In my previous blog post in this multi-part series on constructing an information security policy, I reviewed identifiers such as IP addresses and VLAN IDs and their role as security policy match criteria for identifying traffic flows subject to features such as firewalling and IPS services. In the final post in this series, I'll review secure assignment of identifiers to end entities, such as users and devices. I'll also discuss manipulation techniques that impact security policy, and new role-based identifiers that may be used in lieu of more traditional network topology-based constructs.
The allocation of addresses and other identifiers to users and devices must be handled with security in mind. When managing VLANs, consider techniques such as VTP with pruning, implement PVST (Per-VLAN STP), and secure it with features such as Root Guard, BPDU Guard, and disabling dynamic trunking. Private VLANs (PVLANs) also are useful for segmenting traffic and protecting important resources.
Address assignment methods should be controlled and secured; this is simpler for static assignment to resources that do not change frequently. Dynamic assignment is required for users and devices that may be transient in nature. Allowing access dynamically is best handled by DHCP, which where possible, should follow authentication and authorization of the end entity via RADIUS Whenever a DHCP server is used, secure the service using techniques such as DHCP snooping, and Dynamic ARP Inspection. It's also important to track assigned addresses by associating MACs to IPs to prevent spoofing.
Using authentication methods such as 802.1X or MAB and tying them to device profiling and security posture assessments introduces the concept of authorized network access based not only on identity, but also device capabilities and compliance status.
Manipulation techniques and security
Allocated addresses may need to be translated to allow access to private services from a public network, or to hide the real address of a private resource. Get familiar with uni-directional vs. bi-directional access when configuring NAT and PAT methods. If a translated address is used to initiate traffic flows (to allow connectivity to a web server, for example), a bi-directional method like a static public to private mapping is required. This also can be combined with application port mapping, which forces connectivity via a non-standard port, hiding the real port from potential exploits.
If address translation is not an option, but connectivity across a WAN or the Internet to remote sites is required, consider tunneling methods such as IPv6-in-IPv4 or IPv4-in-IPv4 tunnels, which may also be protected with IPsec.
Once users and devices access the network, a solid understanding of routing protocols and packet-forwarding techniques adds to overall security. Static routes help redirect traffic for security reasons. Policy-based routing can also redirect or discard traffic as well as mark certain flows for priority handling. Be familiar with best practices for dynamic routing protocols as well as any security mechanisms associated with them -- for example, authentication of routing updates via MD5 and TTL maximum hop limits for Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP).
Role-based identifiers that add context to a security policy beyond topology-dependant constructs such as IP address are another technology to consider when building your information security policy. Some vendors offer identity-based firewalling where a username-IP address mapping is used to enforce policy.
Other methods exist whereby a Security Group Tag (SGT) is assigned to groupings of end entities according to roles and functions. Dynamic assignment is via a RADIUS-driven authorization profile and static assignment is used to apply SGTs to devices, subnets and other groupings that do not tend to change their location. Although IP addresses are still assigned and used for routing and forwarding, the SGT value is used as the security policy match criteria.
The use of SGTs for policy provides a method for uniform enforcement regardless of the location of the end entities or the underlying network topology.
Careful consideration of the issues I've discussed in this blog series will pay off when planning an information security policy. Ultimately, a detailed and comprehensive security policy will ensure deployment and configuration is less prone to error and successfully -- and securely -- reflects business objectives.