I'm starting a project whose objective is securing the 7 layers of the OSI model. The problem is that there are so many methods to achieve that, that I don't know which ones I should apply and whether they are all being applied in the proper layer.
My main goal is to achieve maximum security with less overhead.
So my plan is as follows:
Layer 1 Physical -
Restrict Autorun on all machines
Control what employees can plug into the USB ports
Use of McAfee Antivirus on all machines
Layer 2 Data Link -
Configure dynamic ARP inspection to drop invalid MACs
Disable all unused ports
Configure MPLS VPN layer 2
Layer 3 Network -
Configure VPN layer 3 to enforce the layer 2 VPN
Use a firewall router
Layer 4 Transport -
Use SNMP version 3 only
Control the amount of ICMP used in the network
Use of IPS/IDS software (please let me know if someone knows any free and effective version)
I also need any free software that can confuse fingerprint attacks.
Layer 5 Session -
Preventing and detecting by limiting incoming connections and configuring the network to reject packets from the internet that claim to originate from a local address.
Configure port security on LAN switches
Layer 6 Presentation -
Use SSL and TLS
Layer 7 Application -
Use an AAA server; the methods used in the previous layers might be enough to prevent application layer attacks
Require DNS to use random transaction IDs and source ports.
Please, what do you think about my objectives? May I be using too many features in some cases?
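Two of the measures in the plan above are simple enough to show as working checks: rejecting internet-side packets that claim a local source address (the Layer 5 item) and verifying that a resolver really randomises DNS transaction IDs and source ports (the Layer 7 item). The following Python is an added example written for this page, not code from the original post; the local prefixes, the interface name "wan0" and all sample packets and DNS queries are constructed assumptions.

```python
import ipaddress

# Prefixes the constructed example site treats as "local" (an assumption for
# this example; substitute the site's own address plan).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
INTERNET_IFACE = "wan0"   # hypothetical name of the internet-facing interface


def is_local(addr):
    """True if addr lies inside one of the local prefixes (ValueError if malformed)."""
    return any(ipaddress.ip_address(addr) in net for net in LOCAL_NETS)


def ingress_filter(packet):
    """Return 'drop' or 'accept' for one packet given as {iface, src, dst}.

    Anti-spoofing rule from the plan: a packet arriving on the internet
    interface must not claim a local source. The mirror-image egress rule
    (an internal host must not claim a foreign source) is included because
    it costs nothing and stops the site being used to spoof others."""
    try:
        local_src = is_local(packet["src"])
    except ValueError:          # malformed address: fail closed
        return "drop"
    if packet["iface"] == INTERNET_IFACE and local_src:
        return "drop"           # outsider pretending to be an inside host
    if packet["iface"] != INTERNET_IFACE and not local_src:
        return "drop"           # inside host pretending to be an outsider
    return "accept"


def dns_randomisation_report(queries):
    """Summarise a sample of outgoing DNS queries given as (txid, src_port).

    A resolver that does not randomise shows a low fraction of distinct
    source ports (fixed port) or many sequential transaction IDs. The
    verdict requires both fields to look random; an empty sample cannot pass."""
    n = len(queries)
    if n == 0:
        return {"samples": 0, "txid_distinct_ratio": 0.0,
                "port_distinct_ratio": 0.0, "sequential_pairs": 0,
                "looks_randomised": False}
    txid_ratio = len({t for t, _ in queries}) / n
    port_ratio = len({p for _, p in queries}) / n
    # Count consecutive queries whose IDs increase by exactly one.
    sequential = sum(1 for (a, _pa), (b, _pb) in zip(queries, queries[1:])
                     if b == a + 1)
    return {
        "samples": n,
        "txid_distinct_ratio": txid_ratio,
        "port_distinct_ratio": port_ratio,
        "sequential_pairs": sequential,
        "looks_randomised": (txid_ratio >= 0.9 and port_ratio >= 0.9
                             and sequential <= n // 10),
    }


# Constructed sample traffic (not captured from any real network).
SAMPLE_PACKETS = [
    {"iface": "wan0", "src": "203.0.113.5",  "dst": "192.168.1.10"},  # ordinary inbound
    {"iface": "wan0", "src": "192.168.1.7",  "dst": "192.168.1.10"},  # spoofed local source
    {"iface": "lan0", "src": "192.168.1.20", "dst": "198.51.100.9"},  # ordinary outbound
    {"iface": "lan0", "src": "203.0.113.77", "dst": "198.51.100.9"},  # inside host spoofing
    {"iface": "wan0", "src": "not-an-ip",    "dst": "192.168.1.10"},  # malformed address
]

# Constructed resolver samples: sequential IDs with a fixed port (weak), and
# ten hand-picked non-sequential IDs with distinct ports (randomised).
WEAK_RESOLVER = [(1000 + i, 53000) for i in range(20)]
RANDOMISED_RESOLVER = [(0x1f3a, 41234), (0x8c02, 50211), (0x03e9, 60045),
                       (0xd7b1, 33490), (0x5a6e, 44872), (0xbe40, 58103),
                       (0x2d19, 39977), (0x9f57, 47620), (0x6e83, 52315),
                       (0x417c, 36158)]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p["iface"], p["src"], "->", ingress_filter(p))
    for name, sample in (("weak", WEAK_RESOLVER), ("randomised", RANDOMISED_RESOLVER)):
        print(name, dns_randomisation_report(sample))
```

On a real router the first function corresponds to an ingress ACL on the internet-facing interface and an egress ACL on the LAN side; the second is the kind of check to run against a packet capture of your resolver's outbound queries, since a fixed source port shows up immediately as a distinct-port ratio near zero.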
You've made a good start.
Try to bear in mind what each layer does, and try to include under each layer heading only those measures that impact that layer and which improve security. For example, for the physical layer antivirus is not really that relevant. However, things like using fibre instead of copper to make the physical bitstream harder to intercept and modify are. Remember physical security also - if they can't physically get to your network then you limit much of what they can do.
Most of your other suggestions are under the correct layer but there are one or two I might move.
Also, for free intrusion detection have a look at Snort.
Great start indeed. Just a few notes here. SSH is above layer 3 (Application layer in the DoD model). The "Firewall router" could be at layer 3 or above it; it depends on its capabilities and what you configure on it. Antivirus is surely above layer 4.
Usually a subset of what you're proposing will do the job. It depends on your requirements. Port security, for example, is effective in ensuring no machines connect to your network other than the ones you have allowed. VPNs are a popular choice for allowing and securing remote users. May I suggest configuring personal firewalls (software). A firewall at the edge router is great in preventing outsiders, but it won't prevent viruses or attackers that have already propagated to (or infected) an internal PC from spreading their hazard around. I personally use the Windows built-in firewall.
As TheBishop mentioned, physical security should be taken seriously. For example, if there is a possibility for an intruder to have physical access to some of your machines (provided those machines have a floppy drive), then I suggest you enable BIOS passwords. An intruder can change the Windows password of an Administrator by booting from a floppy disk with some password cracking/changing software on it. Such software is already available in the wild.