Knowledge Base Article
Project Planning for Securing Exposed Network Connections
Copyright © 2010-2012, ISONAS Security Systems
All rights reserved
Table of Contents
1: INTRODUCTION (page 3)
  1.1: OVERVIEW (page 3)
    Networking Tool Chest (page 3)
  1.2: ISONAS SYSTEM CONCEPTS (page 3)
    Data Encryption (page 3)
    Assigned IP Port (page 4)
    How the IP connection is initiated (page 5)
    PowerNet’s Network Connection Count Control (page 5)
    Alarm Notifications (page 5)
  1.3: MANAGED NETWORK SWITCHES TECHNIQUES (page 6)
    Access Control Lists (ACL) (page 6)
    Network Policy Enforcement (page 6)
  1.4: NETWORK TOPOLOGY TECHNIQUES (page 7)
    Physically Separate Networks (page 7)
    Host computer equipped with dual NIC cards (page 7)
    Isolated Subnets w/Firewall (page 7)
    Virtual LAN (VLAN) (page 7)
2: EXAMPLE CONFIGURATION (page 8)
  2.1: ACL EXAMPLE (page 8)
    Prevent the creation of TCP/IP connections from the exposed end (page 9)
    Allow TCP/IP traffic that is destined for the Host Computer (page 10)
    Block all other network traffic from using this connection (page 11)
    “Bind” the ACL to the physical port on the network switch (page 12)
Document Version (KBA0140NetworkConnections.Doc)
Date of Revision | Revision | Author      | Description
06/05/2010       | 1.0      | Shirl Jones | Initial Release
06/09/2010       | 1.1      | Shirl Jones | Clarifications of the concepts
10/20/2010       | 1.2      | Shirl Jones | Added ACL example
1: INTRODUCTION
When installing IP-based physical security systems, a common question
arises regarding the protection of network connections that reside on the
outside of a building.
This question comes up when discussing the ISONAS system, IP-based video
camera systems, IP-based intercom systems, and other such systems.
This document describes some commonly used techniques that are available
to address it.
1.1: OVERVIEW:
Networking Tool Chest
The techniques described here are part of a “networking tool chest” that may
be used by the system integrator and end-users to provide security for the
network connections used by the PowerNet reader-controllers.
In some ways, this “networking tool chest” is similar to an auto mechanic’s
tool chest. The mechanic has many tools in his tool chest. Some are used
for every repair job. Others are only used on a select number of jobs, where
the project being completed requires them.
Likewise, you will probably not use every tool in this networking tool chest
on every project. In fact, most projects will typically only use one or two of
these techniques.
And, since we are discussing networking technologies, which is a large and
growing field, there may be other tools available, depending on the brand and
model of networking equipment used, that this document does not discuss.
1.2: ISONAS SYSTEM CONCEPTS:
The vast majority of the tools within the networking tool chest are
implemented through the networking hardware and software, such as network
switches, routers, firewalls, VLANs, etc.
There are several concepts and features of the ISONAS system that are
important to understand when discussing this topic.
Data Encryption
The IP communications between the PowerNet reader-controller and the Host
computer can be encrypted using AES 256-bit encryption. For installations
where data will be passing over the public Internet, encrypting that data is
encouraged. IP data encryption is also a tool that is available to prevent
anyone from attaching to a network connection and sending data to the
access control system. Within the PowerNet itself, the credential and event
data is encrypted using the same AES 256-bit techniques prior to being
written to the PowerNet’s nonvolatile memory.
Securing Exposed Network Connections
3
Assigned IP Port
When discussing IP networks, the term “port” has two meanings.
A “port” can be the physical connector where a network cable is attached to
a device. This might be on a network switch, on the PowerNet, or on a
laptop.
For our discussions, when talking about a physical connection, we will use
the term “Physical Port”.
A “port” can also be an internal identifier that network devices use to
organize different conversations over the network. For example, assume
that your laptop has a single LAN connector and a single IP Address assigned
on that connection. Even though you have a single physical connection to
the network, you may simultaneously receive email, browse the Internet, and
maintain an active connection to your payroll system. In order for this to
work, your laptop needs a way to segregate the data coming from these
different systems. IP Ports are used for this. Each conversation will be
assigned its own IP Port. For your laptop’s one IP Address, there are 64,000
IP Ports available.
An analogy may help explain this. If your IP Address is like a Post Office,
then one of your IP Ports is like a single Post Office Box.
For our discussions, when talking about these internal network identifiers,
we will use the term “IP Port”.
The ISONAS system is designed so the host computer communicates with the
PowerNet using a single “IP Port”.
This design feature of the ISONAS system allows the network to be
configured to block the remaining 64,000 IP Ports. This is a very efficient
configuration and assures that a PowerNet is the only device that will
successfully communicate over the physical port.
How the IP connection is initiated
The Host computer will always initiate the IP communication connection to
the PowerNet reader-controller, in an outgoing direction. Once the network
connection has been established, the data can travel both ways.
This allows the network to be configured to treat the physical port going to
the PowerNet as an “outgoing only” connection.
An analogy would be a simple intercom speaker located at the front door and
connected to your phone system.
People inside can call the front door, but the front door cannot call into
different phones inside the building.
PowerNet’s Network Connection Count Control
The PowerNet will only allow one IP connection to exist. The host computer
will establish this connection on start-up. Any other attempts to connect to
the PowerNet will be rejected.
Alarm Notifications
The PowerNet and Crystal Matrix software can detect different alarm
conditions that would indicate that someone is attempting to disrupt or
disable the PowerNet.
Through the PowerNet’s Tamper Detector, an alarm is generated if the reader
is physically disturbed.
Through network communication heartbeats, alarms are generated if the
communications path between the PowerNet and the host is disrupted.
Alarms can cause a video system to focus on the door, an email to be created,
or personnel who are monitoring the Access Control System to be notified.
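The heartbeat and tamper alarms just described, modelled as an added example (this is not ISONAS’s code and not how Crystal Matrix implements it): it parses a few constructed reader log lines, records each reader’s last heartbeat, raises a tamper alarm for any reader that reports one, and raises a communications-lost alarm for any reader whose heartbeats have stopped for longer than an assumed tolerance. The log format, the reader names, the 30-second heartbeat interval and the two-missed-heartbeat tolerance are all assumptions made for the example.

```python
"""Added example, not ISONAS/Crystal Matrix code: heartbeat and tamper alarm
detection over a few constructed reader log lines."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log lines; the line format and the reader names are assumptions.
SAMPLE_LOG = """\
2010-10-20 08:00:00 reader=front-door event=heartbeat
2010-10-20 08:00:00 reader=loading-dock event=heartbeat
2010-10-20 08:00:30 reader=front-door event=heartbeat
2010-10-20 08:00:30 reader=loading-dock event=heartbeat
2010-10-20 08:01:00 reader=front-door event=heartbeat
2010-10-20 08:01:05 reader=front-door event=tamper
"""

HEARTBEAT_INTERVAL = timedelta(seconds=30)   # assumed heartbeat period
MISSED_BEFORE_ALARM = 2                      # assumed tolerance before alarming
SAMPLE_NOW = datetime(2010, 10, 20, 8, 1, 35)  # "current time" for the sample run


@dataclass(frozen=True)
class Alarm:
    reader: str
    kind: str        # "tamper" or "comms_lost"
    when: datetime   # tamper time, or last heartbeat seen for comms_lost


def parse_log(text: str) -> List[Tuple[datetime, str, str]]:
    """Turn 'date time key=value ...' lines into (timestamp, reader, event)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        stamp = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        records.append((stamp, kv["reader"], kv["event"]))
    return records


def evaluate_alarms(records: List[Tuple[datetime, str, str]], now: datetime,
                    interval: timedelta = HEARTBEAT_INTERVAL,
                    missed: int = MISSED_BEFORE_ALARM) -> List[Alarm]:
    """Tamper events alarm immediately; a reader whose last heartbeat is older
    than `missed` intervals is reported as having lost communications."""
    alarms: List[Alarm] = []
    last_seen: Dict[str, datetime] = {}
    for stamp, reader, event in records:
        if event == "heartbeat":
            last_seen[reader] = max(stamp, last_seen.get(reader, stamp))
        elif event == "tamper":
            alarms.append(Alarm(reader, "tamper", stamp))
    deadline = interval * missed
    for reader, stamp in sorted(last_seen.items()):
        if now - stamp > deadline:
            alarms.append(Alarm(reader, "comms_lost", stamp))
    return alarms


def detect_sample_alarms() -> List[Alarm]:
    """Run the detector over the constructed log at the sample 'now'."""
    return evaluate_alarms(parse_log(SAMPLE_LOG), SAMPLE_NOW)


if __name__ == "__main__":
    for alarm in detect_sample_alarms():
        print(f"{alarm.kind:10s} reader={alarm.reader} at {alarm.when}")
```

In the sample run the front-door reader produces a tamper alarm, and the loading-dock reader, whose last heartbeat was 65 seconds before the sample “now”, produces a communications-lost alarm while the front-door reader (35 seconds) does not. The tolerance of two missed heartbeats is the knob that trades false alarms from a momentarily congested link against detection delay.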
1.3: MANAGED NETWORK SWITCHES TECHNIQUES:
The use of a managed switch to protect the exterior LAN connections is the
protection method most commonly used and the easiest to implement.
Managed switches are made by most of the major LAN equipment vendors.
The feature set supported by each brand and model will vary, but the
techniques mentioned in this document are supported by most of the
common models.
Access Control Lists (ACL)
Managed network switches support “Access Control Lists” (ACL). These are
business rules that the switch will follow when certain events happen on the
physical ports that are connected to that switch.
Please note that an ACL is a feature of the network switch, and ACLs are
totally independent from the ISONAS Access Control System. The names
are similar, and you may use both on more complex projects, but they are
not related.
The types of rules that an ACL can implement include:
• For a specific physical port on the switch:
o Only allow a connection to a specific MAC address
o Only allow a connection to be made to a specific set of IP Ports
o Only allow outgoing connections to be made.
With these types of rules, you can easily restrict the switch’s physical port
to only allow the PowerNet’s network traffic.
Network Policy Enforcement
Network switches can either directly support Network Policy Rules, or they
can be managed by a Network Management Application which can implement
these rules over the Simple Network Management Protocol (SNMP).
Using these policy techniques, the network switch can be configured to
either:
1. Create a network alarm, if the network switch detects that the
   physical connection to the PowerNet has been interrupted
2. Shut down the physical port, on detection of the disconnect
The technique of shutting down physical ports can cause the customer
additional administrative overhead for the Access Control System. If a
power outage were to interrupt the PowerNet’s network connections, either
manual intervention would be required to re-enable the physical port(s) on
the network switch, or a programmatically driven event in the SNMP
application might re-enable the port after some selected criteria have been
met.
1.4: NETWORK TOPOLOGY TECHNIQUES:
Different techniques can be used during the design of the network that
supports the PowerNet to enhance the security of the exposed network
connections.
Physically Separate Networks
By installing a second IP network within the customer’s facility, it is easy to
totally isolate the security system’s network traffic from the corporate
network; however, this technique adds cost to the installation and is not
recommended for most ISONAS projects. If IP video is being installed as
part of the project, then isolating the corporate network from the video
system’s volume of network traffic is often a desired goal, and this has the
secondary benefit of enhancing the security of the solution.
Host computer equipped with dual NIC cards
If separate networks are installed, it is typically still desirable to manage the
host computer from the corporate network. To meet this goal, the Host
Computer needs to be able to communicate over both the security network and
the corporate network. Equipping the Host Computer with two Network
Interface Cards (NIC) is one technique that can be used to accomplish
this while preserving the isolation between the two networks.
Isolated Subnets w/Firewall
If separate networks are installed, a standard router/firewall configuration
can be set up to connect, yet isolate, the two networks. This allows the Host
Computer to communicate over both the security network and the corporate
network. This same technique is commonly used when connecting the
corporate network to the public Internet, so it is a well-understood process.
Virtual LAN (VLAN)
VLANs can be used to support multiple logical networks on a common
networking hardware platform. If the access control system is
geographically dispersed, this is a very cost-effective method. Also, since
most managed network switches readily support VLANs, this technique is also
used in single locations to leverage the customer’s current investment. It
gives you the benefits of a physically separated network without incurring the
cost of installing separate network switches.
2: EXAMPLE CONFIGURATION
2.1: ACL EXAMPLE:
In this example, a typical network switch will be configured with an “Access
Control List” (ACL). This ACL will restrict the network switch’s ports so they
only pass traffic that is related to the PowerNet’s communications.
The switch that is discussed is a member of the Cisco line of Small Business
Managed Switches (Model: SRW224G4P). This is a class of switch that could
be easily used on smaller ISONAS installations, and the features being
discussed are commonly supported on most brands and models of managed
network switches.
The ACL is configured as an “ingress ACL”, in that the rules are checked
against network traffic that is “incoming to the switch”. This ACL will not
affect packets that are going out of the switch, towards the PowerNet.
The configuration will be done in two steps:
1) Define the rules of the Access Control List. These rules are referred to
   as ACL “Conditions”.
2) Direct the network switch to use these rules on the network port(s)
   that are connected to the PowerNet(s). This process is called “Binding
   the ACL to the port(s)”.
There are three simple rules for this ACL:
1) Do not allow TCP/IP connections to be created from the PowerNet side
   of the connection.
2) Restrict the TCP/IP traffic so it can only flow between the PowerNet
   and the Host computer, where Crystal Matrix is running.
3) Block any other network traffic.
The network switch being used for this example allows you to assign a name
to an ACL, and we will name the ACL “PowerNet”.
Prevent the creation of TCP/IP connections from the exposed end
The 1st ACL condition to be configured prevents new TCP/IP connections from
being created from the PowerNet side of the cable.
Note that the order in which the ACL Conditions are “applied” is important,
so this condition needs to be defined 1st.
The important settings of this ACL condition are:
Attribute          | Setting
Action             | Deny
Protocol           | TCP
TCP Flags          | SYN flag is “Set”; other flags are “UnSet”
Source IP Address  | Any
Dest. IP Address   | Any
The network switch’s configuration screen, with these settings specified, is
shown below.
Allow TCP/IP traffic that is destined for the Host Computer
The 2nd ACL condition will allow TCP/IP packets that are being sent to the
host computer to be passed thru the network switch.
The important settings of this ACL condition are:
Attribute               | Setting
Action                  | Permit
Protocol                | TCP
Source Port             | 10001 (Note: Your installation may have the PowerNets configured to use a different IP Port.)
Source IP Address       | Any
Destination IP Address  | 192.168.1.88 (Note: This would be the static IP Address that is assigned to the Crystal Matrix Host computer.)
The network switch’s configuration screen, with these settings specified, is
shown below.
Block all other network traffic from using this connection.
The last ACL condition will block all network traffic that was not already
allowed by the 2nd ACL condition.
The important settings of this ACL condition are:
Attribute               | Setting
Action                  | Deny
Protocol                | Any
Source IP Address       | Any
Destination IP Address  | Any
The network switch’s configuration screen, with these settings specified, is
shown below.
“Bind” the ACL to the physical port on the network switch
The rules of the ACL have now been defined.
The next step is to tell the switch what ports it should apply these rules to.
For our example, port #21 is connected to a PowerNet.
From the “ACL Binding” screen, port #21 is configured so that:
The use of an ACL is:               “Enabled”
The specific ACL to use is named:   “PowerNet”
This completes the task of protecting the port, and yet still allows the
required communications between the Crystal Matrix host computer and the
PowerNet.
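The three conditions above, once bound to port #21, can be checked against sample traffic before they are entered on the switch. The following is an added example, not ISONAS’s or Cisco’s code: it models the ACL as an ordered, first-match rule list and evaluates constructed packets as they would enter the switch on the PowerNet’s physical port (the ACL is ingress-only, so host-to-PowerNet packets are never evaluated by it). The host address 192.168.1.88 and the IP Port 10001 are the page’s values; the PowerNet address 192.168.1.50, the unknown device’s address 192.168.1.200 and the packet contents are constructed. It also shows why the first condition must be defined first: with the permit condition ahead of it, a connection attempt (SYN) from source port 10001 toward the host would be passed.

```python
"""Added example, not ISONAS or Cisco code: a first-match model of the
three-condition ingress ACL named "PowerNet", evaluated over constructed packets."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TCP_FLAGS = frozenset({"SYN", "ACK", "FIN", "RST", "PSH", "URG"})

HOST_IP = "192.168.1.88"        # from the page: the Crystal Matrix host
POWERNET_PORT = 10001           # from the page: the PowerNet's IP Port
POWERNET_IP = "192.168.1.50"    # constructed for the sample packets
UNKNOWN_IP = "192.168.1.200"    # constructed: some other device on the jack


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", ...
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0
    flags: frozenset = frozenset()  # TCP flags that are set


@dataclass(frozen=True)
class Condition:
    name: str
    action: str                           # "permit" or "deny"
    proto: Optional[str] = None           # None means "Any"
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    flags_set: frozenset = frozenset()    # flags that must be set
    flags_unset: frozenset = frozenset()  # flags that must be clear

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src_ip is not None and pkt.src_ip != self.src_ip:
            return False
        if self.dst_ip is not None and pkt.dst_ip != self.dst_ip:
            return False
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        if not self.flags_set <= pkt.flags:
            return False
        if self.flags_unset & pkt.flags:
            return False
        return True


# The page's three conditions, in the order it says they must be applied.
DENY_NEW_CONNECTIONS = Condition(
    "deny new TCP connections from the PowerNet side", "deny", proto="tcp",
    flags_set=frozenset({"SYN"}), flags_unset=TCP_FLAGS - {"SYN"})
PERMIT_TO_HOST = Condition(
    "permit TCP from port 10001 to the host", "permit", proto="tcp",
    src_port=POWERNET_PORT, dst_ip=HOST_IP)
DENY_EVERYTHING_ELSE = Condition("deny everything else", "deny")
POWERNET_ACL = [DENY_NEW_CONNECTIONS, PERMIT_TO_HOST, DENY_EVERYTHING_ELSE]


def evaluate(acl: List[Condition], pkt: Packet) -> Tuple[str, str]:
    """First matching condition decides, as on the switch's ingress ACL."""
    for cond in acl:
        if cond.matches(pkt):
            return cond.action, cond.name
    return "deny", "implicit deny"


# Constructed packets as they would arrive on the PowerNet's switch port.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "syn from powernet side": Packet("tcp", POWERNET_IP, HOST_IP, POWERNET_PORT, 50123, frozenset({"SYN"})),
    "syn-ack reply to host": Packet("tcp", POWERNET_IP, HOST_IP, POWERNET_PORT, 50123, frozenset({"SYN", "ACK"})),
    "event data to host": Packet("tcp", POWERNET_IP, HOST_IP, POWERNET_PORT, 50123, frozenset({"PSH", "ACK"})),
    "data to another host": Packet("tcp", POWERNET_IP, "192.168.1.10", POWERNET_PORT, 50123, frozenset({"PSH", "ACK"})),
    "udp broadcast": Packet("udp", POWERNET_IP, "255.255.255.255", 68, 67),
    "syn from unknown device": Packet("tcp", UNKNOWN_IP, HOST_IP, 44321, 80, frozenset({"SYN"})),
}


def run_samples(acl: List[Condition] = POWERNET_ACL) -> Dict[str, str]:
    """Verdict for every sample packet under the given ACL."""
    return {name: evaluate(acl, pkt)[0] for name, pkt in SAMPLE_PACKETS.items()}


def ordering_matters() -> Tuple[str, str]:
    """Verdict for a SYN from the PowerNet side with the page's order versus
    the permit condition moved ahead of the SYN deny."""
    swapped = [PERMIT_TO_HOST, DENY_NEW_CONNECTIONS, DENY_EVERYTHING_ELSE]
    pkt = SAMPLE_PACKETS["syn from powernet side"]
    return evaluate(POWERNET_ACL, pkt)[0], evaluate(swapped, pkt)[0]


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{verdict:6s} {name}")
    print("SYN verdict (page order, swapped order):", ordering_matters())
```

Only the two packets that belong to a host-initiated conversation (the SYN-ACK reply and the data on the established connection) are permitted; every connection attempt from the exposed side, whether from the PowerNet’s own address or from an unknown device, is stopped by the first condition, and everything else falls through to the final deny. The swapped-order check returns “permit” for the SYN, which is the reason the page insists the SYN-deny condition be defined first.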
For more information:
Web: www.isonas.com
E-mail: sales@isonas.com
Tel: 800-581-0083 x102 (toll-free) or 303-567-6516 x102 (CO)
Fax: 303-567-6991
ISONAS Headquarters:
4720 Walnut Street, Suite 200, Boulder, Colorado 80301 USA