Manažment v teórii a praxi 3/2007



SECURITY AND FINANCIAL VIABILITY OF MIXED NETWORKS CONSISTING OF PRODUCTION AND TEST ENVIRONMENTS

Dominik VYMĚTAL

ABSTRACT

Companies that run both production and test networks in order to present their products and services and to educate their personnel and customers face a contradiction between the security and the flexibility of their production and test networks. The same may hold for educational institutes providing distance education for their students, especially across several nodes connected through a network infrastructure. Three proposals for solving this challenge are discussed in the paper. The 802.1x based solution, deployed in several steps, is recommended as viable both technically and financially. The analysis is based on the example of a mid-sized company.

KEYWORDS: Security, VPN, 802.1x, Distributed test nodes, financial viability

JEL classification: M15, O32

INTRODUCTION

Companies selling copiers, printers, faxes, PDAs and other office and multimedia products, services and software are confronted with a contradiction between the security of their productive networks and the need for maximum flexibility in testing, presenting and educating their personnel and customers. The same may hold for educational institutes providing distance education for their students, especially across several nodes connected through a network infrastructure and supporting various tests during the courses. This can be a real challenge for the security administrator. Let us analyse a mid-sized company with a central site and some branch offices throughout a country. The situation would be similar for an educational institute supporting test nodes and educational connections for its students. To support its productive information system, a package of WAN provider services is used. The employees using the productive system connect regularly to the Internet; hence the network is protected by common means such as a firewall, a proxy server, antivirus/antispam programs etc.
The active elements of the networks are either rented or company owned, but they mostly do not possess switch-port-level authentication capabilities. This is a typical situation in many companies of this type. On the other side, an urgent need is emerging to test new software, to provide distance education and on-line presentations of new ideas and products in the distributed education and show rooms of the branch offices and, last but not least, to download firmware and the corresponding manuals from partner portals and networks. This situation, shown in fig. 1, is a real challenge for the IT manager of the company. Let us discuss his practical and financial possibilities in the well-known environment of limited budgets. (Note: the icons of well-known manufacturers and providers used in the figures have no relevance to these manufacturers and do not imply any recommendation.)

[Figure 1: Initial Situation. Labels in the figure: branch network routers, test networks, company central office, lab network, firewall.]

1. INTERNAL FIREWALL

The principle of internal firewall usage is shown in fig. 2. The production network in the central site is connected to the branch office networks via routers and the WAN, and the whole network is protected by an external firewall. The test networks in the branch offices and the software laboratory network in the central site are detached from the productive network by an internal firewall. Any device connected to these test networks is subject to the internal firewall rules.

Advantages:
A) This is the simplest solution.
B) The costs of the solution are sufficiently low.

Disadvantages:
A) Requirements to enable connections to external partners cause ad hoc requirements to open firewall ports in both the external and the internal firewall. This takes time and practically diminishes the firewalls' functionality.
B) Devices normally used in the production networks but needed for some time spans in the test networks (e.g. service personnel notebooks) have to be reconfigured all the time in order to meet the firewall rules.

[Figure 2: Proposed solution with internal firewall. Labels in the figure: branch network router, test network, company central office, lab network, external firewall, internal firewall.]

C) Traffic from PCs and notebooks to the output devices in the show rooms that are placed in the test networks but used from the production network (printers in the branch offices etc.) causes a high data load in the network, because it has to pass the internal firewall before reaching the target output device.

This solution will not be accepted as viable.

2. VPN SOLUTION

A possible VPN connection is presented in fig. 3. An internal firewall is either still used to detach the test networks in the branch offices and the laboratory network in the central site from the production network, or multiple LANs are connected to the production network. The end-user devices in the test networks can access the resources of the production network via VPN.

Advantages:
A) The solution is still simple and most of the end users' requirements are met.

Disadvantages:
A) Multiple firewalls cause higher administration costs, the problem of ports is not solved, and the danger of uncoordinated handling of the firewall rules is high.

[Figure 3: Proposed solution using VPN. Labels in the figure: lab network, external firewall, internal firewall, central office, VPN, test network, branch LANs, network router.]

B) Not all end devices, e.g. printers, can use VPN at this time.
C) The requirement to use resources of this type from the production LANs is not met.
D) The requirement to reach both the production and the test LANs makes a split tunnel necessary, which brings further risks into the environment.

This solution will most probably be refused.

3. 802.1x BASED SOLUTION

802.1x is based on authentication at the switch-port level. Three roles are defined in the authentication process. The Supplicant is the end device asking for a network connection, e.g. a notebook, printer or other end device. The Authenticator is a switch directly connected to the Supplicant; this is the device through which the Supplicant gets network access. The Authentication Server is where the authentication procedure runs; the Authenticator serves as a gateway to the Authentication Server. The authentication process consists of Extensible Authentication Protocol (EAP) messages exchanged between the Server and the Supplicant. The communication protocol RADIUS (Remote Authentication Dial In User Service) runs over UDP ports.

The following authentication services can be proposed based on 802.1x: authentication of the end user or device; enforcement of the security policy at the network level, independent of the end user or device; allowing or denying network access at the port level; and, on top of the basic authentication, extended functions that can be defined and/or enforced during authentication, such as a check of the antivirus and antispam definitions, control of the operating system patch level, etc. The possibilities of the 802.1x standard can be used to meet the requirements of flexibility and security of our network. Typically, devices can be authenticated at the switch-port level based on the MAC address, the end user name or a certificate. Roles and access control lists can be used to make the process more flexible. Such a solution can be introduced in several steps in order to keep the financial costs within the required scope. Based on the functional possibilities of the active network elements, further steps can be defined to achieve financial viability of the change.

The first step of the migration to the 802.1x solution is shown in fig. 4. The test and laboratory networks in the central site would be grouped into their own VLANs in a demilitarized zone (DMZ) and migrated to an 802.1x-ready network using suitable switches. The external firewall would get two more interfaces connected to the 802.1x network. The hardware costs of this step are manageable. The end users of the VLANs and their communication routes would then be defined, and the necessary roles can be set on the authentication server. In the first step, MAC-based authentication is proposed. If the MAC address corresponds to an address defined on the server, the role of the device can be set and authorised, the switch port would be configured into the corresponding VLAN, and a dynamic ACL (Access Control List) on the firewall can be changed. The device can then get all the resources it needs from the production network.
If the MAC address of the device is not known to the authentication server, there are two possibilities: either the device gets a guest role or access is denied; which of the two applies can be defined when the network is set up. As authentication by MAC address is not sufficiently safe, a certificate-based procedure is to be introduced in the next step, or in the further steps when the branch offices are connected to the new network. The routers do not support MAC address authentication. Connecting the branch offices in the next step requires the definition of two VLANs in each branch office, namely the production VLAN and the test VLAN. The deployment of VLANs requires the procurement of new switches supporting VLANs. However, the proposed solution can be introduced step by step to keep the costs within the limit. The branch office routers are connected to the central WAN router by an 802.1Q trunk.
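The first migration step described above (MAC-based authentication, role assignment, dynamic VLAN on the switch port, guest-or-deny handling of unknown devices) can be shown as the decision an authentication server makes for each supplicant. The following is an added example written for this page; it is not the paper's own material nor any vendor's implementation. The device table, role names and VLAN numbers are constructed sample values; the RADIUS attributes it emits for dynamic VLAN assignment (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802, Tunnel-Private-Group-ID = VLAN id) are the standard ones from RFC 3580.

```python
"""Added example (not from the paper): the role decision of an 802.1X
authentication server for the MAC-based first migration step.

The authenticator (switch) forwards the supplicant's identity, here only a MAC
address; the server looks it up, assigns a role and VLAN, and returns the
RFC 3580 attributes that tell the switch which VLAN to put the port into.
Unknown devices are handled by a setup-time policy: "guest" or "deny".
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Union

# Role -> VLAN id. VLAN numbers are constructed for this example.
ROLE_VLAN: Dict[str, int] = {
    "production": 10,   # production VLAN
    "test": 20,         # test VLAN / test DMZ
    "lab": 30,          # laboratory VLAN / laboratory DMZ
    "guest": 99,        # restricted guest VLAN
}

# Constructed device inventory keyed by canonical MAC address.
KNOWN_DEVICES: Dict[str, str] = {
    "00:11:22:33:44:55": "production",   # e.g. an office workstation
    "00:11:22:33:44:66": "test",         # e.g. a show-room printer
    "00:11:22:33:44:77": "lab",          # e.g. a laboratory server
}

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def canonical_mac(raw: str) -> str:
    """Normalise the common MAC spellings (AA-BB-.., aabb.ccdd.., AA:BB:..)
    to lower-case colon form so a lookup never fails on formatting alone."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _MAC_RE.match(hexdigits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Decision:
    accepted: bool
    role: Optional[str]
    vlan: Optional[int]

    def radius_attributes(self) -> Dict[str, Union[str, int]]:
        """Attributes carried in an Access-Accept for dynamic VLAN assignment
        (RFC 3580): Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802,
        Tunnel-Private-Group-ID = the VLAN id as a string. A reject carries
        none, so the switch leaves the port unauthorised."""
        if not self.accepted:
            return {}
        return {
            "Tunnel-Type": 13,
            "Tunnel-Medium-Type": 6,
            "Tunnel-Private-Group-ID": str(self.vlan),
        }


def authenticate_mac(raw_mac: str, unknown_policy: str = "deny") -> Decision:
    """Decide the role for a supplicant identified only by its MAC address.

    unknown_policy is the choice the paper leaves to network setup time:
    "guest" puts unknown devices into the guest VLAN, "deny" rejects them.
    A MAC address is an identifier, not a secret, which is why the paper
    treats this step as provisional until certificates are introduced.
    """
    if unknown_policy not in ("guest", "deny"):
        raise ValueError("unknown_policy must be 'guest' or 'deny'")
    try:
        mac = canonical_mac(raw_mac)
    except ValueError:
        return Decision(False, None, None)   # malformed identity: reject
    role = KNOWN_DEVICES.get(mac)
    if role is None:
        if unknown_policy == "deny":
            return Decision(False, None, None)
        role = "guest"
    return Decision(True, role, ROLE_VLAN[role])


if __name__ == "__main__":
    # Constructed identities in three spellings; the last one is unknown.
    for mac in ("00-11-22-33-44-55", "0011.2233.4466", "de:ad:be:ef:00:01"):
        d = authenticate_mac(mac, unknown_policy="guest")
        print(mac, "->", d, d.radius_attributes())
```

The firewall-side dynamic ACL the paper mentions would be driven by the same role string; the example stops at the switch port because that is where 802.1x itself acts.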

[Figure 4: 802.1x based solution. Labels in the figure: production network router, file server, authentication server, mail server, web server, 802.1Q trunk, production DB server, web DMZ, production laboratory DMZ, test DMZ, laboratory VLAN, lab network, external firewall, 802.1x switch, test VLAN, VPN, test network.]

The last step of the migration would then be the migration of the production network in the central site and the introduction of the extended functions such as virus protection, patch-level control etc. The steps proposed can be carried out according to the security needs of the company and the financial resources assigned to the project, which we see as an advantage of the proposed solution.

4. SUMMARY

The proposal of an 802.1x based network interconnection presented in Chapter 3 solves the most important needs of a company coping with the problem of production and test network co-operation while keeping the necessary security level. The deployment in two to four steps helps the financial viability of the project and provides the flexibility needed.

INFORMATION ABOUT THE AUTHOR

Ing. Dominik VYMĚTAL, DrSc. was recently appointed to a chair in Information Technologies at the Silesian University, School of Business Administration in Karviná, Czech Republic. His previous appointments were at Konica Minolta Business Solutions Austria and Czech Republic, where he was responsible for the strategy, operations and support of company information systems for the last 16 years. Before that he spent 22 years at the Iron and Steel Works Trinec, Czech Republic, in research and IT operations. He received his CSc. degree at the Institute of Steel in Moscow, Russia, in 1975 for modelling metallurgical processes and his DrSc. degree at the same institution in 1985 for a methodology of information systems development. He lives in the Czech Republic.

ADDRESS

Ing. Dominik VYMĚTAL, DrSc.
Silesian University in Opava
School of Business Administration
Department of Informatics
Univerzitní nám. 1934/3
733 40 Karviná
Czech Republic
Phone: +420 596 398 237
Fax: +420 596 312 069
e-mail: vymetal@opf.slu.cz