Deigning network with implementing security:
CCDA security management is about the Implementation of security with some design standpoint, as a CCDA candidate you should understand the reason of network security and some efficient approaches for implementing the network security. You also need to focus on confidentially, integrity and Authentication. You can design a good secure network by going into following steps:
- Find out security risks and threats
- Define Network security policy and process
- Trust and Identity management
- Secure connectivity
- Threat Defense
Find out security risks and threats:
For designing a secure network you need to define and address all the risks and threats in your organization. An effective secure network design should be transparent to end user and you should need to create a balance between network security and performance, it means you can implement the high security for attacks and threats but on the other hand you need to balance the productivity of users as well. Following are the some of the most common threats:
- Unauthorized access
- Denial of Service (Dos)
Reconnaissance is an information gathering process includes scanning and exploration of network resources. A lot of worm attacks, virus attacks Trojan horse attacks and access layer attacks are usually consider as the reconnaissance. Reconnaissance can also be accomplished through social engineering, email sniffing and with fishing as well. There are several tools that you can use for reconnaissance for example we can use Nmap, supperscan, Netstumbler for wireless network, aero peek etc. The goal of Reconnaissance is to gather the as much information of target network and then use this information for attacking the computer/ network. So as the network engineer you need to ensure your data from reconnaissance.
The unauthorized access is another main security threat, a hacker can get the unauthorized access to your resources with the information that he gather from reconnaissance. This access includes the access to system, physical access or anything that escalate your privileges.
Denial of Service (Dos):
Denial of service is one of the most dangerous types of threat and this is basically the overvaluing resources on systems, servers, this could be a bandwidth issue
Vulnerability: sometimes we consider the vulnerability as the type of risk, confidentially of data, integrity of data, and risk to authenticity of users and systems, risk to availabilities.
Identify all the devices that can be targeted and implement the security measures for securing these devices. Target devices includes the routers, multilayer switches, wireless access points, wireless controllers, firewalls, IDS/IPS and other network services like DNS, DHCP etc.
To protect network resources, processes, and procedures, technology needs to address several security risks. Important network characteristics that can be at risk from security threats include data confidentiality, data integrity, and system availability.
- System availability should ensure uninterrupted access to critical network and computing resources to prevent business disruption and loss of productivity.
- Data integrity should ensure that only authorized users can change critical information and guarantee the authenticity of data.
- Data confidentiality should ensure that only legitimate users can view sensitive information to prevent theft, legal liabilities, and damage to the organization.
Define security policy and process
Defining the security policy for your network security is an important aspect of network design, you can learn more about the security policy.
Trust and Identity management:
Trust identity management is a critical part of developing network security.Trust and identity management is basically define who can access the network, when they can access and from where they can access. It also has the mechanism for separating the infected machines by enforcing access control. Trust include the thing like only devices that fulfilling your security policy can communicate with your firewall, switches and router. You can define the domain of trust in your network for creating the different trust zone with different trust relations. Identity is what the subject has known, what it is. Identity is the “who” of a trust relationship. These can be users, devices, organizations, or all of the above. Network entities are validated by credentials. Generally, identity credentials are checked and authorized by requiring:
- Passwords or pins
To satisfying the network security you need to ensure the internal and external network connectivity, for WAN you can use the VPN with IPsec or SSH. Some of recommended infrastructure protection measures are as follows:
- Use SSH instead of Telnet, because telnet send the data in clear text which can be hacked easily.
- Implement the port base security on your Cisco catalyst.
- You can implement AAA server for authentication.
- Logging is a very important aspect of security you can implement the log with syslog and enabling SDEE.
- You need to use the latest and secure versions of protocols like use HTTPs instead of http, also you can use the secure version of SNMP3, NTP3 and secure version of FTP that is SFTP.
- Make sure no one can stop the security services on local systems and on servers.
- You can enable the routing protocols authentication for security the communication between your end routers.
- With ACL only allow the trusted hosts to your network and deny all other hosts and sub-network
- You can also secure the internal traffic with IPsec
Threat defense enhances the security in the network by adding increased levels of security protection on network devices, appliances, and endpoints. DoS attacks, man-in-the-middle attacks, and Trojan horses have the potential to severely impact business operations. The Cisco Threat Defense System (Cisco TDS) provides a strong defense against these internal and external threats.
Threat defense has three main areas of focus:
- Enhancing the security of the existing network: Preventing loss of downtime, revenue, and reputation
- Adding full security services for network endpoints: Securing servers and desktops endpoints with Cisco Network Admission Control (NAC)
- Enabling integrated security in routers, switches, and appliances: Security techniques enabled throughout the network, not just in point products or locations
Physical security also helpful against different security threats and helps to protect and restrict access to network resources and physical network equipment. Here are some considerations for potential physical threats:
- Access to the network, allowing attackers to capture, alter, or remove data flowing in the network.
- Attackers may use their own hardware, such as a laptop or router, to inject malicious traffic onto the network.
- Use physical access controls such as locks or alarms.
By using best practices and a security policy, you can secure and harden the infrastructure equipment to prevent potential attacks. To combat network threats, Cisco has enhanced Cisco IOS with security features to support the secure infrastructure and increase the network’s availability.
Here are some recommended best practices for infrastructure protection:
- Access network equipment remotely with SSH rather than with Telnet.
- In network switching infrastructure, use BPDU Guard, Root Guard, and VLAN Trunking Protocol (VTP) mode Transparent.
- In network switching infrastructure, use ARP inspection and DHCP snooping.
- Use AAA for access control management.
- Use Simple Network Management Protocol Version 3 (SNMPv3) for its security and privacy features.
- Use FTP or SFTP rather than TFTP to manage images.
- Use access classes to restrict access to management and the command-line interface (CLI).