Create a Segmented Network - Security, Intermediate

Started by deanwebb, February 08, 2016, 10:52:42 AM


deanwebb

Hey, kids! It's network lab time again!

For this one, you'll need the following gear:

2 switches
2 clients
1 firewall

I'm keeping this setup vendor-independent.

You should also already know how to set up a VLAN on a switch and how to do a basic configuration on a firewall involving static routes and two different zones/interfaces.

Cabling goes like this:

Corp Client -- Corp Switch -- Segmentation Firewall -- Manufacturing Switch -- Manufacturing Client

Pretty simple, really. This is what's known as physical segmentation.

Question: Why use physical segmentation?

Devices in manufacturing environments can be very sensitive to network conditions. Some of them are so sensitive, if they get the wrong kind of packet hitting their NIC, they will go into a fail state. That's bad because it can destroy an entire production run. You don't want that to happen.

Segmentation can be of two varieties: physical and logical. Logical segmentation is when a switch has one or more VLANs on it for corporate and manufacturing networks and a "firewall on a stick" handles traffic between VLANs. While this is logically the equivalent of physical segmentation, it's not the physical equivalent. Physical segmentation is when the different VLAN classes are handled by different switches, with a firewall barrier between the two. Physical segmentation may be required in some environments subject to certain regulations. It's also a method of segmentation that eliminates/reduces a possibility of plugging the wrong device into the wrong switchport and thereby bringing down a production line.

So here's what to do:

1. Cable everything. Let the corporate network be 10.1.1.0/24 and the manufacturing network be 172.16.1.0/24. Apply configurations on the switches and firewalls as appropriate to this addressing scheme. Use static routes on the firewall to handle the traffic.

NOTE: Let the manufacturing network have a *lower* security value than the corporate network. Manufacturing devices tend to be patched either infrequently or not at all, and they can present a potential hazard to the corporate network as a result.

2. On the firewall, create rules to explicitly deny all traffic in both directions.

3. Let us assume for this lab that the corp client is a patching server and the manufacturing client is a server inside the manufacturing network that will be used by devices there to receive patches. Therefore, create a rule to permit traffic from corp client to manufacturing client on ports TCP/UDP 135, 139, and 445.

4. An end-user says that he can't ping the manufacturing client. Why is this true? What could be done to verify the manufacturing client is up without opening up ICMP traffic to that destination?

5. The end-user now has a note from his manager to permit ping traffic to that client. What ICMP traffic should you allow? Do you need to create one rule, or two to allow ICMP traffic to pass?

6. An end-user requests that a device in the segmented network be allowed to access the Internet. Why is this a security risk to other devices in the segmented environment?

7. What needs to be done to allow the corp client to manage the manufacturing switch? What traffic should be permitted? What is the security risk of using "any" rules or rules that allow that management traffic to the entire manufacturing subnet?

8. The manufacturing switch and client need to be monitored via an SNMP monitoring system on the corp client. What traffic needs to be permitted? Will you need one rule or two rules to allow SNMP traffic? Why do you need one/two rule(s) for the SNMP traffic?

9. The manufacturing client needs to be able to log on via Windows Active Directory. What ports need to be opened from the manufacturing network to the corporate network to handle AD traffic? (HINT: There are literally THOUSANDS of ports to open. MSDN and TechNet are your best resources for these ports.)

Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
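Added example, not code from the original post: a small Python model of the lab's stateful segmentation firewall, carrying the explicit deny-all from step 2, the patch-server rule from step 3 and an ICMP echo-request rule, run over a few constructed flows to show which direction opens a session and which gets dropped. The host addresses, ports and packet tuples are assumptions; the model keys sessions on the 5-tuple and ignores TCP flags and timeouts.

```python
# Added example (not from the original post): toy stateful policy evaluator for
# the lab's segmentation firewall. Subnets are the lab's; hosts, ports, packets
# and rule list are constructed. Packet = (src, dst, proto, sport, dport).
CORP_CLIENT = "10.1.1.10"    # constructed: patch server on 10.1.1.0/24
MFG_CLIENT = "172.16.1.10"   # constructed: patch relay on 172.16.1.0/24
OTHER_MFG = "172.16.1.20"    # constructed: another host on the mfg subnet
# Rule = (src, dst, proto, allowed dports or None, action); first match wins.
RULES = [
    (CORP_CLIENT, MFG_CLIENT, "tcp", {135, 139, 445}, "permit"),    # lab step 3
    (CORP_CLIENT, MFG_CLIENT, "udp", {135, 139, 445}, "permit"),    # lab step 3
    (CORP_CLIENT, MFG_CLIENT, "icmp", {"echo-request"}, "permit"),  # lab step 5
    ("any", "any", "any", None, "deny"),                            # lab step 2
]
ICMP_REQUEST_FOR = {"echo-reply": "echo-request"}  # reply type -> request type

class StatefulFirewall:
    def __init__(self, rules):
        self.rules, self.sessions = rules, set()  # sessions: permitted forward packets
    def _reverse(self, pkt):
        # Forward packet that would make pkt the return traffic of an open session
        src, dst, proto, sport, dport = pkt
        if proto == "icmp":  # request types map to None, so they never match
            return (dst, src, proto, sport, ICMP_REQUEST_FOR.get(dport))
        return (dst, src, proto, dport, sport)
    def _policy(self, pkt):
        src, dst, proto, _, dport = pkt
        for r_src, r_dst, r_proto, r_dports, action in self.rules:
            if (r_src in (src, "any") and r_dst in (dst, "any") and r_proto in (proto, "any")
                    and (r_dports is None or dport in r_dports)):
                return action
        return "deny"  # nothing matched: still deny
    def check(self, pkt):
        if self._reverse(pkt) in self.sessions:
            return "permit (established)"  # return traffic needs no second rule
        action = self._policy(pkt)
        if action == "permit":
            self.sessions.add(pkt)
        return action

def run_lab():
    fw = StatefulFirewall(RULES)
    flows = [
        (CORP_CLIENT, MFG_CLIENT, "tcp", 51000, 445),          # patch push
        (MFG_CLIENT, CORP_CLIENT, "tcp", 445, 51000),          # its reply
        (CORP_CLIENT, OTHER_MFG, "tcp", 51002, 445),           # not the relay host
        (CORP_CLIENT, MFG_CLIENT, "icmp", 0, "echo-request"),  # ping
        (MFG_CLIENT, CORP_CLIENT, "icmp", 0, "echo-reply"),    # ping reply
        (MFG_CLIENT, CORP_CLIENT, "icmp", 0, "echo-request"),  # mfg pings corp
    ]
    return [fw.check(p) for p in flows]
```

Note how the host-scoped rule drops the same port toward a different manufacturing host, which is the difference question 7 is asking about between a targeted rule and one written against the whole subnet.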

flipmode

This sounds like a fun lab. Wish I had an ASA. That's my next purchase!

deanwebb

Quote from: flipmode on February 11, 2016, 11:54:23 AM
This sounds like a fun lab. Wish I had an ASA. That's my next purchase!

3 years ago, I got a 5505 for about $200. I see some for $100 now.