
wp-enhancing-int-network-security.pdf

by serhat.kahraman on 12-14-2011 02:00 AM

Hi All,

WHITE PAPER: IRONSHIELD BEST PRACTICES ENHANCING INTERNAL NETWORK SECURITY
Written By: Philip Kwan
March 2003

I don't remember how I found this document, but it is very helpful for those who are looking for assistance with security concepts in the Brocade IP world.


Summary

The IronShield Best Practices: Enhancing Internal LAN Security document is designed to help network and security administrators understand how to implement Foundry security features. The document gives the reasons why the security features are necessary and how best to implement them to complement existing security devices, such as firewalls and intrusion detection systems, to create a robust, secure network infrastructure. The key is "Defense in Depth": applying security at all layers of the enterprise.

IronShield Security is not meant to replace Data Security infrastructures. With careful planning and implementation, IronShield Security features can help improve Network Security and enhance Data Security where it’s needed.



Contents
Introduction
Audience
Nomenclature
Related Publications
The Local Area Network
Defense-in-Depth
Modern Network Layers
Perimeter Security Considerations
Internal Network Security Considerations
Human Factor Security Considerations
The Perfect Security Model
Foundry IronShield Security
Enhancing Internal Network Security
Case Study Company Network
Hardening Foundry Routers & Switches
Denial of Service (DoS) Prevention
Stopping IP Spoofing
Foundry Access Control Lists (ACLs)
General Guidelines for Creating ACLs
Stopping Inbound IP Spoofing From The Internet
Stopping Outbound IP Spoofing From The Internal Network
Stopping IP Address Spoofing – Host Protection
Stopping Smurf Attacks
Stopping TCP SYN Flood Attacks
Stopping LAND Attacks
Disabling Proxy ARP
ARP Attack Prevention
Stopping Hacks Using ICMP
ICMP Redirects
ICMP Unreachable
ICMP Timestamp and Information Requests
Stopping Foundry Devices From Responding to Broadcast ICMP Requests
Limiting Broadcasts
Preventing UDP Broadcasts or All Broadcasts
Fragmentation Attack Prevention
How Fragmentation Works
How Hackers Use Fragmentation
CPU Inspection of Fragmented Packets
Controlling the Fragment Rate
Dropping All Fragments For IronCore Products
Containment Design
What To Protect
Restricting Access & Containment
Security Zones
Redesign Tips
Protecting Resources With ACLs
Standard ACLs
Extended ACLs
General ACL Principles
Inbound ACLs vs Outbound ACLs
Security Defense Example Using ACLs
Widget-WorksCOM’s Security Zones
EXAMPLE - Building B’s ACLs
R&D Server Security Zone
Staging & Testing Server Security Zone
R&D User Security Zone
Developers & QA User Security Zone 
ACLs For Building B’s Router
EXAMPLE – Remote Office’s ACLs
Controlling Inbound Traffic
Controlling Outbound Traffic
EXAMPLE – Building C’s ACLs
Protecting The NOC Operations Security Zone
EXAMPLE – Common Shared Areas
Policy-Based Routing (PBR)
Configuring PBR Policies
EXAMPLE – Null Route
EXAMPLE – Honeypot
Virtual LANs (VLANs)
Foundry VLANs
VLANs for Security Purposes
Port-Based VLANs
Port-Based VLANs With 802.1Q
Network Address Translation (NAT)
Layering Security Using NAT
Foundry’s NAT Implementation
Configuring Inside Source NAT
Configuring Inside Destination NAT
Port Security And Port Authentication
MAC Address & ARP Spoofing
Example - Man-in-the-Middle Attack
ARP Reply Spoofing
Defending Against MAC Address & ARP Spoofing
Port Security - Restricting Source MAC Addresses
Other Port Security Commands
EXAMPLE – Port Security MAC Lock
Defending Against Unauthorized Access
How 802.1X Works
Configuring 802.1X Port Authentication
EXAMPLE – 802.1X Port Authentication
Appendix A - Foundry IronShield Security Enhancements
Device Protection
Denial of Service Protection
Enhanced Perimeter Protection
Enhanced Internal Network Protection
Enhanced Network Visibility
Appendix B - Physical Security Design Considerations