MH-5000 Quick Installation Guide 1 Before You Begin It s best to use a computer with an Ethernet adapter for configuring the MH-5000. The default IP address for the MH-5000

More information

- Introduction to Firewalls -

- Introduction to Firewalls - 1 Firewall Basics - Introduction to Firewalls - Traditionally, a firewall is defined as any device (or software) used to filter or control the flow of traffic. Firewalls are typically implemented on the

More information

Injazat s Managed Services Portfolio

Injazat s Managed Services Portfolio Injazat s Managed Services Portfolio Overview Premium Managed Services to Transform Your IT Environment Injazat s Premier Tier IV Data Center is built to offer the highest level of security and reliability.

More information

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam JK0 015 CompTIA E2C Security+ (2008 Edition) Exam Version 4.1 QUESTION NO: 1 Which of the following devices would be used to gain access to a secure network without affecting network connectivity? A. Router

More information

REFERENCE ARCHITECTURES FOR MANUFACTURING

REFERENCE ARCHITECTURES FOR MANUFACTURING Synopsis Industry adoption of EtherNet/IP TM for control and information resulted in the wide deployment of standard Ethernet in manufacturing. This deployment acts as the technology enabler for the convergence

More information

Cisco Certified Network Professional - Routing & Switching

Cisco Certified Network Professional - Routing & Switching Cisco Certified Network Professional - Routing & Switching Information Course Price 5,265 No. Vouchers: Course Code 0 Vouchers CCNP-RS No. Courses: 3 1/9 Implementing Cisco IP Routing Information Length:

More information

Network Security Guidelines. e-governance

Network Security Guidelines. e-governance Network Security Guidelines for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type

More information

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN) MIS5206 Week 12 Your Name Date 1. Which significant risk is introduced by running the file transfer protocol (FTP) service on a server in a demilitarized zone (DMZ)? a) User from within could send a file

More information

Introducing Network Design Concepts

Introducing Network Design Concepts CHAPTER 1 Introducing Network Design Concepts Objectives Upon completion of this chapter, you should be able to answer the following questions: What are the benefits of a hierarchal network design? What

More information

A Model Design of Network Security for Private and Public Data Transmission

A Model Design of Network Security for Private and Public Data Transmission 2011, TextRoad Publication ISSN 2090-424X Journal of Basic and Applied Scientific Research www.textroad.com A Model Design of Network Security for Private and Public Data Transmission Farhan Pervez, Ali

More information

This chapter covers four comprehensive scenarios that draw on several design topics covered in this book:

This chapter covers four comprehensive scenarios that draw on several design topics covered in this book: This chapter covers four comprehensive scenarios that draw on several design topics covered in this book: Scenario One: Pearland Hospital Scenario Two: Big Oil and Gas Scenario Three: Beauty Things Store

More information

640-816: Interconnecting Cisco Networking Devices Part 2 v1.1

640-816: Interconnecting Cisco Networking Devices Part 2 v1.1 640-816: Interconnecting Cisco Networking Devices Part 2 v1.1 Course Introduction Course Introduction Chapter 01 - Small Network Implementation Introducing the Review Lab Cisco IOS User Interface Functions

More information

Developing Network Security Strategies

Developing Network Security Strategies NETE-4635 Computer Network Analysis and Design Developing Network Security Strategies NETE4635 - Computer Network Analysis and Design Slide 1 Network Security Design The 12 Step Program 1. Identify network

More information

CMPT 471 Networking II

CMPT 471 Networking II CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access

More information

How Cisco IT Uses Firewalls to Protect Cisco Internet Access Locations

How Cisco IT Uses Firewalls to Protect Cisco Internet Access Locations How Cisco IT Uses Firewalls to Protect Cisco Internet Access Locations Cisco PIX Security Appliance provides stateful firewall protection at smaller Internet gateways. Cisco IT Case Study / Security and

More information

Ranch Networks for Hosted Data Centers

Ranch Networks for Hosted Data Centers Ranch Networks for Hosted Data Centers Internet Zone RN20 Server Farm DNS Zone DNS Server Farm FTP Zone FTP Server Farm Customer 1 Customer 2 L2 Switch Customer 3 Customer 4 Customer 5 Customer 6 Ranch

More information

Hosted Voice. Best Practice Recommendations for VoIP Deployments

Hosted Voice. Best Practice Recommendations for VoIP Deployments Hosted Voice Best Practice Recommendations for VoIP Deployments Thank you for choosing EarthLink! EarthLinks best in class Hosted Voice phone service allows you to deploy phones anywhere with a Broadband

More information

Network Security. Outlines: Introduction to Network Security Dfii Defining Security Zones DMZ. July 2010. Network Security 08

Network Security. Outlines: Introduction to Network Security Dfii Defining Security Zones DMZ. July 2010. Network Security 08 Network Security (Principles i & Practices) Outlines: Introduction to Network Security Dfii Defining Security Zones DMZ By: Arash Habibi Lashkari July 2010 1 Introduction to Network Security Model of Network

More information

Load Balancing for Microsoft Office Communication Server 2007 Release 2

Load Balancing for Microsoft Office Communication Server 2007 Release 2 Load Balancing for Microsoft Office Communication Server 2007 Release 2 A Dell and F5 Networks Technical White Paper End-to-End Solutions Team Dell Product Group Enterprise Dell/F5 Partner Team F5 Networks

More information

Secure networks are crucial for IT systems and their

Secure networks are crucial for IT systems and their ISSA The Global Voice of Information Security Network Security Architecture By Mariusz Stawowski ISSA member, Poland Chapter Secure networks are crucial for IT systems and their proper operation. Essential

More information

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab 9940313 March 04, 2004

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab 9940313 March 04, 2004 SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab 9940313 March 04, 2004 Introduction: A computer firewall protects computer networks from unwanted intrusions which could compromise confidentiality

More information

Software Defined Networking A quantum leap for Devops?

Software Defined Networking A quantum leap for Devops? Software Defined Networking A quantum leap for Devops? TNG Technology Consulting GmbH, http://www.tngtech.com/ Networking is bottleneck in today s devops Agile software development and devops is increasing

More information

CompTIA Network+ (Exam N10-005)

CompTIA Network+ (Exam N10-005) CompTIA Network+ (Exam N10-005) Length: Location: Language(s): Audience(s): Level: Vendor: Type: Delivery Method: 5 Days 182, Broadway, Newmarket, Auckland English, Entry Level IT Professionals Intermediate

More information

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ PAVING THE PATH TO THE ELIMINATION A RSACCESS WHITE PAPER 1 The Traditional Role of DMZ 2 The Challenges of today s DMZ deployments 2.1 Ensuring the Security of Application and Data Located in the DMZ

More information

Chapter 2 TOPOLOGY SELECTION. SYS-ED/ Computer Education Techniques, Inc.

Chapter 2 TOPOLOGY SELECTION. SYS-ED/ Computer Education Techniques, Inc. Chapter 2 TOPOLOGY SELECTION SYS-ED/ Computer Education Techniques, Inc. Objectives You will learn: Topology selection criteria. Perform a comparison of topology selection criteria. WebSphere component

More information

Essential Curriculum Computer Networking 1. PC Systems Fundamentals 35 hours teaching time

Essential Curriculum Computer Networking 1. PC Systems Fundamentals 35 hours teaching time Essential Curriculum Computer Networking 1 PC Systems Fundamentals 35 hours teaching time Part 1----------------------------------------------------------------------------------------- 2.3 hours Develop

More information

Cisco Certified Network Associate Exam. Operation of IP Data Networks. LAN Switching Technologies. IP addressing (IPv4 / IPv6)

Cisco Certified Network Associate Exam. Operation of IP Data Networks. LAN Switching Technologies. IP addressing (IPv4 / IPv6) Cisco Certified Network Associate Exam Exam Number 200-120 CCNA Associated Certifications CCNA Routing and Switching Operation of IP Data Networks Operation of IP Data Networks Recognize the purpose and

More information

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc. Considerations In Developing Firewall Selection Criteria Adeptech Systems, Inc. Table of Contents Introduction... 1 Firewall s Function...1 Firewall Selection Considerations... 1 Firewall Types... 2 Packet

More information