Secure Network Architecture
Principles
- Isolate the ICS (Control) Network from the Corporate (Production) Network
- Use minimal connections between the Control & Production Networks
- Use Firewalls
- Filter Packets - including ICMP types/codes, especially Destination Unreachable (type 3) with the Network Unreachable (code 0) and Host Unreachable (code 1) codes, which reveal topology to a scanner
- Block all Communication by Default (default deny; allow only what is explicitly required)
- Enforce Secure Authentication
- Enforce Destination Authorisation (a permitted source may only reach the specific hosts it needs)
- Record Information (log every permitted and denied connection)
- Permit the ICS to Implement Operational Policies
Network Architecture
- Dual-Homed Computer/Dual Network Interface Cards (NIC)

    ISP ---|Firewall|--- Production Network
                               |
                       |Dual-homed host|   (one NIC in each network)
                               |
                         Control Network
- Firewall between Corporate Network & Control Network

    Control Network
           |
      |Firewall|
           |
    Production Network ---|Firewall|---|Router|--- ISP
- Firewall & Router between Corporate Network & Control Network

    Control Network
           |
       |Router|      (Router can filter packets too)
           |
      |Firewall|
           |
    Production Network ---|Firewall|---|Router|--- ISP
- Firewall with DMZ between Corporate Network & Control Network

    Control Network
           |
      |Firewall|--- DMZ
           |
    Production Network ---|Firewall|---|Router|--- ISP
- Paired Firewalls between Corporate Network and Control Network (the configuration used in practice)

    Control Network
           |
      |Firewall|     (Router can filter packets too)
           |
          DMZ
           |
      |Firewall|
           |
    Production Network ---|Firewall|---|Router|--- ISP

  The two firewalls can use different configurations and fail states:
    Active - Active  or  Active - Passive
    FAIL - Secure State (FS)  or  FAIL - Open State (FO)
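The following is an added worked example, not part of the original notes: a small default-deny policy model for the paired-firewall/DMZ layout above, evaluated over constructed packets. The zone address plan, the DMZ historian host (10.20.0.10) and the three allow-list rules are assumptions chosen to exercise the principles listed at the top of the page (block all by default, minimal control/production connections via the DMZ, destination authorisation, ICMP Destination Unreachable filtering, and recording every decision).

```python
"""Zone-based, default-deny packet policy for the paired-firewall / DMZ layout.

Illustrative example added to these notes; it is not taken from the original
page. The zone address plan, the historian host and the allow-list are
assumptions constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumed address plan (constructed): one prefix per zone; anything else is "internet".
ZONES = {
    "control":    ipaddress.ip_network("10.10.0.0/16"),
    "dmz":        ipaddress.ip_network("10.20.0.0/24"),
    "production": ipaddress.ip_network("10.30.0.0/16"),
}
HISTORIAN = "10.20.0.10"  # assumed DMZ host that brokers control <-> production data


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown addresses are treated as untrusted."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0        # TCP/UDP destination port
    icmp_type: int = -1
    icmp_code: int = -1


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: str         # destination authorisation: a specific host, not a whole zone
    proto: str
    dport: int
    comment: str


# Minimal connections: every cross-zone path terminates on the DMZ historian.
# There is deliberately no rule for production -> control or internet -> anything.
ALLOW = (
    Rule("control",    "dmz", HISTORIAN, "tcp", 5432, "PLC gateway pushes data to historian DB"),
    Rule("production", "dmz", HISTORIAN, "tcp", 443,  "business users read historian over HTTPS"),
    Rule("control",    "dmz", HISTORIAN, "tcp", 22,   "maintenance SSH from control side only"),
)

# ICMP Destination Unreachable (type 3) with code 0 (network) or 1 (host)
# reveals topology to a scanner, so this model drops it regardless of zone.
BLOCKED_ICMP = {(3, 0), (3, 1)}


@dataclass
class Firewall:
    log: list = field(default_factory=list)  # "record information": every verdict is kept

    def decide(self, pkt: Packet) -> bool:
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        verdict, reason = False, "default deny"            # block all by default
        if pkt.proto == "icmp" and (pkt.icmp_type, pkt.icmp_code) in BLOCKED_ICMP:
            reason = "ICMP destination unreachable filtered"
        elif src_zone == dst_zone and src_zone != "internet":
            verdict, reason = True, "intra-zone traffic"
        else:
            for rule in ALLOW:
                if (rule.src_zone, rule.dst_zone, rule.dst_host, rule.proto, rule.dport) == \
                        (src_zone, dst_zone, pkt.dst, pkt.proto, pkt.dport):
                    verdict, reason = True, rule.comment
                    break
        self.log.append((src_zone, dst_zone, pkt.proto, pkt.dport, verdict, reason))
        return verdict


def run_sample() -> list:
    """Evaluate constructed sample packets; returns the verdicts in order."""
    fw = Firewall()
    samples = [
        Packet("10.10.1.5",   HISTORIAN,   "tcp", 5432),                       # control -> historian: allowed
        Packet("10.30.4.4",   HISTORIAN,   "tcp", 443),                        # production -> historian: allowed
        Packet("10.30.4.4",   "10.10.1.5", "tcp", 502),                        # production -> PLC (Modbus): denied
        Packet("203.0.113.9", HISTORIAN,   "tcp", 443),                        # internet -> DMZ: denied
        Packet("10.10.1.5",   HISTORIAN,   "icmp", icmp_type=3, icmp_code=1),  # host unreachable: filtered
        Packet("10.10.1.5",   "10.10.1.6", "icmp", icmp_type=8, icmp_code=0),  # ping within control: allowed
    ]
    verdicts = [fw.decide(p) for p in samples]
    for entry in fw.log:
        print(entry)
    return verdicts


if __name__ == "__main__":
    print(run_sample())  # [True, True, False, False, False, True]
```

Note that the production network never gets a rule towards the control network, even though it can read the historian: the DMZ host is the only place where data from the two sides meets, which is the point of the paired-firewall design.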
Logically Separated Control Networks
- LAN -----> Virtual LAN (VLAN) -------> Enclave (grouping of VLANs with a common security policy)
Defense in Depth / Onion Security
- Application & Data
- Data End Point
- Patch Management (e.g. Qualys Guard)
- Intrusion Prevention
- Virus Protection
- Host-Based Firewall
- Server Hardening
- Internal Network
- Perimeter Security
- Physical Security
- Policies & Procedures
Use Secure Protocols
- WEP --> WPA2
- TELNET --> SSH
- FTP --> SFTP
- EMAIL --> PGP or S/MIME
- HTTP --> HTTPS
Links
http:///wiki/?securenetworkarchitecture
01dec16 | admin |