Data Center Network Security by unf12316


Data Center Network Infrastructure and Security Topics
              Best practices
• Best Practice is a management idea which
  asserts that there is a technique, method,
  process, activity, incentive or reward that is more
  effective at delivering a particular outcome than
  any other technique, method, process, etc.
• The idea is that with proper processes, checks,
  and testing, a project can be rolled out and
  completed with fewer problems and unforeseen
         Network Infrastructure
• Communications in data centers today are most often
  based on networks running the IP protocol suite.
• Data centers contain a set of routers and switches that
  transport traffic between the servers and to the outside
• Redundancy is sometimes provided by getting the
  network connections from multiple vendors.
• Some of the servers at the data center are used for
  running the basic Internet and intranet services needed
  by internal users in the organization: email servers,
  proxy servers, DNS servers, etc.
       Network Infrastructure
• Some of the servers at the data center are
  used for running the basic Internet and
  intranet services needed by internal users
  in the organization
  – email servers
  – proxy servers
  – DNS servers
        Network Infrastructure
• Network security elements are also usually
  – Firewalls
  – VPN gateways
  – Intrusion detection systems
• Also common are monitoring systems for the
  network and some of the applications.
• Additional offsite monitoring systems are also
  typical, in case of a failure of communications
  inside the data center.
• The main purpose of a data center is running the
  applications that handle the core business and
  operational data of the organization.
• Such systems may be proprietary and
  developed internally by the organization, or
  bought from enterprise software vendors.
• Common examples of such applications are ERP and CRM.
• Enterprise Resource Planning systems (ERPs)
  integrate (or attempt to integrate) all data and
  processes of an organization into a unified
• A typical ERP system will use multiple
  components of computer software and hardware
  to achieve the integration.
• A key ingredient of most ERP systems is the use
  of a unified database to store data for the
  various system modules.
• Customer relationship management
  (CRM) is a broad term that covers
  concepts used by companies to manage
  their relationships with customers,
  including the capture, storage and analysis
  of customer information.
                 Aspects of CRM

•   There are four aspects of CRM, each of which can be
    implemented in isolation:
    1. Active CRM: Centralized database which facilitates the organization
       of data and automates business processes and common tasks.
    2. Operational CRM: automation or support of customer processes
       that include a company’s sales or service representatives
    3. Collaborative CRM: direct communication with customers that
       does not include a company’s sales or service representatives
       (“self service”)
    4. Analytical CRM: analysis of customer data for a broad range of
 CRM: Technology considerations
• The technology requirements of a CRM strategy are very
  complex and far reaching. The basic building blocks are:
   – A database to store customer information. This can be a CRM
     specific database or an enterprise data warehouse.
   – Operational CRM requires customer agent support software.
   – Collaborative CRM requires customer interaction systems, e.g. an
     interactive website, automated phone systems, etc.
   – Analytical CRM requires statistical analysis software, as well as
     software that manages any specific marketing campaigns.
   – Support CRM systems require interactive chat software to
     provide live help and support to web site visitors.
CRM: Privacy and Data Security
• The data gathered as part of CRM must
  consider customer privacy and data
  security. Customers want the assurance
  that their data is not shared with 3rd
  parties without their consent and not
  accessed illegally by 3rd parties.

• Customers also want their data used by
  companies to provide a benefit for them.
• In computer security terminology, a DMZ is a
  network area that sits between an organization's
  internal network and an external network,
  usually the Internet.
• Typically, the DMZ contains devices accessible
  to Internet traffic, such as
  –   Web (HTTP) servers
  –   FTP servers
  –   SMTP (e-mail) servers
  –   DNS servers.
• In computer security, a demilitarized zone
  (DMZ) or perimeter network is a network
  area (a subnetwork) that sits between an
  organization's internal network and an
  external network, usually the Internet.
• The point of a DMZ is that connections
  from the internal and the external network
  to the DMZ are permitted, whereas
  connections from the DMZ are only
  permitted to the external network -- hosts
  in the DMZ may not connect to the internal
• This allows the DMZ's hosts to provide
  services to the external network while
  protecting the internal network in case
  intruders compromise a host in the DMZ.
  For someone on the external network who
  wants to illegally connect to the internal
  network, the DMZ is a dead end.
• Connections from the external network to
  the DMZ are usually controlled using port
  address translation (PAT).
• Port Address Translation (PAT) is a feature of a
  network device that translates TCP or UDP
  communications made between a host and port
  on an outside network, and a host and port on
  an inside network. It allows a single IP address
  to be used for many internal hosts. PAT may
  allow one public IP address to handle
  communication for 65536 inside hosts.
• A PAT device can transparently and
  automatically modify the IP packets' destination
  or source host IP and port fields belonging to its
  internal hosts.
• PAT is closely related to the concept of
  Network Address Translation, often called
• Similar to NAT, port translation makes
  changes to the sender’s address or
  recipient’s address on data packets.
• However, any IP address change involves
  the PAT device’s outside IP address rather
  than a pool of addresses as in NAT.
• PAT translates both the IP and port fields,
  wherever those values belong to an internal
  host.
• Port numbers on packets coming from the
  external network, rather than destination
  IP addresses, are used to identify and
  designate traffic to different computers on
  the inside network.
• Server (public) IP addresses have worldwide
  significance and ports have significance that depend on
  the particular type of communication desired (e.g. web,
  email, FTP).
• The significance of the IP address on an internal host
  however needs only to be limited to the organizational
  entity where it resides. Thus private addresses as given
  in RFC 1918 may be used.
• Additionally, the port number of a client application on a
  client host is significant only to that particular host.
• Consequently within an organization any communicating
  client application can be uniquely identified by the
  combination of its host IP (organizational significance)
  and host port (host only significance).
• A PAT device is like a post office that
  delivers box mail: outgoing envelopes are
  changed to appear to come from a post
  office box; incoming envelopes addressed
  to a valid post office box are changed to
  have the real street address of the box
• PAT can only translate/replace IP
  addresses and ports for its internal hosts.
• As a consequence of its function it
  effectively hides the true endpoint IP
  address and port of the internal hosts.
• However, PAT must of course leave the
  public IP address and port information of
  the external host unmodified.
• Port translation allows many computers to
  share a single IP address.
• The PAT device periodically deletes
  translations from its table when they no
  longer appear to be in use.
• Because the port number field is a 16-bit
  unsigned number (0-65535), the likelihood
  of an inside computer not being able to
  send outside traffic is greatly reduced.
• The PAT operation is typically invisible to both
  the internal and external hosts.
• Typically the internal host is aware of the true IP
  address and TCP or UDP port of the external
• Typically the PAT device may function as the
  default gateway for the internal host.
• However the external host is only aware of the
  public IP address for the PAT device and the
  particular port being used to communicate on
  behalf of a specific internal host.
• The PAT device usually sits at the network
  perimeter where one side connects to the
  external network, usually the public
• On the other side is the internal network,
  usually with private IP addressing.
• Firewall systems and multi-port broadband
  network access devices (e.g. ADSL
  routers, cable modems) tend to use PAT.
• In the configuration of those devices, the
  outside network is the Internet and the
  inside network is the LAN.
• Advantage:
  – PAT's main advantage is that multiple internal hosts
    can share a single IP address for communication.
• Disadvantage:
  – Only a single public service, e.g. HTTP on port 80, can be
    exposed per public IP address.
  – Thus an organization using PAT and a single IP
    cannot easily run more than one of the same type of
    public service behind a PAT e.g. two public web
    servers using the default port 80.
• The process of network address translation (NAT, also
  known as network masquerading, native address
  translation or IP-masquerading) involves re-writing the
  source and/or destination addresses of IP packets as
  they pass through a router or firewall.
• Most systems using NAT do so in order to enable
  multiple hosts on a private network to access the Internet
  using a single public IP address (see gateway).
• According to specifications, routers should not act in this
  way, but many network administrators find NAT a
  convenient technique and use it widely.
• Nonetheless, NAT can introduce complications in
  communication between hosts.
• In a typical configuration, a local network uses one of the
  designated "private" IP address subnets (the RFC 1918
  Private Network Addresses are 192.168.x.x, 172.16.x.x
  through 172.31.x.x, and 10.x.x.x), and a router on that
  network has a private address (such as in
  that address space.
• The router is also connected to the Internet with a single
  "public" address (known as "overloaded" NAT) or
  multiple "public" addresses assigned by an ISP.
• As traffic passes from the local network to the Internet,
  the source address in each packet is translated on the fly
  from the private addresses to the public address(es).
• The router tracks basic data about each active
  connection (particularly the destination address and
• When a reply returns to the router, it uses the connection
  tracking data it stored during the outbound phase to
  determine where on the internal network to forward the
   – the TCP or UDP client port numbers are used to demultiplex the
     packets in the case of overloaded NAT, or IP address and port
     number when multiple public addresses are available, on packet
• To a system on the Internet, the router itself appears to
  be the source/destination for this traffic.
• Drawbacks:
  – Hosts behind a NAT-enabled router do not have true
    end-to-end connectivity and cannot participate in
    some Internet protocols.
  – Services that require the initiation of TCP
    connections from the outside network, or stateless
    protocols such as those using UDP, can be disrupted.
  – Use of NAT also complicates tunneling protocols such
    as IPsec because NAT modifies values in the
    headers which interfere with the integrity checks done
    by IPsec and other tunneling protocols
• In addition to the convenience and low cost of NAT, the
  lack of full bidirectional connectivity can be regarded in
  some situations as a feature rather than a limitation.
• To the extent that NAT depends on a machine on the
  local network to initiate any connection to hosts on the
  other side of the router, it prevents malicious activity
  initiated by outside hosts from reaching those local
• This can enhance the reliability of local systems by
  stopping worms and enhance privacy by discouraging
  scans. Many NAT-enabled firewalls use this as the core
  of the protection they provide.
• The greatest benefit of NAT is that it is a
  practical solution to the impending exhaustion of
  IPv4 address space.
  – Networks that previously required a Class B IP range
    or a block of Class C network addresses can now be
    connected to the Internet with as little as a single IP
    address (many home networks are set up this way).
  – The more common arrangement is having machines
    that require true bidirectional and unfettered
    connectivity supplied with a 'real' IP address, while
    having machines that do not provide services to
    outside users (e.g. a secretary's computer) tucked
    away behind NAT with only a few IP addresses used
    to enable Internet access.
• Two kinds of network address translation exist.
  – The type popularly called simply "NAT" (also
    sometimes named "Network Address Port
    Translation" or "NAPT" or even PAT) refers to
    network address translation involving the mapping of
    port numbers, allowing multiple machines to share a
    single IP address.
  – The other, technically simpler, form - also called NAT
    or "one-to-one NAT" or "basic NAT" or "static NAT" -
    involves only address translation, not port mapping.
    This requires an external IP address for each
    simultaneous connection. Broadband routers often
    use this feature, sometimes labelled "DMZ host", to
    allow a designated computer to accept all external
    connections even when the router itself uses the only
    available external IP address.
• NAT with port-translation comes in two
  – source address translation (source NAT),
    which re-writes the IP address of the
    computer which initiated the connection
  – destination address translation (destination
• In practice, both are usually used together
  in coordination for two-way
• NAT traversal refers to a solution to the common
  problem in TCP/IP networking of establishing
  connections between hosts in private TCP/IP networks
  which use NAT devices.

• This problem is typically faced by developers of client-to-
  client networking applications especially in peer-to-peer
  and VoIP. NAT-T is commonly used by IPsec VPN
  clients in order to have ESP packets go through NAT.

• Many techniques exist, but no technique works in every
  situation since NAT behavior is not standardized.
• Many techniques require a public server on a
  well-known globally reachable IP address.
  – Some methods use the server only when establishing
    the connection (such as STUN), while
  – Others are based on relaying all the data through it
    (such as TURN), which adds bandwidth costs and
    increases latency detrimental to conversational VoIP
• Most NAT behavior-based techniques fail to
  preserve enterprise security policies and break
  end-to-end transparency.
              Some NAT types
• With full cone NAT, also
  known as one-to-one
  NAT, all requests from
  the same internal IP
  address and port are
  mapped to the same
  external IP address and
• An external host can
  send a packet to the
  internal host, by sending
  a packet to the mapped
  external address.
             Some NAT types
• With restricted cone NAT,
  all requests from the
  same internal IP address
  and port are mapped to
  the same external IP
  address and port.
• Unlike a full cone NAT,
  an external host can send
  a packet to the internal
  host only if the internal
  host had previously sent
  a packet to it.
             Some NAT types
• Port restricted cone NAT
  or symmetric NAT is like
  a restricted cone NAT,
  but the restriction
  includes port numbers.
• Specifically, an external
  host can send a packet to
  a particular port on the
  internal host only if the
  internal host had
  previously sent a packet
  from that port to the
  external host.
                Some NAT types
• With symmetric NAT all
  requests from the same
  internal IP address and port
  to a specific destination IP
  address and port are
  mapped to a unique external
  source IP address and port.
• If the same internal host
  sends a packet with the
  same source address and
  port to a different destination,
  a different mapping is used.
• Only an external host that
  receives a packet can send a
  UDP packet back to the
  internal host.
• Many NAT implementations follow a port
  preservation design.
• For most communications, they will use the
  same values for the internal and external port numbers.
• If two internal hosts attempt to communicate with
  the same external host using the same port
  number, the external port number used by the
  second host will be chosen at random.
  – Such a NAT will sometimes be perceived as a restricted
    cone NAT and at other times as a symmetric NAT.
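The PAT behaviour described above (one public address shared by many inside hosts, a translation table consulted in both directions, idle entries deleted, port preservation with a random fallback on collision) together with the four NAT types, as an added Python model; this is not code from the slides, and the addresses, the default idle timeout and the 1024-65535 fallback port range are assumptions of the example.

```python
"""Model of a PAT (overloaded NAT) device: added example, not the slides' code."""
import random
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Mapping:
    key: tuple            # outbound lookup key (see PatDevice._key)
    internal: tuple       # true (ip, port) of the inside host
    external_port: int    # port used on the device's single public address
    last_seen: float      # drives idle-timeout deletion of the entry
    peers: set = field(default_factory=set)   # outside (ip, port) endpoints contacted


class PatDevice:
    NAT_TYPES = ("full_cone", "restricted_cone", "port_restricted", "symmetric")

    def __init__(self, public_ip, nat_type="port_restricted", idle_timeout=60.0, seed=None):
        if nat_type not in self.NAT_TYPES:
            raise ValueError(f"unknown NAT type {nat_type!r}")
        self.public_ip, self.nat_type, self.idle_timeout = public_ip, nat_type, idle_timeout
        self.rng = random.Random(seed)   # seeded only to keep the demo reproducible
        self.by_key = {}     # outbound lookup: inside endpoint (+ destination) -> Mapping
        self.by_port = {}    # inbound lookup: public port -> Mapping

    def _key(self, pkt):
        # Symmetric NAT keys on the destination as well, so the same inside (ip, port)
        # gets a different public port for every outside destination it talks to.
        if self.nat_type == "symmetric":
            return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.src_ip, pkt.src_port)

    def _pick_external_port(self, wanted):
        # Port preservation: keep the inside port if it is free, else pick one at random.
        if wanted not in self.by_port:
            return wanted
        while True:
            candidate = self.rng.randint(1024, 65535)   # constructed fallback range
            if candidate not in self.by_port:
                return candidate

    def expire(self, now):
        """Delete translations idle for longer than idle_timeout; returns how many."""
        stale = [m for m in self.by_port.values() if now - m.last_seen > self.idle_timeout]
        for m in stale:
            del self.by_port[m.external_port]
            del self.by_key[m.key]
        return len(stale)

    def outbound(self, pkt, now):
        """Rewrite the source of a packet leaving the private network."""
        key = self._key(pkt)
        m = self.by_key.get(key)
        if m is None:
            m = Mapping(key, (pkt.src_ip, pkt.src_port), self._pick_external_port(pkt.src_port), now)
            self.by_key[key] = m
            self.by_port[m.external_port] = m
        m.last_seen = now
        m.peers.add((pkt.dst_ip, pkt.dst_port))
        # Only the inside host's fields are rewritten; the outside endpoint is left as is.
        return Packet(self.public_ip, m.external_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt, now):
        """Rewrite the destination of a packet arriving from outside, or None to drop it."""
        m = self.by_port.get(pkt.dst_port) if pkt.dst_ip == self.public_ip else None
        if m is None:
            return None   # nothing in the table: for the outside host the inside is a dead end
        peer = (pkt.src_ip, pkt.src_port)
        allowed = {
            "full_cone": True,                                               # anyone may use the mapping
            "restricted_cone": any(ip == pkt.src_ip for ip, _ in m.peers),  # contacted IPs only
            "port_restricted": peer in m.peers,                             # contacted IP and port only
            "symmetric": peer in m.peers,                                   # the one destination of this mapping
        }[self.nat_type]
        if not allowed:
            return None
        m.last_seen = now
        return Packet(pkt.src_ip, pkt.src_port, *m.internal)


def demo(nat_type):
    """Two inside hosts pick the same source port; then a reply, a packet from the same
    outside host on another port, and a packet from a stranger arrive (all constructed)."""
    pat = PatDevice("203.0.113.1", nat_type, idle_timeout=30, seed=7)
    a = pat.outbound(Packet("10.0.0.5", 40000, "198.51.100.10", 53), now=0)
    b = pat.outbound(Packet("10.0.0.6", 40000, "198.51.100.10", 53), now=1)
    reply = pat.inbound(Packet("198.51.100.10", 53, "203.0.113.1", a.src_port), now=2)
    same_host = pat.inbound(Packet("198.51.100.10", 9999, "203.0.113.1", a.src_port), now=3)
    stranger = pat.inbound(Packet("192.0.2.99", 4444, "203.0.113.1", a.src_port), now=4)
    return a.src_port, b.src_port, reply, same_host, stranger
```

Running demo() with each NAT type shows the first host keeping port 40000, the second host receiving a random port, and the same unsolicited packets being accepted or dropped depending on the type.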
• A firewall is an information technology (IT)
  security device which is configured to
  permit, deny or proxy data connections set
  and configured by the organization's
  security policy.
• Firewalls can be hardware based, software
  based, or both.
• A firewall's basic task is to control traffic
  between computer networks with different zones
  of trust.
  – Typical examples are the Internet which is a zone
    with no trust and an internal network which is (and
    should be) a zone with high trust.
  – The ultimate goal is to provide controlled interfaces
    between zones of differing trust levels through the
    enforcement of a security policy and connectivity
    model based on the least privilege principle and
    separation of duties.
• A firewall is also called a Border Protection
  Device (BPD) in certain military contexts
  where a firewall separates networks by
  creating perimeter networks in a
  Demilitarized zone (DMZ).
• In a BSD context they are also known as a
  packet filter.
• A firewall's function is analogous to
  firewalls in building construction.
             Firewall Types
• There are three basic types of firewalls
  depending on:
  – Whether the communication is being done
    between a single node and the network, or
    between two or more networks.
  – Whether the communication is intercepted at
    the network layer, or at the application layer.
  – Whether the communication state is being
    tracked at the firewall or not.
                  Firewall Types
• With regard to the scope of filtered
  communications there exist:
   – Personal firewalls, a software application which
     normally filters traffic entering or leaving a single
   – Network firewalls, normally running on a dedicated
     network device or computer positioned on the
     boundary of two or more networks or DMZs
     (demilitarized zones).
      • Such a firewall filters all traffic entering or leaving the
        connected networks.
              Firewall Types
• In reference to the layers where the traffic
  can be intercepted, three main categories
  of firewalls exist:
  – Network layer firewalls.
     • An example would be iptables.
  – Application layer firewalls.
     • An example would be TCP Wrappers.
  – Application firewalls.
     • An example would be restricting FTP services
       through the /etc/ftpaccess file.
       Network Layer Firewall
• A network layer firewall works as a packet filter
  by deciding what packets will pass the firewall
  according to rules defined by the administrator.
• Filtering rules can act on the basis of source and
  destination address and on ports, in addition to
  whatever higher-level network protocols the
  packet contains.
• Network layer firewalls tend to operate very fast,
  and transparently to users.
        Network Layer Firewall
• Network layer firewalls generally fall into two
  sub-categories, stateful and stateless.
   – Stateful firewalls hold some information on the state
     of connections (for example: established or not,
     initiation, handshaking, data or breaking down the
     connection) as part of their rules (e.g. only hosts
     inside the firewall can establish connections on a
     certain port).
   – Stateless firewalls have packet-filtering capabilities
     but cannot make more complex decisions on what
     stage communications between hosts have reached.
      • Stateless firewalls therefore offer less security.
      • Stateless firewalls somewhat resemble a router in their ability
        to filter packets.
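A stateless and a stateful packet filter enforcing the DMZ policy described earlier (connections into the DMZ from both sides, out of the DMZ only to the Internet), as an added Python example that is not code from the slides; the address plan and the list of public service ports are assumptions of the example, and it shows why a stateless filter has to admit packets that a stateful one can reject.

```python
"""Zone-based packet filter for the DMZ policy, stateless vs stateful (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed address plan: RFC 1918 space inside, a DMZ subnet, everything else is the Internet.
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
}

# Policy for *new* connections: (source zone, destination zone, allowed destination
# ports or None for any). First match wins; anything not listed is denied. There is
# deliberately no (dmz, internal) entry, so a compromised DMZ host is a dead end.
NEW_CONNECTION_POLICY = [
    ("external", "dmz", {25, 53, 80, 443}),   # the public services the DMZ offers (assumed)
    ("internal", "dmz", None),
    ("internal", "external", None),
    ("dmz", "external", None),
]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool    # True for a TCP connection attempt (SYN without ACK)


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def policy_allows(pkt):
    """Would the zone policy permit a new connection carried by this packet?"""
    src, dst = zone_of(pkt.src_ip), zone_of(pkt.dst_ip)
    for src_zone, dst_zone, ports in NEW_CONNECTION_POLICY:
        if (src, dst) == (src_zone, dst_zone) and (ports is None or pkt.dst_port in ports):
            return True
    return False


class StatelessFilter:
    """Judges each packet alone. To let replies reach inside clients it must also accept
    any outside packet whose *source* port looks like a service port, and that rule
    cannot tell a genuine reply from a connection attempt that merely uses that port."""

    REPLY_PORTS = {25, 53, 80, 443}

    def accept(self, pkt):
        if policy_allows(pkt):
            return True
        return zone_of(pkt.src_ip) == "external" and pkt.src_port in self.REPLY_PORTS


class StatefulFilter:
    """Remembers accepted connections, so a reply is admitted only when it belongs to a
    flow that an inside or DMZ host was allowed to open."""

    def __init__(self):
        self.flows = set()   # (src ip, src port, dst ip, dst port) of accepted connections

    def accept(self, pkt):
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if fwd in self.flows or rev in self.flows:
            return True            # packet of an established connection
        if pkt.syn and policy_allows(pkt):
            self.flows.add(fwd)    # new connection permitted by the zone policy
            return True
        return False


def run_scenario(fw):
    """Push a constructed packet sequence through a filter; returns {label: accepted?}."""
    packets = {
        "inside client opens web session": Packet("10.0.0.7", 51000, "198.51.100.10", 80, True),
        "web reply to inside client": Packet("198.51.100.10", 80, "10.0.0.7", 51000, False),
        "outside SYN using source port 80": Packet("203.0.113.5", 80, "10.0.0.7", 445, True),
        "outside visitor to DMZ web server": Packet("203.0.113.5", 40000, "192.168.100.10", 443, True),
        "DMZ host reaches into internal DB": Packet("192.168.100.10", 33000, "10.0.0.50", 3306, True),
        "DMZ host fetches an update": Packet("192.168.100.10", 33001, "198.51.100.20", 443, True),
    }
    return {label: fw.accept(pkt) for label, pkt in packets.items()}
```

Comparing run_scenario(StatelessFilter()) with run_scenario(StatefulFilter()) shows both filters agreeing on every packet except the outside connection attempt that uses source port 80, which only the stateful filter rejects.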
      Network Layer Firewall
• Any normal computer running an operating
  system which supports packet filtering and
  routing can function as a network layer
• Appropriate operating systems for such a
  configuration include Linux, Solaris, BSDs
  or Windows Server.
     Application Layer Firewall
• An application layer firewall is a firewall
  operating at the application layer of a protocol
• Generally it is a host using various forms of
  proxy servers to proxy traffic instead of routing it.
• As it works on the application layer, it may
  inspect the contents of the traffic, blocking what
  the firewall administrator views as inappropriate
  content, such as certain websites, viruses,
  attempts to exploit known logical flaws in client
  software, and so forth.
    Application Layer Firewall
• An application layer firewall does not route
  traffic on the network layer.
• All traffic stops at the firewall which may
  initiate its own connections if the traffic
  satisfies the rules.
          Application Firewall
• An application firewall limits the access which
  software applications have to the operating
  system services, and consequently to the
  internal hardware resources found in a
  computer, much as a car firewall limits access of
  heat, or even fire, to the passengers of the
• The reason that application firewalls are needed
  in today's internet and data-sharing world is that
  the other types of firewalls in existence do not
  control the execution of data, only of the flow of
  data to the computer's processor.
• A proxy server is a computer that offers a computer
  network service to allow clients to make indirect network
  connections to other network services.
• A client connects to the proxy server, then requests a
  connection, file, or other resource available on a different
• The proxy provides the resource either by connecting to
  the specified server or by serving it from a cache.
• In some cases, the proxy may alter the client's request or
  the server's response for various purposes, usually to
  view websites normally not allowed
               Web Proxy
• Proxies that attempt to block offensive web
  content are implemented as web proxies.
• Other web proxies reformat web pages for a
  specific purpose or audience; for example,
  Skweezer reformats web pages for cell phones
  and PDAs.
• Network operators can also deploy proxies to
  intercept computer viruses and other hostile
  content served from remote web pages.
          Intercepting Proxy
• An intercepting proxy, often incorrectly
  called transparent proxy (also known as a
  forced proxy) combines a proxy server
  with NAT. Connections made by client
  browsers through the NAT are intercepted
  and redirected to the proxy without client-
  side configuration (or often knowledge).
           Intercepting Proxy
• Intercepting proxies are commonly used in
  businesses to prevent avoidance of acceptable
  use policy, and to ease administrative burden,
  since no client browser configuration is required.
• Intercepting proxies are also commonly used by
  Internet Service Providers in many countries in
  order to reduce upstream link bandwidth
  requirements by providing a shared cache to
  their customers.
                  Open Proxy
• An open proxy is a proxy server which will accept client
  connections from any IP address and make connections
  to any Internet resource.
• Generally, a proxy server allows users within a network
  group to store and forward internet services such as
  DNS or web pages so that the bandwidth used by the
  group is reduced and controlled.
• With an "open" proxy, however, any user on the Internet
  is able to use this forwarding service.
• Because proxies might be used for abuse, system
  administrators have developed a number of ways to
  refuse service to open proxies.
            Reverse Proxy
• A reverse proxy is a proxy server that is
  installed in the neighborhood of one or
  more web servers. All traffic coming from
  the Internet and with a destination of one
  of the web servers goes through the proxy
              Reverse Proxy
• Typically, reverse proxies are utilized in front of
• All connections coming from the Internet
  addressed to one of the webservers are routed
  through the proxy server, which may either deal
  with the request itself or pass the request wholly
  or partially to the main webserver.
• Contrast this with 'forward proxy', which is a
  proxy server configured in the end-user's
                  Reverse Proxy
• There are several reasons for installing a reverse proxy:
   – Security: the proxy server is an additional layer of defense and
     therefore protects the webservers further up the chain
   – Encryption / SSL acceleration: when secure websites are
     created, the SSL encryption is sometimes not done by the
     webserver itself, but by a reverse proxy that is equipped with
     SSL acceleration hardware.
   – Load distribution: the reverse proxy can distribute the load to
     several servers, each server serving its own application area. In
     the case of reverse proxying in the neighborhood of webservers,
     the reverse proxy may have to rewrite the URLs in each
     webpage (translation from externally known URLs to the internal
             Reverse Proxy
– Caching static content: A reverse proxy can offload
  the webservers by caching static content, such as
  images. Proxy caching of this sort can often satisfy a
  considerable amount of website requests, greatly
  reducing the load on the central web server.
– Compression: the proxy server can optimize and
  compress the content to speed up the load time.
– Spoon feeding: if a program is producing the
  webpage on the webservers, the webservers can
  produce it, serve it to the reverse-proxy, which can
  spoon-feed it however slowly the clients need and
  then close the program rather than having to keep it
  open while the clients insist on being spoon fed.
                Split Proxy
• A split proxy is effectively a pair of proxies
  installed across two computers. Since they
  are effectively two parts of the same
  program, they can communicate with each
  other in a more efficient way than they can
  communicate with a more standard
  resource or tool such as a website or
                  Split Proxy
• This is ideal for compressing data over a slow
  link, such as a wireless or mobile data service
  and also for reducing the issues regarding high
  latency links (such as satellite internet) where
  establishing a TCP connection is time
  – Taking the example of web browsing, the user's
    browser is pointed to a local proxy which then
    communicates with its other half at some remote
    location. This remote server fetches the requisite
    data, repackages it and sends it back to the user's
    local proxy, which unpacks the data and presents it to
    the browser in the standard fashion.
• An intrusion detection system (IDS)
  generally detects unwanted manipulations
  to computer systems, mainly through the
• The manipulations may take the form of
  attacks by skilled malicious hackers, or
  script kiddies using automated tools.
• An intrusion detection system is used to detect
  all types of malicious network traffic and
  computer usage that can't be detected by a
  conventional firewall.
• This includes
  – network attacks against vulnerable services
  – data driven attacks on applications
  – host based attacks such as privilege escalation,
    unauthorized logins and access to sensitive files
  – malware (viruses, trojan horses, and worms).
• An IDS is composed of several
  – Sensors which generate security events,
  – a Console to monitor events and alerts and
    control the sensors
  – a central Engine that records events logged
    by the sensors in a database and uses a
    system of rules to generate alerts from
    security events received.
– There are several ways to categorize an IDS
  depending on the type and location of the
  sensors and the methodology used by the
  engine to generate alerts.
– In many simple IDS implementations all three
  components are combined in a single device
  or appliance.
• In a network-based intrusion-detection system
  (NIDS), the sensors are located at choke points
  in the network to be monitored, often in the
  demilitarized zone (DMZ) or at network borders.
• The sensor captures all network traffic and
  analyzes the content of individual packets for
  malicious traffic.
• In some systems, PIDS and APIDS are used to
  monitor the transport and application protocols for
  illegal or inappropriate traffic or constructs of a
  language (say SQL).
• A network intrusion detection system is an
  independent platform which identifies
  intrusions by examining network traffic and
  monitors multiple hosts.
• Network Intrusion Detection Systems gain
  access to network traffic by connecting to
  a hub, network switch configured for port
  mirroring, or network tap.
• An example of a NIDS is Snort.
• In a host-based system, the sensor usually
  consists of a software agent, which
  monitors all activity of the host on which it
  is installed.
• A host-based intrusion detection system
  (HIDS) is an intrusion detection system
  that focuses its monitoring and analysis on
  the internals of a computing system rather
  than on its external interfaces (as a
  network intrusion detection system (NIDS)
  would do).
     Protocol Based IDS(PIDS)
• A protocol-based intrusion detection system consists of a
  system or agent that would typically sit at the front end of
  a server, monitoring and analyzing the communication
  protocol between a connected device (a user/PC or
• For a web server this would typically monitor the HTTPS
  protocol stream and understand the HTTP protocol
  relative to the web server/system it is trying to protect.
  Where HTTPS is in use, this system would need to
  reside in the "shim" or interface where HTTPS is
  decrypted, immediately before the data enters the
  web presentation layer.
Application Protocol-Based IDS
• An application protocol-based intrusion detection
  system consists of a system or agent that would
  typically sit within a group of servers, monitoring
  and analyzing the communication on application
  specific protocols.
• For example, in a web server with a database this
  would monitor the SQL protocol specific to the
  middleware/business logic as it transacts with
  the database.
              Hybrid IDS
• A hybrid intrusion detection system
  combines one or more approaches.
• Host agent data is combined with network
  information to form a comprehensive view
  of the network.
     Passive vs. Reactive IDS
• In a passive system, the IDS sensor detects a
  potential security breach, logs the information
  and signals an alert on the console.
• In a reactive system, also known as an intrusion
  prevention system (IPS), the IDS responds to
  the suspicious activity by resetting the
  connection or by reprogramming the firewall to
  block network traffic from the suspected
  malicious source. This can happen automatically
  or at the command of an operator.
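The sensor / engine / console arrangement described above, run in a passive and in a reactive mode, as an added Python model that is not code from the slides; the event format, the two rules, the sensor names and the never-block list are assumptions of the example.

```python
"""Sensor -> engine -> console IDS model with passive and reactive modes (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float      # seconds; sensors timestamp what they observe
    sensor: str    # reporting sensor, e.g. "hids:web01" or "nids:dmz-tap" (constructed names)
    kind: str      # event type the sensor generates
    src_ip: str    # source the sensor attributes the activity to


@dataclass(frozen=True)
class Alert:
    ts: float
    rule: str
    src_ip: str
    detail: str


class ThresholdRule:
    """Alert when `count` events of `kind` from one source arrive within `window` seconds."""

    def __init__(self, name, kind, count, window):
        self.name, self.kind, self.count, self.window = name, kind, count, window
        self.seen = defaultdict(deque)   # src_ip -> timestamps still inside the window

    def evaluate(self, ev):
        if ev.kind != self.kind:
            return None
        q = self.seen[ev.src_ip]
        q.append(ev.ts)
        while q and ev.ts - q[0] > self.window:
            q.popleft()                  # slide the window forward
        if len(q) < self.count:
            return None
        q.clear()                        # one alert per burst, not one per extra event
        return Alert(ev.ts, self.name, ev.src_ip,
                     f"{self.count} {self.kind} events within {self.window}s via {ev.sensor}")


class SignatureRule:
    """Alert on every event of a kind that is malicious on its own (a NIDS signature hit)."""

    def __init__(self, name, kind):
        self.name, self.kind = name, kind

    def evaluate(self, ev):
        if ev.kind != self.kind:
            return None
        return Alert(ev.ts, self.name, ev.src_ip, f"signature match reported by {ev.sensor}")


class Firewall:
    """Stand-in for the perimeter firewall that a reactive IDS (IPS) reprograms."""

    def __init__(self):
        self.blocked = set()

    def block(self, ip):
        self.blocked.add(ip)


class Engine:
    def __init__(self, rules, firewall, reactive=False, never_block=()):
        self.rules, self.firewall, self.reactive = rules, firewall, reactive
        self.never_block = set(never_block)   # sources an automatic response must not cut off
        self.events = []    # everything the sensors sent (the engine's event database)
        self.alerts = []    # what the console shows the operator

    def ingest(self, ev):
        self.events.append(ev)
        for rule in self.rules:
            alert = rule.evaluate(ev)
            if alert is None:
                continue
            self.alerts.append(alert)              # passive: log and alert ...
            if self.reactive and alert.src_ip not in self.never_block:
                self.firewall.block(alert.src_ip)  # ... reactive: also block the source


def sample_events():
    """Constructed sensor output: a login burst from outside, a burst from an internal
    monitoring host, one lone failure, and one NIDS signature hit."""
    evs = [Event(t, "hids:web01", "failed_login", "203.0.113.9") for t in range(0, 30, 5)]
    evs += [Event(40 + t, "hids:web01", "failed_login", "10.0.0.4") for t in range(0, 30, 5)]
    evs.append(Event(41, "hids:web01", "failed_login", "198.51.100.3"))
    evs.append(Event(42, "nids:dmz-tap", "signature_match", "198.51.100.77"))
    return sorted(evs, key=lambda e: e.ts)


def run(reactive):
    """Run the sample through the engine; returns (alerts shown on the console, blocked IPs)."""
    fw = Firewall()
    engine = Engine([ThresholdRule("login-bruteforce", "failed_login", 5, 60),
                     SignatureRule("nids-signature", "signature_match")],
                    fw, reactive=reactive, never_block={"10.0.0.4"})
    for ev in sample_events():
        engine.ingest(ev)
    return engine.alerts, fw.blocked
```

The never-block list is the check a reactive deployment needs: the internal host's login burst still reaches the console as an alert, but an automatic response never locks out an address the organisation depends on.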
