IMPLEMENTATION OF NETWORK SECURITY

NETWORK SECURITY DESIGN

DCSL is made up of three small networks: the test-bed network (or prototype network), the server network (or target network) and the student network. DCSL is connected to the Internet through a DSL connection.


  • To protect all networks from Internet attack, a Cisco 2801 router with IOS Advanced Security (2801/Sec-K9), which integrates VPN, IDS and stateful firewall features, or at least the Access Control List feature of the standard router IOS, will be employed. This router also serves as the central switch for all networks, and its other role is to control the traffic going in and out of each network.

  • All users in the DCSL network are managed in one Active Directory (AD) user database. Upon logging on to the network, users are required to authenticate with the domain controller server (security policy 4.f).

  • In order to access network resources such as Internet access, the DMZ web server and the DMZ FTP server, users will be authenticated against the Access Control Server (Cisco ACS). The user database in ACS may be separate from or integrated with the AD database. Users are allowed to log on to the network 24 hours a day. Sometimes, due to administrative work such as virus scanning, backups, troubleshooting, hardware maintenance or network reconfiguration, users are not allowed to log in (security policy 4.b, 4.g). This is done using the logon scheduler in Windows 2003.

  • The Domain Controller (DC) server holds the user database of the DCSL network. One Windows 2003 server will play the role of primary DC and file server. Another Windows 2003 server will play the role of backup DC. This backup DC replicates the AD user database and user data files from the primary DC. The backup DC takes over the role of primary DC whenever the primary DC goes down (security policy 4.g).

  • The DCSL network will have a unique domain name starting with dcsl.uhcl.edu. The DNS server is installed on the primary DC server and backed up on the backup DC.

  • Wireless users and VPN users, as normal users of the network, will be authenticated against the ACS server.

  • System state of the Domain Controller, DHCP server, DNS server and DMZ web server: a backup is made whenever there is a change.

  • IOS and configuration files of network equipment: the IOS of Cisco equipment is backed up once. The configuration files are backed up whenever there is a change.

  • ACS accounts: the ACS account database is backed up whenever there is a change.

  • User data files: data files are backed up every week.

 

For Server Network:

  • The server network is protected by two Cisco PIX firewalls. One connects to the Router 2801 and the other to the student network.

  • Remote connection to the server network is through a VPN connection, and remote users are authenticated by the Cisco ACS server.

  • The DMZ web server and FTP server will be protected by a Cisco PIX firewall. Only HTTP and FTP traffic is allowed through the firewall. The private area of the web server must be protected by username/password.

  • External users must authenticate with the web server to access the private area. This is done through Windows account management.

  • FTP connections are authenticated through Cisco ACS.

  • Protect user data on the web server: web pages are stored on the DMZ web server in the security lab as well as on the DCM server of the university. Web pages are also backed up to DVD-RW.

 

For Student Network:

  • To separate the student network from the server network, one Cisco PIX firewall is installed between them.

  • The Student Network is assigned the IP subnet 192.168.10.0/24.

  • IP addresses are assigned to workstations through the DHCP server.

  • Users of the Student Network must authenticate with the Domain Controller server in the Server network.

  • Only the HTTP protocol to the Internet is allowed from the Student Network.

  • Access from the student network to the other networks, such as the server or test-bed network, is implemented through static routing within the DCSL network. Access to these routers is strictly restricted, allowed only to the network manager and network administrators.

  • It is recommended that remote users employ the Cisco VPN client to make a remote connection over IPsec to the Student Network. The PPTP protocol is also supported for users employing the MS Windows VPN client. Workstations from the UHD network are not allowed to access the Internet and are only allowed to access the DMZ web server. In order to access the DMZ web server, these workstations must authenticate with Cisco Secure ACS (security policy 4.e).

  • Technical specification for remote access:

        - VPN server: vpn.dcsl-uhcl.net or 67.64.179.155

        - Group name/password and username/password are given to each remote access user.

        - For the Cisco VPN client: enable IPsec over TCP port 10000

        - For the MS client: enable L2TP/IPsec VPN

  • Wireless connections also terminate in the Student Network. Wireless users must authenticate with Cisco Secure ACS before logging in to the domain dcsl.uhcl.edu (security policy 4.e).

  • Technical specification for wireless workstations:

        - IP address: obtained automatically from the DHCP server.

        - SSID: dcsld140

        - Once authenticated, wireless users have the same rights as wired users.

 

For Prototype Network:

  • VLANs are created to separate wireless connections, wired connections and the Galileo server.

  • Routing between VLANs is enabled.

  • All workstations in the prototype network are allowed to access the Internet. Each workstation is

  • All access from the Internet to the test-bed network is blocked, except access to the Honeypot system for experimental purposes.

  • Users of the test-bed network are authenticated with the Galileo server. This account database is separate from the ACS account database.


NETWORK SECURITY IMPLEMENTATION

     - Addressing Schema

     - Equipment Configuration

Configure Windows 2003 servers:

Domain Controller Server - File server: Active Directory is installed on this server. Other services are turned off. Users are divided into groups: student groups and an admin group. Student groups are named according to class name and semester. The storage limit for a student account is set to 100 MB.

Backup Domain Controller: dcpromo is used to set up replication between the primary and backup domain controller servers. All other services are turned off.

Configure the Windows 2003 Galileo server: DHCP and DNS server.

Configure DMZ web-server:

      - IP address of the web server: 192.168.7.10; public IP: 67.64.179.154 (www.dcsl-uhcl.net)

      - Web management system: IIS 6.0.

      - Default Web Site and assigned IP address: 192.168.7.10.

      - Anonymous access enabled for the default web site.

      - Secure access configured for the subfolder "private" of the website, using the local user database.

      - Irrelevant services disabled on the server, e.g. remote login, web client.

 

Configure Cisco Router 2801:

Setup for Router:

    - Ethernet ports are assigned to VLAN 10

    - Firewall enabled for incoming traffic between Fast Ethernet 0/0 (outside interface) and VLAN 10 (inside interface).

    - Access Control Lists for outgoing traffic:

      Network         Permit        Deny
      192.168.3.0     http, ftp     All other protocols
      192.168.4.0     http, ftp     All other protocols
      192.168.5.0     http, ftp     All other protocols
      192.168.6.0     IP traffic
      192.168.7.10    IP traffic
      192.168.8.0
      192.168.9.0     http, ftp     All other protocols

    - Access Control Lists for incoming traffic:

      To network/host   Permit   Deny
      192.168.3.0                All protocols
      192.168.4.0                All protocols
      192.168.5.0                All protocols
      192.168.6.0
      192.168.7.0
      192.168.7.10               HTTP, FTP traffic
      192.168.8.10               All protocols
      192.168.9.0                All protocols
      192.168.9.2                AH (50), ESP (51)
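The outgoing ACL table above, encoded as data, rendered as Cisco IOS extended-ACL lines and checked against sample flows with first-match and implicit-deny semantics; this is an added example, not the lab's own router configuration. The ACL number 101, the mapping of "http, ftp" to TCP 80 and TCP 21 (FTP control channel only) and the sample source addresses are assumptions.

```python
# Added example (not the DCSL lab's configuration): encode the router's
# outgoing ACL table as data, render equivalent Cisco IOS extended-ACL lines,
# and evaluate sample flows with IOS first-match / implicit-deny semantics.
# Assumptions: ACL number 101 is hypothetical; "http, ftp" means TCP 80 and
# TCP 21 (FTP control only; FTP data channels need stateful inspection).
import ipaddress

# Policy from the page's outgoing-traffic table. None = no entries for that
# source, so its traffic falls through to the implicit deny at the end.
OUTGOING_POLICY = {
    "192.168.3.0/24": "http, ftp",
    "192.168.4.0/24": "http, ftp",
    "192.168.5.0/24": "http, ftp",
    "192.168.6.0/24": "ip",          # "IP traffic": everything permitted
    "192.168.7.10/32": "ip",
    "192.168.8.0/24": None,          # row left blank on the page
    "192.168.9.0/24": "http, ftp",
}
SERVICE_PORTS = {"http": 80, "ftp": 21}

def build_acl(policy=OUTGOING_POLICY):
    """Return ordered (action, proto, src_net, dport) entries; dport None = any."""
    acl = []
    for cidr, allowed in policy.items():
        net = ipaddress.ip_network(cidr)
        if allowed == "ip":
            acl.append(("permit", "ip", net, None))
        elif allowed:
            for svc in allowed.split(", "):
                acl.append(("permit", "tcp", net, SERVICE_PORTS[svc]))
            acl.append(("deny", "ip", net, None))  # "All other protocols"
    return acl

def to_ios(acl, number=101):
    """Render entries as IOS lines; a /32 source becomes a 'host' entry."""
    lines = []
    for action, proto, net, dport in acl:
        src = (f"host {net.network_address}" if net.prefixlen == 32
               else f"{net.network_address} {net.hostmask}")
        port = f" eq {dport}" if dport else ""
        lines.append(f"access-list {number} {action} {proto} {src} any{port}")
    return lines

def evaluate(acl, src_ip, proto, dport=None):
    """First matching entry wins; no match means the ACL's implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    for action, aproto, net, adport in acl:
        if ip in net and (aproto == "ip" or (aproto == proto and adport == dport)):
            return action
    return "deny"
```

Note that the 192.168.8.0 row, which the table leaves blank, ends up with no entries at all and is therefore blocked by the implicit deny, which is the same effect as an explicit deny but is invisible in the configuration.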

Firewalls

Configure PIX firewall A:

Controls traffic to Web/FTP Server, AD/DNS/File Server, Backup File Server, Control Server and Administration workstations:

     - Public Interface: 192.168.9.3

     - Private Interface: 192.168.6.19, connected to Cisco Catalyst 3550 Switch

     - Private Interface: 192.168.7.9, connected to Web/FTP Server

Configure PIX firewall B:

Controls traffic to Student network

     - Public Interface: 192.168.9.4

     - Private Interface: 192.168.10.254, connected to Cisco Catalyst 3550 Switch

 

Configure Cisco VPN concentrator 3005:

Connection specifications for remote access and site-to-site connections: authentication protocol and encryption protocol.

Technical Specifications:

  •  Address management:

        - Private interface: 192.168.10.253

        - Public interface 192.168.9.2

        - Internet IP: 67.64.179.155

        - IP address pool for remote-access client: 192.168.10.150-192.168.10.200

  •  Site to Site VPN configuration:

        - UHD private LAN address: 172.16.1.0/24

        - UHD internet IP: 68.91.105.61

        - Pre-shared key: carbohydrates123

        - Authentication: ESP/MD5/HMAC-128

        - Encryption: 3DES-168

  •   Remote Access configuration:

 

Configure Cisco Secure ACS:

Controls the authentication, authorization and accounting of users accessing the DCSL network (VPN and wireless users). Authentication, authorization and accounting are all enabled for AAA clients. The list of AAA clients:

Technical Specifications:

IP address: 192.168.6.21

Secret key: secretkey

Protocols enabled: RADIUS, TACACS+

Groups, accounts and permissions for groups:

  Group name         Users   Services/protocols enabled
  Administrator
  Student                    http, https, dns
  VPN client                 http, https, dns
  Wireless client            http, https, dns

 

Configure Linksys Access Point:

Provide access to Student Network for wireless users:

Technical Specifications:

    - Name: AP3

    - IP address: 192.168.5.254/24

    - WPA algorithm: AES

    - WPA pre-shared key: dcsld140

    - SSID broadcast: enabled

    - SNMP: disabled

 

Network management system: SNMP should be enabled on servers and network equipment interfaces.


COPYRIGHT © 2007 University of Houston Clear Lake. ALL RIGHTS RESERVED.