TOPIC: Securing a wired LAN

Securing a wired LAN 8 years 2 weeks ago #28209

  • DSL55
  • New Member
  • Posts: 3
  • Karma: 0
Hello everyone,

I'm starting a project whose objective is securing the 7 layers of the OSI model. The problem is that there are so many methods to achieve that, that I don't know which ones I should apply and whether they are all being applied at the proper layer.

My main goal is to achieve maximum security with less overhead.

So my plan is as follows:
Layer 1 Physical -
Restrict Autorun on all machines
Control what employees can plug into the USB ports
Use of McAfee Antivirus on all machines

Layer 2 Data Link-
Create VLANs
Configure SSH
Configure dynamic ARP inspection to drop invalid MACs
Disable all unused ports
Configure MPLS VPN layer 2

Layer 3 Network -
Configure ACLs
Configure VPN layer 3 to enforce the layer 2 VPN
Use a firewall router
Configure NAT

Layer 4 Transport -
Use SNMP version 3 only
Control the amount of ICMP used in the network
Use of IPS/IDS software (please let me know if someone knows any free and effective version)
I also need any free software that can confuse fingerprint attacks.

Layer 5 Session -
Preventing and detecting by limiting incoming connections and configuring the network to reject packets from the Internet that claim to originate from a local address.
Configure port security on LAN Switches

Layer 6 Presentation -
Use SSL and TLS

Layer 7 Application -
Use an AAA server + the methods used in the previous layers might be enough to prevent application layer attacks
Require DNS to use random transaction id and source port.


Please, what do you think about my objectives? Might I be using too many features in some cases?

Thank you for your time.

Ed
The administrator has disabled public write access.
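
The anti-spoofing item in the plan above (rejecting packets from the Internet that claim a local source address), sketched as an added example that is not part of the original post. The interface names `wan`/`lan` and the 192.168.10.0/24 LAN prefix are assumptions, and the sample packets are constructed.

```python
import ipaddress

# Assumption: the LAN uses 192.168.10.0/24; replace with the real internal prefix.
INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]

# Source ranges that should never appear on packets arriving from the Internet.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",       # "this network"
    "10.0.0.0/8",      # RFC 1918 private
    "127.0.0.0/8",     # loopback
    "169.254.0.0/16",  # link-local
    "172.16.0.0/12",   # RFC 1918 private
    "192.168.0.0/16",  # RFC 1918 private
    "224.0.0.0/4",     # multicast, never valid as a source
    "240.0.0.0/4",     # reserved, includes limited broadcast
)]

def ingress_verdict(iface, src):
    """Return (action, reason) for a packet with source `src` seen on `iface`."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return ("drop", "malformed source address")
    if iface != "wan":
        # The check only applies to the Internet-facing interface.
        return ("permit", "not an Internet-facing interface")
    for net in INTERNAL_NETS:
        if addr in net:
            return ("drop", f"spoofed internal source {net}")
    for net in BOGON_NETS:
        if addr in net:
            return ("drop", f"non-routable source {net}")
    return ("permit", "external source")

# Constructed sample packets: (ingress interface, source IP).
SAMPLE = [
    ("wan", "192.168.10.25"),  # claims to be a LAN host, arrives from outside
    ("wan", "10.1.2.3"),       # private range, cannot be a real Internet source
    ("wan", "127.0.0.1"),      # loopback
    ("wan", "198.51.100.7"),   # documentation address standing in for an external host
    ("lan", "192.168.10.25"),  # same LAN address, seen on the inside interface
    ("wan", "not-an-ip"),      # malformed record
]

def filter_sample(packets=SAMPLE):
    return [(i, s) + ingress_verdict(i, s) for i, s in packets]

if __name__ == "__main__":
    for iface, src, action, reason in filter_sample():
        print(f"{iface:3} {src:15} {action:6} {reason}")
```

The same source address is dropped on `wan` and permitted on `lan`, which is why the rule has to be bound to the ingress interface and not applied as a global address filter.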

Re: Securing a wired LAN 8 years 2 weeks ago #28219

  • TheBishop
  • Moderator
  • Posts: 1719
  • Thank you received: 8
  • Karma: 5
You've made a good start.
Try to bear in mind what each layer does, and try to include under each layer heading only those measures that impact that layer and which improve security. For example, for the physical layer antivirus is not really that relevant. However, things like using fibre instead of copper to make the physical bitstream harder to intercept and modify are. Remember physical security also - if they can't physically get to your network then you limit much of what they can do.
Most of your other suggestions are under the correct layer but there are one or two I might move.
Also, for free intrusion detection have a look at Snort.

Re: Securing a wired LAN 8 years 2 weeks ago #28222

  • S0lo
  • Moderator
  • Posts: 1577
  • Thank you received: 7
  • Karma: 3
Great start indeed. Just a few notes here. SSH is above layer 3 (Application layer in the DoD model, en.wikipedia.org/wiki/Secure_Shell). The "Firewall router" could be at layer 3 or above it; it depends on its capabilities and what you configure on it. Antivirus is surely above layer 4.

Usually a subset of what you're proposing will do the job. It depends on your requirements. Port security, for example, is effective in ensuring no machines connect to your network other than the ones you have allowed. VPNs are a popular choice for allowing and securing remote users. May I suggest configuring personal firewalls (software). A firewall at the edge router is great at preventing outsiders, but it won't prevent viruses or attackers that have already propagated to (or infected) an internal PC from spreading their hazard around. I personally use the Windows built-in firewall.

As TheBishop mentioned, physical security should be taken seriously. For example, if there is a possibility for an intruder to have physical access to some of your machines (provided those machines have a floppy drive), then I suggest you enable BIOS passwords. An intruder can change the Windows password of an Administrator by booting from a floppy disk with some password cracking/changing software on it. Such software is already available in the wild.
Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx

Re: Securing a wired LAN 8 years 2 weeks ago #28223

  • sose
  • Honored Member
  • Posts: 813
  • Thank you received: 4
  • Karma: 3
You are not going to be controlling ICMP at layer 4.

Also, after using the best software to secure all the layers, make sure your users are not careless ones. They are the easiest path through your network.
sose
Network Engineer
analysethis.co/index.php/forum/index

Re: Securing a wired LAN 8 years 2 weeks ago #28224

  • sose
  • Honored Member
  • Posts: 813
  • Thank you received: 4
  • Karma: 3
OK, you can block ports at layer 4.
sose
Network Engineer
analysethis.co/index.php/forum/index

Re: Securing a wired LAN 8 years 2 weeks ago #28227

  • DSL55
  • New Member
  • Posts: 3
  • Karma: 0
Thank you all for your answers:


I will apply SSH for Layer 5 security and I will try Communicrypt2g0 1.0 for session encryption.

I found one piece of software, SecurePAQ INIDS 1.1 (although I have never tried it, so I don't know if it is good yet), for IDS/IPS at layer 4.

Protecting ports at layer 4 (SSL) and (TLS) will also protect against layer 6 attacks.

Controlling ICMP at layer 3. I will be blocking both inbound and outbound ICMP at the firewall and allowing a limited number of ICMPs once this is used for testing purposes.

Activate the Windows built-in on all machines.
Create a central patch server that all systems must communicate with each week, to update all machines on the same day when new patches come out.

Fiber is a good option; however, it is expensive. Anyway, this kind of decision normally relies on the company's size.

Enable BIOS password at layer 1 and of course educate the users
(Social Engineering layer 8 :) )

What would you advise me for a good BACKUP strategy?

Thx all
:wink: