Firewall, Router and Switch Configuration Review

Helping You Ensure Your Infrastructure is Secure Firewall Router Switch Configuration Reviews

Upload: christine-macdonald

Post on 21-Dec-2014


DESCRIPTION

The presentation provides a topical overview of the areas to be looked at when conducting a Firewall, Router, or Switch configuration review. This presentation is based on a slide deck I prepared for an internal Learning & Growth session in March of 2014. More detailed material is available from the "References" slide.

TRANSCRIPT

Page 1: Firewall, Router and Switch Configuration Review

Helping You Ensure Your Infrastructure is Secure

Firewall Router Switch Configuration Reviews

Page 2: Agenda

• Overview & Functions

• What to Protect & Why

• Firewalls

• Routers & Switches

• Definitions

Page 3: Section 1. Traditional Corporate Network Overview & Functions

Page 4: Traditional Corporate Network Overview

Page 5: Network Functions

• Let people do the things they need to for work.

• Provide security for users and resources.

– Ensure network traffic is legitimate and not malicious

– Take action against malicious traffic

– Log actions taken

Page 6: Section 2. What to Protect & Why

Page 7: What to Protect

• What are the Crown Jewels for the company?

  – PCI, PII, Proprietary Resources

    • PCI (payment card) data is often NOT the most sensitive data stored

    • PCI is often emphasized because of the financial penalties for non-compliance

  – Examples of non-PCI data that would be critical to protect:

    • Company that invents, manufactures and sells surgical devices

      – Schematics, drawings, plans, research & development, financials

    • Software company

      – Code repositories, plans, research & development, financials

    • Social media company

      – Usernames, passwords, personal information

Page 8: Why is This Important?

• Helps determine whether the configuration of the devices permits the flow of data the business needs while protecting resources

• Questions you should ask yourself:

  – What resources need protection?

    • Defining what resources need protection helps you decide how to control traffic

  – Are they adequately protected by device configurations?

    • Your firewall, router, and switch policies and configurations should protect your important assets

  – Are there concentric rings of security surrounding high value resources?

    • From the external firewall inward, your network devices should control and monitor traffic to and from your resources

Page 9: Section 3. Firewalls

Page 10: Firewalls

Page 11: Firewalls

• Usually secure by default: most ship denying everything not explicitly permitted, so the review concentrates on what has been opened up

• Must provide Stateful Packet Inspection at a minimum

  – Application Layer control is desired and available on most modern firewalls

• Take careful note of any “any” rules

  – Where, if anywhere, are “any” rules OK? An “any” source toward a single DMZ host and port is expected on an Internet-facing interface; “permit ip any any” is not, and because rules match on first hit, every rule below it is dead

• Ensure management is conducted over a secure channel (SSH or HTTPS)

• Many vendors (examples: Check Point, Cisco, Juniper, pfSense)

• May have integrated IDS/IPS
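The “any” rule check above is easy to automate. The following Python script is an added example for this page, not code from the deck or its author: it parses IOS-style extended ACL entries, classifies each “any” rule by how much it exposes, and flags the rules that become unreachable once a “permit ip any any” has matched. The ACL text is constructed for the example, and the severity levels are one reviewer's policy for an Internet-facing firewall, not a vendor standard.

```python
"""Audit IOS-style extended ACLs for over-broad ("any") entries.

Added example for this page, not from the original deck.  SAMPLE_ACL is a
constructed configuration, and the severities encode one review policy for an
Internet-facing firewall; they are an assumption, not a vendor standard.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

SAMPLE_ACL = """\
ip access-list extended OUTSIDE_IN
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.10 eq 80
 permit ip any any
 deny ip any any log
ip access-list extended INSIDE_OUT
 permit udp 10.0.0.0 0.255.255.255 host 10.0.0.53 eq 53
 permit tcp 10.0.0.0 0.255.255.255 any eq 443
 permit ip 10.0.0.0 0.255.255.255 any
 deny ip any any log
"""

ENTRY_RE = re.compile(r"^\s*(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(.*)$")
PORT_OPS = {"eq": 2, "neq": 2, "gt": 2, "lt": 2, "range": 3}  # tokens consumed


@dataclass
class Entry:
    acl: str
    action: str
    proto: str
    src: str      # "any" or a CIDR string
    dst: str
    ports: str    # "" when the entry matches every port
    logged: bool
    raw: str


def _wildcard_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted netmasks; invert back and build a network."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return CIDR and the rest."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]}/32", tokens[2:]
    return str(_wildcard_net(tokens[0], tokens[1])), tokens[2:]


def _take_port(tokens: List[str]) -> Tuple[str, List[str]]:
    if tokens and tokens[0] in PORT_OPS:
        n = PORT_OPS[tokens[0]]
        return " ".join(tokens[:n]), tokens[n:]
    return "", tokens


def parse(acl_text: str) -> List[Entry]:
    entries, acl = [], "<unnamed>"
    for line in acl_text.splitlines():
        if line.startswith("ip access-list"):
            acl = line.split()[-1]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        action, proto, rest = m.groups()
        tokens = rest.split()
        logged = bool(tokens) and tokens[-1] in ("log", "log-input")
        if logged:
            tokens = tokens[:-1]
        src, tokens = _take_addr(tokens)
        sport, tokens = _take_port(tokens)
        dst, tokens = _take_addr(tokens)
        dport, tokens = _take_port(tokens)
        ports = " ".join(p for p in (sport, dport) if p)
        entries.append(Entry(acl, action, proto, src, dst, ports, logged, line.strip()))
    return entries


def review_acl(acl_text: str) -> List[Tuple[str, str, str]]:
    """Return (acl, severity, message) findings in ACL order."""
    findings, shadowed_by = [], {}
    for e in parse(acl_text):
        if e.acl in shadowed_by:   # first match wins: nothing after a full permit runs
            findings.append((e.acl, "HIGH", f"unreachable after '{shadowed_by[e.acl]}': {e.raw}"))
        elif e.action == "deny":
            continue
        elif e.proto == "ip" and e.src == "any" and e.dst == "any":
            findings.append((e.acl, "CRITICAL", f"permits everything: {e.raw}"))
            shadowed_by[e.acl] = e.raw
        elif e.dst == "any" and not e.ports:
            findings.append((e.acl, "MEDIUM", f"{e.src} may reach anything on any {e.proto} port: {e.raw}"))
        elif e.src == "any" and not e.ports:
            findings.append((e.acl, "MEDIUM", f"anyone may reach {e.dst} on any {e.proto} port: {e.raw}"))
        elif e.src == "any":
            # A specific host and port from "any" is the normal shape of an Internet-facing
            # inbound rule; it is listed so the reviewer confirms the target sits in the DMZ.
            findings.append((e.acl, "INFO", f"any-source rule, confirm {e.dst} is in the DMZ: {e.raw}"))
    return findings


if __name__ == "__main__":
    for acl, sev, msg in review_acl(SAMPLE_ACL):
        print(f"{acl:12} {sev:8} {msg}")
```

On the sample, OUTSIDE_IN yields two INFO entries for the web server, a CRITICAL for the blanket permit, and a HIGH for the logging deny that can never match; INSIDE_OUT yields a single MEDIUM for the unrestricted outbound permit, while the port-limited outbound HTTPS rule passes. Real ACLs also carry object groups, remarks and ICMP types, which this parser does not handle.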

Page 12: Bad Example

Page 13: Good Example

Page 14: Section 4. Routers & Switches

Page 15: Routers

• Unlike Firewalls, NOT secure by default

• Control the flow of traffic with ACLs at a minimum, or Stateful Packet Inspection

• Control access to the device

  – Secure protocols only (SSH or HTTPS, not Telnet or HTTP)

  – Only from the management subnet if possible

• Disable unneeded services

  – Finger, CDP, Telnet

• Enable good services

  – TCP keepalives, so dead sessions are torn down instead of holding management lines open

• Configuration management

• Change management

  – Most outages are caused by human error during changes

Page 16: Routing Example

Page 17: Switches

• Also NOT secure by default

• Similar to the Routers slide above, but additionally:

  – Disable the “Default VLAN”: do not carry user, trunk-native or management traffic on VLAN 1; on most switches it cannot be deleted, so move every port off it and shut it down

  – Use a separate VLAN for device management if possible

Page 18: Additional Considerations

• Virtual Private Network (VPN) Users?

  – Must be properly authenticated and controlled

  – Access for VPN users should be restricted based on business need

• Authentication to Management Interfaces

  – Uses secure channels (SSH, HTTPS)

  – Uses Enterprise authentication (LDAP, RADIUS)

  – Activity is logged externally (syslog)

  – Watch for back doors: if back doors are in place for device management (such as local authentication that bypasses RADIUS), ensure that they are allowed by policy and secured properly
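The Routers, Switches and Additional Considerations slides above are a checklist that a reviewer can run mechanically against a saved configuration. The Python script below is an added example for this page, not code from the deck or its author: it walks an IOS-style configuration and reports unneeded services, missing TCP keepalives, plaintext management, vty lines that still allow Telnet or lack a management-subnet access-class, an active default VLAN, missing AAA or external logging, and the local authentication fallback the slide calls a back door. Both configurations are constructed, and the checks assume classic Cisco IOS defaults (CDP on, Telnet allowed when no transport input is set).

```python
"""Review an IOS-style running configuration for the router, switch and
management points on this page: unneeded services, secure management access
from the management subnet, TCP keepalives, the default VLAN, enterprise
authentication with its local back door, and external logging.

Added example, not from the original deck.  Both configurations are constructed.
The checks encode one reviewer's expectations, not a vendor baseline, and assume
classic Cisco IOS defaults (CDP on; telnet allowed when no 'transport input' is set).
"""
import re
from typing import List, Tuple

WEAK_CONFIG = """\
service tcp-keepalives-in
ip finger
ip http server
aaa new-model
aaa authentication login default group radius local
logging host 10.10.0.20
interface Vlan1
 ip address 10.0.1.2 255.255.255.0
 no shutdown
interface Vlan99
 ip address 10.99.0.2 255.255.255.0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 access-class MGMT-ACL in
 transport input ssh
"""

HARDENED_CONFIG = """\
no cdp run
service tcp-keepalives-in
service tcp-keepalives-out
no ip http server
ip http secure-server
aaa new-model
aaa authentication login default group radius
logging host 10.10.0.20
interface Vlan1
 shutdown
line vty 0 15
 access-class MGMT-ACL in
 transport input ssh
"""


def parse_sections(config: str) -> List[Tuple[str, List[str]]]:
    """Group an IOS config into (header, [indented child lines]) pairs."""
    sections: List[Tuple[str, List[str]]] = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def review_config(config: str) -> List[str]:
    sections = parse_sections(config)
    top = {hdr for hdr, _ in sections}
    findings: List[str] = []

    # Routers slide: disable unneeded services, enable good ones
    if "ip finger" in top or "service finger" in top:
        findings.append("finger is enabled; add 'no ip finger'")
    if "no cdp run" not in top:
        findings.append("CDP runs by default and is not disabled ('no cdp run')")
    for svc in ("service tcp-keepalives-in", "service tcp-keepalives-out"):
        if svc not in top:
            findings.append(f"missing '{svc}'; dead sessions keep vty lines busy")
    if "ip http server" in top:
        findings.append("plaintext HTTP management is on; keep only 'ip http secure-server'")

    # Routers/Switches slides: SSH only, management subnet only, default VLAN unused
    for hdr, kids in sections:
        if hdr.startswith("line vty"):
            transport = next((k for k in kids if k.startswith("transport input")), None)
            if transport != "transport input ssh":
                findings.append(f"{hdr}: {transport or 'no transport input (telnet allowed)'}; "
                                "set 'transport input ssh'")
            if not any(k.startswith("access-class") for k in kids):
                findings.append(f"{hdr}: no access-class; limit logins to the management subnet")
        if hdr.lower() == "interface vlan1" and "shutdown" not in kids:
            findings.append("interface Vlan1 is up; keep the default VLAN unused and shut down")

    # Additional Considerations slide: enterprise auth, back doors, external logging
    if "aaa new-model" not in top:
        findings.append("AAA is off; authenticate admins against RADIUS or TACACS+")
    for hdr in top:
        m = re.match(r"aaa authentication login \S+ (.+)", hdr)
        if m and "local" in m.group(1).split():
            findings.append(f"'{hdr}': local fallback is a back door; confirm policy allows it")
    if not any(h.startswith("logging host") for h in top):
        findings.append("no 'logging host'; activity is not logged off-box to syslog")
    return findings


if __name__ == "__main__":
    for f in review_config(WEAK_CONFIG):
        print("-", f)
    print("hardened:", review_config(HARDENED_CONFIG) or "no findings")
```

The weak configuration produces eight findings; the hardened one produces none. HARDENED_CONFIG drops the local fallback only so the clean run is visible: in practice a local account that is reachable when RADIUS is down is often kept deliberately, and the slide's point is that such a back door must be approved by policy and secured (strong secret, console-only where possible), not that it must never exist. The finger and HTTP checks look for the enabling line, while the CDP check looks for the absence of the disabling line, because those are the respective IOS defaults.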

Page 19: Commonalities

• All devices have the following security concerns in common:

  – Control and permit access to resources for authorized users

  – Deny access to unauthorized users

• Additionally, the network infrastructure should

  – Detect, Deter, Prevent, Log malicious activity

  – Provide Admins with a secure means of managing devices

Page 20: Section 5. Definitions

Page 21: Definitions

• DMZ – Demilitarized Zone – A semi-trusted segment between the outside (Internet) and inside (Corporate LAN) networks where devices that have to be accessed by Internet users reside, so that a compromise there does not give direct access to the inside network.

• ACL – Access Control List – Basic method for controlling network traffic flow; each packet is judged on its own against an ordered list of permit and deny entries.

• SPI – Stateful Packet Inspection – Goes beyond what ACLs can do and tracks traffic based on connection state, so replies are admitted only for sessions that were legitimately initiated.

• Deep Packet Inspection – Reconstructs traffic up to the Application Layer to some degree to verify that it is legitimate; the basis of application layer firewalls.

Page 22: Definitions (continued)

• BOGON – Bogus IP addresses: public IP space that has not been allocated by IANA or the regional registries, so legitimate traffic should never originate from it. The list shrinks as space is allocated and must be kept current.

• Martian – Addresses that are private or reserved for testing or special use cases (ex. 127.0.0.0/8, 192.168.0.0/16); they should never appear as a source on an Internet-facing interface.
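The two definitions above describe what a border device should drop on its Internet-facing interface. As an added example for this page (not code from the deck or its author), the Python script below encodes the fixed martian ranges from the RFC special-purpose registry, classifies a single address, emits IOS deny lines for the whole set, and checks an existing ingress ACL for martians it fails to deny. The range table and ACL text are constructed for the example; bogons in the strict sense (unallocated space) change over time and have to come from a maintained feed, which this offline script does not fetch.

```python
"""Martian source filtering for an Internet-facing ingress ACL.

Added example for this page, not from the original deck.  MARTIANS lists the
fixed special-purpose ranges (RFC 6890 and the RFCs named); it does not cover
bogons in the strict sense (unallocated space), which change over time and
must be pulled from a maintained feed.  The ACL text is constructed.
"""
import ipaddress
import re
from typing import List, Optional

MARTIANS = {
    "0.0.0.0/8": "this network (RFC 1122)",
    "10.0.0.0/8": "private (RFC 1918)",
    "100.64.0.0/10": "shared address space / CGN (RFC 6598)",
    "127.0.0.0/8": "loopback (RFC 1122)",
    "169.254.0.0/16": "link local (RFC 3927)",
    "172.16.0.0/12": "private (RFC 1918)",
    "192.0.0.0/24": "IETF protocol assignments (RFC 6890)",
    "192.0.2.0/24": "documentation TEST-NET-1 (RFC 5737)",
    "192.168.0.0/16": "private (RFC 1918)",
    "198.18.0.0/15": "benchmarking (RFC 2544)",
    "198.51.100.0/24": "documentation TEST-NET-2 (RFC 5737)",
    "203.0.113.0/24": "documentation TEST-NET-3 (RFC 5737)",
    "224.0.0.0/4": "multicast (RFC 5771)",
    "240.0.0.0/4": "reserved, incl. limited broadcast (RFC 1112)",
}


def classify(addr: str) -> Optional[str]:
    """Return why an address is martian, or None if it is routable public space."""
    ip = ipaddress.ip_address(addr)
    for net, reason in MARTIANS.items():
        if ip in ipaddress.ip_network(net):
            return reason
    return None


def martian_deny_acl(name: str) -> List[str]:
    """Emit IOS extended-ACL lines denying martian sources, one per range.

    A real border ACL would also deny the organisation's own prefixes as a
    source (anti-spoofing, RFC 3704) before the permits that follow."""
    lines = [f"ip access-list extended {name}"]
    for net in MARTIANS:
        n = ipaddress.ip_network(net)
        lines.append(f" deny ip {n.network_address} {n.hostmask} any log")
    return lines


def _wildcard_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted netmasks; invert back and build a network."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


DENY_RE = re.compile(r"^\s*(?:\d+\s+)?deny\s+ip\s+(any|\S+\s+\S+)\s+any\b")


def missing_martian_denies(acl_text: str) -> List[str]:
    """List martian ranges that an existing ACL does not deny as a source."""
    denied = []
    for line in acl_text.splitlines():
        m = DENY_RE.match(line)
        if not m:
            continue
        if m.group(1) == "any":
            denied.append(ipaddress.ip_network("0.0.0.0/0"))
        else:
            denied.append(_wildcard_net(*m.group(1).split()))
    return [net for net in MARTIANS
            if not any(ipaddress.ip_network(net).subnet_of(d) for d in denied)]


# Constructed partial border ACL: only the RFC 1918 and loopback ranges are filtered.
SAMPLE_BORDER_ACL = """\
ip access-list extended BORDER_IN
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 permit ip any any
"""

if __name__ == "__main__":
    for rng in missing_martian_denies(SAMPLE_BORDER_ACL):
        print(f"not denied: {rng:16} {MARTIANS[rng]}")
```

Against the sample border ACL the check reports ten ranges still accepted as sources, including 100.64.0.0/10 and 224.0.0.0/4; the ACL produced by martian_deny_acl() passes the same check with nothing missing. Note that 203.0.113.0/24 and the other documentation ranges appear in the table because real hosts never use them, which is also why examples elsewhere on this page use them as stand-ins for public addresses.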

Page 23: Templates, References

• NSA SNAC Guides

• Vendor Documentation

  – Cisco IOS Security Configuration Guide: http://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/12_4/sec_12_4_book.html

• Open source / volunteer

  – Cymru.com Secure IOS Template: https://www.cymru.com/Documents/secure-ios-template.html

• For Routing reviews, Border Router Security Tool: http://borderroutersec.org/

Page 24: Contact Us

Ted LeRoy, Security [email protected]

Security Compass

http://www.securitycompass.com

SD Elements

http://www.sdelements.com