EC Council CHFI Certification Course CF220

Security Analysis and Advanced Penetration Testing
          Designing a DMZ
 Introduction to Designing a DMZ
• DMZ (demilitarized zone)
  – Computer host or small network inserted as a
    “neutral zone” between a company’s private
    network and the outside public network
  – Network construct that provides secure
    segregation of networks that host services for
    users, visitors, or partners
• DMZ use has become a necessary method of
  providing a multilayered, defense-in-depth
  approach to security
Introduction to Designing a DMZ (cont’d.)

Firewalls are essential for the secure segregation of networks.
               DMZ Concepts
• DMZ has proven to be more secure and to
  offer multiple layers of protection for the
  security of the protected networks and
• Bastion host
  – Device in a DMZ that is built to withstand attacks
• Multitiered Firewall with a DMZ Flow
  – DMZ is established, separated, and protected from
    both the internal and external networks
DMZ Concepts (cont’d.)

A multitiered firewall is useful for protection from both
internal and external networks.
      DMZ Design Fundamentals
• DMZ designs generally consist of
   – Firewalls and segments that are protected from each
     other by firewall rules and routing as well as the use
     of RFC 1918 addressing on the internal network
• Design of the DMZ is critically important to the
  overall protection of the internal network
• Access control lists (ACLs)
   – Determine who is allowed access to an item in a
     network and how that item can be used
• DMZ Protocols
   – See next slide
DMZ Design Fundamentals (cont’d.)

  Certain protocols are vulnerable to attack and should be
  used with caution.
     Advanced Design Concepts
• Internal Network Access
  – Consider the methods that might be used to provide
    VPN services
  – Limit or restrict outbound traffic from the internal
    network to inappropriate services
  – Provide for out-of-band management capabilities
• Remote Administration
  – Extremely tempting to use the built-in capabilities of
    the various operating systems and the management
    software provided for many hardware devices
  – It is very important to thoroughly review alternatives
 Advanced Design Concepts (cont’d.)
• Authentication
  – Generally inappropriate to locate a RADIUS or
    TACACS+ server in a DMZ segment
  – It might be necessary to implement a plan to
    accommodate the authentication of users
    entering the DMZ from a public network
  – DMZ design should include a separate
    authentication DMZ segment
     • Equipment in that segment should be hardened
              DMZ Architecture
• Inside-Versus-Outside Architecture
  – Packet-filtering routers act as initial line of defense
• Three-Homed Firewall Architecture
  – A single firewall with three interfaces (external,
    DMZ, internal) mediates all traffic between the
    internal network and the DMZ and between the DMZ
    and the outside; nothing passes between the internal
    and external networks without traversing it
• Weak-Screened Subnet Architecture
  – The screening router carries most of the filtering;
    used when the router handles high-bandwidth data
    streams better than the firewall does
• Strong-Screened Subnet Architecture
  – Both the DMZ and the internal networks are
    protected by a well-functioning firewall
     Designing a DMZ Using IPtables

The inside and outside firewalls in a DMZ serve multiple functions.
        Designing a Wireless DMZ
• Categories of attacks on wireless networks:
  –   Passive attacks
  –   Active attacks
  –   Man-in-the-middle attacks
  –   Jamming attacks
• Placement of Wireless Equipment
  – Depends on needed accessibility area for the WLAN
• Access to DMZ and Authentication Considerations
  – Access to DMZ Services
  – Authentication Considerations
  Designing a Wireless DMZ (cont’d.)
• Wireless DMZ Components
   –   Access Points
   –   Network Adapters
   –   Authentication Servers
   –   Enterprise Wireless Gateways and Wireless Gateways
   –   Firewalls and Screening Routers
• Wireless DMZ Using RADIUS to Authenticate Users
   – See Figure 5-12
• WLAN DMZ security best practices include
   – Perform a risk analysis of the network
   – Develop relevant and comprehensive security policies
 Designing a Wireless DMZ (cont’d.)

A RADIUS server can be used to provide authentication at an access point.
 Specific Operating System Design
• Designing a Windows-Based DMZ
  – Select all the needed networking hardware
  – Scale up the number of connections to the Internet
  – Add more bandwidth and site-to-site VPN services
  – Set up a load-balanced solution
  – Make sure that users can obtain the information they
  – Segment Internet-based resources via the DMZ for an
    added level of safety
  – Finalize the network layout
 Specific Operating System Design (cont’d.)
• Precautions for DMZ Setup
  – Designer should consider other possible access to and
    from the DMZ
• Security Analysis for the DMZ
  – After the DMZ network segment design is finalized
    and the systems are placed where they need to be,
    the security of such systems should be taken into
• ISA Server Support to DMZ Configuration
  – ISA firewall network needs to be created for the
    wireless DMZ segment
  – ISA firewall networks are defined per network
    interface, so the wireless DMZ needs its own interface
 Specific Operating System Design (cont’d.)
• Designing a Sun Solaris DMZ
  – Features include zones, ZFS, and Reduced Networking
    Software Group
  – Placement of Servers
     • Depends on network requirements
     • Smaller networks generally place the DMZ server directly
       behind the router
  – Advanced Implementation of a Solaris DMZ Server
     • See Figure 5-17
  – Solaris DMZ Servers in a Conceptual Highly Available
     • See Figure 5-18
Specific Operating System Design (cont’d.)

    places a switch between the router and the DMZ server.
Specific Operating System Design (cont’d.)

   In this conceptual Solaris configuration,
   three DMZs are connected to the external network switch.
 Specific Operating System Design (cont’d.)
• Designing a Sun Solaris DMZ (cont’d.)
  – Private and Public Network Firewall Rule Set
     • Private Network Rules
     • Public Network Rules
  – DMZ Server Firewall Rule Set
     • Generally, the best policy is to deny all traffic to the
       host from all systems by default, then permit only the
       services the host is published to provide
  – Solaris DMZ System Design (phases)
     • Planning
     • Implementation
     • Maintenance
 Specific Operating System Design (cont’d.)
• Designing a Sun Solaris DMZ (cont’d.)
  – Hardening Checklists for DMZ Servers and Solaris
     • Has a model or diagram of the host been made?
     • Is the host physically secured?
• Designing a Linux DMZ
  – Ethernet Interface Requirements and Configuration
  – Traffic Routing Between Public and DMZ Servers
  – Protecting Internet Servers (Using DMZ Networks)
     • Disable all unnecessary services
     • Run services “chrooted” whenever possible
     • Use Firewall Security Policy and Anti-IP-Spoofing Features
Specific Operating System Design (cont’d.)

   A common Linux DMZ configuration uses a Linux firewall and three
   Ethernet cards.
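A worked ruleset for that three-card Linux firewall, which also serves the "Designing a DMZ Using IPtables" slide above. This is an added example, not code from the course: the interface names, the public range 203.0.113.0/24 (TEST-NET-3), the DMZ 192.168.10.0/24, the internal 10.0.0.0/8, the web server 192.168.10.10 and the admin host 10.0.0.5 are all assumptions. Without APPLY=1 the script only prints the iptables commands, so the policy can be reviewed before it is loaded.

```shell
#!/bin/sh
# Three-homed Linux DMZ firewall built with iptables (added example, not course code).
# Assumed layout, all addresses hypothetical:
#   eth0 = outside (Internet), public address 203.0.113.2/24
#   eth1 = DMZ, 192.168.10.0/24, web server at 192.168.10.10
#   eth2 = inside, 10.0.0.0/8 (RFC 1918 space, never legitimately seen on eth0)
# Run as root with APPLY=1 to load the rules; otherwise the commands are only printed.

EXT_IF=eth0; DMZ_IF=eth1; INT_IF=eth2
DMZ_NET=192.168.10.0/24; INT_NET=10.0.0.0/8; WEB=192.168.10.10
MGMT_HOST=10.0.0.5            # the single internal admin host allowed to SSH into the DMZ

if [ "${APPLY:-0}" = 1 ]; then
    IPT=iptables
    sysctl -q -w net.ipv4.ip_forward=1          # the box routes between the three segments
else
    IPT="echo iptables"                          # dry run: print what would be executed
fi

dmz_rules() {
    # Clean slate and default-deny on every chain (filter and nat tables).
    $IPT -F; $IPT -X; $IPT -t nat -F
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT DROP

    # Anti-spoofing: private and loopback sources must never arrive on the outside
    # interface, and packets claiming our own networks must enter on the right interface.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        $IPT -A INPUT   -i $EXT_IF -s $net -j DROP
        $IPT -A FORWARD -i $EXT_IF -s $net -j DROP
    done
    $IPT -A FORWARD ! -i $DMZ_IF -s $DMZ_NET -j DROP
    $IPT -A FORWARD ! -i $INT_IF -s $INT_NET -j DROP

    # Stateful: replies to sessions that were allowed to start always pass.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Outside -> DMZ: only the published service, only to the published host.
    $IPT -A FORWARD -i $EXT_IF -o $DMZ_IF -d $WEB -p tcp -m multiport --dports 80,443 \
         -m conntrack --ctstate NEW -j ACCEPT

    # Inside -> DMZ: users reach the web server; one admin host gets SSH; nothing else.
    $IPT -A FORWARD -i $INT_IF -o $DMZ_IF -d $WEB -p tcp -m multiport --dports 80,443 \
         -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i $INT_IF -o $DMZ_IF -s $MGMT_HOST -d $DMZ_NET -p tcp --dport 22 \
         -m conntrack --ctstate NEW -j ACCEPT

    # Inside -> outside: restrict outbound to what policy permits (web and DNS here).
    $IPT -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -m multiport --dports 80,443 \
         -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i $INT_IF -o $EXT_IF -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

    # DMZ -> inside: a compromised DMZ host must never open sessions inward. Log, then drop.
    $IPT -A FORWARD -i $DMZ_IF -o $INT_IF -j LOG --log-prefix "DMZ-to-INT: "
    $IPT -A FORWARD -i $DMZ_IF -o $INT_IF -j DROP

    # NAT: hide inside and DMZ behind the public address; publish the web server.
    $IPT -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
    $IPT -t nat -A PREROUTING -i $EXT_IF -p tcp -m multiport --dports 80,443 \
         -j DNAT --to-destination $WEB

    # The firewall host itself: loopback, plus SSH from the admin host on the inside only.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -i $INT_IF -s $MGMT_HOST -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

dmz_rules
```

The DMZ-to-inside DROP rule is redundant with the FORWARD policy; it exists so that the attempt is logged, which is the signal a defender wants from a DMZ host that starts probing inward. Loading this with APPLY=1 from a remote session will cut that session unless it arrives from MGMT_HOST over SSH, which is the point of the out-of-band management item on the "Advanced Design Concepts" slide.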
DMZ Router Security Best Practices
• Checklist for ensuring router security:
   – Authenticate routing updates on dynamic routing
   – Use ACLs to protect network resources and prevent
     address spoofing
   – Secure the management interfaces
   – Lock down the router services
   – Disable interface-related services
   – Disable unneeded services
   – Keep up to date on IOS bug fixes and vulnerabilities
DMZ Switch Security Best Practices
• Checklist to follow to ensure switch security:
   – Secure the management interfaces
   – Lock down the switch services
   – Disable unneeded services
   – Use VLANs to logically segment a switch and PVLANs
     to isolate hosts on a VLAN
   – Use port security to secure the input to an interface
     by limiting and identifying the MAC addresses of hosts
     that are allowed to access the port
   – Do not use VTP on DMZ switches
   – Keep up to date on IOS bug fixes and vulnerabilities,
     and upgrade if necessary
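The router and switch checklists above can be run as an audit over saved running-configs. The script below is an added example, not course material: each checklist item becomes a regular expression over "show running-config" text, and the two sample configs are constructed (hypothetical hostnames and addresses), one router with deliberate gaps and one switch with a single stray port. The "keep up to date on IOS bug fixes" items cannot be judged from a config file and are not checked.

```shell
#!/bin/sh
# Audit saved Cisco IOS running-configs against the DMZ router and switch checklists.
# Added example (not from the course). Sample configs are constructed; every check
# is a regex over the config text. Patterns follow how IOS renders settings in the
# running-config: defaults such as "cdp run" are not shown, so the audit looks for
# the explicit "no cdp run" that appears once the service has been disabled.

FAILS=0
# required <cfg> <what> <regex>: fail when no config line matches
required()  { printf '%s\n' "$1" | grep -Eq -- "$3" || { echo "FAIL: $2"; FAILS=$((FAILS+1)); }; }
# forbidden <cfg> <what> <regex>: fail when some config line matches
forbidden() { ! printf '%s\n' "$1" | grep -Eq -- "$3" || { echo "FAIL: $2"; FAILS=$((FAILS+1)); }; }

# Items shared by both checklists: management interfaces and unneeded services.
mgmt_checks() {
    required  "$1" "vty lines accept SSH only"       '^ *transport input ssh *$'
    forbidden "$1" "telnet reachable on vty lines"   'transport input .*(telnet|all)'
    required  "$1" "SSH protocol version 2 enforced" '^ip ssh version 2'
    required  "$1" "vty lines require login"         '^ *login (local|authentication)'
    required  "$1" "enable secret configured"        '^enable secret'
    required  "$1" "service password-encryption on"  '^service password-encryption'
    forbidden "$1" "HTTP management server enabled"  '^ip http server'
    forbidden "$1" "TCP/UDP small servers enabled"   '^service (tcp|udp)-small-servers'
    required  "$1" "CDP disabled globally"           '^no cdp run'
}

# audit_router <cfg> / audit_switch <cfg>: print each failed check, return the count.
audit_router() {
    FAILS=0; mgmt_checks "$1"
    required "$1" "routing updates authenticated"            '(message-digest|authentication mode|key-string)'
    required "$1" "ACL denies RFC 1918 sources (anti-spoof)" 'deny ip 10\.0\.0\.0 0\.255\.255\.255 any'
    required "$1" "ACL applied inbound on an interface"      '^ *ip access-group [^ ]+ in *$'
    required "$1" "IP source routing disabled"               '^no ip source-route'
    required "$1" "proxy ARP disabled on interfaces"         '^ *no ip proxy-arp'
    required "$1" "ICMP redirects disabled on interfaces"    '^ *no ip redirects'
    return $FAILS
}
audit_switch() {
    FAILS=0; mgmt_checks "$1"
    required  "$1" "VTP off or transparent on DMZ switch" '^vtp mode (transparent|off)'
    required  "$1" "PVLAN isolation configured"           'private-vlan (isolated|community)'
    required  "$1" "port security enabled on a port"      '^ *switchport port-security *$'
    required  "$1" "port security MAC limit set"          'switchport port-security maximum'
    forbidden "$1" "DTP negotiation left enabled"         'switchport mode dynamic'
    return $FAILS
}

# Constructed router sample: telnet on vty (two findings), HTTP server on, CDP not disabled.
ROUTER_CFG=$(cat <<'EOF'
hostname dmz-rtr
service password-encryption
enable secret 5 $1$c0ns$tructedhash
no ip source-route
ip ssh version 2
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip ospf message-digest-key 1 md5 7 0822455D0A16
 no ip proxy-arp
 no ip redirects
ip access-list extended OUTSIDE-IN
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit tcp any host 203.0.113.10 eq 443
ip http server
line vty 0 4
 login local
 transport input telnet ssh
EOF
)
# Constructed switch sample: clean apart from one spare port still negotiating DTP.
SWITCH_CFG=$(cat <<'EOF'
hostname dmz-sw
service password-encryption
enable secret 5 $1$c0ns$tructedhash
no ip http server
no cdp run
ip ssh version 2
vtp mode transparent
vlan 20
 private-vlan primary
vlan 21
 private-vlan isolated
interface GigabitEthernet1/0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 20 21
 switchport port-security
 switchport port-security maximum 1
interface GigabitEthernet1/0/24
 switchport mode dynamic desirable
line vty 0 4
 login local
 transport input ssh
EOF
)

audit_router "$ROUTER_CFG" || echo "router: $? check(s) failed"
audit_switch "$SWITCH_CFG" || echo "switch: $? check(s) failed"
```

To audit real devices, replace the heredocs with the captured output of "show running-config" (for example ROUTER_CFG=$(cat dmz-rtr.cfg)) and extend the pattern lists with the organisation's own standards; the exit status of each audit function is the number of failed checks, so the script drops straight into a change-control pipeline.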
       Six Ways to Stop Data Leaks
• Consider:
  –   Get a handle on the data
  –   Monitor content in motion
  –   Keep an eye on databases
  –   Limit user privileges
  –   Cover those endpoints
  –   Centralize intellectual property data
• Tool: Reconnex
  – Enables an organization to protect all information
    assets on its network without requiring up-front
    knowledge of what needs to be protected
                    Summary
• A DMZ functions as a “neutral zone” between an
  internal and external network
• Multitiered firewalls are often used when there is
  a need to provide more than one type of service
  to the public
• DMZ designers should be aware of protocol
• It is generally inappropriate to locate a RADIUS or
  TACACS+ server in a DMZ segment
• DMZs for wireless networks must be set up with
  certain conditions in mind
              Summary (cont’d.)
• In a three-homed firewall DMZ a single firewall with
  three interfaces handles the traffic between the
  internal network and the DMZ as well as the traffic
  between the DMZ and the outside network
• A site survey can be conducted to determine the
  proper number of access points needed based on
  the expected number of users and the specific
  environment for a WLAN
• Authentication may not be desired if a network is
  publicly accessible
• An access point is a layer-2 device that serves as
  an interface between the wireless network and
  the wired network

