General Design Considerations for Secure Networks

最新推荐文章于 2022-04-19 16:12:34 发布
最新推荐文章于 2022-04-19 16:12:34 发布
阅读量684 收藏
点赞数
分类专栏: network

General Design Considerations for Secure Networks

Contents

  1. Physical Security Issues
  2. Layer 2 Security Considerations
  3. IP Addressing Design Considerations
  4. ICMP Design Considerations
  5. Routing Considerations
  6. Transport Protocol Design Considerations
  7. DoS Design Considerations
  8. Summary
  9. Applied Knowledge Questions
  10. References

Chapter Description

At the beginning of any secure network design project, many best practices apply more or less uniformly to all areas of the design. This article by Sean Convery presents these practices in a single location.

From the Book

Network Security Architectures

Network Security Architectures

$52.00(Save 20%)

ICMP Design Considerations

One way to spot inexperienced secure network design is to look for networksthat completely block Internet Control Message Protocol (ICMP) traffic. As anyoperator of all but the smallest networks will tell you, troubleshooting anetwork without ping is very frustrating, bordering on impossible. That said,ICMP messages should not be enabled everywhere without reservation. Somesecurity considerations must be understood, just like for any other protocol.This section assumes basic ICMP understanding. Refer to your favorite TCP/IPbook for background or read RFC 792.

ICMP security can be a very lengthy discussion because lots of nasty thingscan be done with ICMP messages when scanning networks or trying to gain a covertchannel. If you are interested in this sort of thing, Ofir Arkin's papertitled "ICMP Usage in Scanning" is available athttp://www.sys-security.com/archive/papers/ICMP_Scanning_v2.5.pdf.Rob Thomas has some guidelines for ICMP filtering that are available here:http://www.cymru.com/Documents/icmp-messages.html.

The basics behind ICMP design considerations are to define how much ICMPtraffic you should allow on your network and which messages types you shouldfilter.

ICMP Rate Limiting

Because ICMP is a troubleshooting and error-reporting tool, there should be alimit to the amount of ICMP traffic you see on a given network. For example, ona 100 Mbps Ethernet link, you might block ICMP traffic that exceeds 500 Kbps. Atechnology called committed access rate (CAR) enables this sort of filtering andis discussed later in this chapter.

ICMP Message Type Filtering

As Chapter 2 discussed, your own security policies and threat models might bedifferent from those assumed here. Deploying filters throughout your internalnetwork to permit only the ICMP message types required would be difficult. As afirst step, focus on possible boundaries of trust between two networks. Yournetwork will have its own trust boundaries, but here are a few to get youstarted. Zones of trust are detailed more fully in Chapter 12, "DesigningYour Security System."

  • Internet and internal network

  • Management network and production network

  • Critical applications and production network

An easy first step in ICMP filtering is to deny any ICMP message that is afragment. First, the ICMP messages you must permit are generally small. Echo andecho reply, for example, default on BSD UNIX to 84 bytes: 20-byte IP header,8-byte ICMP header, and 56 bytes of ICMP data. Other required ICMP messages aresimilarly small and come nowhere near the minimum link size on today's IPnetworks. Blocking ICMP fragments is easy using an ACL:

access-list 101 deny icmp any any fragments

WARNING

The fragments keyword in a Cisco ACL has some special use rules. For adetailed discussion of this, including flow charts and examples, check the paperat the following URL:http://www.cisco.com/warp/public/105/acl_wp.html.

As a quick summary of the paper, the fragments keyword applies only tononinitial fragments (fragment offset > 0), so in the preceding example, thefirst part of a fragmented ICMP packet will not match that entry, while allsubsequent fragments will.

When filtering ICMP messages between trust boundaries, apply the securityprinciple "Expressly permit, implicitly deny." Though your specificrequirements may vary, the following ICMP types should be permitted in someform:

  • ICMP echo request and ICMP echo reply

  • ICMP destination unreachable—fragmentation needed but DF bitset

  • ICMP time exceeded

ICMP Echo Request and ICMP Echo Reply

ICMP echo request (Type 8 Code 0) and ICMP echo reply (Type 0 Code 0) arebetter known as the message types used by the ping command. The format ofan ICMP echo message has the standard 8 bytes of ICMP header information andthen allows for a variable-length data field that can contain any kind of data.Certain size ping packets caused system crashes on some older OSs. This attackwas commonly called the Ping of Death. More information can be found here:http://www.insecure.org/sploits/ping-o-death.html.Permitting ICMP echo can lead to DoS attacks and buffer overflows as discussedin Chapter 3. It can also lead to a covert channel because information can beembedded into the data field in the ICMP echo message. An attacker that installsspecial software on a host internal to your network could communicate back andforth using only ICMP echo request or reply messages. Covert channels have beenimplemented in many different protocols, and they are impossible to completelyeliminate. So, with these risks, it is understandable why a security engineerwould want to stop ICMP echo messages. Unfortunately, troubleshooting would befar too difficult without it making your overall network less secure in mostcases. With all that said, here are the best practices:

  • Permit ICMP echo request messages to leave your network destined for anynetwork you have reason to communicate with.

  • Permit ICMP echo reply messages to your internal hosts from any networkyou have reason to communicate with.

  • Permit ICMP echo request messages from external hosts to servers theymust access (public web servers, for example). As of this writing, a randomsampling of top websites yielded several that block inbound pings to theirservers and several more that permit them. As an organization, you must weighthe risks of allowing this traffic against the risks of denying this traffic andcausing potential users troubleshooting difficulties.

  • Permit ICMP echo reply messages from any server system to the networkswhere that server's users reside. Echo replies from your public web serverto the Internet at large is an example of this.

  • Deny every other ICMP echo message.

As an example, consider the very simplified Internet edge shown in Figure6-15.

Figure 15Figure6-15 Simple Internet Edge

If you were writing ICMP echo access lists for router "police," theinbound Serial0 ACL would look like this:

! permit echo-request to Serial0 interface of the router
access-list 101 permit icmp any host 192.0.2.2 echo
! permit echo-request to public server
access-list 101 permit icmp any host 126.0.64.10 echo
! permit echo-reply from anywhere to the internal network and the public server
access-list 101 permit icmp any 126.0.128.0 0.0.0.255 echo-reply
access-list 101 permit icmp any host 126.0.64.10 echo-reply

The ACL on the inbound Ethernet0 interface would look like this:

! permit echo-request from the internal network to anywhere
access-list 102 permit icmp 126.0.128.0 0.0.0.255 any echo

The ACL on the inbound Ethernet1 interface would look like this:

! permit echo-request from the public web server to anywhere
access-list 103 permit icmp host 126.0.64.10 any echo
! permit echo-reply from the public web server to anywhere
access-list 103 permit icmp host 126.0.64.10 any echo-reply

Based on these ACLs, internal users can ping the web server and the Internet,the Internet can ping the web server, and the web server can ping the Internet.Of special note is that the web server cannot ping internal hosts. Based on yoursecurity policies, you can permit this to aid in troubleshooting, but be awarethat many organizations consider public servers to be not much more trusted thanthe Internet. To make the change, you would add this line to the Ethernet0ACL:

access-list 102 permit icmp 192.0.128.0 0.0.0.255 host 192.0.64.10 echo-reply

NOTE

Cisco router ACLs can be applied inbound or outbound on a given interface.Security folks, myself included, tend to prefer inbound ACLs, but there aresituations in which you must use both and situations in which an outbound ACLmakes more sense. I prefer inbound because the packets are blocked before theycross the router. Outbound ACLs allow the packet to be routed by the router andthen are blocked when they try to leave. This could leave the router open tocertain attacks.

Another special note on Cisco ACLs is that ACLs never apply to trafficgenerated by the router. So, even if you have an inbound and an outbound ACL ona router denying all traffic, the router will still be able to send any packetit wants; the return packet, however, will be blocked as usual.

ICMP Destination Unreachable—Fragmentation Needed but DF Bit Set

ICMP destination unreachable messages (type 3 code 0–15) are a wholerange of messages designed to alert the sending system that something is wrongwith a particular message sent. This includes specific errors such as networkunreachable (code 0), host unreachable (code 1), protocol unreachable (code 2),and port unreachable (code 3). These types of messages are generated by hostsand routers when a sending system tries to go somewhere that is unreachable forwhatever reason. Many security administrators block most type 3 messages becausethe sending host will often figure out that the service is unavailable on itsown without the benefit of the ICMP message (albeit more slowly). One message isrequired though: "fragmentation needed but DF bit set" (type 3 code4). This message is required for path Maximum Transmission Unit (MTU) discoveryto work. Path MTU discovery is the method most hosts use to determine the IP MTUsize for their traffic. Without it functioning properly, large TCP segmentscould be dropped without a means to remedy the problem because the offendinghost never knows why the drop occurs.

Path MTU discovery has some interesting implications in IPsec and isdiscussed in more detail in Chapter 10, "IPsec VPN DesignConsiderations."

ICMP type 3 code 4 messages can be easily permitted by adding the followingline to the ACLs built for Figure 6-15:

access-list 101 permit icmp any any packet-too-big
ICMP Time Exceeded

ICMP time exceeded: Time-to-Live (TTL) equals 0 during transit (type 11 code0) is required because it is used by traceroute. To permit these messages, addthe following line to the ICMP ACLs you have seen in this section:

access-list 101 permit icmp any any time-exceeded
ICMP Filtering Recommendations

As you can see, there was a reason that ICMP was created beyond as aplayground for attackers. Although most of the 15 ICMP message types can beblocked, several are necessary to the healthy operation of a network. We canrebuild the previous ACLs to allow all the messages we discussed, to blockfragments, and to deny any other ICMP messages. Those ACLs are as follows.

Router "police" Serial0 ACL, inbound:

! deny non-initial ICMP Fragments
access-list 101 deny icmp any any fragments
! permit echo-request to Serial0 interface of the router
access-list 101 permit icmp any host 192.0.2.2 echo
! permit echo-request to public server
access-list 101 permit icmp any host 126.0.64.10 echo
! permit echo-reply from anywhere to the internal network and the public server
access-list 101 permit icmp any 126.0.128.0 0.0.0.255 echo-reply
access-list 101 permit icmp any host 126.0.64.10 echo-reply
! permit "fragmentation needed but DF bit set" message
access-list 101 permit icmp any any packet-too-big
! permit "Time exceeded" message
access-list 101 permit icmp any any time-exceeded
! deny any other ICMP message
access-list 101 deny icmp any any
! from here you would continue with other non ICMP related ACL entries

Router "police" Ethernet0 ACL, inbound:

! deny non-initial ICMP Fragments
access-list 102 deny icmp any any fragments
! permit echo-request from the internal network to anywhere
access-list 102 permit icmp 126.0.128.0 0.0.0.255 any echo
! permit "fragmentation needed but DF bit set" message
access-list 102 permit icmp any any packet-too-big
! permit "Time exceeded" message
access-list 102 permit icmp any any time-exceeded
! deny any other ICMP message
access-list 102 deny icmp any any
! from here you would continue with other non ICMP related ACL entries

Router "police" Ethernet1 ACL, inbound:

! deny non-initial ICMP Fragments
access-list 103 deny icmp any any fragments
! permit echo-request from the public web server to anywhere
access-list 103 permit icmp host 126.0.64.10 any echo
! permit echo-reply from the public web server to anywhere
access-list 103 permit icmp host 126.0.64.10 any echo-reply
! permit "fragmentation needed but DF bit set" message
access-list 103 permit icmp any any packet-too-big
! permit "Time exceeded" message
access-list 103 permit icmp any any time-exceeded
! deny any other ICMP message
access-list 103 deny icmp any any
! from here you would continue with other non ICMP related ACL entries

NOTE

If you want to get very picky, you could probably block the packet-too-bigand time-exceeded messages from being generated by either the public serversegment or the internal network, depending on the rest of your configuration.With protocols such as ICMP (which are often used in troubleshooting), you areprobably better off following the KISS principle by making your ICMP filteringconsistent as much as possible.

5. Routing Considerations | Next Section Previous Section

From

http://www.ciscopress.com/articles/article.asp?p=174313&seqNum=4


zhoupengTrim
关注
专栏目录
【rustdesk 】rfc5128 :跨NATs的P2P通信技术 和rdserver
突围
04-17 724
Endpoint-Independent Mapping NAT(简称EIM-NAT)是一种NAT。BEHAVE 文档([BEH-UDP]、[BEH-TCP] 和 [BEH-ICMP])。应用程序和 NAT 设备,即 [NAT-PMP]、[NSIS-NSLP]、[SOCKS]、“Endpoint-Dependent Filtering”指的是“Address-文档中,指的是Traditional NAT [NAT-TRAD]。[RSIP]、[MIDCOM] 和 [UPNP] 超出了本文档的范围。
ICDE 2017 论文目录与一些想法的整理
chunjing6629的博客
06-12 3240
ICDE 2017 1.1 Research Session 1A: Graphs UniWalk: Unidirectional Random Walk Based Scalable SimRank Computation over Large Graph A Fast Order-Based Approach for Core Maintenance Scalable and ...
hping3
weixin_34414196的博客
01-08 1035
hping is a free packet generator and analyzer for the TCP/IP protocol. Hping is one of the de-facto tools for security auditing and testing of firewalls and networks, and was used to exploit the Idle ...
HCLA-Datacom v1.0华为认证数通笔记1(网络层层协议及IP编址,数据通信网络基础)
kaituozhizzz的博客
04-19 3585
TTL是 Time To Live的缩写,该字段指定IP包被路由器丢弃之前允许通过的最大网段数量 TTL是用来限制IP数据包在在计算机网络中存在的时间TTL最大值是255,也就是存活的时间,实际上是IP数据包在计算机网络中可以转发的最大跳数,每经过一个路由器就会修改这个TTL字段 ,具体就是将TTL值减小,如若IP包在到达目的IP时TTL值减小为0,路由器会丢弃该包并发送ICMP time exceeded消息 主要功能是避免IP包在网络中无限循环和收发,节省了网络资源,并能发送报警信息 私网IP地址
服务器 解决方案_为什么无服务器解决方案不安全?
weixin_26752759的博客
09-15 1333
服务器 解决方案 保护您的无服务器解决方案 (Protecting Your Serverless Solution)Photo by Collin Armstrong on Unsplash 科林·阿姆斯特朗在Unsplash上的照片 In recent years, the growth of Serverless has been monumental. More and more org...
Design guidelines for application performance
screaming的博客
04-06 829
Chapter 3 — Design Guidelines for Application Performance   Retired Content This content is outdated and is no longer being maintained. It is provided as a courtesy for in
AR law : Privacy
weixin_42786150的博客
02-17 4544
ar law privacy
SIGMOD 2017论文的摘要与看法
chunjing6629的博客
06-23 3730
SIGMOD2017 持续更新 3.1 Concurrency并发 ACIDRain: Concurrency-Related Attacks on Database-Backed Web Applications ACIDRain:对数据库支持的Web应用程序的并发性攻击 Cicada: Dependably Fast Multi-Core In-Memory Transact...
Modern Operating Systems,Tanenbaum,3rd
10-10
3. **Large Programming Projects**: Offers insights into managing large-scale projects, including design considerations, testing strategies, and debugging techniques. 4. **The Model of Run Time**: ...
考研复习-英语二真题考试题集-带答案
09-14
英语二考研真题复习资料,带答案版
2024中美独角兽公司发展分析报告.pdf
09-14
全球各大洲独角兽企业分布、中美独角兽企业对比(数量、估值、新增及退榜情况、行业分布、所在城市)、
C++ 中的异步编程模型是什么
09-14
在C++中,异步编程模型是处理并发任务、提高程序性能和响应性的关键技术。以下是C++中实现异步编程的几种主要方式: 每种异步编程模型都有其适用场景和优缺点。选择合适的模型可以提高代码的可读性、可维护性和性能。随着C++标准的不断发展,异步编程模型也在不断进化,为开发者提供了更多的工具和选择。 在实际开发中,应根据具体需求选择合适的异步编程模型。例如,对于简单的异步任务,回调函数可能是最直接的选择;而对于需要结构化错误处理和结果获取的复杂异步任务,std::async和std::future可能更合适;在需要高效资源管理的场景下,线程池是一个不错的选择;而对于需要编写大量异步代码的现代应用程序,协程提供了一种更简洁、更直观的解决方案。 总之,C++中的异步编程模型是多核和高并发环境下提高程序性能的重要工具。通过合理使用这些模型,开发者可以构建出更高效、更可靠的软件系统。
正则表达式Regex是一种文本模式.docx
09-14
正则表达式(Regular Expression,简称Regex或Regexp)是一种文本模式,包括普通字符(例如,a 到 z 之间的字母)和特殊字符(称为"元字符")。正则表达式使用单个字符串来描述、匹配一系列符合某个句法规则的字符串。正则表达式是强大的文本处理工具,广泛用于搜索、编辑或操作文本和数据。 基本组成 普通字符:大多数字符,包括所有大写和小写字母、所有数字、所有标点符号和一些其他符号,都是普通字符。正则表达式中的普通字符表示它们自身。例如,正则表达式test会匹配字符串"test"。 特殊字符(元字符):一些字符在正则表达式中具有特殊的意义,如^、$、.、*、+、?、{、}、[、]、|、\等。这些特殊字符用于表示在搜索文本时要匹配的一个或多个字符。例如,.匹配除换行符之外的任何单个字符。 字符类:字符类允许你指定一组字符中的任何一个字符。例如,[abc]匹配"a"、"b"或"c"中的任意一个字符。你也可以使用范围,如[a-z]匹配任何小写字母。 预定义字符类:正则表达式提供了一些预定义字符类,用于匹配常见的字符集合。例如,\d匹配任何数字(等价于[0-9]),\s匹配任
基于struts+sqlserver网络购物系统毕业课程源码设计+论文资料
09-14
编号:150 系统功能: 展示网站最新的商品信息。 展示网站特价的商品信息。 为用户提供修改个人资料和查看在网站操作情况的平台。 提供用户在网站上购物的平台。 展示网站发布的公告信息。 展示商品的销量排行。 展示网站的友情链接信息。 对商品详细信息以及分类信息进行管理。 对用户基本资料、交易制度、消费情况及留言信息进行管理。 对用户提交的订单进行管理。 对管理员信息、网站公告信息、商业资讯信息及友情链接信息进行管理。 系统运行稳定,具有强大的数据处理能力。 操作注意事项 (1)本系统的用户名为:admin,密码为:admin (2)admin管理员的信息不能删除。 (3)用户注册登录后,可进行商品购买、商品信息查看以及订单查询操作。 (4)后台登陆地址:http://localhost:8080/WebShopping/bg-land.jsp。
基于ssm的高校毕业生就业管理系统设计与实现.docx
09-14
基于ssm的高校毕业生就业管理系统设计与实现.docx
退工、裁员培训讲义.ppt
09-14
退工、裁员培训讲义.ppt
认知实习decesion tree代码
最新发布
09-14
认知实习decesion tree代码
Java 算法:冒泡,选择,插入排序算法
09-14
Java 算法:冒泡,选择,插入排序算法
phy electrical test considerations for pci express architecture
07-09
### 回答1: PCI Express(简称PCIe)架构是一种用于连接计算机内置设备的高速串行总线标准。在进行PCIe的物理电测试时,需要考虑以下几个方面。 首先,传输速率是PCIe物理电测试的一个重要考虑因素。PCIe标准定义了不同的传输速率,如2.5Gbps、5Gbps和8Gbps等。测试时需要确保信号能以指定的速率进行传输,而不产生数据错误或错误的传输速率。 其次,信号完整性是另一个需要考虑的因素。PCIe信号在传输过程中容易受到干扰,如时钟抖动、串扰和噪声等。在测试中需要检测和分析信号的完整性,确保它们能稳定地传输而不受到干扰。 第三,功耗和电源管理也是PCIe物理电测试中需要关注的方面。PCIe设备在工作期间会产生热量,而不正确的功耗管理可能导致设备过热或不稳定。测试时需要测量设备的功耗和电源管理功能,以确保其在不同工作负载下能够正常运行。 此外,电缆和连接器的质量也是物理电测试中需要考虑的因素之一。PCIe连接器的接触质量和电缆的传输性能直接影响了整个系统的稳定性和可靠性。测试时需要检查连接器和电缆的连接状态,并测试其传输性能以确保其质量。 最后,抗干扰能力也是PCIe物理电测试中一个重要的考虑因素。PCIe设备在实际使用中可能会受到其他电子设备或无线信号的干扰。因此,在测试中需要评估设备的抗干扰能力,确保其在干扰环境下仍能稳定工作。 综上所述,PCIe物理电测试需要考虑传输速率、信号完整性、功耗和电源管理、连接器质量以及抗干扰能力等因素。通过对这些方面的测试和评估,可以确保PCIe设备的可靠性、性能和稳定性。 ### 回答2: PCI Express(PCIe)架构是一种高速串行数据总线标准,用于计算机系统中的外部设备连接。在测试PCIe架构时,需要考虑一些物理电测试的因素。 首先,应该确保传输介质的质量和可靠性。PCIe使用不同版本的传输介质,如铜线缆或光纤。测试人员需要检查传输介质的物理状态,确保其没有损坏或其他问题,以确保数据传输的稳定性和可靠性。 其次,还需考虑电气特性。PCIe架构需要满足特定的电气规范,以确保信号的正确传输和接收。测试时应检查电压、电流和信号波形等电气特性是否符合规范。这包括测试电源电压稳定性、消耗功率以及时钟信号等。 第三,信号完整性也是一个重要的考虑因素。PCIe使用差分信号传输,在测试过程中需要检查信号的完整性。差分信号测试涉及测试信号的振幅、上升时间、下降时间和噪声等。通过测试信号完整性,可以确保数据的正确传输,减少丢失和误码等问题。 此外,还应考虑外部干扰的影响。外部干扰可能会导致信号质量下降,从而影响PCIe架构的性能。测试人员需要测试环境中的干扰情况,以及采取适当的措施来减少干扰对PCIe架构的影响,例如使用屏蔽措施或进行地线和屏蔽的良好连接。 总之,测试PCIe架构时需要考虑传输介质的质量和可靠性、电气特性、信号完整性以及外部干扰等因素。通过进行全面的物理电测试,可以确保PCIe架构在实际应用中的稳定性和性能。 ### 回答3: PCI Express(以下简称PCIe)架构是一种计算机总线标准,用于在计算机内部连接外部设备和其他组件。进行PCIe物理电测试时需要考虑以下几个方面。 首先,受电控制和供电电机应该被充分考虑。在进行物理电测试之前,需要确保PCIe接口和其他相关设备的电源系统能够稳定地工作,并能提供足够的电流和电压。这需要进行电感、阻抗和稳压控制等方面的测试,以确保电源系统的稳定性和可靠性。 其次,信号完整性也是物理电测试的重要考虑因素之一。信号完整性是指在信号从发送器到接收器过程中,保持信号的正确性和可靠性。为了确保信号的完整性,需要对信号传输线路的电阻、电容和传输延迟进行测试。此外,还需要检查信号的波形、噪音和抖动等参数,以评估信号的质量和稳定性。 另外,电磁兼容性(EMC)也是PCIe物理电测试的重要考虑因素之一。EMC测试是为了确保PCIe接口和其他设备在电磁环境中能够正常工作,且不会对其他设备产生干扰。在EMC测试中,需要检查设备的辐射和敏感度,以及接地和屏蔽的效果,以确保PCIe架构在各种电磁环境下都能保持稳定的工作状态。 最后,还需要考虑PCIe接口的机械强度和可靠性。这包括对接口连接器的插拔次数、连接器的保持力和连接器接触性能等方面进行测试,以确保PCIe接口在长时间使用中能够保持稳定的连接和可靠的传输性能。 综上所述,PCIe物理电测试涉及到电源控制、供电电机、信号完整性、电磁兼容性和机械强度等多个方面的考虑因素。通过对这些方面的测试和评估,可以确保PCIe架构在各种环境下都能够提供稳定、可靠的数据传输和设备连接。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值