Summary, Weblinks & Books
Overall then, the aim is to provide layers of defence. For this you could use a Cisco PIX as your hardware firewall (first firewall) with a Microsoft ISA 2004 as your application layer firewall (second firewall). You may also deploy additional ISA 2004 servers as internal firewalls to screen branch to Head Office traffic.
The user node will authenticate to the domain. Cisco NAC and Microsoft NAQC/NAP then provide a security audit, authentication and policy enforcement for user nodes connecting to the LAN before they are authorised. If any action is required to make a user node meet the specified corporate security policies, the node is moved to a restricted part of the network while this is carried out.
Once the user node is authenticated, authorised and compliant with the corporate security policy, it is allowed its full permitted rights as part of the private network. For wireless clients, EAP-TLS may be used for the authentication and 802.1x for the encryption of the wireless traffic.
To help strengthen the LAN in case the outer perimeter is defeated, you need to look at segmenting the network. This will help minimise or delay malicious and undesirable activity from spreading throughout your private network. VLANs will assist with creating workgroups based on job function, allowing you to restrict the scope of network access a user may have.
For example, rather than any user being able to browse to the Payroll server, you can use VLANs to restrict access to that server to the HR department only. Routers can help minimise the spread of network worms and other undesirable traffic by introducing Access Control Lists (ACLs).
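The VLAN and ACL idea above can be made concrete with a small evaluator. The following is an added example, not code or configuration from the original presentation: the addressing plan, VLAN numbers, Payroll server address and ACL lines are all constructed for illustration. It parses Cisco IOS extended-ACL syntax and applies the three rules a practitioner must keep in mind when reading a router ACL: entries are tried top-down, the first match decides, and whatever matches nothing is dropped by the implicit "deny ip any any" at the end.

```python
"""Evaluate Cisco-style extended ACL lines against sample inter-VLAN flows.

Added example, not from the original paper: the addressing plan, VLAN
numbers and ACL lines below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addressing plan (assumption):
#   VLAN 20  HR workstations   10.0.20.0/24
#   VLAN 30  Servers           10.0.30.0/24   (Payroll server 10.0.30.10)
#   VLAN 40  General staff     10.0.40.0/24
PAYROLL = "10.0.30.10"

# Constructed ACL in IOS extended syntax, as it would be applied inbound on
# each client VLAN's routed interface (ip access-group CLIENT-IN in), so it
# sees every packet leaving a client VLAN for another VLAN.
ACL_LINES = [
    "permit tcp 10.0.20.0 0.0.0.255 host 10.0.30.10 eq 445",  # HR -> Payroll file share
    "deny   ip  any host 10.0.30.10",                          # nobody else reaches Payroll
    "deny   tcp any 10.0.0.0 0.0.255.255 eq 445",              # no other SMB between VLANs (worm spread)
    "deny   tcp any 10.0.0.0 0.0.255.255 range 135 139",       # RPC/NetBIOS likewise
    "permit ip  any any",                                      # everything else, e.g. web, DNS
]

Port = Optional[Tuple[int, int]]   # inclusive (low, high) range, or None = any port


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Port
    dst: ipaddress.IPv4Network
    dport: Port


def _parse_addr(tokens: List[str], i: int):
    """Consume one address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # A Cisco wildcard is an inverted netmask (0.0.0.255 -> 255.255.255.0);
    # contiguous wildcards are assumed here.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False), i + 2


def _parse_port(tokens: List[str], i: int):
    """Consume an optional 'eq N' or 'range A B' at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        p = int(tokens[i + 1])
        return (p, p), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (int(tokens[i + 1]), int(tokens[i + 2])), i + 3
    return None, i


def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse '<action> <proto> <src> [port] <dst> [port]' lines into ACEs."""
    aces = []
    for line in lines:
        t = line.split()
        src, i = _parse_addr(t, 2)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, _ = _parse_port(t, i)
        aces.append(Ace(t[0], t[1], src, sport, dst, dport))
    return aces


def _port_ok(port: int, rng: Port) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def evaluate(aces: List[Ace], proto: str, src: str, sport: int, dst: str, dport: int):
    """Return (action, line_number) of the first matching entry; line 0 is the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for n, ace in enumerate(aces, start=1):
        if ace.proto not in ("ip", proto):   # 'ip' entries match every protocol
            continue
        if s in ace.src and d in ace.dst and _port_ok(sport, ace.sport) and _port_ok(dport, ace.dport):
            return ace.action, n
    return "deny", 0                          # implicit deny at the end of every IOS ACL


def check_sample_flows():
    """Decisions for constructed flows: (proto, src, sport, dst, dport)."""
    aces = parse_acl(ACL_LINES)
    flows = {
        "hr_to_payroll_smb":       ("tcp", "10.0.20.15", 51000, PAYROLL, 445),
        "general_to_payroll_smb":  ("tcp", "10.0.40.77", 51001, PAYROLL, 445),
        "general_to_hr_smb":       ("tcp", "10.0.40.77", 51002, "10.0.20.15", 445),
        "general_to_intranet_web": ("tcp", "10.0.40.77", 51003, "10.0.30.20", 80),
        "general_to_dns":          ("udp", "10.0.40.77", 51004, "10.0.30.5", 53),
    }
    return {name: evaluate(aces, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, (action, line) in check_sample_flows().items():
        print(f"{name:24} {action:6} (line {line or 'implicit deny'})")
```

Running it shows HR reaching the Payroll share on line 1, general staff being stopped at line 2, and cross-VLAN SMB between workstations being dropped at line 3, which is the "island hopping" path. Dropping the final `permit ip any any` and re-running the DNS flow illustrates the implicit deny: the packet matches no entry and is discarded.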
To minimise the chance of “island hopping”, where a compromised machine is used to target another machine, you should ensure that the OS of every client and server is hardened as much as possible – remove unnecessary services, apply patches, remove the default admin shares if they are not used, and enforce complex passwords.
Also stop clients from having easy access to other client machines unless it is necessary; instead build more secure client-to-server access. The server will typically have better security because it is part of a smaller, more manageable group of machines, and it is also a higher-profile machine.
Applications should be patched and countermeasures put in place for known vulnerabilities. This includes Microsoft Exchange, SQL Server and IIS, which are high on a malicious hacker's attack list. The data on the servers can then be secured using NTFS permissions so that only those who are authorised may access the data, and only in the manner you specify.
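The NTFS permission step, and the least-privilege idea behind the hardening advice above it, rests on how Windows walks a DACL. The following is an added example, not code from the original paper or from Microsoft: the share, groups, users and ACEs are constructed. It applies the documented Windows access-check rule (ACEs are read in order; an access-denied ACE covering any still-requested right denies the request outright; access-allowed ACEs accumulate rights until every requested right is granted) and flags the wide-open "Everyone / Full Control" grant that the hardened DACL replaces. Owner-implied rights and privileges such as SeBackupPrivilege are deliberately left out.

```python
"""Windows-style DACL access check over a constructed Payroll share.

Added example, not from the original paper: the share, groups, users and
ACEs below are constructed. The evaluation follows the documented Windows
rule of walking the DACL in order: a deny ACE that covers any still-requested
right denies outright, allow ACEs accumulate rights until all are granted.
Owner-implied rights and privileges are ignored.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Simplified generic rights as bit flags (the real NTFS access mask is wider).
READ, WRITE, DELETE, CHANGE_PERMS = 1, 2, 4, 8
READ_ONLY = READ
MODIFY = READ | WRITE | DELETE
FULL_CONTROL = READ | WRITE | DELETE | CHANGE_PERMS

# Well-known groups that appear in every logged-on domain user's token.
IMPLICIT_GROUPS = {"Everyone", "Authenticated Users"}
BROAD_TRUSTEES = IMPLICIT_GROUPS | {"Domain Users"}


@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # user or group name (a SID on a real system)
    mask: int      # rights this ACE covers


# Constructed group memberships (assumption, not from the paper).
GROUPS: Dict[str, Set[str]] = {
    "alice": {"HR"},
    "bob":   {"HR", "Payroll-Admins"},
    "carol": {"HR", "Contractors"},
    "dave":  {"Sales"},
}

# Constructed "before" DACL: the wide-open grant often found on old shares.
DEFAULT_DACL: List[Ace] = [Ace("allow", "Everyone", FULL_CONTROL)]

# Constructed hardened DACL for the Payroll data, in canonical order
# (explicit deny ACEs before explicit allow ACEs, as Windows orders them).
PAYROLL_DACL: List[Ace] = [
    Ace("deny",  "Contractors",    FULL_CONTROL),  # contractors never see payroll data
    Ace("allow", "HR",             READ_ONLY),     # HR may read
    Ace("allow", "Payroll-Admins", MODIFY),        # payroll staff may change files
    Ace("allow", "Domain Admins",  FULL_CONTROL),  # admins manage permissions
]


def access_check(dacl: List[Ace], user: str, requested: int) -> bool:
    """Return True if `user` is granted every bit in `requested`."""
    trustees = {user} | GROUPS.get(user, set()) | IMPLICIT_GROUPS  # the user's "token"
    remaining = requested                                         # rights not yet granted
    for ace in dacl:
        if ace.trustee not in trustees:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False                      # a matching deny ends the check immediately
        if ace.kind == "allow":
            remaining &= ~ace.mask            # rights accumulate across matching ACEs
            if remaining == 0:
                return True
    return remaining == 0                     # rights nobody granted mean access denied


def overly_broad(dacl: List[Ace]) -> List[Ace]:
    """Flag allow ACEs granted to catch-all groups: least privilege is not being applied."""
    return [ace for ace in dacl if ace.kind == "allow" and ace.trustee in BROAD_TRUSTEES]


def check_samples() -> Dict[str, bool]:
    """Access decisions for constructed requests against the two DACLs."""
    return {
        "alice_read":      access_check(PAYROLL_DACL, "alice", READ),    # HR read allowed
        "alice_write":     access_check(PAYROLL_DACL, "alice", WRITE),   # HR holds no write right
        "bob_modify":      access_check(PAYROLL_DACL, "bob", MODIFY),    # READ via HR, rest via Payroll-Admins
        "carol_read":      access_check(PAYROLL_DACL, "carol", READ),    # Contractors deny beats HR allow
        "dave_read":       access_check(PAYROLL_DACL, "dave", READ),     # no ACE matches: denied
        "dave_on_default": access_check(DEFAULT_DACL, "dave", FULL_CONTROL),  # wide-open share
    }


if __name__ == "__main__":
    for name, decision in check_samples().items():
        print(f"{name:16} {'granted' if decision else 'denied'}")
    print("overly broad ACEs on default DACL:", overly_broad(DEFAULT_DACL))
    print("overly broad ACEs on hardened DACL:", overly_broad(PAYROLL_DACL))
```

Two results are worth noticing. Bob gets Modify although no single ACE grants it to him, because Windows accumulates rights across all of the groups in his token; and Carol is refused even Read although she is in HR, because an explicit deny on any of her groups is honoured before any allow is considered. That second behaviour is what makes an explicit deny the right tool for carving exceptions out of a broad group, and the `overly_broad` check is the quick audit for shares that still carry the Everyone grant.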
Overall, the presentation showed me that a more integrated approach to network security was being taken by vendors. Interoperability is going to be important to ensure the longevity of your solution, but it is refreshing to see two large players in the IT industry like Cisco and Microsoft working together.
The slides for this presentation are available as a PDF document – accessed 13 January 2005: http://www.lynxtec.com/presentations/
Microsoft press release about Cisco and Microsoft working together for network security – accessed 17 January 2005: http://www.microsoft.com/presspass/press/2004/oct04/10-18CiscoSecurityPR.asp
Cisco trust agents as part of Network Access Control – accessed 13 January 2005: http://www.cisco.com/en/US/products/ps5923/
Microsoft Operations Framework – accessed 17 January 2005: http://www.microsoft.com/technet/itsolutions/cits/mo/mof/default.mspx
Microsoft Security Operations Guide – accessed 17 January 2005: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=F0B7B4EE-201A-4B40-A0D2-CDD9775AEFF8
Software restriction policies for Windows XP – accessed 12 January 2005: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
Hfnetchk patch management tool – accessed 12 January 2005: http://www.microsoft.com/technet/security/tools/hfnetchk.mspx
Microsoft Network Access Protection – accessed 11 January 2005: http://www.microsoft.com/windowsserver2003/technologies/networking/nap/default.mspx
Supplier of IT security posters – accessed 15 January 2005: www.nativeintelligence.com
Wireless information source – accessed 14 January 2005: www.netstumbler.com
ISA 2004 presentation (includes a diagram of the ISA architecture) – accessed 16 January 2005: http://www.raven-computers.co.uk/downloads/ISA_Presentation.ppt
McClure, S. & Scambray, J. (2003) Hacking Exposed Windows Server 2003. McGraw-Hill/Osborne. ISBN 0-07-223061-4