How To Build A Network Security Network

Transcription

1 Programme NPFIT Document Record ID Key Sub-Prog / Project Infrastructure Security NPFIT-FNT-TO-IG-GPG Prog. Director Mark Ferrar Status Approved Owner James Wood Version 1.0 Author Mike Farrell Version Date 18/09/2009 Local Area Network Security Good Practice Guideline Crown Copyright 2009

2 Amendment History: Version Date Amendment History /08/2006 First draft for comment /09/2006 Second draft including comments and amendments /10/2006 Third draft including comments and amendments /03/2007 Fourth draft to place document in new template /06/2009 Document refreshed /07/2009 Incorporating changes suggested by CfH Infrastructure Security Team /07/2009 Incorporating changes suggested by Matt Ballinger /09/2009 Incorporating changes suggested by James Wood. Approved for issue Forecast Changes: Anticipated Change When Annual Review Nov 2010 Reviewers: This document must be reviewed by the following: Name Signature Title / Responsibility Date Version Infrastructure Security Team Matt Ballinger Deployment Support Officer - Technology Office Approvals: This document must be approved by the following: <author to indicate approvers> Name Signature Title / Responsibility Date Version James Wood Head of IT Security 1.0 Distribution: NHS Connecting for Health Information Governance Website Crown Copyright 2009 Page 2 of 23

3 Document Status: This is a controlled document. Whilst this document may be printed, the electronic version maintained in FileCM is the controlled copy. Any printed copies of the document are not controlled. Related Documents: These documents will provide additional information. Ref no Doc Reference Number Title Version 1 NPFIT-SHR-QMS-PRP Glossary of Terms Consolidated.doc 13 2 NPFIT-FNT-TO-INFR-SEC-0001 Glossary of Security Terms 1 Glossary of Terms: List any new terms created in this document. Mail the NPO Quality Manager to have these included in the master glossary above [1]. Term Acronym Definition Crown Copyright 2009 Page 3 of 23

4 Contents 1 About this Document Purpose Audience Content Disclaimer Introduction Background Overview of Local Area Networks Network Access Protection (NAP) Network Admission Control (NAC) x Port-based Access Control Quality of Service (QoS) Key Aspects of a Local Area Network Infrastructure A Modular and Layered Network Topology Resilience and Redundancy Security Intelligent Services Management The Hierarchical Modular Layered Network Model Access Layer Recommendations Core and Distribution Layer Recommendations Server Layer Recommendations Network Infrastructure Availability Physical Resilience and redundancy Equipment Level Redundancy Software resilience and redundancy Security Policy Management Wide Area Network Link Considerations Environmental Factors Crown Copyright 2009 Page 4 of 23

5 1 About this Document 1.1 Purpose The purpose of this guide is to address the major challenges associated with creating and maintaining secure Local Area Networks (LANs) connected to the New NHS Network (N3) or other network infrastructures such as Community of Interest Networks (CoINs), partner networks, or the Internet. The following information covers all environments anticipated to interact with the NHS Care Records Service (NCRS). It includes information on suitable measures and controls for the most secure solutions that are in conformance with the Information Governance Statement of Compliance (IGSoC). It is however recommended that a full assessment of both threat and impact levels of potential security breaches be performed. This should incorporate partnering networks, including N3, in line with the electronic Government Interoperability Framework (e- GIF) recommendations. 1 The information contained in this document should be used as an informed assessment of technologies that support LAN security. However it is the sole responsibility of network owners to ensure that any LAN solutions that they deploy are sufficiently secure to fully satisfy their own risk assessment. 1.2 Audience This document has been written for readers who have a good level of experience and familiarity with firewalls, switches, routers and secure local area networking practices. 1.3 Content This document comprises this following sections / topics: - Introduction Overview of Local Area Networks Key aspects of a Local Area Network Infrastructure The Hierarchical Modular Layered Network Model Network Infrastructure Availability Security Policy Management Wide Area Network Link Considerations Environmental Factors 1 See the GovTalk Schemas and Standards Website: Crown Copyright 2009 Page 5 of 23

6 1.4 Disclaimer Reference to any specific commercial product, process or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by National Health Service Connecting for Health (NHS CFH). The views and opinions of authors expressed within this document shall not be used for advertising or product endorsement purposes. Any party relying on or using any information contained in this document and/or relying on or using any system implemented based upon information contained in this document should do so only after performing a risk assessment. It is important to note that a risk assessment is a prerequisite for the design of effective security countermeasures. A correctly completed risk assessment enables an NHS organisation to demonstrate that a methodical process has been undertaken which can adequately describe the rationale behind any decisions made. Risk assessments should include the potential impact to live services of implementing changes. This means that changes implemented following this guidance are done so at the implementers risk. Misuse or inappropriate use of this information can only be the responsibility of the implementer. Crown Copyright 2009 Page 6 of 23

7 2 Introduction The following information provides a knowledge-based framework that will help maintain good practice values within an organisation. The guidance within this document is written to reflect good practice, and, by following it, some of the consequences of non-compliance should be avoided. The reader will find good practice guidance for the design and use of Local Area Networks within a network infrastructure. This includes: - Minimum standards for LAN Security. The methods by which a LAN infrastructure can be supported efficiently and safely. Guidance to ensure maximum network uptime and reliability. Procedures and mechanisms for the control of access to LANs in an NHS or other healthcare environment. 2.1 Background N3 is a private Wide Area Network (WAN) and access is therefore strictly limited to authorised endpoints. Any organisation wishing to connect to N3 is responsible for ensuring that their N3 connection does not compromise the security measures already in place within the WAN. N3 is a private network accommodating thousands of PCs, servers, printers and other items of equipment all acting as the nodes or endpoints within the network. The confidentiality of sensitive information transmitted unencrypted within N3 is not assured. However all National Applications encrypt data using Transport Layer Security (TLS) 2 or an equivalent security standard. It is therefore advisable that the appropriate measures are taken with existing systems to ensure that sensitive data is secure before connecting to N3. N3 faces numerous potential threats to security, possibly from inadequately protected partner networks, or connections to uncontrolled external networks such as the Internet. These threats are continually evolving in both strength and frequency. Therefore ongoing vigilance against these threats, and the maintenance of strict security standards, are essential to the continuing success of N3. 2 See Approved Cryptographic Standards GPG at Crown Copyright 2009 Page 7 of 23

8 3 Overview of Local Area Networks A LAN is a network of computers and other components located relatively close together in a limited area. LANs operate at layer-2 of the Open Systems Interconnect (OSI) model, and can vary widely in size. They can consist of only two computers in a home office or small business, or include hundreds of computers in a large corporate or healthcare environment. Various LAN types are available, such as Ethernet, Token Ring, ARC Net and FDDI. The Ethernet-based technologies are by far the most prevalent within the modern network. This is partly due to the low cost of the technology, coupled with the performance it offers, and the general ease of deployment and maintenance in comparison to some of the legacy technologies. The guidance within this document covers good practice for implementing LANs comprising multiple layers and components. All organisations should endeavour to apply the generic good practice detailed in Sections 2, 3, 6 and 8 of this document. The information in Sections 4 and 5 is aimed at larger infrastructures, and is therefore broken down into distinct network layers or components. Smaller organisations, such as GP Surgeries and Clinics, may find that only the guidance within the Access Layer and Server Layer sections apply to their network infrastructure. 3.1 Network Access Protection (NAP) Network Access Protection 3 (NAP) is a policy enforcement platform, built into the Microsoft Windows Vista, forthcoming Windows 7 and Windows Server 2008 operating systems, which allows an organisation to better protect network assets, by enforcing compliance with system health requirements. NAP allows the creation of customised health policies to validate computer health before allowing access or communication. Automatic update of non-compliant computers is used to ensure ongoing compliance, with optional confinement of noncompliant computers to a restricted network until they become compliant. Administrators can configure Internet Protocol Security (IPSec) enforcement, IEEE 802.1X enforcement, virtual private network (VPN) enforcement, Dynamic Host Configuration Protocol (DHCP) enforcement, or all four, depending on their network needs. 3 Crown Copyright 2009 Page 8 of 23

9 3.2 Network Admission Control (NAC) A Network Admission Control (NAC) solution compares the security state of a device, which is attempting to connect to a network, to a set of policy attributes that define what security conditions must be met to allow network access. The scope of a NAC solution must encompass external and internal network connections by managed and unmanaged devices. Examples of unmanaged devices include rogue systems and servers that are deployed outside central Information Technology (IT) management control, in addition to contractor PCs and employees' home machines. The NAC solution should cover the following network connection scenarios: VPN IPsec and Secure Sockets Layer (SSL) LAN wired and wireless connectivity Dial-in via remote access servers Any NAC solution should ensure that when a system does not meet the criteria of the policy controls, it is added to a quarantine network and remedial action is taken. This could include the application of patches and anti-x updates, 4 or simply the restriction of device access to other parts of the network infrastructure. The quarantine network should be separate from the rest of the internal infrastructure, and should be connected to a firewall with a restrictive access policy. The quarantine network should only allow the minimum access required to apply patches and updates from the centralised management servers x Port-based Access Control IEEE 802.1X 5 is a standard for port-based Network Access Control and is part of the IEEE group of protocols. It provides authentication to devices attached to LAN ports, establishing a point-to-point connection or preventing further access from that port if authentication fails. It is based on the Extensible Authentication Protocol (EAP) X functionality is available on enterprise grade network switches from most vendors, and can be configured to authenticate host systems that are equipped with supplicant software, denying unauthorized access to the network at the data link layer. This means that only 802.1x frames can be transmitted through the switch port, and all other data frames are dropped until the connection is successfully authenticated. 4 Anti-X refers to the anti-virus, anti-spyware, anti-spam and anti-phishing solutions EAP, RFC Crown Copyright 2009 Page 9 of 23

10 This 802.1x authentication can be bound to a number of authentication services, such as Active Directory (AD), Remote Authentication Dial-In User Service (RADIUS) service or Lightweight Directory Access Protocol (LDAP) directory of the organisation. 3.4 Quality of Service (QoS) Quality of Service (QoS) is a traffic engineering term, which is based on the concept that transmission rates, error rates and other characteristics can be measured, improved and guaranteed prior to transmission. The application of QoS functionality is often a requirement for the use of Voice over IP (VoIP), Video Streaming and other protocols sensitive to latency, jitter and timing issues. The use of QoS is particularly important for production and non-stop networks, as it provides predictive performance and availability. This functionality can be useful for providing assured access to clinical applications during all network conditions. For example during busy periods during the working day, such as lunchtime, or extended periods of high throughput resulting from network based data backup. The N3 QoS architecture 7 is outside the scope of this document. 7 Crown Copyright 2009 Page 10 of 23

11 4 Key Aspects of a Local Area Network Infrastructure The key aspects of a secure and robust network infrastructure design are described in the following subsections. 4.1 A Modular and Layered Network Topology The benefits of a modular approach to network design are: - Improved scalability with deterministic service delivery. Reduced operational costs. Ease of maintenance. A modular approach also allows the allocation of network services to specific modules of the network infrastructure, enabling organisations to focus their network infrastructure expenditure where most appropriate. 4.2 Resilience and Redundancy There is increasing reliance on distributed IT based solutions within the NHS for the delivery of clinical care. The availability of clinical applications can have a direct impact on patient care and safety. The importance of minimising all single points of failure within cable plant, power systems, environmental and network infrastructure equipment is discussed in terms of expenditure against risk, or cost and benefit realisation. Recommendations for network level protocol design good practice, specifically for optimising network convergence times under failure conditions, are also provided. 4.3 Security A layered approach to security is recommended. This approach provides a defence in depth posture, which reduces the scope of any security breaches. The recommendations will also assist organisations in meeting the Department of Health Information Governance (IG) requirements for the protection of Person Identifiable Data (PID) whilst in transit, and the requirements of the Confidentiality NHS Code of Practice Crown Copyright 2009 Page 11 of 23

12 4.4 Intelligent Services The networking industry has converged on standard processes for creating quality of service policies for enforcement by network infrastructure devices. An organisation s investment in a network infrastructure can be maximised through the use of these network based intelligent services, whilst ensuring that the shared resources are allocated according to the organisation s business requirements. 4.5 Management Increasing the intelligence of a device generally increases its complexity. To reduce the complexity of management, suitable tools are required for device management, fault diagnosis, device configuration, performance management, and to aid with the relatively complex tasks of deploying consistent network-wide QoS and security policies. Crown Copyright 2009 Page 12 of 23

13 5 The Hierarchical Modular Layered Network Model This model uses a layered architecture of distinct modules or building blocks, with each layer responsible for a specific role in the support of the end-to-end delivery of information. The benefits of a layered architecture are: - Scalability. Ease of implementation. Ease of troubleshooting. Predictability. Manageability. Each of the layers supports distinct functionality or requirements. Layers can be added to the model to support additional functionality. As an example, an Internet or public access layer can be added to complement an existing layered infrastructure. The hierarchical network design model is comprised of four basic layers: - Core Layer: Distribution Layer: Access Layer: This provides high-speed IP connectivity between the distribution, access and server layer LAN switches via two or more high availability core switches. This layer is where elements such as security and QoS policies are enforced to control how the network will service individual information flows. This layer can be a physically separate layer of switches, or a logical layer located within the core switches. This will be dependent on the size of an organisation s network infrastructure. This layer provides connectivity for systems such as end user workstations and printers. The access layer enforces admission and control policies, and provides the logical segmentation of devices into groups Virtual LANs (VLANs) which share common functional requirements. The access layer also provides a trust boundary where application traffic can be identified and classified for appropriate servicing by the distribution and core layers. Server Layer/Module: This layer provides high-performance connectivity and resilience, and secures access to the application servers. The server module is distinct from an access layer module because of the differing requirements between user and server connectivity. For example, availability is much more of an issue within the server module than typically within access modules supporting general network users. Crown Copyright 2009 Page 13 of 23

14 Fig 1 below shows the recommended modular design for larger organisations. Connectivity Module Connectivity Module Access Layer Distribution Layer Si Si Si Si Core Layer Si Si Si Si Server Layer Server Module Fig 1 - Modular Design for Larger Organisations Larger organisations are typified by a combination of a large numbers of users, and many buildings and departments within a large campus or geographically dispersed campus sites. Access layer switches should be connected with dual up-links to separate distribution layer switches, providing resilience against link or distribution switch failure. Distribution switches should be deployed in pairs, in order to provide resilient paths to different core switches. The core layer should consist of inter-connected high availability switches, to provide resilience against any single core layer link or switch failure. The use of modules within the network architecture enables additions, moves and changes to be less disruptive and more deterministic. It creates a coalition between the connectivity requirements of the organisation and the infrastructure bandwidth required to support that connectivity. As the network connectivity requirements increase, additional connectivity modules can be added to the infrastructure, scaling the bandwidth in line with connectivity growth. It also modularises a large infrastructure into smaller domains, aiding fault diagnosis and fault containment. Crown Copyright 2009 Page 14 of 23

15 Fig 2 below shows the recommended modular design for small and medium sized organisations. This design collapses the core and distribution layers into an aggregate layer more suited to smaller user populations, fewer buildings and departments and smaller campuses. Access Layer Collapsed Distribution and Core Layers Si Si Server Layer Fig 2 - Modular Design for Small and Medium Sized Organisations As connectivity modules are added to the small / medium size design, it naturally scales into a larger design when a physically separate layer of distribution switches are implemented. The functionality provided by the distribution layer is then migrated from the core switches onto the physically separate distribution layer switches. 5.1 Access Layer Recommendations Physical locations and wiring closets for active equipment deployment should be physically secured against unauthorised access. The network devices should support 10/100Mb switched Ethernet connectivity, with 10/100/1000Mb switched Ethernet being desirable. Equipment level redundancy and redundant / backup power should be provided to access layer devices that are supporting critical clinical areas and users. Crown Copyright 2009 Page 15 of 23

16 The network devices should support the provisioning of 802.3af Power over Ethernet (PoE). 9 The access layer should use at least two resiliently configured fibre or copper uplink trunk connections to two separate distribution / core layer locations. The access layer should provide the organisational boundary for the classification / marking of application traffic for subsequent prioritisation and scheduling across the organisation s network infrastructure. The network devices should support intelligent security services and features to help maintain the confidentiality of PID whilst in transit. The network devices should support intelligent security services and features to help mitigate unauthorised connections to the network infrastructure. The access layer should include comprehensive management tools for device, fault and performance management. In particular the tools should support network-wide software and configuration updates, and network-wide deployment of QoS and security policies. The network devices should support secure management protocols such as Hypertext Transfer Protocol Secure (HTTPS), Simple Network Management Protocol Version 3 (SNMPv3), Secure File Transfer Protocol (SFTP) and Secure Shell (SSH). 5.2 Core and Distribution Layer Recommendations The Core and Distribution layers should support Ethernet connectivity at speeds up to 1Gbps, with 10Gbps being desirable. Distribution and Core inter-switch links should be a minimum speed of 1Gbps. Core / Distribution Layer inter-switch links (trunks) should be logically bundled for additional resilience and performance. It is preferable to utilise bundling and channelling technologies that are transparent to the link and network layer protocols. Links or trunks between core and distribution switches should be controlled by a layer 3 routing protocol. The Layer 3 protocol controlling network convergence should be tailored to minimise failover times, and hence minimise application interruption. The Distribution layer should provide the capability to enforce the organisational QoS policy through intelligent queuing, scheduling and congestion avoidance mechanisms. The Distribution layer should support intelligent security services and features to help maintain the confidentiality of PID whilst in transit. 9 Crown Copyright 2009 Page 16 of 23

17 The Distribution layer should support intelligent security services and features to help mitigate against unauthorised connections to the Network Infrastructure. The Core and Distribution layers should provide comprehensive management tools for device, fault and performance management. Specifically the tools should support network-wide software and configuration updates, and network-wide deployment of Quality of Service and security policies. The Core and distribution layer should support secure management protocols such as HTTPS, SNMPv3, SFTP and SSHv Server Layer Recommendations The availability of Server resources is often critical to large organisations, and the design of the server layer should therefore reflect the higher level of resilience and performance that is required. It is recommended that: - The Server layer should support 1Gbps Ethernet connectivity. It is desirable that the infrastructure offers support for 10Gbps Ethernet where possible. The infrastructure should utilise equipment level redundancy, and offer redundant or backup power services. Support should be provided for dual attaching servers. Note this may not be possible with some operating systems and some applications, therefore dialogue with server and application suppliers is essential. The server layer should utilise dual uplink connections to the Core layer. The server layer should provide the organisational boundary for application traffic, and should support the capability to classify and mark application traffic for subsequent prioritisation. Intelligent security services and features should be provided to help maintain the confidentiality of PID whilst in transit. Intelligent security services and features should be utilised to help mitigate against unauthorised connections to the Network Infrastructure. Comprehensive management tools for device, fault and performance management should support the server layer. In particular the tools should support network-wide software and configuration updates, and network-wide updates for QoS and security policies. The Server layer should support secure management protocols such as HTTPS, SNMPv3, SFTP and SSHv2. Crown Copyright 2009 Page 17 of 23

18 6 Network Infrastructure Availability High availability can be achieved by the use of a well-designed network infrastructure to support the enforcement of a strong security policy, and the implementation of resilience and redundancy features within the network infrastructure components. The resilience features can be grouped into two basic categories Physical resilience and Software resilience. The supporting infrastructure, cable plant, physical environment and active component all fall into the physical category. Network control plane features, such as layer two and layer three routing protocols, DHCP, and Domain Name System (DNS) services fall into the software category. 6.1 Physical Resilience and redundancy It is essential that fundamental knowledge of the physical layout of the network is known and documented. Node points for the Core and Distribution elements of the network should be identified, in addition to wiring closet locations for distribution to network endpoints. Distances between network locations should be determined before laying cables - both for fibre-optic cabling and structured copper wiring. The measured distance for fibre optic cabling may dictate the mode of cable used, whilst structured copper wiring has a fixed maximum distance. It is recommended that multi-core single mode fibre-optic cable is used between core layer switch sites, and between uplinks from wiring closets to distribution layer / core layer switches, as a minimum standard. It is recommended that fibre-optic cable connecting Core layer infrastructure components should be laid within diverse routing paths. Such connections may be bundled together to create aggregated links. It is recommended that cables are laid from wiring closets to a minimum of two distribution / core layer switch locations. 6.2 Equipment Level Redundancy 10 The provision of redundant or load sharing equipment in a network is a trade off between budget constraints and pragmatism over the likelihood of an outage. The financial impact of such measures has often dictated that specific areas of the network are prioritised for redundancy. However as the IP network becomes the single vehicle for delivery of local and national healthcare applications, greater emphasis should be placed upon providing heightened levels of redundancy across the whole of the network infrastructure. 10 See Business Continuity and Disaster Planning GPG at Crown Copyright 2009 Page 18 of 23

19 It is recommended that the organisation s network infrastructure should have two or more core switch node locations. Each wiring closet / Distribution layer switch should have at least two uplinks to separate Core / Distribution layer switches. Core switches should be deployed with redundant management engines, switching fabrics and power supplies. Where there is a heightened level of dependency on one core switch, e.g. where cable plant restrictions result in distribution / wiring closet uplinks being terminated by a single core switch, the distribution of the uplinks across separate line cards within the core switch should be considered essential. It is recommended that where a single chassis is utilised in the wiring closets, the uplinks are distributed across line cards within the chassis in order to decrease the risk of an outage in the event of a failure of any one card in the chassis. It is recommended that where stackable switches are used in the wiring closets, these should be stacked together to create a single logical access layer switch. This should be achieved either through the uplink ports or optimally via dedicated bus connections if available. The uplinks from the switch stack to core / distribution node locations should be via separate switches in the stack wherever possible. Where stackable switches are used, the insertion and removal of switches in the stack without disruption to network traffic is desirable. 6.3 Software resilience and redundancy Software features within the infrastructure devices to converge around physical failures perform a vital role in ensuring an application s availability. For example, the capability to create one logical link from two or more physical links, and hide individual link failures from higher layer networking protocols, enables the infrastructure to re-route traffic around link failures transparently to the end user / application. The use of layer three routing protocols enables a more scalable approach to alternative path switching around failures. When considering the choice of Layer 3 routing protocol, flexibility, convergence capabilities, and scalability should be considered. Link state protocols, such as Open Shortest Path First (OSPF) 11 and Intermediate System-to-Intermediate System (IS-IS), 12 are the preferred options. OSPF is found to be the most common protocol in use and has the added advantage of being an accepted industry standard suitable for multi-vendor networks. Both OSPF and IS-IS offer enhanced security features. Passwords can be set to prevent unauthorized routers from forming adjacencies with routers in the network, and MD5 Authentication is an option Crown Copyright 2009 Page 19 of 23

20 Some vendors support proprietary layer 3 routing protocols such as Cisco s Enhanced Interior Gateway Routing Protocol (EIGRP), 13 which are often less complex and are able to provide faster convergence times. These protocols should only be considered for single vendor networks or if the vendor also provides layer 3 routing protocol intercommunication capabilities. This is usually achieved through route re-distribution between the layer three routing protocols. The transfer of routing information between routing processes should be treated as an autonomous boundary point in terms of security posture. For example, route re-distribution should be secured against unauthorised route injection and spoofing. At the layer 3 / layer 2 boundaries, a first-hop routing protocol should be used to provide a virtual default gateway. The standards based first-hop routing protocol is 14 Virtual Router Redundancy Protocol (VRRP). Vendors who provide proprietary first-hop routing protocols can provide enhancements such as awareness of upstream network events and active / active uplinks concurrently. Vendor proprietary solutions should only be considered where the first hop routing protocol is intended to be utilised between devices from a single vendor that are performing the virtual default gateway function. Whilst Layer 3 is recommended for the network core, it may be necessary for Layer 2 traffic to traverse the network to support legacy non-routable protocols. Whilst some vendors have introduced their own proprietary enhancements to the Spanning Tree Protocol (STP), 15 there are two standards based enhancements to STP available: - The IEEE 802.1s standard allows several VLANs to be mapped to a reduced number of spanning-tree instances. The IEEE 802.1w standard provides the mechanisms to allow faster spanning tree convergence after a topology change Crown Copyright 2009 Page 20 of 23