Download - Network Security Topologies (1)
-
7/31/2019 Network Security Topologies (1)
1/29
Jason Kennedy
March 23, 2004
-
7/31/2019 Network Security Topologies (1)
2/29
Perimeter Security Topologies
Demilitarized zone (DMZ)
Network Address Translation
Tunneling
Virtual Local Area Networks
-
7/31/2019 Network Security Topologies (1)
3/29
Perimeter networks permit communicationbetween the organization and third
parties.
Technology closely related to perimeter
networks is network address translation(NAT). .
-
7/31/2019 Network Security Topologies (1)
4/29
It is critical to create a strong networkperimeter that protects internal resources
from threats outside the org.Problems can occur from:
The internet (no power to enforce security)
External networks (business partners,customers, suppliers)
Need to block undesirable network traffic
-
7/31/2019 Network Security Topologies (1)
5/29
Goal is to selectively admit or deny traffic(or data flows) from other networks
based on a number of criteria, such as: Type of protocol
Source of request
Destination
Content
Admitted or denied based on companiessecurity policy.
-
7/31/2019 Network Security Topologies (1)
6/29
Enforced primarily by firewalls
Firewalls used to create choke points onthe network perimeter.
Firewall inspects each packet forcompliance with the security policy.
-
7/31/2019 Network Security Topologies (1)
7/29
To have a successful network security perimeter, thefirewall must be the gateway for all communicationsbetween trusted networks and untrusted and unknown
networks. Each network can contain multiple perimeter networks.
Three types:
The outermost perimeter
Internal perimeter
The innermost perimeter
-
7/31/2019 Network Security Topologies (1)
8/29
Outermost
Identifies the separation point between the assets you control and theassets you dont control.
This is the router you use to separate your network from your ISPs
network.
Internal
Represent additional boundaries where you have other securitymechanisms in place.
Ex. When a manager creates a new policy, each network that makes
up that topology must be classified as one of three types of networks:
Trusted
Semi trusted
Untrusted
-
7/31/2019 Network Security Topologies (1)
9/29
-
7/31/2019 Network Security Topologies (1)
10/29
The Outermost perimeter is the most insecure area ofyour network infrastructure.
Normally reserved for routers, firewalls, and public
Internet servers, such as HTTP, FTP, and Gopherservices
The easiest area to gain access to and therefore themost frequently attacked.
Sensitive company info should not be put in this area.
-
7/31/2019 Network Security Topologies (1)
11/29
1. Know your enemy
Consider who might attack
Identify motivations for an attack
What could they do?
2. Counting the Cost
Weigh costs against benefits
3. Identifying Any Assumptions Dont assume hackers know less than you
-
7/31/2019 Network Security Topologies (1)
12/29
4. Controlling Your Secrets
Use passwords and encryption keys
Have a limited number of secrets
5. Knowing Your Weaknesses Understand system weak points
Areas of potential danger
6. Limiting the Scope of Access
Create barriers in your system, so if intruders attack onepoint of the system, they do not automatically have accessto other points.
-
7/31/2019 Network Security Topologies (1)
13/29
7. Understanding Your Environment
Know what is expected and unexpected from yoursystem.
Any traffic or patterns that stray from the normshould be investigated.
8. Limiting Your Trust
Know which software you rely on S/W has bugs too!
-
7/31/2019 Network Security Topologies (1)
14/29
DMZ are areas that are within the autonomous system, but are notas tightly controlled as the networks interior.
Used by companies that want to host its own Internet services,without sacrificing unauthorized access to its private network.
Sits between the Internet and an internal networks line of
defense, and is usually some combination of firewalls and bastionhosts.
Basically involves adding multiple firewall layers of security
between the Internet and a companies critical data and businesslogic.
-
7/31/2019 Network Security Topologies (1)
15/29
A typical DMZ configuration includes:
Outer firewall b/t the Internet and the Web Server processingthe requests originating on the company Web site.
Inner firewall b/t the Web Server and the appl. Server to whichit is forwarding requests. Date resides behind this.
-
7/31/2019 Network Security Topologies (1)
16/29
How it works in a small business:
A separate computer receives requests from users within theprivate network for access to Web sites or other companyresources on the public network.
The bastion host then initiates sessions for these requests on
the public network. The bastion is not able to initiate a sessionback into the private network. It can only forward packets thathave been requested.
Users on the public network outside the company can accessonly the hosts on the DMZ. They can only view your website.
Use filtering to impair an attackers ability to have a
vulnerable host communicate to the attackers host.
-
7/31/2019 Network Security Topologies (1)
17/29
Other security tips:
Filter the source of the IP address to determine if itsis one on the DMZ network.
Solid understanding of network traffic.
FTP and DNS initiate outbound connections.Special considerations should be given to theseprotocols.
-
7/31/2019 Network Security Topologies (1)
18/29
Intranet A network topology or the application (Web portal) that
enterprises use as a single point of access to deliver servicesto employees and business units.
Also called a campus network.
Main purpose is to share company info and company
resources among employees. Extranet
Private network that uses the Internet protocol and the publictelecommunication system to securely share part of abusinesss info or operations with suppliers, vendors, partners,
customers, or other businesses. For users outside of the company.
Requires firewall mgt., the use of digital certificates,encryption, and the use of VPNs.
-
7/31/2019 Network Security Topologies (1)
19/29
An Internet standard that enables a local area networkto use one set of IP addresses for internal traffic and asecond set of addresses for external traffic.
-
7/31/2019 Network Security Topologies (1)
20/29
Serves two main purposes:
1. Provides a type of firewall by hiding internal IP addresses
2. Enables a company to use more internal IP addresses.
When communication between a privately addressedhost and a public network (the Internet) is needed,address translation is required. This is where NATcomes in.
-
7/31/2019 Network Security Topologies (1)
21/29
NAT is like the receptionist in a large officeLets say you left instructions with the receptionist not to forward any
calls to you unless you request it.
Later on, you call a potential client and leave a message for thatclient to call you back.
You tell the receptionist that you are expecting a call from this clientand to put the client through when he/she calls back.
The client calls the main number to your office, which is the onlynumber the client knows.
When the client tells the receptionist that he/she is looking for you,the receptionist checks the lookup table that matches your namewith your extension.
The receptionist knows that you requested this call, and forwards youthe call (message).
-
7/31/2019 Network Security Topologies (1)
22/29
NAT routers sit on the border between public andprivate networks.
NAT works by creating bindings between addresses.
Static NAT a one to one mapping between public andprivate addresses.
Dynamic NAT maps an unregistered IP address to aregistered IP address from a group of registered IP
addresses.
-
7/31/2019 Network Security Topologies (1)
23/29
In static NAT, the computer with the IP address of192.168.32.10 will always translate to 213.18.123.110
-
7/31/2019 Network Security Topologies (1)
24/29
Edge devices that run dynamic NAT create binding on
the fly by building a NAT table.
Connections initiated by private hosts are assigned a
public address from a pool.
As long as the private hosts has an outgoingconnection, it can be reached by incoming packetssent to this public address.
When the connection expires, the binding expires, andthe address is returned to the pool for REUSE.
-
7/31/2019 Network Security Topologies (1)
25/29
In dynamic NAT, the computer with the IP address192.168.32.10 will translate to the first availableaddress in the range from 213.18.123.100 to213.18.123.150.
-
7/31/2019 Network Security Topologies (1)
26/29
Port Address Translation (PAT)
Used to allow many hosts to share a single IP address bymultiplexing streams differentiated by TCP/UDP port numbers
Ex. Suppose private hosts 192.168.0.2 and 192.168.0.3 bothsend packets from source port 1108. A PAT router mighttranslate these to a single public IP address 206.245.160.1and two different source ports, lets say 61001 and 61002.Response traffic received for port 61001 is routed back to
192.168.0.2:1108, while port 61002 traffic is routed back to192.168.0.3:1108.
Commonly implemented on Small Office / Home Officerouters (SOHO)
-
7/31/2019 Network Security Topologies (1)
27/29
Technology that enables a network to securely send itsdata through an untrusted or shared networkinfrastructure.
Works by encrypting and encapsulating the securedtraffic within packets carried by the second network.
VPN is the best known example of tunneling
Tunnel is actually an agreement between routers on
how the data is encrypted.
-
7/31/2019 Network Security Topologies (1)
28/29
Virtual local area networks
A way of dividing a single physical network switch amongmultiple network segments or broadcast domains.
Ability to configure multiple LANs on a single switch
Trunk allows switches to share many VLANs over asingle physical link
Routers needed to make different VLANs talk
-
7/31/2019 Network Security Topologies (1)
29/29