View Source

Some ideas for following a defense-in-depth approach to network segmentation:

Monitoring and Alerting
1. Implement network monitoring switches to feed information security sensors
2. Implement a Security Information and Event Management (SIEM) system
Network Intrusion Detection / Prevention
1. Implement additional open source IDS sensors
2. Implement general IPS appliances where network segments meet
3. Implement malware detection appliances where network segments meet
Host Intrusion Detection / Prevention
1. Utilize file integrity monitoring on hosts inside the PII network segment
2. Utilize antivirus software on hosts inside the PII network segment
3. Implement a central server to monitor the hosts for file integrity and antivirus
Incident Response
1. Log network traffic at the campus border when alert is generated
2. Log all network traffic that leaves the PII network segment for a defined period
3. Implement a shared file space (NAS) to conduct forensics on virtual desktop disks
Review and Audit
1. Implement additional vulnerability scanning engines inside network segments
2. Implement a host inventory system inside the PII network segment
3. Implement a central server for reporting PII locations on machines inside PII segment

1/30/2013

URL for departmental RLAN wiki:

https://apps.es.vt.edu/confluence/display/RLAN

11/07/2012

One attack possibility that the RLAN will not currently be able to mitigate is DNS queries to exfiltrate data. For example: an RLAN secure machine becomes infected. The malware finds the data it wants and chunks it into small pieces and uses it as part of a DNS query (d69g6qxcih.baddomain.ru). The campus DNS servers will forward the request to the DNS server of baddomain.ru and may or may not get a reply. The malware could repeatedly query new "hosts" from that domain which are actually chunks of the data. The baddomain.ru DNS server is actually piecing together the data for later use.

One solution would be to setup DNS forwarders specifically for the RLAN which will not attempt to resolve hosts that are not on the whitelist. It could instead return an internal RLAN address for any non-whitelist hosts. The internal host could serve a webpage warning and log connections for later analysis.

9/12/2012

New Client Option Diagrams (PDF): RLAN-client-options.pdf

Note for Options 3 and 4, either Marc's infrastructure or a Citrix solution could work.

6/21/2012

Current rack photo (PDF): RLAN-JUN2012-rack.pdf

Redundancy diagram (PDF): RLAN-JUN2012-redundancy.pdf

8/29/2011

Summary Diagram (PDF): infrastructure-summary.pdf

8/26/2011

Latest Diagrams (PDF): segmented-net-v5.pdf

8/23/2011

Latest Diagrams (PDF): segmented-net-v4.pdf

8/22/2011

Summary Diagram (PDF): ITSO-infrastructure-summary.pdf

8/18/2011
Latest Diagrams (PDF): segmented-net-v3.pdf

8/11/2011
Second version of diagrams (PDF): segmented-net-v2.pdf

This PDF includes An over-all diagram, ITSO monitoring infrastructure, and individual diagrams for each client connection option.

8/12/2011

Example 10-GigaBit taps from Net Optics here. These 10-GigaBit taps are around $850 each. Specifications

8/11/2011

A very rough estimate of prices for network monitoring and security infrastructure components: NetSeg-budget.docx
These are rough estimates and there may be missing components

A few early diagram's for visualizing network traffic flow components that might be involved: Security Community > Philip's Notes and Diagrams > NetworkSecTraffic.jpg

Security Community > Philip's Notes and Diagrams > segmented-net-pii.jpg

Security Community > Philip's Notes and Diagrams > segmented-net-pci.jpg