PACE-IT, Security+1.3: Secure Network Design Elements and Components
Download as PPTX, PDF0 likes748 views
This document outlines essential elements of secure network design, emphasizing the importance of a layered security approach referred to as 'defense in depth.' It details various components such as demilitarized zones (DMZ), network address translation (NAT), network access control (NAC), and remote access technologies to enhance network security. Additionally, it highlights the significance of segmentation and subnetting to improve both performance and security within network structures.
PACE-IT, Security+1.3: Secure Network Design Elements and Components
- 1. Secure network design elements and components.
- 2. Page 2 Instructor, PACE-IT Program – Edmonds Community College Areas of Expertise Industry Certifications PC Hardware Network Administration IT Project Management Network Design User Training IT Troubleshooting Qualifications Summary Education M.B.A., IT Management, Western Governor’s University B.S., IT Security, Western Governor’s University Entrepreneur, executive leader, and proven manger with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required— with a focus on technology.
- 3. Page 3 – Defense in depth. – Elements and components of network design. PACE-IT.
- 4. Page 4 Secure network design elements and components.
- 5. Page 5 Due to the complexity of modern networks, malicious attackers have multiple avenues that they can use to breach network security. This same complexity also allows for security to be placed in multiple areas using different methods. By placing security at different levels and in different places, network administrators can increase the overall security posture of a network. This concept is known as defense in depth. Security should not just be placed in a single spot, as this creates a single point of failure. Security should be emplaced at multiple layers of the network, using a diversity of methods, in order to create an effectively hardened network. Secure network design elements and components. Just as when peeling an onion, once one layer of security is stripped away, the attacker should find another layer waiting underneath.
- 6. Page 6 Secure network design elements and components.
- 7. Page 7 – Demilitarized zone (DMZ). » The DMZ is a specific area (zone) created—usually between two firewalls—that allows outside access to network resources (e.g., a Web server), while the internal network remains protected from outside traffic. • The external facing router allows specific outside traffic into the DMZ, while the internal router prevents that same outside traffic from entering the internal network. – Network address translation (NAT). » NAT is a technique used to allow private IP addresses to be routed across, or through, an untrusted public network. • The NAT device—usually a router—assigns a public routable IP address to a device that is requesting outside access. » NAT has the added benefit of protecting the internal private network. • The private network’s IP addressing scheme is hidden from untrusted networks by the NAT enabled router. Secure network design elements and components.
- 8. Page 8 – Network access control (NAC). » NAC is a method of controlling who and what gains access to a wired or wireless network. • In most cases, NAC uses a combination of credentials based security (e.g., 802.1x) and some form of posture assessment for a device attempting to log on to the network. » A posture assessment considers the state of the requesting device. The device must meet a set of minimum standards before it is allowed access to the network. • Common device assessments include the type of device, operating system, patch level of the operating system, the presence of anti-malware software and how up to date it is. – Virtualization. » Virtualization is the process of creating virtual resources instead of actual resources. • Hardware, operating systems, and complete networks can be virtualized. » A security advantage to virtualization is that, if the virtual resource is compromised, it can easily be taken down, recovered, fixed, and then brought back online. Secure network design elements and components.
- 9. Page 9 – Subnetting. » Subnetting is the logical division of a network—a single block of IP addresses—into discrete separate networks. • Can be done to match the physical structure of the network (e.g., the network only requires enough addresses for 100 nodes, not 254). • Can be done to increase the security of the network by segmenting resources by needs and security level. – Segmentation of resources. » Security can be increased by segmenting a network based on resources and security needs through the implementation of virtual local area networks (VLANs). • The segmentation can be done based on user groups (e.g., a VLAN for the sales department and another one for human resources). • The segmentation can be done based on resource type (e.g., a VLAN for file servers and another one for Web servers). • Commonly, segmentation is accomplished with a combination. » The use of VLANs supports a more secure, layered approach in the network design. Secure network design elements and components.
- 10. Page 10 In modern networks, it is not uncommon to need to allow remote access to local network resources. Remote workers often need to access resources that are located on the main business network. This requires the use of remote access technology in order for it to happen in a secure manner. Remote access can occur using telephony technology (e.g., dial- up) or through the use of a virtual private network (VPN). In all cases, secure protocols and methods should be used in order to ensure the security of the local network. For example, one of the forms of Extensible Authentication Protocol (EAP) should be used when allowing remote access. Secure network design elements and components.
- 11. Page 11 Secure network design elements and components. The complexity of modern networks means that there are different avenues that attackers can use to breach a network’s security. Defense in depth involves placing security at many different layers of a network. By placing security at different layers and by using different security methods, even if the outer security is breached, the inner security remains in place. Topic Defense in depth. Summary Defense in depth can be implemented in multiple ways, including adding a DMZ, using NAT, implementing NAC, using virtualization, employing subnetting and segmentation, and requiring remote access technology. Elements and components of network design.
- 13. This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53. PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.