Network Security II: Integration and Implementation [formerly Designing Security Architectures]

Build and deploy a comprehensive security architecture.

There is more to security than meets the eye. Get a valuable understanding of the level of effort and life cycle management issues involved in developing a robust security architecture. Build upon the knowledge you gain in Network Security I: Policy, Administration, and Firewalls by designing and building a security infrastructure from the ground up and testing your configuration during each stage of development. This powerful course will help you define your security strategy, put the pieces and parts together, and configure the final solution.

In this intense, hands-on course, you spend over two-thirds of your time working with Windows NT laptops, UNIX servers, Windows 2000 servers, Cisco 2514 screening routers, Check Point FireWall-1, NT Web servers, Linux mail servers, and ISS SafeSuite and RealSecure software.

If you can't afford to be out of the office for weeks at a time, but you need high-quality security training, this is the course for you.

To register, call 916-852-2570

This course can be delivered by the methods below:
Classroom Learning $1295 USD

You Learn...

Configure bastion hosts
Develop and design an Access Control List (ACL)
Analyze the tradeoffs between performance and security
Put all the pieces of a network security architecture together in an intensive hands-on environment, including security policy development and vulnerability scanning
Repair holes reported by vulnerability scanning

Who Would Benefit

Personnel responsible for designing or implementing security solutions for their networks
Network engineers and managers
Security administrators
IS and data center managers
Systems administrators
Security analysts
Individuals seeking the T.I.C.S.A. Certified Security Associate certification from TruSecure.


Course Outline

1. Network Access Policy

Policy: the roadmap
Process vs. product
Organizational agreement
Risk management
Incident response
Design: the objective
Network services: taking a stance
Inbound/outbound traffic flow
Direction of allowed services
Isolating dangerous services
Authenticating services from untrusted sources
Common network services
Functions, vulnerabilities, and general policies
telnet
dns
ftp
smtp
pop3
http
snmp
icmp
others
Security vs. performance issues
Business need versus user convenience
Traffic analysis and baselining the network
Traffic management
Controlling network services
Packet filtering
Proxies
Firewalls
Intrusion detection systems
Trap zones

2. Bastion Hosts

Define the bastion
Protecting itself from attack
Few services installed
Small operating system kernel
No-trust relationship with other devices
Protecting the network from attack
Separating trusted and untrusted networks
Denying dynamic routing between interfaces
Preventing a springboard to the trusted network
Role of the bastion
Web server
Mail server
FTP server
DNS
Firewall or proxy
General configuration guidelines
Hardening the operating system
Removing POSIX and OS/2 subsystems
Disabling excess or unnecessary services
Removing executables
Installing OS patches
Configuring filtering on the OS
Creating warning and logon banners
Enabling logging and auditing
Removing or disabling unwanted user accounts and access
Securing the application
Disabling or removing sample applications and scripts
Setting authentication methods
Enabling logging
Installing security patches

3. Architecture Integration

The DMZ
IP addresses
Inserting the bastions
NAT at the firewall
Locking the firewall
Device relationships
Router
Layer 3 filtering
Valid inbound traffic
Blocking inbound packets
Statically routing approved inbound traffic
Blocking selected outbound traffic
Firewall or proxy
Buffer zones
Layer 3 to Layer 7 filtering
Blocking selected outbound packets
Web and mail bastion hosts
Originations from the DMZ
Server responses
Intrusion detection system
Unauthorized activities
Type of activity
Classifying the level of danger
Notifying the Incident Response Team
Restoring to normal operations
Multiple points of vulnerability
Filtering inbound and outbound services
Rules for the router
Spoofed internal IP address space
Spoofed private IP address space
Troublesome external IP addresses
Disallowed network services
Rules for the firewall or proxy
User authentication
Application layer filtering
Hiding internal IP addresses
Services not handled by the router
Directing traffic to its destination
Inbound/outbound mail or web
Other inbound/outbound services
Extenuating circumstances
Business-to-business connectivity
Business partners
Business suppliers
New and established customers
Remote access
Traveling users
Small Office/Home Office (SOHO)
Authentication and access control
Policy exceptions
Added filtering rule complexity
Special services or new protocols
Drilling holes in the architecture
Generic proxies and plugs
Modifying and maintaining the architecture
Configuration management and change control
Policy changes causing architecture changes
Architecture changes causing policy changes
Testing the architecture for vulnerabilities
Initial installation
Periodic "health" checks

Course Labs

Lab 1: Analyzing Network Service Requirements

Analyze a scenario and determine network service requirements to meet business objectives. Determine what to allow or deny based on the scenario, and the optimal filtering to support performance needs.

Lab 2: Creating ACLs for Cisco Routers

Create an ACL on a Cisco router based on the Lab 1 analysis and upload it to the router for testing.

Lab 3: Testing the ACL

Prove that your ACL works as designed for both allowed and denied services, and correct any errors in logic or control.

Lab 4: Hardening the Bastion Host Operating System

Perform system scans using ISS System Scanner to discover configuration vulnerabilities on the hosts before they are hardened as bastions. Harden the host operating systems (Windows NT and Linux) to remove the problems found.

Lab 5: Post-Bastion Scan

Re-run system scans to determine if your bastion hosts still have weaknesses or vulnerabilities. Assess whether the remaining vulnerabilities need to be fixed before using the hosts in your architecture.

Lab 6: Establishing the DMZ and Making Rule Changes

Insert a Web and mail bastion host into the DMZ. Analyze a case study scenario for changes in requirements, and determine the best device to implement the changes. Create and implement rules on the router and firewall to enforce new policies.

Lab 7: Testing the Policy

Prove that policy changes work as designed for allowed and denied services. Resolve any discrepancies.

Lab 8: Scanning the Architecture for Network-based Vulnerabilities

Using ISS Internet Scanner, find and fix the vulnerabilities that your team's analysis determines to be dangerous to the policy. Rescan the architecture to ensure that your fixes didn't break something new.


Suggested Prerequisites

Network Security I: Policy, Administration, and Firewalls is an essential prerequisite.

Network Security I: Policy, Administration, and Firewalls [formerly Network Security and Firewall Administration]


Suggested Follow-ons

Students followed up Network Security II: Integration and Implementation [formerly Designing Security Architectures] by attending these popular classes:

VPNs and Data Privacy
Foundstone Ultimate Hacking
Advanced Security Boot Camp
CSIDS (Cisco® Secure Intrusion Detection System 2.1)
CSPFA (Cisco® Secure PIX™ Firewall Advanced 3.0)
Microsoft Windows 2000 Security


Certifications

T.I.C.S.A. Certified Security Associate