How to take control of your network infrastructure. Chapter three. Network security. Part Three

This article is the fifth in the series "How to take control of your network infrastructure." The table of contents of the whole series and links to all articles can be found here.

This part will focus on the Campus (Office) and Remote Access VPN segments.


It may seem that the design of an office network is simple.

Indeed, we take L2/L3 switches and connect them together. Next, we perform an elementary configuration of VLANs and default gateways, set up simple routing, connect WiFi controllers and access points, install and configure an ASA for remote access, and we are glad that everything works. In principle, as I wrote in one of the previous articles of this series, almost every student who has attended (and mastered) two semesters of a telecom course can design and configure an office network so that it "works somehow".

But the more you learn, the less easy this task seems. For me personally, the topic of office network design does not seem easy at all, and in this article I will try to explain why.

In short, there are quite a few factors to consider. Often these factors conflict with each other and a reasonable compromise has to be found.
This uncertainty is the main difficulty. So, speaking about security, we have a triangle with three vertices: security, convenience for employees, and the price of the solution.
And every time you have to find a compromise between these three.

Architecture

As an example of architecture for these two segments, as in previous articles, I recommend the Cisco SAFE model: Enterprise Campus, Enterprise Internet Edge.

These documents are somewhat outdated. I cite them here because the fundamental schemes and approach have not changed, and at the same time I like their presentation more than that of the newer documentation.

Without urging you to use Cisco solutions, I still think it is useful to carefully study this design.

This article, as usual, by no means claims to be complete; it is rather an addition to that information.

At the end of the article, we will analyze the Cisco SAFE design for the office in terms of the concepts outlined here.

General Principles

The design of an office network must, of course, satisfy the general requirements that were considered here, in the chapter "Criteria for evaluating the quality of design". In addition to price and security, which we intend to discuss in this article, there are three more criteria that we must consider when designing (or when making changes):

  • scalability
  • ease of management
  • availability

Much of what was discussed for data centers also holds true for the office.

But, nevertheless, the office segment has its own specifics, which are critical in terms of security. The essence of this specificity is that this segment is created to provide network services to the company's employees (as well as partners and guests), and, as a result, at the highest level of consideration of the problem, we have two tasks:

  • protect company resources from malicious actions that may come from employees (guests, partners) and from the software they use. This also includes protection against unauthorized connection to the network.
  • protect systems and user data

And this is only one side of the problem (or rather, one vertex of the triangle). On the other side is user convenience and the price of applied solutions.

Let's start by looking at what the user expects from a modern office network.

Conveniences

This is what "network conveniences" look like for an office user, in my opinion:

  • Mobility
  • Ability to use the full range of familiar devices and operating systems
  • Easy access to all necessary company resources
  • Availability of Internet resources, including various cloud services
  • A "fast" network

All this applies to both employees and guests (or partners), and it is the task of the company's engineers to differentiate access for different user groups based on authorization.

Let's take a closer look at each of these aspects.

Mobility

We are talking about the ability to work and use all the necessary resources of the company from anywhere in the world (of course, where the Internet is available).

This fully applies to the office. It is convenient when you can continue working from anywhere in the office: for example, receive mail, communicate in a corporate messenger, be available for a video call, ... Thus, this allows you, on the one hand, to resolve some issues through "live" communication (for example, to take part in meetings), and on the other hand, to be always online, keep abreast of things and quickly solve some urgent high-priority tasks. This is very convenient and really improves the quality of communications.

This is achieved by proper WiFi network design.

Comment

Here the question usually arises: is it enough to use only WiFi? Does this mean that you can stop using Ethernet ports in the office? If we are talking only about users, and not about servers (which, nevertheless, it is reasonable to connect with a regular Ethernet port), then in general the answer is: yes, you can limit yourself to WiFi only. But there are nuances.

There are important user groups that require a separate approach. These are, of course, administrators. In principle, a WiFi connection is less reliable (in terms of traffic loss) and slower than a regular Ethernet port. This can be significant for administrators. In addition, network administrators, for example, may have their own dedicated Ethernet network for out-of-band connections.

Perhaps there are other groups/departments in your company for which these factors are also important.

There is another important point: telephony. Perhaps for some reason you don't want to use wireless VoIP and want to use IP phones with a regular Ethernet connection.

In general, in those companies in which I worked, there was usually the possibility of both a WiFi connection and an Ethernet port.

It would be desirable that mobility were not limited only to the office.

A VPN connection is used to enable work from home (or any other place with available Internet). At the same time, it is desirable that employees do not feel the difference between working from the office and working remotely, which implies the same access. We will discuss how to organize this a little later in the chapter "Unified centralized system of authentication and authorization".

Comment

Most likely, you will not be able to fully provide the same quality of service for remote work that you have in the office. Let's assume that you are using a Cisco ASA 5520 as your VPN gateway. According to its datasheet, this device is able to "digest" only 225 Mbps of VPN traffic. That is, of course, in terms of bandwidth, connecting via VPN is very different from working from the office. Also, if for some reason delay, loss and jitter are significant for your network services (for example, you want to use office IP telephony), you also will not get the same quality as if you were in the office. Therefore, when talking about mobility, we must keep in mind the possible limitations.

Easy access to all company resources

This task should be carried out jointly with other technical departments.
The ideal situation is when the user needs to authenticate only once, and after that gets access to all the necessary resources.
Providing easy access without sacrificing security can dramatically increase productivity and reduce stress for your co-workers.

Note 1

Ease of access isn't just about how many times you have to enter your password. If, for example, in accordance with your security policy, in order to connect from the office to the data center, you must first connect to the VPN gateway, and in doing so you lose access to office resources, then this is also very, very inconvenient.

Note 2

There are services (for example, access to network equipment) for which we usually have our own dedicated AAA servers, and it is normal that in this case we have to authenticate several times.

Availability of Internet resources

The Internet is not only entertainment, but also a set of services that can be very useful for work. There are also purely psychological factors. A modern person is connected to other people through the Internet by many virtual threads, and, in my opinion, there is nothing wrong if they continue to feel this connection even during work.

From the point of view of wasted time, there is nothing to worry about if an employee, for example, has Skype running and spends 5 minutes communicating with a loved one when necessary.

Does this mean that the Internet should always be available? Does this mean that employees can have access to all resources without any control?

No, of course it doesn't. The level of openness of the Internet can differ between companies, from complete closure to complete openness. We will discuss ways to control traffic later in the sections on protection.

Ability to use the full range of familiar devices

It is convenient when, for example, you have the opportunity to continue using all the means of communication you are used to at work. Technically there is no difficulty in implementing this. It requires WiFi and a guest VLAN.

It is also good if it is possible to use the operating system that you are used to. But, in my observation, usually only managers, administrators and developers are allowed to do this.

Example

You can, of course, follow the path of bans: prohibit remote access, prohibit connecting from mobile devices, limit everything to static Ethernet connections, limit Internet access, confiscate cell phones and gadgets at the checkpoint without fail ... Some organizations with elevated security requirements do this, and, perhaps, in some cases this may be justified, but ... you must agree that this looks like an attempt to stop progress in a single organization. Of course, I would like to combine the opportunities that modern technologies provide with a sufficient level of security.

A "fast" network

Data transfer speed is technically a combination of many factors, and the speed of your connection port is usually not the most important of them. Slow operation of an application is not always associated with network problems, but now we are only interested in the network part. The most common LAN "slowdown" problem is related to packet loss. This usually occurs when there is a bottleneck or L1 (OSI) problems. Less often, in some designs (for example, when the default gateway on your subnets is a firewall and thus all traffic goes through it), the performance of the equipment may not be enough.

Therefore, when choosing equipment and architecture, you need to correlate the speeds of end ports, trunks and equipment performance.

Example

Let's assume you are using 1 Gbps switches as access layer switches. They are connected to each other via a 2 x 10 Gbps Etherchannel. As a default gateway, you use a firewall with gigabit ports; to connect it to the L2 office network, you use 2 gigabit ports combined into an Etherchannel.

This architecture is quite convenient in terms of functionality, because all traffic goes through the firewall, and you can comfortably manage access policies and apply sophisticated algorithms to control traffic and prevent possible attacks (see below), but in terms of throughput and performance this design, of course, has potential problems. So, for example, 2 hosts downloading data (with a port speed of 1 Gbps) can completely load the 2 Gbps connection to the firewall, and thus lead to degradation of service for the entire office segment.

We have considered one vertex of the triangle, now let's look at how we can ensure security.

Means of protection

So, of course, our desire (or rather, the desire of our management) is usually to achieve the impossible, namely, to provide maximum convenience with maximum security at minimum cost.

Let's look at what methods we have to provide protection.

For the office, I would single out the following:

  • zero trust approach in design
  • high level of protection
  • network visibility
  • unified centralized system of authentication and authorization
  • host checking

Let's take a closer look at each of these aspects.

Zero Trust

The IT world is changing very quickly. Literally over the past 10 years, the emergence of new technologies and products has led to a serious revision of the concepts of security. Ten years ago, in terms of security, we segmented the network into trust, DMZ and untrust zones, and used so-called "perimeter protection", where there were 2 lines of defense: untrust -> DMZ and DMZ -> trust. Also, protection was usually limited to access lists based on L3/L4 (OSI) headers (IP addresses, TCP/UDP ports, TCP flags). Everything related to higher levels, including L7, was left to the OS and security products installed on the end hosts.

Now the situation has changed dramatically. The modern zero trust concept proceeds from the fact that internal systems, that is, those located inside the perimeter, can no longer be considered trusted, and the very concept of the perimeter has become blurred.
In addition to an Internet connection, we also have

  • remote access VPN users
  • various personal gadgets and laptops brought in and connected via office WiFi
  • other (branch) offices
  • cloud infrastructure integration

What does the Zero Trust approach look like in practice?

Ideally, only the traffic that is required should be allowed, and if we are talking about the ideal, then control should be not only at the L3/L4 level, but at the application level.

If, for example, you have the ability to pass all traffic through the firewall, then you can try to get closer to the ideal. But this approach can significantly reduce your overall network bandwidth, and application filtering doesn't always work well.

When controlling traffic on a router or L3 switch (using standard ACLs), you encounter other problems:

  • it is only L3/L4 filtering. Nothing prevents an attacker from using allowed ports (e.g. TCP 80) for their own application (not HTTP)
  • complex ACL management (ACLs are difficult to read)
  • this is not a stateful firewall, i.e. you need to explicitly allow reverse traffic
  • in the case of switches, you are usually quite tightly constrained by the size of the TCAM, which can quickly become a problem with an "allow only what you need" approach.

Comment

Speaking of reverse traffic, we must remember that we have the following option (Cisco):

  permit tcp any any established

But you need to understand that this line is equivalent to two lines:

  permit tcp any any ack
  permit tcp any any rst

This means that even if there was no initial TCP segment with the SYN flag (that is, the TCP session did not even begin to be established), this ACL will let a packet with the ACK flag through, which an attacker can use to transfer data.

That is, this line in no way turns your router or L3 switch into a stateful firewall.
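To make the difference concrete, here is a small simulation (an added example, not part of the original article or any device configuration) that runs a constructed packet trace through an emulation of "permit tcp any any established" and through a minimal stateful connection tracker. Addresses, ports and the 10.x "inside" prefix are assumptions made for the illustration.

```python
"""Simulation of why a Cisco-style "established" ACL entry is not a stateful
firewall.  This is an added example for this article, not a configuration
from any real device: the packets and addresses below are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "RST", "FIN", "PSH"}


def acl_established_permits(pkt: Packet) -> bool:
    """Emulates 'permit tcp any any established', which the ACL engine expands
    to 'ack' OR 'rst'.  No state is consulted: a bare ACK that never followed
    a SYN is permitted just like a genuine reply."""
    return "ACK" in pkt.flags or "RST" in pkt.flags


class StatefulInspector:
    """Minimal connection tracker.  Inbound packets are permitted only if they
    belong to a session that an inside host opened with a SYN."""

    def __init__(self, inside_prefix: str) -> None:
        # Crude string-prefix test is enough for this constructed trace.
        self.inside_prefix = inside_prefix
        self.sessions: set = set()

    def is_inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def permits(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self.is_inside(pkt.src):
            # Outbound traffic: a SYN creates state, everything else is allowed.
            if pkt.flags == frozenset({"SYN"}):
                self.sessions.add(key)
            return True
        # Inbound traffic: only replies to a tracked session pass.
        return reverse in self.sessions


def evaluate(inside_prefix: str, packets: List[Packet]) -> List[Tuple[bool, bool]]:
    """Runs the packets in order through both policies and returns, per packet,
    (permitted_by_established_acl, permitted_by_stateful_inspector).  The ACL is
    applied inbound on the outside interface, so outbound packets pass it."""
    fw = StatefulInspector(inside_prefix)
    results = []
    for pkt in packets:
        inbound = not fw.is_inside(pkt.src)
        acl_ok = acl_established_permits(pkt) if inbound else True
        results.append((acl_ok, fw.permits(pkt)))
    return results


# Constructed packet trace: 10.x.x.x is the office, everything else is outside.
SAMPLE_TRACE = [
    Packet("10.0.0.5", "203.0.113.10", 40000, 80, frozenset({"SYN"})),         # office host opens a web session
    Packet("203.0.113.10", "10.0.0.5", 80, 40000, frozenset({"SYN", "ACK"})),  # legitimate reply
    Packet("198.51.100.7", "10.0.0.5", 4444, 22, frozenset({"ACK"})),          # unsolicited ACK-only packet
    Packet("198.51.100.7", "10.0.0.5", 4444, 22, frozenset({"SYN"})),          # plain inbound SYN
]

if __name__ == "__main__":
    for pkt, (acl_ok, fw_ok) in zip(SAMPLE_TRACE, evaluate("10.", SAMPLE_TRACE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {sorted(pkt.flags)}"
              f"  established-ACL: {'permit' if acl_ok else 'deny'}"
              f"  stateful: {'permit' if fw_ok else 'deny'}")
```

The third packet is the one the text warns about: the ACL permits it because the ACK bit is set, while the connection tracker rejects it because no inside host ever opened that session.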

High level of protection

In the article, in the section on data centers, we considered the following methods of protection:

  • stateful firewalling (default)
  • ddos/dos protection
  • application firewalling
  • threat prevention (antivirus, anti-spyware, and vulnerability protection)
  • URL filtering
  • data filtering (content filtering)
  • file blocking (file types blocking)

In the case of an office, the situation is similar, but the priorities are slightly different. Office availability is usually not as critical as in the case of a data center, while the likelihood of "internal" malicious traffic is orders of magnitude higher.
Therefore, the following protection methods become critical for this segment:

  • application firewalling
  • threat prevention (anti-virus, anti-spyware, and vulnerability protection)
  • URL filtering
  • data filtering (content filtering)
  • file blocking (file types blocking)

While all of these security methods, with the exception of application firewalling, have traditionally been and continue to be handled on end hosts (e.g. by installing antivirus software) and on proxies, modern NGFWs also provide these services.

Security equipment vendors strive to create comprehensive protection; therefore, along with protection on a local box, various cloud technologies and client software for hosts (endpoint protection / EPP) are offered. So, for example, from the Gartner Magic Quadrant 2018 we see that Palo Alto and Cisco have their own EPPs (PA: Traps, Cisco: AMP), but they are far from the leaders.

Enabling these protections (usually through the purchase of licenses) on the firewall is of course optional (you can go the traditional way), but it provides some advantages:

  • in this case, there is a single point of application of protection methods, which improves visibility (see the next topic)
  • if there is an unprotected device on your network, it still falls under the "umbrella" of firewall protection
  • by using firewall protections in conjunction with end-host protections, we increase the likelihood of detecting malicious traffic. For example, the use of threat prevention on local hosts and on the firewall increases the likelihood of detection (provided, of course, that these solutions are based on different software products)

Comment

If, for example, you use Kaspersky as an antivirus both on the firewall and on the end hosts, then this, of course, will not greatly increase your chances of preventing a virus attack on your network.

Network visibility

The main idea is simple: "see" what is happening on your network, both in real time and in historical data.

I would divide this "vision" into two groups:

Group one: what your monitoring system usually provides you.

  • equipment loading
  • channel loading
  • memory usage
  • disk usage
  • changing the routing table
  • link status
  • availability of equipment (or hosts)
  • ...

Group two: security related information.

  • various kinds of statistics (for example, by application, by URL, what types of data were downloaded, user data)
  • what was blocked by security policies and for what reason, namely:
    • prohibited application
    • forbidden based on ip/protocol/port/flags/zones
    • threat prevention
    • url filtering
    • data filtering
    • file blocking
    • ...
  • statistics on DoS/DDoS attacks
  • unsuccessful authentication and authorization attempts
  • statistics on all the above security policy violation events
  • ...

In this chapter on security, we are interested in the second part.

Some modern firewalls (from my Palo Alto experience) provide a good level of visibility. But, of course, the traffic you are interested in must go through this firewall (in which case you also have the ability to block traffic) or be mirrored to the firewall (then it is used only for monitoring and analysis), and you must have licenses to enable all these services.

There is, of course, an alternative way, or rather the traditional way, for example:

  • session statistics can be collected via NetFlow and then analyzed and visualized with special utilities
  • threat prevention: special programs (anti-virus, anti-spyware, firewall) on end hosts
  • URL filtering, data filtering, file blocking: on a proxy
  • it is also possible to analyze tcpdump captures with e.g. Snort

It is possible to combine these two approaches, adding missing features or duplicating them to increase the likelihood of attack detection.

Which approach to choose?
It highly depends on the qualifications and preferences of your team.
Both have their pluses and minuses.

Unified centralized system of authentication and authorization

Properly implemented, the mobility we discussed in this article assumes that you have the same access whether you work from the office or from home, from the airport, from a coffee shop, or anywhere else (with the limitations we discussed above). It would seem, what is the problem?
In order to better understand the complexity of this task, let's look at a typical design.

Example

  • You divided all employees into groups. You have decided to grant access by groups
  • Inside the office, you control access on the office firewall
  • You control the traffic from the office to the data center on the firewall of the data center
  • You use the Cisco ASA as your VPN gateway, and you use local (on the ASA) ACLs to control traffic entering your network from remote clients.

Now, suppose you are asked to add additional access to a specific employee. At the same time, you are asked to add access only to him and no one else from his group.

To do this, we must create a separate group for this employee, that is:

  • create a separate IP pool on the ASA for this employee
  • add a new ACL on the ASA and bind it to that remote client
  • create new security policies on office and data center firewalls

That is fine if such an event is rare. But in my practice there was a situation when employees participated in different projects, this set of projects changed quite often for some of them, and it was not 1-2 people, but dozens. Of course, something had to change here.

It was solved in the following way.

We decided that the only source of truth defining all possible employee accesses would be LDAP. We created all kinds of groups that define sets of accesses, and we tied each user to one or more groups.

So, for example, suppose there were groups

  • guest (internet access)
  • common access (access to shared resources: mail, knowledge base, ...)
  • Accounting
  • project 1
  • project 2
  • database administrator
  • linux administrator
  • ...

And if one of the employees was involved in both project 1 and project 2, and needed the access necessary to work in these projects, then this employee was assigned to the following groups:

  • guest
  • common access
  • project 1
  • project 2

How now to turn this information into accesses on network equipment?

The Cisco ASA Dynamic Access Policy (DAP) solution (see www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html) is just right for this task.

Briefly about our implementation: in the process of identification/authorization, the ASA receives from LDAP the set of groups corresponding to a given user and "assembles" from several local ACLs (each of which corresponds to a group) a dynamic ACL with all the necessary accesses, which fully corresponds to our wishes.

But this is only for VPN connections. To make the situation the same for both employees connected via VPN and those in the office, the next step was taken.

When connecting from the office, users were placed, using the 802.1x protocol, into either a guest VLAN (for guests) or a shared-access VLAN (for company employees). Further, in order to obtain specific access (for example, to projects in the data center), employees had to connect via VPN.

Different tunnel groups were used on the ASA for connections from the office and from home. This is necessary so that, for those who connect from the office, traffic to shared resources (used by all employees, such as mail, file servers, ticket system, DNS, ...) does not go through the ASA but through the local network. Thus, we did not load the ASA with unnecessary traffic, including high-intensity traffic.

Thus, the problem was solved.
We got:

  • the same set of accesses, both for connections from the office and for remote connections
  • no degradation of the service when working from the office, associated with the transfer of high-intensity traffic through the ASA

What is the other benefit of this approach?
Access administration. Access is easy to change, in one place.
For example, if an employee leaves the company, you simply delete them from LDAP, and they automatically lose all access.
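The scheme from this section, modelled in code: LDAP group membership is the single source of truth, each group owns an ACL fragment, the gateway assembles a per-user dynamic ACL from those fragments, and the office tunnel group keeps shared-resource traffic on the LAN. This is an added example, not the author's ASA/DAP configuration; the group names, networks, ports and the user directory are constructed placeholders.

```python
"""Model of the access scheme described above: LDAP groups are the single
source of truth, each group maps to an ACL fragment, and the VPN gateway
assembles a per-user dynamic ACL from the user's groups.  Added example for
this article; the group names, networks, ports and the user directory are
constructed placeholders, not a real LDAP or ASA configuration."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# ACE format: (action, protocol, destination network, destination port).
# Protocol "ip" matches any protocol, port None matches any port.
Ace = Tuple[str, str, str, Optional[int]]

GROUP_ACLS: Dict[str, List[Ace]] = {
    # Internet only: deny the corporate range first, then allow web.
    "guest": [("deny", "ip", "10.0.0.0/8", None),
              ("permit", "tcp", "0.0.0.0/0", 80),
              ("permit", "tcp", "0.0.0.0/0", 443)],
    # Shared resources: mail, knowledge base, DNS ...
    "common access": [("permit", "tcp", "10.10.0.0/24", 443),
                      ("permit", "tcp", "10.10.0.0/24", 993),
                      ("permit", "udp", "10.10.0.53/32", 53)],
    "accounting": [("permit", "tcp", "10.30.0.0/24", 1433)],
    "project 1": [("permit", "tcp", "10.20.1.0/24", 22),
                  ("permit", "tcp", "10.20.1.0/24", 443)],
    "project 2": [("permit", "tcp", "10.20.2.0/24", 443)],
}

# Constructed stand-in for the LDAP directory (user -> group memberships).
DIRECTORY: Dict[str, List[str]] = {
    "alice": ["guest", "common access", "project 1", "project 2"],
    "bob": ["guest", "common access", "accounting"],
}

# Networks that the office tunnel group leaves on the LAN (not sent via the ASA).
SHARED_NETS = ["10.10.0.0/24"]


def build_dynamic_acl(user: str, directory=DIRECTORY, group_acls=GROUP_ACLS) -> List[Ace]:
    """Concatenates the ACL fragments of the user's groups.  The internet
    fragment ("guest") is appended last so that its deny for the corporate range
    cannot shadow the project permits.  A user missing from the directory
    (deleted from LDAP) gets an empty ACL, i.e. implicit deny for everything."""
    groups = directory.get(user, [])
    ordered = [g for g in groups if g != "guest"] + [g for g in groups if g == "guest"]
    acl: List[Ace] = []
    for group in ordered:
        for ace in group_acls.get(group, []):
            if ace not in acl:
                acl.append(ace)
    return acl


def is_permitted(acl: List[Ace], proto: str, dst_ip: str, dst_port: int) -> bool:
    """First-match evaluation with an implicit deny at the end, as on the ASA."""
    addr = ip_address(dst_ip)
    for action, p, net, port in acl:
        if (p == "ip" or p == proto) and (port is None or port == dst_port) \
                and addr in ip_network(net):
            return action == "permit"
    return False


def path_for(location: str, dst_ip: str) -> str:
    """Which path a flow takes: from the office, shared resources are reached
    over the LAN; everything else (and everything from home) goes via the ASA."""
    if location == "office" and any(ip_address(dst_ip) in ip_network(n) for n in SHARED_NETS):
        return "lan"
    return "vpn"


def check_access(user: str, location: str, proto: str, dst_ip: str, dst_port: int) -> str:
    """Combines both decisions: 'lan' for shared traffic switched locally (only
    employees land in the shared VLAN via 802.1x; others are in the guest VLAN),
    'permit'/'deny' for traffic that hits the user's dynamic ACL on the ASA."""
    groups = DIRECTORY.get(user, [])
    if path_for(location, dst_ip) == "lan":
        return "lan" if "common access" in groups else "deny"
    acl = build_dynamic_acl(user)
    return "permit" if is_permitted(acl, proto, dst_ip, dst_port) else "deny"


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):  # carol was deleted from LDAP
        for dst, port in (("10.20.2.15", 443), ("10.30.0.5", 1433), ("198.51.100.20", 443)):
            print(f"{user:6} home  {dst}:{port:<5} {check_access(user, 'home', 'tcp', dst, port)}")
        print(f"{user:6} office 10.10.0.5:443   {check_access(user, 'office', 'tcp', '10.10.0.5', 443)}")
```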

Host checking

With the possibility of remote connection, we run the risk of letting into the network not only an employee of the company, but also all the malicious software that is most likely present on their (for example, home) computer; moreover, through this software we may open access to our network to an attacker using this host as a proxy.

It makes sense to apply to a host connecting remotely the same security requirements as to a host in the office.

This includes the "correct" version of the OS, anti-virus, anti-spyware and firewall software, and updates. Typically, this feature exists on the VPN gateway (for ASA, see e.g. here).

It is also wise to apply the same methods of traffic analysis and blocking (see “High level of protection”) that, in accordance with your security policy, apply to office traffic.

It's reasonable to assume that your office network is no longer limited to the office building and the hosts in it.

Example

A good trick is to provide every employee who needs remote access with a good, comfortable laptop and require them to work, both in the office and from home, only from it.

Not only does this increase the security of your network, but it's also really convenient and is generally accepted positively by employees (if it's a really good and comfortable laptop).

About a sense of proportion and balance

In principle, this is a conversation about the third vertex of our triangle: the price.
Let's look at a hypothetical example.

Example

You have an office for 200 people. You decided to make it as convenient and as safe as possible.

Therefore, you decided to pass all traffic through the firewall, and thus the firewall is the default gateway for all office subnets. In addition to the security software installed on each end host (anti-virus, anti-spyware and firewall software), you also decide to apply all possible protection methods on the firewall.

To ensure high connection speed (everything for convenience), you chose switches with 10 Gigabit access ports as access switches, and as firewalls, high-performance NGFWs, for example the Palo Alto 7K series (with 40 Gigabit ports), naturally with all licenses included and, of course, a High Availability pair.

Also, of course, to work with this line of equipment, we need at least a couple of highly qualified security engineers.

Next, you decide to give each employee a good laptop.

In total, about 10 million dollars for implementation, and hundreds of thousands of dollars (I think closer to a million) for annual support and engineers' salaries.

Office, 200 people…
Comfortable? I guess it's yes.

You come with this proposal to your leadership...
Perhaps there are a certain number of companies in the world for which this is an acceptable and correct solution. If you are an employee of such a company, congratulations, but in the vast majority of cases, I am sure, your knowledge will not be appreciated by management.

Is this example exaggerated? The next chapter will answer this question.

If you do not see any of the above on your network, then this is the norm.
For each specific case, you need to find your own reasonable compromise between convenience, price and security. Often you don't even need an NGFW in your office; you don't even need L7 firewall protection. It is enough to provide a good level of visibility and alerts, and this can be done using open source products, for example. Yes, your reaction to an attack will not be instantaneous, but the main thing is that you will see it, and with the right processes in your department, you will be able to quickly neutralize it.

And let me remind you that, according to the idea of this series of articles, you are not engaged in network design; you are only trying to improve what you got.

SAFE Office Architecture Analysis

Pay attention to the red square with which I marked the place on the diagram from the SAFE Secure Campus Architecture Guide which I would like to discuss here.


This is one of the key places of the architecture and one of the most important uncertainties.

Comment

I have never configured or worked with FirePower (from the Cisco firewall line, only with ASA), so I will treat it like any other firewall, such as Juniper SRX or Palo Alto, assuming that it has the same capabilities.

Of the usual designs, I see only 4 possible options for using a firewall with such a connection:

  • the default gateway for each subnet is the switch, while the firewall is in transparent mode (that is, all traffic goes through it, but it does not form an L3 hop)
  • the default gateway for each subnet is the firewall sub-interfaces (or SVIs), and the switch plays the role of L2
  • different VRFs are used on the switch; traffic between VRFs goes through the firewall, while traffic within one VRF is controlled by ACLs on the switch
  • all traffic is mirrored to the firewall for analysis and monitoring; traffic does not pass through it

Note 1

Combinations of these options are possible, but for simplicity we will not consider them.

Note 2

There is also the possibility of using PBR (service chain architecture), but so far this, although a beautiful solution in my opinion, is rather exotic, so I do not consider it here.

From the description of the flows in the document, we see that the traffic nevertheless goes through the firewall; that is, in accordance with Cisco's design, the fourth option is eliminated.

Let's look at the first two options first.
With these options, all traffic goes through the firewall.

Now look at the datasheet and the Cisco GPL, and we see that if we want the total bandwidth for our office to be at least in the region of 10 - 20 gigabits, then we must buy the 4K version.

Comment

When I talk about the total bandwidth, I mean traffic between subnets (and not within one VLAN).

From the GPL, we see that for an HA bundle with Threat Defense, the price, depending on the model (4110 - 4150), varies from ~0.5 to 2.5 million dollars.

That is, our design begins to resemble the previous example.

Does this mean that this design is wrong?
No, it doesn't. Cisco gives you the best possible protection based on the product line it has. But that doesn't mean it's a must for you.

In principle, this is a common question that arises when designing an office or data center, and it only means that you need to find a compromise.

For example, not all traffic may be allowed through a firewall, in which case the 3rd option seems pretty nice to me; or (see the previous section) maybe you don't need Threat Defense, or you don't need a firewall at all in this network segment and you can limit yourself to passive monitoring using paid (not expensive) or open source solutions; or you need a firewall, but from a different vendor.

Usually this uncertainty is always there, and there is no clear answer as to which solution is best for you.
This is the complexity and beauty of this task.

Source: habr.com
