Securing a wired LAN

15 years 10 months ago #28209 by DSL55
Securing a wired LAN was created by DSL55
Hello everyone,

I'm starting a project whose objective is securing the 7 layers of the OSI model. The problem is that there are so many methods to achieve that, that I don't know which ones I should apply and whether they are all being applied in the proper layer.

My main goal is to achieve maximum security with less overhead.

So my plan is as follows:
Layer 1 Physical -
Restrict Autorun on all machines
Control what employees can plug into the USB ports
Use of McAfee Antivirus on all machines

Layer 2 Data Link -
Create VLANs
Configure SSH
Configure dynamic ARP inspection to drop invalid MACs
Disable all unused ports
Configure MPLS VPN layer 2

Layer 3 Network -
Configure ACLs
Configure VPN layer 3 to enforce the layer 2 VPN
Use a firewall router
Configure NAT

Layer 4 Transport -
Use SNMP version 3 only
Control the amount of ICMP used in the network
Use of IPS/IDS software (please let me know if someone knows any free and effective version)
I also need any free software that can confuse fingerprint attacks.

Layer 5 Session -
Preventing and detecting by limiting incoming connections and configuring the network to reject packets from the internet that claim to originate from a local address.
Configure port security on LAN switches

Layer 6 Presentation -
Use SSL and TLS

Layer 7 Application -
Use an AAA server + the methods used in the previous layers might be enough to prevent application layer attacks
Require DNS to use random transaction id and source port.


Please, what do you think about my objectives? Might I be using too many features in some cases?

Thank you for your time.

Ed
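The Layer 5 item in the plan above (rejecting packets from the internet that claim to originate from a local address) amounts to an ingress anti-spoofing check on the internet-facing interface. The sketch below is an added example, not part of the original post; the internal prefixes and sample source addresses are constructed assumptions, and it also drops other never-valid sources (loopback, private, multicast), which goes slightly beyond the single case named in the post.

```python
import ipaddress

# Assumption: prefixes used inside the LAN (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.10.0/24", "10.20.0.0/16")]

# Sources that are never valid on a packet arriving from the internet:
# "this network", loopback, link-local, RFC 1918 private space and multicast.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def ingress_verdict(src):
    """Return (action, reason) for a packet received on the internet-facing interface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return ("drop", "unparseable-source")
    if addr.version != 4:
        return ("drop", "not-ipv4")  # this example covers IPv4 only
    # Check our own prefixes first so the log reason names the spoofing case.
    if any(addr in net for net in INTERNAL_NETS):
        return ("drop", "spoofed-internal")
    if any(addr in net for net in BOGON_NETS):
        return ("drop", "bogon-source")
    return ("permit", "routable-source")


def summarize(sources):
    """Count verdict reasons over a list of source addresses."""
    counts = {}
    for src in sources:
        _, reason = ingress_verdict(src)
        counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed sample: source addresses seen on the outside interface.
SAMPLE_SOURCES = ["203.0.113.7", "192.168.10.25", "10.20.3.4",
                  "10.99.1.1", "127.0.0.1", "198.51.100.200"]

if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(src, *ingress_verdict(src))
```

On a router the same decision is normally expressed as an inbound ACL on the outside interface; the function form makes it easy to replay captured source addresses and see which rule would have matched.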
15 years 10 months ago #28219 by TheBishop
Replied by TheBishop on topic Re: Securing a wired LAN
You've made a good start.
Try to bear in mind what each layer does, and try to include under each layer heading only those measures that impact that layer and which improve security. For example, for the physical layer antivirus is not really that relevant. However things like using fibre instead of copper to make the physical bitstream harder to intercept and modify, is. Remember physical security also - if they can't physically get to your network then you limit much of what they can do.
Most of your other suggestions are under the correct layer but there are one or two I might move.
Also, for free intrusion detection have a look at Snort.
15 years 10 months ago #28222 by S0lo
Replied by S0lo on topic Re: Securing a wired LAN
Great start indeed. Just a few notes here. SSH is above layer 3 (Application layer in the DoD model en.wikipedia.org/wiki/Secure_Shell ). The "Firewall router" could be at layer 3 or above it, it depends on its capabilities and what you configure on it. Antivirus is surely above layer 4.

Usually a subset of what you're proposing will do the job. It depends on your requirements. Port security for example is effective in ensuring no machines connect to your network other than the ones you have allowed. VPNs are a popular choice for allowing and securing remote users. May I suggest configuring personal firewalls (software). A firewall at the edge router is great in preventing outsiders, but it won't prevent viruses or attackers that have already propagated to (or infected) an internal PC from spreading their hazard around. I personally use the Windows built-in firewall.

As TheBishop mentioned, physical security should be taken seriously. For example, if there is a possibility for an intruder to have physical access to some of your machines (provided those machines have a floppy drive), then I suggest you enable BIOS passwords. An intruder can change the Windows password of an Administrator by booting from a floppy disk with some password cracking/changing software on it. Such software is already available in the wild.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
15 years 10 months ago #28223 by sose
Replied by sose on topic Re: Securing a wired LAN
You are not going to be controlling ICMP at layer 4.

Also, after using the best software to secure all the layers, make sure your users are not careless ones. They are the easiest path through your network.
15 years 10 months ago #28224 by sose
Replied by sose on topic Re: Securing a wired LAN
ok u can block ports at layer 4
15 years 10 months ago #28227 by DSL55
Replied by DSL55 on topic Re: Securing a wired LAN
Thank you all for your answers:


I will apply SSH for Layer 5 security and I will try Communicrypt2g0 1.0 for session encryption.

I found one piece of software, SecurePAQ INIDS 1.1 (although I have never tried it, so I don't know if it is good yet), for IDS/IPS at layer 4.

Protect ports at layer 4 (SSL) and (TLS) will protect also layer 6 attacks

Controlling ICMP at layer 3. I will be blocking both inbound and outbound ICMP at the firewall and allow a limited number of ICMPs once this is used for testing purposes.

Activate the Windows built-in on all machines.
Create a central patch server that all systems must communicate with each week, to update all machines on the same day when new patches come out.

Fiber is a good option; however, it is expensive. Anyway, this kind of decision normally relies on the company's size.

Enable BIOS password at layer 1 and of course educate the users
(Social Engineering layer 8 :) )

What would you advise me for a good BACKUP strategy?

Thx all
:wink: