slides - ch. 10
TRANSCRIPT
INFO1200 – Hardening the Infrastructure
Perimeter Network Design
• Design Principles
• Designing an Internet Access Network
• Designing Internet Application Networks
• Designing VPN & Remote Access Termination Networks
Design Principles
• Overview
• Selecting & Deploying Firewalls
• Placing Firewalls for Maximum Effect
• Determining Right Type of Firewall for Perimeter Design
• Including IDSs & IPSs in Your Design
• Creating Network Segments
• Securing Perimeter Network with VLANs & Routers using ACLs
• Segmenting using DMZ Networks & Service Networks
Overview
- Network design is usually a top-down design, following a three-step approach:
  1. collect information to allow determination of requirements for capacity, functionality, performance, availability, scalability, affordability, manageability & security
  2. create a logical network design that encompasses the needs of the applications or users
  3. create a physical network design that includes the real network devices
- For perimeter networks, top-down design must put equal emphasis on designing for security & application requirements
Selecting & Deploying Firewalls
- meant to be points of control between 2 network security zones through which all network traffic must flow
- two main functions:
  - enforcing security policies – i.e. deciding whether to allow network connections
  - logging – to determine traffic patterns & for forensic analysis
- firewalls alone do not provide complete network protection – must be implemented in conjunction with IDSs & IPSs
Placing Firewalls for Maximum Effect
- a good implementation is designed to keep out all network traffic that is not specifically allowed
- firewalls in the perimeter network are responsible for maintaining security policies at all points of access
- should be placed at any access point to the perimeter network as well as between any network segments within the perimeter network
- multiple firewalls or multiple-interface firewalls should be used to create different security zones for different types of traffic requiring different security policies – i.e. the public zone segmented from higher-level security zones like the management network
Determining Right Type of Firewall for Perimeter Network
- firewalls classified by:
  1. methods they use to enforce security – choices are:
     - packet-filtering firewalls (including stateful firewalls)
     - proxy-based firewalls
     - circuit gateway firewalls
  2. how they handle network traffic – choices are:
     - routing firewalls
     - bridging mode firewalls
  3. the physical configuration of the device – choices are:
     - server-based firewalls
     - firewall appliances
Including IDSs & IPSs in Your Design
- two main systems for IDSs & IPSs to detect intrusions:
  - knowledge-based system – compares network traffic to known attack or intrusion signatures
  - behaviour-based system – examines traffic patterns and compares them with historical trends
- optimal location for an IDS/IPS depends on its features & functions:
  - a passive IDS should be behind the perimeter firewall, closest to the data to be protected
  - an IPS capable of stopping DoS and DDoS attacks should be placed on the perimeter network between the perimeter router & the perimeter firewall
  - an IPS capable of quickly matching traffic patterns should be deployed inline to all network traffic right behind the perimeter firewalls
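The two detection approaches above, as an added example (not code from the slides or the textbook): a knowledge-based detector matches each record against a small signature set, while a behaviour-based detector compares each source's per-minute connection count with a historical baseline (mean plus three standard deviations). The record format, the signatures, the baseline counts and the traffic sample are all constructed for illustration; the sample contains one request that only the signature detector catches and one connection burst that only the behaviour detector catches, which is why the slides pair the two.

```python
"""Knowledge-based vs behaviour-based intrusion detection on constructed traffic.

Added example for this lecture outline; it is not code from the slides or the
textbook. The record format (time, src, dst, dport, payload), the signatures,
the baseline and the traffic sample are constructed for illustration.
"""
import re
import statistics
from collections import Counter, defaultdict

# Constructed sample of connection records: (time_s, src_ip, dst_ip, dst_port, payload)
SAMPLE_TRAFFIC = [
    (1.0, "203.0.113.10", "192.0.2.80", 80, "GET /index.html HTTP/1.1"),
    (5.0, "203.0.113.10", "192.0.2.80", 80, "GET /about.html HTTP/1.1"),
    (9.0, "203.0.113.11", "192.0.2.80", 80, "GET /../../config.ini HTTP/1.1"),
    (12.0, "203.0.113.10", "192.0.2.25", 25, "EHLO mail.example.net"),
]
# One source opening 12 connections to consecutive ports within a few seconds:
# none of its payloads matches a signature, only its rate is abnormal.
SAMPLE_TRAFFIC += [
    (20.0 + i, "198.51.100.7", "192.0.2.80", 1000 + i, "") for i in range(12)
]

# Constructed historical baseline: connections per minute seen from a typical single source.
HISTORICAL_PER_SOURCE_PER_MINUTE = [3, 4, 5, 4, 3, 6, 4, 5, 4, 3]

# --- Knowledge-based: compare traffic to known intrusion signatures ----------------
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./\.\./"),
    "unexpected-http-method": re.compile(r"^(TRACE|CONNECT) "),
}


def knowledge_based(records):
    """Return (time, src, signature_name) for every record that matches a signature."""
    alerts = []
    for t, src, _dst, _dport, payload in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                alerts.append((t, src, name))
    return alerts


# --- Behaviour-based: compare current activity with the historical trend ------------
def rate_threshold(baseline, k=3.0):
    """Alert threshold = mean + k * (population) standard deviation of the baseline."""
    return statistics.mean(baseline) + k * statistics.pstdev(baseline)


def behaviour_based(records, baseline=HISTORICAL_PER_SOURCE_PER_MINUTE,
                    window_s=60.0, k=3.0):
    """Return (window_index, src, count) for each source whose connection count in a
    window exceeds the threshold derived from the historical baseline."""
    threshold = rate_threshold(baseline, k)
    per_window = defaultdict(Counter)
    for t, src, *_ in records:
        per_window[int(t // window_s)][src] += 1
    return [
        (window, src, n)
        for window, counts in sorted(per_window.items())
        for src, n in counts.items()
        if n > threshold
    ]


if __name__ == "__main__":
    print("signature alerts:", knowledge_based(SAMPLE_TRAFFIC))
    print("behaviour alerts:", behaviour_based(SAMPLE_TRAFFIC))
```

With the constructed baseline the threshold works out to roughly 6.9 connections per minute, so the twelve-connection burst is flagged while the ordinary browsing sources (three and one connections) are not; the traversal request is flagged by the signature detector only.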
Creating Network Segments
- used to separate the perimeter network into separate networks based on content & use
- enables network security devices to be implemented at boundaries between network segments, allowing more control over network traffic
- methods used to segment the perimeter network include:
  - VLANs & routers with access control lists
- ways to separate the perimeter network architecture include:
  - segmenting the network based on the function and location of resources within each segment – i.e. a DMZ with web and mail servers
  - segmenting the network based on the services that resources within each segment provide
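The segmentation and firewall points from the earlier slides combined in one added example (not code from the slides or the textbook): the perimeter is split into DMZ, services and management segments, each mapped to one VLAN subnet; an ordered, router-style ACL between zones is evaluated top-down with first match wins and an implicit deny at the end; the firewall also keeps a connection table so that replies to permitted connections pass while unsolicited traffic from a lower-trust segment does not; and every decision is logged for traffic analysis and forensics. Segment names, subnets (RFC 5737 documentation ranges), rules and addresses are all constructed; 198.18.0.7 stands in for an outside client.

```python
"""Zone-based perimeter firewall with a router-style ACL, connection tracking
and decision logging.

Added example for this lecture outline, not code from the slides or the
textbook. Segment names, subnets, rules and test addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Perimeter segments, one VLAN/subnet each (constructed). Anything not listed is "internet".
SEGMENTS = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),           # public web & mail servers
    "services": ipaddress.ip_network("198.51.100.0/24"),   # back-end services used by the DMZ
    "management": ipaddress.ip_network("203.0.113.0/24"),  # admin hosts, highest security
}


def zone_of(ip: str) -> str:
    """Map an address to its segment; unknown addresses are treated as the internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # zone name or "any"
    dst: str               # zone name or "any"
    proto: str             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]   # None matches any destination port

    def matches(self, src_zone, dst_zone, proto, dport) -> bool:
        return (self.src in ("any", src_zone)
                and self.dst in ("any", dst_zone)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


# Ordered ACL (constructed): first match wins, anything unmatched is implicitly denied.
ACL = [
    Rule("permit", "internet", "dmz", "tcp", 80),      # public web
    Rule("permit", "internet", "dmz", "tcp", 443),
    Rule("permit", "internet", "dmz", "tcp", 25),      # inbound mail
    Rule("permit", "dmz", "services", "tcp", 5432),    # web tier -> database only
    Rule("permit", "management", "any", "tcp", 22),    # admins may SSH into any segment
]


class PerimeterFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.conntrack = set()   # flows that were permitted as new connections
        self.log = []            # (decision, reason, flow): the forensic record

    def filter(self, src, sport, dst, dport, proto="tcp") -> bool:
        flow = (src, sport, dst, dport, proto)
        # Stateful part: a reply belongs to a flow we permitted earlier.
        if (dst, dport, src, sport, proto) in self.conntrack:
            self.log.append(("permit", "established", flow))
            return True
        # New connection: evaluate the ACL between the two zones, first match wins.
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        for index, rule in enumerate(self.rules, start=1):
            if rule.matches(src_zone, dst_zone, proto, dport):
                if rule.action == "permit":
                    self.conntrack.add(flow)
                self.log.append((rule.action, f"rule {index}", flow))
                return rule.action == "permit"
        # Implicit deny. Logged here, since a router's implicit deny is usually
        # silent unless an explicit logging deny is appended to the ACL.
        self.log.append(("deny", "implicit", flow))
        return False


def demo():
    """Run constructed flows through the firewall; returns decisions and the log."""
    fw = PerimeterFirewall(ACL)
    results = {
        "client->web": fw.filter("198.18.0.7", 51000, "192.0.2.10", 80),
        "web->client reply": fw.filter("192.0.2.10", 80, "198.18.0.7", 51000),
        "client->mgmt ssh": fw.filter("198.18.0.7", 51001, "203.0.113.5", 22),
        "web->db": fw.filter("192.0.2.10", 40000, "198.51.100.20", 5432),
        "web->mgmt ssh": fw.filter("192.0.2.10", 40001, "203.0.113.5", 22),
        "db->web unsolicited": fw.filter("198.51.100.20", 5432, "192.0.2.10", 40999),
    }
    return results, fw.log


if __name__ == "__main__":
    decisions, log = demo()
    for name, allowed in decisions.items():
        print(f"{name:22s} {'PERMIT' if allowed else 'DENY'}")
    for entry in log:
        print(entry)
```

The ACL has no rule from the DMZ or services segments into management, so a web server that is later compromised cannot reach the admin hosts, and an unsolicited packet from the database segment toward the DMZ is dropped because no matching entry exists in the connection table; both outcomes appear in the log with the reason that produced them.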
Designing an Internet Access Network
• Considerations when Designing Internet Access Network
• Designing Logical & Physical Networks
Considerations when Designing Internet Access Network
- based on top-down network design – 1st collect requirements
- requirements generally broken down into two types – business & technical
- results are displayed in Table 10.1 of textbook
Logical & Physical Network Design for Internet Access Network
- Logical design is displayed in Figure 10.2 in textbook
- Physical design is displayed in Figure 10.3 in textbook
Designing Internet Application Networks
• Considerations when Designing Internet Application Networks
• Logical & Physical Network Design
Considerations when Designing Internet Application Networks
- similar top-down network design approach required as for Internet Access Network
- results are displayed in Table 10.2 of textbook
Logical & Physical Network Design for Internet Application Network
- Logical design is displayed in Figure 10.4 in textbook
- Physical design is displayed in Figure 10.5 in textbook
Designing VPN & Remote Access Termination Networks
• Considerations when Designing VPN & Remote Access Termination Networks
• Logical & Physical Network Design
Considerations when Designing VPN & Remote Access Termination Networks
- similar top-down network design approach required as for Internet Access Network & Internet Application Network
- results are displayed in Table 10.3 of textbook
Logical & Physical Network Design for VPN & Remote Access Termination Network
- Logical design is displayed in Figure 10.6 in textbook
- Physical design is displayed in Figure 10.7 in textbook