![Page 1: VLAN-Based Security for Modern Service-Provision Networks Version 1.0 October, 2001 Bill Woodcock Packet Clearing House](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649ca85503460f9496aa04/html5/thumbnails/1.jpg)
VLAN-Based Security for Modern Service-Provision
Networks
Version 1.0
October, 2001
Bill Woodcock
Packet Clearing House
![Page 2: VLAN-Based Security for Modern Service-Provision Networks Version 1.0 October, 2001 Bill Woodcock Packet Clearing House](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649ca85503460f9496aa04/html5/thumbnails/2.jpg)
We Have Linguistic Problems, not Technological Problems
The technology is much, much more flexible than most people’s ability to comprehend the problem-space.
The problem is in finding a mental model which allows users to comprehend the problems and their solutions, not in finding a technology to solve the problem.
![Page 3: VLAN-Based Security for Modern Service-Provision Networks Version 1.0 October, 2001 Bill Woodcock Packet Clearing House](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649ca85503460f9496aa04/html5/thumbnails/3.jpg)
Legacy Firewall TerminologyHistorical distinction between “packet
filtering firewalls” and “stateful-inspection firewalls” no longer very useful in the real world.
“inside,” “outside” and “DMZ” nomenclature limits lay-people’s ability to understand security.
![Page 4: VLAN-Based Security for Modern Service-Provision Networks Version 1.0 October, 2001 Bill Woodcock Packet Clearing House](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649ca85503460f9496aa04/html5/thumbnails/4.jpg)
Old Enterprise Solution: Stateful-inspection box Usually an application on top of Windows.
Immense differential between the complexity of the system and what’s exposed to the operator.
Usually very slow. Usually very low MTBF. Three 10/100 Ethernet interfaces.
No protection against stepping-stone attacks. No protection against untrusted users.
![Page 5: VLAN-Based Security for Modern Service-Provision Networks Version 1.0 October, 2001 Bill Woodcock Packet Clearing House](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649ca85503460f9496aa04/html5/thumbnails/5.jpg)
Stepping-Stone Attack
Attacker
VulnerableServer
NormalServer
“Outside”
“Inside” Allowed Port
![Page 6: VLAN-Based Security for Modern Service-Provision Networks Version 1.0 October, 2001 Bill Woodcock Packet Clearing House](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649ca85503460f9496aa04/html5/thumbnails/6.jpg)
Stepping-Stone Attack
Attacker
VulnerableServer
NormalServer
Attack Channel“Outside”
“Inside” Allowed Port
![Page 7: VLAN-Based Security for Modern Service-Provision Networks Version 1.0 October, 2001 Bill Woodcock Packet Clearing House](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649ca85503460f9496aa04/html5/thumbnails/7.jpg)
Stepping-Stone Attack
Attacker
CompromisedServer
Normal ServerNow At Risk
Control Channel“Outside”
“Inside” Allowed Port
![Page 8: VLAN-Based Security for Modern Service-Provision Networks Version 1.0 October, 2001 Bill Woodcock Packet Clearing House](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649ca85503460f9496aa04/html5/thumbnails/8.jpg)
Stepping-Stone Attack
Attacker
CompromisedServer
Normal ServerNow At Risk
Stepping-StoneAttack
“Outside”
“Inside”
![Page 9: VLAN-Based Security for Modern Service-Provision Networks Version 1.0 October, 2001 Bill Woodcock Packet Clearing House](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649ca85503460f9496aa04/html5/thumbnails/9.jpg)
Stepping-Stone Attack
Attacker
CompromisedServer
Normal ServerCompromised
“Outside”
“Inside”
Control Channel
![Page 10: VLAN-Based Security for Modern Service-Provision Networks Version 1.0 October, 2001 Bill Woodcock Packet Clearing House](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649ca85503460f9496aa04/html5/thumbnails/10.jpg)
Untrusted User Attack
Intranet Server
Untrusted User
“DMZ”
“Inside”
“Outside”
Many Allowed Ports
Allowed Ports
Normal User
![Page 11: VLAN-Based Security for Modern Service-Provision Networks Version 1.0 October, 2001 Bill Woodcock Packet Clearing House](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649ca85503460f9496aa04/html5/thumbnails/11.jpg)
Untrusted User Attack
Intranet Server
Untrusted User
“DMZ”
“Inside”
“Outside”
Many Allowed Ports
Allowed Ports
Normal User
Attack Channel
![Page 12: VLAN-Based Security for Modern Service-Provision Networks Version 1.0 October, 2001 Bill Woodcock Packet Clearing House](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649ca85503460f9496aa04/html5/thumbnails/12.jpg)
Untrusted User Attack
Compromised Server
Untrusted User
“DMZ”
“Inside”
“Outside”
Many Allowed Ports
Allowed Ports
Normal User
Control Channel
![Page 13: VLAN-Based Security for Modern Service-Provision Networks Version 1.0 October, 2001 Bill Woodcock Packet Clearing House](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649ca85503460f9496aa04/html5/thumbnails/13.jpg)
Modern Firewalling Don’t add points of failure. Make full use of
the high-MTBF equipment you already have. Don’t slow things down. Don’t invite Bill Gates into your network. Security needs should define your security
policy, not some coincidental number of physical interfaces on a box.
![Page 14: VLAN-Based Security for Modern Service-Provision Networks Version 1.0 October, 2001 Bill Woodcock Packet Clearing House](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649ca85503460f9496aa04/html5/thumbnails/14.jpg)
Simple Packet Filter
Router
“Inside”
Switch Fabric
“Outside”
One Large Packet Filter
![Page 15: VLAN-Based Security for Modern Service-Provision Networks Version 1.0 October, 2001 Bill Woodcock Packet Clearing House](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649ca85503460f9496aa04/html5/thumbnails/15.jpg)
Simple Packet Filter
Router
“Inside”
Switch Fabric
“Outside”
One Large Packet Filter
![Page 16: VLAN-Based Security for Modern Service-Provision Networks Version 1.0 October, 2001 Bill Woodcock Packet Clearing House](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649ca85503460f9496aa04/html5/thumbnails/16.jpg)
VLAN-Based Firewalling
Router
802.1Q VLAN Trunk
Switch Fabric
“Outside”
Many “Insides”
Many Small Packet Filters
![Page 17: VLAN-Based Security for Modern Service-Provision Networks Version 1.0 October, 2001 Bill Woodcock Packet Clearing House](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649ca85503460f9496aa04/html5/thumbnails/17.jpg)
VLAN-Based Firewalling
Router
802.1Q
Switch Fabric
“Outside”
“Insides”
Many Small Packet Filters
![Page 18: VLAN-Based Security for Modern Service-Provision Networks Version 1.0 October, 2001 Bill Woodcock Packet Clearing House](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649ca85503460f9496aa04/html5/thumbnails/18.jpg)
Relative Processing Speed
One large packet filter
(40 lines)
Average exit after 20 lines
![Page 19: VLAN-Based Security for Modern Service-Provision Networks Version 1.0 October, 2001 Bill Woodcock Packet Clearing House](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649ca85503460f9496aa04/html5/thumbnails/19.jpg)
Relative Processing Speed
Ten small packet filters
(4 lines each)
Average exit after 2 lines
Routing is cheap, ruleset processing is expensive. Use the router for what it’s good at.
Routing process selects output ruleset
![Page 20: VLAN-Based Security for Modern Service-Provision Networks Version 1.0 October, 2001 Bill Woodcock Packet Clearing House](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649ca85503460f9496aa04/html5/thumbnails/20.jpg)
What This Looks Like: Switchhostname OAK-Switch-3!interface FastEthernet0/41 description VLAN_341-OAK_DNS-131.161.2.0/30 switchport access vlan 341 speed 100 full-duplex
OAK-Switch-3# vlan databaseOAK-Switch-3(vlan)# vlan 341 name VLAN_341-OAK_DNS-131.161.2.0/30OAK-Switch-3(vlan)# exitAPPLY completed.Exiting....
![Page 21: VLAN-Based Security for Modern Service-Provision Networks Version 1.0 October, 2001 Bill Woodcock Packet Clearing House](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649ca85503460f9496aa04/html5/thumbnails/21.jpg)
What This Looks Like: Routerhostname OAK-Firewall!interface FastEthernet0/0 description 802.1Q VLAN Trunk to OAK-Switch-1 no ip address speed 100 full-duplex!interface FastEthernet0/0.341 description VLAN_341-OAK_DNS-131.161.2.0/30 encapsulation dot1Q 341 ip address 131.161.2.2 255.255.255.252 ip access-group ACL-341-OAK_DNS-IN in ip access-group ACL-341-OAK_DNS-OUT out!ip access-list extended ACL-341-OAK_DNS-IN permit udp host 131.161.2.1 eq domain any permit udp host 131.161.2.1 any eq domain permit tcp host 131.161.2.1 any eq domain permit tcp host 131.161.2.1 eq domain any deny icmp any any port-unreachable deny udp any any gt 0 log-input deny tcp any any gt 0 log-input deny ip any any log-inputip access-list extended ACL-341-OAK_DNS-OUT permit udp any host 131.161.2.1 eq domain permit udp any eq domain host 131.161.2.1 gt 1023 permit tcp any any established permit tcp any host 131.161.2.1 eq domain deny udp any any eq netbios-ns deny icmp any any deny udp any any gt 0 log deny tcp any any gt 0 log deny ip any any log
![Page 22: VLAN-Based Security for Modern Service-Provision Networks Version 1.0 October, 2001 Bill Woodcock Packet Clearing House](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649ca85503460f9496aa04/html5/thumbnails/22.jpg)
Example With VPN Endpoint
Router
802.1Q Trunk
Switch
“Outside”
VPN Endpoint
Access Ports
Server
Rulesets
![Page 23: VLAN-Based Security for Modern Service-Provision Networks Version 1.0 October, 2001 Bill Woodcock Packet Clearing House](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649ca85503460f9496aa04/html5/thumbnails/23.jpg)
Example With VPN EndpointTraffic enters network from the commodity network
Rulesets
![Page 24: VLAN-Based Security for Modern Service-Provision Networks Version 1.0 October, 2001 Bill Woodcock Packet Clearing House](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649ca85503460f9496aa04/html5/thumbnails/24.jpg)
Example With VPN Endpoint
RulesetsFirst ruleset guarantees that only IPSec traffic will reach the VPN endpoint
VPN endpoint is protected against non-IPSec attack
![Page 25: VLAN-Based Security for Modern Service-Provision Networks Version 1.0 October, 2001 Bill Woodcock Packet Clearing House](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649ca85503460f9496aa04/html5/thumbnails/25.jpg)
Example With VPN Endpoint
Rulesets
IPSec traffic enters “outside” of VPN endpoint
![Page 26: VLAN-Based Security for Modern Service-Provision Networks Version 1.0 October, 2001 Bill Woodcock Packet Clearing House](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649ca85503460f9496aa04/html5/thumbnails/26.jpg)
Example With VPN Endpoint
Rulesets
Decrypted IP traffic leaves “inside” of VPN endpoint
![Page 27: VLAN-Based Security for Modern Service-Provision Networks Version 1.0 October, 2001 Bill Woodcock Packet Clearing House](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649ca85503460f9496aa04/html5/thumbnails/27.jpg)
Example With VPN Endpoint
RulesetsSecond ruleset defines which internal resources VPN users are allowed access to
Users who have undergone visual authentication are differentiated from those who may have left a home terminal logged in
![Page 28: VLAN-Based Security for Modern Service-Provision Networks Version 1.0 October, 2001 Bill Woodcock Packet Clearing House](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649ca85503460f9496aa04/html5/thumbnails/28.jpg)
Example With VPN Endpoint
Third ruleset defines which
services are accessible on
a particular server