slides - ch. 10

Upload: sandra4211, posted 23-Jun-2015

Page 1: Slides - Ch. 10

1

INFO1200 – Hardening the Infrastructure

Perimeter Network Design

• Design Principles
• Designing an Internet Access Network
• Designing Internet Application Networks
• Designing VPN & Remote Access Termination Networks

Page 2: Slides - Ch. 10


Design Principles
• Overview
• Selecting & Deploying Firewalls
  - Placing Firewalls for Maximum Effect
  - Determining Right Type of Firewall for Perimeter Design
• Including IDSs & IPSs in Your Design
• Creating Network Segments
  - Securing Perimeter Network with VLANs & Routers using ACLs
  - Segmenting using DMZ Networks & Service Networks

Page 3: Slides - Ch. 10


Overview
- Network design is usually a top-down design, a three-step approach:
  1. Collect information to determine the requirements for capacity, functionality, performance, availability, scalability, affordability, manageability & security
  2. Create a logical network design that encompasses the needs of the applications or users
  3. Create a physical network design that includes the real network devices
- For perimeter networks, top-down design must put equal emphasis on designing for security & application requirements

Page 4: Slides - Ch. 10


Selecting & Deploying Firewalls
- Firewalls are meant to be points of control between 2 network security zones, through which all network traffic must flow
- Two main functions:
  - enforcing security policies, i.e. deciding whether to allow network connections
  - logging, to determine traffic patterns & for forensic analysis
- Firewalls alone do not provide complete network protection; they must be implemented in conjunction with IDSs & IPSs

Page 5: Slides - Ch. 10


Placing Firewalls for Maximum Effect
- A good implementation is designed to keep out all network traffic that is not specifically allowed (default deny)
- Firewalls in the perimeter network are responsible for maintaining security policies at all points of access
- They should be placed at any access point to the perimeter network, as well as between any network segments within the perimeter network
- Multiple firewalls or multiple-interface firewalls should be used to create different security zones for different types of traffic requiring different security policies, e.g. the public zone segmented from higher-level security zones such as the management network


Page 7: Slides - Ch. 10


Determining Right Type of Firewall for Perimeter Network
- Firewalls are classified by:
  1. the methods they use to enforce security; choices are:
     - packet-filtering firewalls (including stateful firewalls)
     - proxy-based firewalls
     - circuit gateway firewalls
  2. how they handle network traffic; choices are:
     - routing firewalls
     - bridging-mode firewalls
  3. the physical configuration of the device; choices are:
     - server-based firewalls
     - firewall appliances

Page 8: Slides - Ch. 10


Including IDSs & IPSs in Your Design
- Two main detection methods for IDSs & IPSs:
  - knowledge-based (signature-based) system, which compares network traffic to known attack or intrusion signatures
  - behaviour-based (anomaly-based) system, which examines traffic patterns and compares them with historical trends
- The optimal location for an IDS/IPS depends on its features & functions:
  - a passive IDS should be behind the perimeter firewall, closest to the data to be protected
  - an IPS capable of stopping DoS and DDoS attacks should be placed on the perimeter network, between the perimeter router & the perimeter firewall
  - an IPS capable of quickly matching traffic patterns should be deployed inline to all network traffic, right behind the perimeter firewalls
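The two detection methods on this slide, as an added example that is not code from the textbook or the slides: a knowledge-based detector that matches constructed attack signatures against request payloads, and a behaviour-based detector that compares each source's connection count in the current window against a baseline built from earlier windows. The signatures, the baseline windows, the addresses (RFC 5737 documentation ranges) and the request records are all constructed for illustration.

```python
"""Added example: knowledge-based (signature) vs behaviour-based (anomaly)
detection over constructed request records. Nothing here is from the textbook."""
import re
import statistics
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Record:
    src: str
    dst: str
    dport: int
    payload: str  # first bytes of the request, as text


# Knowledge-based: patterns describing known attacks. Real rule sets are far
# richer; these two are constructed for the example.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./\.\./")),
    ("sqli-tautology", re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.IGNORECASE)),
]


def signature_alerts(records: List[Record]) -> List[Tuple[str, str]]:
    """Return (source, signature name) for every record matching a known pattern."""
    hits = []
    for r in records:
        for name, pattern in SIGNATURES:
            if pattern.search(r.payload):
                hits.append((r.src, name))
    return hits


def per_source_counts(records: List[Record]) -> Dict[str, int]:
    """Connections per source address in one observation window."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r.src] = counts.get(r.src, 0) + 1
    return counts


def baseline_threshold(history: List[Dict[str, int]], k: float = 3.0) -> float:
    """mean + k * stdev of the per-source counts seen in historical windows."""
    baseline = [count for window in history for count in window.values()]
    return statistics.mean(baseline) + k * statistics.pstdev(baseline)


def anomaly_alerts(history: List[Dict[str, int]], current: Dict[str, int], k: float = 3.0) -> List[str]:
    """Behaviour-based: flag sources whose current count is far above the
    historical baseline. A never-seen host is judged against the same baseline,
    so a brand-new noisy scanner is still caught."""
    threshold = baseline_threshold(history, k)
    return sorted(src for src, count in current.items() if count > threshold)


# Constructed history: three earlier windows of ordinary client activity.
HISTORY = [
    {"203.0.113.7": 5, "198.51.100.3": 4, "198.51.100.8": 6},
    {"203.0.113.7": 4, "198.51.100.3": 5, "198.51.100.8": 5},
    {"203.0.113.7": 6, "198.51.100.3": 4, "198.51.100.8": 6},
]

# Constructed current window: normal browsing, one SQL-injection attempt from a
# low-volume client, and a scanning host that also probes for path traversal.
CURRENT = (
    [Record("203.0.113.7", "192.0.2.10", 443, "GET /index.html") for _ in range(5)]
    + [Record("198.51.100.3", "192.0.2.10", 443, "GET /search?q=shoes") for _ in range(3)]
    + [Record("198.51.100.3", "192.0.2.10", 443, "GET /login?user=admin' or '1'='1")]
    + [Record("198.51.100.99", "192.0.2.10", 443, f"GET /page{i}") for i in range(11)]
    + [Record("198.51.100.99", "192.0.2.10", 443, "GET /../../etc/passwd")]
)


if __name__ == "__main__":
    print("signature hits :", signature_alerts(CURRENT))
    print("anomalous hosts:", anomaly_alerts(HISTORY, per_source_counts(CURRENT)))
```

The two methods catch different things: the single injection attempt from the low-volume client is visible only to the signature matcher, while the scanning host is flagged by the baseline comparison even for the requests that match no signature. That complementary coverage is why the slide lists both.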

Page 9: Slides - Ch. 10


Creating Network Segments
- Used to separate the perimeter network into separate networks based on content & use
- Enables network security devices to be implemented at the boundaries between network segments, allowing more control over network traffic
- Methods used to segment the perimeter network include VLANs & routers with access control lists (ACLs)
- Ways to separate the perimeter network architecture include:
  - segmenting the network based on the function and location of the resources within each segment, e.g. a DMZ with web and mail servers
  - segmenting the network based on the services the resources within each segment provide (service networks)
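As an added example covering both the firewall slides (default deny, policy enforcement and logging, stateful versus plain packet filtering) and the ACL-based segmentation on this slide, the Python below models a first-match, default-deny packet filter sitting between an Internet, a DMZ, an internal and a management zone. It is not code from the textbook; the zones, addresses (RFC 5737 documentation ranges and RFC 1918 space), rules and traffic are constructed for illustration.

```python
"""Added example: a default-deny, first-match packet filter with optional
connection tracking, applied to a constructed three-zone perimeter."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "allow" or "deny"
    src: str  # CIDR the source address must fall in
    dst: str  # CIDR the destination address must fall in
    proto: str = "any"  # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


class PacketFilter:
    """First matching rule wins; anything unmatched is denied and logged.
    With stateful=True, replies belonging to an already allowed flow pass
    without needing a rule of their own, which is what lets the policy stay tight."""

    def __init__(self, rules: List[Rule], stateful: bool = True):
        self.rules = rules
        self.stateful = stateful
        self.flows: Set[Tuple[str, str, str, int, int]] = set()  # allowed 5-tuples
        self.log: List[str] = []  # denied connections, for forensics and policy review

    def evaluate(self, pkt: Packet) -> str:
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if self.stateful and reverse in self.flows:
            return "allow"  # reply to an established, previously allowed flow
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.flows.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
                else:
                    self.log.append(f"DENY rule={rule.name} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}/{pkt.proto}")
                return rule.action
        # Default deny: nothing not explicitly allowed gets through, and it is logged.
        self.log.append(f"DENY rule=default {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}/{pkt.proto}")
        return "deny"


# Constructed zones: Internet = everything else, DMZ = 192.0.2.0/24,
# internal = 10.0.0.0/8, management = 10.255.0.0/24 (a segment inside internal).
POLICY = [
    Rule("web-in", "allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),
    Rule("mail-in", "allow", "0.0.0.0/0", "192.0.2.20/32", "tcp", 25),
    Rule("web-to-db", "allow", "192.0.2.10/32", "10.1.1.5/32", "tcp", 5432),
    Rule("mgmt-ssh", "allow", "10.255.0.0/24", "192.0.2.0/24", "tcp", 22),
    # The broad deny from the public zone into internal space sits after the
    # narrow app-tier allow above: rule order is part of the policy.
    Rule("dmz-to-int", "deny", "192.0.2.0/24", "10.0.0.0/8"),
]

# Constructed traffic: a browser session and its reply, an SSH probe from the
# Internet, the web tier talking to its database, a compromised DMZ host trying
# to reach the management segment, and an admin reaching the mail server.
TRAFFIC = [
    Packet("203.0.113.7", "192.0.2.10", "tcp", 51000, 443),  # client -> web
    Packet("192.0.2.10", "203.0.113.7", "tcp", 443, 51000),  # web -> client (reply)
    Packet("203.0.113.7", "192.0.2.10", "tcp", 51001, 22),  # SSH probe from Internet
    Packet("192.0.2.10", "10.1.1.5", "tcp", 40000, 5432),  # web -> db
    Packet("192.0.2.10", "10.255.0.5", "tcp", 40001, 22),  # DMZ -> management
    Packet("10.255.0.5", "192.0.2.20", "tcp", 40002, 22),  # admin -> mail server
]


def run_policy(stateful: bool) -> List[str]:
    """Verdict for each packet in TRAFFIC, in order."""
    fw = PacketFilter(POLICY, stateful=stateful)
    return [fw.evaluate(p) for p in TRAFFIC]


def denied_log(stateful: bool = True) -> List[str]:
    """Log lines produced while evaluating TRAFFIC."""
    fw = PacketFilter(POLICY, stateful=stateful)
    for p in TRAFFIC:
        fw.evaluate(p)
    return fw.log


if __name__ == "__main__":
    print("stateful :", run_policy(True))
    print("stateless:", run_policy(False))
    for line in denied_log():
        print(line)
```

Running it stateful and stateless shows why connection tracking matters for a tight policy: the web server's reply to the client passes only because the outbound flow was tracked, whereas a stateless filter would need an extra rule opening high ports from the DMZ towards the Internet. The DMZ host's attempt to reach the management segment is stopped by the explicit deny and logged, while the same host's database connection is still allowed by the narrower rule ahead of it.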

Page 10: Slides - Ch. 10


Designing an Internet Access Network

• Considerations when Designing Internet Access Network

• Designing Logical & Physical Networks

Page 11: Slides - Ch. 10


Considerations when Designing Internet Access Network
- Based on top-down network design: first collect the requirements
- Requirements are generally broken down into two types, business & technical
- Results are displayed in Table 10.1 of the textbook


Page 14: Slides - Ch. 10


Logical & Physical Network Design for Internet Access Network

- Logical design is displayed in Figure 10.2 in textbook

- Physical design is displayed in Figure 10.3 in textbook


Page 17: Slides - Ch. 10


Designing Internet Application Networks

• Considerations when Designing Internet Application Networks

• Logical & Physical Network Design

Page 18: Slides - Ch. 10


Considerations when Designing Internet Application Networks
- A similar top-down network design approach is required as for the Internet Access Network
- Results are displayed in Table 10.2 of the textbook


Page 20: Slides - Ch. 10


Logical & Physical Network Design for Internet Application Network

- Logical design is displayed in Figure 10.4 in textbook

- Physical design is displayed in Figure 10.5 in textbook


Page 23: Slides - Ch. 10


Designing VPN & Remote Access Termination Networks

• Considerations when Designing VPN & Remote Access Termination Networks

• Logical & Physical Network Design

Page 24: Slides - Ch. 10


Considerations when Designing VPN & Remote Access Termination Networks
- A similar top-down network design approach is required as for the Internet Access Network & Internet Application Network
- Results are displayed in Table 10.3 of the textbook


Page 26: Slides - Ch. 10


Logical & Physical Network Design for VPN & Remote Access Termination Network

- Logical design is displayed in Figure 10.6 in textbook

- Physical design is displayed in Figure 10.7 in textbook
