October 4, 2017

Network Design – Build Your Network Right

Networks often grow organically; additional equipment is installed as new services and users are added without an overarching design in mind.  It may be a good idea to take a fresh look at your network to see if an overhaul would benefit your business. Networks run best when they are designed from the ground up using a highly modular, flexible design that allows for ease of management, simpler troubleshooting, and easier expansion of capacity and speed.  A well running network will be designed with performance, security, scalability, and availability in mind.

Performance

  • Dividing traffic with VLANs keeps broadcast domains small and reduces the likelihood that a broadcast storm will impact a large group of devices.
  • Do not span VLANs to the network core.  Use a routing protocol, such as EIGRP or OSPF, to keep broadcast domains at the Access and Distribution layers.
  • Access Lists and Firewall Filters should be applied at the network access layer, and should drop traffic as quickly as possible.  Avoid using access-lists in the network core.
  • Link aggregation technologies, such as EtherChannel and LACP, take advantage of redundant connections and simplify the overall network by removing additional spanning-tree considerations.

Security

Installing a stateful firewall at the business edge is an essential step, but external threats continue to grow, and so have vendors’ responses.  A next-generation firewall (NGFW) has the ability to perform application-layer deep packet filtering.  Juniper’s SRX next-generation firewalls provide traditional firewall functions in conjunction with SkyATP, a service that can detect malware in files obtained from the Internet and, when combined with Junos Space and Security/Network Director, can even disable access-layer switch ports where malware has been detected.

In addition to these highly sophisticated edge services, most modern switching vendors provide a suite of layer 2 security features to protect against common internal attacks:

  • VLAN Segmentation – In most environments, desktops and wireless devices only need to reach servers, printers, and the Internet.  From a security standpoint, VLANs give administrators the flexibility to segment network devices and restrict communication.  Common criteria for VLAN segmentation include building, floor, wiring closet, device type, and department.  In a school, for example, teacher and staff computers may be placed on a separate VLAN from student computers.  It’s rare that computers on the teacher VLAN need direct communication with student computers, so that is a threat vector that can be reduced.  ACLs or Firewall Filters are written and applied to VLAN interfaces to ensure only authorized inter-VLAN communication occurs.
  • Port Security/MAC Limiting – Attackers can spoof MAC addresses when sending packets.  By default, a switch can learn an unlimited number of MAC addresses on a port.  Using this type of attack, an attacker can force the switch to learn thousands of MAC addresses on a single port and exhaust the CAM table.  The switch then takes a best-effort approach and floods packets within the VLAN of the originating port.  At this point the switch is acting like a hub, which means the attacker can capture every packet sent within that VLAN.  Network admins can employ switchport security and MAC limiting to restrict how many MAC addresses a port can learn.  Once that threshold has been reached, the switch can be configured to disable the port, drop the next MAC addresses, or drop MAC addresses and write to a log.
  • DHCP Snooping – Internal attacks can include an unauthorized DHCP server.  As clients connect to the network and obtain IP addresses, their DHCP requests can be answered by a rogue DHCP server, which hands out legitimate IP address information but designates itself as the default gateway.  Clients then send packets to the malicious gateway, which reads them into a network sniffer while forwarding them on to the correct gateway.  DHCP Snooping can be configured to permit DHCP replies only from trusted ports, typically the uplink port, unless the DHCP server is on the same switch as the client.
  • Routing Protocol Security – Routing protocols can be protected against unauthorized adjacencies by using authentication strings and by configuring interfaces, such as VLAN interfaces, as passive interfaces.  A passive interface allows a routing protocol to advertise the network to neighbors, but does not actively seek to establish an adjacency with any device on the advertised subnet.
  • Spanning Tree Protection – The Spanning Tree Protocol (STP) allows for redundant layer 2 connections without bringing down the network through bridging loops.  By default, STP can create a sub-optimal path, and malicious or careless users could introduce changes to the spanning-tree topology that further reduce the network’s efficiency, allow an attacker to capture packets, or disable network access.  Fortunately, STP has several open-standard features that allow network engineers to create a deterministic, robust, and secure STP topology.  These include BPDU Guard (BPDU Protection in Juniper nomenclature), Loop Guard (loop protection), and Root Guard (root protection).
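An added illustration, not from the original post or any vendor's code, of why the CAM-table exhaustion described in the Port Security bullet turns a switch into a hub, and how a per-port MAC limit with each of the three violation actions the text lists changes the outcome.  The table size, port names, violation-mode names and the 20 constructed source MACs are assumptions made for the model:

```python
from collections import OrderedDict


class Switch:
    """Toy MAC (CAM) table with optional per-port MAC limiting (assumed model)."""

    def __init__(self, cam_size, max_per_port=None, violation="restrict"):
        self.cam_size = cam_size          # constructed: tiny table so exhaustion is visible
        self.max_per_port = max_per_port  # None = no port security (the switch default)
        self.violation = violation        # "shutdown" | "protect" | "restrict" (assumed names)
        self.cam = OrderedDict()          # source MAC -> port it was learned on
        self.err_disabled = set()
        self.log = []

    def learn(self, port, src_mac):
        """Apply the switch's learning logic to one frame's source MAC."""
        if port in self.err_disabled:
            return "dropped (port disabled)"
        if src_mac in self.cam:
            return "known"
        if self.max_per_port is not None:
            learned_here = sum(1 for p in self.cam.values() if p == port)
            if learned_here >= self.max_per_port:
                if self.violation == "shutdown":      # disable the port
                    self.err_disabled.add(port)
                    self.log.append(f"{port}: MAC limit exceeded, port disabled")
                    return "violation (port disabled)"
                if self.violation == "restrict":      # drop and log
                    self.log.append(f"{port}: dropped new MAC {src_mac}")
                return "violation (dropped)"          # "protect": drop silently
        if len(self.cam) >= self.cam_size:
            return "cam full"                         # cannot learn any more entries
        self.cam[src_mac] = port
        return "learned"

    def forward(self, dst_mac):
        """Unknown destinations are flooded to every port in the VLAN, like a hub."""
        return self.cam.get(dst_mac, "FLOOD")


def scenario(max_per_port=None, violation="restrict"):
    """Replay a constructed MAC flood on ge1, then a real host on ge2.
    Returns (where frames for the real host go, CAM entries, log lines)."""
    sw = Switch(cam_size=8, max_per_port=max_per_port, violation=violation)
    for i in range(20):                               # 20 bogus source MACs from one port
        sw.learn("ge1", f"02:00:00:00:00:{i:02x}")
    sw.learn("ge2", "aa:bb:cc:dd:ee:ff")              # legitimate host arrives after the flood
    return sw.forward("aa:bb:cc:dd:ee:ff"), len(sw.cam), len(sw.log)
```

With no limit the legitimate host can never be learned and its traffic floods the VLAN; with a limit of two per port the flood is contained on ge1 and, in restrict mode, every dropped MAC leaves a log line a SOC can alert on.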

High Availability & Scalability

A well-designed network should be able to easily add services or capacity, and should have protections built in to ensure a single switch or interface failure does not lead to a total outage.

  • Access layer switches should have redundant connections to the next layer of the network, often called the Distribution Layer.
  • At the Distribution Layer, switches can use First Hop Redundancy Protocols (FHRPs) to ensure VLAN default gateways continue to function in the event of a switch failure.  Cisco has two FHRPs called HSRP and GLBP, and most switches support VRRP, which is an open standard.
  • Link Aggregation allows for immediate convergence in the event of a link or interface failure.
  • Bidirectional Forwarding Detection (BFD) can be used to augment EIGRP and OSPF by allowing routers to detect neighbor failure much faster than the default dead timers.
  • A second Internet connection in conjunction with a floating static route is a great way to ensure business doesn’t halt as a result of a failure external to the organization.