© 2006 Extreme Networks, Inc. All rights reserved.
page 2
Description
This module provides an overview of the network vulnerabilities and security threats companies face today.
It reviews the factors that should be taken into consideration when designing a security solution.
It describes basic Sentriant CE150 network design configurations.
Finally, it lists the technical information needed before you install the Sentriant CE150.
page 3
Objectives
Upon completion of this module the successful student will be able to:
• List the factors taken into consideration when designing a network security solution.
• Understand the network vulnerabilities that are addressed by the Sentriant CE150.
• Describe basic Sentriant CE150 network design configurations.
• Identify the technical information required before you install a Sentriant CE150 in a customer site.
page 4
Traditional Defenses: Firewalls and IDS
Firewall
• Enforce access control policies between networks
• Determine which inside services may be reached from outside, and vice versa
• Provide a single choke point where traffic can be audited
• Log connection attempts, showing who has been probing the network
Intrusion Detection Systems (IDS)
• Detect many types of network attacks, but only raise alerts; an IDS does not block the traffic it sees
page 5
Firewall and IDS Limitations
Cannot protect from attacks that bypass them
• Internal attacks, or unrestricted dial-out modems that route around the perimeter
Cannot protect the confidentiality of data traversing the network
• Financial data, corporate secrets, etc. cross the LAN and WAN in the clear
Cannot detect or prevent data being modified as it moves across the network
Cannot stop attacks that originate inside the perimeter
page 6
Network Vulnerabilities
Unauthorized Access of Data in Motion
• Unauthorized monitoring – Network users assume the data they send over the network will be seen only by the intended receiver; on an unencrypted LAN or WAN, anyone on the path can read it.
• Unauthorized modification – A traceroute between any two corporate sites lists every hop on the path, and each hop is a point where an intruder could inconspicuously modify data in transit.
Common Inside Attacks
• Insider breaches – Employees, contractors and others with legitimate network access are already behind the perimeter defenses and can reach sensitive data on the network without ever crossing the firewall.
• Man-in-the-middle attacks (TCP session hijacking is one form) – An attacker intercepts packets on the path, modifies them and reinserts them, while both endpoints continue to believe they are talking only to each other.
• Port mirroring – A switch feature that forwards a copy of every packet entering or leaving one port to another port. Intended for monitoring, it gives anyone with access to the switch a complete copy of the traffic to study.
page 7
Mitigate Network Vulnerabilities: Inside the Perimeter
It is important to secure your data as it travels within your organization’s network.
• Insiders account for up to 50% of network security breaches.
A layered approach to network security provides the best defense possible.
This means that in addition to perimeter security (e.g., a firewall), data traversing the internal network must also be secured.
Data crossing internal links can only be kept confidential by encrypting it, and only authenticated encryption lets the receiver detect modification in transit. Sentriant CE150 provides this protection for data in motion.
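To make the slide's point concrete, here is an added example written for this page (it is not Sentriant CE150 code or Extreme Networks material). It sends one constructed application message twice across a simulated LAN: once in the clear, where an insider on a mirrored port reads it and a man-in-the-middle rewrites it undetected, and once through a minimal ESP-like security association that encrypts and authenticates each packet with AES-256-GCM. The packet layout, the fixed key and salt, the SPI value and the sample message are all assumptions made for the example; the CE150's own wire format is not described on these slides.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Constructed sample: one application message crossing the internal LAN.
var samplePayload = []byte("PAY 10000.00 TO ACCT 5551212")
// sniff models an insider on a mirrored switch port reading the bytes as sent.
func sniff(wire []byte) bool { return bytes.Contains(wire, []byte("ACCT 5551212")) }
// tamper models a man-in-the-middle: rewrite the account if it is visible,
// otherwise (opaque ciphertext) flip one bit and hope the receiver accepts it.
func tamper(wire []byte) []byte {
	out := append([]byte(nil), wire...)
	if i := bytes.Index(out, []byte("5551212")); i >= 0 {
		copy(out[i:], "9999999")
	} else {
		out[len(out)-1] ^= 0x01
	}
	return out
}
// sa is a minimal ESP-like security association (an assumed layout, not the
// CE150's): AES-256-GCM, nonce = 4-byte salt || 64-bit sequence number, and an
// 8-byte SPI||seq header authenticated as additional data. Key and salt are
// installed on both ends out of band, a manual-key policy in the slides' terms.
type sa struct {
	aead cipher.AEAD
	salt [4]byte
	spi  uint32
	seq  uint32 // sender: last sent; receiver: highest accepted (replay floor)
}
func newSA(key []byte, salt [4]byte, spi uint32) *sa {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &sa{aead: aead, salt: salt, spi: spi}
}

// nonce never repeats under one key because seq only moves forward.
func (s *sa) nonce(seq uint32) []byte { return binary.BigEndian.AppendUint64(s.salt[:], uint64(seq)) }

// seal produces header || ciphertext || 16-byte GCM tag for one payload.
func (s *sa) seal(payload []byte) []byte {
	s.seq++
	hdr := binary.BigEndian.AppendUint32(binary.BigEndian.AppendUint32(nil, s.spi), s.seq)
	return append(hdr, s.aead.Seal(nil, s.nonce(s.seq), payload, hdr)...)
}

// open verifies and decrypts: any changed byte fails the tag check, and a
// non-increasing sequence number is treated as a replay.
func (s *sa) open(wire []byte) ([]byte, error) {
	if len(wire) < 8 {
		return nil, fmt.Errorf("short packet")
	}
	hdr, body := wire[:8], wire[8:]
	seq := binary.BigEndian.Uint32(hdr[4:])
	if seq <= s.seq {
		return nil, fmt.Errorf("replayed sequence number %d", seq)
	}
	pt, err := s.aead.Open(nil, s.nonce(seq), body, hdr)
	if err != nil {
		return nil, fmt.Errorf("authentication failed: %w", err)
	}
	s.seq = seq
	return pt, nil
}

type outcome struct {
	ClearReadable, ClearAltered, SealedReadable bool   // the insider's view of each packet
	TamperRejected, ReplayRejected              bool   // what the receiving appliance refused
	Received                                    string // what the receiving appliance accepted
}

// run sends the same message in the clear and under the SA and reports both.
func run() outcome {
	var o outcome
	o.ClearReadable = sniff(samplePayload)
	o.ClearAltered = !bytes.Equal(tamper(samplePayload), samplePayload) // and nobody can tell
	key := bytes.Repeat([]byte{0x42}, 32) // constructed fixed key; use a CSPRNG in practice
	salt := [4]byte{1, 2, 3, 4}
	sender, receiver := newSA(key, salt, 0x1000), newSA(key, salt, 0x1000)
	wire := sender.seal(samplePayload)
	o.SealedReadable = sniff(wire)
	_, err := receiver.open(tamper(wire))
	o.TamperRejected = err != nil
	if pt, err := receiver.open(wire); err == nil {
		o.Received = string(pt)
	}
	_, err = receiver.open(wire) // the captured packet played back
	o.ReplayRejected = err != nil
	return o
}

func main() { fmt.Printf("%+v\n", run()) }
```

Note what changes and what does not: the protected packet is still visible to the sniffer, but it is opaque; any modified byte fails the GCM tag check; and the receiver's sequence floor rejects a replayed capture. Encryption without authentication would have hidden the account number but would not have caught the modification, which is why authenticated encryption, not encryption alone, is the requirement for data in motion.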
page 8
Elements of a Comprehensive Security Solution
Physical protection
• Where are you?
User authentication
• Who are you?
Encryption
• Which information should be hidden?
Access control
• Which assets are you allowed to use?
Management
• What is going on within the network?
page 9
Security Design Considerations
Performance
• Security solutions cannot become bottlenecks on the network. Security appliances must provide low latency and high throughput.
User Transparency
• Security appliances should not require reconfiguration of routers, gateways, or end-user devices.
Centralized management and administration
• Security solutions should provide centralized management and control, including SNMP with a MIB, audit logging and syslog.
Regulatory compliance
• Security solutions must be able to support ever-evolving Federal and State government regulations, e.g., HIPAA.
Resiliency
• Security solutions must be available 24x7, with the ability to update security policies on the fly.
page 11
Sentriant CE150: Non-Router Network - Outbound
Non-Router Network Outbound traffic:
• This example explains the steps network equipment performs when sending data from a company site out to an external entity in a non-router environment.
[Diagram: outbound traffic in a Layer 2 switch network. Switch -> Sentriant CE150 -> fiber backbone or point-to-point wireless ->Sentriant CE150 -> Switch]
page 12
Sentriant CE150: Non-Router Network - Inbound
Non-Router Network Inbound traffic:
• This example explains the steps network equipment performs when receiving data from an external entity into a company site in a non-router environment.
[Diagram: inbound traffic in a Layer 2 switch network. Switch <- Sentriant CE150 <- fiber backbone or point-to-point wireless <- Sentriant CE150 <- Switch]
page 13
Sentriant CE150: Router WANs - Outbound
Router WAN/Backbone Outbound traffic:
• This example explains the steps network equipment performs when sending data from a company site out to an external entity in a router environment.
[Diagram: outbound traffic across a routed WAN. Switch -> Sentriant CE150 -> Router -> Internet -> Router -> Sentriant CE150 -> Switch]
page 14
Sentriant CE150: Router WANs - Inbound
Router WAN/Backbone Inbound traffic:
• This example explains the steps network equipment performs when receiving data from an external entity into a company site in a router environment.
[Diagram: inbound traffic across a routed WAN. Switch <- Sentriant CE150 <- Router <- Internet <- Router <- Sentriant CE150 <- Switch]
page 15
Resiliency: Non-VRRP Example
Dual active-path redundancy
• This example has two Sentriant CE150 appliances at each end of the connection creating two active paths between the locations.
[Diagram: two sites connected across the Internet; each site has Router 1 and Router 2, each router paired with its own Sentriant CE150 (appliances labelled A, B, C and D), giving two active paths between the sites]
page 16
Resiliency: VRRP Example
Single active-path redundancy
• A pair of Sentriant CE150 appliances can be configured to form a virtual security gateway (VSG).
• One appliance is active and the other waits in a backup state, ready to take over if the active appliance fails.
Virtual Router Redundancy Protocol
• Allows the two security gateways (Sentriant CE150) of a VSG to share one virtual IP address, so the neighbouring routers and switches see a single gateway that survives the failure of either appliance.
[Diagram: two sites connected across the Internet; each site has Router 1 and Router 2 and a VSG pair of Sentriant CE150 appliances (labelled A, B, C and D) sharing one address, giving a single active path with a standby]
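An added example, not CE150 code and not taken from the slides, modelling the VRRP behaviour the slide describes: a discrete-time simulation in Go of two appliances sharing one virtual IP, with the RFC 3768 master-down timer, skew time and preemption. The priorities, advertisement interval and outage times are constructed for illustration; the CE150's actual VRRP parameters are not on this page.

```go
package main

import "fmt"

// VRRP states per RFC 3768. Routers start as Backup; the Initialize state and the
// priority-255 address owner are left out because the VIP belongs to the pair.
type state int
const (
	backupState state = iota
	masterState
)

// gateway is one member of the virtual security gateway (VSG) pair.
type gateway struct {
	name          string
	priority      int  // 1..254, higher wins
	preempt       bool // RFC default: a returning higher-priority router takes the VIP back
	advIntervalMS int
	st            state
	alive         bool
	needAdv       bool // announce at once after becoming Master
	lastSentMS    int
	lastHeardMS   int
}

// RFC 3768 timers: Skew_Time = (256 - priority)/256 s and Master_Down_Interval =
// 3 * Advertisement_Interval + Skew_Time, so the best backup wins a takeover race.
func (g *gateway) skewMS() int       { return (256 - g.priority) * 1000 / 256 }
func (g *gateway) masterDownMS() int { return 3*g.advIntervalMS + g.skewMS() }

// event is one transition: state is "Master", "Backup", "down" or "up".
type event struct {
	atMS                int
	name, state, reason string
}
type outage struct{ downMS, upMS int }

// simulate steps the pair in tickMS increments and returns every transition.
// Advertisements reach every live peer on the shared LAN within the same tick.
func simulate(gws []*gateway, outages map[string]outage, endMS, tickMS int) []event {
	var events []event
	note := func(now int, g *gateway, st, why string) {
		events = append(events, event{now, g.name, st, why})
	}
	advertise := func(now int, m *gateway) {
		m.lastSentMS, m.needAdv = now, false
		for _, r := range gws {
			if r == m || !r.alive {
				continue
			}
			r.lastHeardMS = now
			switch { // equal priorities (broken by IP address in the RFC) are not modelled
			case r.st == backupState && r.preempt && r.priority > m.priority:
				r.st, r.needAdv = masterState, true
				note(now, r, "Master", "preempted lower-priority master")
			case r.st == masterState && r.priority < m.priority:
				r.st = backupState
				note(now, r, "Backup", "heard higher-priority master")
			}
		}
	}
	for now := 0; now <= endMS; now += tickMS {
		for _, g := range gws { // scripted failure and repair
			if o, ok := outages[g.name]; ok && now == o.downMS {
				g.alive, g.st = false, backupState
				note(now, g, "down", "appliance failed")
			} else if ok && now == o.upMS {
				g.alive, g.st, g.lastHeardMS = true, backupState, now
				note(now, g, "up", "rejoins as Backup")
			}
		}
		for _, g := range gws { // a backup that has not heard a master takes over
			if g.alive && g.st == backupState && now-g.lastHeardMS >= g.masterDownMS() {
				g.st, g.needAdv = masterState, true
				note(now, g, "Master", "master-down timer expired")
			}
		}
		for pass := 0; pass < 2; pass++ { // second pass lets a router that just preempted announce now
			for _, g := range gws {
				if g.alive && g.st == masterState && (g.needAdv || now-g.lastSentMS >= g.advIntervalMS) {
					advertise(now, g)
				}
			}
		}
	}
	return events
}

// runExample: A (priority 200) and B (priority 100) share one VIP; A fails at
// t=5s and is repaired at t=12s. The timeline is constructed for illustration.
func runExample() []event {
	a := &gateway{name: "A", priority: 200, preempt: true, advIntervalMS: 1000, alive: true}
	b := &gateway{name: "B", priority: 100, preempt: true, advIntervalMS: 1000, alive: true}
	return simulate([]*gateway{a, b}, map[string]outage{"A": {5000, 12000}}, 15000, 100)
}

func main() { fmt.Printf("%+v\n", runExample()) }
```

Running it shows the takeover latency an operator should plan for: with a 1 s advertisement interval, the backup (priority 100) waits 3 s plus a 0.609 s skew after the last advertisement it heard before claiming the VIP, so in this timeline the pair has no active gateway for 3.7 s after A's last advertisement (3 s after the failure itself). When A returns, preemption hands the VIP back within one advertisement interval; turn preempt off if a second switchover is less acceptable than running on the lower-priority box.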
page 18
Configuration Planning Worksheet: Interface Configuration
page 19
Configuration Planning Worksheet: Management Access
page 20
Configuration Planning Worksheet: FTP Client
page 21
Configuration Planning Worksheet: Network Interoperability
page 22
Configuration Planning Worksheet: Manual Key Policies
page 23
Configuration Planning Worksheet: Negotiated IPsec
page 24
Configuration Planning Worksheet: Negotiated IPsec (cont’d)
page 25
Configuration Planning Worksheet: Discard and Clear Policy
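Added example (not CE150 code; the CE150's policy syntax is not on these slides): the policy types named in the worksheets, manual-key IPsec, negotiated IPsec, discard and clear, correspond to the PROTECT, DISCARD and BYPASS actions of an RFC 4301 security policy database. The Go block below implements such an ordered, first-match policy table, classifies a few constructed packets, and includes a check for the classic misordering, a broad clear policy placed ahead of a protect policy, which silently sends traffic that was meant to be encrypted in plaintext. Addresses, ports and policy names are constructed for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// SPD actions in RFC 4301 terms: the slides' "discard" and "clear" policies are
// DISCARD and BYPASS; manual-key and negotiated policies are both PROTECT.
type action int
const (
	discard action = iota // drop silently
	clear                 // forward unencrypted
	protect               // encapsulate with IPsec ESP on the matching SA
)

// keying says where a protect policy's SA gets its keys.
type keying int
const (
	noKeying   keying = iota
	manualKey         // static keys entered on both appliances (manual key policy)
	negotiated        // keys negotiated by IKE (negotiated IPsec policy)
)

// selector identifies traffic; a zero proto or port means "any".
type selector struct {
	src, dst netip.Prefix
	proto    uint8 // 6 = TCP, 17 = UDP
	dstPort  uint16
}
type policy struct{ name string; sel selector; act action; key keying }
type packet struct{ src, dst netip.Addr; proto uint8; dstPort uint16 }

func (s selector) matches(p packet) bool {
	return s.src.Contains(p.src) && s.dst.Contains(p.dst) &&
		(s.proto == 0 || s.proto == p.proto) && (s.dstPort == 0 || s.dstPort == p.dstPort)
}

// covers reports whether every packet matching b also matches a.
func covers(a, b selector) bool {
	return a.src.Bits() <= b.src.Bits() && a.src.Contains(b.src.Addr()) &&
		a.dst.Bits() <= b.dst.Bits() && a.dst.Contains(b.dst.Addr()) &&
		(a.proto == 0 || a.proto == b.proto) && (a.dstPort == 0 || a.dstPort == b.dstPort)
}

// lookup is an ordered first-match search; RFC 4301 says unmatched traffic is discarded.
func lookup(spd []policy, p packet) policy {
	for _, pol := range spd {
		if pol.sel.matches(p) {
			return pol
		}
	}
	return policy{name: "(no match)", act: discard}
}

// shadowed lists protect policies that an earlier clear policy fully covers: they
// can never match, so their "encrypted" traffic actually leaves in plaintext.
func shadowed(spd []policy) []string {
	var out []string
	for i, pol := range spd {
		if pol.act != protect {
			continue
		}
		for _, earlier := range spd[:i] {
			if earlier.act == clear && covers(earlier.sel, pol.sel) {
				out = append(out, pol.name+" shadowed by "+earlier.name)
				break
			}
		}
	}
	return out
}

func pfx(s string) netip.Prefix { return netip.MustParsePrefix(s) }
var anyNet = pfx("0.0.0.0/0")

// Constructed SPD for a site LAN 10.1.0.0/16 peered with 10.2.0.0/16. The narrow
// PBX entry must precede the broad site-to-site entry or it would never match.
var spd = []policy{
	{"block-telnet", selector{anyNet, anyNet, 6, 23}, discard, noKeying},
	{"ntp-clear", selector{pfx("10.1.0.0/16"), anyNet, 17, 123}, clear, noKeying},
	{"pbx-manual", selector{pfx("10.1.5.0/24"), pfx("10.2.5.0/24"), 17, 5060}, protect, manualKey},
	{"site-to-site", selector{pfx("10.1.0.0/16"), pfx("10.2.0.0/16"), 0, 0}, protect, negotiated},
}

// classify returns "name/action[/keying]", the line a policy trace would show.
func classify(spd []policy, src, dst string, proto uint8, port uint16) string {
	pol := lookup(spd, packet{netip.MustParseAddr(src), netip.MustParseAddr(dst), proto, port})
	return pol.name + "/" + []string{"discard", "clear", "protect"}[pol.act] +
		[]string{"", "/manual-key", "/ike"}[pol.key]
}

func main() {
	fmt.Println(classify(spd, "10.1.5.10", "10.2.5.20", 17, 5060)) // pbx-manual/protect/manual-key
	fmt.Println(classify(spd, "10.1.3.4", "10.2.7.8", 6, 443))     // site-to-site/protect/ike
	fmt.Println(classify(spd, "10.1.3.4", "10.2.7.8", 6, 23))      // block-telnet/discard
	fmt.Println(classify(spd, "10.1.3.4", "192.0.2.5", 6, 443))    // (no match)/discard
	// A catch-all clear policy placed first quietly defeats both protect entries.
	bad := append([]policy{{"all-clear", selector{anyNet, anyNet, 0, 0}, clear, noKeying}}, spd...)
	fmt.Println(shadowed(bad)) // [pbx-manual shadowed by all-clear site-to-site shadowed by all-clear]
}
```

Two properties are worth verifying on any appliance with this kind of policy table: the default for unmatched traffic is discard rather than clear, and no clear entry precedes and covers a protect entry. The shadowed check answers the second question for the table as written, before the worksheet values are typed into the appliance.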
page 26
Summary
This module provided an overview of the network vulnerabilities and security threats companies face today.
The module also reviewed the factors that should be taken into consideration when designing a security solution.
It described basic Sentriant CE150 network design configurations.
And finally, it provided the technical information worksheets used to assist with the installation of the Sentriant CE150.
page 27
Summary continued
You should now be able to:
• List the factors taken into consideration when designing a network security solution.
• Understand the network vulnerabilities that are addressed by the Sentriant CE150.
• Describe basic Sentriant CE150 network design configurations.
• Identify the technical information required before you install a Sentriant CE150 in a customer site.