Design Secure Network Segmentation Approach

Interested in learning more about security? SANS Institute InfoSec Reading Room. This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.

Design Secure Network Segmentation Approach

In this document I will discuss some issues related to network security and how to design a secure network. We will look at network segmentation and how it helps us identify the network topology. Our segments will be defined based on the security level needed by each segment. The segments will be outside, internal, services and remote users. I will discuss each segment in detail and guide NetAdms through the steps that will help them secure each segment.

Copyright SANS Institute. Author Retains Full Rights.


SANS Institute 2000 - 2005, Author retains full rights.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

Design Secure Network Segmentation Approach
GIAC Security Essentials Certification (GSEC)
Practical Assignment Version 1.4c
Option 1 - Research on Topics in Information Security
Submitted by: Ibrahim N. Alateeq
Submitted Date: Saturday, January 08, 2005
Location: SANS Down Under 2004, Melbourne

Paper Abstract: This paper was written to obtain GSEC certification, and it will be guidance for Network Administrators in Small Office Home Office (SOHO) networks to implement a secure network.

Table of Contents

Abstract/Summary
Introduction
Chapter 1: Network Topology
  1. Outside Segment
  2. Services Segment
  3. Internal Segment
  4. Remote User Segment
Chapter 2: Securing Edge Router
  1. Technical Considerations
  2. IP Spoofing
  3. Protect Your Network
  4. Protect Your Router
Chapter 3: Firewall Traffic Map
Chapter 4: Securing Services Segment
  1. One Service per Server
  2. One Platform for All Servers
  3. Secure Your Servers: Operating System Side
  4. Secure Your Servers: Services Side
Chapter 5: Securing Internal Segment
Chapter 6: Securing Remote Access Segment
Chapter 7: Securing NetAdm Mentality
Conclusion
References
Terminology

List of Figures
Figure 1: General Network Topology
Figure 2: Inner and Outer Interface

Abstract/Summary

In this document I will discuss some issues related to network security and how to design a secure network. We will look at network segmentation and how it helps us identify the network topology. Our segments will be defined based on the security level needed by each segment. The segments will be outside, internal, services and remote users. I will discuss each segment in detail and guide NetAdms through the steps that will help them secure each segment.
Introduction

This paper was written to obtain GSEC certification, and it will be a small guide for Network Administrators in Small Office Home Office (SOHO) networks. SOHO networks usually have a small number of users. In this situation you usually do not have a security specialist, but you still need a good level of security in your network. In this paper I concentrate on helping and guiding NetAdm people to design a secure network.

I build these guidelines and checklists on some assumptions, to simplify the task for the Network Administrator of designing his network to meet his requirements with a good level of security. These assumptions are:

- It is designed for SOHO networks and may not be suitable for big networks, which need more complex procedures.
- I consider in this paper that the network will be implemented from scratch. These guides will work very well for an existing network, but you must consider some factors when you apply these procedures to an existing network, such as downtime planning, defining the specific services that you provide in your network, and any specific issues or concerns in your network.
- I prefer to use the term Good Level of Security to describe a high level of security. As security specialists, we know there is no 100% secure network. When I say Good Level of Security, I mean 90%-95% security.
- I will also consider that this network contains the following products and services: Edge Router, Firewall, Mail Server, Web Server, Application Server, DNS, PCs, and Remote Access users. Whatever the vendors, this guide is based on the standard options of each product.

In this guide I will discuss the technical issues and define the policies you will need to secure the network. So, in each chapter we will find both security techniques and policies.
Chapter 1: Network Topology

Typically, a SOHO network is a simple one and you do not need to divide it into many segments. However, because this network contains different levels of security, you need to know the weak points in your network to protect it well. The simplest way to define that is to segment your network based on the security level needed by each segment. This procedure is called network segmentation, and it will help us very much when we get to the firewall configuration later. In Figure 1 you will see all the main devices and the different segments. The optimal segmentation for a SOHO network is to divide it into four segments. Here are the specifications of each segment (Figure 1).

1. Outside Segment

In this segment you have only the edge router and, in our case, the Internet. In this segment you have no control over the traffic coming to you, but you have full control (by access-lists) to decide which traffic can get into your network and which traffic can travel outside.

2. Services Segment

This segment contains the main services you want to provide to the public. In some papers it is called the DMZ zone. In this segment you need to allow requests coming from outside to reach your network services. We will define it in detail in the next section.

3. Internal Segment

This is the highest security level in your network. It contains the internal workstations and internal servers that hold all your business plans, marketing plans and financial details.

4. Remote User Segment

This segment is the most critical one and you must be concerned about it. First, you must ask yourself in advance: do we need our staff to access our internal network from outside or not? If NO, just remove this segment and do not care about it. Otherwise, you must define the policies and techniques to secure this segment.
We will look in more detail at how to secure each segment. In the following chapters we will discuss each segment in detail and define the policies and techniques needed to secure a SOHO network. The following figure (Figure 1) illustrates the topology of the network that we will discuss.

Figure 1: General Network Topology (diagram labels: WWW, Edge Router, IDC, Service Segment, Internal Segment, Remote Users, VPN)

Chapter 2: Securing Edge Router

1. Technical Considerations

In general, and regardless of vendor, router technology provides basic services that must be available in each router. These services are:

1. WAN connectivity, which will be provided by your ISP. This connectivity may vary based on your requirements and on what your ISP can provide. Whatever the connectivity type (ADSL, ISDN, Frame Relay or ATM), the router capabilities and functionality stay the same.
2. Routing capability based on destination address, whatever protocols are used.
3. Traffic filtering based on source address, destination address or service port.

Nowadays, most routers on the Internet are Cisco routers. Therefore, in this paper you will find me using Cisco syntax.

2. IP Spoofing

The first issue in the edge router you must be concerned about is IP spoofing. IP spoofing is denied by ensuring the following rule is applied: on any interface, access-lists accept only packets with a legitimate source address. This means that only packets with a source address from the connected network's IP address space are allowed. If this rule cannot be fully enforced, we deny packets with a source address that cannot be right. For example, no packet with a source address of your network can come in from the external interface (Outer-If) (Figure 2). In summary, inbound and outbound access-lists on every interface filter out spoofed packets.

In practice, this technique is done by denying any packet with a source address of your network and any packet that has a private address as described in RFC 1918. Also deny any packet with a broadcast or multicast source address, and packets with the reserved loopback address as source address. It is usually also appropriate for anti-spoofing to filter out all ICMP redirects, regardless of source or destination address (Step by Step - Cisco 827 ADSL Router Configuration, http://www.secwiz.com/Default.aspx?tabid=49). All of these are applied at the outer interface as an inbound access list. And to protect the outside from your spoofing, you must deny any packet going to the Internet with an IP that does not belong to you. You can apply this as an outbound access list at the inner interface.

    ! Anti-Spoofing
    ! Inbound access list @ outer interface
    access-list 100 deny ip 0.0.0.0 0.255.255.255 any
    ! RFC 1918 private networks
    access-list 100 deny ip 10.0.0.0 0.255.255.255 any
    access-list 100 deny ip 172.16.0.0 0.15.255.255 any
    access-list 100 deny ip 192.168.0.0 0.0.255.255 any
    ! Loopback address
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    ! Link local networks
    access-list 100 deny ip 169.254.0.0 0.0.255.255 any
    ! TEST-NET
    access-list 100 deny ip 192.0.2.0 0.0.0.255 any
    ! Class D multicast, class E reserved and unallocated addresses
    access-list 100 deny ip 224.0.0.0 31.255.255.255 any
    access-list 100 deny ip 240.0.0.0 15.255.255.255 any
    access-list 100 deny ip 248.0.0.0 15.255.255.255 any
    ! ICMP redirect
    access-list 100 deny icmp any any redirect
    ! Your network (replace with your own address space and wildcard mask)
    access-list 100 deny ip <Your Network IP Space> any
    ! Every IOS access list ends with an implicit deny; without a final permit
    ! the entries above would drop all remaining inbound traffic as well
    access-list 100 permit ip any any
    !
    ! Outbound access list @ inner interface
    access-list 102 permit ip <Your Network IP Space> any

3. Protect Your Network

Access to your network is limited to certain hosts offering public services like WWW, DNS and Mail. This is done by using inbound access-lists on the interfaces directly connected to your network (Inner-If) (Figure 2) to filter traffic entering your network. Someone may ask: why do we do that in the router? The answer is to implement the Defense-in-Depth concept. At this stage, the router filtering acts as the first level of defense for your network. You will see in the next section that we do the same protection in the firewall as a second layer of protection.

Figure 2: Inner and Outer Interface (diagram labels: Internet, Outer-If, Inner-If, Your Network)

In practice, this restriction technique can be done by applying this access list:

    ! Host names below stand for the IP addresses of your own servers
    ! Allow FTP services (ftp.yourcompany.com)
    access-list 101 permit tcp any host ftp.yourcompany.com eq ftp
    access-list 101 permit tcp any host ftp.yourcompany.com eq ftp-data
    access-list 101 permit tcp any host ftp.yourcompany.com gt 1023
    !
    ! Allow SMTP services (smtp.yourcompany.com)
    access-list 101 permit tcp any host smtp.yourcompany.com eq smtp
    !
    ! Allow DNS queries ONLY (ns.yourcompany.com)
    access-list 101 permit udp any host ns.yourcompany.com eq domain
    !
    ! Allow DNS replies to anywhere, including your network
    access-list 101 permit udp any eq domain any
    !
    ! Allow zone transfers from your slave servers
    access-list 101 permit tcp host A-Root host ns1.yourcompany.com eq domain
    access-list 101 permit tcp host A-Root host ns2.yourcompany.com eq domain
    !
    ! Allow WWW services to www.yourcompany.com
    access-list 101 permit tcp any host www.yourcompany.com eq www

4. Protect Your Router

By default, a router can be accessed physically by the console port or remotely by TELNET or SSH. In this case, you must follow this policy to protect the router itself from unauthorized access:

1. Set a good password using alphanumeric and special characters, and change it periodically, every two or three months.
2. Use SSH whenever you can.
3. Permit only your team's workstation (NetAdm PC) to access the router by telnet.

In a Cisco router you can do that with these commands:

    ! Configure access list to permit TELNET from the SysAdm PC
    RouterA(config)#access-list 50 permit NetAdm-WorkStation-IP
    RouterA(config)#line vty 0 4
    ! Apply the access list to the TELNET virtual interface
    ! (access-class binds standard access list 50 to the vty lines)
    RouterA(config-line)#access-class 50 in

Note: some Cisco IOS versions do not support secure remote access like SSH. If it is supported on your router, it is preferable to use it and disable TELNET access.

Chapter 3: Firewall Traffic Map

In this section we will configure the main device in your network that protects you from outside attackers. The firewall in our network will be the contact point with the outside world (Internet). Therefore, we need to identify each service that will be allowed to go outside and each service that will be allowed to reach our network.
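Before moving on to the firewall, here is an added example (not part of the paper) that makes the behaviour of the Chapter 2 router lists concrete: a small Python evaluator for Cisco-style extended access-list entries that applies the anti-spoofing list and the egress list to constructed sample packets with IOS semantics (first matching entry wins, implicit deny at the end of the list). The address range 203.0.113.0/24 stands in for the paper's "Your Network IP Space" placeholder; the Packet and Rule types, the sample packets and the final permit entry are assumptions of the example.

```python
"""ACL evaluator for Cisco-style extended access-list lines (added example).

Parses entries such as the Chapter 2 anti-spoofing list and applies them to
constructed sample packets with IOS semantics: first matching entry wins and
an unmatched packet hits the implicit deny at the end of the list.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Stand-in for the paper's placeholder "Your Network IP Space".  203.0.113.0/24
# is RFC 5737 documentation space, chosen here only as a constructed example.
YOUR_NETWORK = "203.0.113.0 0.0.0.255"

# Inbound anti-spoofing list at the outer interface, as in Chapter 2, with the
# placeholder filled in and a final permit so that ordinary traffic survives
# the implicit deny that closes every IOS access list.
ANTI_SPOOF_INBOUND = f"""
! Anti-Spoofing, inbound @ outer interface
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
access-list 100 deny ip 224.0.0.0 31.255.255.255 any
access-list 100 deny icmp any any redirect
access-list 100 deny ip {YOUR_NETWORK} any
access-list 100 permit ip any any
"""

# Outbound list at the inner interface: only your own addresses may leave.
EGRESS_OUTBOUND = f"access-list 102 permit ip {YOUR_NETWORK} any"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    dport: Optional[int] = None      # destination port for tcp/udp
    icmp_type: Optional[str] = None  # e.g. "redirect" or "echo"


@dataclass
class Rule:
    action: str
    proto: str                       # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    qualifier: tuple                 # () | ("eq"|"gt"|"lt", port) | ("type", name)
    text: str


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS address/wildcard pair into a network.

    A wildcard is an inverted netmask: 0 bits must match, 1 bits are ignored.
    Only contiguous low-order wildcards (0, 1, 3, 7, ...) map to a prefix.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network((addr, 32 - wc.bit_length()), strict=False)


def _take_address(tokens: list) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if first == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return wildcard_to_network(first, tokens.pop(0))


def parse_acl(text: str) -> list:
    rules = []
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()      # '!' starts an IOS comment
        if not line:
            continue
        tok = line.split()
        if tok[0] != "access-list":
            raise ValueError(f"not an access-list entry: {line}")
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, dst = _take_address(rest), _take_address(rest)
        if not rest:
            qualifier = ()
        elif proto in ("tcp", "udp") and rest[0] in ("eq", "gt", "lt"):
            qualifier = (rest[0], int(rest[1]))
        elif proto == "icmp":
            qualifier = ("type", rest[0])
        else:
            raise ValueError(f"unsupported qualifier in: {line}")
        rules.append(Rule(action, proto, src, dst, qualifier, line))
    return rules


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in rule.src:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in rule.dst:
        return False
    if not rule.qualifier:
        return True
    op, value = rule.qualifier
    if op == "type":
        return pkt.icmp_type == value
    if pkt.dport is None:
        return False
    return {"eq": pkt.dport == value, "gt": pkt.dport > value, "lt": pkt.dport < value}[op]


def evaluate(rules: list, pkt: Packet) -> tuple:
    """Return (action, matching entry); unmatched packets hit the implicit deny."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action, rule.text
    return "deny", "implicit deny"


if __name__ == "__main__":
    inbound = parse_acl(ANTI_SPOOF_INBOUND)
    # Constructed sample packets arriving on the outer interface.
    for pkt in (
        Packet("10.1.2.3", "203.0.113.10", "tcp", dport=80),       # RFC 1918 source
        Packet("203.0.113.5", "203.0.113.10", "tcp", dport=25),    # claims to be us
        Packet("198.51.100.7", "203.0.113.10", "icmp", icmp_type="redirect"),
        Packet("198.51.100.7", "203.0.113.10", "tcp", dport=80),   # ordinary client
    ):
        print(pkt.src, "->", pkt.dst, evaluate(inbound, pkt))
```

Running the block shows the first three packets denied by the RFC 1918, own-network and ICMP-redirect entries respectively, and the ordinary client permitted only because of the final permit; remove that entry and the same client is dropped by the implicit deny, which is the reason the entry was added to the paper's list.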
This procedure called Traffic Map.Firewalltrafficmapisaprocedurethatwilldefinebased onyournetwork segmentations and which traffic can be going from any segment to another. This procedure is most useful one to identify your services in each segment and from where you can reach these services. Again, regardless of vendors you can use this traffic map to implement your policy in your firewall.Based on our network segmentations in chapter 1 and based on the services (WWW, DNS,andMail)wementioned aboutitinourassumptions,wecan write the traffic map as following: Service protocol Src. Segment Src. Server Dst. Segment Dst. ServerAction CommentsSSH TCP Internal Any Services Any PermitHTTP TCP Internal Any Services WWW PermitHTTPS TCP Internal Any Services WWW PermitFTP TCP Internal Any Services FTP PermitDNS UDP Internal Any Services DNS PermitSMTP TCP Internal Any Services Mail PermitPOP3 TCP Internal Any Services Mail PermitAnyAny InternalNetAdmPC Services AnyPermitAnyAnyInternalAnyServicesAnyDenyImplicit Deny*Any Any Internal Any Outside Any PermitAnyAnyInternalAnyOutsideAnyDenyImplicit Deny*HTTP TCP Outside Any Services WWW PermitHTTPS TCP Outside Any Services WWW PermitFTP TCP Outside AnyServices FTP PermitAnyAnyOutsideAnyServicesAnyDenyImplicit Deny*Any Any Outside Any Internal Any DenyAny Any Services Any Internal Any DenyAny Any Services Any Outside Any Permit SANS Institute 2000 - 200 5, Author retains full rights. Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 SANS Institute 2000 - 2005Author retains full rights. 
11IbrahimN.Al-Ateeq Design Secure NetworkVPN TCP Remote User Any Internal Any PermitAnyAnyRemote UserAnyInternalAnyDenyImplicit Deny*AnyAnyRemote User AnyServicesAnyDenyImplicit Deny*Table 1: Firewall Traffic Map*implicit Deny:in most FirewallalsoinACLconfigurationinCiscoRouter,you just need to tell the firewall which traffic can be pass thefirewall and by default the firewall will deny all another traffic.Chapter 4: Securing Services SegmentInthissection, wewilldiscusstheservicesyouwanttoprovideit to public and how you will secure it.One service per server 1.Youneedtoconsiderthistechnique.Oneserviceperserverisagood policytoyournetworksecurity. Dividing various servicesbetweendifferent servers has the following advantages:This minimizes the complexity for any server, and helps to slow down anattacker from spreading their control throughout your servers if one serveris compromise.Italsogreatlysimplifiesrecoveryincaseofasuccessfulattack.RayIngles. Securing Server Hosts.http://ingles.homeunix.org/presos/websec/. It is easier to configuration of the individual servers with Simple and moresecure configuration.Itismostreliability.Whenoneserviceisdownitwillnotaffect anotherservices. It should be possible to compensate for any negative consequences that may a rise, such as higher hardware costs for purchasing several servers with fact that the individual server do not have the same performance, do not have to be more expensive than one particularly powerful server. Also Administration costs do not necessarily have to rise with the number of server, either, because simpler configuration of the individual server saves time. Dr. Udo Helmbrecht. IT Baseline Protection Manual. 
(BSI, German Information Security Agency)http://www.bsi.bund.de/gshb/english/s/s04097.htmlOne Platform for All Server 2.As a part of simplifying your network setup, which will help you very well tosecureit,youneedtouseoneplatforminyoursservers.Byusinga uniqueplatform(Windows,Linux,andUNIX), itwillbe asimpletoyouto achieve the following security technique: SANS Institute 2000 - 200 5, Author retains full rights. Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 SANS Institute 2000 - 2005Author retains full rights. 12IbrahimN.Al-Ateeq Design Secure NetworkUpdating or Patching Operating System isanimportantproceduretofix many holes in your OS. By using one OS in your environment, this task will be simpler. IncaseofyoursystemiscrashedorCompromiseandyou wanttorecoverit thiswillbeeasywithoneOS.InRedHatLinuxthereisa technologycalledkickstart.KickStartisaprocedure toautomate installation. Usingkickstart,aNetworkAdministratorcancreatea singlefilecontainingtheanswerstoallthequestionsthatwould normallybeaskedduringatypicalRedHatLinuxinstallation. Thisinstallationmethodcansupporttheuseofasinglekickstartfileto installRedHatLinuxonmultiplemachines,makingitidealfor network and system administrators. Kickstart lets you automate most ofaRedHatLinuxinstallation,including:Languageselection - Networkconfiguration-Keyboardselection-Bootloaderinstallation (LILO)-Diskpartitioning-Mouseselection-XWindowSystem configuration RedHat Linux7.1Manuals WhatareKickstart Installations?http://www.redhat.com/docs/manuals/linux/RHL-7.1-Manual/custom-guide/ch-kickstart2.htmlLike Kickstart, there is a Jumpstart in Solaris environment.AsAdministrationwise,itissimpler toNetAdm to dealingwithoneOS than different OS and it help them to take a quick action if needed. The quick action is very important especially when server is down. 
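Returning to the firewall traffic map of Chapter 3, the following Python is an added example (not from the paper) that encodes Table 1 as an ordered rule list and decides constructed flows the way the firewall would: derive each address's segment and named host first, then take the first matching row, then the implicit deny. The segment address ranges, the named-host addresses and the rule/flow representation are assumptions of the example. Evaluating the table mechanically also exposes a gap worth knowing about: Table 1 has no Outside to Services row for SMTP or DNS, so under the table as written the public mail and name servers cannot be reached from the Internet even though router list 101 in Chapter 2 admits both; the two layers need to be reconciled before deployment.

```python
"""Firewall traffic-map evaluator (added example).

Encodes the rows of Table 1 as ordered rules, derives each flow's source and
destination segment from its addresses, and answers permit/deny with the
implicit deny the table relies on.  Addresses are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the segments.  Anything not listed is "Outside".
SEGMENTS = {
    "Internal": ipaddress.ip_network("192.168.10.0/24"),
    "Services": ipaddress.ip_network("203.0.113.0/24"),
    "Remote User": ipaddress.ip_network("198.51.100.0/24"),  # VPN client pool
}
# Hosts the table names explicitly; any other address in a segment is "Any".
HOSTS = {
    "192.168.10.5": "NetAdm PC",
    "203.0.113.10": "WWW",
    "203.0.113.11": "FTP",
    "203.0.113.12": "DNS",
    "203.0.113.13": "Mail",
}


@dataclass(frozen=True)
class Rule:
    service: str      # "SSH", "HTTP", ... or "Any"
    src_seg: str
    src_host: str     # named host or "Any"
    dst_seg: str
    dst_host: str
    action: str       # "permit" or "deny"


# Table 1 in order.  The "Implicit Deny" rows are not entries; they are the
# default applied when nothing below matches.
TRAFFIC_MAP = [
    Rule("SSH",   "Internal", "Any",       "Services", "Any",  "permit"),
    Rule("HTTP",  "Internal", "Any",       "Services", "WWW",  "permit"),
    Rule("HTTPS", "Internal", "Any",       "Services", "WWW",  "permit"),
    Rule("FTP",   "Internal", "Any",       "Services", "FTP",  "permit"),
    Rule("DNS",   "Internal", "Any",       "Services", "DNS",  "permit"),
    Rule("SMTP",  "Internal", "Any",       "Services", "Mail", "permit"),
    Rule("POP3",  "Internal", "Any",       "Services", "Mail", "permit"),
    Rule("Any",   "Internal", "NetAdm PC", "Services", "Any",  "permit"),
    Rule("Any",   "Internal", "Any",       "Outside",  "Any",  "permit"),
    Rule("HTTP",  "Outside",  "Any",       "Services", "WWW",  "permit"),
    Rule("HTTPS", "Outside",  "Any",       "Services", "WWW",  "permit"),
    Rule("FTP",   "Outside",  "Any",       "Services", "FTP",  "permit"),
    Rule("Any",   "Outside",  "Any",       "Internal", "Any",  "deny"),
    Rule("Any",   "Services", "Any",       "Internal", "Any",  "deny"),
    Rule("Any",   "Services", "Any",       "Outside",  "Any",  "permit"),
    Rule("VPN",   "Remote User", "Any",    "Internal", "Any",  "permit"),
]


def segment_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "Outside"


def host_of(ip: str) -> str:
    return HOSTS.get(ip, "Any")


def _field_matches(rule_value: str, flow_value: str) -> bool:
    return rule_value == "Any" or rule_value == flow_value


def decide(service: str, src_ip: str, dst_ip: str, rules=TRAFFIC_MAP) -> tuple:
    """Return (action, reason) for a flow; first match wins, then implicit deny."""
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    src_host, dst_host = host_of(src_ip), host_of(dst_ip)
    for r in rules:
        if (r.src_seg == src_seg and r.dst_seg == dst_seg
                and _field_matches(r.service, service)
                and _field_matches(r.src_host, src_host)
                and _field_matches(r.dst_host, dst_host)):
            return r.action, f"{r.service} {r.src_seg}/{r.src_host} -> {r.dst_seg}/{r.dst_host}"
    return "deny", f"implicit deny ({src_seg} -> {dst_seg})"


def permitted_services(src_seg: str, dst_seg: str, rules=TRAFFIC_MAP) -> frozenset:
    """Services any host in src_seg may use toward any host in dst_seg."""
    allowed = set()
    for r in rules:
        if r.src_seg != src_seg or r.dst_seg != dst_seg or r.src_host != "Any":
            continue
        if r.action == "deny" and r.service == "Any":
            break                      # a segment-wide deny shadows later rows
        if r.action == "permit":
            allowed.add(r.service)
    return frozenset(allowed)


if __name__ == "__main__":
    # Constructed flows: (service, source address, destination address)
    for flow in [("HTTP", "192.168.10.20", "203.0.113.10"),
                 ("POP3", "192.168.10.5", "203.0.113.10"),
                 ("SMTP", "192.0.2.44", "203.0.113.13"),
                 ("SSH", "203.0.113.10", "192.168.10.20"),
                 ("VPN", "198.51.100.9", "192.168.10.20")]:
        print(flow, decide(*flow))
    for pair in [("Outside", "Services"), ("Internal", "Services"), ("Services", "Internal")]:
        print(pair, sorted(permitted_services(*pair)))
```

The permitted_services summary is the part worth keeping around: printed for every ordered pair of segments it reproduces the traffic map from the rule list, so a change to the firewall rules can be checked against the intended map rather than read back by hand.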
3. Secure Your Servers: Operating System Side

Based on your decision in the previous section about your platform, there are some issues you must consider to protect the server itself. Regardless of the OS you use and the methods you use to secure the server, you must do the following to protect the server OS:

Securing the File System

The core of your server is the OS file system. In this part you must be concerned about some issues in the OS file system, and you must consider them during server setup because you need to do these steps in the installation phase. To do that, follow these steps:

- Configure the OS and data partitions with a file system that supports security features (e.g., NTFS).
- Configure the file system with proper access permissions; specifically, you need to restrict access to the file system and to executables.

Securing Log On

The weakest ring in the security chain is people. Therefore, you must write and apply some policies to minimize this risk. The following policies and techniques you, as NetAdm, should take care to apply and to monitor in operation:

- Disable any access to the server by TELNET (if possible), because it uses clear text to send data, and replace it with an encrypted method like Secure Shell (SSH).
- Set a strong password for the administrator/root and user accounts. All passwords must meet the following conditions: at least 8 characters, containing upper- and lower-case characters, numeric values and 2 special characters. No dictionary word is allowed.
- Each user has their own user account.
- Disable the Guest account if enabled.
- Log all access to your servers and create a warning message against unauthorized access or use of restricted resources.
- Disable anonymous user logons.
- Disable caching of user logons.
- Create a group for each department that shares information and assign each user to his group.

Some of these policies (above) you can find at this link. I use some of them in this section, and if you have a more complex environment it will help you write your policies: Robert L. Williams. Computers and Network Security in Small Libraries. http://www.tsl.state.tx.us/ld/pubs/compsecurity/index.html

Securing Files and Folders

Your data in your system and your configuration files are the most valuable things in your network. You must care if anybody modifies or changes these files. A good tool to do that is Tripwire. Tripwire is a tool that checks to see what has changed on your system. The program monitors key attributes of files that should not change, including binary signature, size, expected change of size, etc. Various free-of-charge versions of Tripwire are available for Linux at this link: http://www.tripwire.org

4. Secure Your Servers: Services Side

The services available on your server are the interface with others, and any communication between your servers and anybody comes through the services available on your server. Therefore, you need to consider the following techniques to minimize access to the server to just the services you want to provide.

First, you must remove unnecessary services from the system. You need to go back to your system manuals to know how to do that. To simplify your task I collect here some nice guides; for example, if you are using IIS Server see this link: http://support.microsoft.com/default.aspx?scid=kb;en-us;321141. If you are using Linux, see these links to guide you on how to remove unwanted services: http://www.talug.org/events/20031206/basic_linux_security.html and http://www.linux.com/howtos/Security-Quickstart-HOWTO/services.shtml. As part of this, you also need to remove unnecessary files/programs.
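The Securing Files and Folders subsection above describes Tripwire monitoring key attributes of files that should not change. The following is an added Python example (not the paper's and not Tripwire's code) of the same idea: a baseline of SHA-256 digest, size and permission bits over a directory tree, stored as JSON and later compared to report added, removed and modified files. The directory layout, file contents and the simulated drift are constructed in a temporary directory and are assumptions of the example.

```python
"""Tripwire-style file integrity baseline (added example).

Records the SHA-256 digest, size and permission bits of every file under a
directory, stores that baseline as JSON, and later reports files that were
added, removed or modified.  The directory tree used below is constructed in a
temporary location; nothing on the real host is touched.
"""
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Key attributes that should not change on a production server."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root: Path) -> dict:
    """Map each file (relative, POSIX-style path) to its fingerprint."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline: dict, dest: Path) -> None:
    # Keep the stored baseline off the monitored host or on read-only media:
    # whoever can edit the baseline can hide the changes it is meant to reveal.
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Return added, removed and modified paths, each sorted."""
    old, new = set(baseline), set(current)
    modified = [name for name in sorted(old & new)
                if baseline[name] != current[name]]
    return {"added": sorted(new - old), "removed": sorted(old - new),
            "modified": modified}


def demo() -> dict:
    """Baseline a constructed /etc-like tree, tamper with it, report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "httpd").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "httpd" / "httpd.conf").write_text("Listen 80\n")

        store = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), store)

        # Simulated drift: a config edit, a new file, and a deleted file.
        (root / "httpd" / "httpd.conf").write_text("Listen 80\nListen 8080\n")
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "hosts").unlink()

        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Run daily from a scheduled job against the directories that hold configuration and binaries, with the report mailed to the NetAdm, this is the check the subsection asks for; a non-empty "modified" list on a file nobody changed on purpose is the signal to investigate.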
Second, each service has its own procedures to secure it, based on the software you use to provide this service. For example, if you use Apache on your WWW server it is good to look at these guides:

1. Securing Apache HTTP Server. http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/s1-server-http.html
2. Securing Apache 2: Step-by-Step. http://www.securityfocus.com/infocus/1786
3. If you use IIS Server, see A Guide to Securing IIS 5.0. http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/deploy/depovg/securiis.mspx
4. For DNS, it is very good to refer to The SANS Top 20 Internet Security Vulnerabilities. http://www.sans.org/top20/. There is a very nice reference to this issue in the DNS part.
5. For Mail, see Securing Sendmail. http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/s1-server-mail.html

Anyway, to simplify your job, you must decide which software you will use for each specific service and go back to the product's homepage on the Internet. I am sure you will find a good guide to secure this service.

Chapter 5: Securing Internal Segment

This is the highest security level in your network. This segment contains your staff PCs, printers and internal servers that may contain your confidential information. Unlike the server segment, in this segment you cannot force your staff to use a specific OS, because everybody wants to use his favorite OS (Windows, Linux or Mac OS). Because of that, you need policies more than techniques, and you must be serious when you apply them to secure this important segment of your network.

Your policies in this segment will cover your staff against various vulnerabilities. Some of these vulnerabilities are related to the OS itself and some of them are related to your staff's behavior. Many employees leave their PC running all the time without a lockout timer, or they like to try a lot of software from the Internet. This is an example of employee behavior, and you as NetAdm must put your policies in place to avoid any irresponsible behavior.

There are a lot of papers on the Internet describing how to protect a PC, and a lot of tools and software that may help you in this task. To help you, you can follow these policies to achieve this task. Some of these policies come from this document, which has a lot of policies and very nice ideas: Robert L. Williams. Computers and Network Security in Small Libraries. http://www.tsl.state.tx.us/ld/pubs/compsecurity/ptthreecheck.html

- Set a strong password for user accounts. All passwords must meet the following conditions: at least 8 characters, containing upper- and lower-case characters, numeric values and two special characters. No dictionary words are allowed.
- Disable the Guest account if enabled.
- Set a logout timer to log out when nobody is working on the PC.
- Disable Guest user logons.
- Disable caching of user logons and passwords.
- Install antivirus software and update it regularly (at least once every two weeks).
- Install a personal firewall on each PC.
- Restrict access to the hard drive. In other words, do not allow your staff to install any software. Any software needed must be installed with your permission. This is to avoid installing software that has backdoors.
- Configure the web browser to enhance privacy, and restrict access to web browser settings.
- Install software to restrict access to system functions within Windows applications.
- Remove unnecessary/unused files/programs from the hard drive.
- Schedule a periodic download of service packs and patches.

Whatever policies you have, they have no value if your staff does not care about security. Awareness training must be provided to your staff to let them realize the risk and help you secure this segment.

Chapter 6: Securing Remote Access Segment

As we discussed in the first chapter, you may not need this segment. However, in case you want your staff to reach your internal network from the Internet, you must consider some issues to be sure about your network security. First of all, do not allow any communication between the internal segment and the outside world unless you use an encrypted method, regardless of the services you offer. By this policy, you can be sure that traffic to your internal network will be encrypted. VPN is the technique that will help you do that.

A virtual private network (VPN) is a way to use a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. A VPN can be contrasted with an expensive system of owned or leased lines that can only be used by one organization. The goal of a VPN is to provide the organization with the same capabilities, but at a much lower cost. A VPN works by using the shared public infrastructure while maintaining privacy through security procedures and tunneling protocols such as the Layer Two Tunneling Protocol (L2TP). In effect, the protocols, by encrypting data at the sending end and decrypting it at the receiving end, send the data through a "tunnel" that cannot be "entered" by data that is not properly encrypted. An additional level of security involves encrypting not only the data, but also the originating and receiving network addresses. (From: www.whatis.com)

Many firewalls now come with VPN capability. Therefore, to implement VPN you need to install a client on the remote PCs, and the server will be your firewall. VPN uses port TCP 50 or TCP 51, as mentioned in RFC 1700: port 50 for Encapsulating Security Payload (ESP) and 51 for Authentication Header (AH). ESP and AH are security services provided by IPsec, of which the VPN is an implementation method. For Windows XP there is a nice guide, How to Use VPN for Secure Data Transfer, at this link: http://www.microsoft.com/windowsxp/using/mobility/expert/vpns.mspx

A VPN policy and a remote access policy are very important to you in this segment. There is a very nice sample policy on the SANS site that you can use and add what you think is important to you. See http://www.sans.org/resources/policies/

Chapter 7: Securing NetAdm Mentality

Do not be surprised by this title. Whatever techniques you use and policies you write, they are nothing without your actions. As we know in the security world, most weakness comes from people, not from products. So, you must be concerned about your security, be sure to use the products in the optimal way, and apply your policies without exceptions.

Security in an IT environment is not a product, it is a process. Therefore, when you have applied everything we are talking about in this paper, do not think you are safe now. No, you need to monitor your network on a daily basis to be sure there are no new threats coming. For example, every day there are new viruses coming on the Internet, and if you do not update your antivirus software, you will be at risk. In this paper I will list some policies and procedures that may help you and keep you updated about any new risks that are coming. These policies and procedures are the following:

1. Subscribe to a security mailing list like the CERT mailing list (http://www.us-cert.gov/cas/) or (http://www.microsoft.com/security/bulletins/alerts.mspx).
2. Read any alert carefully and be sure it does not affect you. If it does affect your network, you must fix that quickly.
3. Subscribe to vendor mailing lists related to your products to be updated about any alerts or vulnerabilities.
4. Look at your system logs on a daily basis. It is a very nice task to start your day with, along with a cup of coffee :)
5. You must care about applying policies and not allow them to be broken.

Conclusion

By applying the techniques and policies discussed in this paper, you will reach a simple network with a good level of security. As I said before, security is not a product, it is a process. So, you need to keep this in mind. When you do that, you can decide what new risks are coming to your network and how you can avoid having these risks affect you, or at least how to minimize them. I hope this guide will be your first step in security implementation, with my best wishes.
References

1. Val Thiagarajan B.E., Information Security Management Audit Check List. http://www.sans.org/score/checklists/ISO_17799_checklist.pdf
2. Article: Network Infrastructure Security Checklist. http://www.redsiren.com/pdf/advisory_virus/NetworkInfrastructureSecurityChecklistnew.pdf
3. Article: District Security Self-Assessment Checklist. http://securedistrict.cosn.org/Downloads/DistrictSelfAssessmentChecklist.pdf
4. Robert Boyce, Vulnerability Assessments: The Pro-active Steps to Secure Your Organization. http://www.sans.org/rr/papers/60/453.pdf
5. Robert L. Williams, Computers and Network Security in Small Libraries. http://www.tsl.state.tx.us/ld/pubs/compsecurity/index.html
6. Article: Step by Step - Cisco 827 ADSL Router Configuration. http://www.secwiz.com/Default.aspx?tabid=49
7. Victor Hazlewood, Defense-In-Depth Information Assurance for 2003. http://www.sdsc.edu/~victor/DefenseInDepthWhitePaper.pdf
8. Article: Help Defeat Denial of Service Attacks: Step-by-Step. http://www.sans.org/dosstep/index.php
9. Germany. German Information Security Agency, Dr. Udo Helmbrecht. IT Baseline Protection Manual. http://www.bsi.bund.de/gshb/english/s/s04097.html
10. Sheldon, Tom. The Encyclopedia of Networking, Electronic Edition (CD-ROM). Modern Age Books Inc, 1997 (I use it for terminology and definitions)
11. www.whatis.com (I use it for terminology and definitions)
12. http://business.cisco.com/glossary (I use it for terminology and definitions)
13. http://www.webopedia.com (I use it for terminology and definitions)
14. http://www.cyber.ust.hk/handbook4/03_hb4.html#ChapTocTop
15. http://www.information-security-policies.com/
16. http://www.sans.org/resources/policies/
17. http://www.faqs.org/rfcs/rfc1918.html
18. http://www.faqs.org/rfcs/rfc1700.html
19. http://rusecure.rutgers.edu/sec_plan/checklist.php

Terminology

Access Control: A process that determines who is given access to a local or remote computer system or network, as well as what and how much information someone can receive.

ADSL: An asynchronous digital subscriber line, which is a DSL variant in which traffic is transmitted at different rates in different directions. Suitable for home users or remote LAN access.

Asynchronous Transfer Mode (ATM): A dedicated-connection switching technology that organizes digital data into 53-byte cell units and transmits them over a physical medium using digital signal technology.

Authentication Header (AH): Allows authentication of the sender of data.

Defense in Depth: The security approach whereby each system on the network is secured to the greatest possible degree. May be used in conjunction with firewalls.

DMZ: A sub-network that sits between the internal network (LAN) and an external network, such as the public Internet. Typically, the DMZ contains devices accessible to Internet traffic, such as Web, FTP, email and DNS servers.

Domain Name Service (DNS): An Internet translation service that resolves domain names to IP addresses and vice versa.
Encapsulation Security Payload (ESP): Supports authentication of the sender and encryption of data as well.

Encryption: The manipulation, or encoding, of information to prevent anyone other than the intended recipient from reading the information. There are many types of encryption, and they are the basis of network security. Encryption is only a part of the basis of network security; there are other elements.

Firewall: A server or collection of components that controls all traffic in and out of a network, permitting only traffic that is authorized by local security policy to pass.

Firewall Traffic Map: A collection of network traffic filters and actions that can be applied to your firewall.

Frame Relay: A telecommunication service designed for cost-efficient data transmission for intermittent traffic between LANs and between end-points in a WAN. Frame relay puts data in a variable-size unit called a frame and leaves any necessary error correction (retransmission of data) up to the end-points, which speeds up overall data transmission.

ICMP redirects: ICMP redirect packets are used by routers to inform hosts of the correct route to a particular destination. If an attacker is able to forge ICMP redirect packets, he or she can alter the routing tables on the host and possibly subvert the security of the host by causing traffic to flow via an unintended path.

Inner-Interface: This is the interface that will accept connections from the internal network.

Integrated Services Digital Network (ISDN): A set of CCITT/ITU standards for digital transmission over ordinary telephone copper wire as well as over other media.
IP Spoofing: A technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host.

IPsec: A framework for a set of protocols for security at the network or packet-processing layer of network communication. It provides two choices of security service: Authentication Header (AH) and Encapsulating Security Payload (ESP). The specific information associated with each of these services is inserted into the packet in a header that follows the IP packet header.

JumpStart: A type of installation in which the Solaris software is automatically installed on a system by using the factory-installed JumpStart software.

Kickstart: A procedure to automate installation in a Red Hat environment.

Layer 2 Tunneling Protocol (L2TP): An IETF protocol for creating VPNs using the Internet. It supports non-IP protocols such as AppleTalk and IPX as well as the IPsec security protocol. It is a combination of Microsoft's Point-to-Point Tunneling Protocol and Cisco's Layer 2 Forwarding technology.

Logging: The process of storing information about events that occurred on the firewall or any network device.

Network Topology: A topology (from Greek topos, meaning place) is a description of any kind of locality in terms of its layout. In communication networks, a topology is a usually schematic description of the arrangement of a network, including its nodes and connecting lines.

NTFS: NTFS (NT file system; sometimes New Technology File System) is the file system that the Windows NT operating system uses for storing and retrieving files on a hard disk. NTFS is the Windows NT equivalent of the Windows 95 file allocation table (FAT) and the OS/2 High Performance File System (HPFS). However, NTFS offers a number of improvements over FAT and HPFS in terms of performance, extendibility, and security.
Outer-Interface: This is the interface that will accept connections from the Internet.

Policy: Organization-level rules governing acceptable use of computing resources, security practices, and operational procedures.

Secure Shell Protocol (SSH): A communication protocol that is written with security in mind. It relies on strong encryption to secure the communication between the SSH server and client. If you want to allow others to connect remotely to their accounts, you had better use SSH.

Secure Sockets Layer (SSL): A security protocol developed by Netscape Communications Corp. to encrypt sensitive data and to verify server authenticity.

Security Awareness Course: A course that provides the attendees with the basic skills and information needed to focus attention on security and risks in IT environments.

Simple Network Management Protocol (SNMP): The protocol governing network management and the monitoring of network devices and their functions. It is not necessarily limited to TCP/IP networks.

Small Office Home Office (SOHO) networks: In information technology, SOHO is a term for the small office or home office environment and business culture. A number of organizations, businesses, and publications now exist to support people who work or have businesses in this environment.

VPN: A way to use a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network.