The following lists the proposals that will be incorporated into the security design of this network:
All unnecessary services on all three routers should be disabled. This will be done manually. SSH will be used on all routers for access (Telnet should be blocked). Only network administrators (172.16.4.12, 172.16.4.13, 172.16.4.14, and 172.16.4.15) should be allowed EXEC access.
Each administrator should have a separate account to access the routers. AAA is used to set up authentication of access to the routers. All command executions and system events should be logged. A back-door account should be set up on each router, in case the AAA server is not reachable. The AAA server used will be Cisco Secure ACS with TACACS+ as the security protocol. Even the branch office router will be set up for AAA.
Normal extended ACLs will be used for implementing the policy restrictions on the internal routers. Normal extended ACLs also will be used on RouterC, the branch-office router.
The perimeter router, RouterA, will use a combination of normal extended ACLs and Context-Based Access Control (CBAC) for filtering. Inspection should be set up for e-mail as well as HTTP. The internal router will use CBAC also to allow returning traffic from the outside and to inspect SMTP traffic.
Web filtering through the Websense server will be implemented on the perimeter router.
Address translation needs to be configured on the perimeter router. Static translations are needed for the DMZ devices and dynamic translations for all other internal devices accessing the Internet. For VPN connections, address translation should be disabled.
Because of the small number of subnets, static routes should be used for routing. Reverse-path forwarding should be used to prevent certain kinds of spoofing attacks.
IDS is implemented on both the corporate and branch-office perimeter routers, to provide enhanced protection. Attacks should be logged to a syslog server, and TCP reset should be used for TCP connection attacks.
CBAC will be used to protect against connection attacks, including TCP SYN flooding.
Because of the limited use of ICMP and UDP for Internet access, the company is concerned about DoS attacks with these protocols. It has decided to implement rate limiting through NBAR.
NTP will be used to synchronize devices. The internal syslog server also serves as the master NTP time source, and authentication is used to verify a device's identity. All three routers will log syslog messages, with time stamps, to the syslog server. For RouterC at the branch office, these messages should be encrypted.
A site-to-site IPSec VPN should be used to protect traffic between the branch and corporate offices. All branch traffic must traverse this connection, including traffic destined to the Internet. Device authentication is done with preshared keys.
To handle remote-access users, Easy VPN is implemented. There are three groups of users: admin, accounting, and users. The admin group includes the network administrators. The accounting group includes remote-access accounting personnel, and the appropriate restrictions should be applied to these people. The users group includes all other employees. A software firewall is required for these users to access the Internet; all traffic sent to the corporate site should be protected.