Building a Defensible Network – Ability to plan and create a defensive network

2958105570_e284f75acf
  • Click here to download the original properly formatted document.
  • One of the worst mentalities to have in the networking world is to believe that you are 100% safe from attacks and intrusions.  This is just false hope and horrible ego to have.  Paranoia is one of your best friends when running a network due to the constant changes in technology, and the relentless attacks of those that want to break it.  In this piece, I demonstrate my ability to create a network that covers the basics and should withstand many attacks.  While we will never be perfectly safe, setting up proper defensive measures will go a long way in securing a network.

To design a defensible network, we must think of every little detail involved in the planning process.  We can compare it as art because you are essentially designing something in your own fashion.  The network should, by the end deployment, be up to date with current technologies and threats, contain proper elements and layers to prevent attacks, and contain depth without being overly complicating.  Bejtlich (2008) made it rather clear when he wrote “a defensible network is an information architecture that is monitored, controlled, minimized, and current. In my opinion, a defensible network architecture gives you the best chance to resist intrusion, since perfect intrusion prevention is impossible.”   Although I have yet to have a true real-world experience with creating a network, I will take what I have learned from classes and my knowledge of networking in general to create a safe networking environment.

My first step is to figure out what kind of operation are we running which will allow me to consider hardware ideas.  Hardware should usually be the first step because you can’t have a network without it.  I’m going to make this a smaller organization with a distant partner.  “Home base” will house fifty regular users and while there are no magic numbers for the amount of administrators, I believe that having three administrators to share the workload and having specific jobs should suffice for now.  Our distant partner will employ seventy users with four administrators.  These numbers aren’t huge, but this is a smaller organization that I expect will expand as time goes on.  In the meantime, it’s time to figure out the hardware.

First off, we’ll be using PCs instead of anything Apple related.  I don’t expect the user computers to require a ton of power.  They aren’t playing the latest graphic-intensive games or anything, they are doing work.  But that doesn’t mean they should be using some $300 Netbook either.  I would like to keep a standard on what each computer is, perhaps the same specs at Home Base.  We could build these computers ourselves, which would give us decent power at a lower cost, much better understanding of the computer hardware and equipment (ever had to use those restore discs from HP or Dell?  Nightmares).  Or, as an option I’m not agreeable on, we could have a contract with one of the big companies such as Dell, Asus, Sony, etc.  In my situation as a type of hardware “guru”, I want to build my own machines because I know I can do it cheaply while still creating a great computer that allows me to know exactly what is in it, and what may need repaired in unforeseen circumstances.  It’s my preferred method.  I also believe that every computer should follow the same formula and contain the same specifications.  This way, all users are even and it’s much easier for the administrators to keep up with everything.  Speaking of the administrators, their computers will obviously need more horsepower for all the work they will be doing.  I expect these computers to be a lot more powerful to keep up with constant monitoring and workloads.  I don’t feel this is unfair to the users:  It’s just plain smart.  In actuality, the administrator computers will act as the servers.

One thing to highly consider is the type of Internet service we will be using.  I know Intranets are becoming more common due to their way of keeping everything tight and inside the corporation.  But I like to go with what I know (and that’s usually the best setup), and right now, I’m not totally sure if using an Intranet would be the best way.  Security-wise… sure, but users and administrators may need to access many things outside of the Intranet and I’m not totally sure that utilizing an Intranet will work for this. What I do know is that there are many companies, such as Comcast, who offer great plans for businesses.  These plans offer things such as back-ups, business security, and enough bandwidth for all users, depending on the chosen plan and the amount of users involved.  Basically, there should be no excuse for a lack of bandwidth on one of these plans and even so, we can limit each computer to the amount of bandwidth it should use.  Are the users going to really need 1MB?  No, of course not, we can limit them to far lower than that while still enjoying speedy access.

With that said, I don’t see the point of having a ton of routers in my setup.  Some might yell Blasphemy, but I think it being a smaller network we could get away with using one router.  That’s right, one.  If we go with an Internet business class suite, we can use the modem to connect to this one router (No, we won’t be using any special modem/router combination that those ISPs like to give you).  The router I’d want would be top of the line that incorporates a ton of security features.  Again, my obsessive fascination with using things that are meant for that specific reason, instead of combos or multiple gadgets shoved into one box is the reason for this.  But I’m not done yet as I have to make sure everyone has access.   This is where Switches come in.  Since Switches offer slightly better abilities than hubs, I would certainly go with them.  Now, say our Router has eight Ethernet ports.  We can buy dependable switches that can hold up to twenty-four Ethernet connections and with having fifty users plus administrators, three of these switches will work perfectly with room for expansion.

To expand on that a bit more, we will be using wired connections.  As much as I enjoy the freedom of Wireless, I don’t feel it has any business in my network.  I feel that while it does offer benefits, it is a huge security risk compared to being wired.  So for any possible attacker who would like to sit near the building to try to tap into a wireless signal, it’s not going to happen.  Ethernets will be the wire of choice, and considering it’s not a huge organization with a huge building, fiber optics would be an unnecessary expense.

Early design layout of home:

Now that the hardware is set, it’s time to figure out the software and it should always be the operating system that comes first.  I have always been a Microsoft person and I feel that I know the Windows platform better than other operating systems.  I also feel that the users would be far more comfortable with that considering it is what most average people use.  I am going to run Windows 7 on all user machines.  It will be familiar for them, and we can utilize many software programs.  I also believe that Microsoft got it right with Windows 7 and it is a dependable OS compared to previous lackluster efforts.  Considering we are a business, I’m sure we could get package deals for the OS that might save some cash.  Now, the administrators of course will be running something slightly different.  They need to be able to have a lot more power, flexibility, and options at their hands in regards to networking.  They will be running Microsoft Server 2008 as opposed to Sever 2003.  I feel that 2008 will incorporate more features that keep up with today’s standards in networking and also utilize the newest hardware and software features.

There are going to be needs for software of course, and this is why I feel those operating systems will work better for us, as well.  Administrators know what they need and what they don’t.  They are trusted with that knowledge (that’s why they are hired as administrators, after all).  In terms of the users though, they should use what we feel they need.  We can’t let them go rampant and install anything they find or see fit.  That’s just a security mess waiting to happen.  For work, Microsoft Office will no doubt be an essential software suite with its variety of software tools for business-like jobs.  E- mail, video conferencing, and web browsing will all have designated software as well.  I will be deploying the use of Mozilla Thunderbird to handle our internal e-mails.  Mozilla Firefox will be the web browser of choice as I feel it is a much stronger browser compared to the likes of Internet Explorer which seemingly has new vulnerabilities every month.  I would like to use Skype for any video conferencing. Again, my obsession shows as I like to have software for specific conditions.  I feel that each of these are secure in their own right and have enough options to tailor to our security needs.

As for our distant partner, I would like them to share similar ideas to how we are running things.  While it may not be exact, I need to know what hardware and software they are planning on using and what type of access they are allowing their users to have.  Personally, I’d rather standardize the ideas of Home Base to them so we’re all on the same page and distant networking will be safe and secure.

The thought of distant networking can be scary.  For one thing, I have to make sure that all computers at home base are correctly, and securely, connected to the servers via a Domain.  With Windows Server 2008 and our admin servers, setting up a domain will be relatively easy.  We’ll be in charge of making sure the correct people have the correct levels of power.  The power of least privilege prevails here.  No user should be able to have any more access or abilities than they need.  Also, within this Domain, we can setup different departments depending on the user (sales, finance, research, etc.) We can also connect our distant partner easily to our domain and bring in those users and categorize them to the correct departments as well.  They too will only have the rights they need, including their administrators.

A VPN should also be setup for users who need access while away.  I believe this shouldn’t be a huge problem and we can tweak the settings to our needs.  Again, users over a VPN will only have a certain amount of access.  It’s too risky at times, even if they are rather secure.  The point of creating a VPN would be for users who are at home and need to access the database for various work-related projects.  Again, least privilege works considerably well here.  I feel that this will also keep productivity strong since those who need to get work done away from the offices can do so.  I would suggest we purchase a VPN from a reputable and strong company.  They can offer many advantages with decent pricing, more so than the freebies out there.  Plus, my knowledge in that field is very dim at the moment and unless one of the other administrators knows a lot, I think a reputable VPN from a company would be a wise choice.  This VPN can be and should be used in the distant partner as well, the same setup, of course, for all of their users.  Every security option should be standardized.

I understand that users absolutely hate attempting to remember long passwords with a variety of rules such as Uppercase, Lowercase, numbers, and long lengths.  This can make things really tedious even if it is for the best.  This can cause a security concern as people will forget their passwords, write them down, get them lost, get locked out and a mess of other situations.  I know this may cost a bit more, but the data and information of my business is even more valuable, I would like to introduce a small form of Biometrics on each machine.  Using a fingerprint scanner, each user can easily log into their computer through print identification and a four digit pin number.  I feel that this creates a stronger security presence, while not making it too stressful on the users.  The idea is to change the pin number every six months so it isn’t the same and more difficult for would-be hackers.

It is now time to look into some security measures.  The most obvious thing is to setup a firewall on each computer.  Firewalls are so valuable and should be a common standard in any professional and home setup.   Rosamond (2004) mentioned that “We can invisibly restrict traffic moving in and out of our network are various choke points, so that packets are merely dropped if they don’t match our ingress firewall rule sets (p. 11).   Of course, referring to certain software, we will need to allow them to pass through the firewall as well.  There are many out there to choose from and even Windows includes a rather generic firewall, but it appears that ZoneAlarm has been a consistent winner.  Setting up the firewall on each computer will definitely create an even securer environment and possibly keep users from accessing certain unwanted things.  But, it does need to be setup properly for all things such as the VPN connection, domains, and even make sure it isn’t causing conflicts with the router and switches. Headaches are bound to happen, but once it’s running smoothly, it will be a great addition.

There are many nasty things out on the Internet that can compromise our systems besides hackers.  Those would be the viruses, worms, and malware of the world.  Installing Anti-Virus software on each machine is another necessity.  Again, there are so many to choose from out there including strong suites from McAfee and Norton, who offer easy updates, business solutions, and yearly renewals and upgrades.  Now, at home, I don’t use them.  Instead, I have adjusted myself to the freeware out there such as AVG and Avast. These programs offer great protection without all the costs and aren’t as likely to be full of bloat-ware like others.  However, in an organization, are they as trustworthy?  I’m not quite sure of this and since McAfee and Norton are both well known and semi-respected companies that completely deal with viruses, it may be best to go with one of them in this environment.  They should keep the machines clean and warn users of any possible issue.

Installing a IDS is another big factor in terms of network security.  We want to have something that will constantly monitor what’s going on within our network and there are a few options.  Snort and Wireshark both offer the methods to do so.  However, Snort seems to be very popular and constantly updated.  This might be the best way to go as it is considered a Network Intrusion Prevention/Detection system (NIPS/NIDS).  It’s free and comes highly recommended from the general community.  It can provide real-time traffic analysis, logging, and can be used in different modes which are all needed. Sniffer, packet logger, and intrusion detection are all great things to have and are all included in Snort.  My plans for Snort, if possible, are to setup two variations of it.  I would like to set it to just log, nothing else, outside of the firewall.  I know this may cause a lot of resources to utilize it properly, but I feel that using it only for logging purposes outside of the firewall would allow for us to see what kind of activity is trying to push through.  How often are we getting hit and with what?  It may seem redundant, but I believe that it could benefit us to know what’s happening out there.  As well, we could use this for documentation for colleges and students.   The other part would be set behind the firewall, within our organization.  We can set it up here for intrusion and detection.  It won’t need as much as a workload since the traffic will be contained more and it will benefit us greatly in case anything is making its way through.  While I know that false negatives and positives will occur, adding this structure is still an intelligent move.

This brings me to another point – Logging.  Hard drives are very cheap now for a large amount of storage.  I don’t see this as a problem at all.  All logs should be dumped for the administrators to have access to.  Now, there are a lot of options for backing up logs these days.  We could go the route of using discs to burn the logs onto and have them filed under dates.  CD-Rs are very cheap, but don’t hold as much data compared to DVDs.  DVD-Rs are now pretty cheap and you can even get them Dual-Layered to hold double the data of a normal DVD-R.  If that isn’t enough, there are even Blu-Ray burners and discs that can hold from 25GB up to 50GB.  However, those are still high in price and we may not need that type of space, yet.  And there is yet another option in the way of external hard drives.  These connect via USB and can hold large amounts of data just as a normal hard drive.  And we can back them up to this quite periodically with ease.  The costs for these are also not very high and might be a bit more dependable without the need for a ton of discs to stash.  Also, we can format these drives to NTFS and encrypt the logs for administrative use only.  I think that may be the best route to go.

Again, I would like my distant partner to keep very similar policies so we are all on the same page and data can be shared between administrators much easier.  With that said, there’s something that needs to be done to both offices before deployment goes live.  I would like to conduct a series of penetration testing on our networks to see how well they hold up and if everything is in working order.  To do this, I’d want to push different methods and attacks through using different tools such as Nmap, Wireshark, DSniff, Cain & Abel, DoS, OS vulnerabilities, port scanning, the whole works.  The PCI Security Standards Council (2008) stated “Once the threats and vulnerabilities have been evaluated, design the testing to address the risks identified throughout the environment (p. 03).  So even after various testing, we must again penetrate the weaknesses that were found to ensure proper security levels.  If the system holds up on both ends against everything, then I can consider it approved to push it live.  Of course, if we find major holes or problems then we’ll need to think of another strategy to prevent that and resume the penetration testing again until the system is ready to go.  I might also suggest adding a bandwidth logger on the machines so we can see how much bandwidth traffic is going through on each machine.  It may seem like no big deal, but I think that this can be used as another defense and productivity tool that will monitor bandwidth per day, week, and month.

A final diagram should look similar to this:

I understand that putting a network together is quite a daunting task.  Even writing a blueprint out such as this can cause a lot of confusion and missteps.  Luckily, we have the ability to do these things and to properly test our systems before they go live.  I can’t say for sure how my system would fair against the big real-world systems in place out there, but as a person lacking experience, I do feel that I have managed to put together a good security structure for the organizations.  My only wish is that I actually had access to something like this to truly test this out and to get that hands-on trial and error.  It actually sounds like fun, if you include a bottle of Ibuprofen.    Still, I look forward to the challenges ahead of me.

Bejtlich, R. (January 10th, 2008).  Defensible Network Architecture 2.0.  Retrieved from http://taosecurity.blogspot.com/2008/01/defensible-network-architecture-20.html

PCI Security Standards Council (March 8th, 2008).  Penetration Testing.  Retrieved from https://www.pcisecuritystandards.org/minisite/en/docs/information_supplement_11.3.pdf

Rosamond, G. (March 8th, 2004).  Building a More Secure Network.    Retrieved from http://www.sans.org/reading_room/whitepapers/modeling/building-secure-network_1415

Comments are closed.